SlideShare a Scribd company logo

Automating security policies (compliance) with Rudder

RUDDER
RUDDER

Designing, applying and keeping track of security-oriented rules for your IT infrastructure can be time-consuming, costly and approximate job. Whether you're in charge of defining the policy, implementing it or checking for discrepencies, you'll be aware that all of this takes time, often out-of-hours time, that there is a lot of room for error and usually a considerable gap between ideals and reality - just how big a gap may or may not be shared with everyone involved. This talk will show how Rudder, an open source stack for automating configuration and auditing, can be used to ease and improve on several of these issues. Topics covered will include deploying identical settings everywhere, saving time for multiple changes, near real-time auditing of actual settings, gaining global overview to help analyze vulnerability impacts, and improved reactivity. I will include real-life examples and feedback from several companies where this has been put into action, including benefits (of course) and shortcomings (because there are always some). The aim of this session is to discuss methods and the approach of automation applied to this field, while demonstrating and giving feedback on some of the possibilities offered by Rudder. I hope to avoid being side-tracked into talking about detailed security recommendations, sticking to simple best practices for the sake of examples, thus focusing on the approach.

Technology
1 of 23
Download to read offline
Automating security policies From deployment to auditing with Rudder Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com
Who am I ? ● Jonathan Clarke ● Job: Co-founder and CTO at Normation ● Line of work: – Initially system administration, infrastructure management... – Now a whole load of other stuff ! ● Free software: – Co-creator of Rudder – Developer in several LDAP projects: LSC, LTB, OpenLDAP … – Contributor to CFEngine Contact info Email: jcl@normation.com Twitter: @jooooooon42 (that's 7 'o's!) Normation – CC-BY-SA normation.com 2
Context IT infrastructure Normation – CC-BY-SA normation.com 3
Context IT infrastructure Automation Normation – CC-BY-SA normation.com 4
Context IT infrastructure Automation Motivations: Avoid Build new Rebuild hosts Scale out human error hosts quickly quickly quickly Normation – CC-BY-SA normation.com 5
Context IT infrastructure Automation Tools: Normation – CC-BY-SA normation.com 6
What about compliance? IT infrastructure Compliance? Normation – CC-BY-SA normation.com 7
What about compliance? IT infrastructure Compliance? Motivations: Get a Get an Know about Prove complete objective config drift compliance overview overview Normation – CC-BY-SA normation.com 8
What about compliance? IT infrastructure Compliance to what? Normation – CC-BY-SA normation.com 9
What about compliance? IT infrastructure Compliance to what? Rules come from everywhere: Industry Corporate Laws Best practices regulations regulations Normation – CC-BY-SA normation.com 10
What about compliance? IT infrastructure Compliance to what? Practical examples Enforce some MOTD Password Tripwire parameters “warning” policy (disk contents) in a service Normation – CC-BY-SA normation.com 11
How is this different from “just” automation? Automation vs Compliance How different is this technically? Normation – CC-BY-SA normation.com 12
How is this different from “just” automation? Frequency The more often you check, the more reliable your compliance reporting is. How can you reach this goal? Lightweight, Run “slow” Focus on the efficient agent checks in the security checks background (file copying Reporting can over network...) be done later Normation – CC-BY-SA normation.com 13
How is this different from “just” automation? All or nothing Compliance matters on each and every system. Not “most”. All of them. How can you reach this goal? Make sure you Support all the Two systems may know what {old,weird,buggy} be alike on paper, systems exist: {OS,software, they very rarely rely on an versions} are in reality. inventory DB Normation – CC-BY-SA normation.com 14
How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Fake ID + Prebook flight to Cayman islands? Normation – CC-BY-SA normation.com 15
How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Don't touch stuff Start with no changes. Classic you don't need to. Just check. Dry-run? quality Be specific. control Cover full cycles (reviews...) (One line in a file?) (days, weeks, months...) Normation – CC-BY-SA normation.com 16
So, what have we actually done? Applied these principles in Normation – CC-BY-SA normation.com 17
Introducing Rudder http://rudder.cm/ Specifically designed for Simplified user experience automation & compliance via a Web UI Based on CFEngine 3 Graphical reporting Multi-platform Open Source (packaged for each OS) Vagrant config to test: https://github.com/normation/rudder-vagrant/ Normation – CC-BY-SA normation.com 18
Introducing Rudder Normation – CC-BY-SA normation.com 19
Key points for security compliance Continuous checking High freqency, trust in Every 5 minutes compliance reporting Reuse implementations, Separate configuration from implementation less bugs, shared code... Clear separation of roles Multi-platform Cover as many systems Linux, Unix, Windows, Android... as possible Reporting Avoid bottleneck Done after the checks, Different report types separate process Normation – CC-BY-SA normation.com 20
Rudder - workflow Define Changes security policy (fixes, upgrades...) Management REPORTING c c Technical abstraction Community Expert (method vs parameters) Configure parameters Sysadmins Initial application Configuration agent Continuous verification Normation – CC-BY-SA normation.com 21
Final thoughts Summary: - Security compliance is a very demanding type of automation - Possible today with open source tools - Main issue is about how you use them! Next steps? - Authorizations: who can change which parameters? (law vs regulations vs policy...) - Correlate with monitoring data: determine root causes, cross effects... It works but the tools can be improved: - detect changes (inotify?) - even 1 minute not always enough - dry-run iterations automatically? Normation – CC-BY-SA normation.com 23
Questions? Follow us on Twitter: @RudderProject Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com

Recommended

La Gestion de Configuration des logiciels et du Système d’Information Cours J...
La Gestion de Configuration des logiciels et du Système d’Information Cours J...La Gestion de Configuration des logiciels et du Système d’Information Cours J...
La Gestion de Configuration des logiciels et du Système d’Information Cours J...Jean-Antoine Moreau
 
What if configuration management didn't need to be lvl60 in dev?
What if configuration management didn't need to be lvl60 in dev?What if configuration management didn't need to be lvl60 in dev?
What if configuration management didn't need to be lvl60 in dev?RUDDER
 
Servers compliance: audit, remediation, proof
Servers compliance: audit, remediation, proofServers compliance: audit, remediation, proof
Servers compliance: audit, remediation, proofRUDDER
 
OSIS 2019 - Qu’apporte l’observabilité à la gestion de configuration ?
OSIS 2019 - Qu’apporte l’observabilité à la gestion de configuration ?OSIS 2019 - Qu’apporte l’observabilité à la gestion de configuration ?
OSIS 2019 - Qu’apporte l’observabilité à la gestion de configuration ?RUDDER
 
OW2Con - Configurations, do you prove yours?
OW2Con - Configurations, do you prove yours?OW2Con - Configurations, do you prove yours?
OW2Con - Configurations, do you prove yours?RUDDER
 
The new plugin ecosystem in RUDDER 5.0
The new plugin ecosystem in RUDDER 5.0The new plugin ecosystem in RUDDER 5.0
The new plugin ecosystem in RUDDER 5.0RUDDER
 
What uses for observing operations of Configuration Management?
What uses for observing operations of Configuration Management?What uses for observing operations of Configuration Management?
What uses for observing operations of Configuration Management?RUDDER
 
UX challenges of a UI-centric config management tool
UX challenges of a UI-centric config management toolUX challenges of a UI-centric config management tool
UX challenges of a UI-centric config management toolRUDDER
 

Recommended

La Gestion de Configuration des logiciels et du Système d’Information Cours J...
La Gestion de Configuration des logiciels et du Système d’Information Cours J...La Gestion de Configuration des logiciels et du Système d’Information Cours J...
La Gestion de Configuration des logiciels et du Système d’Information Cours J...Jean-Antoine Moreau
 
What if configuration management didn't need to be lvl60 in dev?
What if configuration management didn't need to be lvl60 in dev?What if configuration management didn't need to be lvl60 in dev?
What if configuration management didn't need to be lvl60 in dev?RUDDER
 
Servers compliance: audit, remediation, proof
Servers compliance: audit, remediation, proofServers compliance: audit, remediation, proof
Servers compliance: audit, remediation, proofRUDDER
 
OSIS 2019 - Qu’apporte l’observabilité à la gestion de configuration ?
OSIS 2019 - Qu’apporte l’observabilité à la gestion de configuration ?OSIS 2019 - Qu’apporte l’observabilité à la gestion de configuration ?
OSIS 2019 - Qu’apporte l’observabilité à la gestion de configuration ?RUDDER
 
OW2Con - Configurations, do you prove yours?
OW2Con - Configurations, do you prove yours?OW2Con - Configurations, do you prove yours?
OW2Con - Configurations, do you prove yours?RUDDER
 
The new plugin ecosystem in RUDDER 5.0
The new plugin ecosystem in RUDDER 5.0The new plugin ecosystem in RUDDER 5.0
The new plugin ecosystem in RUDDER 5.0RUDDER
 
What uses for observing operations of Configuration Management?
What uses for observing operations of Configuration Management?What uses for observing operations of Configuration Management?
What uses for observing operations of Configuration Management?RUDDER
 
UX challenges of a UI-centric config management tool
UX challenges of a UI-centric config management toolUX challenges of a UI-centric config management tool
UX challenges of a UI-centric config management toolRUDDER
 
What happened in RUDDER in 2018 and what’s next?
What happened in RUDDER in 2018 and what’s next?What happened in RUDDER in 2018 and what’s next?
What happened in RUDDER in 2018 and what’s next?RUDDER
 
What is RUDDER and when should I use it?
What is RUDDER and when should I use it?What is RUDDER and when should I use it?
What is RUDDER and when should I use it?RUDDER
 
Fosdem - Configurations do you prove yours?
Fosdem - Configurations do you prove yours?Fosdem - Configurations do you prove yours?
Fosdem - Configurations do you prove yours?RUDDER
 
L'audit en continu : clé de la conformité démontrable (#POSS 2018)
L'audit en continu : clé de la conformité démontrable (#POSS 2018)L'audit en continu : clé de la conformité démontrable (#POSS 2018)
L'audit en continu : clé de la conformité démontrable (#POSS 2018)RUDDER
 
Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)
Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)
Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)RUDDER
 
Stay up - voyage d'un éditeur de logiciels libres
Stay up - voyage d'un éditeur de logiciels libresStay up - voyage d'un éditeur de logiciels libres
Stay up - voyage d'un éditeur de logiciels libresRUDDER
 
How we scaled Rudder to 10k, and the road to 50k
How we scaled Rudder to 10k, and the road to 50kHow we scaled Rudder to 10k, and the road to 50k
How we scaled Rudder to 10k, and the road to 50kRUDDER
 
What's new and what's next in Rudder
What's new and what's next in RudderWhat's new and what's next in Rudder
What's new and what's next in RudderRUDDER
 
Poss 2017 : gestion des configurations et mise en conformité chez un service ...
Poss 2017 : gestion des configurations et mise en conformité chez un service ...Poss 2017 : gestion des configurations et mise en conformité chez un service ...
Poss 2017 : gestion des configurations et mise en conformité chez un service ...RUDDER
 
Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...
Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...
Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...RUDDER
 
POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...
POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...
POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...RUDDER
 
DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...
DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...
DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...RUDDER
 
RUDDER - Continuous Configuration (configuration management + continuous aud...
RUDDER - Continuous Configuration (configuration management + continuous aud... RUDDER - Continuous Configuration (configuration management + continuous aud...
RUDDER - Continuous Configuration (configuration management + continuous aud...RUDDER
 
RUDDER - Continuous Configuration (configuration management + continuous audi...
RUDDER - Continuous Configuration (configuration management + continuous audi...RUDDER - Continuous Configuration (configuration management + continuous audi...
RUDDER - Continuous Configuration (configuration management + continuous audi...RUDDER
 
OSIS 2017 - Scala REX dans Rudder
OSIS 2017 - Scala REX dans Rudder OSIS 2017 - Scala REX dans Rudder
OSIS 2017 - Scala REX dans Rudder RUDDER
 
Automating the manual - feedback on including existing systems in configurati...
Automating the manual - feedback on including existing systems in configurati...Automating the manual - feedback on including existing systems in configurati...
Automating the manual - feedback on including existing systems in configurati...RUDDER
 
Getting data into Rudder
Getting data into RudderGetting data into Rudder
Getting data into RudderRUDDER
 
Automate your automation with Rudder’s API! \o/
Automate your automation with Rudder’s API! \o/Automate your automation with Rudder’s API! \o/
Automate your automation with Rudder’s API! \o/RUDDER
 
Rudder: what's new and what's next? Roadmap, vision and thoughts
Rudder: what's new and what's next? Roadmap, vision and thoughtsRudder: what's new and what's next? Roadmap, vision and thoughts
Rudder: what's new and what's next? Roadmap, vision and thoughtsRUDDER
 
O'Reilly Security - Continuous Auditing For Effective Compliance with Rudder
O'Reilly Security - Continuous Auditing For Effective Compliance with RudderO'Reilly Security - Continuous Auditing For Effective Compliance with Rudder
O'Reilly Security - Continuous Auditing For Effective Compliance with RudderRUDDER
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 

More Related Content

More from RUDDER

What happened in RUDDER in 2018 and what’s next?
What happened in RUDDER in 2018 and what’s next?What happened in RUDDER in 2018 and what’s next?
What happened in RUDDER in 2018 and what’s next?RUDDER
 
What is RUDDER and when should I use it?
What is RUDDER and when should I use it?What is RUDDER and when should I use it?
What is RUDDER and when should I use it?RUDDER
 
Fosdem - Configurations do you prove yours?
Fosdem - Configurations do you prove yours?Fosdem - Configurations do you prove yours?
Fosdem - Configurations do you prove yours?RUDDER
 
L'audit en continu : clé de la conformité démontrable (#POSS 2018)
L'audit en continu : clé de la conformité démontrable (#POSS 2018)L'audit en continu : clé de la conformité démontrable (#POSS 2018)
L'audit en continu : clé de la conformité démontrable (#POSS 2018)RUDDER
 
Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)
Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)
Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)RUDDER
 
Stay up - voyage d'un éditeur de logiciels libres
Stay up - voyage d'un éditeur de logiciels libresStay up - voyage d'un éditeur de logiciels libres
Stay up - voyage d'un éditeur de logiciels libresRUDDER
 
How we scaled Rudder to 10k, and the road to 50k
How we scaled Rudder to 10k, and the road to 50kHow we scaled Rudder to 10k, and the road to 50k
How we scaled Rudder to 10k, and the road to 50kRUDDER
 
What's new and what's next in Rudder
What's new and what's next in RudderWhat's new and what's next in Rudder
What's new and what's next in RudderRUDDER
 
Poss 2017 : gestion des configurations et mise en conformité chez un service ...
Poss 2017 : gestion des configurations et mise en conformité chez un service ...Poss 2017 : gestion des configurations et mise en conformité chez un service ...
Poss 2017 : gestion des configurations et mise en conformité chez un service ...RUDDER
 
Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...
Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...
Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...RUDDER
 
POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...
POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...
POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...RUDDER
 
DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...
DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...
DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...RUDDER
 
RUDDER - Continuous Configuration (configuration management + continuous aud...
RUDDER - Continuous Configuration (configuration management + continuous aud... RUDDER - Continuous Configuration (configuration management + continuous aud...
RUDDER - Continuous Configuration (configuration management + continuous aud...RUDDER
 
RUDDER - Continuous Configuration (configuration management + continuous audi...
RUDDER - Continuous Configuration (configuration management + continuous audi...RUDDER - Continuous Configuration (configuration management + continuous audi...
RUDDER - Continuous Configuration (configuration management + continuous audi...RUDDER
 
OSIS 2017 - Scala REX dans Rudder
OSIS 2017 - Scala REX dans Rudder OSIS 2017 - Scala REX dans Rudder
OSIS 2017 - Scala REX dans Rudder RUDDER
 
Automating the manual - feedback on including existing systems in configurati...
Automating the manual - feedback on including existing systems in configurati...Automating the manual - feedback on including existing systems in configurati...
Automating the manual - feedback on including existing systems in configurati...RUDDER
 
Getting data into Rudder
Getting data into RudderGetting data into Rudder
Getting data into RudderRUDDER
 
Automate your automation with Rudder’s API! \o/
Automate your automation with Rudder’s API! \o/Automate your automation with Rudder’s API! \o/
Automate your automation with Rudder’s API! \o/RUDDER
 
Rudder: what's new and what's next? Roadmap, vision and thoughts
Rudder: what's new and what's next? Roadmap, vision and thoughtsRudder: what's new and what's next? Roadmap, vision and thoughts
Rudder: what's new and what's next? Roadmap, vision and thoughtsRUDDER
 
O'Reilly Security - Continuous Auditing For Effective Compliance with Rudder
O'Reilly Security - Continuous Auditing For Effective Compliance with RudderO'Reilly Security - Continuous Auditing For Effective Compliance with Rudder
O'Reilly Security - Continuous Auditing For Effective Compliance with RudderRUDDER
 

More from RUDDER (20)

What happened in RUDDER in 2018 and what’s next?
What happened in RUDDER in 2018 and what’s next?What happened in RUDDER in 2018 and what’s next?
What happened in RUDDER in 2018 and what’s next?
 
What is RUDDER and when should I use it?
What is RUDDER and when should I use it?What is RUDDER and when should I use it?
What is RUDDER and when should I use it?
 
Fosdem - Configurations do you prove yours?
Fosdem - Configurations do you prove yours?Fosdem - Configurations do you prove yours?
Fosdem - Configurations do you prove yours?
 
L'audit en continu : clé de la conformité démontrable (#POSS 2018)
L'audit en continu : clé de la conformité démontrable (#POSS 2018)L'audit en continu : clé de la conformité démontrable (#POSS 2018)
L'audit en continu : clé de la conformité démontrable (#POSS 2018)
 
Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)
Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)
Fiabilité et conformité continues en production avec Rudder (#BBOOST 2018)
 
Stay up - voyage d'un éditeur de logiciels libres
Stay up - voyage d'un éditeur de logiciels libresStay up - voyage d'un éditeur de logiciels libres
Stay up - voyage d'un éditeur de logiciels libres
 
How we scaled Rudder to 10k, and the road to 50k
How we scaled Rudder to 10k, and the road to 50kHow we scaled Rudder to 10k, and the road to 50k
How we scaled Rudder to 10k, and the road to 50k
 
What's new and what's next in Rudder
What's new and what's next in RudderWhat's new and what's next in Rudder
What's new and what's next in Rudder
 
Poss 2017 : gestion des configurations et mise en conformité chez un service ...
Poss 2017 : gestion des configurations et mise en conformité chez un service ...Poss 2017 : gestion des configurations et mise en conformité chez un service ...
Poss 2017 : gestion des configurations et mise en conformité chez un service ...
 
Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...
Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...
Poss 2017 - la continuité, arme secrète de la gestion du si - cas concret de ...
 
POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...
POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...
POSS 2017 : Comment automatiser son infrastructure quand... on a pas le temps...
 
DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...
DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...
DevOps D-Day 2017 - Gestion des configurations et mise en conformité chez un ...
 
RUDDER - Continuous Configuration (configuration management + continuous aud...
RUDDER - Continuous Configuration (configuration management + continuous aud... RUDDER - Continuous Configuration (configuration management + continuous aud...
RUDDER - Continuous Configuration (configuration management + continuous aud...
 
RUDDER - Continuous Configuration (configuration management + continuous audi...
RUDDER - Continuous Configuration (configuration management + continuous audi...RUDDER - Continuous Configuration (configuration management + continuous audi...
RUDDER - Continuous Configuration (configuration management + continuous audi...
 
OSIS 2017 - Scala REX dans Rudder
OSIS 2017 - Scala REX dans Rudder OSIS 2017 - Scala REX dans Rudder
OSIS 2017 - Scala REX dans Rudder
 
Automating the manual - feedback on including existing systems in configurati...
Automating the manual - feedback on including existing systems in configurati...Automating the manual - feedback on including existing systems in configurati...
Automating the manual - feedback on including existing systems in configurati...
 
Getting data into Rudder
Getting data into RudderGetting data into Rudder
Getting data into Rudder
 
Automate your automation with Rudder’s API! \o/
Automate your automation with Rudder’s API! \o/Automate your automation with Rudder’s API! \o/
Automate your automation with Rudder’s API! \o/
 
Rudder: what's new and what's next? Roadmap, vision and thoughts
Rudder: what's new and what's next? Roadmap, vision and thoughtsRudder: what's new and what's next? Roadmap, vision and thoughts
Rudder: what's new and what's next? Roadmap, vision and thoughts
 
O'Reilly Security - Continuous Auditing For Effective Compliance with Rudder
O'Reilly Security - Continuous Auditing For Effective Compliance with RudderO'Reilly Security - Continuous Auditing For Effective Compliance with Rudder
O'Reilly Security - Continuous Auditing For Effective Compliance with Rudder
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 

Automating security policies (compliance) with Rudder

  • 1. Automating security policies From deployment to auditing with Rudder Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com
  • 2. Who am I ? ● Jonathan Clarke ● Job: Co-founder and CTO at Normation ● Line of work: – Initially system administration, infrastructure management... – Now a whole load of other stuff ! ● Free software: – Co-creator of Rudder – Developer in several LDAP projects: LSC, LTB, OpenLDAP … – Contributor to CFEngine Contact info Email: jcl@normation.com Twitter: @jooooooon42 (that's 7 'o's!) Normation – CC-BY-SA normation.com 2
  • 3. Context IT infrastructure Normation – CC-BY-SA normation.com 3
  • 4. Context IT infrastructure Automation Normation – CC-BY-SA normation.com 4
  • 5. Context IT infrastructure Automation Motivations: Avoid Build new Rebuild hosts Scale out human error hosts quickly quickly quickly Normation – CC-BY-SA normation.com 5
  • 6. Context IT infrastructure Automation Tools: Normation – CC-BY-SA normation.com 6
  • 7. What about compliance? IT infrastructure Compliance? Normation – CC-BY-SA normation.com 7
  • 8. What about compliance? IT infrastructure Compliance? Motivations: Get a Get an Know about Prove complete objective config drift compliance overview overview Normation – CC-BY-SA normation.com 8
  • 9. What about compliance? IT infrastructure Compliance to what? Normation – CC-BY-SA normation.com 9
  • 10. What about compliance? IT infrastructure Compliance to what? Rules come from everywhere: Industry Corporate Laws Best practices regulations regulations Normation – CC-BY-SA normation.com 10
  • 11. What about compliance? IT infrastructure Compliance to what? Practical examples Enforce some MOTD Password Tripwire parameters “warning” policy (disk contents) in a service Normation – CC-BY-SA normation.com 11
  • 12. How is this different from “just” automation? Automation vs Compliance How different is this technically? Normation – CC-BY-SA normation.com 12
  • 13. How is this different from “just” automation? Frequency The more often you check, the more reliable your compliance reporting is. How can you reach this goal? Lightweight, Run “slow” Focus on the efficient agent checks in the security checks background (file copying Reporting can over network...) be done later Normation – CC-BY-SA normation.com 13
  • 14. How is this different from “just” automation? All or nothing Compliance matters on each and every system. Not “most”. All of them. How can you reach this goal? Make sure you Support all the Two systems may know what {old,weird,buggy} be alike on paper, systems exist: {OS,software, they very rarely rely on an versions} are in reality. inventory DB Normation – CC-BY-SA normation.com 14
  • 15. How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Fake ID + Prebook flight to Cayman islands? Normation – CC-BY-SA normation.com 15
  • 16. How is this different from “just” automation? You cannot get it wrong. You cannot get it wrong. You cannot get it wrong. If you care about compliance, “prod” is usually pretty real. How can you reach this goal? Don't touch stuff Start with no changes. Classic you don't need to. Just check. Dry-run? quality Be specific. control Cover full cycles (reviews...) (One line in a file?) (days, weeks, months...) Normation – CC-BY-SA normation.com 16
  • 17. So, what have we actually done? Applied these principles in Normation – CC-BY-SA normation.com 17
  • 18. Introducing Rudder http://rudder.cm/ Specifically designed for Simplified user experience automation & compliance via a Web UI Based on CFEngine 3 Graphical reporting Multi-platform Open Source (packaged for each OS) Vagrant config to test: https://github.com/normation/rudder-vagrant/ Normation – CC-BY-SA normation.com 18
  • 19. Introducing Rudder Normation – CC-BY-SA normation.com 19
  • 20. Key points for security compliance Continuous checking High freqency, trust in Every 5 minutes compliance reporting Reuse implementations, Separate configuration from implementation less bugs, shared code... Clear separation of roles Multi-platform Cover as many systems Linux, Unix, Windows, Android... as possible Reporting Avoid bottleneck Done after the checks, Different report types separate process Normation – CC-BY-SA normation.com 20
  • 21. Rudder - workflow Define Changes security policy (fixes, upgrades...) Management REPORTING c c Technical abstraction Community Expert (method vs parameters) Configure parameters Sysadmins Initial application Configuration agent Continuous verification Normation – CC-BY-SA normation.com 21
  • 22. Final thoughts Summary: - Security compliance is a very demanding type of automation - Possible today with open source tools - Main issue is about how you use them! Next steps? - Authorizations: who can change which parameters? (law vs regulations vs policy...) - Correlate with monitoring data: determine root causes, cross effects... It works but the tools can be improved: - detect changes (inotify?) - even 1 minute not always enough - dry-run iterations automatically? Normation – CC-BY-SA normation.com 23
  • 23. Questions? Follow us on Twitter: @RudderProject Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA normation.com