Security, Identity, and DevOps, oh my - Print

November 15, 2016
Security, Identity, and DevOps, oh my…
Chris Sanchez, Founder and CTO, zibernetics
Twitter - @CSanchezAustin
chris@zibernetics.com

November 15, 2016Post questions to #security-track
Background
• 20+ years in Austin Technology as an Engineer, Manager, Mentor, Executive, and Entrepreneur
• Tech Veteran – iChat/Acuity, CALEB Technologies, Webify, PointSource, 21CT, CognitiveScale, Sun
Microsystems, IBM
• Passion for Identity and DevOps
• Founded zibernetics in 2015
– Research and Development projects
• Identity, HIPAA Security, DevOps, Cloud, Linux
– Consultancy for early stage and growth startups

Pop Quiz: Why is this bad?
pg_hba.conf
host all pgbot 192.168.5.0/24 trust
host all pgbot 172.20.0.0/16 trust
First 2 people to post the most
interesting security issues to the
#security-track with #IdentityOps will
win a bumper sticker. è
#IdentityOps

DevOps is hard because ____
moving fast, lot of tooling, skills, knowledge

What makes it harder?
The Business is moving faster

What makes it harder?
and changing…

and harder
Security is hard

…and harder
Security gets little to no planning

What’s needed?
Security Strategy ó DevOps Strategy

There's no need to fear, IdentityOps is here.
What is IdentityOps?
Security – Treat as a first class citizen
Identity – Right resource, time, reason
DevOps – Security that scales

IdentityOps Essentials

Use Case: SSH Access
– Use Case: Provide user-level access to Linux servers and
support business and IT policy
– Solution Options: SSH Public Key Authentication
– Advantages:
• Well understood and secure solution
• Very good support by all Linux distributions
– Challenges:
• Only provides for authn, not authz
• More operational overhead – e.g. user management

Use Case: SSH Access
• Solution: SSH Fabric
– Model the concept of Users, Layers, Groups, and
Hosts as virtual objects that are overlaid on top of an
existing Linux infrastructure
– Keeps ssh keys centralized in an LDAP Directory (not
authorized_keys file) and deliver real-time for authn
– Advanced authorization that integrates with PAM for
seamless, fine-grained authz
– Centralized policy for sudo access

1) Model Concepts

1) Model Concepts
Layers
Hosts
prod_pub
Groups
Users

2) Centralize SSH Keys
LDAP Schema

Configure SSH: /etc/ssh/sshd_config

Custom Script: sshldap-pubkey.sh

3) Configure PAM
Configure LDAP: /etc/ldap.conf

3) Configure PAM
Force TLS to LDAP

3) Configure PAM
Configure Authz: /etc/pam.d/common-account

3) Configure PAM
Configure Authn: /etc/pam.d/common-auth

3) Configure PAM
Enable LDAP: /etc/nsswitch.conf

Restrict Host Access: /etc/security/access.conf
4) Configure sudo

4) Configure sudo
Create sudo rule: /etc/sudoers.d/sshldap

LDAP and Linux are Connected
5) Test SSH Fabric

5) Test SSH Fabric
Policy Allow: grp_itops, security_admins

5) Test SSH Fabric
Policy Deny: All other

5) Test SSH Fabric
Update Policy

5) Test SSH Fabric
Policy Allow: ops_prv

5) Test SSH Fabric
Policy Allow Sudo: ops-prv-sudo

Use Case: Docker Access
– Use Case: Provide access to Docker runtime
while supporting business and IT policy
– Solution Options: Docker group or Authz plug-in
– Advantages:
• Users don’t require admin access
• Plug-in architecture is very flexible (Authz)
– Challenges:
• Have to rely on local Linux groups
• Docker group or Admin access is required
• Access is coarse – you can do anything

Use Case: Docker Access
• Solution: Docker Fabric
– Model the concept of Users, Layers, Groups, and
Hosts as virtual objects that are overlaid on top of
an existing Linux infrastructure (same as previous
use case)
– Centralized policy for User-level access to Docker
(via TLS and Flask app)
– Keeps rules centralized a repository that are
enforced at runtime (same as previous use case)

2) Centralize Policy for User-level Access
Setup Docker Group: /etc/default/docker

Update Docker socket access: /lib/systemd/system/docker.socket

Create Authz Plugin: /etc/default/docker_fabric_authz

Create Authz Plugin: /etc/systemd/system/docker.service.d/docker_fabric_authz.conf

Create Authz Plugin: /usr/local/bin/docker_fabric_authz.py

export theUser="Branton Davis”
alias dockera="docker -H=$(hostname):2376
--tlsverify
--tlscacert=/etc/zinet/pki/server/zibernetics-int-cacert.crt
--tlscert="/etc/zinet/pki/user/${theUser}.crt"
--tlskey="/etc/zinet/pki/user/${theUser}.ukey" "
4) Test Docker Fabric

Policy Deny: All others

Update Policy

Policy Allow: ops_prv

IdentityOps Summary
DirectoryBusiness Policies Linux. Docker

IdentityOps Summary
Centralized, real-time policy for
access management
Uniform application of policy and
real-time enforcement
Better operational efficiency
Enable use cases: least privilege,
nonrepudiation, segregation of
duties, auditability

W: http://www.zibernetics.com T: @CSanchezAustin E: chris@zibernetics.com
First person to post Wile E. Coyote’s
middle name to the #security-track
with #IdentityOps will win a bumper
sticker. è
#IdentityOps

Thank you!
W: http://www.zibernetics.com T: @CSanchezAustin E: chris@zibernetics.com

Security, Identity, and DevOps, oh my - Print

Recommended

More Related Content

Viewers also liked (20)

Similar to Security, Identity, and DevOps, oh my - Print (20)

Recently uploaded (20)

Security, Identity, and DevOps, oh my - Print