Security and Advanced Automation in the Enterprise

Security and Advanced Automation in the Enterprise Phil Christensen Senior Systems Engineer, DevOps Logicworks www.logicworks.net ©2015 Logicworks. All Rights Reserved.

Transcript of Security and Advanced Automation in the Enterprise

Page 1: Security and Advanced Automation in the Enterprise

Security and Advanced Automation in the Enterprise. Phil Christensen, Senior Systems Engineer, DevOps, Logicworks. www.logicworks.net

©2015 Logicworks. All Rights Reserved.

Page 2: Security and Advanced Automation in the Enterprise


Agenda

- Why automate security?
- Best practices during build, maintenance, and monitoring
- What can be automated? Automate all the things!

Page 3: Security and Advanced Automation in the Enterprise


What’s the problem?

Cloud engineers manage huge, complex systems

Automated deployments encourage adoption of evolving standards

Page 4: Security and Advanced Automation in the Enterprise


What’s the problem?

Security often has the highest priority during infrastructure build-out.

How to ensure both new and legacy builds gain the benefits of evolving standards?

Page 5: Security and Advanced Automation in the Enterprise


Why Automate? Issues w/ Manual Security

Human Error

The limitations of human memory

Inconsistent naming conventions

Time suck as environment grows

Auditors have a lot to dig through

Slower deploys

Page 6: Security and Advanced Automation in the Enterprise

Why Automate? Basic Principles of SecOps

Manual work = risk

- Separate configuration and code
- Code it once and maintain templates, not instances
- No/limited custom configurations
- Ensure historical vulnerabilities continue to be patched

Page 7: Security and Advanced Automation in the Enterprise

Best Practices

Page 8: Security and Advanced Automation in the Enterprise

Best Practices: Architecture Overview

- Infrastructure Buildout
- Configuration Management
- Iterative Deployment
- Process Monitoring

Page 10: Security and Advanced Automation in the Enterprise


Best Practices: Infrastructure Buildout

CHALLENGES:

- Need a new, identical environment for every client
- Quick turnaround
- HIPAA compliance
- Many unique security requirements

SOLUTION:

- CloudFormation allows us to spin up a completely new environment in hours
- No manual security group configuration, no AWS Identity and Access Management (IAM) role configuration
- Consistent configuration, so updates / security patches are near-simultaneous
- "Guaranteed" compliance
- Consistent naming conventions

Page 11: Security and Advanced Automation in the Enterprise

Best Practices: Infrastructure Buildout


Master CloudFormation Stack

{
  "Resources" : {
    "mao-prod" : {
      "Type" : "AWS::CloudFormation::Stack",
      "Properties" : {
        "TemplateURL" : "https://s3.amazonaws.com/orion-cf-templates/orion-master-env-cfn.json",
        "Parameters" : {
          "EnvironmentName": "mao-prod",
          "EnvironmentNetwork": "10.64.100.0/24",
          "ManagementAZ": "a",
          "PrimaryAZ": "b",
          "SecondaryAZ": "c",
          "KeyPair": "lw-orion",
          "DhcpDomainName": "orionhealth.com",
          "DhcpNs1": "10.64.196.246",
          "DhcpNs2": "10.64.196.246",
          "DhcpNtp": "10.64.196.246",
          "DhcpNetbios": "10.64.196.246",
          "GatewayAccessCidr": "206.252.134.18/32",
          "ManagementDefaultGateway": "10.64.100.1",
          "ManagementPrivateCidr": "10.64.100.0/27",
          "ManagementPublicCidr": "10.64.100.32/27",
          "PrimaryPrivateCidr": "10.64.100.64/27",
          "PrimaryPublicCidr": "10.64.100.128/26",
          "SecondaryPrivateCidr": "10.64.100.96/27",
          "SecondaryPublicCidr": "10.64.100.192/26"
        }
      }
    },

(the remaining child stacks of the same "Resources" block follow on the next slide)

Page 12: Security and Advanced Automation in the Enterprise

Best Practices: Infrastructure Buildout


Master CloudFormation Stack (continued)

    "clx-prod" : {
      "Type" : "AWS::CloudFormation::Stack",
      "Properties" : {
        "TemplateURL" : "https://s3.amazonaws.com/orion-cf-templates/orion-master-env-cfn.json",
        "Parameters" : {
          "EnvironmentName": "clx-prod",
          "EnvironmentNetwork": "10.64.101.0/24",
          ...
        }
      }
    },
    "clx-dev" : {
      "Type" : "AWS::CloudFormation::Stack",
      "Properties" : {
        "TemplateURL" : "https://s3.amazonaws.com/orion-cf-templates/orion-master-env-cfn.json",
        "Parameters" : {
          "EnvironmentName": "clx-dev",
          "EnvironmentNetwork": "10.64.110.0/24",
          ...
        }
      }
    }
  }
}
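The master stack above hands each child environment its own EnvironmentNetwork and six per-AZ subnet CIDRs, and the deck later credits CloudFormation with subnet sizing and consistent naming. The check below is an added example written for this page, not Logicworks code and not part of the deck: it reads a master stack, verifies that every child subnet lies inside its EnvironmentNetwork and that no two subnets or environments overlap, and confirms EnvironmentName matches the resource's logical ID and the "<client>-<tier>" pattern the slide's names follow. The sample stack is constructed: "mao-prod" carries the subnet values from the slide (DHCP and gateway parameters omitted), while "clx-dev" is given made-up subnets because the slide elides them, and the naming pattern is this example's assumption.

```python
"""Added example (not Logicworks code): validate subnet sizing and naming for
every child stack declared in a master CloudFormation stack."""
import ipaddress
import itertools
import json
import re

# Subnet-valued parameters of the environment template, named as on the slide.
SUBNET_PARAMS = (
    "ManagementPrivateCidr", "ManagementPublicCidr",
    "PrimaryPrivateCidr", "PrimaryPublicCidr",
    "SecondaryPrivateCidr", "SecondaryPublicCidr",
)
# Assumed naming convention: client code, dash, environment tier (as in mao-prod, clx-dev).
NAME_PATTERN = re.compile(r"^[a-z][a-z0-9]*-(prod|dev|test)$")

# Constructed sample. "mao-prod" mirrors the slide's subnet parameters (DHCP and
# gateway parameters omitted); "clx-dev" uses constructed subnets because the
# slide elides them with "...".
MASTER_STACK = json.loads("""
{
  "Resources": {
    "mao-prod": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {"Parameters": {
        "EnvironmentName": "mao-prod",
        "EnvironmentNetwork": "10.64.100.0/24",
        "ManagementPrivateCidr": "10.64.100.0/27",
        "ManagementPublicCidr": "10.64.100.32/27",
        "PrimaryPrivateCidr": "10.64.100.64/27",
        "PrimaryPublicCidr": "10.64.100.128/26",
        "SecondaryPrivateCidr": "10.64.100.96/27",
        "SecondaryPublicCidr": "10.64.100.192/26"
      }}
    },
    "clx-dev": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {"Parameters": {
        "EnvironmentName": "clx-dev",
        "EnvironmentNetwork": "10.64.110.0/24",
        "ManagementPrivateCidr": "10.64.110.0/27",
        "ManagementPublicCidr": "10.64.110.32/27",
        "PrimaryPrivateCidr": "10.64.110.64/27",
        "PrimaryPublicCidr": "10.64.110.128/26",
        "SecondaryPrivateCidr": "10.64.110.96/27",
        "SecondaryPublicCidr": "10.64.110.192/26"
      }}
    }
  }
}
""")


def check_environment(logical_id, params):
    """Return the problems found in one child stack's parameters ([] means it passes)."""
    problems = []
    name = params.get("EnvironmentName")
    if name != logical_id:
        problems.append(f"EnvironmentName {name!r} does not match logical ID {logical_id!r}")
    if not NAME_PATTERN.match(str(name)):
        problems.append(f"EnvironmentName {name!r} violates the naming convention")
    try:
        env = ipaddress.ip_network(params["EnvironmentNetwork"], strict=True)
    except (KeyError, ValueError) as exc:
        return problems + [f"EnvironmentNetwork: {exc}"]
    subnets = {}
    for key in SUBNET_PARAMS:
        try:
            net = ipaddress.ip_network(params[key], strict=True)  # strict: no host bits set
        except (KeyError, ValueError) as exc:
            problems.append(f"{key}: {exc}")
            continue
        if not net.subnet_of(env):
            problems.append(f"{key} {net} lies outside {env}")
        subnets[key] = net
    for (ka, na), (kb, nb) in itertools.combinations(subnets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{ka} {na} overlaps {kb} {nb}")
    return problems


def check_master_stack(stack):
    """Check every nested stack and that no two environments share address space."""
    report, envs = {}, {}
    for logical_id, res in stack["Resources"].items():
        if res.get("Type") != "AWS::CloudFormation::Stack":
            continue
        params = res["Properties"]["Parameters"]
        report[logical_id] = check_environment(logical_id, params)
        try:
            envs[logical_id] = ipaddress.ip_network(params["EnvironmentNetwork"])
        except (KeyError, ValueError):
            pass  # already reported by check_environment
    for (a, na), (b, nb) in itertools.combinations(envs.items(), 2):
        if na.overlaps(nb):
            report[a].append(f"EnvironmentNetwork {na} overlaps {b} ({nb})")
    return report
```

Run against the sample, both environments pass; the slide's six /27 and /26 blocks tile the /24 exactly. Wiring this into the pipeline that creates the master stack turns "consistent subnet sizing" from a convention into a gate: an environment copied with a typo in one CIDR, or two clients accidentally given the same network, fails before CloudFormation is ever called.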

Page 13: Security and Advanced Automation in the Enterprise

Best Practices: Infrastructure Buildout


CloudFormation

COOL TRICKS:

- Register static ENIs to enable support for fixed private IPs, simplifying route management
- Manage LaunchConfiguration updates and reduce confusion in Auto Scaling groups
- Easily test the boot process by terminating instances in fixed-size Auto Scaling groups

WHAT CLOUDFORMATION DOES:

- Build the network foundation
- Configure gateways and access points
- Install management services, like Puppet
- Allocate Amazon S3 buckets
- Attach encrypted volumes
- Control and manage access through IAM
- Register DNS names with Amazon Route 53
- Configure log shipping and retention

Page 14: Security and Advanced Automation in the Enterprise


Best Practices: Configuration Management

CHALLENGES:

- Quick turnaround: the previous MSP suddenly ceased operations
- Global presence, end-users mostly in Europe
- PCI compliance requirements

SOLUTION:

- The most crucial part of an instance's lifetime is standard across instances
- Continual check-in rolls back non-authorized changes
- Living single source of truth on instance configuration
- Changes are recorded
- Prevents regressions

Page 15: Security and Advanced Automation in the Enterprise

Best Practices: Configuration Management


BASH vs. Puppet

BASH

Puppet

Page 16: Security and Advanced Automation in the Enterprise

Best Practices: Configuration Management


Puppet

COOL TRICKS:

- Functions run on the PuppetMaster, so sensitive AWS API calls can be made from custom Puppet functions; only the PuppetMaster needs privileged API access
- Puppet 'apply' can configure assets before a PuppetMaster even exists, making it possible to bootstrap an entire environment from scratch
- Puppet's idempotent design ensures manifests can be re-applied to snapshotted AMIs without issue; save time on boot by saving an interstitial image

STUFF THAT NEEDS TO HAPPEN:

- Configure hostnames
- Bind the instance to central authentication
- Require MFA on the bastion host
- Install NTP, an MTA, and other essentials
- Install log shipping and monitoring software
- Install IDS agents (AlertLogic)
- Provision the machine for deploy

Page 17: Security and Advanced Automation in the Enterprise


Best Practices: Deploy

CHALLENGES:

- Agile development process
- Catch-22: auto scaling happens often, and they want instances up quickly with the latest version of the software
- Make sure instances do not get added to the load balancer before they're ready

SOLUTION:

- CodeDeploy ensures that all your instances have the latest software
- Simultaneous deployment across the auto scaling group maintains HA
- Respond to security threats quickly
- Jenkins is also suitable, but requires custom build scripts for AWS

Page 18: Security and Advanced Automation in the Enterprise

Best Practices: Deploy


CodeDeploy Overview

Page 19: Security and Advanced Automation in the Enterprise

Best Practices: Deploy


CodeDeploy

STUFF THAT NEEDS TO HAPPEN:

1. Create the deployable content, add an AppSpec file, and bundle them into an archive file
2. Upload the archive file to Amazon S3 or GitHub
3. Provide CodeDeploy with information about which set of instances to deploy the revision to
4. The Agent polls CodeDeploy to determine what and when to pull the revision from the S3 bucket or GitHub repository
5. The Agent pulls the revision and starts deploying the contents to that instance, following the instructions in the AppSpec file

Page 20: Security and Advanced Automation in the Enterprise


Best Practices: Monitoring

- Customized dashboards
- Automated reporting
- Trend analysis
- First response
- Change monitoring with AWS CloudTrail integration
- IAM reporting
- Geographic awareness of data
- Visibility into key security settings
- Cost analysis
- Threat Manager (IDS)
- Log Manager collects, parses, and analyses data
- Custom reporting

Page 21: Security and Advanced Automation in the Enterprise

Automate All The Things!

Page 22: Security and Advanced Automation in the Enterprise


Automate All The Things

Feature                      Tool
Security Groups              CloudFormation
Network ACL (Firewall)       CloudFormation
Subnet Sizing                CloudFormation
Naming                       CloudFormation, Puppet
Authentication               Puppet
Encryption                   CloudFormation (S3), Puppet (GPG)
Anti-Virus                   Puppet
Hosts/Users                  Puppet
Software Versions            Puppet
Log Shipping / Aggregator    Puppet

Page 23: Security and Advanced Automation in the Enterprise


Automate All The Things: Security Groups

Inconsistent naming conventions are a bigger security threat than many think.

Page 24: Security and Advanced Automation in the Enterprise


Automate All The Things: Encryption

BEST PRACTICES:

- Create encrypted Amazon Elastic Block Store (Amazon EBS) volumes to store the most sensitive data
- Use S3 bucket policies to force use of server-side encryption
- Use Puppet to configure applications to use encrypted storage for sensitive data
- Force SSL ciphers and encryption standards across all web hosts

{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::YourBucket/*",
    "Condition": {
      "StringNotEquals": {
        "s3:x-amz-server-side-encryption": "AES256"
      }
    }
  }]
}
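To see what the bucket policy on this slide actually enforces, the following added example (written for this page; not Logicworks code and not from the deck) evaluates it against constructed PutObject requests. It models only the policy features the slide uses: Deny statements, a single Action, a Resource ARN with a trailing wildcard, and StringNotEquals conditions. The treatment of a request that sends no x-amz-server-side-encryption header at all is a modelling choice of this example (the header value is simply "not AES256", so the Deny applies); the AWS evaluation rules for absent condition keys are not restated here. The bucket name YourBucket is the slide's own placeholder.

```python
"""Added example (not Logicworks code): evaluate the slide's S3 bucket policy
against sample PutObject requests and report which SSE modes it lets through."""
import fnmatch
import json

# Bucket policy from the slide; "YourBucket" is the slide's own placeholder.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::YourBucket/*",
    "Condition": {
      "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
    }
  }]
}
""")

SSE_HEADER = "s3:x-amz-server-side-encryption"


def _as_list(value):
    """IAM allows a string or a list of strings in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True if every operator in the Condition block holds for this request context.

    Modelling choice for this example: StringNotEquals holds whenever the context
    value is absent or differs from every listed value. It is an assumption made
    here for the demonstration, not a description of IAM internals.
    """
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for ctx_key, wanted in pairs.items():
            if context.get(ctx_key) in _as_list(wanted):
                return False
    return True


def evaluate_put_object(policy, bucket, key, context):
    """Return ("Deny", Sid) if a Deny statement matches, else ("Allow", None).

    The default here is Allow so that the example isolates what the Deny blocks;
    in a real account the caller still needs an explicit Allow somewhere.
    """
    resource = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return ("Deny", stmt["Sid"])
    return ("Allow", None)


def accepted_sse_modes(policy, bucket, key="probe.txt"):
    """Which x-amz-server-side-encryption values (None = header absent) get past the policy.

    Against the slide's policy this returns {"AES256"}: a KMS-encrypted upload
    (aws:kms) is denied as well, because the condition accepts AES256 only.
    """
    accepted = set()
    for mode in (None, "AES256", "aws:kms"):
        context = {} if mode is None else {SSE_HEADER: mode}
        if evaluate_put_object(policy, bucket, key, context)[0] == "Allow":
            accepted.add(mode)
    return accepted
```

Two things worth noticing when running it: the policy is scoped to one bucket (uploads to another bucket are untouched), and it blocks more than plaintext uploads, since a client that asks for SSE-KMS is denied too. If an environment is meant to use KMS-managed keys, the condition value has to say so; a bucket policy of this shape is a gate on new uploads only and does nothing for objects already stored.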

Page 25: Security and Advanced Automation in the Enterprise


Automate All The Things: Authentication

BEST PRACTICES:

- Bind all instances to ActiveDirectory domain control at boot
- Install MFA extensions
- Import custom root CA certificates into Java keystores
- Puppet-managed sudo access

MANAGING SECRETS:

- Use Amazon EC2 instance roles to grant limited access to S3 for fetching credentials files
- Pass sensitive parameters into your Puppet classes instead of hard-coding them
- Use Hiera to configure credentials for each environment dynamically

Page 26: Security and Advanced Automation in the Enterprise


Automate All The Things: Authentication

/etc/puppet/hiera.yaml:

---
:backends: yaml
:yaml:
  :datadir: /etc/puppet/hiera.d
:hierarchy:
  - "%{::environment}"
  - common
:logger: puppet

/etc/puppet/hiera.d/production.yml:

authentication::ad_netbios_name: "DOMAIN"
authentication::ad_realm_name: "domain.example.com"
authentication::ad_bind_username: "ec2-bin"
authentication::ad_bind_passwd: "BynbeQuocs"

/etc/puppet/hiera.d/testing.yml:

authentication::ad_netbios_name: "TEST"
authentication::ad_realm_name: "test.example.com"
authentication::ad_bind_username: "ec2-bin"
authentication::ad_bind_passwd: "lymKuaj5"
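The hierarchy on this slide is what makes the same Puppet class pick up production credentials on one node and test credentials on another. The added example below (written for this page; not Logicworks code, not from the deck) reproduces that resolution: it interpolates %{::environment} into the hierarchy, walks the data files in priority order, and returns the first hit, falling through to common.yml when the environment file lacks a key or does not exist. It also scans the data files for credential-looking keys, which is the check a reviewer would want given the deck's advice to fetch credentials files via instance roles rather than hard-code them. The data files are constructed strings in the slide's flat "key: value" form (the bind passwords replaced by placeholders, and a common.yml assumed for the fall-through case), parsed by a small purpose-built reader rather than a YAML library.

```python
"""Added example (not Logicworks code): resolve Hiera lookups through the
hierarchy shown on the slide and flag credential keys stored in plain text."""
import re

# Hierarchy from the slide's /etc/puppet/hiera.yaml: environment file first, then common.
HIERARCHY = ["%{::environment}", "common"]

# Constructed data directory. production and testing follow the slide's files with
# the passwords replaced by placeholders; common is assumed for the fall-through case.
DATA_FILES = {
    "production": '''
authentication::ad_netbios_name: "DOMAIN"
authentication::ad_realm_name: "domain.example.com"
authentication::ad_bind_username: "ec2-bin"
authentication::ad_bind_passwd: "PROD-PASSWORD-PLACEHOLDER"
''',
    "testing": '''
authentication::ad_netbios_name: "TEST"
authentication::ad_realm_name: "test.example.com"
authentication::ad_bind_username: "ec2-bin"
authentication::ad_bind_passwd: "TEST-PASSWORD-PLACEHOLDER"
''',
    "common": '''
# Defaults every environment inherits unless its own file overrides them.
authentication::ad_bind_username: "svc-default"
ntp::servers: "10.64.196.246"
''',
}

# Keys whose values should never sit in a plain data file.
SECRET_KEY = re.compile(r"passw(or)?d|secret|token|private_key", re.IGNORECASE)


def parse_flat_yaml(text):
    """Parse the flat 'key: "value"' lines the slide's data files use (a YAML subset)."""
    data = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")  # keys may contain '::', values never ': '
        if not sep:
            raise ValueError(f"unsupported line: {line!r}")
        data[key.strip()] = value.strip().strip('"')
    return data


def interpolate(source, scope):
    """Replace %{::name} and %{name} tokens with values from the node's top scope."""
    return re.sub(r"%\{(?:::)?(\w+)\}", lambda m: str(scope[m.group(1)]), source)


def hiera_lookup(key, scope, hierarchy=HIERARCHY, data_files=DATA_FILES):
    """First-match lookup down the hierarchy, as Hiera's priority resolution does."""
    for source in hierarchy:
        name = interpolate(source, scope)
        if name not in data_files:
            continue  # a hierarchy level with no data file is skipped, not an error
        data = parse_flat_yaml(data_files[name])
        if key in data:
            return data[key]
    return None


def plaintext_secrets(data_files=DATA_FILES):
    """List (file, key) pairs whose key looks like a credential stored in clear text."""
    hits = []
    for name, text in data_files.items():
        for key in parse_flat_yaml(text):
            if SECRET_KEY.search(key):
                hits.append((name, key))
    return hits
```

The lookup shows the intended behaviour (a node with environment=production gets domain.example.com, a testing node gets test.example.com, and a key absent from the environment file resolves from common), and the scan shows the cost of the layout as drawn on the slide: every environment's bind password lives in clear text on the PuppetMaster, readable by anyone who can read /etc/puppet/hiera.d, which is the situation the deck's "managing secrets" bullets are meant to avoid.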

Page 27: Security and Advanced Automation in the Enterprise

About Logicworks


Global leader in enterprise cloud strategy and managed hosting, offering a single provider solution for improving the performance, availability, and security of mission-critical IT systems.

Services:

- Enterprise Cloud Strategy
- Managed Private Cloud
- Security and Compliance
- Managed AWS

- Trusted advisor for enterprises moving to the cloud
- Over 20 years of experience managing complex enterprise IT systems
- Premier AWS Partner with dedicated AWS DevOps team
- Average architect and engineer experience >20 years
- Security and compliance expertise for Healthcare, Financial Services, eCommerce, and Government organizations

Page 28: Security and Advanced Automation in the Enterprise

Thank you


Phil Christensen Logicworks www.logicworks.net

Visit Logicworks’ Booth #217 for more information on AWS Managed Services