Shifting Left on Cloud Security to Develop and Deploy Faster
Josh Stella, Co-founder & CTO of Fugue
What is Shift Left?
Shift Left is an approach to software testing in which testing is performed earlier in the software development lifecycle (SDLC).
Today, we’re applying Shift Left to cloud infrastructure security.
The software development lifecycle
Requirements → Design → Develop → Test → Deploy → Review
Why Shift Left on security and compliance?
Change early in the lifecycle is easier, faster, and less expensive.
Change late in the lifecycle is more difficult, takes longer, and is more expensive.
A simplified representation of the SDLC
Develop → Test → Deploy → Monitor
Current: security and compliance happens late
Security and compliance checks usually happen late in the lifecycle:
• As a gating function: approvals, certifications, Authority to Operate (ATO)
• As a reactionary function: monitoring, remediating, reporting, auditing
The feedback loop back to developers is poor.
Competing priorities pit teams against each other
• Security Teams need to ensure that sensitive data and systems are secure.
• Compliance Teams need to ensure IT environments adhere to policy.
• Developers and Ops Teams (DevOps) need to move fast, deploy frequently, and innovate.
Goal: integrate policy checks earlier in the SDLC
• Save time
• Save money
• Move faster
• Be more secure and compliant
Establish trust and collaboration between teams
Shift Left doesn’t mean…
• Shifting security and compliance from one stage of the lifecycle to another
• That security and compliance teams should move the gates to the left
We still need to do what we’ve been doing
Monitoring, remediating, reporting, auditing, approvals, certifications, ATO
But we can empower developers to validate their work
Developer tools, unit tests, integration tests
Validation reinforces security and compliance
Developer tools, unit tests, integration tests, automation
What is security and compliance?
An agreed set of truths as to what’s allowed and what is safe.
Typically expressed in English, in docs, or worse, verbally.
Without a single source of truth, you have multiple interpretations of truth, and multiple sources of distrust.
And you can’t Shift Left.
Shift Left must live in the developer’s context
• Tools that work with developers’ toolchains
• Automation tools for checking their work
• Policy-as-Code validation
The shared-responsibility model of the cloud
The customer is responsible for the security on the cloud, including the configuration of the cloud services!
The Cloud Service Provider is responsible for the security of the cloud.
Stack layers: Data, Application, Runtime, O/S, Cloud Config, Virtualization, Servers, Storage, Networking
Shift Left typically ignores cloud infrastructure
Cloud infrastructure configuration is often neglected. This is our focus.
Cloud misconfiguration: a big security risk
“The complexities of cloud computing, and the chance of human error, will bite you in the butt.”
⎯ David Linthicum, InfoWorld | OCT 5, 2018
Cloud risks are very real
93% CONCERNED FOR MAJOR SECURITY BREACH DUE TO MISCONFIGURATION
The cloud creates new security challenges
• API-driven infrastructure: Highly dynamic, on-demand environments. Developers are making infrastructure decisions.
• Challenges at scale: Is everything in compliance? Can we maintain compliance while moving fast at scale?
• New services and operational patterns: Old security models are broken. Effectively infinite configuration options.
Common types of cloud infrastructure policy violations
• IAM: 66%
• Object storage access policies: 51%
• Security group rules: 59%
• Encryption in transit disabled: 42%
What’s causing cloud misconfiguration?
• Human error: 64%
• Lack of team awareness of security & policies: 54%
• Lack of adequate control & oversight: 49%
HIPAA, PCI, NIST 800-53, GDPR, SOC 2, CIS, ISO 27001
Typical response: restrict access and innovation
• Manual certifications and approvals
• Locking down cloud consoles
• Provisioning guardrails
Alternate approach: Baselining
“Leverage hardened baselines within infrastructure automation practices, and maintain vetted builds in VCSs for organizational teams to instantiate from. Audit assets at build time, delivery time and runtime to account for new dependencies or environment drift.”
⎯ Michael Isbitski, Gartner | MAY 9, 2019
• The baseline is a complete picture of a cloud infrastructure environment and how everything is configured.
• It serves as a contract between Development, Operations, Security, and Compliance.
• It provides the basis for shifting left on cloud security and compliance based on a single source of trust.
Baselining drives Shift Left and cloud security
DevSecOps / Shift Left: ESTABLISH A KNOWN-GOOD BASELINE
• Automate policy-as-code validation to identify compliance violations early
• Integrate policy checks into CI/CD and provisioning tools for agility and speed
Cloud Security: ENFORCE THE KNOWN-GOOD BASELINE
• Identify unauthorized infrastructure changes and policy violations
• Automatically revert drift back to the known-good baseline for critical resources
[Figure: policy validation pipeline. Client → version control (GitHub) → CI/CD (Jenkins job) → provisioning tool → cloud accounts (Development, QA, Production). Compositions are checked against validation libraries (unit tests). Validation Failed: fix error in the noncompliant composition and try again. Validation Passed: automated provisioning, then integration tests.]
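The validation gate in this pipeline and the baseline enforcement step can be sketched in a few functions. This is an added example, not code from the talk or from Fugue; the resource schema, the rule names and the `validate`, `drift` and `gate` functions are hypothetical, chosen to cover the violation types listed earlier (IAM, object storage access, security group rules, encryption in transit).

```python
# Added example. The resource schema below is constructed for illustration;
# it is not Fugue's composition format or any cloud provider's API.
COMPOSITION = {  # what a developer commits to version control
    "web_sg": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                           {"port": 22, "cidr": "0.0.0.0/0"}]},
    "logs": {"type": "bucket", "public_read": False, "require_tls": False},
    "ci_role": {"type": "iam_policy",
                "statements": [{"effect": "Allow", "action": "*", "resource": "*"}]},
}

def validate(composition):
    """Return a sorted list of (resource, rule) violations; empty means pass."""
    found = []
    for name, res in composition.items():
        kind = res.get("type")
        if kind == "security_group":
            for rule in res.get("ingress", []):
                # This example policy accepts world-open ingress on 443 only.
                if rule["cidr"] == "0.0.0.0/0" and rule["port"] != 443:
                    found.append((name, "sg-open-ingress-port-%d" % rule["port"]))
        elif kind == "bucket":
            if res.get("public_read", False):
                found.append((name, "bucket-public-read"))
            if not res.get("require_tls", False):
                found.append((name, "bucket-tls-not-enforced"))
        elif kind == "iam_policy":
            for st in res.get("statements", []):
                if st["effect"] == "Allow" and "*" in (st["action"], st["resource"]):
                    found.append((name, "iam-wildcard-allow"))
    return sorted(found)

def drift(baseline, observed):
    """Compare running state to the known-good baseline, per resource."""
    report = {}
    for name in sorted(set(baseline) | set(observed)):
        if name not in observed:
            report[name] = "missing"
        elif name not in baseline:
            report[name] = "unauthorized"
        elif baseline[name] != observed[name]:
            report[name] = "modified"
    return report

def gate(composition):
    """CI step: 0 lets automated provisioning proceed, 1 sends the change back."""
    return 1 if validate(composition) else 0
```

The same `validate` rules can run on a developer workstation, in the CI job, and against observed state, so all teams read one definition of the policy.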
BUILD IN POLICY CONTROLS AT EVERY STAGE OF THE SDLC
Aligning teams, building trust, moving fast
• Compliance Teams can automate policy checks earlier in the SDLC and gain better visibility into the CI/CD pipeline.
• Developers and Ops Teams (DevOps) can move faster by identifying and fixing security problems earlier in the SDLC.
• Security Teams can protect critical resources and data from a breach by eliminating misconfiguration prior to deployment.
Where to start?
APPLY A POLICY TO AN EXISTING CLOUD ENVIRONMENT
• Identify violations
• Work with developers to fix issues
• Use CIS Benchmark
LEARN WHAT YOUR APP DEVELOPERS ARE DOING
• CI/CD tools
• Infrastructure-as-code
• Policy checks
• Security best practices
IDENTIFY CRITICAL CLOUD RESOURCES AND ESTABLISH BASELINES
• Sensitive data
• Access controls/IAM
• Monitor for drift
• Enforce baselines
Questions?