Compliance as Code

Compliance as Code Nathen Harvey VP, Community Development @nathenharvey

INTRODUCTIONS Nathen Harvey VP, Community Development Chef Software, Inc. @nathenharvey
.

This is a true story... Auditor: "Communication from your network
devices to your authentication server must be encrypted."

This is a true story... Auditor: "Communication from your network
devices to your authentication server must be encrypted." Me: "We use BlahBlah TACACS+ server. You can't disable encryption."

This is a true story... Auditor: "Okay. Please show me
that encryption is enabled in your configuration."

This is a true story... Auditor: "Okay. Please show me
that encryption is enabled in your configuration." Me: "Um… I can't. I can't disable it, so I can't show you where it's enabled. But I can show you that I'm using BlahBlah TACACS+ server."

This is a true story... Auditor: "Can you show me
how you can't disable it?"

This is a true story... Auditor: "Can you show me
how you can't disable it?" Me:

This is a true story... Me: "How about I show
you where I configured the encryption key? Is that good enough?"

This is a true story... Me: "How about I show
you where I configured the encryption key? Is that good enough?" Auditor: "Ummmm… sure."

Why did I tell you this? •  How to prove
"compliance" might not be obvious •  What the auditor was looking for can be automated •  This happened multiple times a year •  We really need to automate

OMG so much compliance •  PCI-DSS •  Dodd-Frank •  HITECH
•  ISO •  HIPAA •  Grundschutz •  Sarbanes-Oxley •  General Data Protection Regulation (GDPR) •  Gramm-Leach-Bliley Act

ABA: Always Be Automating

Compliance: the everlasting roadblock...

Product Ideas and Features

Compliance: the everlasting roadblock...

The OODA Loop Observe Orient Decide Act

OODA: Observe •  How do you know when it's time
for a new compliance control? •  Who is responsible?

An Example from Documentation 404.3.5: Communication between network devices and
central authentication systems must be encrypted at all times.

OODA: Orient

I can totally script that... $ grep "key" /etc/tac_plus.conf |
sed 's/key = //' s00persecretkey $

...but there's no context.

Install TACACS+

A tale of three personas...

… and a single language.

From lemons... $ grep "key" /etc/tac_plus.conf | sed 's/key =
//' s00persecretkey $

… create lemonade! describe ini('/etc/tac_plus/tac_plus.conf') do its('key') { should_not be_nil
} end

… create lemonade! control 'sox-404.3.5' do title 'Network Device to
Central Auth Encryption' impact 1.0 desc " All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it." describe ini('/etc/tac_plus/tac_plus.conf') do its('key') { should_not be_nil } end end

Map Documentation to Controls control 'sox-404.3.5' do title 'Network Device
to Central Auth Encryption' impact 1.0 desc " All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it." describe ini('/etc/tac_plus/tac_plus.conf') do its('key') { should_not be_nil } end end 404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.

Share Context control 'sox-404.3.5' do title 'Network Device to Central
Auth Encryption' impact 1.0 desc " All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it." describe ini('/etc/tac_plus/tac_plus.conf') do its('key') { should_not be_nil } end end 404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.

Automate Test Execution control 'sox-404.3.5' do title 'Network Device to
Central Auth Encryption' impact 1.0 desc " All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it." describe ini('/etc/tac_plus/tac_plus.conf') do its('key') { should_not be_nil } end end 404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.

One Language •  Linux •  Windows •  BSD •  Solaris
•  AIX •  … and more

Yup, I said Windows... control 'windows-base-201' do impact 1.0 title
'Strong Windows NTLMv2 Authentication Enabled' desc 'http://support.microsoft.com/en-us/kb/823659' describe registry_key('HKLM\System\CurrentControlSet\Control\Lsa') do it { should exist } its('LmCompatibilityLevel') { should cmp 4 } end end

One Language •  Bare Metal •  VMs •  Containers

Test Locally $ inspec exec /path/to/profile

Test Remotely $ inspec exec /path/to/profile -i ssh.key -t ssh://me@myhost

Test Remotely $ inspec exec /path/to/profile -t winrm://me@myhost --password secret

Test Remotely $ inspec exec /path/to/profile -t docker://3cc8837bb6a8

Test via Chef Client Runs Chef Client Chef Server Chef
Automate InSpec via "audit" cookbook

Test via Test Kitchen verifier: name: inspec inspec_tests: - name:
company-base compliance: company/base-profile - name: app1 compliance: company/app1-profile

Compliance at every step

OODA: Decide •  How urgent is this? •  Where does
this fall in our backlog? •  How do we become compliant?

Assessing Impact and Priority control 'sox-404.3.5' do title 'Network Device
to Central Auth Encryption' impact 1.0 desc " All communication between network devices and central auth must be encrypted. Our TACACS+ servers encrypt all the time and the presence of a pre-shared key proves it." describe ini('/etc/tac_plus/tac_plus.conf') do its('key') { should_not be_nil } end end 404.3.5: Communication between network devices and central authentication systems must be encrypted at all times.

Assessing Impact and Priority control 'no-telnet' do title 'telnet not
installed' impact 0.5 tag 'pci' ref 'pci stage 1', url: 'https://wiki.mycompany.biz/…' desc " PCI-DSS requires all admin traffic to be encrypted. Telnet is not encrypted and is therefore not permitted." describe package('telnetd') do it { should_not be_installed } end end

OODA: Act •  What does remediation look like? •  Can
I test my remediation steps?

Compliance at every step

Why InSpec? •  Break down silos between organizations •  Codify
your compliance agreements and requirements •  Share context about your compliance requirements •  Achieve safety at velocity with compliance at every step

55% Step one: Detect Gain visibility into current status to
satisfy audits and drive decision-making of organizations do compliance assessments inconsistently or not at all. Apply policies and gain a complete view across the fleet ▪  Accurately assess risk ▪  Prioritize remediation actions ▪  Maintain audit readiness ▪  Create and adjust policies ” Continuous visibility means that you enter into audits knowing the outcome. Jon Williams, NIU ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
✓ ✓ ✓ Step two: Correct Remediate issues to improve performance and security ▪  Prioritize actions based on impact ▪  Improve application performance ▪  Close security holes ▪  Prove policy compliance Web & Media Giant Can patch 250,000 nodes within 6 hours of a patch being made available Develop, test, and deploy remediation to address issues across the fleet ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ of organizations need days or longer to remediate issues. 58%

Continuous Workflow Detect Correct

https://supermarket.chef.io/tools?type=compliance_profile http://dev-sec.io/ https://github.com/chef-cookbooks/audit#configure-node Compliance Profiles

https://github.com/chef/inspec-aws https://github.com/chef/inspec-azure https://github.com/chef/inspec-vmware InSpec, meet my IaaS Provider

Thank You! Nathen Harvey VP, Community Development Chef Software, Inc.
@nathenharvey .

Compliance as Code

Compliance as Code

More Decks by Nathen Harvey

Other Decks in Technology

Featured

Transcript