PUTTING THE SEC INTO DEVOPS
Prof. Avishai Wool
AGENDA
• Introduction: DevOps and Network Security
• Ops + Security scenarios: Pitfalls and Tips
• Dev + Security scenarios
• DevOps with AlgoSec
• Continuous integration with AlgoSec
2
WHAT’S THE MOTIVATION
• Network connectivity and security are a painful
bottleneck in the application delivery pipeline
• Accelerate application delivery by automating
network connectivity processing
• Human intervention only when required
• Visibility into application connectivity requirements is
important for Network and Security teams
• Security, full audit trail and continuous compliance
must be built into the process
3
DEVOPS CYCLE
• Develop (Programmers in R&D)
• New application
• New functionalities in an existing application
• Test
• Deploy (Ops)
• Add capacity to an existing application
• New deployment targets
• Production
4
NO APPLICATION IS AN ISLAND
Applications have connectivity requirements
• Human users
• Insiders
• Remote sites and road warriors
• Outsourcers
• Business partners
• Outsiders
• Internal resources (DB, API to other applications, …)
• Infrastructure resources (DNS, backup, authentication, …)
• Business partner resources
• Internet resources
5
NETWORK SEGMENTATION
• Separate environments for Dev/Test/Pre-production/Production
• Network security policies must allow the necessary traffic
• Changes to applications that modify connectivity requirements must
be implemented in network security policies
• … so you need DevSecOps
6
TIGHTER SECURITY IN PROD
[Diagram: security zones Development, Test, Pre-Production, Production Front, Production Backend]
Test & Pre-Production environments: servers all in one security zone
Production servers in several security zones
7
OPS + SECURITY SCENARIOS:
PITFALLS AND TIPS
ADDING CAPACITY
• Typically only Ops involved
• Typically only relevant to Production environment
• Add another
• Web server to the web farm
• Compute engine to the Compute cluster
• Etc.
• New clone has the same role as existing clones
• No need for another security review – all pre-approved
9
SOUTHBOUND TRAFFIC: LOAD BALANCER
• Load balancer in front of the web farm
• Upstream security policies written using
“Virtual IP” / “Virtual Server name”
Result:
• Add new server to the farm
• Update load balancer configuration to
use the new resource
• No need to touch security policies
[Diagram: Load Balancer in front of the Prod Front zone; zones Dev, Test, Pre-Prod, Prod Front, Prod Back]
10
EAST/WEST TRAFFIC
• Need to connect to / accept connections from other systems
• Management connections
• Access to internal/partner/Internet
resources
• Resources in other network segments
• Connections flow across security zones
• Load balancer does not help: need to
differentiate between clones
[Diagram: Firewall separating zones Dev, Test, Pre-Prod, Prod Front, Prod Back]
11
EAST/WEST TRAFFIC – SOLUTION A
• Careful IP address allocation!
• Discipline:
• All clones have IP addresses in the same Subnet / Range / VLAN / VPC
• Security policy rules allow traffic to/from whole Subnet
Result:
• Add new server to the farm
• Ensure its IP address is in the correct Subnet / Range
• No need to touch Security Policies
12
ADDRESS ALLOCATION – PROPERTIES
Pro: works with all filtering technologies
Con:
• Pre-allocate IP addresses for each server class
• Need to predict maximal capacity
13
EAST/WEST TRAFFIC – SOLUTION B
• Use object groups!
• Discipline:
• Filtering devices have a network object group for each server class
• Security policy rules allow traffic to/from object group
Result:
• Add new server to the farm
• Add its IP address to the correct object group
• No need to touch security policy rules – the object change is sufficient
14
OBJECT GROUPS – PROPERTIES
Pros:
• Clones can have arbitrary IP addresses
• No address pre-allocation
• No need to predict maximal capacity
Cons:
• Need to touch object definitions on security devices
• Goal: zero-touch orchestration, with audit trail
• Requires filtering devices that support object groups
• Router ACLs and cloud providers’ “Security Groups” have limitations
15
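The two disciplines above, Solution A (pre-allocated subnet) and Solution B (object group), worked through in a toy policy model. This is an added example, not code from the slides or from AlgoSec; the `@group` notation for referencing an object group in a rule, the /28 web-farm range and all addresses are constructed. It shows the property each slide claims: in both solutions a clone is added without touching the rule list, and in Solution A a clone placed outside the planned range is silently blocked while the range itself caps capacity.

```python
"""Toy policy model showing why a clone can be added without editing rules.

Added example; not from the slides and not AlgoSec code. Solution A writes the
rule against a pre-allocated subnet, Solution B against a named object group.
All addresses, subnet sizes and the '@group' notation are constructed here.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    src: str       # CIDR, or '@name' to reference an object group
    dst: str
    service: str   # e.g. 'tcp/5432'


@dataclass
class Policy:
    rules: list
    groups: dict = field(default_factory=dict)  # object group name -> set of IPs

    def _networks(self, spec):
        """Expand a rule endpoint into the networks it covers."""
        if spec.startswith("@"):
            return [ipaddress.ip_network(ip) for ip in self.groups.get(spec[1:], ())]
        return [ipaddress.ip_network(spec)]

    def allows(self, src_ip, dst_ip, service):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for r in self.rules:
            if (r.service == service
                    and any(s in n for n in self._networks(r.src))
                    and any(d in n for n in self._networks(r.dst))):
                return True
        return False


# Solution A: the web-farm class owns a pre-allocated range (constructed; /28 = 14 hosts).
WEB_SUBNET = ipaddress.ip_network("10.20.1.0/28")
DB_SERVER = "10.20.5.112"   # constructed DB address


def solution_a_add_clone(in_use):
    """Allocate the next free address inside the class subnet; the rule set is never touched.
    Raises once the subnet is full, which is the 'predict maximal capacity' weakness."""
    for host in WEB_SUBNET.hosts():
        if str(host) not in in_use:
            in_use.add(str(host))
            return str(host)
    raise RuntimeError("web-farm subnet exhausted: capacity was under-predicted")


def solution_a_capacity():
    """How many clones Solution A can ever hold with this subnet (fills until exhaustion)."""
    in_use = set()
    try:
        while True:
            solution_a_add_clone(in_use)
    except RuntimeError:
        return len(in_use)


def solution_b_add_clone(policy, group, ip):
    """Object change only: every rule referencing '@group' now covers the new clone."""
    policy.groups.setdefault(group, set()).add(ip)
    return ip


def demo():
    """Run both disciplines against a single web-farm -> DB rule and report what changed."""
    pol_a = Policy(rules=[Rule(str(WEB_SUBNET), DB_SERVER, "tcp/5432")])
    in_use = set()
    first = solution_a_add_clone(in_use)
    a_ok = pol_a.allows(first, DB_SERVER, "tcp/5432")
    a_stray = pol_a.allows("10.20.2.7", DB_SERVER, "tcp/5432")   # clone outside the range: blocked

    pol_b = Policy(rules=[Rule("@web-farm", DB_SERVER, "tcp/5432")],
                   groups={"web-farm": {"10.20.1.4"}})
    new_clone = "192.168.77.9"                                    # arbitrary address, any VLAN
    b_before = pol_b.allows(new_clone, DB_SERVER, "tcp/5432")
    solution_b_add_clone(pol_b, "web-farm", new_clone)
    b_after = pol_b.allows(new_clone, DB_SERVER, "tcp/5432")

    return {"a_first_ip": first, "a_ok": a_ok, "a_stray": a_stray,
            "b_before": b_before, "b_after": b_after,
            "rules_a": len(pol_a.rules), "rules_b": len(pol_b.rules)}


if __name__ == "__main__":
    print(demo())
```

The rule count stays at one in both variants; what changes is the address plan (A) or the group definition on the filtering device (B), which is exactly the object touch the "Cons" list refers to and the piece that zero-touch orchestration must automate with an audit trail.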
DEV + SECURITY SCENARIOS
DEVOPS WITHOUT “SEC” FAILURES
• Developers add new functionality to an application
• Everything works in Test and Pre-Production environments
• Push new version to Production -> Fail!
17
WHAT WENT WRONG?
• Remember “No application is an island”
• New functionality includes new connectivity flows
• Dev didn’t document the new flows
• Possibly didn’t realize new connectivity was required
• Relaxed security policy in Dev, Test, Pre-Production environments
allows connectivity
• Maybe the resource replica/placeholder is inside the same zone?
• Application works in Test: no need for Sec involvement – wrong!
18
DOCUMENT THE APPLICATION FLOWS
• Maintain a repository recording all the flows required by each
application
• For each flow record, at least:
• Source and Destination IP addresses
• Services and network-applications in use
• Automation Tools:
• Modify the application record whenever new functionality adds flows
• Add security review and approval for new flows during Dev cycle
19
TIP: TIGHTEN SECURITY AROUND TEST
• Place filtering devices around the Pre-Production environment
• Apply the tight security policy of Production
• Not the loose policy of Dev!
Result:
• Dev forgets to document new flows, or does not realize there is a new flow
• Failure will happen in Pre-Production environment – as desired
• … triggering Sec review earlier in the cycle
[Diagram: filtering devices around Pre-Prod; zones Dev, Test, Pre-Prod, Prod Front, Prod Back]
20
MULTIPLE INSTANCES OF APPLICATION’S RECORD
• Application’s flows in Dev / Test / Pre-Prod / Prod have
• Same services (“SQL”, “HTTPS”, …)
• Same logical structure (“Application Logic server connects to DB”)
• Different IP addresses: Test DB is different from Prod DB
• Maintain separate instances of the application’s record:
• Dev (“Dev-Application-logic-server connects to Dev-DB”)
• Test (“Test-Application-logic-server connects to Test-DB”)
• Pre-Prod (“Pre-prod-Application-logic-server connects to Pre-Prod-DB”)
• Prod (“Prod-Application-logic-server connects to Prod-DB”)
21
LIFECYCLE: MIGRATE BETWEEN STAGES
• Pushing application version (e.g. from Pre-Prod to Production):
• Provision workloads, deploy code, …
• … Don’t forget to update the security policies protecting the next stage!
• Not a simple copy!
• Maintain a mapping:
• Dev-DB -> Test-DB
• When deploying security rules, replace all Pre-Prod-DB by Prod-DB
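The per-environment record instances and the stage migration described on the last two slides, as an added example that is not part of the deck and not AlgoSec BusinessFlow code. One logical record names roles ("app-logic connects to db"); a per-environment map turns roles into addresses, a promotion rewrites addresses through that map, and a check catches the "simple copy" mistake where Pre-Prod addresses end up in Production rules. The application name, role names and every address are constructed.

```python
"""One logical application record, several environment instances, and a stage
migration done by role mapping rather than by copying addresses.

Added example; not from the slides or from AlgoSec BusinessFlow. The record,
the role names and every address below are constructed.
"""

# Logical record shared by all environments: flows between roles, not addresses.
APP_RECORD = {
    "application": "order-portal",
    "flows": [
        {"id": "flow1", "source": "app-logic", "destination": "db", "service": "tcp/5432"},
        {"id": "flow2", "source": "web", "destination": "app-logic", "service": "tcp/8443"},
    ],
}

# Per-environment mapping role -> address (constructed).
ENV_MAP = {
    "dev":      {"web": "10.10.0.5",  "app-logic": "10.10.0.6",  "db": "10.10.0.7"},
    "test":     {"web": "10.20.1.10", "app-logic": "10.20.2.20", "db": "10.20.5.50"},
    "pre-prod": {"web": "10.30.1.10", "app-logic": "10.30.2.20", "db": "10.30.5.50"},
    "prod":     {"web": "10.40.1.10", "app-logic": "10.40.2.20", "db": "10.40.5.50"},
}


class MappingError(KeyError):
    """A role used by the record has no address in the target environment."""


def missing_roles(record, env, env_map=ENV_MAP):
    """Roles the record needs that the environment map does not define."""
    roles = env_map[env]
    needed = {r for f in record["flows"] for r in (f["source"], f["destination"])}
    return sorted(needed - set(roles))


def instantiate(record, env, env_map=ENV_MAP):
    """Concrete flow list for one environment ('prod-app-logic connects to prod-db')."""
    missing = missing_roles(record, env, env_map)
    if missing:
        raise MappingError(f"{env}: no address for role(s) {missing}")
    roles = env_map[env]
    return [{
        "id": f["id"],
        "source": roles[f["source"]],
        "destination": roles[f["destination"]],
        "service": f["service"],
        "description": f"{env}-{f['source']} connects to {env}-{f['destination']}",
    } for f in record["flows"]]


def address_replacements(src_env, dst_env, env_map=ENV_MAP):
    """Substitutions to apply when promoting rules, e.g. Pre-Prod-DB -> Prod-DB."""
    src, dst = env_map[src_env], env_map[dst_env]
    return {src[role]: dst[role] for role in src if role in dst}


def promote(rules, src_env, dst_env, env_map=ENV_MAP):
    """Rewrite (source, destination, service) rules from one stage to the next."""
    repl = address_replacements(src_env, dst_env, env_map)
    return [(repl.get(s, s), repl.get(d, d), svc) for s, d, svc in rules]


def foreign_addresses(flows, env, env_map=ENV_MAP):
    """Detect a 'simple copy': addresses in `flows` that belong to a different environment."""
    own = set(env_map[env].values())
    owner = {ip: e for e, roles in env_map.items() if e != env for ip in roles.values()}
    found = {(f[key], owner[f[key]]) for f in flows
             for key in ("source", "destination")
             if f[key] not in own and f[key] in owner}
    return sorted(found)


if __name__ == "__main__":
    pre = instantiate(APP_RECORD, "pre-prod")
    print("pre-prod copied into prod:", foreign_addresses(pre, "prod"))
    print("promoted properly:", foreign_addresses(instantiate(APP_RECORD, "prod"), "prod"))
```

`foreign_addresses` is the check worth wiring into the deployment step: a Pre-Prod record copied verbatim into Production reports every Pre-Prod address, while a record produced through the mapping reports nothing.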
22
DEVOPS WITH ALGOSEC
APPLICATION FLOW REPOSITORY: BUSINESSFLOW
For all applications, maintain record of:
• Network flows
• Contact information
• Connectivity status
• Change history and activity log
• Risk and vulnerability information
• Initiate DevOps-led changes from UI or from API
24
SCENARIO: NEW APPLICATION ROLLOUT
Background:
• New application going live
• All testing in pre-production environment completed successfully
• Connectivity flows for pre-production documented in BusinessFlow
Current task:
• Configure security policies to allow connectivity in Production
29
• Move: if application will no longer have a staging environment
• Clone: retain both staging and production environments
Map Pre-Production to Production servers
[Screenshot: #4388 BusinessFlow Change Request for GameStop Central - Production]
ZERO-TOUCH
All workflow steps can be automated (with controls & audit):
• Automatically accept security devices to update
• Automatically accept risk check (if risks below a defined threshold)
• Automatically implement on devices (“ActiveChange”)
43
CONTINUOUS INTEGRATION WITH ALGOSEC
DEVOPS PIPELINE
[Pipeline diagram, stages as labelled:]
Developer commits code -> Compile & Package -> Unit Tests -> Bring up test environments -> Connectivity Tests + Open + Document -> Run all tests (Test environments: Integration, Performance) -> Deploy -> Production
45
CI: CONNECTIVITY TEST PIPELINE (ZOOM IN)
[Flowchart, labels as on the slide:]
• Application Connectivity .json, committed with Code
• Changed? No -> Test connectivity -> Success
• Changed? Yes -> BusinessFlow / FireFlow -> Check status in BusinessFlow
• Pre-approved – automatic implementation -> Test connectivity -> Success
• Requires security approval -> Fail
46
APP DEVELOPMENT
• Developer maintains a JSON file describing application connectivity
requirements in test and production environments
• Commit with code
• Alternatively, JSON automatically derived from Puppet during test
environment bring-up
ConnectivityRequirements.json
{
  "flow1": {
    "source": "10.20.1.4",
    "destination": "8.8.8.8",
    "service": "http",
    "description": "web connectivity to Google"
  },
  "flow2": {
    "source": "10.20.1.4",
    "destination": "10.20.5.112",
    "service": "tcp/5432",
    "description": "connectivity to PostgreSQL DB"
  }
}
47
CI UPDATES ALGOSEC
• If connectivity requirements change, the CI system (Jenkins, etc.) uses the
AlgoSec plugin to update AlgoSec
• AlgoSec BusinessFlow calculates the required changes and opens a Change
Request with AlgoSec FireFlow
48
CONNECTIVITY CHECK
• AlgoSec FireFlow calculates the network path and checks which
security policies need to be updated (if any)
• If connectivity already allowed -> Return “Success”
49
OPEN BLOCKED CONNECTIVITY
• If connectivity not allowed -> go through automatic change process
• Find relevant firewalls and policies, perform “what-if” risk analysis
• If no risks (pre-approved connectivity, not breaking compliance) ->
continue with zero-touch
• Push changes to relevant firewalls and routers
• Multiple vendors, physical or virtual, on-prem, SDN or cloud
• -> Return “Success”
50
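The CI-side gate that slides 47 to 50 describe, written out as an added example; it is not the deck's code and not the AlgoSec Jenkins plugin. It reads the committed ConnectivityRequirements.json (the deck's two flows plus a constructed third), detects which flows changed since the previous commit, and sorts each changed flow into the three outcomes of the pipeline: already allowed -> Success, pre-approved with low risk -> automatic implementation, anything else -> requires security approval, which fails the stage. The production policy, pre-approval list, risk scale and threshold are constructed placeholders standing in for what FireFlow would compute from real devices.

```python
"""CI-side connectivity gate. Added example: not the slides' code and not the
AlgoSec Jenkins plugin. Policy, pre-approval list, risk scale and threshold
are constructed stand-ins for a real path and risk analysis.
"""
import ipaddress
import json

# The committed file: the deck's two flows plus a constructed third one.
COMMITTED_JSON = """{
  "flow1": {"source": "10.20.1.4", "destination": "8.8.8.8", "service": "http",
            "description": "web connectivity to Google"},
  "flow2": {"source": "10.20.1.4", "destination": "10.20.5.112", "service": "tcp/5432",
            "description": "connectivity to PostgreSQL DB"},
  "flow3": {"source": "10.20.1.4", "destination": "10.20.9.15", "service": "tcp/22",
            "description": "constructed: ssh to a management host"}
}"""

# What the previous commit declared (constructed): only flow1 existed.
PREVIOUS_JSON = """{
  "flow1": {"source": "10.20.1.4", "destination": "8.8.8.8", "service": "http",
            "description": "web connectivity to Google"}
}"""

# Constructed production policy: (source net, destination net, allowed services).
POLICY = [("10.20.1.0/24", "0.0.0.0/0", {"http", "https"})]

# Constructed pre-approval: Security allows app zone -> DB zone on PostgreSQL with zero touch.
PRE_APPROVED = [("10.20.1.0/24", "10.20.5.0/24", {"tcp/5432"})]
RISK_THRESHOLD = 3                          # constructed: scores at or above this need a human
ADMIN_SERVICES = {"tcp/22", "tcp/3389", "any"}


def _matches(flow, entries):
    """True when some (src, dst, services) entry covers the flow."""
    s = ipaddress.ip_address(flow["source"])
    d = ipaddress.ip_address(flow["destination"])
    return any(s in ipaddress.ip_network(src) and d in ipaddress.ip_network(dst)
               and flow["service"] in svcs for src, dst, svcs in entries)


def risk_score(flow):
    """Toy what-if risk (constructed scale): Internet destinations and admin protocols score high."""
    score = 0
    if not ipaddress.ip_address(flow["destination"]).is_private:
        score += 1
    if flow["service"] in ADMIN_SERVICES:
        score += 3
    return score


def classify(flow):
    """One of the three pipeline outcomes for a single flow."""
    if _matches(flow, POLICY):
        return "success"                    # already allowed, nothing to change
    if _matches(flow, PRE_APPROVED) and risk_score(flow) < RISK_THRESHOLD:
        return "auto-implement"             # zero-touch change, still logged for audit
    return "requires-approval"              # Change Request needs a security decision


def changed_flows(current_json, previous_json):
    """Flows that are new or whose definition differs from the last committed version."""
    cur, prev = json.loads(current_json), json.loads(previous_json)
    return {name: f for name, f in cur.items() if prev.get(name) != f}


def classify_all(current_json):
    """Outcome for every flow in the file, regardless of whether it changed."""
    return {name: classify(f) for name, f in json.loads(current_json).items()}


def gate(current_json, previous_json):
    """Pipeline verdict: only changed flows are processed; a flow needing approval fails the stage."""
    results = {name: classify(f)
               for name, f in changed_flows(current_json, previous_json).items()}
    verdict = "fail" if "requires-approval" in results.values() else "success"
    return results, verdict


if __name__ == "__main__":
    print(gate(COMMITTED_JSON, PREVIOUS_JSON))
```

Only changed flows are evaluated, which is what keeps the unchanged `flow1` from generating work on every build; the constructed `flow3` is the case the deck calls "requires security approval", and a real implementation would open the Change Request with the flow's description attached as application context.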
WHAT JUST HAPPENED HERE
• High percentage of application changes – automatically processed
• Either already works, or pre-approved and immediately implemented
• When manual security approval is required – Change Request
automatically opened, with relevant application context
• Application connectivity requirements – automatically updated
• Full application context and visibility – for infrastructure changes, security
incidents, network or server migrations, maintenance, etc.
• Continuous compliance is retained
• Security has full control over policy and approvals
• Full audit trail and documentation of changes
51
THE BOTTOM LINE
• More agile application development and delivery cycles
• Security is no longer a bottleneck
• App developers, DevOps and Security all save time and work thanks to
automation
52
MORE RESOURCES
53
Thank you!
Questions can be emailed to
marketing@algosec.com