Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Red Hat OpenShift / Security | OpenShift / 13 May 2020
Red Hat OpenShift / Security | OpenShift / 13 May 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: OpenShift Commons Briefing Compliance as Code with Keith Basil (Red Hat)

Description

OpenShift Commons Briefing
Compliance as Code
Keith Basil (RedHat)
Hosted by Diane Mueller (Red Hat)
2020-05-13

A

First, Who am I Keith Basel I am a product manager in the cloud platforms, business unit and I cover security for OpenStack and OpenShift, and so what I'm going to introduce today is a compliance driven approach to better security and I'm gonna, introduce this concept of compliance as code and what that means. So, let's actually jump into it and get started so fundamentally, here's the problem for the slides to advance.

A

Yes, ok, so there's about a four second delay: we've taken in internally, an effort to research, the many global compliance frameworks and so I read had been a global company. We run into these daily with our customers, so, for example, in Australia, there's a framework of recommendations around what's called the essential eight like the essential, 80 things you need to do to lock down your your computer system or cloud infrastructure right.

A

We also work with an organization called ANSI in France who is responsible for enforcing security policy for things that are labeled as critical infrastructure to the country right and then we have our friends here in the US government. We have really good relationships with NIST in the DoD and I see communities where we are helping make our products more secure to meet their requirements. So the takeaway here is that you've got geographical boundaries.

A

You've got industry, specificity for these risk management frameworks and as a product manager who kind of grew up in the DC metro area. I understand like the contractor mentality right and so my dream, as a product manager, was always to have a cloud product that would solve for these security problems to make the job of the compliance and audit folks a little bit easier by checking things out of the box.

A

But, as you can see from this slide, there's quite a few things globally that we need to be aware of, and it could drive you crazy as a product manager trying to pivot and answer questions along these mini lines, not to make it even more complex. But compliance is a full-stack exercise.

A

Kerstin had a slide that was very appropriate about kubernetes done right being very, very hard and so I wonder if you'd call out a little bit more detail here in that the compliance that we look at, we have to look at everything from the hardware from the host level all the way up through the stack. That means you know what type of operating system are you running the kernel matters in this regard, because there are certain food security facilities, particularly around kubernetes container hosting, that are absolutely critical to compartmentalizing.

A

You know the workloads on your Korean ADEs platform right, so namespaces system calls reduction of privileges, the eliminate capabilities, locking everything down with selinux and in for more extreme environments or having certified crypto. You want to make sure that that kernel enables fits right. So these are just some low-level pieces and parts, the Legos, if you will, that actually build up and that we have to take them to an account when it comes to compliance, and so, let's take it one step further.

A

Okay, so on the right, when the slide loads, I'll show you on the right. We have our listing of all the risk management frameworks right again, geographically bound industry bound, maybe even a mixture and then on the Left we have open shift is an example of infrastructure as a service offering that we need to secure and lock down.

A

I'm happy to Diane mentioned the compliance officer role at the top of the call, because this is the nightmare that compliance officers have to deal with, because on the left, you have an infrastructure stack that changes or iterates every three months upstream. So kubernetes is a very, very fast moving upstream open source project right and then you have to marry that against one of the frameworks on the right, and so, for example, if we say we're, gonna get our open, skiff, environment, FedRAMP, moderate enabled right.

A

That means that we have to take the time to document all of the things that go into doing kubernetes right right, it's a hard problem, so we have to build, what's called a system security plan as an example and that basically documents how you address all of the controls that are specified in FedRAMP I mean how are you gonna remediate?

A

What's your response to this thing into that thing right and so there's there's gap, analysis, there's our audit and remediations your auditor, your third-party order, there's gonna come in and give you a punch list of everything, that's wrong, and so these things take a long time.

A

So if we set out today to say, hey, we're, gonna go, get FedRAMP, moderate and what's called an ATO and authority to operate for federal, moderate, then that literally, could be a non month to 18 month, process right and so, if kubernetes, in and by downstream openshift, are changing and doing releases every three months when you start the clock on your your submission, you're gonna be at minimum two or three versions behind what you've documented right, and so basically the takeaway here is that the hamster wheel that that you see on this slide does not stop moving.

A

In fact, it gets worse right and so doing these things manual. You know addressing you, know: FedRAMP compliance, miss overall, 853 compliance or going for PCI, DSS, etc. These things are heavy processes, and so we want to shortcut this and this compliance as code approach is exactly how we approach that. So, let's talk about the solution before we go into the detail of the solution, I want to talk about the approach right, and so we, after we've done our research against the risk management frameworks that we run into as a company.

A

We decided to settle on two things: one is mist. The mist, 853 control said because there's a lot of overlap with NIST and other frameworks, kind of look to the US as the gold standard, and so what that does for us is.

A

It gives us leverage, okay, meaning that if we can solve for let's say the 853 controls that have been carved out for FISMA or FedRAMP, if we can solve for those we're, gonna get probably 80 to 90% of all the other frameworks out of the box in terms of meeting those requirements and the other logo that I'd put on this slide is the cloud security alliance. And let me let me talk about a really cool tool that these guys have.

A

They have this thing called the cloud controls matrix, it's essentially a spreadsheet and it acts as kind of a rosetta stone for mapping how you address this particular control, and it shows you how you can apply that to other one other frameworks. So, for example, if we solve for configuration management and mist as a family of controls, then we can see that our answers to how we do configuration management could be applied to ISO to HIPAA, PCI, DSS, etc. So it's a really cool tool in that regard.

A

It's kind of a road map to mapping down into the other frameworks, and so going more specifically from a redhead perspective. I want to talk about how we approach this with open shift as an example, so on the Left you'll see a what I call the FedRAMP cheat sheet right. So this is basically a summary of the control families that you will find applicable to a Fed lamp deployment, and so some of these are highlighted in the green circle like access control and sorry Diane. Can we mute that person? That's on the call.

A

Okay, so on the left is the FedRAMP cheat sheet, as I said, and so, as a software company, we can only read. I can only influence and provide guidance for the things that are within our scope. For example, you'll see personnel security on that list on the left there, the PS family of controls well, red head, is not in the business of doing background checks on people right so, for example, in federal matter it, the folks who have hands on keyboard to administrate your system must be US citizens, for example right.

A

So that's up to the organization to figure out and address how they're gonna solve for that control.

A

It's not a software issue right, so I just wanted to make sure that, with the folks on the call here understood that the things that we've highlighted here are the things that we have influence over in and largely they are technical and system level control, families right and the last thing I'll say before we go to the next slide- is that the green that you see there is an internal tool that we created to do a complete assessment against the more than 1,400 controls that you'll see in NIST 853.

A

So this is our kind of internal barometer. If you will on how we're meeting from a product perspective, FedRAMP or FISMA low, moderate and high as an example and we'd be happy to talk to you more about that. If there's any questions around our approach here, around security, so going back to the concept of compliance is code. What is the magic okay? What are we doing here? That's different, so as I alluded to before the process is very heavy.

A

It's intense it's very manual in terms of building documentation, documenting the system, all the controls and all the configs and and the knobs, and such that you do to make the system more secure. What we want to do is codify that knowledge right in areas where we have domain expertise right so, for example, think of it as building a cake and I'm going to use this cake analogy because I think it's effective here. So imagine if you will we're gonna bake a cake in layers.

A

We're gonna build each layer of the cake at a time and now we're going to deploy OpenShift for a federal government use case so number one. We need to figure out where system is going to reside physically right. So maybe we pick a data center somewhere in Ashburn Virginia. That's close to you know our folks and we're gonna say to that data center owner, give me your compliance, is code or put me to the repo. This shows your compliance is code artifacts.

A

So we could basically, in theory, just do a pull and pull down all of the data center remediations to like and descriptions for exactly a narrative pieces. What does that mean? That means that we now have in text form information about the physical barriers around the data center information about the security background checks of the security folks that physically reside in that data center, the man-traps. What is the level of redundancy for power and pink for the for the network? Our the cage is built out et cetera. So now we can just pull.

A

Do a git pull pull that down? We have that in a JSON formatted format, where we can drop that in as the bottom of the cake and then going one step, for we may say if we're gonna use the st. Dale Hardware, hey Dale, show me your compliance is code, repo that describes the hardware security that you have for your platform right. So maybe this will describe TPMS and hardware attestation, for example, and how that's done so we can pull that in and then we go up in this layer up.

A

Let's talk about rail, core OS as an operating system, so now we started getting into the red hat layers of the cake and then we as a red headed and we are on the product management team.

A

You want to make sure that we provide those layers of the cake and that they're fully complete and then finally, going back to the Scopes that we aren't responsible for maybe the personnel security is an in-house thing with a private repo and they build out all of that into a repo that specifies, via JSON all of the personal security procedures that they put in place. So now, we've got the entire cake. We've got a directory full of like artifacts, there's tooling, within this community called compliance masonry.

A

For example, you can point that to the artifacts that we just assembled and actually bake the cake, it's like putting it in the oven, right and so boom. Once this tooling runs, it will build a 400-page we're a document. That's the start of your system, security plan in a matter of minutes which is phenomenal right, and so this is the power of treating compliance as code.

A

Where now we have very close to real-time a status on the actual compliance implementation for each one of those layers in the cake, so, for example, on the OpenShift team, our goal is to make our security profiles by coterminous or released in parallel with the next version of OpenShift. So, for example, if open shift, 4.5 comes out, we'd love to publish the compliances code profile for FedRAMP, for example, for open ship for that 5 and then for that stay for that 7 X. So that way, anybody consuming this.

A

This work downstream can just pull the latest rerun the tooling and have immediate updates to their SSP ES and whatever other tooling can come out of that. And the last thing here this really critical is that the compliance is code. Work is really two parts. There's the text part the narrative that describes your responses in the system, security plan and then there's also a baseline set of content that does auditing and remediation. So what does that mean?

A

There's a code code in the compliances code, piece that will allow you to basically analyze audit and attest that your system is in compliance against those controls that we've defined and if it's not you'll, have the option to come back and force it to be in compliance with via the remediation content. That's supplied with that profile, so it's very, very powerful in that regard, in terms of giving us leverage to maintain relevance and accuracy with our compliance processes, and so let's actually look at it a little bit in action here.

A

So on the next slide, we talked about the process and going from left to right. This is typically how it goes so you'll see on the Left guides and documentation. This could be auditor Docs security requirements in the DoD space. We call them SR G's, just general configuration guides on how to you know, secure the system or make changes that are the city related to security, but need to be accounted for, and then you have, you know properly published and blessed what we call Stig's these security technical implementation guides.

A

So this is kind of like the the knowledge, but it's in Inked, so-called digital paper format, right and so one of our missions is to take that knowledge and turn that into submissions against the compliances code, repo, according to the recommendations that you find in those guys right, and so that's number one and then number two. We pick one of the risk management profiles that were targeting so, for example, for targeting the Australian.

A

The central 8 will take all of that knowledge on the left and we'll build an essential 8 profile and put that on the git repo. In fact, there's a link on this slide to that exact profile. Right we've just recently got a submission for from our struct Australian teen us to Pacific to the essentially and then.

A

Lastly, as I said, there's two parts of the code: there's the narrative that describes things and then there's attestation to do the check and then there's remediation to bring that system into the clients and what you see below those are just different facilities that can be enabled to do at a station every mediation in the case of open shift.

A

You know Kirsten mentioned that openshift was using kubernetes to manage kubernetes right, and so we are working on this concept of a compliance operator and it's it's really cool in the sense that once that operator is installed on your cluster, you can feed it a FISMA profile if here's my modern profile and it will bring that system into full compliance with that profile according to how its defined and it's it's a phenomenal thing and in the leverage that we're gonna get from that it is gonna, be really cool, and so this is the process.

A

So you got documentation and sometimes tribal knowledge. That's baked into your organization in in the heads of many of the people, and we want to get that from the docs from that tribal knowledge into something. That's we can act against from a software perspective. So that's what we're doing here, what compliance is code?

A

So we've started this. There is a community upstream. This is a screenshot from one of our public sector meetups, where we're talking about innovation and using open control. There's quite a few folks, Microsoft pivotal and some others are members of the open control community and have contributed their own compliances code profiles so we're starting to grow quite a bit there, and we've also created a derivative of that. We call it ATO pathways where it shows kind of the Red Hat product status against the authoritative information that you'll find.

A

Then the compliance is code, repo and then lastly, there's a few links that you can look at to go a little bit deeper and compliances code. The first github link is the number one is the top one and then the red specific one is second and then the open control community you'll find at the last pitch. So that's all I had today. Hopefully this was a good overview of compliance. Is code and I'm happy to take any questions.

A

You.