OpenShift Identity Management And Compliance In

Transcription

Identity Management and Compliance in OpenShift
Or “Use DevOps to Make Your Auditors and Suits Happy”
Marc Boorshtein, CTO, Tremolo Security
Ellen Newlands, Senior Security Product Manager, Cloud Business Unit at Red Hat
May 3, 2017

Who Are We?
Marc Boorshtein - CTO, Tremolo Security, Inc.
15 years of identity management implementation experience
Multiple deployments across large commercial and federal customers
Ellen Newlands - Senior Security Product Manager, Cloud Business Unit at Red Hat
Red Hat Product Manager for Identity and Access Management
Extensive experience in enterprise and web identity management and single sign-on

What Will We Be Talking About?
Why is identity management and compliance important to you?
What is “compliance”?
How does identity management apply to compliance?
How do Red Hat and OpenShift manage security?
What “compliance” looks like without and with DevOps
How OpenShift manages its identities
Demo!

Why is Compliance Important to You?
It’s not just for meetings and auditors.
[Diagram labels: DevOps, Identity Management]

What is Compliance?
When someone asks if you’re compliant.
Step 1 - Define Your Policy (NIST 800-53 Framework; Criminal Justice Information Systems (CJIS))
Step 2 - Follow Your Policy (CJIS Implementation)

Where Does Identity Management Fit?
NIST 800-53, AC-2: “Authorizes access to the information system based on: 1. A valid access authorization;” → Request for access is approved by your manager → Identity Management
Criminal Justice Information Systems (CJIS), Section 5.6.2.1.1 - Passwords → Identity Management

OpenShift Container Platform Security
Integrated security features including Role-based Access Controls with LDAP and OAuth integration
Privileged access management
Automated certificate management
Scalable secrets management
Private data and logins exchanged with OpenShift are transmitted over SSL
Application passwords are filtered from OpenShift log files and encrypted
Pushing and pulling of private data is done over SSH, authenticated with keys, not passwords; this helps prevent brute-force cracking
Tools are available for users to deploy similar steps for their applications
Visit the Security zone in the Red Hat booth for more information on OpenShift & container security

Red Hat Enterprise Linux: Support Compliance for OpenShift
Red Hat Enterprise Linux provides the foundation for secure,
[Architecture diagram: Container Orchestration & Cluster Services & Metrics; Security; Container Runtime & Packaging (Docker); Atomic Host; Red Hat Enterprise Linux]
On bare metal, on Red Hat Virtualization, in your datacenter or the public cloud
Red Hat OpenShift Dedicated available on both AWS & GCP
Red Hat provides industry-leading responsiveness to security vulnerabilities
OpenShift on public cloud inherits the security features of your public cloud provider
For example, to know more about the security of Amazon EC2

Identity Management Compliance Without DevOps
User needs access to an application
→ User emails project owner asking for access
→ Project owner forwards to admin with the word “approved”
→ Admin creates access and stores email in special folder
→ Admin tells user they’re approved to access the project
→ Auditor asks for approval trail
→ Admin forwards emails
:-(

Identity Management Compliance With DevOps
User needs access to a project
→ Logs into IDM and requests access
→ Project owner clicks “Approve”
→ IDM system creates access and builds audit trail
→ IDM system notifies user of access
→ Auditor logs into IDM system
→ Auditor pulls reports
:-D

How this applies to OpenShift
WHO? User Object in etcd; LDAP; OpenID Connect; Reverse Proxy Header
WHAT? Subject, Role, Project, RoleBinding (local objects)
WHY? External Workflow
Management: OpenShift Console; LDAP Sync; oadm; Web services

Demo

Shameless Self Promotion
Booth 145: Mobile Battery Chargers, Screen Cleaners
Web - http://tremolo.io
Twitter - @tremolosecurity / @mlbiam
Github - https://www.github.com/tremolosecurity/
Blog this session is based on: ce-and-identity-management/

THANK YOUplus.google.com/ tVideos

How this applies to OpenShift

Layer            | Technology                                  | In Demo
Cloud            | OpenStack - Keystone; Amazon - IAM; etc.    | N/A
Operating System | 1. LDAP  2. AD  3. SSSD                     | Red Hat Identity Management

How this applies to OpenShift

Layer                      | Technology                                                                 | In Demo
OpenShift Console and CLI  | Authentication: LDAP, Password File, OpenID Connect, Header (Reverse Proxy) | Authentication: Username/Password, KeyCloak, U2F - Unison, Compliance Banner - Unison, OpenID Connect
                           | Authorization: Internal User and Group objects, Web services, LDAP Sync    | Authorization: Unison self service
Container                  |                                                                            | N/A

Notes: 1. External Identity Provider  2. External User System
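The “WHAT?” and “Management” items on the earlier “How this applies to OpenShift” slide and the “LDAP Sync” / “Internal User and Group objects” row above come together in two OpenShift objects: an LDAPSyncConfig that the group-sync CLI (`oadm groups sync`, today `oc adm groups sync`) consumes to turn LDAP groups into OpenShift Group objects, and a RoleBinding that grants such a group a role inside one project. The following is an added example, not code from the slides or from Tremolo Security or Red Hat; the LDAP host, bind DN, DNs, group name and project name are placeholders.

```yaml
# Added example: LDAP group sync configuration (RFC 2307 schema) for
# `oadm groups sync --sync-config=ldap-sync.yaml --confirm`.
# Placeholders: ldap.example.com, all DNs, the password file path, the CA path.
kind: LDAPSyncConfig
apiVersion: v1
url: ldaps://ldap.example.com:636
bindDN: "uid=openshift-sync,ou=service,dc=example,dc=com"
bindPassword:
  file: /etc/origin/master/ldap-sync-password   # keeps the secret out of this file
ca: /etc/origin/master/ldap-ca.crt               # pin the directory's CA
insecure: false                                  # refuse plaintext LDAP
rfc2307:
  groupsQuery:
    baseDN: "ou=groups,dc=example,dc=com"
    scope: sub
    derefAliases: never
    filter: (objectClass=groupOfNames)
  groupUIDAttribute: dn
  groupNameAttributes: [ cn ]                    # OpenShift Group name = LDAP cn
  groupMembershipAttributes: [ member ]
  usersQuery:
    baseDN: "ou=people,dc=example,dc=com"
    scope: sub
    derefAliases: never
  userUIDAttribute: dn
  userNameAttributes: [ uid ]                    # must match the login identity's user name
  tolerateMemberNotFoundErrors: false            # fail loudly on dangling members
  tolerateMemberOutOfScopeErrors: false
---
# Added example: bind the synced group to the built-in "edit" role in one project.
# Placeholders: the "payments" project and the "payments-developers" group.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-developers-edit
  namespace: payments
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: payments-developers                      # Group object created by the sync
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: edit
```

With this split, the “WHY?” lives in the external workflow (the IDM system that approves the LDAP group membership and records who approved it), while OpenShift only ever sees the resulting Group and RoleBinding. The sync has to run on a schedule, and removals need the matching prune run (`oc adm prune groups` with the same config), otherwise a user removed from the LDAP group keeps the project role until the next sync, which is exactly the gap an auditor reading the RoleBinding alone would not see.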
