At this point, the Center for Internet Security’s Security Controls are an industry standard for technical cyber security. The first six basic controls can prevent 85 percent of the most common cyber attacks, and even though the controls have been developed with traditional data centers and processes in mind, there is no reason they can’t be adapted to DevOps.
A quick review of the basic controls will offer some ideas of how they fit for DevOps (or not, as the case may be). Control 1 and Control 2 are about inventories: inventory and control of hardware and software assets.
Hardware in a cloud environment becomes virtualized infrastructure – containers and repositories, virtual machines, lambda functions, microservices, APIs, etc. The principle still stands, however, that knowing what underlying infrastructure is authorized in your environment and detecting unauthorized deployments is critical.
In a highly dynamic cloud system with ephemeral servers being deployed and destroyed constantly, it’s even more important to know whether what is coming up should be coming up and whether it is authorized to be in your environment. Consider your current controls and how you monitor your runtime environment. How do you know what is running is authorized to be running and is running authorized apps and services?
If you don’t have an answer for those questions, review your threat model and think about tools at your disposal to get a better view of your “hardware” assets. Those may be native to your cloud environment, third-party solutions and/or an inventory management process you put in place.
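One way to answer the "is what is running authorized?" question is to reconcile a runtime snapshot against an authorized inventory. The sketch below is an added example, not code from the original post: the inventory, the snapshot rows, the registry names and the short digests are all constructed, and it assumes image references are either `repo:tag` or `repo@digest`.

```python
from typing import NamedTuple

# Constructed authorized inventory: workload name -> approved image repo and digests.
AUTHORIZED = {
    "payments-api": {"repo": "registry.example.internal/payments-api",
                     "digests": {"sha256:1111", "sha256:2222"}},
    "report-worker": {"repo": "registry.example.internal/report-worker",
                      "digests": {"sha256:3333"}},
}

# Constructed runtime snapshot, shaped like rows an orchestrator or cloud API might return.
RUNNING = [
    {"id": "c-01", "workload": "payments-api", "image": "registry.example.internal/payments-api@sha256:2222"},
    {"id": "c-02", "workload": "payments-api", "image": "registry.example.internal/payments-api@sha256:9999"},
    {"id": "c-03", "workload": "report-worker", "image": "registry.example.internal/report-worker:latest"},
    {"id": "c-04", "workload": "debug-shell", "image": "docker.io/library/alpine@sha256:4444"},
    {"id": "c-05", "workload": "report-worker", "image": "mirror.example.net/report-worker@sha256:3333"},
]

class Finding(NamedTuple):
    instance: str
    kind: str
    detail: str

def reconcile(running, authorized):
    """Return one Finding per running instance that the inventory does not cover."""
    findings = []
    for inst in running:
        entry = authorized.get(inst["workload"])
        if entry is None:
            # Asset inventory gap: nothing authorizes this workload at all.
            findings.append(Finding(inst["id"], "UNAUTHORIZED_WORKLOAD", inst["workload"]))
            continue
        repo, sep, digest = inst["image"].partition("@")
        if not sep:
            # Tag-only reference is mutable, so it cannot be matched to approved content.
            findings.append(Finding(inst["id"], "UNPINNED_IMAGE", inst["image"]))
        elif repo != entry["repo"]:
            # Right workload name, but pulled from a source the inventory does not list.
            findings.append(Finding(inst["id"], "UNAUTHORIZED_REGISTRY", repo))
        elif digest not in entry["digests"]:
            # Software inventory gap: approved repo, unapproved build.
            findings.append(Finding(inst["id"], "UNAUTHORIZED_DIGEST", digest))
    return findings

if __name__ == "__main__":
    for f in reconcile(RUNNING, AUTHORIZED):
        print(f"{f.instance}\t{f.kind}\t{f.detail}")
```

In a real pipeline the snapshot would come from the cloud provider or orchestrator API on a schedule short enough to catch ephemeral instances, and the findings would feed alerting rather than standard output.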
Software inventories also offer an interesting challenge that would traditionally be managed with a CMDB and ITSM processes. For some parts of DevOps, this could still work. It’s a good practice to have a defined set of authorized and standardized tools for (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Anthony Israel-Davis. Read the original post at: https://www.tripwire.com/state-of-security/devops/devops-cis-security-controls/

