The Inner Circle


How do you risk assess infrastructure blueprints?

  • 1.  How do you risk assess infrastructure blueprints?

    Posted Aug 25, 2021 09:07:00 AM
    Edited by Rima Bose Aug 26, 2021 10:28:02 AM
    Infrastructure blueprints are commonly used in DevOps; these can be containers or stacks that can be readily deployed on a public cloud like AWS. My question is: how do you risk assess these 'blueprints' or reusable infrastructure-as-code? Automated open source vulnerability scanning, pen testing, and what else would you suggest?

    ------------------------------
    Rima Bose
    ------------------------------


  • 2.  RE: How do you risk assess infrastructure blueprints?

    Posted Aug 26, 2021 07:38:00 AM
    Edited by Robert Ficcaglia Aug 26, 2021 07:38:53 AM
    We use open source: OPA and cloudcustodian in particular (both have supported commercial versions) for exactly this. I personally have assessed these in the CNCF security group and have used both in very large prod AWS and Azure environments. Happy to discuss best practices if you DM or if there is large interest I can get some materials from both the open source teams and the commercial teams. That said, it would be great to align that presentation to CSA frameworks so if anyone is interested in that, maybe we can jump on a chat and outline what that could look like!

    edit: typos

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 3.  RE: How do you risk assess infrastructure blueprints?

    Posted Aug 26, 2021 08:37:00 AM
    Rima:

    @Richard Seiersen, co-author of "How To Measure Anything in Cybersecurity Risk", started publishing posts with free solutions for this issue on LinkedIn and his company's blog. Here's an example: https://get.soluble.cloud/posts/2021/08/using-iacbot-for-operational-control-of-iac/


    ------------------------------
    Mosi Platt
    ------------------------------



  • 4.  RE: How do you risk assess infrastructure blueprints?

    Posted Aug 26, 2021 09:22:00 AM
    Soluble, it seems, is in fact leveraging OPA. Very cool! Had not seen this solution. It is great to see the impact of open source in the broader community.
    If the Soluble folks are monitoring the thread it would be great to have them present their OPA use cases to the CNCF/Kubernetes workgroups. Feel free to DM or email me. Now even more excited to align these ideas to CCM and maybe there is a playbook that comes from it!
    Thanks @Mosi Platt! Great resource!!


    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 5.  RE: How do you risk assess infrastructure blueprints?

    Posted Aug 26, 2021 10:00:00 AM
    No problem, Robert. Rich is working with the continuous audit metrics working group. I will bring it up at our Friday meeting if he doesn't respond by then.

    Mosi K. Platt
    609.310.1473

    Sent from my mobile




  • 6.  RE: How do you risk assess infrastructure blueprints?

    Posted Aug 26, 2021 10:36:00 AM
    Edited by Rima Bose Aug 26, 2021 10:36:20 AM
    This is very good. Thanks @Mosi Platt!

    ------------------------------
    Rima Bose
    ------------------------------



  • 7.  RE: How do you risk assess infrastructure blueprints?

    Posted Aug 26, 2021 10:49:00 AM
    You're very welcome, Rima. Good luck with your project!

    Mosi K. Platt
    609.310.1473

    Sent from my mobile




  • 8.  RE: How do you risk assess infrastructure blueprints?

    Posted Aug 26, 2021 11:40:00 AM

    For me these kind of things fell under security review processes.

    We needed flexibility because we addressed so many different types of system, so went with "any documented review process", but suggested Microsoft STRIDE as an example. By systematically reviewing what the components are, what their history of security issues is, what the recommendations are, how they interconnect, how sensitive the data flows are, and what boundaries they cross, hopefully you should discover the tools that relate to the technology if you do this thoroughly, as well as identify where the risks lie, any documented mitigations, any recommendations or standards you should have followed, etc.

    That said STRIDE wasn't validated, it was more about bringing an understood structure to the process. It had a fairly lightweight risk approach, basically asking questions like "is it financial data?", but I guess the answers should tell you who will understand (and/or own) the corresponding risks & if you have the right people in the room. I'll take lightweight and done, over heavyweight and rarely done.

    Also, by systematically decomposing and documenting the attributes of systems, the process sped up each time, as I'd have recommendations on how to harden Postfix, or what is wrong with Alpine Linux images, documented already, and they'd just need a quick refresh each time.



    ------------------------------
    Simon Waters
    Founder
    Insufficient Entropy
    ------------------------------



  • 9.  RE: How do you risk assess infrastructure blueprints?

    CSA Instructor
    Posted Aug 29, 2021 11:38:00 AM
    I am writing some blogs on deployment diagrams and their use in security analysis. Work in progress.
    https://www.clubcloudcomputing.com/2021/01/deployment-diagrams-for-the-cloud-native-age/

    This would give some semantics to the pictures, and would mainly speed up manual design review.

    I have some follow up blogs in the works. 

    Is this approach helpful?

    ------------------------------
    Peter HJ van Eijk
    CCSK & CCAK trainer
    https://www.clubcloudcomputing.com/
    ------------------------------



  • 10.  RE: How do you risk assess infrastructure blueprints?

    Posted Aug 29, 2021 01:49:00 PM
    Definitely useful. I will typically use some version of 4+1, i.e. the deployment model is one of them.

    Reviewing each node and edge is a good way to know you have covered everything (at least in some superficial way). It of course misses n-order systems-level issues where compound failures or side channels, etc. are involved.

    Generating simple diagrams from Terraform or Ansible seems to be getting easier. I like this approach in particular:
    https://medium.com/analytics-vidhya/terraform-diagrams-provisioning-and-visualizing-a-simple-environment-on-aws-471f5d88c95d
    https://github.com/mingrammer/diagrams

    I know there are some commercial tools for this (e.g. LucidChart) but haven't had time to play with all of them.

    AWS specifically has CloudFormation Designer: pretty minimal but good enough to start if you need something quick (and everything is in Cfn). Like all AWS tools, it will probably get better over time.

    https://www.hava.io/ was recommended to me recently. Also AWS specific, but has some interesting ideas; the security views seem interesting. Haven't played with it but looks cool.

    In short, any tool, from a hand-created diagram to a fancy graph, that helps you enumerate the nodes and edges in a system will force you to think through how things are connected and the data flowing across boundaries. From there you can trace through the system, comprehensively visit all nodes and edges, and ideally use that to launch into more dynamic "what if" analysis.

    I should say there are several startups trying to automate and AI-ify this a bit, mostly from the attack/red teaming perspective and definitely only for enterprise budgets. Randori and XMCyber are a couple I have seen that do a great job at this, but not something a small IT shop might consider based on price.



    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------
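The node-and-edge walk described in post 10, combined with post 8's "how sensitive is the data" question, as an added example that is not from any poster or tool in this thread. It uses a constructed, simplified blueprint (resource address, trust zone, references, data label), not the real Terraform plan schema, and lists every boundary-crossing edge and every path from an internet-facing node to a resource holding sensitive data.

```python
"""Enumerate nodes/edges of an IaC blueprint and list internet-to-sensitive-data paths.

Constructed example: the BLUEPRINT dict below is a hypothetical, simplified view of
a deployment, not the Terraform/CloudFormation schema and not a real environment.
"""
from collections import deque

# Constructed blueprint: resource address -> trust zone, outgoing references, data label.
BLUEPRINT = {
    "aws_lb.public": {"zone": "internet", "refs": ["aws_instance.web"], "data": None},
    "aws_instance.web": {"zone": "dmz", "refs": ["aws_db_instance.ledger", "aws_s3_bucket.assets"], "data": None},
    "aws_db_instance.ledger": {"zone": "private", "refs": [], "data": "financial"},
    "aws_s3_bucket.assets": {"zone": "private", "refs": [], "data": "public"},
    "aws_instance.batch": {"zone": "private", "refs": ["aws_db_instance.ledger"], "data": None},
}
SENSITIVE = {"financial", "pii"}  # labels that answer "is it financial data?" with yes


def edges(blueprint):
    """Directed edges (resource -> referenced resource), one per reference."""
    return [(src, dst) for src, attrs in blueprint.items() for dst in attrs["refs"]]


def boundary_crossings(blueprint):
    """Edges whose endpoints sit in different trust zones: where a STRIDE review should focus."""
    return [(s, d) for s, d in edges(blueprint) if blueprint[s]["zone"] != blueprint[d]["zone"]]


def exposure_paths(blueprint):
    """Every simple path from an internet-facing node to a sensitive-data resource (BFS)."""
    found = []
    queue = deque([[n] for n, a in blueprint.items() if a["zone"] == "internet"])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if blueprint[node]["data"] in SENSITIVE:
            found.append(path)
        for nxt in blueprint[node]["refs"]:
            if nxt not in path:  # avoid cycles
                queue.append(path + [nxt])
    return found


def unvisited(blueprint, paths):
    """Nodes on no exposure path: still reviewed, but at lower priority."""
    seen = {n for p in paths for n in p}
    return sorted(set(blueprint) - seen)


if __name__ == "__main__":
    paths = exposure_paths(BLUEPRINT)
    for p in paths:
        print("exposure path:", " -> ".join(p))
    print("boundary crossings:", boundary_crossings(BLUEPRINT))
    print("not on any exposure path:", unvisited(BLUEPRINT, paths))
```

Swapping in resources parsed from a real plan output, with zones derived from subnet or security-group placement, turns this into the "what if" starting point the post describes.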