Deploying R in a Secure Environment

Jared P. Lander

Lander Analytics

What are we Deploying?

Where do we Deploy R and Friends?

How Locked Down are These Environments?

What Industries Use the Higher Security Levels?

How do Organizations Trust Us?

Industry

  • Private Background Check
  • Drug Tests
  • Training
    • Cyber Security
    • Insider Trading
    • Personally Identifiable Information

Government

  • Clearance
    • Public Trust
    • Secret
    • Top Secret
    • Top Secret SCI
  • Training
    • Cyber Security
    • Insider Threat
    • Personally Identifiable Information

How do we Access these Machines?

Now That We’re Inside

  • Workbench
  • Connect
  • Package Manager
  • Postgres
  • NGINX

Workbench

  • Install
    • R
    • Python
    • Basic Packages
    • System Libraries
    • Workbench
  • Volumes
    • Home Directories
    • Config Directory
  • Configure
    • Authentication Provider
    • Connection to Databases
    • Connection to Metadata Database
    • Default Package Repo
    • Listening Port

Connect

  • Install
    • R
    • Python
    • Basic Packages
    • System Libraries
    • Connect
  • Volumes
    • Content Directory
    • Config Directory
  • Configure
    • Authentication Provider
    • Connection to Databases
    • Connection to Metadata Database
    • Listening Port
    • Serving URL
    • Email Service

Package Manager

  • Install
    • R
    • Python
    • System Libraries
    • Package Manager
  • Volumes
    • Storage Directory
    • Config Directory
  • Configure
    • Connection to Metadata Database
    • Listening Port
    • Git Repos

Postgres

  • Install
    • Postgres
  • Volumes
    • Storage Directory
    • Config Directory
  • Configure
    • Listening Port

NGINX

  • Install
    • NGINX
  • Volumes
    • Config Directory
  • Configure
    • URL Routings
    • Security Escalation
    • Certificates

Vulnerability Scans

  • Scan Every Image
  • Report all CVEs
  • Identify What We Can Change

Hardening

  • Remove any Unused Service
  • Close Unused Ports
  • Avoid Packages that Make Internet Requests

Getting the Images to the Airgapped Machines

Getting Packages to the Airgapped Machines

  • R Only, no PyPI yet (use Artifactory)
  • Download packages on internet-connected machine
  • Move to airgapped machine
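
One way to check that the downloaded packages arrive on the airgapped machine unchanged. This is an added example, not part of the original slides or of any product they mention; the function names, the `SHA256SUMS` file name and the directory layout are assumptions, and it relies on GNU `sha256sum`.

```shell
#!/usr/bin/env bash
# Added example: function names and the manifest file name are hypothetical.

# Internet-connected machine: record a SHA-256 for every file under "$1"
# (the directory holding the downloaded package tarballs).
make_manifest() {
  ( cd "$1" || exit 1
    find . -type f ! -name SHA256SUMS -exec sha256sum {} + |
      LC_ALL=C sort -k2 > SHA256SUMS )
}

# Airgapped machine: run after the transfer. Exit status:
#   0 = every listed file matches and nothing unlisted is present
#   2 = manifest missing
#   3 = a listed file is missing or its content changed
#   4 = the set of files differs from the manifest (e.g. a file was added)
verify_manifest() {
  ( cd "$1" || exit 1
    [ -f SHA256SUMS ] || { echo "manifest missing" >&2; exit 2; }
    sha256sum --quiet -c SHA256SUMS >&2 || exit 3
    # sha256sum -c ignores files that are not in the manifest, so compare
    # the listed paths with what is actually on disk.
    listed=$(sed 's/^[0-9a-f]\{64\} [ *]//' SHA256SUMS | LC_ALL=C sort)
    present=$(find . -type f ! -name SHA256SUMS | LC_ALL=C sort)
    [ "$listed" = "$present" ] || { echo "unlisted file present" >&2; exit 4; }
  )
}
```

The manifest travels with the packages, so it only catches accidental corruption or changes made after it was written; carrying or signing it separately is what protects against someone altering both.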

Activating Licenses

  • Offline Activation
  • License Server
  • Activation Keys

Securing User Connections

  • Network Access Security
  • Proper Authentication Integration
  • Multi-Factor Authentication
  • HTTPS Connections/SSL Certs

Authentication

  • Active Directory
  • SAML
  • Okta
  • OAuth

Securing Database Connections

  • All Secrets Stored in Environment Variables
  • Service Accounts for Databases, Storage and APIs
  • Use Kerberos to Pass Through Authentication from Login

Securing Content

  • Network Access
  • Authentication Provider

Key Considerations

Type Of Environment

How Locked Down?

How do we Move Files to Secure Network?

HTTPS/SSL Certs

Authentication

Do All of It

All Set

Thank You