Deploying R in a Secure Environment
Jared P. Lander
Lander Analytics
What are we Deploying?
Where do we Deploy R and Friends?
How Locked Down are These Environments?
What Industries Use the Higher Security Levels?
How do Organizations Trust Us?
Industry
- Private Background Check
- Drug Tests
- Training
  - Cyber Security
  - Insider Trading
  - Personally Identifiable Information
Government
- Clearance
  - Public Trust
  - Secret
  - Top Secret
  - Top Secret SCI
- Training
  - Cyber Security
  - Insider Threat
  - Personally Identifiable Information
How do we Access these Machines?
Now That We’re Inside
- Workbench
- Connect
- Package Manager
- Postgres
- NGINX
Workbench
- Install
  - R
  - Python
  - Basic Packages
  - System Libraries
  - Workbench
- Volumes
  - Home Directories
  - Config Directory
- Configure
  - Authentication Provider
  - Connection to Databases
  - Connection to Metadata Database
  - Default Package Repo
  - Listening Port
Connect
- Install
  - R
  - Python
  - Basic Packages
  - System Libraries
  - Connect
- Volumes
  - Content Directory
  - Config Directory
- Configure
  - Authentication Provider
  - Connection to Databases
  - Connection to Metadata Database
  - Listening Port
  - Serving URL
  - Email Service
Package Manager
- Install
  - R
  - Python
  - System Libraries
  - Package Manager
- Volumes
  - Storage Directory
  - Config Directory
- Configure
  - Connection to Metadata Database
  - Listening Port
  - Git Repos
Postgres
- Install
- Volumes
  - Storage Directory
  - Config Directory
- Configure
NGINX
- Install
- Volumes
- Configure
  - URL Routings
  - Security Escalation
  - Certificates
Vulnerability Scans
- Scan Every Image
- Report all CVEs
- Identify What We Can Change
Hardening
- Remove any Unused Service
- Close Unused Ports
- Avoid Packages that Make Internet Requests
Getting the Images to the Airgapped Machines
Getting Packages to the Airgapped Machines
- R Only, no PyPI yet (use Artifactory)
- Download packages on internet-connected machine
- Move to airgapped machine
Activating Licenses
- Offline Activation
- License Server
- Activation Keys
Securing User Connections
- Network Access Security
- Proper Authentication Integration
- Multi-Factor Authentication
- HTTPS connections/SSL Certs
Authentication
- Active Directory
- SAML
- Okta
- OAuth
Securing Database Connections
- All Secrets Stored in Environment Variables
- Service Accounts for Databases, Storage and APIs
- Use Kerberos to Pass Through Authentication from Login
Securing Content
- Network Access
- Authentication Provider
Key Considerations
Type Of Environment
How Locked Down?
How do we Move Files to Secure Network?
HTTPS/SSL Certs
Authentication
Do All of It
Thank You