infosec at ludicrous speeds - rugged devops
Post on 13-May-2015
TRANSCRIPT
@RealGeneKim, genek@realgenekim.me
Security is Dead. Long Live Rugged DevOps:
IT at Ludicrous Speed…
Gene Kim, IT Revolution Press
Act I: IT Ops Fixing Fragile Artifacts
Act 2: The Product Managers
Act 3: The Developers
Act 4: IT Ops And Dev At War
Act 5: Nothing Left For Infosec
The Downward Spiral…
The IT Core Chronic Conflict
Every IT organization is pressured to simultaneously:
Respond more quickly to urgent business needs
Provide stable, secure and predictable IT service
Source: The authors acknowledge that Dr. Eliyahu Goldratt, creator of the Theory of Constraints and author of The Goal, has written extensively on the theory and practice of identifying and resolving core, chronic conflicts.
Every Company Is An IT Company…
95% of all capital projects have an IT component…
50% of all capital spending is technology-related
We are here…
Where we need to be…
IT is always in the way (again…)
There Must Be A Better Way…
Source: John Allspaw
Source: Theo Schlossnagle
Source: James Wickett
Source: John Jenkins, Amazon.com
The Three Ways And Six Prescriptive Steps Infosec Can Take
If I Could Wave A Magic Wand, Everyone Would…
Become conversant with DevOps and recognize the practices when you see them
Be energized about how infosec practitioners can contribute in this organizational journey
Leave with some concrete steps to get some great outcomes
Become a part of a team that starts putting DevOps practices into place
The First Way: Systems Thinking
(Business) (Customer)
The First Way: Systems Thinking (Left To Right)
Understand the flow of work
Always seek to increase flow
Never unconsciously pass defects downstream
Never allow local optimization to cause global degradation
Achieve profound understanding of the system
“Annual business planning sessions can be maddening. They think IT Operations is an ‘all you can eat buffet.’”
-- Ben Rockwood, Director Systems Engineering, Joyent
Practice #1: Define The Work and Make It Visible
Business projects (e.g., new order entry system)
Internal IT projects (e.g., create new environments, infosec remediation)
Changes (e.g., deploys, improve database performance)
Unplanned work (e.g., site down, site impaired, security incident)
Day 2: PMO Meeting
Practice #2: Create A One-Step Environment Creation Process
Make environments available early in the development process
Make sure Dev builds the code and the environment at the same time
Create a common Dev, QA and Production environment creation process
Change the Agile sprint policy:
“At the end of each sprint, we must have working code and the environment it runs in!”
Infosec Insurgency
Find the automated infrastructure project team (e.g., Puppet, Chef)
Release managers can provide hardening guidance
Integrate with and extend their production configuration monitoring
Put ASSERTs in place to find misconfigurations, enforce https, etc.
Define which changes/deploys cannot be made without triggering a full retest
The First Way: Outcomes
Creating a single repository for code and environments
Determinism in the release process
Consistent Dev, QA, Int, and Staging environments, all properly built before deployment begins
Decreased cycle time
Reduced deployment times from 6 hours to 45 minutes
Refactored a deployment process that had 1300+ steps spanning 4 weeks
Faster release cadence
The Second Way: Amplify Feedback Loops (Right To Left)
Understand and respond to the needs of all customers, internal and external
Shorten and amplify all feedback loops: stop the line when necessary
Create quality at the source
Create and embed knowledge where we need it
The Toyota Andon Cord
“We found that when we woke up developers at 2am, defects got fixed faster than ever.”
-- Patrick Lightbody, CEO, BrowserMob
Pattern #3: Embed Dev Into IT Ops
Embed Dev into the IT Ops incident escalation process
Invite Dev to post-mortems/root cause analysis meetings
Have Dev and Infosec cross-train IT Operations
Ensure application monitoring/metrics to aid in Ops and Infosec work (e.g., incident/problem management)
The Second Way:Outcomes
Defects and security issues getting fixed faster than ever
Reusable Ops and Infosec user stories now part of the Agile process
All groups communicating and coordinating better
Everybody is getting more work done
The Third Way: Culture Of Continual Experimentation And Learning
Foster a culture that rewards:
Experimentation (taking risks) and learning from failure
Repetition is the prerequisite to mastery
Why? You need a culture that keeps pushing into the danger zone
And have the habits that enable you to survive in the danger zone
Break Things Early And Often
“Do painful things more frequently, so you can make it less painful… We don’t get pushback from Dev, because they know it makes rollouts smoother.”
-- Adrian Cockcroft, Architect, Netflix
Pattern #5: Inject Failures Often
You Don’t Choose Chaos Monkey…Chaos Monkey Chooses You
Pattern #6: Break Things Before Production
Enforce consistency in code, environments and configurations across the environments
Add your ASSERTs to find misconfigurations, enforce https, etc.
Add static code analysis to automated continuous integration and testing process
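The configuration ASSERTs that both the Infosec Insurgency slide and this pattern call for (find misconfigurations, enforce https), as an added example that is not part of Gene Kim's deck: a small Python gate that parses an nginx-style config and fails the build on a plaintext listener that does not redirect to https, weak TLS versions, a missing or short-lived Strict-Transport-Security header, and server_tokens left on. The minimal parser, the policy thresholds (WEAK_TLS, MIN_HSTS_MAX_AGE) and both sample configs are assumptions constructed for illustration; swap in your own release managers' hardening guidance.

```python
"""CI 'ASSERTs' over an nginx-style config: fail the build on plaintext HTTP without a
redirect, weak TLS versions, weak/missing HSTS and version banners. Added example, not from
the slides; the parser is minimal and both sample configs below are constructed."""
import re
import shlex
from dataclasses import dataclass, field

# Assumed policy values; align them with your own hardening guidance.
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_MAX_AGE = 31536000  # one year

@dataclass
class Server:
    listens: list = field(default_factory=list)     # args of each 'listen' directive
    directives: dict = field(default_factory=dict)  # directive name -> list of arg lists

# a statement ending in ';' or opening a '{' block (quoted strings kept whole), or a '}'
_TOKEN = re.compile(r"""((?:"[^"]*"|'[^']*'|[^;{}"'])+)([;{])|(\})""")

def parse_servers(text):
    """One Server per 'server { ... }' block; nested blocks (location) attach to their server."""
    text = re.sub(r"#.*", "", text)  # strip comments (assumes no '#' inside quoted strings)
    servers, stack, current = [], [], None
    for stmt, opener, closer in _TOKEN.findall(text):
        if closer:
            if stack.pop() == "server":
                servers.append(current)
                current = None
            continue
        words = shlex.split(stmt)
        if not words:
            continue
        if opener == "{":
            stack.append(words[0])
            if words[0] == "server":
                current = Server()
        elif current is not None:  # http{}-level directives are out of scope here
            name, args = words[0], words[1:]
            if name == "listen":
                current.listens.append(args)
            current.directives.setdefault(name, []).append(args)
    return servers

def check_server(srv):
    """The ASSERTs for one server block; returns human-readable findings."""
    findings = []
    plain = [a for a in srv.listens if "ssl" not in a]
    redirects = [a for a in srv.directives.get("return", [])
                 if len(a) >= 2 and a[0] in ("301", "308") and a[1].startswith("https://")]
    if plain and not redirects:
        findings.append("plaintext listener '%s' serves content instead of redirecting to https"
                        % " ".join(plain[0]))
    if any("ssl" in a for a in srv.listens):
        protos = {p for a in srv.directives.get("ssl_protocols", []) for p in a}
        if not protos:
            findings.append("ssl_protocols not set explicitly")
        elif protos & WEAK_TLS:
            findings.append("weak TLS versions enabled: " + ", ".join(sorted(protos & WEAK_TLS)))
        hsts = [a for a in srv.directives.get("add_header", [])
                if a and a[0].lower() == "strict-transport-security"]
        max_age = re.search(r"max-age=(\d+)", " ".join(hsts[0][1:])) if hsts else None
        if not hsts:
            findings.append("missing Strict-Transport-Security header")
        elif not max_age or int(max_age.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below %d" % MIN_HSTS_MAX_AGE)
    if ["on"] in srv.directives.get("server_tokens", []):
        findings.append("server_tokens on leaks the server version banner")
    return findings

def audit(text):
    """Run every ASSERT over every server block; an empty list means the gate passes."""
    return ["server %d: %s" % (i, f)
            for i, srv in enumerate(parse_servers(text), 1) for f in check_server(srv)]

WEAK_CONFIG = """
server {
    listen 80;
    location / { proxy_pass http://127.0.0.1:8080; }
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # kept for legacy clients
    server_tokens on;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""
HARDENED_CONFIG = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    server_tokens off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""
```

In the CI job, read the rendered config out of the same Puppet or Chef run that builds the environment, call audit() on it and fail the stage on any finding; audit(WEAK_CONFIG) returns four findings while audit(HARDENED_CONFIG) returns none. Because the checks run against the environment definition rather than a live host, the same test passes or fails identically in Dev, QA and Production, which is what makes it a "break it before production" control rather than an audit after the fact.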
Pattern #6: Allocate 20% Of Cycles To Technical Debt Reduction
Recognize Compounding Technical Debt…
That Gets Worse…
And Fixing It…
Source: Pingdom
An Innovation Culture
“By installing a rampant innovation culture, they now do 165 experiments in the three months of tax season.
Our business result? Conversion rate of the website is up 50 percent. Employee result? Everyone loves it, because now their ideas can make it to market.”
--Scott Cook, Intuit Founder
Why Do I Think This Is Important?
The Downward Spiral…
The Three Ways: Some Patterns
First Way: Define The Work And Make It Visible; Make Environments Available Early
Second Way: Wake Up Developers; Embed Dev Into IT Operations
Third Way: Break Things Early And Often; Reserve 20% Of Cycles For Technical Debt Reduction
Help The Business Win…
With Support From Your Peers…
And Do More With Less Effort…
When IT Fails: A Business Novel and The DevOps Cookbook
Coming January 15, 2013 and Q1 2013
“The greatest IT management book of our generation.” Branden Williams, CTO Marketing, RSA
“The lessons in When IT Fails might just save your business if IT fails for you. Every IT executive should share this book with their business peers.” James Turnbull, VP Operations, Puppet Labs and author of “Pro Puppet”
“This book will have a profound effect on IT, just as The Goal did for manufacturing.” Jez Humble, co-author of the Jolt award-winning book Continuous Delivery, and Principal at ThoughtWorks Studios.
Our Mission: Positively Impact The Lives Of One Million IT Workers By 2017
For these slides, the “Top 10 Things You Need To Know About DevOps,” Rugged DevOps resources, and updates on the book:
Sign up at http://itrevolution.com Email genek@realgenekim.me
Or text “[email] 74730” to +1 (858) 598-3980
Visit: http://www.instantcustomer.com/go/74730