Developing a Rugged DevOps Approach to Cloud Security (Updated)
TRANSCRIPT
Copyright © 2015 evident.io
THE MARRIAGE OF SECOPS AND DEVOPS
Adapted from material presented by DevOps.com and Evident.io
Sebastian Taphanel, CISSP-ISSEP
Principal Solutions Architect
September 29th, 2016
Alan Shimel, Founder and Editor-In-Chief at DevOps.com, is an often-cited personality in the security and technology community and a sought-after speaker at industry and government events. Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology.
CEO Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes. Tim led technology teams at Adobe, Ingenuity, Ticketmaster, and McAfee.
Original Contributors:
Gene Kim is a multiple-award-winning CTO, researcher and author. He was founder and CTO of Tripwire for 13 years. He has written three books, including The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win and the upcoming DevOps Handbook. He has worked with some of the top Internet companies on improving deployment flow and increasing the rigor around IT operational processes.
Shannon Lietz has over two decades of experience pursuing advanced security defenses and next-generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit, where she is responsible for setting and driving the company’s cloud security strategy, roadmap and implementation in support of corporate innovation. Before joining Intuit, Ms. Lietz worked for ServiceNow and Sony, and consulted for many Fortune 500 organizations.
…DevSecOps is an Evolving Story
CLOUD SECURITY THEN AND NOW
(Diagram comparing the “From” and “To” states)
DEVSECOPS: INNOVATIVE SOLUTIONS
Issues:
• DevOps Requires Continuous Deployments
• Fast Decision Making is Critical to Success
• Traditional Security Doesn’t Scale or Move Fast Enough
DevSecOps Solutions:
• Security Automation
• Security to Scale
• Objective Criteria
• Proactive Security Monitoring
• Continuous Detection & Response
THE DEVSECOPS MANIFESTO
• Leaning in vs. Saying “No”
• Data & Security Science vs. FUD
• Open Collaboration vs. Security-Only Requirements
• Security Services with APIs vs. Mandated Controls
• Business Driven Security vs. Rubber Stamp Security
• Red & Blue Team Exploit Testing vs. Theoretical Vulnerabilities
• 24x7 Proactive Security vs. Reacting
• Shared Threat Intelligence vs. Silos
• Compliance Operations vs. Checklists
Via: http://www.devsecops.org
SECURITY AS CODE
The code that describes the infrastructure should inherit the same values applied to application code:
• Not JUST Revision Control
• Make Use of Bug Tracking/Ticketing Systems
• Peer Reviews of Changes Before They Happen
• Establish Infrastructure Code Patterns/Designs
• Test Infrastructure Changes Like Code Changes
Security as Code
VS.
SECURITY VIA APIs
• Programmatically Test Environments
• Determine State at a Specific Point in Time
• Repeatable Processes
• Scalable Operations
• Easy Automation
• Repeatable
• Auditable
• Easy to Iterate
• Environmental Consistency
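One way to put the “Security as Code” and “Security via APIs” slides into practice, as an added example that is not from the presentation: a policy check over AWS security groups in the shape boto3's describe_security_groups returns, so the same function can run in CI over a saved snapshot (testing infrastructure changes like code changes) or over live API output (state at a point in time). The admin-port list, group IDs and snapshot are constructed for illustration.

```python
"""Policy-as-code check: no admin port may be reachable from the whole Internet.
Input is the list from boto3 ec2.describe_security_groups()["SecurityGroups"],
whether pulled live (point-in-time state) or saved as a JSON snapshot for CI."""

ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}  # SSH, RDP, MySQL, Postgres, Redis, Mongo
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def _port_range(rule):
    # IpProtocol "-1" means all protocols and ports; FromPort/ToPort are then absent.
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort"), rule.get("ToPort")

def world_open_admin_ports(groups):
    """Return (group_id, cidr, exposed_admin_ports) for every world-open rule."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            lo, hi = _port_range(rule)
            if lo is None or hi is None:  # e.g. ICMP rules carry no port range
                continue
            exposed = tuple(sorted(p for p in ADMIN_PORTS if lo <= p <= hi))
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if exposed and cidr in WORLD_CIDRS:
                    findings.append((sg["GroupId"], cidr, exposed))
    return findings

# Constructed sample snapshot (not real account data): one clean, one risky group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    hits = world_open_admin_ports(SAMPLE_GROUPS)
    for group_id, cidr, ports in hits:
        print(f"FAIL {group_id}: admin ports {ports} open to {cidr}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the pipeline stage
```

Commit the snapshot next to the infrastructure code so a pull request that widens a rule fails review before it reaches an account.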
DEVSECOPS IS A TEAM SPORT
Operations
Red Team
Blue Team
Developers
Security
BE READY TO MAKE DECISIONS
DEVSECOPS SUCCESS
Keys to Success:
• Detecting and Resolving Security Issues Quickly
• Using Native Security Capabilities When Possible
• Enlisting and Enabling the Organization
• Educating Inline with Bite-Size Chunks
DEVSECOPS PRINCIPLES
• DevSecOps is a Journey, not a Destination
• Small Security Teams Can Have a Profound Impact
• Organize Around Self-Service and Enablement
• Translate Security for the Layperson
• Perfection is the Enemy… get Rugged
Alan Shimel
• DevOps.com
• [email protected]
• @ashimmy
Gene Kim
• [email protected]
• @RealGeneKim
Tim Prendergast
• Evident.io
• [email protected]
• @auxome
Original Contributors:
Shannon Lietz
• Intuit.com
• [email protected]
Q & A - ANY QUESTIONS?