DEVOPS TALKS

CONFERENCE

2018

MELBOURNEMarch 22-23

DEVOPS TALKS

MELBOURNEMarch 22-23

CONFERENCE

Mission Possible:

Balancing DevOps Velocity with Security Risk

Elizabeth LawlerVice President, DevOps Security, CyberArk

09.04.2018 3Melbourne — March 22-23

DEVOPS TALKS CONFERENCE 2018

What I Get Excited About….

Cybersecurity and DevOps

Providing better security related

experiences

Access controls at scale for “silica

users”

My husband, kids, dog, cat and chickens

09.04.2018 4Melbourne — March 22-23

DEVOPS TALKS CONFERENCE 2018

Developers want to run fast, but are organizations equipped to handle the security risk that comes with

DevOps speed?

5

Source: EMA, “DevOps/Continuous Delivery Tooling: Launchpad for the Digital Enterprise,” 2017.

Companies with faster code

delivery were

62%more likely to see YoY revenue

growth of 25% or more

Slower Code Delivery

Faster Code Delivery

CODE DELIVERY = REVENUE GROWTH

$

6

CLOUD-NATIVE

CONTAINERS

DEVOPS CONTINUOUSDELIVERY

MICROSERVICES

THE NEW NORM

7

Sources: F5 “The Evolving Role of CISOs and the Importance to the Business”

CyberArk “2018 Threat Landscape Report”

BUT

51%

of security pros says there is no relationship

between IT security and business innovation

75%

of organizations don’t have a privileged

account security strategy in place for DevOps

50%

don’t have a privileged account security

strategy in place for for Cloud

8

Manual

DevOps

Maturity

Low

High

DevOps Technology & Approaches

Fully

AutomatedHybrid

Risk

CURRENT STATE OF MANY DEVOPS DEPLOYMENTS

• Security as a separate concern

• Deliver at an independent rate

• Not all cybersecurity tools are

fit for purpose

DEVOPS NEEDS ITS OWN “SECURITY STACK”

10

Cloud

NW Perimeter

System Build

Configurations

VM and Container

Images

Key Management

CROWNJEWELSSensitive Infrastructure,

Assets, and Data

Vulnerability

Management

Application

Vulnerabilities

Code

Scanning/Static

Analysis

Data Loss

Prevention

11

• More Infrastructure

• More Applications

• More Privileged Actors

• More Automation

THE NEW NORM: CUSTOMER AND INDUSTRY REALITIES

IT Admins, End Users, Privileged Business Users, SaaS Admins, DevOps Teams

12

IT Admins, End Users, Privileged Business Users, SaaS Admins, DevOps Teams

THESE REALITIES CONTRIBUTE TO EXPANDED ATTACK SURFACE

• More Infrastructure

• More Applications

• More Privileged Actors

• More Automation

• More Privileged Security Risk

GET BUY-IN PLAN IMPROVE

PLAN FOR CONTINUOUS SECURITY AND COMPLIANCE

• Get management buy-in to include security and compliance work in the normal planning

and delivery processes

• Plan and work with Stories: Story #1: “Meet the compliance team [Spike]”

• Don’t let security and compliance be unplanned work

SECURING DEVOPS INITIATIVES IS A TEAM SPORT

TAKE SIMPLE STEPS TO SECURE DEVOPS

Assess risks across Cloud and DevOps environments.

Address basic Cloud and DevOps hygiene.

Embed Security with developers and DevOps teams.

Embrace security engineering and security automation.

1

2

4

3

DEVOPS TALKS

MELBOURNEMarch 22-23

CONFERENCE

Thank You

Elizabeth Lawler

Vice President, DevOps Security, CyberArkElizabeth.Lawler@cyberark.com