DEVOPS TALKS CONFERENCE 2018
MELBOURNE, March 22-23
Mission Possible:
Balancing DevOps Velocity with Security Risk
Elizabeth Lawler, Vice President, DevOps Security, CyberArk
09.04.2018 Melbourne — March 22-23
What I Get Excited About…
• Cybersecurity and DevOps
• Providing better security-related experiences
• Access controls at scale for “silica users”
• My husband, kids, dog, cat and chickens
Developers want to run fast, but are organizations equipped to handle the security risk that comes with DevOps speed?
CODE DELIVERY = REVENUE GROWTH
Companies with faster code delivery were 62% more likely to see YoY revenue growth of 25% or more.
[Chart: Slower Code Delivery vs. Faster Code Delivery]
Source: EMA, “DevOps/Continuous Delivery Tooling: Launchpad for the Digital Enterprise,” 2017.
THE NEW NORM
• CLOUD-NATIVE
• CONTAINERS
• DEVOPS
• CONTINUOUS DELIVERY
• MICROSERVICES
BUT
• 51% of security pros say there is no relationship between IT security and business innovation
• 75% of organizations don’t have a privileged account security strategy in place for DevOps
• 50% don’t have a privileged account security strategy in place for Cloud
Sources: F5 “The Evolving Role of CISOs and the Importance to the Business”; CyberArk “2018 Threat Landscape Report”
CURRENT STATE OF MANY DEVOPS DEPLOYMENTS
[Figure: axis labels Risk; DevOps Maturity (Low, High); DevOps Technology & Approaches (Manual, Hybrid, Fully Automated)]
DEVOPS NEEDS ITS OWN “SECURITY STACK”
• Security as a separate concern
• Deliver at an independent rate
• Not all cybersecurity tools are fit for purpose
CROWN JEWELS: Sensitive Infrastructure, Assets, and Data
• Cloud NW Perimeter
• System Build Configurations
• VM and Container Images
• Key Management
• Vulnerability Management
• Application Vulnerabilities
• Code Scanning/Static Analysis
• Data Loss Prevention
THE NEW NORM: CUSTOMER AND INDUSTRY REALITIES
• More Infrastructure
• More Applications
• More Privileged Actors
• More Automation
IT Admins, End Users, Privileged Business Users, SaaS Admins, DevOps Teams
THESE REALITIES CONTRIBUTE TO EXPANDED ATTACK SURFACE
• More Infrastructure
• More Applications
• More Privileged Actors
• More Automation
• More Privileged Security Risk
IT Admins, End Users, Privileged Business Users, SaaS Admins, DevOps Teams
PLAN FOR CONTINUOUS SECURITY AND COMPLIANCE
GET BUY-IN · PLAN · IMPROVE
• Get management buy-in to include security and compliance work in the normal planning and delivery processes
• Plan and work with Stories: Story #1: “Meet the compliance team [Spike]”
• Don’t let security and compliance be unplanned work
SECURING DEVOPS INITIATIVES IS A TEAM SPORT
TAKE SIMPLE STEPS TO SECURE DEVOPS
• Assess risks across Cloud and DevOps environments.
• Address basic Cloud and DevOps hygiene.
• Embed Security with developers and DevOps teams.
• Embrace security engineering and security automation.
Thank You
Elizabeth Lawler
Vice President, DevOps Security