Security In A DevOps World: Can It Happen?

Dyn Chief Technologist Cory von Wallenstein and New Context Practice Owner John Martin conducted a webinar on how the culture of DevOps and security can co-exist. Enjoy these slides and be sure to check out their webinar at Dyn.com/webinars.

Published in: Technology

  1. Security in a DevOps World: Collaboration, Automation and Compliance
     • Cory von Wallenstein, Chief Technologist, Dyn (@cvwdyn)
     • John Martin, Practice Owner, New Context (@tekbuddha)
  2. Speakers
     • Cory von Wallenstein, Chief Technologist, Dyn (@cvwdyn)
     • John Martin, Practice Owner, New Context (@tekbuddha)
  3. Why?
     • Greater agility fuels competitive advantage
     • Your business wants (needs) to deliver new products in a faster, safer manner
     • Time between deploys is shrinking
     • Continuous [Delivery|Deployment] is becoming the norm
  4. DevOps: Cultural
  5. DevOps: Cultural, Structural
  6. DevOps: Cultural, Structural, Tooling
  7. DevOps: Cultural, Structural, Tooling. Collaboration Fueling Agility
  8. DevOps: Cultural, Structural, Tooling. Collaboration Fueling Agility
     • “Conduct blameless post-mortems, and you’ll be set”
  9. DevOps: Cultural, Structural, Tooling. Collaboration Fueling Agility
     • “Use config management framework X, and you’ll be set”
     • “Conduct blameless post-mortems, and you’ll be set”
  10. DevOps: Cultural, Structural, Tooling. Collaboration Fueling Agility
     • “Use config management framework X, and you’ll be set”
     • “Conduct blameless post-mortems, and you’ll be set”
     • “Give root access to all devs, and you’ll be set”
  11. Security. From the PCI DSS requirements:
     • 6.4.1 Separate development/test and production environments
     • 6.4.2 Separation of duties between development/test and production environments
  12. DevOps AND Security: Three Stories
  13. Story #1: The Situation
     • Lots of “legacy” culture, but desire to become a DevOps shop
     • PCI compliance requirements
     • Hard work to increase collaboration between Dev & Ops
     • Developers on-call
     • Developers in production
     • How to maintain compliance?
  14. Story #1: The Solution
     • Provide tooling to empower teams to have information necessary to do their job.
       – Puppet/Chef
       – Splunk
       – OpenTSDB
     • When SSH was needed, it was granted and audited.
     • Auditor’s satisfaction: High
  15. Story #2 – New Context: The Situation
     • No PCI compliance requirements
     • But “eat our own dog food” practitioners
     • Security highly important
     • Developers in production
     • How to stay secure?
  16. Story #2 – New Context: The Solution
     • Provide tooling to empower teams to have information necessary to do their job.
       – Chef
       – Logstash
       – Graphite/statsd, dashing
       – Home grown auditing tooling
     • When SSH is needed, it is granted and audited.
  17. Story #3 – Dyn: The Situation
     • 16-year overnight success story, now nearly 300 people worldwide, many global systems
     • Sales channels from self-service to enterprise to OEM
       – Lots of credit cards, ACH, POs, etc.
     • Mission critical infrastructure
       – security compliance
     • Scaling a team and systems rapidly, while ensuring business agility and security
  18. Story #3 – Dyn: The Solution
     • People
       – Spent nine months finding the RIGHT security director
       – Cross-functional security vs silo security; educational approach
       – Part of our scrums… DevSecOps… AllOps… *Ops
     • Scope and Architecture
       – Avoiding monolithic architectures that require everyone to have access to everything
       – Smart microservices for scoping balance of agility and security risk
       – Tokenize payment card info; may make sense to outsource
  19. whois New Context
     • Systems Automation: Reduces costs and error rates, improves time to market and begins to secure sensitive areas
     • Information Assurance: The key function in a trusted data infrastructure, alerts of inside or outside hacking, prevents data loss, and identifies forgeries
     • Cloud Orchestration: This is being prepared for success, how you scale to meet demand, how you remove single points of failure and serve every customer
  20. whois Dyn: Dyn /delivers/ Internet Performance
     • Traffic management (user types “twitter.com”)
     • Message management (user receives “file shared” email from Box)
     • Performance assurance (understand your Internet performance)
  21. dyn.com/webinars
     • How to move your DC to cloud infrastructure (securely)
     • DNS Security: How to be PCI compliant
     • Everything you need to know about DNS security
     • Everything you need to know about DDoS
