Security Loves DevOps: DevOpsDays Austin 2012

DevOps & Security James Turnbull Puppet Labs DEVOPSDAYS AUSTIN 2012

Who me?• Puppet Labs employee• Security boffin• Open source fan• Author• Australian• Expletives DEVOPSDAYS AUSTIN 2012

More introductionsDoes anyone here work in Security? DEVOPSDAYS AUSTIN 2012

Three things I hated about Security1. Not being liked2. Not being effective3. Not being happy DEVOPSDAYS AUSTIN 2012

Meme theft… DEVOPSDAYS AUSTIN 2012

What IT think Security do DEVOPSDAYS AUSTIN 2012

What the business think Security do DEVOPSDAYS AUSTIN 2012

What Security people think they do DEVOPSDAYS AUSTIN 2012

What Security Isn’t DEVOPSDAYS AUSTIN 2012

What Security Is (or Should Be)• Partnership not conflict• Servicing and Protecting all customers• Allowing increased risk appetite• Enabling the business to do business DEVOPSDAYS AUSTIN 2012

The Intersection DEVOPSDAYS AUSTIN 2012

Security people are people too DEVOPSDAYS AUSTIN 2012

Security people are people too• Developer People• Ops People• DBA People• Network People• Storage People DEVOPSDAYS AUSTIN 2012

DevOps & SecurityYou should care about security too! DEVOPSDAYS AUSTIN 2012

DevOps & Security Evolution is mutual DEVOPSDAYS AUSTIN 2012

Getting Security to Listen It’s all about the culture DEVOPSDAYS AUSTIN 2012

Getting Security to ListenDestroy the blame culture DEVOPSDAYS AUSTIN 2012

Getting Security to Listen Speak the same language DEVOPSDAYS AUSTIN 2012

Getting Security to Listen "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducingrisk to an acceptable level, based on the value of the information resource to the organization.” DEVOPSDAYS AUSTIN 2012 - CISA

Getting Security to ListenLet the business do business with the right controls DEVOPSDAYS AUSTIN 2012

Talking Controls• Provisioning & Deployment: Efficiency• Configuration Management: Inconsistency is the enemy of security• Incident Management: Information is King• Audit: Magic away auditors DEVOPSDAYS AUSTIN 2012

Ideas for Collaboration DEVOPSDAYS AUSTIN 2012

DevOps & Security• Get roles and responsibilities right• Security people are (skilled) people too• Risk Register diving DEVOPSDAYS AUSTIN 2012

Dev & Security• Put Security people into Dev• Gather security requirements early• Designed for security == Deployed sanely & securely DEVOPSDAYS AUSTIN 2012

Ops & Security• Embed Security into Ops escalation• Invite Security to post-mortems• Expose Security to your metrics & data DEVOPSDAYS AUSTIN 2012

Thanks James Turnbulljames@puppetlabs.com @kartar http://www.kartar.net DEVOPSDAYS AUSTIN 2012

http://devopsangle.com	66
http://siliconangle.com	41
http://www.linkedin.com	3
https://twimg0-a.akamaihd.net	1
https://si0.twimg.com	1
http://coderwall.com	1

Security Loves DevOps: DevOpsDays Austin 2012

by James Turnbull on Apr 02, 2012

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 113

Statistics

Security Loves DevOps: DevOpsDays Austin 2012 Presentation Transcript