Presentation about Cloud Security at Scania 2019, given at the yearly auto:CODE we.CONECT conference in Berlin.
What needs have driven the Cloud movement, and how to further improve agility with empowered feature teams that work securely and autonomously in the AWS Cloud.
3. Disclaimer
There is no official Scania “DevSecOps manifest definition”.
DevSecOps in this presentation is only one view of DevSecOps, based on the presenter's experience in building, deploying and operating software in a secure way.
4. in the early days…
More features quicker
Stability
11. Deploy frequency
- Scania Connected Services
• 2011
– Software projects
• 2-3 in parallel
• 3 deploys per year
• 2015
– Agile teams
• 12 deploys per year
• 2016
– Autonomous Teams
• Continuous Delivery
• 30+ Prod deploys per day
1. Microservice Architecture
2. Challenged and improved infra related processes
3. Trust and courage from management
Continuous Integration
Infrastructure changes NOT included
15. 1000+ Engineers and 400+ AWS accounts
[Figure: organization chart of Feature Teams grouped around Delivery Engineering satellites. FT = Feature Team, DE = Delivery Engineering (Cloud Satellite)]
Multiple other departments co-located in same building
Cloud Adoption (~10 engineers)
Dev-teams that move to “DevOps”-teams with no investment tend to struggle in their cloud journey
16. Greenfield AWS setup
Version Control cloud enabled
AWS multi account strategy
Immutable infrastructure
In each Feature Team!
Read Only in Prod for human beings
NO CLOUD OPS
18. Cloud Security Team - Mission
Increase organizational awareness of Cloud security through education,
visualization and communication. Creating a risk aware culture that makes
continuous security compliance everyone’s responsibility.
19. Cloud Security Team - Principles
Gamifying Security
Get out from the cave
Don’t just say “NO”
Ubiquitous encryption
Cloud Native Security
Share failures
Scania’s DevSecOps Approach – Gamifying Security in the Cloud
Anders will share Scania’s journey to the Cloud: how we have transformed the organization, and our strategies for enabling teams to work autonomously with building, shipping and securing their applications in AWS.
Key Takeaways
* Establishing Self-Sufficient, Autonomous Software Teams
* Managing 100+ Teams and 400+ Accounts in The Cloud
* How We Make Security Fun for Developers via Gamification
* Security Is Everyone’s Job!
Ops1: “Wait until Tuesday’s CAB!”
Dev1: “You must start to code and version your stuff”
Dev2: “Use my repo. I’ll be contributing”
2+ servers (load balanced)
No state on servers
Live upgrade of Database schema
Moved from software projects to agile teams and continuous integration.
Even with continuous integration and agile teams, it is hard to maintain a big codebase.
Also about 4 times more check-ins with the microservice architecture.
Version control hosted in the cloud: VCS is like bread and butter. Free for everyone. Enabled full automation in AWS.
Over 50 engineers participated in the security jam.
13 teams with 4 engineers in each team.
Hello. This is a summary of the AWS Security Jam event hosted by AWS Professional Services and Scania Cloud Adoption.
The day started with a short introduction on how to register and get started with the Security Jam.
There were 10 challenges of various difficulty. Taking clues reduced the score for accomplishing a challenge.
6 hours of focused work ended up in, without doubt, amazing results.
Exciting to follow the scoreboard as the day progressed.