Security & DevOps - What We Have Here Is a Failure to Communicate!

COPYRIGHT © 2020 ACCELERATED STRATEGIES GROUP, INC. ALL RIGHTS RESERVED.
March 11, 2020
Webinar Sponsored by

COPYRIGHT © 2020 ACCELERATED STRATEGIES GROUP, INC. ALL RIGHTS RESERVED
Speaker Introduction
Mitch Ashley
CEO and Managing Analyst
Security Product CTO, Product Dev
Enterprise and US Dept of Defense
CIO, IT Dev and Security
Cloud-Native, SaaS, Large systems and Mobile

Accelerated Strategies Group
Analysts
Digital Transformation, DevOps,
Cloud-Native and Cybersecurity
Open Source Business Model
Analyze • Inform • Advise • Realize
Industry Leaders: Analysts, Practitioners,
Speakers and Authors

Dev
+
Security
= ?
DevSecOps

Code Vulnerability Scanning
Software Composition Analysis
PAM (Privileged Access Management)
Secrets Manager
Confidentiality, Integrity, Availability
Build Run
SecOps
ShiftLeft
Incident Response
Audits
Compliance and Controls
Software Is Eating The World
DevOps
Toolchain
Pipeline
Cloud-Native
PKI
Zero Trust Model
APIs
Attack Surface
Patterns
Containers
Risk Management
Open Source
ATP
Identity Management SRE
Threat Management
Automation
CI/CD

“What we've got here is…
failure to communicate
- Captain, Cool Hand Luke
Cool Hand Luke, Credit: Warner Bros. Entertainment [Public Domain]

Security across the organization
Governance
Zero Trust
Security through Obscurity
Security Controls and Audit
Threat Response
Privacy
Speed and Reliability
Creativity & Design
Deploy - Rapidly Deliver New Capabilities
Automation
Quality
Friction & Delays are the Enemy
Shorten the Dev Cycle
Motivations : Compatibility / Conflict

DevSecOps & ShiftLeft:
Can Security and Dev Work Together?

Defining DevSecOps
Credit: Shannon Lietz, Director DevSecOps, Intuit
Creator of DevSecOps.com and DevSecOps Manafesto, 2012-2015

”Creating a well-designed cloud Identity Architecture
brings development and security together, creating a
foundation to work together and build upon.”
- CISO, A Fortune 500 Food Services Company

- Informal/Team security controls
- Account Sharing
- Across multiple oss/tools/vaults
- Compliance & Policy Violations
Dev Team

- Account Sharing
- Lifecycle Management
- Credential injection
- On Prem and Cloud
- Policy Engine, Audit, Compliance
Privileged Access ManagementDev Team

- Account Sharing
- On Prem and Cloud
Privileged Access Management
- Security Champion(s) in Dev
- APIs : Dev/Automation Friendly
- High Performance
- Distributed Dev
- Community & DevRel support
Dev <-> DevSecOps
Dev Team

- Account Sharing
- On Prem and Cloud
Privileged Access Management
- Security Champion(s) in Dev
- APIs : Dev/Automation Friendly
- High Performance
- Distributed Dev
- Community & DevRel support
Dev <-> DevSecOps
- Building Trust
- Shared Security Responsibilities
- Push button compliance
- On Prem / Hybrid / Multi-cloud
- Shared Security Architectures
- SecOps Friendly
- Cross Education / Learning
Security <-> DevSecOps
Dev Team

Mitch Ashley
CEO and Managing Analyst
mitchell@accelst.com
303-881-9353
Accelerated Strategies Group, Inc.
https://accelst.com
https://twitter.com/mitchellashley
https://linkedin.com/in/mitchellashley
https://twitter.com/accelst1

KNOWLEDGE WANTS TO BE FREE

Jason Jones
Product Manager
jjones@beyondtrust.com

DISCOVERY • THREAT ANALYTICS • REPORTING • CONNECTORS • CENTRAL POLICY & MANAGEMENT
PRIVILEGED PASSWORD
MANAGEMENT
ENDPOINT PRIVILEGE
MANAGEMENT
SECURE REMOTE
ACCESS
Discover, manage, audit, and
monitor privileged accounts
and sessions of all types
Remove excessive end user
privileges on Windows, Mac,
Unix, Linux and network
devices
Secure, manage, and audit
remote privileged access
sessions for vendors, admins
and the service desk
BEYONDINSIGHT
PLATFORM
Maximize visibility, simplify deployment, automate tasks, improve security and
reduce privilege-related risks with the industry’s most innovative and
comprehensive privileged access management platform
ON-PREMISE CLOUD HYBRID
©BeyondTrust 2020 | 2

PAM Components
Privilege Access Management (PAM) Criteria
Privileged Access
Governance & Admin
Formally manage privilege assignment,
periodically review & certify privileged
access, ensure segregation of duties based
on a set of policies
Privileged Session
Management
Manages a privileged user session for
human interaction sessions from initial
authentication through checking a
privileged credential out and back in again
Privileged Task
Automation
Automating multistep, repetitive tasks
related to privileged operations that are
orchestrated and/or executed over a range
of systems
Privileged Account
Discovery & Onboarding
Identify and onboard all privileged accounts
and related credentials in all platforms and
environments
Privileged Access for
Apps & Services
Manages privileged access for nonhuman
use cases such as machines, applications,
services, scripts, processes and
DevSecOps pipelines
Privileged Access
Analytics & Response
Employs analytics (using machine learning)
on privileged account activities to detect
and flag anomalies, including baselining,
risk scoring and alerting
Privileged Credentials
Management
Manage and protect system- and
enterprise-defined shared account
credentials or secrets
Privileged Access
Logging, Reporting
Auditing
Records all single events, including
changes and operations, as part of the
PAM operation
Privileged Elevation &
Delegation Management
Enforcing policies to allow authorized
commands or applications to run under
elevated privileges
Integration with
Adjacent
Systems
Integrate and interact with
adjacent security and
service management
capabilities.
Ease of
Deployment &
Availability
Simplify the
deployment of the PAM
solution while ensuring
availability,
recoverability,
performance and
scalability.
3© BeyondTrust 2019

© BeyondTrust 2019
Security and IAM teams are tasked with
• Including DEV and PROD
environments
Controlling privileges across the entire infrastructure
• Secure people as well as
automated tools
May require different solutions

© BeyondTrust 2019
Gain Consensus
• Be proactive – evaluate and find the right solution for your needs
• Get buy-in from security – would they care about the tech stack? Do they have
any recommendations?
• Beware of tool sprawl – be smart about selecting effective tools for all your use
cases

© BeyondTrust 2019
Find the right solution
• Minimize impact to your workflows
• Don’t ignore the needs of security teams
• Make sure it can satisfy audit and business objectives

© BeyondTrust 2019
What does success look like?
ü Centralized secrets management – no more islands of security,
increased visibility and control of secrets usage and management
ü Built for security – consolidate all secrets management approaches
into one, built with security as the driving factor
ü Built for agility – Enables the developer, does not inhibit the speed
and agility needed in DevOps workflows
ü Highly available - Does not become a single-point of failure and
slows down or halts work
ü Auditable – Identify security issues and helps to meet compliance
requirements
Strike a balance between, security and agility while achieving compliance

© BeyondTrust 2019
DevOps
Secrets Safe
SECURE SECRETS
MANAGEMENT FOR
ENTERPRISE DEVOPS
Secrets Management
Securely store and centrally manage any Secrets (passwords, API
keys, certificates, etc.) for DevOps workflows
Micro-Services
Scalable, fault tolerant, highly available. Built on Docker
containers targeting Kubernetes for deployment
Audit
Audit every action
API
API first / everything
CLI tool for easy API interaction

Security & DevOps - What We Have Here Is a Failure to Communicate!

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Security & DevOps - What We Have Here Is a Failure to Communicate!

Similar to Security & DevOps - What We Have Here Is a Failure to Communicate! (20)

More from DevOps.com

More from DevOps.com (20)

Recently uploaded

Recently uploaded (20)

Security & DevOps - What We Have Here Is a Failure to Communicate!