This is the talk that I gave at InfoSec Europe - DevOps Connect on June 4, 2015. It lays out Continuous Secrets Delivery and our open source project - summon.
1. SecDevOps 2.0 - Managing Your Robot Army
(A.K.A Securing your Cattle from Rustlers)
Josh Bregman
Vice President/Evangelist
@kingoauth
2. Elizabeth Lawler - CEO/Founder Conjur, Inc.
Elizabeth Lawler is CEO and Co-founder of Conjur, Inc., a security company which focuses on security for next generation infrastructure. Lawler has over 20 years of experience working in highly regulated and sensitive data environments. Prior to founding Conjur, she was Chief Data Officer of Generation Health and held a leadership position in research at the Department of Veterans Affairs. She has been a programmer herself, and is constantly working to make software development and IT systems easier to manage for people working in regulated industries.
Elizabeth’s RSA Presentation “Is DevOps Breaking your Company?” is still available online
3. Josh Bregman - “Enterprise Guy”/Evangelist
Josh has 20 years experience successfully architecting, evangelizing, and delivering innovative identity management and security products to customers. Prior to joining Conjur, Josh spent a decade as a solutions and pre-sales leader in the Oracle ecosystem. A developer at heart, early in his career Josh worked as a software engineer at IBM, GTE Labs, and Netegrity. He has 2 U.S. patents and received a B.A. in Math from the University of Rochester in 1995.
4. My Hiring Process at Conjur - Pets vs. Cattle
◁ Conjur is in a “hot” space - just out of stealth
◁ Team dynamic is SUPER important
◁ Project Based Interview
“We secure cattle. Put together some go-to market materials”
5. Securing Cattle from Rustlers – Step 1
● Maintain Good Records of the Cattle that You Own
7. Securing Cattle from Rustlers – Step 2
● Make sure all of your cattle have their tags and/or have been branded with the brand of your farm or ranch
8. Securing Cattle from Rustlers – Step 4
● Ensure the proper location of your handling facilities or loading areas meets farm biosecurity measures
9. My Hiring Process at Conjur - Pets vs. Cattle - cont
“...actually Josh, Pets vs. Cattle is a common meme in DevOps”
◁ Got some more guidance from Elizabeth
When you treat your servers like Cattle, this introduces a number of security challenges...
10. SecDevOps 1.0: Current State of Evolution
◆ Source Control
◆ Automated Build and Test
◆ Configuration Management
◆ Orchestration
◆ Software-Defined Networking
◆ Monitoring
11. SecDevOps 1.0 - Challenges
◁ Lack of Visibility
⊃ Compliance Challenges
◁ Wrong Tool for the Job
⊃ Production-Only Workflows
⊃ Human Bottlenecks
⊃ Conflation of Concerns
◁ Configuration Management as DIY Security System
12. What is SecDevOps 2.0?
Security Orchestration System: RBAC for people, machines and code | Self Auditing | Fully programmable with fine granularity | Highly available across any cloud, hybrid and global architecture | End to end encryption
[Diagram labels: DevOps Enabled Enterprise, Users]
13. SecDevOps 2.0 - Reference Architecture
[Diagram: a Security Orchestration System sits between the DevOps Toolchain (SCM/CM/CI) and the Process Environment. Labelled components: Policy, Users, Host Factory, Secrets Storage, Summon with its .secrets file and Summon Driver, “Host” - xxx, Service to Service Access, SSH Access.]
14. SecDevOps 2.0 - Continuous Secrets Delivery
[Slide labels: Policy | Summon/.secrets | Host Factory | High Availability | Tools]
● 5 step process based on years of delivering secrets management solutions to highly regulated industries
● Skipping steps will result in issues down the road and cause disruption and delay
● DIY projects that start with tools and then try to work backward are extremely difficult
15. Introducing Summon (formerly Cauldron)
[Diagram: SECRETS SOURCE (Vault, Keywhiz, AWS IAM…) → SUMMON → PROCESS ENVIRONMENT / DOCKER CONTAINER]
Summon uses a pluggable secrets provider to load secrets into the environment of an application, service or container.
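The loading pattern described on this slide, written out as an added example (this is illustration code, not Summon's own implementation and not part of the original deck): a provider implementing an assumed contract (secret id as the single argument, value on stdout, non-zero exit when unknown), a toy parser for a `.secrets` file of `ENV_NAME: !var secret/id` lines, and a runner that hands the resolved values to the child process's environment without exporting them into the caller's shell or writing them to disk. The in-memory store, the secret ids, the environment variable names and the sample file are all constructed for the example.

```shell
#!/bin/sh
# Added illustration, not Summon's own code. Assumed provider contract:
# one secret id as the argument, value printed on stdout,
# non-zero exit status if the id is unknown.

# Constructed in-memory store standing in for a real backend
# (Vault, Keywhiz, Conjur, AWS IAM...).
lookup_secret() {
    case "$1" in
        prod/db/password) printf '%s' 's3cret-pw' ;;
        prod/api/token)   printf '%s' 'tok_abc123' ;;
        *) echo "provider: unknown secret id '$1'" >&2; return 1 ;;
    esac
}

# Write a constructed .secrets file: one "ENV_NAME: !var secret/id" per line.
write_sample_secrets() {
    cat > "$1" <<'EOF'
# constructed .secrets file for the example
DB_PASSWORD: !var prod/db/password
API_TOKEN: !var prod/api/token
EOF
}

# Resolve every entry through the provider and emit NAME=value lines.
# Fails closed: one unknown id aborts the whole resolution, so the
# application never starts with a partially populated environment.
resolve_secrets() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        name=${line%%:*}
        id=${line#*!var }
        value=$(lookup_secret "$id") || return 1
        printf '%s=%s\n' "$name" "$value"
    done < "$1"
}

# Run a command with the resolved secrets in its environment only.
# Nothing is written to disk or exported into the caller's shell.
# Limitation of this toy: values containing a newline are not supported.
run_with_secrets() {
    file=$1; shift
    assignments=$(resolve_secrets "$file") || return 1
    nl='
'
    # Split the assignment list on newlines only (spaces in values survive)
    # and disable globbing so a value like "*" is not expanded.
    # shellcheck disable=SC2086
    ( IFS=$nl; set -f; exec env $assignments "$@" )
}

# Stand-alone demo: the child sees DB_PASSWORD, the caller does not.
demo() {
    f=$(mktemp)
    write_sample_secrets "$f"
    run_with_secrets "$f" sh -c 'echo "child: DB_PASSWORD has ${#DB_PASSWORD} chars"'
    echo "caller: DB_PASSWORD='${DB_PASSWORD:-}'"
    rm -f "$f"
}
```

Source the script and call `demo` to see the separation. The point worth keeping from this toy is the fail-closed behaviour in `resolve_secrets`: a missing secret should stop the launch rather than let the service come up with an empty variable, which is the failure mode a DIY configuration-management approach tends to hide.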
16. Get Involved in Summon
● Summon is coming soon
○ Sign up to be notified when it’s ready!
○ If you’re doing DIY or even using another open source project,
you can build a driver - spread the word!
● Try to adopt the Continuous Secrets Delivery approach
○ If you think it’s no good, let’s hash it out - join the discussion
● Get Connected
○ Follow us on Twitter (@conjurinc) and LinkedIn