
2017-07-12 GovLoop: New Era of Digital Security


What is DevOpsSec, the Red Hat way?

Published in: Government & Nonprofit


  1. NEW ERA OF DIGITAL SECURITY. Shawn Wells, Chief Security Strategist, U.S. Public Sector. shawn@redhat.com || 443-534-0130
  2. Technology for the Digital World
  3. When new technologies are adopted, the security team gets involved. SECURITY
  4. SECURING THE ENTERPRISE IS HARDER THAN EVER. The way we develop, deploy and manage IT is changing dramatically: applications and devices outside of IT control; cloud computing; software-defined infrastructure; a dissolving security perimeter; a menacing threat landscape. TRADITIONAL NETWORK-BASED DEFENSES ARE NO LONGER ENOUGH.
  5. THE COST OF SECURITY BREACHES. Total average costs are increasing: 2016, $4.0 million; 2015, $3.8 million; 2014, $3.5 million. Meanwhile, “soft” costs are impacting your business: business disruption, lost employee and customer trust, brand erosion, shareholder anger, etc. Source: 2016 Cost of Data Breach Study: Global, June 2016, Ponemon Institute LLC Research Report.
  6. MULTIPLE SOURCES OF RISK. Root cause of breaches: malicious or criminal attack, 48%; system glitch, 27%; human error, 25%. Source: 2016 Cost of Data Breach Study: Global, June 2016, Ponemon Institute LLC Research Report.
  7. TRYING TO INNOVATE AND REMAIN SECURE AT THE SAME TIME. Funding for cloud infrastructure is taking a clear priority in 2017, with security and management still mandatory investments to keep it all under control. “What are your organization’s top IT funding priorities for 2017?” (select all that apply): cloud infrastructure (private, public or hybrid), 70%; security and compliance, 49%; IT management, automation, orchestration, 48%; big data, analytics, 42%; optimizing or modernizing existing IT, 36%; integration of applications, data or processes, 31%; containers, 29%; cloud-native or mobile applications, 28%; storage, 23%. Source: TechValidate, https://www.techvalidate.com/tvid/885-BC3-190
  8. IMPLEMENT BOTH AGILE & IMPROVED GOVERNANCE PROCESSES. Compliance and governance remain a top priority, but agile and DevOps processes have shot to the top of our customers’ list this year. This is the only way they will achieve innovation at the speed they need to compete and win. “What are your organization’s top priorities around IT cultural or process changes?” (select all that apply): agile development; DevOps processes or methodologies; compliance or governance processes; user experience; digital strategies; using more open source; IT staff training; IT staff retention; IT staff recruitment; stopping shadow IT. Percentages shown on the chart, in the order extracted: 64%, 54%, 41%, 26%, 23%, 11%, 23%, 10%, 6%, 3%. Source: TechValidate, https://www.techvalidate.com/tvid/7A6-663-C71
  9. SECURITY MUST EVOLVE. Security policy, process & procedures across the lifecycle: DESIGN, BUILD, RUN, MANAGE, ADAPT. The old model: a SECURITY CHECKLIST.
  10. SECURITY MUST BE CONTINUOUS, and integrated throughout the IT lifecycle. DESIGN: identify security requirements & governance models. BUILD: built-in from the start, not bolted-on. RUN: deploy to trusted platforms with enhanced security capabilities. MANAGE: automate systems for security & compliance. ADAPT: revise, update, remediate as the landscape changes.
  11. CONTINUOUS SECURITY WITH NIST. DESIGN: define security requirements based on NIST 800-53. BUILD: build required protections like web SSO into your applications. RUN: run on platforms with embedded protective technology like SELinux. MANAGE: automate compliance with the DISA STIG; use automated detection & remediation technologies. ADAPT: continuously evaluate effectiveness and revise as needed. Mapped to the NIST functions Identify, Protect, Detect, Respond, Recover, with COMMUNICATE throughout.
  12. RISK MANAGEMENT: Identify, Analyse, Plan, Track, Control, Communicate. “The objectives of risk management are to identify, address, and eliminate software risk items before they become either threats to successful software operation or major sources of software rework.” (Barry W. Boehm) Approaches to dealing with risk: Reduction (reduce likelihood); Protection (bottom-up prevention); Transfer (let someone else share or hold); Pecuniary (set aside a contingency fund of resources).
  13. WHY OPEN SOURCE?
  14. OPEN SOURCE DEVELOPMENT DRIVES RAPID INNOVATION
  15. OPEN SOURCE ADOPTION... SOARING. 78% of enterprises run open source [1]. 65% of companies are contributing to open software [2]. [1] Black Duck Software, 9th Annual Future of Open Source survey, 2015. www.blackducksoftware.com/2015-future-of-open-source [2] Black Duck Software, 10th Annual Future of Open Source survey, 2016. www.blackducksoftware.com/2016-future-of-open-source
  16. OPEN SOURCE CULTURE: collaboration; transparency (both access and the ability to act); shared problems are solved faster; working together creates standardization.
  17. AGILITY, WITH SECURITY
  18. THE PROBLEM: applications require complicated installation and integration every time they are deployed.
  19. THE PROBLEM: I.T. OPERATIONS | DEVELOPERS
  20. DEVOPS: everything as code; automate everything; the application is always “releasable”; continuous integration/delivery; application monitoring; rapid feedback; delivery pipeline; rebuild vs. repair.
  21. A SOLUTION: adopting a container strategy will allow applications to be easily shared and deployed.
  22. WHAT ARE CONTAINERS? It depends who you ask. From the INFRASTRUCTURE side: sandboxed application processes on a shared Linux OS kernel; simpler, lighter, and denser than virtual machines; portable across different environments. From the APPLICATIONS side: package my application and all of its dependencies; deploy to any environment in seconds and enable CI/CD; easily access and share containerized components.
  23. A SOLUTION: the stack is Hardware, Virtual Machine, Operating System, Container, App. The Container and App layers are controlled by developers; the layers beneath are controlled by IT Operations.
  24. A SOLUTION: I.T. OPERATIONS | DEVELOPERS
  25. $ docker build -t app:v1 .
  26. $ docker build -t app:v1 . then $ docker run app:v1
  27. The same image runs on physical, virtual, private cloud and public cloud infrastructure.
  28. DEVOPS WITH CONTAINERS: source repository → CI/CD engine → dev container → physical / virtual / private cloud / public cloud.
  29. ?
  30. ?
  31. WE NEED MORE THAN JUST CONTAINERS. Scheduling: decide where to deploy containers. Lifecycle and health: keep containers running despite failures. Discovery: find other containers on the network. Monitoring: visibility into running containers. Security: control who can do what. Scaling: scale containers up and down. Persistence: survive data beyond the container lifecycle. Aggregation: compose apps from multiple containers.
  32. Kubernetes is an open-source system for automating deployment, operations, and scaling of containerized applications across multiple hosts.
  33. kubernetes
  34. DEVOPS WITH CONTAINERS AND KUBERNETES
  35. INDUSTRY CONVERGING ON KUBERNETES
  36. INDUSTRY CONVERGING ON KUBERNETES
  37. DEVOPS WITH CONTAINERS AND KUBERNETES. Not enough! Need networking. (NETWORK)
  38. DEVOPS WITH CONTAINERS AND KUBERNETES. Not enough! Need an image registry. (IMAGE REGISTRY, NETWORK)
  39. DEVOPS WITH CONTAINERS AND KUBERNETES. Not enough! Need metrics and logging, e.g. heapster. (IMAGE REGISTRY, METRICS AND LOGGING, NETWORK)
  40. DEVOPS WITH CONTAINERS AND KUBERNETES. Not enough! Need application lifecycle management. (IMAGE REGISTRY, APP LIFECYCLE MGMT, METRICS AND LOGGING, NETWORK)
  41. DEVOPS WITH CONTAINERS AND KUBERNETES. Not enough! Need application services, e.g. database and messaging. (IMAGE REGISTRY, APP SERVICES, APP LIFECYCLE MGMT, METRICS AND LOGGING, NETWORK)
  42. DEVOPS WITH CONTAINERS AND KUBERNETES. Not enough! Need a self-service portal. (IMAGE REGISTRY, SELF-SERVICE, APP SERVICES, APP LIFECYCLE MGMT, METRICS AND LOGGING, NETWORK)
  43. NOT ENOUGH, THERE IS MORE! Routing & load balancing; multi-tenancy; CI/CD pipelines; role-based authorization; capacity management; chargeback; vulnerability scanning; container isolation; image build automation; quota management; teams and collaboration; infrastructure visibility.
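Slides 31 and 43 list "control who can do what", role-based authorization, container isolation and quota management as things a container platform must add on top of Kubernetes. The manifest below is an added example, not from the deck or from Red Hat, showing what those controls look like as Kubernetes objects for one team namespace: a namespace-scoped Role and RoleBinding (authorization), a ResourceQuota (quota), and a Deployment whose pod security context keeps the workload unprivileged (isolation). The namespace `team-a`, the group `app-developers`, the image path `registry.example.com/team-a/app:v1` and the resource sizes are assumptions chosen for the example.

```yaml
# Added example (not from the deck): one team namespace with RBAC, quota and
# an isolated workload. Names and sizes are assumptions for illustration.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# Role-based authorization: developers manage workloads in their own namespace
# only; nothing here grants cluster-wide rights.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team-a
  name: workload-editor
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Secrets are read-only for this role; creating them is left to a narrower one.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: team-a
  name: app-developers-workload-editor
subjects:
  - kind: Group
    name: app-developers            # assumed group name from the identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: workload-editor
  apiGroup: rbac.authorization.k8s.io
---
# Quota management: bounds what the whole namespace may consume.
apiVersion: v1
kind: ResourceQuota
metadata:
  namespace: team-a
  name: team-a-quota
spec:
  hard:
    pods: "20"
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
# Container isolation: the app runs as a non-root user, cannot gain privileges,
# drops every Linux capability and sees a read-only root filesystem.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: team-a
  name: app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      automountServiceAccountToken: false   # no API credentials unless needed
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          image: registry.example.com/team-a/app:v1   # assumed registry path
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests: {cpu: "250m", memory: "256Mi"}
            limits: {cpu: "500m", memory: "512Mi"}
          volumeMounts:
            - name: tmp                     # writable scratch space only
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

Applied with `kubectl apply -f` by a cluster administrator, the Role and RoleBinding give members of `app-developers` rights inside `team-a` and nowhere else, the quota caps the namespace as a whole, and the Deployment's security context is what a platform-level policy (pod security admission, or security context constraints on OpenShift) would enforce for every pod; on OpenShift the SELinux MCS label mentioned on slide 11 is assigned per namespace by the platform rather than written into the manifest.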
  44. A container application platform based on Docker and Kubernetes for building, distributing and running containers at scale.
  45. REMEMBER THIS? Security policy, process & procedures across DESIGN, BUILD, RUN, MANAGE, ADAPT, instead of a SECURITY CHECKLIST.
  46. OPENSHIFT FOR GOVERNMENT: ACCREDITATIONS & STANDARDS. RHEL7 Common Criteria EAL4+ (container framework, secure multi-tenancy). RHEL7 FIPS 140-2 certified (data at rest, data in transport). OpenShift blueprint for Azure (FedRAMP Moderate). Industry first: NIST-certified configuration and vulnerability scanner for containers. Timeline dates shown: October 2016, December 2016, March 2017, June 2017.
  47. WANT TO HEAR MORE?
  48. THANK YOU. plus.google.com/+RedHat, linkedin.com/company/red-hat, youtube.com/user/RedHatVideos, facebook.com/redhatinc, twitter.com/RedHatNews
