Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

SRE and Security: Natural Force Multipliers

Presentation delivered at SRECon Americas 2018.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

SRE and Security: Natural Force Multipliers

  1. 1. SRE Bruno Connelly Security & SRE: Natural Force Multipliers SREcon18 Cory Scott CHIEF INFORMATION SECURITY OFFICER
  2. 2. Why should Security and SRE be so closely aligned?
  3. 3. LinkedIn’s Engineering Hierarchy of Needs Magic Site Up & Secure Technology at Scale Development at Scale Solid APIs & Building Blocks
  4. 4. "the fox knows many things, but the hedgehog knows one big thing." -- Archilochus, Greek Poet
  5. 5. 2018
  6. 6. “What’s the state of product development and infrastructure?” ? ? ? ? MICROSERVICE ARCHITECTURE SCALING TO MEET DEMANDS 3RD PARTY ADOPTION EXPLODING DATACENTER TECH ACCESSIBLE FOR EVERYONE FAST RATE OF EVOLUTION PRODUCT VISUALIZED IN AM, DEPLOYED IN PM ! ! ! ! That seems….. great?
  7. 7. “How are we doing on defense?” ? ? ? ? ! ! ! ! COMPLIANCE INITIATIVES? MAGIC BOXES? CUSTOMER ASSURANCE? NETWORK ACCESS CONTROL? ENDPOINT SECURITY PRODUCTS SUCH AS ANTI-VIRUS? BOUNTIES? What!?!
  8. 8. ...
  9. 9. Site Reliability Hierarchy of Needs Product Monitoring & Incident Response Post-Mortem & Analysis Testing & Release Procedures Capacity Planning SRE Hierarchy of Needs from Google SRE book
  10. 10. “Changes in production applications are happening at a greater rate than ever before. New product ideas can be visualized in the morning and implemented in code in the afternoon.”
  11. 11. Innovation and Rate Of Change Embrace the Error Budget • Self Healing & Auto Remediation • Reduction of Manual Process Inject Engineering Discipline • Review when architecture changes reach a certain complexity point. “Trust but Verify” • Security to follow SRE “trust but verify” approach towards engineering partners
  12. 12. “Testing in production is the new norm”
  13. 13. Establishing Safe & Reliable Test Environments SRE SECURITY
  14. 14. “Microservice architectures are exploding to meet scalability requirements”
  15. 15. Microservice Architecture SECURITY CHALLENGES ARE SIMILAR TO SRE ● Authentication ● Authorization ● Access Control Logic SRE Challenges Security Challenges ● Latency & Performance Impact ● Cascading Failure Scenarios ● Service Discovery
  16. 16. “Dependencies on third-party code and services can be collected faster than you can inventory them.”
  17. 17. Visibility in Your Third-Party Services
  18. 18. “Data center technologies can all be controlled with a single web application in the hands of a devops intern.”
  19. 19. Production Access & Change Control Configuration as code, leveraging source code control paradigms, are a huge boon to security. Rollback ruthlessly. ● Start with a known-good state ● Asset management and change control discipline ● Ensure visibility ● Validate consistently and constantly
  20. 20. TAKEAWAYS OR GIVEAWAYS (DEPENDING ON YOUR POSITION IN THE AUDIENCE)
  21. 21. Overall Lessons for Security Human-in-the-loop is your last resort, not your first option 2 All security solutions must be scalable and default-on, just like SREs build it 3 Your data pipeline is your security lifeblood 1
  22. 22. Overall Lessons for SRE Remove single points of security failure like you do for availability 1 Assume that an attacker can be anywhere in your system or flow 2 Capture and measure meaningful security telemetry 3

×