John Willis, profile picture
Uploaded byJohn Willis
PDF, PPTX399 views

Automated Governance

This document provides an overview of automated governance and DevSecOps. It discusses using automated governance to reduce audit time, increase efficacy, shorten feedback loops, and enable trust. Automated governance can enforce policies to block vulnerabilities and misconfigurations. The remainder of the document discusses industry trends and outlines a reference architecture for implementing DevSecOps automated governance across development, non-production, and production stages.

Embed presentation

Download as PDF, PPTX
An Overview Automated Governance John WIllis Global Transformation Office 1
2 Outline ● Global Transformation Overview ● DevSecOps ● Automated Governance
GTO
● Strategy review ● Industry trends ● Progress monitoring ● Leadership 4 GTO Guiding Coalition Platform - Coalition Jabe Bloom Sr Dir, Global Transformation CSTO, CTO SocioTechnical Systems | Speaker Critical Irritant | Transition Designer Andrew Clay Shafer VP, Global Transformation Founder: Puppet, DevOpsDays, Author Web Operations IT Optimizer | Change Agent Founder | Organizer Kevin Behr Sr Dir, Global Transformation Author, Phoenix Project, Visible Ops CIO, CTO IT Strategist | Speaker Enterprise CXO Advisor John Willis Sr Dir, Global Transformation Author, DevOps Handbook, Beyond the Phoenix Project CIO, CTO IT Strategist | Founder Speaker | Author @littleidea @kevinbehr @botchagalupe @cyetain
● Reduce Audit Time ● Increase Audit Efficacy ● Shorten Feedback Loops ● Local Authority ● Minimize Handoffs ● Enable Trust 5 Automated Goverance Enforce and Audit Policy Block critical vulnerabilities Block misconfigured infrastructure Audit and Control
6 DevSecOps Dojo ● Increase collaboration and innovation ● Shared Responsibility Model ● Cloud/Platform Enablement ● Templates, Models, and Pipelines ● Automated Governance ● Outcome Based Metrics ● Chaos Engineering ● Skills Liquidity Enablement Platform - Adopt
● Common Devops Metrics ○ Lead Time ○ Deploys ○ MTTR ○ Change Success ● Advanced Devops Metrics ○ Flow Metrics ○ Change failure rate by team ○ Change failure rate by work type7 Delivery Metrics Platform - Adopt
8 Economic Impact Analysis ● Consistency ● Toil ● Risk ● Testing ● Automation
9 Economic Impact ● Waste: ○ Possibly >30% (on a 450m budget) $135M wasted on general processing. ● Consistency: ○ Another 10% to 15% on lost opportunity cost (low or no automation) $45m to $67M ● Risk: ○ Negative Risk ROI.
DevSecOps
● DevOps Automated Governance ● Automated Cloud Governance 11 Industry Working Groups
Minimum Viable Security Posture
Changing Subjective attestation into Objective attestation
The Trusted Software Supply Chain 15 TRUSTED CODE REPOS CCB RAPID ATO OPENSHIFT SOFTWARE FACTORY • Che • Github • Cucumber • Junit • Sonarqube • Fortify • AtomicScan • Anchore • Twistlock AUTOMATED QUALITY REQ • Jira DEV UNIT TEST CODE QUAL SEC SCAN INT TEST QA UAT PROD • Sysdig • EFK CM CS Service Mesh
● Reduce Audit Time ● Increase Audit Efficacy ● Shorten Feedback Loops ● Local Authority ● Minimize Handoffs ● Enable Trust 16 Objective Evidence and Closed Feedback Loops Enforce and Audit Policy Block critical vulnerabilities Block misconfigured infrastructure Audit and Control
Automated Governance
2015 2018 2019
• Universal artifact metadata • Metadata API • Strong access controls • Rich query-ability Audit and Govern the Software Supply Chain
● Reduce Audit Time ● Increase Audit Efficacy ● Shorten Feedback Loops ● Local Authority ● Minimize Handoffs ● Enable Trust 22 DevOps Automated Governance Enforce and Audit Policy Block critical vulnerabilities Block misconfigured infrastructure Safe Cloud Usage
Devops automated Governance Reference Architecture Development Non Prod Deploy PackageBuild Prod Deploy Dependency Mgmt Artifact Repo Common Control 1. Access Control 2. Audit Train/log 3. Everything source control 4. Usage policies Common Actors 1. Auditor, Risk/Compliance Office 2. (system) 3. Tools Admin
Source Code Repository Stage
Build Stage
Dependency Management Stage
Package Stage
Artifact Stage
Prod Stage
Stage Control Example Control Source Integration Elements Source Code Repo Pull Request GitHub Webhook pull_request repository Source Code Repo Peer Review GitHub Webhook actor pull_request repository Source Code Repo Unit Test SonarQube Pipeline new_coverage Source Code Repo Clean Dependency Artifactory Pipeline dependency source Source Code Repo Information Leakage GitHub Webhook (custom) Source Code Repo Static Code Analysis Muse Webhook pull_request repository
Stage Control Example Control Source Integration Elements Build Build Definition Jenkins & GitHub Pipeline Peer Review Checkout Build Immutable Build Jenkins Pipeline TBD Build Upstream Approved Dependency Artifactory Jenkins TBD Build Unit Test SonarQube Jenkins TBD Build Linting SonarQube Jenkins TBD Build Static Security Analysis Checkmarx Jenkins TBD
Stage Control Example Control Source Integration Elements Package Trusted Dependency Store Artifactory Jenkins TBD Package License Check Artifactory Jenkins TBD Package Vulnerability Scan Aqua Jenkins TBD Package Trusted Authority Artifactory Jenkins TBD Package Versioning Artifactory Jenkins TBD Package Usage Policy Artifactory Jenkins TBD
Stage Control Example Control Source Integration Elements Production Deploy Trusted Sources Artifactory Jenkins TBD Production Deploy Trusted Configurations GitHub Jenkins TBD Production Deploy Intrusion Detection TBD Jenkins TBD Production Deploy Monitoring & Alerting Elastic, PagerDuty Jenkins TBD Production Deploy Change Management ServiceNow Jenkins TBD Production Deploy Secrets Management Vault Jenkins TBD Production Deploy Unauthorized Change Detection Jenkins Jenkins TBD Production Deploy Production Access Control Vault Jenkins TBD Production Deploy Deployment Strategy Jenkins, Helm Jenkins TBD
Policy as Code • Human Readable (YAML) • Machine Interpreted • Version Controlled • Models Attestations and Enforcement
Policy As Code
Event Driven Architecture
Automated Data Pipeline with Objective Compliance Platform is a Secure and Auditable Control Point Inspection based on policy Enforcement by Policy Attestation Datastore Policy as Code Subjective to Objective
Cloud Automated Governance
Cloud Automated Governance
linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat Thank you jwillis@redhat.com @botchagalupe 45

More Related Content

PDF
WTF is GitOps and Why You Should Care?
byWeaveworks
 
PDF
Get started with gitops and flux
byLibbySchulze1
 
PDF
Building Better Data Pipelines using Apache Airflow
bySid Anand
 
PPTX
Apache Airflow overview
byNikolayGrishchenkov
 
PDF
Infrastructure & System Monitoring using Prometheus
byMarco Pas
 
PDF
Apache airflow
byPurna Chander
 
PDF
Building an analytics workflow using Apache Airflow
byYohei Onishi
 
PDF
Free GitOps Workshop + Intro to Kubernetes & GitOps
byWeaveworks
 
WTF is GitOps and Why You Should Care?
byWeaveworks
 
Get started with gitops and flux
byLibbySchulze1
 
Building Better Data Pipelines using Apache Airflow
bySid Anand
 
Apache Airflow overview
byNikolayGrishchenkov
 
Infrastructure & System Monitoring using Prometheus
byMarco Pas
 
Apache airflow
byPurna Chander
 
Building an analytics workflow using Apache Airflow
byYohei Onishi
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
byWeaveworks
 

What's hot

PDF
Designing a complete ci cd pipeline using argo events, workflow and cd products
byJulian Mazzitelli
 
PDF
Getting Started with Consul
byRamit Surana
 
PPTX
Introduction to GItlab CICD Presentation.pptx
byKnoldus Inc.
 
PDF
Apache Airflow Architecture
byGerard Toonstra
 
PDF
Apache Airflow
byKnoldus Inc.
 
PDF
How I learned to time travel, or, data pipelining and scheduling with Airflow
byPyData
 
PDF
Timeseries - data visualization in Grafana
byOCoderFest
 
PPTX
Airflow - a data flow engine
byWalter Liu
 
PDF
Apache Airflow
bySumit Maheshwari
 
PDF
Gitops Hands On
byBrice Fernandes
 
PDF
Introducing Apache Airflow and how we are using it
byBruno Faria
 
PDF
Airflow Best Practises & Roadmap to Airflow 2.0
byKaxil Naik
 
PDF
Getting Started with Kubernetes
byVMware Tanzu
 
PDF
Airflow presentation
byIlias Okacha
 
PDF
Introduction to Github Actions
byKnoldus Inc.
 
PDF
A GitOps Kubernetes Native CICD Solution with Argo Events, Workflows, and CD
byJulian Mazzitelli
 
ODP
Monitoring With Prometheus
byKnoldus Inc.
 
PDF
Services in kubernetes-KnolX .pdf
byKnoldus Inc.
 
PDF
GitOps A/B testing with Istio and Helm
byWeaveworks
 
PDF
Airflow introduction
byChandler Huang
 
Designing a complete ci cd pipeline using argo events, workflow and cd products
byJulian Mazzitelli
 
Getting Started with Consul
byRamit Surana
 
Introduction to GItlab CICD Presentation.pptx
byKnoldus Inc.
 
Apache Airflow Architecture
byGerard Toonstra
 
Apache Airflow
byKnoldus Inc.
 
How I learned to time travel, or, data pipelining and scheduling with Airflow
byPyData
 
Timeseries - data visualization in Grafana
byOCoderFest
 
Airflow - a data flow engine
byWalter Liu
 
Apache Airflow
bySumit Maheshwari
 
Gitops Hands On
byBrice Fernandes
 
Introducing Apache Airflow and how we are using it
byBruno Faria
 
Airflow Best Practises & Roadmap to Airflow 2.0
byKaxil Naik
 
Getting Started with Kubernetes
byVMware Tanzu
 
Airflow presentation
byIlias Okacha
 
Introduction to Github Actions
byKnoldus Inc.
 
A GitOps Kubernetes Native CICD Solution with Argo Events, Workflows, and CD
byJulian Mazzitelli
 
Monitoring With Prometheus
byKnoldus Inc.
 
Services in kubernetes-KnolX .pdf
byKnoldus Inc.
 
GitOps A/B testing with Istio and Helm
byWeaveworks
 
Airflow introduction
byChandler Huang
 

Similar to Automated Governance

PDF
What is GitOps? How GitOps works? we discuss Key Challanges.
byaniporwal00
 
PDF
What is GitOps? How GitOps works? we discuss Key Challanges.
byaniporwal00
 
PDF
Dear security, compliance, and auditing: We’re sorry. Love, DevOps | DevNatio...
byRed Hat Developers
 
PPTX
SecDevOps: The New Black of IT
byCloudPassage
 
PPTX
Are your DevOps and Security teams friends or foes?
byReuven Harrison
 
PPTX
From Chaos to Compliance: The New Digital Governance for DevOps
byXebiaLabs
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PDF
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
byAlex Senkevitch
 
PDF
DevOps Pragmatic Overview
byMykola Marzhan
 
PDF
DevSecOps - Background, Status and Future Challenges
bydsc71656
 
PDF
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PDF
PuppetConf track overview: Culture
byPuppet
 
PPTX
2015 DevOps Breakfast - DevOps in Action
byNVISIA
 
PDF
Automated Governance for the DevOps Institutions.pdf
byVishwas N
 
PPTX
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
PPTX
DevSecOps: Key Controls to Modern Security Success
byPuma Security, LLC
 
PDF
A Discussion of Automated Infrastructure Security with a Practical Example
byDevOps.com
 
PDF
A Discussion of Automated Infrastructure Security with a Practical Example
byDeborah Schalm
 
PPTX
Empowering developers and operators through Gitlab and HashiCorp
byMitchell Pronschinske
 
PDF
Enabling shift-left for 12k banking developers from scratch and without break...
byErnesto Bethencourt
 
What is GitOps? How GitOps works? we discuss Key Challanges.
byaniporwal00
 
What is GitOps? How GitOps works? we discuss Key Challanges.
byaniporwal00
 
Dear security, compliance, and auditing: We’re sorry. Love, DevOps | DevNatio...
byRed Hat Developers
 
SecDevOps: The New Black of IT
byCloudPassage
 
Are your DevOps and Security teams friends or foes?
byReuven Harrison
 
From Chaos to Compliance: The New Digital Governance for DevOps
byXebiaLabs
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
byAlex Senkevitch
 
DevOps Pragmatic Overview
byMykola Marzhan
 
DevSecOps - Background, Status and Future Challenges
bydsc71656
 
DevSecOps: What Why and How : Blackhat 2019
byNotSoSecure Global Services
 
PuppetConf track overview: Culture
byPuppet
 
2015 DevOps Breakfast - DevOps in Action
byNVISIA
 
Automated Governance for the DevOps Institutions.pdf
byVishwas N
 
How to get the best out of DevSecOps - an operations perspective
byColin Domoney
 
DevSecOps: Key Controls to Modern Security Success
byPuma Security, LLC
 
A Discussion of Automated Infrastructure Security with a Practical Example
byDevOps.com
 
A Discussion of Automated Infrastructure Security with a Practical Example
byDeborah Schalm
 
Empowering developers and operators through Gitlab and HashiCorp
byMitchell Pronschinske
 
Enabling shift-left for 12k banking developers from scratch and without break...
byErnesto Bethencourt
 

More from John Willis

PDF
Devops Long Strange Trip
byJohn Willis
 
PDF
I Got 99 Problems and a Bash DSL Ain't One of Them
byJohn Willis
 
PDF
Math is cool
byJohn Willis
 
PDF
The 7 deadly diseases of DevOps 2019
byJohn Willis
 
PDF
Next Generation Infrastructure - Devops Enterprise Summit 2018
byJohn Willis
 
PDF
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
byJohn Willis
 
PDF
Divine and felonios cyber security devopsdays austin 2018
byJohn Willis
 
PDF
Devops - A Long Strange Trip It's Been
byJohn Willis
 
PDF
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
byJohn Willis
 
PDF
You build it - Cyber Chicago Keynote
byJohn Willis
 
PDF
Art of the Possible - Serverless Conference NYC 2017
byJohn Willis
 
PDF
Why Executives Can't Change
byJohn Willis
 
PDF
Devops Kaizen - DevopsDays Dallas 2017
byJohn Willis
 
PDF
Evolve 2017 - Vegas - Devops, Docker and Security
byJohn Willis
 
PDF
Alibaba Cloud Conference 2016 - Docker Open Source
byJohn Willis
 
PDF
Alibaba Cloud Conference 2016 - Docker Enterprise
byJohn Willis
 
PDF
Breaking Bad Equilibrium - Devops Connect 2017 RSAC
byJohn Willis
 
PDF
Breaking Bad Equilibrium - Devops Connect 2016 LA
byJohn Willis
 
PDF
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
byJohn Willis
 
PDF
Turning Human Capital into High Performance Organizational Capital
byJohn Willis
 
Devops Long Strange Trip
byJohn Willis
 
I Got 99 Problems and a Bash DSL Ain't One of Them
byJohn Willis
 
Math is cool
byJohn Willis
 
The 7 deadly diseases of DevOps 2019
byJohn Willis
 
Next Generation Infrastructure - Devops Enterprise Summit 2018
byJohn Willis
 
swampUP - 2018 - The Divine and Felonious Nature of Cyber Security
byJohn Willis
 
Divine and felonios cyber security devopsdays austin 2018
byJohn Willis
 
Devops - A Long Strange Trip It's Been
byJohn Willis
 
DevopsdaysNYC - Almost 10 Years - What A Strange Long Trip It's Been
byJohn Willis
 
You build it - Cyber Chicago Keynote
byJohn Willis
 
Art of the Possible - Serverless Conference NYC 2017
byJohn Willis
 
Why Executives Can't Change
byJohn Willis
 
Devops Kaizen - DevopsDays Dallas 2017
byJohn Willis
 
Evolve 2017 - Vegas - Devops, Docker and Security
byJohn Willis
 
Alibaba Cloud Conference 2016 - Docker Open Source
byJohn Willis
 
Alibaba Cloud Conference 2016 - Docker Enterprise
byJohn Willis
 
Breaking Bad Equilibrium - Devops Connect 2017 RSAC
byJohn Willis
 
Breaking Bad Equilibrium - Devops Connect 2016 LA
byJohn Willis
 
All daydevops 2016 - Turning Human Capital into High Performance Organizati...
byJohn Willis
 
Turning Human Capital into High Performance Organizational Capital
byJohn Willis
 

Recently uploaded

PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
API-First Architecture in Financial Systems
bycyy111112
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 

Automated Governance

  • 1.
    An Overview Automated Governance JohnWIllis Global Transformation Office 1
  • 2.
    2 Outline ● Global TransformationOverview ● DevSecOps ● Automated Governance
  • 3.
  • 4.
    ● Strategy review ●Industry trends ● Progress monitoring ● Leadership 4 GTO Guiding Coalition Platform - Coalition Jabe Bloom Sr Dir, Global Transformation CSTO, CTO SocioTechnical Systems | Speaker Critical Irritant | Transition Designer Andrew Clay Shafer VP, Global Transformation Founder: Puppet, DevOpsDays, Author Web Operations IT Optimizer | Change Agent Founder | Organizer Kevin Behr Sr Dir, Global Transformation Author, Phoenix Project, Visible Ops CIO, CTO IT Strategist | Speaker Enterprise CXO Advisor John Willis Sr Dir, Global Transformation Author, DevOps Handbook, Beyond the Phoenix Project CIO, CTO IT Strategist | Founder Speaker | Author @littleidea @kevinbehr @botchagalupe @cyetain
  • 5.
    ● Reduce AuditTime ● Increase Audit Efficacy ● Shorten Feedback Loops ● Local Authority ● Minimize Handoffs ● Enable Trust 5 Automated Goverance Enforce and Audit Policy Block critical vulnerabilities Block misconfigured infrastructure Audit and Control
  • 6.
    6 DevSecOps Dojo ● Increasecollaboration and innovation ● Shared Responsibility Model ● Cloud/Platform Enablement ● Templates, Models, and Pipelines ● Automated Governance ● Outcome Based Metrics ● Chaos Engineering ● Skills Liquidity Enablement Platform - Adopt
  • 7.
    ● Common DevopsMetrics ○ Lead Time ○ Deploys ○ MTTR ○ Change Success ● Advanced Devops Metrics ○ Flow Metrics ○ Change failure rate by team ○ Change failure rate by work type7 Delivery Metrics Platform - Adopt
  • 8.
    8 Economic Impact Analysis ●Consistency ● Toil ● Risk ● Testing ● Automation
  • 9.
    9 Economic Impact ● Waste: ○Possibly >30% (on a 450m budget) $135M wasted on general processing. ● Consistency: ○ Another 10% to 15% on lost opportunity cost (low or no automation) $45m to $67M ● Risk: ○ Negative Risk ROI.
  • 10.
  • 11.
    ● DevOps AutomatedGovernance ● Automated Cloud Governance 11 Industry Working Groups
  • 12.
  • 14.
  • 15.
    The Trusted SoftwareSupply Chain 15 TRUSTED CODE REPOS CCB RAPID ATO OPENSHIFT SOFTWARE FACTORY • Che • Github • Cucumber • Junit • Sonarqube • Fortify • AtomicScan • Anchore • Twistlock AUTOMATED QUALITY REQ • Jira DEV UNIT TEST CODE QUAL SEC SCAN INT TEST QA UAT PROD • Sysdig • EFK CM CS Service Mesh
  • 16.
    ● Reduce AuditTime ● Increase Audit Efficacy ● Shorten Feedback Loops ● Local Authority ● Minimize Handoffs ● Enable Trust 16 Objective Evidence and Closed Feedback Loops Enforce and Audit Policy Block critical vulnerabilities Block misconfigured infrastructure Audit and Control
  • 17.
  • 18.
  • 20.
    • Universal artifactmetadata • Metadata API • Strong access controls • Rich query-ability Audit and Govern the Software Supply Chain
  • 22.
    ● Reduce AuditTime ● Increase Audit Efficacy ● Shorten Feedback Loops ● Local Authority ● Minimize Handoffs ● Enable Trust 22 DevOps Automated Governance Enforce and Audit Policy Block critical vulnerabilities Block misconfigured infrastructure Safe Cloud Usage
  • 23.
    Devops automated GovernanceReference Architecture Development Non Prod Deploy PackageBuild Prod Deploy Dependency Mgmt Artifact Repo Common Control 1. Access Control 2. Audit Train/log 3. Everything source control 4. Usage policies Common Actors 1. Auditor, Risk/Compliance Office 2. (system) 3. Tools Admin
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
    Stage Control ExampleControl Source Integration Elements Source Code Repo Pull Request GitHub Webhook pull_request repository Source Code Repo Peer Review GitHub Webhook actor pull_request repository Source Code Repo Unit Test SonarQube Pipeline new_coverage Source Code Repo Clean Dependency Artifactory Pipeline dependency source Source Code Repo Information Leakage GitHub Webhook (custom) Source Code Repo Static Code Analysis Muse Webhook pull_request repository
  • 31.
    Stage Control ExampleControl Source Integration Elements Build Build Definition Jenkins & GitHub Pipeline Peer Review Checkout Build Immutable Build Jenkins Pipeline TBD Build Upstream Approved Dependency Artifactory Jenkins TBD Build Unit Test SonarQube Jenkins TBD Build Linting SonarQube Jenkins TBD Build Static Security Analysis Checkmarx Jenkins TBD
  • 32.
    Stage Control ExampleControl Source Integration Elements Package Trusted Dependency Store Artifactory Jenkins TBD Package License Check Artifactory Jenkins TBD Package Vulnerability Scan Aqua Jenkins TBD Package Trusted Authority Artifactory Jenkins TBD Package Versioning Artifactory Jenkins TBD Package Usage Policy Artifactory Jenkins TBD
  • 33.
    Stage Control ExampleControl Source Integration Elements Production Deploy Trusted Sources Artifactory Jenkins TBD Production Deploy Trusted Configurations GitHub Jenkins TBD Production Deploy Intrusion Detection TBD Jenkins TBD Production Deploy Monitoring & Alerting Elastic, PagerDuty Jenkins TBD Production Deploy Change Management ServiceNow Jenkins TBD Production Deploy Secrets Management Vault Jenkins TBD Production Deploy Unauthorized Change Detection Jenkins Jenkins TBD Production Deploy Production Access Control Vault Jenkins TBD Production Deploy Deployment Strategy Jenkins, Helm Jenkins TBD
  • 35.
    Policy as Code •Human Readable (YAML) • Machine Interpreted • Version Controlled • Models Attestations and Enforcement
  • 36.
  • 37.
  • 39.
    Automated Data Pipelinewith Objective Compliance Platform is a Secure and Auditable Control Point Inspection based on policy Enforcement by Policy Attestation Datastore Policy as Code Subjective to Objective
  • 40.
  • 41.
  • 45.