The document summarizes a presentation about deploying security at scale. It discusses the tradeoffs of building security controls into systems versus bolting them on later. It also covers how the Let's Encrypt initiative has made certificates free and easy to consume via APIs. However, the presentation argues that APIs alone are not sufficient for security and events still need to be monitored and addressed. The overall message is that while technologies like APIs and Docker help, more work is still needed in areas like security monitoring, control of metadata, and integrating systems to enable security at scale.

1. Deploying Security at Scale
Chris Swan, VP CTO GIS
@cpswan

2. 2June 9, 2016
Why Me?

3. 3June 9, 2016
Disclaimer… Presently checked out

4. 4June 9, 2016
Agenda
Build in or bolt on – the audit paradox
API enabled – Let’s Encrypt
We’re not done yet

5. 5June 9, 2016 5June 9, 2016
The Audit Paradox

6. 6June 9, 2016
Building in
CC photo by WorldSkills

7. 7June 9, 2016
What building in looks like

8. 8June 9, 2016
Bolting on
CC photo by arbyreed

9. 9June 9, 2016
What bolting on looks like

10. 10June 9, 2016
PaaS gives us a chance to bolt in

11. 11June 9, 2016
But Docker adoption shows a movement against opinionated
platforms

12. 12June 9, 2016 12June 9, 2016
Certificates

13. 13June 9, 2016
Who remembers this company?

14. 14June 9, 2016
Things worked out better for this chap

15. 15June 9, 2016
Because he got to go to space

16. 16June 9, 2016
The sticker cost

17. 17June 9, 2016
Alternatively

18. 18June 9, 2016
But

19. 19June 9, 2016
Sidebar… we should really be using

20. 20June 9, 2016
But now certificates are free

21. 21June 9, 2016
Well, actually they have been for ages

22. 22June 9, 2016
But there’s a difference now
CC BY-SA 2.0 image by Aaron Fulkerson https://flic.kr/p/9F3a2b

23. 23June 9, 2016
It’s as much about ease of consuming APIs

24. 24June 9, 2016 24June 9, 2016
Not so fast…

25. 25June 9, 2016
If a security events happens and it isn’t monitored

26. 26June 9, 2016
ToDo: SecDevOps
APIs are necessary but not sufficient:
Need to have them integrated into the
overall system
Control metadata (and its mutability):
Must be visible and understandable
Security events need to be captured:
Then turned into something humans can
action

27. 27June 9, 2016 27June 9, 2016
Summing up

28. 28June 9, 2016
You have been watching
Build in or bolt on – the audit paradox
API enabled – Let’s Encrypt
We’re not done yet

29. 29June 9, 2016 29June 9, 2016
Thank you for listening

30. 30June 9, 2016 30June 9, 2016
Questions?