Uploaded byTechWell
108 views

Developing a Rugged DevOps Approach to Cloud Security

This document summarizes a presentation by Tim Prendergast of Evident.io on developing a rugged DevOps approach to cloud security. It discusses how attackers have advantages over defenders due to their ability to automate attacks. It argues that in order to match attackers, security practices need to be automated and integrated into DevOps workflows through a DevSecOps model. This involves embracing principles like treating security as code, testing security at all stages of development, and ensuring security practices are collaborative rather than siloed. The goal is to minimize the time window attackers have to exploit vulnerabilities before they are detected and remediated.

Embed presentation

Download to read offline
DT3 Session 6/9/16 1:30 PM Developing a Rugged DevOps Approach to Cloud Security Presented by: Tim Prendergast Evident.io Brought to you by: 350 Corporate Way, Suite 400, Orange Park, FL 32073 888---268---8770 ·· 904---278---0524 - info@techwell.com - http://www.techwell.com/
Tim Prendergast Evident.io Co-founder and CEO of Evident.io Tim Prendergast (@Auxome) is a passionate security practitioner who seeks to help others avoid the pain he endured when leading Adobe's initiative to adopt the cloud at a massive level. After more than fifteen years of building, operating, and securing services in AWS, including eight years in AWS security and three years building the Adobe AWS infrastructure, Tim has set out to make security approachable and repeatable for organizations of all sizes by creating the first security company focused solely on programmatic infrastructures in the cloud. Tim previously led technology teams at Adobe, Ingenuity, Ticketmaster, and McAfee.
Copyright © 2015 evident.io1 DEVELOPING A RUGGED DEVOPS APPROACH TO CLOUD SECURITY Tim Prendergast (@auxome) Copyright © 2015 evident.io2 9 “Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.” Published: 15 April 2015
 How much responsibility do we have?
Copyright © 2015 evident.io3 AGREEING ON TERMINOLOGY What is “the Cloud”?
 Programmatic infrastructure and services evolved for dynamic use. Copyright © 2015 evident.io4 AGREEING ON TERMINOLOGY How can I get some “DevOps”?
 Engineers building and managing things 
 smarter, faster, and with more automation.
Copyright © 2015 evident.io5 AGREEING ON TERMINOLOGY How can I get some “DevOps”?
 Engineers building and managing things 
 smarter, faster, and with more automation. Copyright © 2015 evident.io6 SPRINKLE ON SOME “RUGGED”? Rugged DevOps • Authored for RSA 2015 • Aggregation of philosophy from: Gene Kim, Damon Edwards, Rich Mogull, Josh Corman, James Wicket, and that Tim Prendergast weirdo • Free download from: https:// evident.io/resources/rugged-devops/
Copyright © 2015 evident.io7 WHY DO WE NEED TO GET RUGGED? DevOps Security The Pit of Despair Copyright © 2015 evident.io8 THESE THINGS BELONG TOGETHER & & & & &
Copyright © 2015 evident.io9 BAD GUYS HAVE ADVANTAGES • We have budgets, they have #winnings • We have finite project cycles, they have a lifetime • We have to sleep, they do not (as much) • There are thousands of them, and often less than 3 or 4 of us. • We cannot afford to hyper focus on any particular area… Context Switching is the enemy of Security Copyright © 2015 evident.io10 THE CONTINUOUSLY DELIVERING ATTACKER Attacker IPv4 Space of AWS IPv4 Space of GCE IPv4 Space of Azure SCAN IDENTIFY COMPROMISE Vulnerable Instance Misconfigured Storage Weak LB Ciphers “FREE CANDY” Drop rootkit, exfiltrate data, deploy bot, proceed to SCAN Dump data, locate high-value data targets, sink hooks Traffic interception/redirection, decryption, and manipulation Deploy batch jobs, mine bitcoin, setup botnet/SCAN nodes, set phishing campaign, exploit identity relationships, etc…
Copyright © 2015 evident.io11 THE EASY WIN Sometimes people accidentally give away their keys via code, SCM, and even support tickets. Copyright © 2015 evident.io12 THERE ARE TEN RUGGED CORE PRINCIPALS Attackers are Automated, so we must be, too.
Copyright © 2015 evident.io13 UNDERMINING CONTINUOUS ATTACKS IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) __________________________________ | | Attack Lifecycle Copyright © 2015 evident.io14 REACTION TIME (DEFENDER CYCLE) IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Post-vulnerability Defense Window |_________________|
Copyright © 2015 evident.io15 PROACTION (?!) TIME IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Post-vulnerability Defense Window |_________________| |__________| Proactive Security Copyright © 2015 evident.io16 … AND THE REMAINDER IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Post-vulnerability Defense Window |_________________| |__________| Proactive Security |—————> Game Over
Copyright © 2015 evident.io17 ANYONE DOING SAT PREP? Minutes (>, <, =) Weeks Copyright © 2015 evident.io18 ANYONE DOING SAT PREP? Minutes < Weeks
Copyright © 2015 evident.io19 THE REAL EQUATION ISSUE Minutes < Weeks(Attackers) (Defenders) Copyright © 2015 evident.io20 RUGGED DEVOPS IS EQUALIZING IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Proactive Security Posture Mgmt |_________________| |__________| Preventative Measure |—————> Automated Incident Response
Copyright © 2015 evident.io21 OWNERSHIP IS SHARED IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Proactive Security Posture Mgmt (Ops) |_________________| |__________| Preventative Measure (Dev) |—————> Automated Incident Response (Security) Copyright © 2015 evident.io22 AND NEW BONDS ARE FORMED IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Proactive Security Posture Mgmt (DevSecOps) |_________________| |__________| Preventative Measure (DevSecOps) |—————> Automated Incident Response (DevSecOps)
Copyright © 2015 evident.io23 TIMING IS EVERYTHING TTD TTR TTC TTE = = = = Time to Detect Time to Respond Time to Contain Time to Expunge Think biological Copyright © 2015 evident.io24 THERE ARE TEN RUGGED CORE PRINCIPALS Automate for (Acceleration + Force-Multiplication)
Copyright © 2015 evident.io25 TEAMS, NOT SILOS DevOps + Security Copyright © 2015 evident.io26 TEAMS, NOT SILOS DevSecOps Handoffs Fail. Collaborations win.
Copyright © 2015 evident.io27 THERE ARE TEN RUGGED CORE PRINCIPALS • Don’t give up if you don’t get everything at first • Mutual goals and respect = mutual wins. • Be at the design table early, and often. Copyright © 2015 evident.io28 SAY WHAT? If you cannot articulate your security requirements, you cannot create security as code.
Copyright © 2015 evident.io29 SECURITY CLARITY IS NECESSITY PCI DSS Req 3.5.1: Restrict access to cryptographic keys to the fewest number of custodians necessary. Translation: We never want more than 2 custodians with access to keys used for encrypting sensitive data. If there are more than two, we need to know (organization-wide) to prevent abuse or malicious access. Copyright © 2015 evident.io30 THIS LEADS TO SECURITY-AS-CODE { "Sid": “PCI DSS 3.5.1 - Control Key Access”, "Effect": "Allow", "Principal": {"AWS": [ "arn:aws:iam::0123456789:user/Custodian1", "arn:aws:iam::0123456789:role/Custodian2" ]}, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" } configure do |c| c.deep_inspection = [:alias_name, :alias_arn, :target_key_id, :description, :creation_date, :key_state, :deletion_date, :key_policies] c.unique_identifier = [:alias_name] end def perform(aws) key_aliases = aws.kms.list_aliases.aliases key_aliases.each do |key_alias| key_policies = aws.kms.list_key_policies({key_id:key_alias}) @custodians = key_policies.principal custodians.each do |users| {HERE'S THE FUN STUFF}
Copyright © 2015 evident.io31 … AND THAT LEADS TO AUTOMATED TESTING Code Check-in Unit Tests Functional Tests Security Tests Environment Promotion Yes/ No Copyright © 2015 evident.io32 CONTINUOUS BEHAVIOR IS THE KEY • Now you not only can continuously measure security posture • … But you can: • Proactively stop undesired risk from being promoted to prod • Take automated mitigation steps against malicious changes • Ensure corporate and regulatory policy conformity • Obtain situational awareness of your dynamic environments
Copyright © 2015 evident.io33 OPEN YOUR TECHNOLOGY TO THE ORG The broader discussion is more valuable than closed-door one(s) THANK YOU PS - We’re Hiring!

More Related Content

PPTX
The Importance of Consolidating Your Infrastructure Security – by United Secu...
byUnited Security Providers AG
 
PPTX
Alfresco Virtual DevCon 2020 - Security First!
byJason Jolley
 
PDF
How to perform an Infrastructure Security Gap Analysis
byCarlo Dapino
 
PDF
Who owns security in the cloud
byTrend Micro
 
PDF
Demisto Webinar - When Shrinkage is Good
byRishi Bhargava
 
PDF
DTS Solution - Company Presentation
byShah Sheikh
 
PPTX
Velocity 2015-tim-prendergast-continuous-security-the-devops-way
byEvident.io
 
PPTX
Cyber security event
byTryzens
 
The Importance of Consolidating Your Infrastructure Security – by United Secu...
byUnited Security Providers AG
 
Alfresco Virtual DevCon 2020 - Security First!
byJason Jolley
 
How to perform an Infrastructure Security Gap Analysis
byCarlo Dapino
 
Who owns security in the cloud
byTrend Micro
 
Demisto Webinar - When Shrinkage is Good
byRishi Bhargava
 
DTS Solution - Company Presentation
byShah Sheikh
 
Velocity 2015-tim-prendergast-continuous-security-the-devops-way
byEvident.io
 
Cyber security event
byTryzens
 

What's hot

PPTX
Governance and Security in Cloud and Mobile Apps
byMichael Scheidell
 
PPT
CCNA Security 02- fundamentals of network security
byAhmed Habib
 
PDF
Laser Pioneer Secures Network End-to-End to Protect Assets
byCisco Security
 
PDF
Advantages of privacy by design in IoE
byMarc Vael
 
PDF
NIST Zero Trust Explained
byrtp2009
 
PPTX
Cisco Connect 2018 Indonesia - Cybersecurity Strategy
byNetworkCollaborators
 
PPTX
Threat Modeling In 2021
byAdam Shostack
 
PDF
Cloud security lessons learned and audit
byMarc Vael
 
PPTX
Automating your AWS Security Operations
byEvident.io
 
PDF
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
byEvident.io
 
PDF
Devil's Bargain: Sacrificing Strategic Investments to Fund Today's Problems
byscoopnewsgroup
 
PPTX
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
byPatrick Coble
 
PDF
How secure are chat and webconf tools
byMarc Vael
 
PPT
Cy Cops Company Presentation
byChaitanyaS
 
PDF
Is talent shortage ws marco morana
byMarco Morana
 
PDF
OFFICE 365 SECURITY
bySylvain Martinez
 
PDF
Cloud Security Guide - Ref Architecture and Gov. Model
byVishal Sharma
 
PDF
Nick Barcet, Open Source tijdens Infosecurity.nl Storage Expo en Tooling Even...
byInfosecurity2010
 
PPTX
Cloud Security Strategy by McAfee
byCristian Garcia G.
 
PDF
Talk1 esc3 muscl-standards and regulation_v1_1
bySylvain Martinez
 
Governance and Security in Cloud and Mobile Apps
byMichael Scheidell
 
CCNA Security 02- fundamentals of network security
byAhmed Habib
 
Laser Pioneer Secures Network End-to-End to Protect Assets
byCisco Security
 
Advantages of privacy by design in IoE
byMarc Vael
 
NIST Zero Trust Explained
byrtp2009
 
Cisco Connect 2018 Indonesia - Cybersecurity Strategy
byNetworkCollaborators
 
Threat Modeling In 2021
byAdam Shostack
 
Cloud security lessons learned and audit
byMarc Vael
 
Automating your AWS Security Operations
byEvident.io
 
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
byEvident.io
 
Devil's Bargain: Sacrificing Strategic Investments to Fund Today's Problems
byscoopnewsgroup
 
DerbyCon 7 - Hacking VDI, Recon and Attack Methods
byPatrick Coble
 
How secure are chat and webconf tools
byMarc Vael
 
Cy Cops Company Presentation
byChaitanyaS
 
Is talent shortage ws marco morana
byMarco Morana
 
OFFICE 365 SECURITY
bySylvain Martinez
 
Cloud Security Guide - Ref Architecture and Gov. Model
byVishal Sharma
 
Nick Barcet, Open Source tijdens Infosecurity.nl Storage Expo en Tooling Even...
byInfosecurity2010
 
Cloud Security Strategy by McAfee
byCristian Garcia G.
 
Talk1 esc3 muscl-standards and regulation_v1_1
bySylvain Martinez
 

Viewers also liked

PDF
Continuous Integration as a Development Team’s Way of Life
byTechWell
 
PDF
Applying Lean Startup Principles to Agile Projects
byTechWell
 
PDF
From Unclear and Unrealistic Requirements to Achievable User Stories
byTechWell
 
PDF
Testing in a Super-Agile Software Development Environment
byTechWell
 
PDF
You Don't Have All the Answers: So Stop Giving Advice and Start Asking Questions
byTechWell
 
PDF
IoT and Embedded Testing: A Roku Case Study
byTechWell
 
PDF
Performance Testing in Agile and DevOps Environments
byTechWell
 
PDF
Become an Influential Tester: Learn How to Be Heard
byTechWell
 
PDF
Testers in Agile Teams—Isolation or Collaboration?
byTechWell
 
PDF
Better Together: Group Exploratory Testing
byTechWell
 
Continuous Integration as a Development Team’s Way of Life
byTechWell
 
Applying Lean Startup Principles to Agile Projects
byTechWell
 
From Unclear and Unrealistic Requirements to Achievable User Stories
byTechWell
 
Testing in a Super-Agile Software Development Environment
byTechWell
 
You Don't Have All the Answers: So Stop Giving Advice and Start Asking Questions
byTechWell
 
IoT and Embedded Testing: A Roku Case Study
byTechWell
 
Performance Testing in Agile and DevOps Environments
byTechWell
 
Become an Influential Tester: Learn How to Be Heard
byTechWell
 
Testers in Agile Teams—Isolation or Collaboration?
byTechWell
 
Better Together: Group Exploratory Testing
byTechWell
 

Similar to Developing a Rugged DevOps Approach to Cloud Security

PDF
Implementing the Top 10 AWS Security Best Practices
bySebastian Taphanel CISSP-ISSEP
 
PPTX
AWS Spotlight Series - Modernization and Security with AWS
byCloudHesive
 
PDF
Rugged Building Materials and Creating Agility with Security
byDavid Etue
 
PDF
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
bySebastian Taphanel CISSP-ISSEP
 
PPTX
Overcoming Security Challenges in DevOps
byAlert Logic
 
PDF
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
PDF
Lab 5.2 Cloud Security Assessments - 2nd Sight Lab Cloud Security
by2nd Sight Lab
 
PPTX
Security on AWS
byCloudHesive
 
PPTX
Keynote at the Cyber Security Summit Prague 2015
byClaus Cramon Houmann
 
PDF
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
bybvpxmqwie0546
 
PDF
Journey to the Center of Security Operations
by♟Sergej Epp
 
PDF
Cloud Intrusion Detection Reloaded - 2018
byrandomuserid
 
PPTX
CSO CXO Series Breakfast
byCSO_Presentations
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
bySilvioHayashi
 
PDF
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
byEvident.io
 
PDF
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
byEvident.io
 
PPTX
Security perspective -human factor
byArtur Marek Maciąg
 
PDF
Daniel Grabski | Microsofts cybersecurity story
byMicrosoft Österreich
 
PDF
Thinking Evil Thoughts
byGareth Rushgrove
 
PPTX
TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud A...
byRavinder Reddy Amanaganti
 
Implementing the Top 10 AWS Security Best Practices
bySebastian Taphanel CISSP-ISSEP
 
AWS Spotlight Series - Modernization and Security with AWS
byCloudHesive
 
Rugged Building Materials and Creating Agility with Security
byDavid Etue
 
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
bySebastian Taphanel CISSP-ISSEP
 
Overcoming Security Challenges in DevOps
byAlert Logic
 
DevSecOps: Taking a DevOps Approach to Security
byAlert Logic
 
Lab 5.2 Cloud Security Assessments - 2nd Sight Lab Cloud Security
by2nd Sight Lab
 
Security on AWS
byCloudHesive
 
Keynote at the Cyber Security Summit Prague 2015
byClaus Cramon Houmann
 
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
bybvpxmqwie0546
 
Journey to the Center of Security Operations
by♟Sergej Epp
 
Cloud Intrusion Detection Reloaded - 2018
byrandomuserid
 
CSO CXO Series Breakfast
byCSO_Presentations
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
bySilvioHayashi
 
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
byEvident.io
 
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
byEvident.io
 
Security perspective -human factor
byArtur Marek Maciąg
 
Daniel Grabski | Microsofts cybersecurity story
byMicrosoft Österreich
 
Thinking Evil Thoughts
byGareth Rushgrove
 
TiEcon 2016 Keynote - Security Challenges & Opportunities with Public Cloud A...
byRavinder Reddy Amanaganti
 

More from TechWell

PDF
Failing and Recovering
byTechWell
 
PDF
Instill a DevOps Testing Culture in Your Team and Organization
byTechWell
 
PDF
Test Design for Fully Automated Build Architecture
byTechWell
 
PDF
System-Level Test Automation: Ensuring a Good Start
byTechWell
 
PDF
Build Your Mobile App Quality and Test Strategy
byTechWell
 
PDF
Testing Transformation: The Art and Science for Success
byTechWell
 
PDF
Implement BDD with Cucumber and SpecFlow
byTechWell
 
PDF
Develop WebDriver Automated Tests—and Keep Your Sanity
byTechWell
 
PDF
Ma 15
byTechWell
 
PDF
Eliminate Cloud Waste with a Holistic DevOps Strategy
byTechWell
 
PDF
Transform Test Organizations for the New World of DevOps
byTechWell
 
PDF
The Fourth Constraint in Project Delivery—Leadership
byTechWell
 
PDF
Resolve the Contradiction of Specialists within Agile Teams
byTechWell
 
PDF
Pin the Tail on the Metric: A Field-Tested Agile Game
byTechWell
 
PDF
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
byTechWell
 
PDF
A Business-First Approach to DevOps Implementation
byTechWell
 
PDF
Databases in a Continuous Integration/Delivery Process
byTechWell
 
PDF
Mobile Testing: What—and What Not—to Automate
byTechWell
 
PDF
Cultural Intelligence: A Key Skill for Success
byTechWell
 
PDF
Turn the Lights On: A Power Utility Company's Agile Transformation
byTechWell
 
Failing and Recovering
byTechWell
 
Instill a DevOps Testing Culture in Your Team and Organization
byTechWell
 
Test Design for Fully Automated Build Architecture
byTechWell
 
System-Level Test Automation: Ensuring a Good Start
byTechWell
 
Build Your Mobile App Quality and Test Strategy
byTechWell
 
Testing Transformation: The Art and Science for Success
byTechWell
 
Implement BDD with Cucumber and SpecFlow
byTechWell
 
Develop WebDriver Automated Tests—and Keep Your Sanity
byTechWell
 
Ma 15
byTechWell
 
Eliminate Cloud Waste with a Holistic DevOps Strategy
byTechWell
 
Transform Test Organizations for the New World of DevOps
byTechWell
 
The Fourth Constraint in Project Delivery—Leadership
byTechWell
 
Resolve the Contradiction of Specialists within Agile Teams
byTechWell
 
Pin the Tail on the Metric: A Field-Tested Agile Game
byTechWell
 
Agile Performance Holarchy (APH)—A Model for Scaling Agile Teams
byTechWell
 
A Business-First Approach to DevOps Implementation
byTechWell
 
Databases in a Continuous Integration/Delivery Process
byTechWell
 
Mobile Testing: What—and What Not—to Automate
byTechWell
 
Cultural Intelligence: A Key Skill for Success
byTechWell
 
Turn the Lights On: A Power Utility Company's Agile Transformation
byTechWell
 

Recently uploaded

DOCX
The Rise of Headless CMS in Modern Web Development.docx
bywork4noahmiller
 
PDF
Build a Scalable On-Demand Courier Service App.pdf
byV3CUBE TECHNOLABS
 
PDF
The Growing Impact of Blockchain and Web3 on Digital Ownership With Paul Inou...
byPaul Inouye
 
PDF
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
PDF
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
PDF
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
PPTX
Applicius Technologies: Full Service Overview for Branding, SEO, Web & App De...
byappliciustech
 
PDF
2026-01-26 - AWS - Architecting Multi-Agent Developer Workflows.pdf
byhlibco
 
PDF
LogiNext Media Kit & Company Overview 2025
byswatishahz9031
 
PDF
On Demand Grocery Delivery App Development.pdf
byV3CUBE TECHNOLABS
 
PDF
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
PDF
Pet Care Service App Development Company
byV3CUBE TECHNOLABS
 
PDF
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
PDF
LogiNext Media Kit & Company Overview 2025
bysanikaroy72
 
PDF
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
PDF
谷歌留痕技术教程[ 𝙩𝙤𝙥 𝟮𝟯𝟯. 𝙘 𝙤𝙢 ]
by6stynggfo
 
PDF
Project Tracking in Software Project Management
bySahanaBarveen1
 
PPTX
HackYourBrain_JFokusConference_03022026.pptx
bySimonedeGijt
 
PPTX
Device Repair and Maintenance Management
byAxisTechnolabs
 
PDF
2026 Safety Roadmap: Systems, Skills, and Scale for EHS Leaders
byTECH EHS Solution
 
The Rise of Headless CMS in Modern Web Development.docx
bywork4noahmiller
 
Build a Scalable On-Demand Courier Service App.pdf
byV3CUBE TECHNOLABS
 
The Growing Impact of Blockchain and Web3 on Digital Ownership With Paul Inou...
byPaul Inouye
 
LogiNext Media Kit & Company Overview 2025
bypriyajoshi2929
 
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
Applicius Technologies: Full Service Overview for Branding, SEO, Web & App De...
byappliciustech
 
2026-01-26 - AWS - Architecting Multi-Agent Developer Workflows.pdf
byhlibco
 
LogiNext Media Kit & Company Overview 2025
byswatishahz9031
 
On Demand Grocery Delivery App Development.pdf
byV3CUBE TECHNOLABS
 
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
Pet Care Service App Development Company
byV3CUBE TECHNOLABS
 
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
LogiNext Media Kit & Company Overview 2025
bysanikaroy72
 
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
谷歌留痕技术教程[ 𝙩𝙤𝙥 𝟮𝟯𝟯. 𝙘 𝙤𝙢 ]
by6stynggfo
 
Project Tracking in Software Project Management
bySahanaBarveen1
 
HackYourBrain_JFokusConference_03022026.pptx
bySimonedeGijt
 
Device Repair and Maintenance Management
byAxisTechnolabs
 
2026 Safety Roadmap: Systems, Skills, and Scale for EHS Leaders
byTECH EHS Solution
 

Developing a Rugged DevOps Approach to Cloud Security

  • 1.
  • 2.
  • 3.
    Copyright © 2015evident.io1 DEVELOPING A RUGGED DEVOPS APPROACH TO CLOUD SECURITY Tim Prendergast (@auxome) Copyright © 2015 evident.io2 9 “Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.” Published: 15 April 2015
 How much responsibility do we have?
  • 4.
    Copyright © 2015evident.io3 AGREEING ON TERMINOLOGY What is “the Cloud”?
 Programmatic infrastructure and services evolved for dynamic use. Copyright © 2015 evident.io4 AGREEING ON TERMINOLOGY How can I get some “DevOps”?
 Engineers building and managing things 
 smarter, faster, and with more automation.
  • 5.
    Copyright © 2015evident.io5 AGREEING ON TERMINOLOGY How can I get some “DevOps”?
 Engineers building and managing things 
 smarter, faster, and with more automation. Copyright © 2015 evident.io6 SPRINKLE ON SOME “RUGGED”? Rugged DevOps • Authored for RSA 2015 • Aggregation of philosophy from: Gene Kim, Damon Edwards, Rich Mogull, Josh Corman, James Wicket, and that Tim Prendergast weirdo • Free download from: https:// evident.io/resources/rugged-devops/
  • 6.
    Copyright © 2015evident.io7 WHY DO WE NEED TO GET RUGGED? DevOps Security The Pit of Despair Copyright © 2015 evident.io8 THESE THINGS BELONG TOGETHER & & & & &
  • 7.
    Copyright © 2015evident.io9 BAD GUYS HAVE ADVANTAGES • We have budgets, they have #winnings • We have finite project cycles, they have a lifetime • We have to sleep, they do not (as much) • There are thousands of them, and often less than 3 or 4 of us. • We cannot afford to hyper focus on any particular area… Context Switching is the enemy of Security Copyright © 2015 evident.io10 THE CONTINUOUSLY DELIVERING ATTACKER Attacker IPv4 Space of AWS IPv4 Space of GCE IPv4 Space of Azure SCAN IDENTIFY COMPROMISE Vulnerable Instance Misconfigured Storage Weak LB Ciphers “FREE CANDY” Drop rootkit, exfiltrate data, deploy bot, proceed to SCAN Dump data, locate high-value data targets, sink hooks Traffic interception/redirection, decryption, and manipulation Deploy batch jobs, mine bitcoin, setup botnet/SCAN nodes, set phishing campaign, exploit identity relationships, etc…
  • 8.
    Copyright © 2015evident.io11 THE EASY WIN Sometimes people accidentally give away their keys via code, SCM, and even support tickets. Copyright © 2015 evident.io12 THERE ARE TEN RUGGED CORE PRINCIPALS Attackers are Automated, so we must be, too.
  • 9.
    Copyright © 2015evident.io13 UNDERMINING CONTINUOUS ATTACKS IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) __________________________________ | | Attack Lifecycle Copyright © 2015 evident.io14 REACTION TIME (DEFENDER CYCLE) IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Post-vulnerability Defense Window |_________________|
  • 10.
    Copyright © 2015evident.io15 PROACTION (?!) TIME IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Post-vulnerability Defense Window |_________________| |__________| Proactive Security Copyright © 2015 evident.io16 … AND THE REMAINDER IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Post-vulnerability Defense Window |_________________| |__________| Proactive Security |—————> Game Over
  • 11.
    Copyright © 2015evident.io17 ANYONE DOING SAT PREP? Minutes (>, <, =) Weeks Copyright © 2015 evident.io18 ANYONE DOING SAT PREP? Minutes < Weeks
  • 12.
    Copyright © 2015evident.io19 THE REAL EQUATION ISSUE Minutes < Weeks(Attackers) (Defenders) Copyright © 2015 evident.io20 RUGGED DEVOPS IS EQUALIZING IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Proactive Security Posture Mgmt |_________________| |__________| Preventative Measure |—————> Automated Incident Response
  • 13.
    Copyright © 2015evident.io21 OWNERSHIP IS SHARED IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Proactive Security Posture Mgmt (Ops) |_________________| |__________| Preventative Measure (Dev) |—————> Automated Incident Response (Security) Copyright © 2015 evident.io22 AND NEW BONDS ARE FORMED IDENTIFY COMPROMISESCAN |____| |____| Time (t) Time (t) Proactive Security Posture Mgmt (DevSecOps) |_________________| |__________| Preventative Measure (DevSecOps) |—————> Automated Incident Response (DevSecOps)
  • 14.
    Copyright © 2015evident.io23 TIMING IS EVERYTHING TTD TTR TTC TTE = = = = Time to Detect Time to Respond Time to Contain Time to Expunge Think biological Copyright © 2015 evident.io24 THERE ARE TEN RUGGED CORE PRINCIPALS Automate for (Acceleration + Force-Multiplication)
  • 15.
    Copyright © 2015evident.io25 TEAMS, NOT SILOS DevOps + Security Copyright © 2015 evident.io26 TEAMS, NOT SILOS DevSecOps Handoffs Fail. Collaborations win.
  • 16.
    Copyright © 2015evident.io27 THERE ARE TEN RUGGED CORE PRINCIPALS • Don’t give up if you don’t get everything at first • Mutual goals and respect = mutual wins. • Be at the design table early, and often. Copyright © 2015 evident.io28 SAY WHAT? If you cannot articulate your security requirements, you cannot create security as code.
  • 17.
    Copyright © 2015evident.io29 SECURITY CLARITY IS NECESSITY PCI DSS Req 3.5.1: Restrict access to cryptographic keys to the fewest number of custodians necessary. Translation: We never want more than 2 custodians with access to keys used for encrypting sensitive data. If there are more than two, we need to know (organization-wide) to prevent abuse or malicious access. Copyright © 2015 evident.io30 THIS LEADS TO SECURITY-AS-CODE { "Sid": “PCI DSS 3.5.1 - Control Key Access”, "Effect": "Allow", "Principal": {"AWS": [ "arn:aws:iam::0123456789:user/Custodian1", "arn:aws:iam::0123456789:role/Custodian2" ]}, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" } configure do |c| c.deep_inspection = [:alias_name, :alias_arn, :target_key_id, :description, :creation_date, :key_state, :deletion_date, :key_policies] c.unique_identifier = [:alias_name] end def perform(aws) key_aliases = aws.kms.list_aliases.aliases key_aliases.each do |key_alias| key_policies = aws.kms.list_key_policies({key_id:key_alias}) @custodians = key_policies.principal custodians.each do |users| {HERE'S THE FUN STUFF}
  • 18.
    Copyright © 2015evident.io31 … AND THAT LEADS TO AUTOMATED TESTING Code Check-in Unit Tests Functional Tests Security Tests Environment Promotion Yes/ No Copyright © 2015 evident.io32 CONTINUOUS BEHAVIOR IS THE KEY • Now you not only can continuously measure security posture • … But you can: • Proactively stop undesired risk from being promoted to prod • Take automated mitigation steps against malicious changes • Ensure corporate and regulatory policy conformity • Obtain situational awareness of your dynamic environments
  • 19.
    Copyright © 2015evident.io33 OPEN YOUR TECHNOLOGY TO THE ORG The broader discussion is more valuable than closed-door one(s) THANK YOU PS - We’re Hiring!