Recommended
More Related Content
What's hot
What's hot (6)
Similar to How to decentralise controls with BDD
Similar to How to decentralise controls with BDD (20)
More from Ebru Cucen Çüçen
More from Ebru Cucen Çüçen (10)
Recently uploaded
Recently uploaded (20)
How to decentralise controls with BDD
- 1. How to Decentralise Controls? <Policies with BDD>
- 2. whoami? 22 Developer at heart Lead Principal Consultant Vegan Mum
- 3. 3 Agenda 01 | Problems with Cloud Security Guard Rails 02 | How we enabled collaboration? 03 | What challenges we had?
- 4. Key Takeaways 44 ● Application teams should contribute to the cloud security controls, as it is not just security team’s responsibility ● BDD offers a great way to provide human-readable tests to increase collaboration across multiple functional teams. ● Try small iteration & innovate
- 6. 6 Day1: Preparing Cloud 6 Guard rails?
- 7. Day2: Check in-house Controls 77
- 8. “They simply do not fit to cloud” Day 3: Lift/Shift Attempt 8
- 9. “They simply do not fit to cloud” Day 3: Lift/Shift Attempt 9
- 10. Day4: Upskilling 10 Can I bring our own key? What is our retention policy? For signed url, can we audit/stop the call if source IP is not in our allowed list?
- 11. Day5: Workshops 11 What decisions are taken? Who is invited?
- 13. “I want to define my own subnet” “I want to access to storage account” “I want to purge the secrets” Day6: Platform Ready(ish) 1313
- 14. “I want to define my own subnet” “I want to access to storage account” “I want to purge the secrets” Day6: Platform Ready(ish) 1414
- 16. Day1: Invite Application Teams to Workshops 16
- 17. Day2: Build Policy Pyramid 17 Baseline Policies Shared Policies App Policies
- 18. Day2: Security Team focus on Base Policy 18 Which regions are allowed? What are tagging policies? Which resources will be allowed? 18
- 19. Submit a PR of policies - We need a use case for KeyVault - x/y/z permissions - To be applied on Management Group ! All in code ! With tests associated with them Day3: App Team Contributes 19
- 20. Day3: Collaboration 20 Policy is Live!
- 21. BDD 21 Feature File - Scenarios - Gherkin (GWT) - Tags Cucumber.JS
- 22. BDD 22 Step Definition File - Before/After - Gherkin (GWT) - Regular Expression Typescript
- 23. What challenges we had?
- 24. Azure Policy - Trade Offs 24 1. Policy Engine is not effective real-time 2. Policy Engine has (different) wait time for each effect 3. Azure Policy Repo versioning is not enforced 1. We assumed worst case 24 hour into plan of pipeline 2. We favoured Deny policy over Audit policy 3. We favored Custom Policies over Built-in Policies to track versioning internally 24
- 25. Assignment Effects 25 Enforcements can have several effects depending on both requirements and Policy type ●Audit: generates a warning event in activity log but doesn't fail the request ●AuditIfNotExists: generates a warning event in activity log if a related resource doesn't exist Deny generates an event in the activity log and fails the request Disabled doesn't evaluate resources for compliance to the policy rule Most Restrictive ● Append: adds the defined set of fields to the request ● DeployIfNotExists: deploys a related resource if it doesn't already exist ● Modify: adds, updates, or removes the defined tags from a resource TimeLeast Restrictive
- 26. BDD - Trade Offs 26 1.Decision on Language (Golang/ Typescript/Java) 2. Decision on when to run the tests? 3. Decisions on where to run the tests? 1.We favoured top in-house skillset (Typescript) 2. Executed with the policy assignment 3. A dedicated integration environment
- 28. Atlanta atlanta@contino.io Thank You contino.io continohq contino London london@contino.io New York newyork@contino.io Melbourne melbourne@contino.io Sydney sydney@contino.io