The document discusses implementing secure Docker environments at scale. It outlines roles and responsibilities for security teams, development teams, and DevOps teams. It presents conceptual designs for architectural diagrams that show secure environments for development, staging, and production. It describes moving from today's designs to better designs with more security controls like isolation, delivery reviews, and delivery-aware security tools. Finally, it discusses three common pitfalls to avoid, such as having compliance policies that are too granular, only monitoring in production, and over-trusting network security tools.
7. • Security Team
• Design secure continuum
Compliance
Micro service aware active threat protection
Synergy with developers
Roles and Responsibilities
Roles and Responsibilities
8. • Security Team
• Design secure continuum
Compliance
Micro service aware active threat protection
Synergy with developers
Roles and Responsibilities
Roles and Responsibilities
9. • Security Team
• Design secure continuum
Compliance
Micro service aware active threat protection
Synergy with developers
• Dev Team
• Vulnerabilities/patching, infrastructure, identities/access
Fix
Proactively consider security
Roles and Responsibilities
Roles and Responsibilities
10. • Security Team
• Design secure continuum
Compliance
Micro service aware active threat protection
Synergy with developers
• Dev Team
• Vulnerabilities/patching, infrastructure, identities/access
Fix
Proactively consider security
• Devops Team
Implementation
Daily security operations
Roles and Responsibilities
Roles and Responsibilities
12. Today
Development&Staging
Production Maintenance
Security Operation Team
Offline
Guidance
Set
Policy
Handle
Notifications
Network
Set
Policy
Handle
Notifications
“IT” Operation Team
Offline
Communications
Offline
Review
Set
Policy
Identity
Handle
Notifications
Set
Policy
Platform/Host
“IT” Operation Team
“IT” Operation TeamDevelopment Team
“IT” Operation Team “IT” Operation Team
13. Today
Development&Staging
Production Maintenance
Security Operation Team
Offline
Guidance
Set
Policy
Handle
Notifications
Network
Set
Policy
Handle
Notifications
“IT” Operation Team
Offline
Communications
Offline
Review
Set
Policy
Identity
Handle
Notifications
Set
Policy
Platform/Host
“IT” Operation Team
“IT” Operation TeamDevelopment Team
“IT” Operation Team “IT” Operation Team
MS MS
14. Architectural Diagram
Milestone Review
Review Setup Scripts, Security Testing, App Compliance
Communicate Infra Requirements to IT
Development&Staging
Micro-Segmentation E-W FWs
Production
Updates
Security Alerts / Patches
Maintenance
Security Operation Team
Offline
Guidance
Set
Policy
Handle
Notifications
IPS/IDS
Deception
1st / Next Gen Firewall
Network
Set
Policy
Handle
Notifications
“IT” Operation Team
Offline
Communications
Offline
Review
Set
Policy
Identity
Handle
Notifications
Set
Policy
Host Configuration Compliance
Traffic Encryption
Data Encryption
Platform/Host
“IT” Operation Team
“IT” Operation TeamDevelopment Team
“IT” Operation Team “IT” Operation Team
MS MS
15. Architectural Diagram
Development&Staging
Production Maintenance
Security Operation Team
Offline
Guidance
Set
Policy
Handle
Notifications
Isolation
Network
Set
Policy
Handle
Notifications
“IT” Operation Team
Offline
Communications
Offline
Review
Set
Policy
Pre-Checkin Review
Code Analysis
User Behavior Analytics
Identity
Handle
Notifications
Set
Policy
Platform/Host
“IT” Operation Team
“IT” Operation TeamDevelopment Team
“IT” Operation Team “IT” Operation Team
MS MS
16. Staging
Architectural Diagram
Development Production Maintenance
Security Operation Team
Set
Policy
Isolation
Network
Set
Policy
Dev/Devops Team
Pre-Checkin Review
Code Analysis
User Behavior Analytics
IdentityPlatform/Host
Dev/Devops Team
Dev/Devops TeamDevelopment Team
“IT” Operation Team Dev/Devops/ IT Team
MS MS
Dev/Devops Team
18. Staging
Architectural Diagram
Development Production
Updates
Security Alerts / Patches
Maintenance
Security Operation Team
Set
Policy
Set
Policy
Handle
Notifications
Isolation
Network
Set
Policy
Handle
Notifications
Dev/Devops Team
Set
Policy
Pre-Checkin Review
Code Analysis
User Behavior Analytics
Identity
Handle
Notifications
Set
Policy
Host Configuration Compliance
Platform/Host
Dev/Devops Team
Dev/Devops TeamDevelopment Team
“IT” Operation Team Dev/Devops/ IT Team
MS MS
Delivery Review
CVE checks, Signing, Base Image, Other Metadata
Ports, Volumes, Devices, Processes
Delivery Aware Network Restrictions
Delivery Aware Anomaly Detection
Delivery Aware Deception
Dev/Devops Team
19. Staging
Architectural Diagram
Development Production
Updates
Security Alerts / Patches
Maintenance
Security Operation Team
Set
Policy
Set
Policy
Handle
Notifications
Isolation
Network
Set
Policy
Handle
Notifications
Dev/Devops Team
Set
Policy
Pre-Checkin Review
Code Analysis
User Behavior Analytics
Identity
Handle
Notifications
Set
Policy
Host Configuration Compliance
Platform/Host
Dev/Devops Team
Dev/Devops TeamDevelopment Team
“IT” Operation Team Dev/Devops/ IT Team
MS MS
Delivery Review
CVE checks, Signing, Base Image, Other Metadata
Ports, Volumes, Devices, Processes
Delivery Aware Network Restrictions
Delivery Aware Anomaly Detection
Delivery Aware Deception
Dev/Devops Team
Fuzzing, Sandboxing
Delivery Aware Pen-Tests
21. • Compliance Policies
Adjust per micro-service
Adjust per R&D team / Org / Application Group.
Three Common Pitfalls
Battle Tested
22. • Compliance Policies
Adjust per micro-service
Adjust per R&D team / Org / Application Group.
• Delivery hygiene
Monitoring only in production
Monitor early in CI/CD and in production
Three Common Pitfalls
Battle Tested
23. • Compliance Policies
Adjust per micro-service
Adjust per R&D team / Org / Application Group.
• Delivery hygiene
Monitoring only in production
Monitor early in CI/CD and in production
• Active Threat Protection
Trust your “application / next-gen firewall”
Use “delivery aware” active threat protection
Three Common Pitfalls
Battle Tested