Is DevOps Braking
Your Company?
Elizabeth Lawler
CEO & Co-Founder, Conjur, Inc.
@elizabethlawler
Agenda
I. Security + DevOps Recap
DevOps as a transformation
DevOps Workflow
Unstoppable Force vs Immovable Object
Wrong Tools for the Job
II. SecDevOps 2.0: Defined
Motivation and Requirements
Policy, Identity and Network 2.0
Best Practices
III. SecDevOps 2.0: In Practice
New Tools
Case Study
Takeaways
IV. Q&A
Thank you!
Top Takeaways
1) Start conversations with all the stakeholders to
address current security and compliance
challenges
2) Map security and compliance best practice and
principles into continuous delivery
3) Expect this to be an iterative and evolving process
I. Security + DevOps Recap
How does DevOps
work?
Magic.
Security and Compliance Concerns: DevOps
Source: DevOps: The Worst-Kept Secret to Winning in the Application Economy by CA Technologies, October
2014 (http://rewrite.ca.com/us/~/media/rewrite/pdfs/white-papers/devops-winning-in-application-economy.pdf)
These are cultural
challenges with a
technical component.
Q: Is DevOps Breaking Your Company?
A: No, but security may break (or brake)
your DevOps!
DevOps leverages a set of tools and processes that
are constantly striving to go faster to meet business
needs.
Some DevOps tools/processes don’t easily lend
themselves to existing information security best
practices.
We’re All In It Together
Start The Conversation!
● Security, Compliance, Developers, and Operations
need personal relationships and mutual understanding.
● Differences in language: The way that security,
compliance, developers and ops talk about the same
problem can be bridged.
● Transparency and a clear understanding of the security
topology is good for the entire organization.
II. SecDevOps 1.0
Duct Tape and Baling Wire
DevOps Is: Continuous Delivery
[Diagram: Developer commits Infrastructure Source Code on a branch → Code Review (check, approval) → Continuous Build & Unit Test (tests pass) → Config, Release, Deployment → deploy to Dev, Test & Prod Environments]
Holistic, Automated Processes
To Build And Deliver Software/IT Infrastructure
Let’s Create: Continuous Compliance
● Robust security and
compliance controls
… with
● Full support for
automation
SecDevOps 1.0: Where Are We Today?
Source Control
Automated Build and Test
Configuration Management
Orchestration
Software-Defined Networking
Monitoring
Continuous Delivery
● Code is the new privileged user/sys admin
● Who and what can touch the code is critical to
security
● Fewer people → more trusted services
● Machine identity and trust is critical
● Automation is a Force Multiplier and a
Double-Edged Sword
● Good: Patch management
● Bad: Vulnerability “globally” at the speed of light
● Ugly: Catastrophic failure
Continuous Delivery: Compliance Issues
Lack of transparency is the #1
obstacle to compliance
● Policies are buried in code
● Security for automation is ill-defined
● Realtime reporting of controls
can be piecemeal
The User Experience is Lousy
Tools Are Being Pushed Beyond Their
Intended Function
“Sometimes when all you have is a
hammer, everything looks like a nail.”
● SCM: Collaboration, not least
privilege
● CI: Powerful system accounts
● Configuration Management
(Puppet/Chef): not secrets
management
Anti-Pattern: Production-only Workflows
Problem: Security controls
that developers cannot
replicate locally
Result: Speed-killer
Anti-Pattern: Human Bottlenecks
Problem: Security controls that
require manual intervention for
routine tasks
Result: Tech resources are
wasted on trivial tasks, unclear
organizational ownership of
tasks, throughput suffers, and
so does morale.
“Cool” DIY security projects become albatrosses
Anti-Pattern: Conflation of Concerns
Example: Mastering Secrets in Configuration Management
Two orthogonal concerns:
1. Install packages and establish
configuration settings.
2. “Wire up” the system with identity
and secrets.
System “wiring” should not be
in the domain of configuration
management.
Anti-patterns create “Security Debt”
Addressing DevOps security bottlenecks and issues is
often deferred, until…
[Diagram: New Product Feature vs. New Security Feature]
Worst-Case Scenario? Full Stop
● Regulated Workloads Aren’t
brought into the DevOps workflow
● Security Incident
o Breach or unauthorized
access because of workflow
challenges in getting the job
done
● Static Workflow Caps Velocity
o Changing is too hard or too
risky
o Toolchain
III. SecDevOps Version 2
SecDevOps 2.0: High-Level Goals
1. Code is the new “Privileged User”
2. Scale-out with granular permissions management
3. Highly durable and scalable - like cloud infrastructure
itself
4. Make the brakes as powerful as the engine
Challenges in mapping the organization
to dynamic infrastructure:
● Practical Separation of Duties
● Least Privilege Access via Role-Based Access Control
● Audit and Reporting
[Diagram: stack layers: Application Auth, Systems Access, Internal Network, Physical Infrastructure, Firewall, Control Plane]
Mind The Gap: Access Control for Automation
We Need To Rethink How We Define Policies, Identities And Networks In A Way That...
● Works with automation
● Supports agile development and continuous delivery
● Is intuitive to security and compliance teams
DevOps = Code = Security In Source Control
Security setup should be declarative in code.
1. Visible to all teams that depend on security.
2. Resolves confusion around where things are, what they
are named, who/what has access to what.
3. Changes to topology are versioned and can be
reviewed.
4. At Run-Time: Code is privileged, Secrets are injected
SecDevOps 2.0: Security Policy As Code
[Diagram: dev, stage and prod environments defined in the Conjur Policy DSL]
SecDevOps 2.0: Identity For Machines At Scale
● Each Server (VM), Container
(Docker, LXC) and Service
needs to have an identity for
access control to be
meaningful
● Provisioning of these
identities needs to be
automated and included in
SecDevOps workflow
● Machine-to-machine trust
New Tools: Identity Management For
Robots
Machine trust and identity that works for
servers, VMs, containers, and IoT.
Apply known tools and techniques from
traditional identity management to robots
Example: Segregation of regulated
applications/cloud into distinct application
layers using policies that govern each
service
Identity: Benefits For Access Control
[Diagram: Ops, Dev Group 1 and Dev Group 2 mapped to App 1, App 2, App 3 and App 4]
● Identities provisioned at a granular
level allow for the creation of
meaningful authorization policy
● Machine identities can be grouped
into applications or environmental
layers to simplify policy creation
● “Carbon Identities” can also be
organized into groups and have
their access limited to certain sets
of machine identities
Opportunities To Improve Practices
● Provide a facility outside of operational tools to
access/include sensitive information.
● Create multiple environments organized by risk.
● Audit everything, including automation exceptions (one-off builds).
New Tools: Secrets as a Service

SecDevOps 1.0
[Diagram: Chef node with two unlabelled "?" items]
✱ decryption keys are secrets themselves
✱ key storage and retrieval is complicated
✱ one decryption key per node
✱ access logs difficult to search and manage
✱ chef-vault makes key distribution easier at the expense of auto-scaling

SecDevOps 2.0
[Diagram: Chef node → https → RESTful API → audit log]
✱ Nodes have an identity, use that to fetch secrets. Easily given and revoked
✱ Permissions are role-based, applied to layers not hosts
✱ Chef library encapsulates authenticated HTTPS call
✱ full audit log of changes
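As an added example (not Conjur's code or its Policy DSL, which the deck only pictures), the following toy Python model ties together the "Security Policy As Code", "Identity: Benefits For Access Control" and "Secrets as a Service" slides: a declarative policy grants read/write on secrets to layers (dev/stage/prod) and human groups, a host gets its identity by joining a layer, and every authorization decision lands in a searchable audit log. Layer, group, host and secret names are constructed for illustration.

```python
# Toy "security policy as code" model of machine identity and secrets-as-a-service.
# Added example, not Conjur's code or its Policy DSL; all names are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Declarative policy, versioned next to the infrastructure code: permissions attach
# to roles (layers and human groups), never to a single host.
POLICY: Dict = {
    "layers": ["dev", "stage", "prod"],
    "groups": {"ops": ["alice"], "dev-team-1": ["bob"]},
    "secrets": {
        "prod/db/password": {"read": ["prod", "ops"], "write": ["ops"]},
        "dev/db/password": {"read": ["dev", "dev-team-1"], "write": ["ops", "dev-team-1"]},
    },
}

@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str      # machine identity ("host:...") or a person ("alice")
    action: str     # enroll, revoke, read, write
    resource: str
    allowed: bool

class SecretsService:
    """In-memory stand-in for the authenticated HTTPS API in the 2.0 diagram."""

    def __init__(self, policy: Dict) -> None:
        self.layers: Dict[str, Set[str]] = {name: set() for name in policy["layers"]}
        self.groups: Dict[str, Set[str]] = {g: set(m) for g, m in policy["groups"].items()}
        self.acl: Dict[str, Dict[str, Set[str]]] = {
            path: {verb: set(roles) for verb, roles in perms.items()}
            for path, perms in policy["secrets"].items()
        }
        self.store: Dict[str, str] = {}
        self.audit: List[AuditEvent] = []

    def _log(self, actor: str, action: str, resource: str, allowed: bool) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc), actor, action, resource, allowed))

    def enroll_host(self, host: str, layer: str) -> None:
        """Provision a machine identity by placing the host in a layer: no per-node key to ship."""
        self.layers[layer].add(host)
        self._log(host, "enroll", f"layer:{layer}", True)

    def revoke_host(self, host: str) -> None:
        """Revoking the identity removes every permission its layers granted, in one step."""
        for members in self.layers.values():
            members.discard(host)
        self._log(host, "revoke", "*", True)

    def roles_of(self, identity: str) -> Set[str]:
        # Roles come from membership, so the policy never has to name individual hosts.
        roles = {name for name, members in self.layers.items() if identity in members}
        roles |= {name for name, members in self.groups.items() if identity in members}
        return roles

    def _authorize(self, identity: str, verb: str, path: str) -> bool:
        permitted = self.acl.get(path, {}).get(verb, set())
        allowed = bool(self.roles_of(identity) & permitted)
        self._log(identity, verb, path, allowed)  # every decision is audited, allowed or not
        return allowed

    def put_secret(self, identity: str, path: str, value: str) -> None:
        if not self._authorize(identity, "write", path):
            raise PermissionError(f"{identity} may not write {path}")
        self.store[path] = value

    def fetch_secret(self, identity: str, path: str) -> str:
        if not self._authorize(identity, "read", path):
            raise PermissionError(f"{identity} may not read {path}")
        return self.store[path]

    def denied_events(self) -> List[AuditEvent]:
        # Searchable audit trail: every refused access, ready for a compliance report.
        return [e for e in self.audit if not e.allowed]

def demo() -> Dict[str, object]:
    """Enrol, fetch, deny, scale out and revoke; returns the outcomes so they can be checked."""
    svc = SecretsService(POLICY)

    def reads(identity: str, path: str) -> bool:
        try:
            svc.fetch_secret(identity, path)
            return True
        except PermissionError:
            return False

    svc.enroll_host("host:web-01", "prod")
    svc.enroll_host("host:ci-01", "dev")
    svc.put_secret("alice", "prod/db/password", "constructed-prod-pw")  # ops writes the secret
    results: Dict[str, object] = {
        "prod_host_reads_prod": reads("host:web-01", "prod/db/password"),
        "dev_host_reads_prod": reads("host:ci-01", "prod/db/password"),  # dev layer, prod secret
    }
    svc.enroll_host("host:web-02", "prod")  # scale-out: authorized as soon as it joins the layer
    svc.revoke_host("host:web-01")
    results["new_host_reads_prod"] = reads("host:web-02", "prod/db/password")
    results["revoked_host_reads_prod"] = reads("host:web-01", "prod/db/password")
    results["denied"] = [(e.actor, e.action, e.resource) for e in svc.denied_events()]
    return results
```

Because authorization is a set intersection between the caller's roles and the secret's ACL, adding a host to the prod layer or revoking it changes what it can read without touching any per-host rule or distributing a new key.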
New Tools: Software-Defined Firewall
New Tools: Control Plane Microservices
● Delegate routine tasks to trusted microservices that are
governed by highly limited access control policies and
continuously audited
● Use Foundation/Golden Images to “bake in” trust in core
services, such as identity management, configuration
management, secrets-as-a-service and audit
Result: Clear Controls And Processes
Problem:
Solution:
Takeaways
1) Start conversations with all the stakeholders to
address current security and compliance
challenges
2) Map security and compliance best practice and
principles into continuous delivery
3) Expect this to be an iterative and evolving process
IV. Q & A
Thank You!
Additional Questions? Connect...
Elizabeth Lawler
● email: elawler@conjur.net
● phone: (617) 906-8216
● web: www.conjur.net
● twitter: @elizabethlawler /@conjurinc

UiPath Test Automation using UiPath Test Suite series, part 6
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 

Is DevOps Braking Your Company?

  • 1. Is DevOps Braking Your Company? Elizabeth Lawler CEO & Co-Founder, Conjur, Inc. @elizabethlawler
  • 2. Agenda I. Security + DevOps Recap DevOps as a transformation DevOps Workflow Unstoppable Force vs Immovable Object Wrong Tools for the Job II. SecDevOps 2.0: Defined Motivation and Requirements Policy, Identity and Network 2.0 Best Practices III. SecDevOps 2.0: In Practice New Tools Case Study Takeaways IV. Q&A Thank you!
  • 3. Top Takeaways 1) Start conversations with all the stakeholders to address current security and compliance challenges 2) Map security and compliance best practices and principles into continuous delivery 3) Expect this to be an iterative and evolving process
  • 4. I. Security + DevOps Recap
  • 5. How does DevOps work? Magic. How does DevOps work? Magic.
  • 6. Security and Compliance Concerns : DevOps Source: DevOps: The Worst-Kept Secret to Winning in the Application Economy by CA Technologies, October 2014 (http://rewrite.ca.com/us/~/media/rewrite/pdfs/white-papers/devops-winning-in-application-economy.pdf) These are cultural challenges with a technical component.
  • 7. Q: Is DevOps Breaking Your Company? A: No, but security may break (or brake) your DevOps! DevOps leverages a set of tools and processes that are constantly striving to go faster to meet business needs. Some DevOps tools/processes don’t easily lend themselves to existing information security best practices.
  • 8. We’re All In It Together
  • 9. Start The Conversation! ● Security, Compliance, Developers, and Operations need personal relationships and mutual understanding. ● Differences in language: The way that security, compliance, developers and ops talk about the same problem can be bridged. ● Transparency and clear understanding of security topology is good for the entire organization
  • 10. II. SecDevOps 1.0: Duct Tape and Baling Wire
  • 11. DevOps is: Continuous Delivery. Holistic, automated processes to build and deliver software/IT infrastructure. (Pipeline diagram labels: Developer; Source Code; Infrastructure Code; commit on branch; Continuous Build & Unit Test; tests pass; Code Review; build check; approval; Config, Release, Deployment; deploy; Dev, Test, & Prod Environments.)
  • 12. Let’s Create : Continuous Compliance ● Robust security and compliance controls … with ● Full support for automation
  • 13. SecDevOps 1.0: Where Are We Today? Source Control Automated Build and Test Configuration Management Orchestration Software-Defined Networking Monitoring
  • 14. Continuous Delivery ● Code is the new privileged user/sysadmin ● Who and what can touch the code is critical to security ● Fewer people → more trusted services ● Machine identity and trust is critical ● Automation is a Force Multiplier and a Double-Edged Sword: Good: patch management; Bad: a vulnerability deployed “globally” at the speed of light; Ugly: catastrophic failure
  • 15. Continuous Delivery: Compliance Issues. Lack of transparency is the #1 obstacle to compliance ● Policies are buried in code ● Security for automation is ill-defined ● Real-time reporting of controls can be piecemeal. The User Experience is Lousy
  • 16. Tools Are Being Pushed Beyond Their Intended Function “Sometimes when all you have is a hammer, everything looks like a nail.” ● SCM: Collaboration, not least privilege ● CI: Powerful system accounts ● Configuration Management (Puppet/Chef): not secrets management
  • 17. Anti-Pattern: Production-only Workflows Problem: Security controls that developers cannot replicate locally Result: Speed-killer
  • 18. Anti-Pattern: Human Bottlenecks Problem: Security controls that require manual intervention for routine tasks Result: Tech resources are wasted on trivial tasks, unclear organizational ownership of tasks, throughput suffers, and so does morale. “Cool” DIY security projects become albatrosses
  • 20. Example: Mastering Secrets in Configuration Management. Two orthogonal concerns: 1. Install packages and establish configuration settings. 2. “Wire up” the system with identity and secrets. System “wiring” should not be in the domain of configuration management.
  • 21. Anti-patterns create “Security Debt” DevOps addressing security bottlenecks and issues are often deferred, until… New Product Feature New Security Feature
  • 22. Worst-Case Scenario? Full Stop ● Regulated workloads aren’t brought into the DevOps workflow ● Security Incident: breach or unauthorized access because of workflow challenges in getting the job done ● Static Workflow Caps Velocity: changing is too hard or too risky; toolchain
  • 24. SecDevOps 2.0: High-Level Goals 1. Code is the new “Privileged User” 2. Scale-out with granular permissions management 3. Highly durable and scalable - like cloud infrastructure itself 4. Make the brakes as powerful as the engine
  • 25. Mind The Gap: Access Control for Automation. Challenges in mapping the organization to dynamic infrastructure: ● Practical Separation of Duties ● Least Privilege Access via Role-Based Access Control ● Audit and Reporting (Diagram layers: Application Auth; Systems Access; Internal Network; Physical Infrastructure; Firewall; Control Plane)
  • 26. We Need To Rethink How We Define Policies, Identities And Networks In A Way That... works with automation; supports agile development and continuous delivery; is intuitive to security and compliance teams
  • 27. DevOps = Code = Security In Source Control Security setup should be declarative in code. 1. Visible to all teams that depend on security. 2. Resolves confusion around where things are, what they are named, who/what has access to what. 3. Changes to topology are versioned and can be reviewed. 4. At Run-Time : Code is privileged, Secrets are injected
  • 28. SecDevOps 2.0: Security Policy As Code (Diagram: dev, stage and prod environments governed by the Conjur Policy DSL)
  • 29. SecDevOps 2.0: Identity For Machines At Scale ● Each Server (VM), Container (Docker, LXC) and Service needs to have an identity for access control to be meaningful ● Provisioning of these identities needs to be automated and included in SecDevOps workflow ● Machine-to-machine trust
  • 30. New Tools: Identity Management For Robots. Machine trust and identity that works for servers, VMs, containers, and IoT. Apply known tools and techniques from traditional identity management to robots. Example: segregation of regulated applications/cloud into distinct application layers using policies that govern each service
  • 31. Identity: Benefits For Access Control (Diagram: Ops, Dev Group 1 and Dev Group 2 mapped to App 1, App 2, App 3 and App 4) ● Identities provisioned at a granular level allow for the creation of meaningful authorization policy ● Machine identities can be grouped into applications or environmental layers to simplify policy creation ● “Carbon Identities” can also be organized into groups and have their access limited to certain sets of machine identities
  • 32. Opportunities To Improve Practices ● Provide a facility outside of operational tools to access/include sensitive information. ● Create multiple environments organized by risk. ● Audit everything, including automation exceptions (one-off builds).
  • 33. New Tools: Secrets as a Service (Diagram: a Chef node fetching secrets under each model). SecDevOps 1.0: ✱ decryption keys are secrets themselves ✱ key storage and retrieval is complicated ✱ one decryption key per node ✱ access logs are difficult to search and manage ✱ chef-vault makes key distribution easier at the expense of auto-scaling. SecDevOps 2.0: ✱ nodes have an identity and use it to fetch secrets over HTTPS from a RESTful API; identity is easily given and revoked ✱ permissions are role-based, applied to layers not hosts ✱ a Chef library encapsulates the authenticated HTTPS call ✱ full audit log of changes
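The following is an added illustration of the ideas on slides 20, 27 through 33 (secrets kept out of configuration management, security policy declared in code, machine identities grouped into layers, role-based grants applied to layers rather than hosts, run-time secret injection, and an audit log of every decision). It is not Conjur's policy DSL, API or Chef library, and it is not code from the deck; the policy shape, identities, layer names, secret ids and the config template are all constructed for the example.

```python
"""Policy-as-code access control for machine identities, with run-time secret
injection and an audit log. Hypothetical model for illustration only: not
Conjur's DSL or API; every name and value below is constructed."""
import copy
import re

# Constructed declarative policy. In the model the deck describes, this lives
# in source control next to the application code, so changes to the security
# topology are versioned and reviewed like any other change.
POLICY = {
    # Layers group machine identities (hosts); grants attach to layers.
    "layers": {
        "prod/webapp": ["host/web-01", "host/web-02"],
        "prod/batch": ["host/batch-01"],
    },
    # Groups hold human ("carbon") identities.
    "groups": {
        "ops": ["user/alice"],
        "dev-group-1": ["user/bob"],
    },
    # A grant names a role (layer or group), never an individual host.
    "permissions": [
        {"role": "layer:prod/webapp", "secret": "prod/webapp/db-password", "privileges": ["read"]},
        {"role": "layer:prod/batch", "secret": "prod/batch/s3-key", "privileges": ["read"]},
        {"role": "group:ops", "secret": "prod/webapp/db-password", "privileges": ["read", "update"]},
    ],
}


class PolicyEngine:
    """Evaluates the declarative policy and records every access decision."""

    def __init__(self, policy):
        self.policy = copy.deepcopy(policy)  # revocations must not mutate the source policy
        self.vault = {}                       # secret id -> value (stand-in for a secrets service)
        self.audit = []                       # one entry per decision, allowed or denied

    def roles_of(self, identity):
        """An identity holds its own name plus every layer and group it belongs to."""
        roles = {identity}
        roles |= {f"layer:{n}" for n, members in self.policy["layers"].items() if identity in members}
        roles |= {f"group:{n}" for n, members in self.policy["groups"].items() if identity in members}
        return roles

    def is_allowed(self, identity, privilege, secret):
        roles = self.roles_of(identity)
        return any(p["role"] in roles and p["secret"] == secret and privilege in p["privileges"]
                   for p in self.policy["permissions"])

    def _decide(self, identity, privilege, secret):
        allowed = self.is_allowed(identity, privilege, secret)
        self.audit.append({"identity": identity, "privilege": privilege,
                           "secret": secret, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{identity} may not {privilege} {secret}")

    def update_secret(self, identity, secret, value):
        self._decide(identity, "update", secret)
        self.vault[secret] = value

    def fetch_secret(self, identity, secret):
        self._decide(identity, "read", secret)
        return self.vault[secret]

    def revoke_host(self, host):
        """Retire a machine identity by removing it from every layer; the layer's
        grants stay untouched, so the remaining hosts keep working."""
        for members in self.policy["layers"].values():
            if host in members:
                members.remove(host)


# "Wiring" is separate from configuration: the committed template (constructed)
# carries references to secrets, never their values.
CONFIG_TEMPLATE = (
    "db_host=db.internal\n"
    "db_user=app\n"
    "db_password=${secret:prod/webapp/db-password}\n"
)
SECRET_REF = re.compile(r"\$\{secret:([^}]+)\}")
# A secret-looking key whose value is not a ${secret:...} reference.
LITERAL_SECRET = re.compile(r"(?im)^\s*\w*(password|secret|token|key)\w*\s*=\s*(?!\$\{secret:)\S+")


def render_config(engine, identity, template):
    """Run-time injection: resolve each reference as the calling machine identity."""
    return SECRET_REF.sub(lambda m: engine.fetch_secret(identity, m.group(1)), template)


def has_literal_secret(text):
    """True if a committed artifact appears to embed a secret value directly."""
    return LITERAL_SECRET.search(text) is not None


def attempt_fetch(engine, identity, secret):
    """Return the secret value, or None when policy denies it (the denial is still audited)."""
    try:
        return engine.fetch_secret(identity, secret)
    except PermissionError:
        return None


def denied_entries(engine):
    return [e for e in engine.audit if not e["allowed"]]


if __name__ == "__main__":
    engine = PolicyEngine(POLICY)
    engine.update_secret("user/alice", "prod/webapp/db-password", "constructed-db-pw")
    print(render_config(engine, "host/web-01", CONFIG_TEMPLATE))
    print("batch host reading webapp secret:", attempt_fetch(engine, "host/batch-01", "prod/webapp/db-password"))
    engine.revoke_host("host/web-01")
    print("web-01 after revocation:", engine.is_allowed("host/web-01", "read", "prod/webapp/db-password"))
    print("audit entries:", len(engine.audit), "denied:", len(denied_entries(engine)))
```

Two design points match the slides: revoking a node touches only its layer membership, never the grants, which is what makes auto-scaling and revocation cheap; and the artifact in source control passes the `has_literal_secret` check because it holds references, so the two concerns (configuring the system and wiring it with secrets) stay apart.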
  • 35. New Tools : Control Plane Microservices ● Delegate routine tasks to trusted microservices that are governed by highly limited access control policies and continuously audited ● Use Foundation/Golden Images to “bake in” trust in core services, such as identity management, configuration management, secrets-as-a-service and audit
  • 36. Result: Clear Controls And Processes (Diagram: Problem → Solution)
  • 37. Takeaways 1) Start conversations with all the stakeholders to address current security and compliance challenges 2) Map security and compliance best practices and principles into continuous delivery 3) Expect this to be an iterative and evolving process
  • 38. IV. Q & A
  • 39. Thank You! Additional Questions? Connect... Elizabeth Lawler ● email: elawler@conjur.net ● phone: (617) 906-8216 ● web: www.conjur.net ● twitter: @elizabethlawler /@conjurinc