Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
1 like•359 views
The document discusses the integration of security practices (DevSecOps) into the DevOps framework, highlighting its evolving nature and the need for fast, automated, and proactive security measures. Key contributors, including industry leaders like Alan Shimel and Gene Kim, emphasize the importance of collaboration, security as code, and educating teams for effective implementation. The document outlines challenges faced, solutions offered, and principles guiding successful DevSecOps practices.
Developing a Rugged Dev Ops Approach to Cloud Security (Updated)
- 1. Copyright © 2015 evident.io1 THE MARRIAGE OF SECOPS AND DEVOPS Adapted from material presented by DevOps.com and Evident.io Sebastian Taphanel, CISSP-ISSEP Principal Solutions Architect September 29th, 2016
- 2. Copyright © 2015 evident.io2 Alan Shimel, Founder and Editor-In-Chief at DevOps.com, is an often-cited personality in the security and technology community and a sought-after speaker at industry and government events, Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. CEO Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes. Tim led technology teams at Adobe, Ingenuity, Ticketmaster, and McAfee. Original Contributors: . Gene Kim is a multiple award winning CTO, researcher and author. He was founder and CTO of Tripwire for 13 years. He has written three books, including The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win and the upcoming DevOps Handbook. He has worked with some of the top Internet companies on improving deployment flow and increasing the rigor around IT operational processes. Shannon Lietz has over two decades of experience pursuing advanced security defenses and next generation security solutions. Ms. Lietz is currently the DevSecOps Leader for Intuit where she is responsible for setting and driving the company’s cloud security strategy, roadmap and implementation in support of corporate innovation. Previous to joining Intuit, Ms. Lietz worked for ServiceNow, Sony, and consulted for many Fortune 500 organizations.
- 3. Copyright © 2015 evident.io3 …DevSecOps is an Evolving Story
- 4. Copyright © 2015 evident.io4 CLOUD SECURITY THEN AND NOW From: To:
- 5. Copyright © 2015 evident.io5 DEVSECOPS: INNOVATIVE SOLUTIONS Issues: • DevOps Requires Continuous Deployments • Fast Decision Making is Critical to Success • Traditional Security Doesn’t Scale or Move Fast Enough DevSecOps Solutions: • Security Automation • Security to Scale • Objective Criteria • Proactive Security Monitoring • Continuous Detection & Response
- 6. Copyright © 2015 evident.io6 THE DEVSECOPS MANIFESTO • Leaning in vs. Saying “No” • Data & Security Science vs. FUD • Open Collaboration vs. Security-Only Requirements • Security Services with APIs vs. Mandated Controls • Business Driven Security vs. Rubber Stamp Security • Red & Blue Team Exploit Testing vs. Theoretical Vulnerabilities • 24x7 Proactive Security vs. Reacting • Shared Threat Intelligence vs. Silos • Compliance Operations vs. Checklists Via: http://www.devsecops.org
- 7. Copyright © 2015 evident.io7 SECURITY AS CODE The code that describes the infrastructure should inherit the same values applied to application code: • Not JUST Revision Control • Make Use of Bug Tracking/Ticketing Systems • Peer Reviews of Changes Before They Happen • Establish Infrastructure Code Patterns/Designs • Test Infrastructure Changes Like Code Changes Security as Code VS. Page 3 of 433
- 8. Copyright © 2015 evident.io8
- 9. Copyright © 2015 evident.io9
- 10. Copyright © 2015 evident.io10
- 11. Copyright © 2015 evident.io11
- 12. Copyright © 2015 evident.io12 SECURITY VIA API’S • Programmatically Test Environments • Determine State at a Specific Point in Time • Repeatable Processes • Scalable Operations • Easy Automation • Repeatable • Auditable • Easy to Iterate • Environmental Consistency
- 13. Copyright © 2015 evident.io13 DEVSECOPS IS A TEAM SPORT Operations Red Team Blue Team Developers Security
- 14. Copyright © 2015 evident.io14 BE READY TO MAKE DECISIONS
- 15. Copyright © 2015 evident.io15 DEVSECOPS SUCCESS Keys to Success: • Detecting and Resolving Security Issues Quickly • Using Native Security Capabilities When Possible • Enlisting and Enabling the Organization • Educating Inline with Bite-Size Chunks
- 16. Copyright © 2015 evident.io16 DEVSECOPS PRINCIPLES • DevSecOps is a Journey, not a Destination • Small Security Teams Can Have a Profound Impact • Organize Around Self-Service and Enablement • Translate Security for the Layperson • Perfection is the Enemy… get Rugged
- 17. Copyright © 2015 evident.io17
- 18. Copyright © 2015 evident.io18
- 19. Copyright © 2015 evident.io19 Alan Shimel • DevOps.com • [email protected] • @ashimmy Gene Kim • [email protected] • @RealGeneKim Tim Prendergast: • Evident.io • [email protected] • @auxome Original Contributors: Shannon Lietz • Intuit.com • [email protected]
- 20. Copyright © 2015 evident.io20 Q & A - ANY QUESTIONS?