IBM InterConnect 2016: Security for DevOps in an Enterprise
2 likes1,619 views
1) The document discusses security considerations for DevOps enterprises, including securing the perimeter, delivery pipeline, and deliverables. It outlines risks like vulnerabilities in the supply chain, insider attacks, and errors in development. 2) It recommends adopting a DevOps architecture with an industrialized core and agile/innovation edge to support both traditional and cloud-native applications. This involves transforming traditional IT and adopting practices like infrastructure as code. 3) The document provides an example of mapping a delivery pipeline to identify bottlenecks and shows where security testing and controls can be implemented at each stage, from idea to production. It emphasizes the need for continuous security.
IBM InterConnect 2016: Security for DevOps in an Enterprise
- 1. 5930B Security and DevOps: How to Manage Security in a DevOps Enterprise Sanjeev Sharma CTO, DevOps Technical Sales and Adoption Distinguished Engineer, IBM Cloud
- 2. Please Note: 1 • IBM’s statements regarding its plans,directions,and intentare subjectto change or withdrawalwithoutnotice atIBM’s sole discretion. • Information regarding potential future products is intended to outline our general productdirection and itshould notbe relied on in making a purchasing decision. • The information mentioned regarding potential future products is nota commitment, promise,or legal obligation to deliver any material,code or functionality.Information aboutpotentialfuture products may notbe incorporated into any contract. • The development,release,and timing ofany future features or functionality described for our products remains atour sole discretion. • Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment.The actual throughputor performance thatany user will experience willvary depending upon many factors,including considerations such as the amountofmultiprogramming in the user’s job stream,the I/O configuration,the storage configuration,and the workload processed. Therefore,no assurance can be given thatan individual user willachieveresults similar to those stated here.
- 3. Agenda 2 • DevOps refresher • Security and the Application Delivery Pipeline • Adopting a (Secure) DevOps Architecture • Where do I start?
- 5. 4 © IBM Corporation DevOps: Origins
- 6. What does the Line of Business want from IT? Product Owner Senior Executives Users Domain ExpertsAuditors Gold Owner Support Staff ExternalSystem Team Operations Staff Team MemberTeam Lead Team MemberTeam Member Line-of-business Customer IT Agility - Velocity - Innovation
- 7. DevOps approach: Apply Lean principles accelerate feedback and improve time to value 6 People Process Line-of- business Customer 1 3 2 1. Get ideas into production fast 2. Get people to use it 3. Get feedback ContinuouslyImprove: I. Application Delivered II. EnvironmentDeployed III. Application and EnvironmentDeliveryProcess
- 8. Security and the Application Delivery Pipeline
- 9. Delivering a Business Capability – Hybrid Applications, Hybrid Platforms, Hybrid Teams Application A Application B Application C Application N BusinessCapability …
- 10. Three Levels of Security 9 1. Secure the Perimeter 2. Secure the Delivery Pipeline 3. Secure the Deliverable http://www.ibm.com/developerworks/library/d-security- considerations-devops-adoption/
- 12. Secure the Delivery Pipeline 11 Secure Engineering Access and Control Secure Build and Deploy Security Testing of Scripts Separation of Duties
- 13. Secure the Deliverable 12 Application Middleware Config Middleware OS Config Hardware FullStack Blueprint Policies Secure: • Code • Packages • Components • Configurations • Content • Policies • Roles
- 14. Risks and Vulnerabilities - Delivery Pipeline and Deliverables 13 • Vulnerabilities related to the supply chain • Insider attacks • Errors and mistakes in the development project • Weaknesses in the design, code, and integration • API Economy and Security http://www.ibm.com/developerworks/library/d-security- considerations-devops-adoption/
- 15. Vulnerabilities related to the supply chain 14 External Supplier A External Supplier B Internal SupplierA Internal Supplier B
- 17. Errors and mistakes in the development project 16 1 per min 1 per min 4 per min 1 per min 4 per min 4 per min • Reduce Batch size – Integrated Delivery Pipeline – Agile Development • Continuous Security Testing • Continuous Validation
- 18. Weaknesses in the design, code, and integration 17http://www-03.ibm.com/security/secure-engineering/
- 19. 18 The API economy and security
- 20. Adopting a (Secure) DevOps Architecture
- 21. Adopting Bi-modal IT World – Transformation Industrialized Core Traditional Development->DevOps, Legacy ->Cloud-ready Traditional Middleware ->Middleware on Cloud, APIs, Software DefinedInfrastructure Agile/Innovation Edge Traditional Development -> Cloud Native, 12-factor Apps, DevOps, PaaS Partner Ecosystem Point-to-Point Integration -> API Economy APIs APIs APIs
- 22. DevOps Multi-Speed IT Architecture IBM Architecture Center BLUEMIX DELIVERY PIPELINESOURCE CONTROL .js LIVE SYNC WEB IDE ACTIVE DEPLOY AUTO SCALING SECURE GATEWAY ON-PREMISES SYSTEMS API MANAGEMENT TRACK & PLAN TRACK & PLAN DEVELOP BUILD DEPLOY RELEASE TEST RUNTIME ENVIRONMENTS RUNTIMES & CONTAINERS 1 2 3 6 7 9 10 8 1 2 4 5 10 https://developer.ibm.com/architecture/
- 23. Start Here: Value Stream Mapping for Identifying and Addressing bottlenecks
- 24. Mapping your Delivery Pipeline Idea/Feature/Bug Fix/ Enhancement Production Development Build QA SIT UAT Prod PMO Requirements/ Analyst Developer CustomersLine of Business Build Engineer QA Team Integration Tester User/Tester Operations Artifact Repository Deployment Engineer Release Management Code Repository Deploy Get Feedback Infrastructure as Code/ Cloud Patterns Feedback Customer or Customer Surrogate Metrics - Reporting/Dashboarding Tasks Artifacts
- 25. Notices and Disclaimers 24 Copyright © 2016by International Business Machines Corporation(IBM). No part ofthis document may bereproduced or transmittedin anyform withoutwrittenpermission from IBM. U.S. Government UsersRestricted Rights - Use, duplication or disclosure restricted by GSA ADP ScheduleContract with IBM. Informationin thesepresentations (including informationrelatingto products thathave not yetbeenannounced byIBM) has been reviewedfor accuracy as ofthe dateof initial publication andcould includeunintentional technical or typographical errors. IBM shall haveno responsibility to update this information.THIS DOCUMENT IS DISTRIBUTED "ASIS"WITHOUT ANYWARRANTY, EITHER EXPRESSOR IMPLIED. IN NO EVENT SHALLIBM BELIABLEFOR ANY DAMAGEARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSSOF DATA,BUSINESS INTERRUPTION,LOSS OF PROFIT OR LOSSOF OPPORTUNITY. IBM products andservicesare warrantedaccording tothe terms andconditions of the agreements under which they areprovided. Any statements regarding IBM's future direction, intent or product plansaresubject to change or withdrawalwithout notice. Performancedatacontainedhereinwas generally obtainedin a controlled, isolatedenvironments. Customer examplesare presentedas illustrations of how thosecustomers have usedIBM products andtheresults theymay have achieved. Actual performance, cost, savingsor other results in other operating environments may vary. References in this document to IBM products, programs, or services doesnotimply thatIBM intends tomake such products, programs or servicesavailablein all countries in which IBM operatesor does business. Workshops, sessions and associatedmaterials may havebeenprepared byindependent sessionspeakers, anddo not necessarily reflect the views of IBM. All materials and discussionsare provided for informational purposesonly,andare neither intendedto, nor shall constitute legal or other guidanceor adviceto any individual participant or their specific situation. It is the customer’s responsibility to insureits own compliancewith legal requirements and toobtainadvice ofcompetent legal counsel as totheidentification and interpretationof any relevant laws and regulatory requirements that mayaffect the customer’s business andany actions thecustomer may needto taketo comply with such laws. IBM does not providelegal advice or representor warrantthat its services or products will ensurethat the customer is in compliancewith any law
- 26. Notices and Disclaimers Con’t. 25 Informationconcerningnon-IBM productswas obtained from the suppliers of thoseproducts, their publishedannouncementsor other publicly available sources. IBM hasnot tested thoseproducts in connectionwith this publicationandcannot confirm theaccuracy of performance, compatibility or any other claims related to non-IBM products. Questionson the capabilities of non-IBM products shouldbe addressedto thesuppliers of thoseproducts.IBM does not warrantthequality of any third-party products, or the ability of any suchthird-partyproducts to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMSALL WARRANTIES,EXPRESSED OR IMPLIED, INCLUDINGBUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESSFOR A PARTICULAR PURPOSE. The provision oftheinformation containedh ereinis not intendedto, and does not, grantany right or license under any IBM patents, copyrights, trademarks or other intellectual property right. IBM, the IBM logo, ibm.com, Aspera®, Bluemix,BlueworksLive,CICS, Clearcase,Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global BusinessServices ®, Global Technology Services ®, IBM ExperienceOne™,IBM SmartCloud®,IBM Social Business®, Informationon Demand,ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON,OpenPower, PureAnalytics™,PureApplication®, pureCluster™, PureCoverage®,PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®,QRadar®, Rational®, Rhapsody®, Smarter Commerce®,SoDA, SPSS, SterlingCommerce®, StoredIQ,Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®,Worklight®, X-Force® and System z® Z/OS, aretrademarks of International Business Machines Corporation, registeredin many jurisdictions worldwide. Other product andservicenames might betrademarks of IBM or other companies. A current list of IBM trademarks is availableon the Webat "Copyrightandtrademark information" at: www.ibm.com/legal/copytrade.shtml.
- 27. Thank You Your Feedback is Important! Access the InterConnect 2016 Conference Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.