Finding Security a Home in a DevOps World
shannon-lietz
Transcript of Finding Security a Home in a DevOps World
@devsecops http://devsecops.org
Who I am
• 25+ yrs Technology & Security
• Background in Security R&D
• Working with the Cloud before it was called “The Cloud”
• Manage my teams using DevOps & Scrum
• Big Scale IR & Crisis Management
-- FOUNDER --
Why I’m @ DevOps Summit
• Awesome Venue to talk to like-minded individuals
• Increase viability through collaboration
• Customer Research & Feedback
• Because DevOps Summit Rocks!!
How can Security enable a DevOps World?
Here’s how to listen if you are a…
Your Role / Your Interest
DevOps: Less Friction, Faster Decisions
Security: Value Creation
Management: Faster Delivery of Customer Features with Better Security
Are you tired of the Traditional Security grind? Is Security preventing your DevOps success?
• Double-click installer
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Click "Next"
• Enter credentials
• Click "Next"
• Click "Finish"
Page 3 of 267
Security Configuration Procedures V 3.6.0.1.1, January 2011
UBERSECRET
Frozen in Time
Is bureaucracy getting in the way of Continuous Deployments and Real Security?
Why does it take so long for features?
?
YOU YOUR CUSTOMER
CISO
Hopefully it’s not going to be
another round of “No’s”…
Does it feel like a Waste of Time?
!
Making you feel like this….
Bang Head Here
Because you want to fulfill on these promises….
JOB #1 = KEEP CUSTOMER DATA SAFE!!!
JOB #2 = SOLVE CUSTOMER PROBLEMS!!!
BUT what if you could make good security decisions with guidelines like these?

Columns: On-Prem | Partial On-Prem | Outsource w/ No Indemnif. | Outsource w/ Part. Indemnif. | Outsource w/ Full Indemnif.

Who is responsible? (Internal vs. Partners)
  On-Prem: You
  Partial On-Prem: You
  Outsource w/ No Indemnif.: You
  Outsource w/ Part. Indemnif.: You + Partner
  Outsource w/ Full Indemnif.: Partner

Which minimal controls are needed?
  On-Prem: Physical Security; Secure Handling & Disposal
  Partial On-Prem: File or Object Encryption for Sensitive Data; Physical Security; Secure Handling & Disposal
  Outsource w/ No Indemnif.: File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation
  Outsource w/ Part. Indemnif.: File or Object Encryption for Sensitive Data; Partner Security; SOC Attestation
  Outsource w/ Full Indemnif.: Partner Security Controls; SOC Attestation

Where does data transit and get stored?
  On-Prem: company “owned” data center or co-location
  Partial On-Prem: any compute & transit; data stored on-prem
  Outsource w/ No Indemnif.: public cloud; free services
  Outsource w/ Part. Indemnif.: SaaS; public cloud; free services; private cloud
  Outsource w/ Full Indemnif.: managed services; SaaS; private cloud

What are the innovation benefits?
  On-Prem: reduced latency; search sensitive data
  Partial On-Prem: speed; reduced friction; search sensitive data
  Outsource w/ No Indemnif.: speed; reduced friction; evolving patterns; community
  Outsource w/ Part. Indemnif.: speed; reduced friction; evolving patterns; community
  Outsource w/ Full Indemnif.: speed; reduced friction; indemnification

What are the potential risks?
  On-Prem: SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow
  Partial On-Prem: Latency; SQL Injection; Internal Threats; Mistakes; Phishing; Increased Friction; Slow
  Outsource w/ No Indemnif.: Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown; Reduced Financial Responsibility
  Outsource w/ Part. Indemnif.: Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown
  Outsource w/ Full Indemnif.: Inability to Search Sensitive Data; SQL Injection; Internal Threats; Mistakes; Phishing; Govt. Requests Unknown
Because your Security Team does this:
DevSecOps
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
And this…
[Diagram: pipeline Develop, Review, Test, Approve, Commit; Source Code Repository (Pull / Push); Baseline IAM Catalog; Trusting BU Accounts; SecRole IAM Role; Admin with AKID/SAK; Ruby; STS Creds; numbered steps 1 to 5]
Using these tools…
[Diagram: insights; security science; security tools & data; AWS accounts; S3; Glacier; EC2; CloudTrail; ingestion; threat intel]
And these…
Central Account(Trusted)
Admin
IAM IAMIAM IAM IAM IAM
SecRole SecRole SecRole SecRole SecRole SecRole
IAM
How did we decide which roles would be deployed?
• Human
  • IAM Admin
  • Incident Response
  • Read Only
• Services
  • IAM Grantor
  • Instance Roles required to support security services
  • Read Only
And these…
$ bundle exec bin/tk help config
Usage:
  tk config

Options:
  -i, [--interactive], [--no-interactive]              # interactive mode for q&a to set up config
  -p, [--profile-name=PROFILE_NAME]                    # profile name in .aws config file
  -r, [--master-region=MASTER_REGION]                  # region for master account
                                                       # Default: us-west-2
  -a, [--master-account=MASTER_ACCOUNT]                # 12 digit AWS account number without dashes
  -n, [--master-role-name=MASTER_ROLE_NAME]            # name of master role to assume cross-account roles
                                                       # Default: master-auditor
  -t, [--target-account-list=TARGET_ACCOUNT_LIST]      # location for csv file containing accounts list to audit
                                                       # Default: config/accounts.csv
  -d, [--output-dir=OUTPUT_DIR]                        # directory for storing results
                                                       # Default: home
  -f, [--output-type=OUTPUT_TYPE]                      # supports csv
                                                       # Default: csv

Description:
  Using the devsecops toolkit requires a master configuration file to establish the credentials, role, MFA, etc. used to support cross-account usage. This command provides you with an interactive and advanced interface for creating a configuration file to support your usage. The configuration file can be found in your home directory under .tk/config and you can also hand edit this file using yaml.
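The two slides above (the central trusted account assuming a SecRole in each business-unit account, and the `tk config` options that point at a master account, a master role and a CSV of target accounts) describe one cross-account audit pattern. The Ruby below is an added example, not code from the deck or from the devsecops toolkit: it builds the least-privilege trust policy a BU account's SecRole would carry (trusting only the named master role, not the whole central account) and the list of AssumeRole requests the central account would issue. The YAML keys, the CSV columns and the sample account numbers are constructed assumptions, since the toolkit's real config schema is not shown on the page; `arn:aws:iam::aws:policy/SecurityAudit` is the AWS-managed read-only audit policy.

```ruby
# Added example: cross-account audit role setup, modelled on the deck's
# "Central Account (Trusted)" -> SecRole diagram and the `tk config` options.
# Pure Ruby (json, yaml, csv only) so it runs offline; no AWS calls are made.
require 'json'
require 'yaml'
require 'csv'

# Constructed sample of a ~/.tk/config-style YAML file. Key names are
# assumed to mirror the `tk config` option names; the real schema is not shown.
SAMPLE_CONFIG = <<~YAML
  profile_name: master
  master_region: us-west-2
  master_account: "111111111111"
  master_role_name: master-auditor
  target_account_list: config/accounts.csv
YAML

# Constructed sample of config/accounts.csv (column names assumed).
# The last row is deliberately malformed to show the validation path.
SAMPLE_ACCOUNTS_CSV = <<~CSV
  account_id,name,role_name
  222222222222,bu-payments,SecRole
  333333333333,bu-web,SecRole
  4444,bad-row,SecRole
CSV

ACCOUNT_ID = /\A\d{12}\z/                         # 12 digits, no dashes (as the help text says)
READ_ONLY_AUDIT_POLICY = 'arn:aws:iam::aws:policy/SecurityAudit'  # AWS-managed read-only audit policy

# Parse the master config and reject anything that cannot form a valid role ARN.
def load_config(yaml_text)
  cfg = YAML.safe_load(yaml_text)
  %w[master_account master_role_name master_region].each do |k|
    raise ArgumentError, "config missing #{k}" unless cfg[k]
  end
  unless cfg['master_account'].to_s.match?(ACCOUNT_ID)
    raise ArgumentError, 'master_account must be a 12 digit account number'
  end
  cfg
end

# Parse the target account list, dropping rows whose account id is malformed
# rather than attempting an AssumeRole against a nonsense ARN.
def load_accounts(csv_text)
  CSV.parse(csv_text, headers: true).each_with_object([]) do |row, acc|
    id = row['account_id'].to_s
    next unless id.match?(ACCOUNT_ID)
    acc << { id: id, name: row['name'], role: row['role_name'] || 'SecRole' }
  end
end

def master_role_arn(cfg)
  "arn:aws:iam::#{cfg['master_account']}:role/#{cfg['master_role_name']}"
end

def target_role_arn(account)
  "arn:aws:iam::#{account[:id]}:role/#{account[:role]}"
end

# Trust policy installed on SecRole in each BU account. The principal is the
# single master role, so nothing else in the central account can assume it.
def trust_policy(cfg)
  {
    'Version' => '2012-10-17',
    'Statement' => [{
      'Effect' => 'Allow',
      'Principal' => { 'AWS' => master_role_arn(cfg) },
      'Action' => 'sts:AssumeRole'
    }]
  }
end

# One AssumeRole request per target account, as the central account would issue
# them (the STS call itself is out of scope here; this is the request shape).
def assume_role_requests(cfg, accounts, session_name)
  accounts.map do |a|
    { role_arn: target_role_arn(a), role_session_name: session_name,
      duration_seconds: 3600, region: cfg['master_region'],
      permissions_policy: READ_ONLY_AUDIT_POLICY }
  end
end

if __FILE__ == $PROGRAM_NAME
  cfg = load_config(SAMPLE_CONFIG)
  accounts = load_accounts(SAMPLE_ACCOUNTS_CSV)
  puts JSON.pretty_generate(trust_policy(cfg))
  assume_role_requests(cfg, accounts, 'tk-audit').each { |r| puts r[:role_arn] }
end
```

The malformed `4444` row is skipped rather than failing the whole run, which matches how an audit sweep over many accounts should degrade: one bad line in the CSV should not silently widen or abort the sweep, and the skipped row is visible in the difference between input and output counts.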
Experimenting like this:
Security as Code? Experiment: Automate Policy Governance
Security Operations? Experiment: Detection via Security Operations
Compliance Operations? Experiment: Compliance via DevSecOps toolkit
Science? Experiment: Science via Profiling
DevOps + Security
DevOps + DevSecOps
Start Here?
So that Security can be simple like this…
And you can improve the security of your app via Self-Service….
And you can collaborate like this…
So that you and your customers can feel like this…
With monitoring like this…
24x7
So you and your customers can sleep like this…
ZZZ
What if Security were MORE than just friction?
What if our experimentation helped us determine that we might have fewer of these…
STOP THE DATA BREACHES!!!
If we did more of this…
RED TEAM HACK DAYS
INCIDENT DRIVEN DEVELOPMENT METRICS
LEAN
EXPERIMENTS
DEVOPS
And less of this… Because it doesn’t work…
• Manual Reviews
• Paper Threat Modeling
• Gating Processes
• Approvals & Exceptions
• Reactive Incident Response
• Theoretical Evaluations
• F.U.D.
What would you do with all your free time?
Innovate! Innovate! Innovate! Innovate! Innovate! Innovate! Innovate! Innovate!
Isn’t it time for you to demand a better world for DevOps?
Join the Community: @devsecops
http://devsecops.org
LinkedIn: DevSecOps