OpenControl Overview - Joshua McKenty
© 2014 Pivotal Software, Inc. All rights reserved.
Compliance as Code through Continuous Authorization for A&A
Joshua McKenty, Pivotal
What: Automated Pipelines of A&A
As TDD is to Development, and
DevOps is to Operations, so
OpenControl is to Compliance.
Why?
- Speed is everything
  - Respond quickly to CVEs
  - Respond quickly to mission requirements
  - Deploy frequently to avoid "Big-Bang" risks
- Automation makes speed possible
- (Bonus: automation makes security BETTER!)
How (Theory)
- Unified or parallel pipelines of code and compliance
- Pipeline requirements:
  - Dependency injection
  - Task reuse
  - Multiple inputs, multiple outputs
- Common schema, common components
- Separation of components from system details
How (Practice): http://open-control.org
- Schema (YAML)
- Tools (CLI and web)
- Pipelines (Concourse.ci)
- Common compliance packages (800-53, FedRAMP, etc.)
YAML!!!!!
How (Practice)
- Inputs:
  - Certifications
  - Standards
  - Component Controls
  - System Details
- Outputs:
  - BoE / SPP (as a .docx)
  - Inventory reports (in .xsl)
  - POAM details
  - OpenSCAP config
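The inputs above (certifications, standards, component controls) and the POAM-style output are easier to see as a small pipeline stage. The following is an added example written for this transcript; it is not OpenControl's own code or the tooling shown in the talk. It follows the OpenControl idea of keeping component narratives separate from the standard catalog and from the certification that selects controls, but the exact field names (`satisfies`, `standard_key`, `control_key`, `implementation_status`, `narrative`) are a simplified assumption, and the three records are constructed for illustration. Because it needs no YAML library, the data is embedded as the Python dicts a YAML loader would return for the corresponding files.

```python
"""Minimal compliance-as-code gap check over OpenControl-style inputs.

Added example, not code from the OpenControl project. The record shapes
are a simplified assumption modelled on OpenControl's component /
standard / certification split; all sample data is constructed.
"""
from collections import defaultdict

# --- Inputs (constructed; the dicts yaml.safe_load would return) ------------

# Standards: catalog of controls, keyed by standard name then control key.
STANDARDS = {
    "NIST-800-53": {
        "AC-2": {"name": "Account Management", "family": "AC"},
        "AC-6": {"name": "Least Privilege", "family": "AC"},
        "AU-2": {"name": "Audit Events", "family": "AU"},
        "SI-2": {"name": "Flaw Remediation", "family": "SI"},
    }
}

# Certification: which controls of which standard this authorization requires.
CERTIFICATION = {
    "name": "Example-Moderate",  # hypothetical certification name
    "standards": {"NIST-800-53": {"AC-2": {}, "AC-6": {}, "AU-2": {}, "SI-2": {}}},
}

# Components: how each one satisfies controls. System details (hosts, IPs)
# deliberately stay out of these records so they can be reused across systems.
COMPONENTS = [
    {"name": "AuditLogging", "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "AU-2",
         "implementation_status": "complete",
         "narrative": [{"text": "API calls are written to an append-only audit log."}]}]},
    {"name": "IdentityProvider", "satisfies": [
        {"standard_key": "NIST-800-53", "control_key": "AC-2",
         "implementation_status": "complete",
         "narrative": [{"text": "Accounts are provisioned and revoked via SCIM."}]},
        {"standard_key": "NIST-800-53", "control_key": "AC-6",
         "implementation_status": "partial",
         "narrative": [{"text": "RBAC covers the console; CLI scoping is in progress."}]}]},
    {"name": "Patching", "satisfies": [
        # Constructed typo ("SI-02" instead of "SI-2"): a classic way a
        # control that is actually implemented ends up reported as missing.
        {"standard_key": "NIST-800-53", "control_key": "SI-02",
         "implementation_status": "complete",
         "narrative": [{"text": "Base images are rebuilt after each CVE advisory."}]}]},
]


def required_controls(certification):
    """Flatten a certification into the set of (standard, control) it requires."""
    return {(std, ctl)
            for std, controls in certification["standards"].items()
            for ctl in controls}


def index_components(components):
    """Map (standard, control) -> list of implementing component entries."""
    index = defaultdict(list)
    for comp in components:
        for sat in comp.get("satisfies", []):
            index[(sat["standard_key"], sat["control_key"])].append({
                "component": comp["name"],
                "status": sat.get("implementation_status", "unknown"),
                "narrative": " ".join(n["text"] for n in sat.get("narrative", [])),
            })
    return index


def validate_components(components, standards):
    """Flag references to standards or control keys that do not exist.

    Without this check a mistyped key silently satisfies nothing."""
    errors = []
    for comp in components:
        for sat in comp.get("satisfies", []):
            std = standards.get(sat["standard_key"])
            if std is None:
                errors.append(f"{comp['name']}: unknown standard {sat['standard_key']}")
            elif sat["control_key"] not in std:
                errors.append(f"{comp['name']}: unknown control "
                              f"{sat['standard_key']} {sat['control_key']}")
    return errors


def gap_report(certification, components):
    """POAM-style view: required controls split into covered/partial/missing."""
    index = index_components(components)
    report = {"covered": [], "partial": [], "missing": []}
    for std, ctl in sorted(required_controls(certification)):
        entries = index.get((std, ctl), [])
        if not entries:
            report["missing"].append(f"{std} {ctl}")
        elif all(e["status"] == "complete" for e in entries):
            report["covered"].append(f"{std} {ctl}")
        else:
            report["partial"].append(f"{std} {ctl}")
    return report


def pipeline_gate(report, errors, allow_partial=True):
    """Continuous-authorization gate: fail on schema errors or missing controls."""
    if errors or report["missing"]:
        return False
    return allow_partial or not report["partial"]


if __name__ == "__main__":
    errs = validate_components(COMPONENTS, STANDARDS)
    rep = gap_report(CERTIFICATION, COMPONENTS)
    print("schema errors:", errs)
    print("report:", rep)
    print("gate passed:", pipeline_gate(rep, errs))
```

Run as a pipeline task, the gate turns the gap report into a build verdict: here it fails because the `SI-02` typo leaves SI-2 unimplemented on paper even though the Patching component exists, which is exactly the kind of drift a schema check catches before an assessor does.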
"Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day."
- Frances Hesselbein