OpenControl Overview - Joshua McKenty

1 © 2014 Pivotal Software, Inc. All rights reserved. 1 © 2014 Pivotal Software, Inc. All rights reserved.

Compliance as Code thru Continuous Authorization for A&A

Joshua McKenty, Pivotal

“Bureaucracy is the art of making the possible impossible.”

~ Javier Pascal Salcedo

3 © 2014 Pivotal Software, Inc. All rights reserved.

What: Automated Pipelines of A&A

As TDD is to Development, and

DevOps is to Operations, so

OpenControl is to Compliance.


Why?

� Speed is everything –  Respond quickly to CVEs –  Respond quickly to mission requirements –  Deploy frequently to avoid “Big-Bang” risks

� Automation makes Speed possible

�  (Bonus: Automation makes security BETTER!)


How (Theory)

� Unified or parallel pipelines of code and compliance

� Pipeline requirements: –  Dependency injection –  Task reuse –  Multiple inputs, multiple outputs

� Common schema, common components

� Separation of components from system details


How (Practice): http://open-control.org � Schema (YAML)

� Tools (CLI and web)

� Pipelines (Concourse.ci)

� Common compliance packages (800-53, FedRAMP, etc)

7 © 2014 Pivotal Software, Inc. All rights reserved. 7 © 2014 Pivotal Software, Inc. All rights reserved.

YAML!!!!!


How (Practice)

�  Inputs: –  Certifications –  Standards –  Component Controls –  System Details

� Outputs: –  BoE / SPP (as a .docx) –  Inventory reports (in .xsl) –  POAM details –  OpenSCAP config


Community


Schemas

16 © 2014 Pivotal Software, Inc. All rights reserved. 16 © Copyright 2014 Pivotal. All rights reserved.

"Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day.”

- Frances Hesselbein

OpenControl Overview - Joshua McKenty

Technology

Transcript of OpenControl Overview - Joshua McKenty