Security In A DevOps World: Can It Happen?
Security in a DevOps World: Collaboration, Automation and Compliance

Cory von Wallenstein, Chief Technologist, Dyn (@cvwdyn)
John Martin, Practice Owner, New Context (@tekbuddha)
Pg. 2 Security in a DevOps World @cvwdyn @tekbuddha
Why?
• Greater agility fuels competitive advantage
• Your business wants (and needs) to deliver new products in a faster, safer manner
• Time between deploys is shrinking
• Continuous [Delivery|Deployment] is becoming the norm
DevOps
• Cultural
• Structural
• Tooling
Collaboration fueling agility

“Conduct blameless post-mortems, and you’ll be set”
“Use config management framework X, and you’ll be set”
“Give root access to all devs, and you’ll be set”
Security
From the PCI DSS requirements:
6.4.1 Separate development/test and production environments
6.4.2 Separation of duties between development/test and production environments
DevOps AND Security
Three Stories
Story #1
The Situation:
• Lots of “legacy” culture, but desire to become a DevOps shop
• PCI compliance requirements
• Hard work to increase collaboration between Dev & Ops
• Developers on-call
• Developers in production
• How to maintain compliance?
Story #1
The Solution:
• Provide tooling to empower teams to have the information necessary to do their job.
  – Puppet/Chef
  – Splunk
  – OpenTSDB
• When SSH was needed, it was granted and audited.
• Auditor’s satisfaction: High
Story #2 – New Context
The Situation:
• No PCI compliance requirements
• But “eat our own dog food” practitioners
• Security highly important
• Developers in production
• How to stay secure?
Story #2 – New Context
The Solution:
• Provide tooling to empower teams to have the information necessary to do their job.
  – Chef
  – Logstash
  – Graphite/statsd, dashing
  – Home grown auditing tooling
• When SSH is needed, it is granted and audited.
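The “granted and audited” SSH control in stories #1 and #2, as an added example that is not from the deck or from either company’s tooling: it reconciles accepted sshd logins against a list of approved, time-bounded access grants and reports any session that no grant covers. The grant record format, ticket ids, hostnames and log lines are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed access grants (hypothetical format): who was approved to SSH
# to which host, under which change ticket, and for what time window.
GRANTS = [
    {"user": "alice", "host": "web01", "ticket": "CHG-101",
     "start": datetime(2014, 3, 5, 9, 0), "end": datetime(2014, 3, 5, 11, 0)},
    {"user": "bob", "host": "db01", "ticket": "CHG-102",
     "start": datetime(2014, 3, 5, 13, 0), "end": datetime(2014, 3, 5, 14, 0)},
]

# Constructed sshd syslog lines in the usual "Accepted <method>" form.
SAMPLE_LOG = """\
Mar  5 09:12:44 web01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar  5 10:40:01 db01 sshd[3310]: Accepted publickey for alice from 10.0.0.5 port 50130 ssh2
Mar  5 13:15:09 db01 sshd[3399]: Accepted publickey for bob from 10.0.0.9 port 50201 ssh2
Mar  5 16:02:30 db01 sshd[3410]: Accepted password for bob from 10.0.0.9 port 50233 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)

def parse_logins(text, year=2014):
    """Return (timestamp, host, user, src) per accepted login; syslog has no year, so one is assumed."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not an accepted-login line (e.g. a failed attempt); ignore it
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        logins.append((ts, m["host"], m["user"], m["src"]))
    return logins

def reconcile(logins, grants):
    """Match each login to a grant covering that user, host and time.
    Returns (approved, violations); violations are logins no grant explains."""
    approved, violations = [], []
    for ts, host, user, src in logins:
        grant = next((g for g in grants if g["user"] == user and g["host"] == host
                      and g["start"] <= ts <= g["end"]), None)
        if grant:
            approved.append((ts, host, user, grant["ticket"]))
        else:
            violations.append((ts, host, user, src))
    return approved, violations
```

Run `reconcile(parse_logins(SAMPLE_LOG), GRANTS)` to see alice’s login to db01 (no grant for that host) and bob’s 16:02 login (outside his window) reported as violations.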
Story #3 – Dyn
The Situation:
• 16 year overnight success story, now nearly 300 people worldwide, many global systems
• Sales channels from self-service to enterprise to OEM
  – Lots of credit cards, ACH, POs, etc.
• Mission critical infrastructure – security compliance
• Scaling a team and systems rapidly, while ensuring business agility and security
Story #3 – Dyn
The Solution:
• People
  – Spent nine months finding the RIGHT security director
  – Cross-functional security vs silo security; educational approach
  – Part of our scrums… DevSecOps… AllOps… *Ops
• Scope and Architecture
  – Avoiding monolithic architectures that require everyone to have access to everything
  – Smart microservices for scoping the balance of agility and security risk
  – Tokenize payment card info, and it may make sense to outsource
whois New Context
• Systems Automation: reduces costs and error rates, improves time to market and begins to secure sensitive areas
• Information Assurance: the key function in a trusted data infrastructure; alerts on inside or outside hacking, prevents data loss, and identifies forgeries
• Cloud Orchestration: being prepared for success; how you scale to meet demand, how you remove single points of failure and serve every customer
whois Dyn
Dyn /delivers/ Internet Performance
• Traffic management (user types “twitter.com”)
• Message management (user receives “file shared” email from Box)
• Performance assurance (understand your Internet performance)
dyn.com/webinars
• How to move your DC to cloud infrastructure (securely)
• DNS Security: How to be PCI compliant
• Everything you need to know about DNS security
• Everything you need to know about DDoS