Elizabeth Lawler - DevOps, Security, and Compliance Working in Unison
![Page 1: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/1.jpg)
Join the conversation #devseccon
DevOps, Security, and Compliance Working in Unison
![Page 2: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/2.jpg)
Co-Founder, Conjur Inc
What I get excited about…
Cybersecurity as a “public health” problem
Providing better security related experiences as a business
Access controls at scale for “silica users” and “robots”
My husband, kids, dog, cat, & chickens
![Page 3: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/3.jpg)
![Page 4: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/4.jpg)
![Page 5: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/5.jpg)
![Page 6: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/6.jpg)
![Page 8: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/8.jpg)
At-risk connections (Cloud & IoT)
![Page 9: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/9.jpg)
People can’t keep up

| | Then | Now |
|---|---|---|
| Complexity | Known # of identifiable components | 100s to millions of system components |
| Provisioned by | People, +/- approvals | People, code; ? approvals, ? traceable |
| Provisioned with | days, weeks, months … years | seconds to minutes |
| Threat concerns | Insiders, physical/environmental | Tampered code, hijacked systems |

Timeline: Mainframe → Client/Server → Web → Containerized → Cloud
![Page 10: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/10.jpg)
Pipeline: Developer → Check → Deploy → INFRASTRUCTURE
Who is involved, in pipeline order: dev team (developer) → dev team, tools, & tools admins → dev team, tools, tools admins, & operators
The business sees… Velocity!
![Page 11: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/11.jpg)
Pipeline: Developer → Check → Deploy → INFRASTRUCTURE
Who is involved, in pipeline order: dev team (developer) → dev team, tools, & tools admins → dev team, tools, tools admins, & operators
Security and compliance sees…
• Phished admin creds
• Credentials in GitHub
• Malware injection
• DDoS platform
• Side-channel IT resources for bitcoin mining
• Out-of-date libraries
![Page 12: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/12.jpg)
![Page 13: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/13.jpg)
Can we trust these people?
![Page 14: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/14.jpg)
Story #1: “Meet the compliance team [Spike]”
• Don’t let security and compliance be unplanned work
GET BUY-IN → PLAN → IMPROVE
![Page 15: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/15.jpg)
Start Here: Persona Map of Your Organization
• Security strategy aligned with business goals
• Policies that map to security and compliance controls and key threats
• Simple security model that scales, no pager fatigue
• Application security policies that work from dev to prod and don’t mess with “flow”
![Page 16: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/16.jpg)
![Page 17: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/17.jpg)
Say… “What?!”
• Directive 95/46/EC • HIPAA • NIST-CSF • SOX • PCI • PIPEDA
• ID.AM-2: Software platforms within the organization are inventoried
  Informative references: CCS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
• ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
  Informative references: COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
![Page 18: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/18.jpg)
Technology serves compliant and secure behavior
![Page 19: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/19.jpg)
Step 2: Categorize Risk By Severity/Prevalence
![Page 20: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/20.jpg)
Common threat actions are often “in-scope”
1. Access control
2. Management of virtual assets and inventories
3. Credentials and shared accounts
Source: Verizon Breach Report 2015, “Threat Actions by Type”
![Page 21: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/21.jpg)
Step 3: Describe the risk and proposed mitigation
R3. An external actor gains unauthorized access to production or pre-production environments
CS3. Unauthorized access is prevented, detected, and corrected through the regular review of access credentials and system configuration
Source: DevOps Audit Defense Toolkit 2015
![Page 22: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/22.jpg)
Pipeline: Developer → Check → Deploy → INFRASTRUCTURE
Who is involved, in pipeline order: dev team (developer) → dev team, tools, & tools admins → dev team, tools, tools admins, & operators
Can you run the control through this system?
![Page 23: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/23.jpg)
Step 3: Then Automate the Process (… or not!)

| Example compliance control | Static or active analysis | Event |
|---|---|---|
| PR.AC-1: Identities and credentials are managed for authorized devices and users | Processes and procedures for managing identities and credentials are documented | Hire a new person; provision a new device; elevate auth for a system admin |

Static analysis: compliance procedures like checklists with signoff, tickets, forms, periodic “hunts” for violations.
Active analysis: automated tooling to provide function or gate processes, continuous logging of activities, active automated warnings, and executive reporting views as real-time risk communication.
![Page 24: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/24.jpg)
Step 4: Test and Verify the Control
Teams that focus on testing, early detection, and measuring progress have 30% fewer [security] defects in production
Source: The Journey to DevSecOps, Shannon Lietz, 2016
NIST control PR.AC-4, as a loop: Describe compliance in plain English → What do you have in place / plan to have in place? → Describe passing scenarios → Write tests and run them → (FAIL) → Write code that leads to a consistent pass state
Source: Audit Compliance with BDD tools, Conjur blog
![Page 25: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/25.jpg)
Step 5: Communicate controls to stakeholders: “Excuse me … do you speak JSON?”
• Repeatable • Reliable • Fast
• Auditable • Reportable • Informative
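As an added example, not code from the talk or from Conjur, this is the Step 3 to Step 5 loop applied to one control: PR.AC-4 is stated in plain English, broken into passing scenarios (least privilege, separation of duties, regular review as in CS3, no shared accounts as in the in-scope threat actions), tested against an access-grant inventory, driven to a pass state, and emitted as a JSON report for stakeholders. The control text is NIST CSF v1.0 PR.AC-4; the scenario wording, the `Grant` type, the policy, and every identity, credential id, resource and date are constructed for the example.

```python
"""Steps 3-5 as executable compliance checks for NIST CSF PR.AC-4.
Added example, not code from the talk or from Conjur; the inventory,
policy, identities, credential ids and dates are constructed sample data."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

REVIEW_DAYS = 90                       # review window for the "regular review" scenario
PRIVILEGED = {"admin", "deploy"}       # privileges that need a second approver

# Control text is NIST CSF v1.0 PR.AC-4; the scenarios are this example's own
# paraphrase (Step 4: "describe compliance in plain English").
CONTROL_ID = "PR.AC-4"
CONTROL_TEXT = ("Access permissions are managed, incorporating the principles "
                "of least privilege and separation of duties")
SCENARIOS = {
    "least_privilege": "every grant is allowed by the written policy for that identity",
    "separation_of_duties": "privileged grants are approved by someone other than the grantee",
    "regular_review": f"no grant has gone more than {REVIEW_DAYS} days without review",
    "no_shared_accounts": "each credential belongs to exactly one identity",
}


@dataclass(frozen=True)
class Grant:
    identity: str        # a person or a "robot" such as a CI job
    credential: str      # constructed credential id, never the secret itself
    resource: str
    privilege: str       # "read", "deploy" or "admin"
    approved_by: str
    last_reviewed: date


# Written policy: which privileges each identity may hold (constructed).
POLICY = {
    "alice": {"prod-db": {"read", "admin"}},
    "bob": {"prod-db": {"read"}},
    "carol": {"prod-db": {"read"}},
    "ci-robot": {"prod-app": {"deploy"}},
}

# Constructed inventory as an access scanner might export it; four of the
# five grants break the control in at least one scenario.
GRANTS = [
    Grant("alice", "cred-a1", "prod-db", "admin", "security-lead", date(2016, 9, 1)),
    Grant("bob", "cred-shared", "prod-db", "read", "alice", date(2016, 8, 15)),
    Grant("carol", "cred-shared", "prod-db", "read", "alice", date(2016, 8, 15)),
    Grant("ci-robot", "cred-r1", "prod-app", "deploy", "ci-robot", date(2016, 9, 10)),
    Grant("bob", "cred-b2", "prod-app", "admin", "alice", date(2016, 3, 1)),
]
TODAY = date(2016, 9, 15)


# Each check returns (grant, message) pairs so every finding is traceable to a grant.
def check_least_privilege(grants, policy):
    return [(g, f"{g.identity} holds {g.privilege} on {g.resource} with no policy line for it")
            for g in grants
            if g.privilege not in policy.get(g.identity, {}).get(g.resource, set())]


def check_separation_of_duties(grants):
    return [(g, f"{g.identity} approved their own {g.privilege} grant on {g.resource}")
            for g in grants if g.privilege in PRIVILEGED and g.approved_by == g.identity]


def check_regular_review(grants, today, max_days=REVIEW_DAYS):
    return [(g, f"{g.identity} grant on {g.resource} last reviewed {(today - g.last_reviewed).days} days ago")
            for g in grants if (today - g.last_reviewed).days > max_days]


def check_no_shared_accounts(grants):
    owners = {}
    for g in grants:
        owners.setdefault(g.credential, set()).add(g.identity)
    return [(g, f"credential {g.credential} is shared by {sorted(owners[g.credential])}")
            for g in grants if len(owners[g.credential]) > 1]


def evaluate_control(grants, policy, today):
    """Run every scenario; returns {scenario: [(grant, message), ...]}."""
    return {
        "least_privilege": check_least_privilege(grants, policy),
        "separation_of_duties": check_separation_of_duties(grants),
        "regular_review": check_regular_review(grants, today),
        "no_shared_accounts": check_no_shared_accounts(grants),
    }


def control_passes(findings):
    return not any(findings.values())


def revoke_failing(grants, policy, today):
    """Step 4, 'write code that leads to a consistent pass state': drop every grant
    named in a finding. Real revocation would go through the access-management tool."""
    bad = {g for pairs in evaluate_control(grants, policy, today).values() for g, _ in pairs}
    return [g for g in grants if g not in bad]


def report(grants, policy, today):
    """Step 5: JSON so the result is repeatable, auditable and reportable."""
    findings = evaluate_control(grants, policy, today)
    return json.dumps({
        "control": CONTROL_ID,
        "text": CONTROL_TEXT,
        "evaluated_on": today.isoformat(),
        "status": "PASS" if control_passes(findings) else "FAIL",
        "scenarios": [{"scenario": name, "given": SCENARIOS[name],
                       "findings": [msg for _, msg in pairs]}
                      for name, pairs in findings.items()],
    }, indent=2)


if __name__ == "__main__":
    print(report(GRANTS, POLICY, TODAY))                                  # FAIL, five findings
    print(report(revoke_failing(GRANTS, POLICY, TODAY), POLICY, TODAY))   # PASS
```

Running the module prints the failing report, then the passing one after the four offending grants are revoked; in a pipeline the first report would be the evidence attached to the audit ticket and the exit status the gate on the Deploy stage.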
![Page 26: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/26.jpg)
Improve: www.10factor.ci
![Page 27: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/27.jpg)
Where do you fall on the cybersecurity spectrum?
Example: NIST-CSF, 4 tiers of cybersecurity awareness
• Tier 1 - Partial
• Tier 2 - Risk Informed
• Tier 3 - Repeatable
• Tier 4 - Adaptive (Automated)
There is always more…
![Page 28: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/28.jpg)
Robot, IoT & Machine Identity and Access Control
![Page 29: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/29.jpg)
AI & Access Controls … Access Control for AIs!
![Page 30: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/30.jpg)
Thank You. Elizabeth Lawler, @ElizabethLawler, conjur.net
“It takes a village”… Thank you: Kevin Gilpin, Steve Coplan, Josh Bregman, Andy Ellicott, Dustin Collins, Bryan Sterling, and the team at Conjur
![Page 31: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/31.jpg)
Source: Verizon 2016 Data Breach Investigations Report
![Page 32: Elizabeth Lawler - Devops, security, and compliance working in unison](https://reader035.vdocuments.mx/reader035/viewer/2022062823/58ce629b1a28ab2f268b5c21/html5/thumbnails/32.jpg)
Translating to Something Actionable
Control domains (NIST framework): • Identify • Protect • Detect • Respond • Recover
Control activities & services for operators:
• Asset management (CMDB)
• Network security, authentication, key management
• Log aggregation and reporting
• Alerting, incident communication and escalation plan
• Post-mortems, metrics tracking (e.g., MTTD, MTTR)