the case for continuous security
Post on 18-Nov-2014
THE CASE FOR CONTINUOUS SECURITY
By Pete Cheslock, Senior Director of Ops and Support at Threat Stack
@petecheslock
DevOps is a term that has absolutely blown up in the last 5 years.
However, many had an immediate adverse reaction towards Yet Another Buzzword
…especially when the core concepts of “DevOps” were things people had been doing for YEARS!
The Core Tenet of DevOps
To shorten the feedback loop in development cycles,
allowing teams to iterate quickly on changes and ship features to customers sooner.
Mainstream DevOps =
Easily accessible cloud infrastructure +
Maturity of operational tooling
For companies starting new product development initiatives,
using Configuration Management is table stakes to iterate quickly!
IaaS providers today make it as easy as possible to provision systems
to meet infrastructure needs — and quickly.
Physical Data Center
Public Compute Resources
for flexibility and accessibility provided by Amazon, Google, Microsoft
Companies leverage Infrastructure as Code for major speed to market benefits
The Competitive Advantage
Companies can now provision hundreds (or thousands) of compute
instances in mere minutes.
This is an everyday activity!
Continuous Integration
Continuous Deployment
But who (or what) is continually monitoring the state of your
operational security?
Today…
Junior sysadmins can now make changes to:
• a Chef Recipe
• a Puppet Manifest
• an Ansible Playbook
…and deploy it to production — in minutes…
What is the scope of that change?
Sysadmins DON’T Want:
to be slowed down by the security team
or
configuration management changes to be passed through a Change Control Board
Sysadmins Want:
to change a variable, open a pull request, and once merged, their operational tooling to do the rest!
They want their change to hit production servers ASAP.
This is where SecDevOps (or SecOps) comes in.
(ignore the fact that it’s a silly buzzword just like DevOps…)
If DevOps seeks to value empathy between these two teams that traditionally had different incentives for their positions…
Developers: value constant change
Operations: value stability
…then SecDevOps seeks to evoke the SAME outcome with Security teams
(and the rest of the business)
If you’re continually deploying changes, you must be continually monitoring
security implications for operational changes.
Oftentimes there is no single person who is able to say with absolute certainty which changes to infrastructure carry additional risks to your security posture.
And, if you have a traditional network security organization
that manually reviews and approves changes to production…
You’ve introduced the newest bottleneck in your organization.
A SecDevOps methodology allows you to improve your security monitoring
and response times, while maintaining your ability to continually
deploy changes.
SecDevOps is the answer to this discussion.
This is the most important (and exciting!) problem to solve in many organizations!
But it is also one of the hardest problems to solve.
This is why at Threat Stack, we’re all excited to be in a unique position to actively
help companies solve this.