devops or security: moving to “and”...“devops is the practice of operations and development...
TRANSCRIPT
DevOps OR security: moving to “AND”
Red Hat Day Canada
Mike BursellChief Security Architect20th, 22nd June 2017
INSERT DESIGNATOR, IF NEEDED2
Agenda
● What is DevOps? And DevSecOps?● Steps in DevOps: security through the process● The case for Containers● Opportunities● Summary
INSERT DESIGNATOR, IF NEEDED3
What is DevOps? And DevSecOps?
[1] https://theagileadmin.com/what-is-devops/[2] https://upload.wikimedia.org/wikipedia/commons/0/05/Devops-toolchain.svg, by Kharnagy (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons
“DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.”[1]
INSERT DESIGNATOR, IF NEEDED4
What is DevOps? And DevSecOps?
[1] https://theagileadmin.com/what-is-devops/[2] https://upload.wikimedia.org/wikipedia/commons/0/05/Devops-toolchain.svg, by Kharnagy (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons[3] http://www.devsecops.org/blog/2015/2/15/what-is-devsecops
“DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.”[1]
“The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’...”[3]
INSERT DESIGNATOR, IF NEEDED5
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
INSERT DESIGNATOR, IF NEEDED6
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
INSERT DESIGNATOR, IF NEEDED7
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
Classic waterfall project
Design
Develop
Test
Stage
Deploy
INSERT DESIGNATOR, IF NEEDED8
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
Classic waterfall project
Design
Develop
Test
Stage
Deploy
Security!
INSERT DESIGNATOR, IF NEEDED9
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
Classic waterfall project - project manager’s hope
Design
Develop
Test
Stage
Deploy
Security!
INSERT DESIGNATOR, IF NEEDED10
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
Classic waterfall project - security architect’s guesstimate
Design
Develop
Test
Stage
Deploy
Security!
INSERT DESIGNATOR, IF NEEDED11
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
Classic waterfall project - actual
Design
Develop
Test
Stage
De
Security!
INSERT DESIGNATOR, IF NEEDED12
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
INSERT DESIGNATOR, IF NEEDED13
DevOps and DevSecOps
“For 20 years, people have been leaving security till last” - colleague
“…you could have missed the last two words out.” - me
At what point do you insert security into this process?
INSERT DESIGNATOR, IF NEEDED14
Steps in DevOps
INSERT DESIGNATOR, IF NEEDED15
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
“Security is a process, not a product.[1]”
[1] Bruce Schneier, Secrets & Lies, Digital Security in a Networked World. p.273
INSERT DESIGNATOR, IF NEEDED16
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
INSERT DESIGNATOR, IF NEEDED17
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
INSERT DESIGNATOR, IF NEEDED18
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
INSERT DESIGNATOR, IF NEEDED19
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
Automate systems with security & compliance
INSERT DESIGNATOR, IF NEEDED20
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
Automate systems with security & compliance
Revise, update, remediate as the landscape changes
INSERT DESIGNATOR, IF NEEDED21
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
Automate systems with security & compliance
Revise, update, remediate as the landscape changes
INSERT DESIGNATOR, IF NEEDED22
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
Automate systems with security & compliance
Revise, update, remediate as the landscape changes
These steps are the “most obviously” Dev and Ops
INSERT DESIGNATOR, IF NEEDED23
Steps in the process
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
Identify security requirements & governance models
Built-in from the start; not bolted on
Deploy to trusted platforms with enhanced security capabilities
Automate systems with security & compliance
Revise, update, remediate as the landscape changes
These steps are the “most obviously” Dev and Ops
But without these steps you’re not “doing” DevOps
INSERT DESIGNATOR, IF NEEDED24
The case for Containers
Containers Transform
Applications
Monolith
N-Tier
Microservices
Infrastructures
Datacenter
Hosted
Hybrid
Processes
Waterfall
Agile
DevOps
INSERT DESIGNATOR, IF NEEDED26
Containers and DevOps
VMs/Legacy DevOps
Size Heavyweight Lightweight
State management Stateful Stateless
Composition Monolithic Decomposed
Infrastructure coupling Tight Loose
Development cycle Long Short
Update speed Slow Quick
INSERT DESIGNATOR, IF NEEDED27
Containers and DevOps
VMs/Legacy DevOps
Size Heavyweight Lightweight
State management Stateful Stateless
Composition Monolithic Decomposed
Infrastructure coupling Tight Loose
Development cycle Long Short
Update speed Slow Quick
Which of these are security issues?
INSERT DESIGNATOR, IF NEEDED28
Containers and DevOps
VMs/Legacy DevOps
Size Heavyweight Lightweight
State management Stateful Stateless
Composition Monolithic Decomposed
Infrastructure coupling Tight Loose
Development cycle Long Short
Update speed Slow Quick
Which of these are security issues?
INSERT DESIGNATOR, IF NEEDED29
Opportunities
INSERT DESIGNATOR, IF NEEDED30
Some specific opportunities - Containers
1. Provenance2. Contents3. Building4. Deploying5. The host6. Network isolation7. API management8. The platform
INSERT DESIGNATOR, IF NEEDED31
Some specific opportunities - Containers
1. Provenance2. Contents3. Building4. Deploying5. The host6. Network isolation7. API management8. The platform
● Where do your containers come from?● Need a regularly updated registry● Ensure strong controls on access
INSERT DESIGNATOR, IF NEEDED32
Some specific opportunities - Containers
1. Provenance2. Contents3. Building4. Deploying5. The host6. Network isolation7. API management8. The platform
● Will what’s inside your container compromise your infrastructure?
● Vulnerabilities in the app layer?● Are runtime & OS up-to-date?
CONTAINER
OS
RUNTIME
APPLICATION
INSERT DESIGNATOR, IF NEEDED33
Some specific opportunities - Containers
1. Provenance2. Contents3. Building4. Deploying5. The host6. Network isolation7. API management8. The platform
Security & continuous integration● Layered packaging model supports separation of concerns● Integrate security testing into your build / CI process● Use automated policies to flag builds with issues● Trigger automated rebuilds
Operations Architects Application developers
INSERT DESIGNATOR, IF NEEDED34
Some specific opportunities - Containers
1. Provenance2. Contents3. Building4. Deploying5. The host6. Network isolation7. API management8. The platform
Security & continuous deployment● Use policies to gate what can be
deployed● e.g. if a container requires root
access, prevent deployment● Monitor image registry to
automatically replace affected images
● Message, log and audit
INSERT DESIGNATOR, IF NEEDED35
Some specific opportunities - Containers
1. Provenance2. Contents3. Building4. Deploying5. The host6. Network isolation7. API management8. The platform
The host O/S matters● You need an O/S with built-in
security features isolating containers from○ other containers○ the kernel.
INSERT DESIGNATOR, IF NEEDED36
Some specific opportunities - Containers
1. Provenance2. Contents3. Building4. Deploying5. The host6. Network isolation7. API management8. The platform
Use separate networks for different types of access● Isolate applications from other
applications within a cluster● Isolate environments (Dev / Test /
Prod) from other environments within a cluster
INSERT DESIGNATOR, IF NEEDED37
Some specific opportunities - Containers
1. Provenance2. Contents3. Building4. Deploying5. The host6. Network isolation7. API management8. The platform
Container platform & application APIs● Authentication and authorization● LDAP integration● End-point access controls● Rate limiting (helps limit DDoS...)
INSERT DESIGNATOR, IF NEEDED38
Some specific opportunities - Containers
1. Provenance2. Contents3. Building4. Deploying5. The host6. Network isolation7. API management8. The platform
Use a container platform with integrated security features including● Role-based Access Controls with
LDAP and OAuth integration● Integrated Registry● Integrated CI/CD with configurable
policies● Integrated host OS with embedded
security features● Networking management● Storage plug-ins● API management
INSERT DESIGNATOR, IF NEEDED39
Summary
INSERT DESIGNATOR, IF NEEDED40
Summary
● DevOps allows and forces you to integrate security○ It has to part of the story, because you can’t bolt it on later
● Containers help: they’re well-suited to DevOps○ And there are specific areas of opportunity
Q. But where’s the definition of DevSecOps?
INSERT DESIGNATOR, IF NEEDED41
Summary
● DevOps allows and forces you to integrate security○ It has to part of the story, because you can’t bolt it on later
● Containers help: they’re well-suited to DevOps○ And there are specific areas of opportunity
Q. But where’s the definition of DevSecOps?
A. There isn’t one: it’s a change in mindset, not just tools, technology or processes
INSERT DESIGNATOR, IF NEEDED42
A reminder
Security policy, process &
procedures
DESIGNBUILD
RUN
MANAGE
ADAPT
“Security is a process, not a product.[1]”
[1] Bruce Schneier, Secrets & Lies, Digital Security in a Networked World. p.273
THANK YOUplus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews