Security and DevOps - Managing Security in a DevOps Enterprise

  • Published on
    16-Jan-2017


Transcript

Slide 1: Security and DevOps: How to Manage Security in a DevOps Enterprise
© 2015 IBM Corporation
Sanjeev Sharma, CTO, DevOps Technical Sales and Adoption, IBM Distinguished Engineer

Slide 2: DevOps Review

Slide 3: DevOps: Origins

Slide 4: What does the Line of Business want from IT?
[Figure: stakeholder map spanning Line-of-business, Customer and IT: Product Owner, Senior Executives, Users, Domain Experts, Auditors, Gold Owner, Support Staff, External System Team, Operations Staff, Team Lead, Team Members]
Agility - Velocity - Innovation

Slide 5: DevOps approach: Apply Lean principles to accelerate feedback and improve time to value
[Figure: feedback loop between People, Process, Line-of-business and Customer]
  1. Get ideas into production fast
  2. Get people to use it
  3. Get feedback
Continuously improve:
  I. Application Delivered
  II. Environment Deployed
  III. Application and Environment Delivery Process

Slide 6: Security and the Application Delivery Pipeline

Slide 7: Delivering a Business Capability: Hybrid Applications, Hybrid Platforms, Hybrid Teams
[Figure: Application A, Application B, Application C ... Application N combined into one Business Capability]

Slide 8: Three Levels of Security
  1. Secure the Perimeter
  2. Secure the Delivery Pipeline
  3. Secure the Deliverable
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/

Slide 9: Secure the Perimeter

Slide 10: Secure the Delivery Pipeline
  • Secure Engineering
  • Access and Control
  • Secure Build and Deploy
  • Security Testing of Scripts
  • Separation of Duties

Slide 11: Secure the Deliverable
[Figure: full stack blueprint with policies, layered as Application, Middleware Config, Middleware, OS Config, Hardware]
Secure:
  • Code
  • Packages
  • Components
  • Configurations
  • Content
  • Policies
  • Roles

Slide 12: Risks and Vulnerabilities - Delivery Pipeline and Deliverables
  1. Vulnerabilities related to the supply chain
  2. Insider attacks
  3. Errors and mistakes in the development project
  4. Weaknesses in the design, code, and integration
  5. API Economy and Security
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/

Slide 13: Vulnerabilities related to the supply chain
[Figure: External Supplier A, External Supplier B, Internal Supplier A, Internal Supplier B feeding the delivery pipeline]

Slide 14: Insider attacks

Slide 15: Errors and mistakes in the development project
[Figure: batch-size comparison contrasting flows of 1 per minute and 4 per minute]
  • Reduce Batch size
  • Integrated Delivery Pipeline
  • Agile Development
  • Continuous Security Testing
  • Continuous Validation

Slide 16: Weaknesses in the design, code, and integration
http://www-03.ibm.com/security/secure-engineering/

Slide 17: The API economy and security

Slide 18: Adopting a (Secure) DevOps Architecture

Slide 19: Multi-Speed IT: Innovation vs Optimization
[Figure: Speed vs Risk]
Agile/Innovation Edge: Rapid Delivery for Innovation, Agile, Antifragile, Experimentation, New and Innovative; Hybrid Cloud PaaS
Industrialized Core: Deliver at regular cadence, Waterfall -> Agile, Stability, Predictability, Lean Delivery pipeline; Core and Legacy; Hybrid Infrastructure: Physical, Cloud IaaS/PaaS
App Development, Orchestration, Integration, Security, Management, Governance

Slide 20: Multi-Speed IT Touchpoints
Agile/Innovation Edge: Cloud Native, 12-factor Apps, Microservices, DevOps; PaaS, Containers; IBM Bluemix Platform, Containers, Microservices; IBM Garage Method
Industrialized Core: Traditional Development, DevOps, Monolithic Apps, Cloud-ready; Traditional IT, Private/Local Cloud, Dedicated Off-prem Cloud, Public Cloud, PaaS, Containers; UrbanCode, IBM Rational Tools, Middleware Portfolio, API Management, ITSM; IBM Cloud Orchestrator, IBM PureApplication, Gravitant
Touchpoints: Release Management, Planning, Deployment Automation, Orchestration, Brokerage, Test Virtualization, APIs

Slide 21: Reference Architecture: DevOps Multi-Speed IT (IBM Architecture Center)
[Figure: Bluemix reference architecture with Track & Plan, Develop, Build, Deploy, Release, Test stages; components include Source Control, Delivery Pipeline, Web IDE, Live Sync, Active Deploy, Auto Scaling, Secure Gateway to On-Premises Systems, API Management, Runtime Environments, Runtimes & Containers]
https://developer.ibm.com/architecture/

Slide 22: Start Here: Value Stream Mapping for Identifying and Addressing Bottlenecks

Slide 23: Mapping your Delivery Pipeline
[Figure: value stream from Idea/Feature/Bug Fix/Enhancement through Development, Build, QA, SIT, UAT, Prod to Production. Roles: PMO, Requirements/Analyst, Developer, Build Engineer, QA Team, Integration Tester, User/Tester, Operations, Deployment Engineer, Release Management, Customers, Line of Business, Customer or Customer Surrogate. Artifacts: Code Repository, Artifact Repository, Infrastructure as Code/Cloud Patterns. Flows: Deploy, Get Feedback, Feedback, Metrics - Reporting/Dashboarding, Tasks, Artifacts]

Slide 24: Questions?