Discusses the intersection between security and DevOps and how Security people can leverage DevOps and vice versa.
DEVOPSDAYS AUSTIN 2012
DevOps & Security
James Turnbull, Puppet Labs
Who me?
• Puppet Labs employee
• Security boffin
• Open source fan
• Author
• Australian
• Expletives
More introductions
Does anyone here work in Security?
Three things I hated about Security
1. Not being liked
2. Not being effective
3. Not being happy
Meme theft…
What IT think Security do
What the business think Security do
What Security people think they do
What Security Isn’t
What Security Is (or Should Be)
• Partnership, not conflict
• Servicing and protecting all customers
• Allowing increased risk appetite
• Enabling the business to do business
The Intersection
Security people are people too
Security people are people too
• Developer people
• Ops people
• DBA people
• Network people
• Storage people
DevOps & Security
You should care about security too!
DevOps & Security
Evolution is mutual
Getting Security to Listen
It’s all about the culture
Getting Security to Listen
Destroy the blame culture
Getting Security to Listen
Speak the same language
Getting Security to Listen
"Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."
(CISA)
Getting Security to Listen
Let the business do business with the right controls
Talking Controls
• Provisioning & Deployment: Efficiency
• Configuration Management: Inconsistency is the enemy of security
• Incident Management: Information is King
• Audit: Magic away auditors
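The configuration-management and audit bullets above are about the same data: if every host is held to one known-good configuration, the diff between baseline and reality is both the security control and the auditor's evidence. The script below is an added example written for this page (not the speaker's code and not a Puppet Labs tool) showing that idea on sshd_config. The baseline policy, host names and config contents are all constructed for the demonstration; it parses each host's file with sshd's first-match-wins rule and reports any host that has drifted from the baseline, treating a missing directive as drift because sshd would then fall back to its compiled-in default.

```python
"""Detect sshd_config drift across a fleet and emit audit evidence.

Added example for this page: the baseline, host names and file contents
below are constructed, and the script does not talk to real hosts.
"""
import re
from typing import Dict, List, Tuple

# Baseline policy (assumed for the example): directive -> required value.
BASELINE: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "protocol": "2",
    "x11forwarding": "no",
}

# Constructed sample sshd_config contents, keyed by hypothetical host name.
FLEET: Dict[str, str] = {
    "web01": """
# managed by configuration management
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
""",
    "web02": """
Protocol 2
# someone "temporarily" re-enabled root login by hand
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
""",
    "db01": """
Protocol 2
PermitRootLogin no
# PasswordAuthentication was never set, so sshd's default (yes) applies
X11Forwarding = no
PermitRootLogin yes
""",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {directive (lowercased): value} from sshd_config text.

    Mirrors sshd: keywords are case-insensitive, "Key value" and "Key=value"
    are both accepted, and the FIRST occurrence of a keyword wins.
    Match blocks are not modelled; their directives are read as global.
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)\s*(?:=|\s)\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        directives.setdefault(key, value)  # first occurrence wins
    return directives


def check_host(directives: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (directive, expected, actual) for each baseline violation.

    A directive absent from the file is reported as '<default>' because sshd
    then uses its compiled-in default, which may be weaker than the baseline.
    """
    findings: List[Tuple[str, str, str]] = []
    for key, expected in BASELINE.items():
        actual = directives.get(key, "<default>")
        if actual.lower() != expected:
            findings.append((key, expected, actual))
    return findings


def audit_fleet(fleet: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each drifted host to its findings; compliant hosts are omitted."""
    report: Dict[str, List[Tuple[str, str, str]]] = {}
    for host, text in fleet.items():
        findings = check_host(parse_sshd_config(text))
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    report = audit_fleet(FLEET)
    for host, findings in sorted(report.items()):
        for key, expected, actual in findings:
            print(f"{host}: {key} expected {expected!r}, found {actual!r}")
    print(f"{len(FLEET) - len(report)}/{len(FLEET)} hosts match baseline")
```

Run as-is it flags web02 (root login re-enabled) and db01 (password authentication never pinned, so the default applies) and leaves web01 alone. The same report, produced on a schedule and kept, is what an auditor asks for; a configuration-management run that re-applies the baseline is what closes the finding. Note the caveat in the parser: sshd `Match` blocks scope their directives conditionally, and this example does not model them.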
Ideas for Collaboration
DevOps & Security
• Get roles and responsibilities right
• Security people are (skilled) people too
• Risk Register diving
Dev & Security
• Put Security people into Dev
• Gather security requirements early
• Designed for security == Deployed sanely & securely
Ops & Security
• Embed Security into Ops escalation
• Invite Security to post-mortems
• Expose Security to your metrics & data