How To Use The Cloud For Dev Ops

Similar documents
Virtualization and Cloud: Orchestration, Automation, and Security Gaps

Journey to the Cloud and Application Release Automation Shane Pearson VP, Portfolio & Product Management

DevOps Course Content

SESSION 703 Wednesday, November 4, 9:00am - 10:00am Track: Advancing ITSM

Cloud Essentials for Architects using OpenStack

Java PaaS Enabling CI, CD, and DevOps

Cloud Services Catalog with Epsilon

Who moved my cloud? Part I: Introduction to Private, Public and Hybrid clouds and smooth migration

Information & Asset Protection with SIEM and DLP

How To Manage A Cloud System

Enterprise Cloud Security via DevSecOps

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

CLOUDFORMS Open Hybrid Cloud

The Tools For Continuous Delivery

Moving beyond Virtualization as you make your Cloud journey. David Angradi

Logging and Alerting for the Cloud

A Sumo Logic White Paper. Harnessing Continuous Intelligence to Enable the Modern DevOps Team

Agile Delivery Framework Automation & Deployment With Puppet

Identity & Access Management in the Cloud: Fewer passwords, more productivity

Virtualization and IaaS management

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Management for the Mobile-Cloud Era

Trend Micro. Advanced Security Built for the Cloud

The Virtualization Practice

Business Values of Network and Security Virtualization

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

CREATING AN INTERNAL CLOUD: EPAM DEVELOPS A CUSTOM SOLUTION. Time-consuming infrastructure configuration and maintenance

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

NEXT-GENERATION, CLOUD-BASED SERVER MONITORING AND SYSTEMS MANAGEMENT

Intel IT Cloud 2013 and Beyond. Name Title Month, Day 2013

Ayla Networks, Inc. SOC 3 SysTrust 2015

Research Perspectives

Accelerate Software Development with DevOps and Hybrid Cloud

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Getting Started with DevOps Automation

WHITEPAPER SAML ALONE IS NOT SECURE - HERE S HOW TO FIX IT

Web Application Platform for Sandia

Cloud Computing Thunder and Lightning on Your Horizon?

The Defense RESTs: Automation and APIs for Improving Security


FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Automate Key Network Compliance Tasks

An Application-Centric Infrastructure Will Enable Business Agility

Copyright 2015 EMC Corporation. All rights reserved. 1

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

Service Orchestration

How To Protect Your Cloud From Attack

Getting Started with Clearlogin A Guide for Administrators V1.01

Dell Active System, Enabling service-centric IT, the path to the Cloud. Pavlos Kitsanelis Enterprise Solutions Lead Greece, Cyprus, Malta

Building an Enterprise Hybrid Cloud with the VMware vcloud Solution

Close-Up on Cloud Security Audit

Identity and Access Management for the Cloud What You Need to Know About Managing Access to Your Clouds

Application Security Best Practices. Matt Tavis Principal Solutions Architect

David Corriveau, CEO Radix Technologies. Copyright 2011 Radix Technologies

Netzwerkvirtualisierung? Aber mit Sicherheit!

State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1

Designing Virtual Network Security Architectures Dave Shackleford

Intelligent End User Compute Strategy. Ted Smith Nigel Brown

Managed Cloud Services

Cloud Platform: the Intelligent Infrastructure Approach

DevOps Best Practices for Mobile Apps. Sanjeev Sharma IBM Software Group

WHITE PAPER: Egenera Cloud Suite

Introductions. KPMG Presenters: Jay Schulman - Managing Director, Advisory - KPMG National Leader Identity and Access Management

How to Grow and Transform your Security Program into the Cloud

Cloud Computing with Amazon Web Services and the DevOps Methodology.

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

How to Achieve Operational Assurance in Your Private Cloud

DevOps Best Practices: Combine Coding with Collaboration

Service Desks of the Future

AWS Account Management Guidance

Easily Managing User Accounts on Your Cloud Servers. How modern IT and ops teams leverage their existing LDAP/Active Directory for their IaaS

A Look at the New Converged Data Center

Software Defined Everything

Why continuous delivery needs devops, and why devops needs infrastructure-as-code. Sriram 25-Oct-2012

How to Consolidate your App Monitoring Strategy: End-to-End User Experience Monitoring for Your BSM October 20, 2015

DevOps. Josh Preston Solutions Architect Stardate

How Cisco IT Automated End-to-End Infrastructure Provisioning In an Internal Private Cloud

ITIL Asset and Configuration. Management in the Cloud

Be Fast, but be Secure a New Approach to Application Security July 23, 2015

SAP Business One mobile app for Android Version 1.0.x November 2013

Transcription:

Secure Cloud Development Resources with DevOps SESSION ID: CSV-F01 Andrew Storms & Eric Hoffmann Andrew Storms - Director of DevOps Eric Hoffmann Director of QA CloudPassage

Teach Old Dogs New Tricks Applying old thinking to using the cloud for DevOps means: You are non-compliant and will never be compliant. Devs are smart and will find ways to work around security roadblocks. You simply cannot bolt on old security tactics and hope

Shared Responsibility Model Merge DevOps + Shared Responsibility Models Requires coordination, inter-company & cross functional groups Requires leadership, training & champions Requires shared vision & objectives

Delivering The Shared Responsibility Model 1. Policies 2. Handling exceptions 3. Service catalogs 4. Orchestration 5. Reign in shadow IT 6. Tools

Policies Define Your Policies What policies are needed? SANS templates Specific Cloud Vendor Tools & Interfaces AWS mgmt console roles, groups, etc AWS firewall groups Require MFA

Policy Management Get Buy-In and Agreement No vacuums allowed in policy definition Security, ops, dev, audit, management teams Bake-in your policies with orchestration Policy Violators Define up front what happens when someone deviates from policy Intentional or Approved Violator? What if someone NEEDS to go out of policy?

The Dreaded, But Common Exception Cases How To Address Exceptions Use cross functional teams, champions, visions & leaders Pre define the ideal case of what should happen Be Agile, Use Existing Toolsets Leverage existing security approved tools Keep it public, let ops, dev & security review

The Service Catalog Create A Service Catalog Predefined sets of system images Meets security controls Adheres to the company policies The One Stop Shop Used by all departments Used within all practices (Dev, Test, Modeling, Etc)

Orchestration The Automated Service Catalog Can be predetermined image Can be predetermined recipes Always use APIs Single toolset. Single Interface Make available to everyone Teach everyone to use

Orchestration - Shared Tools Make It Available To Everyone Encourage everyone to develop & improve Check into your source code system Security Can Audit & Approve & Improve Peer review Internal audit

Reign in Shadow IT Dev, QA & Others Are Playing IT & Ops Ops isn t delivering the goods in time Choke Points Are Bad. Enablers Are Good Need to understand user s needs and deliver them Allow everyone do what they do best Understand That Dev and Ops Have Similar Skills This is DevOps after all

What the Cloud Promises Economies of scale Self-provisioning agility... Servers compromised in 4 hours Priceless Live Server Exploitation Exercise Zero to little server security configuration applied Server fully compromised by a single individual in four hours

What We Learned From The Gauntlet Report Require Basic Security Tools & Policies For Cloud Servers Access controls Monitoring Alerting

Access Control Tools Require Stronger Passwords Linux PAM system-auth settings Windows policy settings L0phtCrack Multi Factor Duo security Google authenticator

Access Controls With Orchestration Making Use Of Multi Factor Authentication REQUIRE IT! Policy creation Duo security Chef, Puppet AWS MFA

Monitoring & Alerting Monitoring Is A Big Space To Cover Server uptime, performance etc. Inventory, usage, costs Server, Application Watch Services Cloud vendor specific offerings De Facto: Nagios, Munin, Cacti

Monitoring & Alerting - The CIA Triad Availability Continuous Monitoring Change Alerting

Monitoring & Alerting Log Review & Alerting

Monitoring & Alerting Stats & App Performance

Monitoring & Alerting Overall Usage & Costs

Sum This Up 1. Adoption of cloud resources by development teams has created a security problem. 2. The self-service and on-demand nature of the cloud increases the company attack surface 3. Traditional castles and walls were outdated long ago. 4. Get your head out of sand and do something now. Its not too late, but never is not an option.

Sum This Up 1. Extend the shared responsibility model internally 2. 5 Steps to delivering secure development in the cloud 3. Tool talk

Take Action Only You Can Prevent Bad Things Where do you sit in the development and/or security processes? Create real and useful security policies. Use orchestration in delivery of a secure eco system. Use service catalogs to pre build approved systems. Make use of the various available existing services.

Questions? Andrew Storms @St0rmz, astorms@cloudpassage.com Eric Hoffmann, ehoffmann@cloudpassage.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information