The Intersection of Security & DevOps
0 likes284 views
1. As developers have become the driving force behind cloud adoption, there is a need to realign security practices with DevOps workflows and priorities. 2. A blueprint approach to cloud security involves enumerating cloud assets, threat modeling for common workloads, and integrating controls across the full technology stack. 3. With a blueprint model and automated security tools integrated into the development pipeline, security can provide coverage throughout the software development lifecycle without slowing innovation or agility.
The Intersection of Security & DevOps
- 1. THE INTERSECTION OF SECURITY & DEVOPS Ryan Holland, Senior Director of Cloud Architecture – Alert Logic
- 2. Summary 1. DevOps implications on Security 2. Developing a Blueprint approach to cloud security
- 3. What Drives Cloud Adoption? • Developers are the driving force behind cloud adoption • Main reason developers are using cloud services? Innovation ability to move fast deploy infrastructure without IT overhead ship code without delays
- 4. Software Drives Business Innovation
- 5. Developer Perspective 2013 2017 89% of developers use public cloud * RightScale Survey 2016
- 6. The Innovation Power Shift ITSECURITY COMPLIANCE SOFTWARE DEVELOPERS
- 7. DevOps Drives Security Agility Sonatype 72 % NO
- 8. Aligning DevOps with Security Critical questions to answer: 1. What are we protecting? 2. What controls must be in place? 3. How do you integrate security into your daily workflow?
- 9. Reshaping the Security/Dev/Ops Relationship old school classic IT new school sec/dev/ops
- 10. Rules of the Road No Yes 1 Random opinions Everyone works from same security blueprint 2 General set of controls Controls specific to your cloud blueprint 3 Security gateways and overlays Security is part of immutable infrastructure 4 Periodic audits Security testing part of regression framework 5 Vulnerabilities are escalated and negotiated for resolution Vulnerabilities are bugs Critical vulnerabilities are critical bugs
- 11. Perception vs Reality Our ability to accurately estimate attack surface is compromised by our weak sense of perception More reliable approach: 1. Identify your cloud assets 2. Measure your exposure 3. Implement controls
- 12. Blueprint Model for DevOps Security
- 13. Enumerate Your Cloud Footprint Generalize common workloads into infrastructure-’blueprints’ Blueprint Driven Approach Key target assets Across the Full Stack 1. Magento application and plugins 2. PHP 3. Apache 4. NGINX 5. Redis 6. Maria DB, Elastic Search 7. Linux OS and system tools 8. AWS services EC2 instances EC2 instances VPC Route 53 Users Internet gateway ELB MariaDB MariaDB AvailabilityzoneAAvailabilityzoneB Auto scaling group Apache PHP Auto scaling group EC2 instances EC2 instances FPM S3
- 14. Threat model Identify Most Relevant Threats Create a threat model for these blueprints Blueprint Threat Model Blueprint Threat Model Exposure analysis Post compromise analysis Configuration & Vulnerability Coverage Required Threat Coverage (pre-compromise) Required Threat Coverage (post-compromise) Required threat analytics pre-compromise post-compromise Required incident analytics Required data-sources Pre compromise analysis
- 15. Integrated Alert Logic Controls for Broad Coverage Build Coverage Model Blueprint 3-Tier Classic Web Micro- service E-Com Blueprint CMS Blueprint Magento Blueprint Wordpress Blueprint Drupal Blueprint OWASP Top 10 SQL-Injection attacks LAMP target coverage Critical application coverage Deep HTTP inspection with anomaly detection Supervised Machine learning Data-driven intrusion defense Coverage for key app components
- 16. Full Stack Security Coverage Pre-compromise Compromise Lateral Movement Incident Investigation System Visual | Context | Hunt Collect web, host, network data Automatic Detection Block | Alert | Log ML Algorithms Rules & Analytics SECURITY EXPERTS Assess Exposure Block Critical Attacks
- 17. Cloud Security Maturity Model Basic Cloud Security Tooling 2 2. Basic Cloud Security • Agile development team, coupled to immature security program • Minimal use of cloud provider and OSS security tools Traditional Security 1. Non-Cloud Native • Lift & Ship infrastructure migration • Traditional on-premises security tools and processes • Limited agility 1 DevOps Integration 3 3. Cloud Native Security • Security infrastructure part of deployment pipeline • Full stack protection across networks, systems and applications • Security does not slow down innovation SecDevOps Integration D 4. Cloud Security Lifecycle • Security process part of continuous integration pipeline • Mature security assessment and testing program part of code deployment process • Maximum agility and security
- 18. Thank you.