Security and DevOps - Managing Security in a DevOps Enterprise
© 2015 IBM Corporation
Sanjeev Sharma
CTO, DevOps Technical Sales and Adoption
IBM Distinguished Engineer
Security and DevOps: How to Manage Security in a DevOps Enterprise
Page 4
What does the Line of Business want from IT?
(diagram: on the line-of-business side, Product Owner, Gold Owner, Senior Executives, Domain Experts, Auditors, Users, Support Staff, Operations Staff and External Systems; on the IT side, a delivery team of a Team Lead and Team Members; the customer sits beyond the line of business)
Agility - Velocity - Innovation
Page 5
DevOps approach: Apply Lean principles to accelerate feedback and improve time to value
(diagram: a People / Process loop between the line of business and the customer, numbered 1 to 3)
1. Get ideas into production fast
2. Get people to use it
3. Get feedback
Continuously Improve:
I. Application Delivered
II. Environment Deployed
III. Application and Environment Delivery Process
Page 7
Delivering a Business Capability – Hybrid Applications, Hybrid Platforms, Hybrid Teams
(diagram: one Business Capability spanning Application A, Application B, Application C … Application N)
Page 8
Three Levels of Security
1. Secure the Perimeter
2. Secure the Delivery Pipeline
3. Secure the Deliverable
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/
Page 10
Secure the Delivery Pipeline
• Secure Engineering
• Access and Control
• Secure Build and Deploy
• Security Testing of Scripts
• Separation of Duties
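The slide names the controls but not how they fit together at the build-to-deploy handoff. The following is an added example, not IBM's code or anything from the deck: the build stage records what it built and who built it in a signed manifest, and the deploy stage refuses anything whose manifest does not verify, whose bytes differ from the manifest, or whose approver is the same person who built it (separation of duties). The manifest layout, the role names and the signing key are assumptions; an HMAC is used only to keep the example standard-library, a real pipeline would use an asymmetric signature so the deploy stage holds a verification key and cannot forge manifests.

```python
import hashlib
import hmac
import json

# Assumption (constructed for the example): a key the build stage signs with
# and the deploy stage verifies with. Symmetric for brevity; use asymmetric
# signatures in practice so the deploy side cannot mint its own manifests.
SIGNING_KEY = b"constructed-build-stage-key"


def artifact_digest(artifact: bytes) -> str:
    """SHA-256 of the built artifact: the identity the deploy gate checks."""
    return hashlib.sha256(artifact).hexdigest()


def sign(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical (sorted-key, no-whitespace) JSON encoding."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_stage(artifact: bytes, builder: str, version: str, key: bytes = SIGNING_KEY) -> dict:
    """Build stage output: a manifest naming who built what, plus its signature."""
    manifest = {"version": version, "digest": artifact_digest(artifact), "builder": builder}
    return {"manifest": manifest, "signature": sign(manifest, key)}


def deploy_gate(artifact: bytes, signed: dict, approver: str, key: bytes = SIGNING_KEY):
    """Deploy-stage checks in order. Returns (allowed, reason)."""
    manifest = signed["manifest"]
    # 1. The manifest must be authentic; constant-time compare against forgery.
    if not hmac.compare_digest(sign(manifest, key), signed["signature"]):
        return False, "manifest signature invalid"
    # 2. The bytes being deployed must be the bytes that were built and tested.
    if artifact_digest(artifact) != manifest["digest"]:
        return False, "artifact digest does not match manifest"
    # 3. Separation of duties: the builder may not approve their own deployment.
    if approver == manifest["builder"]:
        return False, "separation of duties: builder cannot approve deployment"
    return True, "ok"


if __name__ == "__main__":
    artifact = b"constructed application bundle v1.2.0"  # constructed sample artifact
    signed = build_stage(artifact, builder="alice", version="1.2.0")
    print(deploy_gate(artifact, signed, approver="bob"))          # allowed
    print(deploy_gate(artifact + b"x", signed, approver="bob"))   # tampered bytes
    print(deploy_gate(artifact, signed, approver="alice"))        # builder approving own build
```

The order of the checks matters: signature first, so that nothing in an unauthenticated manifest (including the builder field used for the separation-of-duties rule) is trusted before it has been verified.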
Page 11
Secure the Deliverable
(diagram: the Full Stack Blueprint, top to bottom: Application, Middleware Config, Middleware, OS Config, Hardware, with Policies applied across every layer)
Secure:
• Code
• Packages
• Components
• Configurations
• Content
• Policies
• Roles
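Securing the deliverable means the whole stack blueprint, not only the application code, is checked against policy before it ships. As an added example, not code from the deck, here is a small policy-as-code check over a constructed blueprint with one entry per layer of the slide's stack. The layer names follow the slide; the configuration keys and the rules are assumptions chosen to look like real hardening policy (no debug mode, TLS 1.2 or newer, no public admin console, no SSH password auth, no root service account).

```python
# Constructed blueprint: one entry per layer of the full-stack blueprint on the slide.
BLUEPRINT = {
    "application": {"debug": True},
    "middleware_config": {"tls_min_version": "1.0", "admin_console_public": False},
    "os_config": {"ssh_password_auth": False, "run_as_root": True},
}

# Policies as (layer, rule, predicate over that layer's configuration).
# The keys and thresholds are assumptions for the example, not IBM policy.
POLICIES = [
    ("application", "debug mode disabled",
     lambda c: c.get("debug") is False),
    ("middleware_config", "TLS 1.2 or newer",
     lambda c: c.get("tls_min_version") in ("1.2", "1.3")),
    ("middleware_config", "admin console not public",
     lambda c: c.get("admin_console_public") is False),
    ("os_config", "SSH password auth disabled",
     lambda c: c.get("ssh_password_auth") is False),
    ("os_config", "service does not run as root",
     lambda c: c.get("run_as_root") is False),
]


def check_blueprint(blueprint: dict, policies=POLICIES) -> list:
    """Return (layer, rule) for every policy the blueprint fails.

    A layer that is absent from the blueprint fails all of its policies:
    an unspecified layer is an unreviewed layer, not a compliant one.
    An empty list means the deliverable may proceed.
    """
    violations = []
    for layer, rule, passes in policies:
        layer_cfg = blueprint.get(layer)
        if layer_cfg is None or not passes(layer_cfg):
            violations.append((layer, rule))
    return violations


def hardened(blueprint: dict) -> dict:
    """The corrected blueprint beside the weak one: same layers, compliant values."""
    fixed = {layer: dict(cfg) for layer, cfg in blueprint.items()}
    fixed["application"]["debug"] = False
    fixed["middleware_config"]["tls_min_version"] = "1.2"
    fixed["os_config"]["run_as_root"] = False
    return fixed


if __name__ == "__main__":
    for layer, rule in check_blueprint(BLUEPRINT):
        print(f"FAIL {layer}: {rule}")
    print("hardened blueprint violations:", check_blueprint(hardened(BLUEPRINT)))
```

Note that the predicates test for `is False` rather than falsiness, so a key that is simply missing from a layer is reported rather than silently passing.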
Page 12
Risks and Vulnerabilities - Delivery Pipeline and Deliverables
1. Vulnerabilities related to the supply chain
2. Insider attacks
3. Errors and mistakes in the development project
4. Weaknesses in the design, code, and integration
5. API Economy and Security
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/
Page 13
Vulnerabilities related to the supply chain
(diagram: the deliverable is assembled from components sourced from External Supplier A, External Supplier B, Internal Supplier A and Internal Supplier B)
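The slide shows components arriving from several external and internal suppliers; the practical control is to pin what was reviewed and refuse anything else at build time. The following is an added example, not code from the deck: a lockfile is generated from reviewed dependencies (name, version, content digest, supplier), and a later dependency resolution is checked against it for unapproved suppliers, unreviewed packages, version drift, silently changed content, and pinned packages that have gone missing. The supplier names follow the slide; which suppliers are approved, and the package names and contents, are constructed assumptions.

```python
import hashlib

# Assumption: suppliers the organisation has vetted. External Supplier B is
# deliberately left out so an unapproved source shows up in the findings.
APPROVED_SUPPLIERS = {"External Supplier A", "Internal Supplier A", "Internal Supplier B"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lock_dependencies(reviewed: dict) -> dict:
    """Pin reviewed dependencies as name -> {version, sha256, supplier}.

    reviewed maps name -> (version, content bytes, supplier).
    """
    return {
        name: {"version": version, "sha256": sha256_hex(content), "supplier": supplier}
        for name, (version, content, supplier) in reviewed.items()
    }


def verify_resolved(resolved: dict, lockfile: dict, approved=APPROVED_SUPPLIERS) -> list:
    """Compare a freshly resolved dependency set with the lockfile.

    resolved maps name -> (version, content bytes, supplier).
    Returns a list of (dependency, problem); empty means the build may proceed.
    """
    findings = []
    for name, (version, content, supplier) in resolved.items():
        if supplier not in approved:
            findings.append((name, f"supplier {supplier!r} not approved"))
        pinned = lockfile.get(name)
        if pinned is None:
            findings.append((name, "not in lockfile (unreviewed dependency)"))
            continue
        if version != pinned["version"]:
            findings.append((name, f"version drift {pinned['version']} -> {version}"))
        # Same version string is not enough: the bytes must match what was reviewed.
        if sha256_hex(content) != pinned["sha256"]:
            findings.append((name, "content digest mismatch"))
    for name in sorted(lockfile.keys() - resolved.keys()):
        findings.append((name, "pinned dependency missing from resolution"))
    return findings


# Constructed sample data: what was reviewed, and what a later build resolved.
REVIEWED = {
    "libfoo": ("1.4.2", b"libfoo 1.4.2 constructed", "External Supplier A"),
    "libbar": ("0.9.0", b"libbar 0.9.0 constructed", "Internal Supplier A"),
}
LOCKFILE = lock_dependencies(REVIEWED)

RESOLVED = {
    "libfoo": ("1.4.2", b"libfoo 1.4.2 constructed", "External Supplier A"),           # unchanged
    "libbar": ("0.9.0", b"libbar 0.9.0 constructed plus unexpected code", "Internal Supplier A"),  # same version, different bytes
    "libqux": ("2.0.0", b"libqux 2.0.0 constructed", "External Supplier B"),            # never reviewed, unapproved source
}

if __name__ == "__main__":
    for finding in verify_resolved(RESOLVED, LOCKFILE):
        print(finding)
```

The digest check is the one that catches a re-published package with an unchanged version number, which a version pin alone would accept.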
Page 15
Errors and mistakes in the development project
(diagram: three pairs of stage rates, 1 per min / 1 per min, 4 per min / 1 per min and 4 per min / 4 per min, illustrating batch size and flow between adjacent stages)
• Reduce Batch size
– Integrated Delivery Pipeline
– Agile Development
• Continuous Security Testing
• Continuous Validation
Page 16
Weaknesses in the design, code, and integration
http://www-03.ibm.com/security/secure-engineering/
Page 19
Multi-Speed IT – Innovation vs Optimization
Agile/Innovation Edge: Rapid Delivery for Innovation
• Agile
• Antifragile
• Experimentation
• New and Innovative
• Hybrid Cloud
• PaaS
Industrialized Core: Deliver at regular cadence
• Waterfall -> Agile
• Stability
• Predictability
• Lean Delivery pipeline
• Core and Legacy
• Hybrid Infrastructure – Physical, Cloud
• IaaS/PaaS
(vertical axis: Speed vs Risk)
App Development, Orchestration, Integration, Security, Management, Governance
Page 20
Multi-Speed IT – Touchpoints
Agile/Innovation Edge: Cloud Native, 12-factor Apps, Microservices, DevOps
PaaS, Containers
IBM Bluemix Platform • Containers • Microservices
IBM Garage Method
Industrialized Core: Traditional Development, DevOps, Monolithic Apps, Cloud-ready
Traditional IT, Private/Local Cloud, Dedicated Off-prem Cloud, Public Cloud, PaaS, Containers
UrbanCode • IBM Rational Tools • Middleware Portfolio • API Management • ITSM
IBM Cloud Orchestrator • IBM PureApplication • Gravitant
(diagram labels: Release Management, Planning, Deployment Automation, Orchestration, Brokerage, Test Virtualization, APIs)
Page 21
Reference Architecture : DevOps Multi-Speed IT
IBM Architecture Center
(diagram: a Bluemix delivery pipeline with Track & Plan, Develop, Build, Test, Release and Deploy stages, backed by Source Control, a Web IDE, Live Sync, Active Deploy and Auto Scaling, running on Runtime Environments (Runtimes & Containers), and connected through a Secure Gateway and API Management to On-Premises Systems)
https://developer.ibm.com/architecture/
Page 22
Start Here: Value Stream Mapping for Identifying and Addressing Bottlenecks
Page 23
Mapping your Delivery Pipeline
(diagram: the value stream from Idea/Feature/Bug Fix/Enhancement to Production)
Stages: Development, Build, QA, SIT, UAT, Prod, then Deploy and Get Feedback
Roles: PMO, Requirements/Analyst, Developer, Build Engineer, QA Team, Integration Tester, User/Tester, Operations, Deployment Engineer, Release Management, Customers and Line of Business (feedback from the customer or a customer surrogate)
Artifacts: Code Repository, Artifact Repository, Infrastructure as Code/Cloud Patterns
Metrics - Reporting/Dashboarding across the pipeline
Legend: Tasks, Artifacts
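The two closing slides say to start with a value stream map of this pipeline and use it to find bottlenecks, but do not show the arithmetic. The following is an added example, not code from the deck: the stages follow the slide (Development, Build, QA, SIT, UAT, Prod), and each carries constructed process time, queue time and a percent-complete-and-accurate figure. From those it derives the quantities a value stream map is read by, lead time, flow efficiency, rolled percent complete and accurate, and the stage with the longest queue, and shows the what-if of shrinking that queue (for instance by provisioning the UAT environment from infrastructure as code). All timings are assumptions.

```python
from dataclasses import dataclass, replace
from math import prod


@dataclass(frozen=True)
class Stage:
    name: str
    process_hours: float          # hands-on work in the stage
    wait_hours: float             # time an item queues before the stage picks it up
    pct_complete_accurate: float  # share of items the next stage can use without rework (0..1)


# Constructed timings for the stages on the slide; not measured data.
PIPELINE = [
    Stage("Development", 16, 8, 0.90),
    Stage("Build", 1, 2, 0.95),
    Stage("QA", 8, 40, 0.70),
    Stage("SIT", 8, 72, 0.80),
    Stage("UAT", 4, 120, 0.90),
    Stage("Prod", 2, 48, 1.00),
]


def lead_time(stages) -> float:
    """End-to-end hours from idea to production: work plus queueing."""
    return sum(s.process_hours + s.wait_hours for s in stages)


def flow_efficiency(stages) -> float:
    """Fraction of lead time spent doing work rather than waiting."""
    return sum(s.process_hours for s in stages) / lead_time(stages)


def rolled_pct_complete_accurate(stages) -> float:
    """Probability an item passes every stage without being sent back."""
    return prod(s.pct_complete_accurate for s in stages)


def bottleneck(stages) -> Stage:
    """The stage with the largest queue in front of it is where to start."""
    return max(stages, key=lambda s: s.wait_hours)


def with_wait(stages, name: str, wait_hours: float) -> list:
    """What-if: the same map with one stage's queue changed."""
    return [replace(s, wait_hours=wait_hours) if s.name == name else s for s in stages]


def report(stages) -> dict:
    """The numbers a value stream map is read by."""
    return {
        "lead_time_hours": lead_time(stages),
        "flow_efficiency": round(flow_efficiency(stages), 3),
        "rolled_pct_complete_accurate": round(rolled_pct_complete_accurate(stages), 3),
        "bottleneck": bottleneck(stages).name,
    }


if __name__ == "__main__":
    print("as mapped:", report(PIPELINE))
    # What-if: UAT environment provisioned on demand, queue drops from 120h to 8h.
    print("UAT queue removed:", report(with_wait(PIPELINE, "UAT", 8)))
```

In the constructed map nearly 90% of lead time is queueing, so the first improvement is not to make any stage faster but to remove the longest queue; once UAT's queue is gone, SIT becomes the next bottleneck, which is why the mapping is repeated rather than done once.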