NEW ERA OF DIGITAL SECURITY
Shawn Wells
Chief Security Strategist
U.S. Public Sector
shawn@redhat.com || 443-534-0130
Technology for the Digital World
2
When new technologies are adopted, the security team gets involved
SECURITY
3
Securing the Enterprise is Harder Than Ever
4
The way we develop, deploy and manage IT is changing dramatically:
● Applications & devices outside of IT control
● Cloud computing
● Software-defined infrastructure
● Dissolving security perimeter
● Menacing threat landscape
TRADITIONAL NETWORK-BASED DEFENSES ARE NO LONGER ENOUGH
THE COST OF SECURITY BREACHES
5
Source: 2016 Cost of Data Breach Study: Global, June 2016. Ponemon Institute LLC© Research Report
Total average costs are increasing:
● 2016: $4.0 million
● 2015: $3.8 million
● 2014: $3.5 million
While “soft” costs are impacting your business:
● Business disruption
● Lost employee and customer trust
● Brand erosion
● Shareholder anger
● etc.
MULTIPLE SOURCES OF RISKS
6
Source: 2016 Cost of Data Breach Study: Global, June 2016. Ponemon Institute LLC© Research Report
● Malicious or criminal attack: 48%
● System glitch: 27%
● Human error: 25%
TRYING TO INNOVATE AND REMAIN SECURE AT THE SAME TIME
7
Source: TechValidate. https://www.techvalidate.com/tvid/885-BC3-190
Funding for cloud infrastructure is taking a clear priority in 2017, with security and management still mandatory investments to keep it all under control.
What are your organization’s top IT funding priorities for 2017?*
● Cloud infrastructure (private, public or hybrid): 70%
● Security and compliance: 49%
● IT management, automation, orchestration: 48%
● Big data, analytics: 42%
● Optimizing or modernizing existing IT: 36%
● Integration of applications, data or processes: 31%
● Containers: 29%
● Cloud-native or mobile applications: 28%
● Storage: 23%
*Select all that apply
IMPLEMENT BOTH AGILE & IMPROVED GOVERNANCE PROCESSES
8
Source: TechValidate. https://www.techvalidate.com/tvid/7A6-663-C71
Compliance and governance remain a top priority, but agile and DevOps processes have shot to the top of our customers’ list this year. This is the only way they will achieve innovation at the speed they need to compete and win.
What are your organization’s top priorities around IT cultural or process changes?*
● Agile development: 64%
● DevOps processes or methodologies: 54%
● Compliance or governance processes: 41%
● User experience: 26%
● Digital strategies: 23%
● Using more open source: 11%
● IT staff training: 23%
● IT staff retention: 10%
● IT staff recruitment: 6%
● Stopping shadow IT: 3%
*Select all that apply
9
SECURITY MUST EVOLVE
SECURITY CHECKLIST: security policy, process & procedures
DESIGN → BUILD → RUN → MANAGE → ADAPT
10
SECURITY MUST BE CONTINUOUS
And integrated throughout the IT lifecycle
● DESIGN: Identify security requirements & governance models
● BUILD: Built-in from the start; not bolted-on
● RUN: Deploy to trusted platforms with enhanced security capabilities
● MANAGE: Automate systems for security & compliance
● ADAPT: Revise, update, remediate as the landscape changes
11
CONTINUOUS SECURITY WITH NIST
● DESIGN: Define security requirements based on NIST 800-53
● BUILD: Build required protections like web SSO into your applications
● RUN: Run on platforms with embedded protective technology like SELinux
● MANAGE: Automate compliance with DISA STIG; use automated detection & remediation technologies
● ADAPT: Continuously evaluate effectiveness and revise as needed
NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover, COMMUNICATE
12
Risk Management
Identify, Analyse, Plan, Track, Control, Communicate
“The objectives of risk management are to identify, address, and eliminate software risk items before they become either threats to successful software operation or major sources of software rework.” (Barry W. Boehm)
Approaches to dealing with risk:
● Reduction - reduce likelihood
● Protection - bottom-up prevention
● Transfer - let someone else share or hold
● Pecuniary - set aside a contingency fund of resources
WHY OPEN SOURCE?
OPEN SOURCE DEVELOPMENT DRIVES RAPID INNOVATION
OPEN SOURCE ADOPTION...SOARING
● 78% of enterprises run open source.
● 65% of companies are contributing to open software.
Sources:
[1] Black Duck Software, 9th Annual Future of Open Source survey, 2015. www.blackducksoftware.com/2015-future-of-open-source
[2] Black Duck Software, 10th Annual Future of Open Source survey, 2016. www.blackducksoftware.com/2016-future-of-open-source
16
OPEN SOURCE CULTURE
● Collaboration
● Transparency (both access and the ability to act)
● Shared problems are solved faster
● Working together creates standardization
AGILITY, WITH SECURITY
The Problem
Applications require complicated installation and integration every time they are deployed
18
THE PROBLEM
DEVELOPERS | I.T. OPERATIONS
19
DEVOPS
● Everything as code
● Automate everything
● Application is always “releasable”
● Continuous Integration/Delivery
● Application monitoring
● Rapid feedback
● Delivery pipeline
● Rebuild vs. Repair
20
A Solution
Adopting a container strategy will allow applications to be easily shared and deployed.
21
22
WHAT ARE CONTAINERS?
It Depends Who You Ask
INFRASTRUCTURE
● Sandboxed application processes on a shared Linux OS kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
APPLICATIONS
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components
23
A SOLUTION
Stack: Hardware → Virtual Machine → Operating System → Container → App
● Container and App: controlled by Developers
● Hardware, Virtual Machine and Operating System: controlled by IT Operations
24
A SOLUTION
DEVELOPERS | I.T. OPERATIONS
25
$ docker build -t app:v1 .
26
$ docker build -t app:v1 .
$ docker run app:v1
27
Deploy to: physical, virtual, private cloud, public cloud
28
DEVOPS WITH CONTAINERS
source repository → CI/CD engine → dev container → physical / virtual / private cloud / public cloud
31
WE NEED MORE THAN JUST CONTAINERS
● Scheduling: Decide where to deploy containers
● Lifecycle and health: Keep containers running despite failures
● Discovery: Find other containers on the network
● Monitoring: Visibility into running containers
● Security: Control who can do what
● Scaling: Scale containers up and down
● Persistence: Preserve data beyond the container lifecycle
● Aggregation: Compose apps from multiple containers
32
KUBERNETES
Kubernetes is an open-source system for automating deployment, operations, and scaling of containerized applications across multiple hosts
33
34
DEVOPS WITH CONTAINERS AND KUBERNETES
35
INDUSTRY CONVERGING ON KUBERNETES
36
INDUSTRY CONVERGING ON KUBERNETES
DEVOPS WITH CONTAINERS AND KUBERNETES
37 - Not enough! Need networking (NETWORK)
38 - Not enough! Need an image registry (IMAGE REGISTRY)
39 - Not enough! Need metrics and logging (METRICS AND LOGGING: heapster)
40 - Not enough! Need application lifecycle management (APP LIFECYCLE MGMT)
41 - Not enough! Need application services, e.g. database and messaging (APP SERVICES)
42 - Not enough! Need a self-service portal (SELF-SERVICE)
43
NOT ENOUGH, THERE IS MORE!
● Routing & Load Balancing
● Multi-tenancy
● CI/CD Pipelines
● Role-based Authorization
● Capacity Management
● Chargeback
● Vulnerability Scanning
● Container Isolation
● Image Build Automation
● Quota Management
● Teams and Collaboration
● Infrastructure Visibility
44
Container application platform based on Docker and Kubernetes for building, distributing and running containers at scale
45
REMEMBER THIS?
SECURITY CHECKLIST: security policy, process & procedures
DESIGN → BUILD → RUN → MANAGE → ADAPT
46
OpenShift for Government
Accreditations & Standards
● OCTOBER 2016 - RHEL7 COMMON CRITERIA: EAL4+, Container Framework, Secure Multi-tenancy
● DECEMBER 2016 - RHEL7 FIPS 140-2 CERTIFIED: Data at Rest, Data in Transport
● MARCH 2017 - INDUSTRY FIRST: NIST CERTIFIED CONFIGURATION AND VULNERABILITY SCANNER FOR CONTAINERS
● JUNE 2017 - OPENSHIFT BLUEPRINT FOR AZURE (FedRAMP MODERATE)
47
WANT TO HEAR MORE?
2017-07-12 GovLoop: New Era of Digital Security
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews
THANK YOU
