This document discusses the close alignment between security and site reliability engineering (SRE). It notes that both fields face challenges around authentication, authorization, access control, latency, cascading failures, service discovery, third-party dependencies, production access, and change control. Key lessons highlighted include making security scalable and default-on like SRE solutions, removing single points of security failure, and capturing meaningful security telemetry, as SREs do for reliability. The document argues that as development and infrastructure evolve rapidly, embracing an error budget, injecting engineering discipline, and following a "trust but verify" model are important for both security and SRE.
7. “What’s the state of product development and infrastructure?”
• Microservice architecture scaling to meet demands
• 3rd party adoption exploding
• Datacenter tech accessible for everyone
• Fast rate of evolution: product visualized in AM, deployed in PM
That seems….. great?
8. “How are we doing on defense?”
• Compliance initiatives?
• Magic boxes?
• Customer assurance?
• Network access control?
• Endpoint security products such as anti-virus?
• Bounties?
What!?!
10. Site Reliability Hierarchy of Needs
• Product
• Monitoring & Incident Response
• Post-Mortem & Analysis
• Testing & Release Procedures
• Capacity Planning
(SRE Hierarchy of Needs from Google SRE book)
11. “Changes in production applications are happening at a greater rate than ever before. New product ideas can be visualized in the morning and implemented in code in the afternoon.”
12. Innovation and Rate Of Change
Embrace the Error Budget
• Self Healing & Auto Remediation
• Reduction of Manual Process
Inject Engineering Discipline
• Review when architecture changes reach a certain complexity point.
“Trust but Verify”
• Security to follow SRE “trust but verify” approach towards engineering partners
19. “Data center technologies can all be controlled with a single web application in the hands of a devops intern.”
20. Production Access & Change Control
Configuration as code, leveraging source code control paradigms, is a huge boon to security.
Roll back ruthlessly.
● Start with a known-good state
● Asset management and change control discipline
● Ensure visibility
● Validate consistently and constantly
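The change-control loop on this slide, as an added example that is not part of the original deck: a known-good tree (standing in for a source-control checkout) is compared with the live configuration, modified, missing and unmanaged files are reported, and the live tree is rolled back. File names and contents are constructed, and `snapshot`, `find_drift`, `rollback` and `demo` are hypothetical names.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def snapshot(root: Path) -> dict:
    """Asset inventory: map each file's relative path to its SHA-256."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def find_drift(known_good: Path, live: Path) -> dict:
    """Validate the live tree against the known-good state."""
    want, have = snapshot(known_good), snapshot(live)
    return {
        "modified": sorted(k for k in want if k in have and want[k] != have[k]),
        "missing": sorted(k for k in want if k not in have),
        "unmanaged": sorted(k for k in have if k not in want),
    }

def rollback(known_good: Path, live: Path, drift: dict) -> None:
    """Restore drifted files from known-good and remove unmanaged ones."""
    for rel in drift["modified"] + drift["missing"]:
        dest = live / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(known_good / rel, dest)
    for rel in drift["unmanaged"]:
        (live / rel).unlink()

def demo() -> tuple:
    """Constructed sample: a two-file baseline and three kinds of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "good"), Path(tmp, "live")
        good.mkdir()
        (good / "sshd_config").write_text("PermitRootLogin no\n")
        (good / "firewall.rules").write_text("default deny\n")
        shutil.copytree(good, live)                                  # known-good deploy
        (live / "sshd_config").write_text("PermitRootLogin yes\n")   # out-of-band edit
        (live / "firewall.rules").unlink()                           # deleted control
        (live / "debug.conf").write_text("verbose=1\n")              # unmanaged asset
        before = find_drift(good, live)   # visibility: what changed
        rollback(good, live, before)      # return to known-good
        return before, find_drift(good, live)

if __name__ == "__main__":
    before, after = demo()
    print("drift found:", before)
    print("after rollback:", after)
```

Run on a schedule, the `find_drift` result is also the telemetry: a non-empty report is a change that bypassed source control.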
22. Overall Lessons for Security
(1) Your data pipeline is your security lifeblood
(2) Human-in-the-loop is your last resort, not your first option
(3) All security solutions must be scalable and default-on, just like SREs build it
23. Overall Lessons for SRE
(1) Remove single points of security failure like you do for availability
(2) Assume that an attacker can be anywhere in your system or flow
(3) Capture and measure meaningful security telemetry