SlideShare a Scribd company logo

SRE and Security: Natural Force Multipliers

Cory Scott
Cory Scott

This document discusses the close alignment between security (SRE) and site reliability engineering (SRE). It notes that both fields face challenges around authentication, authorization, access control, latency, cascading failures, service discovery, third-party dependencies, production access, and change control. Key lessons highlighted include making security scalable and default-on like SRE solutions, removing single points of security failure, and capturing meaningful security telemetry, as SREs do for reliability. The document argues that as development and infrastructure evolve rapidly, embracing an error budget, injecting engineering discipline, and following a "trust but verify" model are important for both security and SRE.

1 of 23
SRE Bruno Connelly Security & SRE: Natural Force Multipliers SREcon18 Cory Scott CHIEF INFORMATION SECURITY OFFICER
Why should Security and SRE be so closely aligned?
LinkedIn’s Engineering Hierarchy of Needs Magic Site Up & Secure Technology at Scale Development at Scale Solid APIs & Building Blocks
"the fox knows many things, but the hedgehog knows one big thing." -- Archilochus, Greek Poet
SRE and Security: Natural Force Multipliers
2018
“What’s the state of product development and infrastructure?” ? ? ? ? MICROSERVICE ARCHITECTURE SCALING TO MEET DEMANDS 3RD PARTY ADOPTION EXPLODING DATACENTER TECH ACCESSIBLE FOR EVERYONE FAST RATE OF EVOLUTION PRODUCT VISUALIZED IN AM, DEPLOYED IN PM ! ! ! ! That seems….. great?
“How are we doing on defense?” ? ? ? ? ! ! ! ! COMPLIANCE INITIATIVES? MAGIC BOXES? CUSTOMER ASSURANCE? NETWORK ACCESS CONTROL? ENDPOINT SECURITY PRODUCTS SUCH AS ANTI-VIRUS? BOUNTIES? What!?!
...
Site Reliability Hierarchy of Needs Product Monitoring & Incident Response Post-Mortem & Analysis Testing & Release Procedures Capacity Planning SRE Hierarchy of Needs from Google SRE book
“Changes in production applications are happening at a greater rate than ever before. New product ideas can be visualized in the morning and implemented in code in the afternoon.”
Innovation and Rate Of Change Embrace the Error Budget • Self Healing & Auto Remediation • Reduction of Manual Process Inject Engineering Discipline • Review when architecture changes reach a certain complexity point. “Trust but Verify” • Security to follow SRE “trust but verify” approach towards engineering partners
“Testing in production is the new norm”
Establishing Safe & Reliable Test Environments SRE SECURITY
“Microservice architectures are exploding to meet scalability requirements”
Microservice Architecture SECURITY CHALLENGES ARE SIMILAR TO SRE ● Authentication ● Authorization ● Access Control Logic SRE Challenges Security Challenges ● Latency & Performance Impact ● Cascading Failure Scenarios ● Service Discovery
“Dependencies on third-party code and services can be collected faster than you can inventory them.”
Visibility in Your Third-Party Services
“Data center technologies can all be controlled with a single web application in the hands of a devops intern.”
Production Access & Change Control Configuration as code, leveraging source code control paradigms, are a huge boon to security. Rollback ruthlessly. ● Start with a known-good state ● Asset management and change control discipline ● Ensure visibility ● Validate consistently and constantly
TAKEAWAYS OR GIVEAWAYS (DEPENDING ON YOUR POSITION IN THE AUDIENCE)
Overall Lessons for Security Human-in-the-loop is your last resort, not your first option 2 All security solutions must be scalable and default-on, just like SREs build it 3 Your data pipeline is your security lifeblood 1
Overall Lessons for SRE Remove single points of security failure like you do for availability 1 Assume that an attacker can be anywhere in your system or flow 2 Capture and measure meaningful security telemetry 3

More Related Content

SRE and Security: Natural Force Multipliers

  • 1. SRE Bruno Connelly Security & SRE: Natural Force Multipliers SREcon18 Cory Scott CHIEF INFORMATION SECURITY OFFICER
  • 2. Why should Security and SRE be so closely aligned?
  • 3. LinkedIn’s Engineering Hierarchy of Needs Magic Site Up & Secure Technology at Scale Development at Scale Solid APIs & Building Blocks
  • 4. "the fox knows many things, but the hedgehog knows one big thing." -- Archilochus, Greek Poet
  • 7. “What’s the state of product development and infrastructure?” ? ? ? ? MICROSERVICE ARCHITECTURE SCALING TO MEET DEMANDS 3RD PARTY ADOPTION EXPLODING DATACENTER TECH ACCESSIBLE FOR EVERYONE FAST RATE OF EVOLUTION PRODUCT VISUALIZED IN AM, DEPLOYED IN PM ! ! ! ! That seems….. great?
  • 8. “How are we doing on defense?” ? ? ? ? ! ! ! ! COMPLIANCE INITIATIVES? MAGIC BOXES? CUSTOMER ASSURANCE? NETWORK ACCESS CONTROL? ENDPOINT SECURITY PRODUCTS SUCH AS ANTI-VIRUS? BOUNTIES? What!?!
  • 9. ...
  • 10. Site Reliability Hierarchy of Needs Product Monitoring & Incident Response Post-Mortem & Analysis Testing & Release Procedures Capacity Planning SRE Hierarchy of Needs from Google SRE book
  • 11. “Changes in production applications are happening at a greater rate than ever before. New product ideas can be visualized in the morning and implemented in code in the afternoon.”
  • 12. Innovation and Rate Of Change Embrace the Error Budget • Self Healing & Auto Remediation • Reduction of Manual Process Inject Engineering Discipline • Review when architecture changes reach a certain complexity point. “Trust but Verify” • Security to follow SRE “trust but verify” approach towards engineering partners
  • 13. “Testing in production is the new norm”
  • 14. Establishing Safe & Reliable Test Environments SRE SECURITY
  • 15. “Microservice architectures are exploding to meet scalability requirements”
  • 16. Microservice Architecture SECURITY CHALLENGES ARE SIMILAR TO SRE ● Authentication ● Authorization ● Access Control Logic SRE Challenges Security Challenges ● Latency & Performance Impact ● Cascading Failure Scenarios ● Service Discovery
  • 17. “Dependencies on third-party code and services can be collected faster than you can inventory them.”
  • 18. Visibility in Your Third-Party Services
  • 19. “Data center technologies can all be controlled with a single web application in the hands of a devops intern.”
  • 20. Production Access & Change Control Configuration as code, leveraging source code control paradigms, are a huge boon to security. Rollback ruthlessly. ● Start with a known-good state ● Asset management and change control discipline ● Ensure visibility ● Validate consistently and constantly
  • 21. TAKEAWAYS OR GIVEAWAYS (DEPENDING ON YOUR POSITION IN THE AUDIENCE)
  • 22. Overall Lessons for Security Human-in-the-loop is your last resort, not your first option 2 All security solutions must be scalable and default-on, just like SREs build it 3 Your data pipeline is your security lifeblood 1
  • 23. Overall Lessons for SRE Remove single points of security failure like you do for availability 1 Assume that an attacker can be anywhere in your system or flow 2 Capture and measure meaningful security telemetry 3