Compliance as Code
- 1. © Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0
Paul Czarkowski
@pczarkowski
Compliance as Code
- 2. © Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0
Paul Czarkowski
@pczarkowski
Ugh, not another devops talk
- 3. Paul Czarkowski Developer Advocate at Pivotal Software
● Systems Administrator
● DevOps Practitioner
● Open Source Contributor
- 6. What is Compliance ?
Self Imposed
● CIS Controls / Benchmarks
● Security Technical Implementation Guide (STIG)
● Allowed opensource licenses
Regulatory
● PCI (US)
● HIPAA (US)
● Sarbanes-Oxley (US)
● EU GDPR
● NZ Information Security Manual (NZISM)
- 7. Verification
Validation of compliance based on
Controls in place.
● Checklists
● External Auditors
Checklists
Practice, Policy or Procedure
established to meet compliance
requirements.
● Spreadsheets
● Checklists
● Sharepoint Pages
Specifications
Documentation of requirements that
need to be met in order to be
compliant.
● PDFs
● Verbose
Compliance Controls Audit
- 25. Embedded OS
(Windows & Linux)
NSX-T
CPI (15 methods)
v1
v2
v3
...
CVEs
Product Updates
Java | .NET | NodeJS
Pivotal Application
Service (PAS)
Application Code & Frameworks
Buildpacks | Spring Boot | Spring Cloud |
Steeltoe
Elastic | Packaged Software | Spark
Pivotal Container
Service (PKS)
>cf push >kubectl run
YOU build the containerWE build the container
vSphere
Azure &
Azure StackGoogle CloudAWSOpenstack
Pivotal
Network
“3Rs”
Github
Concourse
Concourse
Pivotal Services
Marketplace
Pivotal and
Partner Products
Continuous
delivery
Public Cloud
Services
Customer
Managed
Services
OpenServiceBrokerAPI
Repair
— CVEs
Repave Rotate
— Credhub
- 26. PIVOTAL CLOUD FOUNDRY OPS
Powered by BOSH
BOSH is an open source tool
for release engineering,
deployment, lifecycle
management, and monitoring
of distributed systems.
BOSH
Packaging w/ embedded OS
Server provisioning on any IaaS
Software deployment across availability
zones
Health monitoring (server AND processes)
Self-healing w/ Resurrector
Storage management
Rolling upgrades via canaries
Easy scaling of clusters
- 27. PIVOTAL CLOUD FOUNDRY OPS
Powered by BOSH
BOSH is an open source tool
for release engineering,
deployment, lifecycle
management, and monitoring
of distributed systems.
BOSH
Packaging w/ embedded OS
Server provisioning on any IaaS
Software deployment across availability
zones
Health monitoring (server AND processes)
Self-healing w/ Resurrector
Storage management
Rolling upgrades via canaries
Easy scaling of clusters
- 28. PIVOTAL CLOUD FOUNDRY OPS
Powered by BOSH
BOSH is an open source tool
for release engineering,
deployment, lifecycle
management, and monitoring
of distributed systems.
BOSH
Packaging w/ embedded OS
Server provisioning on any IaaS
Software deployment across availability
zones
Health monitoring (server AND processes)
Self-healing w/ Resurrector
Storage management
Rolling upgrades via canaries
Easy scaling of clusters
- 38. Adopting a DevOps culture
Despite varying approaches to describing high-performance teams
there is a set of common characteristics that are recognised to lead to
success.
● Participative leadership – using a democratic leadership style that involves and engages team members
● Effective decision-making – using a blend of rational and intuitive decision making methods, depending on that
nature of the decision task
● Open and clear communication – ensuring that the team mutually constructs shared meaning, using effective
communication methods and channels
● Valued diversity – valuing a diversity of experience and background in team, contributing to a diversity of
viewpoints, leading to better decision making and solutions
● Mutual trust – trusting in other team members and trusting in the team as an entity
● Clear goals – goals that are developed using SMART criteria; also each goal must have personal meaning and
resonance for each team member, building commitment and engagement
● Defined roles and responsibilities – each team member understands what they must do (and what they must not
do) to demonstrate their commitment to the team and to support team success
● Positive atmosphere – an overall team culture that is open, transparent, positive, future-focused and able to
deliver success
https://en.wikipedia.org/wiki/High-performance_teams
- 42. Mappable Processes that include Security / Compliance
Application Release
● Vulnerability Scanning
● Security Scanning (sql
injection etc)
● License Scanning
● Attribution
Compliance Audits
● Vulnerability Scanning
● Security Scanning (sql
injection etc)
● Package updates
● OS inspection
Infrastructure Provisioning
● OS Hardening
● Firewalling
● User Management
● Remote logging and auditing
● Intrusion Detection
● Vulnerability Scanning
- 43. Value Stream map for Provisioning a New Server
Current State
Prepare
Request
Network
/ VLANs
Launch VM
/ Install OS
Test
Compliance
Deliver
1-5
days
1-5
days
1-5
days
1-5
days
1-2
days
1-2
days
1-2
days
1-2
days
- 44. Value Stream map for Provisioning a New Server
Future State
Deploy
VM
Configure
VM
Test
Compliance
Deliver
1-5
days
1-5
days
1-5
days
1-2
hours
1-2
hours
1-2
Hours
- 49. ● Implements STIG controls via Ansible playbooks
● Opensource project started at Rackspace
● Plays well with existing config management
● Easily override problematic controls
● Extends RSPEC for Compliance testing
● Similar to Serverspec, but better.
● Easy to go from serverspec to inspec
● Inspec-STIG is all of STIG already written into
inspec tests.
- 68. Other Security / Compliance tools
● Gauntlt ( Security Testing Framework )
● Metasploit ( Penetration Testing)
● Syntribos ( API security testing)
● Pivotal LicenseFinder ( Scanning licenses of dependencies )
● Snort ( Intrusion Detection )
● Fossology ( license compliance )
● OpenVAS ( vulnerability scanning )
● OSSEC ( Intrustion Detection )
- 70. Transforming How The World Builds Software
© Copyright 2018 Pivotal Software, Inc. All rights Reserved.