© 2015 IBM Corporation
Sanjeev Sharma
CTO, DevOps Technical Sales and Adoption
IBM Distinguished Engineer
Security and DevOps: How to Manage Security in a DevOps Enterprise
DevOps Review
DevOps: Origins
What does the Line of Business want from IT?
[Diagram: stakeholders around the Line-of-business Customer and IT: Product Owner, Senior Executives, Users, Domain Experts, Auditors, Gold Owner, Support Staff, External System Team, Operations Staff, Team Lead, Team Members]
Agility - Velocity - Innovation
DevOps approach: Apply Lean principles to accelerate feedback and improve time to value
[Diagram: People and Process loop between the Line-of-business Customer and IT, numbered with the three steps below]
1. Get ideas into production fast
2. Get people to use it
3. Get feedback
Continuously Improve:
I. Application Delivered
II. Environment Deployed
III. Application and Environment Delivery Process
Security and the Application Delivery Pipeline
Delivering a Business Capability – Hybrid Applications, Hybrid Platforms, Hybrid Teams
[Diagram: one Business Capability composed of Application A, Application B, Application C, … Application N]
Three Levels of Security
1. Secure the Perimeter
2. Secure the Delivery Pipeline
3. Secure the Deliverable
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/
Secure the Perimeter
Secure the Delivery Pipeline
Secure Engineering
Access and Control
Secure Build and Deploy
Security Testing of Scripts
Separation of Duties
Secure the Deliverable
[Diagram: full-stack blueprint with attached policies, layered as Application / Middleware Config / Middleware / OS Config / Hardware]
Secure:
• Code
• Packages
• Components
• Configurations
• Content
• Policies
• Roles
Risks and Vulnerabilities - Delivery Pipeline and Deliverables
1. Vulnerabilities related to the supply chain
2. Insider attacks
3. Errors and mistakes in the development project
4. Weaknesses in the design, code, and integration
5. API Economy and Security
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/
Vulnerabilities related to the supply chain
[Diagram: supply chain feeding the pipeline from External Supplier A, External Supplier B, Internal Supplier A and Internal Supplier B]
Insider attacks
Errors and mistakes in the development project
[Diagram: batch-size and flow comparison with arrival and processing rates of 1 per min and 4 per min]
• Reduce Batch size
– Integrated Delivery Pipeline
– Agile Development
• Continuous Security Testing
• Continuous Validation
Weaknesses in the design, code, and integration
http://www-03.ibm.com/security/secure-engineering/
The API economy and security
Adopting a (Secure) DevOps Architecture
Multi-Speed IT – Innovation vs Optimization
Agile/Innovation Edge: Rapid Delivery for Innovation • Agile • Antifragile • Experimentation • New and Innovative
Hybrid Cloud • PaaS
Industrialized Core: Deliver at regular cadence • Waterfall -> Agile • Stability • Predictability • Lean Delivery pipeline • Core and Legacy
Hybrid Infrastructure – Physical, Cloud • IaaS/PaaS
[Axis: Speed vs Risk]
App Development, Orchestration, Integration, Security, Management, Governance
Multi-Speed IT – Touchpoints
Agile/Innovation Edge: Cloud Native, 12-factor Apps, Microservices, DevOps
PaaS, Containers
IBM Bluemix Platform • Containers • Microservices
IBM Garage Method
Industrialized Core: Traditional Development, DevOps, Monolithic Apps, Cloud-ready
Traditional IT, Private/Local Cloud, Dedicated Off-prem Cloud, Public Cloud, PaaS, Containers
UrbanCode • IBM Rational Tools • Middleware Portfolio • API Management • ITSM
IBM Cloud Orchestrator • IBM PureApplication • Gravitant
Touchpoints: Release Management, Planning, Deployment Automation, Orchestration, Brokerage, Test Virtualization, APIs
Reference Architecture: DevOps Multi-Speed IT
IBM Architecture Center
[Diagram: Bluemix delivery pipeline with Source Control, Web IDE, Live Sync, Active Deploy, Auto Scaling, Secure Gateway to On-Premises Systems and API Management; stages Track & Plan, Develop, Build, Deploy, Release, Test; Runtime Environments with Runtimes & Containers]
https://developer.ibm.com/architecture/
Start Here: Value Stream Mapping for Identifying and Addressing Bottlenecks
Mapping your Delivery Pipeline
[Diagram: value stream from Idea/Feature/Bug Fix/Enhancement to Production through the stages Development, Build, QA, SIT, UAT, Prod; roles: PMO, Requirements/Analyst, Developer, Customers/Line of Business, Build Engineer, QA Team, Integration Tester, User/Tester, Operations, Deployment Engineer, Release Management; artifacts: Code Repository, Artifact Repository, Infrastructure as Code/Cloud Patterns; Deploy, then Get Feedback from the Customer or Customer Surrogate; Metrics - Reporting/Dashboarding; lanes for Tasks and Artifacts]
Questions?