SecDevOps 2.0 - Managing Your Robot Army (A.K.A. Securing Your Cattle from Rustlers)
TRANSCRIPT
Josh Bregman - Vice President/Evangelist
@kingoauth
Elizabeth Lawler - CEO/Founder Conjur, Inc.
Elizabeth Lawler is CEO and Co-founder of Conjur, Inc., a security company which focuses on security for next generation infrastructure. Lawler has over 20 years of experience working in highly regulated and sensitive data environments. Prior to founding Conjur, she was Chief Data Officer of Generation Health and held a leadership position in research at the Department of Veterans Affairs. She has been a programmer herself, and is constantly working to make software development and IT systems easier to manage for people working in regulated industries.
Elizabeth’s RSA Presentation “Is DevOps Breaking your Company?” is still available online.
Josh Bregman - “Enterprise Guy”/Evangelist
Josh has 20 years’ experience successfully architecting, evangelizing, and delivering innovative identity management and security products to customers. Prior to joining Conjur, Josh spent a decade as a solutions and pre-sales leader in the Oracle ecosystem. A developer at heart, early in his career Josh worked as a software engineer at IBM, GTE Labs, and Netegrity. He has 2 U.S. patents and received a B.A. in Math from the University of Rochester in 1995.
My Hiring Process at Conjur - Pets vs. Cattle
◁ Conjur is in a “hot” space - just out of stealth
◁ Team dynamic is SUPER important
◁ Project Based Interview
“We secure cattle. Put together some go-to market materials”
Securing Cattle from Rustlers – Step 2
● Make sure all of your cattle have their tags and/or have been branded with the brand of your farm or ranch
Securing Cattle from Rustlers – Step 4
● Ensure the proper location of your handling facilities or loading areas meet farm bio-security measures
My Hiring Process at Conjur - Pets vs. Cattle (cont.)
◁ Got some more guidance from Elizabeth
When you treat your servers like Cattle, this introduces a number of security challenges...
“...actually Josh, Pets vs. Cattle is a common meme in DevOps”
SecDevOps 1.0: Current State of Evolution
◆ Source Control
◆ Automated Build and Test
◆ Configuration Management
◆ Orchestration
◆ Software-Defined Networking
◆ Monitoring
SecDevOps 1.0 - Challenges
◁ Lack of Visibility
⊃ Compliance Challenges
◁ Wrong Tool for the Job
⊃ Production-Only Workflows
⊃ Human Bottlenecks
⊃ Conflation of Concerns
◁ Configuration Management as DIY Security System
What is SecDevOps 2.0?
Security Orchestration System
● RBAC for people, machines and code
● Self Auditing
● Fully programmable with fine granularity
● Highly available across any cloud, hybrid and global architecture
● End to end encryption
Diagram: DevOps Enabled Enterprise - Users, Process Environment
SecDevOps 2.0 - Reference Architecture
Diagram: Security Orchestration System, DevOps Toolchain and Process Environment; labelled components: .secrets, Cauldron, Cauldron Driver, SCM/CM/CI, Host Factory, Secrets Storage, SDF, “Host” - xxx, Service-to-Service Access, SSH Access, Policy, Users
SecDevOps 2.0 - Continuous Secrets Delivery
Diagram labels: Policy, Cauldron/.secrets, Host Factory, High Availability, Tools
● 5-step process based on years of delivering secrets management solutions to highly regulated industries
● Skipping steps will result in issues down the road and cause disruption and delay
● DIY projects that start with tools and then try to work backward are extremely difficult
Introducing Summon
Diagram: Secrets Source (Vault, Keywhiz, AWS IAM…) → Summon → Process Environment / Docker Container
Summon uses a pluggable secrets provider to load secrets into the environment of an application, service or container.
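To make that one-sentence description concrete, the following is an added example written for this transcript; it is not Summon's or Conjur's own code. It keeps the shape the slide describes: a secrets.yml-style spec names the environment variables a process needs, a pluggable provider resolves each secret identifier against a backend, and the target process is started with those values in its environment only. It assumes a simplified provider interface (a Python callable in place of Summon's separate provider executables), handles only the `!var` tag and literal values of the spec format, and uses constructed sample secrets and an in-memory store standing in for Vault, Keywhiz or AWS IAM.

```python
"""Summon-style secrets injection (added illustration, not Summon's or Conjur's code)."""
import os
import subprocess
import sys
from typing import Callable, Dict, Mapping, Optional, Tuple

# Simplifying assumption: a provider is a plain callable from secret id to value.
# Summon's real providers are separate executables; that detail is omitted here.
Provider = Callable[[str], str]


class SecretNotFound(KeyError):
    """The provider has no value for the requested identifier."""


def dict_provider(store: Mapping[str, str]) -> Provider:
    """Provider backed by an in-memory mapping; stands in for a real backend."""
    def lookup(secret_id: str) -> str:
        try:
            return store[secret_id]
        except KeyError:
            raise SecretNotFound(secret_id) from None
    return lookup


def parse_secrets_spec(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse a secrets.yml-like spec without a YAML dependency.

    Each non-comment line is 'ENV_NAME: !var secret/id' (resolved through the
    provider) or 'ENV_NAME: literal' (passed through unchanged). Other tags
    such as !file are out of scope for this example and rejected explicitly.
    """
    spec: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop full-line and trailing comments
        if not line:
            continue
        name, sep, rhs = line.partition(":")
        name, rhs = name.strip(), rhs.strip()
        if not sep or not name or not rhs:
            raise ValueError(f"malformed spec entry: {raw!r}")
        if rhs.startswith("!var "):
            spec[name] = ("var", rhs[len("!var "):].strip())
        elif rhs.startswith("!"):
            raise ValueError(f"unsupported tag in spec entry: {raw!r}")
        else:
            spec[name] = ("literal", rhs)
    return spec


def build_env(spec: Mapping[str, Tuple[str, str]], provider: Provider,
              base_env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Resolve the whole spec before anything is launched (fail closed).

    A missing secret raises SecretNotFound and no partial environment is
    returned, so the child process never starts half-configured.
    """
    env: Dict[str, str] = dict(os.environ if base_env is None else base_env)
    for var_name, (kind, value) in spec.items():
        env[var_name] = provider(value) if kind == "var" else value
    return env


def run_with_secrets(spec: Mapping[str, Tuple[str, str]], provider: Provider,
                     argv: list) -> subprocess.CompletedProcess:
    """Start argv with the resolved secrets in its environment only."""
    env = build_env(spec, provider)
    # Secrets travel in `env`, not in argv, so they are not exposed in the
    # process list or shell history the way command-line arguments would be.
    return subprocess.run(argv, env=env, capture_output=True, text=True, check=False)


# Constructed sample data (not from any real deployment).
SAMPLE_SECRETS_YML = """\
# which variables the app needs, and where each value comes from
DB_PASSWORD: !var prod/db/password
API_TOKEN: !var prod/api/token
DB_HOST: db.internal.example
"""
SAMPLE_STORE = {"prod/db/password": "hunter2", "prod/api/token": "tok-123"}


def demo() -> str:
    """Launch a child Python that reports what reached its environment."""
    spec = parse_secrets_spec(SAMPLE_SECRETS_YML)
    child = [sys.executable, "-c",
             "import os; print(os.environ['DB_HOST'], len(os.environ['DB_PASSWORD']))"]
    result = run_with_secrets(spec, dict_provider(SAMPLE_STORE), child)
    return result.stdout.strip()    # "db.internal.example 7"


if __name__ == "__main__":
    print(demo())
```

The child in `demo()` prints only the host name and the password's length, which is enough to show that the value arrived through the environment rather than the command line. Swapping `dict_provider` for a callable that talks to a real secrets backend is the only change needed to move from the constructed store to a managed one; the spec and the launch path stay the same.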
Get Involved in Cauldron
● Summon is coming soon
○ Sign up to be notified when it’s ready!
○ If you’re doing DIY or even using another open source project, you can build a driver - spread the word!
● Try to adopt the Continuous Secrets Delivery approach
○ If you think it’s no good, let’s hash it out - join the discussion #cauldron
● Get Connected
○ Follow us on Twitter and LinkedIn