Does agile make us less secure? Security in a post-DevOps world. YOW! Sydney 2019. Michael Brunton-Spall, Bruntonspall Ltd
Michael Brunton-Spall (He/His/Him), michael@bruntonspall.com
The second scariest words in the English language: “Hi, I’m from the Government and I’m here to help”
The scariest words in the English language? “Hi, I’m from security and I’m here to help”
https://cyberweekly.net
Why security is evolving: where we’ve come from, and where we are going
How to rethink security practices in organisations
Some Context
2006 06/12/2019
2010
2013
2015
2019
Maginot Line
1930, France
“We’d really like Germany not to invade us”
In WW1, they came slowly overland and built trenches
The Germans had invented Blitzkrieg (“Lightning War”), which simply went around it
The French were fighting a war from 1920 against an adversary using 1939 techniques
Evolution
Custom-built minicomputer
Servers in a data centre
Colocated servers
Virtual private servers
Virtual machines at scale
Why Wardley Maps?
We can see changing landscapes
We can discuss strategies
A map isn’t reality, it’s just an abstraction
Things evolve
As servers move from physical to virtual, and from single to multiple, practice evolves
Coevolution of product and practice
How do we administer servers?
Worries about hard drives, CPUs, power, etc.
Cloud providers give us abstractions
We stop worrying about whether a hard drive fails in a server
This results in changing operations practice: DevOps, SRE
This results in developers consuming operations differently: Kubernetes, Serverless
What does this mean for security?
How we think about security has to change
Security practices have to evolve
Traditional security is about assurance: where will my data sit, where does the data go
This works when you have individual servers
This doesn’t work the same way with modern cloud
Security is currently fighting a war from a decade ago
Mapping Security
“Skate to where the puck is going, not where it has been” (Wayne Gretzky)
Where the puck was yesterday
What are the solved problems? Commonly solved the same way, with productionised processes
SDLC, assurance of suppliers, network assurance, hardware assurance
All cloud customers have similar concerns in this area
Buy, don’t build
Compliance via certificates: ISO 27001, CSA, ISO 27017, SOC, FISMA, HIPAA …
Where the puck is today
Continuous Integration, Continuous Deployment, DevOps
Patching: how quickly can you patch?
DevOps: how secure is your code? Code review and pull requests
Staff identity and single sign-on
Zero Trust Networking
But where is the puck going?