Slide 1 - Windfall Wins: DevOps Drives Agile Security & Compliance
Presented on April 20, 2015 by Julie Tsai, Industry Professional & DevOps Practitioner
RSA Conference 2015 - DevOps Connect

Slide 2 - DevOps: Myth? Or…
The DevOps Unicorn!
Image Ref: http://howard118maddiew.wikispaces.com, courtesy Creative Commons Attribution Share-Alike 3.0 License

Slide 3 - (R)evolution, the Ultimate Hybrid?
Image Ref: http://www.modernmythology.net, courtesy CC Attribution-NonCommercial-NoDerivs 3.0 Unported License

Slide 4 - What Is DevOps?
Dev & Ops co-existing harmoniously?
Image Ref: https://www.pinterest.com/pin/18084835974424623/, courtesy Pinterest Terms of Use

Slide 5 - Now, DevOpsSec?
Gartner: “DevOps Needs to Become DevOpsSec”
Diagram - Dev / Ops / Sec:
• Soft Dev: new SW products & demand
• Tech Ops: reliability, performance & scaling
• InfoSec: confidentiality, integrity & availability

Slide 6 - DevOpsSec Value 1: Automation
Image Ref: http://commons.wikimedia.org, courtesy CC Attribution ShareAlike 3.0 License

Slide 7 - DevOpsSec Value 2: Visibility
Image Ref: https://www.flickr.com, courtesy CC Attribution Non-Commercial ShareAlike 2.0 License

Slide 8 - DevOpsSec Value 3: Accountability
Image Ref: http://pixabay.com, courtesy CC Deeds CC0

Slide 9 - The DevOpsSec Virtuous Circle
1. Published versioned configs in SCM
2. Central master server of gold configs
3. Auto config propagation to enforce on endpoints
4. Monitoring + alerting —> centralized logging
5. Event-driven self-healing from configs
Ref: Updated from an older presentation of mine at http://www.slideshare.net

Slide 10 - Case Study 1 - PCI
Image Ref: http://pixabay.com, courtesy CC Deeds CC0

Slide 11 - Case Study 2 - SOX
Image Ref: http://pixabay.com, courtesy CC Deeds CC0

Slide 12 - Case Study 3 - IPO-Readiness
Image Ref: http://pixabay.com, courtesy CC Deeds CC0

Slide 13 - Cautionary Tales
• Executive Support & Necessary Empowerment
• Know What - and How - To Measure Real Progress
• Clear of Roadblocks

Slide 14 - Appendix
Presentations and tutorials uploaded at http://www.slideshare.net/jtslideshare

Slide 15 - Acknowledgments
• Creative Commons and Public Domain
• Ex-teractive crew - esp. Ops Director and team
• Auditors that you want to work with: ZZ Servers & DRG. Knight Financial Plans and Services
• Personal
• OSS & GNU Foundation
Devopsconnect 2015apr20
Editor's notes
1. Slide 1 - Title - 1/2 min
Disclaimers: general case studies - names and places removed to protect the innocent, the guilty, and the over-earnest. I am speaking today as an 18-year industry professional, with 10 yrs of DevOps tools and culture experience, but only one yr of that was spent with a DevOps title.

2. Slide 2 - 1/2 min
* Two-for-One? (works in small company or fast-prototype situations where you can scale your app and your ppl organically, in customizable ways) — sometimes can lead to unicorns
* DevOps as NoOps - this is basically leasing or renting infra from someone else

3. Slide 3 - 1 min
Best (rather than worst) of Both Worlds.
Dev: focus on programmatic repeatable improvement, Src Control, Testing.
Ops: emphasizes empirical uptime and reliability, managing complexity and brittleness by simplifying and reducing tight coupling —> autonomous but interdependent parts.
Learn to speak not just each other’s language but each other’s values - in each other’s domains. To be conversant takes maybe 1-2 years, but to be really proficient in either takes about 10 yrs (10,000 hr rule).

4. Slide 4 - 3 min
DevOps as a value stream, more than just a two-for-one or the elimination of in-house Ops departments, etc. - and broad enough to be beyond just deployment or tools. Deployments are a handshake between changes in code/systems - ideally automated - and robust configuration management within the environment. Without one, the other fails. In that sense DevOps can encompass both. In the world of tools, it can be considered Ops-oriented tools for Devs, or Dev-oriented tools for Ops, and thus again covers a very wide swath.
Why the conflicts? Devs tend to sit closer to the business and product lifecycle - more well-understood revenue drivers. Ops (and Security) tend to be at the other end of the product release lifecycle - aka downhill, where stuff flows. And all risk there is immediately real rather than potential.
Separation of responsibilities should flow to the group with the most proximate knowledge and authorization to repair - streamline away unnecessary processes, middlemen, or even tools. Automate in finer-grained controls and flexibility.
Knowledge is Power. With Great Power Comes Great Responsibility. Rights and Responsibility go hand in hand. Consequently Rights should flow to those who can use Knowledge Responsibly.

5. Slide 5 - 1 min
Adapted diagram borrowed from Visible Ops Security. The silos do have tendencies towards or against change, but that can be reframed, especially with reliable smart automation. Smart, strategic automation and operational best practices have underpinned the highest performing orgs and Centers of Excellence all along.
Why is this alignment so critical? DevOps brings the efficiency and visibility - Security and Compliance bring the business driver. Now IT is solving a tangible *business* problem - regulatory, branding, trust, reputation - not just the latest performance tuning fad.

6. Slide 6 - 2 min
From DevOps notes.

7. Slide 7 - 2 min
From DevOps notes.

8. Slide 8 - 2 min
From DevOps notes. How well do we trust where someone - or something - has said something has been done? “Trust Logs, not People”… but we need to trust people sometimes. When, how much, and in what context? A record of verifiability becomes credibility, to the extent there exists credibility in the scope of what we’re investigating, and what we know - or trust.

9. Slide 9 - 4 min
1. Published versioned configs in SCM: this can be the tool of your choice - Git, Perforce, SourceSafe, SVN, CVS etc.
2. Central master server of gold configs: this can be a fileserver, or a master server from which your self-healing automation tool fetches approved Known Good configs on a predictable schedule.
3. Auto config propagation to endpoints: this can be one of a number of endpoint self-healing automation tools in the arena right now - cfengine is my preferred model, but you can accomplish the same ends with puppet, chef, saltstack, etc., provided they are automatically enforcing the Known Goods on a regular basis. This is key to curbing invisible changes, entropy, and unpredictable states.
4. Monitoring + alerting to centralized logging: again, a variety of tools do this - Nagios, HP OpenView, device-specific monitoring/alerting. Key is that it’s usable to your team, the signal-to-noise ratio is good, and you have the important elements - including health of the self-healing enforcement endpoint agents - going to central logging, i.e. syslog, arcsight, collected, etc.
5. Event-driven self-healing from configs: this is often the last 10% that’s hardest to achieve, but it can drive seamless corrections. It’s essential that this be implemented accurately to ensure competing race-condition errors don’t occur. But reaching this step means there would be no disconnect between what is published and expected in Config Management, Change Management, and Incident Management - more details in links in other presentation.
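The five-step loop described in these notes and on slide 9, as an added example that is not code from the talk or from cfengine/puppet/chef/saltstack: one idempotent agent run checks each endpoint file against constructed Known Good configs, repairs drift atomically, refuses to run concurrently with itself (the race-condition caveat in step 5), and emits every check, repair and agent heartbeat as a JSON event for central logging. The config paths and contents, the agent id and the event names are all assumptions.

```python
"""Model of the slide-9 DevOpsSec loop: Known Good configs (published from SCM by a
master server) are enforced on an endpoint, and every check, repair and heartbeat
becomes a log event. Added example, not code from the talk or from any CM tool."""
import hashlib, json, os, tempfile

# Constructed sample "gold" configs; the real set would come from SCM (steps 1-2).
GOLD_CONFIGS = {
    "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/audit/rules.d/50-config.rules": "-w /etc -p wa -k config_change\n",
}

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _atomic_write(path: str, content: str) -> None:
    # Temp file + rename, so a reader never sees a half-written config.
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.replace(tmp, path)

def enforce(root: str, gold: dict, agent_id: str = "endpoint-01") -> list:
    """Reconcile files under root with gold (steps 3 and 5); return the event list."""
    os.makedirs(root, exist_ok=True)
    events, repaired, lock = [], 0, os.path.join(root, ".enforce.lock")
    try:  # O_EXCL lock: two overlapping agent runs would race each other
        os.close(os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY))
    except FileExistsError:
        return [{"agent": agent_id, "event": "agent_skipped_locked"}]
    try:
        for rel, content in gold.items():
            path, expected = os.path.join(root, rel), sha256_of(content.encode())
            try:
                with open(path, "rb") as f:
                    observed = sha256_of(f.read())
            except FileNotFoundError:
                observed = None
            if observed == expected:
                events.append({"agent": agent_id, "event": "config_verified",
                               "path": rel, "sha256": expected})
                continue
            _atomic_write(path, content)
            repaired += 1
            events.append({"agent": agent_id, "event": "config_drift_repaired", "path": rel,
                           "expected_sha256": expected, "observed_sha256": observed})
        # Heartbeat: the notes stress shipping agent health, not only file events (step 4).
        events.append({"agent": agent_id, "event": "agent_health",
                       "checked": len(gold), "repaired": repaired})
    finally:
        os.remove(lock)
    return events

def to_syslog_lines(events: list) -> list:
    return [json.dumps(e, sort_keys=True) for e in events]  # one JSON line per event

def demo(root: str = "") -> tuple:
    root = root or tempfile.mkdtemp()  # scratch endpoint root
    return root, enforce(root, GOLD_CONFIGS), enforce(root, GOLD_CONFIGS)
```

The first run in `demo` reports both files as repaired (they did not exist), the second reports both as verified; a later manual edit to one file shows up as a single `config_drift_repaired` event carrying the observed and expected hashes, which is the verifiable record slide 8 asks for.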
10. Slide 10 - 4 min
Key Wins
* Continued internal reputation for uptime and deployment stability
* Continued relatively strong rates of change - at the time, doing 10-12 different app code pushes a week plus regular maintenances
* With the team at 1/3 its original size and 20% budget cuts
Lessons Learned
* Managing (and Selling) Out and Up
* Situational Awareness
* There is much beyond your control

11. Slide 11 - 4 min
Key Wins
* Raced against the clock (two months) to fix significant deficiencies that were headed for the BoD Annual Report
* Leveraged OSS
* Credibility built with quick wins
Lessons Learned
* Organizational Alignment
* Strategic consolidation of allies
* Empiricism

12. Slide 12 - 2 min
Key Wins
* The foundational automation and visibility had already been built - so all we had to do was overlay process, lightweight authorization gates/hooks, and connect to ticketing
* Change Management policy completed and accepted for IPO-readiness within 3 weeks
* Efficient resourcing - just 1.5 people’s time over that period
Lessons Learned
* DevOps can be considered a myriad of things (as discussed earlier)
* Key to get credit and alignment at the top on definitions and resourcing
* Important to help socialize ppl who have been working in silos

13. Slide 13 - 3 min
Executive Support for Necessary Empowerment - this is essential for knowing what authority and resources to have and negotiate for. If alignment here isn’t possible in an acceptable amount of time, best to walk away.
Know What and How to Measure - this should be simple to grasp, especially to start, and specific to your group’s customers’ needs. Only you and your customer can determine what those truly are, and problem situations require special focus. From Visible Ops Security (p. 23): “Learning usually passes through three stages. In the beginning, you learn the right answers. In the second stage, you learn the right questions. In the third and final stage, you learn which questions are worth asking.”
Clear of Roadblocks - if you are the powers-that-be, know when to get out of the way. If you are not, know who you need to persuade to get out of the way and how to do so gracefully. This goes along with right people, right empowerment, right resources.

14. Slide 14 - 1/2 min

15. Slide 15 - 1/2 min