Video Link: https://devops.com/7598-2/
(Deprecated) Video Link of the presentation at DevOpsConnect, RSA Conference 2015:
https://www.youtube.com/watch?v=NlTVu7wSi_w&feature=youtu.be
DevOps is not at war with security, compliance or proper change management. If anything, meaningful use of the DevOps automation toolset, mindset and, most of all, values wins operational excellence, security and visible change management without a lot of process overhead or unnecessary cost. A core adherence to automation, visibility and accountability, with a smart, streamlined approach to tooling, can get organizations where they want to be: operating securely, nimbly and accurately, with joy in practicing work at a high level of excellence.
1. Windfall Wins: DevOps Drives Agile Security & Compliance
Presented on April 20, 2015
by Julie Tsai, Industry Professional & DevOps Practitioner
RSA Conference 2015 - DevOpsConnect
3. (R)evolution, the Ultimate Hybrid?
Image Ref: http://www.modernmythology.net, courtesy CC Attribution-NonCommercial-NoDerivs 3.0 Unported License
5. Gartner: “DevOps Needs to Become DevOpsSec”
SoftDev (DEV): new software products & demand
TechOps (OPS): reliability, performance & scaling
InfoSec (SEC): confidentiality, integrity & availability
Now, DevOpsSec?
9. The DevOpsSec Virtuous Circle
1. Published versioned configs in SCM
2. Central master server of gold configs
3. Auto config propagation to enforce on endpoints
4. Monitoring + alerting -> centralized logging
5. Event-driven self-healing from configs
Ref: Updated from an older presentation of mine at http://www.slideshare.net
10. Case Study 1 - PCI
Image Ref: http://pixabay.com, courtesy CC Deeds CC0
15. Acknowledgments
• Creative Commons and Public Domain
• Ex-teractive crew - esp. Ops Director and team
• Auditors that you want to work with: ZZ Servers & DRG. Knight Financial Plans and Services
• Personal
• OSS & GNU Foundation
Speaker notes
Slide 1 Title - 1/2 min
Disclaimers
General case studies - names and places removed to protect innocent, guilty, and over-earnest
I am speaking today as 18-year industry professional, with 10 yrs of DevOps tools and culture experience, but only one yr of that was spent with a DevOps title.
Slide 2 - 1/2 min
* Two-for-one? (works in small companies or fast-prototype situations where you can scale your app and your people organically, in customizable ways) - sometimes can lead to unicorns
* DevOps as NoOps - this is basically leasing or renting infra from someone else
Slide 3 - 1 min
Best (rather than worst) of Both Worlds
Dev: Focus on programmatic repeatable improvement, Src Control, Testing
Ops: Emphasizes empirical uptime and reliability, Managing complexity and brittleness by simplifying and reducing tight-coupling —> Autonomous but interdependent parts
Learn to speak not just each other’s language but each other’s values - in each other’s domains
To be conversant takes maybe 1-2 years, but to be really proficient in either takes about 10 yrs - (10,000 hr rule)
Slide 4 - 3 min
DevOps as a valuestream, more than just as two-for-one or elimination of in-house Ops departments, etc. - and broad enough to be beyond just deployment or tools.
Deployments are a handshake between changes in code/systems - ideally automated - and robust configuration management within the environment. Without one, the other fails. In that sense DevOps can encompass both.
In the world of tools, it can be considered Ops-oriented tools for Devs, or Dev-oriented tools for Ops and thus again covers a very wide swath.
Why the conflicts? Devs tend to sit closer to the business and product lifecycle - more well-understood revenue drivers. Ops (and Security) tend to be at the other end of the product release lifecycle - aka downhill, where stuff flows. And all risk there is immediately real rather than potential.
Separation of responsibilities should flow to group with most proximate knowledge and authorization to repair - streamline away unnecessary processes, middlemen, or even tools. Automate in finer-grained controls, flexibility
Knowledge is Power
With Great Power Comes Great Responsibility
Rights and Responsibility go hand in hand
Consequently Rights should flow to those who can use Knowledge Responsibly
Slide 5 - 1 min
Adapted diagram borrowed from Visible Ops Security
The silos do have tendencies towards or against change, but that can be reframed. Especially with reliable smart automation.
Smart, strategic automation and operational best practices have underpinned the highest-performing orgs and Centers of Excellence all along.
Why is this alignment so critical?
DevOps brings the efficiency and visibility - Security and Compliance bring the business driver. Now IT is solving a tangible *business* problem - regulatory, branding, trust, reputation - not just the latest performance tuning fad.
Slide 6 - 2 min
From DevOps notes
Slide 7 - 2 min
From DevOps notes
Slide 8 - 2 min
From DevOps notes
How well do we trust where someone - or something - has said something has been done?
“Trust Logs, not People”… but we need to trust people sometimes.
When, how much, and what context?
Record of verifiability becomes credibility
To the extent there exists credibility
In the scope of what we’re investigating, and what we know - or trust.
Slide 9 - 4 min
This can be the tool of your choice: Git, Perforce, SourceSafe, SVN, CVS etc.
This can be a fileserver, or a master server from which your self-healing automation tool fetches approved Known Good configs on a predictable schedule.
This can be one of a number of endpoint self-healing automation tools in the arena right now - cfengine is my preferred model, but you can accomplish same ends with puppet, chef, saltstack, etc., provided they are automatically enforcing the Known Goods on a regular basis. This is key to curbing invisible changes, entropy, unpredictable states.
Again, a variety of tools can do this - Nagios, HP OpenView, device-specific monitoring/alerting. The key is that it’s usable to your team, the signal-to-noise ratio is good, and you have the important elements - including the health of the self-healing enforcement agents on the endpoints - going to central logging, i.e. syslog, ArcSight, collectd, etc.
This is often the last 10% that’s hardest to achieve, but it can drive seamless corrections. It’s essential that this be implemented accurately so that competing enforcement passes don’t produce race conditions. But reaching this step means there is no disconnect between what is published and expected in Config Management, Change Management, and Incident Management - more details in the links in the other presentation.
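The five steps above, as an added example that is not code from the presentation or from cfengine, puppet, chef or saltstack: a convergent enforcement pass in Python that compares an endpoint's files against a manifest of SHA-256 hashes of the gold configs, restores any drift from the gold copy, and emits JSON events (including a heartbeat for the agent's own health) to a list that stands in for the central log sink. The two config files and their contents, the lock-file name and the manifest format are constructed assumptions. It also handles the race-condition caveat from step 5 in two ways: a lock so two passes cannot overlap, and write-temp-then-rename so a concurrent reader never sees a half-written file.

```python
"""Added example: a minimal convergent enforcement pass in the style of the
virtuous circle (publish gold configs -> enforce on endpoints -> log -> heal).
All paths, file contents and the manifest format are constructed assumptions."""
import hashlib
import json
import os
import tempfile
import time

# Constructed "gold" configs as published from SCM and served by the master
# server. Illustrative only; not any real host's configuration.
GOLD_CONFIGS = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/sudoers.d/ops": b"%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(gold: dict) -> dict:
    """Known-good manifest: relative path -> sha256 of the approved content."""
    return {path: sha256_hex(content) for path, content in gold.items()}


def observed_hash(path: str):
    """Hash of the file currently on the endpoint, or None if it is missing."""
    try:
        with open(path, "rb") as fh:
            return sha256_hex(fh.read())
    except FileNotFoundError:
        return None


def atomic_write(path: str, data: bytes) -> None:
    """Temp file + rename: a concurrent reader never sees a half-written config."""
    directory = os.path.dirname(path)
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def converge(root: str, gold: dict, manifest: dict, sink: list):
    """One enforcement pass: repair every file whose hash differs from the
    manifest and append JSON events to `sink` (stand-in for central logging).
    Returns the repaired paths, or None if another pass holds the lock."""
    lock = os.path.join(root, ".converge.lock")   # assumed lock-file name
    try:
        os.close(os.open(lock, os.O_CREAT | os.O_EXCL | os.O_WRONLY))
    except FileExistsError:
        sink.append(json.dumps({"event": "agent_skipped", "reason": "lock_held"}))
        return None
    repaired = []
    try:
        for rel, expected in manifest.items():
            target = os.path.join(root, rel)
            observed = observed_hash(target)
            if observed == expected:
                continue
            atomic_write(target, gold[rel])
            repaired.append(rel)
            sink.append(json.dumps({"event": "config_repaired", "path": rel,
                                    "expected_sha256": expected,
                                    "observed_sha256": observed}))
        # Heartbeat on every pass, even a no-op one: a missing heartbeat is
        # itself the alert that the enforcement agent is unhealthy.
        sink.append(json.dumps({"event": "agent_heartbeat", "checked": len(manifest),
                                "repaired": len(repaired), "ts": int(time.time())}))
    finally:
        os.unlink(lock)
    return repaired


def demo() -> dict:
    """Bootstrap, then an out-of-band edit, then a steady-state pass."""
    manifest = build_manifest(GOLD_CONFIGS)
    sink = []
    with tempfile.TemporaryDirectory() as root:
        first = converge(root, GOLD_CONFIGS, manifest, sink)   # files missing
        sshd = os.path.join(root, "etc/ssh/sshd_config")
        with open(sshd, "ab") as fh:                            # invisible change
            fh.write(b"PermitRootLogin yes\n")
        second = converge(root, GOLD_CONFIGS, manifest, sink)  # drift repaired
        third = converge(root, GOLD_CONFIGS, manifest, sink)   # idempotent no-op
        with open(sshd, "rb") as fh:
            restored = fh.read() == GOLD_CONFIGS["etc/ssh/sshd_config"]
    return {"first": first, "second": second, "third": third,
            "restored": restored,
            "events": [json.loads(e)["event"] for e in sink]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because a pass only acts when the observed hash differs from the manifest, running it on a schedule is idempotent, which is what curbs the entropy the slide warns about. The heartbeat goes to the log sink on every pass, so a dead agent shows up in monitoring as a missing heartbeat rather than as silence.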
Slide 10 - 4 min
Key Wins
* Continued internal reputation for uptime and deployment stability
* Continued relatively strong rates of change - at the time, doing 10-12 different app code pushes a week plus regular maintenances
* With team 1/3 its original size and 20% budget cuts
Lessons Learned
* Managing (and Selling) Out and Up
* Situational Awareness
* There is much beyond your control
Slide 11 - 4 min
Key Wins
* Raced against the clock (two months) to fix significant deficiencies that were headed for the BoD Annual Report
* Leveraged OSS
* Credibility built with quick wins
Lessons Learned
* Organizational Alignment
* Strategic consolidation of allies
* Empiricism
Slide 12 - 2 min
Key Wins
* The foundational automation and visibility had already been built - so all we had to do was overlay process, lightweight authorization gates/hooks, and connect to ticketing
* Change Management policy completed and accepted for IPO-readiness within 3 weeks.
* Efficient resourcing - just 1.5 people’s time over that period of time
Lessons Learned
* DevOps can be considered a myriad of things (as discussed earlier)
* Key to get credit and alignment at the top on definitions and resourcing
* Important to help socialize people who have been working in silos
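The “lightweight authorization gates/hooks” connected to ticketing, as an added example that is not the presentation's code: the decision logic a pre-receive hook would run on each pushed commit, in Python. A commit that touches gated config paths must reference a ticket that is approved and whose approved scope covers every gated path it changes, so a ticket approved for the web tier cannot be reused to push a database change; every decision becomes a structured audit record for central logging. The CHG-nnnn ticket format, the configs/ prefix, the in-memory ticket table and the sample commits are constructed assumptions, not any real ticketing system's API.

```python
"""Added example: a pre-receive style change gate that ties config changes to
approved tickets. Ticket ID format, gated path prefix and the in-memory ticket
table are constructed assumptions, not any real ticketing system's API."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TICKET_RE = re.compile(r"\bCHG-\d+\b")   # assumed ticket ID format
GATED_PREFIXES = ("configs/",)           # assumed: paths change management covers


@dataclass(frozen=True)
class Ticket:
    status: str   # "approved", "open" or "closed"
    scope: str    # path prefix the approver actually signed off on


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    ticket: Optional[str] = None


def gate_commit(message: str, changed_paths: List[str],
                tickets: Dict[str, Ticket]) -> Decision:
    """Allow the commit unless it touches gated paths without an approved
    ticket whose scope covers every gated path it changes."""
    gated = [p for p in changed_paths if p.startswith(GATED_PREFIXES)]
    if not gated:
        return Decision(True, "no gated paths touched")
    refs = TICKET_RE.findall(message)
    if not refs:
        return Decision(False, "gated paths changed without a ticket reference")
    for ref in refs:
        ticket = tickets.get(ref)
        if ticket is None or ticket.status != "approved":
            continue
        if all(p.startswith(ticket.scope) for p in gated):
            return Decision(True, f"{ref} approved for {ticket.scope}", ref)
    return Decision(False, "no referenced ticket is approved for all gated paths")


def audit_record(sha: str, pusher: str, decision: Decision) -> dict:
    """Record for central logging: who changed what, under which approval."""
    return {"event": "change_gate", "commit": sha, "pusher": pusher,
            "allowed": decision.allowed, "ticket": decision.ticket,
            "reason": decision.reason}


def run_gate(commits: List[dict],
             tickets: Dict[str, Ticket]) -> Tuple[bool, List[dict]]:
    """Evaluate every commit in a push; one failure rejects the whole push,
    but every decision is still recorded."""
    records = [audit_record(c["sha"], c["pusher"],
                            gate_commit(c["message"], c["paths"], tickets))
               for c in commits]
    return all(r["allowed"] for r in records), records


# Constructed sample data: two tickets, five commits in one push.
TICKETS = {
    "CHG-1042": Ticket("approved", "configs/web/"),
    "CHG-1043": Ticket("open", "configs/"),
}
COMMITS = [
    {"sha": "a1b2c3", "pusher": "alice", "message": "Tune nginx keepalive (CHG-1042)",
     "paths": ["configs/web/nginx.conf"]},
    {"sha": "d4e5f6", "pusher": "bob", "message": "Fix README typo",
     "paths": ["README.md"]},
    {"sha": "0718ab", "pusher": "alice", "message": "Rotate db params CHG-1042",
     "paths": ["configs/db/postgresql.conf"]},          # ticket scope too narrow
    {"sha": "9c9c9c", "pusher": "carol", "message": "Open firewall CHG-1043",
     "paths": ["configs/fw/rules.v4"]},                 # ticket not yet approved
    {"sha": "ffff00", "pusher": "dave", "message": "hotfix",
     "paths": ["configs/web/nginx.conf"]},              # no ticket at all
]

if __name__ == "__main__":
    accepted, records = run_gate(COMMITS, TICKETS)
    print("push accepted:", accepted)
    for record in records:
        print(record)
```

The gate is deliberately small: it reuses the SCM and logging the earlier steps already provide, and the only new state is the ticket lookup. Scope checking is what turns a ticket from a magic word in a commit message into an actual authorization.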
Slide 13 - 3 min
Executive Support for Necessary Empowerment - this is essential for knowing what authority and resources to have and negotiate for. If alignment here isn’t possible in an acceptable amount of time, best to walk away.
Know What and How to Measure - This should be simple to grasp, especially to start, and specific to your group’s customers’ needs. Only you and your customer can determine what those truly are, and problem situations require special focus. From Visible Ops Security (p. 23): “Learning usually passes through three stages. In the beginning, you learn the right answers. In the second stage, you learn the right questions. In the third and final stage, you learn which questions are worth asking.”
Clear of Roadblocks - If you are the powers-that-be, know when to get out of the way. If you are not, know who you need to persuade to get out of the way and how to do so gracefully. This goes along with right people, right empowerment, right resources.