Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

The Psychology of Security Automation

314 vues

Publié le

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2gvfe16.

Jason Chan discusses how security teams can use thoughtful tools and automation to improve relationships with development teams while creating a more secure and manageable environment. Filmed at qconsf.com.

Jason Chan is an Engineering Director at Netflix. His areas of responsibility include application, infrastructure, and operational security for the Netflix streaming video service as well as corporate information security. Prior to joining Netflix, he led the information security team at VMware and spent most of his earlier career in security consulting for firms such as @stake and iSEC Partners.

Publié dans : Technologie
  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

The Psychology of Security Automation

  1. 1. The Psychology of Security Automation Jason Chan QCon San Francisco 2016 @chanjbs
  2. 2. InfoQ.com: News & Community Site • 750,000 unique visitors/month • Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese) • Post content from our QCon conferences • News 15-20 / week • Articles 3-4 / week • Presentations (videos) 12-15 / week • Interviews 2-3 / week • Books 1 / month Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ security-automationi-collaboration
  3. 3. Purpose of QCon - to empower software development by facilitating the spread of knowledge and innovation Strategy - practitioner-driven conference designed for YOU: influencers of change and innovation in your teams - speakers and topics driving the evolution and innovation - connecting and catalyzing the influencers and innovators Highlights - attended by more than 12,000 delegates since 2007 - held in 9 cities worldwide Presented at QCon San Francisco www.qconsf.com
  4. 4. Opportunities for Developers are also Opportunities for Security Teams
  5. 5. Opportunities + History = Powerful Tools
  6. 6. Design Principles for Security Automation
  7. 7. Design Principles Integrate Security++ Transparency Low Touch and Decoupled Reduce Cognitive Load
  8. 8. SSL
  9. 9. Lemur https://github.com/Netflix/lemur
  10. 10. Lemur One-stop shop for SSL certificate management Request, provision, deploy, monitor, escrow Identify SSL configuration issues Plugin architecture to extend as necessary
  11. 11. Lemur Certificate Creation Create and Escrow Keys Create CSR Certificate Authority Issue Certificate Deploy to AWS Account(s)
  12. 12. Lemur Takeaways APIs = Opportunities Focus automation investments on persistent, difficult, common problems Security++
  13. 13. Permissions Management and Access Control
  14. 14. Goal = Least Privilege
  15. 15. But . . .
  16. 16. “It is often easier to ask for forgiveness than to ask for permission” – Grace Hopper
  17. 17. AWS Permissions Management •  Innovation is enabled by composition of multiple services, but . . . . •  Sophisticated policy language •  2500+ individual API calls •  New services and features released weekly
  18. 18. Repoman: Right-Sizing AWS Permissions
  19. 19. Repoman Benefits Low-risk access reduction Transparent and versioned operations Enables innovation and high-velocity development Security++
  20. 20. Rollie Pollie – AWS Permissions Management via ChatOps
  21. 21. ChatOps Basics
  22. 22. Rollie Pollie
  23. 23. Rollie Pollie Benefits Engineering-native workflows Transparent decisions Automated, secure, consistent ChatOps allows quicker changes and reduced context switching
  24. 24. Security in the Development Lifecycle
  25. 25. Security in the Agile Lifecycle 17 steps across 7 phases L
  26. 26. Application Risk Assessment
  27. 27. Application Risk Assessment Historic Issues Spreadsheet and human-driven One-time Presupposes managed intake Now Objective observability Ongoing analysis No humans required!
  28. 28. Penguin Shortbread: Automated Risk Analysis for Microservice Architectures
  29. 29. Penguin Shortbread Operation Passively and continually analyze system dimensions, e.g.: •  Instance count •  Dependencies •  Connectivity to sensitive systems •  Internet-accessibility •  AWS account location
  30. 30. Risk Assessment Develop risk scoring based on observations Use risk scoring to prioritize efforts
  31. 31. Application Risk Metric Metric summary Scoring
  32. 32. Application Risk Rollup Metrics Risk metrics by region/environment
  33. 33. Developer View in Context
  34. 34. Penguin Shortbread Benefits Low touch and ongoing Objective and transparent view to application risk Simple prioritization helps reduce cognitive load
  35. 35. Security Requirements
  36. 36. Security Requirements via Production Ready
  37. 37. Production Ready SRE-driven developer outreach program Evangelize well-established patterns and practices, e.g.: •  Deployment •  Monitoring and Alerting •  Testing Automated scoring Uncover risk and reward operational excellence
  38. 38. Security-Specific Production Ready Measures App-Specific Security Group App-Specific IAM Role No plaintext secrets in code
  39. 39. Production Ready Scorecard Tracking over time
  40. 40. Production Ready Benefits Security integrated with other measures of readiness Simple to evaluate compliance Paved road lowers cognitive load Easy to extend as capabilities expand
  41. 41. Takeaways •  Security teams can and should leverage the high- velocity development ecosystem •  Shared history provides both lessons and input to development •  Aim to make security more integrated and ubiquitous while also improving other system characteristics
  42. 42. Questions? Jason Chan QCon San Francisco 2016 @chanjbs
  43. 43. Watch the video with slide synchronization on InfoQ.com! https://www.infoq.com/presentations/ security-automationi-collaboration