• Home

  • Documents

  • Continuous Security – Securing Clouds in a DevOps World
23
Vinay Bansal Security Architect, Cisco Systems Oct. 2016 Continuous Security Securing Clouds in a DevOps World

Continuous Security – Securing Clouds in a DevOps World

Embed Size (px)

Citation preview

Page 1: Continuous Security – Securing Clouds in a DevOps World

Vinay Bansal

Security Architect, Cisco Systems

Oct. 2016

Continuous Security –Securing Clouds in a DevOps World

Page 2: Continuous Security – Securing Clouds in a DevOps World

• Cloud and Devops

• Why traditional security does not help

• Automation Demo

• Building Security with Devops• Security is visible

• Security is Automated

• Security Individuals Embedded

• Key Takeaways

Outline

Page 3: Continuous Security – Securing Clouds in a DevOps World

Nexus of Four Forces

Cloud

Agile

Devops

Stack

Page 4: Continuous Security – Securing Clouds in a DevOps World

Security: Traditional vs. New Reality

Page 5: Continuous Security – Securing Clouds in a DevOps World

• Security Slows down

• Security always says “No”

• Infosec not embracing new norms• Cloud

• Agile

• Virtualization

Devops : Security Preconception

Page 6: Continuous Security – Securing Clouds in a DevOps World

DevOps Reaction to Security

Page 7: Continuous Security – Securing Clouds in a DevOps World

Breaches and Security Threats on Rise

Page 8: Continuous Security – Securing Clouds in a DevOps World

1. Insecure Configs and Setups

2. Stack (Opensource) Vulnerabilities

3. Credential Management

4. Appcode (homegrown) Vulnerabilities

5. Lack of Active Log Analysis and Monitoring

Top Reasons for Security Incidents

Page 9: Continuous Security – Securing Clouds in a DevOps World

• 100 % Security – Right?

What is Security Goal?

Page 10: Continuous Security – Securing Clouds in a DevOps World

What is Security Goal?

Page 11: Continuous Security – Securing Clouds in a DevOps World

How ?

Page 12: Continuous Security – Securing Clouds in a DevOps World
Page 13: Continuous Security – Securing Clouds in a DevOps World
Page 14: Continuous Security – Securing Clouds in a DevOps World
Page 15: Continuous Security – Securing Clouds in a DevOps World
Page 16: Continuous Security – Securing Clouds in a DevOps World
Page 17: Continuous Security – Securing Clouds in a DevOps World

Security Automation: Demo

Page 18: Continuous Security – Securing Clouds in a DevOps World

MULTIPLE DEPLOYMENT MODELS

NORAD CLOUD(SECaaS)

• Plug and Play for users

NORAD HYBRID• User leverage Norad

Relay machine to

preform scans of

private assets

• Results still stored in

Norad Cloud

ENTERPRISE

• On-site deployment of all Norad infrastructure

Page 19: Continuous Security – Securing Clouds in a DevOps World

Demo

Page 20: Continuous Security – Securing Clouds in a DevOps World

NORAD Capabilities- Current and Planned

Platform Features

• Blackbox and Whitebox testing

• Cloud, hybrid, and on-prem operational models

• Web UI for defining assets, launching tests, and

viewing results

• Full API support for automation

• Cross-platform agent

• Cisco SSO integration

• Email notifications

• Community-based model for adding and

developing security test content

• Security containers for security tests

Security Tests Included

• Qualys vulnerability scanning

• Qualys WAS testing (OWASP top 10 testing)

• Qualys Compliance Check Scanning

• CIS Server Benchmarks

• CIS Docker Host hardening validation

• Docker Image vuln scanning

• OpenStack hardening validation

• Nmap/sslyze crypto tests

• Credentials brute-force testing

• CSDL PSB Validation (12)SEC-OPS-PUBCRYP-2, SEC-OPS-STRENGTH, SEC-DEF-CRED-2, SEC-INT-CRED-2, SEC-CRY-PRM, SEC-AUT-ACCDEF, SEC-CRY-STDCODE, SEC-509-CERTEXT, SEC-509-CHAIN, SEC-509-FQDN, SEC-509-LIFETIME, SEC-509-REVOKE

Page 21: Continuous Security – Securing Clouds in a DevOps World
Page 22: Continuous Security – Securing Clouds in a DevOps World

Questions?

Page 23: Continuous Security – Securing Clouds in a DevOps World

SECURING DEVOPS AT THE SPEED OF BUSINESS - Venafi · 2019-12-12 · Page 3 of 8 I SECURING DEVOPS AT THE SPEED OF BUSINESS But the speed of DevOps does not have to come at the expense

SECURING DEVOPS AT THE SPEED OF BUSINESS - Venafi · 2019-12-12 · Page 3 of 8 I SECURING DEVOPS AT THE SPEED OF BUSINESS But the speed of DevOps does not have to come at the expense

Documents
Securing DevOps

Securing DevOps

Presentations & Public Speaking
Securing Serverless and Container Services...Securing Serverless and Container Services Marc Schröter AWS DevOps Engineer @ globaldatanet Community Day 2019 Sponsors DevOps Automation

Securing Serverless and Container Services...Securing Serverless and Container Services Marc Schröter AWS DevOps Engineer @ globaldatanet Community Day 2019 Sponsors DevOps Automation

Documents
PRINCIPLES FOR Securing DevOps...As DevOps thought leader Gene Kim has noted, DevOps practices explicitly seek to align the potentially at-odds goals of “make changes quickly”

PRINCIPLES FOR Securing DevOps...As DevOps thought leader Gene Kim has noted, DevOps practices explicitly seek to align the potentially at-odds goals of “make changes quickly”

Documents
Securing Kubernetes Workloads on AWS · 2020-04-22 · Securing Kubernetes Workloads on AWS As companies increasingly adopt DevOps practices and the cloud-native stack, they must

Securing Kubernetes Workloads on AWS · 2020-04-22 · Securing Kubernetes Workloads on AWS As companies increasingly adopt DevOps practices and the cloud-native stack, they must

Documents
FIVE PRINCIPLES FOR Securing DevOps - Bitpipedocs.media.bitpipe.com/io_13x/io_134470/item_1441706/Five... · 2016-10-28 · FIVE PRINCIPLES FOR SECURING . DEVOPS 3. THIS PAPER. ovides

FIVE PRINCIPLES FOR Securing DevOps - Bitpipedocs.media.bitpipe.com/io_13x/io_134470/item_1441706/Five... · 2016-10-28 · FIVE PRINCIPLES FOR SECURING . DEVOPS 3. THIS PAPER. ovides

Documents
Securing Systems at Cloud Scale · 2015-12-02 · Securing Systems at Cloud Scale Ian Massingham, Technical Evangelist @IanMmmm. DevSecOps ... secure. What is DevSecOps DevOps = Efficiencies

Securing Systems at Cloud Scale · 2015-12-02 · Securing Systems at Cloud Scale Ian Massingham, Technical Evangelist @IanMmmm. DevSecOps ... secure. What is DevSecOps DevOps = Efficiencies

Documents
Securing Servers in Public and Hybrid Clouds

Securing Servers in Public and Hybrid Clouds

Technology
Securing Your Public Hybrid Cloud · Hybrid IT Infrastructure A hybrid cloud that mixes on-premise data centers/private clouds with public clouds requires rigorous management. Fortinet

Securing Your Public Hybrid Cloud · Hybrid IT Infrastructure A hybrid cloud that mixes on-premise data centers/private clouds with public clouds requires rigorous management. Fortinet

Documents
SECURING DEVOPS AT THE SPEED OF BUSINESS - Venafi · PDF file Page 2 of 8 I SECURING DEVOPS AT THE SPEED OF BUSINESS Introduction ... developers find it easier to ignore certificates

SECURING DEVOPS AT THE SPEED OF BUSINESS - Venafi · PDF file Page 2 of 8 I SECURING DEVOPS AT THE SPEED OF BUSINESS Introduction ... developers find it easier to ignore certificates

Documents
What SDN Really Means to Enterprise IT in the Age of DevOps & Open Clouds

What SDN Really Means to Enterprise IT in the Age of DevOps & Open Clouds

Technology
DASA DEVOPS FUNDAMENTALS - EDUCORE...• Different Types of Clouds to Operate Automated Provisioning Concepts: • Desired State Configuration • Automated Provisioning with Mutable

DASA DEVOPS FUNDAMENTALS - EDUCORE...• Different Types of Clouds to Operate Automated Provisioning Concepts: • Desired State Configuration • Automated Provisioning with Mutable

Documents
Taking a DevOps Approach to Securing Privileged ... · SESSION ID: #RSAC Jeffrey Kok. Taking a DevOps Approach to Securing Privileged Credentials in DevOps. Senior Director, Asia

Taking a DevOps Approach to Securing Privileged ... · SESSION ID: #RSAC Jeffrey Kok. Taking a DevOps Approach to Securing Privileged Credentials in DevOps. Senior Director, Asia

Documents
Managing 50K+ Redis Databases Over 4 Public Clouds ... with a Tiny Devops Team

Managing 50K+ Redis Databases Over 4 Public Clouds ... with a Tiny Devops Team

Technology
Top 10 Considerations for Securing Private Clouds

Top 10 Considerations for Securing Private Clouds

Technology
T-DOSE 2010 - Agile Enterprise, CLouds and Devops

T-DOSE 2010 - Agile Enterprise, CLouds and Devops

Technology
SPACE4Clouds: a DevOps Environment for multi-Clouds Applications

SPACE4Clouds: a DevOps Environment for multi-Clouds Applications

Software
Securing the container DevOps pipeline by William Henry

Securing the container DevOps pipeline by William Henry

Presentations & Public Speaking
SECURING DEVOPS AT THE SPEED OF BUSINESS

SECURING DEVOPS AT THE SPEED OF BUSINESS

Documents
Securing Your Data for the Journey to the Clouds - SNIA · PDF fileSecuring Your Data for the Journey to the Clouds ... •DLP, cloud data security, big data & security, math modeling

Securing Your Data for the Journey to the Clouds - SNIA · PDF fileSecuring Your Data for the Journey to the Clouds ... •DLP, cloud data security, big data & security, math modeling

Documents
A Security Control Language for Securing Continuous ... · A Security Control Language for Securing Continuous Deployments Brian Eddy, Norman Wilde. The Problem DevOps Agile deployment

A Security Control Language for Securing Continuous ... · A Security Control Language for Securing Continuous Deployments Brian Eddy, Norman Wilde. The Problem DevOps Agile deployment

Documents
A 360˚ Approach in Securing Cloud - Qualys€¦ · Securing Public Clouds Using Qualys Customer Case Studies Reduced application releases from 2 weeks to 24 hrs by automating security

A 360˚ Approach in Securing Cloud - Qualys€¦ · Securing Public Clouds Using Qualys Customer Case Studies Reduced application releases from 2 weeks to 24 hrs by automating security

Documents
Devops Devops Devops

Devops Devops Devops

Technology
DevOps in the clouds

DevOps in the clouds

Technology
DevOps Pipelines with Jenkins X on SUSE CaaS Platform...Kubernetes deployment and configuration tool (multi -clouds)-« CI/CD/DevOps » tooling using Git, Jenkins, Skaffold, Helm…-Simple/efficient

DevOps Pipelines with Jenkins X on SUSE CaaS Platform...Kubernetes deployment and configuration tool (multi -clouds)-« CI/CD/DevOps » tooling using Git, Jenkins, Skaffold, Helm…-Simple/efficient

Documents
Securing DevOps, RMF and STIG

Securing DevOps, RMF and STIG

Documents
SAAM1146BES Best Practices for Securing Hybrid … Greenberg | Head of Cloud Security BU SAAM1146BES #VMworld #SAAM1146BES Best Practices for Securing Hybrid Clouds with VMware, AWS

SAAM1146BES Best Practices for Securing Hybrid … Greenberg | Head of Cloud Security BU SAAM1146BES #VMworld #SAAM1146BES Best Practices for Securing Hybrid Clouds with VMware, AWS

Documents
Securing 5G Mobile Networks Built on Distributed Telco · PDF fileSecuring 5G Mobile Networks Built on Distributed Telco Clouds ... for individual applications ... Securing 5G Mobile

Securing 5G Mobile Networks Built on Distributed Telco · PDF fileSecuring 5G Mobile Networks Built on Distributed Telco Clouds ... for individual applications ... Securing 5G Mobile

Documents
DevOps, CI, APIs, Oh My! Security Gone Agile - SANS · DevOps, CI, APIs, Oh My! Security Gone Agile Matt Tesauro, SANS AppSec 2014 – Austin, TX, February 2014 . RACKSPACE ... Securing

DevOps, CI, APIs, Oh My! Security Gone Agile - SANS · DevOps, CI, APIs, Oh My! Security Gone Agile Matt Tesauro, SANS AppSec 2014 – Austin, TX, February 2014 . RACKSPACE ... Securing

Documents
Securing DevOps...The Evolution and Revolution Today, DevOps is an understood set of practices and cultural values that has been proven to help organizations of all sizes improve their

Securing DevOps...The Evolution and Revolution Today, DevOps is an understood set of practices and cultural values that has been proven to help organizations of all sizes improve their

Documents