Security and DevOps - Managing Security in a DevOps Enterprise

© 2015 IBM Corporation

Sanjeev Sharma
CTO, DevOps Technical Sales and Adoption
IBM Distinguished Engineer

Security and DevOps: How to Manage Security in a DevOps Enterprise

Transcript of Security and DevOps - Managing Security in a DevOps Enterprise



DevOps Review


DevOps: Origins


What does the Line of Business want from IT?

[Diagram: stakeholders around an IT delivery team]
Line-of-business side: Customer, Product Owner, Senior Executives, Users, Domain Experts, Auditors, Gold Owner, Support Staff, External System
IT side: Team (Team Lead, Team Members), Operations Staff

Agility - Velocity - Innovation


DevOps approach: Apply Lean principles to accelerate feedback and improve time to value

[Diagram: feedback loop between Line-of-business, People/Process, and Customer, with steps numbered 1 to 3]

1. Get ideas into production fast
2. Get people to use it
3. Get feedback

Continuously Improve:
I. Application Delivered
II. Environment Deployed
III. Application and Environment Delivery Process


Security and the Application Delivery Pipeline


Delivering a Business Capability – Hybrid Applications, Hybrid Platforms, Hybrid Teams

[Diagram: one Business Capability delivered by Application A, Application B, Application C ... Application N]


Three Levels of Security

1. Secure the Perimeter
2. Secure the Delivery Pipeline
3. Secure the Deliverable

http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/

Secure the Perimeter


Secure the Delivery Pipeline

• Secure Engineering
• Access and Control
• Secure Build and Deploy
• Security Testing of Scripts
• Separation of Duties


Secure the Deliverable

[Diagram: Full Stack Blueprint with Policies applied at every layer: Application, Middleware Config, Middleware, OS Config, Hardware]

Secure:
• Code
• Packages
• Components
• Configurations
• Content
• Policies
• Roles


Risks and Vulnerabilities - Delivery Pipeline and Deliverables

1. Vulnerabilities related to the supply chain
2. Insider attacks
3. Errors and mistakes in the development project
4. Weaknesses in the design, code, and integration
5. API Economy and Security

http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/


Vulnerabilities related to the supply chain

[Diagram: deliverable assembled from components sourced from External Supplier A, External Supplier B, Internal Supplier A and Internal Supplier B]

Insider attacks


Errors and mistakes in the development project

[Diagram: batch-size comparison of three pipeline configurations, with stage throughputs of 1 per min / 1 per min, 4 per min / 1 per min, and 4 per min / 4 per min]

• Reduce Batch size
  – Integrated Delivery Pipeline
  – Agile Development
• Continuous Security Testing
• Continuous Validation

Weaknesses in the design, code, and integration

http://www-03.ibm.com/security/secure-engineering/


The API economy and security


Adopting a (Secure) DevOps Architecture


Multi-Speed IT – Innovation vs Optimization

Agile/Innovation Edge – Rapid Delivery for Innovation
• Agile
• Antifragile
• Experimentation
• New and Innovative
Hybrid Cloud • PaaS

Industrialized Core – Deliver at regular cadence
• Waterfall -> Agile
• Stability
• Predictability
• Lean Delivery pipeline
• Core and Legacy
Hybrid Infrastructure – Physical, Cloud • IaaS/PaaS

[Diagram axis: Speed vs Risk]

App Development, Orchestration, Integration, Security, Management, Governance


Multi-Speed IT – Touchpoints

Agile/Innovation Edge: Cloud Native, 12-factor Apps, Microservices, DevOps
PaaS, Containers
IBM Bluemix Platform • Containers • Microservices
IBM Garage Method

Industrialized Core: Traditional Development, DevOps, Monolithic Apps, Cloud-ready
Traditional IT, Private/Local Cloud, Dedicated Off-prem Cloud, Public Cloud, PaaS, Containers
UrbanCode • IBM Rational Tools • Middleware Portfolio • API Management • ITSM
IBM Cloud Orchestrator • IBM PureApplication • Gravitant

Touchpoints between the two speeds: Release Management, Planning, Deployment Automation, Orchestration, Brokerage, Test Virtualization, APIs


Reference Architecture : DevOps Multi-Speed IT

[Diagram: IBM Architecture Center reference architecture. Bluemix: Track & Plan, Develop, Build, Deploy, Release, Test; Source Control, Delivery Pipeline, Web IDE (.js), Live Sync, Active Deploy, Auto Scaling, Runtime Environments, Runtimes & Containers, Secure Gateway, API Management; On-premises Systems. Flow steps numbered 1 to 10 in the original diagram.]

https://developer.ibm.com/architecture/


Start Here: Value Stream Mapping for Identifying and Addressing bottlenecks


Mapping your Delivery Pipeline

[Diagram: value stream map from Idea/Feature/Bug Fix/Enhancement to Production]
Stages: Development, Build, QA, SIT, UAT, Prod
Roles: PMO, Requirements/Analyst, Developer, Build Engineer, QA Team, Integration Tester, User/Tester, Operations, Deployment Engineer, Release Management, Customers, Line of Business, Customer or Customer Surrogate
Repositories and patterns: Code Repository, Artifact Repository, Infrastructure as Code/Cloud Patterns
Flows: Tasks, Artifacts, Deploy, Get Feedback, Feedback
Metrics - Reporting/Dashboarding


Questions?
