10. What Security Is (or Should Be)
• Partnership not conflict
• Servicing and Protecting all customers
• Allowing increased risk appetite
• Enabling the business to do business
DEVOPSDAYS AUSTIN 2012
19. Getting Security to Listen
"Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."
- CISA
20. Getting Security to Listen
Let the business do business with the right controls
21. Talking Controls
• Provisioning & Deployment: Efficiency
• Configuration Management: Inconsistency is the enemy of security
• Incident Management: Information is King
• Audit: Magic away auditors
23. DevOps & Security
• Get roles and responsibilities right
• Security people are (skilled) people too
• Risk Register diving
24. Dev & Security
• Put Security people into Dev
• Gather security requirements early
• Designed for security == Deployed sanely & securely
25. Ops & Security
• Embed Security into Ops escalation
• Invite Security to post-mortems
• Expose Security to your metrics & data
26. Thanks
James Turnbull
james@puppetlabs.com
@kartar
http://www.kartar.net
Editor's note
----- Meeting Notes (4/1/12 15:14) -----
1. Firewall rules faster
2. Three things:
- Information: What's vuln
- Remediation: Fix it once and fast.
- Consistency: things stay fixed