
Compliance as Code

64 views

Published on

As presented at Wellington Code Camp.

DevOps is not just about deploying software, it’s about reducing bottlenecks and bringing value to the business. By utilizing DevOps techniques we can build a strong security practice that everybody is invested in, even your Developers and Operations Teams!

Published in: Technology

Compliance as Code

  1. Compliance as Code. Paul Czarkowski, @pczarkowski. © Copyright 2018 Pivotal Software, Inc. All rights reserved. Version 1.0
  2. Ugh, not another DevOps talk
  3. Paul Czarkowski, Developer Advocate at Pivotal Software
     ● Systems Administrator
     ● DevOps Practitioner
     ● Open Source Contributor
  4. Agenda
     ■ Who I Am
     ■ What is Compliance?
     ■ What is DevOps?
     ■ Compliance as Code
     ■ Q+A
  5. What is Compliance?
  6. What is Compliance?
     Self imposed:
     ● CIS Controls / Benchmarks
     ● Security Technical Implementation Guide (STIG)
     ● Allowed open source licenses
     Regulatory:
     ● PCI (US)
     ● HIPAA (US)
     ● Sarbanes-Oxley (US)
     ● EU GDPR
     ● NZ Information Security Manual (NZISM)
  7. Compliance, Controls, Audit
     ● Specifications: documentation of the requirements that must be met in order to be compliant (PDFs, verbose)
     ● Controls: the practice, policy or procedure established to meet the compliance requirements (spreadsheets, checklists, SharePoint pages)
     ● Verification (audit): validation of compliance based on the controls in place (checklists, external auditors)
  8. Example of Compliance Specifications
  9. Example of Compliance Specifications
  10. Compliance Officer, Operations, Security Officer, Auditor
  11. Agenda: Who I Am; What is Compliance?; What is DevOps?; Compliance as Code; Q+A
  12. What is DevOps?
  13. LEAN
  14. http://blog.d2-si.fr/2016/02/22/devopsconnection/
  15. Rugged DevOps, DevSecOps, Secure DevOps
  16. Agenda: Who I Am; What is Compliance?; What is DevOps?; Compliance as Code; Q+A
  17. Compliance as Code
  18. [Platform overview diagram: Pivotal Application Service (PAS, "cf push", buildpacks for Java / .NET / NodeJS, Spring Boot, Spring Cloud, Steeltoe) and Pivotal Container Service (PKS, "kubectl run"); embedded OS (Windows & Linux) and CPI (15 methods) on vSphere, AWS, Azure & Azure Stack, Google Cloud and OpenStack; Pivotal Network, GitHub and Concourse for continuous delivery; Pivotal Services Marketplace via the Open Service Broker API; the "3Rs": Repair (CVEs), Repave, Rotate (CredHub)]
  19. Pivotal Cloud Foundry Ops, powered by BOSH. BOSH is an open source tool for release engineering, deployment, lifecycle management, and monitoring of distributed systems.
     ● Packaging with embedded OS
     ● Server provisioning on any IaaS
     ● Software deployment across availability zones
     ● Health monitoring (server AND processes)
     ● Self-healing with the Resurrector
     ● Storage management
     ● Rolling upgrades via canaries
     ● Easy scaling of clusters
  22. Culture
  23. Adopting a DevOps culture. Despite varying approaches to describing high-performance teams, there is a set of common characteristics that are recognised to lead to success (https://en.wikipedia.org/wiki/High-performance_teams):
     ● Participative leadership: using a democratic leadership style that involves and engages team members
     ● Effective decision-making: using a blend of rational and intuitive decision-making methods, depending on the nature of the decision task
     ● Open and clear communication: ensuring that the team mutually constructs shared meaning, using effective communication methods and channels
     ● Valued diversity: valuing a diversity of experience and background in the team, contributing to a diversity of viewpoints and leading to better decision making and solutions
     ● Mutual trust: trusting in other team members and trusting in the team as an entity
     ● Clear goals: goals that are developed using SMART criteria; each goal must also have personal meaning and resonance for each team member, building commitment and engagement
     ● Defined roles and responsibilities: each team member understands what they must do (and what they must not do) to demonstrate their commitment to the team and to support team success
     ● Positive atmosphere: an overall team culture that is open, transparent, positive, future-focused and able to deliver success
  24. Lean
  25. https://imgur.com/gallery/kMJWs
  26. https://www.slideshare.net/KarenMartinGroup/value-stream-mapping-in-office-service-setttings
  27. Mappable processes that include security / compliance
     Application release:
     ● Vulnerability scanning
     ● Security scanning (SQL injection etc.)
     ● License scanning
     ● Attribution
     Compliance audits:
     ● Vulnerability scanning
     ● Security scanning (SQL injection etc.)
     ● Package updates
     ● OS inspection
     Infrastructure provisioning:
     ● OS hardening
     ● Firewalling
     ● User management
     ● Remote logging and auditing
     ● Intrusion detection
     ● Vulnerability scanning
  28. Value stream map for provisioning a new server, current state: Prepare Request → Network / VLANs → Launch VM / Install OS → Test Compliance → Deliver. Timings annotated on the slide: 1-5 days and 1-2 days per step.
  29. Value stream map for provisioning a new server, future state: Deploy VM → Configure VM → Test Compliance → Deliver. Timings annotated on the slide: 1-5 days and 1-2 hours per step.
  30. Value stream map for provisioning a new server, future state
  31. Automation
  32. Tooling
     ● Implements STIG controls via Ansible playbooks
     ● Open source project started at Rackspace
     ● Plays well with existing config management
     ● Easily override problematic controls
     ● Extends RSpec for compliance testing
     ● Similar to Serverspec, but better
     ● Easy to go from Serverspec to InSpec
     ● inspec-stig is all of STIG already written as InSpec tests
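The slide's "compliance as code" loop (a control set tested automatically, with problematic controls overridable instead of silently failing the run) as an added example in plain Ruby, written here to illustrate the talk; it is not InSpec, not inspec-stig, and not code from the deck. The sshd_config content, the control ids (ssh-01 etc.) and the waiver reasons are constructed, not real STIG or CIS identifiers.

```ruby
# Constructed sample sshd_config; not a real host's file.
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sample
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
  Protocol 2
CONF

# Parse sshd_config into { lowercased keyword => value }.
# sshd uses the first occurrence of a keyword, so later duplicates are ignored.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    cfg[key.downcase] ||= value
  end
end

# Hardening controls in the InSpec/Serverspec spirit: id, title, impact, check.
# Ids are hypothetical placeholders, not STIG/CIS numbers.
CONTROLS = [
  { id: 'ssh-01', title: 'Root login over SSH is disabled', impact: 1.0,
    check: ->(c) { c['permitrootlogin'] == 'no' } },
  { id: 'ssh-02', title: 'Password authentication is disabled', impact: 0.7,
    check: ->(c) { c['passwordauthentication'] == 'no' } },
  { id: 'ssh-03', title: 'SSH protocol 2 only', impact: 1.0,
    check: ->(c) { c.fetch('protocol', '2') == '2' } }
].freeze

# Evaluate every control; a waiver (id => documented reason) records the
# control as :skipped rather than :failed, i.e. the "override" on the slide.
def run_controls(config_text, controls: CONTROLS, waivers: {})
  cfg = parse_sshd_config(config_text)
  controls.map do |ctl|
    status = if waivers.key?(ctl[:id]) then :skipped
             elsif ctl[:check].call(cfg)  then :passed
             else :failed
             end
    { id: ctl[:id], title: ctl[:title], impact: ctl[:impact],
      status: status, reason: waivers[ctl[:id]] }
  end
end

# Audit-style summary: compliant only when no unwaived control failed.
def summarize(results)
  counts = results.group_by { |r| r[:status] }.transform_values(&:size)
  { passed: counts.fetch(:passed, 0), failed: counts.fetch(:failed, 0),
    skipped: counts.fetch(:skipped, 0), compliant: counts.fetch(:failed, 0).zero? }
end
```

Run it with `run_controls(SAMPLE_SSHD_CONFIG)` to see ssh-01 fail on `PermitRootLogin yes`, and with `waivers: { 'ssh-01' => 'documented exception' }` to see the same control reported as skipped with its reason kept for the auditor.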
  33. Example of Compliance Specifications
  34. Measurement
  35. Sharing
  36. What's Next?
  37. LEAN
  38. https://en.wikipedia.org/wiki/Continuous_delivery
  39. Other security / compliance tools
     ● Gauntlt (security testing framework)
     ● Metasploit (penetration testing)
     ● Syntribos (API security testing)
     ● Pivotal LicenseFinder (scanning licenses of dependencies)
     ● Snort (intrusion detection)
     ● Fossology (license compliance)
     ● OpenVAS (vulnerability scanning)
     ● OSSEC (intrusion detection)
  40. Questions?
  41. Transforming How The World Builds Software
