4. Securing the Enterprise is Harder Than Ever
The way we develop, deploy and manage IT is changing dramatically:
- Applications & devices outside of IT control
- Cloud computing
- Software-defined infrastructure
- Dissolving security perimeter
- Menacing threat landscape
TRADITIONAL NETWORK-BASED DEFENSES ARE NO LONGER ENOUGH
7. TRYING TO INNOVATE AND REMAIN SECURE AT THE SAME TIME
Source: TechValidate. https://www.techvalidate.com/tvid/885-BC3-190
Funding for cloud infrastructure is taking a clear priority in 2017, with security and management still mandatory investments to keep it all under control.
What are your organization's top IT funding priorities for 2017?* (*Select all that apply)
- Cloud infrastructure (private, public or hybrid): 70%
- Security and compliance: 49%
- IT management, automation, orchestration: 48%
- Big data, analytics: 42%
- Optimizing or modernizing existing IT: 36%
- Integration of applications, data or processes: 31%
- Containers: 29%
- Cloud-native or mobile applications: 28%
- Storage: 23%
8. IMPLEMENT BOTH AGILE & IMPROVED GOVERNANCE PROCESSES
Source: TechValidate. https://www.techvalidate.com/tvid/7A6-663-C71
Compliance and governance remain a top priority, but agile and DevOps processes have shot to the top of our customers' list this year. This is the only way they will achieve innovation at the speed they need to compete and win.
What are your organization's top priorities around IT cultural or process changes?* (*Select all that apply)
- Agile development: 64%
- DevOps processes or methodologies: 54%
- Compliance or governance processes: 41%
- User experience: 26%
- Digital strategies: 23%
- Using more open source: 11%
- IT staff training: 23%
- IT staff retention: 10%
- IT staff recruitment: 6%
- Stopping shadow IT: 3%
10. SECURITY MUST BE CONTINUOUS
And integrated throughout the IT lifecycle
Security policy, process & procedures at every stage:
- DESIGN: Identify security requirements & governance models
- BUILD: Built-in from the start; not bolted-on
- RUN: Deploy to trusted platforms with enhanced security capabilities
- MANAGE: Automate systems for security & compliance
- ADAPT: Revise, update, remediate as the landscape changes
11. CONTINUOUS SECURITY WITH NIST
- DESIGN: Define security requirements based on NIST 800-53
- BUILD: Build required protections like web SSO into your applications
- RUN: Run on platforms with embedded protective technology like SELinux
- MANAGE: Automate compliance with DISA STIG; use automated detection & remediation technologies
- ADAPT: Continuously evaluate effectiveness and revise as needed
NIST functions: Identify, Protect, Detect, Respond, Recover; COMMUNICATE
12. Risk Management
Identify, Analyse, Plan, Track, Control, Communicate
"The objectives of risk management are to identify, address, and eliminate software risk items before they become either threats to successful software operation or major sources of software rework." Barry W. Boehm
Approaches to dealing with risk:
- Reduction - reduce likelihood
- Protection - bottom-up prevention
- Transfer - let someone else share or hold
- Pecuniary - set aside contingency fund of resources
15. OPEN SOURCE ADOPTION...SOARING
78% of enterprises run open source. [1]
65% of companies are contributing to open software. [2]
[1] Black Duck Software, 9th Annual Future of Open Source survey, 2015. www.blackducksoftware.com/2015-future-of-open-source
[2] Black Duck Software, 10th Annual Future of Open Source survey, 2016. www.blackducksoftware.com/2016-future-of-open-source
20. DEVOPS
- Everything as code
- Automate everything
- Application is always "releaseable"
- Continuous Integration/Delivery
- Application monitoring
- Rapid feedback
- Delivery pipeline
- Rebuild vs. Repair
21. A Solution
Adopting a container strategy will allow applications to be easily shared and deployed.
22. WHAT ARE CONTAINERS?
It Depends Who You Ask
INFRASTRUCTURE
● Sandboxed application processes on a shared Linux OS kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
APPLICATIONS
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components
31. WE NEED MORE THAN JUST CONTAINERS
- Scheduling: Decide where to deploy containers
- Lifecycle and health: Keep containers running despite failures
- Discovery: Find other containers on the network
- Monitoring: Visibility into running containers
- Security: Control who can do what
- Scaling: Scale containers up and down
- Persistence: Survive data beyond container lifecycle
- Aggregation: Compose apps from multiple containers
32. Kubernetes is an open-source system for automating deployment, operations, and scaling of containerized applications across multiple hosts.
39. DEVOPS WITH CONTAINERS AND KUBERNETES
Not enough! Need metrics and logging
Stack so far: NETWORK; IMAGE REGISTRY; METRICS AND LOGGING (heapster)
40. DEVOPS WITH CONTAINERS AND KUBERNETES
Not enough! Need application lifecycle management
Stack so far: NETWORK; IMAGE REGISTRY; METRICS AND LOGGING; APP LIFECYCLE MGMT
41. DEVOPS WITH CONTAINERS AND KUBERNETES
Not enough! Need application services, e.g. database and messaging
Stack so far: NETWORK; IMAGE REGISTRY; METRICS AND LOGGING; APP LIFECYCLE MGMT; APP SERVICES
42. DEVOPS WITH CONTAINERS AND KUBERNETES
Not enough! Need self-service portal
Stack so far: NETWORK; IMAGE REGISTRY; METRICS AND LOGGING; APP LIFECYCLE MGMT; APP SERVICES; SELF-SERVICE
43. NOT ENOUGH, THERE IS MORE!
- Routing & Load Balancing
- Multi-tenancy
- CI/CD Pipelines
- Role-based Authorization
- Capacity Management
- Chargeback
- Vulnerability Scanning
- Container Isolation
- Image Build Automation
- Quota Management
- Teams and Collaboration
- Infrastructure Visibility
46. OpenShift for Government
Accreditations & Standards (timeline)
- OCTOBER 2016: RHEL7 COMMON CRITERIA
  - EAL4+
  - Container Framework
  - Secure Multi-tenancy
- DECEMBER 2016: RHEL7 FIPS 140-2 CERTIFIED
  - Data at Rest
  - Data in Transport
- MARCH 2017: INDUSTRY FIRST: NIST CERTIFIED CONFIGURATION AND VULNERABILITY SCANNER FOR CONTAINERS
- JUNE 2017: OPENSHIFT BLUEPRINT FOR AZURE (FedRAMP MODERATE)