The Changing Landscape of Information Security
1. The Changing Landscape of Information Security
Applications
DevSecOps
Hybrid IT
Automation
Viren Mantri
All views expressed here are entirely mine and do not represent those of my current or past employers.
2. Backdrop: Cyber attacks
• Criminals – Profit
• Espionage – Intelligence
• Warriors – Disruption
• Terrorists – Ideology
• The question is not whether but when?
6. DevSecOps – on a serious note
o Baking security in design
o From BRD/FSD to weekly huddles and feature releases
o Externalizing authentication and authorization
o Using encryption and tokenization for data protection
o Building resilience to vulnerabilities and exploits
o Educating developers on security
7. DevOps ToolSet
• Developer scan
• Build scan
• Infrastructure
• Automation
• Vulnerability reporting
• Remediation workflow
• Risk assessment
• Security dashboard
SCM       Build      Deploy      Cloud   OS       Security
Repo      Package    Release     IaaS    VM       Scanning
CI        Provision  Test        PaaS    App/Web  VA
Workflow  Config     Monitoring  SaaS    DB       PenTest
9. Hybrid IT
• Growing acceptance
• Initial euphoria over (in)security mellowed
• Cloud providers challenging On-Prem
• Need to support legacy while striving to be agile
• Agility flexes rigidity, breaks down silos
10. Automation
• The right level eliminates inefficiencies
• Delivers economies of scale
• Ensures repeatable processes
11. Matured teams
• Recognize Information security is everyone’s business
• Develop a blueprint providing clarity and rationale
• Know why we are doing what we are doing