Are your DevOps and Security teams friends or foes?
1. Are your DevOps and Security teams friends or foes?
Colby Dyess, Director Cloud Marketing, Tufin
Reuven Harrison, Co-founder & CTO, Tufin
2.
“Yes, we have a DevOps team. I have no idea what they’re up to, but my team [Security] is responsible for securing their apps.”
—Tufin Customer, 2018
4. DevOps Origin
• Collaboration between Developers and IT Operations
• To speed things up
• Through automation
• And shared responsibility
5. DevOps Today
GOALS
• Improved deployment frequency
• Faster time to market
• Lower failure rate for new releases
• Shorter lead time between fixes
• Improved mean time to recovery
RESPONSIBILITIES
• CI/CD pipelines
• Dev environments
• Run-time environments
DevOps is about Speed and Repeatability
7. CD
Continuous deployment is a strategy for software releases wherein any code commit that passes the automated testing phase is automatically released into the production environment, making changes that are visible to the software's users.
Pipeline stages (both diagrams): Unit Test → Platform Test → Deliver to Staging → Application Acceptance Tests → Deploy to Production → Post Deploy Tests
Continuous Delivery: every transition is automatic except the step into Deploy to Production, which is manual.
Continuous Deployment: every transition, including the step into Deploy to Production, is automatic.
8. From IT to No IT
[Timeline figure: 1980’s, 1999, 2006, 2013, 2015, 2015]
9. Infrastructure as Code
• Deployments should be based on a descriptive language
• Code AND infrastructure should be defined in a code repository like GitHub
11. Infrastructure as Code & Immutable Infrastructure
Advantages:
• Deployments are repeatable and automated
• Easier troubleshooting because the state is known (no one manipulates it after deployment)
• Automatic audit trail for all changes
• Easy upgrades and rollbacks
14. Agility vs. Security
Agility: Digital Transformation, powered by cloud-native platforms, is increasing business agility and accelerating innovation.
Security: Security in this new world requires a totally different approach, since traditional tools and practices are unsuitable for it.
15. The New Stack
Old stack: App on top of Load Balancers, Firewalls, Switches and Routers, and Compute.
New stack: App on top of a mesh of Services, running on Cloud.
16. New Roles and Responsibilities
Old: Dev owns the App; IT / Security owns Load Balancers, Firewalls, Switches and Routers, and Compute.
New: Dev owns the App; DevOps owns the Services and the Cloud platform.
17. Bye Bye IP
• In order to segment, we need to categorize our resources
• Traditional security zones are based on IP addresses, Subnets and VLANs
• As we move to higher-level abstractions, these become less suitable
WHO?
18. Policy Categories that Work (Instead of IP Addresses)
• Security Groups
• Roles (IAM)
• Tags and Labels
• Domain names (FQDN) - *.aws.com
• Subnets are still used but to a lesser extent (usually for connectivity to external, legacy environments)
19. Challenges
• Don’t have access – limited visibility
• Traditional tools don’t work – limited control
• Existing tools & practices will break agility
21. CI/CD to the Rescue
[Pipeline figure] Development → Commit → Source Control → Initiate CI Process → Build → Testing → Test Report
22. Shift Left
Pipeline stages: Code → Build & Test → Deploy → Operate (security activities shift left, toward Code)
Code / Build & Test (Appsec): Static code analysis, Vulnerability analysis, Security testing
Deploy: Check Infrastructure as Code against policies
Operate: Monitoring, alerting, enforcement, threat detection & response
23. Shift Left
Pipeline stages: Code → Build & Test → Deploy → Operate (security activities shift left, toward Code)
Code / Build & Test (Appsec): Static code analysis, Vulnerability analysis, Security testing
Deploy: Check Infrastructure as Code against policies
Operate: Monitoring, alerting, enforcement, threat detection & response
NEW: Auto-Policy Generation
24. Learn the Policy Automatically
Automatically discover which services are deployed, how they are connected, and which external services they rely on.
Steps: Visibility → Learn → Review → Enforce
[Figure: Service A, Service B and Service C and their connections to Github and Azure]
29. Collaborate!
• DevOps is about collaboration
• Security must be part of that
• There will be a learning curve
• Assign owners to make security work in the DevOps environments
• Task them with learning and bridging the gap
You will get much better security!
30. Tufin Cloud Security
• Gain visibility into cloud-native environments
• Define and control security policies
• Security automation in the CI/CD pipeline
DevOps is an engineering methodology for streamlining app development
If something needs to be done more than once – automate it!
Git: Developers cooperate and communicate through this platform
Jenkins: the main pivot
No config changes after deployment
Organizations are under constant pressure to innovate and remain competitive, while reducing costs. This has driven business leaders to push for digital transformation, often powered by cloud-native platforms and DevOps practices that boost business agility.
Security teams, however, have been left behind – forced to rely on tools and practices that were not designed for cloud and agile environments. As a result, organizations have had to trade agility for security.
How did we get here?
Traditionally, applications were built on top of infrastructure – both physical and virtual – and security teams had standard practices for provisioning, managing and operating the infrastructure. Applications took months, sometimes years to build and might get updated only a handful of times each year. For the most part, security teams could keep pace with new app deployments and change requests.
But over the past several years, developers have turned to public clouds for rapid provisioning and organizations have adopted DevOps practices that automate application build, test and deployment cycles.
We still build applications, of course, but they’re no longer monolithic or dependent upon infrastructure.
Instead, applications are composed of several small services or microservices. This enables developers to add new services and change existing services faster than ever before. In fact, updates that used to happen every few months now happen multiple times a day! Traditional IT and security practices are not set up to handle the scale or pace of change that cloud enables.
The adoption of cloud-native platforms and DevOps practices also impacts traditional roles and responsibilities. For example, developers used to focus on building applications while IT managed infrastructure provisioning and security. In the new world, developers build applications based on microservices – some of the services are custom built, while others are provided by the cloud platform. Meanwhile, DevOps teams have taken responsibility for management of cloud infrastructure and services.
However, when it comes to security, most organizations are left vulnerable. DevOps teams are not security specialists and may not properly address security and compliance requirements. At the same time, IT security rarely has access, visibility or control of cloud-native environments.
Don’t define the low-level SGs and so forth – define guardrails using tags
Ideally – define a unified policy across everything
We don’t own the infrastructure
Developers deploy the full stack including security configuration
We can’t use IP addresses for segmentation
Everything should be automated
Add automated security testing in the CI/CD pipeline
Work in the pipeline with the developers to test, assess, audit and block!
Build and test:
Identify malicious and vulnerable dependencies
Add security tests
Deploy:
Ensure compliance before production (for both code and configuration!)
Operate:
Swap out misbehaving components (e.g., a container)
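An added example (not Tufin's code, nor from the slides) of the "check Infrastructure as Code against policies" step in the Deploy stage: a pipeline guardrail that evaluates security groups against tag-based and reference-based rules rather than raw IP addresses. The input is a constructed, simplified JSON list in the spirit of a Terraform plan; the tag names, allowed public port and legacy subnet are assumed.

```python
"""Pipeline guardrail check for Infrastructure-as-Code (added example, not Tufin's code)."""
import json
import sys

REQUIRED_TAGS = {"owner", "env"}      # assumed tagging standard
PUBLIC_INGRESS_PORTS = {443}          # the only port allowed from 0.0.0.0/0 (assumed)
LEGACY_SUBNETS = {"10.20.0.0/16"}     # assumed legacy on-prem range reached by IP

# Constructed sample plan: three security groups with their ingress rules.
PLAN = json.loads("""[
 {"name": "web-sg", "tags": {"owner": "shop", "env": "prod"},
  "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
              {"port": 22,  "cidr": "0.0.0.0/0"}]},
 {"name": "db-sg", "tags": {"env": "prod"},
  "ingress": [{"port": 5432, "source_sg": "web-sg"},
              {"port": 5432, "cidr": "203.0.113.0/24"}]},
 {"name": "batch-sg", "tags": {"owner": "etl", "env": "prod"},
  "ingress": [{"port": 8080, "cidr": "10.20.0.0/16"}]}
]""")

def check_group(sg):
    """Return the list of policy violations for one security group."""
    findings = []
    missing = REQUIRED_TAGS - set(sg.get("tags", {}))
    if missing:
        findings.append(f"{sg['name']}: missing required tags {sorted(missing)}")
    for rule in sg.get("ingress", []):
        if "source_sg" in rule:
            continue  # SG-to-SG reference: the preferred, IP-free style
        cidr = rule.get("cidr", "")
        if cidr == "0.0.0.0/0" and rule["port"] not in PUBLIC_INGRESS_PORTS:
            findings.append(f"{sg['name']}: port {rule['port']} open to the internet")
        elif cidr != "0.0.0.0/0" and cidr not in LEGACY_SUBNETS:
            findings.append(f"{sg['name']}: IP-based rule {cidr} not in legacy allowlist")
    return findings

def check_plan(plan):
    """Flatten the findings of every security group in the plan."""
    return [f for sg in plan for f in check_group(sg)]

if __name__ == "__main__":
    problems = check_plan(PLAN)
    print("\n".join(problems) or "policy check passed")
    sys.exit(1 if problems else 0)  # non-zero exit blocks the deploy stage
```

Run as a pipeline step, the non-zero exit code is what turns the "audit" into the "block" the slides call for.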