Automated Governance

VP of DevOps and Digital Practices at SJ Technologies
Dec 10, 2020

  1. An Overview: Automated Governance. John Willis, Global Transformation Office
  2. Outline
     ● Global Transformation Overview
     ● DevSecOps
     ● Automated Governance
  3. GTO
  4. GTO Guiding Coalition (Platform - Coalition)
     ● Strategy review
     ● Industry trends
     ● Progress monitoring
     ● Leadership
     Jabe Bloom, Sr Dir, Global Transformation: CSTO, CTO; SocioTechnical Systems | Speaker; Critical Irritant | Transition Designer
     Andrew Clay Shafer, VP, Global Transformation: Founder, Puppet, DevOpsDays; Author, Web Operations; IT Optimizer | Change Agent; Founder | Organizer
     Kevin Behr, Sr Dir, Global Transformation: Author, Phoenix Project, Visible Ops; CIO, CTO; IT Strategist | Speaker; Enterprise CXO Advisor
     John Willis, Sr Dir, Global Transformation: Author, DevOps Handbook, Beyond the Phoenix Project; CIO, CTO; IT Strategist | Founder; Speaker | Author
     Twitter: @littleidea @kevinbehr @botchagalupe @cyetain
  5. Automated Governance
     ● Reduce Audit Time
     ● Increase Audit Efficacy
     ● Shorten Feedback Loops
     ● Local Authority
     ● Minimize Handoffs
     ● Enable Trust
     Enforce and Audit Policy: Block critical vulnerabilities; Block misconfigured infrastructure; Audit and Control
  6. DevSecOps Dojo (Platform - Adopt)
     ● Increase collaboration and innovation
     ● Shared Responsibility Model
     ● Cloud/Platform Enablement
     ● Templates, Models, and Pipelines
     ● Automated Governance
     ● Outcome Based Metrics
     ● Chaos Engineering
     ● Skills Liquidity Enablement
  7. Delivery Metrics (Platform - Adopt)
     ● Common DevOps Metrics
       ○ Lead Time
       ○ Deploys
       ○ MTTR
       ○ Change Success
     ● Advanced DevOps Metrics
       ○ Flow Metrics
       ○ Change failure rate by team
       ○ Change failure rate by work type
  8. Economic Impact Analysis
     ● Consistency
     ● Toil
     ● Risk
     ● Testing
     ● Automation
  9. Economic Impact
     ● Waste:
       ○ Possibly >30% (on a 450m budget): $135M wasted on general processing.
     ● Consistency:
       ○ Another 10% to 15% on lost opportunity cost (low or no automation): $45M to $67M
     ● Risk:
       ○ Negative Risk ROI.
  10. DevSecOps
  11. Industry Working Groups
      ● DevOps Automated Governance
      ● Automated Cloud Governance
  12. Minimum Viable Security Posture
  13. Changing Subjective attestation into Objective attestation
  14. The Trusted Software Supply Chain (pipeline diagram)
      Pipeline stages: REQ → DEV → UNIT TEST → CODE QUAL → SEC SCAN → INT TEST → QA → UAT → PROD
      Tools shown: Jira; Che; GitHub; Cucumber; JUnit; SonarQube; Fortify; AtomicScan; Anchore; Twistlock; Sysdig; EFK
      Labels: Trusted Code Repos; CCB; Rapid ATO; OpenShift Software Factory; Automated Quality; CM; CS; Service Mesh
  15. Objective Evidence and Closed Feedback Loops
      ● Reduce Audit Time
      ● Increase Audit Efficacy
      ● Shorten Feedback Loops
      ● Local Authority
      ● Minimize Handoffs
      ● Enable Trust
      Enforce and Audit Policy: Block critical vulnerabilities; Block misconfigured infrastructure; Audit and Control
  16. Automated Governance
  17. Timeline: 2015, 2018, 2019
  18. Audit and Govern the Software Supply Chain
      • Universal artifact metadata
      • Metadata API
      • Strong access controls
      • Rich query-ability
  19. DevOps Automated Governance
      ● Reduce Audit Time
      ● Increase Audit Efficacy
      ● Shorten Feedback Loops
      ● Local Authority
      ● Minimize Handoffs
      ● Enable Trust
      Enforce and Audit Policy: Block critical vulnerabilities; Block misconfigured infrastructure; Safe Cloud Usage
  20. DevOps Automated Governance Reference Architecture
      Stages shown: Development; Build; Dependency Mgmt; Package; Artifact Repo; Non Prod Deploy; Prod Deploy
      Common Controls: 1. Access Control 2. Audit Trail/log 3. Everything in source control 4. Usage policies
      Common Actors: 1. Auditor, Risk/Compliance Office 2. (system) 3. Tools Admin
  21. Source Code Repository Stage
  22. Build Stage
  23. Dependency Management Stage
  24. Package Stage
  25. Artifact Stage
  26. Prod Stage
  27. Source Code Repo stage controls
      Stage | Control | Example Control Source | Integration | Elements
      Source Code Repo | Pull Request | GitHub | Webhook | pull_request, repository
      Source Code Repo | Peer Review | GitHub | Webhook | actor, pull_request, repository
      Source Code Repo | Unit Test | SonarQube | Pipeline | new_coverage
      Source Code Repo | Clean Dependency | Artifactory | Pipeline | dependency source
      Source Code Repo | Information Leakage | GitHub | Webhook | (custom)
      Source Code Repo | Static Code Analysis | Muse | Webhook | pull_request, repository
  28. Build stage controls
      Stage | Control | Example Control Source | Integration | Elements
      Build | Build Definition | Jenkins & GitHub | Pipeline | Peer Review Checkout
      Build | Immutable Build | Jenkins | Pipeline | TBD
      Build | Upstream Approved Dependency | Artifactory | Jenkins | TBD
      Build | Unit Test | SonarQube | Jenkins | TBD
      Build | Linting | SonarQube | Jenkins | TBD
      Build | Static Security Analysis | Checkmarx | Jenkins | TBD
  29. Package stage controls
      Stage | Control | Example Control Source | Integration | Elements
      Package | Trusted Dependency Store | Artifactory | Jenkins | TBD
      Package | License Check | Artifactory | Jenkins | TBD
      Package | Vulnerability Scan | Aqua | Jenkins | TBD
      Package | Trusted Authority | Artifactory | Jenkins | TBD
      Package | Versioning | Artifactory | Jenkins | TBD
      Package | Usage Policy | Artifactory | Jenkins | TBD
  30. Production Deploy stage controls
      Stage | Control | Example Control Source | Integration | Elements
      Production Deploy | Trusted Sources | Artifactory | Jenkins | TBD
      Production Deploy | Trusted Configurations | GitHub | Jenkins | TBD
      Production Deploy | Intrusion Detection | TBD | Jenkins | TBD
      Production Deploy | Monitoring & Alerting | Elastic, PagerDuty | Jenkins | TBD
      Production Deploy | Change Management | ServiceNow | Jenkins | TBD
      Production Deploy | Secrets Management | Vault | Jenkins | TBD
      Production Deploy | Unauthorized Change Detection | Jenkins | Jenkins | TBD
      Production Deploy | Production Access Control | Vault | Jenkins | TBD
      Production Deploy | Deployment Strategy | Jenkins, Helm | Jenkins | TBD
  31. Policy as Code
      • Human Readable (YAML)
      • Machine Interpreted
      • Version Controlled
      • Models Attestations and Enforcement
  32. Policy As Code
  33. Event Driven Architecture
  34. Automated Data Pipeline with Objective Compliance
      ● Platform is a Secure and Auditable Control Point
      ● Inspection based on policy
      ● Enforcement by Policy
      ● Attestation Datastore
      ● Policy as Code
      ● Subjective to Objective
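The policy-as-code and attestation-datastore idea above (slides 27, 31 and 34), as an added example that is not from the deck: a small Python evaluator that checks the Source Code Repo stage controls (pull request, peer review, unit-test coverage) against recorded webhook/pipeline attestations and returns an objective pass/fail per control. The policy document, the attestation record shapes and the names POLICY, ATTESTATIONS, evaluate and admit are assumptions made for this example.

```python
import json

# Constructed policy-as-code for the Source Code Repo stage, written as JSON so it
# loads with the standard library; a YAML 1.2 loader accepts the same text unchanged.
POLICY = json.loads("""{
  "stage": "source_code_repo",
  "controls": [
    {"name": "pull_request", "source": "github", "event": "pull_request"},
    {"name": "peer_review", "source": "github", "event": "pull_request_review",
     "min_approvals": 1, "reviewer_not_author": true},
    {"name": "unit_test", "source": "sonarqube", "event": "quality_gate",
     "min_new_coverage": 80.0}]}""")

# Constructed attestation records shaped like the webhook/pipeline elements on the
# slides (actor, pull_request, repository, new_coverage), as kept in the datastore.
ATTESTATIONS = [
    {"source": "github", "event": "pull_request", "repository": "org/app",
     "pull_request": 42, "actor": "alice"},
    {"source": "github", "event": "pull_request_review", "repository": "org/app",
     "pull_request": 42, "actor": "alice", "state": "approved"},
    {"source": "sonarqube", "event": "quality_gate", "repository": "org/app",
     "pull_request": 42, "new_coverage": 86.5}]

def evaluate(policy, attestations, repo, pr):
    """Return {control: (passed, reason)} using recorded evidence only."""
    scoped = [a for a in attestations if a["repository"] == repo and a["pull_request"] == pr]
    authors = {a["actor"] for a in scoped if a["event"] == "pull_request"}
    results = {}
    for c in policy["controls"]:
        hits = [a for a in scoped if a["source"] == c["source"] and a["event"] == c["event"]]
        if not hits:
            results[c["name"]] = (False, "no attestation recorded")
        elif "min_approvals" in c:
            approvers = {a["actor"] for a in hits if a.get("state") == "approved"}
            if c.get("reviewer_not_author"):
                approvers -= authors  # a self-approval is not an independent peer review
            results[c["name"]] = (len(approvers) >= c["min_approvals"],
                                  f"{len(approvers)} independent approval(s)")
        elif "min_new_coverage" in c:
            cov = max(a["new_coverage"] for a in hits)
            results[c["name"]] = (cov >= c["min_new_coverage"], f"new_coverage={cov}")
        else:
            results[c["name"]] = (True, "attested")
    return results

def admit(policy, attestations, repo, pr):
    """Enforcement: the stage gate opens only when every control in the policy passes."""
    results = evaluate(policy, attestations, repo, pr)
    return all(ok for ok, _ in results.values()), [n for n, (ok, _) in results.items() if not ok]
```

With the constructed records the pull-request and coverage controls pass but peer review fails, because the only approval came from the PR author; an approval by a second actor makes the gate open.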
  35. Cloud Automated Governance
  36. Cloud Automated Governance
  37. Thank you. jwillis@redhat.com, @botchagalupe. linkedin.com/company/red-hat, youtube.com/user/RedHatVideos, facebook.com/redhatinc, twitter.com/RedHat