![Page 1: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/1.jpg)
Managing Security in the Age of DevOps
Taiwan InfoSec Conference 2016
Andy Leung
Security Architect, Centre of Excellence
![Page 2: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/2.jpg)
Agenda
DevOps Framework
Security Framework (Traditional Security Framework)
Security Trends and Challenges
SDSN: Software-Defined Secure Network (Software-Defined Network Security Architecture)
Juniper’s SDSN Building Blocks (security tool combinations and pairings)
Tightly integrated development and operations teams
![Page 3: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/3.jpg)
The DevOps Framework
![Page 4: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/4.jpg)
DevOps success case studies
Large enterprises like Amazon, Facebook, Netflix, Sony Pictures, … all gain efficiency and report success after building a DevOps culture.
![Page 5: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/5.jpg)
Breaking down the walls
![Page 6: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/6.jpg)
What is DevOps?
Source: http://techtalk.e-conomic.com/devops-from-developing-to-delivery/
• A software or systems development methodology
• Stresses communication, collaboration, and integration between developers, implementers and operators
• Encourages rapid development and automation
• Minimizes detrimental effects of change through automation and orchestration
• A change in mindset as much as in methods
![Page 7: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/7.jpg)
DevOps Cycle vs Security Cycle: Teaming Up to Revolutionize Service Delivery
• Changes (software) functionality frequently to quickly move improvements into production
• Iterative, repetitive and requires frequent changes, but still allows high availability
• Minimizes detrimental effects of change through automation and orchestration
Development cycle
Operations cycle
![Page 8: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/8.jpg)
Traditional Security Framework
Source: NIST Cyber Security Framework http://www.nist.gov/cyberframework/
Identify
Protect
Detect
Respond
![Page 9: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/9.jpg)
Security Challenges for Cloud Services: a multi-vendor cloud network makes threat detection harder
[Diagram: Network Director managing a spine/leaf fabric of bare-metal servers and hypervisors hosting VMs behind vRouters, with DLE, CA and NDA components at each layer]
Challenges
• Deliver end-to-end network performance and application security
• Multiple physical and virtual layers for deployment
• Need co-ordination between teams for better application security and user experience
IDENTIFY (Identify)
![Page 10: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/10.jpg)
Most network security strategies focus on security at the perimeter only: outside in. Is securing the perimeter really enough?
Today’s Enterprise: Perimeter security model
Trust model: trust what’s inside the network
Visibility relies mostly on perimeter firewalls
Evolving threats require adaptability
Security layered on top of the network
[Diagram: security layered on top of the network as inline appliances: Inline Anti-Malware, Inline Intrusion Prevention, Unified Threat Management, Application Security, Data Loss Prevention]
PROTECT (Protect)
![Page 11: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/11.jpg)
Everything on Your Network is a Potential Threat
Normal and Abnormal Behavior
Normal operation: call-home beacons, energy utilization
Is this normal? How do we mitigate the risk?
Aberrant behavior: bursting traffic, abnormally high data download rate
DETECT (Detect)
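The slide asks how to tell a host's normal traffic from aberrant bursts. The following is an added example, not code from the deck: it aggregates constructed flow records per host into fixed windows, builds each host's own baseline from its first few windows, and flags later windows that exceed that baseline by an assumed factor. A steady call-home beacon stays within its flat baseline; a sudden large download does not. The window size, baseline length, factor and hosts are all assumed values.

```python
"""Baseline-and-burst check over per-host download volume.

Added example for the "normal vs abnormal behaviour" slide; it is not
code from the deck. Flow records are constructed inline; the baseline
window count and the burst factor are assumed tuning values.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 300  # seconds per aggregation window (assumed)

# Constructed flow records: (timestamp_seconds, host, bytes_downloaded).
FLOWS = (
    # 10.0.0.5: a steady call-home beacon, 2 kB every window -> normal
    [(w * WINDOW + 17, "10.0.0.5", 2_000) for w in range(6)]
    # 10.0.0.7: ordinary workstation traffic for five windows ...
    + [(w * WINDOW + 5, "10.0.0.7", b)
       for w, b in enumerate([48_000, 52_000, 50_000, 49_000, 51_000])]
    # ... then a burst in window 5, split across two flows (900 kB total)
    + [(5 * WINDOW + 60, "10.0.0.7", 300_000),
       (5 * WINDOW + 120, "10.0.0.7", 600_000)]
)


def aggregate(flows, window=WINDOW):
    """Sum downloaded bytes per host per window index."""
    per_host = defaultdict(lambda: defaultdict(int))
    for ts, host, nbytes in flows:
        per_host[host][ts // window] += nbytes
    return per_host


def flag_bursts(per_host, baseline_windows=4, factor=4.0):
    """Score each window after the baseline against that host's own history.

    The threshold is the larger of mean + factor*stdev and factor*mean, so a
    perfectly flat baseline (stdev 0, e.g. a beacon) does not alert on noise.
    """
    alerts = []
    for host, windows in per_host.items():
        ordered = sorted(windows)
        if len(ordered) <= baseline_windows:
            continue  # not enough history to judge this host
        base = [windows[w] for w in ordered[:baseline_windows]]
        mu, sigma = mean(base), pstdev(base)
        threshold = max(mu + factor * sigma, factor * mu)
        for w in ordered[baseline_windows:]:
            if windows[w] > threshold:
                alerts.append({"host": host, "window": w,
                               "bytes": windows[w], "threshold": threshold})
    return alerts


def detect(flows=FLOWS, **kwargs):
    """Run the whole pipeline on a list of flow records."""
    return flag_bursts(aggregate(flows), **kwargs)


if __name__ == "__main__":
    for a in detect():
        print(f"{a['host']} window {a['window']}: "
              f"{a['bytes']} B exceeds threshold {a['threshold']:.0f} B")
```

The per-host baseline is the important design choice: a fleet-wide threshold would either miss a workstation's burst or alert on every file server. A flat baseline (the beacon) is the edge case handled by the `factor * mu` floor.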
![Page 12: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/12.jpg)
Data Breach Trends
Source: Verizon 2015 Data Breach Investigations Report
RESPOND (Respond)
![Page 13: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/13.jpg)
Challenges to Security Sector
“Security platforms are a good first step but we need more, we need a holistic security ecosystem — my challenge to the security industry.”
Hugh Tatton-Brown, General Manager, Security Portfolio at BT
Why does the security sector need collaboration to stay ahead?
![Page 14: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/14.jpg)
SDSN
Software-Defined Network Security Architecture
![Page 15: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/15.jpg)
Stop talking about Network Security. Start talking about Secure Networks.
A Change in Mindset
Realize threats are everywhere. They are already inside. They walked in your front door.
Recognize that perimeter security isn’t enough
Detection and enforcement should be enabled anywhere
Acknowledge that security is everyone’s problem, horizontally and vertically
![Page 16: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/16.jpg)
Definition
• SDSN
1. Software-Defined Secure Networks
2. A new security solution that allows you to operate the entire network as a single enforcement domain where every element is a policy enforcement point.
![Page 17: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/17.jpg)
The Software Defined Secure Network
Create and centrally manage intent-based policy directly aligned to business objectives
Gather and distribute threat intelligence from multiple sources: know who the bad guys are faster
Leverage cloud economics for real-time analysis: find the bad guys faster
Enforce policy from the threat-feed information in real time across the network: adapt the network in real time
Operate the network as a single enforcement domain, where every element becomes a policy enforcement point
Detection
Policy
Enforcement
![Page 18: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/18.jpg)
Software Defined Secure Network: Policy, Detection & Enforcement
Your Enterprise Network
Leverage entire network and ecosystem for threat intelligence and detection
Utilize any point of the network as a point of enforcement
Dynamically execute policy across all network elements including third party devices
[Diagram: Threat Intelligence feeding Detection and Enforcement points distributed across the enterprise network]
Bottom-up and top-down approach: cloud-based Threat Defense
Dynamic and Adaptive Policy Engine
Policy
![Page 19: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/19.jpg)
SOFTWARE DEFINED SECURE NETWORK
BUILDING BLOCKS
Security tool combinations and pairings
![Page 20: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/20.jpg)
Your Enterprise Network
Where to Start: Modernize Your Perimeter
Upgrade your perimeter to make it adaptable
The Next Generation Firewall is the Current Generation Firewall: simplify and remove niche security appliances
Utilize cloud economics for instant intelligence that leads to more effective detection
Juniper Cloud Security: Sky Advanced Threat Prevention, Spotlight Secure Threat Intelligence
SRX Series (physical firewall), vSRX (virtual firewall)
![Page 21: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/21.jpg)
Your Enterprise Network
Converse With Your Network: Deploy a Policy Engine that Communicates with Your Network; Analytics Capability Based on Network Data
Juniper Cloud Security: Sky Advanced Threat Prevention, Spotlight Secure Threat Intelligence
Customizable UI provides data correlation
Utilize all network elements as detection and enforcement points
Future: intent-based policy engine to communicate across any network element
Security Director (Mgmt/UI: Policy, App Visibility, Threat Map, Events)
Security Policy Controller
Third-party network elements / Juniper network elements
![Page 22: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/22.jpg)
Automation Framework
[Diagram: Security, Devices and Partners, each with a control plane and a data plane, attached through Standardized Interfaces to the Policy Engine]
Standardized interfaces: NETCONF, YANG, RESTful, Thrift
Open Convergence Framework (OCF)
![Page 23: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/23.jpg)
Automation and Orchestration
![Page 24: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/24.jpg)
"BEFORE" SNAPSHOT
"AFTER" SNAPSHOT
"COMPARE" SNAPSHOTS

jsnap test definition (ABCsnapshot.conf):

```
ospf-int-checks {
    command show ospf interface;
    iterate ospf-interface {
        is-gt neighbor-count, 0 {
            info "OSPF interfaces must have at least 1 neighbor";
            err "OSPF interface %s does not have any neighbors", interface-name;
        }
    }
}
```

Taking the "before" snapshot and comparing it against the "after" snapshot:

```
bsmith@server$ jsnap --snap preupgrade -l bsmith -t ABC ABCsnapshot.conf
bsmith password:
Connecting to bsmith@ABC ... CONNECTED.
EXEC: 'show ospf interface' ...
SAVE: 'ABC__ospf-int-checks__preupgrade.xml' ...

bsmith@server$ jsnap --check preupgrade, postupgrade -t ABC ABCsnapshot.conf
---------------------------------------------------------------
CHECKING SECTION: ospf-int-checks
---------------------------------------------------------------
+ TEST PASSED: OSPF interfaces must have at least 1 neighbor
```
Network Testing Automation
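The before/after/compare flow above is the core of network testing automation: snapshot state before a change, snapshot it again afterwards, apply the same rule to both, and diff them. The following is an added example, not the deck's code and not jsnap itself: it re-creates the slide's `is-gt neighbor-count, 0` check in Python over constructed XML in the shape of the Junos `show ospf interface` reply (the `ospf-interface`, `interface-name` and `neighbor-count` elements the jsnap config refers to), and adds a pre/post diff so a regression is reported even where the rule alone would not catch it. The interface names and neighbour counts are constructed sample data.

```python
"""Snapshot-and-compare check in the style of the jsnap example on the slide.

Added example (not the deck's own code, not jsnap): parse a "before" and an
"after" snapshot of `show ospf interface`, check each against the rule
neighbor-count > 0, and diff the two snapshots. The XML below is constructed
sample data in the Junos reply shape; only the element names the slide's
jsnap config uses (ospf-interface, interface-name, neighbor-count) matter.
"""
import xml.etree.ElementTree as ET

PRE_XML = """<ospf-interface-information>
  <ospf-interface><interface-name>ge-0/0/0.0</interface-name><neighbor-count>1</neighbor-count></ospf-interface>
  <ospf-interface><interface-name>ge-0/0/1.0</interface-name><neighbor-count>2</neighbor-count></ospf-interface>
</ospf-interface-information>"""

# After the (constructed) upgrade: ge-0/0/1.0 lost its neighbours, ge-0/0/2.0 appeared.
POST_XML = """<ospf-interface-information>
  <ospf-interface><interface-name>ge-0/0/0.0</interface-name><neighbor-count>1</neighbor-count></ospf-interface>
  <ospf-interface><interface-name>ge-0/0/1.0</interface-name><neighbor-count>0</neighbor-count></ospf-interface>
  <ospf-interface><interface-name>ge-0/0/2.0</interface-name><neighbor-count>1</neighbor-count></ospf-interface>
</ospf-interface-information>"""


def parse_ospf_interfaces(xml_text):
    """Return {interface-name: neighbor-count} from a show ospf interface reply."""
    root = ET.fromstring(xml_text)
    snapshot = {}
    for intf in root.iter("ospf-interface"):
        name = intf.findtext("interface-name")
        count = int(intf.findtext("neighbor-count", default="0"))
        snapshot[name] = count
    return snapshot


def check_min_neighbors(snapshot, minimum=1):
    """Equivalent of the slide's `is-gt neighbor-count, 0` test: one error per failing interface."""
    return [f"OSPF interface {name} does not have any neighbors"
            for name, count in sorted(snapshot.items()) if count < minimum]


def compare_snapshots(pre, post):
    """Diff two snapshots: interfaces added, removed, and changed neighbour counts."""
    return {
        "added": sorted(set(post) - set(pre)),
        "removed": sorted(set(pre) - set(post)),
        "changed": {name: (pre[name], post[name])
                    for name in sorted(set(pre) & set(post)) if pre[name] != post[name]},
    }


def run(pre_xml=PRE_XML, post_xml=POST_XML):
    """Check both snapshots and diff them; 'passed' means the post state holds the rule with no regressions."""
    pre = parse_ospf_interfaces(pre_xml)
    post = parse_ospf_interfaces(post_xml)
    report = {
        "pre_errors": check_min_neighbors(pre),
        "post_errors": check_min_neighbors(post),
        "diff": compare_snapshots(pre, post),
    }
    diff = report["diff"]
    report["passed"] = not report["post_errors"] and not diff["removed"] and not diff["changed"]
    return report


if __name__ == "__main__":
    result = run()
    print("CHECKING SECTION: ospf-int-checks")
    if result["post_errors"]:
        for err in result["post_errors"]:
            print("- TEST FAILED:", err)
    else:
        print("+ TEST PASSED: OSPF interfaces must have at least 1 neighbor")
    print("DIFF:", result["diff"])
```

Keeping the rule check and the diff separate mirrors what the two jsnap commands on the slide do: `--snap` captures state the rule is evaluated against, and `--check` compares snapshots. A lost adjacency that still leaves one neighbour on the interface would pass the rule but show up in `changed`.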
![Page 25: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/25.jpg)
Juniper’s Security Vision: From Network Security to Secure Networks
The only one in the industry with building blocks for tomorrow’s Software Defined Secure Network
Simplified policy and management across all network elements
Adaptable security solution based on real-time threat intelligence
Cost-effective detection and enforcement utilizing the entire network to protect you
The Juniper Software Defined Secure Network dynamically adapts to the changing threat landscape… so you don’t have to!
![Page 26: Managing Security in the Age of DevOps](https://reader036.vdocument.in/reader036/viewer/2022081503/62a23ee7f5ae821b8c161e47/html5/thumbnails/26.jpg)
Thank You