Security and compliance in DevOps world - DevOn Summit
TRANSCRIPT
Managing regulatory compliance in DevOps World
Anurag Shrivastava, DevOps Transformation Leader, NN Group
ABOUT ME
https://www.linkedin.com/in/anurag2201/
WHAT IS COMPLIANCE?
1. Level 1 - compliance with the external rules and laws that are imposed upon an organisation as a whole
2. Level 2 - compliance with internal systems of control that are imposed to achieve compliance with the externally imposed rules.
Source: https://www.int-comp.org/careers/a-career-in-compliance/what-is-compliance/
WHAT IS REGULATION?
The term ‘regulation’ generally refers to a set of binding rules issued by a private or public body with the necessary authority to supervise compliance with them and apply sanctions in response to violation of them.
Source: https://www.int-comp.org/careers/a-career-in-compliance/what-is-compliance/
THE CORE OBJECTIVES OF REGULATION
The protection of investors/consumers
Ensuring that the markets are fair, efficient and transparent
The reduction of systemic risk
The reduction of financial crime
The maintenance of consumer confidence in the financial system
REGULATIONS ARE HEADACHES
WHAT IS DEVOPS
1. Flow
2. Feedback
3. Experimentation
Source: https://blog.amplexor.com/enterprisecontent/en/devops-and-why-it-should-matter-when-selecting-your-technology-partner
DEVOPS
WHY??
Security matters because security affects the bottom line. It's about sales, support and acquisition.
Hacks and security breaches lead to negative press, and customers need to know their information is safe with you if they're to be customers at all.
Failed security compliance means fines, imprisonment and bad publicity.
COMPLIANCE IN THE EYES OF DEVOPS TEAM
DEVOPS TEAM IN THE EYES OF COMPLIANCE OFFICER
TO ERR IS HUMAN – ENGINEERS ARE HUMANS TOO. FOR EXAMPLE:
1. It's too easy to ship bad code, and then bad things happen.
2. It's easy to forget about back-up and restore when under pressure.
3. It's easy to forget to encrypt data in transit.
4. It's easy to push an incomplete deployment package to production.
5. It's easy to skip periodic DR tests.
PROMISE OF DEVOPS
Speed of Delivery (CD)
Eliminate Waste (YAGNI)
Fast feedback for Business (MVP)
DEVOPS IS ABOUT RELEASING CODE IN PRODUCTION SEVERAL TIMES PER DAY
Compliance should not be a blocker
TREACHEROUS 12: CLOUD VULNERABILITIES
1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues
Source: https://www.welivesecurity.com/2015/04/28/curious-case-ex-hacker-banned-internet/
WHERE DOES COMPLIANCE FIT?
NFR (Non-Functional Requirements) & Compliance
• Availability (e.g. 24x7x365)
• Capacity (planned)
• Compliance (legal and/or regulatory)
• Efficiency (resource consumption)
• Interoperability (inter-system data exchanges)
• Performance (response time)
• Portability (cross-system functionality)
• Resource usage (processor, memory, disk space, network bandwidth, etc.)
• Scalability (user count and data volume growth)
• Security (e.g. login, encryption)
We can realize the promise of DevOps and stay compliant.
We must be compliant & we need DevOps.
COMPLIANCE, RISK & SECURITY IN THE DEVOPS WAY
Shift Left
Democratise the Compliance
Compliance as Code
Prefer Automation
Segregation of Duties
Training and Education
Definition of Done
SHIFT LEFT
Picture Source: https://www.gocd.org/2017/03/01/importance-and-principles-of-cd-pipelines.html
SHIFT LEFT
1. Think about compliance in the early sprints when architecture decisions are made
2. Consider compliance needs during user story refinement sessions
3. Think about compliance in the user acceptance criteria of user stories
4. Think about compliance user stories
DEMOCRATIZE THE COMPLIANCE
Picture Source: http://kimedia.blogspot.nl/2014/08/democracy-from-past-to-future-extract.html
DEMOCRATIZE THE COMPLIANCE
1. Often compliance is proven on ugly Excel sheets which nobody likes to maintain
2. Compliance officers are few in number and service a large number of teams
3. Have simple tools which everyone can use
4. Tools should be web-based or app-based, requiring minimum training
5. Tools should have a workflow to enable easy tracking and tracing of requests
6. Tools should have an API to integrate with the CI/CD pipeline
COMPLIANCE AS CODE
COMPLIANCE AS CODE
1. Moving away from manual inspections and sign-offs to automated evidence
2. Infrastructure as Code
3. VMs, middleware and databases built using a zero-touch CD pipeline
4. Prove compliance using automated tools
5. Code is always version controlled and modified using the four-eyes principle
PREFER AUTOMATION
PREFER AUTOMATION
1. Identify compliance integration points in your deployment pipeline
2. Integrate the various compliance tools into your deployment pipeline using their APIs
3. The deployment pipeline workflow decides whether a change is compliant before it goes into production
4. Initially, decision points can be manual actions, but aim for more and more automation
5. Use deployment pipeline logs as the evidence.
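Added example (not code from the talk or from NN Group): a minimal compliance gate for a deployment pipeline in Python, covering items 1, 3 and 5 above. Each control is a plain function over a change record, the gate runs all of them, emits one JSON evidence record per change for the pipeline log, and the decision stays "block" until every control passes. The control names, the change-record fields (endpoints, last_dr_test, package_files and so on) and the thresholds are assumptions chosen to mirror the slide examples earlier in the deck (encryption in transit, backup and restore, periodic DR tests, complete deployment packages).

```python
"""Compliance gate for a deployment pipeline: controls as code, decisions as
data, pipeline evidence as a JSON record.

Added example, not code from the talk. Control names, change-record fields
and thresholds are assumptions that mirror the slides' examples.
"""
import json
from datetime import date

# Policy thresholds; in a real pipeline these live in a version-controlled
# policy file that is changed under the four-eyes principle.
MAX_DR_TEST_AGE_DAYS = 90
MIN_TEST_COVERAGE = 80.0
REQUIRED_PACKAGE_FILES = {"app.jar", "config.yaml", "runbook.md"}

# Fixed evaluation date so the constructed sample records are reproducible.
AS_OF = date(2024, 6, 1)


# Every control has the same shape: (change, today) -> (passed, detail).
def check_tls_in_transit(change, today):
    insecure = [e for e in change.get("endpoints", []) if not e.startswith("https://")]
    return (not insecure,
            "all endpoints use TLS" if not insecure else f"plaintext endpoints: {insecure}")


def check_backup_restore(change, today):
    ok = bool(change.get("backup_configured")) and bool(change.get("restore_tested"))
    return (ok, "backup configured and restore tested" if ok else "backup/restore not evidenced")


def check_dr_test_recency(change, today):
    last = change.get("last_dr_test")
    if last is None:
        return (False, "no DR test on record")
    age = (today - date.fromisoformat(last)).days
    return (age <= MAX_DR_TEST_AGE_DAYS,
            f"last DR test {age} days ago (limit {MAX_DR_TEST_AGE_DAYS})")


def check_package_complete(change, today):
    missing = sorted(REQUIRED_PACKAGE_FILES - set(change.get("package_files", [])))
    return (not missing,
            "deployment package complete" if not missing else f"missing files: {missing}")


def check_test_coverage(change, today):
    cov = float(change.get("test_coverage", 0))
    return (cov >= MIN_TEST_COVERAGE, f"coverage {cov}% (minimum {MIN_TEST_COVERAGE}%)")


CONTROLS = {
    "tls_in_transit": check_tls_in_transit,
    "backup_restore": check_backup_restore,
    "dr_test_recency": check_dr_test_recency,
    "package_complete": check_package_complete,
    "test_coverage": check_test_coverage,
}


def evaluate_change(change, today=None):
    """Run every control and return an evidence record the pipeline can archive."""
    today = today or date.today()
    results = {}
    for name, control in CONTROLS.items():
        passed, detail = control(change, today)
        results[name] = {"passed": passed, "detail": detail}
    decision = "allow" if all(r["passed"] for r in results.values()) else "block"
    return {"change_id": change["change_id"], "evaluated_on": today.isoformat(),
            "controls": results, "decision": decision}


def failed_controls(record):
    """Names of the controls that blocked the change, for the pipeline summary."""
    return sorted(name for name, r in record["controls"].items() if not r["passed"])


def evidence_json(record):
    """One serialised evidence line for the pipeline log / evidence store."""
    return json.dumps(record, sort_keys=True)


# Constructed sample change records (hypothetical systems, not real ones).
COMPLIANT_CHANGE = {
    "change_id": "CHG-0001",
    "endpoints": ["https://api.internal.example", "https://db-proxy.internal.example"],
    "backup_configured": True, "restore_tested": True,
    "last_dr_test": "2024-04-15",
    "package_files": ["app.jar", "config.yaml", "runbook.md"],
    "test_coverage": 86.5,
}
NONCOMPLIANT_CHANGE = {
    "change_id": "CHG-0002",
    "endpoints": ["https://api.internal.example", "http://legacy.internal.example"],
    "backup_configured": True, "restore_tested": False,
    "last_dr_test": "2023-11-01",
    "package_files": ["app.jar", "config.yaml"],
    "test_coverage": 91.0,
}

if __name__ == "__main__":
    # A pipeline stage would evaluate one change and exit non-zero on "block".
    for change in (COMPLIANT_CHANGE, NONCOMPLIANT_CHANGE):
        record = evaluate_change(change, today=AS_OF)
        print(evidence_json(record))
        print(record["change_id"], record["decision"], failed_controls(record))
```

Decision points that are still manual (item 4) fit the same shape: a control that returns a recorded approval instead of computing a result, so the evidence record looks identical whether the check was automated or not, and the pipeline log remains the single place an auditor has to read.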
SEGREGATION OF DUTIES
SEGREGATION OF DUTIES
1. Segregation of duties but not segregation of engineers
2. People in a development role get limited read access to production logs
3. Operations people get limited read-only access to source code repos
4. All commits in the source code repository have gone through a peer review process enforced by a tool
5. Deployable artifacts, once created, cannot be tampered with later in the process
6. Operations is involved in the sprint planning process
7. Deployments to production must be approved by the Asset Owner or the PO
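Added example (not code from the talk): items 4 and 5 above as pipeline code. `commit_is_peer_reviewed` is the tool-enforced four-eyes check (at least one approval must come from someone other than the author); `build_manifest` and `verify_artifact` make the deployable artifact tamper-evident, so a file altered, added or removed after the build stage, or an edited manifest, is refused at deploy time. The commit record format, the in-memory artifact and the HMAC-keyed manifest are assumptions; a real pipeline would sign the manifest with a key the deploy stage cannot use to forge it (for example a KMS- or HSM-held signing key).

```python
"""Two tool-enforced segregation-of-duties controls: peer review on every
commit and tamper-evident deployable artifacts.

Added example, not code from the talk. Commit record format, artifact
representation and the HMAC-keyed manifest are assumptions.
"""
import hashlib
import hmac
import json

# Assumption: this key is held only by the build stage. Constructed demo
# value; a real pipeline uses an asymmetric signing key kept in a KMS/HSM.
BUILD_MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def commit_is_peer_reviewed(commit):
    """Four-eyes: at least one approval from someone other than the author."""
    approvers = {a for a in commit.get("approvals", []) if a != commit["author"]}
    return len(approvers) >= 1


def _manifest_body(digests):
    # Canonical encoding so build and deploy stages authenticate the same bytes.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifact_files):
    """Build stage: record a SHA-256 digest per file and authenticate the list."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in artifact_files.items()}
    mac = hmac.new(BUILD_MANIFEST_KEY, _manifest_body(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}


def verify_artifact(artifact_files, manifest):
    """Deploy stage: refuse anything that differs from what the build produced."""
    expected = hmac.new(BUILD_MANIFEST_KEY, _manifest_body(manifest["digests"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, "manifest not authentic: altered or not produced by the build stage"
    added = sorted(set(artifact_files) - set(manifest["digests"]))
    removed = sorted(set(manifest["digests"]) - set(artifact_files))
    if added or removed:
        return False, f"file set changed: added {added}, removed {removed}"
    for name, data in artifact_files.items():
        if hashlib.sha256(data).hexdigest() != manifest["digests"][name]:
            return False, f"digest mismatch for {name}"
    return True, "artifact matches build manifest"


# Constructed sample data (hypothetical artifact and commits).
ARTIFACT = {
    "app.jar": b"PK\x03\x04 constructed jar bytes",
    "config.yaml": b"db_url: https://db.internal.example\n",
}
REVIEWED_COMMIT = {"sha": "abc123", "author": "alice", "approvals": ["bob"]}
SELF_APPROVED_COMMIT = {"sha": "def456", "author": "alice", "approvals": ["alice"]}


def tampered_config(artifact):
    """Test case: a config edited after the build now points at plaintext."""
    copy = dict(artifact)
    copy["config.yaml"] = b"db_url: http://db.internal.example\n"
    return copy


def edited_manifest(manifest, artifact):
    """Test case: the digest list rewritten to match the edited config."""
    edited = {"digests": dict(manifest["digests"]), "mac": manifest["mac"]}
    edited["digests"]["config.yaml"] = hashlib.sha256(
        tampered_config(artifact)["config.yaml"]).hexdigest()
    return edited


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACT)
    print("reviewed commit:", commit_is_peer_reviewed(REVIEWED_COMMIT))
    print("self-approved commit:", commit_is_peer_reviewed(SELF_APPROVED_COMMIT))
    print("untouched artifact:", verify_artifact(ARTIFACT, manifest))
    print("edited config:", verify_artifact(tampered_config(ARTIFACT), manifest))
    print("edited manifest:", verify_artifact(tampered_config(ARTIFACT),
                                              edited_manifest(manifest, ARTIFACT)))
```

The manifest check is what turns item 5 from a policy into a control: the deploy stage never trusts the artifact store, only the build stage's authenticated digest list, and the verification result is itself pipeline log evidence.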
TRAINING AND EDUCATION
1. New tools require education and practice
2. Broadening of individual skills in unwanted dimensions
   Compliance officers learn to read code and logs
   Developers learn to do IT security risk assessment
DEFINITION OF DONE – SCRUM GUIDE
1. If the definition of "Done" for an increment is part of the conventions, standards or guidelines of the development organization, all Scrum Teams must follow it as a minimum.
2. If "Done" for an increment is not a convention of the development organization, the Development Team of the Scrum Team must define a definition of "Done" appropriate for the product.
GLOBAL DOD FOR ORGANIZATION
Global DoD contains three kinds of checks:
1. Periodic checks, such as a network vulnerability scan
2. Definition of Done, such as test coverage
3. Definition of Shippable (undone work), such as the CMDB being filled correctly
Global DoD covers:
• KCT-Sox Controls
• Enterprise Architecture Requirements
• Engineering checks
• Change Management and SLA
GLOBAL DOD
1. Good starting point for DevOps teams
2. Pre-agreed with the ORM and CAS departments
3. Any deletions must be pre-agreed
4. Any additions are permitted as long as they are non-conflicting
5. As the team matures in CI/CD: DoD, DoS
GDOD – RESPONSIBILITY & ACCOUNTABILITY
Who verifies the adherence of the releases to the GDOD? The DevOps team verifies adherence to the GDOD for each sprint and release. The accountability for ensuring adherence lies with the IT manager.
Who is responsible for GDOD compliance evidence? The DevOps team is responsible, and the IT manager of the team is accountable. The DevOps team is responsible for writing and executing tests, and for archiving the logs as evidence.
COMPLIANCE AND DEVOPS
1. DevOps has marginal benefits if your compliance suffers because of it
2. Compliance should be more accessible to IT
3. Automation and shift left are the key to flow and feedback
4. Compliance officers are more open to adapting and learning than a typical IT person would think
ANURAG SHRIVASTAVA
Ask me anything about Agile, DevOps and Software Development
https://www.linkedin.com/in/anurag2201/