Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DevOps - The Automation op compliance

DevOps - The Automation op compliance

Many organizations are adopting DevOps patterns and practices, and are enjoying the benefits that come from that adoption: More speed. Higher quality. Better value. However, many teams often get stymied when dealing with information security, compliance, and audit requirements. There seems to be a misconception that DevOps practices won’t work in large organizations which are under regulations or have their own strict processes. DevOps actually helps teams meet compliance standards because automation is not only an integral part of DevOps, but a great way to make sure development and deploy practices are reliable, repeatable, and traceable. This talk will show how it's possible to be both fast and compliant. We will look at both the soft and technical practices. I will cover branch policies, checks you can do during your build and deployment, Azure Security Center, Testing in production and more.

Erwin Staal

March 28, 2019

More Decks by Erwin Staal

Other Decks in Technology


  1. DevOps is the union of people, process, and products to

    enable continuous delivery of value to our end users. Donovan Brown, Microsoft DevOps
  2. “Fundamentally, if somebody wants to get in, they're getting in..accept

    that. Number one, you're in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated." Michael Hayden, Former Director of NSA and CIA
  3. The mindset shift Prevent Breach Assume Breach Threat model Code

    review Security testing Secure development lifecycle War game exercises Centralized security monitors Live site penetration testing
  4. CAB Low / Low 4-eyes principle Register change Continuous Testing

    Every change is classified as a change with low impact and low risk. We need 0-downtime deployments. Every change has been reviewed by at least one colleague. This is traceable. Every change we make is tested using a comprehensive set of automated tests. Configuration Management Automate repetitive manual processes. In order to achieve this, we need to version control everything required to perform these processes. Deployment automation Every change is deployed automatically into environments that resemble production as much as possible. Every change is registered in a central system for everyone to see.