Yet another Software Developer @imonteroperez This talk is NOT about • ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for software delivery This talk is about • ^(?<Dev|Sec|App|Whatever>.+)Ops$ ideas applied for infrastructure delivery • Infrastructure (servers, databases, microservices, containers, networks, firewalls, etc.)
Automated delivery or provision • Physical, Virtual, private and/or public clouds • Inmutable, Scalable, Replicable, etc. The Good parts • Security compliance • Firewalling security needs • Rapid treat containment under attacks • (Multi)vendor coupled The “Ugly” parts ______________________________________________________ From a DevOps perspective From a DevOps perspective
Automated delivery or provision • Physical, Virtual, private and/or public clouds • Inmutable, Scalable, Replicable, etc. The Good parts • Security compliance • Firewalling security needs • Rapid treat containment under attacks • (Multi)vendor coupled The “Ugly” parts ______________________________________________________ Security Security Security Security Others … From a DevOps perspective From a DevOps perspective
Automated delivery or provision • Physical, Virtual, private and/or public clouds • Inmutable, Scalable, Replicable, etc. The Good parts • Security compliance • Firewalling security needs • Rapid treat containment under attacks • (Multi)vendor coupled The “Ugly” parts ______________________________________________________ Security Security Security Security Others … From a DevOps perspective Only from DevOps perspective?
• Software delivery • Infrastructure delivery (servers, containers, services) • Network delivery (network and security) Every part of the process need to be validated and reviewed by people, generating bottlenecks • DevOps to the rescue
• Software delivery • Infrastructure delivery (servers, containers, services) • Network delivery (network and security) Every part of the process need to be validated and reviewed by people, generating bottlenecks • DevOps/NetOps to the rescue Security validations and compliance of infrastructure delivery • ¿?
teams are currently spending 20-32% of their time dealing with misconfigurations. Network Agility Research 2014. Dynamic Markets Change request (portal) Risk assessment (traffic simulation) APP OWNER Schedule for enforcement Approved Validate/Review change Implement change Deliver change Test change NO Policy clean-up (historic degradation) RISK TEAM RISK TEAM SECOPS TEAM SECOPS TEAM APP OWNER CHANGE MANAGEMENT (WORKFLOW) Not approved YES SECOPS TEAM Periodic RISK TEAM
manual • Involve different teams (a.k.a silos) with different ways to do things • Live with the problem is not an option Security validation and compliance of infrastructure delivery is:
manual • Involve different teams (a.k.a silos) with different ways to do things • Live with the problem is not an option Security validation and compliance of infrastructure delivery is: What we want Massive Agility Gains Massive Cost Reduction Better Risk Controls
• Apply “shift to the left” paradigm • Define your network needs as code • Application Delivery • SecOps • Risk • Define your compliance as code • Define your security rules as code
• Apply “shift to the left” paradigm • Define your network needs as code • Application Delivery • SecOps • Risk • Define your compliance as code • Define your security rules as code Firewall policies
to the left” paradigm • Define your network needs as code Abstract all the things! Writing firewall policies in app manifests • Application Delivery • SecOps • Define your compliance as code • Risk
to the left” paradigm • Define your network needs as code Just say what you want Writing firewall policies in app manifests • Application Delivery • SecOps • Define your compliance as code • Risk I need to consume SNMP servers I will provide a service by tcp 443 and tcp80 Firewall policies as code!
to the left” paradigm • Define your network needs as code Just say what you want Writing firewall policies in app manifests • Application Delivery • SecOps • Define your compliance as code • Risk I need to consume SNMP servers I will provide a service by tcp 443 and tcp80 Firewall policies as code! User network must have visibility to App server
to the left” paradigm • Define your network needs as code Just say what you want Writing firewall policies in app manifests • Application Delivery • SecOps • Define your compliance as code • Risk I need to consume SNMP servers I will provide a service by tcp 443 and tcp80 Firewall policies as code! User network must have visibility to App server DMZ traffic must be limited to Internet by tcp 443 and tcp80
• Abstraction • Use vendor and topology neutral model • Declarative • Express your infrastructure security needs as user intents • Write policies where you need • From a DevSecOps perspective: Apply shift left, so write on your app manifests!
is a simple web application with two webservers and a database server. • Webserver nodes are located on the frontend network. • Database server is located on the backend network. • They must access a dns server present on the management network. • They must be accessed from Internet and Users and Admins networks.
REQUIREMENTS Users need HTTPS access to webservers. Webservers need MySQL from database. All servers should use the dns server. System administrators need SSH access to all servers.
The RISK TEAM has pre-defined deny requirements to avoid using risky services: • Unencrypted HTTP flows from Internet or User network to webservers are denied Validation will make sure that no HTTP will be allowed between these elements.
Risk assessment (traffic simulation) APP OWNER Schedule for enforcement Approved Validate/Review change Implement change Deliver change Test change NO Policy clean-up (historic degradation) RISK TEAM RISK TEAM SECOPS TEAM SECOPS TEAM APP OWNER CHANGE MANAGEMENT (WORKFLOW) Not approved YES SECOPS TEAM Periodic RISK TEAM
Risk assessment APP OWNER Schedule for enforcement Approved Automated Validate/Review change Automated Implement change Automated Deliver change Test change NO RISK TEAM RISK TEAM SECOPS TEAM SECOPS TEAM APP OWNER CHANGE MANAGEMENT (WORKFLOW) Not approved SECOPS TEAM
is a way to reduce risks, but not at the expense of agility • Work together. Security affect to everybody. Live with the problems is not an option • Define your security needs as code • Abstract all the things (and automate them) • Reduce your workflow bottlenecks