Scaling Security

This is a short talk on the challenges of, and ideas for, building secure software as your organization grows (in both people and technology). It doesn't give any in-depth detail on actual security choices, since the focus was more on the organizational challenges.

This talk was given at dotScale in Paris.

Mitchell Hashimoto

April 24, 2017

Transcript

  1. Scaling Security
    GROW WITHOUT COMPROMISING SECURITY


  2. Scaling
    mitchellh


  3. Scaling


  4. Scaling
    Developer Operator Production


  5. DevOps
    Developer
    Operator
    Production


  6. DevOps
    Developer
    Operator
    Production
    Security?


  7. DevOps
    Developer
    Operator
    Production
    Security?


  8. Scaling Anything
    1. Do less
    2. Do it faster
    3. Do more in parallel


  9. Scaling Security
    How do you empower people to build secure systems?


  10. Empowering Security


  11. Empowering Security
    • Developers: A powerful, idiomatic API
    • Operators: A pure-software solution that is easy to maintain and can run on commodity hardware
    • Security Engineers: Strict usage control, audit trails, clear threat models

  12. Vault


  13. Developers: An API for Security
    • HTTP (over TLS), JSON
    • Secret storage
    • Encryption services
    • Certificate creation and verification


  14. Operators: It's Just Software
    • Pure software, no hardware requirement
    • Stateless (pluggable data stores)
    • Active/standby HA
    • Read-scalability with replication (enterprise)


  15. Security Engineers: Fort Knox
    • N-Person Unseal
    • Audit trails
    • Access Control
    • Clearly defined threat model and architecture
    • Open Source, Audited, Compliance, feature support


  16. Scaling Security


  17. Scaling Security
    Developer
    Operator Production
    Security


  18. Scaling Security
    Developer
    Operator
    Security
    Core Security, Requirements, Practices, Audits
    Infrastructure Security, Network Security
    Application Security, Data Security


  19. Scaling Security: Sec Engineer
    • Allowed behavior
    • Encryption algorithms
    • Key hierarchies, rotation policies
    • Audit logs
    Core Security, Requirements, Practices, Audits


  20. Scaling Security: Ops
    • Network layout/config, routing tables, etc.
    • OS security, user accounts, file permissions, etc.
    • Infrastructure creation, change process
    Infrastructure Security, Network Security


  21. Scaling Security: Dev
    • TLS connections
    • API auth/authz
    • Data encryption
    • Password request and usage
    Application Security, Data Security


  22. Scaling Security
    Trust but verify at every level

  23. Scaling Security
    GROW WITHOUT COMPROMISING SECURITY
