Scaling Security

Scaling Security

This is a short talk given on the challenges and ideas for building secure software as your organization grows (people and technology). It doesn't give any in depth detail on actual security choices since the focus was more on the organizational challenges.

This talk was given at dotScale in Paris.

2828f28fb012308a7786eee83b8293c5?s=128

Mitchell Hashimoto

April 24, 2017
Tweet

Transcript

  1. Scaling Security GROW WITHOUT COMPROMISING SECURITY

  2.  Scaling mitchellh

  3.  Scaling mitchellh

  4.  Scaling mitchellh Developer Operator Production

  5.  DevOps mitchellh Developer Operator Production

  6.  DevOps mitchellh Developer Operator Production Security?

  7.  DevOps mitchellh Developer Operator Production Security?

  8.  Scaling Anything mitchellh 1. Do less 2. Do it

    faster 3. Do more in parallel
  9.  Scaling Security How do you empower people 
 to

    build secure systems? mitchellh
  10.  Empowering Security mitchellh

  11.  Empowering Security • Developers: A powerful, idiomatic API •

    Operators: A pure-software solution that is easy to maintain and can run on commodity hardware • Security Engineers: Strict usage control, audit trails, 
 clear threat models mitchellh
  12. Vault mitchellh

  13.  Developers: An API for Security • HTTP (over TLS),

    JSON • Secret storage • Encryption services • Certificate creation and verification mitchellh
  14.  Operators: Its Just Software • Pure software, no hardware

    requirement • Stateless (pluggable data stores) • Active/standby HA • Read-scalability with replication (enterprise) mitchellh
  15.  Security Engineers: Fort Knox • N-Person Unseal • Audit

    trails • Access Control • Clearly defined threat model and architecture • Open Source, Audited, Compliance, feature support mitchellh
  16.  Scaling 
 Security mitchellh

  17.  Scaling Security mitchellh Developer Operator Production Security

  18.  Scaling Security mitchellh Developer Operator Security Core Security, Requirements,

    Practices, Audits Infrastructure Security, Network Security Application Security, Data Security
  19.  Scaling Security: Sec Engineer • Allowed behavior • Encryption

    algorithms • Key hierarchies, 
 rotation policies • Audit logs mitchellh Core Security, Requirements, Practices, Audits
  20.  Infrastructure Security, Network Security Scaling Security: Ops • Network

    layout/config, routing tables, etc. • OS security, user accounts, file permissions, etc. • Infrastructure creation, change process mitchellh
  21.  Application Security, Data Security Scaling Security: Dev • TLS

    connections • API auth/authz • Data encryption • Password request and usage mitchellh
  22.  Scaling Security Trust but verify at every level mitchellh

  23. Scaling Security GROW WITHOUT COMPROMISING SECURITY