Slide 1

Scaling Security
GROW WITHOUT COMPROMISING SECURITY

Slide 2

 Scaling mitchellh

Slide 3

Scaling

Slide 4

Scaling
Developer Operator Production

Slide 5

DevOps
Developer Operator Production

Slide 6

DevOps
Developer Operator Production Security?

Slide 7

DevOps
Developer Operator Production Security?

Slide 8

Scaling Anything
1. Do less
2. Do it faster
3. Do more in parallel

Slide 9

Scaling Security
How do you empower people to build secure systems?

Slide 10

Empowering Security

Slide 11

Empowering Security
• Developers: A powerful, idiomatic API
• Operators: A pure-software solution that is easy to maintain and can run on commodity hardware
• Security Engineers: Strict usage control, audit trails, clear threat models

Slide 12

Vault

Slide 13

Developers: An API for Security
• HTTP (over TLS), JSON
• Secret storage
• Encryption services
• Certificate creation and verification

Slide 14

Operators: It's Just Software
• Pure software, no hardware requirement
• Stateless (pluggable data stores)
• Active/standby HA
• Read-scalability with replication (enterprise)

Slide 15

Security Engineers: Fort Knox
• N-Person Unseal
• Audit trails
• Access Control
• Clearly defined threat model and architecture
• Open Source, Audited, Compliance, feature support

Slide 16

Scaling Security

Slide 17

Scaling Security
Developer Operator Production Security

Slide 18

Scaling Security
• Developer: Application Security, Data Security
• Operator: Infrastructure Security, Network Security
• Security: Core Security, Requirements, Practices, Audits

Slide 19

Scaling Security: Sec Engineer
Core Security, Requirements, Practices, Audits
• Allowed behavior
• Encryption algorithms
• Key hierarchies, rotation policies
• Audit logs

Slide 20

Scaling Security: Ops
Infrastructure Security, Network Security
• Network layout/config, routing tables, etc.
• OS security, user accounts, file permissions, etc.
• Infrastructure creation, change process

Slide 21

Scaling Security: Dev
Application Security, Data Security
• TLS connections
• API auth/authz
• Data encryption
• Password request and usage

Slide 22

Scaling Security
Trust but verify at every level

Slide 23

Scaling Security
GROW WITHOUT COMPROMISING SECURITY