Compliance != Security - USENIX

Post on 28-May-2020


Compliance != Security but we used it anyway and improved the way we deliver devops security for agile teams at scale

Robert Clark, IBM Cloud

Conversations

My service is ready for production, where do I get my compliance certifications?

That depends, is it secure?

Probably!? Isn't that what certifications are for?

Every Security Person

Our Transformation

Challenges

Acquisition Maturity

Compliance Limitations

DevOps Security

How we Build / How we Staff

Our Cloud Agility Model

Similarities with the “Spotify Model”

DevOps - Design, Build, Ship, Maintain

Self sufficient squads

Squads grouped into tribes

Acquisition Maturity

Solo Security Engineer to Fully Staffed Security Team

Anatomy of a Squad

Developer Systems Engineer

Automation Engineer

Offering Manager

Security Engineer

Experience Assurance

Tribe Leader

Good Examples

Service Security Squads

Mature / Stable

Development

Developer Systems Engineer

Automation Engineer

Offering Manager

Security Engineer

Experience Assurance

Tribe Leader

Less Good Examples

Developer Systems Engineer

Automation Engineer

Offering Manager

Security Engineer

Experience Assurance

New Product Teams

New Acquisitions

Tribe Leader

Challenges

How do we enable small squads to deliver security?

Compliance != Security

Compliance

How do we make IT less scary?

Prove we know what we're doing?

Demonstrate safety and best practice?

Will COMPLIANCE save us?

Let's get our squads doing compliance!

Compliance

Indifference (photo: Imagine Communications, https://flic.kr/p/e8CvVF)

Anger (photo: Bernard Dupont, https://flic.kr/p/Nx8eAe)

Denial (photo: Rexness from Melbourne, Australia, "Meerkat digging", CC BY-SA 2.0 https://creativecommons.org/licenses/by-sa/2.0, via Wikimedia Commons)

Exodus

Challenges

How do we make compliance accessible?

COMPLIANCE

INDUSTRY POP QUIZ

COMPLIANCE

TOP BREACHES 2016-2017

Compliance Misconceptions

COMPLIANCE

Controls Based Planning

Evidence Driven Documentation

Enforcement of Security

Technical Innovations

Defining Processes

GOOD FOR

BAD FOR

Challenges

Understand the limitations of compliance

DevOps / Building for Security

How do we build for security in a cloud native world...

… if “compliance” isn’t the answer?

Changes

How we Build / How we Staff

Optional Services

Measurable Controls

800-53

Common Control Alignment

Integrated Tools

Oriented to Controls

Centralized Expertise

Distributed Security Function

NIST Alignment

800-53 Security & Privacy Controls and Cyber Security Framework

Identify, Protect, Detect, Respond, Recover

Strong Privacy Controls (R5)

Federal Bedrock

Significant Internal Alignment

Superset of Common Controls

Customizable / Variable Maturity Model

BUILD A CENTRAL TEAM OF TALENT

Service Security Squads

Security Talent

Aligning Talent

FAMILY

Access Control

Awareness & Training

Audit and Accountability

Assessment, Authorization and Monitoring

Configuration Management

Contingency Planning

Identification and Authentication

Individual Participation

Incident Response

… [11 more control families]


Aligning Talent with NIST

Functional Delivery: things we do and deliver to benefit cloud services and engineers

Control Expertise: things we have strong opinions about and know how to measure

Security Focal Program

Role: Security Focal
Participation: Part Time
Responsibilities:
Attend NIST Aligned Security Training
Participate in Security Reviews
Know enough to ask for help

Role: Tribe Security Leader
Participation: Full Time
Responsibilities:
Support their Security Focals
Escalation point for service / tribe issues
Owner of local security budget
Security of portfolio segment
Support IR and Vulnerability Management

Tribe Security Leader (TSL): this person *owns* security for their tribe

Security Focals (SF): these people deliver security for their services

Org structure: Tribe Leader, Tribe Security Leader, Security Focals, NIST Aligned Security Org

Lessons Learned

Not every squad has an aspiring security ninja

Focus must always be on developers

NIST is a really big standard!

Secure the path of least resistance

Our Results

Enhanced Service Delivery

Consolidation

Incident Response

Centralized Talent

Security Career Path

Better Communications

Enabled Developers

Best-in-Breed Tooling

Clearer Positioning

Accelerated Penetration Testing

Scaled Threat Modelling

Happy Developers

Happy Security Focals

Malcolm Manners https://flic.kr/p/5bD6hX

Happy Security Team

© Wayne [wrokicki] https://flic.kr/p/8eaFPK

What’s Next


Which other standards would work?

How much can we really measure?

Where are the DevOps Security tools?

Questions


How we build: Agile DevOps Security