SlideShare una empresa de Scribd logo

Regulated Reactive - Security Considerations for Building Reactive Systems in Regulated Industries

Descargar como PPTX, PDF
Ryan Hodgin
Ryan Hodgin

Presented at Reactive Summit 2017

Tecnología
1 de 36
The IBM Watson and Cloud Platform Ryan Hodgin Lead Solution Architect – Healthcare and Life Sciences @rhodgin Regulated Reactive: Security Considerations for Building Reactive Systems in Regulated Industries One Platform. One architecture. Cloud-native. One IBM.
Background On Ryan IBMer for 15 years based in Boulder, CO Application Development and Architecture Background Now on IBM’s Cloud Platform Team focused on Solution Architecture for Healthcare and Life Sciences Twitter: @rhodgin LinkedIn: https://www.linkedin.com/in/rhodgin/ SlideShare: https://www.slideshare.net/RyanHodgin
Equifax Hack - Shock
Equifax Hack - Fallout The fallout – - Drop in Stock Value - Lawsuits - Executives Resign (CEO, CIO, CISO) - Fines
Equifax Hack – Root Cause
Equifax Breach – Personal Impact
Abbott Pacemaker Recall • Vulnerability discovered by researchers • Patch requires office visit
Leads to Extreme Risk Aversion
Our Monolith – Patient Vitals Common DB ModelControllerView patient_vitals.ear Process Vitals Vitals Report Heart Rate Report JSP Alert Respiratory Rate Blood Pressure Patient
Reactive Patient Vitals Vitals Report Vitals Heart Respiratory Blood Pressure Patient Alerts
Compliance Officer’s Perspective Illustration © Lev Polyakov, http://levpolyakov.com
How Developers See Themselves How Compliance Officers See Them
Reactive Patterns – Event Sourcing • What is it? “Capture all changes to an application state as a sequence of events.” – Martin Fowler • Motivations: • Distributed Computing - Append only architecture distributes well • Fully visibility to system’s history • Natural audit log • Snapshots with ability to replay events • Speed to recovery
Malicious Actor Example
Changing Days Absent
How do you recover?
Review Events and Make Corrections Change Days Absent Command Days Absent Changed Event
Event Sourcing and GDPR • General Data Protection Regulation (GDPR) goes into effect May 25, 2018 • In situations where ”Right to erasure” applies, does personal identifying data need to be removed from the event source history?
Reactive Patterns – CQRS • Definition: CQRS (Command Query Responsibility Segregation) - CQRS is simply the creation of two objects where there was previously only one. The separation occurs based upon whether the methods are a command or a query. (Greg Young) • Motivations : • Supports different rules for display of data (query model based on usage) • Fits well with Bounded Contexts in Domain-Driven Design • Support separate access control / security rules between reads/writes • Enables “Principle of Least Privilege (PoLP)”
Add Controls
Lock Ferris Out
Our Stack
Istio • Open source project led by Google, IBM, and Lyft • Service Mesh • Offers features in: • Traffic Management • Observability • Policy Enforcement • Service Identity and Security • Initial support for Kubernetes and plans for VMs, Cloud Foundry, and Mesos
Istio and Security
Disclaimers • Full stack not yet production ready • Other aspects of security still matter (a lot!) • Edge Security • Database Security • Access Management • Policies and procedures • Variations based on industry / organization
NIST’s Cybersecurity Framework • Many organizations are standardizing on the framework (with some customizations by industry/organization) • Defines 5 key categories: • Identify • Protect • Detect • Respond • Recover
Identify • Definition: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. • Opportunities to reduce risk: • Catalog Services and Data - include risk potential and appeal to attackers • Secure events throughout lifecycle • Intelligent routing of sensitive messages • Leverage labels in Kubernetes and tags in cloud providers to give more visibility / reporting
Protect • Definition: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. • Opportunities to reduce risk: • Use SSL/TLS Consistently (Akka, Lagom, Play, anything else) • Use SSL/TLS with Mutual Authentication for Akka Remoting • Disable Java Serializer in Akka (since 2.4.11) • Minimize container privileges • Utilize Kubernetes Role Based Access Control (and record events) for changes • Implement service identity and access control rules (service/data level authorization)
Detect • Definition: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. • Opportunities to reduce risk: • Use tracing – Lightbend Telemetry / Open Tracing / Zipkin / Jaeger • Use monitors and alerts – OpsClarity Monitors, Prometheus • Akka Supervisors – Naturally handle all Actor exceptions (forward messages and track patterns) • Centralize logs, build benchmarks, and detect unusual patterns of activity • Integrate AI/Machine Learning – normal day vs. abnormal day
Respond • Definition: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. • Opportunities to reduce risk: • Elastic application design • Quarantine a compromised Service/VM/container (fail fast) • Utilize circuit breakers and rate limiting • Patch rapidly and make changes without downtime
Recover • Definition: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. • Opportunities to reduce risk: • Resiliency of the application • Snapshots and Replay (Event Sourcing) • Replication / Disaster Recovery strategy • Use multi-data center capability with Hot-backup • Utilize Kubernetes distributed clusters and federation
Demo
Reducing Risk in Reactive Patient Vitals App • Use event sourcing (audit trail/recovery) and CQRS (controls for reporting) • Create snapshots of events and prioritize ability to replay them (test it) • Minimize instances of sensitive data - what information is really required? • Restrict access to services - what should be able to call them? • Secure communication between services (mutual TLS / service authentication) • Capture and store metrics on caller, # of calls, and response times • Capture container images, version deployment history
Communicating the Shift to Reactive • Explain business reasons for change (competitive pressure, speed to market, risk reduction, etc.) • Highlight features of the architectural patterns • Provide realtime visibility (trust but verify) • Automate auditing (follow up on inconsistencies) – Netflix’s Security Monkey • Restrict changes (who is allowed to make changes with strong traceability) • Highlight reductions in current targets (time to patch, RTO/RPO)
Questions? Anyone? Anyone?
Regulated Reactive - Security Considerations for Building Reactive Systems in Regulated Industries

Recomendados

ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...EnergySec
 
Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit Splunk und QualysWebinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit Splunk und QualysGeorg Knon
 
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014Risk Analysis Consultants, s.r.o.
 
Security and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureSecurity and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureCloudPassage
 
Rethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectRethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectCloudPassage
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudCloudPassage
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the CloudCloudPassage
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloudPassage
 

Recomendados

ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...
ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers C...EnergySec
 
Webinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit Splunk und QualysWebinar: Vulnerability Management leicht gemacht – mit Splunk und Qualys
Webinar: Vulnerability Management leicht gemacht – mit Splunk und QualysGeorg Knon
 
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014
QualysGuard InfoDay 2013 - QualysGuard RoadMap for H2-­2013/H1-­2014Risk Analysis Consultants, s.r.o.
 
Security and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureSecurity and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureCloudPassage
 
Rethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectRethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectCloudPassage
 
Technologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudTechnologies You Need to Safely Use the Cloud
Technologies You Need to Safely Use the CloudCloudPassage
 
45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the Cloud45 Minutes to PCI Compliance in the Cloud
45 Minutes to PCI Compliance in the CloudCloudPassage
 
Cloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloud Security: Make Your CISO Successful
Cloud Security: Make Your CISO SuccessfulCloudPassage
 
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...CloudPassage
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsCloudPassage
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpointCloudPassage
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftAlert Logic
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Alert Logic
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alAlert Logic
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESMImproving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESMAnton Goncharov
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
Hp arcsight services 2014 ewb
Hp arcsight services 2014 ewbHp arcsight services 2014 ewb
Hp arcsight services 2014 ewbrty_ngtglobal
 
Automate Your Container Deployments Securely
Automate Your Container Deployments SecurelyAutomate Your Container Deployments Securely
Automate Your Container Deployments SecurelyDevOps.com
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
 
End-to-End Security Analytics with the Elastic Stack
End-to-End Security Analytics with the Elastic StackEnd-to-End Security Analytics with the Elastic Stack
End-to-End Security Analytics with the Elastic StackElasticsearch
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011Scott Carlson
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewAlert Logic
 
Getting Started with Azure Security Center
Getting Started with Azure Security CenterGetting Started with Azure Security Center
Getting Started with Azure Security CenterCheah Eng Soon
 
Cloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCarlos Andrés García
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSAlert Logic
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudAlert Logic
 
ESM_101_6.9.0.pdf
ESM_101_6.9.0.pdfESM_101_6.9.0.pdf
ESM_101_6.9.0.pdfProtect724v2
 
Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013brian_chong
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the CloudAmazon Web Services
 

Más contenido relacionado

La actualidad más candente

Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...CloudPassage
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsCloudPassage
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpointCloudPassage
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftAlert Logic
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Alert Logic
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alAlert Logic
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsAlert Logic
 
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESMImproving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESMAnton Goncharov
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alAlert Logic
 
Hp arcsight services 2014 ewb
Hp arcsight services 2014 ewbHp arcsight services 2014 ewb
Hp arcsight services 2014 ewbrty_ngtglobal
 
Automate Your Container Deployments Securely
Automate Your Container Deployments SecurelyAutomate Your Container Deployments Securely
Automate Your Container Deployments SecurelyDevOps.com
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
 
End-to-End Security Analytics with the Elastic Stack
End-to-End Security Analytics with the Elastic StackEnd-to-End Security Analytics with the Elastic Stack
End-to-End Security Analytics with the Elastic StackElasticsearch
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011Scott Carlson
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewAlert Logic
 
Getting Started with Azure Security Center
Getting Started with Azure Security CenterGetting Started with Azure Security Center
Getting Started with Azure Security CenterCheah Eng Soon
 
Cloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCarlos Andrés García
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSAlert Logic
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudAlert Logic
 

La actualidad más candente (20)

Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOps
 
Webinar compiled powerpoint
Webinar compiled powerpointWebinar compiled powerpoint
Webinar compiled powerpoint
 
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msftCss sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
Css sf azure_8-9-17-microsoft_azure_security_overview_babak suzani_msft
 
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
Css sf azure_8-9-17 - 5_ways to_optimize_your_azure_infrastructure_thayer gla...
 
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_alCss sf azure_8-9-17-intro to security in the cloud_mark brooks_al
Css sf azure_8-9-17-intro to security in the cloud_mark brooks_al
 
Managed Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS ApplicationsManaged Threat Detection & Response for AWS Applications
Managed Threat Detection & Response for AWS Applications
 
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESMImproving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
Improving IR Workflow - Using Risk-Based Escalation in HP ArcSight ESM
 
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_alCss sf azure_8-9-17-protecting_web_apps_stephen coty_al
Css sf azure_8-9-17-protecting_web_apps_stephen coty_al
 
Hp arcsight services 2014 ewb
Hp arcsight services 2014 ewbHp arcsight services 2014 ewb
Hp arcsight services 2014 ewb
 
Automate Your Container Deployments Securely
Automate Your Container Deployments SecurelyAutomate Your Container Deployments Securely
Automate Your Container Deployments Securely
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
End-to-End Security Analytics with the Elastic Stack
End-to-End Security Analytics with the Elastic StackEnd-to-End Security Analytics with the Elastic Stack
End-to-End Security Analytics with the Elastic Stack
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model Overview
 
Getting Started with Azure Security Center
Getting Started with Azure Security CenterGetting Started with Azure Security Center
Getting Started with Azure Security Center
 
Cloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New RealityCloud Native Security: New Approach for a New Reality
Cloud Native Security: New Approach for a New Reality
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWS
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
 
ESM_101_6.9.0.pdf
ESM_101_6.9.0.pdfESM_101_6.9.0.pdf
ESM_101_6.9.0.pdf
 

Similar a Regulated Reactive - Security Considerations for Building Reactive Systems in Regulated Industries

Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013brian_chong
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the CloudAmazon Web Services
 
Winning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeWinning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeCloudHesive
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summaryKarun Chennuri
 
CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionTom Laszewski
 
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudCloudHesive
 
Cloud-native application monitoring powered by Riverbed and Elasticsearch
Cloud-native application monitoring powered by Riverbed and ElasticsearchCloud-native application monitoring powered by Riverbed and Elasticsearch
Cloud-native application monitoring powered by Riverbed and ElasticsearchRichard Juknavorian
 
Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]Symantec
 
Compliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignCompliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignAmazon Web Services
 
Business and IT agility through DevOps and microservice architecture powered ...
Business and IT agility through DevOps and microservice architecture powered ...Business and IT agility through DevOps and microservice architecture powered ...
Business and IT agility through DevOps and microservice architecture powered ...Lucas Jellema
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applicationskanimozhin
 
Database@Home : Data Driven Apps - Data-driven Microservices Architecture wit...
Database@Home : Data Driven Apps - Data-driven Microservices Architecture wit...Database@Home : Data Driven Apps - Data-driven Microservices Architecture wit...
Database@Home : Data Driven Apps - Data-driven Microservices Architecture wit...Tammy Bednar
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityTheodore Kim
 
IBM Multicloud Management on the OpenShift Container Platform
IBM Multicloud Management on the OpenShift Container PlatformIBM Multicloud Management on the OpenShift Container Platform
IBM Multicloud Management on the OpenShift Container PlatformMichael Elder
 

Similar a Regulated Reactive - Security Considerations for Building Reactive Systems in Regulated Industries (20)

Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
 
Winning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our TimeWinning Governance Strategies for the Technology Disruptions of our Time
Winning Governance Strategies for the Technology Disruptions of our Time
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps session
 
Sukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud ManagementSukumar Nayak-Agile-DevOps-Cloud Management
Sukumar Nayak-Agile-DevOps-Cloud Management
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public Cloud
 
Cloud application security (CCSP Domain 4)
Cloud application security (CCSP Domain 4)Cloud application security (CCSP Domain 4)
Cloud application security (CCSP Domain 4)
 
Security for developers
Security for developersSecurity for developers
Security for developers
 
S4x20 Forescout Presentation
S4x20 Forescout Presentation S4x20 Forescout Presentation
S4x20 Forescout Presentation
 
Cloud-native application monitoring powered by Riverbed and Elasticsearch
Cloud-native application monitoring powered by Riverbed and ElasticsearchCloud-native application monitoring powered by Riverbed and Elasticsearch
Cloud-native application monitoring powered by Riverbed and Elasticsearch
 
Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]Wipro's Compliance as a Service [CAAS]
Wipro's Compliance as a Service [CAAS]
 
Compliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignCompliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By Design
 
Business and IT agility through DevOps and microservice architecture powered ...
Business and IT agility through DevOps and microservice architecture powered ...Business and IT agility through DevOps and microservice architecture powered ...
Business and IT agility through DevOps and microservice architecture powered ...
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applications
 
Database@Home : Data Driven Apps - Data-driven Microservices Architecture wit...
Database@Home : Data Driven Apps - Data-driven Microservices Architecture wit...Database@Home : Data Driven Apps - Data-driven Microservices Architecture wit...
Database@Home : Data Driven Apps - Data-driven Microservices Architecture wit...
 
Jobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to SecurityJobvite: A Holistic Approach to Security
Jobvite: A Holistic Approach to Security
 
IBM Multicloud Management on the OpenShift Container Platform
IBM Multicloud Management on the OpenShift Container PlatformIBM Multicloud Management on the OpenShift Container Platform
IBM Multicloud Management on the OpenShift Container Platform
 

Último

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 

Último (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

Regulated Reactive - Security Considerations for Building Reactive Systems in Regulated Industries

  • 1. The IBM Watson and Cloud Platform Ryan Hodgin Lead Solution Architect – Healthcare and Life Sciences @rhodgin Regulated Reactive: Security Considerations for Building Reactive Systems in Regulated Industries One Platform. One architecture. Cloud-native. One IBM.
  • 2. Background On Ryan IBMer for 15 years based in Boulder, CO Application Development and Architecture Background Now on IBM’s Cloud Platform Team focused on Solution Architecture for Healthcare and Life Sciences Twitter: @rhodgin LinkedIn: https://www.linkedin.com/in/rhodgin/ SlideShare: https://www.slideshare.net/RyanHodgin
  • 4. Equifax Hack - Fallout The fallout – - Drop in Stock Value - Lawsuits - Executives Resign (CEO, CIO, CISO) - Fines
  • 5. Equifax Hack – Root Cause
  • 6. Equifax Breach – Personal Impact
  • 7. Abbott Pacemaker Recall • Vulnerability discovered by researchers • Patch requires office visit
  • 8. Leads to Extreme Risk Aversion
  • 9. Our Monolith – Patient Vitals Common DB ModelControllerView patient_vitals.ear Process Vitals Vitals Report Heart Rate Report JSP Alert Respiratory Rate Blood Pressure Patient
  • 11. Compliance Officer’s Perspective Illustration © Lev Polyakov, http://levpolyakov.com
  • 12. How Developers See Themselves How Compliance Officers See Them
  • 13. Reactive Patterns – Event Sourcing • What is it? “Capture all changes to an application state as a sequence of events.” – Martin Fowler • Motivations: • Distributed Computing - Append only architecture distributes well • Fully visibility to system’s history • Natural audit log • Snapshots with ability to replay events • Speed to recovery
  • 16. How do you recover?
  • 17. Review Events and Make Corrections Change Days Absent Command Days Absent Changed Event
  • 18. Event Sourcing and GDPR • General Data Protection Regulation (GDPR) goes into effect May 25, 2018 • In situations where ”Right to erasure” applies, does personal identifying data need to be removed from the event source history?
  • 19. Reactive Patterns – CQRS • Definition: CQRS (Command Query Responsibility Segregation) - CQRS is simply the creation of two objects where there was previously only one. The separation occurs based upon whether the methods are a command or a query. (Greg Young) • Motivations : • Supports different rules for display of data (query model based on usage) • Fits well with Bounded Contexts in Domain-Driven Design • Support separate access control / security rules between reads/writes • Enables “Principle of Least Privilege (PoLP)”
  • 23. Istio • Open source project led by Google, IBM, and Lyft • Service Mesh • Offers features in: • Traffic Management • Observability • Policy Enforcement • Service Identity and Security • Initial support for Kubernetes and plans for VMs, Cloud Foundry, and Mesos
  • 25. Disclaimers • Full stack not yet production ready • Other aspects of security still matter (a lot!) • Edge Security • Database Security • Access Management • Policies and procedures • Variations based on industry / organization
  • 26. NIST’s Cybersecurity Framework • Many organizations are standardizing on the framework (with some customizations by industry/organization) • Defines 5 key categories: • Identify • Protect • Detect • Respond • Recover
  • 27. Identify • Definition: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. • Opportunities to reduce risk: • Catalog Services and Data - include risk potential and appeal to attackers • Secure events throughout lifecycle • Intelligent routing of sensitive messages • Leverage labels in Kubernetes and tags in cloud providers to give more visibility / reporting
  • 28. Protect • Definition: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. • Opportunities to reduce risk: • Use SSL/TLS Consistently (Akka, Lagom, Play, anything else) • Use SSL/TLS with Mutual Authentication for Akka Remoting • Disable Java Serializer in Akka (since 2.4.11) • Minimize container privileges • Utilize Kubernetes Role Based Access Control (and record events) for changes • Implement service identity and access control rules (service/data level authorization)
  • 29. Detect • Definition: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. • Opportunities to reduce risk: • Use tracing – Lightbend Telemetry / Open Tracing / Zipkin / Jaeger • Use monitors and alerts – OpsClarity Monitors, Prometheus • Akka Supervisors – Naturally handle all Actor exceptions (forward messages and track patterns) • Centralize logs, build benchmarks, and detect unusual patterns of activity • Integrate AI/Machine Learning – normal day vs. abnormal day
  • 30. Respond • Definition: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. • Opportunities to reduce risk: • Elastic application design • Quarantine a compromised Service/VM/container (fail fast) • Utilize circuit breakers and rate limiting • Patch rapidly and make changes without downtime
  • 31. Recover • Definition: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. • Opportunities to reduce risk: • Resiliency of the application • Snapshots and Replay (Event Sourcing) • Replication / Disaster Recovery strategy • Use multi-data center capability with Hot-backup • Utilize Kubernetes distributed clusters and federation
  • 32. Demo
  • 33. Reducing Risk in Reactive Patient Vitals App • Use event sourcing (audit trail/recovery) and CQRS (controls for reporting) • Create snapshots of events and prioritize ability to replay them (test it) • Minimize instances of sensitive data - what information is really required? • Restrict access to services - what should be able to call them? • Secure communication between services (mutual TLS / service authentication) • Capture and store metrics on caller, # of calls, and response times • Capture container images, version deployment history
  • 34. Communicating the Shift to Reactive • Explain business reasons for change (competitive pressure, speed to market, risk reduction, etc.) • Highlight features of the architectural patterns • Provide realtime visibility (trust but verify) • Automate auditing (follow up on inconsistencies) – Netflix’s Security Monkey • Restrict changes (who is allowed to make changes with strong traceability) • Highlight reductions in current targets (time to patch, RTO/RPO)

Notas del editor

  1. GDPR’s penalty at 4% of 2016 revenue would have $125M.