IBM InterConnect 2016: Security for DevOps in an Enterprise
1. 5930B Security and DevOps: How to Manage Security in a DevOps Enterprise
Sanjeev Sharma
CTO, DevOps Technical Sales and Adoption
Distinguished Engineer, IBM Cloud
2. Please Note:
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
3. Agenda
• DevOps refresher
• Security and the Application Delivery Pipeline
• Adopting a (Secure) DevOps Architecture
• Where do I start?
6. What does the Line of Business want from IT?
Figure: stakeholders grouped under the Line-of-business Customer (Product Owner, Senior Executives, Users, Domain Experts, Auditors, Gold Owner, Support Staff, External System) and under IT (Operations Staff, Team Lead, Team Members). What the line of business wants from IT: Agility - Velocity - Innovation.
7. DevOps approach: Apply Lean principles to accelerate feedback and improve time to value
Figure: a People and Process feedback loop between IT and the Line-of-business Customer, with the three numbered steps below.
1. Get ideas into production fast
2. Get people to use it
3. Get feedback
Continuously Improve:
I. Application Delivered
II. Environment Deployed
III. Application and Environment Delivery Process
9. Delivering a Business Capability – Hybrid Applications, Hybrid Platforms, Hybrid Teams
Figure: Application A, Application B, Application C, … Application N together deliver one Business Capability.
10. Three Levels of Security
1. Secure the Perimeter
2. Secure the Delivery Pipeline
3. Secure the Deliverable
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/
14. Risks and Vulnerabilities - Delivery Pipeline and Deliverables
• Vulnerabilities related to the supply chain
• Insider attacks
• Errors and mistakes in the development project
• Weaknesses in the design, code, and integration
• API Economy and Security
http://www.ibm.com/developerworks/library/d-security-considerations-devops-adoption/
15. Vulnerabilities related to the supply chain
Figure: the software supply chain feeding the pipeline, made up of External Supplier A, External Supplier B, Internal Supplier A and Internal Supplier B.
17. Errors and mistakes in the development project
Figure: batch-size comparison of pipeline stages, contrasting flow rates of 1 per min and 4 per min between stages.
• Reduce Batch Size
– Integrated Delivery Pipeline
– Agile Development
• Continuous Security Testing
• Continuous Validation
18. Weaknesses in the design, code, and integration
http://www-03.ibm.com/security/secure-engineering/
21. Adopting Bi-modal IT World – Transformation
• Industrialized Core
– Traditional Development -> DevOps; Legacy -> Cloud-ready
– Traditional Middleware -> Middleware on Cloud, APIs, Software Defined Infrastructure
• Agile/Innovation Edge
– Traditional Development -> Cloud Native, 12-factor Apps, DevOps, PaaS
• Partner Ecosystem
– Point-to-Point Integration -> API Economy
(The three tiers are connected through APIs.)
22. DevOps Multi-Speed IT Architecture
Figure (IBM Architecture Center): DevOps Multi-Speed IT Architecture on Bluemix. Pipeline stages: Track & Plan, Develop, Build, Deploy, Release, Test. Components: Source Control, Delivery Pipeline, Web IDE, Live Sync, Active Deploy, Auto Scaling, Runtime Environments (Runtimes & Containers), API Management, and a Secure Gateway to On-Premises Systems.
https://developer.ibm.com/architecture/
26. Notices and Disclaimers Cont’d.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®, FileNet®, Global Business Services®, Global Technology Services®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®, PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®, StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
27. Thank You
Your Feedback is Important!
Access the InterConnect 2016 Conference Attendee Portal to complete your session surveys from your smartphone, laptop or conference kiosk.