How to Manage Security in a DevOps Enterprise

1. 5930B Security and DevOps: How to
Manage Security in a DevOps Enterprise
Sanjeev Sharma
CTO, DevOps Technical Sales and Adoption
Distinguished Engineer, IBM Cloud

2. Please Note:
1
• IBM’s statements regarding its plans,directions,and intentare subjectto change or withdrawalwithoutnotice atIBM’s sole
discretion.
• Information regarding potential future products is intended to outline our general productdirection and itshould notbe relied on in
making a purchasing decision.
• The information mentioned regarding potential future products is nota commitment, promise,or legal obligation to deliver any
material,code or functionality.Information aboutpotentialfuture products may notbe incorporated into any contract.
• The development,release,and timing ofany future features or functionality described for our products remains atour sole discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment.The actual
throughputor performance thatany user will experience willvary depending upon many factors,including considerations such as the
amountofmultiprogramming in the user’s job stream,the I/O configuration,the storage configuration,and the workload processed.
Therefore,no assurance can be given thatan individual user willachieveresults similar to those stated here.

3. Agenda
2
• DevOps refresher
• Security and the Application Delivery Pipeline
• Adopting a (Secure) DevOps Architecture
• Where do I start?

4. DevOps Refresher

5. 4 © IBM Corporation
DevOps: Origins

6. What does the Line of Business want from IT?
Product Owner
Senior Executives
Users Domain ExpertsAuditors
Gold Owner Support Staff
ExternalSystem
Team
Operations
Staff
Team MemberTeam Lead
Team MemberTeam Member
Line-of-business Customer
IT
Agility - Velocity - Innovation

7. DevOps approach: Apply Lean principles accelerate feedback and
improve time to value
6
People
Process
Line-of-
business
Customer
1
3
2
1. Get ideas into production fast
2. Get people to use it
3. Get feedback
ContinuouslyImprove:
I. Application Delivered
II. EnvironmentDeployed
III. Application and EnvironmentDeliveryProcess

8. Security and the Application
Delivery Pipeline

9. Delivering a Business Capability – Hybrid Applications, Hybrid
Platforms, Hybrid Teams
Application A
Application B
Application C
Application N
BusinessCapability
…

10. Three Levels of Security
9
1. Secure the Perimeter
2. Secure the Delivery Pipeline
3. Secure the Deliverable
http://www.ibm.com/developerworks/library/d-security-
considerations-devops-adoption/

11. Secure the Perimeter
10

12. Secure the Delivery Pipeline
11
Secure Engineering
Access and Control
Secure Build and Deploy
Security Testing of Scripts
Separation of Duties

13. Secure the Deliverable
12
Application
Middleware Config
Middleware
OS Config
Hardware
FullStack
Blueprint
Policies
Secure:
• Code
• Packages
• Components
• Configurations
• Content
• Policies
• Roles

14. Risks and Vulnerabilities - Delivery Pipeline and Deliverables
13
• Vulnerabilities related to the supply chain
• Insider attacks
• Errors and mistakes in the development project
• Weaknesses in the design, code, and integration
• API Economy and Security
http://www.ibm.com/developerworks/library/d-security-
considerations-devops-adoption/

15. Vulnerabilities related to the supply chain
14
External Supplier A
External Supplier B
Internal SupplierA
Internal Supplier B

16. Insider attacks
15

17. Errors and mistakes in the development project
16
1 per min 1 per min
4 per min 1 per min
4 per min 4 per min
• Reduce Batch size
– Integrated Delivery Pipeline
– Agile Development
• Continuous Security
Testing
• Continuous Validation

18. Weaknesses in the design, code, and integration
17http://www-03.ibm.com/security/secure-engineering/

19. 18
The API economy and security

20. Adopting a (Secure) DevOps
Architecture

21. Adopting Bi-modal IT World – Transformation
Industrialized Core
Traditional Development->DevOps, Legacy ->Cloud-ready
Traditional Middleware ->Middleware on Cloud, APIs, Software DefinedInfrastructure
Agile/Innovation Edge
Traditional Development ->
Cloud Native, 12-factor Apps, DevOps, PaaS
Partner Ecosystem
Point-to-Point Integration -> API
Economy
APIs
APIs
APIs

22. DevOps Multi-Speed IT Architecture
IBM Architecture Center
BLUEMIX
DELIVERY PIPELINESOURCE CONTROL
.js
LIVE SYNC
WEB IDE ACTIVE DEPLOY
AUTO SCALING
SECURE GATEWAY
ON-PREMISES
SYSTEMS
API MANAGEMENT
TRACK & PLAN
TRACK & PLAN DEVELOP BUILD DEPLOY
RELEASE TEST
RUNTIME ENVIRONMENTS
RUNTIMES &
CONTAINERS
1
2
3
6 7
9
10
8
1
2
4
5
10
https://developer.ibm.com/architecture/

23. Start Here:
Value Stream Mapping for Identifying and
Addressing bottlenecks

24. Mapping your Delivery Pipeline
Idea/Feature/Bug Fix/
Enhancement
Production
Development Build QA SIT UAT Prod
PMO
Requirements/
Analyst
Developer
CustomersLine of Business
Build
Engineer
QA Team Integration Tester User/Tester Operations
Artifact Repository
Deployment Engineer
Release Management
Code Repository
Deploy
Get Feedback
Infrastructure as Code/
Cloud Patterns
Feedback
Customer or
Customer Surrogate
Metrics - Reporting/Dashboarding
Tasks
Artifacts

25. Notices and Disclaimers
24
Copyright © 2016by International Business Machines Corporation(IBM). No part ofthis document may bereproduced or transmittedin anyform withoutwrittenpermission
from IBM.
U.S. Government UsersRestricted Rights - Use, duplication or disclosure restricted by GSA ADP ScheduleContract with IBM.
Informationin thesepresentations (including informationrelatingto products thathave not yetbeenannounced byIBM) has been reviewedfor accuracy as ofthe dateof
initial publication andcould includeunintentional technical or typographical errors. IBM shall haveno responsibility to update this information.THIS DOCUMENT IS
DISTRIBUTED "ASIS"WITHOUT ANYWARRANTY, EITHER EXPRESSOR IMPLIED. IN NO EVENT SHALLIBM BELIABLEFOR ANY DAMAGEARISING FROM THE
USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSSOF DATA,BUSINESS INTERRUPTION,LOSS OF PROFIT OR LOSSOF OPPORTUNITY.
IBM products andservicesare warrantedaccording tothe terms andconditions of the agreements under which they areprovided.
Any statements regarding IBM's future direction, intent or product plansaresubject to change or withdrawalwithout notice.
Performancedatacontainedhereinwas generally obtainedin a controlled, isolatedenvironments. Customer examplesare presentedas illustrations of how thosecustomers
have usedIBM products andtheresults theymay have achieved. Actual performance, cost, savingsor other results in other operating environments may vary.
References in this document to IBM products, programs, or services doesnotimply thatIBM intends tomake such products, programs or servicesavailablein all countries in
which IBM operatesor does business.
Workshops, sessions and associatedmaterials may havebeenprepared byindependent sessionspeakers, anddo not necessarily reflect the views of IBM. All materials
and discussionsare provided for informational purposesonly,andare neither intendedto, nor shall constitute legal or other guidanceor adviceto any individual participant or
their specific situation.
It is the customer’s responsibility to insureits own compliancewith legal requirements and toobtainadvice ofcompetent legal counsel as totheidentification and
interpretationof any relevant laws and regulatory requirements that mayaffect the customer’s business andany actions thecustomer may needto taketo comply with such
laws. IBM does not providelegal advice or representor warrantthat its services or products will ensurethat the customer is in compliancewith any law

26. Notices and Disclaimers Con’t.
25
Informationconcerningnon-IBM productswas obtained from the suppliers of thoseproducts, their publishedannouncementsor other publicly available sources. IBM hasnot
tested thoseproducts in connectionwith this publicationandcannot confirm theaccuracy of performance, compatibility or any other claims related to non-IBM products.
Questionson the capabilities of non-IBM products shouldbe addressedto thesuppliers of thoseproducts.IBM does not warrantthequality of any third-party products, or the
ability of any suchthird-partyproducts to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMSALL WARRANTIES,EXPRESSED OR IMPLIED, INCLUDINGBUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESSFOR A PARTICULAR PURPOSE.
The provision oftheinformation containedh ereinis not intendedto, and does not, grantany right or license under any IBM patents, copyrights, trademarks or other intellectual
property right.
IBM, the IBM logo, ibm.com, Aspera®, Bluemix,BlueworksLive,CICS, Clearcase,Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®,
FileNet®, Global BusinessServices ®, Global Technology Services ®, IBM ExperienceOne™,IBM SmartCloud®,IBM Social Business®, Informationon Demand,ILOG,
Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON,OpenPower, PureAnalytics™,PureApplication®, pureCluster™, PureCoverage®,PureData®,
PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®,QRadar®, Rational®, Rhapsody®, Smarter Commerce®,SoDA, SPSS, SterlingCommerce®,
StoredIQ,Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®,Worklight®, X-Force® and System z® Z/OS, aretrademarks of International Business
Machines Corporation, registeredin many jurisdictions worldwide. Other product andservicenames might betrademarks of IBM or other companies. A current list of IBM
trademarks is availableon the Webat "Copyrightandtrademark information" at: www.ibm.com/legal/copytrade.shtml.

27. Thank You
Your Feedback is Important!
Access the InterConnect 2016 Conference Attendee
Portal to complete your session surveys from your
smartphone,
laptop or conference kiosk.