SEGREGATION OF DUTIES AND CONTINUOUS DELIVERY
How to enable Continuous Delivery while continuing
to protect the business and customers.
Sriram “Ram” Narayanan
DevSecCon SG 2017
www.sriramnarayanan.com
@sriramNRN
A friendly implementation of
Segregation of Duties
enables Continuous Delivery,
Security and Compliance to co-exist
What we’ll cover today
■ About Continuous Delivery
■ The need for Segregation of Duties
■ How typical enforcement of Segregation of Duties is a blocker to CD
■ How to improve SoD enforcement and accelerate CD
Important Points
■ People behave as they are measured (e.g. KPIs)
■ Most issues are 10% technical and 90% cultural/behavioral
■ CD-Friendly SoD and true Continuous Delivery are mostly process and
people problems, and far less a tool problem.
■ You should move toward automation-friendly tools, though.
ABOUT CONTINUOUS DELIVERY
It’s beyond Continuous Integration, and beyond “CI/CD”
What Continuous Delivery is NOT:
Topic | Clarification
"CI/CD" | You need more than just a "daemonic CI" and a "pipeline plugin"
Continuous Deployment / blanket permission for "Deployment using Tools" | Environment owners need to review, approve and trigger deployments at their convenience.
Permission to push "Containers" to Prod | What goes in those containers needs to be validated!
Continuous Delivery
Keep software in a reliable and
deployable state so that you can
deploy on demand.
Continuous delivery is a software
engineering approach in which
teams produce software in short
cycles, ensuring that the software
can be reliably released at any
time. It aims at building, testing,
and releasing software faster and
more frequently.
- Wikipedia
With fast I.T. turn-around times, business can:
■ Stay competitive
■ Respond to change faster
■ Fix defects earlier
■ Try new ideas boldly and revert confidently.
What we’d love to have!
Commit Code → Build and Package → Test Locally → Deploy to Production!
Production Support
■ Deploy whenever we want
■ Debug processes on Production servers
■ Query Production Databases
■ Inspect traffic, review log files
■ Apply hot fixes within minutes
Reality Check!
Commit Code → Build and Package → Test Locally → Deploy to Production! (Tickets per phase!)
Production Support
■ Deploy whenever we want - "Raise a ticket to deploy"
■ Debug processes on Production servers - "No way!!"
■ Query Production Databases - A ticket for individual query results
■ Inspect traffic, review log files - A ticket for log extracts
■ Apply hot fixes within minutes - Ticket please!
What puzzles (frustrates!) Dev Teams and Business
■ Why are Ops, Audit and Security Teams throwing roadblocks at us?
■ Are they raising roadblocks just to assert their importance?
■ Why are Ops given access that they cannot make use of to solve issues?
■ Why do we have such ridiculous policies!?
■ Why does everyone make us raise so many tickets?
■ Why are we trusted to write the software but not to troubleshoot it!!!??
■ Are Ops, Security and Compliance on our side, or on our competitors' side?
What Ops, Security, Compliance have to say:
“We are merely following industry
norms to protect business and
customers. We are not the enemy!
Please don’t blame us for doing
our job!!”
So, who is right?
Development teams – who develop
software that meets business goals?
Or
Ops and Security – who ensure
uptimes and protect customers?
SEGREGATION OF DUTIES
Why Ops, Security and Compliance do what they do
Expectations from an organization
■ Make money (if a business)
■ Conform to the laws (e.g. those that protect the customers’ interests)
■ Run in a stable manner
How orgs are managed - GRC (Source: Wikipedia)
Topic | Explanation
Governance | The executives are responsible for the org's operations
Risk Management | Identify, analyze and respond to risks
Compliance | Conform to stated requirements (Regulations, Org policies, Business guarantees to customers)
Applicable to IT, Finance, Legal
Some examples of fraud and error
■ Untimely and/or non-uniform deployment
■ Deploying with the wrong permissions
■ Handling production environments with zero exposure and skills
■ Accessing confidential data in violation of privacy policies
■ Changing production configurations ad-hoc with poor review, and poor
documentation of changes
■ Bypassing domain logic and enforcement in the application, and changing
production data directly
■ Logging confidential data and accessing these via logs
Separation of duties (SoD) (also
known as "Segregation of duties")
is the concept of having more than
one person required to complete a
task. … an internal control intended
to prevent fraud and error
- Wikipedia
Segregation of Duties
■ A well-understood concept in Finance, Law, Governance, Military, etc.
■ No single person should have end to end access to complete an entire
workflow
■ At least one other person should be able to
● Regulate the activity, if need be.
● Review the activity
Segregation of Duties in IT
No single person or team should
have end to end access from code
to production
Typical SoD procedures for Deployments
Intent | Action | Typical Implementation | Impact
Devs should not author and deploy code | Deployment by Ops | Dependent upon Ops availability | Business cannot deploy on-demand
Demonstrate deployment in an auditable manner | Deployment using Tools | Special tools, typically not available in Dev | Dev and Prod deployments are different
Control over when prod is changed | Deployment at specific times | Strict calendar schedules | Cannot deploy frequently. Exceptions can be expensive.
Typical SoD procedures for Troubleshooting
Intent | Action | Typical Implementation | Impact
Devs should not access confidential data in logs | Regulate access to log systems | Access to prod logs governed by SLAs. Extracts only. | Lack of direct access to logs prevents fast troubleshooting
Prevent ad-hoc/harmful changes, and data sniffing | Regulate access to prod servers | Special tools, typically not available in Dev | Dev and Prod deployments are different
Typical SoD procedures for Databases
Intent | Action | Typical Implementation | Impact
Ensure database schema and data integrity by skilled DBAs | Regulate changes to databases | Changes reviewed and denied before prod deployment. Documentation. | Waste of precious time. Wasteful documentation.
Prevent ad-hoc/harmful changes, and data sniffing | Regulate access to prod data | A query per ticket, reviewed, approved, applied | Waste of precious time. Penalties for delays
Typical SoD procedures for Configuration
Intent | Action | Typical Implementation | Impact
Ensure that all (app, OS) changes to prod are valid and documented | Regulate changes to production | Changes reviewed and denied before prod deployment. Documentation | Waste of precious time. Wasteful documentation.
Prevent attacks based on known weaknesses | Apply patches regularly at scheduled intervals | Configuration (settings, patches) not shared with devs | Software not tested with Prod configuration
Defensive SoD and insecurely
architected software can prevent
Continuous Delivery
CD-FRIENDLY SOD
Ensure Segregation of Duties while also enabling fast response times
CD-friendly SoD – General principles
■ Involve Ops and Security right from Design phase
■ Policies in executable form via CD-Friendly config mgmt tools.
■ Separate confidential data and logs from regular data and logs
■ Single Deployment bundle – app, config, policy, DB schema.
■ Bundle Once, Deploy anywhere
■ Restrict access to confidential data/logs, permit easy access to regular
data/logs.
■ Enforce via config rather than via tickets (e.g. resource throttling vs tickets).
■ Use multi-factor (vs tickets) where possible to regulate actions.
CD-Friendly deployment and configuration
Commit Code → Build and Package → Test Locally → Deploy to Production!
■ Dev, DBA, Ops and Security contribute policies, code and approved changes (app, OS patches, configs, DB changes) to a single Deployment Bundle.
■ The tested Deployment Bundle ships with approved, prod-ready configs and is exercised by automated, exploratory and pen tests.
■ When gatekeeping checks are codified and tested, 2FA deployment enables any-time deployment by the Env owner.
CD-Friendly SoD!
Commit Code → Build and Package → Test Locally → Deploy to Production!
(Dev, DBA, Ops and Security feed app, OS patches, configs and DB changes into a Pre-Approved Deployment Bundle; 2FA deployment by the Env Owner)
Production Support
■ Deploy whenever we want – Environment owners decide, use 2FA
■ Debug processes on Production servers – Yes, configs elsewhere.
■ Query Production Databases – Easier access to regular data.
■ Inspect traffic, review log files – Easier access to regular data.
■ Apply hot fixes within minutes – Test in 1-click dev envs first
CD-Friendly SoD procedures for Deployments
Intent | Action | Recommended Implementation | Impact
Devs should not author and deploy code | Deployment by Environment Owners | Review and deploy changes in small batches | Small batches make changes easier to review.
Demonstrate deployment in an auditable manner | Configuration management tools | Build once, deploy anywhere | Dev and Prod are auditably the same
Control over when prod is changed | Deployment by Environment Owners | Frequent deploys in small batches. Multi-factor controls | Deploy only when the Env owner wants to.
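The three rows above describe a deployment gate rather than a ticket queue: the artefact that reaches prod must be the one that was tested and signed off ("build once, deploy anywhere"), the person triggering the deployment must be the environment owner and not an author of the change, and the trigger is protected by a second factor. The block below is an added example by the editor, not tooling from the talk; the approval-record layout, the four reviewing roles, the user names and the use of TOTP (RFC 6238) as the second factor are assumptions. Every refusal comes back as a concrete, loggable reason, which is what an auditor wants to see instead of a ticket trail.

```python
"""Deployment gate for a pre-approved bundle: one check per SoD intent.
Illustrative code added by the editor; record layout, role names and the
TOTP second factor are assumptions, not the talk's own tooling."""
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: the four roles that review a bundle in a non-prod environment.
REQUIRED_SIGN_OFFS = frozenset({"dev", "dba", "ops", "security"})


@dataclass(frozen=True)
class Approval:
    """Written when the bundle passed its tests in non-prod and was signed off."""
    bundle_sha256: str    # digest of the exact artefact that was tested
    environment: str      # environment the approval is valid for
    authors: frozenset    # people who authored the change; they must not deploy it
    sign_offs: frozenset  # roles that reviewed it


def bundle_digest(bundle: bytes) -> str:
    return hashlib.sha256(bundle).hexdigest()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept one time step of clock skew either way; compare in constant time."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )


def authorize_deploy(bundle: bytes, approval: Approval, target_env: str, env_owner: str,
                     deployer: str, otp: str, now: int, owner_secret: bytes):
    """Return (allowed, reasons). Each refusal is a concrete reason for the audit log."""
    reasons = []
    if bundle_digest(bundle) != approval.bundle_sha256:
        reasons.append("bundle differs from the tested, approved bundle")
    if approval.environment != target_env:
        reasons.append(f"approval is for {approval.environment!r}, not {target_env!r}")
    missing = REQUIRED_SIGN_OFFS - approval.sign_offs
    if missing:
        reasons.append("missing sign-offs: " + ", ".join(sorted(missing)))
    if deployer != env_owner:
        reasons.append("only the environment owner may trigger a deployment")
    if deployer in approval.authors:
        reasons.append("deployer authored the change: SoD violation")
    if not verify_totp(owner_secret, otp, now):
        reasons.append("second factor rejected")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample data: a bundle, its approval record and the owner's OTP secret.
    bundle = b"app-1.4.2.tar + config + policy + schema"
    approval = Approval(bundle_digest(bundle), "prod", frozenset({"dev-bob"}), REQUIRED_SIGN_OFFS)
    secret, now = b"12345678901234567890", 1700000000
    print("owner, valid OTP:", authorize_deploy(
        bundle, approval, "prod", "ops-alice", "ops-alice", totp(secret, now), now, secret))
    print("author, tampered bundle:", authorize_deploy(
        bundle + b"x", approval, "prod", "ops-alice", "dev-bob", "000000", now, secret))
```

The digest check is what makes "Dev and Prod are auditably the same" verifiable: the approval is bound to the bytes that were tested, so a rebuilt or patched artefact is refused even when every other condition holds. The OTP secret would live with the environment owner's authenticator, not on the CI host.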
CD-Friendly SoD procedures for Troubleshooting
Intent | Action | Recommended Implementation | Impact
Devs should not access confidential data in logs and config files | Separate confidential and regular logs. Externalised configuration | Log UUIDs. Prod Support teams access regular logs, and can SSH to prod. | Confidential data remains restricted. Prod support is fast.
Prevent ad-hoc/harmful changes, and data sniffing | Standard environments. | 1-click environment creation and 1-click deployment | Prod errors can be caught earlier in Dev. Reduces prod errors.
CD-Friendly SoD procedures for Databases
Intent | Action | Recommended Implementation | Impact
Ensure database schema and data integrity by skilled DBAs | Regulate changes to databases using CD-friendly DB config tools | DBAs review and recommend changes at Dev using CD-friendly tools. | Identical schema from Dev through prod as approved by the DBA.
Prevent ad-hoc/harmful changes, and data sniffing | Delink confidential and regular data. | Restrict access to confidential data. Provide access to regular data. | Most troubleshooting needs just regular data, and is fast.
CD-Friendly SoD procedures for Configuration
Intent | Action | Recommended Implementation | Impact
Ensure that all (app, OS) changes to prod are valid and documented | Ops and Security config settings in CD-Friendly config management tool | Test pre-approved configs from dev through prod. | Pre-approved and tested configs enable frequent deploys.
Prevent attacks based on known weaknesses | Test OS patches in Dev | Apply and test OS patches via automation in 1-click dev env. | Rapidly test OS patches and Software in non-Prod first.
THANK YOU
Sriram “Ram” Narayanan
@sriramNRN
ram@thoughtworks.com
www.sriramnarayanan.com
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 

Segregation of Duties and Continuous Delivery

  • 1. SEGREGATION OF DUTIES AND CONTINUOUS DELIVERY
    How to enable Continuous Delivery while continuing to protect the business and customers.
    Sriram “Ram” Narayanan, DevSecCon SG 2017
    www.sriramnarayanan.com @sriramNRN
  • 2. A friendly implementation of Segregation of Duties enables Continuous Delivery, Security and Compliance to co-exist.
  • 3. What we’ll cover today
    ■ About Continuous Delivery
    ■ The need for Segregation of Duties
    ■ How typical enforcement of Segregation of Duties is a blocker to CD
    ■ How to improve SoD enforcement and accelerate CD
  • 4. Important Points
    ■ People behave as they are measured (e.g. KPIs)
    ■ Most issues are 10% technical and 90% cultural/behavioral
    ■ CD-friendly SoD and true Continuous Delivery are mostly process and people problems, and only marginally tool problems.
    ■ You should move toward automation-friendly tools, though.
  • 6. What Continuous Delivery is NOT:
    Topic: “CI/CD”
    Clarification: You need more than just a “daemonic CI” and a “pipeline plugin”.
    Topic: Continuous Deployment, deployment using tools, blanket permission to deploy
    Clarification: Environment owners need to review, approve and trigger deployments at their convenience.
    Topic: Permission to push “containers” to Prod
    Clarification: What goes in those containers needs to be validated!
  • 7. Continuous Delivery: keep software in a reliable and deployable state so that you can deploy on demand.
  • 8. “Continuous delivery is a software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time. It aims at building, testing, and releasing software faster and more frequently.” - Wikipedia
  • 9. With fast I.T. turn-around times, business can:
    ■ Stay competitive
    ■ Respond to change faster
    ■ Fix defects earlier
    ■ Try new ideas boldly and revert confidently.
  • 10. What we’d love to have!
    Pipeline: Commit Code → Build and Package → Test Locally → Deploy to Production!
    Production Support:
    ■ Deploy whenever we want
    ■ Debug processes on Production servers
    ■ Query Production Databases
    ■ Inspect traffic, review log files
    ■ Apply hot fixes within minutes
  • 11. Reality Check!
    Pipeline: Commit Code → Build and Package → Test Locally → Deploy to Production! Tickets per phase!
    Production Support:
    ■ Deploy whenever we want - “Raise a ticket to deploy”
    ■ Debug processes on Production servers - “No way!!”
    ■ Query Production Databases - A ticket for individual query results
    ■ Inspect traffic, review log files - A ticket for log extracts
    ■ Apply hot fixes within minutes - Ticket please!
  • 12. What puzzles (frustrates!) Dev Teams and Business
    ■ Why are Ops, Audit and Security Teams throwing roadblocks at us?
    ■ Are they raising roadblocks just to assert their importance?
    ■ Why are Ops given access that they cannot make use of to solve issues?
    ■ Why do we have such ridiculous policies!?
    ■ Why does everyone make us raise so many tickets?
    ■ Why are we trusted to write the software but not to troubleshoot it!!!??
    ■ Are Ops, Security and Compliance on our side, or on our competitors’ side?
  • 13. What Ops, Security, Compliance have to say:
    “We are merely following industry norms to protect business and customers. We are not the enemy! Please don’t blame us for doing our job!!”
  • 14. So, who is right?
    Development teams, who develop software that meets business goals? Or Ops and Security, who ensure uptimes and protect customers?
  • 15. SEGREGATION OF DUTIES: Why Ops, Security and Compliance do what they do
  • 16. Expectations from an organization
    ■ Make money (if a business)
    ■ Conform to the laws (e.g. those that protect the customers’ interests)
    ■ Run in a stable manner
  • 17. How orgs are managed - GRC (Source: Wikipedia)
    Governance: The executives are responsible for the org’s operations.
    Risk Management: Identify, analyze and respond to risks.
    Compliance: Conform to stated requirements (regulations, org policies, business guarantees to customers).
    Applicable to IT, Finance, Legal.
  • 18. Some examples of fraud and error
    ■ Untimely and/or non-uniform deployment
    ■ Deploying with the wrong permissions
    ■ Handling production environments with zero exposure and skills
    ■ Accessing confidential data in violation of privacy policies
    ■ Changing production configurations ad-hoc with poor review, and poor documentation of changes
    ■ Bypassing domain logic and enforcement in the application, and changing production data directly
    ■ Logging confidential data and accessing these via logs
  • 19. “Separation of duties (SoD) (also known as "Segregation of duties") is the concept of having more than one person required to complete a task. … an internal control intended to prevent fraud and error” - Wikipedia
  • 20. Segregation of Duties
    ■ A well-understood concept in Finance, Law, Governance, Military, etc.
    ■ No single person should have end-to-end access to complete an entire workflow
    ■ At least one other person should be able to
      ● Regulate the activity, if need be.
      ● Review the activity
  • 21. Segregation of Duties in IT: no single person or team should have end-to-end access from code to production.
  • 22. Typical SoD procedures for Deployments
    Intent: Devs should not author and deploy code
    Action: Deployment by Ops
    Typical implementation: Dependent upon Ops availability
    Impact: Business cannot deploy on demand
    Intent: Demonstrate deployment in an auditable manner
    Action: Deployment using tools
    Typical implementation: Special tools, typically not available in Dev
    Impact: Dev and Prod deployments are different
    Intent: Control over when prod is changed
    Action: Deployment at specific times
    Typical implementation: Strict calendar schedules
    Impact: Cannot deploy frequently. Exceptions can be expensive.
  • 23. Typical SoD procedures for Troubleshooting
    Intent: Devs should not access confidential data in logs
    Action: Regulate access to log systems
    Typical implementation: Access to prod logs governed by SLAs. Extracts only.
    Impact: Lack of direct access to logs prevents fast troubleshooting
    Intent: Prevent ad-hoc/harmful changes, and data sniffing
    Action: Regulate access to prod servers
    Typical implementation: Special tools, typically not available in Dev
    Impact: Dev and Prod deployments are different
  • 24. Typical SoD procedures for Databases
    Intent: Ensure database schema and data integrity by skilled DBAs
    Action: Regulate changes to databases
    Typical implementation: Changes reviewed and denied before prod deployment. Documentation.
    Impact: Waste of precious time. Wasteful documentation.
    Intent: Prevent ad-hoc/harmful changes, and data sniffing
    Action: Regulate access to prod data
    Typical implementation: A query per ticket, reviewed, approved, applied
    Impact: Waste of precious time. Penalties for delays.
  • 25. Typical SoD procedures for Configuration
    Intent: Ensure that all (app, OS) changes to prod are valid and documented
    Action: Regulate changes to production
    Typical implementation: Changes reviewed and denied before prod deployment. Documentation.
    Impact: Waste of precious time. Wasteful documentation.
    Intent: Prevent attacks based on known weaknesses
    Action: Apply patches regularly at scheduled intervals
    Typical implementation: Configuration (settings, patches) not shared with devs
    Impact: Software not tested with Prod configuration
  • 26. Defensive SoD and insecurely architected software can prevent Continuous Delivery.
  • 27. CD-FRIENDLY SOD: Ensure Segregation of Duties while also enabling fast response times
  • 28. CD-friendly SoD – General principles
    ■ Involve Ops and Security right from the Design phase
    ■ Policies in executable form via CD-friendly config mgmt tools.
    ■ Separate confidential data and logs from regular data and logs
    ■ Single deployment bundle – app, config, policy, DB schema.
    ■ Bundle once, deploy anywhere
    ■ Restrict access to confidential data/logs, permit easy access to regular data/logs.
    ■ Enforce via config rather than via tickets (e.g. resource throttling vs tickets).
    ■ Use multi-factor (vs tickets) where possible to regulate actions.
  • 29. CD-friendly deployment and configuration
    Pipeline: Commit Code → Build and Package → Test Locally → Deploy to Production!
    ■ Commit Code: Dev, DBA, Ops and Security all commit policies, code and approved changes (app, OS patches, configs, DB changes).
    ■ Build and Package: a single Deployment Bundle.
    ■ Test: automated, exploratory and pen tests produce a tested Deployment Bundle with approved prod-ready configs.
    ■ Deploy: when gatekeeping checks are codified and tested, 2FA deployment enables any-time deployment by the Env owner.
  • 30. CD-friendly SoD!
    Pipeline: Commit Code (Dev, DBA, Ops, Security: app, OS patches, configs, DB changes) → Build and Package (pre-approved Deployment Bundle) → Test Locally (pre-approved Deployment Bundle) → Deploy to Production! (2FA deployment by Env owner)
    Production Support:
    ■ Deploy whenever we want – Environment owners decide, use 2FA
    ■ Debug processes on Production servers – Yes, configs elsewhere.
    ■ Query Production Databases – Easier access to regular data.
    ■ Inspect traffic, review log files – Easier access to regular data.
    ■ Apply hot fixes within minutes – Test in 1-click dev envs first
  • 31. CD-friendly SoD procedures for Deployments
    Intent: Devs should not author and deploy code
    Action: Deployment by Environment Owners
    Recommended implementation: Review and deploy changes in small batches
    Impact: Small batches make changes easier to review.
    Intent: Demonstrate deployment in an auditable manner
    Action: Configuration management tools
    Recommended implementation: Build once, deploy anywhere
    Impact: Dev and Prod are auditably the same
    Intent: Control over when prod is changed
    Action: Deployment by Environment Owners
    Recommended implementation: Frequent deploys in small batches. Multi-factor controls
    Impact: Deploy only when the Env owner wants to.
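The gate that slides 28 to 31 describe (a single pre-approved bundle, approvals from DBA, Ops and Security, build once and deploy anywhere, and a second factor from the environment owner instead of a ticket) can be written as code rather than process. The block below is an added example in Python and is not part of the original deck or the author's material. It assumes per-role HMAC-SHA256 keys as a stand-in for real approval signatures, a TOTP (RFC 6238, HMAC-SHA1, 30-second step) as the environment owner's second factor, and `dba`, `ops` and `security` as the required approver roles; all artifact names and keys in it are constructed.

```python
"""Added example (not from the deck): a deployment gate that codifies the
SoD rules of slides 28 to 31 instead of enforcing them with tickets.

Assumed for this example: per-role HMAC-SHA256 keys stand in for real
approval signatures, the environment owner's second factor is a TOTP
(RFC 6238, HMAC-SHA1, 30 s step), and the required approver roles are
dba, ops and security.
"""
import hashlib
import hmac
import struct
import time

REQUIRED_ROLES = {"dba", "ops", "security"}   # assumed set of gatekeepers
TOTP_STEP = 30


def bundle_digest(artifacts):
    """One digest over app, config, policy and schema: approvals bind to the whole bundle."""
    h = hashlib.sha256()
    for name in sorted(artifacts):                # sorted -> order-independent
        h.update(name.encode() + b"\0" + artifacts[name] + b"\0")
    return h.hexdigest()


def _approval_msg(role, approver, digest):
    return f"{role}|{approver}|{digest}".encode()


def approve(role_key, role, approver, digest):
    """A reviewer in `role` vouches for exactly this bundle digest."""
    tag = hmac.new(role_key, _approval_msg(role, approver, digest), hashlib.sha256).hexdigest()
    return {"role": role, "approver": approver, "digest": digest, "tag": tag}


def totp(secret, at, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (the default used by most authenticator apps)."""
    counter = struct.pack(">Q", at // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_deploy(artifacts, author, approvals, role_keys, owner_secret, owner_code, now=None):
    """Return (ok, reason). ok is True only when every SoD rule holds."""
    digest = bundle_digest(artifacts)
    approved_by = {}
    for a in approvals:
        key = role_keys.get(a["role"])
        if key is None:
            return False, f"unknown approver role {a['role']!r}"
        expected = hmac.new(key, _approval_msg(a["role"], a["approver"], a["digest"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a["tag"]):
            return False, f"approval tag for {a['role']} does not verify"
        if a["digest"] != digest:
            return False, f"{a['role']} approved a different bundle"   # "build once, deploy anywhere"
        if a["approver"] == author:
            return False, "author of the change cannot approve it"       # the core SoD rule
        approved_by[a["role"]] = a["approver"]
    missing = REQUIRED_ROLES - set(approved_by)
    if missing:
        return False, "missing approvals: " + ", ".join(sorted(missing))
    now = int(time.time()) if now is None else now
    # The environment owner must be present now: accept the current step and its neighbours.
    if not any(hmac.compare_digest(totp(owner_secret, now + d), owner_code)
               for d in (-TOTP_STEP, 0, TOTP_STEP)):
        return False, "environment owner second factor rejected"
    return True, f"bundle {digest[:12]} approved by {sorted(approved_by.values())}"
```

Every rule the slides spell out is a single check here: the author cannot approve, each required role must approve, every approval binds to the digest of the exact bundle being deployed (so a config edited after review fails), and the deploy only proceeds when the environment owner types a live code. Such a gate can run in the pipeline on every deploy and leaves a verifiable record instead of a ticket trail.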
  • 32. CD-friendly SoD procedures for Troubleshooting
    Intent: Devs should not access confidential data in logs and config files
    Action: Separate confidential and regular logs. Externalised configuration
    Recommended implementation: Log UUIDs. Prod Support teams access regular logs, and can SSH to prod.
    Impact: Confidential data remains restricted. Prod support is fast.
    Intent: Prevent ad-hoc/harmful changes, and data sniffing
    Action: Standard environments.
    Recommended implementation: 1-click environment creation and 1-click deployment
    Impact: Prod errors can be caught earlier in Dev. Reduces prod errors.
  • 33. CD-friendly SoD procedures for Databases
    Intent: Ensure database schema and data integrity by skilled DBAs
    Action: Regulate changes to databases using CD-friendly DB config tools
    Recommended implementation: DBAs review and recommend changes at Dev using CD-friendly tools.
    Impact: Identical schema from Dev through prod as approved by the DBA.
    Intent: Prevent ad-hoc/harmful changes, and data sniffing
    Action: Delink confidential and regular data.
    Recommended implementation: Restrict access to confidential data. Provide access to regular data.
    Impact: Most troubleshooting needs just regular data, and is fast.
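Slides 32 and 33 both rest on the same technique: delink confidential fields from regular data and logs, so that a log line or a support query carries only an opaque UUID reference, and only a restricted role can resolve it. The block below is an added example in Python that is not part of the original deck or the author's material. It assumes an in-memory `ConfidentialStore` in place of a real restricted store, `privacy` as the only role allowed to resolve references, the field names `email`, `card_number` and `national_id` as the confidential set, and a CI-time leak guard built from two constructed regexes; the sample record is constructed.

```python
"""Added example (not from the deck): keep confidential fields out of regular
data and logs by replacing them with an opaque UUID reference.

Assumed for this example: an in-memory ConfidentialStore stands in for the
restricted store, the role name "privacy" is the only one allowed to resolve a
reference, and leaks_confidential() is a CI-time guard built from two regexes.
"""
import json
import re
import uuid

CONFIDENTIAL_FIELDS = {"email", "card_number", "national_id"}  # assumed field names
READ_ROLES = {"privacy"}                                         # assumed role that may resolve refs

# Constructed patterns for the leak guard: 13-19 digit PAN-like numbers and e-mail addresses.
_PAN = re.compile(r"\b\d{13,19}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class ConfidentialStore:
    """Restricted store keyed by UUID; everything outside it is 'regular' data."""

    def __init__(self):
        self._rows = {}

    def put(self, fields):
        ref = str(uuid.uuid4())          # the only thing that ever reaches regular data or logs
        self._rows[ref] = dict(fields)
        return ref

    def get(self, ref, role):
        if role not in READ_ROLES:
            raise PermissionError(f"role {role!r} may not resolve confidential references")
        return dict(self._rows[ref])


def split_record(record, store):
    """Move confidential fields into the store; the regular record keeps only the reference."""
    regular = {k: v for k, v in record.items() if k not in CONFIDENTIAL_FIELDS}
    confidential = {k: v for k, v in record.items() if k in CONFIDENTIAL_FIELDS}
    regular["confidential_ref"] = store.put(confidential) if confidential else None
    return regular


def log_line(event, regular):
    """Regular log line: safe for prod-support eyes because it carries only the reference."""
    return json.dumps({"event": event, **regular}, sort_keys=True)


def leaks_confidential(line):
    """Guard to run over test logs in CI: True if a PAN-like number or an e-mail address appears."""
    return bool(_PAN.search(line) or _EMAIL.search(line))


def can_read(store, ref, role):
    """True if `role` is allowed to resolve `ref` in the restricted store."""
    try:
        store.get(ref, role)
        return True
    except PermissionError:
        return False
```

With the split in place, prod support can read logs and query the regular table directly (the slides' "easier access to regular data"), while a privacy-cleared role resolves the reference only when a case actually needs it. Running `leaks_confidential` over the logs produced by the automated tests catches the "logging confidential data" error from slide 18 before a change reaches production.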
  • 34. CD-friendly SoD procedures for Configuration
    Intent: Ensure that all (app, OS) changes to prod are valid and documented
    Action: Ops and Security config settings in a CD-friendly config management tool
    Recommended implementation: Test pre-approved configs from dev through prod.
    Impact: Pre-approved and tested configs enable frequent deploys.
    Intent: Prevent attacks based on known weaknesses
    Action: Test OS patches in Dev
    Recommended implementation: Apply and test OS patches via automation in a 1-click dev env.
    Impact: Rapidly test OS patches and software in non-Prod first.