EMBRACING DEVOPS TO IMPROVE VELOCITY AND SECURITY
February 22, 2018
ROB CLYDE, CHAIR, ISACA BOARD OF DIRECTORS; CISM; NACD BOARD LEADERSHIP FELLOW; MANAGING DIRECTOR, CLYDE CONSULTING LLC; EXECUTIVE CHAIR, WHITE CLOUD SECURITY; BOARD DIRECTOR, TITUS; EXECUTIVE ADVISOR TO BULLGUARD AND HYTRUST
REMEMBRANCE…AND THANKS…
Robert Stroud, CGEIT, CRISC; 2014-2015 ISACA Board Chair; 2015-2018 ISACA Board Director
Industry leader…Trusted colleague…Mentor to many…
And most importantly…friend.
WHY DEVOPS
Source: Robert Stroud; Xebia Labs
A REAL LIFE EXAMPLE OF DELAYING VELOCITY
Security Compliance Release Management
Software Development Life Cycle. Source: Robert Stroud; Xebia Labs
“We have to implement DevOps as it’s the only way to deliver the speed, security, velocity and quality our customers demand.” Fortune 500 CEO
Predictability - Lower failure rate of new releases
Reproducibility – Version everything
Maintainability - Faster time to recovery
Image from dev2ops.org. Source: Robert Stroud; Xebia Labs
DEVOPS: A TIMELINE
Source: Robert Stroud; Xebia Labs
Source: Robert Stroud; Xebia Labs
DEVOPS FOR EVERYONE!
“Successful product delivery with DevOps has many different engaged stakeholders – from highly technical to business oriented“
Stakeholders: Dev, Release Mgmt, QA, Business, Ops, Compliance, Mgmt, Security
WHO DOES DEVOPS (BETTER SAID: WHO DOESN’T)
Source: Robert Stroud; Xebia Labs
DEVOPS ADOPTION WAVE
Hitting the Scalability Wall
Initial success with team of “rock stars”
Attempts to go wide, run into trouble
Data-Driven Continuous Improvement & Involvement
DevOps at Enterprise Scale: A Leap of Faith
Skills
Software
Scaling
Security & Compliancy
CI/CD is our silver bullet and will solve all our problems!
Our team has an increase in productivity by 80%!
We’re shipping 3X more often, let’s roll this out more widely
Our IT heroes can do this
This is how we will become a modern IT enterprise
This is cool, no more manual steps. We can automate everything
Let’s build compliancy into the pipeline
Let’s replace our big testing phases at the end with continuous testing
Let’s use data to drive our improvement cycle at scale
More teams and more roles are included
We also have to think about deployments further than Dev & Test
Let’s simplify our application architecture to speed up
All parties can be involved, even the auditing team
Can I redesign my security & compliancy process to speed up delivery?
Why don’t the new teams get it?
We need a plan to manage this transformation at scale
Why is our governance department so upset?
Only the real techies can do the magic
If we start scripting all our applications, it will become a nightmare
We need to make this work for our current business applications
Can we benefit from the cloud?
Let’s get more engineers to keep up
Source: Robert Stroud; Xebia Labs
CONTINUOUS INTEGRATION
Source: Robert Stroud; Xebia Labs
CONTINUOUS DELIVERY
Source: Robert Stroud; Xebia Labs
CONTINUOUS DEPLOYMENT
Source: Robert Stroud; Xebia Labs
DEVOPS, AGILE, ETC.
CODE BUILD INTEGRATE TEST DEPLOY OPERATE RELEASE
AGILE DEVELOPMENT
CONTINUOUS INTEGRATION
CONTINUOUS DELIVERY
CONTINUOUS DEPLOYMENT
DEVOPS
Source: Robert Stroud; Xebia Labs
96x faster mean time to recover from downtime. That means high performers recover in less than an hour instead of several days.
5x as likely that changes will succeed. That means high performers’ changes fail 7.5% of the time instead of 38.5%.
Source: Robert Stroud; Xebia Labs
46x more frequent code deployments. That’s the difference between multiple times per day and once a week or less.
440x faster lead time from commit to deploy. That’s the difference between less than an hour and more than a week.
Source: Robert Stroud; Xebia Labs
MANULIFE/JOHN HANCOCK: BACKGROUND
Manulife/John Hancock offers a variety of financial services: Insurance, Mutual Funds, Asset and Wealth management, Private and Commercial Banking, Commercial Mortgages, Real Estate
Founded in 1862 as John Hancock Mutual Life Insurance company in Boston, Massachusetts, USA
Acquired by Manulife Financial (Toronto, Canada, founded 1887) in 2004
Named after a famous US Founding Father and signer of the Declaration of Independence
Acknowledged as one of the best known American and Canadian brands
34,000 employees
20+M customers
Increasing & improving cadence of delivery and productivity across the various construction and hosting technologies in the portfolio
Enable true transformation to modern software development practices across a varied portfolio
Integrated security and code quality scanning for all technologies
Leveraging existing and new automation from build, test, deploy to more visible and accountable operations
Standardized management of regions & provisioning with test data & self-service infrastructure management
Efficiency with Scale - utilizing common pipeline tech stack solutions in partnership with other Manulife divisions
Insights, measurements & visibility on activities for continuous improvement
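The goals above (“integrated security and code quality scanning for all technologies”, automation “from build, test, deploy”) and the earlier wave slide’s “let’s build compliancy into the pipeline” both need the same concrete piece: a policy gate step that turns a scanner’s output into a pass/fail decision the pipeline can act on, with any accepted risk recorded as an explicit, time-boxed waiver that an auditor can read. The following is an added example, not code from the presentation or from Manulife; the report JSON shape, the EXAMPLE-000n finding ids, the package names and the waiver records are all constructed for illustration.

```python
"""Pipeline policy gate: turns scanner output into a pass/fail decision.

Added example, not code from the presentation or from Manulife. The report
JSON shape, the finding ids (EXAMPLE-000n), the package names and the waiver
records below are all constructed for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date

# Severity ordering used by the policy; scanner labels are normalised to these keys.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    package: str
    fixed_version: str | None  # None when the scanner reports no fix available


@dataclass(frozen=True)
class Waiver:
    finding_id: str
    expires: date
    reason: str


@dataclass
class Verdict:
    passed: bool
    blocking: list[Finding] = field(default_factory=list)
    waived: list[Finding] = field(default_factory=list)
    expired_waivers: list[Waiver] = field(default_factory=list)


def _as_date(d: date | str) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def parse_report(raw: str) -> list[Finding]:
    """Parse a scanner report. The {"findings": [...]} shape is an assumption
    modelled on the fields most SCA/SAST tools emit; map your tool's keys here."""
    findings = []
    for f in json.loads(raw)["findings"]:
        sev = str(f.get("severity", "low")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for finding {f.get('id')}")
        findings.append(Finding(f["id"], sev, f["package"], f.get("fixed_version")))
    return findings


def evaluate(findings: list[Finding], waivers: list[Waiver], today: date | str,
             fail_at: str = "high", block_unfixed: bool = True) -> Verdict:
    """Apply the policy: block on any finding at or above `fail_at` unless an
    unexpired waiver names it. Expired waivers are reported but never honoured,
    so an accepted risk cannot silently outlive its review date."""
    today = _as_date(today)
    threshold = SEVERITY_RANK[fail_at]
    active = {w.finding_id for w in waivers if w.expires >= today}
    verdict = Verdict(passed=True, expired_waivers=[w for w in waivers if w.expires < today])
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue  # below the policy threshold: recorded by the scanner, not a gate failure
        if f.id in active:
            verdict.waived.append(f)
        elif f.fixed_version is None and not block_unfixed:
            continue  # policy choice: do not block on findings that have no fix yet
        else:
            verdict.blocking.append(f)
    verdict.passed = not verdict.blocking
    return verdict


def gate(raw_report: str, waivers: list[Waiver], today: date | str, **policy) -> int:
    """Exit-code wrapper for use as a pipeline step: 0 lets the pipeline proceed, 1 stops it."""
    v = evaluate(parse_report(raw_report), waivers, today, **policy)
    for f in v.blocking:
        print(f"BLOCK  {f.id} {f.severity:<8} {f.package} fix={f.fixed_version or 'none'}")
    for f in v.waived:
        print(f"WAIVED {f.id} {f.severity:<8} {f.package}")
    for w in v.expired_waivers:
        print(f"EXPIRED WAIVER {w.finding_id} (expired {w.expires}): {w.reason}")
    print("gate:", "PASS" if v.passed else "FAIL")
    return 0 if v.passed else 1


# Constructed sample input: not real findings, packages or vulnerability ids.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "EXAMPLE-0001", "severity": "Critical", "package": "examplelib", "fixed_version": "2.4.1"},
    {"id": "EXAMPLE-0002", "severity": "high", "package": "otherlib", "fixed_version": None},
    {"id": "EXAMPLE-0003", "severity": "high", "package": "thirdlib", "fixed_version": "1.0.9"},
    {"id": "EXAMPLE-0004", "severity": "medium", "package": "examplelib", "fixed_version": "2.4.1"},
]})
SAMPLE_WAIVERS = [
    Waiver("EXAMPLE-0003", date(2018, 6, 30), "affected function is not reachable from our code"),
    Waiver("EXAMPLE-0001", date(2018, 1, 31), "accepted until the scheduled upgrade window"),
]

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, SAMPLE_WAIVERS, date(2018, 2, 22)))
```

Run it as the step right after the scanner and let the non-zero exit stop the pipeline. Keep the waiver list in version control next to the code, so every accepted risk carries an owner-reviewed reason and an expiry date, and the audit team can read the same file the pipeline enforces instead of asking for a separate compliance report.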
Establish an environment where building, testing and releasing software can be done rapidly, frequently and reliably while maximizing predictability, efficiency, security and maintainability of all of the applications in the Enterprise Portfolio
DevOps Pipeline: Our Journey and Mission (slide organised under Scope, Approach and Alignment)
Approach: Deliver to the 5-year roadmap with constant evaluation for required changes. Address change in an Agile manner.
Alignment: Resources will be engaged & dedicated to the Pipeline team, ready to assist wherever needed to aid Accelerated Delivery.
Our Mission: By providing DevOps Technical Leadership across the US Division and some Global areas, our IT Ops/Accelerated Delivery Pipeline Team contributes to our BU IS Partners' ability to deliver & implement high-quality products through multiple DevOps centric Capabilities, DevOps & Accelerated Delivery Techniques.
Emerging Capabilities: Infrastructure as Code; Accelerated Environment Provisioning; Database code back out and governance; Fast database cloning; Self service environment provisioning
Our Services: Drive new Technical and Service Capabilities; Identify emerging needs for new tools; New tool enablement; Tool support and maintenance; Existing automation support; Complex new automation enablement; New tool adoption; New tool R&D. Capabilities to deliver any new tool, or support any existing tool in the Accelerated Delivery pipeline.
Accelerated Delivery Resource Locations: Onshore: Boston; Offshore: India, Manila
Can we really call it ‘disruption’ anymore if it’s a chronic occurrence?
Change is accelerating
DevOps brought speed, agility, quality and security to the innovation/change process
DevSecOps increased the presence of security as an organizational concern
EMPHASIS ON BUSINESS VELOCITY GETS EQUAL EMPHASIS ON SECURITY
Source: Robert Stroud; Xebia Labs
SECURITY IS IN CRISIS
100 : 10 : 1 (Dev : Ops : Sec)
There is an inequitable distribution of labor in IT.
Source: Robert Stroud; Xebia Labs
SECURITY KNOWS THERE IS A PROBLEM
Companies are spending a great deal on security, but we read of massive computer-related attacks. Clearly something is wrong. The root of the problem is twofold: we’re protecting the wrong things, and we’re hurting productivity in the process.
-Thinking Security, Steven M. Bellovin, 2015
Source: Robert Stroud; Xebia Labs
SECURITY’S NEW CADENCE
Agile and Security meet
Etsy Security Culture in a Fast-paced Dev Shop (deploy code 25 times/day)
Enabling the Paved Road at Netflix (originated Microservices movement)
“many security teams [still] work with a worldview where their