A DevOps Mario Developer Game Challenge with GRC (Governance, Risk & Compliance)
To stay compliant and secure, you need to go faster. You may wonder how that is possible: Governance, Risk & Compliance is generally the bottleneck in most enterprises' DevOps transformations. But there is more to that story.
As we step into the eleventh year of the term "DevOps", it is now mainstream in most organizations. It makes it into strategy and board meetings, CIO presentations, press releases and success parties.
BMK shares his experience with Enterprise DevOps Adoption
17. @LBMKRISHNA
Equifax: at least $575 million
Home Depot: ~$200 million
Uber: $148 million
Yahoo: $85 million
Capital One: $80 million
Morgan Stanley: $60 million
British Airways: $26.2 million
Tesco Bank: $21 million
Target: $18.5 million
Anthem: $16 million
Ticketmaster: $10 million
Google: $7.5 million
Magecart Attack on Warner Music Group
Target Lost Data on 40 Million Cards
Adobe’s Million Dollar Data Breach
Heartland Payment Systems Loses Processing Privileges
Equifax
https://www.goanywhere.com/blog/the-5-biggest-pci-compliance-breaches
https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
23.
Organizations today are subject to many regulations governing the protection of confidential information, financial accountability, data retention and disaster recovery, among others. They're also under pressure from shareholders, stakeholders and customers.
https://www.cio.com/article
24.
“IT governance is the responsibility of executives and the board of directors, and consists of leadership, organizational structures, and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.”
https://www.architectureandgovernance.com/
27.
“Building compliance into development and operations, and wiring compliance policies and checks and auditing into Continuous Delivery so that regulatory compliance becomes an integral part of how DevOps teams work on a day-to-day basis.”
Justin Arbuckle
31. http://dearauditor.org/
The team compiled a list of audit concerns and documented them in a DevOps Risk Control Matrix, with a lot of detail around the controls, our practices and the evidence that is collected to support each control.
33. As more and more DevOps practices are automated, it becomes harder to capture the data required to ensure all security and compliance concerns are met. Organizations need an automated way to track governance throughout the entire software delivery process so they can attest to the integrity of all assets and to the security of all running applications.
https://itrevolution.com/book/devops-automated-governance-reference-architecture/
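The Dear Auditor slide describes a risk control matrix (controls, practices, and the evidence collected to support each control), and the slide above says that tracking those controls across delivery has to be automated if the organization wants to attest to the integrity of what it ships. As an added example, not code from the deck, from dearauditor.org or from the IT Revolution paper, the Python below turns a handful of such controls into a gate a CD pipeline could run before its deploy step: it reads evidence that earlier stages collected, fails closed when evidence is missing, and writes a hash-protected audit record. The control IDs (CC-01 to CC-05), the evidence field names and the sample values are assumptions made for this illustration.

```python
"""
Added example (not from the deck): a CD-stage compliance gate that evaluates a
small DevOps Risk Control Matrix against evidence collected by the pipeline and
writes a tamper-evident audit record. Control IDs, the evidence schema and the
sample values are assumptions made for this illustration.
"""
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

# Evidence a pipeline might collect for one change (constructed sample data).
EVIDENCE = {
    "commit": "a1b2c3d",
    "author": "alice",
    "approvals": ["bob"],                 # reviewers who approved the change
    "sast": {"critical": 0, "high": 2},   # scanner summary for this build
    "sbom_present": True,                 # an SBOM was generated for the artifact
    "built_digest": "sha256:" + hashlib.sha256(b"image-v1").hexdigest(),
    "deployed_digest": "sha256:" + hashlib.sha256(b"image-v1").hexdigest(),
    "change_ticket": "CHG-1042",
}


@dataclass(frozen=True)
class Control:
    """One row of the risk control matrix: the control and the automated check
    that consumes collected evidence to prove the practice was followed."""
    control_id: str
    description: str
    check: Callable[[dict], bool]


# Hypothetical control IDs; each check raises KeyError if its evidence is absent.
CONTROL_MATRIX = [
    Control("CC-01", "Change approved by at least one reviewer other than its author",
            lambda ev: any(r != ev["author"] for r in ev["approvals"])),
    Control("CC-02", "No critical SAST findings in the build being deployed",
            lambda ev: ev["sast"]["critical"] == 0),
    Control("CC-03", "SBOM generated for the artifact",
            lambda ev: ev["sbom_present"] is True),
    Control("CC-04", "Deployed artifact digest equals the digest produced by the build",
            lambda ev: ev["deployed_digest"] == ev["built_digest"]
            and ev["built_digest"].startswith("sha256:")),
    Control("CC-05", "Deployment linked to a change ticket",
            lambda ev: bool(ev["change_ticket"])),
]


def evaluate(matrix: list[Control], evidence: dict) -> dict[str, bool]:
    """Run every control check. Missing or malformed evidence counts as a
    failure, never as a pass, so a pipeline that silently stops collecting
    evidence is caught instead of waved through."""
    results = {}
    for control in matrix:
        try:
            results[control.control_id] = bool(control.check(evidence))
        except (KeyError, TypeError, AttributeError):
            results[control.control_id] = False
    return results


def gate(matrix: list[Control], evidence: dict) -> tuple[bool, list[str]]:
    """Return (allowed, failed_control_ids); the deploy step runs only if allowed."""
    results = evaluate(matrix, evidence)
    failed = [c.control_id for c in matrix if not results[c.control_id]]
    return (not failed, failed)


def _canonical(body: dict) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def audit_record(matrix: list[Control], evidence: dict) -> dict:
    """Store the evidence and the verdict together, plus a SHA-256 over the
    canonical JSON so a later reviewer can detect edits to the stored record."""
    body = {"evidence": copy.deepcopy(evidence), "results": evaluate(matrix, evidence)}
    return {**body, "sha256": hashlib.sha256(_canonical(body)).hexdigest()}


def verify_audit_record(record: dict) -> bool:
    """Recompute the hash over the record body and compare it with the stored one."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record["sha256"]


if __name__ == "__main__":
    allowed, failed = gate(CONTROL_MATRIX, EVIDENCE)
    print("deploy allowed:", allowed, "failed controls:", failed)
    rec = audit_record(CONTROL_MATRIX, EVIDENCE)
    print("audit record verifies:", verify_audit_record(rec))
```

The design choice worth keeping: a control whose evidence is absent fails closed, because a gate that passes on missing evidence is exactly what an auditor cannot accept. The audit record stores the evidence and the verdict side by side under one hash, so the attestation the quote asks for can be reproduced and checked after the fact rather than reconstructed from logs.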
34.
The intent of this paper is to provide greater choice and options for corporations to consume cloud computing services by automating manual cloud governance processes. This paper seeks to accelerate compliance at the speed and scale of DevOps.
https://www.onug.net/app/uploads/2020/05/ONUG_WP_Automated-Cloud-Gov_Final.pdf
36.
Policy-based control for cloud native environments
Flexible, fine-grained control for administrators across the stack
https://www.openpolicyagent.org/
38.
https://www.sonatype.com/referencearchitecturetestdrive
Successful DevSecOps practices encompass people, processes, tools, and measurement. But where should you start, how can you validate your existing practices, and what are the possibilities? Start by answering the following:
• Where can we further automate manual security and business tasks?
• What DevSecOps tools and integrations are others deploying?
• What interactions do we need to be aware of or map out?