Security in the Hybrid Cloud at Liberty Mutual
1. Security in the Hybrid Cloud
@ Liberty Mutual
Matt Ruel
Security Architect
Global Digital Enablement
Liberty Mutual Insurance
2. • In business since 1912
• 50,000+ employees in 800+ offices worldwide
• Diversified insurer with operations in 30 countries and economies
• Is the 3rd largest property and casualty insurer in the U.S. based on 2017 direct written premium data
• Ranks 68th on Fortune 100 list of largest US corporations based on 2017 revenue
• Reported $39.4 billion in annual consolidated revenue as of Dec. 31, 2017
Liberty Mutual – Global enterprise headquartered in Boston, Mass.
1:00 – Our journey begins…
We’ve embarked on a journey to transform IT at Liberty. The marketplace is evolving. Expectations are greater and more complex. As a result we need a more dedicated focus on our customers than ever before. To keep up with the market demands, it’s imperative that we accelerate our speed to market. That’s the challenge we’re confronted with today.

Culture: In response… we’re shifting our culture, changing how we work together, breaking down traditional barriers – we're focusing on real outcomes of the work that we do, and the impact it has on our customers. We’re forming fast and nimble teams, capable of delivering products faster than ever.

Tech: But in order to support this operating model, we need an appropriate toolset that lets us experiment, iterate, and adapt to feedback. We need to be able to focus on delivering business value, instead of maintaining infrastructure. A couple of key pillars in this tech stack... We need a continuous deployment pipeline that allows us to push new features on demand with zero downtime. And we can't do that without the flexibility and scalability that can be achieved with cloud based environments. We’re getting all of this figured out, but once we got into it, we realized we weren’t progressing as fast as we hoped.
1:00 - Starting off we weren’t moving as fast as we anticipated.
We asked developers: What’s impeding our progress?
This is a word cloud from an actual interactive session with a hundred or so of our lead developers. A few topics floated to the surface. Security front and center, and a number of other things on this page in the same arena: sso, ssl encryption,…

Why is this so hard? What exactly is getting in the way and what can we do to make Security easier for developers? We can't just look at this and say oh well security is supposed to get in the way, that's the whole idea, stop your whining. No... We can do better. We don't need to compromise. We can achieve business agility, empower developers to embrace new technology, while still maintaining a high level of security in the cloud. We just can't get there by doing what we’ve always done. We need to do better and we need to move faster.
1:00 - Zooming in, figure out what exactly is slowing us down.
A visual depiction of the developer journey (aka treasure map) taking a feature from idea to production. Value stream analysis. Identify and address bottlenecks and points of friction. If you look you'll see some areas where we're doing well and some areas where we encountered some roadblocks, several areas where human intervention was required to get over security challenges. Database provisioning, encryption, network security setup... Those are some of the problem areas that we set out to fix.
2:00 - Some specific strategic moves that will enable Secure DevOps practices.
Historically we assumed this requires compromise in the form of manual steps, stage gates, security reviews... That was a really slow process. Why can’t we provide great security while accelerating our delivery of business value? In the new world of micro-services it’s not possible to review every change to every application to ensure every security control is satisfied. How do we solve this?

Developer empowerment! One fundamental belief that drives a lot of this work that we do... Developers want to do the right thing, but they will take the path of least resistance to get there. Assume developers want to do what’s right, give them the platform and processes to succeed, and then trust them to get the job done. But also verify ;-)
2:00 - This starts with a secure pipeline that makes it easy to do the right thing.
Going back a couple of years… start with a look at our basic delivery pipeline. Many things automated, but various human tasks still needed to ship a product. Back then we bolted on security after the fact. It was an afterthought. We had people doing manual security reviews, people manually encrypting passwords each time you deploy to a new environment, inevitably someone who just learned what you were doing the week of your release and sends you back to follow new protocols. And of course the guy pushing the deploy button who's not even sure what exactly is included in the release. As you might guess, this was a big blocker in the way of getting to Continuous Deployment. We avoided all the effort and risk with infrequent “big bang” releases. Did we reduce risk, or just save it up for later? Solid foundation to build upon, but just getting started.
1:00 – As we adopt public cloud, we are building security into everything that we do. First the basics… encrypt everything at rest and in flight. Provide guardrails on how to secure cloud-based workloads. Establish a Secure DevOps culture, a security mindset. Building a culture where everyone is responsible for security.
2:00 - pipeline services, secrets
Pipeline services – automated provisioning of everything via service provider APIs.
Secrets mgmt – dynamic secrets, the fundamental building block.
1:00 - identity
Identity mgmt – IdP resources, OAuth APIs, clients, access controls. Custom libraries for token-based auth, identity enforcement & propagation, etc.
1:00 - cloud config
2:00 - everything else
Fully automated, fully secured pipeline to the cloud.
Secure by default.
Developers can focus on delivering business value.
1:00 - Where did this get us?
We can deliver a Shiny New secure application to the cloud in a day.... We're done, right? Not quite. Still have this complex mix of technology, infrastructure, and delivery techniques to contend with. Nothing in this world happens in a vacuum. We have a complex mix of technology, platforms, processes, identity, data everywhere, mainframes, etc. This is the hybrid cloud, and it presents a whole different set of challenges and risks beyond what we encounter in our own data centers. Need to choreograph all of this and integrate across boundaries in a secure fashion.
1:00 – Some specific techniques for dealing with security in the hybrid cloud.
6:00 – Example technique - token-based auth architecture for hybrid cloud identity
Suite of micro-services in the hybrid cloud, gateway architecture. Spring Boot, Spring Security, etc.
Expose picture in stages:
- User, UI, Gateway, IdP, directories
- Applications, APIs
- AuthZ Rules
- Legacy, Monolith – These were once great systems. They’re still important. We need them to operate.
- Auth Gateway
Scenarios:
- User identity / authentication
- Non-human consumer identity
- Identity propagation to downstream apps
- Fine-grained authorization of users and non-humans
- Human access to API endpoints (e.g. swagger)
- Legacy consumers / Brownfield vs. Greenfield
Each scenario leverages a combination of OAuth flows
Dev teams should be armed with a Swiss army knife of patterns
Every scenario is different, first understand all the patterns, combine them as needed
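The gateway scenarios above, as an added example that is not part of the original talk and not Liberty Mutual's code (the talk's stack is Spring Boot/Spring Security; this is a stand-alone Python sketch): a toy auth gateway that verifies an HS256 JWT-style token from the IdP, tells a human user token (authorization-code flow) apart from a non-human client-credentials token by `sub == client_id`, applies per-route authZ rules for each kind, and propagates identity downstream as a short-lived gateway-signed hop token. The secrets, routes, scopes and claim names are constructed assumptions for the demo.

```python
import base64, hashlib, hmac, json

# Constructed secrets for this demo only. A real gateway verifies IdP tokens with
# the IdP's published keys; GATEWAY_SECRET signs the hop token sent downstream.
IDP_SECRET = b"demo-idp-secret"
GATEWAY_SECRET = b"demo-gateway-secret"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT-style token (stand-in for the IdP or the gateway)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def verify_token(token: str, secret: bytes, now: float) -> dict:
    """Check structure, signature, subject and expiry; raise PermissionError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, body, sig = parts
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if "sub" not in claims or claims.get("exp", 0) <= now:
        raise PermissionError("missing subject or token expired")
    return claims

# AuthZ rules per route: scopes that satisfy the rule for a human user token
# (authorization-code flow) versus a non-human client (client-credentials flow).
AUTHZ_RULES = {
    "/claims/search": {"user": {"claims.read"}, "client": {"claims.read"}},
    "/swagger":       {"user": {"api.docs"},    "client": set()},  # humans only
}

def gateway(route: str, bearer: str, now: float) -> dict:
    """Authenticate, apply the route's authZ rule, return headers for downstream."""
    claims = verify_token(bearer, IDP_SECRET, now)
    # A client-credentials token has no end user: its subject is the client id.
    kind = "client" if claims["sub"] == claims.get("client_id") else "user"
    granted = set(claims.get("scope", "").split())
    if not granted & AUTHZ_RULES.get(route, {}).get(kind, set()):  # unknown route -> deny
        raise PermissionError(f"{kind} '{claims['sub']}' denied on {route}")
    hop = {"sub": claims["sub"], "typ": kind, "via": "gateway", "exp": now + 60}
    return {"Authorization": f"Bearer {mint_token(hop, GATEWAY_SECRET)}"}
```

Downstream apps (or an adapter in front of a legacy system) then trust only tokens signed with the gateway's key, so the original IdP token never has to travel past the gateway.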
This looks complex (it is). It’s incredibly difficult to dissect complex interdependent systems like this, and modernize bits and pieces of the ecosystem. Sometimes you need to build temporary structures just to enable work to be done, only to tear them down when you’re done. The scaffolding takes some creative thought, but the developers actually delivering business value will have a much easier time with it as a result.

Don’t be afraid to experiment. Focus on the outcomes.
1:00 – Wrap-up
Progress. Shorter time-to-market.
Happier developers.
More work to be done.
Ultimate goal -> Deploy with confidence - to the cloud, in the middle of the day, without anyone knowing (and meeting all security requirements!)
That's really what we're after here, and what my team and I are challenged with... to enable our teams to continuously deliver business value with the confidence that the solution is secure and our customer data is protected.