Security in the Hybrid Cloud at Liberty Mutual
•Download as PPTX, PDF•
1 like•315 views
SpringOne Platform 2018 Security in the Hybrid Cloud at Liberty Mutual Matt Ruel, Liberty Mutual Insurance
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Security in the Hybrid Cloud at Liberty Mutual
Similar to Security in the Hybrid Cloud at Liberty Mutual (20)
More from VMware Tanzu
More from VMware Tanzu (20)
Recently uploaded
Recently uploaded (20)
Security in the Hybrid Cloud at Liberty Mutual
- 1. Security in the Hybrid Cloud @ Liberty Mutual Matt Ruel Security Architect Global Digital Enablement Liberty Mutual Insurance
- 2. • In business since 1912 • 50,000+ employees in 800+ offices worldwide • Diversified insurer with operations in 30 countries and economies • Is the 3rd largest property and casualty insurer in the U.S. based on 2017 direct written premium data • Ranks 68th on Fortune 100 list of largest US corporations based on 2017 revenue • Reported $39.4 billion in annual consolidated revenue as of Dec. 31, 2017 Liberty Mutual Global enterprise headquartered in Boston, Mass.
- 3. Unless otherwise indicated, these slides are © 2013 -2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by -nc/3.0/ Shifting our culture, breaking down barriers Fast and nimble agile delivery teams Rapidly experiment and adapt to feedback Liberty Mutual IT Transformation Dedicated focus on customer needs Accelerated speed to market Optimized toolset Focus on delivering business value instead of infrastructure Cloud-based infrastructure Deploy into flexible and scalable environments. Transformation Continuous deployment Release new features on demand with zero downtime.
- 4. Unless otherwise indicated, these slides are © 2013 -2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by -nc/3.0/ A few challenges stand out… jeff
- 5. Unless otherwise indicated, these slides are © 2013 -2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by -nc/3.0/ Taking a closer look… DB code repo Establish team Security groups Set technical direction App code repo Database Pipeline DB Build Plan DB Deploy Plan Vault config Generic secrets submission Org setup Initial build, commit code DeploymentProvision identity Secrets config & pipeline App deployed to public cloud Environment setup DB code / config App Pipeline Provision DB Extranet configuredEdge service intake submission Vanity URL Network & Connectivity Identity Vault secrets stored Deploy App Secrets Setup local environment What exactly is involved in taking a business feature from idea to production? Pipeline metadataApp Build Plan App Deploy Plan
- 6. Unless otherwise indicated, these slides are © 2013 -2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by -nc/3.0/ Automate as much as possible Dynamically created short-lived credentials Ephemeral servers / infrastructure as code Deploy as frequently as possible Trust but verify How do we make this better? >> Developer empowerment << How do we maintain great security without compromising speed of delivery? Not possible to review every change to every application to ensure every security control is satisfied. How do we solve this? Legacy human processes Static encrypted credentials Manual lifecycle management Monthly big-bang releases Lack of developer trust
- 7. Unless otherwise indicated, these slides are © 2013 -2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by -nc/3.0/ No Security was an afterthought. Bolted on after the fact, a barrier in the way of getting to true continuous deployment. Automated build & deploy, still some manual reviews, stage gates, fire drills, etc. Going back a few years, a look at our basic deploy pipeline… build source Developer Resource configuration Containers Logging Services File storage deploy Pipeline Services Static code analysis Component analysis Compliance Software delivery pipeline Apply latest build packs Rotate secrets business value Secrets Management Cloud config Validation ... Security test automation Provision identity Identity Management Cloud Security Guardrails Data encryption Infrastructure as code Handling of secrets Frequent rebuild/redeploy Log aggregation Services whitelist Provision Storage Secrets Database Identity dave encryption at rest encryption in motion secrets injection common Identity libspring security secrets api
- 8. Unless otherwise indicated, these slides are © 2013 -2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by -nc/3.0/ So where did this get us? A complex mix of technology, infrastructure, and processes. Public cloud(s) Internal cloud Mainframe Cloud storage Cloud data Legacy data Legacy apps Cloud identity PaaS SaaS IaaS LDAP AD Legacy WAM IdP New Secure Cloud App
- 9. Unless otherwise indicated, these slides are © 2013 -2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by -nc/3.0/ Account isolation Identity federation Security as code Encryption in motion Modern authentication … Hybrid cloud security enablement
- 10. Unless otherwise indicated, these slides are © 2013 -2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by -nc/3.0/ UI APIAPI Hybrid cloud authentication patterns Gateway IdPAPI OIDC Auth Provider OAuth JWT Provider AuthZ rules Legacy Auth Gateway id/pwd id/pwd OAuth client id / secret User Applications OIDC Auth Provider AuthZ rules legacy systems greenfield brownfield Basic Auth Provider OAuth Route Filter
- 11. Unless otherwise indicated, these slides are © 2013 -2018 Pivotal Software, Inc. and licensed under a Creative Commons Attribution-NonCommercial license: http://creativecommons.org/licenses/by -nc/3.0/ Where are we on our Journey? Now – Deploy in a day. Automated. Self-service. Happy developers :-) But there’s work to be done… Ultimate goal: to the cloud, whenever we want, without anyone knowing… Deploy with confidence… satisfying all necessary security, customer, and regulatory requirements. Before – Several weeks or months. Manual processes. Error prone. Setup team Establish CI/CD Pipeline Establish Initial Services Network & Connectivity Establish Operational Support Deploy Security & Compliance Setup dev environment
Editor's Notes
- 1:00 – Intro - Who am I, what do I do?
- 1:00 – Global Company Overview
- 1:00 – Our journey begins… We’ve embarked on a journey to transform IT at Liberty. The marketplace is evolving. Expectations are greater and more complex. As a result we need a more dedicated focus on our customers than ever before. To keep up with the market demands, it’s imperative that we accelerate our speed to market. That’s the challenge we’re confronted with today. Culture In response… we’re shifting our culture, changing how we work together, breaking down traditional barriers – we're focusing on real outcomes of the work that we do, and the impact it has on our customers. We’re forming fast and nimble teams, capable of delivering products faster than ever. Tech But in order to support this operating model, we need an appropriate toolset that lets us experiment, iterate, and adapt to feedback. We need to be able to focus on delivering business value, instead of maintaining infrastructure. A couple of key pillars in this tech stack... We need a continuous deployment pipeline that allows us to push new features on demand with zero downtime. And we can't do that without the flexibility and scalability that can be achieved with cloud based environments. We’re getting all of this figured out, but once we got into it, we realized we weren’t progressing as fast as we hoped.
- 1:00 - Starting off we weren’t moving as fast as we anticipated. We asked developers: What’s impeding our progress? This is a word cloud from an actual interactive session with a hundred or so of our lead developers. A few topics floated to the surface. Security front and center, and a number of other things on this page in the same arena: sso, ssl encryption,… Why is this so hard? What exactly is getting in the way and What can we do to make Security easier for developers? We can't just look at this and say oh well security is supposed to get in the way, that's the whole idea, stop your whining. No... We can do better. We don't need to compromise. We can achieve business agility, empower developers to embrace new technology, while still maintaining a high level of security in the cloud. We just can't get there by doing what we’ve always done. We need to do better and we need to move faster.
- 1:00 - Zooming in, figure out what exactly is slowing us down. A visual depiction of the developer journey (aka treasure map) taking a feature from idea to production. Value stream analysis. Identify and address bottlenecks and points of friction. If you look you'll see some areas where we're doing well and some areas where we encountered some roadblocks, several areas where human intervention was required to get over security challenges. Database provisioning, encryption, network security setup... Those are some of the problem areas that we set out to fix.
- 2:00 - Some specific strategic moves that will enable Secure DevOps practices. Historically we assumed this requires compromise in the form of manual steps, stage gates, security reviews... That was a really slow process. Why can’t we provide great security while accelerating our delivery of business value? In the new world of micro-services it’s not possible to review every change to every application to ensure every security control is satisfied. How do we solve this? Developer empowerment! One fundamental belief that drives a lot of this work that we do... Developers want to do the right thing, but they will take the path of least resistance to get there. Assume developers want to do what’s right, give them the platform and processes to succeed, and then trust them to get the job done. But also verify ;-)
- 2:00 - This starts with a secure pipeline that makes it easy to do the right thing. Going back a couple of years… start with a look at our basic delivery pipeline. Many things automated, but various human tasks still needed to ship a product. Back then we bolted on security after the fact. It was an afterthought. We had people doing manual security reviews, people manually encrypting passwords each time you deploy trip a new environment, inevitably someone who just learned what you were doing the week of your release and sends you back to follow new protocols. And of course the guy pushing the deploy button who's not even sure what exactly is included in the release. As you might guess, this was a Big blocker in the way of getting to Continuous Deployment. We avoided all the effort and risk with infrequent “big bang” releases. Did we reduce risk, or just save it up for later? Solid foundation to build upon, but just getting started. 1:00 – As we adopt public cloud, we are building security into everything that we do. First the basics… encrypt everything at rest and in flight. Provide guardrails on how to secure cloud-based workloads. Establish a Secure DevOps culture, a security mindset. Building a culture where everyone is responsible for security. 2:00 - pipeline services, secrets Pipeline services – automated provisioning of everything via service provider APIs Secrets mgmt – dynamic secrets fundamental building block. 1:00 - identity Identity mgmt – IdP resources, oauth apis, clients, access controls. Custom libraries for token-based auth, identity enforcement & propagation, etc. 1:00 - cloud config 2:00 - everything else Fully automated, fully secured pipeline to the cloud. Secure by default. Developers can focus on delivering business value.
- 1:00 - Where did this get us? We can deliver a Shiny New secure application to the cloud in a day.... We're done, right? Not quite. Still have this complex mix of technology, infrastructure, and delivery techniques to contend with. Nothing in this world happens in a vacuum. We have a complex mix of technology, platforms, processes, identity, data everywhere, mainframes, etc. This is the hybrid cloud, and it presents a whole different set of challenges and risks beyond what we encounter in our own data centers. Need to choreograph all of this and integrate across boundaries in a secure fashion.
- 1:00 – Some specific techniques for dealing with security in the hybrid cloud.
- 6:00 – Example technique - token-based auth architecture for hybrid cloud identity Suite of micro-services in the hybrid cloud, gateway architecture Spring Boot, Spring Security, etc. Expose picture in stages - User, UI, Gateway, IdP, directories - Applications, APIs - AuthZ Rules - Legacy, Monolith – These were once great systems. They’re still important. We need them to operate. - Auth Gateway Scenarios: - User identity / authentication - Non-human consumer identity - Identity propagation to downstream apps - Fined grained authorization of users and non-humans - Human access to API endpoints (e.g. swagger) - Legacy consumers / Brownfield vs. Greenfield Each scenario leverages a combination of OAuth flows Dev teams should be armed with a Swiss army knife of patterns Every scenario is different, first understand all the patterns, combine them as needed This looks complex (it is). It’s incredibly difficult to dissect complex interdependent systems like this, and modernize bits and pieces of the ecosystem. Sometimes you need to build temporary structures just to enable work to be done, only to tear them down when you’re done. The scaffolding takes some creative thought, but the developers actually delivering business value will have a much easier time with it as a result. Don’t be afraid to experiment. Focus on the outcomes.
- 1:00 – Wrap-up Progress. Shorter time-to-market. Happier developers. More work to be done. Ultimate goal -> Deploy with confidence - to the cloud, in the middle of the day, without anyone knowing (and meeting all security requirements!) That's really what we're after here, and what my team and I are challenged with... to Enable our teams to continuously deliver business value with the confidence that the solution is secure and our customer data is protected.
- 3:00 - Questions