
Rolling out wide organization policies

In the cloud-native era, security shifts left into the SDLC so that software is secure by default. Yet robust security policies remain vital to safeguard outcomes. This talk explores strategies for seamless, scalable security policy implementation that breaks neither builds nor deploys.

In the cloud-native handbook, security teams are no longer gatekeepers but enablers. The shift-left movement emphasizes embedding a security mindset early in the software development lifecycle, in contrast with traditional approaches where enforcing security policies at the end of development often creates delays and friction between engineering and security teams. However, someone must still guard the gate, and robust security policies are essential to ensure secure and deterministic outcomes. The challenge lies in achieving this without disrupting workflows or introducing unnecessary friction. In this talk, we explore patterns and strategies for implementing organization-wide security policies effectively, and share lessons learned from rolling out such policies in large-scale organizations.


José Carlos Chávez

June 06, 2025


Transcript

  1. © Okta and/or its affiliates. All rights reserved.
     Rolling Out Wide Organization Security Policies
     José Carlos Chávez, Security Software Engineer @ Okta
     DevTalks Romania 2025, Bucharest
  2. José Carlos Chávez, Security Software Engineer - Okta
     • Open Source contributor and maintainer for 10+ years
     • OWASP Coraza WAF co-leader
     • Loving father of 2
     • Mathematician in quarantine
  3. Why Security Policies Matter?
     Rules · Expectations · Approach
     Confidentiality · Integrity · Availability
     Actionable · Secure
  4. Why Security Policies Matter to your business?
     • Growing threats: data breaches, zero-day exploits, ransomware, IP theft
     • Regulatory compliance: GDPR, SOC 2, PCI DSS, ISO 27001, EO 14028
     • Customer trust, reputation and contractual obligations
     • Scalable security foundations for growth
  5. Policy Development Framework
     • Identify risks: threat modeling and risk assessments
     • Stakeholder involvement: Legal, IT, Engineering, DevOps, Product
     • Align with standards: NIST, ISO 27001, CIS Controls
     • Tailor to context: languages, tools, pipelines and platforms
     • Review & approve: legal and executive buy-in
  6. Rollout strategy
     Phase 1: Assessment & Planning
     - Baseline security posture
     - Gap analysis vs. desired state
     Phase 2: Pilot
     - Test policies in one team or department
     - Gather feedback and refine policies & mechanisms
     Phase 3: Organization-Wide Rollout
     - Clear timelines and communication in advance
     - Integrate with onboarding and standard operating procedures (SOPs)
     - Progressive rollout: first in audit mode, later in enforcement mode
     - Gather feedback and refine policies & mechanisms
     Phase 4: Continuous Monitoring
     - Policy violations
     - Automated alerts and audits
     - Gather feedback and refine policies & mechanisms
  7. Key Challenges
     • Lack of awareness
     • Resistance to change among teams
     • Balancing security and productivity
     • Lack of tooling & automation
     • Keeping policies up to date with fast-changing tech
     • Enforcing policies across cloud, remote teams and DevOps without disruptions
  8. “Be a security enabler, not a gatekeeper”
     Someone I work with
  9. 1. Shift left for policies
     Embed security policies as part of the SDLC through automation:
     a. Build-time policies should be evaluated on CI, e.g. tests, lint, SCA, signed commits, etc.
     b. Release policies should be evaluated on CD, e.g. SCA, signed images, SBOM, etc.
     c. Run-time policies should be built and provisioned as IaC where possible, e.g. OPA policies, K8s ValidatingAdmissionPolicies (VAPs), RBAC, WAF rules, mTLS, etc.
     d. IT policies should be automatically deployed across devices. Tooling must be auto-updated.
     e. Whenever introducing policies, do it following the SDLC, not as an alien procedure.
  10. 2. P ~ NP (in security)
      If you understand the problem, you are likely capable of fixing it:
      • Leverage automation to propose a compliant fix when possible
      • Anticipate compliance before rolling out the policy
      • If you are not part of the solution, then you are part of the problem
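The rollout strategy (audit mode first, enforcement mode later), the CI/CD policy stages and the "propose a compliant fix" point above can be tied together in a small policy-as-code gate. The block below is an added example for this transcript, not code from the talk or from Okta: the artifact record fields (commit_signed, critical_vulns, sbom_present, image_signed), the policy names and the remediation strings are hypothetical, standing in for whatever a real pipeline's SCA scanner, signing tool and SBOM generator produce.

```python
"""Policy-as-code gate with an audit -> enforce rollout.

Added example, not code from the talk or from Okta. The artifact record
fields (commit_signed, critical_vulns, sbom_present, image_signed) and the
policy names are hypothetical; a real pipeline would fill the record from
its own SCA scanner, signing tool and SBOM generator.
"""
from dataclasses import dataclass, field, replace
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Mode(Enum):
    AUDIT = "audit"      # record the violation, never fail the pipeline
    ENFORCE = "enforce"  # fail the pipeline on violation


@dataclass(frozen=True)
class Policy:
    name: str
    stage: str                          # "build" (CI) or "release" (CD)
    check: Callable[[Dict], bool]       # True when the artifact complies
    remediation: str                    # proposed fix shown with the violation
    mode: Mode = Mode.AUDIT             # new policies start in audit mode


@dataclass
class Verdict:
    # each violation: (policy name, proposed remediation, mode it was run in)
    violations: List[Tuple[str, str, Mode]] = field(default_factory=list)

    def blocking(self) -> List[Tuple[str, str, Mode]]:
        return [v for v in self.violations if v[2] is Mode.ENFORCE]

    @property
    def passed(self) -> bool:
        # audit-only violations are reported but never block
        return not self.blocking()


# Hypothetical policy set: build-time checks already enforced, release checks
# still in audit while teams wire up SBOM generation and image signing.
POLICIES: List[Policy] = [
    Policy("signed-commits", "build", lambda a: a.get("commit_signed") is True,
           "Sign your commits: git config commit.gpgsign true", Mode.ENFORCE),
    Policy("no-critical-vulns", "build", lambda a: a.get("critical_vulns", 0) == 0,
           "Upgrade the flagged dependencies or file a time-boxed exception", Mode.ENFORCE),
    Policy("sbom-attached", "release", lambda a: bool(a.get("sbom_present")),
           "Generate an SBOM in the release job and attach it to the image"),
    Policy("signed-image", "release", lambda a: bool(a.get("image_signed")),
           "Sign the image in CD before pushing it to the registry"),
]


def evaluate(artifact: Dict, stage: str, policies: List[Policy] = POLICIES) -> Verdict:
    """Run every policy for the given stage. A check that raises counts as a
    violation so a broken check fails closed instead of silently passing."""
    verdict = Verdict()
    for policy in policies:
        if policy.stage != stage:
            continue
        try:
            compliant = policy.check(artifact)
        except Exception:
            compliant = False
        if not compliant:
            verdict.violations.append((policy.name, policy.remediation, policy.mode))
    return verdict


def ready_to_enforce(history: List[Verdict], name: str, window: int = 5) -> bool:
    """Promotion gate: the policy produced no violations in the last `window`
    audit runs, i.e. teams have already converged on compliance."""
    recent = history[-window:]
    return len(recent) >= window and not any(
        v[0] == name for verdict in recent for v in verdict.violations)


def promote(policies: List[Policy], name: str, mode: Mode = Mode.ENFORCE) -> List[Policy]:
    """Return a copy of the policy set with one policy switched to `mode`."""
    return [replace(p, mode=mode) if p.name == name else p for p in policies]


def report(verdict: Verdict) -> str:
    """Human-readable CI log: every violation carries its proposed fix."""
    lines = []
    for name, fix, mode in verdict.violations:
        tag = "BLOCK" if mode is Mode.ENFORCE else "AUDIT"
        lines.append(f"[{tag}] {name}: {fix}")
    lines.append("result: " + ("pass" if verdict.passed else "FAIL"))
    return "\n".join(lines)


if __name__ == "__main__":
    # constructed release record: SBOM and image signature still missing
    artifact = {"commit_signed": True, "critical_vulns": 0,
                "sbom_present": False, "image_signed": False}
    print(report(evaluate(artifact, "release")))            # two AUDIT lines, pass
    promoted = promote(POLICIES, "sbom-attached")
    print(report(evaluate(artifact, "release", promoted)))  # sbom-attached now blocks
```

The design choice worth copying is that mode lives on the policy, not on the pipeline: the same check runs unchanged in both phases, the pilot and organization-wide audit period feeds `ready_to_enforce`, and flipping to enforcement is a one-line `promote` rather than a second implementation. Every violation is emitted with its remediation, so the first thing an engineer sees on a red build is the fix rather than the rule.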
  11. 3. Tooling, Training & Awareness
      • Security onboarding for new hires
      • Monthly training or gamified exercises
      • Internal security champions program
      • Runbooks and troubleshooting guides to fix broken flows during policy enforcement
      All of the above only works if it is supported by tooling and automation that empower engineering teams.
  12. Measuring Success
      • Time and effort to adopt a policy
      • Compliance KPIs, e.g. % coverage of controls, patch SLAs, ticket volume for policy violations
      • Incident reduction rate, quantifiable risks
      • Audit readiness and scores
      • Spread success stories: present incidents we were not involved in thanks to our security policies
  13. Conclusions
      1. Make security a culture, not a checklist
      2. Involve engineering early in policy design
      3. Use tools and automation wherever possible
      4. Iterate frequently, follow the data and be prepared for changes
      5. Shift left
  14. Questions?
      You can also reach me at
      • [email protected]
      • https://www.linkedin.com/in/jcchavezs/
      • https://jcchavezs.bsky.social
  15. Thank you!
  16. The good policy
      • Accountability
      • Consistency
      • Effectiveness
      • Practicality
      • Credibility
  17. Tools & Technology
      • IAM: Okta, Azure AD
      • Endpoint Protection: CrowdStrike, SentinelOne
      • Code Security: Snyk, GitHub Advanced Security, SonarQube
      • SIEM: Splunk, ELK Stack
      • Policy Enforcement: OPA, Gatekeeper, Terraform Sentinel
      @jcchavezs