Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Scaling Security

Scaling Security

This is a short talk given on the challenges and ideas for building secure software as your organization grows (people and technology). It doesn't give any in depth detail on actual security choices since the focus was more on the organizational challenges.

This talk was given at dotScale in Paris.

Mitchell Hashimoto

April 24, 2017
Tweet

More Decks by Mitchell Hashimoto

Other Decks in Technology

Transcript

  1.  Empowering Security • Developers: A powerful, idiomatic API •

    Operators: A pure-software solution that is easy to maintain and can run on commodity hardware • Security Engineers: Strict usage control, audit trails, 
 clear threat models mitchellh
  2.  Developers: An API for Security • HTTP (over TLS),

    JSON • Secret storage • Encryption services • Certificate creation and verification mitchellh
  3.  Operators: Its Just Software • Pure software, no hardware

    requirement • Stateless (pluggable data stores) • Active/standby HA • Read-scalability with replication (enterprise) mitchellh
  4.  Security Engineers: Fort Knox • N-Person Unseal • Audit

    trails • Access Control • Clearly defined threat model and architecture • Open Source, Audited, Compliance, feature support mitchellh
  5.  Scaling Security mitchellh Developer Operator Security Core Security, Requirements,

    Practices, Audits Infrastructure Security, Network Security Application Security, Data Security
  6.  Scaling Security: Sec Engineer • Allowed behavior • Encryption

    algorithms • Key hierarchies, 
 rotation policies • Audit logs mitchellh Core Security, Requirements, Practices, Audits
  7.  Infrastructure Security, Network Security Scaling Security: Ops • Network

    layout/config, routing tables, etc. • OS security, user accounts, file permissions, etc. • Infrastructure creation, change process mitchellh
  8.  Application Security, Data Security Scaling Security: Dev • TLS

    connections • API auth/authz • Data encryption • Password request and usage mitchellh