Why We Can't Have Nice Things: A Tale of Woe and a Hope for the Future

Computers are hard, and security is even harder. While you’re building a bespoke host-based intrusion detection system to monitor for advanced persistent threats, vulnerabilities are uncovered in 30-year-old core Unix programs. Even worse, the same junior level operations engineer who can (accidentally) provision thousands of systems and blow your budget away, is the same person who can make one small change to a security group which now allows all access to your back-end systems.

The cloud is making it easier than ever to provision systems to meet your infrastructure needs—and to do so very quickly. Speed to market is a major competitive advantage that many companies are leveraging through the concept of Infrastructure as Code. Provisioning hundreds or thousands of compute instances in mere minutes is now considered an everyday activity. Everyone wants to move fast.

The long contested battlefield of remote access to production machines has only gotten uglier since the rise of the Cloud, which has obliterated the line between building the system and running the system. “Lock out the developers” is not an acceptable policy anymore. Developers inherently build better systems when they experience running them.

Continuous Integration. Continuous Deployment. But who (or what) is continually monitoring the state of your operational security?

We’ll discuss the role of security in this new *aaS landscape. We’ll talk about things to do when you have a dedicated InfoSec team, and tools you can use when you don’t. We’ll explore what it means to build in security in the same way you build in quality as part of your continuous delivery pipelines. And how you can strengthen your security posture while maintaining your ability to move quickly and deliver value to your customers.