SESSION ID: DSO-R09
How to GRC Your DevOps
Susan Allspaw Pomeroy
Technology Compliance Manager, Fastly, Inc.
@sueallspaw
#RSAC

A Story

A Brief History of DevOps, Part 1

Where's GRC?

What we think we do
What engineers think we do

What I'm here to tell you today
DevOps and GRC collaboration makes audits smoother and engineers happier
Traditional views of controls can (and should) change
Calibration of how things work is the foundation of DevOps and GRC collaboration

A note on terminology
Auditor, IA, GRC, compliance
Software Engineer, Ops Eng, SRE
Security team

Compliance Frameworks (they're good for you)

Security Frameworks Are Your Friends*
FLEXIBLE to your business
Enable engineering teams
Utilize basic security tenets you want to do anyway
*Not always

Security Frameworks Are Awful*
Have the capability to create business slowdowns
Can be interpreted as RIGID
Make paperwork
*Not always, either

What we want (auditor version)
Effective security controls
Evidence of security controls
Repeatable processes

What we want (engineer version)
Stable systems
Ability to improve/respond to unstable systems quickly
Common systems understanding
Visibility into our systems

What we want (security version)
Well-tested code
Visibility to unusual activity
Rule-following

The Difference?
Things we all want      How we want it
Resiliency              Auditable / not auditable
Visibility/Response     Fast / Methodical
Quality                 Perfect / Good enough

To Make Our Jobs Easier

Mental models of how things work
https://safetydifferently.com/the-varieties-of-human-work/

Work-as-Imagined

Mental models of how things work
Work-as-Done

"Procedures are an investment in safety—but not always. Procedures are thought to be required to achieve safe practice— yet they are not always necessary, nor likely ever sufficient for creating safety."
-- Sidney Dekker
2020_USA20_DSO-R09_01_How to GRC Your DevOps