From ICS Crawl to Cloud Sprint: Adventures in SecDevOps

Main Stage

What is the role of security in this new world of development and consumption of cloud services and DevOps? To answer the question, this talk traces my personal journey that began in the early 2010s, when I helped secure DoD Smart Grid deployments and SCADA systems, working within a very traditional IT and security organization. After SAIC, I stepped into the world of online game development as a first encounter with software engineers just wanting to get their code out, followed by my recent experience developing and delivering Security and Licensing SaaS offerings in AWS. The goal is to share practical lessons on how security organizations can and must adopt new tools, mindsets, and ways of working if they are to remain relevant in what will be the dominant application and service delivery model in the next decade.

By late 2017, the debate over public cloud security is largely over, even within some regulated industries. The consensus is now that a public cloud infrastructure (or consumption of services such as Office 365 or Okta) from a top-tier provider is far more securable than what most IT organizations can deliver in their own data centers with their own staff. Furthermore, the cloud allows greater speed and ability to innovate and scale. Even the most conservative organizations have begun to experiment with “DevOps” as a means of improving reliability, increasing alignment between the business and IT Operations, and integrating security more tightly into the software lifecycle. In short, DevOps has also become a baseline requirement for vendors evolving from on-premise software and hardware to software- and services-based delivery.

Secure Design & Dev