Xueshan Feng, Bruce Vincent, Scotty Logan, – Stanford
How secure do we need to be? Should be asking not “is it safe?” but “is it safe enough?”
Stanford’s Minimum Security Standards for Servers
“it’s an automated bear now” – not good enough to be just faster than the other guy.
Contracts are not security controls
Only coders need apply… coding is table stakes for ops now. “if you do it twice, code it!” (Xueshan). If you’re in a technical role and don’t code, reflect on your future. Automation, revision control (audit trail), scripted deployment, API integrations
Putting the IdP, LDAP, KDC, in the cloud in docker containers. 3 of each + masters for kdc and ldap. Run on CoreOS on EC2. Signed commits with git in gpg. Using gitcrypt (encrypting data in repos). CoreOS is self-patching – no compiler, no yum. Don’t need interactive logins, so don’t need to expose those ports. Not patching containers, but build new ones and deploy.
Oren Sreebny 