►
Description
Speaker: Keith Rhea, Tim Jones
Let’s talk about compliance—just the word makes people either want to fall asleep or worse, run and hide. Between the development process and the cycle of endless audits, it’s no wonder that people try to avoid this topic at all costs. However, it’s clear that in order to move toward cloud migration and modernization, public sector organizations must transform their existing processes to obtain an Authority to Operate (ATO). In this talk, we’ll walk through the process of how implementing automation took our federal customer from an average ATO time of an average of 3-4 months per application to only 1-2 weeks, and more importantly, why Gitlab is the superior tool to help us do that.
Not a federal customer? That’s ok, too. Managing policy through automation is an important way you can more easily pass any regulatory audit like PCI DSS, HIPAA, and more!
Get in touch with Sales: http://bit.ly/2IygR7z
A
B
Listen
all
right.
Welcome
everyone.
First
of
all,
we'd
like
to
thank
everyone
for
attending
today
and
we'd
also
like
to
appreciate
git
lab
for
giving
us
the
opportunity
to
come.
Tell
our
story
of
how
we're
helping
ease
the
pain
of
public
sector
compliance,
so
the
use
of
automation
and
policy
is
code,
so,
first
a
quick
intro
on
ourselves.
B
My
name
is
keith
ray,
I'm
a
senior
cloud
security
engineer
at
minepoint
group,
I've
been
at
minepoint
for
a
little
over
five
years
outside
of
work.
I
enjoy
outdoor
activities
in
the
winter
time.
I
love
skiing
in
the
summertime
just
doing
anything
outside
I
live
in
northern
colorado.
I
love
checking
out
the
local
breweries
and
seeing
what
all
they
got
on
tap
tim.
C
Thanks
keith,
I'm
tim
jones,
I'm
a
cloud
automation
engineer
at
my
point
group:
I've
been
here
for
a
little
under
a
year
and
I
live
in
san,
diego
california.
So
I
like
enjoying
fun
in
the
sun
surfing.
I
also
snowboard
and
I
also
like
the
golf.
So
I'm
going
to
hand
it
back
to
keith
and
we'll
get
started
a.
B
B
B
B
B
B
B
B
We've
broken
that
down
into
a
few
areas,
the
first
being
time,
gathering
all
the
requirements,
building
solutions,
testing
the
solutions,
document
documenting
and
auditing
the
it
systems.
All
of
that
takes
time
and
there's
a
constant
competing
of
time
for
developers
and
engineering
support
to
deliver
content
to
deliver
feature
requests,
deliver
bug
fixes
all
those
types
of
things
that
are
definitely
competing
on
time
and
we've
consistently
seen
security
take
the
back
seat
when
it
comes
to
prioritizing
those
tasks.
B
Secondly,
is
cost
all
the
activities
that
we
just
listed.
You
know
they
all
take
time
and
time
obviously
translates
into
associated
cost.
In
addition
to
that,
implementing
and
auditing
security
compliance
requires
highly
technical
skill
sets
and
those
aren't
easy
to
come
by
and
the
cost
associated
with
those
resources.
Obviously
it
reflects
that
next,
the
ability
to
be
accurate.
B
B
B
I
think
we
really
just
want
to
avoid
the
deploying
of
it
systems
with
default
options
and
people
just
crossing
their
fingers,
hoping
that
you
know
it
meets
the
low
water
mark
for
compliance
and,
lastly,
a
single
source
of
truth.
So
having
all
your
control,
implementation,
details,
documentation
and
code
and
a
single
location
allows
for
all
your
stakeholders,
your
developers,
your
engineers
and
auditors
all
to
be
able
to
rely
on
that
single
source
of
truth
to
get
accurate,
up-to-date
information.
B
So
I
really
want
to
avoid
the
death
by
spreadsheets.
I
think
we've
all
been
through
a
compliance
effort
where
there's
multiple
copies
of
the
same
spreadsheet.
There's
tens
of
tabs
hundreds
of
controls
talking
about
control,
implementation,
details,
whether
you're
passing
you're
failing,
and
we
really
want
to
be
able
to
boil
that
out
and
and
have
that,
be
a
single
source
of
truth
and
avoid.
You
know
information
drift
and
you
know
all
that
sort
of
thing.
B
So
the
five
steps
you
see
here
are
breakout
of
the
risk
management
framework
steps
three
through
six,
so
your
control
implementation
all
the
way
through
your
continuous
monitoring.
So
first,
like
we
talked
about
above,
we
want
to
auto
automate
our
control
implementation,
build
the
solution
and
code
build
a
pipeline
to
automate
the
deployment
of
that
solution.
B
B
Next,
we
want
to
validate
that
process,
have
automated
control
testing,
so
we
don't
want
to
go
through
an
annual
assessment
every
year.
We
want
to
have
that
continuous
feedback
that
is
near
real
time
and
up
to
date
and
the
output
of
that.
So
when
a
control
test
fails,
how
do
we
handle
that
the
automated
control
remediation?
Is
it
something
that
we
can
respond
to
automatically
and
remediate?
Is
it
something
that
requires
engineering
developer,
support
a
code
change?
C
So
this
is
going
to
bring
about
a
culture
change
where
teams
are
going
to
have
to
be
more
development
minded
and
security
focused.
But
this
is
going
to
allow
them
to
practice
the
traditional
agile
software
development
techniques,
while
also
being
cognizant
of
the
accreditation
of
the
system,
and
so
we
achieved
this
with
three
main
pillars
of
our
automated
compliance
environment,
and
one
of
them
is
get
lab.
C
So
this
allows
us
to
customize
our
workflows
for
security,
relevant
events
using
gitlab
pipelines
and
runner
containers
and
commit
policies
to
not
only
deploy
secure
infrastructure
to
the
cloud,
but
also
desired.
State
configuration
playbooks
for
the
os
platforms
and
the
applications
running
on
those
os's.
In
your
environment,
and
so
we're
able
to
maintain
the
source
code
for
these
modular
code
bases
and
provide
the
knowledge
base
and
the
documentation
for
our
clients
to
then
interact
with
those
code
modules
and
execute
that
code
in
their
environments
by
providing
input
variables
into
that
code.
C
C
It'll
run
that
in
that
dev
environment
and
based
on
the
success
or
failure
of
that
process,
then
you're
allowed
to
build
that
ami
into
production.
So
this
is
a
good
way
for
us
to
control
the
security
of
a
system
before
it
even
hits
the
environment
and
the
point
with
all
this.
It's
not
to
make
the
job
of
the
developer
harder.
It's
not
to
create
an
additional
roadblock.
C
This
is
actually
making
it
easier
to
deploy
code
to
your
environment
because
we're
using
all
these
automation
technologies
and
we're
giving
the
developers
confidence
to
not
only
find
the
specific
configurations
in
their
application
that
may
apply
to
a
security
component,
but
we're
providing
that
knowledge
base
to
make
it
easier
for
them
to
go
and
discover
where
those
security
configurations
lie,
how
to
remediate
them
and
then
how
to
confidently
deploy
systems
into
their
production
environment.
And
so,
if
you
structure
something
like
this,
where
you
have
a
three-stage
build
of
two
separate
os
platforms
happening
in
parallel.
C
If
you
can
ensure
that
these
are
pushing
to
a
master
branch,
then
you
can
schedule
a
nightly,
build
and
have
clean
amis
the
next
day
to
build
new
resources
off
of
or
to
support
systems
that
are
already
in
production.
You
might
have
a
cluster
configuration
for
a
server,
or
maybe
an
auto
scaling
group.
So
this
provides
you
the
ability
to
deploy
that
quickly
and
securely.
C
And
so
here's
a
higher
level
overview
of
what
that
modular,
consumable
framework
might
look
like
where
you
can
have
application
rules
securing
your
application.
You
can
have
separate
roles
that
are
going
to
secure
your
operating
system
multi-platform
and
you
can
also
import
terraform
modules
to
deploy
different
resources
to
your
cloud
environment.
C
Allow
them
to
make
a
more
educated
decision
on
accrediting
the
system
and
continuing
to
accredit
the
system,
and
this
gives
us
the
ability
to
have
consistency
and
accuracy
and
also
module
modularly
deploy
code
as
a
service
to
our
clients
consistently
and
scalable.
So
when
you're
talking
about
an
update
to
let's
say
a
stig
baseline,
you
know
there
could
have
been
a
week
or
a
two
week
turnaround
on
being
able
to
provide
those
updates.
C
So
this
allows
accuracy
and
consistency
and
being
able
to
fine-tune
your
control
implementation,
so
you're
more
confident
in
deploying
resources
to
your
environment,
and
so,
if
you
have
any
questions
about
how
we're
doing
this
feel
free
to
reach
out
to
kether,
alright
and
here's
our
email
addresses
also,
if
you're
more
interested
in
hearing
about
what
mindpoint
group
is
doing
as
an
organization.
Please
visit
www.mindpointgroup.com
and
if
you're
also
interested
in
checking
out
our
secure
playbooks
for
secure
implementation.