Peter Souter

There's a lot of confusion around the differences between the various terms used when talking about configuring systems. Is Jenkins an orchestration tool or a deployment tool? Can Puppet provision systems? Is Ansible config management or and orchestration?

In this talk, we're going to boil down the core of each term and talk about the approaches used and where things cross over.

Names, as we know, are one of the hardest things in computer science. And in the DevOps space, we frequently see 4 terms come up again and again, and people often blur the lines between what each one is doing:

Deployment vs Provisioning vs Orchestration vs Configuration Management

It's easy to get mixed up between the terms, especially as a lot of the vendors who specialised in one area have started expanding into other areas to diversify their offerings and create a one-stop solution.

In this talk, we're going to discuss the differences between each term, what tools and approaches work well for each, how the lines have blurred in the container world and what the future might hold.

Config management is a perfect fit for compliance: you model desired compliant state, continually enforce it and have a full audit path of when changes occur and what lead to the drift. But what are the best practises for using config management for compliance, what are the caveats, how do you scan for issues and how can you keep the auditors happy?

If you work with or at a Telco, Financial Institution or a Government entity, you probably already know about compliance and the various acronyms and headaches it can bring.

How can we make this less of a painful process?

Well, if you think about it: compliance is a set of rules that someone has given you to enforce and prove that they're being enforced. What is configuration management? A series of rules for systems that need to be enforced. So compliance is the perfect use-case for configuration management.

We'll be discussing how you can enforce compliance in your estate with config management, what open-source tooling you to perform scans across your estate and how to save time by leveraging existing work such as http://dev-sec.io.

We'll also be talking about how to sell the benefits of config management for compliance to stakeholders and some real-life examples of how it's worked with customers in the past, and the caveats that come with it.

Configuration management is a great tool for helping with hardening and securing servers. But with any addition of new technology comes a new attack vector: Who watches the watchers?

Security is painful. Luckily the invention of configuration management tools has made this process easier, by allowing repeatable configuration for common hardening. However there comes a catch-22: How do we harden the configuration management itself?

When you have a tool that enables you to change systems at a fundamental level, it's a fairly tempting target for malicious agents, and one that would cause a lot of problems if compromised.

We'll be discussing some general patterns we can use to mitigate these problems: - Whitelisting "master" API's - Encrypting sensitive data - Adding a security element to code review

And we'll talk about some application specific options for some of most popular tools out there, such as Puppet, Chef, Ansible, cfengine and Salt.