AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Security Agility and Posture (HLC303)
![Page 1: AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Security Agility and Posture (HLC303)](https://reader034.vdocuments.net/reader034/viewer/2022050614/586f72b11a28ab10258b54d3/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Scott Paddock, AWS Security Solutions Architect
Matt Ferrari, ClearDATA Chief Technology Officer
November 28, 2016
HLC303
Embracing DevSecOps
While Improving Your Compliance
and Security Agility and Posture
Slide 2
Agenda
• DevOps to DevSecOps Primer
• Observed industry cloud techniques with AWS
• Tools, processes and frameworks to assist
• Example Compliance Workflows
Slide 3
DevOps Toolchain
• Plan: define and plan; business value, application requirements, security, compliance and metrics
• Create: build, code and configuration
• Verify: ensuring quality; acceptance, regression, security and compliance testing
• Preprod: approval/certification, triggered releases, release staging and holding
• Release: release coordination, promotion, scheduling, rollback and recovery
• Configure: infrastructure and application
• Monitor: process, application, infrastructure, security and compliance
Source: Wikipedia
Slide 4
DevOps Principles
• Collaborate with all stakeholders
• Codify everything
• Test everything
• Automate everything
• Measure and monitor everything
• Deliver business value with continual feedback
Slide 5
Drivers for DevSecOps
Embedding Security into DevOps was not successful because…
• Compliance checklists didn’t take us far before we stopped scaling…
• We couldn’t keep up with deployments without automation…
• Standard Security Operations did not work…
• And we needed far more data than we expected to help the business make decisions…
From Intuit
Slide 6
DevSecOps: Security as Code
Establishing these principles…
• Customer-focused mindset
• Scale, scale, scale
• Objective criteria
• Proactive hunting
• Continuous detection and response
Slide 7
DevOps Toolchain (the slide 3 diagram repeated: Plan, Create, Verify, Preprod, Release, Configure, Monitor, with the same phase descriptions)
Slide 8
AWS HIPAA Eligible Services (prior to re:Invent)
Amazon EC2, Amazon EMR, Amazon Glacier, Amazon S3, Amazon DynamoDB, Amazon RDS (MySQL and Oracle), Amazon Redshift, Amazon EBS, Elastic Load Balancing, Amazon Snowball
Consult with compliance and security organizations before implementing
Slide 9
AWS HIPAA Eligible Services (prior to re:Invent)
Amazon EC2, Amazon EMR, Amazon Glacier, Amazon S3, Amazon DynamoDB, Amazon RDS (MySQL and Oracle), Amazon Redshift, Amazon EBS, Elastic Load Balancing, Amazon Snowball
Other AWS Services
Amazon ECS, Amazon CloudWatch, AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, SQS, SNS, AWS Config, AWS Device Farm
Consult with compliance and security organizations before implementing
Slide 10
Observed industry cloud techniques with AWS
Slide 11
Consult internally before implementing
The following slides are practices we have seen used in industry. As security and industry compliance is determined by the customer, before implementing please:
• Consult with your internal best practices
• Consult with your Cloud Center of Excellence
• Consult with your Information Security group
• Consult with your Compliance organization
• Do your due diligence
Slide 12
General Strategies
(service icons: AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline)
• Decouple protected/sensitive data from the processing or orchestration
• Track where your protected/sensitive data flows
• Do not check the protected data into your source or artifact repository!
• Use indirection when orchestrating your protected/sensitive data flow
• Separate protected/sensitive and general workflow logical boundaries
Consult with compliance and security organizations before implementing
Slide 13
Separate Virtual Private Cloud (VPC) Strategy
PHI / Sensitive Data VPC (PHI): Amazon EC2, Amazon EMR, Amazon S3
General VPC: Amazon EC2, AWS Directory Service, AWS Device Farm
Consult with compliance and security organizations before implementing
Slide 14
Indirection Strategy
Diagram components: PHI Data (Claims); Inbound Data Store (S3); HTTPS Send; SQS; SNS; Data Processing System
Consult with compliance and security organizations before implementing
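The general strategies on slide 12 (decouple protected data from orchestration, never check it into a repository) and the indirection diagram on slide 14 (claims land in an S3 data store, and SQS/SNS carries only a reference to them) describe one pattern. The following is an added example that is not code from the talk, from AWS or from ClearDATA: the producer writes the claim to the data store and queues a pointer message containing only the object key, the KMS key alias and a digest; a guard refuses to queue anything that looks like PHI; the consumer resolves the pointer inside the PHI boundary and checks the digest. The in-memory store and queue, the field names and the PHI field list are assumptions chosen for the example, and the sample claim is constructed.

```python
"""Indirection pattern for PHI workflow messages.

Added example, not code from the talk or from ClearDATA/AWS. The S3 data
store and the SQS/SNS queue are replaced by in-memory stand-ins so it runs
offline; the message field names (object_key, kms_key_id, sha256) and the
PHI field list are assumptions for the example.
"""
import hashlib
import json
import re
from dataclasses import dataclass, field

# Fields that must never travel through the orchestration layer (assumed list).
PHI_FIELDS = {"patient_name", "dob", "ssn", "mrn", "diagnosis"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class InMemoryStore:
    """Stand-in for the inbound S3 data store (constructed for the example)."""
    def __init__(self):
        self.objects = {}

    def put(self, key, data: bytes):
        self.objects[key] = data

    def get(self, key) -> bytes:
        return self.objects[key]


@dataclass
class Queue:
    """Stand-in for SQS/SNS: holds JSON message bodies in order."""
    messages: list = field(default_factory=list)

    def send(self, body: str):
        self.messages.append(body)

    def receive(self) -> str:
        return self.messages.pop(0)


def build_pointer_message(claim_id: str, key: str, blob: bytes, kms_key_id: str) -> dict:
    """Describe a claim by reference only: where it is, which key protects it,
    and a digest so the consumer can detect tampering or the wrong object."""
    return {
        "claim_id": claim_id,
        "object_key": key,
        "kms_key_id": kms_key_id,
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def validate_no_phi(message: dict) -> list:
    """Return the reasons a message is NOT safe to queue; empty means references only."""
    problems = []
    for k, v in message.items():
        if k in PHI_FIELDS:
            problems.append(f"field '{k}' is PHI")
        if isinstance(v, str) and SSN_RE.search(v):
            problems.append(f"field '{k}' looks like an SSN")
    return problems


def submit_claim(store, queue, claim_id, claim: dict, kms_key_id="alias/phi-inbound"):
    """Producer side: PHI goes to the data store, only the pointer goes to the queue."""
    blob = json.dumps(claim, sort_keys=True).encode()
    key = f"claims/{claim_id}.json"
    store.put(key, blob)  # with real S3 this would be put_object(..., ServerSideEncryption='aws:kms')
    msg = build_pointer_message(claim_id, key, blob, kms_key_id)
    problems = validate_no_phi(msg)
    if problems:
        raise ValueError("refusing to queue PHI: " + "; ".join(problems))
    queue.send(json.dumps(msg))
    return msg


def process_next(store, queue) -> dict:
    """Consumer side: resolve the reference inside the PHI boundary and verify the digest."""
    msg = json.loads(queue.receive())
    blob = store.get(msg["object_key"])
    if hashlib.sha256(blob).hexdigest() != msg["sha256"]:
        raise ValueError("digest mismatch for " + msg["object_key"])
    return json.loads(blob)


if __name__ == "__main__":
    store, queue = InMemoryStore(), Queue()
    # Constructed sample claim; the values are not real patient data.
    submit_claim(store, queue, "c-1", {"patient_name": "Test Patient", "mrn": "000123", "amount": 42.0})
    print("queued:", queue.messages[0])
    print("resolved:", process_next(store, queue))
```

The queue body never contains the claim itself, so the orchestration services (SQS, SNS, the pipeline tooling) stay outside the PHI boundary; only the consumer that holds the S3 and KMS permissions sees the record.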
Slide 16
The Premier Healthcare Managed Cloud Company
Designed for today's healthcare environment.
Slide 17
Deployment Tools
• Configuration Management Tools
• Orchestration Tools
• Auditing & Governance Tools
Slide 18
Security and Automation Objectives
• No Tight Coupling to Orchestration Tools
• Strong & Secure Audit Trail
• External Managed Services
• Highly Automated
Slide 19
Rethinking the model – Observe, Orient, Decide, Act
Credits: Patrick Edwin Moran https://commons.wikimedia.org/wiki/File:OODA.Boyd.svg
Slide 20
AWS Services Account Configuration (diagram labels, grouped as they appear)
Customer Account: AWS Config, AWS CloudTrail, Amazon CloudWatch, Amazon SNS
Management Account: Amazon API Gateway, AWS Lambda, Amazon Kinesis
Slide 21
Diagram labels: Amazon Kinesis Streams; CloudTrail / CloudWatch Events; EC2 events; Auditing / Governance; Alerting; SIEM; Remediation; Sensu; CMDB; Backups; Vuln Scanning; Slack; PagerDuty; Ticketing; Amazon DynamoDB; Amazon Redshift
Slide 22
AWS Services Driving Security
Trusted Advisor
• Catches common account misconfigurations
• Suggests cost reductions
• Evaluates fault tolerance
CloudWatch
• Monitor performance of AWS resources
• Aggregate and process log files (non-PHI)
• Requires instance profile or distributed credentials
AWS Config rules
• Constantly watch for account changes
• Remediate in near real-time
• Incredibly flexible and extendable
• AWS Lambda-based
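The AWS Config rules bullets (watch for account changes, Lambda-based, near-real-time) are the detection half of the OODA loop the talk describes. The following is an added example that is not code from the talk, from AWS or from ClearDATA: a custom-rule Lambda handler that evaluates an EBS volume configuration item and reports it as NON_COMPLIANT when the volume is not encrypted, which matches the "hardened encryption configuration" control listed later in the deck. The event shape (invokingEvent as a JSON string holding a configurationItem, plus resultToken) is what AWS Config passes to custom rules; the sample event, the recording client stand-in and the annotation text are constructed for the example, and remediation (for instance publishing the finding to SNS for a responder) is left as a follow-on step.

```python
"""Custom AWS Config rule (Lambda-backed) that flags unencrypted EBS volumes.

Added example, not code from the talk or from ClearDATA/AWS. The decision
logic is kept in a pure function so it can be exercised offline; the Config
client is injectable for the same reason. SAMPLE_EVENT is constructed.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_compliance(item: dict) -> tuple:
    """Pure decision function over a configuration item: (compliance_type, annotation)."""
    if item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "rule only evaluates EBS volumes"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "resource deleted"
    cfg = item.get("configuration") or {}
    if cfg.get("encrypted") is True:
        return COMPLIANT, "volume is encrypted"
    return NON_COMPLIANT, "EBS volume is not encrypted; protected data must not be stored on it"


def build_evaluation(item: dict) -> dict:
    """Shape one result the way PutEvaluations expects (annotation is capped at 256 chars)."""
    ctype, note = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": ctype,
        "Annotation": note[:256],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point. config_client is injectable so the logic runs offline in tests."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    evaluation = build_evaluation(item)
    if config_client is None:
        import boto3  # only needed when actually running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event in the shape AWS Config sends on a configuration change.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0example",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2016-11-28T10:00:00.000Z",
            "configuration": {"encrypted": False, "size": 100},
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
}


class RecordingConfigClient:
    """Offline stand-in for boto3's Config client; records what would be sent."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = RecordingConfigClient()
    print(lambda_handler(SAMPLE_EVENT, None, config_client=client))
```

Because the rule fires on every configuration change of a matching resource, a volume created without encryption shows up as NON_COMPLIANT within the Config delivery window rather than at the next periodic audit, which is the "near real-time" property the slide refers to.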
Slide 23
Emerging AWS-native Solutions
Slide 24
Extending OODA Inside the Instance
• Unobtrusive
• Strong & Secure Audit Trail
• External Managed Services
• Highly Automated
Slide 25
Dynamic Cloud Platform
AWS Environment
• Compute
• Storage
• Network / Cloud
Operating Environment
• Hardened AMIs
• Configuration management engine
• Patch management
• Managed backup & snapshots
• Monitoring & alerts
• Consolidated account info
• Isolated dev & test environments
Security & Compliance
• Hardened encryption configuration
• Key management
• Intrusion detection system
• Login and access tracking
• Event log management
• ClearDATA security appliance
• VPNs / Address translation
• Anti-virus
24/7 Managed Services, delivered by AWS Certified Personnel
Over 30 additional services automatically attached to AWS infrastructure
Slide 26
Security & Compliance Dashboard
• First of its kind in the industry: service-based, real-time, HIPAA compliance dashboard
• At-a-glance system status plus trending over time
• Detailed history available for attestation during audits
Continuous security and compliance monitoring mapped directly to HIPAA guidelines, delivered across cloud and private environments via interactive dashboard and individual asset scorecards.
Slide 27
Thank you!
Slide 28
Remember to complete your evaluations!