compliance is hard: two worlds at odds - chefconf 2015
TRANSCRIPT
Compliance is Hard: Two Worlds at
OddsJohn Martinez
April 2, 2015
About Me
4
✴ Been doing DevOps and Cloud stuff for ~5 years ✴ Did heavy Chef work for ~3 ✴ UNIX throat beard since way back ✴ Compliance scars on my back ✴ I now talk to people about security for a living ✴ I recently built my 2nd Raspberry Pi (random fact, but true)
“When management says you are going to meet regulatory
compliance, Don’t fight it. Embrace it! Because compliance done right is also best practices, and who doesn’t want to be the
best?”Wayne Sisk, Compliance & Security Manager, Adobe
5
What is Compliance?
▪Boiled down: It’s about assessing risk and implementing governance ▪Most common are government mandated and industry specific
compliance certifications ▪Compliance != Security ▪YOU: It’s not necessarily because management says-so…you
are a hugely important part of the process ▪Examples of regulatory compliance: HIPAA, FISMA, FedRAMP ▪Examples of industry compliance: SOC-2, PCI, ISO 27001
6
Typical Compliance Workflow
7
Define Discover Control
Report / Certify
Test
Remediate
Where do I fit in?
Case Study - SoftCorp*
▪Embarked on a journey to SOC-2 Compliance ▪Define and Discovery took about 4 months ▪Control took about 3 months ▪Test / Remediate / Report took about 6 months ▪Total effort: 12 months: 4 dedicated people, 4 partially-dedicated
people ▪Most phases of the workflow overlapped ▪The final phase was continuous
*SoftCorp is a fictitious corporation
8
SoftCorp
Compliance is for Humans, Not Technology
9
▪Auditors and compliance officers don’t understand the cloud or DevOps ▪Embrace it as a challenge to mold them in your way ▪You’ll have to talk to a lot of people, mostly internal
auditors and managers (meetings to schedule other meetings BRING A LAPTOP!) ▪Don’t take questions about your cool architecture
personally
10
▪Evidence gathering requires automation - let your bots do your work for you ▪Tons of time will be spent writing automation of infrastructure
in the early phases ▪Tons of time will be spent gathering data from your
automation in the late phases ▪Self described systems 4TW ▪Chef is awesome for this (knife node show -l) ▪ Log aggregation to gather your evidence ▪Save them somewhere else ▪Use 3rd party tools to have an independent view of your world ▪ (I may know a good one!)
technology == automation
What will you be asked for?▪Diagrams and diagrams and diagrams (of
networks and application stacks) ▪ “Evidence” for “Controls" (i.e. TONS of data) ▪Your cloud provider’s certifications doesn’t mean
you don’t have to work ▪ In fact, you have to prove you’re following their
customer responsibility requirement ▪ In the test phase, you will need to sit through many
many long hours of meetings (or not) with both internal and external auditors ▪HINT: let your internal auditors use the “no” word ▪More than likely: DOCUMENTATION ▪Because, why not do it with Chef?
11
What will you be asked for? The Sensitive Parts
▪Cloud Configurations ▪System Configurations ▪Firewall logs ▪Application Descriptions ▪Network Access Testing ▪Authentication and Authorization ▪Privilege Escalation ▪Data Isolation ▪Segregation of Duties
12
Where can I read more?
▪Start with the Cloud Security Alliance Cloud Controls Matrix https://cloudsecurityalliance.org/research/ccm/
13
Final Note: Compliance is Continuous!
14
▪You mean I’ll have to go through this again? ▪Maybe you, maybe someone else, but
yes ▪Be the process ▪Bring it on! (other compliance projects)
Give me a shout!
15
✴ Twitter: @johnmartinez ✴ Email: [email protected]
Come see us at Booth #104 Enter our drawing for a drone!