Compliance is Hard: Two Worlds at Odds - ChefConf 2015


Upload: chef

Post on 07-Aug-2015


Page 1: Compliance is Hard: Two Worlds at Odds - ChefConf 2015

Compliance is Hard: Two Worlds at Odds

John Martinez

April 2, 2015


About Me


✴ Been doing DevOps and Cloud stuff for ~5 years
✴ Did heavy Chef work for ~3
✴ UNIX throat beard since way back
✴ Compliance scars on my back
✴ I now talk to people about security for a living
✴ I recently built my 2nd Raspberry Pi (random fact, but true)


“When management says you are going to meet regulatory compliance, don’t fight it. Embrace it! Because compliance done right is also best practices, and who doesn’t want to be the best?”

Wayne Sisk, Compliance & Security Manager, Adobe


What is Compliance?

▪ Boiled down: it’s about assessing risk and implementing governance
▪ Most common are government-mandated and industry-specific compliance certifications
▪ Compliance != Security
▪ YOU: it’s not necessarily because management says so... you are a hugely important part of the process
▪ Examples of regulatory compliance: HIPAA, FISMA, FedRAMP
▪ Examples of industry compliance: SOC-2, PCI, ISO 27001


Typical Compliance Workflow


Define → Discover → Control → Test → Remediate → Report / Certify

Where do I fit in?


Case Study - SoftCorp*

▪ Embarked on a journey to SOC-2 compliance
▪ Define and Discovery took about 4 months
▪ Control took about 3 months
▪ Test / Remediate / Report took about 6 months
▪ Total effort: 12 months: 4 dedicated people, 4 partially-dedicated people
▪ Most phases of the workflow overlapped
▪ The final phase was continuous

*SoftCorp is a fictitious corporation


Compliance is for Humans, Not Technology


▪ Auditors and compliance officers don’t understand the cloud or DevOps
▪ Embrace it as a challenge to mold them in your way
▪ You’ll have to talk to a lot of people, mostly internal auditors and managers (meetings to schedule other meetings: BRING A LAPTOP!)
▪ Don’t take questions about your cool architecture personally


technology == automation

▪ Evidence gathering requires automation - let your bots do your work for you
▪ Tons of time will be spent writing automation of infrastructure in the early phases
▪ Tons of time will be spent gathering data from your automation in the late phases
▪ Self-described systems 4TW
▪ Chef is awesome for this (knife node show -l)
▪ Log aggregation to gather your evidence
▪ Save them somewhere else
▪ Use 3rd party tools to have an independent view of your world (I may know a good one!)
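One way to turn the "self-described systems" idea into evidence, as an added example that is not part of the talk or of Chef itself: take the node object that `knife node show NODE -l -F json` returns, run a handful of controls over it, and write a timestamped, hashed evidence bundle to a separate directory so an auditor can check it was not altered after collection. The two node documents below are constructed samples trimmed to a few attributes, and the control ids and descriptions are hypothetical; swap in the attributes and controls your own auditors actually ask about.

```ruby
require 'json'
require 'digest'
require 'time'
require 'fileutils'

# Constructed sample nodes, shaped like `knife node show NODE -l -F json` output
# (trimmed to a few attributes; a real node object is far larger).
NODE_WEB_JSON = <<~JSON
  {
    "name": "web-01.example.internal",
    "chef_environment": "production",
    "run_list": ["role[base]", "role[web]"],
    "automatic": { "platform": "ubuntu", "platform_version": "14.04" },
    "normal": {
      "sshd": { "permit_root_login": "no", "password_authentication": "no" },
      "ntp": { "servers": ["0.pool.ntp.org", "1.pool.ntp.org"] }
    }
  }
JSON

NODE_DB_JSON = <<~JSON
  {
    "name": "db-01.example.internal",
    "chef_environment": "production",
    "run_list": ["role[db]"],
    "automatic": { "platform": "ubuntu", "platform_version": "14.04" },
    "normal": {
      "sshd": { "permit_root_login": "yes", "password_authentication": "no" },
      "ntp": { "servers": [] }
    }
  }
JSON

SAMPLE_NODES = { "web-01" => NODE_WEB_JSON, "db-01" => NODE_DB_JSON }.freeze

# Hypothetical control catalogue (ids are made up for this example): each control
# is a description plus a predicate over the parsed node hash.
CONTROLS = {
  "SSH-01" => ["Root login over SSH disabled",
               ->(n) { n.dig("normal", "sshd", "permit_root_login") == "no" }],
  "SSH-02" => ["SSH password authentication disabled",
               ->(n) { n.dig("normal", "sshd", "password_authentication") == "no" }],
  "NTP-01" => ["At least one NTP server configured",
               ->(n) { Array(n.dig("normal", "ntp", "servers")).any? }],
  "CFG-01" => ["Baseline role present in run_list",
               ->(n) { Array(n["run_list"]).include?("role[base]") }],
}.freeze

# Evaluate every control against one node document and return an evidence record.
# The SHA-256 of the raw JSON ties the verdicts to the exact input that produced them.
def evaluate_node(node_json, collected_at: Time.now.utc)
  node = JSON.parse(node_json)
  results = CONTROLS.map do |id, (description, check)|
    { "control" => id, "description" => description, "passed" => check.call(node) == true }
  end
  {
    "node" => node["name"],
    "environment" => node["chef_environment"],
    "platform" => "#{node.dig('automatic', 'platform')} #{node.dig('automatic', 'platform_version')}",
    "collected_at" => collected_at.iso8601,
    "source_sha256" => Digest::SHA256.hexdigest(node_json),
    "results" => results,
    "compliant" => results.all? { |r| r["passed"] },
  }
end

# Flatten failed controls across all records into "node: control (description)" lines
# for the remediation queue.
def failing_controls(records)
  records.flat_map do |rec|
    rec["results"].reject { |r| r["passed"] }
                  .map { |r| "#{rec['node']}: #{r['control']} (#{r['description']})" }
  end
end

# Write the records as one timestamped JSON bundle plus a companion SHA-256 digest,
# into a directory separate from the systems that generated the data.
def write_evidence(records, dir, collected_at: Time.now.utc)
  FileUtils.mkdir_p(dir)
  body = JSON.pretty_generate(records)
  path = File.join(dir, "chef-node-evidence-#{collected_at.strftime('%Y%m%dT%H%M%SZ')}.json")
  File.write(path, body)
  File.write("#{path}.sha256", "#{Digest::SHA256.hexdigest(body)}  #{File.basename(path)}\n")
  path
end

if __FILE__ == $0
  records = SAMPLE_NODES.values.map { |json| evaluate_node(json) }
  puts failing_controls(records)
  puts "evidence written to #{write_evidence(records, 'evidence')}"
end
```

In practice the node JSON would come from a scheduled `knife node show NODE -l -F json` run per node rather than from the embedded constants, and the evidence directory would be a bucket or share that the Chef server and the nodes cannot write to.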


What will you be asked for?

▪ Diagrams and diagrams and diagrams (of networks and application stacks)
▪ “Evidence” for “Controls” (i.e. TONS of data)
▪ Your cloud provider’s certifications don’t mean you don’t have to work
▪ In fact, you have to prove you’re following their customer responsibility requirement
▪ In the test phase, you will need to sit through many, many long hours of meetings (or not) with both internal and external auditors
▪ HINT: let your internal auditors use the “no” word
▪ More than likely: DOCUMENTATION
▪ Because, why not do it with Chef?


What will you be asked for? The Sensitive Parts

▪ Cloud Configurations
▪ System Configurations
▪ Firewall logs
▪ Application Descriptions
▪ Network Access Testing
▪ Authentication and Authorization
▪ Privilege Escalation
▪ Data Isolation
▪ Segregation of Duties


Where can I read more?

▪ Start with the Cloud Security Alliance Cloud Controls Matrix: https://cloudsecurityalliance.org/research/ccm/


Final Note: Compliance is Continuous!


▪ You mean I’ll have to go through this again?
▪ Maybe you, maybe someone else, but yes
▪ Be the process
▪ Bring it on! (other compliance projects)


Give me a shout!


✴ Twitter: @johnmartinez
✴ Email: [email protected]

Come see us at Booth #104. Enter our drawing for a drone!
