aws re:invent 2016: embracing devsecops while improving compliance and security agility and posture...
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Scott Paddock, AWS Security Solutions Architect
Matt Ferrari, ClearDATA Chief Technology Officer
November 28, 2016
HLC303
Embracing DevSecOps
While Improving Your Compliance
and Security Agility and Posture
Agenda
• DevOps to DevSecOps Primer
• Observed industry cloud techniques with AWS
• Tools, processes and frameworks to assist
• Example Compliance Workflows
DevOps Toolchain
• Plan: Define and plan; business value, application requirements, security, compliance and metrics
• Create: Build, code and configuration
• Verify: Ensuring quality; acceptance, regression, security and compliance testing
• Preprod: Approval/certification, triggered releases, release staging and holding
• Release: Release coordination, promotion, scheduling, rollback and recovery
• Configure: Infrastructure and application
• Monitor: Process, application, infrastructure, security and compliance
Source: Wikipedia
DevOps Principles
• Collaborate with all stakeholders
• Codify everything
• Test everything
• Automate everything
• Measure and monitor everything
• Deliver business value with continual feedback
Drivers for DevSecOps
Embedding Security into DevOps was not successful because…
• Compliance checklists didn’t take us far before we stopped scaling…
• We couldn’t keep up with deployments without automation…
• Standard Security Operations did not work…
• And we needed far more data than we expected to help the business make decisions…
From Intuit
DevSecOps: Security as Code
Establishing these principles…
• Customer-focused mindset
• Scale, scale, scale
• Objective criteria
• Proactive hunting
• Continuous detection and response
DevOps Toolchain
• Plan: Define and plan; business value, application requirements, security, compliance and metrics
• Create: Build, code and configuration
• Verify: Ensuring quality; acceptance, regression, security and compliance testing
• Preprod: Approval/certification, triggered releases, release staging and holding
• Release: Release coordination, promotion, scheduling, rollback and recovery
• Configure: Infrastructure and application
• Monitor: Process, application, infrastructure, security and compliance
AWS HIPAA Eligible Services (prior to re:Invent)
• Amazon EC2
• Amazon EMR
• Amazon Glacier
• Amazon S3
• Amazon DynamoDB
• Amazon RDS (MySQL and Oracle)
• Amazon Redshift
• Amazon EBS
• Elastic Load Balancing
• Amazon Snowball
Consult with compliance and security organizations before implementing
AWS HIPAA Eligible Services (prior to re:Invent)
• Amazon EC2
• Amazon EMR
• Amazon Glacier
• Amazon S3
• Amazon DynamoDB
• Amazon RDS (MySQL and Oracle)
• Amazon Redshift
• Amazon EBS
• Elastic Load Balancing
• Amazon Snowball
Other AWS Services
• Amazon ECS
• Amazon CloudWatch
• AWS CodeCommit
• AWS CodeDeploy
• AWS CodePipeline
• SQS
• SNS
• AWS Config
• AWS Device Farm
Consult with compliance and security organizations before implementing
Observed industry cloud techniques with AWS
Consult internally before implementing
The following slides are practices we have seen used in industry. As security and industry compliance is determined by the customer, before implementing please:
• Consult with your internal best practices
• Consult with your Cloud Center of Excellence
• Consult with your Information Security group
• Consult with your Compliance organization
• Do your due diligence
General Strategies
Diagram: AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline
Consult with compliance and security organizations before implementing
• Decouple protected/sensitive data from the processing or orchestration
• Track where your protected/sensitive data flows
• Do not check the protected data into your source or artifact repository!
• Use indirection when orchestrating your protected/sensitive data flow
• Separate protected/sensitive and general workflow logical boundaries
Separate Virtual Private Cloud (VPC) Strategy
Diagram: a PHI / Sensitive Data VPC (Amazon EC2, Amazon EMR, Amazon S3 holding PHI) kept separate from a General VPC (Amazon EC2, AWS Directory Service, AWS Device Farm)
Consult with compliance and security organizations before implementing
Indirection Strategy
Diagram: Claims (PHI data) are sent over HTTPS to an inbound data store (S3); SQS and SNS sit between the store and the data processing system
Consult with compliance and security organizations before implementing
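The indirection strategy above, and the "decouple", "track where your data flows" and "use indirection" bullets from the General Strategies slide, come down to one rule: the orchestration path (SQS/SNS) carries a reference to the protected object, never the object itself. The following is an added example for this page, not code from the deck, AWS or ClearDATA. It replaces the inbound S3 bucket and the SQS queue with in-memory stand-ins so it runs offline; the PHI_FIELDS deny-list, the bucket name and the sample claim are constructed for illustration.

```python
"""Indirection for a protected data flow: the queue carries a reference, never the
record. Added example for this page; it is not code from the deck, AWS or
ClearDATA. The inbound S3 store and the SQS queue are replaced by in-memory
stand-ins so it runs offline; PHI_FIELDS and the sample claim are constructed."""
import hashlib
import json
import uuid
from dataclasses import asdict, dataclass

# Constructed deny-list of claim fields that must never travel in a queue message.
PHI_FIELDS = {"member_id", "patient_name", "dob", "diagnosis", "ssn"}


class MessageContainsPHI(ValueError):
    """Raised when a queue message would carry protected fields."""


@dataclass(frozen=True)
class ObjectReference:
    """The only thing SQS/SNS get to see: where the object lives plus a digest so
    the consumer can verify what it fetched. No payload fields."""
    bucket: str
    key: str
    sha256: str
    content_length: int


class InboundStore:
    """Stand-in for the inbound S3 bucket (a dict instead of a real bucket)."""

    def __init__(self, name: str):
        self.name = name
        self._objects = {}

    def put(self, key: str, body: bytes) -> ObjectReference:
        self._objects[key] = body
        return ObjectReference(self.name, key, hashlib.sha256(body).hexdigest(), len(body))

    def get(self, key: str) -> bytes:
        return self._objects[key]


def assert_no_phi(message: dict) -> None:
    """Guard applied on both sides of the queue: refuse any message whose keys
    overlap the PHI deny-list, so a later refactor cannot silently start shipping
    claim fields through SQS/SNS."""
    leaked = PHI_FIELDS & set(message)
    if leaked:
        raise MessageContainsPHI(f"refusing to enqueue PHI fields: {sorted(leaked)}")


def ingest_claim(store: InboundStore, queue: list, claim: dict) -> ObjectReference:
    """'HTTPS Send' side: persist the claim to the inbound store, then publish only
    a reference to it."""
    body = json.dumps(claim, sort_keys=True).encode()
    ref = store.put(f"claims/{uuid.uuid4()}.json", body)
    message = asdict(ref)
    assert_no_phi(message)
    queue.append(json.dumps(message))  # stand-in for sqs.send_message
    return ref


def process_next(store: InboundStore, queue: list) -> dict:
    """Processing side: dequeue the reference, resolve it against the store and
    verify the digest before trusting the content."""
    message = json.loads(queue.pop(0))
    assert_no_phi(message)
    ref = ObjectReference(**message)
    body = store.get(ref.key)
    if hashlib.sha256(body).hexdigest() != ref.sha256:
        raise ValueError(f"{ref.key} changed between ingest and processing")
    return json.loads(body)


def demo() -> dict:
    """Run one claim through the flow and report what the queue actually carried."""
    store = InboundStore("inbound-claims-example")  # constructed bucket name
    queue = []
    claim = {"member_id": "M-0001", "diagnosis": "Z00.00", "amount": 125.0}  # constructed
    ref = ingest_claim(store, queue, claim)
    queued_keys = sorted(json.loads(queue[0]))
    processed = process_next(store, queue)
    return {
        "queued_keys": queued_keys,
        "key_prefix": ref.key.split("/")[0],
        "round_trip_ok": processed == claim,
        "queue_drained": queue == [],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest in the reference is what makes the pointer safe to act on: the consumer can detect an object that was replaced between ingest and processing, and the queue, its dead-letter copies and any SNS fan-out subscribers only ever hold bucket, key, hash and length, which keeps them outside the PHI boundary and out of scope for the data-flow tracking the slide asks for.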
HEALTHCARE MANAGED CLOUD
Designed for today’s healthcare environment.
THE PREMIER COMPANY
Deployment Tools
• Configuration Management Tools
• Orchestration Tools
• Auditing & Governance Tools
Security and Automation Objectives
• No Tight Coupling to Orchestration Tools
• Strong & Secure Audit Trail
• External Managed Services
• Highly Automated
Rethinking the model – Observe, Orient, Decide, Act
Credits: Patrick Edwin Moran https://commons.wikimedia.org/wiki/File:OODA.Boyd.svg
Diagram: Customer Account (AWS Config, AWS CloudTrail, Amazon CloudWatch, Amazon SNS; CloudTrail / CloudWatch Events, EC2 events) and Management Account (Amazon API Gateway, AWS Lambda, Amazon Kinesis Streams, Amazon DynamoDB, Amazon Redshift) handling AWS services account configuration; integrations with Sensu, CMDB, backups, vulnerability scanning, Slack, PagerDuty and ticketing; functions: Auditing / Governance, Alerting, SIEM, Remediation
AWS Services Driving Security
Trusted Advisor
• Catches common account misconfigurations
• Suggests cost reductions
• Evaluates fault tolerance
CloudWatch
• Monitor performance of AWS resources
• Aggregate and process log files (non-PHI)
• Requires instance profile or distributed credentials
AWS Config rules
• Constantly watch for account changes
• Remediate in near real-time
• Incredibly flexible and extendable
• AWS Lambda-based
Emerging AWS-native Solutions
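The AWS Config rules bullets describe the mechanism (Lambda-backed rules that evaluate every account change) without showing what such a rule looks like. The following is an added example for this page, not code from the deck, AWS or ClearDATA: a custom Config rule that enforces the separate-VPC strategy from the earlier slide by requiring every EC2 instance inside a designated PHI VPC to carry a data-classification tag. The event shape (invokingEvent, ruleParameters, resultToken) and the put_evaluations call are the AWS Config custom-rule contract; the rule parameter names (phiVpcIds, requiredTagKey, requiredTagValue), VPC IDs, instance IDs, tags and timestamps are constructed for the example.

```python
"""Custom AWS Config rule (Lambda handler) for the separate-VPC strategy: every EC2
instance inside a designated PHI VPC must carry a data-classification tag.
Added example for this page, not code from the deck, AWS or ClearDATA. The event
shape (invokingEvent, ruleParameters, resultToken) and put_evaluations are the
AWS Config custom-rule contract; the rule parameter names, VPC IDs, instance IDs
and timestamps are constructed for this example."""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_compliance(item: dict, params: dict) -> tuple:
    """Return (ComplianceType, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return NOT_APPLICABLE, "rule only evaluates EC2 instances"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "resource was deleted"
    # Constructed parameter: comma-separated IDs of the VPCs that hold PHI.
    phi_vpcs = {v.strip() for v in params.get("phiVpcIds", "").split(",") if v.strip()}
    vpc_id = item.get("configuration", {}).get("vpcId")
    if vpc_id not in phi_vpcs:
        return COMPLIANT, f"instance is outside the PHI VPCs (vpcId={vpc_id})"
    key = params.get("requiredTagKey", "DataClassification")  # constructed default
    value = params.get("requiredTagValue", "PHI")             # constructed default
    if item.get("tags", {}).get(key) == value:
        return COMPLIANT, f"tag {key}={value} present"
    return NON_COMPLIANT, f"instance in PHI VPC {vpc_id} is missing tag {key}={value}"


def lambda_handler(event: dict, context, config_client=None) -> dict:
    """Entry point AWS Config invokes; config_client is injectable so the rule can be
    exercised offline. Only change notifications are handled here; oversized and
    scheduled notifications need a get_resource_config_history lookup instead."""
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        raise ValueError(f"unsupported messageType: {invoking_event.get('messageType')}")
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # real client only when running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class RecordingConfigClient:
    """Offline stand-in for the boto3 Config client; records put_evaluations calls."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def sample_event(instance_id: str, vpc_id: str, tags: dict) -> dict:
    """Constructed change-notification event for one EC2 instance."""
    item = {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": instance_id,
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2016-11-28T10:00:00.000Z",
        "configuration": {"vpcId": vpc_id},
        "tags": tags,
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps({"phiVpcIds": "vpc-0phi00000example,vpc-0phi00001example"}),
        "resultToken": "example-result-token",
    }


if __name__ == "__main__":
    client = RecordingConfigClient()
    for args in [("i-0exampleaaaa", "vpc-0phi00000example", {"DataClassification": "PHI"}),
                 ("i-0examplebbbb", "vpc-0phi00001example", {"Name": "claims-worker"}),
                 ("i-0examplecccc", "vpc-0gen00000example", {})]:
        result = lambda_handler(sample_event(*args), None, client)
        print(result["ComplianceResourceId"], result["ComplianceType"], "-", result["Annotation"])
```

Keeping evaluate_compliance free of any AWS client is what makes the rule testable in a pipeline, which is the point of the "codify everything, test everything" principles earlier in the deck; the "remediate in near real-time" bullet is then a second Lambda or a Config remediation action keyed on the NON_COMPLIANT result, not something this evaluation function should do itself.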
Extending OODA Inside the Instance
• Unobtrusive
• Strong & Secure Audit Trail
• External Managed Services
• Highly Automated
AWS Environment
• Compute
• Storage
• Network / Cloud
Operating Environment
• Hardened AMIs
• Configuration management engine
• Patch management
• Managed backup & snapshots
• Monitoring & alerts
• Consolidated account info
• Isolated dev & test environments
Security & Compliance
• Hardened encryption configuration
• Key management
• Intrusion detection system
• Login and access tracking
• Event log management
• ClearDATA security appliance
• VPNs / Address translation
• Anti-virus
24/7 Managed Services
Delivered by AWS Certified Personnel
Over 30 additional services automatically attached to AWS infrastructure
Dynamic Cloud Platform
Security & Compliance Dashboard
• First of its kind in the industry – service-based, real-time, HIPAA compliance dashboard
• At-a-glance system status plus trending over time
• Detailed history available for attestation during audits
Continuous security and compliance monitoring mapped directly to HIPAA guidelines delivered across cloud and private environments via interactive dashboard and individual asset scorecards.
Thank you!
Remember to complete your evaluations!