Automating Security in Cloud Workloads with DevSecOps

This session is designed to teach security engineers, developers, solutions architects, and other technical security practitioners how to use a DevSecOps approach to design and build robust security controls at cloud-scale. This session walks through the design considerations of operating high-assurance workloads on top of the AWS platform and provides examples of how to automate configuration management and generate audit evidence for your own workloads. We’ll discuss practical examples using real code for automating security tasks, then dive deeper to map the configurations against various industry frameworks. This advanced session showcases how continuous integration and deployment pipelines can accelerate the speed of security teams and improve collaboration with software development teams.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Iolaire McKinnon, ProServe - Security Risk & Compliance. June 21, 2017. Automating Security in Cloud Workloads with DevSecOps
2. What to expect from the session
   • Why do security automation?
   • Who is responsible for security in a DevOps world?
   • Where do you want security automation?
   • When? Pre, post, and everything in between
   • What you can do: practical examples
   • How? Tools and partners
3. So what is DevSecOps anyway?
4. So what is DevOps anyway? DevOps is a collaboration between Development and Operations to improve agility and pace of innovation.
5. So what is DevOps anyway? DevOps is a collaboration between Development and Operations to improve agility and pace of innovation.
   • Tooling that you have/use/develop to perform this activity
   • Cultural philosophy on how change and deployment are handled within the organization
   • Processes which enable this activity
6. So what is DevSecOps anyway? DevSecOps is expanding the Dev + Ops collaboration to include Security. The aim: to have security that is:
   • applied throughout the development process,
   • non-blocking,
   • and works at scale.
7. So, meet the new security team: Operations Engineering, Application Security, Compliance
8. So, meet the new security team: Operations Engineering, Application Security, Compliance, Development
9. So, meet the new security team: Operations Engineering, Application Security, Compliance. Security team development responsibilities:
   - Tool creation
   - Guide app dev teams
   - Enabling automation of security
10. How to win at DevSecOps – Automate!
   - Automation is responsive
   - Automation is reliable
   - Automation is scalable….
   - Don’t worry… we still need humans
11. How to win at DevSecOps – The Mindset
   • Develop a customer-centric mindset
   • Successful DevSecOps is not blocking a rapid pace of innovation.
   • Security is built in, automated, and current.
   • Security as a self-service, with strong auditability
   • Security that is moving faster than Developers
12. Where? All over the place!
13. Continuous Integration / Continuous Deployment
   1. Security of the CI/CD pipeline
      • Access roles – separation of duties
      • Hardening build servers/nodes
   2. Security in the CI/CD pipeline
      • Artifact validation
      • Static code analysis
      • Validation prior to infrastructure change
14. CI/CD for DevOps (pipeline diagram). Stages: Version Control → CI Server → Package Builder → Deploy Server → Test Env / Staging Env / Prod Env. Annotations: Dev commits to Git/master; CI server gets/pulls code and images; send build report to Dev; stop everything if build failed; distributed builds; run tests in parallel; code, config, tests; push config and install; create deployment templates for infrastructure; generate artifact repo.
15. CI/CD for DevSecOps (pipeline diagram). Stages: Version Control → CI Server → Package Builder → Promote Process → Test Env / Staging Env / Prod Env. Security additions: block creds from Git; scan hook on get/pull of code and images; log for audit; audit/validate config; checksum; continuous scan; send build report to Security; stop everything if audit/validation failed; deployment templates for infrastructure; artifact repo.
16. Okay, but what about my other stuff?
17. Take a cloud-native approach to security
   Infrastructure as code
      • Base requirement!
      • Split ownership
      • Pre-deploy validation
   Elastic security automation
      • API driven
      • Auto Scaling groups – hooks
      • Execution layer scales with targets
   Runtime security
      • Tag-based targeting
      • Rip-n-replace
      • Continuous pen testing
   Immutable infrastructure
      • Validation and enforcement
      • Integrate with managed services
18. When? All of the time!
19. When – Control and Validate. Pre-event - Where possible
   • Store infrastructure in code repository
   • Validate each push (git event hooks)
   • Use managed microservices as the execution engine
   • Scan cloud infrastructure templates for unwanted/risk-valued configurations
   • Validate container definitions
   • Force infrastructure change via templates (Service Catalog)
   • Block or add manual review if needed/unsure
20. When – Control and Validate. Post-event - Always
   • Follow up on sensitive APIs
      • IAM, security groups/firewall, encryption keys, logging, etc.
   • Alert/inform
   • Use source of truth
      • Locked to execution function (read only)
   • Validate source
      • Human or machine in CI/CD
   • Decide on remediation
21. When – Control and Validate. Triggers – Event based:
   • Per change
      • API-based
      • Event logs
   • Per day
   • Per framework
      • Overall infrastructure, components, and resources
      • One component, multiple frameworks
22. What? Iolaire! I want examples!
23. Okay, jeez fine, have some examples:
   Security validation in an elastic infrastructure
      • Implement -> Validate -> Decide
      • Terminate upon failure of security check
   Automatic incident response remediation
      • Autoheal CloudTrail logging, then
      • Disable offenders
   Integrate host-based activity with cloud-based control
      • Immutable infrastructure – auto-isolate instances that fail checks
24. It’s demo time! – Logging enforcement
   Detect
      • CloudTrail logging disabled
   Respond
      • Automatically re-enable logging
   Forensics
      • Has this happened before?
   Countermeasures
      • If num_disabled > x: disable_user()  (x could be zero, based on type and user)
      • Safeguard: Should I temporarily disable the user? Who is the user?
25. Recap: Security Automation?
   Why? Keep up with DevOps, and focus on higher-value work
   Who? Everyone (self-service model)
   Where? Everywhere!
   When? All the time!
   More info: Search “DevSecOps” on the AWS Security & DevOps blogs
26. iolaire@amazon.com
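The pre-event check on slide 19 (scan infrastructure templates on each push, then block or send to manual review) as an added example; this is not code from the talk. It assumes a CloudFormation template in JSON form and two constructed rules: security-group ingress open to the world is blocking, an S3 bucket with no default encryption only needs review.

```python
import json

# Constructed sample CloudFormation template (not from the talk): one security
# group with a world-open SSH rule, one unencrypted bucket, one clean bucket.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
            ]},
        },
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    }
})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def scan_template(template_text):
    """Return (severity, logical_id, message) findings for a JSON template."""
    findings = []
    resources = json.loads(template_text).get("Resources", {})
    for name, res in resources.items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr in WORLD_CIDRS:
                    ports = f"{rule.get('FromPort')}-{rule.get('ToPort')}/{rule.get('IpProtocol')}"
                    findings.append(("HIGH", name, f"ingress {ports} open to {cidr}"))
        elif rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append(("MEDIUM", name, "no default bucket encryption"))
    return findings


def gate(findings, block_on=("HIGH",)):
    """Push-hook decision: block on blocking severities, review on the rest, else pass."""
    if any(sev in block_on for sev, _, _ in findings):
        return "block"
    return "review" if findings else "pass"
```

Wired into a git push hook or a pipeline stage, a "block" result fails the push and a "review" result opens a ticket for a human, which is the split the slide describes.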
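The detect / respond / forensics / countermeasure loop from slides 23 and 24, as an added example rather than the talk's own demo code. It assumes a CloudWatch Events payload carrying a CloudTrail StopLogging record (constructed here), and the AWS calls go through a stand-in object so the logic runs offline; a real handler would pass a thin wrapper over boto3's cloudtrail start_logging and iam put_user_policy calls instead.

```python
# Constructed event in the shape CloudWatch Events delivers for a CloudTrail
# API call; the account id, trail name and user are made up.
SAMPLE_EVENT = {
    "detail": {
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
    }
}


class FakeCloud:
    """Stand-in for the cloudtrail/iam clients so the example runs offline.

    history: prior (userName, eventName) records, i.e. the forensics source.
    """
    def __init__(self, history):
        self.history = history
        self.calls = []

    def start_logging(self, trail_arn):          # real: cloudtrail.start_logging(Name=trail_arn)
        self.calls.append(("start_logging", trail_arn))

    def prior_stop_logging_count(self, user):    # real: cloudtrail.lookup_events(...) filtered by user
        return sum(1 for u, e in self.history if u == user and e == "StopLogging")

    def deny_user(self, user):                   # real: iam.put_user_policy(...) with an explicit Deny
        self.calls.append(("deny_user", user))


def enforce_logging(event, cloud, max_disables=0, protected_users=("break-glass",)):
    """Detect -> respond -> forensics -> countermeasure with a safeguard."""
    detail = event["detail"]
    if detail.get("eventName") != "StopLogging":   # detect: only act on the disable call
        return {"action": "ignored"}
    trail = detail["requestParameters"]["name"]
    user = detail["userIdentity"].get("userName", "unknown")
    cloud.start_logging(trail)                     # respond first, investigate second
    prior = cloud.prior_stop_logging_count(user)   # forensics: has this happened before?
    # countermeasure: the slide's "if num_disabled > x: disable_user()", with the
    # safeguard that a protected (break-glass) identity is never locked out
    if prior > max_disables and user not in protected_users:
        cloud.deny_user(user)
        return {"action": "relogged_and_denied", "user": user, "prior": prior}
    return {"action": "relogged", "user": user, "prior": prior}
```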