AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Security Agility and Posture (HLC303)


This session will demonstrate how to embrace DevSecOps to improve your security and compliance agility and posture within the highly regulated HIPAA environment. We will cover compliance frameworks, data decoupling strategies to fully utilize AWS, and best practices learned from the industry's most active cloud adopters.


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scott Paddock, AWS Security Solutions Architect; Matt Ferrari, ClearDATA Chief Technology Officer. November 28, 2016. HLC303: Embracing DevSecOps While Improving Your Compliance and Security Agility and Posture
  2. Agenda • DevOps to DevSecOps primer • Observed industry cloud techniques with AWS • Tools, processes and frameworks to assist • Example compliance workflows
  3. DevOps Toolchain (source: Wikipedia) • Plan: define and plan; business value, application requirements, security, compliance and metrics • Create: build, code and configuration • Verify: ensuring quality; acceptance, regression, security and compliance testing • Preprod: approval/certification, triggered releases, release staging and holding • Release: release coordination, promotion, scheduling, rollback and recovery • Configure: infrastructure and application • Monitor: process, application, infrastructure, security and compliance
  4. DevOps Principles • Collaborate with all stakeholders • Codify everything • Test everything • Automate everything • Measure and monitor everything • Deliver business value with continual feedback
  5. Drivers for DevSecOps. Embedding security into DevOps was not successful because… • Compliance checklists didn't take us far before we stopped scaling… • We couldn't keep up with deployments without automation… • Standard security operations did not work… • And we needed far more data than we expected to help the business make decisions… (Source: Intuit)
  6. DevSecOps: Security as Code. Establishing these principles… • Customer-focused mindset • Scale, scale, scale • Objective criteria • Proactive hunting • Continuous detection and response
  7. DevOps Toolchain (the same seven stages as slide 3, shown again after the DevSecOps principles)
  8. AWS HIPAA Eligible Services (prior to re:Invent 2016): Amazon EC2, Amazon EMR, Amazon Glacier, Amazon S3, Amazon DynamoDB, Amazon RDS (MySQL and Oracle), Amazon Redshift, Amazon EBS, Elastic Load Balancing, Amazon Snowball. Consult with compliance and security organizations before implementing.
  9. AWS HIPAA Eligible Services (prior to re:Invent 2016): the list on slide 8. Other AWS services (not on that eligible list): Amazon ECS, Amazon CloudWatch, AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, Amazon SQS, Amazon SNS, AWS Config, AWS Device Farm. Consult with compliance and security organizations before implementing.
  10. Observed industry cloud techniques with AWS
  11. Consult internally before implementing. The following slides are practices we have seen used in industry. Security and industry compliance decisions are the customer's to make, so before implementing please: • Consult your internal best practices • Consult your Cloud Center of Excellence • Consult your Information Security group • Consult your Compliance organization • Do your due diligence
  12. General Strategies (services shown: AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline) • Decouple protected/sensitive data from the processing or orchestration • Track where your protected/sensitive data flows • Do not check protected data into your source or artifact repository! • Use indirection when orchestrating your protected/sensitive data flow • Separate protected/sensitive and general workflows at logical boundaries. Consult with compliance and security organizations before implementing.
  13. Separate Virtual Private Cloud (VPC) Strategy (diagram): a PHI / Sensitive Data VPC holding Amazon EC2, Amazon EMR and Amazon S3 with PHI, and a General VPC holding Amazon EC2, AWS Directory Service and AWS Device Farm. Consult with compliance and security organizations before implementing.
  14. Indirection Strategy (diagram): claims PHI data is sent over HTTPS to an Inbound Data Store (S3); Amazon SQS / SNS sits between that store and the Data Processing System, so the processing side receives a notification rather than the PHI itself. Consult with compliance and security organizations before implementing.
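Slides 12 and 14 describe decoupling and indirection in prose and a diagram only. The following Python example is added here and is not code from the deck, from AWS or from ClearDATA. It models the indirection strategy: the PHI record lands in an inbound store, and the queue message that drives processing carries only a pointer and a digest. The S3 bucket and SQS queue are in-memory stand-ins (assumed; replace with boto3 clients), the claim record is constructed sample data, and PHI_FIELDS is an assumed set of field names used to guard the boundary on both producer and consumer sides.

```python
"""Indirection for PHI intake: the queue message carries a reference, never the record.

Added example (not from the deck). The S3 bucket and SQS queue are replaced by
in-memory stand-ins so it runs offline; swap in boto3 clients for the real
services. PHI_FIELDS is an assumed set of field names for this illustration.
"""
import hashlib
import json
import uuid

# Field names that identify PHI in a claim record (assumed for this example).
# A queue message carrying any of these has moved PHI outside the PHI boundary.
PHI_FIELDS = {"patient_name", "ssn", "dob", "diagnosis", "member_id"}

INBOUND_BUCKET = "phi-inbound"  # hypothetical bucket name


class InboundStore:
    """Stand-in for the inbound S3 bucket (assume SSE-KMS and a bucket policy in production)."""

    def __init__(self):
        self._objects = {}

    def put(self, key, body):
        self._objects[key] = bytes(body)

    def get(self, key):
        return self._objects[key]


def message_contains_phi(message):
    """Return True if any key in the (possibly nested) message is a PHI field."""
    if isinstance(message, dict):
        return any(str(k).lower() in PHI_FIELDS or message_contains_phi(v)
                   for k, v in message.items())
    if isinstance(message, list):
        return any(message_contains_phi(v) for v in message)
    return False


def publish_claim(store, queue, claim):
    """Producer: land the claim in the PHI store and enqueue only a pointer plus a digest."""
    body = json.dumps(claim, sort_keys=True).encode()
    key = "claims/inbound/%s.json" % uuid.uuid4()
    store.put(key, body)
    message = {
        "bucket": INBOUND_BUCKET,
        "key": key,
        "sha256": hashlib.sha256(body).hexdigest(),  # lets the consumer verify what it fetched
        "content_type": "application/json",
    }
    # Guard the boundary: refuse to publish if the message itself carries PHI.
    if message_contains_phi(message):
        raise ValueError("refusing to publish PHI on the notification channel")
    queue.append(message)
    return key


def process_queue(store, queue):
    """Consumer: dereference each pointer, verify integrity, return only non-PHI results."""
    results = []
    while queue:
        message = queue.pop(0)
        if message_contains_phi(message):  # same check on the consumer, in case of a bad producer
            raise ValueError("message carries PHI; dropping")
        body = store.get(message["key"])
        if hashlib.sha256(body).hexdigest() != message["sha256"]:
            raise ValueError("object %s does not match the published digest" % message["key"])
        claim = json.loads(body)
        # Only the pointer and a billing amount leave this function; no identifiers.
        results.append({"key": message["key"], "amount_cents": claim["amount_cents"]})
    return results
```

The digest in the message is what makes the pointer trustworthy: a consumer that fetches an object whose hash does not match what was published knows the object was replaced after the notification was sent and can refuse to process it.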
  15. A Deeper Dive: http://amzn.to/2cHDDuN
  16. ClearDATA: Healthcare Managed Cloud. Designed for today's healthcare environment. The premier company.
  17. Deployment Tools • Configuration management tools • Orchestration tools • Auditing and governance tools
  18. Security and Automation Objectives • No tight coupling to orchestration tools • Strong and secure audit trail • External managed services • Highly automated
  19. Rethinking the model: Observe, Orient, Decide, Act (OODA). Credits: Patrick Edwin Moran, https://commons.wikimedia.org/wiki/File:OODA.Boyd.svg
  20. Cross-account event flow (diagram). Customer Account: AWS Config, AWS CloudTrail, Amazon CloudWatch, Amazon SNS. Management Account: Amazon API Gateway, AWS Lambda, Amazon Kinesis. Plus AWS services account configuration.
  21. Event pipeline (diagram) with Amazon Kinesis Streams at the centre. Components shown: CloudTrail / CloudWatch Events, EC2 events, Sensu, CMDB, backups, vulnerability scanning, Slack, PagerDuty, ticketing, auditing / governance, alerting, SIEM, remediation, Amazon DynamoDB, Amazon Redshift.
  22. AWS Services Driving Security. Trusted Advisor: • Catches common account misconfigurations • Suggests cost reductions • Evaluates fault tolerance. CloudWatch: • Monitor performance of AWS resources • Aggregate and process log files (non-PHI) • Requires an instance profile or distributed credentials. AWS Config rules: • Constantly watch for account changes • Remediate in near real time • Incredibly flexible and extendable • AWS Lambda-based
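Slide 22 describes AWS Config rules as Lambda-based and remediating in near real time without showing one. The Python example below is added here and is not code from the deck, from AWS or from ClearDATA. It implements a custom Config rule Lambda that flags an EBS volume as NON_COMPLIANT when it is not encrypted, or not encrypted with the key named in an assumed rule parameter requiredKmsKeyId, and returns NOT_APPLICABLE for deleted resources (the case that makes naive rules error out). The event shape it parses is the one AWS Config delivers to a custom rule; sample_event builds a constructed event and the client is injectable so the logic runs offline.

```python
"""Custom AWS Config rule (Lambda) that flags EBS volumes not encrypted at rest.

Added example (not from the deck). Deploy as a change-triggered custom Config rule
scoped to AWS::EC2::Volume. The event shape parsed here is the one AWS Config
delivers to a custom rule's Lambda function. requiredKmsKeyId is an assumed rule
parameter for this example.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_volume(item, params):
    """Return (compliance_type, annotation) for one configuration item."""
    # Deleted or unrecorded resources must not be evaluated, or the rule errors out.
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return NOT_APPLICABLE, "resource no longer recorded"
    if item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "rule only evaluates EBS volumes"
    cfg = item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return NON_COMPLIANT, "volume is not encrypted"
    required = params.get("requiredKmsKeyId")
    if required and cfg.get("kmsKeyId") != required:
        return NON_COMPLIANT, "volume is not encrypted with required key " + required
    return COMPLIANT, "volume is encrypted at rest"


def build_evaluation(event):
    """Turn the Config invocation event into one PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_volume(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context, config_client=None):
    """Lambda entry point. config_client is injectable so the logic can be tested offline."""
    evaluation = build_evaluation(event)
    if config_client is None:
        import boto3  # only needed inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    # A NON_COMPLIANT result is the trigger for the near-real-time remediation
    # step (for example, notify via SNS and re-create the volume from an
    # encrypted snapshot); that step is outside this function.
    return evaluation


def sample_event(encrypted, kms_key_id=None, status="OK", params=None):
    """Constructed invocation event in the shape Config sends (sample data, not a real account)."""
    item = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": "vol-0123456789abcdef0",
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2016-11-28T18:00:00.000Z",
        "configuration": {
            "volumeId": "vol-0123456789abcdef0",
            "encrypted": encrypted,
            "kmsKeyId": kms_key_id,
        },
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps(params or {}),
        "resultToken": "example-result-token",
    }
```

The Lambda execution role needs config:PutEvaluations for this to report back; keeping the evaluation logic in a pure function (evaluate_volume) is what lets the rule be unit-tested against constructed configuration items before it ever runs in the account.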
  23. Emerging AWS-native Solutions
  24. Extending OODA Inside the Instance • Unobtrusive • Strong and secure audit trail • External managed services • Highly automated
  25. Dynamic Cloud Platform. AWS Environment: • Compute • Storage • Network. Cloud Operating Environment: • Hardened AMIs • Configuration management engine • Patch management • Managed backup and snapshots • Monitoring and alerts • Consolidated account info • Isolated dev and test environments. Security & Compliance: • Hardened encryption configuration • Key management • Intrusion detection system • Login and access tracking • Event log management • ClearDATA security appliance • VPNs / address translation • Anti-virus. 24/7 managed services delivered by AWS certified personnel; over 30 additional services automatically attached to AWS infrastructure.
  26. Security & Compliance Dashboard • First of its kind in the industry: service-based, real-time HIPAA compliance dashboard • At-a-glance system status plus trending over time • Detailed history available for attestation during audits. Continuous security and compliance monitoring mapped directly to HIPAA guidelines, delivered across cloud and private environments via an interactive dashboard and individual asset scorecards.
  27. Thank you!
  28. Remember to complete your evaluations!
