
Building the Largest Repo for Serverless Compliance-as-Code - SID205 - re:Invent 2017


When you use the cloud to enable speed and agility, how do you know if you did it right? We are on a mission to help builders follow industry best practices within security guide rails by creating the largest compliance-as-code repo, available to all. Compliance-as-code is the idea of translating those best practices, guide rails, policies, or standards into codified unit tests. Apply this to your AWS environment to gain insight into what can or must be improved. Learn why compliance-as-code matters for gaining speed (by getting developers, architects, and security pros on the same page), how it is currently used (demo), and how to start using it or take part in building it.

  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT. Building the Largest Repo for Serverless Compliance-as-Code. Gilles Baillet – Standard Chartered Bank – Head, Cloud and DevOps Architecture; Jonathan Rault – AWS – Security Lead APJC, Professional Services; Prashant Prahlad – AWS – Sr. Manager Product Management. SID205, November 30, 2017
  2. Agenda • Introduction to compliance-as-code • Voice of the customer: Standard Chartered Bank • Personas, goals, challenges, and solutions • Your next three months
  3. Be Compliant, a.k.a. the state of meeting rules or standards
  4. Customer’s Point of View
  5. Customer’s Point of View: Checklist of control requirements
  6. Customer’s Point of View: Checklist of control requirements; Audit process
  7. Let’s Go Upstream! Organizational perspective: four steps to compliance
  8. Customer-facing Four Steps to Compliance: Analyze; Define and document; Checklist; Audit
  9. Customer’s Point of View: Checklist of control requirements; Audit process
  10. Customer’s Point of View: Spreadsheet; Audit process; InfoSec
  11. Customer’s Point of View: Spreadsheet; InfoSec; Auditor; Questionnaire; docs/screenshots
  12. Challenges: Expertise is not given to all; Time-consuming for everyone; Get-ready-for-the-audit mindset
  13. Be Compliant-as-Code, a.k.a. the state of meeting rules or standards via a programmatic test-driven approach
  14. Checklist; Audit
  15. Checklist; Codified Checklist; Audit
  16. Checklist; Codified Checklist; Audit; Continuous Visibility
  17. Customer-facing Four Steps to Compliance: Analyze; Define and document; Checklist; Audit
  18. Five Steps to Compliance with Code (customer-facing): Analyze; Define and document; Checklist; Continuous Visibility; Codified Checklist
  19. Benefits: Scale consistently to all customers; Focus time and resources on value; Part of day-to-day
  20. Everything-as-Code. Gilles Baillet, Head, Cloud and DevOps Architecture
  21. A Global Bank
  22. Increasingly, Banking is Technology
  23. “We are embarking on a journey to shape the future of banking while creating a culture of innovation, efficiency and automation. We are introducing global platforms, machine learning and bringing forth intelligent technology. We want to lead this change and not be led by it.” Michael Gorriz, Group Chief Information Officer
  24. SCB Early Adopter Program
  25. 5 applications in Production on AWS
  26. Our Cloud Foundational Principles
  27. Our Cloud Foundational Principles: Customer first
  28. Our Cloud Foundational Principles: Learn from others
  29. Our Cloud Foundational Principles: Start simple and build the complexity on top
  30. Our Cloud Foundational Principles: Gall’s Law. “A complex system that works is invariably found to have evolved from a simple system that worked. A complex system designed from scratch never works and cannot be patched up to make it work. You have to start over with a working simple system.” - John Gall -
  31. Our Cloud Foundational Principles: Native capabilities with reversibility in mind
  32. Our Cloud Foundational Principles: Involve DevOps early
  33. Our Cloud Foundational Principles: Security and compliance from Day 1
  34. Our Use Cases
  35. Use Case 1: Compliance-as-Code for storing customer data. § Changes tracked via AWS CloudTrail. § AWS Config: o Data encrypted at rest using KMS; o No public access to S3 buckets; o Principle of Least Privilege enforced. § Extensible
  36. Use Case 2: Compliance-as-Code for Internet access. § Changes tracked via AWS CloudTrail. § AWS Config: o Data encrypted in transit using SSL; o Inbound access enforced via our Content Delivery Network; o Running Amazon Machine Image (AMI) up to date. § Extensible
  37. Use Case 3: Compliance-as-code for trusting compliance-as-code. Inception phase!
  38. What’s next?
  39. As code!
  40. Thank you!
  41. Building the Largest Repo of Compliance-as-Code
  42. Five Steps to Compliance with Code: Analyze; Define and document; Checklist; Continuous visibility; Codified checklist
  43. Six Steps to Compliance with Code: Analyze; Define and document; Checklist; Continuous visibility; Codified checklist; Operate and integrate
  44. Six Steps to Compliance with Code: Analyze; Define and document; Checklist; Continuous visibility; Codified checklist; Operate and integrate (the last four form the compliance-as-code part)
  45. Input/Output of Compliance-as-Code: Checklist; Continuous visibility; Codified checklist; Operate and integrate (compliance-as-code)
  46. Input/Output of Compliance-as-Code: Checklist; Continuous visibility; Codified checklist; Operate and integrate (compliance-as-code)
  47. Input/Output of Compliance-as-Code: Checklist; Continuous visibility; Codified checklist; Operate and integrate (compliance-as-code). Personas: Joe Sec, Toby Dev, Greg Ops, Mike App, Tim Audit
  48. Meet Joe Sec: Acronym addict (CIS, GxP, TLS, etc.); Has many obscure security certifications; Got the super-power of “not approved by compliance”; Ultimately responsible for security!
  49. Meet Joe Sec. Challenges: Needs to do the heavy lifting; Works harder, not smarter, because of inflexible tools and too many escalations. Goals: Help app owners do the right thing; Be out of the critical path
  50. Meet Joe Sec: Solutions (3)
  51. Meet Joe Sec, Solution 1: Training is available to get up to speed • AWS re:Invent and videos • Online and on-site • Certifications. AWS Security Fundamentals (3-hour online): https://aws.amazon.com/training/course-descriptions/security-fundamentals/
  52. Meet Joe Sec, Solution 2: AWS Config is available in all AWS regions • Continuously monitor configurations • Record configuration changes. AWS Config: https://aws.amazon.com/config/
  53. AWS Config – Resource inventory (slides 53–56)
  57. AWS Config – Resource details (slides 57–59)
  60. Meet Joe Sec, Solution 3: Best practices are available • AWS re:Invent and videos • Two CIS Benchmarks for AWS • AWS Whitepapers. CIS: https://aws.amazon.com/blogs/security/tag/cis-aws-foundations-benchmark/
  61. From Policy to Dev-Readable Requirements. Define the use case and test cases for test-driven security:
      # Check that CloudTrail trails are encrypted, optionally with K key.
      # Input parameter (optional): K – AWS KMS Customer Master Key ARN (overrides the default of “None”)
      # Description:
      # Returns COMPLIANT if CloudTrail is encrypted and K is not specified
      # Returns COMPLIANT if CloudTrail is encrypted with K and K is specified
      # Returns NON-COMPLIANT if CloudTrail is encrypted, CloudTrail is not encrypted with K and K is specified
      # Returns NON-COMPLIANT if CloudTrail is not encrypted
  62. Writing Test Cases 101: 1. Cover all permutations of inputs 2. Keep distinct coverage in the test cases 3. Remember that a human needs to fix it (at first) 4. A reasoning approach is the future, and the future is now
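The CloudTrail-encryption requirement from slide 61 and the test-case rules from slide 62, worked through as an added example (this is not code from the deck or from the awslabs repositories). Trail records are constructed to resemble the TrailList entries returned by CloudTrail DescribeTrails, where KmsKeyId carries the KMS key ARN and is absent for an unencrypted trail; the evaluation records follow the shape AWS Config's PutEvaluations expects but are not sent anywhere; all function names and key ARNs are hypothetical.

```python
"""Slide 61's rule as a pure evaluation function plus the permutation table
slide 62 asks for. Trail dicts are constructed to look like CloudTrail
DescribeTrails output (KmsKeyId present only when SSE-KMS is on).
Function names, trail names and key ARNs are hypothetical placeholders."""
from datetime import datetime, timezone
from typing import Optional

# AWS Config spells the verdict with an underscore; the slide writes NON-COMPLIANT.
COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

def evaluate_trail(trail: dict, k: Optional[str] = None) -> str:
    """Apply the four return rules from slide 61 to one trail record."""
    key_in_use = trail.get("KmsKeyId") or None      # missing and '' both mean unencrypted
    if key_in_use is None:
        return NON_COMPLIANT        # not encrypted at all, regardless of K
    if k is None:
        return COMPLIANT            # encrypted, and no particular key was required
    return COMPLIANT if key_in_use == k else NON_COMPLIANT   # encrypted, but not with K

def build_evaluations(trails, k=None, timestamp=None):
    """Turn verdicts into Evaluation records in the shape AWS Config's
    PutEvaluations expects (a Lambda-backed rule would hand these to boto3)."""
    ts = timestamp or datetime.now(timezone.utc)
    return [{
        "ComplianceResourceType": "AWS::CloudTrail::Trail",
        "ComplianceResourceId": t["Name"],
        "ComplianceType": evaluate_trail(t, k),
        "OrderingTimestamp": ts,
    } for t in trails]

# Constructed placeholder ARNs; a deployed rule reads K from its rule parameters.
EXPECTED_KEY = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-EXPECTED-KEY"
OTHER_KEY = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-OTHER-KEY"

# Permutation table (slide 62, rule 1): each combination of "encrypted?",
# "with K?" and "K specified?" appears once, so coverage stays distinct (rule 2).
TEST_CASES = [
    ("encrypted, K not specified",            {"KmsKeyId": EXPECTED_KEY}, None,         COMPLIANT),
    ("encrypted with K, K specified",          {"KmsKeyId": EXPECTED_KEY}, EXPECTED_KEY, COMPLIANT),
    ("encrypted with other key, K specified",  {"KmsKeyId": OTHER_KEY},    EXPECTED_KEY, NON_COMPLIANT),
    ("not encrypted, K not specified",         {},                         None,         NON_COMPLIANT),
    ("not encrypted, K specified",             {},                         EXPECTED_KEY, NON_COMPLIANT),
]

def run_test_cases():
    """Return {label: passed}, naming the failing permutation for the human
    who has to fix it (slide 62, rule 3)."""
    return {label: evaluate_trail(trail, k) == expected
            for label, trail, k, expected in TEST_CASES}

if __name__ == "__main__":
    for label, ok in run_test_cases().items():
        print(f"{'PASS' if ok else 'FAIL'}  {label}")
```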
  63. Meet Toby Dev: Hoodies, headphones, espresso, craft breweries; Knows 20 programming languages with two years of experience in each (according to his resume); Known for not liking meetings; Ultimately responsible for delivering code!
  64. Meet Toby Dev. Challenges: Not knowledgeable about security; Often struggles with imprecise requirements; Feels the need to reinvent the wheel too often; Lots of console work and/or home-baked scripts. Goals: Freedom to be creative; Wants impact (and recognition) by writing awesome code
  65. Meet Toby Dev: Solutions (2)
  66. Meet Toby Dev, Solution 1: 70+ compliance-as-code rules already available • Cover several common controls • Include test cases • Verified by the community and AWS • Integrate with AWS Config. AWS Managed Config Rules; custom rules: https://github.com/awslabs/aws-config-rules
  67. Meet Toby Dev, Solution 2: NEW – Rule Development Kit • Initiate your dev environment locally • Initiate your dev environment in AWS • Deploy the rule and test from your IDE. Rule Development Kit: https://pypi.python.org/pypi/rdk
  68. Meet Greg “Ninja” Ops: Likes Michelin-starred restaurants; Affected by phantom vibration syndrome; Perceived like Dad: old-fashioned, but the first person you call in case of emergency; Ultimately responsible for stability!
  69. Meet Greg “Ninja” Ops. Challenges: Running more servers means more workload; Not used to automation, can adapt but not build from scratch. Goals: More is less – including being paged at 3 a.m.
  70. Meet Greg “Ninja” Ops: Solutions (2)
  71. Meet Greg “Ninja” Ops, Solution 1: Run on serverless with AWS Lambda • Event-driven • Automated administration • Integrated security model • Bring your own code. AWS Lambda: https://aws.amazon.com/lambda/details/
  72. Meet Greg “Ninja” Ops, Solution 2: NEW – Compliance-as-code engine available • Multi-account • 1-step deployment • Serverless • Code securely located in a segregated and dedicated AWS account. GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
  73. Finally, meet Mike App and Tim Audit. Mike App – Challenges: Has to deal with checklists and meetings with the Sec team; Lacks clear guidance to move forward. Goals: Wants to go to prod ASAP. Tim Audit – Challenges: Seen more as the policeman; Must ask to get the information. Goals: Be a trusted advisor on doing the right thing
  74. Meet Mike App and Tim Audit: Solutions (2). NEW – Compliance-as-code engine available • Multi-account, 1-step deployment, serverless, securely segregated code • Can be integrated into the DevOps pipeline • Dashboard with actionable insights • Stores all historical compliance status/changes • Dashboard for compliance-as-code analytics. GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
  75. Demo: Compliance-as-code Engine 1. Dashboard for compliance-as-code analytics 2. One-step deployment in a new application account 3. Dashboard for the application owner to gain insights
  76. Cloud Adoption Framework – Security. CAF Security perspective – guidance and process for your security, specific to AWS: https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf. New – Compliance-as-code RuleSet from the CAF Security recommendations. GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
  77. Workbook for PCI Compliance in AWS. PCI Qualified Security Assessor Company (QSAC) Workbook – partner with AWS on a workbook for PCI compliance in the AWS Cloud. Link: https://d1.awsstatic.com/whitepapers/compliance/AWS_Anitian_Workbook_PCI_Cloud_Compliance.pdf. New – Compliance-as-code RuleSet from the workbook’s recommendations. GitHub: https://github.com/awslabs/aws-config-engine-for-compliance-as-code
  78. In conclusion…
  79. Five Key Learnings 1. Get a dedicated security member as part of the cloud team 2. Iterate on controls and provide solutions to your customers 3. Treat edge cases carefully 4. Devs like to have clear goals; stand up all together 5. Start with cloud-native tools first
  80. Getting Started: Next Three Months. Sprint 1 (two weeks): Stand up together at least twice a week (Dev-Sec-Ops); Demonstrate visibility by POCing the engine with one available RuleSet; Get buy-in from the account owners. Sprint 2: Deploy the engine in all your accounts; Select three relevant controls to be fixed, listen to feedback. Sprint 3: Select three more controls to be fixed, listen to feedback; Start documenting your security baseline iteratively. Sprint 4: Select three more controls to be fixed, listen to feedback; Train your devs on the RDK. Sprint 5: Select the one control you know is hard; Build first exec metrics. Sprint 6 (finish): Communicate the results broadly. Empower. Plan your next three months
  81. Thank you! Please fill out your survey
