
From Obstacle to Advantage: The Changing Role of Security & Compliance in Your Organization - SID318 - re:Invent 2017


A surprising trend is starting to emerge among organizations that are progressing through the cloud maturity lifecycle: major improvements in revenue growth, customer satisfaction, and mission success are being directly attributed to improvements in security and compliance. Once thought of as speed bumps on the path to deployment, security and compliance are now seen as critical ingredients that help organizations differentiate their offerings in the market, win more deals, and achieve mission-critical goals faster. This session explores how organizations like Jive Software and the National Geospatial Agency use the Evident Security Platform, AWS, and AWS Quick Starts to automate security and compliance processes in their organization to accomplish more, do it faster, and deliver better results.

Session sponsored by Evident.io



  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. From Obstacle to Advantage: The Changing Role of Security & Compliance in Your Organization. John Martinez, VP Customer Success, Evident.io; Matt Willman, Principal Architect for FedRAMP, Jive Software. November 30, 2017. SID318
  2. Copyright © 2017, Evident.io, Inc. Introductions: John Martinez, VP Customer Success, Evident.io; Matt Willman, Principal Architect for FedRAMP, Jive Software
  3. Cloud Security is a Team Sport: SecOps, DevOps, Risk & Compliance, CISO, CIO/CFO/CEO. Success is achieved when everyone works together.
  4. Cloud Adoption Maturity: Where Are You?
     - Explore: CI/CD toolchain, CloudFormation templates, code analysis & review, pre/post-deploy testing
     - Implement: infrastructure testing & alerting, application logging, auto scaling, HIDS/NIDS, FIM, config management
     - Optimize: auto-remediation via AWS Lambda, automatic roll-back to a known good state, automatic failover to other regions
  5. Security Challenges by Role (slides 5-7 build this table one row at a time; the completed table is shown here):

     | Role       | Explore                         | Implement                           | Optimize                        |
     |------------|---------------------------------|-------------------------------------|---------------------------------|
     | SecOps     | Loss of control & visibility    | Automating monitoring & enforcement | Always behind / out-resourced   |
     | DevOps     | Don't know what they don't know | Automating workflows                | Adopting/creating new workflows |
     | Compliance | Don't know                      | Don't know                          | Don't know                      |

  6. Security Challenges by Role: same table, adding the DevOps row
  7. Security Challenges by Role: same table, adding the Compliance row
  8. What Should Be Occurring at Each Stage? (the three-stage list from slide 4: Explore, Implement, Optimize)
  9. What Should Be Occurring at Each Stage? Explore (CI/CD toolchain, CloudFormation templates, code analysis & review, pre/post-deploy testing):
     - Adapting policies, exploring tools
     - Adopting a security-first approach, learning what is available in AWS
     - Learning plans and impact of deployments, what is inherited from AWS
  10. Security by Design
      - AWS-recommended for proactive security in AWS
      - Provides a practical approach to creating your security controls matrix and enforcing those controls
      - Heavy on proactive automation with AWS CloudFormation
      https://aws.amazon.com/compliance/security-by-design/
  11. What Should Be Occurring at Each Stage? Implement (infrastructure testing & alerting, application logging, auto scaling, HIDS/NIDS, FIM, config management):
      - Automating security monitoring & assessment for full visibility
      - Developing processes to ensure best practices are followed
      - Performing periodic measurement to identify gaps in compliance
  12. Security Policy as Code

      Policy: Ensure the default security group restricts all traffic

      Description: A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.

      ```ruby
      # Evident ESP custom signature: one pass/fail result per default security group
      def perform(aws)
        aws.ec2.describe_security_groups.security_groups.each do |sg|
          group_name = sg[:group_name]
          if group_name == "default"
            group_id = sg[:group_id]
            set_data(group_id: group_id, group_name: group_name, sg: sg)
            # Compliant only when both the ingress and the egress rule lists are empty
            if sg[:ip_permissions].empty? && sg[:ip_permissions_egress].empty?
              pass(message: "Default security group '#{group_id}' restricts all traffic.", resource_id: group_id)
            else
              fail(message: "Default security group '#{group_id}' does not restrict all traffic.", resource_id: group_id)
            end
          end
        end
      end
      ```
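The same policy check, added here as an example rather than taken from the deck or from Evident's ESP: it evaluates a boto3-shaped `describe_security_groups()` response offline against constructed sample groups, so the pass/fail logic can be exercised without an AWS account. Group IDs and VPC IDs below are made up.

```python
def check_default_security_groups(security_groups):
    """One (group_id, status, message) per 'default' group, as the ESP signature
    does; a default group passes only when it has no ingress and no egress rules."""
    findings = []
    for sg in security_groups:
        if sg.get("GroupName") != "default":
            continue                     # non-default groups are out of scope
        group_id = sg["GroupId"]
        ingress = sg.get("IpPermissions", [])
        egress = sg.get("IpPermissionsEgress", [])
        if not ingress and not egress:
            findings.append((group_id, "pass",
                             f"Default security group '{group_id}' restricts all traffic."))
        else:
            findings.append((group_id, "fail",
                             f"Default security group '{group_id}' does not restrict all "
                             f"traffic ({len(ingress)} ingress, {len(egress)} egress rule(s))."))
    return findings


# Constructed sample shaped like boto3 ec2.describe_security_groups()["SecurityGroups"]:
# a locked-down default group, a default group still carrying the VPC's initial
# rules (intra-group ingress, allow-all egress), and a non-default group.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0000000000000aaaa", "GroupName": "default", "VpcId": "vpc-aaaa",
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0000000000000bbbb", "GroupName": "default", "VpcId": "vpc-bbbb",
     "IpPermissions": [{"IpProtocol": "-1",
                        "UserIdGroupPairs": [{"GroupId": "sg-0000000000000bbbb"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000000000000cccc", "GroupName": "web", "VpcId": "vpc-bbbb",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    for _, status, message in check_default_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{status.upper():4} {message}")
```

Against a live account, pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` in place of the sample list.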
  13. Do You Know Where You Stand?
  14. What Should Be Occurring at Each Stage? Optimize (auto-remediation via AWS Lambda, automatic roll-back to a known good state, automatic failover to other regions):
      - Automating enforcement of policy
      - Automating workflows to validate configuration before deployment
      - Compliance scorecard by month, week, or day
  15. Manage Security Continuously (cycle diagram): Deploy → Monitor → Test & Analyze → Alert → Dev → Apply Fixes → New Release → Deploy, repeated for each new release
  16. Even Better Way, Automate Enforcement (cycle diagram): Deploy → Monitor → Analyze → Remediate via AWS Lambda → Compliant → New Release → Deploy, repeated for each new release
  17. Remediate with AWS Lambda
  18. Policy Enforcement as Code

      Control: PCI DSS 3.2, Requirement 1.2.1, Restrict inbound and outbound traffic
      Description: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

      ```python
      import re

      # Inner loop of the remediation Lambda shown on the slide. The slide shows only the loop;
      # ec2 (a boto3 EC2 client), sg_id, the rule's ip_protocol/from_port/to_port/cidr_ip, and the
      # admin_port_list ("proto-port" strings) and global_cidr_list are supplied by the handler.
      def revoke_global_admin_rules(ec2, sg_id, ip_protocol, from_port, to_port, cidr_ip,
                                    admin_port_list, global_cidr_list):
          for admin_port in admin_port_list:
              proto = re.split('-', admin_port)[0]
              port = re.split('-', admin_port)[1]
              find_port = 'true' if from_port <= int(port) <= to_port else 'false'
              if cidr_ip in global_cidr_list and ip_protocol.lower() == proto and find_port == 'true':
                  try:
                      ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=[
                          {'IpProtocol': ip_protocol,
                           'FromPort': from_port,
                           'ToPort': to_port,
                           'IpRanges': [{'CidrIp': cidr_ip}]}   # boto3 key names
                      ])
                  except Exception as e:
                      error = str(e)
                      # an earlier iteration may already have removed the same rule
                      if 'rule does not exist' not in error:
                          print('=> Error: ', error)
                  else:
                      print("=> Revoked rule permitting %s/%d-%d with cidr %s from %s"
                            % (ip_protocol, from_port, to_port, cidr_ip, sg_id))
      ```
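The matching logic from that Lambda, pulled out as an added example (not the talk's code) into pure functions over a boto3-shaped security group, so the exact `IpPermissions` entries to revoke can be computed and checked offline before anything is changed. It goes slightly beyond the slide: an `-1` (all protocols) rule, which carries no port fields, is treated as exposing every admin port, IPv6 ranges are handled, and only the offending CIDR is removed from a rule that also lists private ranges. `ADMIN_PORTS`, `GLOBAL_CIDRS` and the sample group are assumed values.

```python
ADMIN_PORTS = ["tcp-22", "tcp-3389"]   # assumed admin_port_list ("proto-port")
GLOBAL_CIDRS = ["0.0.0.0/0", "::/0"]   # assumed global_cidr_list


def exposes_admin_port(rule, admin_ports=ADMIN_PORTS):
    """True if an ingress rule's protocol/port range covers an admin port."""
    proto = rule["IpProtocol"].lower()
    if proto == "-1":            # all protocols: AWS omits FromPort/ToPort
        return True
    for spec in admin_ports:
        spec_proto, spec_port = spec.split("-", 1)
        # a missing port field means every port for that protocol
        if proto == spec_proto and rule.get("FromPort", 0) <= int(spec_port) <= rule.get("ToPort", 65535):
            return True
    return False


def rules_to_revoke(sg, admin_ports=ADMIN_PORTS, global_cidrs=GLOBAL_CIDRS):
    """One IpPermissions entry per offending CIDR; other CIDRs on the rule stay."""
    out = []
    for rule in sg.get("IpPermissions", []):
        if not exposes_admin_port(rule, admin_ports):
            continue
        base = {k: rule[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in rule}
        for r in rule.get("IpRanges", []):
            if r["CidrIp"] in global_cidrs:
                out.append({**base, "IpRanges": [{"CidrIp": r["CidrIp"]}]})
        for r in rule.get("Ipv6Ranges", []):
            if r["CidrIpv6"] in global_cidrs:
                out.append({**base, "Ipv6Ranges": [{"CidrIpv6": r["CidrIpv6"]}]})
    return out


def remediate(revoke, sg, **kw):
    """Call revoke (e.g. boto3 ec2.revoke_security_group_ingress) once per entry."""
    revoked = rules_to_revoke(sg, **kw)
    for perm in revoked:
        revoke(GroupId=sg["GroupId"], IpPermissions=[perm])
    return revoked


# Constructed sample: SSH open to the world and to 10/8, HTTPS open to the
# world (not an admin port), and an all-protocols rule open to all of IPv6.
SAMPLE_SG = {"GroupId": "sg-0000000000000dddd", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]}
```

In a real handler, `remediate(ec2.revoke_security_group_ingress, sg)` applies the result; `rules_to_revoke(sg)` alone gives a dry run that can be logged or reviewed first.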
  19. ESP Dashboard (workflow diagram): ESP Dashboard → Alert → AWS Lambda: Fix Problem → ESP Updated → Compliant; Amazon SNS → Integrations: Find Problem / Open Ticket → Problem Resolved → Ticket Updated
  20. Common Pitfalls #1: Not involving policy makers in each step and as each project is deployed
  21. Common Pitfalls #2: Forgetting that incidents happen will derail your timelines
  22. Common Pitfalls #3: Treating the cloud exactly like your datacenter
  23. Common Pitfalls #4: "It's just an experiment": prototypes become permanent
  24. Common Pitfalls #5: Engineers who build solutions looking for problems
  25. Simplifying NIST 800-53 Compliance in GovCloud. "Jive Software selected the Evident Security Platform (ESP) as an automation tool to continuously monitor vulnerabilities in their AWS infrastructure, saving them time and money. Simple one-click compliance reports for CIS AWS Foundations Benchmark, PCI and NIST 800-53 provide on-going measurement and industry frameworks." Matt Willman, Principal Architect for FedRAMP, Jive Software
  26. Compliance in One Click
  27. BOOTH #2000
  28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. THANK YOU!
