
Governance at Scale


Governance at Scale Dublin Loft



  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Greg Share, Solutions Architect. April 12th, 2018. Governance @ Scale: Compliance Automation at AWS
  2. Why are we here?
  3. Common governance questions
     • How do I determine the current state of all cloud users and their access rights across the enterprise?
     • How do I ensure adherence to IT budgets in a pay-per-use model?
     • How do I ensure deployments and operations are compliant with relevant legal, regulatory, and/or contractual policies?
     • How do I ensure security posture is enforced across accounts and workloads?
     • WITHOUT REDUCING THE AGILITY OF THE CLOUD
  4. Typical enterprise AWS adoption
     • In highly federated organizations, AWS adoption flows from the bottom up
     • In parallel, central IT often begins mirroring the on-premises architecture in AWS
     • Governance approach should:
       • Meet organizational requirements
       • Scale
       • Allow direct use of approved AWS services and APIs
     (Diagram: top-down adoption vs. bottom-up adoption)
  5. Tradeoffs in AWS adoption approaches
     Minimally encumbered AWS accounts
     • Complete power of the AWS platform; every feature available immediately
     • Requires building or buying a solution that can manage many AWS accounts
     • Account provisioning and budget enforcement @scale can be automated
     • Uniform security controls and operations
     Service catalog/cloud broker approach
     • Prescribes limited access to the AWS platform based on catalog templates or via middleware
     • Suitable for meeting common requirements of less-technical internal users
     • Doesn’t allow developers to access cloud APIs
     • Doesn’t provide enough value or flexibility in large enterprises
  6. What’s your challenge as AWS adoption grows?
     (Diagram: Stage 1, specific systems, limited accounts, minimal services, shown as a few project AWS accounts using Amazon S3, Amazon EC2 and Amazon RDS; Stage 2, numerous systems, multiple accounts, many services, shown as many project AWS accounts using Amazon S3, Amazon EC2, Amazon VPC, Amazon EMR, Amazon Kinesis, Amazon Redshift, Amazon API Gateway, Amazon SQS, Amazon WorkSpaces, Amazon ECS, AWS Lambda and AWS Elastic Beanstalk)
  7. Governance is not “one size fits all”
     Higher-impact workloads are more likely to be managed by central or departmental IT groups and will have more security controls. Lower-impact workloads still have basic security controls, but can be issued freely to end users for test, development, or low-impact research and production workloads.
     (Chart: workloads plotted on two axes, Availability and Confidentiality, each ranging from Low to High)
  8. Three principles of governance@scale
     Account management
     • Standardize and streamline provisioning, maintenance, and access control policies for many AWS accounts and workloads
     Cost enforcement
     • Ensure AWS accounts and workloads do not exceed budget
     Compliance automation
     • Provide continuous monitoring, configuration management, and enforce security controls
  9. So…what does this look like?
     (Diagram: organizational chart with tiers Projects, Management, Upper Management, Senior Leadership and Executive, populated by Managers, Directors, VPs and a CXO; Projects 1, 2, 3, 5, 6, 7 and 8 sit at the bottom, each annotated with its spend in $)
  10. How you get this security visibility
     (Diagram: the same organizational chart, with Data Analysts at the project and management tiers and a per-project compliance figure, P1 through P8, reported upward as percentages such as 25%, 0%, 75%, 0%, 35% and 65%)
  11. Account management @scale
     • Use a consolidated admin AWS account
       • AWS Identity & Access Management (IAM) users live in this account
       • IAM users assume roles to access other AWS accounts
       • Enforce MFA for role assumption
     • Automate AWS account provisioning
       • Eliminate slow, error-prone manual provisioning
       • Ensure AWS accounts are actively managed
       • Discourages users from using other methods (personal, school, etc.) for AWS experimentation
     • Implement “single sign-on” through federation
     • Use enterprise accelerators as a starting point
       • Policy assignment to IAM users/groups/roles
       • Consolidated admin baseline
       • Target account baseline
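The consolidated-admin pattern on this slide hinges on the trust policy of every role in a target account: it must name only the admin account as principal and must require MFA on `sts:AssumeRole`. The following added example, which is not code from the slide deck or from AWS, generates such a trust policy and audits an arbitrary trust policy against that baseline (the account ID, role names and the non-compliant sample policy are constructed placeholders).

```python
"""Constructed example: MFA-enforced cross-account trust policy and a baseline
audit for role trust policies in target accounts. Not AWS or deck code."""
import json

ADMIN_ACCOUNT_ID = "111111111111"  # constructed placeholder account ID


def mfa_trust_policy(admin_account_id: str) -> dict:
    """Trust policy for a role in a target account: only principals from the
    consolidated admin account may assume it, and only when MFA is present."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{admin_account_id}:root"},
            "Action": "sts:AssumeRole",
            # Bool (not BoolIfExists): the key is absent for long-term access
            # keys, so BoolIfExists would let a non-MFA IAM user assume the role.
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict, admin_account_id: str) -> list:
    """Return baseline violations found in a trust policy (empty list = compliant)."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        # Principal may be the string "*" or a map such as {"AWS": [...]}
        aws_principals = _as_list(principal) if isinstance(principal, str) \
            else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*" or f":{admin_account_id}:" not in p:
                findings.append(f"statement {i}: principal {p} is outside the admin account")
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent", "")
        if str(mfa).lower() != "true":
            findings.append(f"statement {i}: MFA is not required for sts:AssumeRole")
    return findings


# Constructed non-compliant sample: world-assumable and no MFA condition.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                  "Action": "sts:AssumeRole"},
}


def audit_sample() -> dict:
    """Audit both the generated baseline policy and the constructed bad one."""
    return {
        "admin-role": trust_policy_findings(mfa_trust_policy(ADMIN_ACCOUNT_ID), ADMIN_ACCOUNT_ID),
        "legacy-role": trust_policy_findings(OPEN_TRUST_POLICY, ADMIN_ACCOUNT_ID),
    }


if __name__ == "__main__":
    print(json.dumps(mfa_trust_policy(ADMIN_ACCOUNT_ID), indent=2))
    print(json.dumps(audit_sample(), indent=2))
```

In a real baseline the audit function would be fed the `AssumeRolePolicyDocument` of every role listed by `iam:ListRoles` in each target account; here the inputs are embedded so the check runs offline.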
  12. Consolidated Admin AWS Account
     (Diagram: the consolidated admin AWS account holds the IAM users, an IAM users stack and a security baseline stack, and automates provisioning of target accounts; each Target AWS Account contains an admin role, a billing role, a read-only role and a baseline stack)
  13. Key configuration points to baseline accounts
     • AWS CloudFormation: leverage Enterprise Accelerator Compliance “Quick Starts”
     • Amazon CloudWatch, AWS Config, Config Rules, AWS CloudTrail, CloudWatch Events
     • Manual configuration: root MFA, alternate contacts, security questions
     • IAM: managed policies, roles
     • Amazon VPC: VPC peering, flow logs
  14. Cost enforcement @scale
     • Use automation to map AWS accounts to the org. structure
       • Aligns with the current budget process and cost alignments
     • Use automation for cost management/enforcement
       • Give decision makers actual spend vs. budget projections
       • Allow management to increase budgets
       • Turn off resources to preserve budget
       • Use dynamic IAM policies to throttle usage when budget thresholds are met
     • Provide near-real-time budget projections so stakeholders are aware of current AWS spend
  15. Cost enforcement @scale
     (Diagram: the organizational chart from slide 9, with each project and management node annotated with its relative spend in $ to $$$$$$)
  16. Cost enforcement @scale: metering
     No alerts, no charge. The smart agent won’t alert or charge when instances are turned off to save money. Seamlessly get logs and continue providing protection when instances are turned back on.
     (Diagram: instances toggled OFF and ON)
  17. Compliance automation @scale
     • Pre-approve standard security configurations to decrease RMF efforts up to 50% and achieve faster ATOs (days vs. months/years)
     • Automate deployment of accounts consistent with security policies (NIST/HIPAA)
     • Installing instance-level account and security tools via Security Tools
     • Pre-populate GRC tools with inherited and system-specific controls (e.g. Telos Xacta)
     • Perform continuous monitoring with GRC tools and alert security staff of configuration drift and/or vulnerabilities
     • Send all AWS account log files to a centralized data lake for security analysis
  18. Compliance automation @scale
     (Diagram: the organizational chart from slide 9, Projects through Executive, Projects 1, 2, 3, 5, 6, 7 and 8)
  19. Security automation @ scale
     Recommendation scan: policy tailored to governance and workload, deployed with repeatable generic code
  20. Security automation @scale
     Implement policies dynamically at runtime based on workload tags.
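Slides 14 and 20 describe two sides of the same mechanism: IAM policies scoped by workload tags, regenerated when a project's spend crosses a budget threshold. The added example below, which is not code from the slide deck or from AWS, builds such a policy and includes a deliberately simplified evaluator (explicit deny wins, `StringEquals` only, `${aws:PrincipalTag/...}` variable resolution) so the effect can be checked offline. Project names, spend figures and the `threshold` parameter are constructed assumptions.

```python
"""Constructed example: tag-scoped IAM policy that tightens when a project's
budget threshold is reached, with a simplified policy evaluator. Not AWS code."""
import json

# Actions a project team normally needs; tightened set when over budget.
DAY_TO_DAY = ["ec2:RunInstances", "ec2:StartInstances",
              "ec2:StopInstances", "ec2:TerminateInstances"]
THROTTLED = ["ec2:RunInstances", "ec2:StartInstances"]


def project_policy(project: str, spend: float, budget: float,
                   threshold: float = 0.9) -> dict:
    """Policy for one workload. Access is granted only on resources whose
    Project tag matches the caller's Project tag (ABAC); once spend reaches
    threshold * budget, launching/starting is denied while stopping still works,
    so teams can still turn resources off to preserve budget."""
    statements = [{
        "Sid": "ProjectScopedAccess",
        "Effect": "Allow",
        "Action": DAY_TO_DAY,
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}},
    }]
    if spend >= threshold * budget:
        statements.append({
            "Sid": "BudgetThrottle",
            "Effect": "Deny",
            "Action": THROTTLED,
            "Resource": "*",
            # Simplification: a production policy would use aws:RequestTag for
            # tags supplied at launch (RunInstances) and aws:ResourceTag for Start.
            "Condition": {"StringEquals": {"aws:ResourceTag/Project": project}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _resolve(value: str, ctx: dict):
    """Resolve a ${key} policy variable against the request context."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _matches(st: dict, action: str, ctx: dict) -> bool:
    actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
    if action not in actions and "*" not in actions:
        return False
    for key, want in st.get("Condition", {}).get("StringEquals", {}).items():
        have = ctx.get(key)
        # A missing context key never satisfies StringEquals.
        if have is None or have != _resolve(want, ctx):
            return False
    return True


def is_allowed(policy: dict, action: str, ctx: dict) -> bool:
    """Simplified IAM evaluation: any matching Deny wins, else need a matching Allow."""
    matched = [st for st in policy["Statement"] if _matches(st, action, ctx)]
    if any(st["Effect"] == "Deny" for st in matched):
        return False
    return any(st["Effect"] == "Allow" for st in matched)


if __name__ == "__main__":
    # Constructed request context: a Project 1 engineer acting on a Project 1 instance.
    ctx = {"aws:PrincipalTag/Project": "project-1", "aws:ResourceTag/Project": "project-1"}
    for spend in (500.0, 950.0):
        pol = project_policy("project-1", spend, budget=1000.0)
        print(f"spend={spend}: run={is_allowed(pol, 'ec2:RunInstances', ctx)} "
              f"stop={is_allowed(pol, 'ec2:StopInstances', ctx)}")
    print(json.dumps(project_policy("project-1", 950.0, 1000.0), indent=2))
```

The evaluator is intentionally narrow (it ignores resource ARNs, NotAction, other condition operators and policy types beyond identity policies); its purpose is to show why the budget throttle is a Deny rather than the removal of an Allow, and why the ABAC condition must fail closed when the Project tag is missing.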
  21. Where do I go from here?
     • Build or buy a governance@scale solution that can grow with you.
     • Professional Services can help facilitate the design and help you build a solution based on your requirements.
     • Partner Solutions are available (CloudTamer by Stratus Solutions)
     • Incorporate and automate security and operations management tools into infrastructure provisioning
       • If you can’t automate third-party products with AWS, then they aren’t built for AWS
     • Security needs to have parity for enabling visibility for this governance model
  22. Thank You. Greg Share, gshare@amazon.co.uk
