
How Zocdoc Achieved Security and Compliance at Scale With Infrastructure as Code - SID327 - re:Invent 2017


In less than 12 months, Zocdoc became a cloud-first organization, diversifying their tech stack and liberating data to help drive rapid product innovation. Brian Lozada, CISO at Zocdoc, and Zhen Wang, Director of Engineering, provide an overview of how their teams recognized that infrastructure as code was the most effective approach for their security policies to scale across their AWS infrastructure. They leveraged tools such as AWS CloudFormation, hardened AMIs, and hardened containers. The use of DevSecOps within Zocdoc has enhanced data protection with the use of AWS services such as AWS KMS and AWS CloudHSM and auditing capabilities, and event-based policy enforcement with Amazon Elasticsearch Service and Amazon CloudWatch, all built on top of AWS.



  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT. How Zocdoc Achieved Security and Compliance at Scale With Infrastructure as Code. Brian Lozada, CISO, Zocdoc, Inc; Zhen Wang, Head of Infrastructure, Zocdoc, Inc; Steve Boltuch, Sr Solutions Architect, AWS. SID327, November 30, 2017
  2. (image, courtesy CNBC)
  3. We Started by Solving the Access Problem
      • Average wait time (U.S.): 24 days
      • The hidden supply of care: 30% unbooked, cancelled or rescheduled
  4. Zocdoc Brings Marketplace Efficiencies to Healthcare
      • From 24 days to 24 hours for healthcare
  5. Building Our Supply of Care Since 2007
      • 2007: Private medical practices
      • 2015: Larger health systems
      • 2016: Zocdoc 2.0
  6. Zocdoc Amazon Web Services (AWS) Goals
      • Scale horizontally
      • Diversify tech stack
      • Open source
      • Data liberation
      • Elevate security
  7. Zocdoc 2.0 …in less than 12 months
      • 2016: Zocdoc 2.0
      • 2017: ALL IN
  8. Typical Security Concerns
      • Maintaining compliance
      • Shared responsibility model
      • Maintain visibility
      • Access control
      • Encryption & key management
      • Logging & monitoring
      • Incident response
  9. Maintaining Compliance
  10. Shared Responsibility
  11. Alliances
  12. Alliance with AWS
      • Business enablement
      • Technical enablement
  13. Alliance within Zocdoc (image from gettyimages)
  14. Easier with AWS
      • Access control
      • Maintain visibility
      • Encryption & key management
      • Logging & monitoring
      • Incident response
  15. Maintaining Visibility & Control with Agility
      • Visibility of critical data
      • Scope reduction
      • Enhanced alerting
      • Standardized configurations
  16. Infrastructure Hardening
      • Hardened AMIs
      • Packer
      • Logging agents
      • Host based intrusion detection
      • Antivirus
      • Hardened containers using Docker
  17. Infrastructure as Code
  18. Access Control (image from shutterstock)
      • Granular controls
      • Default minimal privilege
      • Visibility for administrative activities
      • Maintaining authentication tokens
  19. VPC Segmentation
  20. Access Management
  21. Policy Control and Maintenance
      • Enforced MFA for users
      • No public endpoints
      • Encryption checks
  22. Encryption & Key Management
      • Data protection
      • Maintain end-to-end encryption
      • Centralize key management
      • Maintain appropriate key rotation controls
      • Restricted access to keys
  23. Data Security at Rest
      • Segment keys across AWS services
      • Encrypted Amazon S3 buckets
      • Encrypted EBS volumes
  24. Enhanced Logging & Monitoring (image from verisign)
      • DDoS protection and front end alerting
      • Detective controls
      • Centralized logging
      • Office to cloud environment visibility
  25. Protecting Ourselves
      • Metrics monitoring
      • Application layer firewalls in offices
      • Vulnerability scanning
      • DDoS protection and WAF
      • Data visibility
      • SIEM
  26. Incident Response & Disaster Recovery
      • Incident response >= existing response SLA
      • Maintain pen test and tabletop exercise capabilities
      • Environment resiliency >= existing recovery SLA
  27. Responding to Incidents
      • Active disaster recovery site
      • Remediating penetration test issues as high priority
      • Collaborative tabletop exercises
      • Encrypted offsite backups across Amazon S3 regions
  28. Failover Mechanism (diagram: Part 1, Part 2, Part 3)
  29. Zocdoc AWS Goals
      • Scale horizontally
      • Diversify tech stack
      • Open source
      • Data liberation
      • Elevate security
  30. Security Key Takeaways
      • Available security controls
      • Simplified security and compliance
      • Enhanced visibility and control
      • Faster security recovery and delivery
      Get yourself a squad (image courtesy HBO)
  31. join@zocdoc.com
  32. Thank you!
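Slides 21 and 23 name the controls ("No public endpoints", "Encryption checks", encrypted S3 buckets and EBS volumes) but not how they are enforced against CloudFormation templates. The following is an added example, not code from the talk or from Zocdoc's tooling, showing one way to express those controls as policy-as-code checks over a template that has already been loaded as a Python dict (the JSON form of CloudFormation). The sample template, resource names, and the exact rule set are constructed for illustration; the property names (`BucketEncryption`, `Encrypted`, `SecurityGroupIngress`, `PubliclyAccessible`, `StorageEncrypted`) are the real CloudFormation properties.

```python
"""Policy-as-code checks for a CloudFormation template (added example, not from the talk).

Assumptions: the template is supplied as a dict in CloudFormation's JSON form,
and the four rules below stand in for the deck's "Encryption checks" and
"No public endpoints" controls. Findings are returned so a pipeline step can
fail the deploy when the list is non-empty.
"""
import json

# Constructed sample template: two compliant resources and four that violate a rule.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "GoodBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": "alias/example-key"}}
          ]
        }
      }
    },
    "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "GoodVolume": {"Type": "AWS::EC2::Volume",
                   "Properties": {"AvailabilityZone": "us-east-1a", "Size": 20, "Encrypted": true}},
    "PlainVolume": {"Type": "AWS::EC2::Volume",
                    "Properties": {"AvailabilityZone": "us-east-1a", "Size": 20}},
    "OpenSsh": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "constructed example",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}
        ]
      }
    },
    "PublicDb": {"Type": "AWS::RDS::DBInstance",
                 "Properties": {"DBInstanceClass": "db.t3.micro", "Engine": "postgres",
                                "PubliclyAccessible": true, "StorageEncrypted": false}}
  }
}
""")

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def check_s3_encryption(name, props):
    """Bucket must declare a default server-side encryption algorithm."""
    rules = (props.get("BucketEncryption") or {}).get("ServerSideEncryptionConfiguration") or []
    algos = {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        return [f"{name}: S3 bucket has no default server-side encryption"]
    return []


def check_ebs_encryption(name, props):
    """Volume must be explicitly encrypted (absent property counts as a failure)."""
    if props.get("Encrypted") is not True:
        return [f"{name}: EBS volume is not encrypted"]
    return []


def check_public_ingress(name, props):
    """Flag any ingress rule whose source is the whole IPv4 or IPv6 internet."""
    findings = []
    for rule in props.get("SecurityGroupIngress") or []:
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr in PUBLIC_CIDRS:
            findings.append(
                f"{name}: ingress {rule.get('IpProtocol')} "
                f"{rule.get('FromPort')}-{rule.get('ToPort')} open to {cidr}"
            )
    return findings


def check_rds(name, props):
    """Database must be private and have encrypted storage."""
    findings = []
    if props.get("PubliclyAccessible") is True:
        findings.append(f"{name}: RDS instance is publicly accessible")
    if props.get("StorageEncrypted") is not True:
        findings.append(f"{name}: RDS storage is not encrypted")
    return findings


# Resource type -> check function; unknown types are ignored.
CHECKS = {
    "AWS::S3::Bucket": check_s3_encryption,
    "AWS::EC2::Volume": check_ebs_encryption,
    "AWS::EC2::SecurityGroup": check_public_ingress,
    "AWS::RDS::DBInstance": check_rds,
}


def check_template(template):
    """Run every applicable check over the Resources section; return all findings."""
    findings = []
    for name, res in (template.get("Resources") or {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties") or {}))
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print("FAIL", finding)
```

Run against the constructed template, the checker reports five findings (the unencrypted bucket and volume, the SSH rule open to 0.0.0.0/0, and both problems on the database) while the two compliant resources pass; wiring the same function into a pre-deploy pipeline step is the "standardized configurations" control from slide 15 applied before anything reaches an account.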
