(SEC310) Keeping Developers and Auditors Happy in the Cloud

Developers and auditors are often at odds. The agile, fast-moving environments that developers enjoy typically give auditors heartburn, and the more controlled and stable environments that auditors prefer for demonstrating and maintaining compliance are traditionally unfriendly to developers and to innovation. We'll walk through how Netflix moved its PCI and SOX environments to the cloud and how we were able to leverage the benefits of the cloud and agile development to satisfy both auditors and developers. Topics covered include shared responsibility, using compartmentalization and microservices for scope control, immutable infrastructure, and continuous security testing.

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Jason Chan, Engineering Director @ Netflix. October 2015. SEC310: Splitting the Check on Compliance and Security. Keeping Developers and Auditors Happy in the Cloud.
2. 2015 for Developers
3. 2015 for Auditors and Security Teams
4. What to Expect from This Session
   • Learn approaches to compliance that enable, and are improved by, modern technology and techniques.
   • How to use foundational security principles to build a flexible and efficient framework for compliance.
   • Real-world examples of tools and automation that benefit multiple audiences: engineers, security teams, auditors.
5. The Problem
6. Incentives and Perspectives
   Developers. Incentives: speed; features. Want: freedom to innovate; new technology.
   Auditors. Incentives: compliance with regulatory obligations; verifiable processes. Want: well-known technology; predictability and stability.
7. The Resolution
8. "You build it, you run it." (Werner Vogels, Amazon CTO, June 2006)
9. Who Cares About These Answers?
   • When did that code change?
   • Who made the change?
   • Who logged in to that host?
   • What did they do?
   • Who pushed that code?
   • When was this dependency introduced?
   • Was that build tested before deployment?
   • What were the test results?
10. Before: Developers and Auditors (separate). After: AuditorDev (Auditor and Dev together).
11. How Do We Get There?
12. Two Approaches to Compliance
13. Four Pillars for Effective, Efficient, and Flexible Compliance in the Cloud
14. The Pillars
   1. Undifferentiated heavy lifting and shared responsibility
   2. Traceability in development
   3. Continuous security visibility
   4. Compartmentalization
15. A Slide on SOX and PCI
   SOX (Sarbanes-Oxley):
   • Relevant to public US companies.
   • Driven by accounting reform and investor protection.
   • Seeks to ensure the validity, integrity, and accuracy of financial reporting.
   • COBIT is a common framework for describing SOX-related control activities.
   PCI (Payment Card Industry):
   • Relevant to any organization that handles credit cards.
   • Driven by payment data breaches.
   • Intended to protect credit card data.
   • Requirements are outlined in the Data Security Standard (DSS).
16. The Pillars
17. Undifferentiated Heavy Lifting and Shared Responsibility
18. Vulnerability Management
19. Data Backups
20. Traditional Data Backup [Diagram: server, database, disk and tape storage in the corporate data center; disk and tape storage at a backup data center / media storage provider]
21. Data Backup in the Cloud [Diagram: RDBMS backed up to an Amazon EBS volume; Cassandra backed up to an Amazon S3 bucket, to an S3 bucket in another region, to an S3 bucket in another account, and to non-AWS cloud storage]
22. Control Mapping (control: description)
   PCI 6.2: Install patches to protect against security vulnerabilities.
   PCI 9.5: Physically secure all media.
   PCI 9.6.2: Send media by secure, traceable courier.
   COBIT DSS05.05: Manage physical access to IT assets.
23. Traceability in Development
24. Common Audit Requirements for Software Development
   • Review changes.
   • Track changes.
   • Test changes.
   • Deploy only approved code.
   • For all actions: who did it, and when?
25. Spinnaker for Continuous Deployment
   • Customizable development pipelines (workflows).
   • Single interface to all aspects of the deployment process.
   • Answers who, what, when, and why for both developers and auditors.
26. Spinnaker: App-Centric View [Screenshot: application-specific components; a pipeline triggered by a code change; AMI creation per region; links to the build (Jenkins CI) and to the code changes (Stash)]
27. Spinnaker Multistage Pipeline [Screenshot: multiple deployment stages, automated and manual; a failed test stops the pipeline from proceeding]
28. Automated Canary Analysis [Screenshot: canary test score, link to details, result]
29. Manual Approval (Optional)
30. Restricted Deployment Window (Optional)
31. Restricted Deployment Window (Optional)
32. Deployment Notification (Optional)
33. Spinnaker vs. Manual Deployments
   • Deployment is independent of languages and other underlying technology: Java, Python, Linux, Windows, and so on.
   • Multiple stages of automated testing: integration, security, functional, production canary.
   • Fully traceable pipeline: changes and change drivers are fully visible; all artifacts and test results are available.
34. Control Mapping (control: description)
   PCI 6.3.2: Perform code reviews prior to release.
   PCI 6.4.5: Test changes to verify no adverse security impact.
   COBIT BAI03.08: Execute solution testing.
35. Continuous Security Visibility
36. Issues with Application Security Risk Management
   • Spreadsheets and surveys!
   • Human driven.
   • Presuppose managed intake.
   • One-time vs. continuous.
37. Penguin Shortbread: Automated Risk Analysis for Microservice Architectures
   • Analyze microservice connectivity.
   • Passively monitor app and cloud configuration.
   • Develop risk scoring based on observations.
38. Microservice and Resource Registry Analysis
   • Leverage cloud APIs and the resource registry for data.
   • Bi-directionally analyze initialized clients.
   • Evaluate services offered and security group connectivity.
   [Diagram: the app under analysis, the services it offers, its initialized clients (outbound), and the clients initialized toward it (inbound)]
39. Application Risk Metric [Screenshot: metric summary, metric algorithm, scoring]
40. Application Risk Rollup [Screenshot: metrics; risk metrics by region/environment]
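The registry analysis on slides 37 to 40 can be made concrete with a small model. What follows is an added example written for this page, not Penguin Shortbread's code (the deck shows none): the app registry, the security group rules, the app and group names, and the scoring weights are all constructed for illustration, and the split between security-group sources and CIDR sources is an assumption about how such an analyzer would reason.

```python
from collections import defaultdict

# Constructed sample data (not Netflix data). The resource registry records,
# per app, the security group it runs in, the port it serves, whether it is
# an intentionally internet-facing edge service, and the clients it has
# initialized (its outbound dependencies).
REGISTRY = {
    "www":      {"sg": "sg-www",      "port": 443,  "edge": True,  "clients": ["api"]},
    "api":      {"sg": "sg-api",      "port": 8080, "edge": False, "clients": ["payments", "catalog"]},
    "payments": {"sg": "sg-payments", "port": 8443, "edge": False, "clients": ["tokens"]},
    "tokens":   {"sg": "sg-tokens",   "port": 8443, "edge": False, "clients": []},
    "catalog":  {"sg": "sg-catalog",  "port": 8080, "edge": False, "clients": []},
    "batch":    {"sg": "sg-batch",    "port": 9000, "edge": False, "clients": ["tokens"]},
}

# Constructed security group ingress rules as (destination sg, port, source).
# A source is another security group id or a CIDR block, as in EC2.
SG_INGRESS = [
    ("sg-www",      443,  "0.0.0.0/0"),
    ("sg-api",      8080, "sg-www"),
    ("sg-payments", 8443, "sg-api"),
    ("sg-tokens",   8443, "sg-payments"),
    ("sg-tokens",   8443, "sg-batch"),
    ("sg-tokens",   8443, "sg-api"),      # permitted, but api never calls tokens
    ("sg-catalog",  8080, "0.0.0.0/0"),   # internal service open to the world
]

SG_TO_APP = {meta["sg"]: name for name, meta in REGISTRY.items()}


def inbound_clients(registry):
    """Invert the outbound client edges so each app knows who actually calls it."""
    inbound = defaultdict(set)
    for caller, meta in registry.items():
        for callee in meta["clients"]:
            inbound[callee].add(caller)
    return inbound


def permitted_sources(app):
    """Split the sources allowed to reach app's service port into registered
    apps (unknown sg ids are kept verbatim) and CIDR blocks."""
    meta = REGISTRY[app]
    sg_sources, cidr_sources = set(), set()
    for dst_sg, port, src in SG_INGRESS:
        if dst_sg != meta["sg"] or port != meta["port"]:
            continue
        if "/" in src:
            cidr_sources.add(src)
        else:
            sg_sources.add(SG_TO_APP.get(src, src))
    return sg_sources, cidr_sources


def analyze(app):
    """Compare what the security groups permit with what the registry shows is
    actually used, and score the gap. The weights are assumptions."""
    inbound = inbound_clients(REGISTRY)[app]
    sg_sources, cidr_sources = permitted_sources(app)
    excess = sg_sources - inbound        # permitted peers that never connect
    uncovered = inbound - sg_sources     # real clients admitted only by a CIDR rule
    exposed = any(c in ("0.0.0.0/0", "::/0") for c in cidr_sources)
    score = 0
    if exposed and not REGISTRY[app]["edge"]:
        score += 50                      # world-reachable non-edge service
    score += 10 * len(excess)            # each unused trust relationship
    score += 5 * len(uncovered)          # each client hidden behind a broad rule
    return {
        "app": app,
        "inbound": inbound,
        "outbound": set(REGISTRY[app]["clients"]),
        "permitted": sg_sources,
        "excess": excess,
        "uncovered": uncovered,
        "internet_exposed": exposed,
        "score": score,
    }


def rollup():
    """Risk rollup across the registry, highest score first."""
    return sorted(((a, analyze(a)["score"]) for a in REGISTRY),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for app, score in rollup():
        r = analyze(app)
        print(f"{app:9} score={score:3} excess={sorted(r['excess'])} "
              f"uncovered={sorted(r['uncovered'])} exposed={r['internet_exposed']}")
```

Run stand-alone, the rollup lists catalog first (a non-edge service reachable from 0.0.0.0/0 whose one real client is admitted only through that broad rule) and tokens second (an ingress rule for sg-api that no client uses). Both are findings an auditor cares about under PCI 1.2.1, and both come out of data the cloud APIs and the registry already hold, with no spreadsheet or survey.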
41. Self-Service in the Cloud
42. Security Monkey: Change Tracking
43. Searching Security Monkey. Search options: globally or region-limited; all AWS services or a single service/subset; all accounts or a limited set; by resource name; by configuration; active or inactive (deleted); resources/changes or audit findings.
44. Security Monkey Record [Screenshot: clickable list of discovered versions; record details]
45. Security Monkey Record: Look Back and Diff [Screenshot: diff from the previous discovery]
46. Audit Findings in Security Monkey
47. Finding Details [Screenshot: impacted resource details, finding score, finding details, Justify button]
48. Justifying an Audit Finding in Security Monkey
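To show what the change-tracking and audit-finding workflow on slides 42 to 48 does end to end, here is an added Python example written for this page; it is not Security Monkey's code. The two security group snapshots are constructed, and the finding rules and scores are assumptions standing in for Security Monkey's own auditors.

```python
from datetime import datetime, timezone

# Constructed snapshots of one EC2 security group as a watcher might record
# them on successive runs (not real Security Monkey records). The second run
# finds a new rule: SSH open to the whole internet.
SNAPSHOTS = [
    {"discovered": "2015-10-06T02:00:00Z",
     "config": {"GroupName": "sg-payments", "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
          "UserIdGroupPairs": [{"GroupId": "sg-api"}], "IpRanges": []}]}},
    {"discovered": "2015-10-07T02:00:00Z",
     "config": {"GroupName": "sg-payments", "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
          "UserIdGroupPairs": [{"GroupId": "sg-api"}], "IpRanges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}},
]

WORLD = ("0.0.0.0/0", "::/0")


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {dotted.path[index]: scalar} so two
    discovered versions can be compared key by key."""
    flat = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            flat.update(flatten(v, f"{prefix}.{k}" if prefix else k))
    elif isinstance(obj, list):
        if not obj:
            flat[prefix] = []            # keep empty lists visible in diffs
        for i, v in enumerate(obj):
            flat.update(flatten(v, f"{prefix}[{i}]"))
    else:
        flat[prefix] = obj
    return flat


def diff_versions(old, new):
    """Look-back diff between two discovered versions of a resource."""
    a, b = flatten(old), flatten(new)
    return {
        "added":   {k: b[k] for k in b.keys() - a.keys()},
        "removed": {k: a[k] for k in a.keys() - b.keys()},
        "changed": {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]},
    }


def audit(config):
    """Auditor checks over one security group version. The rules and scores
    are illustrative, not Security Monkey's actual rule set."""
    findings = []
    for perm in config.get("IpPermissions", []):
        open_ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])
                       if r.get("CidrIp") in WORLD]
        open_ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                        if r.get("CidrIpv6") in WORLD]
        if not open_ranges:
            continue
        proto, port = perm.get("IpProtocol"), perm.get("FromPort")
        if proto == "-1":
            issue, score = "All protocols open to the internet", 10
        elif port in (80, 443):
            issue, score = f"Web port {port} open to the world", 5
        else:
            issue, score = f"Port {port}/{proto} open to the world", 10
        findings.append({"resource": config["GroupName"], "issue": issue,
                         "score": score, "sources": open_ranges, "justified": None})
    return findings


def justify(finding, user, reason):
    """Record a justification instead of deleting the finding, so the
    exception itself stays visible and reviewable."""
    finding["justified"] = {"by": user, "reason": reason,
                            "at": datetime.now(timezone.utc).isoformat()}
    return finding


def track(snapshots):
    """Walk the discovered versions in order, emitting the diff from the
    previous discovery and the findings for each version."""
    history = []
    for i, snap in enumerate(snapshots):
        prev = snapshots[i - 1]["config"] if i else {}
        history.append({"discovered": snap["discovered"],
                        "diff": diff_versions(prev, snap["config"]),
                        "findings": audit(snap["config"])})
    return history


if __name__ == "__main__":
    for version in track(SNAPSHOTS):
        print(version["discovered"], "added:", sorted(version["diff"]["added"]))
        for f in version["findings"]:
            print("  FINDING", f["score"], f["issue"], f["sources"])
```

The look-back diff answers "when did that change, and what exactly changed?"; the finding answers "should it have?"; and the justification keeps the exception on record instead of silencing it, which is the artifact an auditor will ask to see.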
49. AMIs at Netflix
   Foundation AMI = Linux AMI (OS only).
   Base AMI = Foundation AMI + Netflix-specific bits. • Managed by the Engineering Tools team. • Functional equivalent of a gold image.
   Application AMI = Base AMI + app-specific bits. • Managed by application teams. • AMI deployed to Auto Scaling groups.
50. Scantron: Base AMI Vulnerability Scanning [Diagram: a change to the Base AMI launches an instance of it; Scantron scans the instance and emails the scan findings]
51. Control Mapping (control: description)
   PCI 1.2.1: Restrict traffic to that which is necessary.
   PCI 6.4.5: Test changes to verify no adverse security impact.
   PCI 10.6: Review logs and security events.
   PCI 11.2: Run vulnerability scans after any significant change.
   PCI 12.2: Implement a risk-assessment process.
   COBIT APO12.03: Maintain a risk profile.
   COBIT DSS05.07: Monitor the infrastructure for security-related events.
   COBIT DSS06.04: Manage errors and exceptions.
   COBIT MEA02.03: Perform control self-assessments.
52. Compartmentalization
53. Compartmentalization. Resilience: limit blast radius. Confidentiality: need to know.
54. Compartmentalization in AWS [Diagram of the available boundaries: region, availability zone, virtual private cloud, security group, key (AWS KMS, AWS CloudHSM), IAM role]
55. AWS Account Segregation [Diagram: a Test account holding test resources and a Production account holding production resources, connected through cross-account access policies]
56. Account Segregation for Compliance [Diagram: a Production account holding production resources and a separate Compliance account holding compliance-relevant resources, connected through cross-account access policies; authorized users reach the compliance account through SAML SSO, gated by LDAP membership]
57. Monolithic Card Processing in the Data Center [Diagram: the user signs up or changes a card through the web server; the payments application stores and retrieves the card in an encrypted credit card database (rows of name and encrypted CC, e.g. John Doe / XXXXXXXXXX) backed by an HSM; real-time and batch authorizations go to payment processors and partners; tax, analytics, fraud and other functions also read the same database]
58. Microservices and Tokenization in AWS [Diagram: the user signs up or changes a card through the web server; the payment application stores only a token in the payments db (name and token, e.g. John Doe / abc123); the token service owns the token vault, a token db of token and encrypted CC (abc123 / XXXXXXXXXX), with encryption done through a crypto proxy backed by CloudHSM]
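The tokenization design on slide 58, as an added, runnable example written for this page (not Netflix's token service): the HSM stand-in is a toy keyed keystream so the demo runs offline, the token db and payments db are in-memory structures, the "tok_" token format and the allow-list of callers permitted to detokenize are assumptions.

```python
import hashlib
import hmac
import re
import secrets

# ---- Stand-in for the CloudHSM-backed crypto proxy -------------------------
# A keyed SHA-256 keystream with an HMAC tag, used only so the demo runs
# offline. It is a toy, NOT a real cipher. In the design on the slide the
# card-encryption key lives inside the HSM and only encrypt/decrypt are exposed.
HSM_KEY = secrets.token_bytes(32)   # constructed; a real key never leaves the HSM


def hsm_encrypt(data: bytes) -> bytes:
    assert len(data) <= 32, "toy keystream covers one SHA-256 block only"
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(HSM_KEY + nonce).digest()
    ct = bytes(p ^ s for p, s in zip(data, stream))
    tag = hmac.new(HSM_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def hsm_decrypt(blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(HSM_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered")
    stream = hashlib.sha256(HSM_KEY + nonce).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


# ---- Token service: the only component that ever sees a card number --------
PAN_RE = re.compile(r"^\d{13,19}$")
DETOKENIZE_ALLOWED = {"payment-application"}   # assumed allow-list of callers


class TokenService:
    def __init__(self):
        self.token_db = {}       # token -> encrypted CC; in-memory stand-in

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.match(pan):
            raise ValueError("not a card number")
        token = "tok_" + secrets.token_hex(8)   # random: no relation to the PAN
        self.token_db[token] = hsm_encrypt(pan.encode())
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in DETOKENIZE_ALLOWED:
            raise PermissionError(f"{caller} may not detokenize")
        return hsm_decrypt(self.token_db[token]).decode()


# ---- Payments db: holds tokens, never card numbers -------------------------
class PaymentsDB:
    def __init__(self, tokens: TokenService):
        self.tokens = tokens
        self.rows = []           # in-memory stand-in for the payments db

    def sign_up(self, name: str, pan: str) -> dict:
        row = {"name": name, "token": self.tokens.tokenize(pan), "last4": pan[-4:]}
        self.rows.append(row)
        return row

    def charge(self, row: dict) -> str:
        # Only the payment application path recovers the PAN, and only for
        # the call out to the processor; everything else works with the token.
        return self.tokens.detokenize(row["token"], "payment-application")


def leaks_pan(rows) -> bool:
    """Scope check: does any stored value look like a full card number?"""
    return any(PAN_RE.match(str(v)) for row in rows for v in row.values())


if __name__ == "__main__":
    db = PaymentsDB(TokenService())
    row = db.sign_up("John Doe", "4111111111111111")   # constructed test PAN
    print(row, "leaks PAN:", leaks_pan(db.rows))
```

The PCI scope argument rests on two properties the code enforces: the token is random, so nothing about the card can be derived from it, and only the token service can turn it back into a PAN, so the payments db and the tax, analytics and fraud consumers hold tokens and the last four digits only. The leaks_pan check is the kind of scan you would run over exported tables to confirm the scope boundary actually holds.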
59. Compartmentalizing Access (AuditorDev) [Slide shows an IAM policy that allows every action on every resource:]
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Action": "*",
         "Effect": "Allow",
         "Resource": "*"
       }
     ]
   }
60. [Screenshot: per-role dashboards of total API calls, total API errors, and total access denied errors]
61. removable = (allowed) - (used)
    new_policy = current_policy - removable
62. Repoman Use Cases
   • Find unused roles, profiles, users (0 API calls).
   • Investigate API errors (such as throttling).
   • Investigate access issues (access denied).
   • Prune excessive privileges.
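Slides 59 to 62 give Repoman by its formula; here is an added Python example of that formula, written for this page and not Repoman's code. The CloudTrail-style events, the role names and the starting policy are constructed; mapping a CloudTrail eventSource to an IAM service prefix by its first label is an approximation with a deliberately incomplete override table; and the example narrows actions only, leaving Resource as "*" just as the slide's starting policy does.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed CloudTrail-style events (eventSource / eventName / errorCode as
# CloudTrail records them); not real Netflix telemetry.
EVENTS = [
    {"role": "app-role", "eventSource": "s3.amazonaws.com",  "eventName": "GetObject"},
    {"role": "app-role", "eventSource": "s3.amazonaws.com",  "eventName": "GetObject"},
    {"role": "app-role", "eventSource": "s3.amazonaws.com",  "eventName": "PutObject"},
    {"role": "app-role", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"role": "app-role", "eventSource": "iam.amazonaws.com", "eventName": "ListRoles"},
    {"role": "app-role", "eventSource": "sqs.amazonaws.com", "eventName": "SendMessage",
     "errorCode": "AccessDenied"},
    {"role": "app-role", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "errorCode": "Client.RequestLimitExceeded"},
]

# Constructed starting policy: broader than the role has ever needed.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                   "ec2:DescribeInstances", "ec2:TerminateInstances", "iam:*"],
        "Resource": "*"}]}

ROLES = ["app-role", "legacy-batch-role"]   # constructed; the second never calls anything


def service_prefix(event_source):
    """CloudTrail eventSource -> IAM service prefix. The first DNS label is
    right for most services; a few differ, so keep an override table
    (incomplete here on purpose)."""
    overrides = {"monitoring": "cloudwatch"}
    first = event_source.split(".")[0]
    return overrides.get(first, first)


def action_of(event):
    return f"{service_prefix(event['eventSource'])}:{event['eventName']}"


def used_actions(events, role):
    """Actions the role actually exercised: successful calls only. A denied
    call is evidence the policy lacks something, not evidence of use."""
    return Counter(action_of(e) for e in events
                   if e["role"] == role and "errorCode" not in e)


def allowed_actions(policy):
    allowed = set()
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        acts = st["Action"]
        allowed.update([acts] if isinstance(acts, str) else acts)
    return allowed


def prune(policy, used):
    """removable = allowed - used; new_policy = current_policy - removable.
    Wildcard grants (iam:*, *) are narrowed to the specific actions observed."""
    keep, removable = set(), set()
    for pattern in allowed_actions(policy):
        hits = {a for a in used if fnmatchcase(a, pattern)}
        if not hits:
            removable.add(pattern)
        elif "*" in pattern:
            keep.update(hits)
        else:
            keep.add(pattern)
    new_policy = {"Version": policy["Version"],
                  "Statement": [{"Effect": "Allow", "Action": sorted(keep),
                                 "Resource": "*"}]}
    return new_policy, removable


def error_report(events):
    """Per role/action error counts: AccessDenied points at missing rights,
    throttling at clients that need backoff."""
    return Counter((e["role"], action_of(e), e["errorCode"])
                   for e in events if "errorCode" in e)


def unused_roles(events, roles):
    """Roles with zero API calls in the observation window."""
    active = {e["role"] for e in events}
    return sorted(r for r in roles if r not in active)


if __name__ == "__main__":
    new_policy, removable = prune(CURRENT_POLICY, used_actions(EVENTS, "app-role"))
    print("removable:", sorted(removable))
    print("new policy actions:", new_policy["Statement"][0]["Action"])
    print("unused roles:", unused_roles(EVENTS, ROLES))
    print("errors:", dict(error_report(EVENTS)))
```

Denied and throttled calls are excluded from "used" on purpose: an AccessDenied is evidence the policy is missing something the caller wanted, which the error report surfaces separately, and counting it as usage would have the pruner re-grant it. In practice you also wait out a full observation window (a job that runs monthly, for instance) before pruning, or you remove a permission that is merely dormant.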
63. Control Mapping (control: description)
   PCI 2.2: Implement one primary function per server.
   PCI 6.4.1: Separate dev/test environments from production. Enforce separation with access controls.
   PCI 7.1: Limit access to only those who require access.
   PCI 7.1.2: Assign the fewest privileges necessary.
   PCI 10.6: Review logs and security events.
   COBIT DSS05.04: Manage user identity and logical access.
   COBIT DSS05.07: Monitor the infrastructure for security-related events.
   COBIT DSS06.04: Manage errors and exceptions.
64. Wrapping Up! (Auditor, Dev)
65. Takeaways
   • Limit investments in approaches that meet narrow regulatory needs.
   • Embrace core security design and operational principles that address regulatory requirements as a result.
   • As you migrate or engineer regulatory-sensitive workloads, focus on tools and techniques that serve and satisfy multiple audiences.
66. Remember to complete your evaluations!
67. Thank you!