
(SEC402) Enterprise Cloud Security via DevSecOps 2.0

Running enterprise workloads with sensitive data in AWS is hard and requires an in-depth understanding of software-defined security risks. At re:Invent 2014, Intuit and AWS presented "Enterprise Cloud Security via DevSecOps" to help the community understand how to embrace AWS features and a software-defined security model. Since then, we've learned quite a bit more about running sensitive workloads in AWS.

We've evaluated new security features, worked with vendors, and generally explored how to develop security-as-code skills. Come join Intuit and AWS to learn about second-year lessons and see how DevSecOps is evolving. We've built skills in security engineering, compliance operations, security science, and security operations to secure AWS-hosted applications. We will share stories and insights about DevSecOps experiments, and show you how to crawl, walk, and then run into the world of DevSecOps.

Published in: Technology

  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Shannon Lietz – Intuit – Sr. Manager, Cloud Security Engineering; Matt Bretan – AWS Professional Services – Senior Consultant. October 2015. SEC402 Enterprise Cloud Security via DevSecOps 2.0: Crawl. Walk. Run.
  2. What to expect from this session
     • Are you ready to adopt security so compelling it changes how your company operates?
     • Learn from our lessons and war stories.
     • Gain knowledge about how to do DevSecOps at your organization.
     • Discover what we are doing to learn more!
  3. …DevSecOps is an evolving story (Copyright © 2009 José-Manuel Benitos)
  4. AWS constantly innovating – driven by your needs. Chart: security, compliance, governance, and audit related launches and updates per year, 2007–2015 (yearly counts shown: 48, 61, 82, 159, 280, 514, with the current year marked "?").
  5. Cloud security then and now. From: Human Interactions, Recon, Operations, Security Intelligence, UX. To: API, Security Intelligence, Recon, Tools, Agents, Operations, Human Interactions.
  6. Where are we today?
     • DevSecOps is different and addictive.
     • Cloud attacks and compromises are faster.
     • Investing in native cloud solutions.
     • Doubling down on educating security on AWS services.
     • Focusing on attack modeling and operationalizing security.
     Since 2014: +37 DevSecOps worldwide; +2k cloud security; +3 open-source projects underway; full day of SecDevOps @RSA; dedicated track for security in Rugged DevOps @ Goto.
  7. How can I catch up? Quick recap.
     Problem statement
     • DevOps requires continuous deployments.
     • Fast decision making is critical to DevOps success.
     • Traditional security just doesn’t scale or move fast enough.
     Welcome, DevSecOps!
     • Customer focused mindset
     • Scale, scale, scale
     • Objective criteria
     • Proactive hunting
     • Continuous detection and response
     (“Bang Head Here”)
     DevSecOps disciplines: Security Engineering (Experiment, Automate, Test); Security Operations (Hunt, Detect, Contain); Compliance Operations (Respond, Manage, Train); Security Science (Learn, Measure, Forecast).
  8. Why is this so important? The case for change
     • DevOps, Agile, and Scrum on the rise…
     • Workload migrations to software defined environments…
     • Mass adoption of the public cloud…
     • Talent migration to progressive cloud companies…
     • Startups have game-changing tech at their disposal…
     • Competitive landscape is becoming fierce…
     • The perimeter is no longer an option…
     • Security, now more than ever, is an arms race…
  9. The DevSecOps mindset
     • Customer focus
     • Open and transparent
     • Iteration over perfection
     • Hunting over reaction
     • Hmmm → Wait a minute, this sounds like a manifesto…insert shameless plug here: http://www.devsecops.org
  10. OK → Ready, Set, Crawl?
  11. Where to start?
     • Pontificate?
     • Checklists?
     • 1-pagers? 6-pagers? Documents? (“Page 3 of 433”)
     → Security as code
  12. Security as code is easy with AWS: AWS provides all the APIs!
     • Programmatically test environments
     • Determine the state of an environment at a specific point in time
     • Repeatable processes
     • Scalable operations
  13. How can we learn DevSecOps? Security as Code? Security as Operations? Compliance Operations? Science? Start here: DevOps + Security → DevOps + DevSecOps. Experiments: Automate Policy Governance; Detection via Security Operations; Compliance via DevSecOps Toolkit; Science via Profiling.
  14. Crawl demo
  15. Lessons learned
     • One and done does not work.
     • Documenting decisions is useful but not enough.
     • Traditional security tools make operating a cloud environment challenging.
     • Need to suspend disbelief.
     • Enterprise cloud security is a big-data problem.
  16. The “who” matters: Operations, Red team, Blue team, Developer, Security
  17. The “who” matters (Copyright © 2012 Martin Patten)
  18. The “who” matters
  19. Can I skip walking?
  20. Why walking is important… Imagine that you will need to support all of the facets of security inline with development and operations at speed.
     • Were your crawl experiments enough to generate DevSecOps experts?
     • Have you got the right level of operational maturity?
     • Do you have an All Star Team or a Team of All Stars?
     • Is your organization listening, participating, and fully engaged?
     • Is collaboration and communication working well?
     • Do you have it all figured out?
  21. Are you ready to make these decisions? (Decision matrix: responsibility moves from internal to partners as you read from left to right.)
     On-Premises
       Who is responsible? You
       Which minimal controls are needed? Physical Security, Secure Handling, Disposal
       Where does data transit and get stored? Company “Owned” Data Center Or Co-location
       What are the innovation benefits? Reduced Latency, Search Sensitive Data
       What are the potential risks? SQL Injection, Internal Threats, Mistakes, Phishing, Increased Friction, Slow Latency
     Partial On-Premises
       Who is responsible? You
       Which minimal controls are needed? File Or Object Encryption For Sensitive Data, Physical Security, Secure Handling, Disposal
       Where does data transit and get stored? Any Compute & Transit, Data Store On Premises
       What are the innovation benefits? Speed, Reduced Friction, Search Sensitive Data
       What are the potential risks? SQL Injection, Internal Threats, Mistakes, Phishing, Increased Friction, Slow
     Outsourced w/ No Indemnification
       Who is responsible? You
       Which minimal controls are needed? File Or Object Encryption For Sensitive Data, Partner Security, SOC Attestation
       Where does data transit and get stored? Public Cloud, Free Services
       What are the innovation benefits? Speed, Reduced Friction, Evolving Patterns, Community
       What are the potential risks? Inability to Search Sensitive Data, SQL Injection, Internal Threats, Mistakes, Phishing, Unknown Gov’t Requests, Reduced Financial Responsibility
     Outsourced w/ Partial Indemnification
       Who is responsible? You + Partner
       Which minimal controls are needed? File Or Object Encryption For Sensitive Data, Partner Security, SOC Attestation
       Where does data transit and get stored? SaaS, Private Cloud, Public Cloud, Free Services
       What are the innovation benefits? Speed, Reduced Friction, Evolving Patterns, Community
       What are the potential risks? Inability to Search Sensitive Data, SQL Injection, Internal Threats, Mistakes, Phishing, Unknown Gov’t Requests
     Outsourced w/ Full Indemnification
       Who is responsible? Partner
       Which minimal controls are needed? Partner Security, SOC Attestation
       Where does data transit and get stored? Managed Services, SaaS, Private Cloud
       What are the innovation benefits? Speed, Reduced Friction, Indemnification
       What are the potential risks? Inability to Search Sensitive Data, SQL Injection, Internal Threats, Mistakes, Phishing, Unknown Gov’t Requests
  22. Or govern these policies?
     {
       "Version": "2015-05-09",
       "Statement": {
         "Effect": "Allow",
         "Action": [
           "iam:ChangePassword",
           "iam:GetAccountPasswordPolicy"
         ],
         "Resource": "*"
       }
     }
  23. Or hunt full stack security issues?
  24. Or communicate simply and quickly? Discover, Evaluate, Control, Communicate.
  25. Or translate security like this?
     begin
       # Every inline policy attached to the role that is not in the approved baseline (roledb)
       (iam.client.list_role_policies(:role_name => role)[:policy_names] - roledb.list_policies(role)).each do |policy|
         # Warn when the non-baseline policy actually grants something (differs from an empty document)
         log.warn("Deleting Policy #{policy}, which is not part of the approved baseline.") if policydiff(
           "{}",
           URI.decode(iam.client.get_role_policy(:role_name => role, :policy_name => policy)[:policy_document]),
           {:argv => ARGV, :diff => options.diff}
         )
         # Heal the account unless this is a dry run
         options.dryrun ? nil : iam.client.delete_role_policy(:role_name => role, :policy_name => policy)
       end
     end
     Account Grade: B. Heal Account?
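Slides 12, 22 and 25 together describe one pattern: read the account's actual state through the IAM API, compare it with an approved baseline kept in source control, report the drift as a simple grade, and optionally heal it. The following Python script is an added illustration of that pattern; it is not code from the talk, from Intuit or from AWS. It assumes an in-memory stand-in for the boto3 IAM client that models only the three calls the audit needs (list_role_policies, get_role_policy, delete_role_policy, with boto3's keyword arguments and return shapes), a constructed baseline and sample account state, and a made-up A/B/C/F grading scale.

```python
import json

# Constructed approved baseline: role name -> {inline policy name: policy document}.
# Role names, ARNs and account id are sample values made up for this example.
APPROVED_BASELINE = {
    "app-server": {
        "read-config-bucket": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-config-bucket/*"}],
        },
        "read-db-secret": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
                           "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app-db-*"}],
        },
    }
}

# Constructed "live" account state: one policy matches the baseline (written as a
# list instead of a string, which IAM treats identically), one unapproved policy
# has appeared, and one approved policy is missing.
SAMPLE_ACCOUNT_STATE = {
    "app-server": {
        "read-config-bucket": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                           "Resource": "arn:aws:s3:::example-config-bucket/*"}],
        },
        "admin-everything": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
        },
    }
}


class FakeIAMClient:
    """In-memory stand-in (constructed for this example) for the boto3 IAM client.

    Only the three calls the audit needs are modelled, with boto3's argument and
    return shapes, so audit_role() would work unchanged against a real client.
    """

    def __init__(self, inline_policies):
        self._policies = {role: dict(p) for role, p in inline_policies.items()}
        self.deleted = []  # audit trail of heal actions

    def list_role_policies(self, RoleName):
        return {"PolicyNames": sorted(self._policies.get(RoleName, {}))}

    def get_role_policy(self, RoleName, PolicyName):
        return {"PolicyDocument": self._policies[RoleName][PolicyName]}

    def delete_role_policy(self, RoleName, PolicyName):
        del self._policies[RoleName][PolicyName]
        self.deleted.append((RoleName, PolicyName))


# Keys whose value may be written either as a single item or as a list.
_LIST_KEYS = {"Statement", "Action", "NotAction", "Resource", "NotResource"}


def canonical(node):
    """Normalise a policy document so that semantically equal documents compare equal."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key in _LIST_KEYS and not isinstance(value, list):
                value = [value]
            out[key] = canonical(value)
        return json.dumps(out, sort_keys=True)
    if isinstance(node, list):
        return sorted(canonical(item) for item in node)  # order inside lists is irrelevant
    return node


def policies_differ(baseline_doc, actual_doc):
    return canonical(baseline_doc) != canonical(actual_doc)


def audit_role(iam, role, baseline, dry_run=True):
    """Compare a role's inline policies with the approved baseline.

    Returns a list of findings. Policies outside the baseline are deleted unless
    dry_run is set; drifted or missing policies are reported for review only.
    """
    findings = []
    approved = baseline.get(role, {})
    actual = iam.list_role_policies(RoleName=role)["PolicyNames"]
    for name in actual:
        document = iam.get_role_policy(RoleName=role, PolicyName=name)["PolicyDocument"]
        if name not in approved:
            findings.append({"role": role, "policy": name, "issue": "not in approved baseline",
                             "action": "would delete" if dry_run else "deleted"})
            if not dry_run:
                iam.delete_role_policy(RoleName=role, PolicyName=name)
        elif policies_differ(approved[name], document):
            findings.append({"role": role, "policy": name,
                             "issue": "drifted from baseline", "action": "review"})
    for name in approved:
        if name not in actual:
            findings.append({"role": role, "policy": name,
                             "issue": "missing from role", "action": "review"})
    return findings


def account_grade(findings):
    """Constructed grading scale: A clean, B one or two findings, C up to five, F beyond."""
    count = len(findings)
    return "A" if count == 0 else "B" if count <= 2 else "C" if count <= 5 else "F"


if __name__ == "__main__":
    iam = FakeIAMClient(SAMPLE_ACCOUNT_STATE)
    findings = audit_role(iam, "app-server", APPROVED_BASELINE, dry_run=True)
    for finding in findings:
        print(finding)
    print("Account Grade:", account_grade(findings))
```

Run with dry_run=True first and review the findings; only the "not in approved baseline" case is auto-healed, because deleting a drifted but approved policy could take a workload down, and a missing policy should be restored from the baseline by the deployment pipeline rather than by the auditor.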
  26. Walk demo
  27. Lessons learned
     • A lot of this is not new.
     • It’s hard work and ever evolving.
     • Enterprise cloud security is a bigger big-data problem than we originally thought…petabytes!
     • Keys to success:
       • Detect and resolve security issues quickly.
       • Use native security capabilities as much as possible.
       • Enlist and enable the organization.
       • Educate inline and break it into bite-size chunks.
  28. Up and running in 2 weeks
  29. Guiding principles
     • DevSecOps is a journey, not a destination.
     • Small security teams can make a profound impact.
     • Organize around self-service and enablement.
     • Translate security for the layperson.
     • Perfection is the enemy…get rugged.
  30. What does Running look like?
     • Operating model and process
     • Open contribution
     • Tools and rules
  31. Operating model and process
     • Empower everyone to participate.
     • Enlighten decision makers with insights.
     • Don’t reinvent the wheel—use organizational tools.
     • Lightweight process.
     • Pivot! Pivot! Pivot!
     • Iterate.
  32. Open contribution
     • Use source control and collaboration features to ensure the right rules are being created.
     • Engage everyone in your organization.
     • Track and resolve defects transparently.
  33. Ready to build your DevSecOps platform? Platform diagram components: AWS accounts, CloudTrail ingestion, S3, Glacier, EC2, security tools & data, threat intel, security science, insights.
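The platform on slide 33 ingests CloudTrail from every AWS account into S3 and runs detection over it to produce insights. The following Python detector is an added example, not code from the talk or from any of the projects it mentions: it takes one CloudTrail log object in the JSON shape CloudTrail delivers to S3 (a constructed sample with four records is embedded), applies three defender rules (root account activity, CloudTrail configuration tampering, and a security-group ingress rule opened to the whole internet) and returns structured alerts. Account id, ARNs, IP addresses, trail and group ids are all made up.

```python
import json

# Constructed CloudTrail log object in the delivered {"Records": [...]} shape.
# Four made-up records: a benign call, a root console login, a call that stops
# trail logging, and a security-group rule opened to 0.0.0.0/0 on port 22.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-10-07T18:01:02Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
     "requestParameters": None},
    {"eventTime": "2015-10-07T18:05:40Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-10-07T18:09:13Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}},
    {"eventTime": "2015-10-07T18:11:55Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0123abcd", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]})

# CloudTrail API calls that reduce or redirect audit logging.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _actor(record):
    identity = record.get("userIdentity") or {}
    return identity.get("userName") or identity.get("arn", "unknown")


def rule_root_activity(record):
    """Any API call or console login made with root credentials."""
    if (record.get("userIdentity") or {}).get("type") == "Root":
        return "high", "root account used: %s" % record.get("eventName")
    return None


def rule_trail_tampering(record):
    """Changes that stop, delete or narrow the audit trail itself."""
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and record.get("eventName") in TRAIL_TAMPERING:
        return "critical", "CloudTrail configuration changed: %s" % record["eventName"]
    return None


def rule_world_open_ingress(record):
    """A security-group ingress rule whose source is the entire IPv4 or IPv6 internet."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = record.get("requestParameters") or {}
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        ranges = (perm.get("ipRanges") or {}).get("items", []) + (perm.get("ipv6Ranges") or {}).get("items", [])
        for rng in ranges:
            if rng.get("cidrIp") in WORLD_CIDRS or rng.get("cidrIpv6") in WORLD_CIDRS:
                return "high", "security group %s opened to the internet on %s/%s-%s" % (
                    params.get("groupId"), perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"))
    return None


RULES = [rule_root_activity, rule_trail_tampering, rule_world_open_ingress]


def detect(trail_json):
    """Run every rule over every record of one CloudTrail log object; return alerts."""
    alerts = []
    for record in json.loads(trail_json).get("Records", []):
        for rule in RULES:
            hit = rule(record)
            if hit:
                severity, message = hit
                alerts.append({"time": record.get("eventTime"), "severity": severity,
                               "rule": rule.__name__, "actor": _actor(record),
                               "source_ip": record.get("sourceIPAddress"), "message": message})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRAIL):
        print(alert)
```

In the real pipeline each S3 object is a gzipped file of this shape; the same detect() call runs on the decompressed bytes, and the alerts feed whatever ticketing or chat tool the organization already uses, in keeping with slide 31's "don't reinvent the wheel".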
  34. Demo: Enterprise cloud security in AWS
  35. What next?
     • Take the DevSecOps Survey at devsecops.org.
     • Join the DevSecOps LinkedIn group and get involved.
     • Follow us on Twitter @devsecops.
     • Give us feedback on the Enterprise Cloud Security How-To.
     • Write an article for the DevSecOps community.
     • Become a DevSecOps engineer.
     • Spread the word!
  36. Remember to complete your evaluations!
  37. Thank you! @devsecops
  38. Related sessions
     • SEC326 – Security Science Using Big Data
     • SEC312 – Reliable Design and Deployment of Security and Compliance
     • SEC316 – Harden Your Architecture with Security Incident Response Simulations (SIRS)
     • SEC308 – Wrangling Security Events in the Cloud
