If you're trying to figure out how to run enterprise applications and services on AWS securely, come join Intuit and the AWS Professional Services team to learn how to embrace a new discipline called DevSecOps. You'll learn more about software-defined security and why we think that DevSecOps helps organizations large and small adopt cloud services at a rapid pace. We'll provide you with links and information to help you get started with creating your own DevSecOps team.

2. Spoiler Alert:

3. Secure Enterprise Workloads in the Cloud…
•Pain
•Trial & Error
•Blood, sweat & tears
•Ouch, my head hurts!
It would have been great to hear this speech a couple years ago….
Bang
Head
Here

4. Intuit Cloud Security
AWS Professional Services

5. Security as Code?
Experiment: Automate
Policy Governance
Security Operations?
Experiment: Detection via Security Operations
Experiment: Compliance via DevSecOpstoolkit
Experiment: Science via Profiling
DevOps+ Security
DevOps+ DevSecOps
Compliance Operations?
Science?
Start Here?

6. Embedding into DevOpswas a disaster…
–Compliance checklists didn’t take us far before we stopped scaling…
–We couldn’t keep up with deployments without automation…
–Standard Security Operations did not work…
–And we needed far more data than we expected to help the business make decisions…

7. DevSecOps
Security Engineering
Experiment, Automate, Test
Security Operations
Hunt, Detect, Contain
Compliance Operations
Respond, Manage, Train
Security Science
Learn, Measure, Forecast

9. Security as Code?
Experiment: Automate
Policy Governance
Security Operations?
Experiment: Detection via Security Operations
Experiment: Compliance via DevSecOpstoolkit
Experiment: Science via Profiling
DevOps+ Security
DevOps+ DevSecOps
Compliance Operations?
Science?

10. Page 3 of 267
Security Configuration Procedures
V 3.6.0.1.1,
January 2011
Frozen in Time

11. AWS provides a programmable infrastructure

12. Security as Code?
Experiment: Automate
Policy Governance
Security Operations?
Experiment: Detection via Security Operations
Experiment: Compliance via DevSecOpstoolkit
Experiment: Science via Profiling
DevOps+ Security
DevOps+ DevSecOps
Compliance Operations?
Science?

14. Central Account
(Trusted)
Admin
IAM IAM IAM IAM IAM IAM
BU Accounts (Trusting)
SecRole SecRole SecRole SecRole SecRole SecRole
IAM

15. Role Name
Access Policies
Trust Policy
Short Description

16. Pull Push
Source Code
Repository
Baseline
IAM Catalog
Trusting BU Accounts
SecRole
IAM Role
Develop
Review
Test
Approve
Commit
Ruby
AKID/SAK
1 2
Admin
3
5
STS
Creds
4

17. Security as Code?
Experiment: Automate
Policy Governance
Security Operations?
Experiment: Detection via Security Operations
Experiment: Compliance via DevSecOpstoolkit
Experiment: Science via Profiling
DevOps+ Security
DevOps+ DevSecOps
Compliance Operations?
Science?

18. applying these principles…

19. Security as Code?
Experiment: Automate
Policy Governance
Security Operations?
Experiment: Detection via Security Operations
Experiment: Compliance via DevSecOpstoolkit
Experiment: Science via Profiling
DevOps+ Security
DevOps+ DevSecOps
Compliance Operations?
Science?

21. Security as Code?
Experiment: Automate
Policy Governance
Security Operations?
Experiment: Detection via Security Operations
Experiment: Compliance via DevSecOpstoolkit
Experiment: Science via Profiling
DevOps+ Security
DevOps+ DevSecOps
Compliance Operations?
Science?

22. experimenting with these principles…

23. Security as Code?
Experiment: Automate
Policy Governance
Security Operations?
Experiment: Detection via Security Operations
Experiment: Compliance via DevSecOpstoolkit
Experiment: Science via Profiling
DevOps+ Security
DevOps+ DevSecOps
Compliance Operations?
Science?

25. Security as Code?
Experiment: Automate
Policy Governance
Security Operations?
Experiment: Detection via Security Operations
Experiment: Compliance via DevSecOpstoolkit
Experiment: Science via Profiling
DevOps+ Security
DevOps+ DevSecOps
Compliance Operations?
Science?

28. Security as Code?
Experiment: Automate
Policy Governance
Security Operations?
Experiment: Detection via Security Operations
Experiment: Compliance via DevSecOpstoolkit
Experiment: Science via Profiling
DevOps+ Security
DevOps+ DevSecOps
Compliance Operations?
Science?

31. Security as Code?
Experiment: Automate
Policy Governance
Security Operations?
Experiment: Detection via Security Operations
Experiment: Compliance via DevSecOpstoolkit
Experiment: Science via Profiling
DevOps+ Security
DevOps+ DevSecOps
Compliance Operations?
Science?
AWSome!

35. Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals