
Compliance Superpowers - Ben Blair, Chicago


AWS Community Day | Midwest 2018
Track 2


  1. Compliance Superpowers. Ben Blair, VPE, Catalytic. June 7, 2018
  2. What to Expect
     ● Who is this talk for?
     ● What is compliance & why should you care?
     ● Change Management
     ● AWS Account Organization
     ● Access Control
     ● Monitoring & Logging
     ● Encryption
     ● Availability & Durability
     ● Vulnerabilities & Malware
  3. Security vs. Agility?
  4. What to Expect (progress): ✓ Who is this talk for? Next: What is compliance & why should you care?
  5. Catalytic’s Compliance Story
     ● Founded 3 years ago
     ● B2B SaaS
     ● 50 employees
     ● 1 in-house former auditor
     ● HIPAA & SOC 2 in 4 months with 3 engineers
     ● Opened the door to many F500 & healthcare customers
  6–9. Why care about compliance? (built up over four slides)
     ● Laws & Regulations
     ● Unlock Sales
     ● Safe Agility
     ● Happy Team
     ● Trust
  11. Common Standards, from general to specialized: SOC 2, ISO, GDPR, HIPAA, PCI, FedRAMP
  12. Audits
     Before: Get help! Choose targets. Choose auditor. Document. Evaluate readiness.
     During: Point person. Walkthrough. Review policies. Review controls. Gather evidence.
     After: Maintain process. Periodic reviews. Track changes. Keep evidence. Notify.
  13. Process Matters, not Tech
  14. Compliance Should Never Force a Bad Solution
  15. What to Expect (progress): ✓ Who is this talk for? ✓ What is compliance & why should you care? Next: Change Management
  16. Change Management
     Risks:
     ● Broken functionality (availability)
     ● Introduce a vulnerability
     ● Introduce a time bomb
     ● Introduce a back door
     ● Weaken a protection
     Controls:
     ● Infrastructure as Code
     ● Code Review
     ● Realistic, isolated dev / test environments
     ● Continuous Integration
     ● Continuous Deployment
     ● Static Analysis
     ● Vulnerability Scanning
  17. Change Management pipeline (diagram): a Change Ticket is opened; the change is made on a git branch in the Code Repo; CodeBuild builds it and CloudFormation deploys it to the Dev Account for testing; after Code Review and Approval the branch is merged to master, and the same CodeBuild → CloudFormation path deploys it to the Prod Account.
  18. Ticket System
     ● Tracks every change request
     ● Tickets remain open until closed
     ● Comments and discussion matter to your auditors!
     ● Tools: GitHub, Jira, Catalytic, many others ...
  19. Code Repository
     ● Record of *every* change made: when, by whom, why
     ● Comments and discussion matter to your auditors!
     ● Tools: GitHub, GitLab, AWS CodeCommit, BitBucket, ...
  20. Continuous Integration & Deployment (CodeBuild)
     ● Automated tests for every change
     ● Test coverage
     ● Static analysis
     ● Vulnerability / CVE checks
     ● Reproducible builds (AMIs, Docker images, CloudFormation templates)
     ● The CI system holds the only IAM role with deploy rights
     ● Tools: AWS CodeBuild, CircleCI, Jenkins, CodeShip, ...
  21. Infrastructure as Code (CloudFormation)
     ● Safely deploy infrastructure changes many times per day
     ● Auditable log of infrastructure changes alongside code changes
     ● Reproducible infrastructure changes
     ● Same dev / test / approve / deploy process for infrastructure changes
     ● Reduces the most catastrophic kinds of errors
     ● Encourages immutable infrastructure
     ● Tools: AWS CloudFormation, Terraform; mutable alternatives: Chef, Ansible, Puppet, Salt, ...
  22. Code Review
     ● Every change gets reviewed and approved
     ● Security review
     ● Reduces risks
     ● Spreads knowledge through your team
     ● Escalate riskier changes
     ● Capture reasoning in discussions
     ● Tools: GitHub, GitLab, Jira, BitBucket, ...
  23. Testing: Manual + Automated
     ● Test application & infrastructure changes together
     ● Automated end-to-end tests
     ● Manual QA tests
     ● Migration / deployment tests
     ● Failure recovery tests
     ● Many different tools for this ...
  24. Production Deploy (CloudFormation)
     ● Exactly the same as the non-production deploy
     ● Cannot be done without approval
     ● Know exactly what code & infrastructure is in production by looking at your repo(s)
     ● Revert & merge: the default rollback process!
  25. Continuous Improvement
     ● A place and a process to make all other changes
     ● Trigger reviews for emergency changes
     ● Place to add new controls
     ● Place to include security checks and auto-remediation
  26. Benefits of Good Change Management
     For your team: agility, safety, ease, continuous improvement, sleep at night
     For your auditors: an auditable, documented process, followed every release, that produces evidence it was followed
  27. What to Expect (progress): ✓ Who is this talk for? ✓ What is compliance & why should you care? ✓ Change Management. Next: AWS Account Organization
  28–34. AWS Account Organization (diagram built up across seven slides): one Organizations master account with separate member accounts for Security, Logging, Production, Staging, Test, Dev and CI/CD. The last slide draws an Audit Scope boundary around the Production account.
  35. What to Expect (progress): ✓ Who is this talk for? ✓ What is compliance & why should you care? ✓ Change Management ✓ AWS Account Organization. Next: Access Control
  36–40. Access Control (diagram built up across five slides): the Security account holds a Vault and the Identity Provider; users sign in there and reach the Production, Logging, CI/CD and Dev accounts from it.
  41. Identity & Authentication
     ● Never use the root account
     ● Consider identity federation into one account to manage users
     ● Use cross-account role assumption
     ● IAM users should have very limited privileges
     ● Use role assumption for “break glass” privilege escalation when needed
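The cross-account pattern on this slide, as an added example (not code from the talk): a Python script that emits the trust policy for a break-glass admin role in a workload account, the matching identity policy for an operator's IAM user in the identity account, and a small lint that flags the usual trust-policy weaknesses. The account IDs, the role name BreakGlassAdmin and the one-hour MFA age are placeholders.

```python
"""Cross-account "break glass" role: generate the trust policy and lint it.

Added example, not code from the talk. Account IDs and role names are
placeholders; the documents follow the IAM policy grammar (Version 2012-10-17).
"""
import json

IDENTITY_ACCOUNT = "111111111111"  # placeholder: account holding IAM users / federation
WORKLOAD_ACCOUNT = "222222222222"  # placeholder: e.g. the Production account
BREAK_GLASS_ROLE = f"arn:aws:iam::{WORKLOAD_ACCOUNT}:role/BreakGlassAdmin"  # placeholder name
MFA_MAX_AGE_SECONDS = "3600"  # placeholder: how fresh the MFA must be


def break_glass_trust_policy(identity_account: str) -> dict:
    """Trust policy attached to the privileged role in the workload account.

    Only principals from the identity account may assume it, and only when
    they authenticated with MFA within MFA_MAX_AGE_SECONDS. The permissions
    policy (e.g. AdministratorAccess) is attached to the role separately.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{identity_account}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "Bool": {"aws:MultiFactorAuthPresent": "true"},
                    "NumericLessThan": {"aws:MultiFactorAuthAge": MFA_MAX_AGE_SECONDS},
                },
            }
        ],
    }


def operator_user_policy(role_arns: list) -> dict:
    """Identity policy for a day-to-day IAM user in the identity account.

    The user holds no rights in the workload accounts at all; the only thing
    it can do is ask STS for a session in one of the listed roles.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arns}
        ],
    }


def _as_list(value) -> list:
    # IAM allows a string or a list in Principal, Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def lint_trust_policy(policy: dict) -> list:
    """Return findings for common trust-policy weaknesses (empty list = clean)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        if "*" in aws_principals:
            findings.append("Principal '*': any AWS account could assume this role")
        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "sts:*") for a in actions):
            findings.append("Action wildcard: grants more than sts:AssumeRole")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("No aws:MultiFactorAuthPresent condition: MFA not required")
    return findings


if __name__ == "__main__":
    trust = break_glass_trust_policy(IDENTITY_ACCOUNT)
    print(json.dumps(trust, indent=2))
    print(json.dumps(operator_user_policy([BREAK_GLASS_ROLE]), indent=2))
    print("findings:", lint_trust_policy(trust))
```

Run the lint over every role's AssumeRolePolicyDocument (for example from `aws iam list-roles`) as part of the CI checks; a finding is a change that should not reach production without a reviewer looking at it.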
  42. What to Expect (progress): ✓ Who is this talk for? ✓ What is compliance & why should you care? ✓ Change Management ✓ AWS Account Organization ✓ Access Control. Next: Monitoring & Logging
  43–55. Monitoring & Logging (diagram built up across thirteen slides): in each account, CloudTrail, VPC Flow Logs and the logs of instances, containers and applications go into CloudWatch Logs and are shipped to the central Logging account. CloudWatch Alarms on those logs open tickets in the Ticketing System, and so do findings from AWS Config, Trusted Advisor and GuardDuty.
  56. What to Expect (progress): ✓ Who is this talk for? ✓ What is compliance & why should you care? ✓ Change Management ✓ AWS Account Organization ✓ Access Control ✓ Monitoring & Logging. Next: Encryption
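What the CloudWatch Alarms box in the logging diagram does, as an added example (not code from the talk): a Python classifier that applies the alarm rules the CIS AWS Foundations Benchmark defines as CloudWatch Logs metric filters (root account usage, unauthorized API calls, console login without MFA, CloudTrail, IAM policy and security group changes) to raw CloudTrail records. SAMPLE_LOG is a constructed log body in the shape CloudTrail writes to S3; the account IDs, ARNs, user names and IP addresses in it are placeholders.

```python
"""Classify CloudTrail records with the alarm rules that the CIS AWS Foundations
Benchmark expresses as CloudWatch Logs metric filters.

Added example, not code from the talk. SAMPLE_LOG is a constructed CloudTrail
log body ({"Records": [...]}); account IDs, ARNs, users and IPs are placeholders.
"""
import json

CLOUDTRAIL_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}
IAM_POLICY_EVENTS = {"DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
                     "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
                     "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
                     "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
                     "AttachGroupPolicy", "DetachGroupPolicy"}


def classify(record: dict) -> list:
    """Return the alarm names a single CloudTrail record would trigger."""
    alerts = []
    ident = record.get("userIdentity", {})
    name = record.get("eventName", "")
    # Root usage: identity type Root, but not an AWS service acting on root's behalf
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and record.get("eventType") != "AwsServiceEvent"):
        alerts.append("RootAccountUsage")
    # CIS filter: errorCode = "*UnauthorizedOperation" or "AccessDenied*"
    err = record.get("errorCode", "")
    if err.endswith("UnauthorizedOperation") or err.startswith("AccessDenied"):
        alerts.append("UnauthorizedAPICall")
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        alerts.append("ConsoleLoginWithoutMFA")
    if name in CLOUDTRAIL_EVENTS:
        alerts.append("CloudTrailConfigChange")
    if name in IAM_POLICY_EVENTS:
        alerts.append("IAMPolicyChange")
    if name in SG_EVENTS:
        alerts.append("SecurityGroupChange")
    return alerts


def scan(log_body: str) -> dict:
    """Count alarms per type across one CloudTrail log file body."""
    counts = {}
    for record in json.loads(log_body)["Records"]:
        for alert in classify(record):
            counts[alert] = counts.get(alert, 0) + 1
    return counts


# Constructed sample: five records, four of which should raise something.
SAMPLE_LOG = json.dumps({"Records": [
    # root console login without MFA
    {"eventTime": "2018-06-07T14:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "222222222222", "arn": "arn:aws:iam::222222222222:root"},
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    # an IAM user turns trail logging off
    {"eventTime": "2018-06-07T14:05:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.11",
     "requestParameters": {"name": "org-trail"}},
    # an assumed role probes an API it is not allowed to call
    {"eventTime": "2018-06-07T14:06:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::222222222222:assumed-role/ReadOnly/bob"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    # security group change
    {"eventTime": "2018-06-07T14:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d4e5f60003"}},
    # routine deployment by the CI role: nothing to alert on
    {"eventTime": "2018-06-07T14:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/CodeBuildDeploy/build"}},
]})

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

In production these rules live as metric filters on the CloudWatch Logs group the trail feeds, with one alarm per filter; the classifier is the same logic in a form you can run over the S3 log archive in the Logging account to back-test an alarm or to produce evidence for an auditor that an event would have been caught.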
  57–63. Application Account network diagram (repeated across seven slides, no text beyond the labels): Public Subnets and Private Subnets across AZ 1, AZ 2 and AZ 3.
  64. Encryption
     ● Encrypt everything at rest and in transit
     ● Rely on KMS where possible
     ● ACM & Route53 (or Let’s Encrypt) make HTTPS easy
  65. What to Expect (progress): ✓ Who is this talk for? ✓ What is compliance & why should you care? ✓ Change Management ✓ AWS Account Organization ✓ Access Control ✓ Monitoring & Logging ✓ Encryption. Next: Availability & Durability
  66. Availability and Durability
     ● Multi-AZ everywhere
     ● Cross-region backups, re-encrypted with KMS
  67. What to Expect (progress): ✓ Who is this talk for? ✓ What is compliance & why should you care? ✓ Change Management ✓ AWS Account Organization ✓ Access Control ✓ Monitoring & Logging ✓ Encryption ✓ Availability & Durability. Next: Vulnerabilities & Malware
  68–73. Application Account hardening (the same network diagram, annotated step by step): workloads sit in the Private Subnets across AZ 1–3 and are Immutable: Rebuild & Replace rather than patch in place; a Patch & CVE Feed opens tickets in the Ticketing System; instances run a Read Only FS with a Short Lifetime; No SSH; Security Groups and AWS WAF guard the edge.
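The No SSH and Security Groups annotations, as an added example (not code from the talk): a Python audit over the output of `aws ec2 describe-security-groups` that flags any ingress rule reaching port 22, from any source, and any rule open to the whole internet other than the single public port in front of the load balancer. SAMPLE_GROUPS is a constructed response; the group IDs, names and CIDRs are placeholders.

```python
"""Audit EC2 security groups for two rules from the slide: no SSH anywhere,
and nothing open to the world except the public entry point.

Added example, not code from the talk. SAMPLE_GROUPS is a constructed
`aws ec2 describe-security-groups` response with placeholder IDs and CIDRs.
"""
WORLD = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22


def _port_range(perm: dict):
    # IpProtocol "-1" means all protocols and all ports; FromPort/ToPort are absent.
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _sources(perm: dict):
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for r in perm.get("UserIdGroupPairs", []):
        yield r["GroupId"]  # another security group as the source


def audit_security_groups(describe_output: dict, public_ports=(80, 443)) -> list:
    """Return (group id, finding, detail) tuples.

    - "ssh-allowed": a TCP or all-protocol ingress rule whose range covers port 22,
      whatever the source; with immutable instances there is nothing to SSH into.
    - "world-open": a 0.0.0.0/0 or ::/0 source on anything but a single port
      from public_ports (the load balancer / WAF entry point).
    """
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = _port_range(perm)
            for src in _sources(perm):
                if proto in ("tcp", "-1") and lo <= SSH_PORT <= hi:
                    findings.append((sg["GroupId"], "ssh-allowed", src))
                if src in WORLD and not (lo == hi and lo in public_ports):
                    findings.append((sg["GroupId"], "world-open", f"{src} {proto} {lo}-{hi}"))
    return findings


# Constructed sample: a public ALB group, a private app group fed only by the
# ALB group, a bastion that still allows SSH, and a legacy group open to everything.
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "alb-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "app-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001", "UserId": "222222222222"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "bastion-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}]},
]}

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(*finding)
```

Wired into the same pipeline that deploys the CloudFormation stacks, a non-empty finding list fails the build; AWS Config rules can watch for the same drift after deployment, and the finding tuples map directly onto tickets.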
  74. Vulnerabilities & Malware
     ● Automate building new AMIs and Docker images for each release
     ● Use services to scan for and notify you of new CVEs or patches
     ● Use the Amazon Linux AMI Security (ALAS) site and RSS feed
     ● Regular penetration tests
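Turning the ALAS RSS feed into tickets, as an added example (not code from the talk): a Python parser for the feed that matches each advisory against the package inventory of the current AMI and produces a ticket title per hit, so a new advisory for an installed package becomes a rebuild-and-replace ticket instead of a manual check. SAMPLE_FEED is a constructed document in the shape of the ALAS feed (assumed to be served at https://alas.aws.amazon.com/alas.rss); the ALAS and CVE numbers in it are placeholders, not real advisories.

```python
"""Match the Amazon Linux security advisory (ALAS) RSS feed against the packages
installed on the current AMI and emit one ticket title per hit.

Added example, not code from the talk. SAMPLE_FEED is constructed in the shape
of the ALAS feed; its advisory and CVE numbers are placeholders. A real run would
fetch the feed and take the inventory from `rpm -qa --qf '%{NAME}\n'` on the AMI.
"""
import re
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"low": 0, "medium": 1, "important": 2, "critical": 3}
# Feed titles look like "ALAS-YYYY-NNNN (severity): pkg1, pkg2"
TITLE_RE = re.compile(r"^(ALAS-\d{4}-\d+)\s+\((\w+)\):\s*(.+)$")

SAMPLE_FEED = """<rss version="2.0"><channel>
<title>Amazon Linux AMI Security Bulletins</title>
<item><title>ALAS-2018-0001 (important): kernel</title>
<link>https://alas.aws.amazon.com/ALAS-2018-0001.html</link>
<description>CVE-2018-000001, CVE-2018-000002</description>
<pubDate>Thu, 07 Jun 2018 00:00:00 GMT</pubDate></item>
<item><title>ALAS-2018-0002 (medium): httpd24, mod24_ssl</title>
<link>https://alas.aws.amazon.com/ALAS-2018-0002.html</link>
<description>CVE-2018-000003</description>
<pubDate>Wed, 06 Jun 2018 00:00:00 GMT</pubDate></item>
<item><title>ALAS-2018-0003 (low): postgresql96</title>
<link>https://alas.aws.amazon.com/ALAS-2018-0003.html</link>
<description>CVE-2018-000004</description>
<pubDate>Tue, 05 Jun 2018 00:00:00 GMT</pubDate></item>
<item><title>ALAS-2018-0004 (medium): openssl</title>
<link>https://alas.aws.amazon.com/ALAS-2018-0004.html</link>
<description>CVE-2018-000005, CVE-2018-000006</description>
<pubDate>Mon, 04 Jun 2018 00:00:00 GMT</pubDate></item>
</channel></rss>"""


def parse_feed(xml_text: str) -> list:
    """Return one dict per advisory: id, severity, packages, cves, link."""
    advisories = []
    for item in ET.fromstring(xml_text).iter("item"):
        match = TITLE_RE.match((item.findtext("title") or "").strip())
        if not match:
            continue  # skip items that do not look like an advisory
        alas_id, severity, packages = match.groups()
        description = item.findtext("description") or ""
        advisories.append({
            "id": alas_id,
            "severity": severity.lower(),
            "packages": [p.strip() for p in packages.split(",")],
            "cves": re.findall(r"CVE-\d{4}-\d+", description),
            "link": (item.findtext("link") or "").strip(),
        })
    return advisories


def match_inventory(advisories: list, installed, min_severity: str = "medium") -> list:
    """Advisories that touch an installed package, most severe first."""
    floor = SEVERITY_RANK[min_severity]
    hits = []
    for adv in advisories:
        if SEVERITY_RANK.get(adv["severity"], 0) < floor:
            continue
        affected = sorted(set(adv["packages"]) & set(installed))
        if affected:
            hits.append({**adv, "affected": affected})
    return sorted(hits, key=lambda a: SEVERITY_RANK.get(a["severity"], 0), reverse=True)


def ticket_summary(hit: dict) -> str:
    """One-line ticket title for the tracking system."""
    return (f"[{hit['severity']}] {hit['id']}: rebuild AMI for "
            f"{', '.join(hit['affected'])} ({', '.join(hit['cves'])})")


if __name__ == "__main__":
    inventory = {"kernel", "openssl", "mod24_ssl", "bash"}  # placeholder inventory
    for hit in match_inventory(parse_feed(SAMPLE_FEED), inventory):
        print(ticket_summary(hit), hit["link"])
```

Run it on a schedule against the live feed with the package list baked into each AMI build; because the fix is a new AMI rather than an in-place patch, the ticket closes when the release that rebuilt the image goes through the normal change pipeline.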
  75–76. Resources
     ● Center for Internet Security (CIS) AWS Benchmarks: https://www.cisecurity.org/benchmark/amazon_web_services/
     ● AWS CIS Benchmark QuickStart: https://github.com/awslabs/aws-security-benchmark
     ● CloudFormation template for CloudTrail alarms: https://github.com/aws-samples/aws-cloudtrail-analyzer-workshop/blob/master/README.md
  77. Conclusion
     ● Agile vs. compliance is a false choice
     ● Don’t be afraid of compliance
     ● Some simple best practices will get you most of the way there
     ● Invest in change management first
     ● Earn your customers’ trust!
  78. Keep in Touch: https://catalytic.com, @wearecatalytic, ben@catalytic.com, @stochastic_code
  79. Questions
