Splitting the Check on Compliance and Security

Abbreviated version of my 2015 AWS Re:invent talk. Presented at Futurestack 2015.

  1. Splitting the Check on Compliance and Security
     Jason Chan, Engineering Director, Cloud Security, @chanjbs
  2. 2015 for Developers
  3. 2015 for Auditors and Security Teams
  4. The Problem
  5. Incentives and Perspectives
     Developers
     • Incentives: speed, features
     • Want: freedom to innovate, new technology
     Auditors
     • Incentives: compliance with regulatory obligations, verifiable processes
     • Want: well-known technology, predictability and stability
  6. The Resolution
  7. "You build it, you run it." (Werner Vogels, Amazon CTO, June 2006)
  8. Who Cares About These Answers?
     • When did that code change?
     • Who made the change?
     • Who logged in to that host?
     • What did they do?
     • Who pushed that code?
     • When was this dependency introduced?
     • Was that build tested before deployment?
     • What were the test results?
  9. Before and After (diagram: developers and auditors shown apart before, auditor and dev side by side after)
  10. How Do We Get There?
  11. Two Approaches to Compliance
  12. Pillars for Effective, Efficient, and Flexible Compliance
  13. The Pillars
     1. Traceability in development
     2. Continuous security visibility
     3. Compartmentalization
  14. Discussion Format
  15. Traceability in Development
  16. Common Audit Requirements for Software Development
     • Review changes.
     • Track changes.
     • Test changes.
     • Deploy only approved code.
     • For all actions: who did it, and when?
  17. Spinnaker for Continuous Deployment
     • Customizable deployment pipelines (workflows), based on team requirements
     • Single interface to the entire deployment process
     • Answers who, what, when, and why
     • For developers and auditors
  18. Spinnaker: Compliance-Relevant Features
     • Integrated access to development artifacts: pull requests, test results, build artifacts, etc.
     • Push authorization
     • Restricted deployment windows (time, region)
     • Deployment notifications
  19. Spinnaker: App-Centric View and Multistage Pipeline (screenshot callouts: multiple deployment stages, automated and manual; a failed test means do not proceed; application-specific components; links to the build (Jenkins CI) and the code changes (Stash))
  20. Automated Canary Analysis (screenshot callouts: canary test score, result, link to details)
  21. Manual Approval (Optional)
  22. Restricted Deployment Window (Optional)
  23. Restricted Deployment Window (Optional)
  24. Deployment Notification (Optional)
  25. Spinnaker vs. Manual Deployments
     • Deployment is independent of languages and other underlying technology: Java, Python, Linux, Windows, ...
     • Multiple stages of automated testing: integration, security, functional, production canary.
     • Fully traceable pipeline: changes and change drivers are fully visible; all artifacts and test results are available.
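The pipeline controls on slides 17 to 25 (push authorization, an independent review, a failed stage that stops the pipeline, a restricted deployment window by time and region) are each a check over data the pipeline already holds, and the same evaluation yields the who/what/when/why record an auditor asks for. The following added example is written for this page and is not Spinnaker code: a Python gate evaluated over a constructed deployment request. The DEPLOYERS list, the WINDOW definition, the field names and the sample requests are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical push-authorization list: which identities may deploy which app.
DEPLOYERS = {"billing": {"alice", "bob"}}

# Hypothetical restricted deployment window: weekdays 09:00-17:00 UTC for the
# listed regions; a region not listed has no window.
WINDOW = {
    "days": {0, 1, 2, 3, 4},          # Monday..Friday
    "start_hour": 9,
    "end_hour": 17,
    "regions": {"us-east-1", "eu-west-1"},
}


@dataclass
class DeployRequest:
    app: str
    artifact: str             # build artifact, e.g. "billing-1.4.2.jar"
    commit: str               # git sha the artifact was built from
    pr_approved_by: list      # reviewers who approved the pull request
    test_results: dict        # stage name -> "passed" or "failed"
    region: str
    requested_by: str
    requested_at: datetime    # timezone-aware, UTC


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    audit: dict = field(default_factory=dict)


def in_window(ts: datetime, region: str) -> bool:
    """True if ts falls inside the deployment window that applies to region."""
    if region not in WINDOW["regions"]:
        return True
    return ts.weekday() in WINDOW["days"] and WINDOW["start_hour"] <= ts.hour < WINDOW["end_hour"]


def evaluate(req: DeployRequest) -> Decision:
    """Apply the pipeline's compliance gates and build the audit record."""
    reasons = []
    # Push authorization: only listed deployers may push this app.
    if req.requested_by not in DEPLOYERS.get(req.app, set()):
        reasons.append(f"{req.requested_by} is not authorized to deploy {req.app}")
    # Review changes / deploy only approved code: someone other than the pusher approved.
    if not any(r != req.requested_by for r in req.pr_approved_by):
        reasons.append("no independent pull-request approval")
    # Test changes: any failed stage stops the pipeline.
    failed = sorted(stage for stage, result in req.test_results.items() if result != "passed")
    if failed:
        reasons.append("failed stages: " + ", ".join(failed))
    # Restricted deployment window (time, region).
    if not in_window(req.requested_at, req.region):
        reasons.append(f"outside the deployment window for {req.region}")
    audit = {
        "who": req.requested_by,
        "what": f"{req.app} {req.artifact} built from {req.commit}",
        "when": req.requested_at.isoformat(),
        "where": req.region,
        "why": "pull request approved by " + ", ".join(req.pr_approved_by),
        "tests": dict(req.test_results),
        "decision": "allow" if not reasons else "deny",
        "reasons": list(reasons),
    }
    return Decision(allowed=not reasons, reasons=reasons, audit=audit)


def sample_requests() -> dict:
    """Constructed requests for illustration; not real deployments."""
    tests_ok = {"integration": "passed", "security": "passed", "canary": "passed"}
    good = DeployRequest("billing", "billing-1.4.2.jar", "3f2a9c1", ["bob"], tests_ok,
                         "us-east-1", "alice", datetime(2015, 10, 13, 14, 0, tzinfo=timezone.utc))
    # Unauthorized pusher approving her own PR, a failed canary, on a Saturday.
    bad = DeployRequest("billing", "billing-1.4.3.jar", "b77e0d4", ["carol"],
                        {**tests_ok, "canary": "failed"}, "us-east-1", "carol",
                        datetime(2015, 10, 17, 14, 0, tzinfo=timezone.utc))
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = evaluate(req)
        print(name, d.audit["decision"], d.reasons)
```

Every denial reason is recorded in the same audit dict as an allow, so the record an auditor reads for "deploy only approved code" is the record the pipeline used to decide; the "bad" request trips all four gates at once.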
  26. Control Mapping
     Control         Description
     PCI 6.3.2       Perform code reviews prior to release.
     PCI 6.4.5       Test changes to verify no adverse security impact.
     COBIT BAI03.08  Execute solution testing.
  27. Continuous Security Visibility
  28. Issues with Application Security Risk Management
     • Spreadsheets and surveys!
     • Human driven.
     • Presuppose managed intake.
     • One-time vs. continuous.
  29. Penguin Shortbread: Automated Risk Analysis for Microservice Architectures
     • Analyze microservice connectivity.
     • Passively monitor app and cloud configuration.
     • Develop risk scoring based on observations.
  30. Application Risk Metric (screenshot callouts: metric summary, metric algorithm, scoring)
  31. Application Risk Rollup (screenshot callouts: metrics, risk metrics by region/environment)
  32. Control Mapping
     Control      Description
     PCI 1.2.1    Restrict traffic to that which is necessary.
     PCI 12.2     Implement a risk-assessment process.
     APO 12.03    Maintain a risk profile.
  33. Compartmentalization
  34. Compartmentalization
     • Resilience: limit blast radius
     • Confidentiality: need to know
  35. Monolithic Card Processing in the Data Center (diagram): the user signs up or changes a credit card through the web server; the payments application stores and retrieves the card in an encrypted credit card database (name and encrypted CC, e.g. John Doe, XXXXXXXXXX) backed by an HSM; the same application handles real-time and batch authorization with payment processors and partners, plus tax, analytics, fraud, etc.
  36. Microservices and Tokenization in AWS (diagram): the user signs up or changes a credit card through the web server; the payment application calls a token service; the token service encrypts the card through a crypto proxy in front of CloudHSM and keeps it in the token vault (token db: token abc123, encrypted CC XXXXXXXXXX); the payments db holds only name and token (John Doe, abc123).
  37. Control Mapping
     Control      Description
     PCI 2.2      Implement one primary function per server.
     DSS05.02     Manage network and connectivity security.
     DSS05.03     Manage endpoint security.
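The tokenized design on slide 36 keeps the card number inside the token service and vault, hands the payments db an opaque token, and limits who may turn a token back into a card number. The following added example, written for this page and not Netflix code, walks through that split in Python: an HSM stand-in built on the standard library (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; a real CloudHSM would supply its own AEAD such as AES-GCM), a token service with a need-to-know allowlist for detokenization, and a payments db row that holds only the token and last four digits. The caller names, the DETOKENIZE_ALLOWED list and the test card number are assumptions.

```python
import hashlib
import hmac
import secrets


class HsmStandIn:
    """Stand-in for the HSM / CloudHSM in the diagram: holds the keys and exposes
    only encrypt and decrypt. PRF-in-counter-mode plus encrypt-then-MAC, so it
    runs on the standard library; not a replacement for the HSM's own AEAD."""

    def __init__(self):
        self._enc_key = secrets.token_bytes(32)
        self._mac_key = secrets.token_bytes(32)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)          # fresh per call, never reused
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("token vault record failed authentication")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


class TokenService:
    """Token service plus token vault: the only component that ever sees a PAN."""

    # Need to know (hypothetical): only the processor integration may detokenize.
    DETOKENIZE_ALLOWED = {"processor-gateway"}

    def __init__(self, hsm: HsmStandIn):
        self._hsm = hsm
        self._vault = {}   # token -> encrypted PAN

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("not a card number")
        token = secrets.token_urlsafe(16)       # random; carries no PAN information
        self._vault[token] = self._hsm.encrypt(pan.encode())
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self.DETOKENIZE_ALLOWED:
            raise PermissionError(f"{caller} may not detokenize")
        return self._hsm.decrypt(self._vault[token]).decode()

    def vault_record(self, token: str) -> bytes:
        return self._vault[token]


class PaymentsDb:
    """The payments db from the diagram: name, token and last four digits only."""

    def __init__(self, token_service: TokenService):
        self._tokens = token_service
        self.rows = {}

    def store_card(self, name: str, pan: str) -> str:
        token = self._tokens.tokenize(pan)
        self.rows[name] = {"token": token, "last4": pan[-4:]}
        return token


def demo(pan: str = "4111111111111111") -> dict:
    """Constructed walk-through with a well-known test card number."""
    hsm, = (HsmStandIn(),)
    svc = TokenService(hsm)
    db = PaymentsDb(svc)
    token = db.store_card("John Doe", pan)
    try:                                         # analytics gets tokens, not PANs
        svc.detokenize(token, "analytics")
        analytics_denied = False
    except PermissionError:
        analytics_denied = True
    tampered = bytearray(svc.vault_record(token))
    tampered[20] ^= 0x01                         # flip a ciphertext bit in the vault
    try:
        hsm.decrypt(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "token": token,
        "payments_row": db.rows["John Doe"],
        "pan_in_vault_plaintext": pan.encode() in svc.vault_record(token),
        "processor_round_trip": svc.detokenize(token, "processor-gateway") == pan,
        "analytics_denied": analytics_denied,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

A dump of the payments db yields names and tokens, not card numbers, and a dump of the vault yields ciphertext, which is the blast-radius argument of slide 34 in code; the allowlist check is the need-to-know half, and the tag check is what keeps a modified vault record from decrypting to an attacker-chosen value.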
  38. Wrapping Up!
     • Limit investments in approaches that meet narrow regulatory needs.
     • Embrace core security design and operational principles.
     • Focus on tools and techniques that serve multiple audiences.
  39. Thank you! @chanjbs