Splitting the Check on Compliance and Security

Abbreviated version of my 2015 AWS Re:invent talk. Presented at Futurestack 2015.


  1. Splitting the Check on Compliance and Security
     Jason Chan, Engineering Director – Cloud Security, @chanjbs
  2. 2015 for Developers
  3. 2015 for Auditors and Security Teams
  4. The Problem
  5. Incentives and Perspectives
     Developers:
       Incentives: • Speed • Features
       Want: • Freedom to innovate • New technology
     Auditors:
       Incentives: • Compliance with regulatory obligations • Verifiable processes
       Want: • Well-known technology • Predictability and stability
  6. The Resolution
  7. “You build it, you run it.” – Werner Vogels, Amazon CTO (June 2006)
  8. Who Cares About These Answers?
     • When did that code change?
     • Who made the change?
     • Who logged in to that host?
     • What did they do?
     • Who pushed that code?
     • When was this dependency introduced?
     • Was that build tested before deployment?
     • What were the test results?
  9. Before: Developers and Auditors. After: AuditorDev (Auditor + Dev).
  10. How Do We Get There?
  11. Two Approaches to Compliance
  12. Pillars for Effective, Efficient, and Flexible Compliance
  13. The Pillars
     1. Traceability in development
     2. Continuous security visibility
     3. Compartmentalization
  14. Discussion Format
  15. Traceability in Development
  16. Common Audit Requirements for Software Development
     • Review changes.
     • Track changes.
     • Test changes.
     • Deploy only approved code.
     • For all actions:
       • Who did it?
       • When?
  17. Spinnaker for Continuous Deployment
     • Customizable development pipelines (workflows)
       • Based on team requirements
     • Single interface to entire deployment process
     • Answers who, what, when, and why
       • For developers and auditors
  18. Spinnaker: Compliance-Relevant Features
     • Integrated access to development artifacts
       • Pull requests, test results, build artifacts, etc.
     • Push authorization
     • Restricted deployment windows (time, region)
     • Deployment notifications
  19. Spinnaker: App-Centric View & Multistage Pipeline (screenshot callouts)
     • Multiple deployment stages: automated and manual
     • Failed test, do not proceed
     • Application-specific components
     • Link to build (Jenkins CI), code changes (Stash)
  20. Automated Canary Analysis (screenshot callouts: canary test score, link to details, result)
  21. Manual Approval (Optional)
  22. Restricted Deployment Window (Optional)
  23. Restricted Deployment Window (Optional)
  24. Deployment Notification (Optional)
  25. Spinnaker vs. Manual Deployments
     • Deployment is independent of languages and other underlying technology.
       • Java, Python, Linux, Windows…
     • Multiple stages of automated testing.
       • Integration, security, functional, production canary.
     • Fully traceable pipeline.
       • Changes and change drivers are fully visible.
       • All artifacts and test results available.
  26. Control Mapping
     Control          Description
     PCI 6.3.2        Perform code reviews prior to release.
     PCI 6.4.5        Test changes to verify no adverse security impact.
     COBIT BAI03.08   Execute solution testing.
  27. Continuous Security Visibility
  28. Issues with Application Security Risk Management
     • Spreadsheets and surveys!
     • Human driven.
     • Presuppose managed intake.
     • One-time vs. continuous.
  29. Penguin Shortbread – Automated Risk Analysis for Microservice Architectures
     • Analyze microservice connectivity.
     • Passively monitor app and cloud configuration.
     • Develop risk scoring based on observations.
  30. Application Risk Metric (screenshot callouts: metric summary, metric algorithm, scoring)
  31. Application Risk Rollup (screenshot callouts: metrics, risk metrics by region/environment)
  32. Control Mapping
     Control      Description
     PCI 1.2.1    Restrict traffic to that which is necessary.
     PCI 12.2     Implement a risk-assessment process.
     APO 12.03    Maintain a risk profile.
  33. Compartmentalization
  34. Compartmentalization
     Resilience: Limit blast radius. Confidentiality: Need to know.
  35. Monolithic Card Processing in the Data Center (diagram)
     Components: User, Web server, Payments application, Encrypted credit card database (HSM), Payment processors and partners.
     Flows: Sign up/change CC; Store/retrieve CC; Real-time/batch auth; Tax, analytics, fraud, etc.
     Credit card database row: Name | Encrypted CC: John Doe | XXXXXXXXXX
  36. Microservices and Tokenization in AWS (diagram)
     Components: User, Web server, Payment application, Payments db, Token service, Token vault (Token db), Crypto proxy, CloudHSM.
     Flow: Sign up/change CC.
     Payments db row: Name | Token: John Doe | abc123
     Token db row: Token | Encrypted CC: abc123 | XXXXXXXXXX
  37. Control Mapping
     Control     Description
     PCI 2.2     Implement one primary function per server.
     DSS05.02    Manage network and connectivity security.
     DSS05.03    Manage endpoint security.
  38. Wrapping Up!
     • Limit investments in approaches that meet narrow regulatory needs.
     • Embrace core security design and operational principles.
     • Focus on tools and techniques that serve multiple audiences.
  39. Thank you! @chanjbs - chan@netflix.com
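Slides 16 through 25 describe what a compliance-friendly pipeline has to enforce and record: automated test and canary stages that stop the run on failure ("failed test, do not proceed"), optional manual approval, restricted deployment windows by time and region, deployment notifications, and a trail that answers who, what, when and why for every action. The Go program below is an added example written for this page to show those gates as code; it is not Spinnaker's code. The stage names, the canary threshold of 90, the 09:00 to 17:00 UTC window for us-east-1, and the PR-123 / alice / bob values are all constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Outcome of a stage: Failed means an automated check failed, Blocked means a
// policy gate (manual approval, deployment window) was not satisfied.
type Outcome string

const Passed, Failed, Blocked Outcome = "passed", "failed", "blocked"

// RunContext holds the facts a run is judged on. In a real system they come
// from CI, canary analysis and the approval UI; the demo constructs them.
type RunContext struct {
	Change      string    // change identifier, e.g. a pull request id
	Pusher      string    // who triggered the push (push authorization)
	Region      string    // target region
	Now         time.Time // time of the deploy attempt
	TestsPass   bool      // result of the automated test stage
	CanaryScore int       // automated canary analysis score, 0-100
	ApprovedBy  string    // manual approver; empty if nobody approved
}

// AuditEvent is one row of the trail: who, what, when, and why.
type AuditEvent struct {
	When               time.Time
	Who, Stage, Change string
	Outcome            Outcome
	Why                string
}

// DeployWindow restricts deployments to listed regions and UTC hours [Start, End).
type DeployWindow struct {
	Regions    map[string]bool
	Start, End int
}

func (w DeployWindow) Allows(region string, at time.Time) bool {
	h := at.UTC().Hour()
	return w.Regions[region] && h >= w.Start && h < w.End
}

// Stage is one gate: Check returns the outcome, who is accountable, and why.
type Stage struct {
	Name  string
	Check func(RunContext) (Outcome, string, string)
}

func verdict(ok bool, fail Outcome, who, okWhy, failWhy string) (Outcome, string, string) {
	if ok {
		return Passed, who, okWhy
	}
	return fail, who, failWhy
}

// NewPipeline builds tests -> canary -> manual approval -> deploy. The canary
// threshold of 90 is a constructed value for the demo.
func NewPipeline(w DeployWindow) []Stage {
	return []Stage{
		{"automated-tests", func(c RunContext) (Outcome, string, string) {
			return verdict(c.TestsPass, Failed, "ci", "all tests passed", "failed test, do not proceed")
		}},
		{"canary-analysis", func(c RunContext) (Outcome, string, string) {
			why := fmt.Sprintf("canary score %d (threshold 90)", c.CanaryScore)
			return verdict(c.CanaryScore >= 90, Failed, "canary", why, why)
		}},
		{"manual-approval", func(c RunContext) (Outcome, string, string) {
			return verdict(c.ApprovedBy != "", Blocked, c.ApprovedBy, "approved", "no manual approval recorded")
		}},
		{"deploy", func(c RunContext) (Outcome, string, string) {
			why := fmt.Sprintf("%s at %02d:00 UTC", c.Region, c.Now.UTC().Hour())
			return verdict(w.Allows(c.Region, c.Now), Blocked, c.Pusher, "deployed "+why, "outside deployment window: "+why)
		}},
	}
}

// Execute runs the stages in order and stops at the first gate that does not
// pass. The trail and one notification per stage are returned even when the
// run stops early, so a blocked or failed attempt is as traceable as a success.
func Execute(stages []Stage, c RunContext) (trail []AuditEvent, notices []string, err error) {
	for _, s := range stages {
		outcome, who, why := s.Check(c)
		trail = append(trail, AuditEvent{c.Now, who, s.Name, c.Change, outcome, why})
		notices = append(notices, fmt.Sprintf("%s %s %s by %q: %s", c.Change, s.Name, outcome, who, why))
		if outcome != Passed {
			return trail, notices, errors.New(s.Name + " " + string(outcome) + ": " + why)
		}
	}
	return trail, notices, nil
}

func main() {
	stages := NewPipeline(DeployWindow{Regions: map[string]bool{"us-east-1": true}, Start: 9, End: 17})
	_, notices, err := Execute(stages, RunContext{Change: "PR-123", Pusher: "alice", Region: "us-east-1",
		Now: time.Date(2015, 10, 8, 10, 0, 0, 0, time.UTC), TestsPass: true, CanaryScore: 95, ApprovedBy: "bob"})
	fmt.Println(len(notices), "stages ran, err =", err)
}
```

The point of returning the trail even on a stopped run is the auditor's side of slide 16: a blocked deployment outside the window, or a run halted by a failed test, leaves the same who/what/when/why record as a successful one, and the notification list is what the "deployment notification" stage would send.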
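Slide 36's tokenized design splits card data across components: the payments db holds a name and a token, the token vault holds the token and the encrypted card number, and a crypto proxy in front of CloudHSM is the only place keys live, so the web server and most of the payment path never need to know the card number. The Go program below is an added example written for this page, not Netflix's code. It stands in for the crypto proxy and CloudHSM with an in-memory AES-256-GCM key, uses a random 128-bit token so the token reveals nothing about the card, binds the token into the ciphertext as associated data so a row cannot be silently swapped, and uses a constructed test card number; all of those are assumptions of the demo, not details from the talk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CryptoProxy stands in for the slide's crypto proxy backed by CloudHSM: the
// only component that holds key material.
type CryptoProxy struct{ aead cipher.AEAD }

func NewCryptoProxy() *CryptoProxy {
	key := make([]byte, 32) // demo key; a real deployment keeps it inside the HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(key) // errors only for an invalid key size
	aead, _ := cipher.NewGCM(block)
	return &CryptoProxy{aead: aead}
}

// Encrypt returns nonce||ciphertext under AES-GCM. The token is bound in as
// associated data, so a ciphertext copied onto another token's row fails to open.
func (p *CryptoProxy) Encrypt(token, pan string) ([]byte, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return p.aead.Seal(nonce, nonce, []byte(pan), []byte(token)), nil
}

func (p *CryptoProxy) Decrypt(token string, blob []byte) (string, error) {
	ns := p.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	pan, err := p.aead.Open(nil, blob[:ns], blob[ns:], []byte(token))
	return string(pan), err
}

// TokenVault is the token service plus token db: token -> encrypted PAN.
type TokenVault struct {
	proxy *CryptoProxy
	rows  map[string][]byte // the "Token db": token -> nonce||ciphertext
}

func NewTokenVault(p *CryptoProxy) *TokenVault {
	return &TokenVault{proxy: p, rows: make(map[string][]byte)}
}

// Tokenize stores the PAN encrypted and returns a random token that carries no
// information about the card (not a hash, not format-preserving encryption).
func (v *TokenVault) Tokenize(pan string) (string, error) {
	raw := make([]byte, 16) // 128 random bits: collisions are not a practical concern
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := fmt.Sprintf("%x", raw)
	blob, err := v.proxy.Encrypt(tok, pan)
	if err != nil {
		return "", err
	}
	v.rows[tok] = blob
	return tok, nil
}

// Detokenize is the only path back to the PAN; in the slide's design only the
// payment application's calls to processors should be allowed to reach it.
func (v *TokenVault) Detokenize(tok string) (string, error) {
	blob, ok := v.rows[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return v.proxy.Decrypt(tok, blob)
}

// PaymentsDB is the slide's payments db: name -> token, never a card number.
type PaymentsDB map[string]string

// SignUp is the "sign up / change CC" flow: the web server hands the PAN to
// the vault and only the returned token is written to the payments db.
func SignUp(v *TokenVault, db PaymentsDB, name, pan string) (string, error) {
	tok, err := v.Tokenize(pan)
	if err != nil {
		return "", err
	}
	db[name] = tok
	return tok, nil
}

func main() {
	vault, db := NewTokenVault(NewCryptoProxy()), PaymentsDB{}
	tok, _ := SignUp(vault, db, "John Doe", "4111111111111111") // constructed test PAN
	pan, _ := vault.Detokenize(tok)
	fmt.Println("payments db:", db, "| vault detokenizes", tok, "to", pan)
}
```

This is what slide 37's control mapping buys at the data layer: the payments db, and every service that reads it, is out of scope for the card number entirely, and the blast radius of a compromised payments db is a list of tokens that only the vault (behind its own access control) can turn back into cards.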