AWS Cloud Governance & Security through Automation - Atlanta AWS Builders

James Strong, Cloud Native Director at Contino

Atlanta AWS Builders - AWS Cloud Governance & Security through Automation
Jason Lutz - DevOps Consultant
James Strong - Cloud Native Director
8/20/2020
Agenda
01 | Introduction to Contino
02 | DevSecOps Intro
03 | Compliance & Governance at the Enterprise Level
04 | Cloud Service Provider and Account Security
05 | Network & Workload Security
A Brief History of Time
Contino is a global Digital Transformation Consultancy. We specialize in helping highly-regulated enterprises transform faster, modernizing their product delivery with Cloud Computing, Data & FinOps.
Timeline: Founded 2014; First Customers (Financial Services); Global Offices; October 2019.
● 360~ people
● 500+ engagements
● 250+ customers
Key Industries
● Manufacturing
● Banking & Financial Services
● Telecommunications
● Public Sector & Healthcare
● Travel & Transport
Speakers
The DevSecOps & Cyber Security Practice
Where can Contino optimise your security posture? We treat security as a first class citizen.

1 | Security Advisory & Education
Learn new skills and prepare for constantly evolving adversaries. Setting the right path to remain secure in a rapidly evolving digital environment and establishing a baseline security posture.

2 | Security Operating Model
Establish team structures and operating procedures for a proactive posture. Right-sized, structured and skilled workforces to support multi-speed enterprise delivery. Move fast and remain secure.

3 | Security & Risk Management
Apply evidence-based controls and governance that are supported by data and industry best practice. Regulatory-aligned governance frameworks that provide rigour & control, with speed in mind.

4 | Security Engineering
Best-of-breed cloud native security solutions, underpinned by Red/Blue Team concepts. Proactive security solutions, integrated with detection, prevention and notification systems that have automation at their core.

5 | Security Enabled Lighthouse Projects
New working practices, tooling and team structures to reduce MTTD of security vulnerabilities and attacks. Building upon the foundational security posture by introducing Security Chaos Engineering and patterns to support advanced attacker techniques across your technology estate.

Example Customer Outcomes:
● 60% effort reduction in administering security controls through automated solutions.
● 65% faster MTTD and remediation of security vulnerabilities.
● 16,000 person days saved by automating risk management controls.
● Remediation of critical vulnerabilities to offset instances of crypto-mining and ransomware.
● 100% compliance rating with CIS & NIST benchmarks.
● Industry-leading security posture as validated by 3rd party auditors across FS, Healthcare and Public Sector.
Traditional Security vs DevSecOps - DevSecOps 101
(The slide shows the two pipelines side by side as a diagram.)

Traditional security: security is a final hurdle, a set of gated checks added to the end of the process.
Security Requirements Documentation → Development → Manual Security Tests → Manual Penetration Tests → Manual Checks → Exceptions → Manual Signoffs → Re-Work → Deploy? X

DevSecOps: security is properly integrated into the software development lifecycle (SDLC). Early, fast feedback is valued over retrospective corrections.
Development → Commit → Build → Test → Deploy
● Automated Tests
● Automated Security
● Early Feedback
● Security Validation
● Code Quality Validation
● Security Policy Checks
● Automated Builds
● Automated Deployment
● All changes treated as code
Benefits of DevSecOps
● Speed of Delivery
● Speed of Recovery
● Immutable Infrastructure
● Security Auditing, Monitoring, and Notification Systems
● Security is Federated
● DevSecOps Fosters a Culture of Openness and Transparency

Creating A Culture of Security - DevSecOps 101
A DevSecOps culture means:
● Communication
● Customer Focused Organization
● Agility and Security
● Ownership
“Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.” - MIT Professor Jerome Saltzer.
AWS Shared Responsibility Model
Source: https://aws.amazon.com/compliance/shared-responsibility-model/
Enterprise Security Compliance
(The slide nests the three layers: Enterprise Security Compliance contains the Cloud Security Program, which contains Workload & Network Security.)
Enterprise Security Compliance:
● Security Program
● Security Framework
Cloud Security Program:
● Cloud Security Posture Management
● Workload and Network Security
NIST CSF
➔ Framework Tiers
➔ Tier 1: Partial
➔ Tier 2: Risk Informed
➔ Tier 3: Repeatable
➔ Tier 4: Adaptive
Compliance & Governance (NIST CSF functions mapped to AWS services)
Identify: Security Hub, Organizations, Control Tower, Trusted Advisor, Service Catalog, Config, Systems Manager
Protect: VPC, IoT Device Defender, Direct Connect, Resource Access Manager, Directory Services, AWS Shield, IAM, Secrets Manager, KMS, Cognito, WAF, FW Manager, Cert. Manager, HSM, SSO
Detect: GuardDuty, Macie, Inspector, Security Hub
Respond: Automate with CloudWatch, Systems Manager, Lambda; Investigate with CloudWatch, CloudTrail, Health Dashboard, Route 53
Recover: S3, Glacier
Compliance and Governance on AWS
Services & Tools
● AWS Artifact (Identify)
● AWS CloudTrail (Detect)
● AWS Config (Detect & React)
● AWS Trusted Advisor (Detect)
● AWS Inspector (Detect)
● AWS SSM (Protect & Respond)
● AWS ECR (Detect, Protect)
● AWS CloudWatch (Detect & Respond)
● AWS EBS (Protect)
● AWS S3 (Protect)
● AWS KMS (Protect)
● AWS Security Hub (Identify, Detect, Protect, Respond, Recover)
Best Practices
● AWS Security Best Practices
● AWS Well-Architected Framework
● CIS AWS Benchmarks
AWS Config & Config Aggregator
Cloud Service Provider and Account Security
● Identity and Access Management (IAM) - root account, credentials, password policies, MFA, etc.
● Logging - CloudTrail, CloudWatch, S3 access logs, VPC Flow Logs, KMS/CMKs
● Monitoring - log metrics and alarms on API calls, root usage, S3 changes and network changes
● Networking - check for open ingress, default security group settings, least-access VPC peering
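As an added example, not code from the slides or from Contino, the following Python evaluates a handful of the account checks this slide lists (password policy, root MFA and access keys, default and world-open security groups, CloudTrail coverage and CMK encryption) the way a Prowler run or a custom Config rule would. It assumes the dict layouts of the corresponding boto3 responses, uses the password thresholds of the CIS AWS Foundations Benchmark v1.2, and runs over a constructed snapshot rather than a live account.

```python
# CIS-style AWS account security checks evaluated over API response data.
# Each check takes a dict shaped like the matching boto3 response and returns
# a list of finding strings; the snapshot in sample_snapshot() is constructed.
from typing import Dict, List

# Thresholds from the CIS AWS Foundations Benchmark v1.2 password controls.
MIN_LENGTH, REUSE_PREVENTION, MAX_AGE_DAYS = 14, 24, 90
ADMIN_PORTS = (22, 3389)            # remote-admin ports that must not face the world
ANYWHERE = ("0.0.0.0/0", "::/0")

def check_password_policy(policy: Dict) -> List[str]:
    """Input shaped like iam.get_account_password_policy()['PasswordPolicy']."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        findings.append(f"password policy: minimum length below {MIN_LENGTH}")
    for flag in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                 "RequireNumbers", "RequireSymbols"):
        if not policy.get(flag):
            findings.append(f"password policy: {flag} not enforced")
    if policy.get("PasswordReusePrevention", 0) < REUSE_PREVENTION:
        findings.append(f"password policy: reuse prevention below {REUSE_PREVENTION}")
    if not policy.get("ExpirePasswords") or policy.get("MaxPasswordAge", 0) > MAX_AGE_DAYS:
        findings.append(f"password policy: no expiry within {MAX_AGE_DAYS} days")
    return findings

def check_root_account(summary: Dict) -> List[str]:
    """Input shaped like iam.get_account_summary()['SummaryMap']."""
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root: MFA not enabled")
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root: access keys present")
    return findings

def rule_open_to_world(rule: Dict, port: int) -> bool:
    """True if one IpPermissions entry reaches `port` from any IPv4/IPv6 source."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    if not any(c in ANYWHERE for c in cidrs):
        return False
    if rule.get("IpProtocol") == "-1":          # all protocols, all ports
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)

def check_security_groups(groups: List[Dict]) -> List[str]:
    """Input shaped like ec2.describe_security_groups()['SecurityGroups']."""
    findings = []
    for sg in groups:
        gid = sg.get("GroupId", "?")
        # Every VPC's default group should carry no rules at all.
        if sg.get("GroupName") == "default" and (
                sg.get("IpPermissions") or sg.get("IpPermissionsEgress")):
            findings.append(f"{gid}: default security group has rules")
        for port in ADMIN_PORTS:
            if any(rule_open_to_world(r, port) for r in sg.get("IpPermissions", [])):
                findings.append(f"{gid}: port {port} open to the world")
    return findings

def check_cloudtrail(trails: List[Dict]) -> List[str]:
    """Input shaped like cloudtrail.describe_trails()['trailList']."""
    findings = [f"cloudtrail: trail {t.get('Name')} has no KMS CMK"
                for t in trails if not t.get("KmsKeyId")]
    if not any(t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")
               for t in trails):
        findings.append("cloudtrail: no multi-region trail with log file validation")
    return findings

def run_checks(snapshot: Dict) -> List[str]:
    """Evaluate every check over a snapshot of the four API responses."""
    return (check_password_policy(snapshot["password_policy"])
            + check_root_account(snapshot["account_summary"])
            + check_security_groups(snapshot["security_groups"])
            + check_cloudtrail(snapshot["trails"]))

def sample_snapshot() -> Dict:
    """Constructed data for an account with several typical gaps."""
    return {
        "password_policy": {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
                            "RequireLowercaseCharacters": True, "RequireNumbers": True,
                            "RequireSymbols": False, "PasswordReusePrevention": 24,
                            "ExpirePasswords": True, "MaxPasswordAge": 90},
        "account_summary": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 0},
        "security_groups": [
            {"GroupId": "sg-default01", "GroupName": "default", "IpPermissionsEgress": [],
             "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
            {"GroupId": "sg-web01", "GroupName": "web", "IpPermissionsEgress": [],
             "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
        "trails": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                    "LogFileValidationEnabled": True, "KmsKeyId": None}]}

if __name__ == "__main__":
    for finding in run_checks(sample_snapshot()):
        print("FAIL", finding)
```

To run it against a real account, replace sample_snapshot() with the four boto3 calls named in the docstrings and feed the findings to the same place the slide's demos do (a pipeline gate, or Security Hub via a custom Config rule).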
CIS and Account Security on AWS
CIS Benchmark Demo: Prowler
Multi Account Architecture of Security Hub
Network Security - AWS Security Hub Demo
https://www.contino.io/insights/aws-config-aggregator-compliance
Workload Security
NIST Special Publication 800-190 Application Container Security Guide
● Major Risks for Core Components of Container Technologies
● Countermeasures
● Container Threat Scenarios
● Security Considerations for Container Technology Life Cycles
NIST Special Publication 800-204 Security Strategies for Microservices-based Application Systems
CIS Benchmarks Docker & Kubernetes
CIS Hardening Guides for Operating Systems & Server Applications
Workload Security AWS - Demo Container Security
Contino Approach To DevSecOps
As enterprises move to an infrastructure-as-code approach, they also gain the ability to integrate compliance and security as code into their infrastructure development pipelines. This enables application and infrastructure teams to deliver software innovation in a controlled, secure, compliant and governed manner, using automation rather than manual reviews and audits.
For more thought leadership on DevSecOps please visit the following URLs:
● A Quick Compliance As Code Demo: https://www.contino.io/insights/devsecops-quick-compliance-as-code
● Compliance As Code On AWS: https://www.youtube.com/watch?v=HxFCFaCweIc
● Enter The Vault: https://www.youtube.com/watch?v=e_pBreicARM&t=17s&ab_channel=Contino
● The ‘Why’ & ‘How’ Of DevSecOps: https://www.youtube.com/watch?v=uyGwFytQrNs
● Introduction To DevSecOps White Paper: https://www.contino.io/resources/devsecops-best-practice-guide
Thank You
contino.io | continohq | contino
Atlanta - atlanta@contino.io
London - london@contino.io
New York - newyork@contino.io
Melbourne - melbourne@contino.io
Sydney - sydney@contino.io