
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders

Is that requirement from NIST 800-53 Controls or NIST 800-190? If you've ever wondered where those pesky cloud security controls come from, this meetup is for you.
In this Meetup, James Strong and Jason Lutz from Contino (an AWS Premier Consulting Partner) will discuss how Contino views DevSecOps. They will review the benefits of DevSecOps:
- Cost Reduction
- Speed of Delivery
- Speed of Recovery
- Security is Federated
- DevSecOps Fosters a Culture of Openness and Transparency
During this Meetup, James and Jason will show you how to harden and secure a container pipeline and AWS network. Briefly, they will demonstrate how to deploy accounts with a Cloud Security Posture and review security best practices from AWS, CIS, and NIST. They will also touch on how to integrate changes in your infrastructure pipelines to adhere to your Enterprise's Security Compliance Guidelines.
If you're interested in integrating security and compliance into your Application and Infrastructure pipelines to realize the benefits of DevSecOps, join us in this virtual meetup.



  1. Atlanta AWS Builders - AWS Cloud Governance & Security through Automation. Jason Lutz, DevOps Consultant; James Strong, Cloud Native Director. 8/20/2020
  2. Agenda
     01 | Introduction to Contino
     02 | DevSecOps Intro
     03 | Compliance & Governance at the Enterprise Level
     04 | Cloud Service Provider and Account Security
     05 | Network & Workload Security
  3. A Brief History of Time. Contino is a global Digital Transformation Consultancy. We specialize in helping highly-regulated enterprises transform faster, modernizing their product delivery with Cloud Computing, Data & FinOps.
     ● ~360 people ● 500+ engagements ● 250+ customers
     Timeline: Founded 2014 · First Customers: Financial Services · Global Offices · October 2019
     Key Industries: ● Manufacturing ● Banking & Financial Services ● Telecommunications ● Public Sector & Healthcare ● Travel & Transport
  4. Speakers
  5. Speakers
  6. The DevSecOps & Cyber Security Practice. Where can Contino optimise your security posture? We treat security as a first class citizen.
     1. Security Advisory & Education: Learn new skills and prepare for constantly evolving protagonists. Setting the right path to remain secure in a rapidly evolving digital environment and establishing a baseline security posture.
     2. Security Operating Model: Establish team structures and operating procedures for a proactive posture. Right sized, structured and skilled workforces to support multi speed enterprise delivery. Move fast and remain secure.
     3. Security & Risk Management: Apply evidence based controls and governance that are supported by data and industry best practice. Regulatory aligned governance frameworks that provide rigour & control, with speed in mind.
     4. Security Engineering: Best of breed cloud native security solutions, underpinned by Red/Blue Team concepts. Proactive security solutions, integrated with detection, prevention and notification systems that have automation at their core.
     5. Security Enabled Lighthouse Projects: New working practices, tooling and team structures to reduce MTTD of security vulnerabilities and attacks. Building upon foundational security posture by introducing Security Chaos Engineering and patterns to support advanced attacker techniques across your technology estate.
     Example Customer Outcomes:
     ● 60% effort reduction in administering security controls through automated solutions.
     ● 65% faster MTTD and remediation of security vulnerabilities.
     ● 16,000 person days saved by automating risk management controls.
     ● Remediation of critical vulnerabilities to offset instances of crypto-mining and ransomware.
     ● 100% compliance rating with CIS & NIST benchmarks.
     ● Industry leading security posture as validated by 3rd party auditors across FS, Healthcare and Public Sector.
  7. Traditional Security vs DevSecOps - DevSecOps 101
     Traditional: security is a final hurdle, a set of gated checks added to the end of the process. Security Requirements Documentation ➔ Development ➔ Manual Security Tests ➔ Manual Penetration Tests ➔ Manual Checks ➔ Exceptions ➔ Manual Signoffs ➔ Re-Work ➔ Deploy? X
     DevSecOps: security is properly integrated into the software development lifecycle (SDLC); early fast feedback is valued over retrospective corrections. Development ➔ Commit ➔ Build ➔ Test ➔ Deploy, with Automated Tests, Automated Security, Early Feedback, Security Validation, Code Quality Validation, Security Policy Checks, Automated Builds and Automated Deployment; all changes treated as code.
  8. Benefits of DevSecOps
     ● Speed of Delivery
     ● Speed of Recovery
     ● Immutable Infrastructure
     ● Security Auditing, Monitoring, and Notification Systems
     ● Security is Federated
     ● DevSecOps Fosters a Culture of Openness and Transparency
  9. Creating A Culture of Security - DevSecOps 101. A DevSecOps culture means:
     ● Communication ● Customer Focused Organization ● Agility and Security ● Ownership
     “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.” - MIT Professor Jerome Saltzer
  10. AWS Shared Responsibility Model. Source: https://aws.amazon.com/compliance/shared-responsibility-model/
  11. Enterprise Security Compliance ➔ Cloud Security Program ➔ Workload & Network Security
     Enterprise Security Compliance: ● Security Program ● Security Framework
     Cloud Security Program: ● Cloud Security Posture Management ● Workload and Network Security
  12. NIST CSF Framework Tiers ➔ Tier 1: Partial ➔ Tier 2: Risk Informed ➔ Tier 3: Repeatable ➔ Tier 4: Adaptive
  13. Compliance & Governance (AWS services grouped by NIST CSF function)
     Identify: Security Hub, Organizations, Control Tower, Trusted Advisor, Service Catalog, Config, Systems Manager
     Protect: VPC, IoT Device Defender, Direct Connect, Resource Access Manager, Directory Services, AWS Shield, IAM, Secrets Manager, KMS, Cognito, WAF, FW Manager, Cert. Manager, HSM, SSO
     Detect: GuardDuty, Macie, Inspector, Security Hub
     Respond: Automate with CloudWatch, Systems Manager, Lambda; Investigate with CloudWatch, CloudTrail, Health Dashboard, Route 53
     Recover: S3, Glacier
  14. Compliance and Governance on AWS
     Services & Tools:
     ● AWS Artifacts (Identify)
     ● AWS CloudTrail (Detect)
     ● AWS Config (Detect & React)
     ● AWS Trusted Advisor (Detect)
     ● AWS Inspector (Detect)
     ● AWS SSM (Protect & Respond)
     ● AWS ECR (Detect, Protect)
     ● AWS CloudWatch (Detect & Respond)
     ● AWS EBS (Protect)
     ● AWS S3 (Protect)
     ● AWS KMS (Protect)
     ● AWS Security Hub (Identify, Detect, Protect, Respond, Recover)
     Best Practices: ● AWS Security Best Practices ● AWS Well Architected Framework ● CIS AWS Benchmarks
  16. AWS Config & Config Aggregator
  17. Cloud Service Provider and Account Security
     ● Identity and Access Management (IAM) - root, credentials, password policies, MFA, etc.
     ● Logging - CloudTrail, CloudWatch, S3 access, VPC Flow Logs, KMS/CMKs
     ● Monitoring - log metrics/alarms: APIs, root, S3 changes, network changes
     ● Networking - check for ingress, default security group settings, VPC peering least access
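The four check categories on slide 17 (IAM, logging, monitoring, networking) are what CIS-benchmark scanners such as the Prowler demo on slide 21 automate. The following is an added example, not Contino's code and not Prowler: each check takes a dict in the shape of the corresponding boto3 response (get_account_password_policy, get_account_summary, describe_trails, describe_security_groups) so the same functions could be fed live API output, but every value in SAMPLE_ACCOUNT is constructed for the example, and the thresholds are the author's reading of the CIS AWS Foundations Benchmark, not a complete implementation of it.

```python
"""CIS-style AWS account checks evaluated against constructed, boto3-shaped data.

Added example (not Contino's code, not Prowler). SAMPLE_ACCOUNT is constructed;
thresholds follow the CIS AWS Foundations Benchmark IAM, logging and
networking recommendations referenced on slide 17.
"""
from typing import Dict, List


def check_password_policy(policy: Dict) -> List[str]:
    """IAM: length, character classes, 90-day rotation, 24-password reuse history."""
    findings = []
    if policy.get("MinimumPasswordLength", 0) < 14:
        findings.append("password policy: minimum length below 14")
    for flag in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                 "RequireSymbols", "RequireNumbers"):
        if not policy.get(flag, False):
            findings.append(f"password policy: {flag} not enforced")
    max_age = policy.get("MaxPasswordAge", 0)  # 0 or absent means never expires
    if max_age == 0 or max_age > 90:
        findings.append("password policy: passwords do not expire within 90 days")
    if policy.get("PasswordReusePrevention", 0) < 24:
        findings.append("password policy: fewer than 24 previous passwords remembered")
    return findings


def check_root_account(summary: Dict, root_access_keys: int) -> List[str]:
    """IAM: root has MFA enabled and no long-lived access keys."""
    findings = []
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("root: MFA not enabled")
    if root_access_keys > 0:
        findings.append("root: access keys exist")
    return findings


def check_cloudtrail(trails: List[Dict]) -> List[str]:
    """Logging: at least one multi-region trail with log file validation on."""
    ok = [t for t in trails
          if t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")]
    return [] if ok else ["cloudtrail: no multi-region trail with log file validation"]


def check_security_groups(groups: List[Dict]) -> List[str]:
    """Networking: default SG carries no rules; admin ports not open to 0.0.0.0/0."""
    findings = []
    for sg in groups:
        if sg.get("GroupName") == "default" and (
                sg.get("IpPermissions") or sg.get("IpPermissionsEgress")):
            findings.append(f"{sg['GroupId']}: default security group has rules")
        for perm in sg.get("IpPermissions", []):
            world = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            # IpProtocol "-1" carries no FromPort/ToPort and means every port
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if world and any(lo <= p <= hi for p in (22, 3389)):
                findings.append(f"{sg['GroupId']}: admin port open to 0.0.0.0/0")
    return findings


def run_all(account: Dict) -> List[str]:
    """Aggregate every check; an empty list means the account passes this subset."""
    return (check_password_policy(account["password_policy"])
            + check_root_account(account["summary"], account["root_access_keys"])
            + check_cloudtrail(account["trails"])
            + check_security_groups(account["security_groups"]))


# Constructed sample account: two password-policy gaps, root without MFA,
# a trail without log validation, and a bastion SG with SSH open to the world.
SAMPLE_ACCOUNT = {
    "password_policy": {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
                        "RequireLowercaseCharacters": True, "RequireSymbols": False,
                        "RequireNumbers": True, "MaxPasswordAge": 90,
                        "PasswordReusePrevention": 24},
    "summary": {"AccountMFAEnabled": 0},
    "root_access_keys": 0,
    "trails": [{"Name": "mgmt-trail", "IsMultiRegionTrail": True,
                "LogFileValidationEnabled": False}],
    "security_groups": [
        {"GroupId": "sg-0default", "GroupName": "default",
         "IpPermissions": [], "IpPermissionsEgress": []},
        {"GroupId": "sg-0bastion", "GroupName": "bastion",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
}

if __name__ == "__main__":
    for finding in run_all(SAMPLE_ACCOUNT):
        print("FAIL", finding)
```

Run against the constructed account it reports five findings; wired to real boto3 calls, the same functions give a Config-rule-style pass/fail per account that a Security Hub aggregator (slide 22) could collect.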
  18. CIS and Account Security on AWS
  19. CIS and Account Security on AWS
  20. CIS and Account Security on AWS
  21. CIS Benchmark Demo: Prowler
  22. Multi Account Architecture of Security Hub
  23. Network Security: AWS Security Hub Demo. https://www.contino.io/insights/aws-config-aggregator-compliance
  24. Workload Security
     ● NIST Special Publication 800-190, Application Container Security Guide: Major Risks for Core Components of Container Technologies; Countermeasures; Container Threat Scenarios; Security Considerations for Container Technology Life Cycles
     ● NIST Special Publication 800-204, Security Strategies for Microservices-based Application Systems
     ● CIS Benchmarks: Docker & Kubernetes
     ● CIS Hardening Guides for Operating Systems & Server Applications
  25. Workload Security: AWS Demo, Container Security
  26. Contino Approach To DevSecOps. As enterprises move to an infrastructure as code approach, they also gain the potential to integrate compliance and security as code into their infrastructure development pipelines. This enables application and infrastructure teams to deliver software innovation in a controlled, secure, compliant and governed manner using automation rather than manual reviews and audits. For more thought leadership on DevSecOps please visit the following URLs:
     ● A Quick Compliance As Code Demo: https://www.contino.io/insights/devsecops-quick-compliance-as-code
     ● Compliance As Code On AWS: https://www.youtube.com/watch?v=HxFCFaCweIc
     ● Enter The Vault: https://www.youtube.com/watch?v=e_pBreicARM&t=17s&ab_channel=Contino
     ● The ‘Why’ & ‘How’ Of DevSecOps: https://www.youtube.com/watch?v=uyGwFytQrNs
     ● Introduction To DevSecOps White Paper: https://www.contino.io/resources/devsecops-best-practice-guide
  27. Thank You. Atlanta atlanta@contino.io · London london@contino.io · New York newyork@contino.io · Melbourne melbourne@contino.io · Sydney sydney@contino.io. contino.io · continohq · contino
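Slide 24 names NIST SP 800-190 and the CIS Docker Benchmark as the workload-security references, and slide 26 argues for turning such controls into compliance-as-code gates in the pipeline. The block below is an added example of that idea, not Contino's code and not a full implementation of either document: it encodes a handful of build-time image countermeasures (pinned base image, non-root USER, no secrets in ENV/ARG, no ADD from a remote URL, a HEALTHCHECK) as a Dockerfile gate that fails the build when any of them is missed. SAMPLE_DOCKERFILE is constructed for the example and the URL in it is a placeholder.

```python
"""Dockerfile policy gate for a build pipeline (added example, not Contino's code).

Encodes a subset of NIST SP 800-190 image countermeasures and CIS Docker
Benchmark build-time recommendations as code. SAMPLE_DOCKERFILE is constructed;
the https URL in it is a placeholder.
"""
import re
import sys
from typing import List, Tuple

SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|ACCESS_KEY)", re.IGNORECASE)


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Join backslash continuations, drop comments and blanks, return (INSTRUCTION, args)."""
    joined = re.sub(r"\\\s*\n", " ", text)
    result = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        result.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return result


def base_image_finding(args: str) -> str:
    """Flag FROM images that carry neither a digest nor an explicit non-latest tag."""
    image = args.split()[0]          # strip a trailing "AS stage"
    if "@sha256:" in image:
        return ""
    last = image.rsplit("/", 1)[-1]  # registry:port also has a colon; the tag lives in the last component
    tag = last.split(":", 1)[1] if ":" in last else ""
    if not tag or tag == "latest":
        return f"FROM {image}: base image not pinned to a tag or digest"
    return ""


def check_dockerfile(text: str) -> List[str]:
    """Return one finding per violated control; empty list means the Dockerfile passes."""
    instrs = parse_instructions(text)
    findings = []
    user = None
    for instr, args in instrs:
        if instr == "FROM":
            finding = base_image_finding(args)
            if finding:
                findings.append(finding)
        elif instr == "USER":
            user = args.split(":")[0]        # "USER app:group" -> "app"
        elif instr in ("ENV", "ARG"):
            tokens = args.split()
            if "=" in tokens[0]:             # KEY=value [KEY2=value2 ...]
                keys, has_value = [t.partition("=")[0] for t in tokens], True
            else:                            # "ENV KEY value" or "ARG KEY" (no default)
                keys, has_value = [tokens[0]], len(tokens) > 1
            for key in keys:
                if has_value and SECRET_KEY_RE.search(key):
                    findings.append(f"{instr} {key}: secret embedded in image")
        elif instr == "ADD" and re.search(r"\bhttps?://", args):
            findings.append("ADD from remote URL: fetch with a verified checksum instead")
    if user is None or user in ("root", "0"):
        findings.append("USER: container runs as root")
    if not any(i == "HEALTHCHECK" for i, _ in instrs):
        findings.append("HEALTHCHECK: none defined")
    return findings


def gate(text: str) -> int:
    """Pipeline exit status: 0 lets the build continue, 1 blocks it."""
    return 1 if check_dockerfile(text) else 0


# Constructed sample: pinned build stage, but the runtime stage uses :latest,
# bakes a token into ENV and ADDs from a remote URL.
SAMPLE_DOCKERFILE = """\
# constructed sample
FROM python:3.11-slim AS build
COPY . /app
RUN pip install --no-cache-dir -r /app/requirements.txt

FROM python:latest
ENV API_TOKEN=constructed-placeholder-value
ADD https://example.invalid/tool.tar.gz /opt/
COPY --from=build /app /app
RUN useradd -r app \\
    && chown -R app /app
USER app
HEALTHCHECK CMD python /app/healthz.py
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for finding in check_dockerfile(SAMPLE_DOCKERFILE):
        print("FAIL", finding)
    sys.exit(gate(SAMPLE_DOCKERFILE))
```

Placed in the build stage of a pipeline, a non-zero exit from gate() stops the image before it reaches a registry scan or deployment, which is the early-feedback loop slide 7 contrasts with end-of-process manual sign-off.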
