AWS Cloud Governance & Security through Automation - Atlanta AWS Builders

James Strong
James StrongCloud Native Director at Contino
Atlanta AWS Builders - AWS Cloud Governance & Security through Automation Jason Lutz - DevOps Consultant James Strong - Cloud Native Director 8/20/2020
01 | Introduction to Contino 02 | DevSecOps Intro 03 | Compliance & Governance at the Enterprise Level 04 | Cloud Service Provider and Account Security 05 | Network & Workload Security Agenda 2
● 360~ people ● 500+ engagements ● 250+ customers First Customers Financial Services Global Offices A Brief History of Time 3 Contino is a global Digital Transformation Consultancy. We specialize in helping highly-regulated enterprises transform faster, modernizing their product delivery with Cloud Computing, Data & FinOps. Founded 2014 October 2019 Key Industries ● Manufacturing ● Banking & Financial Services ● Telecommunications ● Public Sector & Healthcare ● Travel & Transport
Speakers
Speakers
6 The DevSecOps & Cyber Security Practice DevSecOps & Cyber Security Practice Where can Contino optimise your security posture? We treat security as a first class citizen. Security & Risk Management 3 Apply evidence based controls and governance, that are supported by data and industry best practice. Regulatory aligned governance frameworks that provide rigour & control, with speed in mind. Security Operating Model 2 Establish team structures and operating procedures for a proactive posture. Right sized, structured and skilled workforces to support multi speed enterprise delivery. Move fast and remain secure. Security Advisory & Education 1 Learn new skills and prepare for constantly evolving protagonists. Setting the right path to remain secure in a rapidly evolving digital environment and establishing a baseline security posture. Example Customer Outcomes: 60% effort reduction in administering security controls through automated solutions. 65% faster MTTD and remediation of security vulnerabilities. 16,000 person days saved by automating risk management controls. Remediation of critical vulnerabilities to offset instances of crypto-mining and ransomware. 100% compliance rating with CIS & NIST benchmarks. Industry leading security posture as validated by 3rd party auditors across FS, Healthcare and Public Sector. Security Engineering 4 Best of breed cloud native security solutions, underpinned by Red/Blue Team concepts. Proactive security solutions, integrated with detection, prevention and notification systems that have automation at their core. Security Enabled Lighthouse Projects 5 New working practices, tooling and team structures to reduce MTTD of Security vulnerabilities and attacks. Building upon foundational security posture by introducing Security Chaos Engineering and patterns to support advanced attacker techniques across your technology estate.
Security is properly integrated into the software development lifecycle (SLDC). Early fast feedback is valued over retrospective corrections. Security is a final hurdle/ set of gated checks added to the end of the process Traditional Security vs DevSecOps - DevSecOps 101 Development Commit Build Test Deploy Automated Tests Automated Security Early Feedback Security Validation Code Quality Validation Security Policy Checks Security Requirements Documentation Development Manual Security Tests Manual Penetration Tests Manual Checks Exceptions Manual Signoffs Re-Work Deploy? X Automated Builds Automated Deployment All changes Treated as code
Benefits of DevSecOps ● Speed of Delivery ● Speed of Recovery ● Immutable Infrastructure ● Security Auditing, Monitoring, and Notification Systems ● Security is Federated ● DevSecOps Fosters a Culture of Openness and Transparency
A DevSecOps culture means: ● Communication ● Customer Focused Organization ● Agility and Security ● Ownership “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.” - MIT Professor Jerome Saltzer. Creating A Culture of Security - DevSecOps 101
AWS Shared Responsibility Model Source: https://aws.amazon.com/compliance/shared-responsibility-model/
Enterprise Security Compliance: ● Security Program ● Security Framework Enterprise Security Compliance Cloud Security Program Workload & Network Security Cloud Security Program: ● Cloud Security Posture Management ● Workload and Network Security
NIST CSF ➔ Framework Tiers ➔ Tier 1: Partial ➔ Tier 2: Risk Informed ➔ Tier 3: Repeatable ➔ Tier 4: Adaptive
Compliance & Governance Identify Security Hub, Organizations, Control Tower, Trusted Advisor, Service Catalog, Config, Systems Manager Protect VPC, IoT Device Defender, Direct Connect, Resource Access Manager, Directory Services, AWS Shield, IAM, Secrets Manager, KMS, Cognito, WAF, FW Manager, Cert. Manager HSM, SSO Detect GuardDuty, Macie, Inspector, SecurityHub Respond Automate: CloudWatch, Systems Manager, Lambda Investigate: CloudWatch, CloudTrail, Health Dashboard, Route 53 Recover S3, Glacier
Compliance and Governance on AWS Services & Tools AWS Artifacts (Identify) AWS CloudTrail (Detect) AWS Config (Detect & React) AWS Trusted Advisor (Detect) AWS Inspector (Detect) AWS SSM (Protect & Respond) AWS ECR (Detect, Protect) AWS CloudWatch (Detect & Respond) AWS EBS (Protect) AWS S3 (Protect) AWS KMS (Protect) AWS Security Hub (Identify, Detect, Protect, Respond, Recover) Best Practices AWS Security Best Practices AWS Well Architected Framework CIS AWS Benchmarks
Compliance and Governance on AWS Services & Tools AWS Artifacts (Identify) AWS CloudTrail (Detect) AWS Config (Detect & React) AWS Trusted Advisor (Detect) AWS Inspector (Detect) AWS SSM (Protect & Respond) AWS ECR (Detect, Protect) AWS CloudWatch (Detect & Respond) AWS EBS (Protect) AWS S3 (Protect) AWS KMS (Protect) AWS Security Hub (Identify, Detect, Protect, Respond, Recover) Best Practices AWS Security Best Practices AWS Well Architected Framework CIS AWS Benchmarks
AWS Config & Config Aggregator
Cloud Service Provider and Account Security Identity and Access Management (IAM) - root, credentials, password policies, MFA, etc. Logging - CloudTrail, CloudWatch, S3 access, VPC Flow Logs, KMS/CMKs Monitoring - Log metrics/alarms: api’s, root, S3 changes, network changes Networking - check for ingress, default security group settings, VPC peering least access
CIS and Account Security on AWS
CIS and Account Security on AWS
CIS and Account Security on AWS
CIS Benchmark Demo Prowler
Multi Account Architecture of Security Hub
Network Security AWS Security Hub Demo https://www.contino.io/insights/aws-config-aggregator-compliance
Workload Security NIST Special Publication 800-190 Application Container Security Guide ● Major Risks for Core Components of Container Technologies ● Countermeasures ● Container Threat Scenarios ● Security Considerations for Container Technology Life Cycles NIST Special Publication 800-204 Security Strategies for Microservices-based Application Systems CIS Benchmarks Docker & Kubernetes CIS Hardening Guides for Operating Systems & Server Applications
Workload Security AWS Demo Container Security
As you move to an infrastructure as code approach, Enterprises will also have the potential to integrate compliance and security as code into your infrastructure development pipelines. This enables your application and infrastructure teams to deliver software innovation in a controlled, secure, compliant and governed manner using automation rather than manual reviews and audits. For more thought leadership on DevSecOps please visit the following URLs: ● A Quick Compliance As Code Demo: https://www.contino.io/insights/devsecops-quick-compliance-as-code ● Compliance As Code On AWS: https://www.youtube.com/watch?v=HxFCFaCweIc ● Enter The Vault: https://www.youtube.com/watch?v=e_pBreicARM&t=17s&ab_channel=Contino ● The ‘Why’ & ‘How’ Of DevSecOps: https://www.youtube.com/watch?v=uyGwFytQrNs ● Introduction To DevSecOps White Paper: https://www.contino.io/resources/devsecops-best-practice-guide Contino Approach To DevSecOps
Atlanta atlanta@contino.io Thank You contino.io continohq contino London london@contino.io New York newyork@contino.io Melbourne melbourne@contino.io Sydney sydney@contino.io
1 of 27

AWS Cloud Governance & Security through Automation - Atlanta AWS Builders

Download to read offline
Software

Is that requirement from NIST 800-53 Controls or NIST 800-190? If you've ever wondered where those pesky cloud security controls come from, this meetup is for you. In this Meetup, Jame Strong and Jason Lutz from Contino (an AWS Premier Consulting Partner) will discuss how Contino views DevSecOps. They will review the Benefits of DevSecOps: - Cost Reduction - Speed of Delivery - Speed of Recovery - Security is Federated - DevSecOps Fosters a Culture of Openness and Transparency During this Meetup, James and Jason will show you how to harden and secure a container pipeline and AWS network. Briefly, they will demonstrate how to deploy accounts with a Cloud Security Posture and review security best practices from AWS, CIS, and NIST. They will also touch on how to integrate changes in your infrastructure pipelines to adhere to your Enterprise's Security Compliance Guidelines. If you're interested in integrating security and compliance into your Application and Infrastructure pipelines to realize the benefits of DevSecOps, join us in this virtual meetup.

James Strong
James StrongCloud Native Director at Contino

Recommended

Managing Security with AWS | AWS Public Sector Summit 2017 by
Managing Security with AWS | AWS Public Sector Summit 2017Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Amazon Web Services
774 views64 slides
T4 – Understanding aws security by
T4 – Understanding aws securityT4 – Understanding aws security
T4 – Understanding aws securityAmazon Web Services
1.2K views70 slides
AWS Security Week: Security, Identity, & Compliance by
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAmazon Web Services
895 views22 slides
Intro to AWS: Security by
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: SecurityAmazon Web Services
4.7K views56 slides
Understanding AWS security by
Understanding AWS securityUnderstanding AWS security
Understanding AWS securityAmazon Web Services
1.3K views90 slides
AWS Storage Stage of Union by
AWS Storage Stage of UnionAWS Storage Stage of Union
AWS Storage Stage of UnionAmazon Web Services
574 views39 slides

More Related Content

What's hot

Introduction to AWS Security by
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS SecurityAmazon Web Services
2.1K views24 slides
Compliance in the Cloud Using Security by Design by
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignAmazon Web Services
5.2K views30 slides
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |... by
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...Amazon Web Services
4.4K views20 slides
Aws security Fundamentals by
Aws security Fundamentals Aws security Fundamentals
Aws security Fundamentals Christopher Caplan
183 views31 slides
AWS ReInvent 2020: SEC313 - A security operator’s guide to practical AWS Clou... by
AWS ReInvent 2020: SEC313 - A security operator’s guide to practical AWS Clou...AWS ReInvent 2020: SEC313 - A security operator’s guide to practical AWS Clou...
AWS ReInvent 2020: SEC313 - A security operator’s guide to practical AWS Clou...Brian Andrzejewski
154 views27 slides
Monitoring and administrating privilegeMonitoring and administrating privileg... by
Monitoring and administrating privilegeMonitoring and administrating privileg...Monitoring and administrating privilegeMonitoring and administrating privileg...
Monitoring and administrating privilegeMonitoring and administrating privileg...Amazon Web Services
585 views17 slides

What's hot(20)

Introduction to AWS Security by Amazon Web Services
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
Amazon Web Services2.1K views
Compliance in the Cloud Using Security by Design by Amazon Web Services
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
Amazon Web Services5.2K views
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |... by Amazon Web Services
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
Amazon Web Services4.4K views
Aws security Fundamentals by Christopher Caplan
Aws security Fundamentals Aws security Fundamentals
Aws security Fundamentals
Christopher Caplan183 views
AWS ReInvent 2020: SEC313 - A security operator’s guide to practical AWS Clou... by Brian Andrzejewski
AWS ReInvent 2020: SEC313 - A security operator’s guide to practical AWS Clou...AWS ReInvent 2020: SEC313 - A security operator’s guide to practical AWS Clou...
AWS ReInvent 2020: SEC313 - A security operator’s guide to practical AWS Clou...
Brian Andrzejewski154 views
Monitoring and administrating privilegeMonitoring and administrating privileg... by Amazon Web Services
Monitoring and administrating privilegeMonitoring and administrating privileg...Monitoring and administrating privilegeMonitoring and administrating privileg...
Monitoring and administrating privilegeMonitoring and administrating privileg...
Amazon Web Services585 views
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations by Amazon Web Services
CI/CD Pipeline Security: Advanced Continuous Delivery RecommendationsCI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
CI/CD Pipeline Security: Advanced Continuous Delivery Recommendations
Amazon Web Services2.9K views
Managing Security on AWS by Amazon Web Services
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
Amazon Web Services867 views
Building an Automated Security Fabric in AWS by Amazon Web Services
Building an Automated Security Fabric in AWSBuilding an Automated Security Fabric in AWS
Building an Automated Security Fabric in AWS
Amazon Web Services660 views
Intro to AWS: Security by Amazon Web Services
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: Security
Amazon Web Services1.5K views
Cloud Security, Risk and Compliance on AWS by Karim Hopper
Cloud Security, Risk and Compliance on AWSCloud Security, Risk and Compliance on AWS
Cloud Security, Risk and Compliance on AWS
Karim Hopper848 views
How to implement DevSecOps on AWS for startups by Aleksandr Maklakov
How to implement DevSecOps on AWS for startupsHow to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startups
Aleksandr Maklakov520 views
AWS Security Fundamentals by Amazon Web Services
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
Amazon Web Services2.7K views
Security in the Cloud - AWS Symposium 2014 - Washington D.C. by Amazon Web Services
Security in the Cloud - AWS Symposium 2014 - Washington D.C. Security in the Cloud - AWS Symposium 2014 - Washington D.C.
Security in the Cloud - AWS Symposium 2014 - Washington D.C.
Amazon Web Services2.1K views
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW... by Amazon Web Services
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Amazon Web Services6.2K views
Automating AWS security and compliance by John Varghese
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance
John Varghese1.1K views
Introduction to Incident Response on AWS by Amazon Web Services
Introduction to Incident Response on AWSIntroduction to Incident Response on AWS
Introduction to Incident Response on AWS
Amazon Web Services4.6K views
Journey Through the Cloud - Security Best Practices on AWS by Amazon Web Services
Journey Through the Cloud - Security Best Practices on AWSJourney Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWS
Amazon Web Services4.7K views
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices by Amazon Web Services
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
Amazon Web Services9K views
AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ... by Amazon Web Services
AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...
AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta ...
Amazon Web Services704 views

Similar to AWS Cloud Governance & Security through Automation - Atlanta AWS Builders

Securing Your Public Cloud Infrastructure by
Securing Your Public Cloud InfrastructureSecuring Your Public Cloud Infrastructure
Securing Your Public Cloud InfrastructureQualys
4.4K views41 slides
Compliance in the Cloud Using “Security by Design” Principles by
Compliance in the Cloud Using “Security by Design” PrinciplesCompliance in the Cloud Using “Security by Design” Principles
Compliance in the Cloud Using “Security by Design” PrinciplesAmazon Web Services
915 views24 slides
Multi cloud governance best practices - AWS, Azure, GCP by
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPFaiza Mehar
115 views26 slides
Compliance In The Cloud Using Security By Design by
Compliance In The Cloud Using Security By DesignCompliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignAmazon Web Services
743 views31 slides
(SEC303) Architecting for End-To-End Security in the Enterprise by
(SEC303) Architecting for End-To-End Security in the Enterprise(SEC303) Architecting for End-To-End Security in the Enterprise
(SEC303) Architecting for End-To-End Security in the EnterpriseAmazon Web Services
9.4K views51 slides
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS by
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWSAlert Logic
610 views19 slides

Similar to AWS Cloud Governance & Security through Automation - Atlanta AWS Builders(20)

Securing Your Public Cloud Infrastructure by Qualys
Securing Your Public Cloud InfrastructureSecuring Your Public Cloud Infrastructure
Securing Your Public Cloud Infrastructure
Qualys4.4K views
Compliance in the Cloud Using “Security by Design” Principles by Amazon Web Services
Compliance in the Cloud Using “Security by Design” PrinciplesCompliance in the Cloud Using “Security by Design” Principles
Compliance in the Cloud Using “Security by Design” Principles
Amazon Web Services915 views
Multi cloud governance best practices - AWS, Azure, GCP by Faiza Mehar
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCP
Faiza Mehar115 views
Compliance In The Cloud Using Security By Design by Amazon Web Services
Compliance In The Cloud Using Security By DesignCompliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By Design
Amazon Web Services743 views
(SEC303) Architecting for End-To-End Security in the Enterprise by Amazon Web Services
(SEC303) Architecting for End-To-End Security in the Enterprise(SEC303) Architecting for End-To-End Security in the Enterprise
(SEC303) Architecting for End-To-End Security in the Enterprise
Amazon Web Services9.4K views
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS by Alert Logic
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic 610 views
An Evolving Security Landscape – Security Patterns in the Cloud by Amazon Web Services
An Evolving Security Landscape – Security Patterns in the CloudAn Evolving Security Landscape – Security Patterns in the Cloud
An Evolving Security Landscape – Security Patterns in the Cloud
Amazon Web Services2.9K views
Compliance in the Cloud Using Security by Design by Amazon Web Services
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
Amazon Web Services1.4K views
(GEN117) AWS Compliance Summit by Amazon Web Services
(GEN117) AWS Compliance Summit(GEN117) AWS Compliance Summit
(GEN117) AWS Compliance Summit
Amazon Web Services3.4K views
CloudPassage Best Practices for Automatic Security Scaling by Amazon Web Services
CloudPassage Best Practices for Automatic Security ScalingCloudPassage Best Practices for Automatic Security Scaling
CloudPassage Best Practices for Automatic Security Scaling
Amazon Web Services3.6K views
Automating your AWS Security Operations by Evident.io
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
Evident.io1.5K views
Compliance in the cloud using sb d toronto-summit-v1.0 by Amazon Web Services
Compliance in the cloud using sb d toronto-summit-v1.0Compliance in the cloud using sb d toronto-summit-v1.0
Compliance in the cloud using sb d toronto-summit-v1.0
Amazon Web Services407 views
Getting Started with AWS Security by Amazon Web Services
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
Amazon Web Services881 views
Compliance in the Cloud Using Security by Design by Amazon Web Services
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
Amazon Web Services679 views
(SEC310) Keeping Developers and Auditors Happy in the Cloud by Amazon Web Services
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
Amazon Web Services6.2K views
Automating your AWS Security Operations by Amazon Web Services
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
Amazon Web Services4.9K views
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve... by Amazon Web Services
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
Amazon Web Services6K views
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt... by Amazon Web Services
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Amazon Web Services1.5K views
Mission (Not) Impossible: NIST 800-53 High Impact Controls on AWS | AWS Publi... by Amazon Web Services
Mission (Not) Impossible: NIST 800-53 High Impact Controls on AWS | AWS Publi...Mission (Not) Impossible: NIST 800-53 High Impact Controls on AWS | AWS Publi...
Mission (Not) Impossible: NIST 800-53 High Impact Controls on AWS | AWS Publi...
Amazon Web Services1.4K views
Application Security in the Cloud - Best Practices by RightScale
Application Security in the Cloud - Best PracticesApplication Security in the Cloud - Best Practices
Application Security in the Cloud - Best Practices
RightScale407 views

Recently uploaded

JioEngage_Presentation.pptx by
JioEngage_Presentation.pptxJioEngage_Presentation.pptx
JioEngage_Presentation.pptxadmin125455
8 views4 slides
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P... by
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...NimaTorabi2
16 views17 slides
How Workforce Management Software Empowers SMEs | TraQSuite by
How Workforce Management Software Empowers SMEs | TraQSuiteHow Workforce Management Software Empowers SMEs | TraQSuite
How Workforce Management Software Empowers SMEs | TraQSuiteTraQSuite
6 views3 slides
Quality Assurance by
Quality Assurance Quality Assurance
Quality Assurance interworksoftware2
5 views6 slides
Electronic AWB - Electronic Air Waybill by
Electronic AWB - Electronic Air Waybill Electronic AWB - Electronic Air Waybill
Electronic AWB - Electronic Air Waybill Freightoscope
5 views1 slide
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx by
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptxanimuscrm
15 views19 slides

Recently uploaded(20)

JioEngage_Presentation.pptx by admin125455
JioEngage_Presentation.pptxJioEngage_Presentation.pptx
JioEngage_Presentation.pptx
admin1254558 views
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P... by NimaTorabi2
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...
Unlocking the Power of AI in Product Management - A Comprehensive Guide for P...
NimaTorabi216 views
How Workforce Management Software Empowers SMEs | TraQSuite by TraQSuite
How Workforce Management Software Empowers SMEs | TraQSuiteHow Workforce Management Software Empowers SMEs | TraQSuite
How Workforce Management Software Empowers SMEs | TraQSuite
TraQSuite6 views
Quality Assurance by interworksoftware2
Quality Assurance Quality Assurance
Quality Assurance
interworksoftware25 views
Electronic AWB - Electronic Air Waybill by Freightoscope
Electronic AWB - Electronic Air Waybill Electronic AWB - Electronic Air Waybill
Electronic AWB - Electronic Air Waybill
Freightoscope 5 views
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx by animuscrm
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
animuscrm15 views
EV Charging App Case by iCoderz Solutions
EV Charging App Case EV Charging App Case
EV Charging App Case
iCoderz Solutions9 views
Quality Engineer: A Day in the Life by John Valentino
Quality Engineer: A Day in the LifeQuality Engineer: A Day in the Life
Quality Engineer: A Day in the Life
John Valentino7 views
Flask-Python.pptx by Triloki Gupta
Flask-Python.pptxFlask-Python.pptx
Flask-Python.pptx
Triloki Gupta9 views
FIMA 2023 Neo4j & FS - Entity Resolution.pptx by Neo4j
FIMA 2023 Neo4j & FS - Entity Resolution.pptxFIMA 2023 Neo4j & FS - Entity Resolution.pptx
FIMA 2023 Neo4j & FS - Entity Resolution.pptx
Neo4j17 views
Understanding HTML terminology by artembondar5
Understanding HTML terminologyUnderstanding HTML terminology
Understanding HTML terminology
artembondar57 views
DRYiCE™ iAutomate: AI-enhanced Intelligent Runbook Automation by HCLSoftware
DRYiCE™ iAutomate: AI-enhanced Intelligent Runbook AutomationDRYiCE™ iAutomate: AI-enhanced Intelligent Runbook Automation
DRYiCE™ iAutomate: AI-enhanced Intelligent Runbook Automation
HCLSoftware6 views
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with... by sparkfabrik
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
20231129 - Platform @ localhost 2023 - Application-driven infrastructure with...
sparkfabrik8 views
Introduction to Git Source Control by John Valentino
Introduction to Git Source ControlIntroduction to Git Source Control
Introduction to Git Source Control
John Valentino7 views
ADDO_2022_CICID_Tom_Halpin.pdf by TomHalpin9
ADDO_2022_CICID_Tom_Halpin.pdfADDO_2022_CICID_Tom_Halpin.pdf
ADDO_2022_CICID_Tom_Halpin.pdf
TomHalpin95 views
Bootstrapping vs Venture Capital.pptx by Zeljko Svedic
Bootstrapping vs Venture Capital.pptxBootstrapping vs Venture Capital.pptx
Bootstrapping vs Venture Capital.pptx
Zeljko Svedic15 views
Page Object Model by artembondar5
Page Object ModelPage Object Model
Page Object Model
artembondar56 views
The Era of Large Language Models.pptx by AbdulVahedShaik
The Era of Large Language Models.pptxThe Era of Large Language Models.pptx
The Era of Large Language Models.pptx
AbdulVahedShaik7 views
Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium... by Lisi Hocke
Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium...Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium...
Team Transformation Tactics for Holistic Testing and Quality (Japan Symposium...
Lisi Hocke35 views
AI and Ml presentation .pptx by FayazAli87
AI and Ml presentation .pptxAI and Ml presentation .pptx
AI and Ml presentation .pptx
FayazAli8714 views

AWS Cloud Governance & Security through Automation - Atlanta AWS Builders

  • 1. Atlanta AWS Builders - AWS Cloud Governance & Security through Automation Jason Lutz - DevOps Consultant James Strong - Cloud Native Director 8/20/2020
  • 2. 01 | Introduction to Contino 02 | DevSecOps Intro 03 | Compliance & Governance at the Enterprise Level 04 | Cloud Service Provider and Account Security 05 | Network & Workload Security Agenda 2
  • 3. ● 360~ people ● 500+ engagements ● 250+ customers First Customers Financial Services Global Offices A Brief History of Time 3 Contino is a global Digital Transformation Consultancy. We specialize in helping highly-regulated enterprises transform faster, modernizing their product delivery with Cloud Computing, Data & FinOps. Founded 2014 October 2019 Key Industries ● Manufacturing ● Banking & Financial Services ● Telecommunications ● Public Sector & Healthcare ● Travel & Transport
  • 6. 6 The DevSecOps & Cyber Security Practice DevSecOps & Cyber Security Practice Where can Contino optimise your security posture? We treat security as a first class citizen. Security & Risk Management 3 Apply evidence based controls and governance, that are supported by data and industry best practice. Regulatory aligned governance frameworks that provide rigour & control, with speed in mind. Security Operating Model 2 Establish team structures and operating procedures for a proactive posture. Right sized, structured and skilled workforces to support multi speed enterprise delivery. Move fast and remain secure. Security Advisory & Education 1 Learn new skills and prepare for constantly evolving protagonists. Setting the right path to remain secure in a rapidly evolving digital environment and establishing a baseline security posture. Example Customer Outcomes: 60% effort reduction in administering security controls through automated solutions. 65% faster MTTD and remediation of security vulnerabilities. 16,000 person days saved by automating risk management controls. Remediation of critical vulnerabilities to offset instances of crypto-mining and ransomware. 100% compliance rating with CIS & NIST benchmarks. Industry leading security posture as validated by 3rd party auditors across FS, Healthcare and Public Sector. Security Engineering 4 Best of breed cloud native security solutions, underpinned by Red/Blue Team concepts. Proactive security solutions, integrated with detection, prevention and notification systems that have automation at their core. Security Enabled Lighthouse Projects 5 New working practices, tooling and team structures to reduce MTTD of Security vulnerabilities and attacks. Building upon foundational security posture by introducing Security Chaos Engineering and patterns to support advanced attacker techniques across your technology estate.
  • 7. Security is properly integrated into the software development lifecycle (SLDC). Early fast feedback is valued over retrospective corrections. Security is a final hurdle/ set of gated checks added to the end of the process Traditional Security vs DevSecOps - DevSecOps 101 Development Commit Build Test Deploy Automated Tests Automated Security Early Feedback Security Validation Code Quality Validation Security Policy Checks Security Requirements Documentation Development Manual Security Tests Manual Penetration Tests Manual Checks Exceptions Manual Signoffs Re-Work Deploy? X Automated Builds Automated Deployment All changes Treated as code
  • 8. Benefits of DevSecOps ● Speed of Delivery ● Speed of Recovery ● Immutable Infrastructure ● Security Auditing, Monitoring, and Notification Systems ● Security is Federated ● DevSecOps Fosters a Culture of Openness and Transparency
  • 9. A DevSecOps culture means: ● Communication ● Customer Focused Organization ● Agility and Security ● Ownership “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.” - MIT Professor Jerome Saltzer. Creating A Culture of Security - DevSecOps 101
  • 10. AWS Shared Responsibility Model Source: https://aws.amazon.com/compliance/shared-responsibility-model/
  • 11. Enterprise Security Compliance: ● Security Program ● Security Framework Enterprise Security Compliance Cloud Security Program Workload & Network Security Cloud Security Program: ● Cloud Security Posture Management ● Workload and Network Security
  • 12. NIST CSF ➔ Framework Tiers ➔ Tier 1: Partial ➔ Tier 2: Risk Informed ➔ Tier 3: Repeatable ➔ Tier 4: Adaptive
  • 13. Compliance & Governance Identify Security Hub, Organizations, Control Tower, Trusted Advisor, Service Catalog, Config, Systems Manager Protect VPC, IoT Device Defender, Direct Connect, Resource Access Manager, Directory Services, AWS Shield, IAM, Secrets Manager, KMS, Cognito, WAF, FW Manager, Cert. Manager HSM, SSO Detect GuardDuty, Macie, Inspector, SecurityHub Respond Automate: CloudWatch, Systems Manager, Lambda Investigate: CloudWatch, CloudTrail, Health Dashboard, Route 53 Recover S3, Glacier
  • 14. Compliance and Governance on AWS Services & Tools AWS Artifacts (Identify) AWS CloudTrail (Detect) AWS Config (Detect & React) AWS Trusted Advisor (Detect) AWS Inspector (Detect) AWS SSM (Protect & Respond) AWS ECR (Detect, Protect) AWS CloudWatch (Detect & Respond) AWS EBS (Protect) AWS S3 (Protect) AWS KMS (Protect) AWS Security Hub (Identify, Detect, Protect, Respond, Recover) Best Practices AWS Security Best Practices AWS Well Architected Framework CIS AWS Benchmarks
  • 15. Compliance and Governance on AWS Services & Tools AWS Artifacts (Identify) AWS CloudTrail (Detect) AWS Config (Detect & React) AWS Trusted Advisor (Detect) AWS Inspector (Detect) AWS SSM (Protect & Respond) AWS ECR (Detect, Protect) AWS CloudWatch (Detect & Respond) AWS EBS (Protect) AWS S3 (Protect) AWS KMS (Protect) AWS Security Hub (Identify, Detect, Protect, Respond, Recover) Best Practices AWS Security Best Practices AWS Well Architected Framework CIS AWS Benchmarks
  • 16. AWS Config & Config Aggregator
  • 17. Cloud Service Provider and Account Security Identity and Access Management (IAM) - root, credentials, password policies, MFA, etc. Logging - CloudTrail, CloudWatch, S3 access, VPC Flow Logs, KMS/CMKs Monitoring - Log metrics/alarms: api’s, root, S3 changes, network changes Networking - check for ingress, default security group settings, VPC peering least access
  • 18. CIS and Account Security on AWS
  • 19. CIS and Account Security on AWS
  • 20. CIS and Account Security on AWS
  • 22. Multi Account Architecture of Security Hub
  • 23. Network Security AWS Security Hub Demo https://www.contino.io/insights/aws-config-aggregator-compliance
  • 24. Workload Security NIST Special Publication 800-190 Application Container Security Guide ● Major Risks for Core Components of Container Technologies ● Countermeasures ● Container Threat Scenarios ● Security Considerations for Container Technology Life Cycles NIST Special Publication 800-204 Security Strategies for Microservices-based Application Systems CIS Benchmarks Docker & Kubernetes CIS Hardening Guides for Operating Systems & Server Applications
  • 25. Workload Security AWS Demo Container Security
  • 26. As you move to an infrastructure as code approach, Enterprises will also have the potential to integrate compliance and security as code into your infrastructure development pipelines. This enables your application and infrastructure teams to deliver software innovation in a controlled, secure, compliant and governed manner using automation rather than manual reviews and audits. For more thought leadership on DevSecOps please visit the following URLs: ● A Quick Compliance As Code Demo: https://www.contino.io/insights/devsecops-quick-compliance-as-code ● Compliance As Code On AWS: https://www.youtube.com/watch?v=HxFCFaCweIc ● Enter The Vault: https://www.youtube.com/watch?v=e_pBreicARM&t=17s&ab_channel=Contino ● The ‘Why’ & ‘How’ Of DevSecOps: https://www.youtube.com/watch?v=uyGwFytQrNs ● Introduction To DevSecOps White Paper: https://www.contino.io/resources/devsecops-best-practice-guide Contino Approach To DevSecOps
  • 27. Atlanta atlanta@contino.io Thank You contino.io continohq contino London london@contino.io New York newyork@contino.io Melbourne melbourne@contino.io Sydney sydney@contino.io