Successfully reported this slideshow.

AWS Cloud Governance & Security through Automation - Atlanta AWS Builders

0

Share

Aug. 20, 2020
0 likes 132 views
Upcoming SlideShare
Cloud Native Lou - Networking
Cloud Native Lou - Networking
Loading in …3
×
1 of 27
1 of 27

AWS Cloud Governance & Security through Automation - Atlanta AWS Builders

Aug. 20, 2020
0 likes 132 views

0

Share

Download to read offline

Software

Is that requirement from NIST 800-53 Controls or NIST 800-190? If you've ever wondered where those pesky cloud security controls come from, this meetup is for you.
In this Meetup, Jame Strong and Jason Lutz from Contino (an AWS Premier Consulting Partner) will discuss how Contino views DevSecOps. They will review the Benefits of DevSecOps:
- Cost Reduction
- Speed of Delivery
- Speed of Recovery
- Security is Federated
- DevSecOps Fosters a Culture of Openness and Transparency
During this Meetup, James and Jason will show you how to harden and secure a container pipeline and AWS network. Briefly, they will demonstrate how to deploy accounts with a Cloud Security Posture and review security best practices from AWS, CIS, and NIST. They will also touch on how to integrate changes in your infrastructure pipelines to adhere to your Enterprise's Security Compliance Guidelines.
If you're interested in integrating security and compliance into your Application and Infrastructure pipelines to realize the benefits of DevSecOps, join us in this virtual meetup.

Is that requirement from NIST 800-53 Controls or NIST 800-190? If you've ever wondered where those pesky cloud security controls come from, this meetup is for you.
In this Meetup, Jame Strong and Jason Lutz from Contino (an AWS Premier Consulting Partner) will discuss how Contino views DevSecOps. They will review the Benefits of DevSecOps:
- Cost Reduction
- Speed of Delivery
- Speed of Recovery
- Security is Federated
- DevSecOps Fosters a Culture of Openness and Transparency
During this Meetup, James and Jason will show you how to harden and secure a container pipeline and AWS network. Briefly, they will demonstrate how to deploy accounts with a Cloud Security Posture and review security best practices from AWS, CIS, and NIST. They will also touch on how to integrate changes in your infrastructure pipelines to adhere to your Enterprise's Security Compliance Guidelines.
If you're interested in integrating security and compliance into your Application and Infrastructure pipelines to realize the benefits of DevSecOps, join us in this virtual meetup.

Software
License: CC Attribution-ShareAlike License

Recommended

More Related Content

Featured

Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer
Study: The Future of VR, AR and Self-Driving Cars
LinkedIn
Shorter ER Wait Times
Knowledge@Wharton
Asia's Artificial Intelligence Agenda. MIT Technology Review
Alexander Jarvis
Martin Luther King's Pearl Of Wisdom!
SurveyCrest
Teaching Students with Emojis, Emoticons, & Textspeak
Shelly Sanchez Terrell

Related Books

Free with a 14 day trial from Scribd

See all
Hamlet's BlackBerry: A Practical Philosophy for Building a Good Life in the Digital Age William Powers
(4/5)
Free
In the Plex: How Google Thinks, Works, and Shapes Our Lives Steven Levy
(4.5/5)
Free
An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths Glenn Reynolds
(4/5)
Free
World Wide Mind: The Coming Integration of Humanity, Machines, and the Internet Michael Chorost
(4/5)
Free
Tubes: A Journey to the Center of the Internet Andrew Blum
(4/5)
Free
Emergence: The Connected Lives of Ants, Brains, Cities, and Software Steven Johnson
(4.5/5)
Free
The Impulse Economy: Understanding Mobile Shoppers and What Makes Them Buy Gary Schwartz
(4.5/5)
Free
Blog Schmog: The Truth About What Blogs Can (and Can't) Do for Your Business Robert W. Bly
(4/5)
Free
The End of Business As Usual: Rewire the Way You Work to Succeed in the Consumer Revolution Brian Solis
(5/5)
Free
Socialnomics: How Social Media Transforms the Way We Live and Do Business Erik Qualman
(4/5)
Free
The Nature of the Future: Dispatches from the Socialstructed World Marina Gorbis
(4/5)
Free
Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live Jeff Jarvis
(3.5/5)
Free
Talking Back to Facebook: The Common Sense Guide to Raising Kids in the Digital Age James P. Steyer
(4.5/5)
Free
The Thank You Economy Gary Vaynerchuk
(4/5)
Free
Blog, Inc.: Blogging for Passion, Profit, and to Create Community Joy Deangdeelert Cho
(3.5/5)
Free
Grown Up Digital: How the Net Generation is Changing Your World Don Tapscott
(0/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
New Dark Age: Technology and the End of the Future James Bridle
(4.5/5)
Free
The Emperor's New Mind: Concerning Computers, Minds, and the Laws of Physics Roger Penrose
(3.5/5)
Free
Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World Don Tapscott
(4/5)
Free
Alone Together: Why We Expect More from Technology and Less from Each Other Sherry Turkle
(4.5/5)
Free
The Death of Expertise: The Campaign Against Established Knowledge and Why it Matters Tom Nichols
(4.5/5)
Free
Algorithms to Live By: The Computer Science of Human Decisions Brian Christian
(4.5/5)
Free
An Introduction to Information Theory: Symbols, Signals and Noise John R. Pierce
(4.5/5)
Free
The Social Life of Information: Updated, with a New Preface-Revised John Seely Brown
(0/5)
Free
Who Owns the Future? Jaron Lanier
(4/5)
Free
The Dark Net: Inside the Digital Underworld Jamie Bartlett
(4/5)
Free
Cognitive Surplus: Creativity and Generosity in a Connected Age Clay Shirky
(4/5)
Free
The New New Thing: A Silicon Valley Story Michael Lewis
(4.5/5)
Free
Ten Arguments for Deleting Your Social Media Accounts Right Now Jaron Lanier
(4/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
The History of the Future: Oculus, Facebook, and the Revolution That Swept Virtual Reality Blake J. Harris
(4.5/5)
Free
Once Upon an Algorithm: How Stories Explain Computing Martin Erwig
(4/5)
Free

AWS Cloud Governance & Security through Automation - Atlanta AWS Builders

  1. 1. Atlanta AWS Builders - AWS Cloud Governance & Security through Automation Jason Lutz - DevOps Consultant James Strong - Cloud Native Director 8/20/2020
  2. 2. 01 | Introduction to Contino 02 | DevSecOps Intro 03 | Compliance & Governance at the Enterprise Level 04 | Cloud Service Provider and Account Security 05 | Network & Workload Security Agenda 2
  3. 3. ● 360~ people ● 500+ engagements ● 250+ customers First Customers Financial Services Global Offices A Brief History of Time 3 Contino is a global Digital Transformation Consultancy. We specialize in helping highly-regulated enterprises transform faster, modernizing their product delivery with Cloud Computing, Data & FinOps. Founded 2014 October 2019 Key Industries ● Manufacturing ● Banking & Financial Services ● Telecommunications ● Public Sector & Healthcare ● Travel & Transport
  4. 4. Speakers
  5. 5. Speakers
  6. 6. 6 The DevSecOps & Cyber Security Practice DevSecOps & Cyber Security Practice Where can Contino optimise your security posture? We treat security as a first class citizen. Security & Risk Management 3 Apply evidence based controls and governance, that are supported by data and industry best practice. Regulatory aligned governance frameworks that provide rigour & control, with speed in mind. Security Operating Model 2 Establish team structures and operating procedures for a proactive posture. Right sized, structured and skilled workforces to support multi speed enterprise delivery. Move fast and remain secure. Security Advisory & Education 1 Learn new skills and prepare for constantly evolving protagonists. Setting the right path to remain secure in a rapidly evolving digital environment and establishing a baseline security posture. Example Customer Outcomes: 60% effort reduction in administering security controls through automated solutions. 65% faster MTTD and remediation of security vulnerabilities. 16,000 person days saved by automating risk management controls. Remediation of critical vulnerabilities to offset instances of crypto-mining and ransomware. 100% compliance rating with CIS & NIST benchmarks. Industry leading security posture as validated by 3rd party auditors across FS, Healthcare and Public Sector. Security Engineering 4 Best of breed cloud native security solutions, underpinned by Red/Blue Team concepts. Proactive security solutions, integrated with detection, prevention and notification systems that have automation at their core. Security Enabled Lighthouse Projects 5 New working practices, tooling and team structures to reduce MTTD of Security vulnerabilities and attacks. Building upon foundational security posture by introducing Security Chaos Engineering and patterns to support advanced attacker techniques across your technology estate.
  7. 7. Security is properly integrated into the software development lifecycle (SLDC). Early fast feedback is valued over retrospective corrections. Security is a final hurdle/ set of gated checks added to the end of the process Traditional Security vs DevSecOps - DevSecOps 101 Development Commit Build Test Deploy Automated Tests Automated Security Early Feedback Security Validation Code Quality Validation Security Policy Checks Security Requirements Documentation Development Manual Security Tests Manual Penetration Tests Manual Checks Exceptions Manual Signoffs Re-Work Deploy? X Automated Builds Automated Deployment All changes Treated as code
  8. 8. Benefits of DevSecOps ● Speed of Delivery ● Speed of Recovery ● Immutable Infrastructure ● Security Auditing, Monitoring, and Notification Systems ● Security is Federated ● DevSecOps Fosters a Culture of Openness and Transparency
  9. 9. A DevSecOps culture means: ● Communication ● Customer Focused Organization ● Agility and Security ● Ownership “Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.” - MIT Professor Jerome Saltzer. Creating A Culture of Security - DevSecOps 101
  10. 10. AWS Shared Responsibility Model Source: https://aws.amazon.com/compliance/shared-responsibility-model/
  11. 11. Enterprise Security Compliance: ● Security Program ● Security Framework Enterprise Security Compliance Cloud Security Program Workload & Network Security Cloud Security Program: ● Cloud Security Posture Management ● Workload and Network Security
  12. 12. NIST CSF ➔ Framework Tiers ➔ Tier 1: Partial ➔ Tier 2: Risk Informed ➔ Tier 3: Repeatable ➔ Tier 4: Adaptive
  13. 13. Compliance & Governance Identify Security Hub, Organizations, Control Tower, Trusted Advisor, Service Catalog, Config, Systems Manager Protect VPC, IoT Device Defender, Direct Connect, Resource Access Manager, Directory Services, AWS Shield, IAM, Secrets Manager, KMS, Cognito, WAF, FW Manager, Cert. Manager HSM, SSO Detect GuardDuty, Macie, Inspector, SecurityHub Respond Automate: CloudWatch, Systems Manager, Lambda Investigate: CloudWatch, CloudTrail, Health Dashboard, Route 53 Recover S3, Glacier
  14. 14. Compliance and Governance on AWS Services & Tools AWS Artifacts (Identify) AWS CloudTrail (Detect) AWS Config (Detect & React) AWS Trusted Advisor (Detect) AWS Inspector (Detect) AWS SSM (Protect & Respond) AWS ECR (Detect, Protect) AWS CloudWatch (Detect & Respond) AWS EBS (Protect) AWS S3 (Protect) AWS KMS (Protect) AWS Security Hub (Identify, Detect, Protect, Respond, Recover) Best Practices AWS Security Best Practices AWS Well Architected Framework CIS AWS Benchmarks
  15. 15. Compliance and Governance on AWS Services & Tools AWS Artifacts (Identify) AWS CloudTrail (Detect) AWS Config (Detect & React) AWS Trusted Advisor (Detect) AWS Inspector (Detect) AWS SSM (Protect & Respond) AWS ECR (Detect, Protect) AWS CloudWatch (Detect & Respond) AWS EBS (Protect) AWS S3 (Protect) AWS KMS (Protect) AWS Security Hub (Identify, Detect, Protect, Respond, Recover) Best Practices AWS Security Best Practices AWS Well Architected Framework CIS AWS Benchmarks
  16. 16. AWS Config & Config Aggregator
  17. 17. Cloud Service Provider and Account Security Identity and Access Management (IAM) - root, credentials, password policies, MFA, etc. Logging - CloudTrail, CloudWatch, S3 access, VPC Flow Logs, KMS/CMKs Monitoring - Log metrics/alarms: api’s, root, S3 changes, network changes Networking - check for ingress, default security group settings, VPC peering least access
  18. 18. CIS and Account Security on AWS
  19. 19. CIS and Account Security on AWS
  20. 20. CIS and Account Security on AWS
  21. 21. CIS Benchmark Demo Prowler
  22. 22. Multi Account Architecture of Security Hub
  23. 23. Network Security AWS Security Hub Demo https://www.contino.io/insights/aws-config-aggregator-compliance
  24. 24. Workload Security NIST Special Publication 800-190 Application Container Security Guide ● Major Risks for Core Components of Container Technologies ● Countermeasures ● Container Threat Scenarios ● Security Considerations for Container Technology Life Cycles NIST Special Publication 800-204 Security Strategies for Microservices-based Application Systems CIS Benchmarks Docker & Kubernetes CIS Hardening Guides for Operating Systems & Server Applications
  25. 25. Workload Security AWS Demo Container Security
  26. 26. As you move to an infrastructure as code approach, Enterprises will also have the potential to integrate compliance and security as code into your infrastructure development pipelines. This enables your application and infrastructure teams to deliver software innovation in a controlled, secure, compliant and governed manner using automation rather than manual reviews and audits. For more thought leadership on DevSecOps please visit the following URLs: ● A Quick Compliance As Code Demo: https://www.contino.io/insights/devsecops-quick-compliance-as-code ● Compliance As Code On AWS: https://www.youtube.com/watch?v=HxFCFaCweIc ● Enter The Vault: https://www.youtube.com/watch?v=e_pBreicARM&t=17s&ab_channel=Contino ● The ‘Why’ & ‘How’ Of DevSecOps: https://www.youtube.com/watch?v=uyGwFytQrNs ● Introduction To DevSecOps White Paper: https://www.contino.io/resources/devsecops-best-practice-guide Contino Approach To DevSecOps
  27. 27. Atlanta atlanta@contino.io Thank You contino.io continohq contino London london@contino.io New York newyork@contino.io Melbourne melbourne@contino.io Sydney sydney@contino.io

×