SlideShare a Scribd company logo
1 of 30
Download to read offline
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tim Sandage, Sr. Security Partner Strategist
Vidhya Krishnamoorthy, Sr. Engineer, DevOps, VeriFone
July 13, 2016
Compliance in the Cloud Using
Security by Design
Problem Statement
Increasing complexity (mobility, system connectivity)
causes increasing difficulty in managing risk and security
and demonstrating compliance.
Current State – Technology Governance
Policies
Procedures and
Guidelines
Standards
Issues – Technology Governance
The majority of technology governance processes relies
predominantly on administrative and operational security
controls with LIMITED technology enforcement.
Assets
ThreatVulnerability
Risk
AWS has an opportunity to innovate and
advance Technology Governance Services.
Flexibility and Complexity
What is the regulatory
requirement?
What's in-scope or out-
of-scope?
How to verify the
standards are met?
Security by Design
Security by Design (SbD) is a security
assurance approach that formalizes AWS
account design, automates security controls,
and streamlines auditing.
Instead of relying on auditing security
retroactively, SbD provides security control
built in throughout the AWS IT management
process.
Identity & Access
Management
CloudTrail
CloudWatch
Config Rules
Trusted Advisor
Cloud HSMKey Management
Service
Directory Service
Security by Design - Design Principles
• Build security in every layer
• Design for failures
• Implement auto-healing
• Think parallel
• Plan for Breach
• Don't fear constraints
• Leverage different storage options
• Design for cost
• Treat Infrastructure as Code
• Modular
• Versioned
• Constrained
Developing new risk mitigation capabilities, which go beyond global security frameworks,
by treating risks, eliminating manual processes, optimizing evidence and audit ratifications
processes through rigid automation
SbD - Eco-system
Security by Design (SbD)
AWS CloudFormation
AWS Config Rules
Amazon Inspector
SbD - Modernize Tech Governance (MTG)
Why?
Complexity is growing, making the old way to
govern technology obsolete
You need automation that AWS offers to manage
security
Goal - Modernize Tech Governance (MTG)
Adopting “Prevent” controls, making
“Detect” controls more powerful and
comprehensive
SbD - Modernizing Technology Governance (MTG)
1.2 Identify Your Workloads Moving to
AWS
2.1 Rationalize
Security Requirements
2.2 Define Data
Protections and Controls
2.3 Document
Security Architecture
3.1 Build/deploy
Security Architecture
1. Decide what
to do (Strategy)
2. Analyze and
Document
(outside of AWS)
1.1 Identify Stakeholders
3. Automate,
Deploy & Monitor
3.2 Automate
Security Operations
4. Certify
3.3 Continuous
Monitor
4.1 Audit and Certification
3.4 Testing and
Game Days
SbD – Rationalize Security Requirements
AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security
configuration guides that will align to multiple security frameworks globally.
https://www.cisecurity.org/
The Benchmarks are:
• Recommended technical control
rules/values for hardening operating
systems, middle ware and software
applications, and network devices
• Distributed free of charge by CIS in .PDF
format
• Used by thousands of enterprises as the
basis for security configuration policies and
the de facto standard for IT configuration
best practices.
SbD – AWS CIS Benchmark Scope
Foundational Benchmark
CloudTrail
Config & Config
Rules
Key Management
Service
Identity & Access
Management
CloudWatch
S3
SNS
Three-tier Web Architecture
EC2 Elastic Load
Balancing
VPC
Direct Connect
Amazon Elastic
Block Store
Cloud HSM Glacier Route 53VPN
Gateway
CloudFront
Define Data Protections and Controls
Document Security Architecture
https://getcompliant.allgress.com/gc
Business Case: VeriFone Commerce Platform
• Global leader in secure POS solutions
• Commerce Portal: Secure B2B App Marketplace and
Developer Platform enabling merchants to customize the
point of sale through innovative apps that provide
customers with rich, contextual experiences in store
S3 CodeDeploy
Cloud
FormationKMS
Note: All tiers are designed
for auto-scaling, automated
Multi-AZ failover
CloudHSM CloudTrail
Security Considerations
● Multiple AWS accounts
● VPC, private subnets for application servers and RDS
● Minimal network perimeter (Only SSL Terminating Reverse Proxy in DMZ)
● Tightened Security Groups - fine grained rules for ports and CIDRs
● Immutable Docker containers, CloudTrail, Log aggregation using Splunk
● Compliance with “All code stays on-premises”
Security Considerations (Contd)
● CIS-benchmarked AMIs
● Hardened Linux/Software
● KMS-based secret management
● Two-factor authentication on AMIs
● Advanced user and key management using LDAP. Elimination of ec2-user
● HSM for secure data/keys
Secure Code Delivery Pipeline
Dev
Code +
Dockerfil
e
S3/KMS
Pro
d
Code
Docker Image
Other Benefits
Availability: HA with Multi-AZ solution
Auto-Scaling
Innovation: Infrastructure as Code
Agility and Flexibility
Ansible-based config management
Dockerfiles for software provisioning
Full CI/CD
Next Steps
• Continue Security by Design approach – AWS WAF for
firewall
• Enhance User Management - LDAP authentication/SSO
approaches
• EC2 Run Command/Opsworks for operations
• ECS for Docker and ECR for Docker Registry
Partnership
• Established a AWS/DevOps philosophy at Verifone
• Architected/Implemented foundation layer for the
Verifone solution
• Built a POC that provided security with agility
SbD – Automate Security Operations
Automate deployments, provisioning, and configurations of
the AWS customer environments
CloudFormation Service CatalogStack
Template
Instances AppsResources
Stack
Stack
Design Package
Products Portfolios
DeployConstrain
Identity & Access
Management
Set Permissions
AWS CloudTrail
EMR Kinesis VPC ELB S3 Lambda
AWS ConfigAWS CloudWatch
IoT
Other
Services
Add-on for AWS
Splunk App for AWS
Explore Analyze Dashboard Alert
Use Cases for AWS:
Security Intelligence (Cloudtrail, Cloudwatch, VPC)
Operational Intelligence (CloudWatch, ELB, etc.)
DevOps Intelligence (CloudWatch, Lambda)
Big Data Insights (Kinesis, EMR, IoT, S3)
Continuous Monitor – Splunk
AWS CloudTrail
Resource Activity
Splunk App for AWS – Visualize & Monitor
AWS CloudTrail
User Activity
SbD - Modernizing Technology Governance (MTG)
Automate
Governance
Automate
Deployments
Automate Security
Operations
Continuous
Compliance
Closing the Loop
SbD - Modernizing Technology Governance
Result: Reliable technical implementation and enforcement
of operational and administrative controls
AWS Resources
Amazon Web Services Cloud Compliance
• https://aws.amazon.com/compliance/
SbD website and whitepaper – to wrap your head around this
• https://aws.amazon.com/compliance/security-by-design/
Compliance in the Cloud Using Security by Design

More Related Content

What's hot

AWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by DesignAWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by DesignAmazon Web Services
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Amazon Web Services
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”Amazon Web Services
 
Check Point Software Technologies: Secure Your AWS Workloads
 Check Point Software Technologies: Secure Your AWS Workloads Check Point Software Technologies: Secure Your AWS Workloads
Check Point Software Technologies: Secure Your AWS WorkloadsAmazon Web Services
 
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...Amazon Web Services
 
HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017
 HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017 HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017
HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017Amazon Web Services
 
Smartronix - Building Secure Applications on the AWS Cloud
Smartronix - Building Secure Applications on the AWS CloudSmartronix - Building Secure Applications on the AWS Cloud
Smartronix - Building Secure Applications on the AWS CloudAmazon Web Services
 
Security and Compliance in the Cloud
Security and Compliance in the Cloud Security and Compliance in the Cloud
Security and Compliance in the Cloud Amazon Web Services
 
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0Amazon Web Services
 
Automating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS CloudAutomating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS CloudAmazon Web Services
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationAmazon Web Services
 
Security in the Cloud - AWS Symposium 2014 - Washington D.C.
Security in the Cloud - AWS Symposium 2014 - Washington D.C. Security in the Cloud - AWS Symposium 2014 - Washington D.C.
Security in the Cloud - AWS Symposium 2014 - Washington D.C. Amazon Web Services
 
Putting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScalePutting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScaleAmazon Web Services
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAmazon Web Services
 
Advanced Techniques for DDoS Mitigation and Web Application Defense | AWS Pub...
Advanced Techniques for DDoS Mitigation and Web Application Defense | AWS Pub...Advanced Techniques for DDoS Mitigation and Web Application Defense | AWS Pub...
Advanced Techniques for DDoS Mitigation and Web Application Defense | AWS Pub...Amazon Web Services
 
Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices Amazon Web Services
 

What's hot (20)

AWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by DesignAWS Enterprise Summit Netherlands - Infosec by Design
AWS Enterprise Summit Netherlands - Infosec by Design
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”
 
Compliance with AWS
Compliance with AWSCompliance with AWS
Compliance with AWS
 
Check Point Software Technologies: Secure Your AWS Workloads
 Check Point Software Technologies: Secure Your AWS Workloads Check Point Software Technologies: Secure Your AWS Workloads
Check Point Software Technologies: Secure Your AWS Workloads
 
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
Secure Applications and FedRAMP in the AWS GovCloud (US) Region (SEC204) | AW...
 
HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017
 HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017 HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017
HIPAA / HITRUST Account Governance Strategies | | AWS Public Sector Summit 2017
 
Smartronix - Building Secure Applications on the AWS Cloud
Smartronix - Building Secure Applications on the AWS CloudSmartronix - Building Secure Applications on the AWS Cloud
Smartronix - Building Secure Applications on the AWS Cloud
 
Security and Compliance in the Cloud
Security and Compliance in the Cloud Security and Compliance in the Cloud
Security and Compliance in the Cloud
 
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
 
Automating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS CloudAutomating Event Driven Security in the AWS Cloud
Automating Event Driven Security in the AWS Cloud
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through Automation
 
Security in the Cloud - AWS Symposium 2014 - Washington D.C.
Security in the Cloud - AWS Symposium 2014 - Washington D.C. Security in the Cloud - AWS Symposium 2014 - Washington D.C.
Security in the Cloud - AWS Symposium 2014 - Washington D.C.
 
Putting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScalePutting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud Scale
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
 
Aws security Fundamentals
Aws security Fundamentals Aws security Fundamentals
Aws security Fundamentals
 
Advanced Techniques for DDoS Mitigation and Web Application Defense | AWS Pub...
Advanced Techniques for DDoS Mitigation and Web Application Defense | AWS Pub...Advanced Techniques for DDoS Mitigation and Web Application Defense | AWS Pub...
Advanced Techniques for DDoS Mitigation and Web Application Defense | AWS Pub...
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
Security & Compliance (Part 2)
Security & Compliance (Part 2)Security & Compliance (Part 2)
Security & Compliance (Part 2)
 
Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices
 

Similar to Compliance in the Cloud Using Security by Design

Compliance in the cloud using sb d toronto-summit-v1.0
Compliance in the cloud using sb d toronto-summit-v1.0Compliance in the cloud using sb d toronto-summit-v1.0
Compliance in the cloud using sb d toronto-summit-v1.0Amazon Web Services
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignAmazon Web Services
 
Compliance in the Cloud Using “Security by Design” Principles
Compliance in the Cloud Using “Security by Design” PrinciplesCompliance in the Cloud Using “Security by Design” Principles
Compliance in the Cloud Using “Security by Design” PrinciplesAmazon Web Services
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignAmazon Web Services
 
LIFT OFF 2017: AWS and Cloud Computing
LIFT OFF 2017: AWS and Cloud ComputingLIFT OFF 2017: AWS and Cloud Computing
LIFT OFF 2017: AWS and Cloud ComputingRobert Herjavec
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersJames Strong
 
An Evolving Security Landscape – Security Patterns in the Cloud
An Evolving Security Landscape – Security Patterns in the CloudAn Evolving Security Landscape – Security Patterns in the Cloud
An Evolving Security Landscape – Security Patterns in the CloudAmazon Web Services
 
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...Amazon Web Services
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPFaiza Mehar
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
Cloud Security, Risk and Compliance on AWS
Cloud Security, Risk and Compliance on AWSCloud Security, Risk and Compliance on AWS
Cloud Security, Risk and Compliance on AWSKarim Hopper
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24
 
CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionTom Laszewski
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?AWS Germany
 
How We Should Think About Security
How We Should Think  About SecurityHow We Should Think  About Security
How We Should Think About SecurityAmazon Web Services
 
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...Amazon Web Services
 
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...Amazon Web Services
 
1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance   wwps pre-day sao paolo - markry1. aws security and compliance   wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markryAmazon Web Services LATAM
 

Similar to Compliance in the Cloud Using Security by Design (20)

Compliance in the cloud using sb d toronto-summit-v1.0
Compliance in the cloud using sb d toronto-summit-v1.0Compliance in the cloud using sb d toronto-summit-v1.0
Compliance in the cloud using sb d toronto-summit-v1.0
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
 
Compliance in the Cloud Using “Security by Design” Principles
Compliance in the Cloud Using “Security by Design” PrinciplesCompliance in the Cloud Using “Security by Design” Principles
Compliance in the Cloud Using “Security by Design” Principles
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
 
LIFT OFF 2017: AWS and Cloud Computing
LIFT OFF 2017: AWS and Cloud ComputingLIFT OFF 2017: AWS and Cloud Computing
LIFT OFF 2017: AWS and Cloud Computing
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
 
An Evolving Security Landscape – Security Patterns in the Cloud
An Evolving Security Landscape – Security Patterns in the CloudAn Evolving Security Landscape – Security Patterns in the Cloud
An Evolving Security Landscape – Security Patterns in the Cloud
 
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCP
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Cloud Security, Risk and Compliance on AWS
Cloud Security, Risk and Compliance on AWSCloud Security, Risk and Compliance on AWS
Cloud Security, Risk and Compliance on AWS
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
 
CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps session
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?
 
How We Should Think About Security
How We Should Think  About SecurityHow We Should Think  About Security
How We Should Think About Security
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
 
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
 
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...
 
1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance   wwps pre-day sao paolo - markry1. aws security and compliance   wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....rightmanforbloodline
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهMohamed Sweelam
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMKumar Satyam
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformWSO2
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 

Recently uploaded (20)

Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
TEST BANK For Principles of Anatomy and Physiology, 16th Edition by Gerard J....
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governance
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 

Compliance in the Cloud Using Security by Design

  • 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tim Sandage, Sr. Security Partner Strategist Vidhya Krishnamoorthy, Sr. Engineer, DevOps, VeriFone July 13, 2016 Compliance in the Cloud Using Security by Design
  • 2. Problem Statement Increasing complexity (mobility, system connectivity) causes increasing difficulty in managing risk and security and demonstrating compliance.
  • 3. Current State – Technology Governance Policies Procedures and Guidelines Standards
  • 4. Issues – Technology Governance The majority of technology governance processes relies predominantly on administrative and operational security controls with LIMITED technology enforcement. Assets ThreatVulnerability Risk AWS has an opportunity to innovate and advance Technology Governance Services.
  • 5. Flexibility and Complexity What is the regulatory requirement? What's in-scope or out- of-scope? How to verify the standards are met?
  • 6. Security by Design Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process. Identity & Access Management CloudTrail CloudWatch Config Rules Trusted Advisor Cloud HSMKey Management Service Directory Service
  • 7. Security by Design - Design Principles • Build security in every layer • Design for failures • Implement auto-healing • Think parallel • Plan for Breach • Don't fear constraints • Leverage different storage options • Design for cost • Treat Infrastructure as Code • Modular • Versioned • Constrained Developing new risk mitigation capabilities, which go beyond global security frameworks, by treating risks, eliminating manual processes, optimizing evidence and audit ratifications processes through rigid automation
  • 8. SbD - Eco-system Security by Design (SbD) AWS CloudFormation AWS Config Rules Amazon Inspector
  • 9. SbD - Modernize Tech Governance (MTG) Why? Complexity is growing, making the old way to govern technology obsolete You need automation that AWS offers to manage security
  • 10. Goal - Modernize Tech Governance (MTG) Adopting “Prevent” controls, making “Detect” controls more powerful and comprehensive
  • 11. SbD - Modernizing Technology Governance (MTG) 1.2 Identify Your Workloads Moving to AWS 2.1 Rationalize Security Requirements 2.2 Define Data Protections and Controls 2.3 Document Security Architecture 3.1 Build/deploy Security Architecture 1. Decide what to do (Strategy) 2. Analyze and Document (outside of AWS) 1.1 Identify Stakeholders 3. Automate, Deploy & Monitor 3.2 Automate Security Operations 4. Certify 3.3 Continuous Monitor 4.1 Audit and Certification 3.4 Testing and Game Days
  • 12. SbD – Rationalize Security Requirements AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security configuration guides that will align to multiple security frameworks globally. https://www.cisecurity.org/ The Benchmarks are: • Recommended technical control rules/values for hardening operating systems, middle ware and software applications, and network devices • Distributed free of charge by CIS in .PDF format • Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.
  • 13. SbD – AWS CIS Benchmark Scope Foundational Benchmark CloudTrail Config & Config Rules Key Management Service Identity & Access Management CloudWatch S3 SNS Three-tier Web Architecture EC2 Elastic Load Balancing VPC Direct Connect Amazon Elastic Block Store Cloud HSM Glacier Route 53VPN Gateway CloudFront
  • 14. Define Data Protections and Controls
  • 16. Business Case: VeriFone Commerce Platform • Global leader in secure POS solutions • Commerce Portal: Secure B2B App Marketplace and Developer Platform enabling merchants to customize the point of sale through innovative apps that provide customers with rich, contextual experiences in store
  • 17. S3 CodeDeploy Cloud FormationKMS Note: All tiers are designed for auto-scaling, automated Multi-AZ failover CloudHSM CloudTrail
  • 18. Security Considerations ● Multiple AWS accounts ● VPC, private subnets for application servers and RDS ● Minimal network perimeter (Only SSL Terminating Reverse Proxy in DMZ) ● Tightened Security Groups - fine grained rules for ports and CIDRs ● Immutable Docker containers, CloudTrail, Log aggregation using Splunk ● Compliance with “All code stays on-premises”
  • 19. Security Considerations (Contd) ● CIS-benchmarked AMIs ● Hardened Linux/Software ● KMS-based secret management ● Two-factor authentication on AMIs ● Advanced user and key management using LDAP. Elimination of ec2-user ● HSM for secure data/keys
  • 20. Secure Code Delivery Pipeline Dev Code + Dockerfil e S3/KMS Pro d Code Docker Image
  • 21. Other Benefits Availability: HA with Multi-AZ solution Auto-Scaling Innovation: Infrastructure as Code Agility and Flexibility Ansible-based config management Dockerfiles for software provisioning Full CI/CD
  • 22. Next Steps • Continue Security by Design approach – AWS WAF for firewall • Enhance User Management - LDAP authentication/SSO approaches • EC2 Run Command/Opsworks for operations • ECS for Docker and ECR for Docker Registry
  • 23. Partnership • Established a AWS/DevOps philosophy at Verifone • Architected/Implemented foundation layer for the Verifone solution • Built a POC that provided security with agility
  • 24. SbD – Automate Security Operations Automate deployments, provisioning, and configurations of the AWS customer environments CloudFormation Service CatalogStack Template Instances AppsResources Stack Stack Design Package Products Portfolios DeployConstrain Identity & Access Management Set Permissions
  • 25. AWS CloudTrail EMR Kinesis VPC ELB S3 Lambda AWS ConfigAWS CloudWatch IoT Other Services Add-on for AWS Splunk App for AWS Explore Analyze Dashboard Alert Use Cases for AWS: Security Intelligence (Cloudtrail, Cloudwatch, VPC) Operational Intelligence (CloudWatch, ELB, etc.) DevOps Intelligence (CloudWatch, Lambda) Big Data Insights (Kinesis, EMR, IoT, S3) Continuous Monitor – Splunk
  • 26. AWS CloudTrail Resource Activity Splunk App for AWS – Visualize & Monitor AWS CloudTrail User Activity
  • 27. SbD - Modernizing Technology Governance (MTG) Automate Governance Automate Deployments Automate Security Operations Continuous Compliance
  • 28. Closing the Loop SbD - Modernizing Technology Governance Result: Reliable technical implementation and enforcement of operational and administrative controls
  • 29. AWS Resources Amazon Web Services Cloud Compliance • https://aws.amazon.com/compliance/ SbD website and whitepaper – to wrap your head around this • https://aws.amazon.com/compliance/security-by-design/