GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To Mission

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
GPS: Game Changing C2S Services To
Transform Your Customers’ Speed To Mission
D a v i d W a d e , N A T S E C S o l u t i o n s A r c h i t e c t
J e r o m e J o h n s o n , N A T S E C S o l u t i o n s A r c h i t e c t
N o v e m b e r 2 8 , 2 0 1 7
G P S W K S 4 0 4

Session overview
• Voice of the customer
• C2S game changers
• DevSecOps–where are we now?
• Workshop–cross domain DevSecOps environment

Voice of the customer

C2S game changers

Commercial Cloud Services (C2S) regions
Availability
Zone A
Availability
Zone B
Regional AZ
TS
Region
Unclassified
commercial AWS
(Global, US, or
GovCloud regions)
Availability
Zone A
Availability
Zone B
Regional AZ
Secret
Region

DataCompute
DevOps and Management
Amazon
EC2
C2S services—new for 2017
AWS Marketplace
IC Marketplace
AWS SnowballAWS Data Pipeline
AWS
CodeDeploy*
AWS Config
AWS Directory
Service
DB Migration
Service
AWS Diode
C++/.NET/Go
SDKs
X1, P2, C4
RI Volume
Discounts

“C2S Cloud is the most
innovative thing we
have ever done.”
— Jo h n E d w a r d s
C I O , C e n t r a l I n t e l l i g e n c e A g e n c y

What is your game changer?
SPEED
SCALE
TRUTHPOWER
Amazon
DynamoDB
EMR
CloudWatch
Cloud
Formation
CloudTrail
Kinesis
Streams
RedShift
AWS
Config
DB Migration
Service
AWS Diode
Auto
Scaling
AWS Mgmt
Console
STRENGTH
DURABILITY

What is your game changer anti-pattern?
Procurement
6-9 Month ATO
Documentation
RIGID PROCESS
Migrating into C2S

How do we accelerate?
DevSecOps
• Agile DevOps Pipeline code development and deployment model
• Insert security and/or vulnerability assessment into the process
• Results from DevSecOps tools reported automatically to developers, security
teams, and automated monitoring systems
Comprehensive monitoring
• Monitor API state and audit changes that occur at the C2S account level
• Analyze against customizable rules to determine a risk assessment score
• Metadata enrichment and monitoring system dashboard integration maps:
• C2S account to A&A number, ISSM, authorization status
• Instance ID’s to patch data and OSI agent data
• DevOps security analysis tools findings to projects

DevSecOps
Continuous delivery: defined and enforceable pipeline for rapid and
automated software testing and release
Lean startup approach: employing the notion of simplest and
cheapest implementation of an idea
Shifting security to the left: embracing and ensuring security is
properly integrated early, and throughout lifecycle
Security as code: wiring compliance checks and audit into
continuous delivery process and mapping checks into the workflow
Continuous monitoring: persistent and integrated assessments
during development, test and production cycles
Infrastructure as code and containers: automated packaging and
enforcement of security services required for the runtime
environment

12
Robust user access management
1. Project administrators
2. Application user
3. C2S IAM roles
Hardened Amazon Machine Image
1. Enterprise managed
2. Project managed
Secured software defined networks
Controlled encryption
Robust audit
1. AWS Application Programming Interface (API)
2. S3 Audit
3. C2S Access Portal (CAP) audit logs
4. Operating system audit logs
5. Application audit logs
Comprehensive monitoring
S3 Buckets
Enterprise Audit Tools
Security
Visibility

Project delivery lifecycle
• Heavy documentation burden
• Linear process/lacks flexibility
• Point-in-time snapshot
o Documentation
o Risk assessment
Challenges
Benefits/advantages
• Interactive/parallel process
• Streamline documentation
process
• Assessment throughout
lifecycle
• Common baseline across IC
using commercial standards
• Highly responsive to C2S
environment
Risk Evaluation
Cycle 1-3 Years
Risk evaluation
cycle 24 hours
The time to ATO is largely driven
by the time required to develop
the application
Findings report, executive risk, assessment, POAM
Today
Tomorrow
Document &
Deliver
Assess &
Authorize
Continuous
Monitoring
Comprehensive
Monitoring
Continuous Risk
Engine
Document &
Deliver
Assess &
Authorize
Continuous Risk
Evaluation
Comprehensive
Monitoring
6 to 9 Months to ATO
App Development

DevOps in C2S
Where are we now?

DevOps adoption in C2S
DevOps continuous integration and deployment
Version
Control
CI Server
Package
Builder
Dev
Get/
Pull
Code
Images
Staging Env
Test Env
Code
Config
Tests
Prod Env
Config
Generate
Deploy
Server
Push
Push
Artifact Repo
Send build report to Dev
Stop everything if build failed
Commit to
Git/master

Version
Control
CI Server
Package
Builder
Block creds
from Git
Dev
Get/
Pull
Code
Images
Log for audit
Staging Env
Test Env
Code
Config
Tests
Prod Env
Config Checksum
Continuous
Scan
Audit/Validate
Send build report to security
Stop everything if audit/validation failed
DevSecOps continuous integration and deployment
Deploy
Server
Promote
Process
Artifact Repo
Push
Generate
Push

AWS
CodeCommit
AWS
CodeDeploy
AWS
CodePipeline
AWS
CodeBuild
AWS
CloudFormation
AWS
OpsWorks
Continuous integration and deployment

Continuous monitoring and security
Amazon
CloudWatch
AWS
CloudTrail
AWS
Config

DevOps adoption in the IC
Continuous monitoring and security

Migrating your existing pipeline
GitHub Jenkins EC2
Production
Translator

Workshop:
Cross domain DevSecOps
environment

Six capabilities to help you develop
DevSecOps components
1. Create a development pipeline with AWS CodeStar
2. Create a C2S enterprise development environment
3. Integrate DevSecOps compliance checks
4. Operate an isolated region deployment pipeline
5. Continuously monitor your operational environment
6. Deploy a Blue/Green DevSecOps environment

1. Create a development pipeline with
AWS CodeStar
• The challenge
• Getting started with DevOps and AWS Code* tools and setting up a
pipeline can be a big hurdle
• The solution
• Start with AWS CodeStar
• When customizations are required beyond AWS CodeStar
capabilities, extract the AWS CloudFormation scripts to go “manual”
• Accelerates the starting point when you are new to the tools

Quick Review: What is DevOps?
• Union of software development and operations
• Migration of Agile continuous development into continuous
integration and continuous delivery
• DevOps model
• No silos—puts emphasis on communication, collaboration, and cohesion
between disciplines
• Best practices for change, configuration, and deployment automation
• Deliver apps/services at a faster pace
• High speed product updates

DevOps processes: Four major phases
• Check-in
source code
• Peer review
new code
• Compile code
• Unit tests
• Style checkers
• Code metrics
• Create container
images
• Integration tests
with other
systems
• Load testing
• UI tests
• Penetration
testing
• Deployment to
production
environments

Continuous Integration (CI) is…
DevOps software development practice
Refers to build or integration stage of the software release
process
Key activities
 Code changes merges into a central repository
 Automated builds and tests are run
Goals
 Find and address bugs quickly
 Improve software quality
 Reduce time to release new software updates

Continuous Delivery (CD) is…
DevOps software development practice that refers to
deployment stage of the software release process
Key activities
 Deployment of all code changes to a testing and/or a
production environment
 Approval of updates to production from test stages
Goals
 Verify application updates across multiple dimensions before
deployment
 Automate entire software release process
 Pre-emptively discover deployment issues

DevOps release processes: Levels

AWS DevOps portfolio

AWS CodeStar environment
DevOps environment for software
development and continuous
integration and delivery workflow

AWS CodeStar integrated partners

2. Create a C2S enterprise development
environment
• The challenge
• Unique technical requirements must be addressed when
developing for C2S
• Standard, enforceable, repeatable pipeline must be
implemented for DevSecOps
• The solution: C2S development environment
• Multiple commercial vendors provide C2S emulators
• Integrated checks and testing before moving to isolated region
• Provides a common dev/test environment for the enterprise

C2S DevOps—AWS CodeStar
Project X Prod Acct
ChallengesChallenges
Project Y/Z Prod Acct
Project X Prod Acct
Project Y/Z Dev Acct
Project X Dev Acct
“Virtual C2S”
Public Subnet
Squid/NAT
Gateway instance
“Virtual Production”
Private Subnets
AWS
Organizations
Development OU Emulator OUService Control
Policy (SCP)
C2S/NISTEmulator
DevelopmentVPC
SubOrg OU
Service Control
Policy (SCP)
ChallengesChallengesProgram OU
Service Control
Policy (SCP)
Service Control
Policy (SCP)
Organization
Master
Account
Consolidated Billing
Project X Dev Acct
ICD503
Compliant
Environment
Production Acct
CodeDeploy
Data Transfer
System(s)
Development Acct
US-EAST C2S

Project X Prod Acct
ChallengesChallenges
Project Y/Z Prod Acct
Project X Prod Acct
Project Y/Z Dev Acct
Project X Dev Acct
“Virtual C2S”
Public Subnet
Squid/NAT
Gateway instance
“Virtual Production”
Private Subnets
AWS
Organizations
Development OU Emulator OU
C2S/NISTEmulator
DevelopmentVPC
SubOrg OU
ChallengesChallengesProgram OU
Organization
Master
Account
Project X Dev Acct
ICD503
Compliant
Environment
Production Acct
CodeDeploy
Data Transfer
System(s)
Development Acct
US-EAST C2S
C2S DevOps—custom pipeline
AWS
CodeCommit
AWS
CodeBuild
AWS
CodePipeline
Service Control
Policy (SCP)
Service Control
Policy (SCP)
Service Control
Policy (SCP)
Service Control
Policy (SCP)
Consolidated Billing

3. Integrated DevSecOps compliance
checks
• The challenge
• DevOps requires continuous deployments
• Fast decision making is critical to DevOps success
• Traditional security just doesn’t scale or move fast enough
• The solution: DevSecOps compliance
• Integrate security into the pipeline
• Include supporting artifacts as part of the delivery
• Enforce security functions

C2S technical requirements
• Air-gapped region
• No outgoing calls
• Limited AWS service offerings for production environments
• Role-based access with 1-hour token expiration
• Unique endpoints
• SigV4 required
• Certificate authority chains are different

4. Operate an isolated region deployment
pipeline
• The challenge
• You must break the DevOps pipeline in two
• The same tools may not be available in both regions
• You may be limited to certain file types, or no executables
• The solution: isolated region development
• Commercial dev/test deploys changes to Amazon S3 bucket
• S3->S3 transfer with appropriate checks in between
• Checks run by owner of isolated region
• Transfer process handled by the governing body of the region

5. Continuously monitor your operational
environment
• The challenge
• You need to implement continuous monitoring in a compliant
environment but don’t know where to start
• The solution: continuous monitoring with NIST standard templates
• AWS Quick Starts for compliance
• Implement NIST template in your development and operations
environments
• Use monitors included in the NIST template as a starting point

6. Deploy a Blue/Green DevSecOps
environment
• The challenge
• You need to have high availability for your DevSecOps
environment
• The solution: DevSecOps deployment
• Create a Blue/Green deployment using AWS CodeDeploy

Thank you!
D a v i d W a d e – w a d e d a v e @ a m a z o n . c o m
J e r o m e J o h n s o n – j j o h n i i @ a m a z o n . c o m

GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To Mission

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To Mission

Similar to GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To Mission (20)

More from Amazon Web Services

More from Amazon Web Services (20)

GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To Mission