Governance as Code
Using Security by Design
John McDonald
Head of Risk & Compliance – Americas
AWS Global Financial Services
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly, and reliably leverage the benefits of this increasingly ubiquitous computing model.”
— Gartner (9/22/15): Clouds Are Secure: Are You Using Them Securely?
Governance & the Shared Responsibility Model
Compliance is a joint effort, with customers managing their programs and data
Customer – responsibility for security IN the cloud:
• Customer data management
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Operations compliance, control implementation & enforcement, monitoring
• Network traffic protection (encryption / integrity / identity)
AWS – responsibility for security OF the cloud:
• Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Governance as Code Key Concepts
The big rock ideas to remember from today
1. Changing the Cloud Governance Model
2. Implementing a Security by Design Deployment Model
3. Continuous Compliance Using Dedicated Tooling
Problem Statement
How to be compliant in the cloud at scale
Increasing complexity (mobility, system connectivity, speed of innovation, threat vectors, etc.) causes increasing difficulty in managing risk and security and in demonstrating compliance to control frameworks.
Current State of Technology Governance
The Department of Nervousness is responsible for their own piece of the pie
Policies, Standards, Procedures and Guidelines… then get translated into IT speak… and become tactical IT implementations across multiple environments… you hope.
Opportunity: Modernize Technology Governance
Move from manual implementations to automation so you sleep well at night
Technology governance relies predominantly on administrative & operational security controls with LIMITED technology enforcement… and usually only at the RISK point.
[Figure: Assets, Threat and Vulnerability overlapping at RISK]
The cloud has an opportunity to innovate and advance Technology Governance Services.
SbD – Modernize Technology Governance
Why change what we have been doing for years?
Complexity is growing… making the old way to govern technology obsolete.
Goal: adopt “Prevent” controls to make “Detect” controls more powerful. You need automation to manage security in real time.
SbD – Modern IT Governance in the Cloud
New process for managing governance in the Cloud
1. Decide what to do (Strategy)
   1.1 Identify Stakeholders
   1.2 Identify Your Workloads Moving to AWS
2. Analyze and Document (outside of AWS)
   2.1 Rationalize Security Requirements
   2.2 Define Data Protections and Controls
   2.3 Document Security Architecture
3. Automate, Deploy & Monitor
   3.1 Build/deploy Security Architecture
   3.2 Automate Security Operations
   3.3 Continuous Monitor
   3.4 Testing and Game Days
4. Certify
   4.1 Audit and Certification
The Cloud Brings Flexibility and Complexity
Security standards must be enforced across multiple services
• Single VPC or multiple VPCs?
• How many AWS accounts?
• Public or private subnets?
• What type of encryption? Who will manage the keys?
• IAM groups or roles?
• Security groups or NACLs?
• What is the regulatory requirement?
• What's in-scope or out-of-scope?
• How to verify the standards are met?
• Can we use S3 for this?
• Which AWS database?
Security by Design - Overview
Security & Governance through automation
Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process.
Services: Identity & Access Management, CloudTrail, CloudWatch, Config Rules, Trusted Advisor, CloudHSM, Key Management Service, Directory Service
Security by Design – Key Design Factors
Develop new risk mitigation capabilities via rigid automation and optimized audit evidence
• Build security in every layer by default
• Design for failures… of services, of controls, of people
• Implement auto-healing using reactive controls
• Think parallel… look for what can be rather than for what is
• Plan for breach… and rehearse the breach scenarios
• Don't fear constraints… they are your friend
• Treat infrastructure as code… modular, versioned, constrained
SbD - Standard Security Baseline Example
AWS has partnered with CIS Benchmarks to create consensus-based best practices
• Technical control rules/values for hardening OS, middleware, applications, & network devices
• Used by thousands of enterprises as the basis for security configuration policies in the cloud
• Distributed free of charge by CIS in PDF format: https://www.cisecurity.org
• Available in AWS via Quick Start templates and deployment guides: AWS CIS Benchmark Quick Starts
SbD – Compliance Standard Benefits
Defined data protections and controls for global requirements
SbD – AWS CIS Benchmark Scope
Best practices for infrastructure & application deployments
Foundational Benchmark: CloudTrail, Config & Config Rules, Key Management Service, Identity & Access Management, CloudWatch, S3, SNS
Three-tier Web Architecture: EC2, Elastic Load Balancing, VPC, Direct Connect, Amazon EBS, CloudHSM, Glacier, Route 53, VPN Gateway, CloudFront
SbD – Automate Security Operations
Automate deployments, provisioning, and configurations of the AWS customer environments
[Figure: CloudFormation (Template: Design, Package) → Service Catalog (Products & Portfolios: Constrain, Deploy) → Stacks of Instances, Apps, Resources; Identity & Access Management: Set Permissions]
Continuous Compliance in the Cloud
A new paradigm for cloud governance and control validation
Today’s Challenges
• Validating compliance to IT controls occurs once or twice a year
• This is usually done manually, in time-consuming audits
• You hope you see the controls people say are there… and that they will stay that way
The Revolution
• In the cloud, we can prove controls exist in real time… across all accounts
• We can test new environments at almost the push of a button
• Real-time portals for any compliance regime, for any audience
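The “Prevent” control and the Service Catalog “Constrain” step described above, worked as an added example that is not code from this deck: a small governance-as-code gate that evaluates a CloudFormation template against a few CloudTrail and log-bucket controls before anything is deployed, and reports the corrected template as passing. The control ids, both sample templates and the TrailKey logical id are constructed for this example; the rules are modeled on the CIS AWS Foundations Benchmark CloudTrail controls.

```python
"""Governance-as-code gate: evaluate a CloudFormation template against a few
preventive controls before it is deployed (the "Constrain" step before "Deploy").
Added example, not code from the original deck: control ids and both templates
are constructed, modeled on the CIS AWS Foundations Benchmark CloudTrail controls."""
import copy
import json
from dataclasses import dataclass

# Constructed sample: a trail that misses several controls, logging to a
# bucket that does not block public access.
WEAK_TEMPLATE = json.loads("""
{"Resources": {
  "LogBucket": {"Type": "AWS::S3::Bucket",
                "Properties": {"BucketName": "example-trail-logs"}},
  "AuditTrail": {"Type": "AWS::CloudTrail::Trail",
                 "Properties": {"IsLogging": true,
                                "IsMultiRegionTrail": false,
                                "EnableLogFileValidation": false,
                                "S3BucketName": {"Ref": "LogBucket"}}}}}
""")

# Corrected version of the same template: every control satisfied.
HARDENED_TEMPLATE = copy.deepcopy(WEAK_TEMPLATE)
HARDENED_TEMPLATE["Resources"]["AuditTrail"]["Properties"].update({
    "IsMultiRegionTrail": True,
    "EnableLogFileValidation": True,
    "KMSKeyId": {"Ref": "TrailKey"},  # hypothetical AWS::KMS::Key logical id
})
HARDENED_TEMPLATE["Resources"]["LogBucket"]["Properties"][
    "PublicAccessBlockConfiguration"] = {
    "BlockPublicAcls": True, "BlockPublicPolicy": True,
    "IgnorePublicAcls": True, "RestrictPublicBuckets": True}

# Trail properties that must be literally true, each with an illustrative control id.
TRAIL_REQUIRED_TRUE = {
    "IsLogging": "TRAIL-LOGGING",
    "IsMultiRegionTrail": "TRAIL-ALL-REGIONS",
    "EnableLogFileValidation": "TRAIL-LOG-VALIDATION",
}
BUCKET_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                     "IgnorePublicAcls", "RestrictPublicBuckets")

@dataclass(frozen=True)
class Finding:
    resource: str  # logical id of the offending resource
    control: str   # illustrative control id (not CIS numbering)
    message: str

def resources_of_type(template, type_name):
    """Yield (logical_id, properties) for every resource of the given type."""
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == type_name:
            yield name, res.get("Properties", {})

def check_cloudtrail(template):
    """A trail must exist, log all regions, validate log files and encrypt with KMS."""
    trails = list(resources_of_type(template, "AWS::CloudTrail::Trail"))
    findings = []
    if not trails:
        findings.append(Finding("<template>", "TRAIL-PRESENT",
                                "no AWS::CloudTrail::Trail defined"))
    for name, props in trails:
        for prop, control in TRAIL_REQUIRED_TRUE.items():
            # 'is not True' rejects false, a missing key and the string "true" alike
            if props.get(prop) is not True:
                findings.append(Finding(name, control, f"{prop} is not true"))
        if not props.get("KMSKeyId"):
            findings.append(Finding(name, "TRAIL-KMS", "KMSKeyId is not set"))
    return findings

def check_log_buckets(template):
    """Each bucket a trail writes to must block all four public-access paths."""
    findings = []
    for trail, props in resources_of_type(template, "AWS::CloudTrail::Trail"):
        target = props.get("S3BucketName")
        # Only buckets declared in this template (via Ref) can be inspected here;
        # an external bucket name is reported so it gets checked elsewhere.
        if not isinstance(target, dict) or "Ref" not in target:
            findings.append(Finding(trail, "BUCKET-EXTERNAL",
                                    "log bucket is not declared in this template"))
            continue
        bucket_id = target["Ref"]
        bucket_props = template["Resources"].get(bucket_id, {}).get("Properties", {})
        block = bucket_props.get("PublicAccessBlockConfiguration", {})
        missing = [k for k in BUCKET_BLOCK_KEYS if block.get(k) is not True]
        if missing:
            findings.append(Finding(bucket_id, "BUCKET-PUBLIC-BLOCK",
                                    "public access block incomplete: " + ", ".join(missing)))
    return findings

def evaluate(template):
    """Run every control; an empty list means the template may be deployed."""
    return check_cloudtrail(template) + check_log_buckets(template)

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        findings = evaluate(tpl)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  [{f.control}] {f.resource}: {f.message}")
```

Run as a pipeline step, a non-empty finding list blocks the deployment; the same functions can run against deployed configuration snapshots to give the real-time evidence the slide asks for.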
Governance as Code Tools & Sources
AWS enables you to automate tasks for comprehensive governance
• AWS Trusted Advisor: best practices (or checks) in five categories: cost optimization, security, fault tolerance, performance, and service limits.
• AWS Identity & Access Mgmt. (IAM): securely control access to AWS services and resources for your users.
• Amazon Inspector: automatically assesses applications for vulnerabilities or deviations from best practices.
• AWS Service Catalog & CloudFormation: AWS tools to manage approved services and environments across all accounts, lines of business, and user bases.
• Amazon Macie: security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.
• AWS Shield Advanced: managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS.
• AWS CloudTrail: service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
• AWS Organizations: policy-based controls & cost management for multiple AWS accounts.
• AWS Config & Config Rules: AWS resource inventory, configuration history, and configuration change notifications & preventive rules.
• Amazon GuardDuty: uses machine learning for automated threat detection, allowing you to continuously monitor and protect AWS accounts and workloads.
• AWS Systems Manager: fleet management service that helps you automatically collect software inventory, apply OS patches, create system images,
• Amazon CloudWatch: gives you system-wide visibility into resource utilization, application performance, and operational health.
Continuous Compliance Tooling
One tool is critical for compliance team success
SbD – Key Principles
Modernizing technology governance through code
• Automate Deployments
• Automate Security Operations
• Continuous Compliance
• Automate Governance
Governance as Code Key Takeaways
The big rock ideas to remember from today
• Security by Design: creates a control environment that cannot be overridden by the users who aren’t allowed to modify those functions.
• Modernize IT Governance: a modern cloud-based approach will deliver game-changing results, and change your audit practices.
• Continuous Compliance: creates an ongoing measure of your cloud security & health across multiple dimensions & all your applications.
Consistent implementation, measurement & enforcement of operational controls
AWS Governance as Code Resources
Key resources to help you on your journey to a secure and compliant cloud
• Amazon Web Services Cloud Compliance: https://aws.amazon.com/compliance/
• SbD website and whitepaper – to wrap your head around this: https://aws.amazon.com/compliance/security-by-design/
• AWS Well-Architected Framework – Security Pillar: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
• AWS Cloud Adoption Framework – Security Perspective: https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
Thank you!
John McDonald
Head of Risk & Compliance – Americas
AWS Global Financial Services
johnemcd@amazon.om

 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Implementing Governance as Code

  • 1. Governance as Code Using Security by Design. John McDonald, Head of Risk & Compliance – Americas, AWS Global Financial Services.
  • 2. "CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly, and reliably leverage the benefits of this increasingly ubiquitous computing model." — Gartner (9/22/15): Clouds Are Secure: Are You Using Them Securely?
  • 3. Governance & the Shared Responsibility Model. Compliance is a joint effort, with customers managing their programs and data. Customer (responsibility for security IN the cloud): customer data management; operating system, network & firewall configuration; platform, applications, identity & access management; client-side data encryption & data integrity authentication; operations compliance, control implementation & enforcement, monitoring; networking traffic protection (encryption / integrity / identity). AWS (responsibility for security OF the cloud): compute, storage, database, networking; AWS Global Infrastructure: edge locations, regions, availability zones.
  • 4. Governance as Code Key Concepts. The big rock ideas to remember from today: 1. Changing the Cloud Governance Model; 2. Implementing a Security by Design Deployment Model; 3. Continuous Compliance Using Dedicated Tooling.
  • 5. Problem Statement. How to be compliant in the cloud at scale. Increasing complexity (mobility, system connectivity, speed of innovation, threat vectors, etc.) causes increasing difficulty in managing risk and security and demonstrating compliance to control frameworks.
  • 6. Current State of Technology Governance. The Department of Nervousness is responsible for their own piece of the pie. Policies, procedures and guidelines, and standards then get translated into IT speak, and become tactical IT implementations across multiple environments... you hope.
  • 7. Opportunity: Modernize Technology Governance. Move from manual implementations to automation so you sleep well at night. Technology governance relies predominantly on administrative & operational security controls with LIMITED technology enforcement, and usually only at the RISK point (Assets, Threat, Vulnerability → RISK). The cloud has an opportunity to innovate and advance Technology Governance Services.
  • 8. SbD – Modernize Technology Governance. Why change what we have been doing for years? Complexity is growing, making the old way to govern technology obsolete. Goal: adopt "Prevent" controls to make "Detect" controls more powerful. You need automation to manage security in real time.
  • 9. SbD – Modern IT Governance in the Cloud. New process for managing governance in the Cloud: 1. Decide what to do (Strategy): 1.1 Identify Stakeholders; 1.2 Identify Your Workloads Moving to AWS. 2. Analyze and Document (outside of AWS): 2.1 Rationalize Security Requirements; 2.2 Define Data Protections and Controls; 2.3 Document Security Architecture. 3. Automate, Deploy & Monitor: 3.1 Build/deploy Security Architecture; 3.2 Automate Security Operations; 3.3 Continuous Monitor; 3.4 Testing and Game Days. 4. Certify: 4.1 Audit and Certification.
  • 10. The Cloud Brings Flexibility and Complexity. Security standards must be enforced across multiple services. Single VPC or multiple VPCs? How many AWS accounts? Public or private subnets? What type of encryption? Who will manage the keys? IAM groups or roles? Security groups or NACLs? What is the regulatory requirement? What's in-scope or out-of-scope? How to verify the standards are met? Can we use S3 for this? Which AWS database?
  • 11. Security by Design – Overview. Security & governance through automation. Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Services: Identity & Access Management, CloudTrail, CloudWatch, Config Rules, Trusted Advisor, CloudHSM, Key Management Service, Directory Service. Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process.
  • 12. Security by Design – Key Design Factors. Develop new risk mitigation capabilities via rigid automation and optimized audit evidence: build security in every layer by default; design for failures of services, of controls, of people; implement auto-healing using reactive controls; think parallel, look for what can be rather than for what is; plan for breach, and rehearse the breach scenarios; don't fear constraints, they are your friend; treat infrastructure as code: modular, versioned, constrained.
  • 13. SbD – Standard Security Baseline Example. AWS has partnered with CIS Benchmarks to create consensus-based best practices: technical control rules/values for hardening OS, middleware, applications, & network devices; used by thousands of enterprises as the basis for security configuration policies in the cloud; distributed free of charge by CIS in PDF format: https://cissecueity.org; available in AWS via Quick Start templates and deployment guides: AWS CIS Benchmark Quick Starts.
  • 14. SbD – Compliance Standard Benefits. Defined data protections and controls for global requirements.
  • 15. SbD – AWS CIS Benchmark Scope. Best practices for infrastructure & application deployments. Foundational Benchmark: CloudTrail, Config & Config Rules, Key Management Service, Identity & Access Management, CloudWatch, S3, SNS. Three-tier Web Architecture: EC2, Elastic Load Balancing, VPC, Direct Connect, Amazon EBS, CloudHSM, Glacier, Route 53, VPN Gateway, CloudFront.
  • 16. SbD – Automate Security Operations. Automate deployments, provisioning, and configurations of the AWS customer environments. CloudFormation: design a template, deploy it as a stack of instances, apps and resources. Service Catalog: package templates as products & portfolios, constrain them, and deploy stacks. Identity & Access Management: set permissions.
  • 17. Continuous Compliance in the Cloud. A new paradigm for cloud governance and control validation. Today's challenges: validating compliance to IT controls occurs once or twice a year; this is usually done manually, in time-consuming audits; you hope you see the controls people say are there, and that they will stay that way. The revolution: in the cloud, we can prove controls exist in real time, across all accounts; we can test new environments at almost the push of a button; see real-time portals for any compliance regime, for any audience.
  • 18. Governance as Code Tools & Sources. AWS enables you to automate tasks for comprehensive governance. AWS Trusted Advisor: best practices (or checks) in five categories: cost optimization, security, fault tolerance, performance, and service limits. AWS Identity & Access Management (IAM): securely control access to AWS services and resources for your users. Amazon Inspector: automatically assesses applications for vulnerabilities or deviations from best practices. AWS Service Catalog & CloudFormation: AWS tools to manage approved services and environments across all accounts, lines of business, and user bases. Amazon Macie: security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. AWS Shield Advanced: managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. AWS CloudTrail: a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. AWS Organizations: policy-based controls & cost management for multiple AWS accounts. AWS Config & Config Rules: AWS resource inventory, configuration history, and configuration change notifications & preventive rules. Amazon GuardDuty: uses machine learning for automated threat detection, allowing you to continuously monitor and protect AWS accounts and workloads. AWS Systems Manager: fleet management service that helps you automatically collect software inventory, apply OS patches, create system images, Amazon CloudWatch: gives you system-wide visibility into resource utilization, application performance, and operational health.
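The continuous-compliance idea on slides 11, 17 and 18 (a Config rule proving that a control from the CIS foundational baseline is actually in place, across every resource it sees) as an added example, not code from the deck or from AWS: a minimal evaluator in the shape of an AWS Config custom rule, run offline over constructed configuration items. The `invokingEvent`/`configurationItem` layout is a simplified version of what a Config rule receives, and the `publicAccess`/`defaultEncryption` fields are assumed sample fields, not the real S3 configuration schema.

```python
# Added example (not code from the deck or from AWS): a governance-as-code check
# in the shape of an AWS Config custom rule, run offline over constructed items.
import json
def check_trail(cfg):
    """CloudTrail baseline: multi-region trail with log file validation on."""
    gaps = []
    if not cfg.get("isMultiRegionTrail"):
        gaps.append("trail is not multi-region")
    if not cfg.get("logFileValidationEnabled"):
        gaps.append("log file validation disabled")
    return gaps

def check_bucket(cfg):
    """S3 baseline: not public, encrypted at rest by default. The fields
    publicAccess/defaultEncryption are assumed sample fields, not the Config schema."""
    gaps = []
    if cfg.get("publicAccess", "none") != "none":
        gaps.append("bucket allows public access")
    if not cfg.get("defaultEncryption"):
        gaps.append("no default encryption")
    return gaps

RULES = {"AWS::CloudTrail::Trail": check_trail, "AWS::S3::Bucket": check_bucket}

def evaluate(event):
    """Verdict for one invocation event, in Config's compliance vocabulary."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    check = RULES.get(item["resourceType"])
    if check is None:  # resource type outside the baseline's scope
        return {"resourceId": item["resourceId"],
                "complianceType": "NOT_APPLICABLE", "annotation": "no rule"}
    gaps = check(item["configuration"])
    return {"resourceId": item["resourceId"],
            "complianceType": "NON_COMPLIANT" if gaps else "COMPLIANT",
            "annotation": "; ".join(gaps) or "meets baseline"}

def evaluate_fleet(events):
    """Roll per-resource verdicts up the way a compliance portal would."""
    return {r["resourceId"]: r["complianceType"] for r in map(evaluate, events)}

def make_event(rtype, rid, configuration):
    """Simplified Config invocation event (constructed sample, not a capture)."""
    item = {"resourceType": rtype, "resourceId": rid, "configuration": configuration}
    return {"invokingEvent": json.dumps({"configurationItem": item})}

SAMPLE_EVENTS = [  # constructed fleet: two trails, two buckets, one out-of-scope
    make_event("AWS::CloudTrail::Trail", "org-trail",
               {"isMultiRegionTrail": True, "logFileValidationEnabled": True}),
    make_event("AWS::CloudTrail::Trail", "dev-trail",
               {"isMultiRegionTrail": False, "logFileValidationEnabled": True}),
    make_event("AWS::S3::Bucket", "audit-logs",
               {"publicAccess": "none", "defaultEncryption": "aws:kms"}),
    make_event("AWS::S3::Bucket", "marketing-site",
               {"publicAccess": "read", "defaultEncryption": None}),
    make_event("AWS::Lambda::Function", "fn-1", {}),
]
```

Calling `evaluate_fleet(SAMPLE_EVENTS)` gives the per-resource view a real-time compliance portal would show; the `annotation` of each `evaluate` result is the audit evidence explaining why a resource failed.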
  • 19. Continuous Compliance Tooling. One tool is critical for compliance team success.
  • 20. SbD – Key Principles. Modernizing technology governance through code: Automate Deployments; Automate Security Operations; Continuous Compliance; Automate Governance.
  • 21. Governance as Code Key Takeaways. The big rock ideas to remember from today. Security by Design: creates a control environment that cannot be overridden by users who aren't allowed to modify those functions; consistent implementation, measurement & enforcement of operational controls. Modernize IT Governance: a modern cloud-based approach will deliver game-changing results, and change your audit practices. Continuous Compliance: creates an ongoing measure of your cloud security & health across multiple dimensions & all your applications.
  • 22. AWS Governance as Code Resources. Key resources to help you on your journey to a secure and compliant cloud:
      • Amazon Web Services Cloud Compliance: https://aws.amazon.com/compliance/
      • SbD website and whitepaper – to wrap your head around this: https://aws.amazon.com/compliance/security-by-design/
      • AWS Well-Architected Framework – Security Pillar: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
      • AWS Cloud Adoption Framework – Security Perspective: https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
  • 23. Thank you! John McDonald, Head of Risk & Compliance – Americas, AWS Global Financial Services, johnemcd@amazon.om