26. Compliance in the cloud at NN
Leon Kortekaas
Manager Cloud Integration (AWS, Azure, Windows / Linux and CI/CD tooling)
Leon.kortekaas@nn-group.com
27. International financial services company with strong businesses in Europe and Japan
Some facts and figures
• NN’s roots lie in the 18th-century Netherlands
• Strong business positions; market positions built organically
• Unified international culture with shared best practices
• 17 million customers (excl. NN IP)
• About 15,000 employees
• Successful IPO on 2 July 2014
• Businesses rebranded to “NN” in 2015
• ING’s divestment of NN Group completed in April 2016
• Tender offer for Delta Lloyd successfully completed in April 2017
• Shareholders’ equity of EUR 22.7 bn at 15 February 2018
• Credit ratings (1): A/stable (S&P), A+/stable (Fitch)
Our brand promise: ‘You matter’
(1) Financial Strength Ratings
Key takeaways:
1. We are a European financial company, meaning we are regulated by the Dutch National Bank but also by other regulators
2. We have a lot of ‘proven technology’
3. We are of reasonable size
28. Overview of steps
Step 1: Perform a risk assessment
Step 2: Set boundaries with a set of compliance principles
Step 3: Determine a list of security principles
The security principles are meant to mitigate the risks found during the cloud risk assessment. The security principles should be checked against the compliance principles. This cloud risk and security framework is sent to the regulators for approval.
Step 4: Let the cloud teams build services compliant with the cloud risk and security framework
[Diagram: Framework for cloud risk control, showing Cloud Risk Assessment, Compliance Principles, Security Principles, Security Models, Security Standards and Security Architecture]
29. Compliance Principles
1. NN is accountable
2. Always compliant
3. Always in control
4. Use of NN security solutions
Assumption: Cloud Services are not compliant by default
30. Cloud Security Principles
1. Controlled Environment
2. Minimize Trust
3. Secured authentication, secured communication
4. Separation of responsibilities
5. Full control on IAM and key management
6. SIEM separated from operations
7. TSCM/VM separated from operations
31. Cloud Security Principles example
SEC-01: Controlled environment
Examples of security controls to be implemented:
• Security logs are sent to our central SIEM solution
• Connect cloud platform to central IAM solution
• Encrypt data at rest and in transit
• Have a traceable process for changes
33. Responsibility AWS team
Goal
Create value by adding a thin layer to the AWS services and platform, making the services easily consumable within NN. We do this centrally, providing it as a service to our internal customers (business units).
Shared responsibility model
We are responsible for the platform; the business unit / application owner remains responsible for the compliance of its application.
What do we deliver?
• Compliant platform
• Compliant base builds
• CI / CD tooling
[Diagram: Delivering consumable cloud services. (1) Concourse CI pipeline: VCS, Build, Test, Deploy; (2) Platform compliance: TSCM, SIEM, IAM; (3) Hardened OS base image (Linux / Windows): TSCM, SIEM, Splunk, IAM; CI/CD capabilities: GIT, Build, Test, CI. All delivered by the cloud team.]
35. Platform compliance
Goal
Providing a compliant AWS platform for our customers. Protect NN against mistakes and miscommunication which might harm the group, while providing a lot of freedom to our customers in their accounts.
Lessons learned
• We started by manually creating and deploying Lambda and Cloud Config rules to check and enforce compliance. This did not work because of:
  • A lot of manual work (deploying, testing) when creating new accounts (time consuming and error prone)
  • No traceable process, and hard to understand for non-tech people (e.g. what check is implemented, approved by whom)
• Adopt market standards (CIS best practice for platform controls)
• When you make compliance easy, customers will come by themselves.
Please remember: you’re not the first organization with additional compliance requirements!
36. Platform compliance
Technical state compliance monitoring
• Based on CIS best practice
• Some controls are enforced (risk based: e.g. public IP, disk encryption), the rest monitored
• Cloud custodian is used to implement the controls
IAM
• Automated role provisioning of IAM roles and policies to both AD and AWS
• SSO with multi factor
Security event monitoring
• Send CloudTrail logs to our central SIEM solution (ArcSight)
• Use cases are defined at our SOC. They inform the AWS team or take mitigating action if needed
Change control and traceability
• No manual access to our A/P accounts
• Everything is automatically tested and deployed via our pipeline
37. Demo: Platform compliance
1. Human readable declarative controls
2. Automatically tested
3. Automatically deployed in all accounts
4. Results sent to our team
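As an added example (not NN’s own policies), a Cloud Custodian policy file in the style slides 36 and 37 describe: the public-IP control is enforced (the instance is stopped), while the unencrypted-volume control is only monitored and reported to the team. The role ARN, queue URL and mail address are placeholders.

```yaml
# Added example: Cloud Custodian policies showing the enforced/monitored split.
# Role ARN, SQS queue URL and recipient address are placeholders.
policies:
  # Enforced control (risk based): an instance that obtains a public IP is stopped.
  - name: ec2-public-ip-enforce
    resource: aws.ec2
    description: Instances must not be reachable via a public IP; stop offenders.
    mode:
      type: cloudtrail                  # react to the API call instead of polling
      role: arn:aws:iam::{account_id}:role/CustodianPlaceholderRole
      events:
        - RunInstances
    filters:
      - type: value
        key: PublicIpAddress
        value: present
    actions:
      - stop
      - type: notify
        subject: "[custodian] instance with public IP stopped in {{ account }}"
        to:
          - aws-team@example.invalid    # placeholder
        transport:
          type: sqs
          queue: https://sqs.eu-west-1.amazonaws.com/000000000000/custodian-mailer

  # Monitored control: unencrypted volumes are reported, not changed.
  - name: ebs-unencrypted-monitor
    resource: aws.ebs
    description: Report EBS volumes without encryption at rest.
    mode:
      type: periodic
      role: arn:aws:iam::{account_id}:role/CustodianPlaceholderRole
      schedule: "rate(1 hour)"
    filters:
      - Encrypted: false
    actions:
      - type: notify
        subject: "[custodian] unencrypted EBS volumes in {{ account }}"
        to:
          - aws-team@example.invalid    # placeholder
        transport:
          type: sqs
          queue: https://sqs.eu-west-1.amazonaws.com/000000000000/custodian-mailer
```

`custodian validate policy.yml` checks the file against the schema and `custodian run --dryrun -s out policy.yml` lists matching resources without taking action, which is how such declarative controls can be tested in a pipeline before they are deployed to every account.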
39. Base build compliance
Goal
Providing a NN base build for our customers, out of the box secure, connected to our security tooling and easy to use.
Lessons learned
•Build for automation and self service
• It will not scale if not automated, cloud provides all the capabilities needed, so automate!
• Without self service you will nullify one of the most important cloud benefits (speed)
•Use open source tools for hardening, having a huge community behind a tool is a big benefit
• You’re not the first who needs a hardened OS, don’t invent but adopt
•Rethink the status quo, the current solution (non cloud) may not be suited for cloud
40. Base build compliance
Technical state compliance monitoring
•Nessus for runtime, everything on the inside of the server (e.g. vulnerabilities, config)
•Cloud Custodian for everything on the ‘outside’ of the server (e.g. security groups, encryption)
•OpenSCAP during build time
Security event monitoring
•Send system and application logs to our central SIEM solution (ArcSight); scalable setup of collectors behind an ASG
•Use cases are defined at our SOC. They inform the customer or take mitigating action if needed
Change control and traceability
•Users cannot login on the servers
•Everything is automatically tested and deployed via our pipeline
41. Demo: Base build
1. Declarative Ansible playbooks
2. Includes hardening, SIEM, TSCM, Splunk
3. Tested and built in our pipeline
4. Checked for compliance
5. Base builds propagated to other accounts to be used by our customers
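As an added illustration (not NN’s playbooks), an Ansible playbook for a base image build in the spirit of slides 40 and 41: it restricts SSH logins, then gates the build on an OpenSCAP evaluation at build time. The package names, SCAP data stream path and profile id are assumptions for a RHEL/CentOS-like image and must match the target OS.

```yaml
# Added example: base-image build playbook. Package names, the SCAP data stream
# path and the profile id are assumptions and depend on the distribution.
- name: Build hardened base image
  hosts: all
  become: true
  vars:
    scap_ds: /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml   # assumption
    scap_profile: xccdf_org.ssgproject.content_profile_cis      # assumption
  tasks:
    - name: Install OpenSCAP scanner and SCAP Security Guide content
      ansible.builtin.package:
        name: [openscap-scanner, scap-security-guide]
        state: present

    - name: Restrict interactive SSH logins (servers are managed by the pipeline only)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s       # reject a config sshd cannot parse
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
      notify: Restart sshd

    - name: Evaluate the image against the CIS profile at build time
      ansible.builtin.command: >
        oscap xccdf eval --profile {{ scap_profile }}
        --results /var/tmp/oscap-results.xml --report /var/tmp/oscap-report.html
        {{ scap_ds }}
      register: oscap
      changed_when: false
      # oscap exits 0 when all rules pass, 2 when at least one rule failed and
      # 1 on error; anything but 0 fails this build stage.
      failed_when: oscap.rc != 0

    - name: Collect the HTML report as a pipeline artifact
      ansible.builtin.fetch:
        src: /var/tmp/oscap-report.html
        dest: build-artifacts/
        flat: true

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```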