© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
June 16, 2016 • Enterprise Summit • Hong Kong
Keeping Developers and Auditors Happy in the Cloud
Brian Wagner, AWS Security Consultant
Incentives and Perspectives

Developers
Incentives: speed, features
Want: freedom to innovate, new technology

Auditors
Incentives: compliance with regulatory obligations, verifiable processes
Want: well-known technology, predictability and stability
[Diagram: developers feed delivery pipelines (build, test, release) that deploy services; one pipeline per service team]
You Build It, You Run It
Four Pillars
1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization
Common Audit Requirements for Software Development
• Review changes
• Track changes
• Test changes
• Deploy only approved code
• For all actions: who did it? When?
AWS Config
AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
Continuous change recording
[Diagram: changing resources feed the AWS Config history stream and point-in-time snapshots (e.g. 2014-11-05)]
Audit logs for all operations can be:
• Stored and archived
• Used to troubleshoot
• Monitored and alarmed on
You are making API calls on a growing set of AWS services around the world, and CloudTrail is continuously recording those API calls.
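The audit requirement above ("for all actions: who did it? When?") is exactly what a CloudTrail record answers. The following is an added example, not code from the talk or from AWS: it parses records in CloudTrail's delivered JSON shape (a "Records" array of events with eventTime, eventName, userIdentity, sourceIPAddress, additionalEventData and errorCode), builds a who/when/what line per event, and flags the events an auditor would want to review first. The log below is constructed for this example; the account ID, user names and IP addresses are fictitious.

```python
"""Answer "who did it, and when?" from CloudTrail records.

Added example (not from the original talk or from AWS). The field names
follow the CloudTrail record format; the sample records are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample log in the {"Records": [...]} envelope that CloudTrail
# delivers to S3. Account ID, names and addresses are fictitious.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-06-16T03:12:45Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2016-06-16T02:58:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-06-16T03:20:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/build-42"},
     "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "example-logs"}},
    {"eventTime": "2016-06-16T03:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]})


def load_records(text):
    return json.loads(text)["Records"]


def actor(identity):
    """Readable principal: 'root', an IAM user name, or the session ARN."""
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return identity.get("userName", identity.get("arn"))
    # AssumedRole, FederatedUser, AWSService, ...: the ARN carries the session
    return identity.get("arn", kind)


def who_when(record):
    """The audit tuple: who, when (UTC), what, where, from, and outcome."""
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "who": actor(record["userIdentity"]),
        "when": when.replace(tzinfo=timezone.utc),
        "what": record["eventName"],
        "where": record.get("awsRegion"),
        "from": record.get("sourceIPAddress"),
        "outcome": record.get("errorCode", "Success"),
    }


def review_reasons(record):
    """Why an auditor should look at this record; empty list means routine."""
    reasons = []
    if record["userIdentity"].get("type") == "Root":
        reasons.append("root credentials used")
    mfa = record.get("additionalEventData", {}).get("MFAUsed")
    if record["eventName"] == "ConsoleLogin" and mfa == "No":
        reasons.append("console login without MFA")
    params = json.dumps(record.get("requestParameters", {}))
    if record["eventSource"] == "iam.amazonaws.com" and "AdministratorAccess" in params:
        reasons.append("AdministratorAccess granted")
    if "errorCode" in record:
        reasons.append("denied/failed call: " + record["errorCode"])
    return reasons


def audit(text):
    """Flagged events in time order, each with its who/when tuple and reasons."""
    flagged = []
    for rec in sorted(load_records(text), key=lambda r: r["eventTime"]):
        reasons = review_reasons(rec)
        if reasons:
            entry = who_when(rec)
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in audit(SAMPLE_LOG):
        print("%s %s %s (%s, from %s) -> %s: %s" % (
            e["when"].isoformat(), e["who"], e["what"], e["where"],
            e["from"], e["outcome"], "; ".join(e["reasons"])))
```

On the constructed log, the routine DescribeInstances call is left alone while the root console login without MFA, the AdministratorAccess grant and the denied S3 call are surfaced with their actor, timestamp and source address, which is the evidence an auditor asks for. The same functions can be pointed at the gzip-compressed files CloudTrail writes to S3 once they are decompressed.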
Infrastructure as Code is a practice whereby traditional infrastructure management techniques are supplemented, and often replaced, by code-based tools and software development techniques.
Where to Start?
• Guidelines?
• Checklists?
• 1-pagers?
• 6-pagers?
• Full documents?
Security as Code
Security as Code is Easy with AWS
AWS provides all the APIs:
• Programmatically test environments
• Determine the state of an environment at a specific point in time
• Repeatable processes
• Scalable operations
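As an added example of "security as code" (not code from the talk or from AWS), the block below evaluates a point-in-time configuration snapshot against policy rules written as ordinary functions. The snapshot is shaped like an AWS Config configuration snapshot (fileVersion, configSnapshotId, a configurationItems array with resourceType, resourceId, awsRegion, configurationItemCaptureTime and configuration), but it is constructed for this example, the resource IDs are fictitious, and the configuration bodies are simplified from the real Config schema. The two rules, world-reachable security group ingress on anything other than 80/443 and unencrypted EBS volumes, are illustrative policy choices, not AWS-defined checks.

```python
"""Security as Code: evaluate a point-in-time configuration snapshot.

Added example, not code from the talk or from AWS. The snapshot below is
constructed; resource IDs are fictitious and 'configuration' bodies are
simplified from the AWS Config schema.
"""
import ipaddress
import json

SNAPSHOT = json.dumps({
    "fileVersion": "1.0",
    "configSnapshotId": "example-snapshot",
    "configurationItems": [
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0a1b2c3d",
         "awsRegion": "ap-southeast-1",
         "configurationItemCaptureTime": "2016-06-16T01:00:00Z",
         "configuration": {"groupName": "web", "ipPermissions": [
             {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}},
        {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0e5f6a7b",
         "awsRegion": "ap-southeast-1",
         "configurationItemCaptureTime": "2016-06-16T01:00:00Z",
         "configuration": {"groupName": "db", "ipPermissions": [
             {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432, "ipRanges": ["10.0.0.0/16"]},
             {"ipProtocol": "-1", "ipRanges": ["10.0.1.0/24"]}]}},
        {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0c9d8e7f",
         "awsRegion": "ap-southeast-1",
         "configurationItemCaptureTime": "2016-06-16T01:00:00Z",
         "configuration": {"encrypted": False, "size": 100}},
        {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-01234567",
         "awsRegion": "ap-southeast-1",
         "configurationItemCaptureTime": "2016-06-16T01:00:00Z",
         "configuration": {"encrypted": True, "size": 8}},
    ]})

# Illustrative policy: only these ports may be reachable from the whole internet.
PUBLIC_OK_PORTS = {80, 443}


def cidrs(permission):
    """CIDRs of one ingress rule; accepts both the older 'ipRanges' list of
    strings and the newer 'ipv4Ranges' list of {'cidrIp': ...} dicts."""
    ranges = list(permission.get("ipRanges", []))
    ranges += [r["cidrIp"] for r in permission.get("ipv4Ranges", [])]
    return ranges


def is_world(cidr):
    """0.0.0.0/0 (or ::/0): a prefix length of zero matches every address."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def check_security_group(item):
    findings = []
    for perm in item["configuration"].get("ipPermissions", []):
        if not any(is_world(c) for c in cidrs(perm)):
            continue
        if perm.get("ipProtocol") == "-1":
            findings.append("all protocols open to 0.0.0.0/0")
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or not set(range(lo, hi + 1)) <= PUBLIC_OK_PORTS:
            findings.append("%s %s-%s open to 0.0.0.0/0" % (perm["ipProtocol"], lo, hi))
    return findings


def check_volume(item):
    if not item["configuration"].get("encrypted", False):
        return ["EBS volume not encrypted"]
    return []


# Rules are looked up by resource type; adding a rule is adding a function.
RULES = {
    "AWS::EC2::SecurityGroup": [check_security_group],
    "AWS::EC2::Volume": [check_volume],
}


def evaluate(snapshot_text):
    """Every finding, tagged with the resource and the capture time so the
    result is a statement about the environment at that point in time."""
    snap = json.loads(snapshot_text)
    findings = []
    for item in snap["configurationItems"]:
        for rule in RULES.get(item["resourceType"], []):
            for msg in rule(item):
                findings.append({"resource": item["resourceId"],
                                 "type": item["resourceType"],
                                 "region": item["awsRegion"],
                                 "captured": item["configurationItemCaptureTime"],
                                 "rule": rule.__name__, "finding": msg})
    return findings


def passes(snapshot_text):
    """True when the snapshot has no findings; usable as a pipeline gate."""
    return not evaluate(snapshot_text)


if __name__ == "__main__":
    for f in evaluate(SNAPSHOT):
        print("%s %s (%s, captured %s): %s" % (
            f["type"], f["resource"], f["region"], f["captured"], f["finding"]))
    raise SystemExit(0 if passes(SNAPSHOT) else 1)
```

Because the rules read a snapshot rather than calling the live API, the same evaluation can be re-run against any archived snapshot to show what the environment looked like when an auditor asks, and wired into a delivery pipeline so that a failing `passes()` blocks the release.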
How Can We Learn DevSecOps?
Start here: Security as Code? Security as Ops? Compliance Ops? Science?
Experiments:
• Automate policy governance
• Detection via security operations
• Compliance via a DevSecOps toolkit
• Science via profiling
[Diagram: Dev + Sec + Ops; DevSecOps is DevOps plus security]
amazon.com, 2009: Service-Oriented Architecture (SOA)
• Single-purpose services
• Connect only through APIs
• "Microservices"
You Build It, You Run It