Keeping Developers and Auditors Happy in the Cloud

Date post: 15-Apr-2017
Transcript

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

[email protected]

June 16, 2016 • Enterprise Summit • Hong Kong

Keeping Developers and Auditors Happy in the Cloud

Brian Wagner, AWS Security Consultant

The Cloud from a Developer Perspective

The Cloud from an Auditor Perspective

The Problem

Incentives and Perspectives

Developers

Incentives

•  Speed
•  Features

Want

•  Freedom to innovate
•  New technology

Auditors

Incentives

•  Compliance with regulatory obligations
•  Verifiable processes

Want

•  Well-known technology
•  Predictability and stability

The Solution

“You build it, you run it.” -Werner Vogels, Amazon CTO (June 2006)

Traditional Deployment

[Diagram: developers feed a single delivery pipeline (build, test, release) that deploys the whole stack]

You Build It, You Run It

[Diagram: developers own several delivery pipelines, one per service, each with its own build, test and release stages]

AWS Assurance Programs

How Does that Help?

Four Pillars

1.  Undifferentiated heavy lifting and shared responsibility

2.  Traceability in development

3.  Continuous security visibility

4.  Compartmentalization

Four Pillars

1.  Undifferentiated heavy lifting and shared responsibility

2.  Traceability in development

3.  Continuous security visibility

4.  Compartmentalization

Vulnerability Management

Data Backups

Traditional Data Backup

Data Backup in the Cloud

Four Pillars

1.  Undifferentiated heavy lifting and shared responsibility

2.  Traceability in development

3.  Continuous security visibility

4.  Compartmentalization

Common Audit Requirements for Software Development

•  Review changes.
•  Track changes.
•  Test changes.
•  Deploy only approved code.
•  For all actions:
   •  Who did it?
   •  When?

AWS Config

AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.

Continuous Change Recording

[Diagram: changing resources feed AWS Config, which records a configuration history, a change stream and point-in-time snapshots (e.g. 2014-11-05); the audit logs for all operations can be stored/archived, used to troubleshoot, and monitored with alarms]

You are making API calls on a growing set of AWS services around the world, and CloudTrail is continuously recording those API calls.
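A worked example of answering the audit questions from the previous slide ("who did it? when?") and checking the "deploy only approved code" requirement against CloudTrail records. This is added here for illustration and is not code from the talk: it parses a constructed CloudTrail log file (the record layout is CloudTrail's, the account id, ARNs, addresses and times are made up), lists every state-changing call against a given resource with its principal and timestamp, and flags changes made by any principal other than the assumed `deploy-pipeline` role, which is this example's assumed name for the delivery pipeline's IAM role.

```python
import json
from datetime import datetime

# Constructed sample CloudTrail log (not real data): the record layout follows
# the CloudTrail record format; the account id, ARNs, IPs and times are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-06-16T08:12:03Z",
     "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/deploy-pipeline/codedeploy"},
     "sourceIPAddress": "10.0.1.15",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "fromPort": 443, "toPort": 443}},
    {"eventTime": "2016-06-16T09:47:51Z",
     "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "fromPort": 22, "toPort": 22}},
    {"eventTime": "2016-06-16T10:02:00Z",
     "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"securityGroupIdSet": {"items": [{"groupId": "sg-0a1b2c3d"}]}}},
]})

READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")


def load_records(trail_json):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(trail_json)["Records"]


def is_mutating(event_name):
    """Read-only API names start with Describe/Get/List; anything else changes state."""
    return not event_name.startswith(READ_ONLY_PREFIXES)


def mentions(value, resource_id):
    """Recursively check whether resource_id appears anywhere in requestParameters."""
    if isinstance(value, dict):
        return any(mentions(v, resource_id) for v in value.values())
    if isinstance(value, list):
        return any(mentions(v, resource_id) for v in value)
    return value == resource_id


def role_name(arn):
    """Role name for an assumed-role session ARN, or None for users and services."""
    marker = ":assumed-role/"
    if marker not in arn:
        return None
    return arn.split(marker, 1)[1].split("/", 1)[0]


def change_history(records, resource_id):
    """Answer 'who did it, and when?' for every state-changing call that touched
    resource_id. Returns (time, principal ARN, API action) tuples, oldest first."""
    hits = []
    for rec in records:
        if not is_mutating(rec["eventName"]):
            continue
        if not mentions(rec.get("requestParameters"), resource_id):
            continue
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        hits.append((when, rec["userIdentity"]["arn"], rec["eventName"]))
    return sorted(hits)


def out_of_band_changes(records, approved_roles):
    """State changes made by any principal other than the approved pipeline roles,
    i.e. changes that did not go through the delivery pipeline."""
    return [rec for rec in records
            if is_mutating(rec["eventName"])
            and role_name(rec["userIdentity"]["arn"]) not in approved_roles]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for when, who, what in change_history(recs, "sg-0a1b2c3d"):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {what:32} {who}")
    for rec in out_of_band_changes(recs, {"deploy-pipeline"}):
        print("out-of-band:", rec["eventName"], "by", rec["userIdentity"]["arn"])
```

The read-only prefix list is a heuristic that is good enough for the EC2 call names shown; a production version would classify by the `readOnly` field that CloudTrail records carry, and would run over the log files CloudTrail delivers to S3 rather than an inline sample.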

Four Pillars

1.  Undifferentiated heavy lifting and shared responsibility

2.  Traceability in development

3.  Continuous security visibility

4.  Compartmentalization

DevOps

Infrastructure as Code is a practice whereby traditional infrastructure management techniques are supplemented, and often replaced, by code-based tools and software development techniques.

Infrastructure-as-code workflow

code → version control → code review → integrate

“It’s all software”

Development Lifecycle — DevOps

Delivery Pipeline

DevSecOps

Where to Start?

•  Guidelines?
•  Checklists?
•  1-pagers?
•  6-pagers?
•  Full documents?

Security as Code

Security as Code is Easy with AWS

AWS provides all the APIs!

•  Programmatically test environments
•  Determine state of environment at a specific point in time
•  Repeatable processes
•  Scalable operations
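A "security as code" check of the kind the slide describes, added here as an example and not taken from the talk: a small rule engine run over a constructed AWS Config snapshot containing configuration items for two security groups and two EBS volumes. Each finding carries the configuration item's capture time, so the same rules can be re-run against any historical snapshot to determine the state of the environment at that point in time. The two rules and the sample data (ids, region, times) are this example's own assumptions; in practice the input would be the snapshot JSON that AWS Config delivers.

```python
import json
from ipaddress import ip_network

# Constructed sample AWS Config snapshot (not real data): the item layout follows
# AWS Config configuration items for security groups and EBS volumes; the ids,
# region and capture times are made up.
SAMPLE_SNAPSHOT = json.dumps({"configurationItems": [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0a1b2c3d",
     "awsRegion": "ap-east-1",
     "configurationItemCaptureTime": "2016-06-16T09:48:00Z",
     "configuration": {"groupName": "web", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-4e5f6a7b",
     "awsRegion": "ap-east-1",
     "configurationItemCaptureTime": "2016-06-16T09:48:00Z",
     "configuration": {"groupName": "bastion", "ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0123abcd",
     "awsRegion": "ap-east-1",
     "configurationItemCaptureTime": "2016-06-16T09:48:00Z",
     "configuration": {"encrypted": False, "size": 100}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0456efgh",
     "awsRegion": "ap-east-1",
     "configurationItemCaptureTime": "2016-06-16T09:48:00Z",
     "configuration": {"encrypted": True, "size": 20}},
]})

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never open to the whole internet


def finding(rule, item, detail):
    """One policy violation, tagged with the snapshot time it was observed at."""
    return {"rule": rule, "resourceId": item["resourceId"],
            "capturedAt": item["configurationItemCaptureTime"], "detail": detail}


def rule_no_public_admin_ports(item):
    """Security groups must not allow SSH/RDP ingress from 0.0.0.0/0."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return []
    out = []
    for perm in item["configuration"].get("ipPermissions", []):
        # ipProtocol "-1" (all traffic) carries no port range and covers every port
        if perm.get("ipProtocol") == "-1":
            exposed = ADMIN_PORTS
        else:
            lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
            exposed = {p for p in ADMIN_PORTS if lo <= p <= hi}
        if not exposed:
            continue
        for rng in perm.get("ipRanges", []):
            if ip_network(rng["cidrIp"]).prefixlen == 0:  # 0.0.0.0/0
                out.append(finding("no-public-admin-ports", item,
                                   f"ports {sorted(exposed)} open to {rng['cidrIp']}"))
    return out


def rule_volumes_encrypted(item):
    """EBS volumes must be encrypted at rest."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return []
    if item["configuration"].get("encrypted"):
        return []
    return [finding("volume-encrypted", item, "volume is not encrypted")]


RULES = [rule_no_public_admin_ports, rule_volumes_encrypted]


def evaluate(snapshot_json):
    """Run every rule over every configuration item; return the list of findings."""
    items = json.loads(snapshot_json)["configurationItems"]
    return [f for item in items for rule in RULES for f in rule(item)]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_SNAPSHOT):
        print(f"{f['capturedAt']}  {f['rule']:24} {f['resourceId']:14} {f['detail']}")
```

Because the rules are plain functions over data, they are repeatable (the same snapshot always yields the same findings) and scale to every account and region whose snapshots you can collect, which is the property the slide is pointing at.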

Development Lifecycle — DevOps

Delivery Pipeline

Security as Code

How Can We Learn DevSecOps?

Start Here

•  Security as Code? → Experiment: Automate Policy Governance
•  Security as Ops? → Experiment: Detection via Security Operations
•  Compliance Ops? → Experiment: Compliance via DevSecOps Toolkit
•  Science? → Experiment: Science via Profiling

[Diagram: Dev, Sec and Ops overlapping; DevSecOps = DevOps + Security]

Four Pillars

1.  Undifferentiated heavy lifting and shared responsibility

2.  Traceability in development

3.  Continuous security visibility

4.  Compartmentalization

amazon.com 2001

Traditional Deployment

[Diagram: developers feed a single delivery pipeline (build, test, release) that deploys the whole stack]

amazon.com 2009

•  Service-Oriented Architecture (SOA)
•  Single-purpose
•  Connect only through APIs
•  “Microservices”

Example Microservice

amazon.com 2009

•  Two-pizza teams
•  Full ownership
•  Full accountability
•  Aligned incentives
•  “DevOps”

You Build It, You Run It

[Diagram: developers own several delivery pipelines, one per service, each with its own build, test and release stages]

Keep Developers and Auditors Happy

Thank You! Brian Wagner, AWS Security Consultant
