Security and compliance automation have become the most important drivers for IT Transformation to the cloud. Foundational cloud security services provide an unprecedented capability to ensure your cloud platform is secure, programmatically monitored, and adaptive. This session will demonstrate how Federal and Enterprise customers are embracing adaptive techniques in managing their most critical application workloads.
2. Smartronix intro
Premier Partner for all 4 years
Inaugural Managed Services Partner
Inaugural DevOps competency
1st to bring federal government into AWS
1st to implement FISMA Moderate / FedRAMP solutions (NIST 800-53 Rev. 4)
One of the largest channel resellers
Successfully completed FedRAMP 3PAO assessment for our CloudAssured Managed Services
3. History lesson—2009
CISO quotes:
“Cloud is too new.”
“Unproven technologies.”
“Not secure?”
Cloud is used for web, DR, R&D, storage, email.
Main drivers for use are cost and agility.
4. Cloud 2016
CIO quotes:
“I want to move everything to the cloud.”
“Why aren’t we doing more in the cloud?”
Cloud is used for all workloads.
Main drivers for use are security, agility, then cost.
5. Cloud 2016
If security isn’t the number one reason for you to move to the cloud, it probably should be.
Fundamental Theorem of Cloud Transformation
“The area of success is exponentially related to the ability to automate security and compliance at scale.”
6. Adaptive cloud security
What is it?
Why is it important?
Let’s look at some troubling reasons why it is necessary…
7. Your data center infrastructure is $#%@!
Your network has been breached
Your physical security is weak
Your environment is wildly heterogeneous
You lack organizational standardization
You don’t know what is in there and you have lost control
8. Your application security is even more $#%@!
Applications built 10–20 years ago are still running and still exposing the same weaknesses
Your supply chain of application partners is ever changing
Your application security standardization is virtually nonexistent
Your security tools do not cover all security aspects/threats
You don’t know what applications and processes you have running and the environment is in constant flux
9. The hard truth
One bad firewall rule from a junior administrator can enable a breach
One bad web application service written by a lazy programmer can enable a breach
One smart, well-positioned, overly credentialed admin can leave your data center with a lot of information
10. Wait, so the cloud fixes this?
What is easier to protect?
a) A physical infrastructure that has evolved out of control for 20+ years, whose contents you don’t even fully know?
b) A modern architecture where everything is accessed via software API endpoints?
Look at what you have tried to put in place over the last 5 years at a macro level.
11. How to make a CISO happy
Know everything running at all times
Be alerted when any configuration change happens
Build immutable environments
Enable policy-based access for all privileged components
Log everything
Enforce compliance
Enforce backups
Ensure everything is encrypted
13. Foundational security & compliance automation
Pre-approved list of launchable Amazon Machine Images (AMIs) and services
- Locked down by policy
- Managed by AWS Service Catalog
- Version controlled with CloudFormation
- Governed by Config Rules and CloudWatch and automatically revoked by Lambda
14. Foundational security & compliance automation
Privileged User Access Management
- Locked down by IAM policy, device, location
- Governed by CloudTrail, CloudWatch Logs
- Automated notifications, with access potentially revoked
- Forensics using CloudTrail logs
15. Foundational security & compliance automation
Data and encryption management
- Monitor and enforce encryption on creation
- Monitor and enforce compliance with Config
- Utilize Amazon Inspector for automated assessment
- Use ACM (AWS Certificate Manager) to manage certificates for data in transit
- Automate data backup services
16. Foundational security & compliance automation
Boundary management
- React immediately to compliance drift
- Use VPC Flow Logs to understand traffic
- Automate VPC creation
- Use reference architectures and CloudFormation templates (NIST compliance etc.)
17. Foundational security & compliance automation
Security best practices
- Utilize Amazon Inspector for automated assessment
- Create custom triggers from CloudTrail/Config events
- Use pre-approved (STIG) AMIs
- Use pre-approved CloudFormation templates
- Use Lambda to programmatically react to events
- Use the scale and power of AWS to analyze all events and logs within your environment
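The "governed by Config Rules and CloudWatch and automatically revoked by Lambda" control from slide 13 and the "use Lambda to programmatically react to events" practice from slide 17, as an added example that is not Smartronix or AWS code. It assumes a CloudWatch Events rule forwards CloudTrail RunInstances calls to this handler; the approved-AMI list and the sample event are constructed.

```python
"""Lambda-style evaluator for the pre-approved AMI control (added example).
Assumes a CloudWatch Events rule forwards CloudTrail 'RunInstances' calls;
the allow list and SAMPLE_EVENT are constructed values, not real AMIs."""
from typing import Dict, List, Set

# Constructed allow list; in practice sourced from Service Catalog or a
# parameter store and version-controlled with the CloudFormation templates.
APPROVED_AMIS: Set[str] = {"ami-0000aaaa11112222a", "ami-0000bbbb33334444b"}


def noncompliant_instances(event: Dict, approved: Set[str]) -> List[str]:
    """Return instance IDs launched from AMIs outside the approved list.

    CloudWatch Events wraps the CloudTrail record in 'detail'; the
    responseElements instancesSet carries both instanceId and imageId.
    """
    detail = event.get("detail", {})
    if detail.get("eventName") != "RunInstances":
        return []  # the rule should only forward RunInstances; ignore others
    items = detail.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [i["instanceId"] for i in items if i.get("imageId") not in approved]


def lambda_handler(event: Dict, context=None, ec2_client=None) -> Dict:
    """Stop non-compliant instances and report who launched them.

    ec2_client is injectable so the decision logic can run offline; when
    omitted a boto3 client is created (boto3 ships in the Lambda runtime).
    """
    offenders = noncompliant_instances(event, APPROVED_AMIS)
    if offenders:
        if ec2_client is None:
            import boto3  # deferred so the module imports without boto3
            ec2_client = boto3.client("ec2")
        ec2_client.stop_instances(InstanceIds=offenders)
    actor = event.get("detail", {}).get("userIdentity", {}).get("arn", "unknown")
    return {"revoked": offenders, "actor": actor}


# Constructed sample event in the shape CloudWatch Events delivers for an
# "AWS API Call via CloudTrail" rule, abridged to the fields used above.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "RunInstances",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/junior-admin"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0approved000000001", "imageId": "ami-0000aaaa11112222a"},
            {"instanceId": "i-0unapproved0000002", "imageId": "ami-ffffffffffffffff"},
        ]}},
    },
}
```

The returned dictionary is what you would push to a CloudWatch Logs stream or SNS topic so the revocation is itself logged and alerted on, per slide 11.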
18. Unlearn everything you have heard
Build your foundational cloud services so you can put your most critical workloads in the cloud
Use a Managed Security Service Partner to help your transformation
Embrace security and compliance automation