This session will demonstrate how to embrace DevSecOps to improve your security and compliance agility and posture within the highly regulated HIPAA environment. We will cover compliance frameworks, data decoupling strategies that make full use of AWS, and best practices learned from the industry's most active cloud adopters.
2. Agenda
• DevOps to DevSecOps Primer
• Observed industry cloud techniques with AWS
• Tools, processes and frameworks to assist
• Example Compliance Workflows
3. DevOps Toolchain
• Plan: define and plan; business value, application requirements, security, compliance and metrics
• Create: build, code and configuration
• Verify: ensuring quality; acceptance, regression, security and compliance testing
• Configure: infrastructure and application
• Preprod: approval/certification, triggered releases, release staging and holding
• Monitor: process, application, infrastructure, security and compliance
• Release: release coordination, promotion, scheduling, rollback and recovery
Source: Wikipedia
4. DevOps Principles
• Collaborate with all stakeholders
• Codify everything
• Test everything
• Automate everything
• Measure and monitor everything
• Deliver business value with continual feedback
5. Drivers for DevSecOps
Embedding Security into DevOps was not successful because…
• Compliance checklists didn’t take us far before we stopped scaling…
• We couldn’t keep up with deployments without automation…
• Standard Security Operations did not work…
• And we needed far more data than we expected to help the business make decisions…
From Intuit
6. DevSecOps: Security as Code
Establishing these principles…
• Customer-focused mindset
• Scale, scale, scale
• Objective criteria
• Proactive hunting
• Continuous detection and response
7. DevOps Toolchain
• Plan: define and plan; business value, application requirements, security, compliance and metrics
• Create: build, code and configuration
• Verify: ensuring quality; acceptance, regression, security and compliance testing
• Configure: infrastructure and application
• Preprod: approval/certification, triggered releases, release staging and holding
• Monitor: process, application, infrastructure, security and compliance
• Release: release coordination, promotion, scheduling, rollback and recovery
11. Consult internally before implementing
The following slides are practices we have seen used in industry. Because security and industry compliance requirements are determined by the customer, before implementing please:
• Consult with your internal best practices
• Consult with your Cloud Center of Excellence
• Consult with your Information Security group
• Consult with your Compliance organization
• Do your due diligence
12. General Strategies
Services shown: AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline
Consult with compliance and security organizations before implementing
• Decouple protected/sensitive data from the processing or orchestration
• Track where your protected/sensitive data flows
• Do not check the protected data into your source or artifact repository!
• Use indirection when orchestrating your protected/sensitive data flow
• Separate protected/sensitive and general workflow logical boundaries
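As an added example (not from the original deck or from AWS), the two strategies "do not check protected data into your repository" and "use indirection when orchestrating protected data flow" can be enforced in a pipeline gate. The PHI patterns, the stage-spec shape, the `s3://phi-` bucket prefix and the approved reference schemes below are assumptions for illustration; use the patterns and data stores your compliance organization has approved.

```python
"""
Added example: two pipeline gate checks.
 1. scan_for_phi()          - block commits/artifacts that carry PHI-like values.
 2. validate_stage_inputs() - require pipeline stages to carry references to
                              protected data, never the data itself (indirection).
Patterns, reference schemes and sample inputs are assumptions, not a standard.
"""
import re
from dataclasses import dataclass, field

# Heuristic patterns for data that must never land in a source or artifact repo.
# Illustrative only: they catch common shapes, not every PHI element.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b",
                      re.IGNORECASE),
}


def scan_for_phi(text: str) -> list[tuple[int, str]]:
    """Return (line_number, kind) for every line that looks like it carries PHI."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PHI_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, kind))
    return hits


# Indirection: a stage may carry a *reference* to protected data (an object in
# the assumed PHI bucket prefix, or a Secrets Manager ARN) but never the data.
APPROVED_REFERENCE_SCHEMES = ("s3://phi-", "arn:aws:secretsmanager:")


@dataclass
class StageSpec:
    """Minimal, assumed shape of one orchestration stage's input map."""
    name: str
    inputs: dict = field(default_factory=dict)


def validate_stage_inputs(stage: StageSpec) -> list[str]:
    """Reject inline protected data; every input must be an approved reference."""
    problems = []
    for key, value in stage.inputs.items():
        if not isinstance(value, str):
            problems.append(f"{stage.name}.{key}: inline structured data is not allowed")
            continue
        if scan_for_phi(value):
            problems.append(f"{stage.name}.{key}: contains PHI-like content inline")
        elif not value.startswith(APPROVED_REFERENCE_SCHEMES):
            problems.append(f"{stage.name}.{key}: '{value}' is not an approved reference")
    return problems


# Constructed sample inputs (not real records).
STAGED_DIFF = "\n".join([
    "name,visit",
    "patient_id,12",
    "ssn,123-45-6789",
    "notes,MRN 00123456 seen 2016-03-02",
])

GOOD_STAGE = StageSpec("extract", {"records": "s3://phi-intake/2016/03/02/batch.csv.kms"})
BAD_STAGE = StageSpec("extract", {"records": "ssn=123-45-6789", "cfg": {"rows": [1]}})

if __name__ == "__main__":
    print(scan_for_phi(STAGED_DIFF))           # lines 3 and 4 flagged
    print(validate_stage_inputs(GOOD_STAGE))   # no problems
    print(validate_stage_inputs(BAD_STAGE))    # inline PHI and inline structured data
```

Run `scan_for_phi` over the staged diff in a pre-commit or pre-receive hook for the CodeCommit repository, and `validate_stage_inputs` over each stage definition before CodePipeline promotes it; a non-empty result fails the gate. The regexes are a last line of defense, not a classifier: the primary control is that the workflow only ever passes references.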
13. Separate Virtual Private Cloud (VPC) Strategy
Diagram: a PHI / Sensitive Data VPC containing Amazon EC2, Amazon EMR and Amazon S3 (PHI), and a separate General VPC containing Amazon EC2, AWS Directory Service and AWS Device Farm.
Consult with compliance and security organizations before implementing
26. Security & Compliance Dashboard
• First of its kind in the industry – service-based, real-time, HIPAA compliance dashboard
• At-a-glance system status plus trending over time
• Detailed history available for attestation during audits
Continuous security and compliance monitoring mapped directly to HIPAA guidelines, delivered across cloud and private environments via an interactive dashboard and individual asset scorecards.