
AWS re:Invent 2016: Embracing DevSecOps while Improving Compliance and Security Agility and Posture (HLC303)

1,771 views


This session will demonstrate how to embrace DevSecOps to improve your security and compliance agility and posture within the highly regulated HIPAA environment. We will cover compliance frameworks, data decoupling strategies to fully utilize AWS, and best practices learned from the industry's most active cloud adopters.

Published in: Technology

  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scott Paddock, AWS Security Solutions Architect; Matt Ferrari, ClearDATA Chief Technology Officer. November 28, 2016. HLC303: Embracing DevSecOps While Improving Your Compliance and Security Agility and Posture
  2. Agenda
     • DevOps to DevSecOps Primer
     • Observed industry cloud techniques with AWS
     • Tools, processes and frameworks to assist
     • Example Compliance Workflows
  3. DevOps Toolchain (Source: Wikipedia)
     • Plan: define and plan; business value, application requirements, security, compliance and metrics
     • Create: build, code and configuration
     • Verify: ensuring quality; acceptance, regression, security and compliance testing
     • Preprod: approval/certification, triggered releases, release staging and holding
     • Release: release coordination, promotion, scheduling, rollback and recovery
     • Configure: infrastructure and application
     • Monitor: process, application, infrastructure, security and compliance
  4. DevOps Principles
     • Collaborate with all stakeholders
     • Codify everything
     • Test everything
     • Automate everything
     • Measure and monitor everything
     • Deliver business value with continual feedback
  5. Drivers for DevSecOps (from Intuit). Embedding security into DevOps was not successful because…
     • Compliance checklists didn't take us far before we stopped scaling…
     • We couldn't keep up with deployments without automation…
     • Standard security operations did not work…
     • And we needed far more data than we expected to help the business make decisions…
  6. DevSecOps: Security as Code. Establishing these principles…
     • Customer-focused mindset
     • Scale, scale, scale
     • Objective criteria
     • Proactive hunting
     • Continuous detection and response
  7. DevOps Toolchain (the slide 3 diagram, repeated without the source line)
  8. AWS HIPAA Eligible Services (prior to re:Invent): Amazon EC2, Amazon EMR, Amazon Glacier, Amazon S3, Amazon DynamoDB, Amazon RDS (MySQL and Oracle), Amazon Redshift, Amazon EBS, Elastic Load Balancing, Amazon Snowball. Consult with compliance and security organizations before implementing.
  9. AWS HIPAA Eligible Services (prior to re:Invent): Amazon EC2, Amazon EMR, Amazon Glacier, Amazon S3, Amazon DynamoDB, Amazon RDS (MySQL and Oracle), Amazon Redshift, Amazon EBS, Elastic Load Balancing, Amazon Snowball. Other AWS Services: Amazon ECS, Amazon CloudWatch, AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, SQS, SNS, AWS Config, AWS Device Farm. Consult with compliance and security organizations before implementing.
  10. Observed industry cloud techniques with AWS
  11. Consult internally before implementing. The following slides are practices we have seen used in industry. Since security and industry compliance are determined by the customer before implementing, please:
     • Consult with your internal best practices
     • Consult with your Cloud Center of Excellence
     • Consult with your Information Security group
     • Consult with your Compliance organization
     • Do your due diligence
  12. General Strategies (AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline). Consult with compliance and security organizations before implementing.
     • Decouple protected/sensitive data from the processing or orchestration
     • Track where your protected/sensitive data flows
     • Do not check the protected data into your source or artifact repository!
     • Use indirection when orchestrating your protected/sensitive data flow
     • Separate protected/sensitive and general workflow logical boundaries
  13. Separate Virtual Private Cloud (VPC) Strategy. Diagram: a PHI / Sensitive Data VPC (Amazon EC2, Amazon EMR, Amazon S3) holding the PHI, and a General VPC (Amazon EC2, AWS Directory Service, AWS Device Farm). Consult with compliance and security organizations before implementing.
  14. Indirection Strategy. Diagram labels: Claims, PHI Data, HTTPS Send, Inbound Data Store (S3), SQS, SNS, Data Processing System. Consult with compliance and security organizations before implementing.
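As an added example (not code from the deck, from AWS or from ClearDATA), the indirection and decoupling strategy of slides 12 and 14 in Python: the message that travels over SNS/SQS carries only a reference to the claim object in the inbound S3 store, a consumer fails closed on any message that carries more than that reference, and the processing side resolves the reference through an injected fetch callable (a GetObject wrapper in production). The field names, the allowlist and the in-memory store are assumptions.

```python
import json

# Assumed contract: the only fields an orchestration message may carry.
POINTER_FIELDS = {"claim_id", "bucket", "key", "version_id"}

def make_pointer_message(claim_id, bucket, key, version_id):
    """Message published to SNS (and fanned out to SQS) after a claim has
    been written to the inbound S3 bucket: a reference, never the PHI."""
    return json.dumps({"claim_id": claim_id, "bucket": bucket,
                       "key": key, "version_id": version_id})

def validate_pointer_message(body):
    """Fail closed on any message that carries more than the reference, so a
    producer that inlines claim data is stopped before it reaches a queue,
    a log aggregator or a SIEM that is not approved for PHI."""
    msg = json.loads(body)
    if not isinstance(msg, dict):
        raise ValueError("pointer message must be a JSON object")
    extra = set(msg) - POINTER_FIELDS
    if extra:
        raise ValueError("non-pointer fields present: " + ", ".join(sorted(extra)))
    missing = POINTER_FIELDS - set(msg)
    if missing:
        raise ValueError("pointer fields missing: " + ", ".join(sorted(missing)))
    return msg

def process_claim(body, fetch):
    """Consumer in the PHI VPC: resolve the pointer through fetch(bucket, key,
    version_id) -> (bytes, version_id) (a boto3 get_object wrapper in
    production) and insist on the exact object version that was announced."""
    msg = validate_pointer_message(body)
    data, served_version = fetch(msg["bucket"], msg["key"], msg["version_id"])
    if served_version != msg["version_id"]:
        raise ValueError("store returned a different object version")
    return {"claim_id": msg["claim_id"], "bytes": len(data)}

# Constructed in-memory stand-in for the inbound store, keyed by version.
FAKE_STORE = {("phi-inbound-bucket", "claims/c-1001.json", "v1"):
              b'{"patient": "constructed", "diagnosis": "constructed"}'}

def fake_fetch(bucket, key, version_id):
    """Offline stand-in for S3 GetObject with VersionId."""
    return FAKE_STORE[(bucket, key, version_id)], version_id
```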
  15. A Deeper Dive: http://amzn.to/2cHDDuN
  16. HEALTHCARE MANAGED CLOUD. Designed for today's healthcare environment. THE PREMIER COMPANY
  17. Deployment Tools
     • Configuration Management Tools
     • Orchestration Tools
     • Auditing & Governance Tools
  18. Security and Automation Objectives
     • No Tight Coupling to Orchestration Tools
     • Strong & Secure Audit Trail
     • External Managed Services
     • Highly Automated
  19. Rethinking the model – Observe, Orient, Decide, Act. Credits: Patrick Edwin Moran https://commons.wikimedia.org/wiki/File:OODA.Boyd.svg
  20. Architecture diagram labels: Customer Account; Management Account; AWS Services; Account Configuration; AWS Config; AWS CloudTrail; Amazon CloudWatch; Amazon SNS; Amazon API Gateway; AWS Lambda; Amazon Kinesis.
  21. Pipeline diagram labels: CloudTrail / CloudWatch Events; EC2 events; Amazon Kinesis Streams; Auditing / Governance; Alerting; SIEM; Remediation; Sensu; CMDB; Backups; Vuln Scanning; Slack; PagerDuty; Ticketing; Amazon DynamoDB; Amazon Redshift.
  22. AWS Services Driving Security
     • Trusted Advisor: catches common account misconfigurations; suggests cost reductions; evaluates fault tolerance
     • CloudWatch: monitor performance of AWS resources; aggregate and process log files (non-PHI); requires instance profile or distributed credentials
     • AWS Config rules: constantly watch for account changes; remediate in near real-time; incredibly flexible and extendable; AWS Lambda-based
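An added example (not code from the deck, from AWS or from ClearDATA) of the Lambda-based AWS Config rule pattern on the slide above: a custom rule that marks a security group NON_COMPLIANT when it admits the whole internet on any port other than 443, the only world-reachable port the HTTPS-only inbound design on slide 14 needs. The allowed-port policy, the injected boto3 client and the sample event are assumptions; the event and evaluation field names follow the custom Config rule interface.

```python
import json
ALLOWED_PUBLIC_PORTS = {443}          # assumed PHI-VPC policy: HTTPS only
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

def _open_to_world(perm):
    """True if one ipPermissions entry admits any-address IPv4/IPv6 CIDRs."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return any(c in ANY_ADDRESS for c in cidrs)

def evaluate_compliance(item):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    findings = []
    for perm in item.get("configuration", {}).get("ipPermissions", []):
        if not _open_to_world(perm):
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None:      # ipProtocol -1: every port
            findings.append("all ports")
        elif set(range(lo, hi + 1)) - ALLOWED_PUBLIC_PORTS:
            findings.append(f"{perm.get('ipProtocol')} {lo}-{hi}")
    if findings:
        return "NON_COMPLIANT", "world-open ingress: " + ", ".join(findings)
    return "COMPLIANT", "only permitted ports are world-reachable"

def lambda_handler(event, context, config_client=None):
    """Rule entry point. config_client is an injected boto3 Config client;
    with None (offline/tests) the evaluation is returned instead of sent."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_compliance(item)
    evaluation = {"ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance, "Annotation": note[:256],
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation

SAMPLE_EVENT = {  # constructed sample: a group exposing SSH to the world
    "resultToken": "placeholder-token",
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
        "configurationItemCaptureTime": "2016-11-28T00:00:00.000Z",
        "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22,
            "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}
```

In a deployed rule the same evaluation feeds the remediation step of the OODA loop; here the annotation names the offending rule so the alert is actionable without opening the console.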
  23. Emerging AWS-native Solutions
  24. Extending OODA Inside the Instance
     • Unobtrusive
     • Strong & Secure Audit Trail
     • External Managed Services
     • Highly Automated
  25. Dynamic Cloud Platform: 24/7 Managed Services Delivered by AWS Certified Personnel; over 30 additional services automatically attached to AWS infrastructure.
     • AWS Environment: Compute; Storage; Network / Cloud
     • Operating Environment: Hardened AMIs; Configuration management engine; Patch management; Managed backup & snapshots; Monitoring & alerts; Consolidated account info; Isolated dev & test environments
     • Security & Compliance: Hardened encryption configuration; Key management; Intrusion detection system; Login and access tracking; Event log management; ClearDATA security appliance; VPNs / Address translation; Anti-virus
  26. Security & Compliance Dashboard
     • First of its kind in the industry – service-based, real-time, HIPAA compliance dashboard
     • At-a-glance system status plus trending over time
     • Detailed history available for attestation during audits
     Continuous security and compliance monitoring mapped directly to HIPAA guidelines, delivered across cloud and private environments via an interactive dashboard and individual asset scorecards.
  27. Thank you!
  28. Remember to complete your evaluations!
