Pokémon’s SecOps team built an automated PII datalake pipeline allowing them to categorize data into profiles and manage permissions. We discuss how, using AWS Lambda, Amazon DynamoDB, and Amazon Simple Queue Service (Amazon SQS), they can validate any person in Active Directory, build the approval to the appropriate manager, write to DDB with a TTL, and push the appropriate access controls. This has two benefits: First, Pokémon can reuse this architecture for other permissions-based business processes, meaning a security layer can be added at the beginning. Second, it frees up security engineers to tackle larger, more important challenges.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How Pokémon’s SecOps team enables
its business
Jacob Bornemann
Sr. Security Engineer
The Pokémon Company International
S D D 3 2 8

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
The Pokémon story
Building sandcastles
Let’s remove humans
Our solution is evolving
Questions

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS services we cover in this section

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Background
What is Pokémon?

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Background
Who is on the team?

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Background
How do we stop from drowning?

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Managing access
Painful
Extremely manual
Time consuming
Better things to work on
Terrible
Harder problems
Humans are fallible
Did I mention it’s miserable?

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Analyticspipeline

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data analytics

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Confidential projects
Hundreds of projects to manage
Access is varied
Code names

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Confidential projects

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenges
High touch Multiple projects Multiple
technologies

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goals

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goals

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goals

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goals

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goals

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goals

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Solution
Demisto

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demisto Playbook

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
SQS to AWS Lambda
https://github.com/bornej89/Access-Control

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Lambda Stream

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon DynamoDB

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Evolution is great!

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Evolution is great!

30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Apply to other areas

32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
SEIM dashboard

33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Audit/compliance

34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Why did we do this?
Small team with a big problem
Human error is real
Manual processes suck

36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

37. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Key takeaways
1. Automate yourself out of a job
2. AWS offers many services to remove human error
3. AWS allows you to customize the solution
4. Evolve your solution, because the business is evolving
5. Now go try your own!

38. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Jacob Bornemann
j.bornemann@pokemon.com