The Zen of governance - Establish guardrails and empower builders - SVC201 - Atlanta AWS Summit

•

0 gefällt mir•363 views

IT organizations often see governance control and innovation as competing priorities. Compliance-minded individuals may view rapid innovation as disruptive to the security, health, and stability of their organizations. Innovation-minded individuals may view governance control as inhibiting growth. With AWS, you don’t have to choose between governance control and growth—you can have both. In this session, we provide an overview of the common challenges in this area and share how to use AWS services to solve them. We explain how to establish guardrails to improve security and compliance while empowering builders to speed innovation.

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The Zen of governance:
Establish guardrails and empower builders
Sam Hennessy
Solutions architect
Amazon Web Services
S V C 2 0 1

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Once upon a time …

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The story
W
al
l
Product owners IT operationsDevelopers
W
al
l
W
al
l
W
al
l
QA Security
1
2
1
3
4
5
6
6

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Competing priorities
Lack of understanding
Wildly different environments
No singular tool chain
Slow
Repetitive workflows
Lack of security influence
Everyone is frustrated (usually with each other)
Does this work?

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Just do DevOps

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Who is responsible for what
Responsible for
Their
product
Deployment tools
CI/CD tools
Monitoring tools
Metrics tool
Logging tools
APM tools
Infrastructure provisioning
tools
Security tools
Database management tools
Testing tools
….
Not responsible for

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Who does QA?
• The team
Who is responsible to deliver a secure product?
• The team
Who is responsible to operate and maintain the product?
• The team
Who is responsible for production failures and issues (on call)?
• The team
Who is responsible for monitoring, logging, and application analysis?
• The team
Do you see a pattern?
Who is responsible for what

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
This will solve all my problems?
Not quite …

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The challenges
Training
Tools
Processes
Bottlenecks

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Training
Quality
Security
Operations

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
The bottlenecks
Security and compliance validation
Software release
Infrastructure provisioning
Account provisioning

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Self service is the key to scalability

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
You want to let whom do what?

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Guardrails to the rescue
Secure SDLC (sSDLC)
Separation of duties
Logging

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Guardrails enablement tools

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
sSDLC: Software guardrails
Code review
Authorization controls
Security testing
Separation of duties
Security monitoring
Audit trail
Security training

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Separation of duties: Isolation guardrails
Account throttling and limits
Minimal permission
Reduce blast effect
Framework compliance

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Separation of duties: Tools and processes
Tools should be managed like internal services
Teams should manage the access and availability of the tools, not their use
Ask why self-service cannot be used, instead of why it should be used

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Separation of duties: Production
AWS Cloud
Shared services
CI/CD tools
QA
Staging
Production
Logging and change control

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Logging: Tracking guardrails
Change control
Centralized collection
Don’t just let logs sit there

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Guardrails at scale

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multi-account
Centralized management
Access administration
Easy auditing
Security assets
AWS Cloud
Organizations
Master
Shared services
Security and logging

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multi-account: Provisioning
Organizations
Homegrown
AWS Landing Zones
AWS Control Tower
Amazon CloudWatchIAMAWS CloudTrail
AWS Systems
Manager documents

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multi-account: Continuous compliance
AWS Config
AWS Systems Manager
AWS CloudFormation drift detection
AWS CloudTrail

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Multi-account: Example
AWS Cloud
AWS Organizations
Master Security
Shared
SCPs
AWS Landing Zone
AWS Control Tower
Homegrown
Application accounts
AWS Service Catalog
AWS Config
AWS Systems Manager
Shared production tools
AWS CloudTrail

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Resource provisioning
Should be part of CI/CD process
AWS CloudFormation
AWS Service Catalog
AWS OpsWorks

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Resource provisioning: Processes
ReleaseBuildSource
Testing
Security
peer review
static code analysis
linters
style guides
Testing
Security
unit testing
• functional
• security
Testing
Security
integration testing
performanace testing
UAT
pen/vuln testing
smoke testing
AWS CodePipeline
AWS CodeBuild
AWS CodeCommit
AWS CodeDeploy

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Recap
DevOps is a good starting point
Self-service is the key to enablement
Multi-account tooling
Centralized governance; tighten controls to loosen innovation

Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sam Hennessy

Weitere ähnliche Inhalte

Was ist angesagt?

Developers spend much time and effort delivering machine learning models that can make fast and accurate predictions in real time. These models become even more critical for edge devices where memory and processing power are constrained. Amazon SageMaker Neo lets developers run and develop models in the most optimized way: train the models once and run them anywhere in the cloud and at the edge. In this chalk talk, we dive deep into Neo and show you how this capability of Amazon SageMaker automatically optimizes models built on TensorFlow, Apache MXNet, PyTorch, and ONNX.

Train once, deploy anywhere on the cloud and at the edge with Amazon SageMake...

Amazon Web Services

Data modeling with Amazon DynamoDB - ADB301 - New York AWS Summit

Amazon Web Services

Amazon Aurora is a fully managed MySQL and PostgreSQL-compatible relational database with the speed, reliability, and availability of commercial databases at one-tenth the cost. It is up to five times faster than standard MySQL databases and three times faster than standard PostgreSQL databases. This session provides an overview of Aurora, explores recently announced features, such as serverless, multi-master, and performance insights, and helps you get started.

What's new in Amazon Aurora - ADB204 - Santa Clara AWS Summit.pdf

Amazon Web Services

Industry 4.0 is here, and organizations are rapidly automating factory floors, machinery, and production lines. Companies are implementing IoT across industries such as Oil and Gas, Manufacturing, and Agriculture. In this session, we walk you through key use cases for industrial applications, such as predictive maintenance, manufacturing quality, and process monitoring. Along the way, we show how the AWS industrial IoT reference architecture is incorporated to build your industrial application.

AWS IoT services - Extract value for industrial applications - SVC205 - Santa...

Amazon Web Services

Migration to AWS: The foundation for enterprise transformation - SVC210 - New...

Amazon Web Services

Modern applications typically comprise multiple services. Each service may be built using multiple types of compute infrastructure such as Amazon EC2 and AWS Fargate. As the number of an application’s services grows, pinpointing the location of errors, rerouting traffic after failures, and safely deploying code changes becomes difficult. Previously, you needed to build monitoring and control logic directly into your code and redeploy your service every time there are changes. In this session, we explain how AWS App Mesh provides application-level networking to make it easy for your services to communicate with each other across multiple types of compute infrastructure.

AWS App Mesh: Manage services mesh discovery, recovery, and monitoring - MAD3...

Amazon Web Services

Amazon Elasticsearch Service gives customers many options for log analytics. From small environments with a single application to large environments where multiple teams log five terabytes or more per day with retention periods that span months, Amazon ES provides a tool kit that gives organizations a holistic view of their application logs. In this session, we discuss effective patterns leveraged by organizations across the AWS ecosystem and gives you foundational knowledge and deployment architectures that will accelerate your goals of building a cost-effective logging solution.

Searching for patterns: Log analytics using Amazon ES - ADB205 - New York AWS...

Amazon Web Services

Introducing AWS App Mesh - MAD303 - Santa Clara AWS Summit

Amazon Web Services

IoT applications are rapidly becoming more intelligent, especially when it comes to home security solutions such as entry sensors, motion detectors, home automation, and video monitoring. Combine IoT with serverless video streaming, analysis, and playback, and you have a powerful solution at a scale and price that make business sense. In this session, learn how to build intelligent home security applications using Amazon Kinesis Video Streams and AWS IoT services. We are joined by a representative from Comcast, which migrated to AWS to power their Xfinity Home security cameras and focus on secure storage of video data from customers worldwide.

Building home security solutions at scale, ft. Comcast - SVC206 - New York AW...

Amazon Web Services

Successful machine learning (ML) models are built on high-quality training datasets. However, it is often expensive, complicated, and time-consuming to create the training data necessary to build these models. Amazon SageMaker Ground Truth helps you quickly build highly accurate training datasets for ML. SageMaker Ground Truth offers easy access to public and private human labelers, providing them with built-in workflows and interfaces for common labeling tasks. Additionally, SageMaker Ground Truth uses automatic labeling, lowering your labeling costs by up to 70%. In this chalk talk, we dive deep into using SageMaker Ground Truth to build high-quality training datasets.

Build Accurate Training Datasets with Amazon SageMaker Ground Truth - AIM302 ...

Amazon Web Services

Join us as we talk about IBM's game-changing Kubernetes and management capabilities, led by our recently announced cloud management solution. This solution provides customers with consistent visibility into hybrid infrastructures, built-in governance, and consistent application management across public, private, and hybrid cloud environments. This presentation is brought to you by AWS partner, IBM.

Open by design: Accelerating the enterprise cloud journey - DEM01-S - New Yor...

Amazon Web Services

AWS offers a variety of data migration services and tools to help you move everything from gigabytes to petabytes of data using your networks, our networks, the mail, or even a tractor-trailer. We briefly cover a few key data migration services, including the AWS Snow family and AWS DataSync. We then engage in an interactive discussion about specific customer use cases to help you understand which technology is best for your needs. Come and join the discussion.

Discuss data migration with AWS experts - STG304 - Santa Clara AWS Summit

Amazon Web Services

Financial institutions are burdened with the costs and inaccuracies of storing information on paper or in unconnected legacy IT systems. It’s challenging to extract and analyze relevant data regarding customers, credit, economic trends, geographies, and more from these formats. In this session, learn how Black Knight addressed this challenge by building an ML system using AWS Lambda, Amazon API Gateway, Amazon S3, and other technologies that accurately process documents at scale, extract the information they contain, and provide actionable information. Discover how Black Knight leveraged automation and serverless architectures to simplify processes, save time, cut costs, and unlock the value in unstructured data sources.

Building ML platforms in Financial Services with serverless technology - FSV2...

Amazon Web Services

AI has already been integrated into many use cases, but we’ve just scratched the surface of what’s possible. In this session, we cover how to use the AWS AI services to tackle three use cases that can deliver immediate value: 1) “voice of the customer” analytics to better understand what your customers are thinking and saying, 2) document analysis and processing to move beyond the limitations of traditional OCR, and 3) chatbots to improve in-app customer service and customer contact center experiences. We also discuss how to use AI in use cases within the Media, Healthcare, and Financial Services industries.

Add intelligence to applications - AIM205 - Santa Clara AWS Summit.pdf

Amazon Web Services

Build secure, offline, real-time-enabled mobile apps - MAD304 - Atlanta AWS S...

Amazon Web Services

Blockchain technology is evolving rapidly. Are you ready to take advantage of blockchain’s use cases for the enterprise? In this session, learn about blockchain and its enterprise use cases, how AWS views blockchain technology, and learn about our services and about the features of our new managed blockchain service, Amazon Managed Blockchain, which makes it easy to build and manage scalable Hyperledger Fabric networks on AWS.

Building enterprise solutions with blockchain technology - SVC217 - New York ...

Amazon Web Services

HK-AWS-Quick-Start-Workshop

Amazon Web Services

Ensuring that your company’s data is safely and securely persisted should be among your organization’s top priorities. But beyond data integrity, you also need to ensure availability. In this session, we focus on best practices for AWS block and file storage when supporting business-critical applications such as SAP HANA, Oracle RAC, Microsoft SQL Server, MySQL, Cassandra, and home directories. We discuss migrating mission-critical workload data, selecting volumes or file systems, maximizing performance, and designing for durability and availability. We also talk about how to optimize for cost to make sure your lift-and-shift project is a complete success.

AWS storage solutions for business-critical applications - STG301 - Chicago A...

Amazon Web Services

With the simplicity of Amazon Elasticsearch Service (Amazon ES) comes many opportunities to use it as a backend for real-time application and infrastructure monitoring. With this wealth of opportunities comes sprawl; developers in your organization are deploying Amazon ES for many different workloads. Should you centralize into one Amazon ES domain? What are the tradeoffs in scale and cost? How do you control access to the data and dashboards? Do you structure your indexes as single tenant or multi-tenant? In this session, we explore whether, when, and how to centralize logging across your organization and discover how Autodesk built a unified log analytics solution using Amazon ES.

Build your own log analytics solution on AWS - ADB301 - Atlanta AWS Summit

Amazon Web Services

Developing serverless applications with .NET using AWS SDK & tools - MAD311 -...

Amazon Web Services

Was ist angesagt? (20)