Winning Governance Strategies for the Technology Disruptions of our Time
1. Winning Governance Strategies for the Technology Disruptions of our
Time
ISACA South Florida Annual GRC Conference
June 22, 2018
Patrick Hannah, VP of Engineering, CloudHesive
3. About CloudHesive
• Professional Services
– Assessment (Current environment, datacenter or cloud footprint)
– Strategy (Getting to the future state)
– Migration (Environment-to-cloud, Datacenter-to-cloud)
– Implementation (Point solutions)
– Support (Break/fix and ongoing enhancement)
• DevOps Services
– Assessment
– Strategy
– Implementation (Point solutions)
– Management (Supporting infrastructure, solutions or ongoing
enhancement)
– Support (Break/fix and ongoing enhancement)
• Managed Security Services (SecOps)
– Encryption as a Service (EaaS) – encryption at rest and in flight
– End Point Security as a Service
– Threat Management
– SOC II Type 2 Validated
• Next Generation Managed Services
– Leveraging our Professional, DevOps and Managed Security Services
– Single payer billing
– Intelligent operations and automation
– AWS Audited
4. Agenda
• Disruptive technology history
• Challenges faced in GRC by disruptive technologies
• Brief introduction to AWS
• Introduction of Shared Responsibility models, specifically around Cloud Computing and AWS
• Overview of AWS Frameworks that can be leveraged by Security and Compliance teams for GRC with
technology disruptors
• Overview of AWS Services that can be leveraged to support GRC on AWS
• Overview of AWS Reference Architectures that align to a number of Frameworks and leverage the previously
referenced AWS Services
• Conclusion
5. Disruptive Technology History
• Then
– Storage
– Communications
– Computing
– Transportation
– Manufacturing
– Discreet Components
• Now
– Social
– Mobile
– Analytics/Big Data/AI
– Cloud
– Smart Things/IoT
– Blockchain
6. Challenges faced in GRC by disruptive technologies
• Endpoints
– From a single, non network connected computing device to multiple (desktops, laptops, tablets, mobile
phones), mixed platforms
– Smart Appliances (Kitchen, TV, etc.), Consumer IoT (Smart Home, Alexa, Dash, etc.),
Commercial/Industrial IoT (Environmental, Manufacturing, etc.), also mixed platforms
• Data
– Wider breadth of sources, formats, and technologies to ingest, process, store, retrieve, analyze and
display
– Growth in the four v’s (volume, variety, velocity and veracity)
• Policy
– Attempting to apply legacy policies to disruptive technologies
– Looked at as not agile/slow to adopt disruptive technologies/slow to apply to disruptive technologies
• Shadow IT
– The nature of disruptive technologies supports the adoption of them by non IT users
– Disruptive technologies tend to be enablers to avoid traditional methods of acquisition
7. Who is using AWS (US and Abroad)?
• Federal Government
• Government-Sponsored Enterprise
• State
• Local
• Higher Education
• K-12
• Non-Profit
• Private Sector
8. GovCloud
• Additional Assurance Programs Above and Beyond other AWS Regions
– ITAR
– FedRAMP ATO (High for GovCloud, Medium for us-east/west)
– DoD SRG (2,4,5 for GovCloud, 2 for us-east/west)
• General
– Separate Endpoints (utilize FIPS 140-2 approved cryptographic modules)
– Separate Namespace
– Separate Authentication (Tied to a non-GovCloud account for billing purposes - no Root
Account)
– 46 of the 127 AWS Services Available (EC2 Classic not Available)
– US Citizen only Access
• Physical Location
– Northwestern US
– Eastern US (forthcoming)
12. General Design Principles
• Stop guessing your capacity needs
• Test systems at production scale
• Automate to make architectural experimentation easier
• Allow for evolutionary architectures
• Drive architectures using data
• Improve through game days
13. Operational Excellence
• Design Principles
– Perform operations as code
– Annotate documentation
– Make frequent, small, reversible changes
– Refine operations procedures frequently
– Anticipate failure
– Learn from all operational failures
• Best Practices
– Prepare
– Operate
– Evolve
14. Security
• Design Principles
– Implement a strong identity foundation
– Enable traceability
– Apply security at all layers
– Automate security best practices
– Protect data in transit and at rest
– Prepare for security events
• Best Practices
– Identity and Access Management
– Detective Controls
– Infrastructure Protection
– Data Protection
– Incident Response
15. Reliability
• Design Principles
– Test recovery procedures
– Automatically recover from failure
– Scale horizontally to increase aggregate system availability
– Stop guessing capacity
– Manage change in automation
• Best Practices
– Foundations
– Change Management
– Failure Management
16. Performance Efficiency
• Design Principles
– Democratize advanced technologies
– Go global in minutes
– Use serverless architectures
– Experiment more often
– Mechanical sympathy
• Best Practices
– Selection
– Review
– Monitoring
– Tradeoffs
17. Cost Optimization
• Design Principles
– Adopt a consumption model
– Measure overall efficiency
– Stop spending money on data center operations
– Analyze and attribute expenditure
– Use managed services to reduce cost of ownership
• Best Practices
– Cost-Effective Resources
– Matching Supply and Demand
– Expenditure Awareness
– Optimizing Over Time
18. Sample Implementation
• “NIST Quickstart”
• Based on Cybersecurity
Framework, SP 800-53, SP 800-37
• Corresponding Guide + Controls
Matrix
• CIS and PCI Variants Available
• Good starting point
19. Supporting Services
• VPC: Security Groups (Stateful Firewall) + NACLs (Stateless Firewall)
• VPC: Flow Logs (NetFlow)
• VPC: VGW (Point to Point and IPSEC Connectivity) + Peering (VPC to VPC Connectivity) +
Endpoints (Private Connectivity to AWS Services)
• VPC: NAT Gateway (Private to Public IP Address NAT’ing)
• EC2: Patch Manager (OS and above patching + auditing)
• EC2: Parameter Store (Secure Storage of Service Accounts)
20. Supporting Services
• S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention
• Code Commit/ECS: Secure Application and Artifact Repository
• Code Deploy/Run Command: “Hands off” OS and configuration management + application
deployment
• CloudWatch Logs: OS and above log management
• CloudWatch Events + Lambda: Event triggered code
• CloudTrail: Audit Trail, Exportable as JSON to idempotent storage
21. Supporting Services
• Config: Point in time snapshots of configuration items, Exportable as JSON to idempotent
storage
• OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management
• CloudFormation: Infrastructure automation described as JSON/YAML, Version Controllable
• IAM + Directory Service + SSO: Standalone and Federated AAA
• KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS services,
provides expiration and ability to provide self-generated cryptographic material
• CloudHSM: FIPS 140-2 Certified cryptographic module with PKCS11 and JCE Interfaces
22. Supporting Services
• Certificate Manager: Secure Certificate Store
• Workspaces: Secure Bastion
• WAF: Layer 7 WAF
• Shield + AutoScaling + ELB + Cloud Front: DoS/DDoS Protection
• Artifact: AWS Audit Reports available on demand
• Tags: Built-in asset + inventory marking and tracking on configuration items
• Service Catalog: Predefined configurations available to end users, can be integrated to ITSM
system
24. Conclusion
• AWS provides a number of services to support your frameworks + controls, in addition to
core infrastructure (server + storage) capabilities.
• AWS provides guidance (in the form of the CAF and WAF) for organizations which do not
have an existing framework to base their cloud adoption model on.
• Getting started on AWS is easy; with the free tier, you can experiment with a number of
services without incurring significant cost.
• Adoption of AWS in your organization can be as easy or as hard as you want to make it; start
simple and iterate.
25. Recommended Reading
• AWS Well Architected Framework
– https://aws.amazon.com/architecture/well-architected/
• AWS Cloud Adoption Framework
– https://aws.amazon.com/professional-services/CAF/
• AWS Cloud Transformation Maturity Model
– https://d0.awsstatic.com/whitepapers/AWS-Cloud-Transformation-Maturity-Model.pdf
• Shared Responsibility Model
– https://aws.amazon.com/compliance/shared-responsibility-model/
• Operational Checklists for AWS
– https://d1.awsstatic.com/whitepapers/aws-operational-checklists.pdf
• Introduction to Auditing the Use of AWS
– https://d1.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf
26. Further Learning
• Getting Started: https://aws.amazon.com/getting-started
• General Reference: http://docs.aws.amazon.com/general/latest/gr
• Global Infrastructure: https://aws.amazon.com/about-aws/global-infrastructure/
• FAQs: https://aws.amazon.com/faqs
• Documentation: https://aws.amazon.com/documentation/
• Architecture: https://aws.amazon.com/architecture
• Whitepapers: https://aws.amazon.com/whitepapers
• Security: https://aws.amazon.com/security
• Blog: https://aws.amazon.com/blogs
• Service Specific Pages: https://aws.amazon.com/service
• AWS Answers: https://aws.amazon.com/answers/
• AWS Knowledge Center: https://aws.amazon.com/premiumsupport/knowledge-center/
• SlideShare: http://www.slideshare.net/AmazonWebServices
• Github: https://github.com/aws and https://github.com/awslabs
Certifications in CCSK, CCSP, ITIL
Experience with AWS, GovCloud, FedRAMP, specifically
From Wiki: Disruptive innovation is an innovation that creates a new market and value network and eventually disrupts an existing market and value network, displacing established market-leading firms, products, and alliances
AWS Public Sector Summit – June 20-21, 2018, Walter E. Washington Convention Center
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/
https://aws.amazon.com/compliance/services-in-scope/
See also C2S and Secret Region: https://aws.amazon.com/federal/us-intelligence-community/
https://aws.amazon.com/quickstart/architecture/accelerator-nist/
NIST – Cybersecurity Framework, SP 800-53, SP 800-37
CIS – Benchmarks
CSA – CCM + CAIQ
Basic AWS Identity and Access Management (IAM) configuration with custom (IAM) policies, with associated groups, roles, and instance profiles.
Standard, external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for application and database. The Multi-AZ architecture helps ensure high availability.
Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data.
Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack. The security groups limit access to only necessary services.
Three-tier Linux web application using Auto Scaling and Elastic Load Balancing, which can be modified and/or bootstrapped with customer application.
A secured bastion login host to facilitate command-line Secure Shell (SSH) access to Amazon EC2 instances for troubleshooting and systems administration activities.
Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database.
Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules (where available).
The next few slides I will detail some of the supporting services; a number of the AWS published matrices detail the alignment of these services to specific controls, rather than read through a matrix, I thought it would help to explain what these services are and how they can help