The IBM Watson and Cloud Platform
Ryan Hodgin
Lead Solution Architect – Healthcare and Life Sciences
@rhodgin
Regulated Reactive: Security Considerations for Building Reactive Systems in Regulated Industries
One Platform. One architecture. Cloud-native. One IBM.
Background On Ryan
IBMer for 15 years based in Boulder, CO
Application Development and Architecture Background
Now on IBM’s Cloud Platform Team focused on Solution Architecture for Healthcare and Life Sciences
Twitter: @rhodgin
LinkedIn: https://www.linkedin.com/in/rhodgin/
SlideShare: https://www.slideshare.net/RyanHodgin
Equifax Hack - Shock
Equifax Hack - Fallout
The fallout –
- Drop in Stock Value
- Lawsuits
- Executives Resign (CEO, CIO, CISO)
- Fines
Equifax Hack – Root Cause
Equifax Breach – Personal Impact
Abbott Pacemaker Recall
• Vulnerability discovered by researchers
• Patch requires office visit
Leads to Extreme Risk Aversion
Our Monolith – Patient Vitals
(architecture diagram: a single patient_vitals.ear with Model, Controller and View layers over a common DB; components shown: Process Vitals, Vitals Report, Heart Rate Report (JSP), Alert, Respiratory Rate, Blood Pressure, Patient)
Reactive Patient Vitals
(architecture diagram: the same domain as separate components: Vitals, Vitals Report, Heart, Respiratory, Blood Pressure, Patient, Alerts)
Compliance Officer’s Perspective
Illustration © Lev Polyakov, http://levpolyakov.com
How Developers
See Themselves
How Compliance
Officers See Them
Reactive Patterns – Event Sourcing
• What is it?
“Capture all changes to an application state as a sequence of events.” – Martin Fowler
• Motivations:
• Distributed Computing - Append-only architecture distributes well
• Full visibility into the system’s history
• Natural audit log
• Snapshots with ability to replay events
• Speed to recovery
Malicious Actor Example
Changing Days Absent
How do you recover?
Review Events and Make Corrections
(diagram: a Change Days Absent command produces a Days Absent Changed event)
Event Sourcing and GDPR
• General Data Protection Regulation (GDPR) goes into effect May 25, 2018
• In situations where “Right to erasure” applies, does personal identifying data need to be removed from the event source history?
Reactive Patterns – CQRS
• Definition: CQRS (Command Query Responsibility Segregation) – “CQRS is simply the creation of two objects where there was previously only one. The separation occurs based upon whether the methods are a command or a query.” (Greg Young)
• Motivations:
• Supports different rules for display of data (query model based on usage)
• Fits well with Bounded Contexts in Domain-Driven Design
• Supports separate access control / security rules between reads and writes
• Enables the Principle of Least Privilege (PoLP)
Add Controls
Lock Ferris Out
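The event-sourcing slides (a tampered "days absent" value, recovery by reviewing events and making corrections) and the CQRS slide (separate access-control rules for writes, least privilege) describe the mechanics without showing them. The following is an added example, not code from the deck or from the speaker: an append-only event store, a command handler that authorizes before writing, a read model rebuilt by replay (with a snapshot), and recovery by appending a correcting event. The principal names (attendance-clerk, ferris), the role table and the event kinds are invented for the example.

```python
"""Event-sourced 'days absent' record with a CQRS-style write-side control.
Constructed example (not from the deck): append-only store, least-privilege
command handler, read model rebuilt by replay, and recovery by a correcting
event. Principal names, roles and event kinds are invented for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Event:
    seq: int          # position in the append-only log
    student: str
    kind: str         # "DaysAbsentChanged" or "DaysAbsentCorrected"
    new_value: int
    actor: str        # who issued the command: this is the audit trail
    reason: str
    at: str           # ISO-8601 UTC timestamp

class PermissionDenied(Exception):
    pass

class EventStore:
    """Append-only log: events are never updated or deleted in place."""

    def __init__(self) -> None:
        self._events: List[Event] = []

    def append(self, student, kind, new_value, actor, reason) -> Event:
        ev = Event(len(self._events) + 1, student, kind, new_value, actor,
                   reason, datetime.now(timezone.utc).isoformat())
        self._events.append(ev)
        return ev

    def events(self, since_seq: int = 0) -> List[Event]:
        return [e for e in self._events if e.seq > since_seq]

# Write side: roles entitled to change attendance. The read side needs none of this.
ROLE_OF = {"attendance-clerk": "clerk", "ferris": "student"}
MAY_CHANGE_DAYS_ABSENT = {"clerk"}

def _authorize(actor: str) -> None:
    if ROLE_OF.get(actor) not in MAY_CHANGE_DAYS_ABSENT:
        raise PermissionDenied(f"{actor} may not change days absent")

def change_days_absent(store, actor, student, new_value, reason) -> Event:
    """Command handler: authorize first, then record the change as an event."""
    _authorize(actor)
    return store.append(student, "DaysAbsentChanged", new_value, actor, reason)

def correct_days_absent(store, actor, student, new_value, reason) -> Event:
    """Recovery: a correcting event; the bad event stays visible in history."""
    _authorize(actor)
    return store.append(student, "DaysAbsentCorrected", new_value, actor, reason)

def replay(events, snapshot: Optional[Dict[str, int]] = None) -> Dict[str, int]:
    """Read model: current days absent per student, from a snapshot plus later events."""
    state = dict(snapshot or {})
    for ev in events:
        state[ev.student] = ev.new_value   # both event kinds set the current value
    return state

def suspicious_events(events) -> List[Event]:
    """Audit check: writes whose actor was never entitled to make them."""
    return [e for e in events if ROLE_OF.get(e.actor) not in MAY_CHANGE_DAYS_ABSENT]

def demo() -> Dict[str, object]:
    store = EventStore()
    change_days_absent(store, "attendance-clerk", "ferris", 9, "term roll-up")
    # The deck's 'Changing Days Absent' scenario: a write that reached the store
    # through a path that bypassed the command handler's check.
    store.append("ferris", "DaysAbsentChanged", 2, "ferris", "")
    tampered = replay(store.events())["ferris"]
    # Reviewing the events exposes the write; recovery appends a correction.
    bad = suspicious_events(store.events())
    correct_days_absent(store, "attendance-clerk", "ferris", 9, f"reverts seq {bad[0].seq}")
    # With the handler in front of the store, the same attempt is now refused.
    denied = False
    try:
        change_days_absent(store, "ferris", "ferris", 0, "self-service")
    except PermissionDenied:
        denied = True
    # A snapshot after seq 2 plus replay of later events matches a full replay.
    snap = replay(store.events()[:2])
    from_snapshot = replay(store.events(since_seq=2), snapshot=snap)
    return {"tampered": tampered, "suspicious_seq": [e.seq for e in bad],
            "current": replay(store.events())["ferris"],
            "from_snapshot": from_snapshot["ferris"], "denied": denied,
            "history_len": len(store.events())}
```

The tampered event is never deleted: the correction is a third event, so an auditor can still see who wrote what and when.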
Our Stack
Istio
• Open source project led by Google, IBM, and Lyft
• Service Mesh
• Offers features in:
• Traffic Management
• Observability
• Policy Enforcement
• Service Identity and Security
• Initial support for Kubernetes and plans for VMs, Cloud Foundry, and Mesos
Istio and Security
Disclaimers
• Full stack not yet production ready
• Other aspects of security still matter (a lot!)
• Edge Security
• Database Security
• Access Management
• Policies and procedures
• Variations based on industry / organization
NIST’s Cybersecurity Framework
• Many organizations are standardizing on the framework (with some customizations by industry/organization)
• Defines 5 key categories:
• Identify
• Protect
• Detect
• Respond
• Recover
Identify
• Definition: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
• Opportunities to reduce risk:
• Catalog Services and Data - include risk potential and appeal to attackers
• Secure events throughout lifecycle
• Intelligent routing of sensitive messages
• Leverage labels in Kubernetes and tags in cloud providers to give more visibility / reporting
Protect
• Definition: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
• Opportunities to reduce risk:
• Use SSL/TLS Consistently (Akka, Lagom, Play, anything else)
• Use SSL/TLS with Mutual Authentication for Akka Remoting
• Disable Java Serializer in Akka (since 2.4.11)
• Minimize container privileges
• Utilize Kubernetes Role Based Access Control (and record events) for changes
• Implement service identity and access control rules (service/data level authorization)
Detect
• Definition: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
• Opportunities to reduce risk:
• Use tracing – Lightbend Telemetry / Open Tracing / Zipkin / Jaeger
• Use monitors and alerts – OpsClarity Monitors, Prometheus
• Akka Supervisors – Naturally handle all Actor exceptions (forward messages and track patterns)
• Centralize logs, build benchmarks, and detect unusual patterns of activity
• Integrate AI/Machine Learning – normal day vs. abnormal day
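The Detect slide asks for centralized logs, benchmarks, and "normal day vs. abnormal day" comparison without showing what such a check looks like. The following is an added example, not code from the deck or from the speaker: access-log lines of a hypothetical vitals-report service that record the calling service identity, operation, status and latency; a constructed normal day builds per-caller benchmarks, and a constructed abnormal day is compared against them. The log format, the service names (vitals-ui, alerts-svc, batch-job) and the thresholds are invented for the example.

```python
"""Baseline-vs-anomaly check over centralized service logs.
Constructed example (not from the deck): access-log lines of a hypothetical
vitals-report service carry the caller's service identity, operation, status
and latency. A normal day builds per-caller benchmarks; another day is
compared against them. Log format, service names and thresholds are invented."""
import re
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Tuple

LINE = re.compile(r"^(?P<ts>\S+) caller=(?P<caller>\S+) op=(?P<op>\S+) "
                  r"status=(?P<status>\d{3}) ms=(?P<ms>\d+)$")

# Constructed 'normal day' sample: what the benchmark is built from.
NORMAL_DAY = """\
2018-05-01T09:00:01Z caller=vitals-ui op=GetVitalsReport status=200 ms=42
2018-05-01T09:05:07Z caller=alerts-svc op=GetVitals status=200 ms=30
2018-05-01T13:20:44Z caller=vitals-ui op=GetVitalsReport status=200 ms=38
2018-05-01T15:41:10Z caller=alerts-svc op=GetVitals status=200 ms=34
"""

# Constructed 'abnormal day' sample: a new caller, a volume spike, slow alerts.
ABNORMAL_DAY = """\
2018-05-02T02:10:03Z caller=batch-job op=GetVitalsReport status=403 ms=5
2018-05-02T02:10:04Z caller=batch-job op=GetVitals status=200 ms=44
2018-05-02T09:00:02Z caller=vitals-ui op=GetVitalsReport status=200 ms=41
2018-05-02T09:00:09Z caller=vitals-ui op=GetVitalsReport status=200 ms=39
2018-05-02T09:00:15Z caller=vitals-ui op=GetVitalsReport status=200 ms=40
2018-05-02T09:00:21Z caller=vitals-ui op=GetVitalsReport status=200 ms=43
2018-05-02T09:00:27Z caller=vitals-ui op=GetVitalsReport status=200 ms=37
2018-05-02T09:00:33Z caller=vitals-ui op=GetVitalsReport status=200 ms=42
2018-05-02T09:00:40Z caller=vitals-ui op=GetVitalsReport status=200 ms=40
2018-05-02T09:05:11Z caller=alerts-svc op=GetVitals status=200 ms=150
2018-05-02T15:41:12Z caller=alerts-svc op=GetVitals status=200 ms=90
"""

Finding = Tuple[str, str, float]   # (kind, caller, observed value)

def parse(log_text: str) -> List[dict]:
    """Parse log lines; lines that do not match the format are skipped, not guessed."""
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["status"], d["ms"] = int(d["status"]), int(d["ms"])
            rows.append(d)
    return rows

def baseline(rows: List[dict]) -> Dict[str, dict]:
    """Per-caller benchmark: number of calls and mean latency."""
    calls, lat = defaultdict(int), defaultdict(list)
    for r in rows:
        calls[r["caller"]] += 1
        lat[r["caller"]].append(r["ms"])
    return {c: {"calls": calls[c], "mean_ms": mean(lat[c])} for c in calls}

def detect(rows: List[dict], base: Dict[str, dict],
           call_factor: float = 3.0, latency_factor: float = 3.0) -> List[Finding]:
    """Compare one day's rows with the benchmark and return findings for an analyst."""
    findings: List[Finding] = []
    today = baseline(rows)
    for caller, s in sorted(today.items()):
        if caller not in base:                      # identity never seen before
            findings.append(("unknown-caller", caller, s["calls"]))
            continue
        if s["calls"] > call_factor * base[caller]["calls"]:
            findings.append(("call-volume", caller, s["calls"]))
        if s["mean_ms"] > latency_factor * base[caller]["mean_ms"]:
            findings.append(("latency", caller, s["mean_ms"]))
    denied = defaultdict(int)                       # 401/403: refused by access control
    for r in rows:
        if r["status"] in (401, 403):
            denied[r["caller"]] += 1
    findings.extend(("auth-failure", c, n) for c, n in sorted(denied.items()))
    return findings
```

Running `detect(parse(ABNORMAL_DAY), baseline(parse(NORMAL_DAY)))` yields an unknown caller, a call-volume spike for vitals-ui, a latency finding for alerts-svc and one access-control refusal; the normal day checked against its own benchmark yields nothing.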
Respond
• Definition: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
• Opportunities to reduce risk:
• Elastic application design
• Quarantine a compromised Service/VM/container (fail fast)
• Utilize circuit breakers and rate limiting
• Patch rapidly and make changes without downtime
Recover
• Definition: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
• Opportunities to reduce risk:
• Resiliency of the application
• Snapshots and Replay (Event Sourcing)
• Replication / Disaster Recovery strategy
• Use multi-data center capability with Hot-backup
• Utilize Kubernetes distributed clusters and federation
Demo
Reducing Risk in Reactive Patient Vitals App
• Use event sourcing (audit trail/recovery) and CQRS (controls for reporting)
• Create snapshots of events and prioritize ability to replay them (test it)
• Minimize instances of sensitive data - what information is really required?
• Restrict access to services - what should be able to call them?
• Secure communication between services (mutual TLS / service authentication)
• Capture and store metrics on caller, # of calls, and response times
• Capture container images, version deployment history
Communicating the Shift to Reactive
• Explain business reasons for change (competitive pressure, speed to market, risk reduction, etc.)
• Highlight features of the architectural patterns
• Provide real-time visibility (trust but verify)
• Automate auditing (follow up on inconsistencies) – Netflix’s Security Monkey
• Restrict changes (who is allowed to make changes with strong traceability)
• Highlight reductions in current targets (time to patch, RTO/RPO)
Questions? Anyone? Anyone?
Editor’s Notes
1. GDPR’s penalty at 4% of 2016 revenue would have been $125M.