© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
From Obstacle to Advantage:
The Changing Role of Security &
Compliance in Your Organization
JOHN MARTINEZ, VP CUSTOMER SUCCESS, EVIDENT.IO
MATT WILLMAN, PRINCIPAL ARCHITECT FOR FEDRAMP, JIVE SOFTWARE
November 30, 2017
SID318
Copyright © 2017, Evident.io, Inc.
Introductions
JOHN MARTINEZ, VP CUSTOMER SUCCESS, EVIDENT.IO
MATT WILLMAN, PRINCIPAL ARCHITECT FOR FEDRAMP, JIVE SOFTWARE
Cloud Security Is a Team Sport
SECOPS | DEVOPS | RISK & COMPLIANCE | CISO | CIO, CFO, CEO
Success Is Achieved When Everyone Works Together
Cloud Adoption Maturity: Where Are You?
Explore: CI/CD Toolchain; CloudFormation Templates; Code Analysis & Review; Pre/Post Deploy Testing
Implement: Infrastructure Testing & Alerting; Application Logging; Auto Scaling; HIDS/NIDS; FIM; Config Management
Optimize: Auto-remediation via AWS Lambda; Automatic Roll-back to Known Good State; Automatic Failover to Other Regions
Security Challenges by Role
SecOps
  Explore: Loss of Control & Visibility
  Implement: Automating Monitoring & Enforcement
  Optimize: Always Behind / Out-resourced
DevOps
  Explore: Don’t Know What They Don’t Know
  Implement: Automating Workflows
  Optimize: Adopting/Creating New Workflows
Compliance
  Explore: Don’t Know
  Implement: Don’t Know
  Optimize: Don’t Know
What Should Be Occurring at Each Stage?
Explore stage (CI/CD Toolchain; CloudFormation Templates; Code Analysis & Review; Pre/Post Deploy Testing):
• Adapting Policies, Exploring Tools
• Adopting a Security-First Approach, Learning What Is Available in AWS
• Learning Plans and Impact of Deployments, What Is Inherited from AWS
Security by Design
• AWS-recommended for proactive security in AWS
• Provides a practical approach to creating your security controls
matrix and enforcing those controls
• Heavy on the proactive automation with AWS CloudFormation
https://aws.amazon.com/compliance/security-by-design/
What Should Be Occurring at Each Stage?
Implement stage (Infrastructure Testing & Alerting; Application Logging; Auto Scaling; HIDS/NIDS; FIM; Config Management):
• Automating Security Monitoring & Assessment for Full Visibility
• Developing Processes to Ensure Best Practices Are Followed
• Performing Periodic Measurement to Identify Gaps in Compliance
Security Policy as Code
Policy: Ensure the default security group restricts all traffic
Description: A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don’t specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.

# ESP custom signature (Ruby): for every security group named "default",
# pass only when it carries no inbound and no outbound rule at all.
def perform(aws)
  aws.ec2.describe_security_groups.security_groups.each do |sg|
    group_name = sg[:group_name]
    if group_name == "default"
      group_id = sg[:group_id]
      set_data(group_id: group_id, group_name: group_name, sg: sg)
      if sg[:ip_permissions].empty? && sg[:ip_permissions_egress].empty?
        pass(message: "Default security group '#{group_id}' restricts all traffic.", resource_id: group_id)
      else
        fail(message: "Default security group '#{group_id}' does not restrict all traffic.", resource_id: group_id)
      end
    end
  end
end
Do You Know Where You Stand?
What Should Be Occurring at Each Stage?
Optimize stage (Auto-remediation via AWS Lambda; Automatic Roll-back to Known Good State; Automatic Failover to Other Regions):
• Automating Enforcement of Policy
• Automating Workflows to Validate Configuration Before Deployment
• Compliance Scorecard by Month, Week, or Day
Manage Security Continuously
Release cycle (diagram): DEV → DEPLOY → MONITOR → TEST & ANALYZE → ALERT → APPLY FIXES → NEW RELEASE → DEPLOY → MONITOR → ...
Even Better Way: Automate Enforcement
Release cycle (diagram): DEPLOY → MONITOR → ANALYZE → REMEDIATE VIA AWS LAMBDA → COMPLIANT → NEW RELEASE → DEPLOY → MONITOR → ...
Remediate with AWS Lambda
Policy Enforcement as Code
Control: PCI DSS 3.2, Requirement 1.2.1, Restrict inbound and outbound traffic
Description: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.

# Lambda remediation (Python 3, boto3): revoke an ingress rule on security
# group sg_id when it exposes an administrative port to a world-open CIDR.
# admin_port_list holds "proto-port" strings (e.g. "tcp-22"), global_cidr_list
# the CIDRs treated as world-open (e.g. "0.0.0.0/0"); ip_protocol, from_port,
# to_port and cidr_ip describe the rule being evaluated and are set by the
# surrounding loop over the group's rules, which the slide does not show.
import re
import boto3

ec2 = boto3.client('ec2')

for admin_port in admin_port_list:
    proto = re.split('-', admin_port)[0]
    port = re.split('-', admin_port)[1]
    find_port = from_port <= int(port) <= to_port
    if cidr_ip in global_cidr_list and ip_protocol.lower() == proto and find_port:
        try:
            ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=[
                {'IpProtocol': ip_protocol, 'FromPort': from_port, 'ToPort': to_port,
                 'IpRanges': [{'CidrIp': cidr_ip}]}])
        except Exception as e:
            error = str(e)
            # a rule somebody already removed is not an error worth reporting
            if 'rule does not exist' not in error:
                print('=> Error: ', error)
        else:
            print("=> Revoked rule permitting %s/%d-%d with cidr %s from %s" %
                  (ip_protocol, from_port, to_port, cidr_ip, sg_id))
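Both policies on this deck, the slide-12 default-group check and the slide-18 admin-port revocation, carried through as an added example that is not Evident.io's or Jive Software's code. The admin-port and CIDR lists, the FakeEC2 stand-in and the sample groups are constructed; the dict keys follow boto3's describe_security_groups() response, and it also handles IPv6 ranges and "-1" (all traffic) rules, which the slide's fragment does not.

```python
# Added example: the deck's two policies as pure functions over boto3
# describe_security_groups() output, plus a Lambda-style remediator.
import re

# Constructed policy inputs, in the deck's "proto-port" / CIDR-list shapes.
ADMIN_PORT_LIST = ["tcp-22", "tcp-3389"]
GLOBAL_CIDR_LIST = ["0.0.0.0/0", "::/0"]


def default_group_restricts_all(sg):
    """Slide 12 policy: pass only when the default group carries no ingress
    and no egress rule at all."""
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


def _covers_admin_port(perm, admin_ports):
    """True when an IpPermissions entry reaches an admin port; "-1" = all."""
    proto = perm.get("IpProtocol", "")
    if proto == "-1":
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    for admin in admin_ports:
        a_proto, a_port = re.split("-", admin, maxsplit=1)
        if proto.lower() == a_proto and lo <= int(a_port) <= hi:
            return True
    return False


def offending_rules(sg, admin_ports=ADMIN_PORT_LIST, global_cidrs=GLOBAL_CIDR_LIST):
    """Slide 18 policy: one IpPermissions entry per (rule, world-open CIDR)
    pair that exposes an admin port, shaped for revoke_security_group_ingress.
    IPv6 ranges are covered too, which the deck's fragment did not do."""
    found = []
    for perm in sg.get("IpPermissions", []):
        if not _covers_admin_port(perm, admin_ports):
            continue
        base = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") in global_cidrs:
                found.append(dict(base, IpRanges=[{"CidrIp": rng["CidrIp"]}]))
        for rng in perm.get("Ipv6Ranges", []):
            if rng.get("CidrIpv6") in global_cidrs:
                found.append(dict(base, Ipv6Ranges=[{"CidrIpv6": rng["CidrIpv6"]}]))
    return found


def remediate(ec2, sg):
    """Revoke each offending rule in its own call, as the deck's Lambda does,
    so a rule somebody already removed does not abort the rest."""
    revoked = 0
    for entry in offending_rules(sg):
        try:
            ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=[entry])
            revoked += 1
        except Exception as exc:  # boto3 ClientError, matched by message as in the deck
            if "rule does not exist" not in str(exc).lower():
                raise
    return revoked


class FakeEC2:
    """Offline stand-in for boto3.client("ec2"): records revoke calls, or
    mimics the NotFound error for an already-removed rule."""
    def __init__(self, rule_missing=False):
        self.calls, self.rule_missing = [], rule_missing

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        if self.rule_missing:
            raise RuntimeError("InvalidPermission.NotFound: The specified rule "
                               "does not exist in this security group.")
        self.calls.append((GroupId, IpPermissions))
        return {"Return": True}


# Constructed sample: a default group still allowing intra-group traffic, and
# a bastion with SSH open to the world (v4 and v6) plus a range covering RDP.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0default", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bastion", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]
```

Inside a real Lambda, replace FakeEC2 with boto3.client("ec2") and feed it each group from describe_security_groups()["SecurityGroups"]; the decision logic stays identical.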
ESP Dashboard remediation flow (diagram): ESP Dashboard → Alert via Amazon SNS → either AWS Lambda (Fix Problem → ESP Updated → Compliant) or Integrations (Find Problem / Open Ticket → Problem Resolved → Ticket Updated)
Common Pitfalls
#1 Not involving policy makers in each step and as each project is deployed
#2 Forgetting that incidents happen will derail your timelines
#3 Treating the cloud exactly like your datacenter
#4 “It’s just an experiment”: prototypes become permanent
#5 Engineers who build solutions looking for problems
Simplifying NIST 800-53 Compliance in GovCloud
Jive Software selected the Evident Security Platform (ESP) as an automation tool to continuously monitor vulnerabilities in their AWS infrastructure, saving them time and money. Simple one-click compliance reports for the CIS AWS Foundations Benchmark, PCI and NIST 800-53 provide on-going measurement and industry frameworks.
Matt Willman, Principal Architect for FedRAMP, Jive Software
Compliance in One Click
BOOTH #2000
THANK YOU!
