From Obstacle to Advantage: The Changing Role of Security & Compliance in Your Organization - SID318 - re:Invent 2017
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
From Obstacle to Advantage:
The Changing Role of Security &
Compliance in Your Organization
John Martinez, VP Customer Success, Evident.io
Matt Willman, Principal Architect for FedRAMP, Jive Software
November 30, 2017
SID318
2. Copyright © 2017, Evident.io, Inc.
JOHN MARTINEZ
VP CUSTOMER SUCCESS
EVIDENT.IO
MATT WILLMAN
PRINCIPAL ARCHITECT FOR FEDRAMP
JIVE SOFTWARE
Introductions
3.
Cloud Security is a Team Sport
Roles on the team (slide diagram): SecOps, DevOps, Risk & Compliance, CISO, CIO, CFO, CEO
Success Is Achieved When Everyone Works Together
4.
Cloud Adoption Maturity: Where Are You?
Explore: CI/CD Toolchain; CloudFormation Templates; Code Analysis & Review; Pre/Post Deploy Testing
Implement: Infrastructure Testing & Alerting; Application Logging; Auto Scaling; HIDS/NIDS; FIM; Config Management
Optimize: Auto-remediation via AWS Lambda; Automatic Roll-back to Known Good State; Automatic Failover to Other Regions
5.
Security Challenges by Role
SecOps
Explore: Loss of Control & Visibility
Implement: Monitoring & Enforcement
Optimize: Always Behind / Out-resourced
6.
Security Challenges by Role
SecOps
Explore: Loss of Control & Visibility
Implement: Monitoring & Enforcement
Optimize: Always Behind / Out-resourced
DevOps
Explore: Don't Know What They Don't Know
Implement: Automating Workflows
Optimize: Adopting/Creating New Workflows
7.
Security Challenges by Role
SecOps
Explore: Loss of Control & Visibility
Implement: Automating Monitoring & Enforcement
Optimize: Always Behind / Out-resourced
DevOps
Explore: Don't Know What They Don't Know
Implement: Automating Workflows
Optimize: Adopting/Creating New Workflows
Compliance
Explore: Don't Know
Implement: Don't Know
Optimize: Don't Know
8.
What Should Be Occurring at Each Stage?
Explore: CI/CD Toolchain; CloudFormation Templates; Code Analysis & Review; Pre/Post Deploy Testing
Implement: Infrastructure Testing & Alerting; Application Logging; Auto Scaling; HIDS/NIDS; FIM; Config Management
Optimize: Auto-remediation via AWS Lambda; Automatic Roll-back to Known Good State; Automatic Failover to Other Regions
9.
What Should Be Occurring at Each Stage?
Explore: CI/CD Toolchain; CloudFormation Templates; Code Analysis & Review; Pre/Post Deploy Testing
At this stage:
- Adapting policies, exploring tools
- Adopting a security-first approach, learning what is available in AWS
- Learning plans and impact of deployments, and what is inherited from AWS
10.
Security by Design
• AWS-recommended for proactive security in AWS
• Provides a practical approach to creating your security controls matrix and enforcing those controls
• Heavy on proactive automation with AWS CloudFormation
https://aws.amazon.com/compliance/security-by-design/
11.
What Should Be Occurring at Each Stage?
Implement: Infrastructure Testing & Alerting; Application Logging; Auto Scaling; HIDS/NIDS; FIM; Config Management
At this stage:
- Automating security monitoring & assessment for full visibility
- Developing processes to ensure best practices are followed
- Performing periodic measurement to identify gaps in compliance
12.
Security Policy as Code
Policy: Ensure the default security group restricts all traffic
Description: A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.
# ESP custom signature (Ruby DSL): set_data, pass and fail are supplied by the
# signature runtime; perform is called once per account/region with an AWS client.
def perform(aws)
  aws.ec2.describe_security_groups.security_groups.each do |sg|
    group_name = sg[:group_name]
    if group_name == "default"
      group_id = sg[:group_id]
      set_data(group_id: group_id, group_name: group_name, sg: sg)
      # Compliant only when the group has neither ingress nor egress rules
      if sg[:ip_permissions].empty? && sg[:ip_permissions_egress].empty?
        pass(message: "Default security group '#{group_id}' restricts all traffic.", resource_id: group_id)
      else
        fail(message: "Default security group '#{group_id}' does not restrict all traffic.", resource_id: group_id)
      end
    end
  end
end
14.
What Should Be Occurring at Each Stage?
Optimize: Auto-remediation via AWS Lambda; Automatic Roll-back to Known Good State; Automatic Failover to Other Regions
At this stage:
- Automating enforcement of policy
- Automating workflows to validate configuration before deployment
- Compliance scorecard by month, week, or day
16. Even Better Way, Automate Enforcement
Diagram labels: Deploy → Monitor → Analyze → Remediate via AWS Lambda → Compliant, repeated as a loop; each New Release enters the loop at Deploy.
18.
Policy Enforcement as Code
import re
import boto3

ec2 = boto3.client('ec2')

# Revoke the ingress rule (sg_id, ip_protocol, from_port-to_port, cidr_ip) when it
# exposes an admin port (entries such as "tcp-22") to a global CIDR such as 0.0.0.0/0.
def revoke_global_admin_access(sg_id, ip_protocol, from_port, to_port, cidr_ip,
                               admin_port_list, global_cidr_list):
    for admin_port in admin_port_list:
        proto = re.split('-', admin_port)[0]
        port = re.split('-', admin_port)[1]
        find_port = from_port <= int(port) <= to_port
        if cidr_ip in global_cidr_list and ip_protocol.lower() == proto and find_port:
            try:
                # boto3 expects the quoted keys 'IpRanges' and 'CidrIp'
                ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=[
                    {'IpProtocol': ip_protocol, 'FromPort': from_port, 'ToPort': to_port,
                     'IpRanges': [{'CidrIp': cidr_ip}]}])
            except Exception as e:
                error = str(e)
                if 'rule does not exist' not in error:
                    print('=> Error: ', error)
            else:
                print("=> Revoked rule permitting %s/%d-%d with cidr %s from %s" %
                      (ip_protocol, from_port, to_port, cidr_ip, sg_id))
Control: PCI DSS 3.2, Requirement 1.2.1, Restrict inbound and outbound traffic
Description: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
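The two slide snippets (the slide 12 default-security-group check and the slide 18 admin-port revocation) reworked as pure functions over describe_security_groups() output, so the policy and enforcement logic can be unit-tested offline before it is wired to boto3 or an ESP signature. This is an added example, not code from the talk or from Evident.io; the security group data, group ids and the ADMIN_PORTS/GLOBAL_CIDRS lists are constructed.

```python
# Constructed sample of describe_security_groups()['SecurityGroups'], trimmed
# to the fields the checks use; not real account data.
SAMPLE_SGS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "default",   # compliant default SG
     "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "default",   # second VPC's default SG,
     "IpPermissions": [],                                 # still with allow-all egress
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ffffff1", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
     ],
     "IpPermissionsEgress": []},
]

ADMIN_PORTS = ["tcp-22", "tcp-3389"]   # "<proto>-<port>" entries, as in the Lambda snippet
GLOBAL_CIDRS = ["0.0.0.0/0"]

def check_default_sg(security_groups):
    """Slide 12 policy: a 'default' group passes only when it has neither
    ingress nor egress rules. Returns {group_id: 'pass' | 'fail'}."""
    results = {}
    for sg in security_groups:
        if sg["GroupName"] == "default":
            clean = not sg["IpPermissions"] and not sg["IpPermissionsEgress"]
            results[sg["GroupId"]] = "pass" if clean else "fail"
    return results

def admin_rules_to_revoke(sg, admin_ports=ADMIN_PORTS, global_cidrs=GLOBAL_CIDRS):
    """Slide 18 enforcement: the IpPermissions payload revoke_security_group_ingress
    would receive. Only the offending CIDR of a rule is revoked; other ranges stay."""
    revoke = []
    for perm in sg["IpPermissions"]:
        # All-traffic rules (IpProtocol "-1") have no port range and, as on the
        # slide, never match a "tcp-22" style entry; they need a separate check.
        from_port, to_port = perm.get("FromPort", -1), perm.get("ToPort", -1)
        for entry in admin_ports:
            proto, port = entry.split("-", 1)
            if perm["IpProtocol"].lower() != proto or not from_port <= int(port) <= to_port:
                continue
            for rng in perm["IpRanges"]:
                if rng["CidrIp"] in global_cidrs:
                    revoke.append({"IpProtocol": perm["IpProtocol"], "FromPort": from_port,
                                   "ToPort": to_port, "IpRanges": [{"CidrIp": rng["CidrIp"]}]})
    return revoke
```

In the sample, the second default group fails because it still carries the allow-all egress rule a new VPC's default group starts with, and only the 0.0.0.0/0 range of the SSH rule is queued for revocation.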
19.
ESP Dashboard
Diagram labels: Find Problem / Open Ticket → Alert → AWS Lambda → Fix Problem → ESP Updated → Problem Resolved → Ticket Updated → Compliant; Amazon SNS and Integrations carry the alert and ticket updates.
20.
Common Pitfalls
#1 Not involving policy makers in each step and as each project is deployed
21.
Common Pitfalls
#2 Forgetting that incidents happen will derail your timelines
22.
Common Pitfalls
#3 Treating the cloud exactly like your datacenter
23.
Common Pitfalls
#4 "It's just an experiment": prototypes become permanent
24.
Common Pitfalls
#5 Engineers who build solutions looking for problems
25.
Simplifying NIST 800-53 Compliance in GovCloud
Jive Software selected the Evident Security Platform (ESP) as an automation tool to continuously monitor vulnerabilities in their AWS infrastructure, saving them time and money. Simple one-click compliance reports for CIS AWS Foundations Benchmark, PCI and NIST 800-53 provide on-going measurement and industry frameworks.
Matt Willman, Principal Architect for FedRAMP, Jive Software
28.
THANK YOU!