Implementing Governance as Code
1. Governance as Code Using Security by Design
John McDonald
Head of Risk & Compliance – Americas
AWS Global Financial Services
2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly, and reliably leverage the benefits of this increasingly ubiquitous computing model.”
— Gartner (9/22/15): Clouds Are Secure: Are You Using Them Securely?
3. Governance & the Shared Responsibility Model
Compliance is a joint effort, with customers managing their programs and data
Customer – responsibility for security IN the cloud:
• Customer data management
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Networking traffic protection (encryption / integrity / identity)
• Operations compliance, control implementation & enforcement, monitoring
AWS – responsibility for security OF the cloud:
• Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
4. Governance as Code Key Concepts
The big rock ideas to remember from today
(1) Changing the Cloud Governance Model
(2) Implementing a Security by Design Deployment Model
(3) Continuous Compliance Using Dedicated Tooling
5. Problem Statement
How to be compliant in the cloud at scale
Increasing complexity (mobility, system connectivity, speed of innovation, threat vectors, etc.) causes increasing difficulty in managing risk and security and demonstrating compliance to control frameworks.
6. Current State of Technology Governance
The Department of Nervousness is responsible for their own piece of the pie
Policies, Standards, Procedures and Guidelines then get translated into IT speak… and become tactical IT implementations across multiple environments… you hope.
7. Opportunity: Modernize Technology Governance
Move from manual implementations to automation so you sleep well at night
Technology governance relies predominantly on administrative & operational security controls with LIMITED technology enforcement… and usually only at the RISK point.
(Diagram: RISK sits at the intersection of Assets, Threat and Vulnerability.)
The cloud has an opportunity to innovate and advance Technology Governance Services.
8. SbD – Modernize Technology Governance
Why change what we have been doing for years?
Complexity is growing… making the old way to govern technology obsolete.
Goal: adopt “Prevent” controls to make “Detect” controls more powerful.
You need automation to manage security in real time.
9. SbD – Modern IT Governance in the Cloud
New process for managing governance in the Cloud
• 1. Decide what to do (Strategy): 1.1 Identify Stakeholders; 1.2 Identify Your Workloads Moving to AWS
• 2. Analyze and Document (outside of AWS): 2.1 Rationalize Security Requirements; 2.2 Define Data Protections and Controls; 2.3 Document Security Architecture
• 3. Automate, Deploy & Monitor: 3.1 Build/deploy Security Architecture; 3.2 Automate Security Operations; 3.3 Continuous Monitor; 3.4 Testing and Game Days
• 4. Certify: 4.1 Audit and Certification
10. The Cloud Brings Flexibility and Complexity
Security standards must be enforced across multiple services
• Single VPC or multiple VPCs?
• How many AWS accounts?
• Public or private subnets?
• What type of encryption? Who will manage the keys?
• IAM groups or roles?
• Security groups or NACLs?
• What is the regulatory requirement?
• What's in-scope or out-of-scope?
• How to verify the standards are met?
• Can we use S3 for this?
• Which AWS database?
11. Security by Design – Overview
Security & Governance through automation
Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing.
Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process.
Services: Identity & Access Management, CloudTrail, CloudWatch, Config Rules, Trusted Advisor, Cloud HSM, Key Management Service, Directory Service
12. Security by Design – Key Design Factors
Develop new risk mitigation capabilities via rigid automation and optimized audit evidence
ü Build security in every layer by default
ü Design for failures… of services, of controls, of people
ü Implement auto-healing using reactive controls
ü Think parallel… look for what can be rather than for what is
ü Plan for Breach… and rehearse the breach scenarios
ü Don't fear constraints… they are your friend
ü Treat Infrastructure as code… Modular, Versioned, Constrained
13. SbD – Standard Security Baseline Example
AWS has partnered with CIS Benchmarks to create consensus-based best practices
• Technical control rules/values for hardening OS, middleware, applications, & network devices
• Used by thousands of enterprises as the basis for security configuration policies in the cloud
• Distributed free of charge by CIS in PDF format: https://cisecurity.org
• Available in AWS via Quick Start templates and deployment guides: AWS CIS Benchmark Quick Starts
14. SbD – Compliance Standard Benefits
Defined data protections and controls for global requirements
15. SbD – AWS CIS Benchmark Scope
Best practices for infrastructure & application deployments
Foundational Benchmark: CloudTrail, Config & Config Rules, Key Management Service, Identity & Access Management, CloudWatch, S3, SNS
Three-tier Web Architecture: EC2, Elastic Load Balancing, VPC, Direct Connect, Amazon EBS, Cloud HSM, Glacier, Route 53, VPN Gateway, CloudFront
16. SbD – Automate Security Operations
Automate deployments, provisioning, and configurations of the AWS customer environments
• CloudFormation: Design a Template, Package it as Stacks (Instances, Apps, Resources), Deploy
• Service Catalog: Products & Portfolios that Constrain what can be deployed
• Identity & Access Management: Set Permissions
17. Continuous Compliance in the Cloud
A new paradigm for cloud governance and control validation
Today’s Challenges
q Validating compliance to IT controls occurs once or twice a year
q This is usually done manually, and in time-consuming audits
q You hope you see controls people say are there… and will stay that way
The Revolution
ü In the cloud, we can prove controls exist in real time… across all accounts
ü We can test new environments at almost the push of a button
ü See real-time portals for any compliance regime, for any audience
18. Governance as Code Tools & Sources
AWS enables you to automate tasks for comprehensive governance
• AWS Trusted Advisor: Best practices (or checks) in five categories: cost optimization, security, fault tolerance, performance, and service limits.
• AWS Identity & Access Mgmt. (IAM): Securely control access to AWS services and resources for your users.
• Amazon Inspector: Automatically assesses applications for vulnerabilities or deviations from best practices.
• AWS Service Catalog & CloudFormation: AWS tools to manage approved services and environments across all accounts, Lines of Business, and user bases.
• Amazon Macie: Security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.
• AWS Shield Advanced: Managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS.
• AWS CloudTrail: A service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
• AWS Organizations: Policy-based controls & cost management for multiple AWS accounts.
• AWS Config & Config Rules: AWS resource inventory, configuration history, and configuration change notifications & preventive rules.
• Amazon GuardDuty: Uses machine learning for automated threat detection, allowing you to continuously monitor and protect AWS accounts and workloads.
• AWS Systems Manager: Fleet management service that helps you automatically collect software inventory, apply OS patches, create system images,
• AWS CloudWatch: Amazon CloudWatch gives you system-wide visibility into resource utilization, application performance, and operational health.
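The deck's "Prevent controls make Detect controls more powerful" idea (slide 8) and the Config Rules / CloudFormation tooling above come together when one control is written once as code and run at both points. The example below is added here and is not from the deck: it encodes the CIS AWS Foundations trail checks (multi-region, log file validation), gates a CloudFormation template before deployment, and produces the evaluation shape a custom AWS Config rule returns; the camelCase Config item field names are an assumption, the sample inputs are constructed.

```python
# Governance-as-code control for CloudTrail (the deck's prevent + detect pairing):
# one control, gated before deployment via a CloudFormation template check and
# verified continuously as a custom AWS Config rule evaluation. Added example, not
# from the deck; the camelCase Config item field names are an assumption.
COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"

def evaluate_trail(is_multi_region, log_validation):
    """Core control (CIS AWS Foundations trail checks): multi-region + file validation."""
    reasons = []
    if not is_multi_region:
        reasons.append("trail is not multi-region")
    if not log_validation:
        reasons.append("log file validation is disabled")
    return (NON_COMPLIANT if reasons else COMPLIANT, reasons)

def check_template(template):
    """Prevent: gate every AWS::CloudTrail::Trail in a template before deploy."""
    results = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::CloudTrail::Trail":
            props = res.get("Properties", {})  # real CloudFormation property names
            results[name] = evaluate_trail(props.get("IsMultiRegionTrail", False),
                                           props.get("EnableLogFileValidation", False))
    return results

def evaluate_config_item(item):
    """Detect: the evaluation a custom Config rule would hand to PutEvaluations."""
    evaluation = {"ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"]}
    if item["resourceType"] != "AWS::CloudTrail::Trail":
        evaluation["ComplianceType"] = "NOT_APPLICABLE"
        return evaluation
    cfg = item.get("configuration", {})  # assumed Config field names for a trail
    status, reasons = evaluate_trail(cfg.get("isMultiRegionTrail", False),
                                     cfg.get("logFileValidationEnabled", False))
    evaluation["ComplianceType"] = status
    evaluation["Annotation"] = "; ".join(reasons) or "trail meets the baseline"
    return evaluation

# Constructed sample inputs (not real account data).
SAMPLE_TEMPLATE = {"Resources": {
    "AuditTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "IsLogging": True, "IsMultiRegionTrail": True, "EnableLogFileValidation": True,
        "S3BucketName": "example-audit-logs"}},
    "LegacyTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "IsLogging": True, "S3BucketName": "example-legacy-logs"}}}}
SAMPLE_CONFIG_ITEM = {"resourceType": "AWS::CloudTrail::Trail", "resourceId": "LegacyTrail",
    "configuration": {"isMultiRegionTrail": False, "logFileValidationEnabled": True}}
```

Running `check_template(SAMPLE_TEMPLATE)` in a pipeline step blocks the non-compliant LegacyTrail before it exists, while `evaluate_config_item` applied to each recorded trail reports drift for trails that were changed after deployment.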
19. Continuous Compliance Tooling
One tool is critical for compliance team success
20. SbD – Key Principles
Modernizing technology governance through code
• Automate Deployments
• Automate Security Operations
• Continuous Compliance
• Automate Governance
21. Governance as Code Key Takeaways
The big rock ideas to remember from today
• Security by Design: Creates a control environment that cannot be overridden by the users who aren’t allowed to modify those functions. Consistent implementation, measurement & enforcement of operational controls.
• Modernize IT Governance: A modern cloud-based approach will deliver game-changing results, and change your audit practices.
• Continuous Compliance: Creates an ongoing measure of your cloud security & health across multiple dimensions & all your applications.
22. AWS Governance as Code Resources
Key resources to help you on your journey to a secure and compliant cloud
Ø Amazon Web Services Cloud Compliance: https://aws.amazon.com/compliance/
Ø SbD website and whitepaper – to wrap your head around this: https://aws.amazon.com/compliance/security-by-design/
Ø AWS Well-Architected Framework – Security Pillar: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf
Ø AWS Cloud Adoption Framework – Security Perspective: https://d1.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
23. Thank you!
John McDonald
Head of Risk & Compliance – Americas
AWS Global Financial Services
johnemcd@amazon.com