Implementing a DevSecOps Approach in Cloud
•Télécharger en tant que PPTX, PDF•
0 j'aime•833 vues
DevSecOps is the name of the game, but there isnt always a clear path to implementation and adoption. Between protecting against major attacks that arrive on a daily basis to maintaining compliance with strict regulations, leaving the boundaries of traditional IT can leave some security professionals quaking in their boots. Fear not, friends! There is a way to be secure and compliant in the cloud with the right approach. In this webinar, George Gerchow, VP of Security and Compliance at Sumo Logic, will do a deep dive into the steps it takes to successfully implement and maintain DevSecOps in your organization at scale. He will be discussing: · What it took to build a world-class data analytics service on AWS from the ground up · Technologies used to gain necessary operational and security visibility · Tips and tricks to maintain optimal levels of performance, integrity and availability of the data · How to best approach regulatory compliance in the cloud in pursuing certifications like PCI DSS, ISO 27001, CSA STAR, TRUSTe, SOC 2, Type 2, etc. · Challenges encountered in the journey and how they were addressed
Recommandé
Recommandé
Contenu connexe
En vedette
En vedette (6)
Plus de Sumo Logic
Plus de Sumo Logic (20)
Dernier
Dernier (20)
Implementing a DevSecOps Approach in Cloud
- 1. Sumo Logic Confidential Implementing and Maintaining a DevSecOps Approach in the Cloud Operational and Security Tips, Tricks and Best Practices Wednesday January 25 10am PST / 12 noon CST
- 2. Sumo Logic Confidential Today’s Presenters George Gerchow, VP Security & Compliance As Sumo Logic's Vice President of Security and Compliance, George Gerchow brings 18 years of information technology and systems management expertise to the application of IT processes and disciplines. His expertise impacts the security, compliance, and operational status of complex, heterogeneous, virtual and cloud computing environments. Mr. Gerchow's practical experience and insight from managing the infrastructures of some of the world's largest corporate and government institutions, make him a highly regarded speaker and invited panelist on topics including cloud secure architecture design, virtualization, configuration management, operational security and compliance. George was one of the original founders of the VMware Center for Policy and Compliance and he holds CISSP, ITIL, Cisco, and Microsoft Certifications. Mr. Gerchow is also an active Board Member for several technology start ups and the coauthor of Center for Internet Security Quick Start Cloud Infrastructure Benchmark v1.0.0 and is a Faculty Member for IANS Institute of Applied Network Security. Mark Bloom, Dir. Product Marketing, Security & Compliance Mark has over 15 years of sales, marketing and business development experience in a variety of financial service and high-technology markets. Past clients/employers have included Ford, Motorola, United Technologies, Cisco, Chrysler, SonicWall/Dell, Trend Micro and Compuware.
- 3. Sumo Logic Confidential DevSecOps in the Cloud
- 4. "Security must be more tightly integrated into the DevOps process to deliver a DevSecOps process that builds in security from the earliest stages of application design." Gartner Top 10 Strategic Technology Trends for 2016: Adaptive Security Architecture Gartner Top 10 Strategic Trend for 2016 http://www.gartner.com/document/3229017
- 6. Sumo Logic Confidential Security Challenges in Our Cloud Journey • Starts simple, get more complex • CSP offerings are growing • Filling in the CSP offerings with 3rd party solutions • Compliance, audit and more regulations are coming • Attacks on the Cloud are increasing
- 7. Sumo Logic Confidential Sumo Logic’s AWS Footprint
- 8. Sumo Logic Confidential 1,300+Customers in the cloud 100+ PBDataAnalyzed Daily 10M+Keys Under Management Sumo Logic at Scale in the Cloud SECURITY BAKED IN 10K+EC2 Instances
- 9. Sumo Logic Confidential Sumo Logic’s AWS Technology Stack
- 10. Sumo Logic Confidential The Sumo Logic Security Stack in AWS Cloud Shared responsibility Functional Areas: • Threat Intelligence • File Integrity Monitoring • IDS / IPS • End Point Protection • Security Analytics
- 11. Sumo Logic Confidential Drinking Your Own Champagne
- 12. Sumo Logic Confidential AWS Operational and Security Visibility
- 13. Sumo Logic Confidential Regulatory Compliance
- 14. Sumo Logic Confidential Sumo Logic: Fully Secure Protecting Customer Data with Best-in-Class Security • PCI/DSS 3.1 Service Provider Level 1 Certified • SOC 2 Type attestation • ISO 27001 certified • CSA Star certified • HIPAA-HITECH compliance • U.S. – EU Privacy Shield • AES 256-bit encryption at rest • TLS encryption in transit • FIPS 140-2 compliant Industry’s Most Secure Cloud-Native Analytics Service
- 15. Sumo Logic Confidential Sumo Logic PCI App for AWS CloudTrail Protecting Customer Data with Best-in-Class Security
- 16. Sumo Logic Confidential Security & Operational Excellence
- 17. Sumo Logic Confidential Security, Compliance & Operational Excellence PLATFORM SECURITY CONTINUOUS MONITORING COMPLIANCE END POINT PROTECTION
- 18. Sumo Logic Confidential Threat Landscape
- 19. Sumo Logic Confidential • Password Hygiene is still the #1 threat to security • People who should be the most responsible are not • Audit everything • BitCoin Miners The Cloud Attack that never goes away
- 20. Sumo Logic Confidential Bitcoin mining in AWS • Only 21 Million BitCoin Allowed to be Mined • International Non Regulated Currency • AWS GPU EC2 P2 Instances are perfect for mining Bitcoins • Use two-factor authentication. • Never hardcode your cloud computing credentials • Use Identity Access Management Seeking Free Compute Power! please put your AWS credentials into a config file and upload to GitHub “Don’t put your Amazon credentials into source code and then share that source code in a public place like GitHub!”
- 21. Sumo Logic Confidential • Recent DDoS attacks targeted Dynamic Network Services Inc., better known as Dyn • Dyn is one of many DNS providers to AWS • AWS has some services (Shield)in place to help, and we have 3rd party tools but… • Could AWS eat itself or be used to attack Azure in Mass? “Security may be critical, but “agility is the single biggest reason enterprise are moving to the cloud” The latest Akamai security report highlights a 138 percent YoY increase in total DDoS
- 23. Sumo Logic Confidential In Summary Simplicity & visibility = scale SecOps: Do more with less Visibility & compliance
- 24. Sumo Logic Confidential Sign up for a free trial of Sumo Logic at: https://www.sumologic.com/signup-free
Notes de l'éditeur
- Q1: DevSecOps seems like a buzz word that everyone is using these days. What does DevSecOps really mean?
- Q2: So SL is a cloud native service running in AWS – why did you decide to build your service in the cloud? Can you describe a bit about that journey, what was it likes, what obstacles did you face, how did you overcome them? what did you learn?
- Q3: So what is your current footprint like in AWS? -- after the question, move immediately to the next slide
- Q4: So What Tools and Technologies are you using in AWS? -- after the question, move immediately to the next slide
- Q5: So how are you leveraging Sumo to secure your own service? Can you share some of the tips, tricks and best practices you have gleaned over the years?
- Q6: You talked earlier about the technology stack you use. How does this stack help you with Compliance?
- Sumo provides the most secure cloud-based analytics service on the market Only Sumo has achieved this level of validation and certification We have done this because our business is collecting and storing our customers’ sensitive log data. If they don’t trust us, then we don’t have a business model. So we have made significant investment in security certifications and attestations. Not only do we encrypt data at rest and in transit, but we hold various attestations as you can see by this comprehensive list. We are the only service in the machine data analytics space that holds the PCI DSS 3.1 certification and are helping our customers like Twitter and AirBnB simplify the process for demonstrating compliance with PCI…. particulary around Req. 10 Organizations are making different decisions based on the trust level they have with their partners, and we take this very seriously investing significant resources to achieve and maintain on an ongoing basis, these competitive differentiators Too many people try to live vicariously through the certifications AWS has and pass this on as adequate
- Q7: Can you talk about the operational and security best practices that SL employs to maintain a scalable, highly secure, always on service? As well as the DevSecOps methodologies that are followed? A: it all starts with embedding security directly into engineering Checks and balances Process dev QA prod All changes to production follow a well documented change management process. Traditional processes never seemed like a suitable way to implement change management at Sumo Logic. Even a Change Management Board (CMB) that meets daily is much too slow for our environment, where changes are implemented every day, at any time of the day. In this blog, I’ll describe our current solution, which we have iterated towards over the past several years. The goals for a our change management process are that: Anybody can propose a change to the production system, at anytime, and anybody can follow what changes are being proposed. A well-known set of reviewers can quickly and efficiently review changes and decide on whether to implement them. Any change to production needs to leave an audit trail to meet compliance requirements. Workflow and Audit Trail We used Atlassian JIRA to model the workflow for any System Change Request (SCR). Not only is JIRA a good tool for workflows, but we also use it for most of our other bug and project tracking, making it trivial to link to relevant bugs or issues. Here’s what the current workflow for a system change request looks like: -- after the question, move immediately to the next slide
- Q8: There are a lot of threat actors out there, from Cyber Criminals, Corporate Spies, Hacktivists and Nation States. My question is: How do you see the threat landscape changing wrt the cloud. Is the risk greater given the massive scale of the attack surface? If someone hacked into an account, could they cause more damage by pointing their attack at Amazon, from within the service, possibly affecting millions of customers?
- Mirai (Japanese for "the future") is malware that turns computer systems running Linux into remotely controlled "bots", that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers
- Q9: So when you look out toward the future, wrt the DevSecOps movement, the phenomenal growth of cloud providers like AWS and Azure, Machine learning and Artificial Intelligence, the rise of security as code, …. What are your thoughts, where do you see things going, and how should companies respond?
- AWS and Sumo Logic and other tools provide us with an opportunity for all teams to use the same tool. We are able to scale due to the simplicity of the Sumo Logic product and the visibility that it provides. Our Security Operations team works more effectively with the Operations allowing us to do more with less. All this while providing visibility into the on-going operations and verifying compliance as needed.