© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benjamin Andrew
Global Leader, Security & Network Infrastructure
AWS Marketplace – Amazon Web Services
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
Cloud DevSecOps Considerations Leveraging AWS Marketplace Software
Agenda
• Cloud native procurement, entitlement & deployment
• Why DevSecOps?
• DevSecOps Secure AMI Factory
• What we hear from customers
• Mapping security to compliance controls
• RansomWare? No More Ransom
Cloud native procurement, entitlement & deployment
AWS Marketplace
• 35 software categories
• 1,400+ ISVs
• 4,200+ product listings
• Deployed in 16 regions around the world
• Billed through AWS account
• 170,000 active customers
• 550M EC2 hours deployed per month
Why DevSecOps?
Business imperatives: competing forces
• Development: build it faster
• Operations: keep it stable
• Security: make it secure
DevOps loop (diagram): Build, Test, Distribute, Monitor, from Developers to Users
DevSecOps loop (diagram): Build, Test, Distribute, Monitor, from Developers to Users, with Security running alongside every stage
Customer Journey: Change Healthcare
Account and VPC growth (diagram): 2015: 2 accounts | 20 VPCs; 2016: 29 accounts | 62 VPCs; 2017: 35 accounts | 35 VPCs, organized into Production, Non-Prod, Shared Services, Security and Data Center.
CLOUD-FIRST
• The cloud is not just another data center with virtual machines
• Leverage managed services
• For every problem, ask: how do we best solve this in the cloud using current best practices?
• Let modern tools solve old hard problems
SECURITY BY DESIGN
• Secure every part all the time
• Apply the principle of least privilege
AUTOMATE EVERYTHING
• Build everything as Infrastructure as Code
• Do not log in to the console and make changes
• Never log in to a server
DevSecOps: Secure AMI Factory (Build, Test, Distribute, Monitor)
Build Phase
Process:
• Select Marketplace OS
• Protect instance integrity
• Tailor to your toolchain policy
• Harden to risk profile
• Follow industry regulations
• Next gen endpoint protection
• File integrity monitoring
Outcome:
• Secure AMI template
• Effective, reliable, stable
• Mitigated risk
Build Phase: solutions
Marketplace solutions:
• Anitian PCI (OS)
• Center for Internet Security (OS)
• CloudPassage Server Secure
• Chef Automate
• Puppet Enterprise
• Trend Micro Deep Security
AWS services:
• Amazon EC2
• Amazon EC2 SSM
• Amazon CloudWatch
• Amazon ECS, S3
Test Phase: Approve
Process:
• Configuration and vulnerability analysis
• Inspect scan reports
• Logging and monitoring
• Automated config management
Outcome:
• Baseline AMI is devoid of vulnerabilities
• Security requirements are met
Test Phase: Approve: solutions
Marketplace solutions:
• Alert Logic Cloud Defender
• Evident.io
• CloudPassage Server Secure
• Micro Focus Unified Functional Testing
• Splunk Cloud
• AlienVault USM
AWS services:
• Amazon Inspector
• Amazon EC2 SSM
Distribution Phase
Process:
• Generate CloudFormation
• Deploy and distribute using a Continuous Integration server
• Deploy across regions
• Deploy across accounts
• Control the distribution by policy to teams with Service Catalog
Outcome:
• AMI is deployed across all regions and accounts
• AWS Service Catalog portfolios are updated
Distribution Phase: solutions
Marketplace solutions:
• CloudPassage Server Secure
• Shippable
• Electric Cloud ElectricFlow
• MidVision RapidDeploy
• Splunk Cloud
• AlienVault USM
AWS services:
• AWS CodeCommit
• AWS CodePipeline
• AWS Service Catalog
Monitor Phase
Process:
• Regularly scan to ensure AMI doesn't contain CVEs
• Monitor, analyze and visualize data
• Behavioral monitoring
• Log management
Outcome:
• AMI is free of CVEs
• Continuous operational intelligence
Monitor Phase: solutions
Marketplace solutions:
• SumoLogic
• Dynatrace
• Elasticsearch
• New Relic
• CA Application Performance Management
• Trend Micro Deep Security
• Splunk Enterprise
• AlienVault USM
• AppDynamics
• CloudPassage Server Secure
AWS services:
• Amazon CloudWatch
• Amazon Inspector
• Amazon Macie
• Amazon GuardDuty
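The four phases above describe a pipeline but not the gate between them. The following is an added example, not code from the deck or from any vendor listed on it: a Test-phase approval gate that only passes an AMI with no findings above a policy ceiling and with the Build-phase hardening controls present, a Distribution-phase helper that emits a CloudFormation region mapping containing only approved AMIs, and the same gate reused for the Monitor-phase re-scan. All AMI ids, control names, rule ids and findings are constructed placeholders.

```python
"""Approval gate for the Secure AMI Factory (added example, not from the deck).
AMI ids, control names and findings below are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Hardening controls the Build phase must leave in place (names are assumptions).
REQUIRED_CONTROLS = {"endpoint-protection", "file-integrity-monitoring"}

@dataclass(frozen=True)
class Finding:
    ami_id: str
    kind: str        # "vulnerability" or "configuration"
    identifier: str  # CVE id or benchmark rule id (placeholders here)
    severity: str

@dataclass
class Decision:
    approved: bool
    blocking: List[str] = field(default_factory=list)

def evaluate_ami(ami_id: str, findings: Iterable[Finding], present_controls: Set[str],
                 ceiling: str = "Informational") -> Decision:
    """Test-phase gate: approve only if no finding for this AMI exceeds the severity
    ceiling (default Informational, i.e. no vulnerabilities at all) and every required
    control is present. The Monitor phase re-runs the same gate on each new scan."""
    limit = SEVERITY_RANK[ceiling]
    blocking = [f"{f.kind}:{f.identifier} ({f.severity})"
                for f in findings
                if f.ami_id == ami_id and SEVERITY_RANK[f.severity] > limit]
    blocking += [f"missing-control:{c}" for c in REQUIRED_CONTROLS - present_controls]
    return Decision(approved=not blocking, blocking=sorted(blocking))

def region_map(ami_by_region: Dict[str, str], decisions: Dict[str, Decision]) -> dict:
    """Distribution phase: emit a CloudFormation Mappings block that lists only
    approved AMIs, so a held AMI can never be referenced by the rolled-out template."""
    approved = {region: {"AMI": ami} for region, ami in ami_by_region.items()
                if decisions[ami].approved}
    return {"Mappings": {"RegionMap": approved}}

# Constructed sample scan output; CVE-0000-0001 is a placeholder, not a real CVE.
SAMPLE_FINDINGS = [
    Finding("ami-0000aaaa", "vulnerability", "CVE-0000-0001", "High"),
    Finding("ami-0000bbbb", "configuration", "BENCH-RULE-7", "Informational"),
]
```

Raising `ceiling` relaxes the gate for a lower risk profile; leaving the default keeps the "devoid of vulnerabilities" outcome the Test phase requires.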
Security & compliance is a shared responsibility
Customer: responsible for security IN the cloud
• Customer data
• Applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption/integrity/identity)
AWS: responsible for security OF the cloud
• Compute, storage, database, networking
• AWS global infrastructure: regions, availability zones, edge locations
AWS Security Competency Solutions
Categories:
• Network security
• Security intelligence
• Identity & access management
• Security orchestration
• Cloud workload security
• Data security
• Application security
Featured solutions:
• Easy, fast, and secure way to search, analyze, and visualize massive data streams
• Secures access through single sign-on, multi-factor authentication and privileged access security
• Protection of data, digital identities, payments, and transactions from the edge to the core
• Get hourly proactive protection for your AWS workloads with Trend Micro Deep Security
• Technology and managed security services to assess vulnerabilities and streamline compliance
• Extends all security and management capabilities of the world's most-trusted web application firewall to Amazon Web Services environments
• Quickly create a hybrid architecture that extends your existing data center into AWS via encrypted tunnels
• Collect, compress, and securely transfer all of your log data regardless of volume, type, or location
• OneLogin, the innovator in Identity and Access Management-as-a-Service (IDaaS)
• Offers encryption with integrated key management to secure machines and data throughout their lifecycle
• Automates AWS security groups and adds an extra layer of protection against hackers
• Complementing AWS services, enabling you to deploy a comprehensive security architecture and seamless experience across cloud and on-premises
• Delivers complete content and network protection by combining stateful inspection with a comprehensive suite of powerful security features
• Automates security for public cloud workloads, enabling agility, risk reduction, and cost savings, while easing DevOps & admin burdens
Other popular solutions:
• Fortinet
• Bitium, ClearLogin, Ping Identity
• CTERA
• Tenable, Qualys
• McAfee, CrowdStrike
• F5, Fortinet
• Check Point, Fortinet, Alert Logic
What we hear from our customers
Challenge: Software entitlement & deployment models
Customers want to: Rapidly innovate by buying and deploying software solutions on-demand
What we hear from our customers
Challenge: Out-of-date procurement mechanisms, with multiple places to procure software
Customers want to: Reduce cost while picking new standards
What we hear from our customers
Challenge: Compliance in hybrid and cloud computing
Customers want to: Understand what AWS services and seller listings provide for compliance
What we hear from our customers
Challenge: Complex agreement management and constant renewal and replacement
Customers want to: Simplify and streamline purchasing, license management, invoicing and upgrade on demand
Enterprise Contract for AWS Marketplace
9 commonly negotiated clauses
50+ participating companies
Standardized contract template
Decrease Time Spent Negotiating Contracts
Allgress Regulatory Product Mapping Tool
amzn.to/RPM
Allgress Regulatory Product Mapping
• Compliance controls mapped to AWS Marketplace products
• Select a product and quickly see all the controls it fulfills
• Select a control and see what AWS Marketplace products cover it
• Generate a report of selected products; link to AWS Marketplace listing page
• Free for customers
• Visit amzn.to/RPM
NoMoreRansom.org
#NoMoreRansom Stats
• Can decrypt 84 ransomware families with 52 decryption tools in 29 languages
• 120 partners (including founding members, Barracuda and AWS)
• 40 law enforcement agencies (LEA); new: Cypriot and Estonian police
• 80 non-LEA partners; new: KPN, Telenor, CPIC
• 1.6 million visitors from more than 180 countries
• More than 35,000 people have retrieved their files for free, preventing criminals from profiting from more than $12M USD
• CryptXXX, CrySIS and Dharma are the most detected infections.
• NoMoreRansom.org
Call to Action
More information:
• Learn more about how AWS Marketplace can help strengthen your security posture in the cloud: https://aws.amazon.com/mp/security-network/
• Reach out to the AWS Marketplace Customer Advisor team for more information about DevSecOps solutions available on Marketplace: [email protected]
Please complete the session survey in the summit mobile app.
Benjamin Andrew, [email protected]
linkedin.com/in/benandrew
Thank You!