Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers

Benjamin Andrew
Global Leader, Security & Network Infrastructure
AWS Marketplace – Amazon Web Services

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.



Agenda

Cloud DevSecOps Considerations Leveraging AWS Marketplace Software

• Cloud native procurement, entitlement & deployment
• Why DevSecOps?
• DevSecOps Secure AMI Factory
• What we hear from customers
• Mapping security to compliance controls
• RansomWare? No More Ransom


AWS Marketplace

Cloud native procurement, entitlement & deployment

• 35 software categories
• 1,400+ ISVs
• 4,200+ product listings
• Deployed in 16 regions around the world
• Billed through AWS account
• 170,000 active customers
• 550M EC2 hours deployed per month


Why DevSecOps?

Business imperatives, competing forces:

• Development: Build it faster
• Operations: Keep it stable
• Security: Make it secure

[Diagram: DevOps. Build, Test, Distribute, Monitor; Developers, Users]

[Diagram: DevSecOps. Build, Test, Distribute, Monitor; Developers, Users; Security]


Customer Journey: Change Healthcare

[Figure: timeline. 2015: 2 Accounts | 20 VPCs; 2016: 29 Accounts | 62 VPCs; 2017: 35 Accounts | 35 VPCs. Diagram labels: Production, Non-Prod, Shared Services, Security, Data Center]

CLOUD-FIRST
• The cloud is not just another data center with virtual machines
• Leverage managed services
• For every problem, ask: how do we best solve this in the cloud using current best practices?
• Let modern tools solve old hard problems

SECURITY BY DESIGN
• Secure every part all the time
• Apply the principle of Least Privilege

AUTOMATE EVERYTHING
• Build everything as Infrastructure as Code
• Do not log in to the console and make changes
• Never log in to a server


DevSecOps: Secure AMI Factory

Phases: Build, Test, Distribute, Monitor

Build Phase

Process
• Select Marketplace OS
• Protect instance integrity
• Tailor to your toolchain policy
• Harden to risk profile
• Follow industry regulations
• Next gen endpoint protection
• File integrity monitoring

Outcome
• Secure AMI template
• Effective, Reliable, Stable
• Mitigated risk


DevSecOps: Secure AMI Factory

Build Phase

• Anitian PCI (OS)
• Center for Internet Security (OS)
• Cloud Passage Server Secure
• Chef Automate
• Puppet Enterprise
• Trend Micro Deep Security

• Amazon EC2
• Amazon EC2 SSM
• Amazon CloudWatch
• Amazon ECS, S3


DevSecOps: Secure AMI Factory

Test Phase: Approve

Process
• Configuration and vulnerability analysis
• Inspect scan reports
• Logging and monitoring
• Automated config management

Outcome
• Baseline AMI is devoid of vulnerabilities
• Security requirements are met


DevSecOps: Secure AMI Factory

Test Phase: Approve

• Alert Logic Cloud Defender
• Evident.io
• CloudPassage Server Secure
• Microfocus Unified Functional Testing
• Splunk Cloud
• AlienVault USM

• Amazon Inspector
• Amazon EC2 SSM


DevSecOps: Secure AMI Factory

Distribution Phase

Process
• Generate CloudFormation
• Deploy and distribute using a Continuous Integration server
• Deploy across regions
• Deploy across accounts
• Control the distribution by policy to teams with Service Catalog

Outcome
• AMI is deployed across all regions and accounts
• AWS Service Catalog portfolios are updated


DevSecOps: Secure AMI Factory

Distribution Phase

• CloudPassage Server Secure
• Shippable
• Electric Cloud ElectricFlow
• Midvision RapidDeploy
• Splunk Cloud
• AlienVault USM

• AWS CodeCommit
• AWS CodePipeline
• AWS Service Catalog


DevSecOps: Secure AMI Factory

Monitor Phase

Process
• Regularly scan to ensure AMI doesn’t contain CVEs
• Monitor, analyze and visualize data
• Behavioral monitoring
• Log Management

Outcome
• AMI is free of CVEs
• Continuous operational intelligence


DevSecOps: Secure AMI Factory

Monitor Phase

• SumoLogic
• Dynatrace
• Elasticsearch
• New Relic
• CA Application Performance Management
• Trend Micro Deep Security
• Splunk Enterprise
• AlienVault USM
• AppDynamics
• CloudPassage Server Secure

• Amazon CloudWatch
• Amazon Inspector
• Amazon Macie
• Amazon GuardDuty


Security & compliance is a shared responsibility

Customer: Responsible for Security IN the Cloud
• Customer data
• Applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption/integrity/identity)

AWS: Responsible for Security OF the Cloud
• Compute, Storage, Database, Networking
• AWS global infrastructure: Regions, Edge locations, Availability zones


AWS Security Competency Solutions

• Network security
• Security intelligence
• Identity & access management
• Security orchestration
• Cloud workload security
• Data security
• Application security

Easy, fast, and secure way to search, analyze, and visualize massive data streams

Secures access through single sign-on, multi-factor authentication and privileged access security

Protection of data, digital identities, payments, and transactions from the edge to the core

Get hourly proactive protection for your AWS workloads with Trend Micro Deep Security

Technology and managed security services to assess vulnerabilities and streamline compliance

Extends all security and management capabilities of the world's most-trusted web application firewall to Amazon Web Services environments

Quickly create a hybrid architecture that extends your existing data center into AWS via encrypted tunnels

Collect, compress, and securely transfer all of your log data regardless of volume, type, or location

OneLogin, the innovator in Identity and Access Management-as-a-Service (IDaaS)

Offers encryption with integrated key management to secure machines and data throughout their lifecycle

Automates AWS security groups and adds an extra layer of protection against hackers

Complementing AWS services, enabling you to deploy a comprehensive security architecture and seamless experience across cloud and on-premises

Other popular solutions: Fortinet

Other popular solutions: Bitium, ClearLogin, Ping Identity

Other popular solutions: CTERA

Other popular solutions: Tenable, Qualys

Other popular solutions: McAfee, CrowdStrike

Other popular solutions: F5, Fortinet

Other popular solutions: Check Point, Fortinet, Alert Logic

Delivers complete content and network protection by combining stateful inspection with a comprehensive suite of powerful security features

Automates security for public cloud workloads, enabling agility, risk reduction, and cost savings, while easing DevOps & admin burdens


What we hear from our customers

Challenge: Software entitlement & deployment models

Customers want to: Rapidly innovate by buying and deploying software solutions on-demand


What we hear from our customers

Challenge: Out-of-date procurement mechanisms, with multiple places to procure software

Customers want to: Reduce cost while picking new standards


What we hear from our customers

Challenge: Compliance in hybrid and cloud computing

Customers want to: Understand what AWS Services and Seller listings provide compliance


What we hear from our customers

Challenge: Complex agreement management and constant renewal and replacement

Customers want to: Simplify and streamline purchasing, license management, invoicing and upgrade on demand


Enterprise Contract for AWS Marketplace

9 commonly negotiated clauses

50+ participating companies

Standardized contract template

Decrease Time Spent Negotiating Contracts


Allgress Regulatory Product Mapping Tool

amzn.to/RPM


Allgress Regulatory Product Mapping

• Compliance controls mapped to AWS Marketplace products
• Select a product and quickly see all the controls it fulfills
• Select a control and see what AWS Marketplace products cover it
• Generate a report of selected products; link to AWS Marketplace listing page
• Free for customers
• Visit amzn.to/RPM


NoMoreRansom.org


#NoMoreRansom Stats


• Can decrypt 84 ransomware families with 52 decryption tools in 29 languages

• 120 partners: (including founding members, Barracuda and AWS)

• 40 LEA: New: Cypriot & Estonian police

• 80 non-LEA: New: KPN; Telenor; CPIC

• 1.6 million visitors from more than 180 countries

• More than 35,000 people have retrieved their files for free, preventing criminals from profiting from more than $12M USD

• CryptXXX, CrySIS and Dharma are the most detected infections.

• NoMoreRansom.org


Call to Action

More information

• Learn more about how AWS Marketplace can help strengthen your Security Posture in the Cloud: https://aws.amazon.com/mp/security-network/

• Reach out to the AWS Marketplace Customer Advisor team for more information about DevSecOps solutions available on Marketplace: [email protected]


Thank You!

Benjamin Andrew
[email protected]
linkedin.com/in/benandrew