© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Mark Ryland (markry@), Director of Solutions Architecture, WWPS

Alan Halachmi (halachmi@), Principal Solutions Architect, WWPS

October 2015

ISM206: Modern IT Governance Through Transparency and Automation

IT governance: high-level definition

• “The leadership, organizational structures, and processes to ensure that the organization's IT sustains and extends the organization's strategies and objectives.”

→ IT Governance Institute

Where does governance sit?

• Part of a larger complex of GRC(S): governance, risk management, compliance/security

• Compliance (policy) and security (implementation) are shared responsibilities on AWS

• Risk management (balancing of risks and benefits) is a strategic requirement and responsibility

• Governance: high-level category encompassing all required policies and practices that assure safe and sane usage of IT

• Governance is your responsibility, with help from AWS tools and capabilities

Key governance questions

• What do I have?

• How is it performing?

• Who is controlling it?

• What is it costing me?

• Is it secure and compliant?

• Are changes occurring with the right processes and protections?

AWS and governance

• AWS capabilities and services provide key building blocks for systems that answer these questions

• Better answers than were ever possible with traditional infrastructure

• Integration challenges remain, but don’t be constrained by on-prem systems when leveraging the cloud

What do I have?

• Describe* calls provide comprehensive lists of all resources (for example, aws ec2 describe-instances)

• AWS Config provides graph-based integration, time-based insights

• (Building a comprehensive, accurate configuration DB on-premises is practically impossible)

• AWS Config Rules to evaluate changes and respond

• Partner ecosystem adds more value, richer capabilities

• Theme: AWS provides data feeds, anyone can build tooling
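The Config Rules bullet above is the hook for exactly the kind of tooling the theme describes. The following is an added example, not code from the presentation or from AWS: a custom AWS Config rule handler that evaluates each delivered configuration item against a required-tags policy (tags being how the deck later ties authorization, administration and billing together). The tag policy, governed resource types and sample notification are constructed; the event shape, field names and compliance values are those AWS Config delivers to and expects from a custom rule.

```python
import json
# Assumed tagging policy (constructed for this example): governed resources must
# carry these tags so authorization, administration and billing can key on them.
REQUIRED_TAGS = "Owner,CostCenter,Environment"
GOVERNED_TYPES = {"AWS::EC2::Instance", "AWS::S3::Bucket", "AWS::RDS::DBInstance"}

def evaluate_compliance(configuration_item, rule_parameters):
    """Return an AWS Config compliance type for one configuration item."""
    if configuration_item["resourceType"] not in GOVERNED_TYPES:
        return "NOT_APPLICABLE"
    # Config also notifies about deletions; a deleted resource cannot be non-compliant.
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    required = rule_parameters.get("requiredTags", REQUIRED_TAGS).split(",")
    tags = configuration_item.get("tags") or {}
    # A tag that is present but empty does not satisfy the policy.
    missing = [k.strip() for k in required if not tags.get(k.strip())]
    return "COMPLIANT" if not missing else "NON_COMPLIANT"

def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config uses to invoke a custom rule.
    invokingEvent and ruleParameters arrive as JSON strings. The evaluation is
    returned instead of sent so this runs offline; a deployed rule would pass it
    to config:PutEvaluations along with event["resultToken"]."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_compliance(item, rule_parameters),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

# Constructed sample notification: a mission team's instance missing the CostCenter tag.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0example1234567890",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2015-10-01T12:00:00.000Z",
        "tags": {"Owner": "mission-team-a", "Environment": "dev"},
    }}),
    "ruleParameters": json.dumps({"requiredTags": REQUIRED_TAGS}),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))  # ComplianceType: NON_COMPLIANT
```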

How is it performing?

• Services emit metrics into Amazon CloudWatch

• Accessible through console, CLI, API

• Alerting and alarming on all metric data

• Amazon CloudWatch Logs integrates OS and app log data

• AWS Elasticsearch automates the pooling, querying, and visualization of CW Logs

• Rich integration of both CW and CWL with Simple Notification Service

• AWS Trusted Advisor (TA) for dashboard and alerts for under-utilization, security, availability issues

• Rich integration into third-party monitoring platforms from AWS partners

Who is controlling it?

• Powerful, fine-grained AWS Identity and Access Management (IAM) capabilities

• Authentication and authorization

• Reporting and analysis

• Rich integration to enterprise identity systems through SAML or directly into Active Directory

• Tagging for authorization, administration, billing

Cost transparency and control

• Everything billed by hour, gigabyte, etc.

• Billing data updated ~4x per day

• Programmatic access to all billing data linked to user-created resource tags

• Cost Explorer and other tooling

• CloudWatch tools/alarms for billing data

• AWS Marketplace helps with software license management challenges

Secure and compliant? … Are changes occurring with the right processes and protections?

• AWS infrastructure: yes

• See frequently updated third-party audits

• Customer usage: get to yes like never before

• Great tools and building blocks to build the right models, processes, and automation

Tools and building blocks

• Trusted Advisor displays obvious (possible) issues

• CloudWatch (Logs), VPC Flow Logs, Amazon S3 logs, Elastic Load Balancing logs

• AWS Elasticsearch Service for managed search, analysis, visualization

• AWS CloudTrail, Config, and Config Rules, Inspector

• VPC peering (including cross-account)

• Identity federation and cross-account role-based access

• AWS Service Catalog/AWS CloudFormation for repeatable processes

• GoldBase: pre-audited layers with automation framework for completely compliant environments (demo coming)

Customer’s horizontal shared responsibility

• Mission teams control their own infrastructure (VPCs, instances, Amazon Machine Images (AMIs), databases, S3 buckets, etc.)

• Central GRC/security team has audit and control rights over core infrastructure along with “shared security & compliance services”

• Best of both worlds: agility benefits of mission-driven “shadow IT,” governance/security benefits of central IT control

Concretely: Managed Services Organization (MSO)

• Central team providing shared services:

  • Account creation and AWS IAM provisioning/setup

  • Identity management, federation endpoints

  • Core networking security and IAM policies

  • Golden OS images (AMIs), associated IAM limits

• Central auditing services:

  • CloudTrail, Config, security log management

  • Incident response/forensics services

  • Cost alarm/review/auditing services

Demo: scenario

• Development team requires:

  • Direct access to AWS Management Console

  • On-demand provisioning of dev environments

  • Login credentials for running instances

  • Support for continuous integration and deployment

• Company requires:

  • Adherence to approved reference architectures

  • Auditability of activities within the account and instances

  • Visibility to resources used and network traffic flow

  • Control of the account, VPCs, and instances

Demo: automating governance

• Company creates a Managed Services Organization (MSO)

• Delivers the implementation piece of the governance puzzle

• Provides automated, self-service delivery of approved architectures

• Maintains centralized control of accounts, security oversight

• Leverages AWS GoldBase

Demonstration: target architecture

Demo [screen capture video]

Automate, automate, automate

• Programmable infrastructure changes everything!

• Service Catalog, AWS CloudFormation, APIs for everything at the infrastructure level

• For apps, AWS Elastic Beanstalk, AWS OpsWorks, AWS CodeDeploy, AWS CodePipeline

• Visibility and control via

• Manage everything (including security and compliance) using SDL from a source code repository

• Security and compliance baked into your continuous integration/continuous deployment pipeline

It’s happening!

• Not a pipe dream, but a growing reality at enterprises and agencies around the globe

• Even security-conscious government agencies like USA Dept of Homeland Security (Citizenship and Immigration Services)

• Mark Schwartz, CIO: https://youtu.be/QwHVlJtqhaI

• DevOps and CI/CD on the AWS cloud providing dev/ops CI/CD agility with baked-in governance and security benefits

Relevant upcoming sessions

• SEC314: AWS Config: Using Visibility to Improve Governance over Configuration Changes to Your Resources

• SEC318: AWS CloudTrail Deep Dive

• SEC403: Timely Security Alerts and Analytics: Diving into AWS CloudTrail Events by Using Apache Spark on Amazon EMR

• SEC321: AWS for the Enterprise—Implementing Policy, Governance, and Security for Enterprise Workloads

• SEC307: A Progressive Journey Through AWS IAM Federation Options: From Roles to SAML to Custom Identity Brokers

• SEC316: Harden Your Architecture with Security Incident Response Simulations (SIRS)

• DVO206L: Lessons from a CISO: How to Securely Scale Teams, Workloads, and Budgets

Thank you!

Mark Ryland (markry@)

Alan Halachmi (halachmi@)

Remember to complete your evaluations!