Splitting the Check on Compliance and Security

Slide 0

Splitting the Check on Compliance and Security
Jason Chan
Engineering Director – Cloud Security
@chanjbs


Slide 1

2015 for Developers


Slide 2

2015 for Auditors and Security Teams


Slide 3

The Problem


Slide 4

Incentives and Perspectives

Developers:
- Incentives: speed, features
- Want: freedom to innovate, new technology

Auditors:
- Incentives: compliance with regulatory obligations, verifiable processes
- Want: well-known technology, predictability and stability


Slide 5

The Resolution


Slide 6

“You build it, you run it.” -Werner Vogels, Amazon CTO (June 2006)


Slide 7

Who Cares About These Answers?
- When did that code change?
- Who made the change?
- Who logged in to that host? What did they do?
- Who pushed that code?
- When was this dependency introduced?
- Was that build tested before deployment? What were the test results?


Slide 8

Developers and Auditors: Before and After


Slide 9

How Do We Get There?


Slide 10

Two Approaches to Compliance


Slide 11

Pillars for Effective, Efficient, and Flexible Compliance


Slide 12

The Pillars
- Traceability in development
- Continuous security visibility
- Compartmentalization


Slide 13

Discussion Format


Slide 14

Traceability in Development


Slide 15

Common Audit Requirements for Software Development
- Review changes.
- Track changes.
- Test changes.
- Deploy only approved code.
- For all actions: who did it? When?


Slide 16

Spinnaker for Continuous Deployment
- Customizable development pipelines (workflows), based on team requirements
- Single interface to the entire deployment process
- Answers who, what, when, and why, for developers and auditors


Slide 17

Spinnaker: Compliance-Relevant Features
- Integrated access to development artifacts: pull requests, test results, build artifacts, etc.
- Push authorization
- Restricted deployment windows (time, region)
- Deployment notifications


Slide 18

Spinnaker: App-Centric View & Multistage Pipeline


Slide 19

Automated Canary Analysis


Slide 20

Manual Approval (Optional)


Slide 21

Restricted Deployment Window (Optional)


Slide 22

Restricted Deployment Window (Optional)


Slide 23

Deployment Notification (Optional)


Slide 24

Spinnaker vs. Manual Deployments
- Deployment is independent of languages and other underlying technology (Java, Python, Linux, Windows…).
- Multiple stages of automated testing: integration, security, functional, production canary.
- Fully traceable pipeline: changes and change drivers are fully visible; all artifacts and test results are available.
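As an added illustration of the controls slides 17 and 24 list (push authorization, restricted deployment windows, and a who/what/when/why trail), here is a small pipeline gate. This is example code written for this page, not Spinnaker's own implementation or anything from the deck; the application names, users, window policy, artifact identifiers and record layout are all constructed assumptions.

```python
"""Example deployment gate (not Spinnaker's code): enforce push authorization
and a restricted deployment window, and emit one audit record per decision
that answers who, what, when and why. All names and data are constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timezone
import json


@dataclass(frozen=True)
class DeployWindow:
    """Hypothetical policy shape: allowed regions, a UTC time range and weekdays."""
    regions: frozenset
    start: time
    end: time
    weekdays: frozenset  # Monday = 0 ... Sunday = 6

    def allows(self, when: datetime, region: str) -> bool:
        # Normalize to UTC so a window means the same thing from every region.
        when = when.astimezone(timezone.utc)
        if region not in self.regions or when.weekday() not in self.weekdays:
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        # Window wraps past midnight, e.g. 22:00-04:00.
        return t >= self.start or t < self.end


@dataclass(frozen=True)
class DeployRequest:
    requester: str
    application: str
    artifact: str        # build artifact identifier (constructed value)
    region: str
    reason: str          # the "why": change ticket or pull request reference
    requested_at: datetime


# Constructed policy tables; a real system would load these from configuration.
AUTHORIZED_PUSHERS = {"payments-api": {"alice", "bob"}}
WINDOWS = {
    "payments-api": DeployWindow(
        regions=frozenset({"us-east-1", "us-west-2"}),
        start=time(14, 0),
        end=time(22, 0),
        weekdays=frozenset({0, 1, 2, 3}),  # Monday through Thursday
    )
}


def evaluate(req: DeployRequest):
    """Return (allowed, audit_record). The record is produced for denials too,
    so the trail shows attempts as well as successful pushes."""
    denial_reasons = []
    if req.requester not in AUTHORIZED_PUSHERS.get(req.application, set()):
        denial_reasons.append("requester not authorized to push this application")
    window = WINDOWS.get(req.application)
    if window is None:
        denial_reasons.append("no deployment window defined for application")
    elif not window.allows(req.requested_at, req.region):
        denial_reasons.append("outside restricted deployment window")
    allowed = not denial_reasons
    record = {
        "who": req.requester,
        "what": {"application": req.application,
                 "artifact": req.artifact,
                 "region": req.region},
        "when": req.requested_at.astimezone(timezone.utc).isoformat(),
        "why": req.reason,
        "decision": "allowed" if allowed else "denied",
        "denial_reasons": denial_reasons,
    }
    return allowed, record


def audit_line(record: dict) -> str:
    # One JSON object per line, so developers and auditors can query the same log.
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    req = DeployRequest("alice", "payments-api", "sha256:constructed-digest",
                        "us-east-1", "PR-123",
                        datetime(2015, 6, 9, 15, 0, tzinfo=timezone.utc))
    ok, rec = evaluate(req)
    print(ok)
    print(audit_line(rec))
```

The gate fails closed: an application with no window defined is denied rather than silently allowed, and the denial reasons are kept in the record so an auditor can see why a push did not happen without asking the developer.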


Slide 25

Control Mapping


Slide 26

Continuous Security Visibility


Slide 27

Issues with Application Security Risk Management
- Spreadsheets and surveys!
- Human driven.
- Presuppose managed intake.
- One-time vs. continuous.


Slide 28


Slide 29

Penguin Shortbread – Automated Risk Analysis for Microservice Architectures
- Analyze microservice connectivity.
- Passively monitor app and cloud configuration.
- Develop risk scoring based on observations.


Slide 30

Application Risk Metric


Slide 31

Application Risk Rollup


Slide 32

Control Mapping


Slide 33

Compartmentalization


Slide 34

Compartmentalization
- Resilience: limit blast radius
- Confidentiality: need to know


Slide 35

Monolithic Card Processing in the Data Center


Slide 36

Microservices and Tokenization in AWS


Slide 37

Control Mapping


Slide 38

Wrapping Up!
- Limit investments in approaches that meet narrow regulatory needs.
- Embrace core security design and operational principles.
- Focus on tools and techniques that serve multiple audiences.


Slide 39

@chanjbs - [email protected]
