Splitting the Check on Compliance and Security


Slide 0

Splitting the Check on Compliance and Security
Jason Chan
Engineering Director – Cloud Security
@chanjbs

Slide 1

2015 for Developers

Slide 2

2015 for Auditors and Security Teams

Slide 3

The Problem

Slide 4

Incentives and Perspectives

Developers:
- Incentives: speed, features
- Want: freedom to innovate, new technology

Auditors:
- Incentives: compliance with regulatory obligations, verifiable processes
- Want: well-known technology, predictability and stability

Slide 5

The Resolution

Slide 6

“You build it, you run it.” -Werner Vogels, Amazon CTO (June 2006)

Slide 7

Who Cares About These Answers?
- When did that code change?
- Who made the change?
- Who logged in to that host? What did they do?
- Who pushed that code?
- When was this dependency introduced?
- Was that build tested before deployment? What were the test results?

Slide 8

Developers and Auditors: Before / After

Slide 9

How Do We Get There?

Slide 10

Two Approaches to Compliance

Slide 11

Pillars for Effective, Efficient, and Flexible Compliance

Slide 12

The Pillars
- Traceability in development
- Continuous security visibility
- Compartmentalization

Slide 13

Discussion Format

Slide 14

Traceability in Development

Slide 15

Common Audit Requirements for Software Development
- Review changes.
- Track changes.
- Test changes.
- Deploy only approved code.
- For all actions: Who did it? When?

Slide 16

Spinnaker for Continuous Deployment
- Customizable development pipelines (workflows), based on team requirements
- Single interface to the entire deployment process
- Answers who, what, when, and why, for developers and auditors

Slide 17

Spinnaker: Compliance-Relevant Features
- Integrated access to development artifacts: pull requests, test results, build artifacts, etc.
- Push authorization
- Restricted deployment windows (time, region)
- Deployment notifications

Slide 18

Spinnaker: App-Centric View & Multistage Pipeline

Slide 19

Automated Canary Analysis

Slide 20

Manual Approval (Optional)

Slide 21

Restricted Deployment Window (Optional)

Slide 22

Restricted Deployment Window (Optional)

Slide 23

Deployment Notification (Optional)

Slide 24

Spinnaker vs. Manual Deployments
- Deployment is independent of languages and other underlying technology: Java, Python, Linux, Windows…
- Multiple stages of automated testing: integration, security, functional, production canary.
- Fully traceable pipeline: changes and change drivers are fully visible; all artifacts and test results available.
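An added example, not from the talk and not Spinnaker's own code, of the gate the Spinnaker slides describe: a pipeline record that already carries who, what, when and why is checked against the audit requirements (independent review, required test stages, push authorization, restricted deployment window by region and time). The names, region and window hours are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class ChangeRecord:
    # What a deployment pipeline records for one push (sample values below are constructed).
    commit: str
    author: str
    reviewers: list
    pusher: str
    tests: dict          # stage name -> passed?
    region: str
    deploy_time: datetime
    reason: str

@dataclass
class Policy:
    authorized_pushers: set
    required_tests: set
    windows: dict        # region -> (start_hour, end_hour) UTC; allowed when start <= hour < end

def gate(rec: ChangeRecord, pol: Policy) -> list:
    """Return audit findings for a push; an empty list means it may proceed."""
    findings = []
    # Review changes: at least one reviewer who is not the author.
    if not [r for r in rec.reviewers if r != rec.author]:
        findings.append("no independent review")
    # Deploy only approved code: the pusher must hold push authorization.
    if rec.pusher not in pol.authorized_pushers:
        findings.append(f"pusher {rec.pusher} not authorized")
    # Test changes: every required stage must have run and passed.
    for stage in sorted(pol.required_tests):
        if not rec.tests.get(stage, False):
            findings.append(f"test stage '{stage}' missing or failed")
    # Restricted deployment window, by region and UTC hour.
    window = pol.windows.get(rec.region)
    if window is not None and not window[0] <= rec.deploy_time.astimezone(timezone.utc).hour < window[1]:
        findings.append(f"outside deployment window for {rec.region}")
    return findings

def audit_answers(rec: ChangeRecord) -> dict:
    """The who / what / when / why an auditor asks for, read from the same record."""
    return {"who": rec.pusher, "what": rec.commit, "when": rec.deploy_time.isoformat(), "why": rec.reason}

POLICY = Policy({"alice", "bob"}, {"integration", "security", "canary"}, {"us-east-1": (14, 22)})
GOOD = ChangeRecord("a1b2c3d", "alice", ["bob"], "alice", {"integration": True, "security": True, "canary": True},
                    "us-east-1", datetime(2015, 6, 1, 15, tzinfo=timezone.utc), "scheduled release")
BAD = ChangeRecord("d4e5f6a", "carol", ["carol"], "carol", {"integration": True},
                   "us-east-1", datetime(2015, 6, 1, 2, tzinfo=timezone.utc), "hotfix")
```

Running gate(BAD, POLICY) returns five findings (self-review, unauthorized pusher, two missing test stages, outside the window), while gate(GOOD, POLICY) returns an empty list and audit_answers(GOOD) supplies the who/what/when/why.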

Slide 25

Control Mapping

Slide 26

Continuous Security Visibility

Slide 27

Issues with Application Security Risk Management
- Spreadsheets and surveys!
- Human driven.
- Presuppose managed intake.
- One-time vs. continuous.

Slide 28

Slide 29

Penguin Shortbread – Automated Risk Analysis for Microservice Architectures
- Analyze microservice connectivity.
- Passively monitor app and cloud configuration.
- Develop risk scoring based on observations.

Slide 30

Application Risk Metric

Slide 31

Application Risk Rollup

Slide 32

Control Mapping

Slide 33


Slide 34

Compartmentalization
- Resilience: limit blast radius
- Confidentiality: need to know

Slide 35

Monolithic Card Processing in the Data Center

Slide 36

Microservices and Tokenization in AWS

Slide 37

Control Mapping

Slide 38

Wrapping Up!
- Limit investments in approaches that meet narrow regulatory needs.
- Embrace core security design and operational principles.
- Focus on tools and techniques that serve multiple audiences.

Slide 39

@chanjbs - chan@netflix.com