Splitting the Check on Compliance and Security

Slide 0

Splitting the Check on Compliance and Security Jason Chan Engineering Director – Cloud Security @chanjbs

Slide 1

2015 for Developers

Slide 2

2015 for Auditors and Security Teams

Slide 3

The Problem

Slide 4

Incentives and Perspectives
Developers:
- Incentives: speed, features
- Want: freedom to innovate, new technology
Auditors:
- Incentives: compliance with regulatory obligations, verifiable processes
- Want: well-known technology, predictability and stability

Slide 5

The Resolution

Slide 6

“You build it, you run it.” – Werner Vogels, Amazon CTO (June 2006)

Slide 7

Who Cares About These Answers?
- When did that code change?
- Who made the change?
- Who logged in to that host? What did they do?
- Who pushed that code?
- When was this dependency introduced?
- Was that build tested before deployment? What were the test results?

Slide 8

Developers and Auditors: Before and After

Slide 9

How Do We Get There?

Slide 10

Two Approaches to Compliance

Slide 11

Pillars for Effective, Efficient, and Flexible Compliance

Slide 12

The Pillars
- Traceability in development
- Continuous security visibility
- Compartmentalization

Slide 13

Discussion Format

Slide 14

Traceability in Development

Slide 15

Common Audit Requirements for Software Development
- Review changes.
- Track changes.
- Test changes.
- Deploy only approved code.
- For all actions: Who did it? When?

Slide 16

Spinnaker for Continuous Deployment
- Customizable development pipelines (workflows), based on team requirements
- Single interface to the entire deployment process
- Answers who, what, when, and why, for developers and auditors

Slide 17

Spinnaker: Compliance-Relevant Features
- Integrated access to development artifacts: pull requests, test results, build artifacts, etc.
- Push authorization
- Restricted deployment windows (time, region)
- Deployment notifications
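The slide lists push authorization, restricted deployment windows and deployment notifications as the features an auditor cares about. The following is an added example, not Spinnaker's own code, of how such a deployment gate can be expressed so that every decision also yields the who / what / when / why record the earlier slides ask for. The policy, app name, pushers, artifact ids and PR numbers are constructed placeholders.

```python
"""Added example (not Spinnaker's code): a minimal deployment gate that applies
push authorization and a per-region deployment window, then emits a traceability
record (who, what, when, why) and a notification line for every decision."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class DeployWindow:
    """Hours are UTC, start inclusive / end exclusive; weekdays use Monday=0."""
    start_hour: int
    end_hour: int
    weekdays: FrozenSet[int]

    def is_open(self, at: datetime) -> bool:
        at = at.astimezone(timezone.utc)
        return at.weekday() in self.weekdays and self.start_hour <= at.hour < self.end_hour


@dataclass(frozen=True)
class DeployPolicy:
    app: str
    authorized_pushers: FrozenSet[str]
    windows: Dict[str, DeployWindow]  # keyed by region


@dataclass(frozen=True)
class DeployRequest:
    app: str
    who: str         # who pushed
    artifact: str    # what: build or image identifier
    change: str      # why: pull request / ticket that drove the change
    region: str
    when: datetime   # timezone-aware


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]
    record: Dict[str, str]


def evaluate(policy: DeployPolicy, req: DeployRequest) -> Decision:
    """Apply push authorization and the regional window; always produce a record."""
    reasons: List[str] = []
    if req.app != policy.app:
        reasons.append(f"policy for {policy.app} does not cover app {req.app}")
    if req.who not in policy.authorized_pushers:
        reasons.append(f"{req.who} is not authorized to push {policy.app}")
    window = policy.windows.get(req.region)
    if window is None:
        reasons.append(f"no deployment window defined for region {req.region}")
    elif not window.is_open(req.when):
        reasons.append(f"{req.when.isoformat()} is outside the {req.region} deployment window")
    record = {
        "who": req.who,
        "what": req.artifact,
        "when": req.when.astimezone(timezone.utc).isoformat(),
        "why": req.change,
        "app": req.app,
        "region": req.region,
        "result": "denied" if reasons else "allowed",
    }
    return Decision(allowed=not reasons, reasons=reasons, record=record)


def notification(decision: Decision) -> str:
    """One-line deployment notification built from the traceability record."""
    r = decision.record
    line = (f"[deploy {r['result']}] {r['app']} {r['what']} -> {r['region']} "
            f"by {r['who']} at {r['when']} ({r['why']})")
    if decision.reasons:
        line += "; " + "; ".join(decision.reasons)
    return line


# Constructed sample policy and requests (hypothetical names and ids).
POLICY = DeployPolicy(
    app="billing",
    authorized_pushers=frozenset({"alice", "bob"}),
    windows={"us-east-1": DeployWindow(14, 20, frozenset({0, 1, 2, 3}))},  # Mon-Thu, 14:00-20:00 UTC
)
OK_REQUEST = DeployRequest("billing", "alice", "billing-build-412", "PR-1234", "us-east-1",
                           datetime(2024, 3, 5, 15, 30, tzinfo=timezone.utc))   # a Tuesday, in window
DENIED_REQUEST = DeployRequest("billing", "carol", "billing-build-413", "PR-1235", "us-east-1",
                               datetime(2024, 3, 9, 16, 0, tzinfo=timezone.utc))  # a Saturday, unauthorized

if __name__ == "__main__":
    for req in (OK_REQUEST, DENIED_REQUEST):
        print(notification(evaluate(POLICY, req)))
```

The point of returning a record on denied requests as well as allowed ones is that the audit question "who tried to push what, and when" is answered by the same artifact the developer sees in their notification, rather than by a separate compliance log.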

Slide 18

Spinnaker: App-Centric View & Multistage Pipeline

Slide 19

Automated Canary Analysis

Slide 20

Manual Approval (Optional)

Slide 21

Restricted Deployment Window (Optional)

Slide 22

Restricted Deployment Window (Optional)

Slide 23

Deployment Notification (Optional)

Slide 24

Spinnaker vs. Manual Deployments
- Deployment is independent of languages and other underlying technology (Java, Python, Linux, Windows…).
- Multiple stages of automated testing: integration, security, functional, production canary.
- Fully traceable pipeline: changes and change drivers are fully visible; all artifacts and test results are available.

Slide 25

Control Mapping

Slide 26

Continuous Security Visibility

Slide 27

Issues with Application Security Risk Management
- Spreadsheets and surveys!
- Human driven.
- Presuppose managed intake.
- One-time vs. continuous.

Slide 28

Slide 29

Penguin Shortbread – Automated Risk Analysis for Microservice Architectures
- Analyze microservice connectivity.
- Passively monitor app and cloud configuration.
- Develop risk scoring based on observations.

Slide 30

Application Risk Metric

Slide 31

Application Risk Rollup
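Slides 29 to 31 describe the idea behind Penguin Shortbread: observe the call graph and configuration passively, turn the observations into a per-application risk metric, and roll the metric up to the teams that own the applications. The block below is an added illustration of that shape, not Penguin Shortbread's actual model or data. The service names, call edges, configuration settings, finding weights and ownership map are all constructed, and the exposure factor (fewer hops from an internet-facing service means a higher multiplier) and the sensitivity doubling are assumptions chosen to show how connectivity changes a score that configuration alone would not.

```python
"""Added example (not Penguin Shortbread's model): score each microservice from
passively observed connectivity and configuration, then roll up by owning team."""
from collections import deque
from typing import Dict, Iterable, List, Optional, Tuple

# --- Constructed observations (illustrative, not real data) ---
EDGES = [  # observed calls: (caller, callee)
    ("edge-gateway", "checkout"),
    ("checkout", "payments"),
    ("checkout", "catalog"),
    ("payments", "card-vault"),
    ("reporting", "card-vault"),
]
INTERNET_FACING = {"edge-gateway"}   # observed: behind a public load balancer
SENSITIVE = {"card-vault"}           # observed: tagged as holding regulated data
CONFIG = {                           # observed per-service settings
    "edge-gateway": {"tls": True,  "auth": "oauth", "sg_open_world": True},
    "checkout":     {"tls": True,  "auth": "mtls",  "sg_open_world": False},
    "payments":     {"tls": True,  "auth": "none",  "sg_open_world": False},
    "catalog":      {"tls": False, "auth": "none",  "sg_open_world": False},
    "card-vault":   {"tls": True,  "auth": "mtls",  "sg_open_world": False},
    "reporting":    {"tls": True,  "auth": "none",  "sg_open_world": True},
}
OWNERS = {
    "edge-gateway": "platform", "checkout": "storefront", "catalog": "storefront",
    "payments": "payments-team", "card-vault": "payments-team", "reporting": "analytics",
}
HIGH_THRESHOLD = 8  # assumed cut-off for "high" in the rollup


def hops_from_internet(edges: Iterable[Tuple[str, str]], internet_facing: Iterable[str]) -> Dict[str, int]:
    """BFS over the call graph: hops separating each service from an internet-facing one."""
    adj: Dict[str, List[str]] = {}
    for caller, callee in edges:
        adj.setdefault(caller, []).append(callee)
    dist = {svc: 0 for svc in internet_facing}
    queue = deque(internet_facing)
    while queue:
        svc = queue.popleft()
        for nxt in adj.get(svc, []):
            if nxt not in dist:
                dist[nxt] = dist[svc] + 1
                queue.append(nxt)
    return dist


def config_findings(svc: str, cfg: dict, internet_facing: Iterable[str]) -> List[Tuple[str, int]]:
    """Weighted findings from configuration; an open security group is expected only at the edge."""
    findings = []
    if not cfg["tls"]:
        findings.append(("plaintext transport", 3))
    if cfg["auth"] == "none":
        findings.append(("no caller authentication", 2))
    if cfg["sg_open_world"] and svc not in internet_facing:
        findings.append(("security group open to the world on a non-edge service", 4))
    return findings


def exposure_factor(hops: Optional[int]) -> int:
    """Assumed multiplier: closer to the internet edge means findings weigh more."""
    if hops is None:
        return 1
    return 4 if hops == 0 else 3 if hops == 1 else 2


def handles_sensitive(svc: str, edges: Iterable[Tuple[str, str]], sensitive: Iterable[str]) -> bool:
    """A service is sensitive if it is tagged so, or directly calls a tagged service."""
    return svc in sensitive or any(callee in sensitive for caller, callee in edges if caller == svc)


def score_services(edges=EDGES, config=CONFIG, internet_facing=INTERNET_FACING,
                   sensitive=SENSITIVE) -> Dict[str, dict]:
    """Application Risk Metric: findings * exposure factor * (2 if sensitive data is handled)."""
    hops = hops_from_internet(edges, internet_facing)
    scores = {}
    for svc, cfg in config.items():
        findings = config_findings(svc, cfg, internet_facing)
        base = sum(weight for _, weight in findings)
        factor = exposure_factor(hops.get(svc)) * (2 if handles_sensitive(svc, edges, sensitive) else 1)
        scores[svc] = {"findings": [name for name, _ in findings], "hops": hops.get(svc), "score": base * factor}
    return scores


def rollup(scores: Dict[str, dict], owners: Dict[str, str] = OWNERS) -> Dict[str, dict]:
    """Application Risk Rollup: total, worst service and count of high-scoring services per team."""
    teams: Dict[str, dict] = {}
    for svc, s in scores.items():
        team = teams.setdefault(owners[svc], {"total": 0, "max": 0, "high": 0, "services": []})
        team["total"] += s["score"]
        team["max"] = max(team["max"], s["score"])
        team["high"] += 1 if s["score"] >= HIGH_THRESHOLD else 0
        team["services"].append(svc)
    return teams


if __name__ == "__main__":
    per_service = score_services()
    for svc, s in sorted(per_service.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{svc:13} score={s['score']:3} hops={s['hops']} findings={s['findings']}")
    for team, t in rollup(per_service).items():
        print(f"{team:14} total={t['total']:3} max={t['max']:3} high={t['high']}")
```

With the constructed data, `reporting` ends up with the highest score even though it is unreachable from the internet, because an open security group plus unauthenticated access to a service that reads the card vault outweighs distance from the edge; `card-vault` itself scores zero because every finding here is about the callers, which is the kind of result that sends a team to fix `payments` rather than the vault.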

Slide 32

Control Mapping

Slide 33


Slide 34

Compartmentalization
- Resilience: limit blast radius
- Confidentiality: need to know

Slide 35

Monolithic Card Processing in the Data Center

Slide 36

Microservices and Tokenization in AWS

Slide 37

Control Mapping

Slide 38

Wrapping Up!
- Limit investments in approaches that meet narrow regulatory needs.
- Embrace core security design and operational principles.
- Focus on tools and techniques that serve multiple audiences.

Slide 39

@chanjbs - chan@netflix.com