
Splitting the Check on Compliance and Security






Slide 0

Splitting the Check on Compliance and Security
Jason Chan
Engineering Director – Cloud Security
@chanjbs


Slide 1

2015 for Developers


Slide 2

2015 for Auditors and Security Teams


Slide 3

The Problem


Slide 4

Incentives and Perspectives
Developers:
- Incentives: speed, features
- Want: freedom to innovate, new technology
Auditors:
- Incentives: compliance with regulatory obligations, verifiable processes
- Want: well-known technology, predictability and stability


Slide 5

The Resolution


Slide 6

“You build it, you run it.” – Werner Vogels, Amazon CTO (June 2006)


Slide 7

Who Cares About These Answers?
- When did that code change?
- Who made the change?
- Who logged in to that host? What did they do?
- Who pushed that code?
- When was this dependency introduced?
- Was that build tested before deployment? What were the test results?


Slide 8

Developers and Auditors: Before / After


Slide 9

How Do We Get There?


Slide 10

Two Approaches to Compliance


Slide 11

Pillars for Effective, Efficient, and Flexible Compliance


Slide 12

The Pillars
- Traceability in development
- Continuous security visibility
- Compartmentalization


Slide 13

Discussion Format


Slide 14

Traceability in Development


Slide 15

Common Audit Requirements for Software Development
- Review changes.
- Track changes.
- Test changes.
- Deploy only approved code.
- For all actions: who did it? When?


Slide 16

Spinnaker for Continuous Deployment
- Customizable development pipelines (workflows), based on team requirements
- Single interface to the entire deployment process
- Answers who, what, when, and why, for developers and auditors


Slide 17

Spinnaker: Compliance-Relevant Features
- Integrated access to development artifacts: pull requests, test results, build artifacts, etc.
- Push authorization
- Restricted deployment windows (time, region)
- Deployment notifications


Slide 18

Spinnaker: App-Centric View & Multistage Pipeline


Slide 19

Automated Canary Analysis


Slide 20

Manual Approval (Optional)


Slide 21

Restricted Deployment Window (Optional)


Slide 22

Restricted Deployment Window (Optional)


Slide 23

Deployment Notification (Optional)


Slide 24

Spinnaker vs. Manual Deployments
- Deployment is independent of languages and other underlying technology: Java, Python, Linux, Windows…
- Multiple stages of automated testing: integration, security, functional, production canary.
- Fully traceable pipeline: changes and change drivers are fully visible; all artifacts and test results are available.
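The traceability controls on slides 15 to 24 (review and test every change, deploy only approved code, push authorization, restricted deployment windows, and a who/what/when/why record for every action) can be modelled as a small policy check over pipeline metadata. The following is an added example written for this page, not Spinnaker's own code or data model; the dataclasses, the authorized-pusher list, the window definition and the sample change, build and deploy requests are all constructed here for illustration.

```python
"""Hypothetical deployment audit trail (added example; not Spinnaker code).

A deploy request carries the change it deploys, the build that tested it, who is
pushing, when, and where. evaluate() applies the audit controls; audit_record()
produces the who/what/when/why record an auditor would ask for.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Change:
    commit: str
    author: str
    pull_request: int
    reviewed_by: Optional[str]   # None means the change was never reviewed
    committed_at: datetime


@dataclass
class Build:
    change: Change
    build_id: str
    tests_passed: bool
    test_report: str


@dataclass
class DeployRequest:
    build: Build
    pusher: str
    requested_at: datetime
    region: str


@dataclass(frozen=True)
class DeployWindow:
    """Restricted deployment window: allowed hours (in the datetime's tz) and regions."""
    start_hour: int
    end_hour: int
    regions: frozenset

    def allows(self, when: datetime, region: str) -> bool:
        return self.start_hour <= when.hour < self.end_hour and region in self.regions


# Constructed push-authorization list (assumed; a real system would source this
# from an identity provider or the pipeline's own permission model).
AUTHORIZED_PUSHERS = frozenset({"alice", "bob"})

# Constructed window: business hours, two regions.
WINDOW = DeployWindow(start_hour=9, end_hour=17,
                      regions=frozenset({"us-east-1", "us-west-2"}))


def evaluate(req: DeployRequest, window: DeployWindow):
    """Return (allowed, reasons). Every failed control is recorded, not just the first."""
    reasons = []
    change = req.build.change
    if change.reviewed_by is None or change.reviewed_by == change.author:
        reasons.append("change not independently reviewed")
    if not req.build.tests_passed:
        reasons.append("build failed tests")
    if req.pusher not in AUTHORIZED_PUSHERS:
        reasons.append(f"{req.pusher} not authorized to push")
    if not window.allows(req.requested_at, req.region):
        reasons.append("outside restricted deployment window")
    return (not reasons, reasons)


def audit_record(req: DeployRequest, window: DeployWindow) -> dict:
    """The who/what/when/why record retained for developers and auditors alike."""
    allowed, reasons = evaluate(req, window)
    change = req.build.change
    return {
        "what": change.commit,
        "who_changed": change.author,
        "who_reviewed": change.reviewed_by,
        "why": f"PR #{change.pull_request}",
        "when_changed": change.committed_at.isoformat(),
        "build": req.build.build_id,
        "tests_passed": req.build.tests_passed,
        "test_report": req.build.test_report,
        "who_pushed": req.pusher,
        "when_pushed": req.requested_at.isoformat(),
        "region": req.region,
        "deployed": allowed,
        "blocked_by": reasons,
    }


def sample_requests():
    """Constructed data: one compliant deploy and one that trips three controls."""
    utc = timezone.utc
    change = Change("a1b2c3d", "alice", 42, "bob", datetime(2015, 6, 1, 10, 0, tzinfo=utc))
    good = DeployRequest(Build(change, "build-100", True, "integration: 120 passed"),
                         "alice", datetime(2015, 6, 1, 14, 0, tzinfo=utc), "us-east-1")
    bad = DeployRequest(Build(change, "build-101", False, "integration: 2 failed"),
                        "mallory", datetime(2015, 6, 1, 23, 0, tzinfo=utc), "eu-west-1")
    return good, bad


if __name__ == "__main__":
    for req in sample_requests():
        print(audit_record(req, WINDOW))
```

Because the record is produced by the same code path that enforces the controls, the "was it tested, who approved it, was it inside the window" questions are answered from data the pipeline already holds rather than from a survey after the fact, which is the point of serving developers and auditors with one tool.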


Slide 25

Control Mapping


Slide 26

Continuous Security Visibility


Slide 27

Issues with Application Security Risk Management
- Spreadsheets and surveys!
- Human driven.
- Presuppose managed intake.
- One-time vs. continuous.


Slide 28


Slide 29

Penguin Shortbread – Automated Risk Analysis for Microservice Architectures
- Analyze microservice connectivity.
- Passively monitor app and cloud configuration.
- Develop risk scoring based on observations.


Slide 30

Application Risk Metric


Slide 31

Application Risk Rollup
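Slides 29 to 31 describe scoring applications from observed connectivity and configuration and rolling the per-application metric up. The block below is an added illustration of that idea and is not Penguin Shortbread's algorithm: the finding weights, the connectivity rule (an application transitively reachable from an internet-facing one gets extra exposure, and each caller adds to its blast radius), the call graph, the findings and the ownership map are all constructed for the example.

```python
"""Hypothetical application risk metric and rollup (added example; not the
scoring used by Penguin Shortbread). Inputs are constructed observations."""
from collections import defaultdict

# Assumed weights for passively observed configuration findings.
FINDING_WEIGHTS = {
    "internet_facing": 5,
    "no_tls": 4,
    "handles_pci_data": 4,
    "permissive_security_group": 3,
}


def reachable_from_edge(graph: dict, edge_apps: set) -> set:
    """Apps transitively callable from an internet-facing app (BFS over the call graph)."""
    seen = set(edge_apps)
    frontier = list(edge_apps)
    while frontier:
        nxt = []
        for app in frontier:
            for dep in graph.get(app, ()):
                if dep not in seen:
                    seen.add(dep)
                    nxt.append(dep)
        frontier = nxt
    return seen


def score_all(graph: dict, findings: dict) -> dict:
    """Per-application risk metric from config findings plus connectivity."""
    callers = defaultdict(set)
    for app, deps in graph.items():
        for dep in deps:
            callers[dep].add(app)
    edge = {app for app, f in findings.items() if "internet_facing" in f}
    exposed = reachable_from_edge(graph, edge)
    scores = {}
    for app in set(graph) | set(findings):
        score = sum(FINDING_WEIGHTS.get(f, 1) for f in findings.get(app, ()))
        score += len(callers[app])            # blast radius: who breaks if this breaks
        if app in exposed and app not in edge:
            score += 2                        # reachable from the edge through another service
        scores[app] = score
    return scores


def rollup(scores: dict, owners: dict) -> dict:
    """Aggregate per-app scores to owning teams: total, worst app, app count."""
    out = defaultdict(lambda: {"total": 0, "max": 0, "apps": 0})
    for app, score in scores.items():
        team = owners.get(app, "unowned")
        out[team]["total"] += score
        out[team]["max"] = max(out[team]["max"], score)
        out[team]["apps"] += 1
    return dict(out)


# Constructed observations: call graph (caller -> callees), findings, ownership.
GRAPH = {
    "api-gateway": ["billing", "recommendations"],
    "billing": ["token-vault"],
    "recommendations": ["catalog"],
    "catalog": [],
    "token-vault": [],
    "batch-report": ["catalog"],
}
FINDINGS = {
    "api-gateway": ["internet_facing"],
    "billing": ["handles_pci_data"],
    "token-vault": ["handles_pci_data", "no_tls"],
    "recommendations": ["permissive_security_group"],
    "catalog": [],
    "batch-report": [],
}
OWNERS = {
    "api-gateway": "edge", "billing": "payments", "token-vault": "payments",
    "recommendations": "discovery", "catalog": "discovery", "batch-report": "reporting",
}


def report():
    scores = score_all(GRAPH, FINDINGS)
    return scores, rollup(scores, OWNERS)


if __name__ == "__main__":
    scores, teams = report()
    for app, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{app:16} {s}")
    print(teams)
```

Re-running score_all() whenever the observed graph or configuration changes is what makes the metric continuous rather than a one-time survey result; the rollup gives a team or organisation view without anyone filling in a spreadsheet.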


Slide 32

Control Mapping


Slide 33

Compartmentalization


Slide 34

Compartmentalization
- Resilience: limit blast radius
- Confidentiality: need to know


Slide 35

Monolithic Card Processing in the Data Center


Slide 36

Microservices and Tokenization in AWS
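Slides 34 to 36 contrast a monolithic card-processing system with microservices plus tokenization: one small service holds card numbers, every other service holds only tokens, so the blast radius of a compromise shrinks and "need to know" becomes a property enforced in code. The following is an added example of that pattern, not Netflix's implementation; the vault, the service names, the authorization list and the sample card number are constructed here, and the in-memory dictionaries stand in for what a real vault would keep in an encrypted, access-controlled store.

```python
"""Hypothetical tokenization vault (added example; not a production design).

The vault is the only component that ever sees a card number (PAN). It hands
out random tokens, so nothing about the PAN can be derived from a token, and
it detokenizes only for callers on a need-to-know list.
"""
import secrets


class TokenVault:
    def __init__(self, authorized_detokenizers):
        # In this example the mapping is in memory; a real vault keeps it encrypted.
        self._pan_by_token = {}
        self._token_by_pan = {}
        self._authorized = frozenset(authorized_detokenizers)

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan in self._token_by_pan:           # same card, same token
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(12)  # random; not a hash or cipher of the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def last_four(self, token: str) -> str:
        """Display-only helper: the masked form is not sensitive."""
        return self._pan_by_token[token][-4:]

    def detokenize(self, token: str, caller: str) -> str:
        """Need to know: only listed services can recover the PAN."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller} has no need to know")
        return self._pan_by_token[token]


def checkout(vault: TokenVault, order_id: str, pan: str) -> dict:
    """Edge service: passes the PAN to the vault immediately and stores only the token."""
    token = vault.tokenize(pan)
    return {"order": order_id, "card_token": token, "last4": vault.last_four(token)}


def settle(vault: TokenVault, order: dict, caller: str) -> dict:
    """Settlement is the one downstream service allowed to recover the PAN."""
    pan = vault.detokenize(order["card_token"], caller)
    return {"order": order["order"], "pan_len": len(pan), "settled": True}


def service_sees_pan(order: dict, pan: str) -> bool:
    """Check used below: does a stored order record contain the raw PAN anywhere?"""
    return any(pan in str(v) for v in order.values())


def demo():
    """Constructed flow: checkout, settlement (allowed), recommendations (denied)."""
    vault = TokenVault(authorized_detokenizers={"settlement"})
    pan = "4111111111111111"   # constructed test card number
    order = checkout(vault, "order-1", pan)
    settled = settle(vault, order, "settlement")
    try:
        settle(vault, order, "recommendations")
        denied = False
    except PermissionError:
        denied = True
    return vault, order, settled, denied, pan


if __name__ == "__main__":
    _, order, settled, denied, _ = demo()
    print(order, settled, "recommendations denied:", denied)
```

The two compartmentalization goals from slide 34 map directly onto the code: a compromise of the recommendations or catalog service yields tokens that are useless without the vault (blast radius), and the vault's authorization list is the need-to-know boundary that the monolith never had.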


Slide 37

Control Mapping


Slide 38

Wrapping Up!
- Limit investments in approaches that meet narrow regulatory needs.
- Embrace core security design and operational principles.
- Focus on tools and techniques that serve multiple audiences.


Slide 39

@chanjbs - chan@netflix.com

