
AWS Security the DevOps Way (AWS Loft SF Edition)

DevOps methodologies have transformed the way we run operations and interact with product development. However, security has been slow to react to the DevOps revolution. In this talk, I discuss what you need to do to practice security the DevOps way in AWS.

John Martinez

July 16, 2015
Transcript

  1. AWS Security the DevOps Way
     AWS Pop-Up Loft SF
     John Martinez, Principal Solutions Architect
     July 16, 2015

  2. About Me
     - Been doing DevOps and Cloud stuff for ~5 years
     - Helped architect and build Creative Cloud @ Adobe
     - Cut my teeth on “the cloud” at Netflix
     - UNIX and Linux throat beard for >20 years
     - I now talk to people about security for a living
     - I’m completely addicted to building Raspberry Pi 2’s for random things around the house

  3. Why do Security? 4 Reasons
     Reasons vary by organization:
     - Regulatory
     - Customers Demand It
     - Industrial Partners Demand It
     - Self-Imposed
     - Protect Your IP
     - Imposed Upon You
     - Steal Their IP

  4. Modern Security Sucks
     - Dependent on presence
     - Doesn’t understand non-TCP/IP stacks
     - Too human-dependent
     - Assumption that resources are relatively static
     - Attackers use automation, defenders don’t
     - Security companies don’t get Cloud and DevOps

  5. Rugged DevOps
     http://devops.com/2015/04/20/the-rugged-devops-ebook/
     What is Rugged Software? “Rugged” describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure, and resilient software. —From www.ruggedsoftware.org
     * Disclaimer: Evident.io was one of the corporate sponsors for the production cost of the book – we believe in it!

  6. Host Integrity
     The Old Way: Expensive, single purpose tools
     The New Way: Configuration Management platforms like Chef, Puppet, Ansible

  7. Compliance
     The Old Way: Quarterly audits, manual reviews
     The New Way: Automated compliance testing, evidence and audits
     “You are in direct violation of PCI DSS 3.0 requirement 3 section 6.1. You have 10 seconds to comply…”

  8. Incident Management
     The Old Way: Long discovery phase of breach, panic
     The New Way: Instant, out of band forensic data and automation

  9. Infrastructure Security
     The Old Way: Homegrown scripts, outdated CMDB
     The New Way: Template-based infrastructure via CloudFormation, (commercial) Evident.io

  10. What you should take away
     1. Don’t wait for security to come to you – chase it
     2. Automate your security behaviors
     3. Champion the marriage of DevOps & Security

  11. Coming Soon to a Loft Near You (SF or NYC)
     Programmatic Security (with real code, too!)