
Compliance is Hard: Two Worlds at Odds (AWS SF Loft Edition)

Version of my compliance talk given at the AWS SF Loft.

John Martinez

April 28, 2015
Transcript

  1. About Me
     ✴ Been doing DevOps and Cloud stuff for ~5 years
     ✴ Did heavy Chef work for ~3
     ✴ UNIX throat beard since way back
     ✴ Compliance scars on my back
     ✴ I now talk to people about security for a living
     ✴ I recently built my 2nd Raspberry Pi (random fact, but true)
  2. “When management says you are going to meet regulatory compliance, don’t fight it. Embrace it! Because compliance done right is also best practices, and who doesn’t want to be the best?”
     Wayne Sisk, Compliance & Security Manager, Adobe
  3. What is Compliance?
     ▪ Boiled down: it’s about assessing risk and implementing governance
     ▪ Most common are government-mandated and industry-specific compliance certifications
     ▪ Compliance != Security
     ▪ YOU: it’s not only because management says so; you are a hugely important part of the process
     ▪ Examples of regulatory compliance: HIPAA, FISMA, FedRAMP
     ▪ Examples of industry compliance: SOC-2, PCI, ISO 27001
  4. Case Study - SoftCorp*
     ▪ Embarked on a journey to SOC-2 compliance
     ▪ Define and Discovery took about 4 months
     ▪ Control took about 3 months
     ▪ Test / Remediate / Report took about 6 months
     ▪ Total effort: 12 months; 4 dedicated people, 4 partially-dedicated people
     ▪ Most phases of the workflow overlapped
     ▪ The final phase was continuous
     *SoftCorp is a fictitious corporation
  5. Compliance is for Humans, Not Technology
     ▪ Auditors and compliance officers don’t understand the cloud or DevOps
     ▪ Embrace it as a challenge to mold them in your way
     ▪ You’ll have to talk to a lot of people, mostly internal auditors and managers (meetings to schedule other meetings; BRING A LAPTOP!)
     ▪ Don’t take questions about your cool architecture personally
  6. Technology == Automation
     ▪ Evidence gathering requires automation: let your bots do your work for you
     ▪ Tons of time will be spent writing automation of infrastructure in the early phases
     ▪ Tons of time will be spent gathering data from your automation in the late phases
     ▪ Self-described systems 4TW
     ▪ Chef is awesome for this (knife node show -l)
     ▪ Log aggregation to gather your evidence
     ▪ Save them somewhere else
     ▪ Use 3rd-party tools to have an independent view of your world
     ▪ (I may know a good one!)
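The “let your bots do your work” and “save them somewhere else” points in this slide, as an added example that is not code from the talk: a small evidence bot that takes the attribute dump a self-described Chef node reports (`knife node show -l -F json`, real knife options), keeps only the attributes a control asks about, writes the snapshot to separate storage with a SHA-256 manifest, and lets an auditor re-verify that the stored copy was not altered. `CONTROL_KEYS` is my own choice of attributes and `SAMPLE_NODES` is constructed offline data standing in for the knife output.

```python
import datetime, hashlib, json, pathlib, subprocess, tempfile

# Attributes a control typically asks for; a self-described node reports them itself.
CONTROL_KEYS = ("fqdn", "ipaddress", "platform", "platform_version",
                "chef_environment", "run_list")

# Constructed sample of what `knife node show -l -F json` returns, trimmed.
SAMPLE_NODES = {
    "web01": {"fqdn": "web01.example.internal", "ipaddress": "10.0.1.10",
              "platform": "ubuntu", "platform_version": "14.04",
              "chef_environment": "production", "run_list": ["role[web]"]},
    "db01": {"fqdn": "db01.example.internal", "ipaddress": "10.0.2.10",
             "platform": "ubuntu", "platform_version": "14.04",
             "chef_environment": "production", "run_list": ["role[db]"]},
}

def fetch_node(name, knife="knife"):
    """Pull a live node's long attribute list (needs a knife config; demo() does not call this)."""
    out = subprocess.check_output([knife, "node", "show", name, "-l", "-F", "json"])
    return json.loads(out)

def write_evidence(nodes, out_dir):
    """Write one JSON file per node plus a manifest of SHA-256 digests.
    out_dir should be storage the nodes themselves cannot write to."""
    out = pathlib.Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    ts = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    manifest = {"collected_at": ts, "nodes": {}}
    for name, attrs in sorted(nodes.items()):
        body = json.dumps({k: attrs.get(k) for k in CONTROL_KEYS},
                          sort_keys=True, indent=2).encode()
        path = out / f"{name}-{ts}.json"
        path.write_bytes(body)
        manifest["nodes"][name] = {"file": path.name,
                                   "sha256": hashlib.sha256(body).hexdigest()}
    (out / f"manifest-{ts}.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(manifest, out_dir):
    """Recompute digests so an auditor can confirm the stored copy is unaltered."""
    out = pathlib.Path(out_dir)
    return all(hashlib.sha256((out / e["file"]).read_bytes()).hexdigest() == e["sha256"]
               for e in manifest["nodes"].values())

def demo():
    # Collect the samples into a temp dir, verify, then tamper with one file and re-verify.
    with tempfile.TemporaryDirectory() as d:
        m = write_evidence(SAMPLE_NODES, d)
        ok_before = verify_evidence(m, d)
        (pathlib.Path(d) / m["nodes"]["web01"]["file"]).write_text("{}")
        return m, ok_before, verify_evidence(m, d)
```

In practice the manifest and snapshots go to a bucket or log store the audited hosts cannot modify, which is what gives the evidence an independent view.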
  7. What will you be asked for?
     ▪ Diagrams and diagrams and diagrams (of networks and application stacks)
     ▪ “Evidence” for “Controls” (i.e. TONS of data)
     ▪ Your cloud provider’s certifications don’t mean you don’t have to work
     ▪ In fact, you have to prove you’re following their customer responsibility requirement
     ▪ In the test phase, you will need to sit through many, many long hours of meetings (or not) with both internal and external auditors
     ▪ HINT: let your internal auditors use the “no” word
     ▪ More than likely: DOCUMENTATION
     ▪ Because, why not do it with Chef?
  8. What will you be asked for? The Sensitive Parts
     ▪ Cloud Configurations
     ▪ System Configurations
     ▪ Firewall logs
     ▪ Application Descriptions
     ▪ Network Access Testing
     ▪ Authentication and Authorization
     ▪ Privilege Escalation
     ▪ Data Isolation
     ▪ Segregation of Duties
  9. Compliance on AWS
     ▪ AWS has made it easy: order compliance packets
     ▪ http://aws.amazon.com/compliance/
     ▪ Follows the Shared Security Responsibility Model
     ▪ Talk to your account team, they’re there to help
  10. Where can I read more?
     ▪ Start with the Cloud Security Alliance Cloud Controls Matrix: https://cloudsecurityalliance.org/research/ccm/
  11. Final Note: Compliance is Continuous!
     ▪ You mean I’ll have to go through this again?
     ▪ Maybe you, maybe someone else, but yes
     ▪ Be the process
     ▪ Bring it on! (other compliance projects)