for ~5 years ✴ Did heavy Chef work for ~3 ✴ UNIX throat beard since way back ✴ Compliance scars on my back ✴ I now talk to people about security for a living ✴ I recently built my 2nd Raspberry Pi (random fact, but true)
Don’t fight it. Embrace it! Because compliance done right is also best practices, and who doesn’t want to be the best?” Wayne Sisk, Compliance & Security Manager, Adobe 3
implementing governance ▪Most common are government mandated and industry specific compliance certifications ▪Compliance != Security ▪YOU: It’s not necessarily because management says-so…you are a hugely important part of the process ▪Examples of regulatory compliance: HIPAA, FISMA, FedRAMP ▪Examples of industry compliance: SOC-2, PCI, ISO 27001 4
Compliance ▪Define and Discovery took about 4 months ▪Control took about 3 months ▪Test / Remediate / Report took about 6 months ▪Total effort: 12 months: 4 dedicated people, 4 partially-dedicated people ▪Most phases of the workflow overlapped ▪The final phase was continuous *SoftCorp is a fictitious corporation 6 SoftCorp
officers don’t understand the cloud or DevOps ▪Embrace it as a challenge to mold them in your way ▪You’ll have to talk to a lot of people, mostly internal auditors and managers (meetings to schedule other meetings BRING A LAPTOP!) ▪Don’t take questions about your cool architecture personally
your work for you ▪Tons of time will be spent writing automation of infrastructure in the early phases ▪Tons of time will be spent gathering data from your automation in the late phases ▪Self described systems 4TW ▪Chef is awesome for this (knife node show -l) ▪Log aggregation to gather your evidence ▪Save them somewhere else ▪Use 3rd party tools to have an independent view of your world ▪(I may know a good one!) technology == automation
diagrams (of networks and application stacks) ▪“Evidence” for “Controls" (i.e. TONS of data) ▪Your cloud provider’s certifications doesn’t mean you don’t have to work ▪In fact, you have to prove you’re following their customer responsibility requirement ▪In the test phase, you will need to sit through many many long hours of meetings (or not) with both internal and external auditors ▪HINT: let your internal auditors use the “no” word ▪More than likely: DOCUMENTATION ▪Because, why not do it with Chef? 9