Uploaded byCloudHesive
PPTX, PDF169 views

Winning Governance Strategies for the Technology Disruptions of our Time

The document discusses governance strategies for technology disruptions using AWS. It provides an overview of AWS services and frameworks that can help with governance, risk and compliance (GRC) challenges posed by disruptive technologies. These include the Cloud Adoption Framework, Well Architected Framework, and security services like GuardDuty, Inspector and Macie. It recommends starting simple on AWS and iterating architectures over time using available guidance.

Embed presentation

Download to read offline
Winning Governance Strategies for the Technology Disruptions of our Time ISACA South Florida Annual GRC Conference June 22, 2018 Patrick Hannah, VP of Engineering, CloudHesive
About Me • Who am I? • What’s my background?
About CloudHesive • Professional Services – Assessment (Current environment, datacenter or cloud footprint) – Strategy (Getting to the future state) – Migration (Environment-to-cloud, Datacenter-to-cloud) – Implementation (Point solutions) – Support (Break/fix and ongoing enhancement) • DevOps Services – Assessment – Strategy – Implementation (Point solutions) – Management (Supporting infrastructure, solutions or ongoing enhancement) – Support (Break/fix and ongoing enhancement) • Managed Security Services (SecOps) – Encryption as a Service (EaaS) – encryption at rest and in flight – End Point Security as a Service – Threat Management – SOC II Type 2 Validated • Next Generation Managed Services – Leveraging our Professional, DevOps and Managed Security Services – Single payer billing – Intelligent operations and automation – AWS Audited
Agenda • Disruptive technology history • Challenges faced in GRC by disruptive technologies • Brief introduction to AWS • Introduction of Shared Responsibility models, specifically around Cloud Computing and AWS • Overview of AWS Frameworks that can be leveraged by Security and Compliance teams for GRC with technology disruptors • Overview of AWS Services that can be leveraged to support GRC on AWS • Overview of AWS Reference Architectures that align to a number of Frameworks and leverage the previously referenced AWS Services • Conclusion
Disruptive Technology History • Then – Storage – Communications – Computing – Transportation – Manufacturing – Discreet Components • Now – Social – Mobile – Analytics/Big Data/AI – Cloud – Smart Things/IoT – Blockchain
Challenges faced in GRC by disruptive technologies • Endpoints – From a single, non network connected computing device to multiple (desktops, laptops, tablets, mobile phones), mixed platforms – Smart Appliances (Kitchen, TV, etc.), Consumer IoT (Smart Home, Alexa, Dash, etc.), Commercial/Industrial IoT (Environmental, Manufacturing, etc.), also mixed platforms • Data – Wider breadth of sources, formats, and technologies to ingest, process, store, retrieve, analyze and display – Growth in the four v’s (volume, variety, velocity and veracity) • Policy – Attempting to apply legacy policies to disruptive technologies – Looked at as not agile/slow to adopt disruptive technologies/slow to apply to disruptive technologies • Shadow IT – The nature of disruptive technologies supports the adoption of them by non IT users – Disruptive technologies tend to be enablers to avoid traditional methods of acquisition
Who is using AWS (US and Abroad)? • Federal Government • Government-Sponsored Enterprise • State • Local • Higher Education • K-12 • Non-Profit • Private Sector
GovCloud • Additional Assurance Programs Above and Beyond other AWS Regions – ITAR – FedRAMP ATO (High for GovCloud, Medium for us-east/west) – DoD SRG (2,4,5 for GovCloud, 2 for us-east/west) • General – Separate Endpoints (utilize FIPS 140-2 approved cryptographic modules) – Separate Namespace – Separate Authentication (Tied to a non-GovCloud account for billing purposes - no Root Account) – 46 of the 127 AWS Services Available (EC2 Classic not Available) – US Citizen only Access • Physical Location – Northwestern US – Eastern US (forthcoming)
AWS Shared Responsibility Model
Cloud Adoption Framework • Perspectives – Business • Value Realization – People • Roles & Readiness – Governance • Prioritization & Control – Platform • Applications & Infrastructure – Security • Risk & Compliance – Operations • Manage & Scale
Well Architected Framework • Operational Excellence • Security • Reliability • Performance Efficiency • Cost Optimization
General Design Principles • Stop guessing your capacity needs • Test systems at production scale • Automate to make architectural experimentation easier • Allow for evolutionary architectures • Drive architectures using data • Improve through game days
Operational Excellence • Design Principles – Perform operations as code – Annotate documentation – Make frequent, small, reversible changes – Refine operations procedures frequently – Anticipate failure – Learn from all operational failures • Best Practices – Prepare – Operate – Evolve
Security • Design Principles – Implement a strong identity foundation – Enable traceability – Apply security at all layers – Automate security best practices – Protect data in transit and at rest – Prepare for security events • Best Practices – Identity and Access Management – Detective Controls – Infrastructure Protection – Data Protection – Incident Response
Reliability • Design Principles – Test recovery procedures – Automatically recover from failure – Scale horizontally to increase aggregate system availability – Stop guessing capacity – Manage change in automation • Best Practices – Foundations – Change Management – Failure Management
Performance Efficiency • Design Principles – Democratize advanced technologies – Go global in minutes – Use serverless architectures – Experiment more often – Mechanical sympathy • Best Practices – Selection – Review – Monitoring – Tradeoffs
Cost Optimization • Design Principles – Adopt a consumption model – Measure overall efficiency – Stop spending money on data center operations – Analyze and attribute expenditure – Use managed services to reduce cost of ownership • Best Practices – Cost-Effective Resources – Matching Supply and Demand – Expenditure Awareness – Optimizing Over Time
Sample Implementation • “NIST Quickstart” • Based on Cybersecurity Framework, SP 800-53, SP 800-37 • Corresponding Guide + Controls Matrix • CIS and PCI Variants Available • Good starting point
Supporting Services • VPC: Security Groups (Stateful Firewall) + NACLs (Stateless Firewall) • VPC: Flow Logs (NetFlow) • VPC: VGW (Point to Point and IPSEC Connectivity) + Peering (VPC to VPC Connectivity) + Endpoints (Private Connectivity to AWS Services) • VPC: NAT Gateway (Private to Public IP Address NAT’ing) • EC2: Patch Manager (OS and above patching + auditing) • EC2: Parameter Store (Secure Storage of Service Accounts)
Supporting Services • S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention • Code Commit/ECS: Secure Application and Artifact Repository • Code Deploy/Run Command: “Hands off” OS and configuration management + application deployment • CloudWatch Logs: OS and above log management • CloudWatch Events + Lambda: Event triggered code • CloudTrail: Audit Trail, Exportable as JSON to idempotent storage
Supporting Services • Config: Point in time snapshots of configuration items, Exportable as JSON to idempotent storage • OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management • CloudFormation: Infrastructure automation described as JSON/YAML, Version Controllable • IAM + Directory Service + SSO: Standalone and Federated AAA • KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS services, provides expiration and ability to provide self-generated cryptographic material • CloudHSM: FIPS 140-2 Certified cryptographic module with PKCS11 and JCE Interfaces
Supporting Services • Certificate Manager: Secure Certificate Store • Workspaces: Secure Bastion • WAF: Layer 7 WAF • Shield + AutoScaling + ELB + Cloud Front: DoS/DDoS Protection • Artifact: AWS Audit Reports available on demand • Tags: Built-in asset + inventory marking and tracking on configuration items • Service Catalog: Predefined configurations available to end users, can be integrated to ITSM system
Enforcement • AWS – Guard Duty – Inspector – Macie – Trusted Advisor – Config Rules – Various “Widgets” • Third Party – CIS CAT – CloudCheckr – AlertLogic – Tenable
Conclusion • AWS provides a number of services to support your frameworks + controls, in addition to core infrastructure (server + storage) capabilities. • AWS provides guidance (in the form of the CAF and WAF) for organizations which do not have an existing framework to base their cloud adoption model on. • Getting started on AWS is easy; with the free tier, you can experiment with a number of services without incurring significant cost. • Adoption of AWS in your organization can be as easy or as hard as you want to make it; start simple and iterate.
Recommended Reading • AWS Well Architected Framework – https://aws.amazon.com/architecture/well-architected/ • AWS Cloud Adoption Framework – https://aws.amazon.com/professional-services/CAF/ • AWS Cloud Transformation Maturity Model – https://d0.awsstatic.com/whitepapers/AWS-Cloud-Transformation-Maturity-Model.pdf • Shared Responsibility Model – https://aws.amazon.com/compliance/shared-responsibility-model/ • Operational Checklists for AWS – https://d1.awsstatic.com/whitepapers/aws-operational-checklists.pdf • Introduction to Auditing the Use of AWS – https://d1.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf
Further Learning • Getting Started: https://aws.amazon.com/getting-started • General Reference: http://docs.aws.amazon.com/general/latest/gr • Global Infrastructure: https://aws.amazon.com/about-aws/global-infrastructure/ • FAQs: https://aws.amazon.com/faqs • Documentation: https://aws.amazon.com/documentation/ • Architecture: https://aws.amazon.com/architecture • Whitepapers: https://aws.amazon.com/whitepapers • Security: https://aws.amazon.com/security • Blog: https://aws.amazon.com/blogs • Service Specific Pages: https://aws.amazon.com/service • AWS Answers: https://aws.amazon.com/answers/ • AWS Knowledge Center: https://aws.amazon.com/premiumsupport/knowledge-center/ • SlideShare: http://www.slideshare.net/AmazonWebServices • Github: https://github.com/aws and https://github.com/awslabs
Further Learning – Security • http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active- Directory-ADFS-and-SAML-2-0 • http://blogs.aws.amazon.com/security/post/Tx1LDN0UBGJJ26Q/How-to-Implement-Federated-API-and-CLI- Access-Using-SAML-2-0-and-AD-FS • http://blogs.aws.amazon.com/security/post/Tx2KL0TCWFBBAB1/How-to-Use-a-Single-IAM-User-to-Easily-Access- All-Your-Accounts-by-Using-the-AWS • http://blogs.aws.amazon.com/security/post/Tx1XWZ93EAFL9C4/How-to-Switch-Easily-Between-AWS-Accounts-by- Using-the-AWS-Management-Console-an • http://blogs.aws.amazon.com/security/post/Tx4BUZIS3E2QG2/Make-a-New-Year-s-Resolution-Adhere-to-IAM-Best- Practices • http://blogs.aws.amazon.com/security/post/TxASQFTVGZ5HMT/How-to-Receive-Alerts-When-Your-IAM- Configuration-Changes • http://blogs.aws.amazon.com/security/post/Tx3PSPQSN8374D/How-to-Receive-Notifications-When-Your-AWS- Account-s-Root-Access-Keys-Are-Used • http://blogs.aws.amazon.com/security/post/Tx3NVS2JAL7KWOM/How-to-Help-Prepare-for-DDoS-Attacks-by- Reducing-Your-Attack-Surface • http://blogs.aws.amazon.com/security/post/Tx280RX2WH6WUD7/Remove-Unnecessary-Permissions-in-Your-IAM- Policies-by-Using-Service-Last-Access • http://www.slideshare.net/AmazonWebServices/network-security-and-access-control-within-aws-54456790 • http://www.slideshare.net/AmazonWebServices/cloud-security-guidance-from-cesg-and-aws
Meetups • Boca Raton: https://www.meetup.com/awsflorida/ • Doral: https://www.meetup.com/AWSUserGroupDoral/ • Fort Lauderdale: https://www.meetup.com/South-Florida-Amazon-Web-Services-Meetup/ • Jacksonville: https://www.meetup.com/AWS-User-Groups-of-Florida-Jacksonville/ • Miami: https://www.meetup.com/Miami-AWS-Users-Group/ • Miami Beach: https://www.meetup.com/aws-user-group-miami/ • Orlando: https://www.meetup.com/Orlando-AWS-Users-Group/ • Palm Beach Gardens: https://www.meetup.com/AWS-Users-Group-of-Florida-Palm-Beach- Gardens/ • Tampa: https://www.meetup.com/Tampa-AWS-Users-Group/ • Montevideo, Uruguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-AWS-en- Montevideo/ • Asuncion, Paraguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-en-Asuncion/ • South Florida Jenkins Area Meetup: https://www.meetup.com/South-Florida-Jenkins-Area-Meetup/

More Related Content

PPTX
Fort Lauderdale Tech Talks - The Future is the Cloud
byCloudHesive
 
PPTX
Operating and Managing Hybrid Cloud on AWS
byTom Laszewski
 
PPTX
AWS 101 - An Introduction to the Amazon Cloud
byCloudHesive
 
PPTX
Big Data and Machine Learning on AWS
byCloudHesive
 
PPTX
AWS 2020 Year in Review reInvent ReCap
byCloudHesive
 
PPTX
From Monolithic to Modern Apps: Best Practices
byTom Laszewski
 
PDF
AWS Technical Due Diligence Workshop Session Two
byTom Laszewski
 
PPTX
AWS 101 and the benefits of Migrating to the Cloud
byCloudHesive
 
Fort Lauderdale Tech Talks - The Future is the Cloud
byCloudHesive
 
Operating and Managing Hybrid Cloud on AWS
byTom Laszewski
 
AWS 101 - An Introduction to the Amazon Cloud
byCloudHesive
 
Big Data and Machine Learning on AWS
byCloudHesive
 
AWS 2020 Year in Review reInvent ReCap
byCloudHesive
 
From Monolithic to Modern Apps: Best Practices
byTom Laszewski
 
AWS Technical Due Diligence Workshop Session Two
byTom Laszewski
 
AWS 101 and the benefits of Migrating to the Cloud
byCloudHesive
 

Similar to Winning Governance Strategies for the Technology Disruptions of our Time

PPTX
AWS Spotlight Series - Modernization and Security with AWS
byCloudHesive
 
PPTX
Build and Manage a Highly Secure Cloud Environment on AWS and Azure
byCloudHesive
 
PPTX
Security on AWS, 2021 Edition Meetup
byCloudHesive
 
PPTX
Security on AWS, 2021 Edition Meetup
byCloudHesive
 
PPTX
Best Practices in Secure Cloud Migration
byCloudHesive
 
PDF
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
byJames Strong
 
PPTX
Security on AWS
byCloudHesive
 
PPTX
Building Bulletproof Infrastructure on AWS
by2nd Watch
 
PDF
AWS Architecture Fundamentals - Houston
byNicole Maus
 
PDF
AWS for Auditors
byAndrew Clark
 
PPTX
NIST Cybersecurity Framework (CSF) on the Public Cloud
byCloudHesive
 
PPTX
Blue Chip Tek Connect and Protect Presentation #3
byKimberly Macias
 
PPTX
5 minutes on security
byCloudHesive
 
PDF
AWS Cloud Security
byAmazon Web Services LATAM
 
PPTX
Cloud Security (AWS)
byScott Arveseth
 
PDF
Cloud 101: Your Gateway to Computing Freedom With AWS
byShivanshi Singh
 
PDF
Migrate and Govern Applications on Cloud Infrastructure
byManuj Bawa
 
PDF
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
bybvpxmqwie0546
 
PPTX
Amazon-Web-Services-AWS-From-Basics-to-Hands-On-Practical.pptx
bydevsingh8983292894
 
PPTX
Adopting AWS in your organization - ITPalooza 2015
byCloudHesive
 
AWS Spotlight Series - Modernization and Security with AWS
byCloudHesive
 
Build and Manage a Highly Secure Cloud Environment on AWS and Azure
byCloudHesive
 
Security on AWS, 2021 Edition Meetup
byCloudHesive
 
Security on AWS, 2021 Edition Meetup
byCloudHesive
 
Best Practices in Secure Cloud Migration
byCloudHesive
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
byJames Strong
 
Security on AWS
byCloudHesive
 
Building Bulletproof Infrastructure on AWS
by2nd Watch
 
AWS Architecture Fundamentals - Houston
byNicole Maus
 
AWS for Auditors
byAndrew Clark
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
byCloudHesive
 
Blue Chip Tek Connect and Protect Presentation #3
byKimberly Macias
 
5 minutes on security
byCloudHesive
 
AWS Cloud Security
byAmazon Web Services LATAM
 
Cloud Security (AWS)
byScott Arveseth
 
Cloud 101: Your Gateway to Computing Freedom With AWS
byShivanshi Singh
 
Migrate and Govern Applications on Cloud Infrastructure
byManuj Bawa
 
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
bybvpxmqwie0546
 
Amazon-Web-Services-AWS-From-Basics-to-Hands-On-Practical.pptx
bydevsingh8983292894
 
Adopting AWS in your organization - ITPalooza 2015
byCloudHesive
 

More from CloudHesive

PPTX
CloudHesive x Datadog Multi Generational Observability
byCloudHesive
 
PPTX
Modernization of your AWS based SaaS platform - Short
byCloudHesive
 
PPTX
Modernization of your AWS based SaaS platform
byCloudHesive
 
PPTX
Serverless Generative AI on AWS, AWS User Groups of Florida
byCloudHesive
 
PPTX
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
byCloudHesive
 
PPTX
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
byCloudHesive
 
PPTX
Accelerating Business and Research Through Automation and Artificial Intellig...
byCloudHesive
 
PPTX
Amazon Connect Rethink Your Contact Center with CloudHesive.pptx
byCloudHesive
 
PPTX
ConnectPath Introduction
byCloudHesive
 
PDF
Modernize your contact center with ConnectPath CX v2.pdf
byCloudHesive
 
PDF
Modernize your contact center with ConnectPath CX — Chart.pdf
byCloudHesive
 
PPTX
End User Computing at CloudHesive.pptx
byCloudHesive
 
PPTX
Analytics at CloudHesive
byCloudHesive
 
PPTX
Supporting your CMMC initiatives with Sumo Logic
byCloudHesive
 
PDF
Best Practices and Resources to Effectively Manage and Optimize Your AWS Costs
byCloudHesive
 
PPTX
Serverless data and analytics on AWS for operations
byCloudHesive
 
PPTX
reInvent reCap 2022
byCloudHesive
 
PPTX
Serverless without Code (Lambda)
byCloudHesive
 
PDF
AWS Advanced Analytics Automation Toolkit (AAA)
byCloudHesive
 
PDF
AWS Control Tower
byCloudHesive
 
CloudHesive x Datadog Multi Generational Observability
byCloudHesive
 
Modernization of your AWS based SaaS platform - Short
byCloudHesive
 
Modernization of your AWS based SaaS platform
byCloudHesive
 
Serverless Generative AI on AWS, AWS User Groups of Florida
byCloudHesive
 
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
byCloudHesive
 
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
byCloudHesive
 
Accelerating Business and Research Through Automation and Artificial Intellig...
byCloudHesive
 
Amazon Connect Rethink Your Contact Center with CloudHesive.pptx
byCloudHesive
 
ConnectPath Introduction
byCloudHesive
 
Modernize your contact center with ConnectPath CX v2.pdf
byCloudHesive
 
Modernize your contact center with ConnectPath CX — Chart.pdf
byCloudHesive
 
End User Computing at CloudHesive.pptx
byCloudHesive
 
Analytics at CloudHesive
byCloudHesive
 
Supporting your CMMC initiatives with Sumo Logic
byCloudHesive
 
Best Practices and Resources to Effectively Manage and Optimize Your AWS Costs
byCloudHesive
 
Serverless data and analytics on AWS for operations
byCloudHesive
 
reInvent reCap 2022
byCloudHesive
 
Serverless without Code (Lambda)
byCloudHesive
 
AWS Advanced Analytics Automation Toolkit (AAA)
byCloudHesive
 
AWS Control Tower
byCloudHesive
 

Recently uploaded

PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PDF
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
MathML Core in WebKit
byIgalia
 
PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PPTX
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
MathML Core in WebKit
byIgalia
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
WebXR in Android and Linux with OpenXR
byIgalia
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 

Winning Governance Strategies for the Technology Disruptions of our Time

  • 1.
    Winning Governance Strategiesfor the Technology Disruptions of our Time ISACA South Florida Annual GRC Conference June 22, 2018 Patrick Hannah, VP of Engineering, CloudHesive
  • 2.
    About Me • Whoam I? • What’s my background?
  • 3.
    About CloudHesive • ProfessionalServices – Assessment (Current environment, datacenter or cloud footprint) – Strategy (Getting to the future state) – Migration (Environment-to-cloud, Datacenter-to-cloud) – Implementation (Point solutions) – Support (Break/fix and ongoing enhancement) • DevOps Services – Assessment – Strategy – Implementation (Point solutions) – Management (Supporting infrastructure, solutions or ongoing enhancement) – Support (Break/fix and ongoing enhancement) • Managed Security Services (SecOps) – Encryption as a Service (EaaS) – encryption at rest and in flight – End Point Security as a Service – Threat Management – SOC II Type 2 Validated • Next Generation Managed Services – Leveraging our Professional, DevOps and Managed Security Services – Single payer billing – Intelligent operations and automation – AWS Audited
  • 4.
    Agenda • Disruptive technologyhistory • Challenges faced in GRC by disruptive technologies • Brief introduction to AWS • Introduction of Shared Responsibility models, specifically around Cloud Computing and AWS • Overview of AWS Frameworks that can be leveraged by Security and Compliance teams for GRC with technology disruptors • Overview of AWS Services that can be leveraged to support GRC on AWS • Overview of AWS Reference Architectures that align to a number of Frameworks and leverage the previously referenced AWS Services • Conclusion
  • 5.
    Disruptive Technology History •Then – Storage – Communications – Computing – Transportation – Manufacturing – Discreet Components • Now – Social – Mobile – Analytics/Big Data/AI – Cloud – Smart Things/IoT – Blockchain
  • 6.
    Challenges faced inGRC by disruptive technologies • Endpoints – From a single, non network connected computing device to multiple (desktops, laptops, tablets, mobile phones), mixed platforms – Smart Appliances (Kitchen, TV, etc.), Consumer IoT (Smart Home, Alexa, Dash, etc.), Commercial/Industrial IoT (Environmental, Manufacturing, etc.), also mixed platforms • Data – Wider breadth of sources, formats, and technologies to ingest, process, store, retrieve, analyze and display – Growth in the four v’s (volume, variety, velocity and veracity) • Policy – Attempting to apply legacy policies to disruptive technologies – Looked at as not agile/slow to adopt disruptive technologies/slow to apply to disruptive technologies • Shadow IT – The nature of disruptive technologies supports the adoption of them by non IT users – Disruptive technologies tend to be enablers to avoid traditional methods of acquisition
  • 7.
    Who is usingAWS (US and Abroad)? • Federal Government • Government-Sponsored Enterprise • State • Local • Higher Education • K-12 • Non-Profit • Private Sector
  • 8.
    GovCloud • Additional AssurancePrograms Above and Beyond other AWS Regions – ITAR – FedRAMP ATO (High for GovCloud, Medium for us-east/west) – DoD SRG (2,4,5 for GovCloud, 2 for us-east/west) • General – Separate Endpoints (utilize FIPS 140-2 approved cryptographic modules) – Separate Namespace – Separate Authentication (Tied to a non-GovCloud account for billing purposes - no Root Account) – 46 of the 127 AWS Services Available (EC2 Classic not Available) – US Citizen only Access • Physical Location – Northwestern US – Eastern US (forthcoming)
  • 9.
  • 10.
    Cloud Adoption Framework •Perspectives – Business • Value Realization – People • Roles & Readiness – Governance • Prioritization & Control – Platform • Applications & Infrastructure – Security • Risk & Compliance – Operations • Manage & Scale
  • 11.
    Well Architected Framework •Operational Excellence • Security • Reliability • Performance Efficiency • Cost Optimization
  • 12.
    General Design Principles •Stop guessing your capacity needs • Test systems at production scale • Automate to make architectural experimentation easier • Allow for evolutionary architectures • Drive architectures using data • Improve through game days
  • 13.
    Operational Excellence • DesignPrinciples – Perform operations as code – Annotate documentation – Make frequent, small, reversible changes – Refine operations procedures frequently – Anticipate failure – Learn from all operational failures • Best Practices – Prepare – Operate – Evolve
  • 14.
    Security • Design Principles –Implement a strong identity foundation – Enable traceability – Apply security at all layers – Automate security best practices – Protect data in transit and at rest – Prepare for security events • Best Practices – Identity and Access Management – Detective Controls – Infrastructure Protection – Data Protection – Incident Response
  • 15.
    Reliability • Design Principles –Test recovery procedures – Automatically recover from failure – Scale horizontally to increase aggregate system availability – Stop guessing capacity – Manage change in automation • Best Practices – Foundations – Change Management – Failure Management
  • 16.
    Performance Efficiency • DesignPrinciples – Democratize advanced technologies – Go global in minutes – Use serverless architectures – Experiment more often – Mechanical sympathy • Best Practices – Selection – Review – Monitoring – Tradeoffs
  • 17.
    Cost Optimization • DesignPrinciples – Adopt a consumption model – Measure overall efficiency – Stop spending money on data center operations – Analyze and attribute expenditure – Use managed services to reduce cost of ownership • Best Practices – Cost-Effective Resources – Matching Supply and Demand – Expenditure Awareness – Optimizing Over Time
  • 18.
    Sample Implementation • “NISTQuickstart” • Based on Cybersecurity Framework, SP 800-53, SP 800-37 • Corresponding Guide + Controls Matrix • CIS and PCI Variants Available • Good starting point
  • 19.
    Supporting Services • VPC:Security Groups (Stateful Firewall) + NACLs (Stateless Firewall) • VPC: Flow Logs (NetFlow) • VPC: VGW (Point to Point and IPSEC Connectivity) + Peering (VPC to VPC Connectivity) + Endpoints (Private Connectivity to AWS Services) • VPC: NAT Gateway (Private to Public IP Address NAT’ing) • EC2: Patch Manager (OS and above patching + auditing) • EC2: Parameter Store (Secure Storage of Service Accounts)
  • 20.
    Supporting Services • S3/Glacier:File based storage with AAA, versioning, secure delete + policy based retention • Code Commit/ECS: Secure Application and Artifact Repository • Code Deploy/Run Command: “Hands off” OS and configuration management + application deployment • CloudWatch Logs: OS and above log management • CloudWatch Events + Lambda: Event triggered code • CloudTrail: Audit Trail, Exportable as JSON to idempotent storage
  • 21.
    Supporting Services • Config:Point in time snapshots of configuration items, Exportable as JSON to idempotent storage • OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management • CloudFormation: Infrastructure automation described as JSON/YAML, Version Controllable • IAM + Directory Service + SSO: Standalone and Federated AAA • KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS services, provides expiration and ability to provide self-generated cryptographic material • CloudHSM: FIPS 140-2 Certified cryptographic module with PKCS11 and JCE Interfaces
  • 22.
    Supporting Services • CertificateManager: Secure Certificate Store • Workspaces: Secure Bastion • WAF: Layer 7 WAF • Shield + AutoScaling + ELB + Cloud Front: DoS/DDoS Protection • Artifact: AWS Audit Reports available on demand • Tags: Built-in asset + inventory marking and tracking on configuration items • Service Catalog: Predefined configurations available to end users, can be integrated to ITSM system
  • 23.
    Enforcement • AWS – GuardDuty – Inspector – Macie – Trusted Advisor – Config Rules – Various “Widgets” • Third Party – CIS CAT – CloudCheckr – AlertLogic – Tenable
  • 24.
    Conclusion • AWS providesa number of services to support your frameworks + controls, in addition to core infrastructure (server + storage) capabilities. • AWS provides guidance (in the form of the CAF and WAF) for organizations which do not have an existing framework to base their cloud adoption model on. • Getting started on AWS is easy; with the free tier, you can experiment with a number of services without incurring significant cost. • Adoption of AWS in your organization can be as easy or as hard as you want to make it; start simple and iterate.
  • 25.
    Recommended Reading • AWSWell Architected Framework – https://aws.amazon.com/architecture/well-architected/ • AWS Cloud Adoption Framework – https://aws.amazon.com/professional-services/CAF/ • AWS Cloud Transformation Maturity Model – https://d0.awsstatic.com/whitepapers/AWS-Cloud-Transformation-Maturity-Model.pdf • Shared Responsibility Model – https://aws.amazon.com/compliance/shared-responsibility-model/ • Operational Checklists for AWS – https://d1.awsstatic.com/whitepapers/aws-operational-checklists.pdf • Introduction to Auditing the Use of AWS – https://d1.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf
  • 26.
    Further Learning • GettingStarted: https://aws.amazon.com/getting-started • General Reference: http://docs.aws.amazon.com/general/latest/gr • Global Infrastructure: https://aws.amazon.com/about-aws/global-infrastructure/ • FAQs: https://aws.amazon.com/faqs • Documentation: https://aws.amazon.com/documentation/ • Architecture: https://aws.amazon.com/architecture • Whitepapers: https://aws.amazon.com/whitepapers • Security: https://aws.amazon.com/security • Blog: https://aws.amazon.com/blogs • Service Specific Pages: https://aws.amazon.com/service • AWS Answers: https://aws.amazon.com/answers/ • AWS Knowledge Center: https://aws.amazon.com/premiumsupport/knowledge-center/ • SlideShare: http://www.slideshare.net/AmazonWebServices • Github: https://github.com/aws and https://github.com/awslabs
  • 27.
    Further Learning –Security • http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active- Directory-ADFS-and-SAML-2-0 • http://blogs.aws.amazon.com/security/post/Tx1LDN0UBGJJ26Q/How-to-Implement-Federated-API-and-CLI- Access-Using-SAML-2-0-and-AD-FS • http://blogs.aws.amazon.com/security/post/Tx2KL0TCWFBBAB1/How-to-Use-a-Single-IAM-User-to-Easily-Access- All-Your-Accounts-by-Using-the-AWS • http://blogs.aws.amazon.com/security/post/Tx1XWZ93EAFL9C4/How-to-Switch-Easily-Between-AWS-Accounts-by- Using-the-AWS-Management-Console-an • http://blogs.aws.amazon.com/security/post/Tx4BUZIS3E2QG2/Make-a-New-Year-s-Resolution-Adhere-to-IAM-Best- Practices • http://blogs.aws.amazon.com/security/post/TxASQFTVGZ5HMT/How-to-Receive-Alerts-When-Your-IAM- Configuration-Changes • http://blogs.aws.amazon.com/security/post/Tx3PSPQSN8374D/How-to-Receive-Notifications-When-Your-AWS- Account-s-Root-Access-Keys-Are-Used • http://blogs.aws.amazon.com/security/post/Tx3NVS2JAL7KWOM/How-to-Help-Prepare-for-DDoS-Attacks-by- Reducing-Your-Attack-Surface • http://blogs.aws.amazon.com/security/post/Tx280RX2WH6WUD7/Remove-Unnecessary-Permissions-in-Your-IAM- Policies-by-Using-Service-Last-Access • http://www.slideshare.net/AmazonWebServices/network-security-and-access-control-within-aws-54456790 • http://www.slideshare.net/AmazonWebServices/cloud-security-guidance-from-cesg-and-aws
  • 28.
    Meetups • Boca Raton:https://www.meetup.com/awsflorida/ • Doral: https://www.meetup.com/AWSUserGroupDoral/ • Fort Lauderdale: https://www.meetup.com/South-Florida-Amazon-Web-Services-Meetup/ • Jacksonville: https://www.meetup.com/AWS-User-Groups-of-Florida-Jacksonville/ • Miami: https://www.meetup.com/Miami-AWS-Users-Group/ • Miami Beach: https://www.meetup.com/aws-user-group-miami/ • Orlando: https://www.meetup.com/Orlando-AWS-Users-Group/ • Palm Beach Gardens: https://www.meetup.com/AWS-Users-Group-of-Florida-Palm-Beach- Gardens/ • Tampa: https://www.meetup.com/Tampa-AWS-Users-Group/ • Montevideo, Uruguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-AWS-en- Montevideo/ • Asuncion, Paraguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-en-Asuncion/ • South Florida Jenkins Area Meetup: https://www.meetup.com/South-Florida-Jenkins-Area-Meetup/

Editor's Notes

  • #3 Certifications in CCSK, CCSP, ITIL Experience with AWS, GovCloud, FedRAMP, specifically
  • #6 From Wiki: Disruptive innovation is an innovation that creates a new market and value network and eventually disrupts an existing market and value network, displacing established market-leading firms, products, and alliances
  • #8 AWS Public Sector Summit – June 20-21, 2018, Walter E. Washington Convention Center
  • #9 https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/ https://aws.amazon.com/compliance/services-in-scope/ See also C2S and Secret Region: https://aws.amazon.com/federal/us-intelligence-community/
  • #19 https://aws.amazon.com/quickstart/architecture/accelerator-nist/ NIST – Cybersecurity Framework, SP 800-53, SP 800-37 CIS – Benchmarks CSA – CCM + CAIQ Basic AWS Identity and Access Management (IAM) configuration with custom (IAM) policies, with associated groups, roles, and instance profiles. Standard, external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for application and database. The Multi-AZ architecture helps ensure high availability. Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data. Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack. The security groups limit access to only necessary services. Three-tier Linux web application using Auto Scaling and Elastic Load Balancing, which can be modified and/or bootstrapped with customer application. A secured bastion login host to facilitate command-line Secure Shell (SSH) access to Amazon EC2 instances for troubleshooting and systems administration activities. Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database. Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules (where available).
  • #20 The next few slides I will detail some of the supporting services; a number of the AWS published matrices detail the alignment of these services to specific controls, rather than read through a matrix, I thought it would help to explain what these services are and how they can help