
Maria C. Horton

Founder, CEO

CISSP-ISSMP, Cloud Essentials, IAM

Cloud Security by Design: Tailoring DevOps for Regulatory Compliance

EmeSec Incorporated ©2017

Who We Are

• EmeSec Incorporated

• Core services are in cloud, security, and engineering

• Compliance consulting

• An accredited FedRAMP 3PAO

• Leader in CUI Compliance

• Hold 4 ISO certifications:

  • ISO 9001: 2008

  • ISO/IEC 20000-1: 2011

  • ISO/IEC 27001: 2013

  • ISO/IEC 17020: 2012

Today's Learning Objectives

• Attendees will explore, learn and discuss:

  • Planning DevOps to address regulatory requirements for cyber, cloud, CUI (DFARS), and privacy regulations such as the EU GDPR

  • The top 3 DevOps practices required by FedRAMP, CUI, and other sectors, with a focus on the supply chain

  • DevOps and compliance auditing in the near future

Why the Emphasis?

• Today, every business is a digital business

• Due diligence is taking the effort to avoid harm or loss through reasonable care

• Liability almost always comes from not demonstrating due diligence

[Diagram labels: Compliance, Due Diligence, Liability]

Non-compliance, and the diminished due diligence it implies, will likely result in unique privacy and commerce risks and liabilities.

DevOps Simplified


The DevOps Mindset Necessary for Business Digitalization and Compliance Security

[Diagram: Data and Information Flow & Potential Leakage(s). Labels: Compliance Understanding; Data Center; Cloud apps; PR & Marketing; Daily Work & Operations; Paper & Print Devices]

Apply or adjust security controls specific to the data flow of your organization.

Regulatory Compliance Applicable to DevOps

Regulations

• Federal Risk and Authorization Management Program (FedRAMP)

  • Standardizes cloud security controls and control enhancements

  • FedRAMP template labeled CUI Compliant

• Controlled Unclassified Information (CUI); deadline December 31, 2017 for NIST SP 800-171 implementation under DFARS

  • FAR 52.204-21

  • DFARS 252.204-7012

• The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679); deadline May 2018 (applicable from 25 May 2018)

Compliance Standards

• NIST 800-53

• ISO/IEC 27001

• National Cybersecurity Framework

Why the Focus on DevOps?


The History of Compliance and Security

Security Applied

• Security has gone from being an add-on, to being incorporated, to being the mindset

• With DevOps and compliance, the requirement now includes:

  • A coordinated approach to uploads to third parties like GitHub

  • Dynamic and static code testing, along with the processes around them

  • Automated approval capabilities for changes and version upgrades

  • Signed certificates

How to Tailor DevOps for Compliance?

1. Policies

2. Handling Exceptions

4. Service Catalogs

5. Orchestration

6. Rein in Shadow IT

7. Tools (automation)

How to Tailor DevOps for Compliance?

• Align DevOps with the corporate security policies

• Automate processes to continually review development, testing, ops, and security

• Create a Service Catalog / pre-defined system images

  • Use it as the one-stop shop for all teams (Dev, Test, and Modeling)

• Use containers and microservices to facilitate standardization and deployment

• Always use APIs

By the Numbers

1. Policies

2. Handling Exceptions

4. Service Catalogs

5. Orchestration

6. Rein in Shadow IT

7. Tools (automation)

Consider

• Dev, QA & IT have similar skill sets and desire similar control

  • Determine by policy

  • Look for enablers

• Focus on data privacy and auditability

• Secure both the code and the environment

• Better compliance through automation

• Evidence of software code analysis is needed for compliance
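The practices the deck keeps returning to (static and dynamic code testing with automated approvals on the "Security Applied" slide; policies and handling exceptions in the numbered list; automation and evidence of code analysis in the bullets above) can be combined into a single release gate. The block below is an added example written for this page, not EmeSec's tooling or any vendor's product. The findings, the policy, the exception register, the commit id and the signing key are all constructed, and the HMAC stands in for whatever signing step a real CI system would perform with a key it holds.

```python
"""Policy-as-code release gate with auditable evidence.

Added example for this page; not EmeSec's or any vendor's tooling. Findings,
policy, exception register, commit id and signing key are all constructed.
"""
import hashlib
import hmac
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: what static (SAST) and dynamic (DAST) analysis steps
# might report for one commit.
SAMPLE_FINDINGS = [
    {"id": "SAST-0001", "rule": "hardcoded-secret", "severity": "high", "file": "app/config.py"},
    {"id": "SAST-0002", "rule": "sql-injection", "severity": "critical", "file": "app/db.py"},
    {"id": "DAST-0007", "rule": "missing-hsts", "severity": "medium", "file": "-"},
]

# Constructed policy: the highest severity allowed to ship without a review.
SAMPLE_POLICY = {"max_unreviewed_severity": "medium"}

# Constructed exception register: a waiver counts only if it names an approver,
# a ticket and an expiry, so an auditor can trace every finding that was waived.
SAMPLE_EXCEPTIONS = [
    {"finding_id": "SAST-0001", "approver": "ciso@example.test",
     "ticket": "RISK-42", "expires": "2099-01-01"},
]


def _as_date(today):
    return date.fromisoformat(today) if today else date.today()


def active_exceptions(exceptions, today=None):
    """Return waivers that are complete (approver + ticket) and not expired, keyed by finding id."""
    day = _as_date(today)
    active = {}
    for exc in exceptions:
        if not (exc.get("approver") and exc.get("ticket")):
            continue  # an unattributed waiver is not an exception; it is shadow IT
        if date.fromisoformat(exc["expires"]) < day:
            continue  # expired waivers fall back to the policy
        active[exc["finding_id"]] = exc
    return active


def evaluate(findings, policy, exceptions, today=None):
    """Apply the policy: anything above the threshold blocks unless a valid exception covers it."""
    limit = SEVERITY_RANK[policy["max_unreviewed_severity"]]
    waivers = active_exceptions(exceptions, today)
    blocking, waived = [], []
    for finding in findings:
        if SEVERITY_RANK[finding["severity"]] <= limit:
            continue
        if finding["id"] in waivers:
            waived.append({**finding, "exception": waivers[finding["id"]]})
        else:
            blocking.append(finding)
    return {"approved": not blocking, "blocking": blocking, "waived": waived}


def evidence_record(commit, decision, findings, policy, exceptions, signing_key, today=None):
    """Tie the decision to a digest of its inputs and authenticate the record.

    The HMAC stands in for whatever signing the CI system really does with a
    key it holds; that is an assumption of this example, not a product feature.
    """
    inputs = json.dumps(
        {"findings": findings, "policy": policy, "exceptions": exceptions}, sort_keys=True
    )
    record = {
        "commit": commit,
        "date": _as_date(today).isoformat(),
        "inputs_sha256": hashlib.sha256(inputs.encode()).hexdigest(),
        "approved": decision["approved"],
        "blocking_ids": [f["id"] for f in decision["blocking"]],
        "waived_ids": [f["id"] for f in decision["waived"]],
    }
    payload = json.dumps(record, sort_keys=True).encode()
    record["hmac_sha256"] = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return record


def verify_evidence(record, signing_key):
    """Recompute the tag over everything but the tag itself; False means the record was altered."""
    body = {k: v for k, v in record.items() if k != "hmac_sha256"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("hmac_sha256", ""))


if __name__ == "__main__":
    key = b"ci-evidence-key-demo"  # constructed; a real key lives in the CI secret store
    decision = evaluate(SAMPLE_FINDINGS, SAMPLE_POLICY, SAMPLE_EXCEPTIONS, "2024-01-01")
    record = evidence_record("abc123", decision, SAMPLE_FINDINGS, SAMPLE_POLICY,
                             SAMPLE_EXCEPTIONS, key, "2024-01-01")
    print(json.dumps(record, indent=2))
    print("evidence verifies:", verify_evidence(record, key))
```

With the constructed inputs the gate denies the release: the critical SQL injection finding has no waiver, the high-severity hardcoded secret is waived by a dated, ticketed exception, and the medium finding sits under the policy threshold. The evidence record carries the digest of every input that produced the decision, so an auditor can confirm later which policy, which findings and which waivers were in force, and the human review the summary slide asks for can focus on the waived and blocking items rather than on re-running the scan.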

Summarizing DevOps for Regulatory Compliance

• DevOps is now the mindset of business; it is the expected and needed practice for cloud, IoT, and the future digitalized ecosystem

• Security and compliance must be part of the mindset/culture

• DevOps must primarily be DevSecOps

• The design should protect the application, the IP, the customer and the entity from a due diligence perspective

• Use auditing and evidence as the practice for determining the strength of compliance

• Choose automation whenever you can

• Use human review for further analysis on summary findings, repeated alerts, and/or other issues

• NIST, ISO standards, FedRAMP, and EU GDPR all reflect this thinking

• @EmeSec

• @mariahorton

• Phone: 703.429.4492/4491

• Email: [email protected]

Continue the Conversation
