Cloud Security by Design: Tailoring DevOps for Regulatory Compliance
Maria C. Horton
Founder, CEO
CISSP-ISSMP, Cloud Essentials, IAM
EmeSec Incorporated ©2017
Who We Are
• EmeSec Incorporated
• Core services are in cloud, security, and engineering
• Compliance consulting
• An accredited FedRAMP 3PAO
• Leader in CUI Compliance
• Hold 4 ISO certifications:
  • ISO 9001:2008
  • ISO/IEC 20000-1:2011
  • ISO/IEC 27001:2013
  • ISO/IEC 17020:2012
Today’s Learning Objectives
• Attendees will explore, learn and discuss:
  • Planning DevOps to address regulatory requirements for cyber, cloud, CUI (DFARS), and privacy regulations such as the EU GDPR
  • Top 3 DevOps practices required by FedRAMP, CUI, and other sectors focusing on supply chain
  • DevOps and Compliance Auditing in the near future
Why the Emphasis?
• Today, every business is a digital business
• Due diligence is taking the effort to avoid harm or loss through reasonable care
• Liability almost always comes from not demonstrating due diligence
Diagram: Compliance, Due Diligence, Liability
The implications of non-compliance and diminished due diligence will likely result in unique privacy and commerce risks and liabilities
The DevOps Mindset Necessary for Business Digitalization and Compliance Security
Diagram: Data and Information Flow & Potential Leakage(s). Elements shown: Compliance Understanding; Data Center; Cloud apps; PR & Marketing; Daily Work & Operations; Paper & Print Devices
Apply or Adjust Security Controls Specific to the Data Flow of Your Organization
Regulatory Compliance Applicable to DevOps
Regulations
• Federal Risk Authorization and Management Program (FedRAMP)
  • Standardizes cloud security controls and control enhancements
  • FedRAMP template labeled CUI Compliant
• Controlled Unclassified Information (CUI); Deadline December 2017
  • FAR 52.204.21
  • DFARS 252.204.7012
• The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679); Deadline May 2018
Compliance Standards
NIST 800-53
ISO 27001
National Cybersecurity Framework
The History of Compliance and Security
Security Applied
• Security has gone from being an add-on, to being incorporated, to being the mindset
• With DevOps and compliance, the requirement now includes:
  • A coordinated approach to uploads to third parties like GitHub
  • Dynamic and static code testing, along with the supporting processes
  • Automated approval capabilities for changes and version upgrades
  • Signed certificates
How to Tailor DevOps for Compliance?
1. Policies
2. Handling Exceptions
4. Service Catalogs
5. Orchestration
6. Rein in Shadow IT
7. Tools (automation)
How to Tailor DevOps for Compliance?
• Align DevOps with the corporate security policies
• Automate processes to continually review development, testing, ops, and security
• Create a Service Catalog of pre-defined system images
  • Use it as a one-stop shop for all (Dev, Test, and Modeling)
• Use containers and microservices to facilitate standardization and deployment
• Always use APIs
Consider
• Dev, QA & IT have similar skill sets and desire similar control
• Determine by policy
• Look for enablers
• Focus on data privacy and auditability
• Secure both the code and the environment
• Better compliance through automation
• Evidence of software code analysis is needed for compliance
Summarizing DevOps for Regulatory Compliance
• DevOps is now the mindset of business; it is the expected and needed practice for cloud, IoT, and the future digitalized ecosystem
• Security and compliance must be part of the mindset/culture
• DevOps must primarily be DevSecOps
• The design should protect the application, the IP, the customer and the entity from a due diligence perspective
• Use auditing and evidence as the practice for determining the strength of compliance
• Choose automation whenever you can
• Use human review for further analysis on summary findings, repeated alerts, and/or other issues
• NIST, ISO Standards, FedRAMP, and EU-GDPR all reflect this thinking
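The practices listed under "The History of Compliance and Security" (static and dynamic testing, automated approval, signed changes, a catalog of pre-defined images) and the summary's call for evidence-based auditing with human review of repeated alerts can be combined into a single pipeline gate. The Python below is an added example, not EmeSec's or the presentation's code; the build records, the approved-image catalog and the review threshold are all constructed for illustration.

```python
import hashlib
import json

# Constructed sample of the evidence a pipeline might hand the gate: one record per build candidate.
SAMPLE_BUILDS = [
    {"build": "app-1042", "image": "catalog/python-base:3.11-hardened",
     "commit_signed": True, "sast": {"high": 0, "medium": 2}, "dast_passed": True},
    {"build": "app-1043", "image": "docker.io/random/ubuntu:latest",
     "commit_signed": False, "sast": {"high": 1, "medium": 0}, "dast_passed": True},
    {"build": "app-1044", "image": "catalog/nginx:1.25-hardened",
     "commit_signed": False, "sast": {"high": 0, "medium": 0}, "dast_passed": False},
]
# Constructed service catalog: the pre-defined system images a build is allowed to use.
APPROVED_IMAGES = {"catalog/python-base:3.11-hardened", "catalog/nginx:1.25-hardened"}
REVIEW_THRESHOLD = 2  # a control that blocks this many builds in one run is escalated to a human

def evaluate(build, approved_images=APPROVED_IMAGES):
    """Return the failing control codes for one build; an empty list means the change is approved."""
    failures = []
    if build["image"] not in approved_images:
        failures.append("CATALOG")    # image is not from the pre-approved service catalog
    if not build["commit_signed"]:
        failures.append("SIGNATURE")  # change did not carry a verified signature
    if build["sast"]["high"] > 0:
        failures.append("SAST_HIGH")  # static analysis reported high-severity findings
    if not build["dast_passed"]:
        failures.append("DAST")       # dynamic test stage did not pass
    return failures

def evidence_record(build, failures):
    """Bundle the inputs and the decision into an audit record sealed with a SHA-256 digest."""
    body = {"build": build["build"], "approved": not failures, "failures": failures, "inputs": build}
    body["sha256"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return body

def verify_record(record):
    """Auditor-side check: recompute the digest over every field except the stored digest."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() == record["sha256"]

def run_gate(builds, review_threshold=REVIEW_THRESHOLD):
    """Gate every build, keep the evidence, and flag controls that fail repeatedly for human review."""
    records, counts = [], {}
    for build in builds:
        failures = evaluate(build)
        records.append(evidence_record(build, failures))
        for code in failures:
            counts[code] = counts.get(code, 0) + 1
    review = sorted(code for code, n in counts.items() if n >= review_threshold)
    return {"records": records, "needs_human_review": review}
```

Running `run_gate(SAMPLE_BUILDS)` approves only app-1042 and escalates SIGNATURE, the one control that blocked two builds, for human review.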
Continue the Conversation
• @EmeSec
• @mariahorton
• Phone: 703.429.4492/4491
• Email: [email protected]