© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shannon Lietz – Intuit – Sr. Manager, Cloud Security Engineering
Matt Bretan – AWS Professional Services – Senior Consultant
October 2015
SEC402
Enterprise Cloud Security via DevSecOps 2.0
Crawl. Walk. Run.
What to expect from this session
• Are you ready to adopt security so compelling it
changes how your company operates???
• Learn from our lessons and war stories.
• Gain knowledge about how to do DevSecOps at your
organization.
• Discover what we are doing to learn more!
…DevSecOps is an evolving story
Copyright © 2009 José-Manuel Benitos
[Chart: launches and updates per year, 2007 to 2015, with the values shown: 48, 61, 82, 159, 280, 514, ?]
Security, compliance, governance, and audit related launches and updates
AWS constantly innovating – driven by your needs
Cloud security Then and Now
[Diagram: From (UX): Human Interactions, Recon, Operations, Security Intelligence. To (API): Security Intelligence, Recon, Tools, Agents, Operations, Human Interactions]
Where are we today?
• DevSecOps is different and
addictive.
• Cloud attacks and
compromises are faster.
• Investing in native cloud
solutions.
• Doubling down on educating
security on AWS services.
• Focusing on attack modeling
and operationalizing security.
Since 2014:
+ 37 DevSecOps worldwide
+ 2k cloud security
+ 3 open-source projects underway
+ Full day of SecDevOps @RSA
+ Dedicated track for security in
Rugged DevOps @ Goto
How can I catch up? Quick recap?
Problem statement
• DevOps requires continuous deployments
• Fast decision making is critical to DevOps
success
• Traditional security just doesn’t scale or move
fast enough
Welcome, DevSecOps!
• Customer focused mindset
• Scale, scale, scale
• Objective criteria
• Proactive hunting
• Continuous detection and response
Bang
Head
Here
DevSecOps
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
Why is this so important? The Case for Change
• DevOps, Agile, and Scrum on the rise…
• Workload migrations to software defined environments…
• Mass adoption of the public cloud…
• Talent migration to progressive cloud companies…
• Startups have game-changing tech at their disposal…
• Competitive landscape is becoming fierce…
• The perimeter is no longer an option…
• Security, now more than ever, is an arms race…
The DevSecOps mindset
• Customer focus
• Open and transparent
• Iteration over perfection
• Hunting over reaction
• Hmmm → Wait a minute, this sounds like a
manifesto…insert shameless plug here:
http://www.devsecops.org
OK → Ready, Set, Crawl?
Where to start?
• Pontificate?
• Checklists?
• 1-pagers? 6-pagers?
Documents?
Security as code
Security as code is easy with AWS
AWS provides all the APIs!
• Programmatically test environments
• Determine state of environment at a
specific point in time
• Repeatable processes
• Scalable operations
How can we learn DevSecOps?
Start here? DevOps + Security → DevOps + DevSecOps
• Security as Code? → Experiment: Automate Policy Governance
• Security as Operations? → Experiment: Detection via Security Operations
• Compliance Operations? → Experiment: Compliance via DevSecOps Toolkit
• Science? → Experiment: Science via Profiling
Crawl demo
Lessons learned
• One and done does not work.
• Documenting decisions is useful but not enough.
• Traditional security tools make operating a cloud
environment challenging.
• Need to suspend disbelief.
• Enterprise cloud security is a big-data problem.
The “who” matters
Operations
Red team
Blue team
Developer
Security
Can I skip walking?
Why walking is important…
Imagine that you will need to support all of the facets of
security inline with development and operations at speed.
• Were your crawl experiments enough to generate DevSecOps
experts?
• Have you got the right level of operational maturity?
• Do you have an All Star Team or a Team of All Stars?
• Is your organization listening, participating, and fully engaged?
• Is collaboration and communication working well?
• Do you have it all figured out?
Are you ready to make these decisions?
On-Premises:
• Who is responsible? You (internal)
• Which minimal controls are needed? Physical Security, Secure Handling, Disposal
• Where does data transit and get stored? Company “Owned” Data Center Or Co-location
• What are the innovation benefits? Reduced Latency, Search Sensitive Data
• What are the potential risks? SQL Injection, Internal Threats, Mistakes, Phishing, Increased Friction, Slow
Partial On-Premises:
• Who is responsible? You (internal)
• Which minimal controls are needed? File Or Object Encryption For Sensitive Data, Physical Security, Secure Handling, Disposal
• Where does data transit and get stored? Any Compute & Transit, Data Store On Premises
• What are the innovation benefits? Speed, Reduced Friction, Search Sensitive Data
• What are the potential risks? Latency, SQL Injection, Internal Threats, Mistakes, Phishing, Increased Friction, Slow
Outsourced w/ No Indemnification:
• Who is responsible? You (internal)
• Which minimal controls are needed? File Or Object Encryption For Sensitive Data, Partner Security, SOC Attestation
• Where does data transit and get stored? Public Cloud, Free Services
• What are the innovation benefits? Speed, Reduced Friction, Evolving Patterns, Community
• What are the potential risks? Inability to Search Sensitive Data, SQL Injection, Internal Threats, Mistakes, Phishing, Unknown Gov’t Requests, Reduced Financial Responsibility
Outsourced w/ Partial Indemnification:
• Who is responsible? You + Partner (internal and partners)
• Which minimal controls are needed? File Or Object Encryption For Sensitive Data, Partner Security, SOC Attestation
• Where does data transit and get stored? SaaS, Private Cloud, Public Cloud, Free Services
• What are the innovation benefits? Speed, Reduced Friction, Evolving Patterns, Community
• What are the potential risks? Inability to Search Sensitive Data, SQL Injection, Internal Threats, Mistakes, Phishing, Unknown Gov’t Requests
Outsourced w/ Full Indemnification:
• Who is responsible? Partner (partners)
• Which minimal controls are needed? Partner Security, SOC Attestation
• Where does data transit and get stored? Managed Services, SaaS, Private Cloud
• What are the innovation benefits? Speed, Reduced Friction, Indemnification
• What are the potential risks? Inability to Search Sensitive Data, SQL Injection, Internal Threats, Mistakes, Phishing, Unknown Gov’t Requests
Or govern these policies?
{
  "Version": "2015-05-09",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:ChangePassword",
      "iam:GetAccountPasswordPolicy"
    ],
    "Resource": "*"
  }
}
Or hunt full stack security issues?
Or communicate simply and quickly?
Discover Evaluate Control Communicate
Or translate security like this?
# Every inline policy on the role that is not in the approved baseline (roledb)
(iam.client.list_role_policies(:role_name => role)[:policy_names] - roledb.list_policies(role)).each do |policy|
  # Show the diff against an empty document and warn before touching anything.
  # Note: URI.decode was removed in Ruby 3; use URI.decode_www_form_component there.
  if policydiff("{}", URI.decode(iam.client.get_role_policy(:role_name => role, :policy_name => policy)[:policy_document]), {:argv => ARGV, :diff => options.diff})
    log.warn("Deleting Policy \"#{policy}\", which is not part of the approved baseline.")
  end
  # Only remove the policy when not running in dry-run mode
  iam.client.delete_role_policy(:role_name => role, :policy_name => policy) unless options.dryrun
end
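A runnable version of the list / diff / delete flow above, added here as an example in Ruby that is not part of the original deck or the speakers' tooling; it also shows the "programmatically test environments" idea from the Security as code slide. The FakeIam stand-in, SAMPLE_POLICIES, BASELINE and the grade function are all assumptions constructed for this example; the audit defaults to a dry run and reports what it would remove.

```ruby
require 'json'
require 'uri'
# Approved baseline (constructed): the inline policy names each role may carry.
BASELINE = { 'app-role' => ['read-logs'] }

# Sample inline policies as IAM returns them, URL-encoded JSON (constructed).
SAMPLE_POLICIES = {
  'app-role' => {
    'read-logs' => URI.encode_www_form_component(
      '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["logs:GetLogEvents"],"Resource":"*"}]}'),
    'admin-all' => URI.encode_www_form_component(
      '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"*","Resource":"*"}}')
  }
}
# Hypothetical stand-in for Aws::IAM::Client: the three calls the audit needs,
# answered from the sample data so the script runs offline.
class FakeIam
  def initialize(policies)
    @policies = policies
  end
  def list_role_policies(role_name:)
    { policy_names: @policies.fetch(role_name, {}).keys }
  end
  def get_role_policy(role_name:, policy_name:)
    { policy_document: @policies.fetch(role_name).fetch(policy_name) }
  end
  def delete_role_policy(role_name:, policy_name:)
    @policies[role_name].delete(policy_name)
  end
end

# Report every inline policy outside the baseline with the actions it grants
# ("Statement" may be one object or a list); remove it only when dryrun is false.
def audit_role(iam, baseline, role, dryrun: true)
  live = iam.list_role_policies(role_name: role)[:policy_names]
  (live - baseline.fetch(role, [])).map do |policy|
    raw = iam.get_role_policy(role_name: role, policy_name: policy)[:policy_document]
    stmts = JSON.parse(URI.decode_www_form_component(raw))['Statement']
    stmts = [stmts] if stmts.is_a?(Hash)
    actions = stmts.flat_map { |s| Array(s['Action']) }
    warn "Policy \"#{policy}\" on #{role} is not in the approved baseline (grants: #{actions.join(', ')})"
    iam.delete_role_policy(role_name: role, policy_name: policy) unless dryrun
    { policy: policy, actions: actions, removed: !dryrun }
  end
end

# Account grade for the role: A with no drift, then B, C, D as unapproved policies accumulate.
def grade(findings)
  findings.empty? ? 'A' : %w[B C D][[findings.size - 1, 2].min]
end
```

Against a real account, replace FakeIam with Aws::IAM::Client and keep the dry run on until the baseline in source control is trusted.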
Account Grade: B
Heal Account?
Walk demo
Lessons learned
• A lot of this is not new.
• It’s hard work and ever evolving.
• Enterprise cloud security is a bigger big-data problem than
we originally thought…petabytes!!!!
• Keys to success:
• Detect and resolve security issues quickly.
• Use native security capabilities as much as possible.
• Enlist and enable the organization.
• Educate inline and break it into bite-size chunks.
Up and running in 2 weeks
Guiding principles
• DevSecOps is a journey, not a destination.
• Small security teams can make a profound impact.
• Organize around self-service and enablement.
• Translate security for the layperson.
• Perfection is the enemy…get rugged.
What does Running look like?
• Operating model and process
• Open contribution
• Tools and rules
Operating model and process
• Empower everyone to participate.
• Enlighten decision makers with insights.
• Don’t reinvent the wheel—use organizational tools.
• Lightweight process.
• Pivot! Pivot! Pivot!
• Iterate.
Open contribution
• Use source control and collaboration features to
ensure the right rules are being created.
• Engage everyone in your organization.
• Track and resolve defects transparently.
Ready to build your DevSecOps platform?
[Platform diagram: insights; security science; security tools & data; AWS accounts (S3, Glacier, EC2, CloudTrail); ingestion; threat intel]
Demo:
Enterprise cloud security in AWS
What Next?
• Take the DevSecOps Survey at devsecops.org.
• Join the DevSecOps LinkedIn group and get involved.
• Follow us on Twitter @devsecops.
• Give us feedback on the Enterprise Cloud Security How-To.
• Write an article for the DevSecOps community.
• Become a DevSecOps engineer.
• Spread the word!!!
Remember to complete
your evaluations!
Thank you!
@devsecops
Related sessions
SEC326 – Security Science Using Big Data
SEC312 – Reliable Design and Deployment of Security and Compliance
SEC316 – Harden Your Architecture with Security Incident Response Simulations (SIRS)
SEC308 – Wrangling Security Events in the Cloud