© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Keeping Developers and Auditors Happy in the Cloud
Brian Wagner, Solutions Architect, AWS Germany
18 May, Taiwan Summit
The Cloud from a Developer Perspective
The Cloud from an Auditor Perspective
The Problem
Incentives and Perspectives
Developers
  Incentives: speed; features
  Want: freedom to innovate; new technology
Auditors
  Incentives: compliance with regulatory obligations; verifiable processes
  Want: well-known technology; predictability and stability
The Solution
“You build it, you run it.” -Werner Vogels, Amazon CTO (June 2006)
Traditional Deployment
Diagram: developers → delivery pipeline (build, test, release) → stack
Diagram: developers → many delivery pipelines (build, test, release) → services
You Build It, You Run It
AWS Assurance Programs
How Does that Help?
Four Pillars
1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization
Four Pillars
1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization
Vulnerability Management
Data Backups
Traditional Data Backup
Diagram: corporate data center (server → database → disk → tape storage) with a backup data center/media storage provider holding disk and tape copies
Data Backup in the Cloud
Diagram: RDBMS → Amazon EBS volume; Cassandra → Amazon S3 bucket; copies to an S3 bucket in another region, an S3 bucket in another account, or non-AWS cloud storage
Cloud backup
Four Pillars
1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization
Common Audit Requirements for Software Development
Review changes. Track changes. Test changes. Deploy only approved code.
For all actions: Who did it? When?
AWS Config
AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
Diagram: changing resources → continuous change recording (AWS Config) → history, stream, snapshot (e.g. 2014-11-05)
Audit logs for all operations: store/archive, troubleshoot, monitor & alarm
You are making API calls on a growing set of AWS services around the world, and CloudTrail is continuously recording those API calls.
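The audit questions from the previous slide ("Who did it? When?") are answered from the records CloudTrail writes. The following is an added example, not code from the talk or from AWS: it reads records in the CloudTrail log-file JSON layout (a top-level "Records" list), turns each API call into an audit entry, flags write calls and denied calls, and summarises activity per actor. The records are constructed sample data; the account id, ARNs, group id and IP addresses in them are placeholders.

```python
"""Answer the auditor's "who did it, and when?" from CloudTrail records.

Added example, not from the talk or AWS. Reads the CloudTrail log-file
JSON layout (top-level "Records" list). The sample records are
constructed; account id, ARNs, group id and IP addresses are placeholders.
"""
import json
from collections import Counter

# Constructed sample log file: two successful calls and one denied call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-05-18T09:12:44Z",
     "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"groupId": "sg-0example1"}},
    {"eventTime": "2016-05-18T09:15:02Z",
     "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2016-05-18T09:20:31Z",
     "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: iam:CreateUser",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/deploy-role/build-42",
                      "sessionContext": {"sessionIssuer": {"userName": "deploy-role"}}}},
]})

# API names with these prefixes only read state; everything else changes it.
READ_PREFIXES = ("Describe", "List", "Get", "Head", "Lookup")


def actor_name(identity):
    """Reduce a userIdentity block to a human-readable principal name."""
    kind = identity.get("type")
    if kind == "IAMUser":
        return identity.get("userName", "?")
    if kind == "AssumedRole":
        # ARN layout: arn:aws:sts::<account>:assumed-role/<role>/<session>
        arn = identity.get("arn", "")
        if ":assumed-role/" in arn:
            return arn.split(":assumed-role/", 1)[1]
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("userName", "?")
    if kind == "Root":
        return "root"
    return kind or "?"


def is_write_call(event_name):
    """Heuristic: anything that is not a read-style API name changes state."""
    return not event_name.startswith(READ_PREFIXES)


def audit_trail(log_text):
    """Parse a CloudTrail log file and return one audit entry per API call."""
    entries = []
    for rec in json.loads(log_text)["Records"]:
        entries.append({
            "when": rec["eventTime"],
            "who": actor_name(rec.get("userIdentity", {})),
            "action": rec["eventName"],
            "service": rec.get("eventSource", "").split(".")[0],
            "region": rec.get("awsRegion"),
            "source_ip": rec.get("sourceIPAddress"),
            "write": is_write_call(rec["eventName"]),
            "outcome": rec.get("errorCode", "Success"),
        })
    return entries


def summarize(entries):
    """Successful writes per actor, plus every denied call, for the audit report."""
    writes = Counter(e["who"] for e in entries
                     if e["write"] and e["outcome"] == "Success")
    denied = [e for e in entries if e["outcome"] != "Success"]
    return {"writes_by_actor": dict(writes), "denied": denied}


if __name__ == "__main__":
    trail = audit_trail(SAMPLE_LOG)
    for e in trail:
        print(f'{e["when"]} {e["who"]:<22} {e["service"]}:{e["action"]} '
              f'{"WRITE" if e["write"] else "read "} {e["outcome"]} from {e["source_ip"]}')
    print(summarize(trail))
```

The entry for the assumed role keeps both the role and the session name, because "deploy-role" alone does not say which pipeline run made the call; the denied list is worth alarming on, since a role attempting an IAM write it is not allowed to make is exactly the kind of event the "monitor & alarm" box on the AWS Config slide refers to.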
Four Pillars
1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization
DevOps
Infrastructure as Code is a practice whereby traditional infrastructure management techniques are supplemented, and often replaced, by code-based tools and software development techniques.
Infrastructure-as-code workflow
code → version control → code review → integrate
“It’s all software”
Development Lifecycle — DevOps
Diagram: developers → plan → build, test, release → customers → monitor → feedback loop back to developers
Delivery Pipeline
DevSecOps
Where to Start?
• Guidelines?
• Checklists?
• 1-pagers?
• 6-pagers?
• Full documents?
Security as Code
Security as Code is Easy with AWS
AWS provides all the APIs!
Programmatically test environments
Determine state of environment at a specific point in time
Repeatable processes
Scalable operations
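What "programmatically test environments" and "determine state of environment at a specific point in time" look like in practice, as an added example that is not code from the talk or from AWS: a point-in-time snapshot of resources is evaluated against rules, each rule reporting COMPLIANT or NON_COMPLIANT per resource in the style of an AWS Config rule, and the result becomes a gate in the delivery pipeline. The snapshot is a constructed, simplified stand-in for AWS Config configuration items (the resource ids are placeholders); in a real pipeline the items would be fetched through the AWS Config API instead of being defined inline.

```python
"""Security as code: test the state of an environment against rules.

Added example, not from the talk or AWS. SNAPSHOT is a constructed,
simplified stand-in for AWS Config configuration items; resource ids
are placeholders. Each rule returns (compliance, annotation) the way an
AWS Config rule evaluation does.
"""

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}          # SSH and RDP

# Constructed snapshot: two security groups and two EBS volumes.
SNAPSHOT = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example1",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example2",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example1",
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example2",
     "configuration": {"encrypted": True}},
]


def _opens_admin_port(perm):
    """True if one ingress permission exposes an admin port to the world."""
    sources = {r.get("cidrIp") for r in perm.get("ipRanges", [])}
    sources |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    if not sources & ANYWHERE:
        return False
    if perm.get("ipProtocol") == "-1":        # all protocols, all ports
        return True
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    lo = 0 if lo is None else lo
    hi = 65535 if hi is None else hi
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def rule_no_admin_ports_from_anywhere(item):
    perms = item["configuration"].get("ipPermissions", [])
    if any(_opens_admin_port(p) for p in perms):
        return "NON_COMPLIANT", "SSH/RDP reachable from any address"
    return "COMPLIANT", ""


def rule_volume_encrypted(item):
    if item["configuration"].get("encrypted"):
        return "COMPLIANT", ""
    return "NON_COMPLIANT", "EBS volume is not encrypted"


# (rule name, resource type the rule applies to, evaluation function)
RULES = [
    ("no-admin-ports-from-anywhere", "AWS::EC2::SecurityGroup",
     rule_no_admin_ports_from_anywhere),
    ("ebs-volume-encrypted", "AWS::EC2::Volume", rule_volume_encrypted),
]


def evaluate(snapshot, rules=RULES):
    """Run every applicable rule over every item; one result per (rule, resource)."""
    results = []
    for name, rtype, fn in rules:
        for item in snapshot:
            if item["resourceType"] != rtype:
                continue
            compliance, note = fn(item)
            results.append({"rule": name, "resourceId": item["resourceId"],
                            "compliance": compliance, "annotation": note})
    return results


def non_compliant(results):
    """Set of (rule, resourceId) pairs that failed."""
    return {(r["rule"], r["resourceId"])
            for r in results if r["compliance"] == "NON_COMPLIANT"}


def pipeline_gate(results):
    """The deploy stage passes only when nothing is NON_COMPLIANT."""
    return not non_compliant(results)


if __name__ == "__main__":
    res = evaluate(SNAPSHOT)
    for r in res:
        print(f'{r["rule"]:<30} {r["resourceId"]:<14} {r["compliance"]} {r["annotation"]}')
    print("gate:", "PASS" if pipeline_gate(res) else "FAIL")
```

Because the rules are ordinary functions in the repository, they go through the same version control and code review as the application, which is what lets an auditor verify the process rather than a one-off checklist; running the same evaluation on every snapshot gives the repeatable, point-in-time answer the slide asks for.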
Development Lifecycle — DevOps
Diagram: developers → plan → build, test, release → customers → monitor → feedback loop back to developers
Delivery Pipeline
Security as Code
How Can We Learn DevSecOps?
Start Here
Security as Code? Security as Ops? Compliance Ops? Science?
Experiment: Automate Policy Governance
Experiment: Detection via Security Operations
Experiment: Compliance via DevSecOps Toolkit
Experiment: Science via Profiling
Dev + Sec + Ops = DevOps + Security
Four Pillars
1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization
amazon.com 2001
Traditional Deployment
Diagram: developers → delivery pipeline (build, test, release) → stack
Service-Oriented Architecture (SOA)
Single-purpose
Connect only through APIs
“Microservices”
amazon.com 2009
Example Microservice
amazon.com 2009
Two-pizza teams
Full ownership
Full accountability
Aligned incentives
“DevOps”
Diagram: developers → many delivery pipelines (build, test, release) → services
You Build It, You Run It
Keep Developers and Auditors Happy
Thank You
Brian Wagner, Solutions Architect, AWS Germany
18 May, Taiwan Summit