Compliance & Cost Controlling
Tung Nguyen (tung@fossil.com)
(Nov 19, 2016)
What's on for today
A sharing from a Misfit insider on:
Cost controlling
Compliance: PCI, ISO 27001, HIPAA
In a storytelling manner
Not a “how-to,” more of a “how it has been” (aka “how my life has been effed up”)
Terms
“Cost” means “Cloud cost”
“ISO” means “ISO/IEC 27001”
About Misfit ...
Around since 2011, now part of the Fossil Group family
… and the speaker
A Misfit DevOps engineer for ~3 years
Cost Controlling
(very short list)
Lessons learned
Separate AWS accounts for different environments
Tag your resources
Decide which tags by asking yourself, e.g.:
How much does this project cost?
How much does this team cost?
Who is handling this specific resource?
---> each question suggests a tag
Lessons learned (cont.)
Simplify conversations with non-AWS folks, e.g.:
use an approximate, easily understood unit cost: dollars per EC2-hour
EC2 cost last month: $1.3K
EC2 hours last month: 7K hours
Approx. EC2 unit cost: 1.3K / 7K ≈ 0.19 $/hour
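The two lessons above (tag by project/team/owner, then talk in dollars per EC2-hour) worked through on a constructed monthly cost export. This is an added example, not code from the talk; the rows, tag names and figures are made up, with the EC2 rows chosen to add up to the slide's 7K hours and $1.3K.

```python
"""Tag-based cost allocation and an approximate EC2 unit cost.

Added example; not code from the talk. The rows below are constructed to
look like a simplified monthly cost export (one row per resource) carrying
the resource tags the talk asks for: project, team, owner.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# "How much does this project/team cost?" and "who is handling this
# resource?" map to these three tags (assumed names).
REQUIRED_TAGS = ("project", "team", "owner")
UNTAGGED = "(untagged)"

# Constructed sample data, not real billing figures.
SAMPLE_ROWS: List[dict] = [
    {"resource": "i-0aaa111", "service": "AmazonEC2", "usage_hours": 2000.0,
     "cost_usd": 400.0,
     "tags": {"project": "shine", "team": "backend", "owner": "alice"}},
    {"resource": "i-0bbb222", "service": "AmazonEC2", "usage_hours": 3000.0,
     "cost_usd": 500.0,
     "tags": {"project": "shine", "team": "data", "owner": "bob"}},
    {"resource": "i-0ccc333", "service": "AmazonEC2", "usage_hours": 1500.0,
     "cost_usd": 300.0,
     "tags": {"project": "pay", "team": "backend", "owner": "alice"}},
    # An instance someone launched by hand, with no tags at all.
    {"resource": "i-0ddd444", "service": "AmazonEC2", "usage_hours": 500.0,
     "cost_usd": 100.0, "tags": {}},
    # A database with project and team, but nobody named as owner.
    {"resource": "db-pay-1", "service": "AmazonRDS", "usage_hours": 720.0,
     "cost_usd": 250.0, "tags": {"project": "pay", "team": "data"}},
]


def missing_tags(row: dict) -> List[str]:
    """Required tags this resource lacks (an empty value counts as missing)."""
    tags = row.get("tags", {})
    return [t for t in REQUIRED_TAGS if not tags.get(t)]


def cost_by_tag(rows: Iterable[dict], tag: str) -> Dict[str, float]:
    """Total cost per value of one tag. Resources without that tag go into
    the "(untagged)" bucket so the money does not silently disappear."""
    totals: Dict[str, float] = defaultdict(float)
    for row in rows:
        key = row.get("tags", {}).get(tag) or UNTAGGED
        totals[key] += row["cost_usd"]
    return dict(totals)


def cost_missing_tags(rows: Iterable[dict]) -> float:
    """Spend that cannot be fully attributed because a required tag is missing."""
    return sum(r["cost_usd"] for r in rows if missing_tags(r))


def ec2_unit_cost(rows: Iterable[dict]) -> Optional[float]:
    """Dollars per EC2-hour: total EC2 cost / total EC2 hours.
    Returns None when there were no EC2 hours (a fresh or idle account)."""
    ec2 = [r for r in rows if r["service"] == "AmazonEC2"]
    hours = sum(r["usage_hours"] for r in ec2)
    if hours == 0:
        return None
    return sum(r["cost_usd"] for r in ec2) / hours


def main() -> None:
    for tag in ("project", "team"):
        print(f"cost by {tag}:", cost_by_tag(SAMPLE_ROWS, tag))
    print("cost with missing tags:", cost_missing_tags(SAMPLE_ROWS))
    for row in SAMPLE_ROWS:
        if missing_tags(row):
            print(f"  {row['resource']} is missing {missing_tags(row)}")
    unit = ec2_unit_cost(SAMPLE_ROWS)
    print(f"approx. EC2 unit cost: {unit:.2f} $/hour")


if __name__ == "__main__":
    main()
```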
Lessons learned (cont.)
Never underestimate third parties for cost management / cloud governance
Spend $2K to save $10K, why not?
These vendors have their own ways of evaluating, and they make guarantees
Cost controlling? ‘Nuff said.
Compliance
Why compliance?
[Cartoon, WHEN NON-COMPLIANT. YOU, to a POTENTIAL CLIENT: “We have a secure environment, for the organization in general, and the development team specifically. We protect customer data by encrypting … ^%& $#$ % )(*&*&” POTENTIAL CLIENT: “Well …. Let’s see how it REALLY is ...”]
[Cartoon, WHEN COMPLIANT. YOU: “We are PCI complia...” POTENTIAL CLIENT: “SHUT UP AND TAKE MY !!!”]
Protecting your business
Getting better business deals
What is ...
ISO/IEC 27001
(International Organization for Standardization / International Electrotechnical Commission 27001)
A management framework to protect business-critical information
Via a set of control areas, for example:
Information Security Policies
Organization of Information Security
Human Resource Security
Asset management
Access control
What is ...
PCI DSS
(Payment Card Industry Data Security Standard)
A proprietary information security standard for organizations that handle
branded credit cards (e.g., Visa, MasterCard, American Express, Discover, JCB)
The goal is to increase controls around cardholder data to reduce credit card fraud, by ensuring that ALL companies that process, store or transmit credit card information maintain a secure environment
What is ...
HIPAA
(Health Insurance Portability and Accountability Act)
The US law to protect the confidentiality and security of healthcare information
Further background: applies to the United States, signed into law in 1996
Our understanding: Personally Identifiable Information (PII) & Protected Health Information (PHI) need to be protected
In one line each:
ISO protects your business information
PCI protects payment card data
HIPAA protects health and personal data
Common approach
1. Form a compliance team
(with or without a consultant)
2. Conduct a gap assessment
3. Identify sub-projects and personnel
4. Implement
5. Maintain
(documents and evidence are needed)
6. Assess for compliance
(by an independent qualified assessor)
How we do it (ISO, PCI and HIPAA overlap)
● Prioritize and work on the projects/items the standards have in common first
● Deal with the rest later
Examples:
● Server/software patching process (ISO & PCI)
● Data encryption (HIPAA & ISO)
What we do (the same six steps as the common approach; the next slides detail step 4)
What we do (#4. Implementation)
Build up a UTM (Unified Threat Management) system: VPN, IDS/IPS (Intrusion Detection/Intrusion Prevention Systems)
Eliminate public IP addresses of EC2 instances
Perform access control for AWS environments, servers, databases, systems
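A check for the "eliminate public IP addresses of EC2 instances" item above, as an added example that is not code from the talk: it walks the JSON shape that `aws ec2 describe-instances` (and boto3's `describe_instances()`) returns and reports every instance that still has a public address. The inventory is constructed, using RFC 5737 documentation addresses and made-up instance ids.

```python
"""Audit an EC2 inventory for instances that still expose a public IP.

Added example; not code from the talk. Input is the describe-instances JSON
shape (Reservations -> Instances -> NetworkInterfaces). The inventory below
is constructed: documentation IP ranges and invented ids.
"""
import json
from typing import Dict, List

SAMPLE_INVENTORY = {
    "Reservations": [
        {"Instances": [
            # Auto-assigned public IP on the primary interface.
            {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
             "PublicIpAddress": "203.0.113.10",
             "Tags": [{"Key": "Name", "Value": "web-1"},
                      {"Key": "project", "Value": "shine"}],
             "NetworkInterfaces": [
                 {"NetworkInterfaceId": "eni-0a", "PrivateIpAddress": "10.0.1.4",
                  "Association": {"IpOwnerId": "amazon",
                                  "PublicIp": "203.0.113.10"}}]},
            # Private only: the state we want every instance in.
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "api-1"}],
             "NetworkInterfaces": [
                 {"NetworkInterfaceId": "eni-0b", "PrivateIpAddress": "10.0.1.5"}]},
        ]},
        {"Instances": [
            # Stopped, but an Elastic IP on a secondary ENI stays attached.
            {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"},
             "Tags": [{"Key": "Name", "Value": "bastion"}],
             "NetworkInterfaces": [
                 {"NetworkInterfaceId": "eni-0c", "PrivateIpAddress": "10.0.2.7"},
                 {"NetworkInterfaceId": "eni-0d", "PrivateIpAddress": "10.0.2.8",
                  "Association": {"IpOwnerId": "123456789012",
                                  "PublicIp": "203.0.113.25"}}]},
        ]},
    ]
}


def name_tag(instance: dict) -> str:
    """Value of the Name tag, or "" when the instance has none."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""


def public_ips(instance: dict) -> Dict[str, str]:
    """Map every public IP on the instance to how it got there.

    PublicIpAddress only covers the primary interface, so the network
    interfaces are walked too. An Association owned by "amazon" is an
    auto-assigned address (released on stop); any other owner id is an
    Elastic IP, which survives stop/start and must be disassociated.
    """
    found: Dict[str, str] = {}
    primary = instance.get("PublicIpAddress")
    if primary:
        found[primary] = "unknown"  # refined below when its ENI is seen
    for eni in instance.get("NetworkInterfaces", []):
        assoc = eni.get("Association") or {}
        ip = assoc.get("PublicIp")
        if ip:
            owner = assoc.get("IpOwnerId")
            found[ip] = "auto-assigned" if owner == "amazon" else "elastic-ip"
    return found


def audit_public_ips(inventory: dict) -> List[dict]:
    """One finding per instance that has any public IP. Stopped instances
    are deliberately not skipped, because Elastic IPs stay attached."""
    findings: List[dict] = []
    for reservation in inventory.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            ips = public_ips(inst)
            if ips:
                findings.append({
                    "instance_id": inst.get("InstanceId", ""),
                    "name": name_tag(inst),
                    "state": inst.get("State", {}).get("Name", ""),
                    "public_ips": ips,
                })
    return findings


if __name__ == "__main__":
    # For a live account: aws ec2 describe-instances > inventory.json, then
    # json.load() that file instead of SAMPLE_INVENTORY.
    print(json.dumps(audit_public_ips(SAMPLE_INVENTORY), indent=2))
```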
What we do (#4, cont.)
Adopt coding standards (e.g., OWASP Top 10, OWASP Secure Coding Practices)
Conduct annual training for employees on the standards
What we do (#4, cont.)
Collect and audit system logs
Vulnerability scanning/patching
Establish server/software patching process
Perform and keep track of vulnerability scans/pen tests
Remediate vulnerabilities found
Proactively patch our systems based on the security announcements
What we do (#4, cont.)
Review and control access to source code
The HR workflow is involved
Build golden images for employees’ computers
The same for servers
How to deal with the different requirements of different departments?
What we do (#4, cont.)
Office IT infrastructure
Other non-cloud, non-technical requirements
Door access control
HR, again
Paper shredders (wait, what?)
What we confront
The amount of work itself, and the time to complete it, of course
---> Careful planning and incremental work are needed
---> Review your progress and resources frequently
The awareness of other teams that do need to be involved
They simply don’t get what you are doing
They already have enough on their plate
---> Simple, repeated communication is the key
Names, please?
Example consultants
Example assessors
Individuals?
Thank you
Q&A
See ya!
organizerofv
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 

Cloudsolutionday 2016: Compliance and cost controlling on AWS

  • 2. What for today
    A sharing from a Misfit insider on
    Cost controlling
    Compliance: PCI, ISO 27001, HIPAA
    In a storytelling manner
    Not a “how-to,” more of a “how it has been” (aka. “how my life has been effed up”)
  • 3. Terms
    “Cost” means “Cloud cost”
    “ISO” means “ISO/IEC 27001”
  • 4. About Misfit ...
    Since 2011, now part of Fossil Group family
  • 5. … and the speaker
    Been a Misfit DevOps, for ~3 years
  • 7. Learned Lessons
    Separate AWS accounts for different environments
    Tag your resources
    By asking yourself, e.g.:
    How much does this project cost?
    How much does this team cost?
    Who is handling this specific resource?
    ---> suggested tags
  • 8. Learned Lessons (cont.)
    Simplify conversation with non-AWS folks, e.g.:
    using the approximate, understandable unit cost: dollars/EC2-hour
    EC2 cost last month: $1.3K
    EC2 hours last month: 7K hours
    Approx. EC2 unit cost: 1.3/7 = 0.19 $/hour
  • 9. Learned Lessons (cont.)
    Never underestimate 3rd parties for cost management / cloud governance
    Spend $2K to save $10K, why not?
    These vendors will have their ways of evaluating and making guarantees
  • 12. Why compliance?
    We have a secure environment, for the organization in general, and the development team specifically. We protect customer data by encrypting … ^%& $#$ % )(*&*&
    Well …. Let’s see how it REALLY is ...
    WHEN NON-COMPLIANT: YOU / POTENTIAL CLIENT
  • 13. Why compliance?
    We are PCI complia...
    SHUT UP AND TAKE MY !!!
    WHEN COMPLIANT: YOU / POTENTIAL CLIENT
  • 14. Why compliance?
    Protecting your business
    Getting better business deals
  • 15. What is ...
    ISO/IEC 27001 (International Organization for Standardization / International Electrotechnical Commission 27001)
    A management framework to protect business-critical information
    Via a set of control areas:
    Information Security Policies
    Organization of Information Security
    Human Resource Security
    Asset management
    Access control
  • 16. What is ...
    PCI DSS (Payment Card Industry Data Security Standard)
    A proprietary information security standard for organizations that handle branded credit cards (e.g., Visa, MasterCard, American Express, Discover, JCB)
    The goal is to increase controls around cardholder data to reduce credit card fraud by ensuring that ALL companies that process, store or transmit credit card information maintain a secure environment
  • 17. What is ...
    HIPAA (Health Insurance Portability and Accountability Act)
    The law to protect the confidentiality and security of healthcare information
    Further background: for the United States, signed into law in 1996
    Our understanding: Personally Identifiable Information (PII) & Protected Health Information (PHI) need to be protected
  • 19. ISO protects your business information; PCI protects payment card data; HIPAA protects health and personal data
  • 20. Common approach
    1. Form up a Compliance team (with/without a Consultant)
    2. Conduct gap assessment
    3. Identify sub-projects and personnel
    4. Implement
    5. Maintain (Documents, evidence needed)
    6. Assess for compliance (By an independent qualified assessor)
  • 21. How we do
    ISO PCI HIPAA
    ● Prioritize and work on the projects/items in common first
    ● Deal with the rest later
    Examples:
    ● Server/software patching process (ISO & PCI)
    ● Data encryption (HIPAA & ISO)
  • 22. What we do
    1. Form up a Compliance team (with/without a Consultant)
    2. Conduct gap assessment
    3. Identify sub-projects and personnel
    4. Implement
    5. Maintain (Documents, evidence needed)
    6. Assess for compliance (By an independent qualified assessor)
  • 23. What we do (#4. Implementation)
    Build up a UTM (Unified Threat Management) system
    VPN
    IDS/IPS (Intrusion Detection/Intrusion Prevention Systems)
    Eliminate public IP addresses of EC2 instances
    Perform access control for AWS environments, servers, databases, systems
  • 24. What we do (#4, cont.)
    Adapt coding standards (e.g., OWASP Top 10, OWASP Secure Coding Practices)
    Conduct annual training for employees on the standards
  • 25. What we do (#4, cont.)
    Collect and audit system logs
    Vulnerability scanning/patching
    Establish server/software patching process
    Perform and keep track of vulnerability scans/pen tests
    Remediate vulnerabilities found
    Proactively patch our systems based on the security announcements
  • 26. What we do (#4, cont.)
    Review and control access to source code
    HR workflow involved
    Build up golden images for employees’ computers
    The same for servers
    How to deal with different requirements of departments?
  • 27. What we do (#4, cont.)
    Offices’ IT infrastructure
    Other non-cloud, non-technical requirements
    Door access control
    HR, again
    Paper shredders (wait, what?)
  • 29. What we confront
    The amount of work itself, and time to complete, of course
    ---> Careful planning and incremental work needed
    ---> Review your progress and resources frequently
    The awareness of other teams who indeed need to be involved
    They simply don’t get what you are doing
    They already have enough on their plate
    ---> Simple, repeated communication is the key
  • 32. Q&A
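Two of the deck's controls, cost-allocation tagging (slide 7, with the unit-cost idea of slide 8) and no public IP addresses on EC2 instances (slide 23), can be checked from the same instance metadata. The block below is an added example, not the speaker's code: it audits records shaped like boto3 `describe_instances()` `Instances` entries (the sample data, required tag keys and hours are constructed) and rolls approximate cost up by the `Project` tag at the deck's 0.19 $/hour.

```python
from typing import Dict, Iterable, List

REQUIRED_TAGS = ("Project", "Team", "Owner")  # assumed required tag keys

# Constructed sample shaped like describe_instances() Instances entries.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0a", "Tags": [{"Key": "Project", "Value": "api"},
                                     {"Key": "Team", "Value": "backend"},
                                     {"Key": "Owner", "Value": "alice"}]},
    {"InstanceId": "i-0b", "PublicIpAddress": "203.0.113.10",
     "Tags": [{"Key": "Project", "Value": "web"}]},
    {"InstanceId": "i-0c"},  # no tags at all
]
# Constructed running hours per instance for last month.
SAMPLE_HOURS = {"i-0a": 720, "i-0b": 720, "i-0c": 300}


def tags_of(instance: dict) -> Dict[str, str]:
    """Flatten the AWS Key/Value tag list into a plain dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def audit_instance(instance: dict, required: Iterable[str] = REQUIRED_TAGS) -> List[str]:
    """Return findings for one instance; an empty list means compliant."""
    findings: List[str] = []
    missing = [k for k in required if k not in tags_of(instance)]
    if missing:
        findings.append("missing tags: " + ", ".join(missing))
    ip = instance.get("PublicIpAddress")
    if ip:  # slide 23: instances should not carry a public IP
        findings.append(f"public IP {ip}")
    return findings


def audit(instances, required=REQUIRED_TAGS) -> Dict[str, List[str]]:
    """Map each non-compliant InstanceId to its findings."""
    report: Dict[str, List[str]] = {}
    for inst in instances:
        findings = audit_instance(inst, required)
        if findings:
            report[inst["InstanceId"]] = findings
    return report


def cost_by_tag(instances, hours, unit_cost=0.19, key="Project") -> Dict[str, float]:
    """Attribute hours * unit cost to a tag value; untagged hours go to '(untagged)'."""
    totals: Dict[str, float] = {}
    for inst in instances:
        bucket = tags_of(inst).get(key, "(untagged)")
        totals[bucket] = totals.get(bucket, 0.0) + hours.get(inst["InstanceId"], 0) * unit_cost
    return {k: round(v, 2) for k, v in totals.items()}


if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE_INSTANCES).items():
        print(instance_id, "->", "; ".join(findings))
    print(cost_by_tag(SAMPLE_INSTANCES, SAMPLE_HOURS))
```

The "(untagged)" bucket is the number to show when arguing for the tagging policy: it is spend nobody can answer "how much does this project cost?" for.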

Editor's Notes

  • #5:
    FUTURE: Misfit finds its unique position as the futurist in the family
    FASHION: We see our position as being the perfect accessory to a fashionable life
    WELLNESS: Misfit has its origins in wellness, beginning with our initial fitness-based innovations. At our core, we are driven by the will to inspire change and improve lives—a far broader mission than fitness. We consider the entire picture: exercise, sleep, nutrition, and even the environment. Healthy living, sum total.
    INTELLIGENCE: Misfit is rooted in intelligence. We invest in the humans, the technology, and the data that drive our connection to the world around us. We inhale and exhale that intelligence—a constant dialogue of learning and teaching, giving and receiving, pushing and pulling—to drive the insights and inspirations of our next innovations.
  • #21: Depends on the specific organization; might need: Leadership awareness, Cost planning, etc.
  • #23: Cover implementation only
  • #30: Communication example: Code repository access management (“ISO requirements” vs. “protect our products”)