Winning Governance Strategies for the Technology Disruptions of our Time
ISACA South Florida Annual GRC Conference
June 22, 2018
Patrick Hannah, VP of Engineering, CloudHesive
About Me
• Who am I?
• What’s my background?
About CloudHesive
• Professional Services
– Assessment (Current environment, datacenter or cloud footprint)
– Strategy (Getting to the future state)
– Migration (Environment-to-cloud, Datacenter-to-cloud)
– Implementation (Point solutions)
– Support (Break/fix and ongoing enhancement)
• DevOps Services
– Assessment
– Strategy
– Implementation (Point solutions)
– Management (Supporting infrastructure, solutions or ongoing enhancement)
– Support (Break/fix and ongoing enhancement)
• Managed Security Services (SecOps)
– Encryption as a Service (EaaS) – encryption at rest and in flight
– End Point Security as a Service
– Threat Management
– SOC 2 Type 2 validated
• Next Generation Managed Services
– Leveraging our Professional, DevOps and Managed Security Services
– Single payer billing
– Intelligent operations and automation
– AWS Audited
Agenda
• Disruptive technology history
• Challenges faced in GRC by disruptive technologies
• Brief introduction to AWS
• Introduction to the Shared Responsibility Model, specifically for cloud computing and AWS
• Overview of AWS frameworks that security and compliance teams can use for GRC with technology disruptors
• Overview of AWS services that can be used to support GRC on AWS
• Overview of AWS reference architectures that align to a number of frameworks and use the AWS services above
• Conclusion
Disruptive Technology History
• Then
– Storage
– Communications
– Computing
– Transportation
– Manufacturing
– Discrete Components
• Now
– Social
– Mobile
– Analytics/Big Data/AI
– Cloud
– Smart Things/IoT
– Blockchain
Challenges faced in GRC by disruptive technologies
• Endpoints
– From a single, non-network-connected computing device to multiple devices (desktops, laptops, tablets, mobile phones) on mixed platforms
– Smart appliances (kitchen, TV, etc.), consumer IoT (smart home, Alexa, Dash, etc.), commercial/industrial IoT (environmental, manufacturing, etc.), also on mixed platforms
• Data
– Wider breadth of sources, formats and technologies to ingest, process, store, retrieve, analyze and display
– Growth in the four v’s (volume, variety, velocity and veracity)
• Policy
– Attempting to apply legacy policies to disruptive technologies
– Seen as not agile: slow to adopt disruptive technologies and slow to extend policy to them
• Shadow IT
– The nature of disruptive technologies supports their adoption by non-IT users
– Disruptive technologies tend to enable users to bypass traditional acquisition processes (and the controls attached to them)
Who is using AWS (US and Abroad)?
• Federal Government
• Government-Sponsored Enterprise
• State
• Local
• Higher Education
• K-12
• Non-Profit
• Private Sector
GovCloud
• Additional Assurance Programs Above and Beyond other AWS Regions
– ITAR
– FedRAMP ATO (High baseline for GovCloud, Moderate baseline for us-east/us-west)
– DoD SRG (Impact Levels 2, 4 and 5 for GovCloud; IL2 for us-east/us-west)
• General
– Separate Endpoints (FIPS 140-2 validated cryptographic modules)
– Separate Namespace (aws-us-gov ARN partition)
– Separate Authentication (linked to a standard, non-GovCloud account for billing purposes; no root account)
– 46 of the 127 AWS services available as of June 2018 (EC2 Classic not available)
– Access restricted to US persons (citizens and permanent residents)
• Physical Location
– Northwestern US
– Eastern US (forthcoming)
AWS Shared Responsibility Model
• AWS is responsible for security of the cloud (facilities, hardware, network, virtualization and managed-service software); the customer is responsible for security in the cloud (data, identity and access, OS patching, network and firewall configuration, encryption in transit and at rest)
Cloud Adoption Framework
• Perspectives
– Business
• Value Realization
– People
• Roles & Readiness
– Governance
• Prioritization & Control
– Platform
• Applications & Infrastructure
– Security
• Risk & Compliance
– Operations
• Manage & Scale
Well Architected Framework
• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Cost Optimization
General Design Principles
• Stop guessing your capacity needs
• Test systems at production scale
• Automate to make architectural experimentation easier
• Allow for evolutionary architectures
• Drive architectures using data
• Improve through game days
Operational Excellence
• Design Principles
– Perform operations as code
– Annotate documentation
– Make frequent, small, reversible changes
– Refine operations procedures frequently
– Anticipate failure
– Learn from all operational failures
• Best Practices
– Prepare
– Operate
– Evolve
Security
• Design Principles
– Implement a strong identity foundation
– Enable traceability
– Apply security at all layers
– Automate security best practices
– Protect data in transit and at rest
– Prepare for security events
• Best Practices
– Identity and Access Management
– Detective Controls
– Infrastructure Protection
– Data Protection
– Incident Response
Reliability
• Design Principles
– Test recovery procedures
– Automatically recover from failure
– Scale horizontally to increase aggregate system availability
– Stop guessing capacity
– Manage change in automation
• Best Practices
– Foundations
– Change Management
– Failure Management
Performance Efficiency
• Design Principles
– Democratize advanced technologies
– Go global in minutes
– Use serverless architectures
– Experiment more often
– Mechanical sympathy
• Best Practices
– Selection
– Review
– Monitoring
– Tradeoffs
Cost Optimization
• Design Principles
– Adopt a consumption model
– Measure overall efficiency
– Stop spending money on data center operations
– Analyze and attribute expenditure
– Use managed services to reduce cost of ownership
• Best Practices
– Cost-Effective Resources
– Matching Supply and Demand
– Expenditure Awareness
– Optimizing Over Time
Sample Implementation
• “NIST Quick Start” (AWS Quick Start reference deployment)
• Based on the NIST Cybersecurity Framework, SP 800-53 and SP 800-37
• Corresponding deployment guide + security controls matrix
• CIS and PCI variants available
• Good starting point
Supporting Services
• VPC: Security Groups (stateful, instance-level firewall) + NACLs (stateless, subnet-level firewall; return traffic must be allowed explicitly)
• VPC: Flow Logs (NetFlow-style records of accepted and rejected traffic, delivered to CloudWatch Logs)
• VPC: VGW (IPsec VPN and Direct Connect attachment) + Peering (VPC to VPC connectivity) + Endpoints (private connectivity to AWS services without traversing the Internet)
• VPC: NAT Gateway (outbound-only private to public IP address translation)
• Systems Manager Patch Manager: OS and above patching + compliance reporting
• Systems Manager Parameter Store: secure storage of configuration and secrets (e.g. service account credentials) as KMS-encrypted SecureString parameters
Supporting Services
• S3/Glacier: object and archive storage with IAM and bucket-policy access control, versioning, MFA-protected delete + policy-based retention (lifecycle rules, Glacier Vault Lock)
• CodeCommit/ECR: secure source code and container image repositories
• CodeDeploy/Run Command: “hands off” OS and configuration management + application deployment
• CloudWatch Logs: OS and above log management
• CloudWatch Events + Lambda: event-triggered code
• CloudTrail: audit trail of API calls, exportable as JSON to write-once (immutable) storage such as a versioned, access-restricted S3 bucket with log file integrity validation enabled
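CloudTrail and CloudWatch Logs are the raw material for the “Enable traceability” principle, but a trail nobody reads is not a detective control. The Python below is an added example, not code from the original deck: it runs four detective rules over a constructed CloudTrail log file (root account activity, successful IAM policy changes, CloudTrail tampering, and console logins without MFA). The account id, user names and watch lists are constructed for illustration; the field names follow the CloudTrail record format.

```python
"""Detective controls over CloudTrail records (added example, not from the deck).

SAMPLE_RECORDS is constructed to look like one CloudTrail log file as delivered
to S3 ({"Records": [...]}); only the fields the rules inspect are populated.
"""
import json
from typing import Callable, Dict, List, Tuple

# Constructed watch lists for this example; align them with your change-control policy.
IAM_CHANGE_EVENTS = {
    "CreateUser", "DeleteUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicyVersion", "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy",
}
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def is_root_activity(r: Dict) -> bool:
    # Same filter the CIS AWS Foundations metric filter uses: direct root use only,
    # not AWS services acting on the account's behalf.
    ident = r.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and r.get("eventType") != "AwsServiceEvent")


def is_iam_change(r: Dict) -> bool:
    # Only successful calls count; failed attempts carry an errorCode.
    return (r.get("eventSource") == "iam.amazonaws.com"
            and r.get("eventName") in IAM_CHANGE_EVENTS
            and "errorCode" not in r)


def is_trail_tamper(r: Dict) -> bool:
    return (r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in TRAIL_TAMPER_EVENTS)


def is_console_login_without_mfa(r: Dict) -> bool:
    return (r.get("eventName") == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")


RULES: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("ROOT_ACTIVITY", is_root_activity),
    ("IAM_CHANGE", is_iam_change),
    ("CLOUDTRAIL_TAMPER", is_trail_tamper),
    ("CONSOLE_LOGIN_NO_MFA", is_console_login_without_mfa),
]


def actor(r: Dict) -> str:
    ident = r.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def scan(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, eventID, summary) for every record that trips a rule."""
    findings = []
    for r in records:
        for name, matches in RULES:
            if matches(r):
                findings.append((name, r["eventID"],
                                 f"{r['eventTime']} {r['eventName']} by {actor(r)}"))
    return findings


def scan_log_file(text: str) -> List[Tuple[str, str, str]]:
    return scan(json.loads(text)["Records"])


ACCOUNT = "111111111111"  # constructed account id
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventTime": "2018-06-22T13:00:01Z", "eventType": "AwsConsoleSignIn",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": ACCOUNT, "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventTime": "2018-06-22T13:05:10Z", "eventType": "AwsApiCall",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": ACCOUNT},
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventID": "e3", "eventTime": "2018-06-22T13:07:42Z", "eventType": "AwsConsoleSignIn",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": ACCOUNT},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e4", "eventTime": "2018-06-22T13:09:00Z", "eventType": "AwsApiCall",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ReadOnly/ci"}},
    {"eventID": "e5", "eventTime": "2018-06-22T13:12:30Z", "eventType": "AwsApiCall",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": ACCOUNT},
     "requestParameters": {"name": "org-trail"}},
    {"eventID": "e6", "eventTime": "2018-06-22T13:15:00Z", "eventType": "AwsServiceEvent",
     "eventSource": "kms.amazonaws.com", "eventName": "RotateKey",
     "userIdentity": {"type": "Root", "accountId": ACCOUNT, "invokedBy": "AWS Internal"}},
]
SAMPLE_LOG = json.dumps({"Records": SAMPLE_RECORDS})

if __name__ == "__main__":
    for finding in scan_log_file(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Run against the sample, records e1, e2, e3 and e5 are reported and e4 (routine read-only call) and e6 (AWS acting on the account's behalf) are not. For real-time alerting rather than batch review, the same ROOT_ACTIVITY predicate is expressed as a CloudWatch Logs metric filter on the trail's log group: `{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }`, with an alarm on the resulting metric.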
Supporting Services
• Config: point-in-time snapshots and change history of configuration items, exportable as JSON to write-once (immutable) storage
• OpsWorks + Elastic Beanstalk: “hands off” infrastructure management
• CloudFormation: infrastructure automation described as JSON/YAML, version controllable
• IAM + Directory Service + SSO: standalone and federated AAA
• KMS: FIPS 140-2 validated cryptographic module integrated with various AWS services; supports automatic key rotation and import of your own key material (BYOK), optionally with an expiration time
• CloudHSM: FIPS 140-2 Level 3 validated, single-tenant HSM with PKCS#11 and JCE interfaces
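The IAM line above is the identity foundation the Well-Architected security pillar starts with, and the usual audit finding is a policy that grants far more than its owner needs. The linter below is an added example, not from the deck: it walks an IAM policy document and flags Allow statements with wildcard actions, Allow with NotAction, Resource "*" without a Condition, and privilege-escalation-capable actions granted on Resource "*". The sample policies, bucket name and escalation watch list are constructed for the example.

```python
"""IAM policy linter for least-privilege review (added example, not from the deck)."""
from typing import Dict, List

# Constructed, non-exhaustive list of actions that let a principal grant itself
# more access; on Resource "*" they deserve a second look.
ESCALATION_ACTIONS = {
    "iam:passrole", "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:putuserpolicy",
    "iam:putrolepolicy", "iam:updateassumerolepolicy", "iam:createaccesskey",
    "sts:assumerole",
}


def _as_list(value) -> list:
    # Policy grammar allows a single string/object or a list in Statement/Action/Resource.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _is_wildcard(action: str) -> bool:
    # "*" is every action; "s3:*" is every action of one service.
    return action == "*" or action.endswith(":*")


def lint_policy(policy: Dict) -> List[str]:
    """Return one human-readable finding per risky pattern in each Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid") or f"Statement[{i}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        wild = [a for a in actions if _is_wildcard(a)]
        if wild and "*" in resources:
            findings.append(f"{sid}: wildcard action(s) {wild} on Resource '*'")
        elif wild:
            findings.append(f"{sid}: wildcard action(s) {wild}")
        elif "*" in resources and "Condition" not in stmt:
            findings.append(f"{sid}: Resource '*' without a Condition")
        escalation = [a for a in actions if a.lower() in ESCALATION_ACTIONS]
        if escalation and "*" in resources:
            findings.append(
                f"{sid}: privilege-escalation-capable action(s) {escalation} on Resource '*'")
    return findings


# Constructed sample policies.
SAMPLE_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

SAMPLE_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-audit-reports",
                  "arn:aws:s3:::example-audit-reports/*"]},
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Action": "s3:PutObject", "Resource": "*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}

SAMPLE_ESCALATION = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["lambda:CreateFunction", "iam:PassRole"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in [("admin", SAMPLE_ADMIN), ("scoped", SAMPLE_SCOPED),
                         ("escalation", SAMPLE_ESCALATION)]:
        print(name, lint_policy(policy) or ["clean"])
```

The scoped policy passes; the deploy policy is flagged twice because `iam:PassRole` on `Resource: "*"` lets the caller hand any role, including an administrative one, to the Lambda function it creates. Treat the “Resource '*' without a Condition” finding as a review prompt rather than a failure: some actions (most `Describe*`/`List*` calls) do not support resource-level permissions and must use `*`.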
Supporting Services
• Certificate Manager: provisioning, storage and automatic renewal of TLS certificates
• WorkSpaces: managed virtual desktops, usable as a secure administrative bastion
• WAF: Layer 7 (HTTP) web application firewall
• Shield + Auto Scaling + ELB + CloudFront: DoS/DDoS protection
• Artifact: AWS audit reports (e.g. SOC, PCI) available on demand
• Tags: built-in asset + inventory marking and tracking on configuration items
• Service Catalog: predefined, approved configurations available to end users, can be integrated with an ITSM system
Enforcement
• AWS
– GuardDuty
– Inspector
– Macie
– Trusted Advisor
– Config Rules
– Various “Widgets”
• Third Party
– CIS-CAT
– CloudCheckr
– Alert Logic
– Tenable
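Config Rules is where the security groups and Config items listed under Supporting Services turn into enforcement: a custom rule is a Lambda function that receives a configuration item and reports COMPLIANT or NON_COMPLIANT back to Config. The code below is an added example, not the deck's, showing that logic for the classic finding: an admin port (SSH or RDP) reachable from the whole Internet. The evaluator is pure Python so it can be tested offline; `lambda_handler` shows how it would be wired to `put_evaluations`. The security group ids and rules are constructed; the camelCase key names follow the configurationItem shape for AWS::EC2::SecurityGroup as I understand it, and should be checked against your own Config snapshots.

```python
"""Custom AWS Config rule logic for world-open admin ports (added example, not from the deck)."""
import json
from typing import Dict, List, Tuple

ADMIN_PORTS = (22, 3389)               # SSH and RDP; constructed policy for this example
WORLD = {"0.0.0.0/0", "::/0"}


def _port_range(perm: Dict) -> Tuple[int, int]:
    # ipProtocol "-1" means every protocol and port; fromPort/toPort are then absent.
    if str(perm.get("ipProtocol")) == "-1":
        return 0, 65535
    return int(perm.get("fromPort", 0)), int(perm.get("toPort", 65535))


def _world_cidrs(perm: Dict) -> List[str]:
    # Config emits ipRanges as plain strings and ipv4Ranges/ipv6Ranges as objects;
    # accept both and de-duplicate.
    cidrs = [c for c in perm.get("ipRanges", []) if isinstance(c, str)]
    cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return sorted({c for c in cidrs if c in WORLD})


def open_admin_ports(sg_configuration: Dict) -> List[Tuple[int, str]]:
    """(port, cidr) pairs where an admin port is reachable from anywhere."""
    hits = set()
    for perm in sg_configuration.get("ipPermissions", []):
        lo, hi = _port_range(perm)
        for port in ADMIN_PORTS:
            if lo <= port <= hi:
                hits.update((port, cidr) for cidr in _world_cidrs(perm))
    return sorted(hits)


def evaluate(configuration_item: Dict) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    hits = open_admin_ports(configuration_item.get("configuration") or {})
    if not hits:
        return "COMPLIANT", "no admin port open to the world"
    detail = ", ".join(f"{port} from {cidr}" for port, cidr in hits)
    return "NON_COMPLIANT", f"admin port(s) exposed: {detail}"


def build_evaluation(ci: Dict, compliance: str, annotation: str) -> Dict:
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],        # Config caps annotations at 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when deployed as a configuration-change-triggered Config rule."""
    import boto3  # imported here so the evaluator stays importable offline
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate(ci)
    boto3.client("config").put_evaluations(
        Evaluations=[build_evaluation(ci, compliance, annotation)],
        ResultToken=event["resultToken"])


def _ci(sg_id: str, perms: List[Dict], status: str = "OK") -> Dict:
    # Constructed configuration item with just the fields the rule reads.
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": sg_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2018-06-22T12:00:00.000Z",
            "configuration": {"groupId": sg_id, "ipPermissions": perms}}


SAMPLE_OPEN = _ci("sg-0a1b2c3d", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                   "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipRanges": ["0.0.0.0/0"]}])
SAMPLE_OK = _ci("sg-0e5f6a7b", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                 "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
                                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}])
SAMPLE_ALL = _ci("sg-0c9d8e7f", [{"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]}])
SAMPLE_DELETED = _ci("sg-0d1e2f3a", [], status="ResourceDeleted")

if __name__ == "__main__":
    for ci in (SAMPLE_OPEN, SAMPLE_OK, SAMPLE_ALL, SAMPLE_DELETED):
        print(ci["resourceId"], *evaluate(ci))
```

The "all protocols from ::/0" case is the one that slips past rules that only look at `fromPort`, which is why the range check runs before the CIDR check. Pair a rule like this with an automated remediation (a CloudWatch Events target that revokes the offending ingress rule) only after the finding has been reviewed in a few real accounts; a bastion security group that legitimately allows 22 from a fixed corporate range is COMPLIANT here, but `0.0.0.0/0` on a bastion is exactly what the NIST Quick Start bastion host avoids.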
Conclusion
• AWS provides a number of services to support your frameworks + controls, in addition to core infrastructure (server + storage) capabilities.
• AWS provides guidance (in the form of the CAF and WAF) for organizations which do not have an existing framework to base their cloud adoption model on.
• Getting started on AWS is easy; with the free tier, you can experiment with a number of services without incurring significant cost.
• Adoption of AWS in your organization can be as easy or as hard as you want to make it; start simple and iterate.
Recommended Reading
• AWS Well Architected Framework
– https://aws.amazon.com/architecture/well-architected/
• AWS Cloud Adoption Framework
– https://aws.amazon.com/professional-services/CAF/
• AWS Cloud Transformation Maturity Model
– https://d0.awsstatic.com/whitepapers/AWS-Cloud-Transformation-Maturity-Model.pdf
• Shared Responsibility Model
– https://aws.amazon.com/compliance/shared-responsibility-model/
• Operational Checklists for AWS
– https://d1.awsstatic.com/whitepapers/aws-operational-checklists.pdf
• Introduction to Auditing the Use of AWS
– https://d1.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf
Further Learning
• Getting Started: https://aws.amazon.com/getting-started
• General Reference: http://docs.aws.amazon.com/general/latest/gr
• Global Infrastructure: https://aws.amazon.com/about-aws/global-infrastructure/
• FAQs: https://aws.amazon.com/faqs
• Documentation: https://aws.amazon.com/documentation/
• Architecture: https://aws.amazon.com/architecture
• Whitepapers: https://aws.amazon.com/whitepapers
• Security: https://aws.amazon.com/security
• Blog: https://aws.amazon.com/blogs
• Service Specific Pages: https://aws.amazon.com/service
• AWS Answers: https://aws.amazon.com/answers/
• AWS Knowledge Center: https://aws.amazon.com/premiumsupport/knowledge-center/
• SlideShare: http://www.slideshare.net/AmazonWebServices
• Github: https://github.com/aws and https://github.com/awslabs
Further Learning – Security
• https://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active-Directory-ADFS-and-SAML-2-0
• https://blogs.aws.amazon.com/security/post/Tx1LDN0UBGJJ26Q/How-to-Implement-Federated-API-and-CLI-Access-Using-SAML-2-0-and-AD-FS
• https://blogs.aws.amazon.com/security/post/Tx2KL0TCWFBBAB1/How-to-Use-a-Single-IAM-User-to-Easily-Access-All-Your-Accounts-by-Using-the-AWS
• https://blogs.aws.amazon.com/security/post/Tx1XWZ93EAFL9C4/How-to-Switch-Easily-Between-AWS-Accounts-by-Using-the-AWS-Management-Console-an
• https://blogs.aws.amazon.com/security/post/Tx4BUZIS3E2QG2/Make-a-New-Year-s-Resolution-Adhere-to-IAM-Best-Practices
• https://blogs.aws.amazon.com/security/post/TxASQFTVGZ5HMT/How-to-Receive-Alerts-When-Your-IAM-Configuration-Changes
• https://blogs.aws.amazon.com/security/post/Tx3PSPQSN8374D/How-to-Receive-Notifications-When-Your-AWS-Account-s-Root-Access-Keys-Are-Used
• https://blogs.aws.amazon.com/security/post/Tx3NVS2JAL7KWOM/How-to-Help-Prepare-for-DDoS-Attacks-by-Reducing-Your-Attack-Surface
• https://blogs.aws.amazon.com/security/post/Tx280RX2WH6WUD7/Remove-Unnecessary-Permissions-in-Your-IAM-Policies-by-Using-Service-Last-Access
• http://www.slideshare.net/AmazonWebServices/network-security-and-access-control-within-aws-54456790
• http://www.slideshare.net/AmazonWebServices/cloud-security-guidance-from-cesg-and-aws
Meetups
• Boca Raton: https://www.meetup.com/awsflorida/
• Doral: https://www.meetup.com/AWSUserGroupDoral/
• Fort Lauderdale: https://www.meetup.com/South-Florida-Amazon-Web-Services-Meetup/
• Jacksonville: https://www.meetup.com/AWS-User-Groups-of-Florida-Jacksonville/
• Miami: https://www.meetup.com/Miami-AWS-Users-Group/
• Miami Beach: https://www.meetup.com/aws-user-group-miami/
• Orlando: https://www.meetup.com/Orlando-AWS-Users-Group/
• Palm Beach Gardens: https://www.meetup.com/AWS-Users-Group-of-Florida-Palm-Beach-Gardens/
• Tampa: https://www.meetup.com/Tampa-AWS-Users-Group/
• Montevideo, Uruguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-AWS-en-Montevideo/
• Asuncion, Paraguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-en-Asuncion/
• South Florida Jenkins Area Meetup: https://www.meetup.com/South-Florida-Jenkins-Area-Meetup/

More Related Content

PPTX
Fort Lauderdale Tech Talks - The Future is the Cloud
PPTX
Operating and Managing Hybrid Cloud on AWS
PPTX
AWS 101 - An Introduction to the Amazon Cloud
PPTX
Big Data and Machine Learning on AWS
PPTX
AWS 2020 Year in Review reInvent ReCap
PPTX
From Monolithic to Modern Apps: Best Practices
PDF
AWS Technical Due Diligence Workshop Session Two
PPTX
AWS 101 and the benefits of Migrating to the Cloud
Fort Lauderdale Tech Talks - The Future is the Cloud
Operating and Managing Hybrid Cloud on AWS
AWS 101 - An Introduction to the Amazon Cloud
Big Data and Machine Learning on AWS
AWS 2020 Year in Review reInvent ReCap
From Monolithic to Modern Apps: Best Practices
AWS Technical Due Diligence Workshop Session Two
AWS 101 and the benefits of Migrating to the Cloud

Similar to Winning Governance Strategies for the Technology Disruptions of our Time (20)

PPTX
AWS Spotlight Series - Modernization and Security with AWS
PPTX
Build and Manage a Highly Secure Cloud Environment on AWS and Azure
PPTX
Security on AWS, 2021 Edition Meetup
PPTX
Security on AWS, 2021 Edition Meetup
PPTX
Best Practices in Secure Cloud Migration
PDF
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
PPTX
Security on AWS
PPTX
Building Bulletproof Infrastructure on AWS
PDF
AWS Architecture Fundamentals - Houston
PDF
AWS for Auditors
PPTX
NIST Cybersecurity Framework (CSF) on the Public Cloud
PPTX
Blue Chip Tek Connect and Protect Presentation #3
PPTX
5 minutes on security
PDF
AWS Cloud Security
PPTX
Cloud Security (AWS)
PDF
Cloud 101: Your Gateway to Computing Freedom With AWS
PDF
Migrate and Govern Applications on Cloud Infrastructure
PDF
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
PPTX
Adopting AWS in your organization - ITPalooza 2015
PPTX
Securing your Cloud Deployment
AWS Spotlight Series - Modernization and Security with AWS
Build and Manage a Highly Secure Cloud Environment on AWS and Azure
Security on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition Meetup
Best Practices in Secure Cloud Migration
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
Security on AWS
Building Bulletproof Infrastructure on AWS
AWS Architecture Fundamentals - Houston
AWS for Auditors
NIST Cybersecurity Framework (CSF) on the Public Cloud
Blue Chip Tek Connect and Protect Presentation #3
5 minutes on security
AWS Cloud Security
Cloud Security (AWS)
Cloud 101: Your Gateway to Computing Freedom With AWS
Migrate and Govern Applications on Cloud Infrastructure
Practical Cloud Security A Guide for Secure Design and Deployment 1st Edition...
Adopting AWS in your organization - ITPalooza 2015
Securing your Cloud Deployment
Ad

More from CloudHesive (20)

PPTX
CloudHesive x Datadog Multi Generational Observability
PPTX
Modernization of your AWS based SaaS platform - Short
PPTX
Modernization of your AWS based SaaS platform
PPTX
Serverless Generative AI on AWS, AWS User Groups of Florida
PPTX
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
PPTX
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
PPTX
Accelerating Business and Research Through Automation and Artificial Intellig...
PPTX
Amazon Connect Rethink Your Contact Center with CloudHesive.pptx
PPTX
ConnectPath Introduction
PDF
Modernize your contact center with ConnectPath CX v2.pdf
PDF
Modernize your contact center with ConnectPath CX — Chart.pdf
PPTX
End User Computing at CloudHesive.pptx
PPTX
Analytics at CloudHesive
PPTX
Supporting your CMMC initiatives with Sumo Logic
PDF
Best Practices and Resources to Effectively Manage and Optimize Your AWS Costs
PPTX
Serverless data and analytics on AWS for operations
PPTX
reInvent reCap 2022
PPTX
Serverless without Code (Lambda)
PDF
AWS Advanced Analytics Automation Toolkit (AAA)
PDF
AWS Control Tower
CloudHesive x Datadog Multi Generational Observability
Modernization of your AWS based SaaS platform - Short
Modernization of your AWS based SaaS platform
Serverless Generative AI on AWS, AWS User Groups of Florida
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Accelerating Business and Research Through Automation and Artificial Intellig...
Amazon Connect Rethink Your Contact Center with CloudHesive.pptx
ConnectPath Introduction
Modernize your contact center with ConnectPath CX v2.pdf
Modernize your contact center with ConnectPath CX — Chart.pdf
End User Computing at CloudHesive.pptx
Analytics at CloudHesive
Supporting your CMMC initiatives with Sumo Logic
Best Practices and Resources to Effectively Manage and Optimize Your AWS Costs
Serverless data and analytics on AWS for operations
reInvent reCap 2022
Serverless without Code (Lambda)
AWS Advanced Analytics Automation Toolkit (AAA)
AWS Control Tower
Ad

Recently uploaded (20)

PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
DOCX
The AUB Centre for AI in Media Proposal.docx
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
PDF
Approach and Philosophy of On baking technology
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
NewMind AI Monthly Chronicles - July 2025
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
cuic standard and advanced reporting.pdf
PPT
Teaching material agriculture food technology
Digital-Transformation-Roadmap-for-Companies.pptx
Unlocking AI with Model Context Protocol (MCP)
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
The AUB Centre for AI in Media Proposal.docx
Dropbox Q2 2025 Financial Results & Investor Presentation
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Reach Out and Touch Someone: Haptics and Empathic Computing
Diabetes mellitus diagnosis method based random forest with bat algorithm
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
20250228 LYD VKU AI Blended-Learning.pptx
Advanced methodologies resolving dimensionality complications for autism neur...
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
CIFDAQ's Market Insight: SEC Turns Pro Crypto
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
Approach and Philosophy of On baking technology
Mobile App Security Testing_ A Comprehensive Guide.pdf
NewMind AI Monthly Chronicles - July 2025
The Rise and Fall of 3GPP – Time for a Sabbatical?
cuic standard and advanced reporting.pdf
Teaching material agriculture food technology

Winning Governance Strategies for the Technology Disruptions of our Time

  • 1. Winning Governance Strategies for the Technology Disruptions of our Time ISACA South Florida Annual GRC Conference June 22, 2018 Patrick Hannah, VP of Engineering, CloudHesive
  • 2. About Me • Who am I? • What’s my background?
  • 3. About CloudHesive • Professional Services – Assessment (Current environment, datacenter or cloud footprint) – Strategy (Getting to the future state) – Migration (Environment-to-cloud, Datacenter-to-cloud) – Implementation (Point solutions) – Support (Break/fix and ongoing enhancement) • DevOps Services – Assessment – Strategy – Implementation (Point solutions) – Management (Supporting infrastructure, solutions or ongoing enhancement) – Support (Break/fix and ongoing enhancement) • Managed Security Services (SecOps) – Encryption as a Service (EaaS) – encryption at rest and in flight – End Point Security as a Service – Threat Management – SOC II Type 2 Validated • Next Generation Managed Services – Leveraging our Professional, DevOps and Managed Security Services – Single payer billing – Intelligent operations and automation – AWS Audited
  • 4. Agenda • Disruptive technology history • Challenges faced in GRC by disruptive technologies • Brief introduction to AWS • Introduction of Shared Responsibility models, specifically around Cloud Computing and AWS • Overview of AWS Frameworks that can be leveraged by Security and Compliance teams for GRC with technology disruptors • Overview of AWS Services that can be leveraged to support GRC on AWS • Overview of AWS Reference Architectures that align to a number of Frameworks and leverage the previously referenced AWS Services • Conclusion
  • 5. Disruptive Technology History • Then – Storage – Communications – Computing – Transportation – Manufacturing – Discreet Components • Now – Social – Mobile – Analytics/Big Data/AI – Cloud – Smart Things/IoT – Blockchain
  • 6. Challenges faced in GRC by disruptive technologies • Endpoints – From a single, non network connected computing device to multiple (desktops, laptops, tablets, mobile phones), mixed platforms – Smart Appliances (Kitchen, TV, etc.), Consumer IoT (Smart Home, Alexa, Dash, etc.), Commercial/Industrial IoT (Environmental, Manufacturing, etc.), also mixed platforms • Data – Wider breadth of sources, formats, and technologies to ingest, process, store, retrieve, analyze and display – Growth in the four v’s (volume, variety, velocity and veracity) • Policy – Attempting to apply legacy policies to disruptive technologies – Looked at as not agile/slow to adopt disruptive technologies/slow to apply to disruptive technologies • Shadow IT – The nature of disruptive technologies supports the adoption of them by non IT users – Disruptive technologies tend to be enablers to avoid traditional methods of acquisition
  • 7. Who is using AWS (US and Abroad)? • Federal Government • Government-Sponsored Enterprise • State • Local • Higher Education • K-12 • Non-Profit • Private Sector
  • 8. GovCloud • Additional Assurance Programs Above and Beyond other AWS Regions – ITAR – FedRAMP ATO (High for GovCloud, Medium for us-east/west) – DoD SRG (2,4,5 for GovCloud, 2 for us-east/west) • General – Separate Endpoints (utilize FIPS 140-2 approved cryptographic modules) – Separate Namespace – Separate Authentication (Tied to a non-GovCloud account for billing purposes - no Root Account) – 46 of the 127 AWS Services Available (EC2 Classic not Available) – US Citizen only Access • Physical Location – Northwestern US – Eastern US (forthcoming)
  • 10. Cloud Adoption Framework • Perspectives – Business • Value Realization – People • Roles & Readiness – Governance • Prioritization & Control – Platform • Applications & Infrastructure – Security • Risk & Compliance – Operations • Manage & Scale
  • 11. Well Architected Framework • Operational Excellence • Security • Reliability • Performance Efficiency • Cost Optimization
  • 12. General Design Principles • Stop guessing your capacity needs • Test systems at production scale • Automate to make architectural experimentation easier • Allow for evolutionary architectures • Drive architectures using data • Improve through game days
  • 13. Operational Excellence • Design Principles – Perform operations as code – Annotate documentation – Make frequent, small, reversible changes – Refine operations procedures frequently – Anticipate failure – Learn from all operational failures • Best Practices – Prepare – Operate – Evolve
  • 14. Security • Design Principles – Implement a strong identity foundation – Enable traceability – Apply security at all layers – Automate security best practices – Protect data in transit and at rest – Prepare for security events • Best Practices – Identity and Access Management – Detective Controls – Infrastructure Protection – Data Protection – Incident Response
  • 15. Reliability • Design Principles – Test recovery procedures – Automatically recover from failure – Scale horizontally to increase aggregate system availability – Stop guessing capacity – Manage change in automation • Best Practices – Foundations – Change Management – Failure Management
  • 16. Performance Efficiency • Design Principles – Democratize advanced technologies – Go global in minutes – Use serverless architectures – Experiment more often – Mechanical sympathy • Best Practices – Selection – Review – Monitoring – Tradeoffs
  • 17. Cost Optimization • Design Principles – Adopt a consumption model – Measure overall efficiency – Stop spending money on data center operations – Analyze and attribute expenditure – Use managed services to reduce cost of ownership • Best Practices – Cost-Effective Resources – Matching Supply and Demand – Expenditure Awareness – Optimizing Over Time
  • 18. Sample Implementation • “NIST Quickstart” • Based on Cybersecurity Framework, SP 800-53, SP 800-37 • Corresponding Guide + Controls Matrix • CIS and PCI Variants Available • Good starting point
  • 19. Supporting Services • VPC: Security Groups (Stateful Firewall) + NACLs (Stateless Firewall) • VPC: Flow Logs (NetFlow) • VPC: VGW (Point to Point and IPSEC Connectivity) + Peering (VPC to VPC Connectivity) + Endpoints (Private Connectivity to AWS Services) • VPC: NAT Gateway (Private to Public IP Address NAT’ing) • EC2: Patch Manager (OS and above patching + auditing) • EC2: Parameter Store (Secure Storage of Service Accounts)
  • 20. Supporting Services • S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention • Code Commit/ECS: Secure Application and Artifact Repository • Code Deploy/Run Command: “Hands off” OS and configuration management + application deployment • CloudWatch Logs: OS and above log management • CloudWatch Events + Lambda: Event triggered code • CloudTrail: Audit Trail, Exportable as JSON to idempotent storage
  • 21. Supporting Services • Config: Point in time snapshots of configuration items, Exportable as JSON to idempotent storage • OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management • CloudFormation: Infrastructure automation described as JSON/YAML, Version Controllable • IAM + Directory Service + SSO: Standalone and Federated AAA • KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS services, provides expiration and ability to provide self-generated cryptographic material • CloudHSM: FIPS 140-2 Certified cryptographic module with PKCS11 and JCE Interfaces
  • 22. Supporting Services • Certificate Manager: Secure Certificate Store • Workspaces: Secure Bastion • WAF: Layer 7 WAF • Shield + AutoScaling + ELB + Cloud Front: DoS/DDoS Protection • Artifact: AWS Audit Reports available on demand • Tags: Built-in asset + inventory marking and tracking on configuration items • Service Catalog: Predefined configurations available to end users, can be integrated to ITSM system
  • 23. Enforcement • AWS – Guard Duty – Inspector – Macie – Trusted Advisor – Config Rules – Various “Widgets” • Third Party – CIS CAT – CloudCheckr – AlertLogic – Tenable
  • 24. Conclusion • AWS provides a number of services to support your frameworks + controls, in addition to core infrastructure (server + storage) capabilities. • AWS provides guidance (in the form of the CAF and WAF) for organizations which do not have an existing framework to base their cloud adoption model on. • Getting started on AWS is easy; with the free tier, you can experiment with a number of services without incurring significant cost. • Adoption of AWS in your organization can be as easy or as hard as you want to make it; start simple and iterate.
  • 25. Recommended Reading • AWS Well Architected Framework – https://aws.amazon.com/architecture/well-architected/ • AWS Cloud Adoption Framework – https://aws.amazon.com/professional-services/CAF/ • AWS Cloud Transformation Maturity Model – https://d0.awsstatic.com/whitepapers/AWS-Cloud-Transformation-Maturity-Model.pdf • Shared Responsibility Model – https://aws.amazon.com/compliance/shared-responsibility-model/ • Operational Checklists for AWS – https://d1.awsstatic.com/whitepapers/aws-operational-checklists.pdf • Introduction to Auditing the Use of AWS – https://d1.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf
  • 26. Further Learning • Getting Started: https://aws.amazon.com/getting-started • General Reference: http://docs.aws.amazon.com/general/latest/gr • Global Infrastructure: https://aws.amazon.com/about-aws/global-infrastructure/ • FAQs: https://aws.amazon.com/faqs • Documentation: https://aws.amazon.com/documentation/ • Architecture: https://aws.amazon.com/architecture • Whitepapers: https://aws.amazon.com/whitepapers • Security: https://aws.amazon.com/security • Blog: https://aws.amazon.com/blogs • Service Specific Pages: https://aws.amazon.com/service • AWS Answers: https://aws.amazon.com/answers/ • AWS Knowledge Center: https://aws.amazon.com/premiumsupport/knowledge-center/ • SlideShare: http://www.slideshare.net/AmazonWebServices • Github: https://github.com/aws and https://github.com/awslabs
  • 27. Further Learning – Security • http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active- Directory-ADFS-and-SAML-2-0 • http://blogs.aws.amazon.com/security/post/Tx1LDN0UBGJJ26Q/How-to-Implement-Federated-API-and-CLI- Access-Using-SAML-2-0-and-AD-FS • http://blogs.aws.amazon.com/security/post/Tx2KL0TCWFBBAB1/How-to-Use-a-Single-IAM-User-to-Easily-Access- All-Your-Accounts-by-Using-the-AWS • http://blogs.aws.amazon.com/security/post/Tx1XWZ93EAFL9C4/How-to-Switch-Easily-Between-AWS-Accounts-by- Using-the-AWS-Management-Console-an • http://blogs.aws.amazon.com/security/post/Tx4BUZIS3E2QG2/Make-a-New-Year-s-Resolution-Adhere-to-IAM-Best- Practices • http://blogs.aws.amazon.com/security/post/TxASQFTVGZ5HMT/How-to-Receive-Alerts-When-Your-IAM- Configuration-Changes • http://blogs.aws.amazon.com/security/post/Tx3PSPQSN8374D/How-to-Receive-Notifications-When-Your-AWS- Account-s-Root-Access-Keys-Are-Used • http://blogs.aws.amazon.com/security/post/Tx3NVS2JAL7KWOM/How-to-Help-Prepare-for-DDoS-Attacks-by- Reducing-Your-Attack-Surface • http://blogs.aws.amazon.com/security/post/Tx280RX2WH6WUD7/Remove-Unnecessary-Permissions-in-Your-IAM- Policies-by-Using-Service-Last-Access • http://www.slideshare.net/AmazonWebServices/network-security-and-access-control-within-aws-54456790 • http://www.slideshare.net/AmazonWebServices/cloud-security-guidance-from-cesg-and-aws
  • 28. Meetups
    – Boca Raton: https://www.meetup.com/awsflorida/
    – Doral: https://www.meetup.com/AWSUserGroupDoral/
    – Fort Lauderdale: https://www.meetup.com/South-Florida-Amazon-Web-Services-Meetup/
    – Jacksonville: https://www.meetup.com/AWS-User-Groups-of-Florida-Jacksonville/
    – Miami: https://www.meetup.com/Miami-AWS-Users-Group/
    – Miami Beach: https://www.meetup.com/aws-user-group-miami/
    – Orlando: https://www.meetup.com/Orlando-AWS-Users-Group/
    – Palm Beach Gardens: https://www.meetup.com/AWS-Users-Group-of-Florida-Palm-Beach-Gardens/
    – Tampa: https://www.meetup.com/Tampa-AWS-Users-Group/
    – Montevideo, Uruguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-AWS-en-Montevideo/
    – Asuncion, Paraguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-en-Asuncion/
    – South Florida Jenkins Area Meetup: https://www.meetup.com/South-Florida-Jenkins-Area-Meetup/

Editor's Notes

  • #3: Certifications in CCSK, CCSP, ITIL. Experience with AWS, GovCloud and FedRAMP specifically.
  • #6: From Wiki: Disruptive innovation is an innovation that creates a new market and value network and eventually disrupts an existing market and value network, displacing established market-leading firms, products, and alliances
  • #8: AWS Public Sector Summit – June 20-21, 2018, Walter E. Washington Convention Center
  • #9:
    – https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/
    – https://aws.amazon.com/compliance/services-in-scope/
    – See also C2S and Secret Region: https://aws.amazon.com/federal/us-intelligence-community/
  • #19: https://aws.amazon.com/quickstart/architecture/accelerator-nist/
    – NIST – Cybersecurity Framework, SP 800-53, SP 800-37
    – CIS – Benchmarks
    – CSA – CCM + CAIQ
    – Basic AWS Identity and Access Management (IAM) configuration with custom IAM policies, with associated groups, roles, and instance profiles.
    – Standard, external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for application and database. The Multi-AZ architecture helps ensure high availability.
    – Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data.
    – Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack. The security groups limit access to only necessary services.
    – Three-tier Linux web application using Auto Scaling and Elastic Load Balancing, which can be modified and/or bootstrapped with the customer's application.
    – A secured bastion login host to facilitate command-line Secure Shell (SSH) access to Amazon EC2 instances for troubleshooting and systems administration activities.
    – Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database.
    – Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules (where available).
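An added example, not code from the deck or from the AWS NIST Quick Start: Config-rule-style checks in Python for several of the controls the note lists (encrypted S3 buckets, encrypted Multi-AZ RDS, security groups that expose only the load balancer to the Internet, CloudTrail logging), run over a constructed inventory. Field names mirror the AWS API shapes; the "only ports 80/443 may be world-open" rule and the merging of the trail's IsLogging status into the trail record are assumptions.

```python
# Added example (not the deck's or the Quick Start's code): Config-rule-style checks
# for controls listed in the note; resource dicts mirror AWS API field names.
WEB_PORTS = {80, 443}  # assumption: only the load balancer tier is world-reachable

def check_s3_bucket(bucket):
    """Web content, logging and backup buckets must default to server-side encryption."""
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return "COMPLIANT" if rules else "NON_COMPLIANT"

def check_rds_instance(db):
    """Database must be encrypted at rest and deployed Multi-AZ."""
    ok = db.get("StorageEncrypted") is True and db.get("MultiAZ") is True
    return "COMPLIANT" if ok else "NON_COMPLIANT"

def check_security_group(sg):
    """0.0.0.0/0 ingress only on web ports; SSH is reached via the bastion, not the Internet."""
    for perm in sg.get("IpPermissions", []):
        if not any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
            continue  # not world-reachable, nothing to check
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if lo is None or hi is None or lo < 0:  # "all traffic" (-1) or all ICMP
            return "NON_COMPLIANT"
        if not set(range(lo, hi + 1)) <= WEB_PORTS:
            return "NON_COMPLIANT"
    return "COMPLIANT"

def check_cloudtrail(trails):
    """At least one multi-region trail with log file validation must be actively logging."""
    ok = any(t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")
             and t.get("IsLogging") for t in trails)  # IsLogging merged in (assumption)
    return "COMPLIANT" if ok else "NON_COMPLIANT"

def evaluate(inv):
    """Return {resource name: verdict} for an inventory dict like SAMPLE_INVENTORY."""
    out = {b["Name"]: check_s3_bucket(b) for b in inv.get("s3", [])}
    out.update({d["DBInstanceIdentifier"]: check_rds_instance(d) for d in inv.get("rds", [])})
    out.update({g["GroupName"]: check_security_group(g) for g in inv.get("sg", [])})
    out["cloudtrail"] = check_cloudtrail(inv.get("cloudtrail", []))
    return out

SAMPLE_INVENTORY = {  # constructed sample, simplified API shapes
    "s3": [{"Name": "web-content", "ServerSideEncryptionConfiguration":
               {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
           {"Name": "logs-unencrypted"}],
    "rds": [{"DBInstanceIdentifier": "appdb", "StorageEncrypted": True, "MultiAZ": False}],
    "sg": [{"GroupName": "elb-sg", "IpPermissions": [{"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
           {"GroupName": "bastion-sg", "IpPermissions": [{"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
    "cloudtrail": [{"Name": "audit", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True, "IsLogging": True}],
}
```

Running `evaluate(SAMPLE_INVENTORY)` flags the unencrypted log bucket, the single-AZ database and the bastion group open to the Internet on port 22, while the encrypted web bucket, the HTTPS-only load balancer group and the trail pass.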
  • #20: In the next few slides I will detail some of the supporting services. A number of the AWS-published matrices map these services to specific controls; rather than read through a matrix, I thought it would help to explain what these services are and how they can help.