(SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014

Post on 11-Jul-2015


Transcript of (SEC405) Enterprise Cloud Security via DevSecOps | AWS re:Invent 2014

Spoiler Alert:

Secure Enterprise Workloads in the Cloud…

• Pain

• Trial & Error

• Blood, sweat & tears

• Ouch, my head hurts!

It would have been great to hear this speech a couple years ago…

Bang Head Here

Intuit Cloud Security / AWS Professional Services

[Session roadmap, shown in the margin of every slide]

• Security as Code? Experiment: Automate Policy Governance

• Security Operations? Experiment: Detection via Security Operations

• Compliance Operations? Experiment: Compliance via DevSecOps toolkit

• Science? Experiment: Science via Profiling

DevOps + Security / DevOps + DevSecOps

Start Here?

Embedding into DevOps was a disaster…

– Compliance checklists didn’t take us far before we stopped scaling…

– We couldn’t keep up with deployments without automation…

– Standard Security Operations did not work…

– And we needed far more data than we expected to help the business make decisions…

DevSecOps

• Security Engineering: Experiment, Automate, Test

• Security Operations: Hunt, Detect, Contain

• Compliance Operations: Respond, Manage, Train

• Security Science: Learn, Measure, Forecast


[Slide: screenshot of "Security Configuration Procedures", V 3.6.0.1.1, January 2011, page 3 of 267]

Frozen in Time

AWS provides a programmable infrastructure


[Diagram: cross-account security role]

Central Account (Trusted): Admin, IAM users

BU Accounts (Trusting): one SecRole (IAM role) in each account

IAM Catalog entry: Role Name, Access Policies, Trust Policy, Short Description

Baseline IAM Catalog kept in a Source Code Repository (Pull / Push); changes go through Develop, Review, Test, Approve, Commit (Ruby tooling)

Access flow (steps 1–5 on the slide): the central Admin’s AKID/SAK → STS → temporary creds → SecRole in the trusting BU accounts
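The diagram above shows the pattern but none of the policy text. The following is an added example, written for this transcript rather than taken from the talk or from Intuit’s tooling: one IAM Catalog entry for the SecRole with the four fields from the slide, the trust policy that makes a BU account trust only the central account, a lint that a Review/Test step in the catalog repository could run before Approve/Commit, and the STS AssumeRole request the central Admin would issue with its AKID/SAK. The account ids, role name, permission set and finding messages are assumptions; the talk does not state them.

```ruby
require 'json'

# Hypothetical account ids and role name: the talk shows the pattern, not these values.
CENTRAL_ACCOUNT = '111111111111'                 # the trusted central account
BU_ACCOUNTS     = %w[222222222222 333333333333]  # trusting business-unit accounts
SEC_ROLE_NAME   = 'SecRole'

# Trust policy pushed into every BU account: only principals in the central
# account may call sts:AssumeRole on the SecRole.
def trust_policy(central_account)
  {
    'Version'   => '2012-10-17',
    'Statement' => [{
      'Effect'    => 'Allow',
      'Principal' => { 'AWS' => "arn:aws:iam::#{central_account}:root" },
      'Action'    => 'sts:AssumeRole'
    }]
  }
end

# Access policy attached to the SecRole. A read-only review set is assumed here;
# the talk does not list the actual permissions.
def access_policy
  {
    'Version'   => '2012-10-17',
    'Statement' => [{
      'Effect'   => 'Allow',
      'Action'   => %w[iam:Get* iam:List* ec2:Describe* cloudtrail:DescribeTrails],
      'Resource' => '*'
    }]
  }
end

# One catalog entry with the four fields named on the slide.
def catalog_entry(central_account)
  {
    'RoleName'         => SEC_ROLE_NAME,
    'ShortDescription' => 'Read-only security review role, assumable from the central account',
    'TrustPolicy'      => trust_policy(central_account),
    'AccessPolicies'   => [access_policy]
  }
end

ACCOUNT_IN_ARN = /\Aarn:aws:iam::(\d{12}):/

# The Test step: returns a list of findings; an empty list means the entry may
# proceed to Approve/Commit.
def lint_entry(entry, central_account)
  findings = []
  Array(entry.dig('TrustPolicy', 'Statement')).each do |st|
    next unless st['Effect'] == 'Allow'
    Array(st.dig('Principal', 'AWS')).each do |principal|
      account = principal[ACCOUNT_IN_ARN, 1]
      if principal == '*' || account != central_account
        findings << "trust policy allows principal #{principal}; only #{central_account} may assume the role"
      end
    end
    actions = Array(st['Action'])
    unless actions == ['sts:AssumeRole']
      findings << "trust policy action must be exactly sts:AssumeRole, got #{actions.inspect}"
    end
  end
  Array(entry['AccessPolicies']).each do |policy|
    Array(policy['Statement']).each do |st|
      next unless st['Effect'] == 'Allow'
      if Array(st['Action']).any? { |a| a == '*' || a.casecmp('iam:*').zero? }
        findings << "access policy grants #{st['Action'].inspect}; wildcard administrative actions are not in the baseline"
      end
    end
  end
  findings
end

# The step the central Admin performs with its AKID/SAK: ask STS for temporary
# credentials for the SecRole in a BU account. Only the request is built here;
# with the AWS SDK for Ruby it would be passed to Aws::STS::Client#assume_role.
def assume_role_request(bu_account, session_name = 'central-security-review')
  {
    role_arn:          "arn:aws:iam::#{bu_account}:role/#{SEC_ROLE_NAME}",
    role_session_name: session_name
  }
end

if $PROGRAM_NAME == __FILE__
  entry = catalog_entry(CENTRAL_ACCOUNT)
  puts JSON.pretty_generate(entry)
  puts "lint: #{lint_entry(entry, CENTRAL_ACCOUNT).inspect}"

  # A deliberately bad entry, as Review should catch it: trust opened to any AWS account.
  bad = catalog_entry(CENTRAL_ACCOUNT)
  bad['TrustPolicy']['Statement'][0]['Principal']['AWS'] = '*'
  puts "lint (bad): #{lint_entry(bad, CENTRAL_ACCOUNT).inspect}"

  BU_ACCOUNTS.each { |acct| puts assume_role_request(acct).inspect }
end
```

The lint is the part that makes the catalog a baseline rather than a file share: a trust policy whose principal is `*` or any account other than the central one, or an access policy granting `*`/`iam:*`, is rejected before it can be pushed to the trusting accounts. The returned credentials from the STS call are temporary, so the long-lived AKID/SAK never leaves the central account.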


applying these principles…



experimenting with these principles…





AWSome!

Please give us your feedback on this session.

Complete session evaluations and earn re:Invent swag.

http://bit.ly/awsevals