© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Iolaire McKinnon
ProServe - Security Risk & Compliance
June 21, 2017
Automating Security in Cloud Workloads with DevSecOps
What to expect from the session
Why do security automation?
Who is responsible for security in a DevOps world?
Where do you want security automation?
When? pre, post, and everything in between
What you can do, practical examples
How? Tools and partners
So what is DevSecOps anyway?
So what is DevOps anyway?
DevOps is a collaboration between Development and Operations to improve agility and pace of innovation.
• Tooling that you have/use/develop to perform this activity
• Cultural philosophy on how change and deployment are handled within the organization
• Processes which enable this activity
So what is DevSecOps anyway?
DevSecOps is expanding the Dev + Ops collaboration to include Security.
The aim: to have security that is:
• applied throughout the development process,
• non-blocking,
• and working at scale.
So, meet the new security team
Operations Engineering, Application Security, Compliance, Development
Security team development responsibilities:
- Tool creation
- Guide app dev teams
- Enabling automation of security
How to win at DevSecOps – Automate!
- Automation is responsive
- Automation is reliable
- Automation is scalable…
- Don’t worry… we still need humans
How to win at DevSecOps – The Mindset
• Develop a Customer-centric mindset
• Successful DevSecOps is not blocking a rapid pace of innovation.
• Security is built in, automated, and current.
• Security as a self service, with strong auditability
• Security that is moving faster than Developers
Where?
All over the place!
Continuous Integration / Continuous Deployment
1. Security of the CI/CD Pipeline
• Access roles – separation of duties
• Hardening build servers/nodes
2. Security in the CI/CD Pipeline
• Artifact validation
• Static code analysis
• Validation prior to infrastructure change
CI/CD for DevOps (pipeline diagram)
Version Control -> CI Server -> Package Builder -> Artifact Repo -> Deploy Server -> Test Env / Staging Env / Prod Env
• Dev commits to Git/master; CI server gets/pulls code and images
• Distributed builds; run tests in parallel
• Send build report to Dev; stop everything if build failed
• Package builder generates deployment templates for infrastructure; deploy server pushes config, installs, creates
CI/CD for DevSecOps (pipeline diagram, security additions)
Version Control -> CI Server -> Package Builder -> Artifact Repo -> Promote Process -> Test Env / Staging Env / Prod Env
• Block creds from git
• Log for audit
• Audit/validate config: checksum, continuous scan; scan hook on the artifact repo
• Send build report to Security; stop everything if audit/validation failed
Okay, but what about my other stuff?
Take a Cloud-native approach to security
Infrastructure as code
• Base requirement!
• Split ownership
• Pre-deploy validation
Elastic security automation
• API driven
• Auto Scaling groups – hooks
• Execution layer scales with targets
Runtime security
• Tag based targeting
• Rip-n-replace
• Continuous pen testing
Immutable infrastructure
• Validation and enforcement
• Integrate with managed services
When?
All of the time!
When – Control and Validate
Pre-event - Where possible
• Store infrastructure in code repository
• Validate each push (git event hooks)
• Use managed microservices as the execution engine
• Scan cloud infrastructure templates for unwanted/risk valued configurations
• Validate container definitions
• Force infrastructure change via templates (Service Catalog)
• Block or add manual review if needed/unsure
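An added example (not code from the talk) of the pre-event "scan cloud infrastructure templates" step: a check a git push hook or CI stage could run over a CloudFormation template before any infrastructure change is applied, blocking the push when it finds risky configurations. The two rules and the sample template are this example's own choices, not a published ruleset.

```python
"""Pre-deploy template scan: flag admin ports open to the world and
unencrypted S3 buckets in a CloudFormation JSON template (added example)."""
import json

# Constructed sample template with one good and one bad resource of each kind.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Data": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}}}})

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}          # rule choice for this example: SSH and RDP

def check_security_group(name, props):
    """Finding for every ingress rule that exposes an admin port publicly."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        # IpProtocol "-1" rules carry no ports: treat as the full range
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if cidr in PUBLIC_CIDRS and any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(f"{name}: admin port {lo}-{hi} open to {cidr}")
    return findings

def check_bucket(name, props):
    """Finding when a bucket declares no default encryption."""
    return [] if "BucketEncryption" in props else [
        f"{name}: S3 bucket without default encryption"]

CHECKS = {"AWS::EC2::SecurityGroup": check_security_group,
          "AWS::S3::Bucket": check_bucket}

def scan_template(template_text):
    """Return the list of findings; an empty list means the push may proceed."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings

if __name__ == "__main__":
    results = scan_template(SAMPLE_TEMPLATE)
    for finding in results:
        print("BLOCK:", finding)
    raise SystemExit(1 if results else 0)   # non-zero exit fails the hook/stage
```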
When – Control and Validate
Post-event - Always
• Follow-up on sensitive APIs
• IAM, security groups/firewall, encryption keys, logging, etc.
• Alert/inform
• Use source of truth
• Locked to execution function (read only)
• Validate source
• Human or machine in CI/CD
• Decide on remediation
When – Control and Validate
Triggers – Event based:
• Per change
• API-based
• Event logs
• Per day
• Per framework
• Overall infrastructure, components, and resources
• One component, multiple frameworks
What?
Iolaire! I want examples!
Okay, jeez fine, have some examples:
Security validation in an elastic infrastructure
• Implement -> Validate -> Decide
• Terminate upon failure of security check
Automatic Incident Response Remediation
• Autoheal CloudTrail logging, then
• Disable offenders
Integrate host-based activity with cloud-based control
• Immutable infrastructure – Auto isolate instances that fail checks
It’s demo time! – Logging enforcement
Detect
• CloudTrail logging disabled
Respond
• Automatically re-enable logging
Forensics
• Has this happened before?
Countermeasures
• If num_disabled > x: disable_user()   # x could be zero based on type and user
• Safeguard: Should I temporarily disable the user? Who is the user?
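The Detect / Respond / Forensics / Countermeasures flow of the demo as an added example (not the demo's own code): a handler for a CloudTrail StopLogging event that re-enables the trail, counts how often the same principal has done this before, and only then decides whether to lock the user out, with the safeguard applied first. AWS calls go through an injected client so it runs offline; FakeAws, `threshold` and `protected_users` are this example's own assumptions.

```python
"""Logging-enforcement handler for a CloudTrail StopLogging event (added example)."""
from dataclasses import dataclass, field

# Constructed event, shaped like a CloudTrail record delivered by CloudWatch Events.
SAMPLE_EVENT = {"detail": {
    "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
    "userIdentity": {"type": "IAMUser", "userName": "deployer",
                     "arn": "arn:aws:iam::111122223333:user/deployer"},
    "requestParameters": {"name": "org-trail"}}}

@dataclass
class FakeAws:
    """Stand-in for the boto3 cloudtrail/iam clients (assumption of this example)."""
    logging: dict                       # trail name -> IsLogging
    history: list                       # principal ARNs of earlier StopLogging calls
    disabled: list = field(default_factory=list)
    def start_logging(self, trail): self.logging[trail] = True
    def prior_disables(self, arn): return sum(1 for a in self.history if a == arn)
    def deny_all(self, user): self.disabled.append(user)

def handle_stop_logging(event, aws, threshold=0, protected_users=("breakglass",)):
    """Detect -> Respond -> Forensics -> Countermeasures, returning what was done."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "StopLogging":           # Detect
        return {"action": "ignored"}
    identity = detail["userIdentity"]
    trail = detail["requestParameters"]["name"]
    aws.start_logging(trail)                               # Respond: autoheal first
    prior = aws.prior_disables(identity.get("arn"))        # Forensics: seen before?
    result = {"action": "restored", "trail": trail, "prior_disables": prior}
    # Safeguard: who is the user? Never auto-disable root or break-glass users;
    # hand those to a human instead.
    if identity.get("type") == "Root" or identity.get("userName") in protected_users:
        result["escalate"] = True
        return result
    if prior > threshold:                                  # Countermeasure: x = threshold
        aws.deny_all(identity["userName"])
        result["action"] = "restored_and_user_disabled"
    return result

if __name__ == "__main__":
    aws = FakeAws(logging={"org-trail": False},
                  history=["arn:aws:iam::111122223333:user/deployer"])
    print(handle_stop_logging(SAMPLE_EVENT, aws), aws.disabled)
```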
Recap: Security Automation?
Why? Keep up with DevOps, and focus on higher value work
Who? Everyone (self-service model)
Where? Everywhere!
When? All the time!
More info: Search “DevSecOps” on AWS Security & DevOps blogs
iolaire@amazon.com