Compliance-as-Code

Jan 28, 2018

Anitian

Transcript
Page 1: Compliance-as-Code

ANITIAN

COMPLIANCE AS CODE

Page 2: Compliance-as-Code

ANITIAN: intelligent information security

MEET THE SPEAKERS

Adam Gaydosh - Anitian

• Director of Security Intelligence at Anitian

• Principal consultant for governance, risk and compliance practices

• PCI QSA since 2008

• Co-author of workbook on PCI compliance in AWS

• Worked with AWS ProServe to develop PCI ruleset for AWS Config

Tim Sandage - AWS

• Senior Security Partner Strategist for AWS World Wide Public Sector

• Responsible for global strategic alignment of AWS cloud computing services with current and future compliance capabilities

• Extensive US federal government security background with over 25 years of service in the US Air Force

Page 3: Compliance-as-Code

WHO

HOW

Build great security…

• Programs

• Controls

• Practices

• Leaders

WHY

We believe security is essential to growth, innovation, and prosperity

Page 4: Compliance-as-Code


WHAT

Page 5: Compliance-as-Code

OVERVIEW

Our Intent

• Provide a basic overview on compliance as code (CaC)

• Describe strategies for automating compliance and security in AWS

Presentation Outline

1. CaC overview

2. AWS services supporting CaC

3. CaC strategies

4. Final thoughts

Page 6: Compliance-as-Code


COMPLIANCE AS CODE OVERVIEW

• What is CaC?

• Why implement CaC?

• How do you implement CaC?

Page 7: Compliance-as-Code

WHAT IS COMPLIANCE AS CODE?

• Using code to automate the implementation, validation, remediation (potentially), monitoring, and reporting of compliance status.

• Compliance is measured against security requirements, such as from regulatory standards and internal governance.

Page 8: Compliance-as-Code

WHY IMPLEMENT COMPLIANCE AS CODE?

• The precision and repeatability of software eliminate human error.

• Reduces total level of effort to deploy and maintain compliant workloads.

• Integrates compliance into business-as-usual practices, mitigating compliance knowledge silos.

• Simplifies audit preparation and assessment by providing automated evidence gathering that is fully defined programmatically.

Page 9: Compliance-as-Code

HOW DO YOU IMPLEMENT COMPLIANCE AS CODE?

• Automation

  • Use the APIs throughout AWS to programmatically interact with your AWS resources

• Security by Design

  • Make support for CaC a fundamental design consideration in your architecture

• Cloud Adoption Framework Security Perspective

  • https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf

  • Use the 6 focus areas (perspectives) to ensure completeness of CaC efforts

Page 10: Compliance-as-Code

TRADITIONAL VERSUS CLOUD GOVERNANCE

Traditional Governance

• Information and technology (IT) governance is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management.

• The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives, and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders.

Cloud Governance

• Technology drives your governance alignment

• Governance is a “Shared Responsibility”

• Automation is the Key to successful governance

• Pre-Cloud decision-making processes are paramount (e.g., service selection, policies, frameworks, architecture, data protections).

• Focus is on Continuous Risk Treatments (CRTs)

Page 11: Compliance-as-Code

SECURITY BY DESIGN

• Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing.

• Instead of relying on auditing security retroactively, SbD builds security controls into the AWS IT management process.

Page 12: Compliance-as-Code

SECURITY BY DESIGN - DESIGN PRINCIPLES

Developing new risk mitigation capabilities, which go beyond global security frameworks, by treating risks, eliminating manual processes, and optimizing evidence and audit ratification processes through RIGID automation.

• Build security in every layer

• Design for failures

• Implement auto-healing

• Think parallel

• Plan for breach

• Don't fear constraints

• Leverage different storage options

• Design for cost

• Treat Infrastructure as Code

  ‒ Modular

  ‒ Versioned

  ‒ Constrained

Page 13: Compliance-as-Code

TRADITIONAL RISK TREATMENTS

• Avoid

• Reduce

• Share or Transfer

• Accept

Page 14: Compliance-as-Code

TRADITIONAL RISK MANAGEMENT/GOVERNANCE

Security Life-Cycle

1. CATEGORIZE Information System: Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.

2. SELECT Security Controls: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.

3. IMPLEMENT Security Controls: Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.

4. ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).

5. AUTHORIZE Information System: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.

6. MONITOR Security State: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Page 15: Compliance-as-Code

CONTINUOUS RISK TREATMENT (CRT)

• CRT is a process and technology approach designed to detect, maintain and, in MOST cases, correct security concerns, compliance issues, and threats associated with an organization's solution and service deployment within their AWS account.

• CRT processes monitor security controls in real-time to ensure the risk and/or threat treatment (Control Intent) is working as designed, or at least within an intended margin of acceptance, based on guard rails, swim lanes and/or rules built into the control to allow for business operations.
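The detect-and-correct loop the slides describe (pages 7 to 9: using the AWS APIs to automate validation and remediation; this page: CRT monitoring a control intent in real time and correcting deviations), as an added worked example in Python. It is not code from the deck, from Anitian, or from the awslabs repositories. It assumes a custom AWS Config rule deployed as a Lambda function, a control intent chosen for illustration (no inbound rule open to the world except on the ports named in the rule parameter `allowedPublicPorts`), a sample configuration item constructed to mirror how Config records an EC2 security group (the lowerCamelCase field names are an assumption), and a rule parameter `autoRemediate` invented for the example so that correction is opt-in.

```python
"""Custom AWS Config rule plus remediation (added example, not the deck's code).
Control intent, chosen for illustration: an EC2 security group may not admit traffic
from anywhere (0.0.0.0/0 or ::/0) except on the ports in the rule parameter
`allowedPublicPorts`. Configuration-item field names are an assumption modelled on
Config's lowerCamelCase recording of AWS::EC2::SecurityGroup; verify before deploying."""
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

def parse_allowed_ports(csv):
    """'80,443' -> {80, 443}; an empty parameter means nothing may be public."""
    return {int(p) for p in csv.split(",") if p.strip()}

def world_open_cidrs(perm):
    """Any-address CIDRs on one ipPermissions entry (v4, v6 and legacy form)."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    cidrs += perm.get("ipRanges", [])  # older items list plain CIDR strings here
    return [c for c in cidrs if c in (ANY_V4, ANY_V6)]

def offending_permissions(ip_permissions, allowed_ports):
    """Inbound entries open to the world on a port or protocol outside the allow list."""
    offending = []
    for perm in ip_permissions:
        cidrs = world_open_cidrs(perm)
        if not cidrs:
            continue
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        # Only tcp/udp with a fully allow-listed range passes; "-1" (all traffic) and icmp never do.
        ok = (proto in ("tcp", "udp") and lo is not None and hi is not None
              and all(p in allowed_ports for p in range(lo, hi + 1)))
        if not ok:
            offending.append({"ipProtocol": proto, "fromPort": lo, "toPort": hi, "cidrs": cidrs})
    return offending

def evaluate_compliance(configuration_item, rule_parameters):
    """Map one configuration item to a Config compliance type plus the evidence."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", []
    if configuration_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", []
    allowed = parse_allowed_ports(rule_parameters.get("allowedPublicPorts", ""))
    perms = configuration_item.get("configuration", {}).get("ipPermissions", [])
    bad = offending_permissions(perms, allowed)
    return ("NON_COMPLIANT" if bad else "COMPLIANT"), bad

def build_evaluation(event):
    """Turn the event Config sends the Lambda function into one PutEvaluations entry."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, bad = evaluate_compliance(ci, params)
    note = "; ".join(f"{b['ipProtocol']} {b['fromPort']}-{b['toPort']} from {','.join(b['cidrs'])}"
                     for b in bad) or "no world-open ingress outside the allow list"
    return {"ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": ci["configurationItemCaptureTime"]}, bad

def remediate(ec2, group_id, offending):
    """Revoke only the any-address CIDRs of each offending entry so other sources on the
    same port survive; `ec2` is anything exposing boto3's revoke_security_group_ingress."""
    revoked = []
    for bad in offending:
        perm = {"IpProtocol": bad["ipProtocol"]}
        if bad["fromPort"] is not None:
            perm["FromPort"], perm["ToPort"] = bad["fromPort"], bad["toPort"]
        if ANY_V4 in bad["cidrs"]:
            perm["IpRanges"] = [{"CidrIp": ANY_V4}]
        if ANY_V6 in bad["cidrs"]:
            perm["Ipv6Ranges"] = [{"CidrIpv6": ANY_V6}]
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[perm])
        revoked.append(perm)
    return revoked

def lambda_handler(event, context):
    """Deployed entry point; needs boto3 and credentials, so it is not run offline."""
    import boto3
    evaluation, bad = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    # `autoRemediate` is a parameter invented for this example: correct only when opted in.
    if bad and json.loads(event.get("ruleParameters") or "{}").get("autoRemediate") == "true":
        remediate(boto3.client("ec2"), evaluation["ComplianceResourceId"], bad)
    return evaluation

# Constructed sample event: ssh open to the world next to a permitted https rule.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example1234567890",
        "configurationItemStatus": "OK", "configurationItemCaptureTime": "2018-01-28T12:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": ANY_V4}]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": ANY_V4}]}]}}}),
    "ruleParameters": json.dumps({"allowedPublicPorts": "80,443"}),
    "resultToken": "constructed-token",
}
```

The evaluation logic is kept free of AWS clients so the same function can be exercised from a unit test with constructed items, and remediation revokes only the world-open CIDR rather than the whole permission, which keeps the `10.0.0.0/8` admin path on port 22 in the sample intact. In a real deployment the `ec2` argument is `boto3.client("ec2")` and the Lambda role needs `config:PutEvaluations` plus, only when remediation is enabled, `ec2:RevokeSecurityGroupIngress`.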

Page 16: Compliance-as-Code


MODERNIZING TECHNOLOGY GOVERNANCE (MTG)

Page 17: Compliance-as-Code

AUTOMATE, DEPLOY + MONITOR (RISK TREATMENTS)

Page 18: Compliance-as-Code


CLOUD RISK TREATMENT/GOVERNANCE

Page 19: Compliance-as-Code

AUTOMATION RESOURCES

Amazon Web Services - Labs

• AWS Config Rules Repository - AWS Config Rules (http://amzn.to/2aFZZw2); periodic rules can now be triggered without the need for a configuration snapshot.

• aws-security-automation - Collection of scripts and resources for DevSecOps, Security Automation and Automated Incident Response Remediation

• AWS WAF Security Automations - A solution that contains all AWS WAF samples developed so far

• aws-automating-security-group-updates - AWS Lambda function, in combination with AutoScaling Lifecycle Hooks and a DynamoDB table, to automatically update security groups

• aws-security-benchmark - Collection of resources related to security benchmark frameworks.

Page 20: Compliance-as-Code


AWS SERVICES SUPPORTING COMPLIANCE AS CODE

Automation

• Lambda

• CloudFormation

• Config

• AWS OpsWorks

• Systems Manager

Code

• CodePipeline

• CodeBuild

• CodeDeploy

• CodeStar

Security

• CloudWatch

• Inspector

• WAF

• GuardDuty

• Macie

Page 21: Compliance-as-Code

AWS AUTOMATION SERVICES

• Lambda – Serverless, event-driven compute service that runs code in response to specific events. A keystone of CaC.

• CloudFormation – Service for provisioning infrastructure as code (IaC).

• Config – Service for automated and continuous monitoring, logging and alerting of AWS resource configurations in alignment with defined and custom baselines.

Page 22: Compliance-as-Code

AWS AUTOMATION SERVICES

• OpsWorks – Automated configuration management using either Chef or Puppet that gives you workflow automation for continuous deployment and automated testing for compliance and security for EC2 instances.

• Systems Manager – Centralized interface for managing AWS resources and automating tasks, providing insights including inventory and compliance management.

Page 23: Compliance-as-Code

AWS CODING SERVICES

• AWS CodePipeline – Continuous integration and continuous delivery service for fast and reliable application and infrastructure updates.

• AWS CodeBuild – Fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy.

• AWS CodeDeploy – Automates code deployments to any instance, including Amazon EC2 instances and on-premises servers.

• AWS CodeStar – Enables you to quickly develop, build, and deploy applications on AWS.

Page 24: Compliance-as-Code

AWS SECURITY SERVICES

• CloudWatch – Monitor AWS services and logs, provide metrics, generate alarms and react to specific events via API. Includes a dashboard and event-driven rules that can route to Lambda and SNS among other targets.

• Inspector – Automated security assessment service for AWS resources for evaluating application and system security against security benchmarks. Findings are available in the console, through reports, or by API for integrating directly into your CI/CD pipeline.

Page 25: Compliance-as-Code

AWS SECURITY SERVICES

• CloudWatch – Monitor AWS services and logs, provide metrics, generate alarms and react to specific events.

• WAF – A web application firewall that integrates with Shield, a managed DDoS service. WAF now supports marketplace rules from commercial WAF vendors for enhanced detection abilities.

• GuardDuty – New service providing automated and continuous threat detection.

• Macie – Machine learning for data inventory and classification for S3 data, ideal for regulatory compliance such as GDPR.

Page 26: Compliance-as-Code


GUARDDUTY EXAMPLE

Page 27: Compliance-as-Code


COMPLIANCE AS CODE STRATEGIES

• Config Compliance as Code Engine and Rules

• Anitian PCI-hardened AMIs

• Anitian PCI Architecture Cloud Formation Templates

Page 28: Compliance-as-Code

CONFIG COMPLIANCE AS CODE ENGINE

• CloudFormation stack that deploys a CaC engine with managed rules for evaluating the compliance of AWS resources in a multi-account environment.

• Initial rulesets test against the AWS CAF Security Epics, and a baseline PCI ruleset developed in conjunction with Anitian.

• Uses DynamoDB to store results.

• Includes an analytics component for data extraction, transformation and visualization in Amazon QuickSight.

• https://github.com/awslabs/aws-config-engine-for-compliance-as-code

Page 29: Compliance-as-Code

COMPLIANCE AS CODE MANAGED RULES

• 70+ rules that integrate with AWS Config, built against industry-standard security controls for AWS.

• https://github.com/awslabs/aws-config-rules

• PCI Rules

  • Top 7 PCI rules for validating compliance of AWS resources

  • Developed by AWS and Anitian Professional Services

  • Initial release at 2017 re:Invent

• New IDE reduces development of custom rules by a factor of 5 based on workshops at 2017 re:Invent

  • https://pypi.python.org/pypi/rdk

Page 30: Compliance-as-Code


CONFIG COMPLIANCE AS CODE ENGINE

Page 31: Compliance-as-Code


CONFIG COMPLIANCE AS CODE ENGINE

Page 32: Compliance-as-Code


CONFIG COMPLIANCE AS CODE ENGINE

Page 33: Compliance-as-Code


CONFIG COMPLIANCE AS CODE PCI RULES

Page 34: Compliance-as-Code


CONFIG COMPLIANCE AS CODE PCI RULES

Page 35: Compliance-as-Code


COMPLIANCE AS CODE SECURITY EPICS RULES

Page 36: Compliance-as-Code

ANITIAN HARDENED AMIS

• Hardened images of all AWS-supported server distributions, available as a base server or web server configuration.

• Configured in alignment with industry best practices of host-hardening, and specifically to address the requirements for the PCI DSS.

• Contains a host-hardening standard on the filesystem, documenting what changes have been made from the defaults, as required by PCI DSS.

• https://aws.amazon.com/marketplace/seller-profile?id=31e28297-b7d4-416f-b454-59f1d0aa8865

Page 37: Compliance-as-Code

ANITIAN PCI CLOUD FORMATION TEMPLATES

• Use Infrastructure as Code to automatically deploy a PCI compliant environment.

• Modeled after the “Dedicated” reference architecture in Anitian's PCI DSS workbook.

  • https://d0.awsstatic.com/.../AWS_Anitian_Workbook_PCI_Cloud_Compliance.pdf

• Deploys an e-commerce website hosted in a dedicated Amazon AWS account and contained in a single, private network.

• Coming soon in the AWS Marketplace.

  • https://aws.amazon.com/marketplace/seller-profile?id=31e28297-b7d4-416f-b454-59f1d0aa8865
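How the Infrastructure-as-Code side of Security by Design can carry its own compliance validation, as an added Python example that is not Anitian's template code or anything from the deck: a pipeline-stage gate that inspects a CloudFormation template before `aws cloudformation deploy`, so a template that would break a control never reaches the account. The template is a constructed JSON one (a web security group, a stand-alone ingress resource, an S3 bucket and an RDS instance); the controls enforced (no world-open ingress outside 80/443, encryption at rest for S3 and RDS, no public RDS endpoint) are PCI-DSS-flavoured choices made for this example, and the `FAIL`/`REVIEW` severities are this example's convention for separating definite violations from values that only resolve at deploy time.

```python
"""Pre-deployment compliance gate for a CloudFormation template (added example; not
Anitian's or AWS's code). Runs in a pipeline stage ahead of deployment. The controls
are PCI-DSS-flavoured choices for the example: no world-open ingress outside 80/443,
encryption at rest for S3 buckets and RDS instances, no publicly reachable RDS."""

ANY_ADDR = ("0.0.0.0/0", "::/0")
PUBLIC_OK = {80, 443}
TRUE_VALUES = (True, "true")  # CloudFormation accepts booleans as bool or string


def is_intrinsic(value):
    """Ref / Fn::* values resolve only at deploy time, so they cannot be judged here."""
    return isinstance(value, dict) and len(value) == 1 and (
        "Ref" in value or next(iter(value)).startswith("Fn::"))


def check_ingress(logical_id, rule, findings):
    """One ingress entry; inline SecurityGroupIngress items and stand-alone
    AWS::EC2::SecurityGroupIngress resources share these property names."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if is_intrinsic(cidr):
        findings.append((logical_id, "REVIEW", "ingress CIDR comes from a parameter or function"))
        return
    if cidr not in ANY_ADDR:
        return  # restricted source, or a security-group / prefix-list source
    proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
    if any(is_intrinsic(v) for v in (proto, lo, hi)):
        findings.append((logical_id, "REVIEW", "world-open ingress with unresolved port/protocol"))
        return
    ok = (proto in ("tcp", "udp") and lo is not None and hi is not None
          and all(p in PUBLIC_OK for p in range(int(lo), int(hi) + 1)))
    if not ok:
        findings.append((logical_id, "FAIL", f"ingress from {cidr} on {proto} {lo}-{hi}"))


def check_security_group(logical_id, props, findings):
    for rule in props.get("SecurityGroupIngress", []):
        check_ingress(logical_id, rule, findings)


def check_s3_bucket(logical_id, props, findings):
    if not props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration"):
        findings.append((logical_id, "FAIL", "S3 bucket has no default encryption"))


def check_rds_instance(logical_id, props, findings):
    if props.get("StorageEncrypted") not in TRUE_VALUES:
        findings.append((logical_id, "FAIL", "RDS storage is not encrypted"))
    if props.get("PubliclyAccessible") in TRUE_VALUES:
        findings.append((logical_id, "FAIL", "RDS instance is publicly accessible"))


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::EC2::SecurityGroupIngress": check_ingress,
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::RDS::DBInstance": check_rds_instance,
}


def lint_template(template):
    """(logical_id, severity, message) for every resource a check exists for. The
    template is the JSON/dict form; YAML templates need loading into the same shape first."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            check(logical_id, resource.get("Properties", {}), findings)
    return findings


def gate(template):
    """Pipeline decision: REVIEW findings are reported, only FAIL blocks deployment."""
    return all(severity != "FAIL" for _, severity, _ in lint_template(template))


# Constructed sample template: a compliant web tier next to three violations.
SAMPLE_TEMPLATE = {
    "Parameters": {"AdminCidr": {"Type": "String"}},
    "Resources": {
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv6": "::/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "AdminCidr"}}]}},
        "DbIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": {"Ref": "DbSg"}, "IpProtocol": "tcp",
            "FromPort": 3306, "ToPort": 3306, "CidrIp": "0.0.0.0/0"}},
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "CardholderDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "mysql", "DBInstanceClass": "db.t2.small", "AllocatedStorage": "20",
            "StorageEncrypted": False, "PubliclyAccessible": "true"}},
    },
}

if __name__ == "__main__":
    for logical_id, severity, message in lint_template(SAMPLE_TEMPLATE):
        print(f"{severity:6} {logical_id}: {message}")
    print("deployable" if gate(SAMPLE_TEMPLATE) else "blocked")
```

Intrinsic functions are the usual blind spot of template checks: a CIDR that arrives through a parameter is reported for review rather than silently passed, while a literal `0.0.0.0/0` on the database port, the unencrypted bucket and the public unencrypted RDS instance fail the gate outright. Wired into a CodeBuild stage, a non-zero exit on `gate()` returning false stops the pipeline before the stack is created.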

Page 38: Compliance-as-Code


ANITIAN PCI CLOUD FORMATION TEMPLATES

Page 39: Compliance-as-Code


ANITIAN PCI CLOUD FORMATION TEMPLATES

Page 40: Compliance-as-Code


ANITIAN PCI CLOUD FORMATION TEMPLATES

Page 41: Compliance-as-Code

ANITIAN PCI CLOUD FORMATION TEMPLATES

Deployment Status: Deployed

Page 42: Compliance-as-Code

FINAL THOUGHTS

• Integrate Security by Design when architecting your environment.

• Identify all compliance requirements and automate implementation, validation, monitoring and reporting wherever possible.

• Publish and iterate; don’t let perfection be the enemy of good.

Page 43: Compliance-as-Code

EMAIL: [email protected]

TWITTER: @adam_gaydosh, @AnitianSecurity

WEB: www.anitian.com

BLOG: blog.anitian.com

SLIDES: bit.ly/anitian

CALL: 888-ANITIAN