ANITIAN
COMPLIANCE AS CODE
intelligent information security ANITIAN
MEET THE SPEAKERS
Adam Gaydosh - Anitian
• Director of Security Intelligence at Anitian
• Principal consultant for governance, risk and compliance practices
• PCI QSA since 2008
• Co-author of workbook on PCI compliance in AWS
• Worked with AWS ProServe to develop PCI ruleset for AWS Config
Tim Sandage - AWS
• Senior Security Partner Strategist for AWS World Wide Public Sector
• Responsible for global strategic alignment of AWS cloud computing services with current and future compliance capabilities
• Extensive US federal government security background with over 25 years of service in the US Air Force
WHO
HOW
Build great security…
• Programs
• Controls
• Practices
• Leaders
WHY
We believe security is essential to growth, innovation, and prosperity.
WHAT
OVERVIEW
Our Intent
• Provide a basic overview on compliance as code (CaC)
• Describe strategies for automating compliance and security in AWS
Presentation Outline
1. CaC overview
2. AWS services supporting CaC
3. CaC strategies
4. Final thoughts
COMPLIANCE AS CODE OVERVIEW
• What is CaC?
• Why implement CaC?
• How do you implement CaC?
WHAT IS COMPLIANCE AS CODE?
• Using code to automate the implementation, validation, remediation (potentially), monitoring, and reporting of compliance status.
• Compliance is measured against security requirements, such as from regulatory standards and internal governance.
WHY IMPLEMENT COMPLIANCE AS CODE?
• The precision and repeatability of software eliminates human error.
• Reduces total level of effort to deploy and maintain compliant workloads.
• Integrates compliance into business-as-usual practices, mitigating compliance knowledge silos.
• Simplifies audit preparation and assessment by providing automated evidence gathering that is fully defined programmatically.
HOW DO YOU IMPLEMENT COMPLIANCE AS CODE?
• Automation
  • Use the APIs throughout AWS to programmatically interact with your AWS resources
• Security by Design
  • Make support for CaC a fundamental design consideration in your architecture
• Cloud Adoption Framework Security Perspective
  • https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
  • Use the 6 focus areas (perspectives) to ensure completeness of CaC efforts
TRADITIONAL VERSUS CLOUD GOVERNANCE
Traditional Governance
• Information and technology (IT) governance is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management.
• The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives, and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders.
Cloud Governance
• Technology drives your governance alignment
• Governance is a “Shared Responsibility”
• Automation is the key to successful governance
• Pre-Cloud decision-making processes are paramount (e.g., service selection, policies, frameworks, architecture, data protections).
• Focus is on Continuous Risk Treatments (CRTs)
SECURITY BY DESIGN
• Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing.
• Instead of relying on auditing security retroactively, SbD builds security controls into the AWS IT management process.
SECURITY BY DESIGN - DESIGN PRINCIPLES
Developing new risk mitigation capabilities, which go beyond global security frameworks, by treating risks, eliminating manual processes, and optimizing evidence and audit ratification processes through RIGID automation.
• Build security in every layer
• Design for failures
• Implement auto-healing
• Think parallel
• Plan for breach
• Don't fear constraints
• Leverage different storage options
• Design for cost
• Treat Infrastructure as Code
  ‒ Modular
  ‒ Versioned
  ‒ Constrained
TRADITIONAL RISK TREATMENTS
• Avoid
• Reduce
• Share or Transfer
• Accept
TRADITIONAL RISK MANAGEMENT/GOVERNANCE
Security Life-Cycle
1. CATEGORIZE Information System: define the criticality/sensitivity of the information system according to the potential worst-case, adverse impact to mission/business.
2. SELECT Security Controls: select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.
3. IMPLEMENT Security Controls: implement security controls within the enterprise architecture using sound systems engineering practices; apply security configuration settings.
4. ASSESS Security Controls: determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for the information system).
5. AUTHORIZE Information System: determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.
6. MONITOR Security State: continuously track changes to the information system that may affect security controls and reassess control effectiveness.
CONTINUOUS RISK TREATMENT (CRT)
• CRT is a process and technology approach designed to detect, maintain and, in MOST cases, correct security concerns, compliance issues, and threats associated with an organization's solution and service deployment within their AWS account.
• CRT processes monitor security controls in real time to ensure the risk and/or threat treatment (Control Intent) is working as designed, or at least within an intended margin of acceptance, based on guard rails, swim lanes and/or rules built into the control to allow for business operations.
MODERNIZING TECHNOLOGY GOVERNANCE (MTG)
AUTOMATE, DEPLOY + MONITOR (RISK TREATMENTS)
CLOUD RISK TREATMENT/GOVERNANCE
AUTOMATION RESOURCES
Amazon Web Services - Labs
• AWS Config Rules Repository - AWS Config Rules (http://amzn.to/2aFZZw2); periodic rules can now be triggered without the need for a configuration snapshot.
• aws-security-automation - Collection of scripts and resources for DevSecOps, Security Automation and Automated Incident Response Remediation
• AWS WAF Security Automations - A solution that contains all AWS WAF samples developed so far
• aws-automating-security-group-updates - AWS Lambda function, in combination with AutoScaling Lifecycle Hooks and a DynamoDB table, to automatically update security groups
• aws-security-benchmark - Collection of resources related to security benchmark frameworks.
AWS SERVICES SUPPORTING COMPLIANCE AS CODE
Automation
• Lambda
• CloudFormation
• Config
• AWS OpsWorks
• Systems Manager
Code
• CodePipeline
• CodeBuild
• CodeDeploy
• CodeStar
Security
• CloudWatch
• Inspector
• WAF
• GuardDuty
• Macie
AWS AUTOMATION SERVICES
• Lambda – Serverless, event-driven compute service that runs code in response to specific events. A keystone of CaC.
• CloudFormation – Service for provisioning infrastructure as code (IaC).
• Config – Service for automated and continuous monitoring, logging and alerting of AWS resource configurations in alignment with defined and custom baselines.
• OpsWorks – Automated configuration management using either Chef or Puppet that gives you workflow automation for continuous deployment and automated testing for compliance and security of EC2 instances.
• Systems Manager – Centralized interface for managing AWS resources and automating tasks, providing insights including inventory and compliance management.
AWS CODING SERVICES
• AWS CodePipeline – Continuous integration and continuous delivery service for fast and reliable application and infrastructure updates.
• AWS CodeBuild – Fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy.
• AWS CodeDeploy – Automates code deployments to any instance, including Amazon EC2 instances and on-premises servers.
• AWS CodeStar – Enables you to quickly develop, build, and deploy applications on AWS.
AWS SECURITY SERVICES
• CloudWatch – Monitor AWS services and logs, provide metrics, generate alarms and react to specific events via API. Includes a dashboard and event-driven rules that can route to Lambda and SNS among other targets.
• Inspector – Automated security assessment service for AWS resources for evaluating application and system security against security benchmarks. Findings are available in the console, through reports, or by API for integrating directly into your CI/CD pipeline.
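The CloudWatch event rule routing to Lambda described above is also the mechanism behind the CRT idea of keeping a control "within an intended margin of acceptance" via guard rails built into it. The Python below is an added example written for this page (it is not code from the slides, from AWS or from Anitian): a Lambda handler behind a CloudWatch Events rule that receives Config "Config Rules Compliance Change" notifications, records every transition (the evidence trail), and only raises an alert on a new violation or on a violation whose documented exception has lapsed. The exception list, the DynamoDB key schema, the environment variable names and all ids and account numbers are assumptions; the sample events are constructed.

```python
from datetime import datetime

# Hypothetical documented exceptions: (rule name, resource id) -> expiry in UTC.
# While unexpired, the resource may stay NON_COMPLIANT without paging anyone,
# but every result is still recorded so the evidence trail stays complete.
EXCEPTIONS = {
    ("pci-sg-no-world-ingress", "sg-0exception000000001"): "2018-12-31T23:59:59Z",
}


def _ts(text):
    """Parse the UTC timestamp format CloudWatch Events uses in its payloads."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def make_event(resource_id, old, new, rule="pci-sg-no-world-ingress",
               time="2018-03-01T12:00:00Z", annotation=""):
    """Build a constructed event shaped like the 'Config Rules Compliance Change'
    notification from source aws.config; account number and ids are made up."""
    return {
        "version": "0",
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "account": "123456789012",
        "time": time,
        "region": "us-east-1",
        "detail": {
            "resourceId": resource_id,
            "awsRegion": "us-east-1",
            "awsAccountId": "123456789012",
            "configRuleName": rule,
            "resourceType": "AWS::EC2::SecurityGroup",
            "newEvaluationResult": {"complianceType": new, "annotation": annotation},
            # first evaluation of a resource carries no old result
            "oldEvaluationResult": {"complianceType": old} if old else None,
        },
    }


def classify_transition(old, new):
    """Name the transition so the routing rule reads as policy, not string compares."""
    if new == "NON_COMPLIANT":
        return "new_violation" if old != "NON_COMPLIANT" else "still_noncompliant"
    if new == "COMPLIANT":
        return "remediated" if old == "NON_COMPLIANT" else "compliant"
    return "not_applicable"


def handle_compliance_change(event):
    """Turn one compliance-change event into a results record plus a routing decision."""
    if event.get("source") != "aws.config" or \
            event.get("detail-type") != "Config Rules Compliance Change":
        raise ValueError("not a Config compliance change event")
    d = event["detail"]
    old = (d.get("oldEvaluationResult") or {}).get("complianceType", "NOT_APPLICABLE")
    new = d["newEvaluationResult"]["complianceType"]
    transition = classify_transition(old, new)
    expiry = EXCEPTIONS.get((d["configRuleName"], d["resourceId"]))
    excepted = expiry is not None and _ts(event["time"]) < _ts(expiry)
    expired = expiry is not None and not excepted
    # Page on a fresh violation, or on any violation whose exception has lapsed.
    notify = new == "NON_COMPLIANT" and not excepted and \
        (transition == "new_violation" or expired)
    return {
        # Hypothetical DynamoDB keys: one partition per account/region/rule,
        # sorted by resource and event time so history per resource is contiguous.
        "pk": "%s#%s#%s" % (d["awsAccountId"], d["awsRegion"], d["configRuleName"]),
        "sk": "%s#%s" % (d["resourceId"], event["time"]),
        "resourceType": d["resourceType"],
        "old": old, "new": new, "transition": transition,
        "annotation": d["newEvaluationResult"].get("annotation", ""),
        "excepted": excepted, "expiredException": expired, "notify": notify,
    }


def lambda_handler(event, context):
    """Lambda entry point: persist the record, then alert only when the policy says so.
    RESULTS_TABLE and ALERT_TOPIC are assumed environment variable names."""
    import os, boto3
    record = handle_compliance_change(event)
    boto3.resource("dynamodb").Table(os.environ["RESULTS_TABLE"]).put_item(Item=record)
    if record["notify"]:
        boto3.client("sns").publish(
            TopicArn=os.environ["ALERT_TOPIC"],
            Subject="Config violation: %s" % record["pk"],
            Message="%s is %s (%s): %s" % (record["sk"], record["new"],
                                          record["transition"], record["annotation"]),
        )
    return record
```

Keeping `handle_compliance_change` free of AWS calls is deliberate: the routing policy can be unit-tested against constructed events, and the expiring exception list is what turns a noisy control into a guard rail that still produces complete audit evidence.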
• WAF – A web application firewall that integrates with Shield, a managed DDoS service. WAF now supports marketplace rules from commercial WAF vendors for enhanced detection abilities.
• GuardDuty – New service providing automated and continuous threat detection.
• Macie – Machine learning for data inventory and classification for S3 data, ideal for regulatory compliance such as GDPR.
GUARDDUTY EXAMPLE
COMPLIANCE AS CODE STRATEGIES
• Config Compliance as Code Engine and Rules
• Anitian PCI-hardened AMIs
• Anitian PCI Architecture Cloud Formation Templates
CONFIG COMPLIANCE AS CODE ENGINE
• CloudFormation stack that deploys a CaC engine with managed rules for evaluating the compliance of AWS resources in a multi-account environment.
• Initial rulesets test against the AWS CAF Security Epics, and a baseline PCI ruleset developed in conjunction with Anitian.
• Uses DynamoDB to store results.
• Includes an analytics component for data extraction, transformation and visualization in Amazon QuickSight.
• https://github.com/awslabs/aws-config-engine-for-compliance-as-code
COMPLIANCE AS CODE MANAGED RULES
• 70+ rules that integrate with AWS Config, built against industry-standard security controls for AWS.
• https://github.com/awslabs/aws-config-rules
• PCI Rules
  • Top 7 PCI rules for validating compliance of AWS resources
  • Developed by AWS and Anitian Professional Services
  • Initial release at 2017 re:Invent
• New IDE reduces development of custom rules by a factor of 5 based on workshops at 2017 re:Invent
• https://pypi.python.org/pypi/rdk
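To make the "rules that integrate with AWS Config" concrete, here is an added example written for this page (not a rule from the awslabs repository, from the PCI ruleset or from Anitian): a custom Config rule in Python, in the shape Config expects from a Lambda-backed rule, that marks a security group NON_COMPLIANT when any ingress entry is reachable from the whole Internet on a port outside an allow-list, which is the kind of check the PCI DSS firewall requirements ask for. The configuration-item layout for security groups, the rule parameter name `allowedPublicPorts`, and all ids and timestamps are assumptions; the sample data is constructed.

```python
import json

# CIDRs that mean "the whole Internet"; ingress from these is world-reachable.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample security group (ids made up): HTTPS open to the world is
# expected for a web tier, SSH open to the world is not, MySQL from the VPC is fine.
SAMPLE_SG = {
    "groupId": "sg-0123456789abcdef0",
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
        {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
    ],
}

# Constructed sample of the event Config hands a custom rule's Lambda function.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2018-03-01T12:00:00.000Z",
            "configuration": SAMPLE_SG,
        },
    }),
    "ruleParameters": json.dumps({"allowedPublicPorts": "443"}),
    "resultToken": "constructed-token",
}


def _cidrs(permission):
    """Collect the CIDRs one ipPermissions entry grants, covering both the flat
    ipRanges list and the ipv4Ranges/ipv6Ranges object lists (layout assumed)."""
    cidrs = set(permission.get("ipRanges", []))
    cidrs.update(r.get("cidrIp") for r in permission.get("ipv4Ranges", []))
    cidrs.update(r.get("cidrIpv6") for r in permission.get("ipv6Ranges", []))
    return {c for c in cidrs if c}


def evaluate_security_group(configuration, allowed_public_ports):
    """Return (complianceType, annotation) for one security group configuration."""
    findings = []
    for perm in configuration.get("ipPermissions", []):
        world = _cidrs(perm) & WORLD_CIDRS
        if not world:
            continue  # only reachable from specific networks: not our concern here
        src = ",".join(sorted(world))
        proto = perm.get("ipProtocol")
        if proto == "-1":  # "-1" is how the API spells "all protocols and ports"
            findings.append("all traffic from %s" % src)
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None or lo < 0:  # no port range (e.g. ICMP): treat as open
            findings.append("%s (all ports) from %s" % (proto, src))
            continue
        if not set(range(lo, hi + 1)) <= allowed_public_ports:
            findings.append("%s %d-%d from %s" % (proto, lo, hi, src))
    if findings:
        return "NON_COMPLIANT", "World-reachable ingress: " + "; ".join(findings)
    return "COMPLIANT", "No world-reachable ingress outside allowed ports"


def build_evaluation(event):
    """Parse the Config invocation and build one PutEvaluations entry (no AWS calls)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = {int(p) for p in params.get("allowedPublicPorts", "443").split(",") if p.strip()}
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "Rule evaluates security groups only"
    elif item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "Resource was deleted"
    else:
        compliance, note = evaluate_security_group(item["configuration"], allowed)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: report the result back to Config with the resultToken."""
    import boto3  # only needed inside Lambda; the evaluation above runs anywhere
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation
```

The split between `evaluate_security_group`/`build_evaluation` and the thin `lambda_handler` is what makes the rule testable offline: the allow-list arrives as a rule parameter, so the same function serves a web tier (443 only) and an internal tier (no public ports) without a code change, and the annotation carries the evidence an assessor wants to see.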
CONFIG COMPLIANCE AS CODE PCI RULES
COMPLIANCE AS CODE SECURITY EPICS RULES
ANITIAN HARDENED AMIS
• Hardened images of all AWS-supported server distributions, available as a base server or web server configuration.
• Configured in alignment with industry best practices of host hardening, and specifically to address the requirements of the PCI DSS.
• Contains a host-hardening standard on the filesystem, documenting what changes have been made from the defaults, as required by PCI DSS.
• https://aws.amazon.com/marketplace/seller-profile?id=31e28297-b7d4-416f-b454-59f1d0aa8865
ANITIAN PCI CLOUD FORMATION TEMPLATES
• Use Infrastructure as Code to automatically deploy a PCI compliant environment.
• Modeled after the “Dedicated” reference architecture in Anitian's PCI DSS workbook.
• https://d0.awsstatic.com/.../AWS_Anitian_Workbook_PCI_Cloud_Compliance.pdf
• Deploys an e-commerce website hosted in a dedicated Amazon AWS account and contained in a single, private network.
• Coming soon in the AWS Marketplace.
• https://aws.amazon.com/marketplace/seller-profile?id=31e28297-b7d4-416f-b454-59f1d0aa8865
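Deploying a PCI environment from templates only stays compliant if the templates themselves are held to the control intent, which is the "Constrained" half of treating infrastructure as code under Security by Design. The Python below is an added example for this page (not Anitian's templates and not an AWS tool): a pre-deployment gate, of the kind a CodePipeline stage would run, that walks a CloudFormation template in its JSON form and checks a small encryption-and-exposure policy against each resource, flagging values it cannot decide because they are intrinsic functions resolved only at deploy time. The policy table, the sample template and its logical ids are assumptions; YAML templates would need a loader first.

```python
import json
import sys

# Hypothetical policy: resource type -> (property, required value, message).
# A required value of None means "the property must be present".
POLICY = {
    "AWS::RDS::DBInstance": [
        ("StorageEncrypted", True, "database storage must be encrypted at rest"),
        ("PubliclyAccessible", False, "database must not be publicly accessible"),
    ],
    "AWS::EC2::Volume": [("Encrypted", True, "EBS volume must be encrypted")],
    "AWS::S3::Bucket": [("BucketEncryption", None, "bucket must declare default encryption")],
    "AWS::ElasticLoadBalancingV2::Listener": [
        ("Protocol", "HTTPS", "load balancer listeners must terminate TLS")],
}

# Constructed sample template: one encrypted but public database, one bucket
# without default encryption, one TLS listener, one volume whose encryption
# flag is a parameter reference, and one resource the policy does not cover.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"EncryptVolumes": {"Type": "String", "Default": "true"}},
    "Resources": {
        "CardholderDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "mysql", "StorageEncrypted": "true", "PubliclyAccessible": True}},
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "VersioningConfiguration": {"Status": "Enabled"}}},
        "WebListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {
            "Protocol": "HTTPS", "Port": 443}},
        "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "Size": 100, "Encrypted": {"Ref": "EncryptVolumes"}}},
        "AppSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {"CidrBlock": "10.0.1.0/24"}},
    },
}


def _is_intrinsic(value):
    """True for {"Ref": ...} or {"Fn::...": ...}, whose value is only known at deploy time."""
    if not isinstance(value, dict) or len(value) != 1:
        return False
    key = next(iter(value))
    return key == "Ref" or key.startswith("Fn::")


def _normalize(value):
    """CloudFormation accepts booleans as JSON booleans or as the strings "true"/"false"."""
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def check_template(template):
    """Return findings as (severity, logical id, message); severity is FAIL or UNRESOLVED."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rules = POLICY.get(resource.get("Type"))
        if not rules:
            continue  # no policy for this resource type
        props = resource.get("Properties", {})
        for prop, required, message in rules:
            value = props.get(prop)
            if required is None:
                if value is None:
                    findings.append(("FAIL", logical_id, message))
            elif _is_intrinsic(value):
                findings.append(("UNRESOLVED", logical_id,
                                 "%s depends on %s; verify the parameter value" % (prop, next(iter(value)))))
            elif _normalize(value) != required:
                findings.append(("FAIL", logical_id, "%s (%s=%r)" % (message, prop, value)))
    return findings


def gate(template):
    """Pipeline gate: deployment may proceed only when there are no FAIL findings."""
    return not any(severity == "FAIL" for severity, _, _ in check_template(template))


if __name__ == "__main__":
    # Run against a template file given on the command line, or the sample.
    tpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for finding in check_template(tpl):
        print("%-10s %-14s %s" % finding)
    sys.exit(0 if gate(tpl) else 1)
```

UNRESOLVED findings are reported separately on purpose: failing the build on a parameter reference would push teams toward hard-coding, while silently passing it would let an `EncryptVolumes=false` deployment through, so the gate surfaces the dependency and leaves the decision to a reviewer (or to a Config rule after deployment).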
FINAL THOUGHTS
• Integrate Security by Design when architecting your environment.
• Identify all compliance requirements and automate implementation, validation, monitoring and reporting wherever possible.
• Publish and iterate; don’t let perfection be the enemy of good.
EMAIL: [email protected]
TWITTER: @adam_gaydosh
@AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN