2. What for today
A sharing from a Misfit insider on
Cost controlling
Compliance: PCI, ISO 27001, HIPAA
In a storytelling manner
Not a “how-to,” more of a “how it has been” (aka. “how my life has been effed up”)
7. Learned Lessons
Separate AWS accounts for different environments
Tag your resources
By asking yourself, e.g.:
How much does this project cost?
How much does this team cost?
Who is handling this specific resource?
---> suggested tags
8. Learned Lessons (cont.)
Simplify conversation with non-AWS folks, e.g.:
using the approximate understandable unit cost: dollars/EC2-hours
EC2 cost last month: $1.3K
EC2 hours last month: 7K hours
Approx. EC2 unit cost: 1.3/7 = 0.19 $/hour
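The tagging and unit-cost ideas from these two slides, as an added example that is not part of the original talk: the billing line items are constructed to mimic per-resource cost-report rows, and the tag keys `project`, `team` and `owner` are the ones the slide suggests asking about.

```python
"""Tag-based cost attribution plus an approximate $/EC2-hour unit cost.

Added example, not from the talk. Billing records below are constructed
to look like per-resource line items from an AWS cost report.
"""
from collections import defaultdict

REQUIRED_TAGS = ("project", "team", "owner")

# Constructed sample: one month of EC2 line items (cost in USD, usage in hours).
SAMPLE_ITEMS = [
    {"id": "i-0a1", "cost": 520.0, "hours": 2800, "tags": {"project": "wearable-api", "team": "backend", "owner": "alice"}},
    {"id": "i-0b2", "cost": 410.0, "hours": 2100, "tags": {"project": "wearable-api", "team": "backend", "owner": "bob"}},
    {"id": "i-0c3", "cost": 250.0, "hours": 1400, "tags": {"project": "analytics", "team": "data", "owner": "carol"}},
    {"id": "i-0d4", "cost": 120.0, "hours": 700, "tags": {"team": "data"}},  # project/owner tags missing
]

def missing_tags(item):
    """Return the required tag keys this resource lacks."""
    return [k for k in REQUIRED_TAGS if k not in item["tags"]]

def cost_by_tag(items, tag_key):
    """Sum cost per value of tag_key; spend without that tag lands under 'UNTAGGED'."""
    totals = defaultdict(float)
    for item in items:
        totals[item["tags"].get(tag_key, "UNTAGGED")] += item["cost"]
    return dict(totals)

def unit_cost(items):
    """Approximate $/EC2-hour over all items, the slide's 1.3K$/7K h = 0.19 figure."""
    hours = sum(i["hours"] for i in items)
    return round(sum(i["cost"] for i in items) / hours, 2) if hours else 0.0

def report(items):
    """Answer the slide's questions: cost per project, per team, who owns what, and the unit cost."""
    return {
        "by_project": cost_by_tag(items, "project"),
        "by_team": cost_by_tag(items, "team"),
        "untagged": {i["id"]: missing_tags(i) for i in items if missing_tags(i)},
        "unit_cost_per_hour": unit_cost(items),
    }

if __name__ == "__main__":
    for key, value in report(SAMPLE_ITEMS).items():
        print(key, value)
```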
9. Learned Lessons (cont.)
Never underestimate 3rd parties for cost management / cloud governance
Spend $2K to save $10K, why not?
These vendors have their own ways of evaluating, and they make guarantees
12. Why compliance?
WHEN NON-COMPLIANT
YOU: “We have a secure environment, for the organization in general, and the development team specifically. We protect customer data by encrypting … ^%& $#$ % )(*&*&”
POTENTIAL CLIENT: “Well …. Let’s see how it REALLY is ...”
13. Why compliance?
WHEN COMPLIANT
YOU: “We are PCI complia...”
POTENTIAL CLIENT: “SHUT UP AND TAKE MY !!!”
15. What is ...
ISO/IEC 27001
(International Organization for Standardization / International Electrotechnical Commission 27001)
A management framework to protect business-critical information
Via a set of control areas
Information Security Policies
Organization of Information Security
Human Resource Security
Asset management
Access control
16. What is ...
PCI DSS
(Payment Card Industry Data Security Standard)
A proprietary information security standard for organizations that handle
branded credit cards (e.g., Visa, MasterCard, American Express, Discover, JCB)
The goal is to increase controls around cardholder data to reduce credit card fraud
by ensuring that ALL companies that process, store or transmit credit card information maintain a secure environment
17. What is ...
HIPAA
(Health Insurance Portability and Accountability Act)
The law to protect the confidentiality and security of healthcare information
Further background
for the United States
signed into law in 1996
Our understanding: Personally Identifiable Information (PII) & Protected Health Information (PHI) need to be protected
19. ISO protects your business information
PCI protects payment card data
HIPAA protects health and personal data
20. Common approach
1. Form up a compliance team
(with/without a consultant)
2. Conduct gap assessment
3. Identify sub-projects and personnel
4. Implement
5. Maintain
(Documents, evidence needed)
6. Assess for compliance
(By an independent qualified assessor)
21. How we do
ISO / PCI / HIPAA (overlapping requirements)
● Prioritize and work on the projects/items in common first
● Deal with the rest later
Examples:
● Server/software patching process (ISO & PCI)
● Data encryption (HIPAA & ISO)
22. What we do
1. Form up a compliance team
(with/without a consultant)
2. Conduct gap assessment
3. Identify sub-projects and personnel
4. Implement
5. Maintain
(Documents, evidence needed)
6. Assess for compliance
(By an independent qualified assessor)
23. What we do (#4. Implementation)
Build up UTM (Unified Threat Management) system
VPN
IDS/IPS (Intrusion Detection/Intrusion Prevention Systems)
Eliminate public IP addresses of EC2 instances
Perform access control for AWS environments, servers, databases, systems
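A check for the “eliminate public IP addresses of EC2 instances” item, as an added example that is not from the talk: it walks the dictionary shape returned by boto3’s `ec2.describe_instances()` (Reservations → Instances), so the same function can be pointed at a real response; the response below is constructed so the check runs offline.

```python
"""Find EC2 instances that still carry a public IPv4 address.

Added example, not from the talk. SAMPLE_RESPONSE is constructed in the
shape of boto3's ec2.describe_instances() output; in practice pass the
real response, e.g. boto3.client("ec2").describe_instances().
"""

def name_of(instance):
    """Return the Name tag, or the InstanceId when no Name tag is present."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value")
    return instance["InstanceId"]

def public_addresses(instance):
    """Collect every public IPv4 on the instance: primary address or any ENI association."""
    addrs = set()
    if instance.get("PublicIpAddress"):
        addrs.add(instance["PublicIpAddress"])
    for eni in instance.get("NetworkInterfaces", []):
        assoc = eni.get("Association") or {}
        if assoc.get("PublicIp"):
            addrs.add(assoc["PublicIp"])
    return sorted(addrs)

def find_public_instances(response):
    """Return {display name: [public IPs]} for non-terminated instances exposed on a public IP."""
    exposed = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            addrs = public_addresses(inst)
            if addrs:
                exposed[name_of(inst)] = addrs
    return exposed

# Constructed sample: one private instance, one with a primary public IP, one exposed only via an ENI.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-private01", "State": {"Name": "running"}, "PrivateIpAddress": "10.0.1.10",
     "NetworkInterfaces": [{}], "Tags": [{"Key": "Name", "Value": "db-01"}]},
    {"InstanceId": "i-public02", "State": {"Name": "running"}, "PublicIpAddress": "203.0.113.7",
     "PrivateIpAddress": "10.0.1.11", "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.7"}}],
     "Tags": [{"Key": "Name", "Value": "web-02"}]},
    {"InstanceId": "i-eni03", "State": {"Name": "running"}, "PrivateIpAddress": "10.0.1.12",
     "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.9"}}]},
]}]}

if __name__ == "__main__":
    for name, ips in find_public_instances(SAMPLE_RESPONSE).items():
        print(f"{name}: public IP(s) {', '.join(ips)} -- move behind the VPN/UTM")
```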
24. What we do (#4, cont.)
Adapt coding standards (e.g., OWASP Top 10, OWASP Secure Coding Practices)
Conduct annual trainings for employees on the standards
25. What we do (#4, cont.)
Collect and audit system logs
Vulnerability scanning/patching
Establish server/software patching process
Perform and keep track of vulnerability scans/pen tests
Remediate vulnerabilities found
Proactively patch our systems based on the security announcements
26. What we do (#4, cont.)
Review and control access to source codes
HR-workflow involved
Build up golden images for employees’ computers
The same for servers
How to deal with different requirements of departments?
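The “review and control access to source codes, HR-workflow involved” item (and the code-repository access example mentioned at the end of the deck) as an added example, not from the talk: the HR roster and repository collaborator list are constructed; in practice the roster comes from the HR system and the collaborator list from the repository host’s API.

```python
"""Reconcile source-repository access with the HR roster.

Added example, not from the talk. Flags collaborators HR does not know
(leavers or contractors whose access outlived the HR workflow) and write
or admin access held outside the repository's owning team.
"""

# Constructed HR roster: current employment status and team for each account.
HR_ROSTER = {
    "alice": {"status": "active", "team": "backend"},
    "bob": {"status": "active", "team": "data"},
    "carol": {"status": "terminated", "team": "backend"},
}

# Constructed repository access list: repo -> owning team and collaborator permissions.
REPO_ACCESS = {
    "wearable-api": {
        "owner_team": "backend",
        "collaborators": {"alice": "admin", "bob": "write", "carol": "write", "zed": "read"},
    },
}

WRITE_LEVELS = ("write", "admin")

def access_findings(roster, repos):
    """Return (repo, user, issue) tuples for every collaborator whose access violates policy."""
    findings = []
    for repo, info in repos.items():
        for user, perm in info["collaborators"].items():
            person = roster.get(user)
            if person is None:
                findings.append((repo, user, "not in HR roster"))
            elif person["status"] != "active":
                findings.append((repo, user, "HR status is %s" % person["status"]))
            elif perm in WRITE_LEVELS and person["team"] != info["owner_team"]:
                findings.append((repo, user, "%s access from outside team %s" % (perm, info["owner_team"])))
    return findings

if __name__ == "__main__":
    for repo, user, issue in access_findings(HR_ROSTER, REPO_ACCESS):
        print(f"{repo}: {user}: {issue}")
```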
27. What we do (#4, cont.)
Offices’ IT infrastructure
Other non-cloud non-technical requirements
Door access controlling
HR, again
Paper shredders (wait, what?)
29. What we confront
The amount of work itself, and time to complete, of course
---> Careful planning and incremental work needed
---> Review your progress, resources frequently
The awareness of other teams who indeed need to be involved
They simply don’t get what you are doing
They already have enough on their plate
---> Simple, repeated communication is the key
FUTURE
Misfit finds its unique position as the futurist in the family
FASHION
We see our position as being the perfect accessory to a fashionable life
WELLNESS
Misfit has its origins in wellness, beginning with our initial fitness-based innovations. At our core, we are driven by the will to inspire change and improve lives—a far broader mission than fitness. We consider the entire picture: exercise, sleep, nutrition, and even the environment. Healthy living, sum total.
INTELLIGENCE
Misfit is rooted in intelligence. We invest in the humans, the technology, and the data that drive our connection to the world around us. We inhale and exhale that intelligence—a constant dialogue of learning and teaching, giving and receiving, pushing and pulling—to drive the insights and inspirations of our next innovations.
Depends on specific organization, might need:
Leadership awareness
Cost planning
etc.
Cover implementation only
Communication example: Code repository access management (“ISO requirements” vs. “protect our products”)