SlideShare uma empresa Scribd logo

Winning Governance Strategies for the Technology Disruptions of our Time

Transferir como PPTX, PDF
C
CloudHesive

Winning Governance Strategies for the Technology Disruptions of our Time

Tecnologia
1 de 28
Winning Governance Strategies for the Technology Disruptions of our Time ISACA South Florida Annual GRC Conference June 22, 2018 Patrick Hannah, VP of Engineering, CloudHesive
About Me • Who am I? • What’s my background?
About CloudHesive • Professional Services – Assessment (Current environment, datacenter or cloud footprint) – Strategy (Getting to the future state) – Migration (Environment-to-cloud, Datacenter-to-cloud) – Implementation (Point solutions) – Support (Break/fix and ongoing enhancement) • DevOps Services – Assessment – Strategy – Implementation (Point solutions) – Management (Supporting infrastructure, solutions or ongoing enhancement) – Support (Break/fix and ongoing enhancement) • Managed Security Services (SecOps) – Encryption as a Service (EaaS) – encryption at rest and in flight – End Point Security as a Service – Threat Management – SOC II Type 2 Validated • Next Generation Managed Services – Leveraging our Professional, DevOps and Managed Security Services – Single payer billing – Intelligent operations and automation – AWS Audited
Agenda • Disruptive technology history • Challenges faced in GRC by disruptive technologies • Brief introduction to AWS • Introduction of Shared Responsibility models, specifically around Cloud Computing and AWS • Overview of AWS Frameworks that can be leveraged by Security and Compliance teams for GRC with technology disruptors • Overview of AWS Services that can be leveraged to support GRC on AWS • Overview of AWS Reference Architectures that align to a number of Frameworks and leverage the previously referenced AWS Services • Conclusion
Disruptive Technology History • Then – Storage – Communications – Computing – Transportation – Manufacturing – Discreet Components • Now – Social – Mobile – Analytics/Big Data/AI – Cloud – Smart Things/IoT – Blockchain
Challenges faced in GRC by disruptive technologies • Endpoints – From a single, non network connected computing device to multiple (desktops, laptops, tablets, mobile phones), mixed platforms – Smart Appliances (Kitchen, TV, etc.), Consumer IoT (Smart Home, Alexa, Dash, etc.), Commercial/Industrial IoT (Environmental, Manufacturing, etc.), also mixed platforms • Data – Wider breadth of sources, formats, and technologies to ingest, process, store, retrieve, analyze and display – Growth in the four v’s (volume, variety, velocity and veracity) • Policy – Attempting to apply legacy policies to disruptive technologies – Looked at as not agile/slow to adopt disruptive technologies/slow to apply to disruptive technologies • Shadow IT – The nature of disruptive technologies supports the adoption of them by non IT users – Disruptive technologies tend to be enablers to avoid traditional methods of acquisition
Who is using AWS (US and Abroad)? • Federal Government • Government-Sponsored Enterprise • State • Local • Higher Education • K-12 • Non-Profit • Private Sector
GovCloud • Additional Assurance Programs Above and Beyond other AWS Regions – ITAR – FedRAMP ATO (High for GovCloud, Medium for us-east/west) – DoD SRG (2,4,5 for GovCloud, 2 for us-east/west) • General – Separate Endpoints (utilize FIPS 140-2 approved cryptographic modules) – Separate Namespace – Separate Authentication (Tied to a non-GovCloud account for billing purposes - no Root Account) – 46 of the 127 AWS Services Available (EC2 Classic not Available) – US Citizen only Access • Physical Location – Northwestern US – Eastern US (forthcoming)
AWS Shared Responsibility Model
Cloud Adoption Framework • Perspectives – Business • Value Realization – People • Roles & Readiness – Governance • Prioritization & Control – Platform • Applications & Infrastructure – Security • Risk & Compliance – Operations • Manage & Scale
Well Architected Framework • Operational Excellence • Security • Reliability • Performance Efficiency • Cost Optimization
General Design Principles • Stop guessing your capacity needs • Test systems at production scale • Automate to make architectural experimentation easier • Allow for evolutionary architectures • Drive architectures using data • Improve through game days
Operational Excellence • Design Principles – Perform operations as code – Annotate documentation – Make frequent, small, reversible changes – Refine operations procedures frequently – Anticipate failure – Learn from all operational failures • Best Practices – Prepare – Operate – Evolve
Security • Design Principles – Implement a strong identity foundation – Enable traceability – Apply security at all layers – Automate security best practices – Protect data in transit and at rest – Prepare for security events • Best Practices – Identity and Access Management – Detective Controls – Infrastructure Protection – Data Protection – Incident Response
Reliability • Design Principles – Test recovery procedures – Automatically recover from failure – Scale horizontally to increase aggregate system availability – Stop guessing capacity – Manage change in automation • Best Practices – Foundations – Change Management – Failure Management
Performance Efficiency • Design Principles – Democratize advanced technologies – Go global in minutes – Use serverless architectures – Experiment more often – Mechanical sympathy • Best Practices – Selection – Review – Monitoring – Tradeoffs
Cost Optimization • Design Principles – Adopt a consumption model – Measure overall efficiency – Stop spending money on data center operations – Analyze and attribute expenditure – Use managed services to reduce cost of ownership • Best Practices – Cost-Effective Resources – Matching Supply and Demand – Expenditure Awareness – Optimizing Over Time
Sample Implementation • “NIST Quickstart” • Based on Cybersecurity Framework, SP 800-53, SP 800-37 • Corresponding Guide + Controls Matrix • CIS and PCI Variants Available • Good starting point
Supporting Services • VPC: Security Groups (Stateful Firewall) + NACLs (Stateless Firewall) • VPC: Flow Logs (NetFlow) • VPC: VGW (Point to Point and IPSEC Connectivity) + Peering (VPC to VPC Connectivity) + Endpoints (Private Connectivity to AWS Services) • VPC: NAT Gateway (Private to Public IP Address NAT’ing) • EC2: Patch Manager (OS and above patching + auditing) • EC2: Parameter Store (Secure Storage of Service Accounts)
Supporting Services • S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention • Code Commit/ECS: Secure Application and Artifact Repository • Code Deploy/Run Command: “Hands off” OS and configuration management + application deployment • CloudWatch Logs: OS and above log management • CloudWatch Events + Lambda: Event triggered code • CloudTrail: Audit Trail, Exportable as JSON to idempotent storage
Supporting Services • Config: Point in time snapshots of configuration items, Exportable as JSON to idempotent storage • OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management • CloudFormation: Infrastructure automation described as JSON/YAML, Version Controllable • IAM + Directory Service + SSO: Standalone and Federated AAA • KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS services, provides expiration and ability to provide self-generated cryptographic material • CloudHSM: FIPS 140-2 Certified cryptographic module with PKCS11 and JCE Interfaces
Supporting Services • Certificate Manager: Secure Certificate Store • Workspaces: Secure Bastion • WAF: Layer 7 WAF • Shield + AutoScaling + ELB + Cloud Front: DoS/DDoS Protection • Artifact: AWS Audit Reports available on demand • Tags: Built-in asset + inventory marking and tracking on configuration items • Service Catalog: Predefined configurations available to end users, can be integrated to ITSM system
Enforcement • AWS – Guard Duty – Inspector – Macie – Trusted Advisor – Config Rules – Various “Widgets” • Third Party – CIS CAT – CloudCheckr – AlertLogic – Tenable
Conclusion • AWS provides a number of services to support your frameworks + controls, in addition to core infrastructure (server + storage) capabilities. • AWS provides guidance (in the form of the CAF and WAF) for organizations which do not have an existing framework to base their cloud adoption model on. • Getting started on AWS is easy; with the free tier, you can experiment with a number of services without incurring significant cost. • Adoption of AWS in your organization can be as easy or as hard as you want to make it; start simple and iterate.
Recommended Reading • AWS Well Architected Framework – https://aws.amazon.com/architecture/well-architected/ • AWS Cloud Adoption Framework – https://aws.amazon.com/professional-services/CAF/ • AWS Cloud Transformation Maturity Model – https://d0.awsstatic.com/whitepapers/AWS-Cloud-Transformation-Maturity-Model.pdf • Shared Responsibility Model – https://aws.amazon.com/compliance/shared-responsibility-model/ • Operational Checklists for AWS – https://d1.awsstatic.com/whitepapers/aws-operational-checklists.pdf • Introduction to Auditing the Use of AWS – https://d1.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf
Further Learning • Getting Started: https://aws.amazon.com/getting-started • General Reference: http://docs.aws.amazon.com/general/latest/gr • Global Infrastructure: https://aws.amazon.com/about-aws/global-infrastructure/ • FAQs: https://aws.amazon.com/faqs • Documentation: https://aws.amazon.com/documentation/ • Architecture: https://aws.amazon.com/architecture • Whitepapers: https://aws.amazon.com/whitepapers • Security: https://aws.amazon.com/security • Blog: https://aws.amazon.com/blogs • Service Specific Pages: https://aws.amazon.com/service • AWS Answers: https://aws.amazon.com/answers/ • AWS Knowledge Center: https://aws.amazon.com/premiumsupport/knowledge-center/ • SlideShare: http://www.slideshare.net/AmazonWebServices • Github: https://github.com/aws and https://github.com/awslabs
Further Learning – Security • http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active- Directory-ADFS-and-SAML-2-0 • http://blogs.aws.amazon.com/security/post/Tx1LDN0UBGJJ26Q/How-to-Implement-Federated-API-and-CLI- Access-Using-SAML-2-0-and-AD-FS • http://blogs.aws.amazon.com/security/post/Tx2KL0TCWFBBAB1/How-to-Use-a-Single-IAM-User-to-Easily-Access- All-Your-Accounts-by-Using-the-AWS • http://blogs.aws.amazon.com/security/post/Tx1XWZ93EAFL9C4/How-to-Switch-Easily-Between-AWS-Accounts-by- Using-the-AWS-Management-Console-an • http://blogs.aws.amazon.com/security/post/Tx4BUZIS3E2QG2/Make-a-New-Year-s-Resolution-Adhere-to-IAM-Best- Practices • http://blogs.aws.amazon.com/security/post/TxASQFTVGZ5HMT/How-to-Receive-Alerts-When-Your-IAM- Configuration-Changes • http://blogs.aws.amazon.com/security/post/Tx3PSPQSN8374D/How-to-Receive-Notifications-When-Your-AWS- Account-s-Root-Access-Keys-Are-Used • http://blogs.aws.amazon.com/security/post/Tx3NVS2JAL7KWOM/How-to-Help-Prepare-for-DDoS-Attacks-by- Reducing-Your-Attack-Surface • http://blogs.aws.amazon.com/security/post/Tx280RX2WH6WUD7/Remove-Unnecessary-Permissions-in-Your-IAM- Policies-by-Using-Service-Last-Access • http://www.slideshare.net/AmazonWebServices/network-security-and-access-control-within-aws-54456790 • http://www.slideshare.net/AmazonWebServices/cloud-security-guidance-from-cesg-and-aws
Meetups • Boca Raton: https://www.meetup.com/awsflorida/ • Doral: https://www.meetup.com/AWSUserGroupDoral/ • Fort Lauderdale: https://www.meetup.com/South-Florida-Amazon-Web-Services-Meetup/ • Jacksonville: https://www.meetup.com/AWS-User-Groups-of-Florida-Jacksonville/ • Miami: https://www.meetup.com/Miami-AWS-Users-Group/ • Miami Beach: https://www.meetup.com/aws-user-group-miami/ • Orlando: https://www.meetup.com/Orlando-AWS-Users-Group/ • Palm Beach Gardens: https://www.meetup.com/AWS-Users-Group-of-Florida-Palm-Beach- Gardens/ • Tampa: https://www.meetup.com/Tampa-AWS-Users-Group/ • Montevideo, Uruguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-AWS-en- Montevideo/ • Asuncion, Paraguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-en-Asuncion/ • South Florida Jenkins Area Meetup: https://www.meetup.com/South-Florida-Jenkins-Area-Meetup/

Recomendados

Fort Lauderdale Tech Talks - The Future is the Cloud
Fort Lauderdale Tech Talks - The Future is the CloudFort Lauderdale Tech Talks - The Future is the Cloud
Fort Lauderdale Tech Talks - The Future is the Cloud
CloudHesive
 
Operating and Managing Hybrid Cloud on AWS
Operating and Managing Hybrid Cloud on AWSOperating and Managing Hybrid Cloud on AWS
Operating and Managing Hybrid Cloud on AWS
Tom Laszewski
 
Cost Optimization at Scale
Cost Optimization at ScaleCost Optimization at Scale
Cost Optimization at Scale
Amazon Web Services
 
AWS 101 - An Introduction to the Amazon Cloud
AWS 101 - An Introduction to the Amazon CloudAWS 101 - An Introduction to the Amazon Cloud
AWS 101 - An Introduction to the Amazon Cloud
CloudHesive
 
Big Data and Machine Learning on AWS
Big Data and Machine Learning on AWSBig Data and Machine Learning on AWS
Big Data and Machine Learning on AWS
CloudHesive
 
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...
Amazon Web Services
 
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa: Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Amazon Web Services
 
AWS 2020 Year in Review reInvent ReCap
AWS 2020 Year in Review reInvent ReCapAWS 2020 Year in Review reInvent ReCap
AWS 2020 Year in Review reInvent ReCap
CloudHesive
 

Recomendados

Fort Lauderdale Tech Talks - The Future is the Cloud
Fort Lauderdale Tech Talks - The Future is the CloudFort Lauderdale Tech Talks - The Future is the Cloud
Fort Lauderdale Tech Talks - The Future is the Cloud
CloudHesive
 
Operating and Managing Hybrid Cloud on AWS
Operating and Managing Hybrid Cloud on AWSOperating and Managing Hybrid Cloud on AWS
Operating and Managing Hybrid Cloud on AWS
Tom Laszewski
 
Cost Optimization at Scale
Cost Optimization at ScaleCost Optimization at Scale
Cost Optimization at Scale
Amazon Web Services
 
AWS 101 - An Introduction to the Amazon Cloud
AWS 101 - An Introduction to the Amazon CloudAWS 101 - An Introduction to the Amazon Cloud
AWS 101 - An Introduction to the Amazon Cloud
CloudHesive
 
Big Data and Machine Learning on AWS
Big Data and Machine Learning on AWSBig Data and Machine Learning on AWS
Big Data and Machine Learning on AWS
CloudHesive
 
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...
Understanding AWS Managed Databases and Analytic Services - AWS Innovate Otta...
Amazon Web Services
 
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa: Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Key Considerations for Cloud Procurement - AWS Innovate Ottawa:
Amazon Web Services
 
AWS 2020 Year in Review reInvent ReCap
AWS 2020 Year in Review reInvent ReCapAWS 2020 Year in Review reInvent ReCap
AWS 2020 Year in Review reInvent ReCap
CloudHesive
 
Cloud Adoption Framework - AWS Innovate Ottawa:
Cloud Adoption Framework - AWS Innovate Ottawa: Cloud Adoption Framework - AWS Innovate Ottawa:
Cloud Adoption Framework - AWS Innovate Ottawa:
Amazon Web Services
 
Cloud Economics: il Business Case per la Cloud Migration
Cloud Economics: il Business Case per la Cloud MigrationCloud Economics: il Business Case per la Cloud Migration
Cloud Economics: il Business Case per la Cloud Migration
Amazon Web Services
 
Building your Cloud Strategy
Building your Cloud StrategyBuilding your Cloud Strategy
Building your Cloud Strategy
Amazon Web Services
 
AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...
AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...
AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...
Amazon Web Services
 
Considerations for your Cloud Journey
Considerations for your Cloud JourneyConsiderations for your Cloud Journey
Considerations for your Cloud Journey
Amazon Web Services
 
Come costruire apllicazioni "12-factor microservices" in AWS
Come costruire apllicazioni "12-factor microservices" in AWSCome costruire apllicazioni "12-factor microservices" in AWS
Come costruire apllicazioni "12-factor microservices" in AWS
Amazon Web Services
 
Getting started on your AWS migration journey
Getting started on your AWS migration journeyGetting started on your AWS migration journey
Getting started on your AWS migration journey
Amazon Web Services
 
From Monolithic to Modern Apps: Best Practices
From Monolithic to Modern Apps: Best PracticesFrom Monolithic to Modern Apps: Best Practices
From Monolithic to Modern Apps: Best Practices
Tom Laszewski
 
AWS Technical Due Diligence Workshop Session Two
AWS Technical Due Diligence Workshop Session TwoAWS Technical Due Diligence Workshop Session Two
AWS Technical Due Diligence Workshop Session Two
Tom Laszewski
 
AWS 101 and the benefits of Migrating to the Cloud
AWS 101 and the benefits of Migrating to the CloudAWS 101 and the benefits of Migrating to the Cloud
AWS 101 and the benefits of Migrating to the Cloud
CloudHesive
 
Expanding Your Data Center with Hybrid Cloud Infrastructure
Expanding Your Data Center with Hybrid Cloud InfrastructureExpanding Your Data Center with Hybrid Cloud Infrastructure
Expanding Your Data Center with Hybrid Cloud Infrastructure
Amazon Web Services
 
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
Tom Laszewski
 
AWS Innovate Ottawa: Security & Compliance
AWS Innovate Ottawa: Security & ComplianceAWS Innovate Ottawa: Security & Compliance
AWS Innovate Ottawa: Security & Compliance
Amazon Web Services
 
Application Modernization using the Strangler Pattern
Application Modernization using the Strangler PatternApplication Modernization using the Strangler Pattern
Application Modernization using the Strangler Pattern
Tom Laszewski
 
AWS Enterprise Day | Running Critical Business Applications on AWS
AWS Enterprise Day | Running Critical Business Applications on AWSAWS Enterprise Day | Running Critical Business Applications on AWS
AWS Enterprise Day | Running Critical Business Applications on AWS
Amazon Web Services
 
AWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWS
AWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWSAWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWS
AWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWS
Amazon Web Services
 
When Clouds Collide - Session Sponsored by Datacom
When Clouds Collide - Session Sponsored by DatacomWhen Clouds Collide - Session Sponsored by Datacom
When Clouds Collide - Session Sponsored by Datacom
Amazon Web Services
 
Cloud Economics: The Financial Case for Cloud Migration
Cloud Economics: The Financial Case for Cloud MigrationCloud Economics: The Financial Case for Cloud Migration
Cloud Economics: The Financial Case for Cloud Migration
Amazon Web Services
 
Azure vs AWS
Azure vs AWSAzure vs AWS
Azure vs AWS
Josh Lane
 
Cloud Migration: A How-To Guide
Cloud Migration: A How-To GuideCloud Migration: A How-To Guide
Cloud Migration: A How-To Guide
Amazon Web Services
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public Cloud
CloudHesive
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
CloudHesive
 

Mais conteúdo relacionado

Mais procurados

AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...
AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...
AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...
Amazon Web Services
 
AWS Enterprise Day | Running Critical Business Applications on AWS
AWS Enterprise Day | Running Critical Business Applications on AWSAWS Enterprise Day | Running Critical Business Applications on AWS
AWS Enterprise Day | Running Critical Business Applications on AWS
Amazon Web Services
 
AWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWS
AWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWSAWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWS
AWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWS
Amazon Web Services
 
When Clouds Collide - Session Sponsored by Datacom
When Clouds Collide - Session Sponsored by DatacomWhen Clouds Collide - Session Sponsored by Datacom
When Clouds Collide - Session Sponsored by Datacom
Amazon Web Services
 

Mais procurados (20)

Cloud Adoption Framework - AWS Innovate Ottawa:
Cloud Adoption Framework - AWS Innovate Ottawa: Cloud Adoption Framework - AWS Innovate Ottawa:
Cloud Adoption Framework - AWS Innovate Ottawa:
 
Cloud Economics: il Business Case per la Cloud Migration
Cloud Economics: il Business Case per la Cloud MigrationCloud Economics: il Business Case per la Cloud Migration
Cloud Economics: il Business Case per la Cloud Migration
 
Building your Cloud Strategy
Building your Cloud StrategyBuilding your Cloud Strategy
Building your Cloud Strategy
 
AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...
AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...
AWS Webcast - The Business Value of Running SAP Solutions on the AWS Cloud (D...
 
Considerations for your Cloud Journey
Considerations for your Cloud JourneyConsiderations for your Cloud Journey
Considerations for your Cloud Journey
 
Come costruire apllicazioni "12-factor microservices" in AWS
Come costruire apllicazioni "12-factor microservices" in AWSCome costruire apllicazioni "12-factor microservices" in AWS
Come costruire apllicazioni "12-factor microservices" in AWS
 
Getting started on your AWS migration journey
Getting started on your AWS migration journeyGetting started on your AWS migration journey
Getting started on your AWS migration journey
 
From Monolithic to Modern Apps: Best Practices
From Monolithic to Modern Apps: Best PracticesFrom Monolithic to Modern Apps: Best Practices
From Monolithic to Modern Apps: Best Practices
 
AWS Technical Due Diligence Workshop Session Two
AWS Technical Due Diligence Workshop Session TwoAWS Technical Due Diligence Workshop Session Two
AWS Technical Due Diligence Workshop Session Two
 
AWS 101 and the benefits of Migrating to the Cloud
AWS 101 and the benefits of Migrating to the CloudAWS 101 and the benefits of Migrating to the Cloud
AWS 101 and the benefits of Migrating to the Cloud
 
Expanding Your Data Center with Hybrid Cloud Infrastructure
Expanding Your Data Center with Hybrid Cloud InfrastructureExpanding Your Data Center with Hybrid Cloud Infrastructure
Expanding Your Data Center with Hybrid Cloud Infrastructure
 
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
Hybrid Cloud on AWS : Provisioning, Operations, Management, and Monitoring
 
AWS Innovate Ottawa: Security & Compliance
AWS Innovate Ottawa: Security & ComplianceAWS Innovate Ottawa: Security & Compliance
AWS Innovate Ottawa: Security & Compliance
 
Application Modernization using the Strangler Pattern
Application Modernization using the Strangler PatternApplication Modernization using the Strangler Pattern
Application Modernization using the Strangler Pattern
 
AWS Enterprise Day | Running Critical Business Applications on AWS
AWS Enterprise Day | Running Critical Business Applications on AWSAWS Enterprise Day | Running Critical Business Applications on AWS
AWS Enterprise Day | Running Critical Business Applications on AWS
 
AWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWS
AWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWSAWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWS
AWS Summit Stockholm 2014 – B3 – Integrating on-premises workloads with AWS
 
When Clouds Collide - Session Sponsored by Datacom
When Clouds Collide - Session Sponsored by DatacomWhen Clouds Collide - Session Sponsored by Datacom
When Clouds Collide - Session Sponsored by Datacom
 
Cloud Economics: The Financial Case for Cloud Migration
Cloud Economics: The Financial Case for Cloud MigrationCloud Economics: The Financial Case for Cloud Migration
Cloud Economics: The Financial Case for Cloud Migration
 
Azure vs AWS
Azure vs AWSAzure vs AWS
Azure vs AWS
 
Cloud Migration: A How-To Guide
Cloud Migration: A How-To GuideCloud Migration: A How-To Guide
Cloud Migration: A How-To Guide
 

Semelhante a Winning Governance Strategies for the Technology Disruptions of our Time

Cloud Computing Overview
Cloud Computing OverviewCloud Computing Overview
Cloud Computing Overview
Manju Srinivas
 
Security and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureSecurity and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud Infrastructure
CloudPassage
 
Data Tactics dhs introduction to cloud technologies wtc
Data Tactics dhs introduction to cloud technologies wtcData Tactics dhs introduction to cloud technologies wtc
Data Tactics dhs introduction to cloud technologies wtc
DataTactics
 

Semelhante a Winning Governance Strategies for the Technology Disruptions of our Time (20)

NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public Cloud
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
AWS Spotlight Series - Modernization and Security with AWS
AWS Spotlight Series - Modernization and Security with AWSAWS Spotlight Series - Modernization and Security with AWS
AWS Spotlight Series - Modernization and Security with AWS
 
Compliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignCompliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By Design
 
Boot camp - Migration to AWS
Boot camp - Migration to AWSBoot camp - Migration to AWS
Boot camp - Migration to AWS
 
SecureKloud_Corporate Deck.pdf
SecureKloud_Corporate Deck.pdfSecureKloud_Corporate Deck.pdf
SecureKloud_Corporate Deck.pdf
 
Cloud Computing Overview
Cloud Computing OverviewCloud Computing Overview
Cloud Computing Overview
 
Best Practices in Secure Cloud Migration
Best Practices in Secure Cloud MigrationBest Practices in Secure Cloud Migration
Best Practices in Secure Cloud Migration
 
CSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps sessionCSC AWS re:Invent Enterprise DevOps session
CSC AWS re:Invent Enterprise DevOps session
 
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
 
AWS Finland User Group Meetup 2017-05-23
AWS Finland User Group Meetup 2017-05-23AWS Finland User Group Meetup 2017-05-23
AWS Finland User Group Meetup 2017-05-23
 
Security on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition MeetupSecurity on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition Meetup
 
Security on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition MeetupSecurity on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition Meetup
 
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
 
Security and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud InfrastructureSecurity and Compliance for Enterprise Cloud Infrastructure
Security and Compliance for Enterprise Cloud Infrastructure
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCP
 
IT Resilience Use Case
IT Resilience Use CaseIT Resilience Use Case
IT Resilience Use Case
 
Why You Are Secure in the AWS Cloud
Why You Are Secure in the AWS CloudWhy You Are Secure in the AWS Cloud
Why You Are Secure in the AWS Cloud
 
Data Tactics dhs introduction to cloud technologies wtc
Data Tactics dhs introduction to cloud technologies wtcData Tactics dhs introduction to cloud technologies wtc
Data Tactics dhs introduction to cloud technologies wtc
 

Mais de CloudHesive

Mais de CloudHesive (20)

Serverless Generative AI on AWS, AWS User Groups of Florida
Serverless Generative AI on AWS, AWS User Groups of FloridaServerless Generative AI on AWS, AWS User Groups of Florida
Serverless Generative AI on AWS, AWS User Groups of Florida
 
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
 
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
Amazon Connect & AI - Shaping the Future of Customer Interactions - GenAI and...
 
Accelerating Business and Research Through Automation and Artificial Intellig...
Accelerating Business and Research Through Automation and Artificial Intellig...Accelerating Business and Research Through Automation and Artificial Intellig...
Accelerating Business and Research Through Automation and Artificial Intellig...
 
Amazon Connect Rethink Your Contact Center with CloudHesive.pptx
Amazon Connect Rethink Your Contact Center with CloudHesive.pptxAmazon Connect Rethink Your Contact Center with CloudHesive.pptx
Amazon Connect Rethink Your Contact Center with CloudHesive.pptx
 
ConnectPath Introduction
ConnectPath IntroductionConnectPath Introduction
ConnectPath Introduction
 
Modernize your contact center with ConnectPath CX v2.pdf
Modernize your contact center with ConnectPath CX v2.pdfModernize your contact center with ConnectPath CX v2.pdf
Modernize your contact center with ConnectPath CX v2.pdf
 
Modernize your contact center with ConnectPath CX — Chart.pdf
Modernize your contact center with ConnectPath CX — Chart.pdfModernize your contact center with ConnectPath CX — Chart.pdf
Modernize your contact center with ConnectPath CX — Chart.pdf
 
End User Computing at CloudHesive.pptx
End User Computing at CloudHesive.pptxEnd User Computing at CloudHesive.pptx
End User Computing at CloudHesive.pptx
 
Analytics at CloudHesive
Analytics at CloudHesiveAnalytics at CloudHesive
Analytics at CloudHesive
 
Supporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo LogicSupporting your CMMC initiatives with Sumo Logic
Supporting your CMMC initiatives with Sumo Logic
 
Best Practices and Resources to Effectively Manage and Optimize Your AWS Costs
Best Practices and Resources to Effectively Manage and Optimize Your AWS CostsBest Practices and Resources to Effectively Manage and Optimize Your AWS Costs
Best Practices and Resources to Effectively Manage and Optimize Your AWS Costs
 
Serverless data and analytics on AWS for operations
Serverless data and analytics on AWS for operations Serverless data and analytics on AWS for operations
Serverless data and analytics on AWS for operations
 
reInvent reCap 2022
reInvent reCap 2022reInvent reCap 2022
reInvent reCap 2022
 
Serverless without Code (Lambda)
Serverless without Code (Lambda)Serverless without Code (Lambda)
Serverless without Code (Lambda)
 
AWS Advanced Analytics Automation Toolkit (AAA)
AWS Advanced Analytics Automation Toolkit (AAA)AWS Advanced Analytics Automation Toolkit (AAA)
AWS Advanced Analytics Automation Toolkit (AAA)
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control Tower
 
5 minutes on security
5 minutes on security5 minutes on security
5 minutes on security
 
Meetup Protect from Ransomware Attacks
Meetup Protect from Ransomware AttacksMeetup Protect from Ransomware Attacks
Meetup Protect from Ransomware Attacks
 
Amazon Connect Bootcamp
Amazon Connect BootcampAmazon Connect Bootcamp
Amazon Connect Bootcamp
 

Último

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 

Último (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Winning Governance Strategies for the Technology Disruptions of our Time

  • 1. Winning Governance Strategies for the Technology Disruptions of our Time ISACA South Florida Annual GRC Conference June 22, 2018 Patrick Hannah, VP of Engineering, CloudHesive
  • 2. About Me • Who am I? • What’s my background?
  • 3. About CloudHesive • Professional Services – Assessment (Current environment, datacenter or cloud footprint) – Strategy (Getting to the future state) – Migration (Environment-to-cloud, Datacenter-to-cloud) – Implementation (Point solutions) – Support (Break/fix and ongoing enhancement) • DevOps Services – Assessment – Strategy – Implementation (Point solutions) – Management (Supporting infrastructure, solutions or ongoing enhancement) – Support (Break/fix and ongoing enhancement) • Managed Security Services (SecOps) – Encryption as a Service (EaaS) – encryption at rest and in flight – End Point Security as a Service – Threat Management – SOC II Type 2 Validated • Next Generation Managed Services – Leveraging our Professional, DevOps and Managed Security Services – Single payer billing – Intelligent operations and automation – AWS Audited
  • 4. Agenda • Disruptive technology history • Challenges faced in GRC by disruptive technologies • Brief introduction to AWS • Introduction of Shared Responsibility models, specifically around Cloud Computing and AWS • Overview of AWS Frameworks that can be leveraged by Security and Compliance teams for GRC with technology disruptors • Overview of AWS Services that can be leveraged to support GRC on AWS • Overview of AWS Reference Architectures that align to a number of Frameworks and leverage the previously referenced AWS Services • Conclusion
  • 5. Disruptive Technology History • Then – Storage – Communications – Computing – Transportation – Manufacturing – Discreet Components • Now – Social – Mobile – Analytics/Big Data/AI – Cloud – Smart Things/IoT – Blockchain
  • 6. Challenges faced in GRC by disruptive technologies • Endpoints – From a single, non network connected computing device to multiple (desktops, laptops, tablets, mobile phones), mixed platforms – Smart Appliances (Kitchen, TV, etc.), Consumer IoT (Smart Home, Alexa, Dash, etc.), Commercial/Industrial IoT (Environmental, Manufacturing, etc.), also mixed platforms • Data – Wider breadth of sources, formats, and technologies to ingest, process, store, retrieve, analyze and display – Growth in the four v’s (volume, variety, velocity and veracity) • Policy – Attempting to apply legacy policies to disruptive technologies – Looked at as not agile/slow to adopt disruptive technologies/slow to apply to disruptive technologies • Shadow IT – The nature of disruptive technologies supports the adoption of them by non IT users – Disruptive technologies tend to be enablers to avoid traditional methods of acquisition
  • 7. Who is using AWS (US and Abroad)? • Federal Government • Government-Sponsored Enterprise • State • Local • Higher Education • K-12 • Non-Profit • Private Sector
  • 8. GovCloud • Additional Assurance Programs Above and Beyond other AWS Regions – ITAR – FedRAMP ATO (High for GovCloud, Medium for us-east/west) – DoD SRG (2,4,5 for GovCloud, 2 for us-east/west) • General – Separate Endpoints (utilize FIPS 140-2 approved cryptographic modules) – Separate Namespace – Separate Authentication (Tied to a non-GovCloud account for billing purposes - no Root Account) – 46 of the 127 AWS Services Available (EC2 Classic not Available) – US Citizen only Access • Physical Location – Northwestern US – Eastern US (forthcoming)
  • 10. Cloud Adoption Framework • Perspectives – Business • Value Realization – People • Roles & Readiness – Governance • Prioritization & Control – Platform • Applications & Infrastructure – Security • Risk & Compliance – Operations • Manage & Scale
  • 11. Well Architected Framework • Operational Excellence • Security • Reliability • Performance Efficiency • Cost Optimization
  • 12. General Design Principles • Stop guessing your capacity needs • Test systems at production scale • Automate to make architectural experimentation easier • Allow for evolutionary architectures • Drive architectures using data • Improve through game days
  • 13. Operational Excellence • Design Principles – Perform operations as code – Annotate documentation – Make frequent, small, reversible changes – Refine operations procedures frequently – Anticipate failure – Learn from all operational failures • Best Practices – Prepare – Operate – Evolve
  • 14. Security • Design Principles – Implement a strong identity foundation – Enable traceability – Apply security at all layers – Automate security best practices – Protect data in transit and at rest – Prepare for security events • Best Practices – Identity and Access Management – Detective Controls – Infrastructure Protection – Data Protection – Incident Response
  • 15. Reliability • Design Principles – Test recovery procedures – Automatically recover from failure – Scale horizontally to increase aggregate system availability – Stop guessing capacity – Manage change in automation • Best Practices – Foundations – Change Management – Failure Management
  • 16. Performance Efficiency • Design Principles – Democratize advanced technologies – Go global in minutes – Use serverless architectures – Experiment more often – Mechanical sympathy • Best Practices – Selection – Review – Monitoring – Tradeoffs
  • 17. Cost Optimization • Design Principles – Adopt a consumption model – Measure overall efficiency – Stop spending money on data center operations – Analyze and attribute expenditure – Use managed services to reduce cost of ownership • Best Practices – Cost-Effective Resources – Matching Supply and Demand – Expenditure Awareness – Optimizing Over Time
  • 18. Sample Implementation • “NIST Quickstart” • Based on Cybersecurity Framework, SP 800-53, SP 800-37 • Corresponding Guide + Controls Matrix • CIS and PCI Variants Available • Good starting point
  • 19. Supporting Services • VPC: Security Groups (Stateful Firewall) + NACLs (Stateless Firewall) • VPC: Flow Logs (NetFlow) • VPC: VGW (Point to Point and IPSEC Connectivity) + Peering (VPC to VPC Connectivity) + Endpoints (Private Connectivity to AWS Services) • VPC: NAT Gateway (Private to Public IP Address NAT’ing) • EC2: Patch Manager (OS and above patching + auditing) • EC2: Parameter Store (Secure Storage of Service Accounts)
  • 20. Supporting Services • S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention • Code Commit/ECS: Secure Application and Artifact Repository • Code Deploy/Run Command: “Hands off” OS and configuration management + application deployment • CloudWatch Logs: OS and above log management • CloudWatch Events + Lambda: Event triggered code • CloudTrail: Audit Trail, Exportable as JSON to idempotent storage
  • 21. Supporting Services • Config: Point in time snapshots of configuration items, Exportable as JSON to idempotent storage • OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management • CloudFormation: Infrastructure automation described as JSON/YAML, Version Controllable • IAM + Directory Service + SSO: Standalone and Federated AAA • KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS services, provides expiration and ability to provide self-generated cryptographic material • CloudHSM: FIPS 140-2 Certified cryptographic module with PKCS11 and JCE Interfaces
  • 22. Supporting Services • Certificate Manager: Secure Certificate Store • Workspaces: Secure Bastion • WAF: Layer 7 WAF • Shield + AutoScaling + ELB + Cloud Front: DoS/DDoS Protection • Artifact: AWS Audit Reports available on demand • Tags: Built-in asset + inventory marking and tracking on configuration items • Service Catalog: Predefined configurations available to end users, can be integrated to ITSM system
  • 23. Enforcement • AWS – Guard Duty – Inspector – Macie – Trusted Advisor – Config Rules – Various “Widgets” • Third Party – CIS CAT – CloudCheckr – AlertLogic – Tenable
  • 24. Conclusion • AWS provides a number of services to support your frameworks + controls, in addition to core infrastructure (server + storage) capabilities. • AWS provides guidance (in the form of the CAF and WAF) for organizations which do not have an existing framework to base their cloud adoption model on. • Getting started on AWS is easy; with the free tier, you can experiment with a number of services without incurring significant cost. • Adoption of AWS in your organization can be as easy or as hard as you want to make it; start simple and iterate.
  • 25. Recommended Reading • AWS Well Architected Framework – https://aws.amazon.com/architecture/well-architected/ • AWS Cloud Adoption Framework – https://aws.amazon.com/professional-services/CAF/ • AWS Cloud Transformation Maturity Model – https://d0.awsstatic.com/whitepapers/AWS-Cloud-Transformation-Maturity-Model.pdf • Shared Responsibility Model – https://aws.amazon.com/compliance/shared-responsibility-model/ • Operational Checklists for AWS – https://d1.awsstatic.com/whitepapers/aws-operational-checklists.pdf • Introduction to Auditing the Use of AWS – https://d1.awsstatic.com/whitepapers/compliance/AWS_Auditing_Security_Checklist.pdf
  • 26. Further Learning • Getting Started: https://aws.amazon.com/getting-started • General Reference: http://docs.aws.amazon.com/general/latest/gr • Global Infrastructure: https://aws.amazon.com/about-aws/global-infrastructure/ • FAQs: https://aws.amazon.com/faqs • Documentation: https://aws.amazon.com/documentation/ • Architecture: https://aws.amazon.com/architecture • Whitepapers: https://aws.amazon.com/whitepapers • Security: https://aws.amazon.com/security • Blog: https://aws.amazon.com/blogs • Service Specific Pages: https://aws.amazon.com/service • AWS Answers: https://aws.amazon.com/answers/ • AWS Knowledge Center: https://aws.amazon.com/premiumsupport/knowledge-center/ • SlideShare: http://www.slideshare.net/AmazonWebServices • Github: https://github.com/aws and https://github.com/awslabs
  • 27. Further Learning – Security • http://blogs.aws.amazon.com/security/post/Tx71TWXXJ3UI14/Enabling-Federation-to-AWS-using-Windows-Active- Directory-ADFS-and-SAML-2-0 • http://blogs.aws.amazon.com/security/post/Tx1LDN0UBGJJ26Q/How-to-Implement-Federated-API-and-CLI- Access-Using-SAML-2-0-and-AD-FS • http://blogs.aws.amazon.com/security/post/Tx2KL0TCWFBBAB1/How-to-Use-a-Single-IAM-User-to-Easily-Access- All-Your-Accounts-by-Using-the-AWS • http://blogs.aws.amazon.com/security/post/Tx1XWZ93EAFL9C4/How-to-Switch-Easily-Between-AWS-Accounts-by- Using-the-AWS-Management-Console-an • http://blogs.aws.amazon.com/security/post/Tx4BUZIS3E2QG2/Make-a-New-Year-s-Resolution-Adhere-to-IAM-Best- Practices • http://blogs.aws.amazon.com/security/post/TxASQFTVGZ5HMT/How-to-Receive-Alerts-When-Your-IAM- Configuration-Changes • http://blogs.aws.amazon.com/security/post/Tx3PSPQSN8374D/How-to-Receive-Notifications-When-Your-AWS- Account-s-Root-Access-Keys-Are-Used • http://blogs.aws.amazon.com/security/post/Tx3NVS2JAL7KWOM/How-to-Help-Prepare-for-DDoS-Attacks-by- Reducing-Your-Attack-Surface • http://blogs.aws.amazon.com/security/post/Tx280RX2WH6WUD7/Remove-Unnecessary-Permissions-in-Your-IAM- Policies-by-Using-Service-Last-Access • http://www.slideshare.net/AmazonWebServices/network-security-and-access-control-within-aws-54456790 • http://www.slideshare.net/AmazonWebServices/cloud-security-guidance-from-cesg-and-aws
  • 28. Meetups • Boca Raton: https://www.meetup.com/awsflorida/ • Doral: https://www.meetup.com/AWSUserGroupDoral/ • Fort Lauderdale: https://www.meetup.com/South-Florida-Amazon-Web-Services-Meetup/ • Jacksonville: https://www.meetup.com/AWS-User-Groups-of-Florida-Jacksonville/ • Miami: https://www.meetup.com/Miami-AWS-Users-Group/ • Miami Beach: https://www.meetup.com/aws-user-group-miami/ • Orlando: https://www.meetup.com/Orlando-AWS-Users-Group/ • Palm Beach Gardens: https://www.meetup.com/AWS-Users-Group-of-Florida-Palm-Beach- Gardens/ • Tampa: https://www.meetup.com/Tampa-AWS-Users-Group/ • Montevideo, Uruguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-AWS-en- Montevideo/ • Asuncion, Paraguay: https://www.meetup.com/Meetup-de-Amazon-Web-Services-en-Asuncion/ • South Florida Jenkins Area Meetup: https://www.meetup.com/South-Florida-Jenkins-Area-Meetup/

Notas do Editor

  1. Certifications in CCSK, CCSP, ITIL Experience with AWS, GovCloud, FedRAMP, specifically
  2. From Wiki: Disruptive innovation is an innovation that creates a new market and value network and eventually disrupts an existing market and value network, displacing established market-leading firms, products, and alliances
  3. AWS Public Sector Summit – June 20-21, 2018, Walter E. Washington Convention Center
  4. https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/ https://aws.amazon.com/compliance/services-in-scope/ See also C2S and Secret Region: https://aws.amazon.com/federal/us-intelligence-community/
  5. https://aws.amazon.com/quickstart/architecture/accelerator-nist/ NIST – Cybersecurity Framework, SP 800-53, SP 800-37 CIS – Benchmarks CSA – CCM + CAIQ Basic AWS Identity and Access Management (IAM) configuration with custom (IAM) policies, with associated groups, roles, and instance profiles. Standard, external-facing Amazon Virtual Private Cloud (Amazon VPC) Multi-AZ architecture with separate subnets for different application tiers and private (back-end) subnets for application and database. The Multi-AZ architecture helps ensure high availability. Amazon Simple Storage Service (Amazon S3) buckets for encrypted web content, logging, and backup data. Standard Amazon VPC security groups for Amazon Elastic Compute Cloud (Amazon EC2) instances and load balancers used in the sample application stack. The security groups limit access to only necessary services. Three-tier Linux web application using Auto Scaling and Elastic Load Balancing, which can be modified and/or bootstrapped with customer application. A secured bastion login host to facilitate command-line Secure Shell (SSH) access to Amazon EC2 instances for troubleshooting and systems administration activities. Encrypted, Multi-AZ Amazon Relational Database Service (Amazon RDS) MySQL database. Logging, monitoring, and alerts using AWS CloudTrail, Amazon CloudWatch, and AWS Config rules (where available).
  6. The next few slides I will detail some of the supporting services; a number of the AWS published matrices detail the alignment of these services to specific controls, rather than read through a matrix, I thought it would help to explain what these services are and how they can help