Keeping Developers and Auditors Happy in the Cloud

Post on 13-Apr-2017


Transcript of Keeping Developers and Auditors Happy in the Cloud

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Keeping Developers and Auditors Happy in the Cloud

Brian Wagner, Solutions Architect, AWS Germany

18 May, Taiwan Summit

The Cloud from a Developer Perspective

The Cloud from an Auditor Perspective

The Problem

Incentives and Perspectives

Developers

Incentives: speed, features

Want: freedom to innovate, new technology

Auditors

Incentives: compliance with regulatory obligations, verifiable processes

Want: well-known technology, predictability and stability

The Solution

“You build it, you run it.” -Werner Vogels, Amazon CTO (June 2006)

Traditional Deployment

[Diagram: developers push every change through one build → test → release delivery pipeline into a single stack]

[Diagram: developers own many build → test → release delivery pipelines, one per service]

You Build It, You Run It

AWS Assurance Programs

How Does that Help?

Four Pillars

1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization

Four Pillars

1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization

Vulnerability Management

Data Backups

Traditional Data Backup

[Diagram: a server and database in the corporate data center are backed up to disk and tape, then copied to disk and tape at a backup data center or media storage provider]

Data Backup in the Cloud

[Diagram: an RDBMS on an Amazon EBS volume and Cassandra are backed up to an Amazon S3 bucket; the cloud backup is then replicated to an S3 bucket in another region, an S3 bucket in another account, and non-AWS cloud storage]

Four Pillars

1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization

Common Audit Requirements for Software Development

• Review changes.
• Track changes.
• Test changes.
• Deploy only approved code.
• For all actions: who did it? When?

AWS Config

AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.

[Diagram: AWS Config continuously records changes to changing resources into a configuration history, delivered as a stream and as point-in-time snapshots (ex. 2014-11-05); the audit logs for all operations are stored and archived, used to troubleshoot, and monitored with alarms]

[Diagram: you are making API calls on a growing set of AWS services around the world, and CloudTrail is continuously recording those API calls]

Four Pillars

1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization

DevOps

Infrastructure as Code is a practice whereby traditional infrastructure management techniques are supplemented, and often replaced, by code-based tools and software development techniques.

Infrastructure-as-code workflow

code → version control → code review → integrate

“It’s all software”

Development Lifecycle — DevOps

[Diagram: developers plan, build, test, release and monitor for customers; build, test and release form the delivery pipeline, and a feedback loop runs from customers back to planning]

DevSecOps

Where to Start?


• Guidelines?
• Checklists?
• 1-pagers?
• 6-pagers?
• Full documents?

Security as Code

Security as Code is Easy with AWS

AWS provides all the APIs!

• Programmatically test environments
• Determine the state of the environment at a specific point in time
• Repeatable processes
• Scalable operations
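As an added example (not from the talk) of determining the state of an environment at a point in time and testing it programmatically, the snippet below rebuilds a point-in-time snapshot from a constructed, simplified AWS Config-style configuration history and evaluates one compliance rule against it. The resource IDs, timestamps and the `ingress` layout of `configuration` are assumptions for illustration, not real AWS data or the real AWS Config security-group schema.

```python
from datetime import datetime, timezone

# Constructed sample configuration history: simplified AWS Config-style
# configuration items (field names follow AWS Config, values are made up).
# Each item is the configuration a resource had from its capture time onward.
CONFIG_HISTORY = [
    {"resourceId": "sg-0a1", "resourceType": "AWS::EC2::SecurityGroup",
     "configurationItemCaptureTime": "2014-11-01T09:00:00Z", "configurationItemStatus": "OK",
     "configuration": {"ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]}},
    {"resourceId": "sg-0a1", "resourceType": "AWS::EC2::SecurityGroup",
     "configurationItemCaptureTime": "2014-11-04T17:30:00Z", "configurationItemStatus": "OK",
     "configuration": {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}},  # opened to the world
    {"resourceId": "sg-0a1", "resourceType": "AWS::EC2::SecurityGroup",
     "configurationItemCaptureTime": "2014-11-06T08:00:00Z", "configurationItemStatus": "OK",
     "configuration": {"ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]}},  # fixed again
    {"resourceId": "sg-0b2", "resourceType": "AWS::EC2::SecurityGroup",
     "configurationItemCaptureTime": "2014-11-02T12:00:00Z", "configurationItemStatus": "OK",
     "configuration": {"ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}},
    {"resourceId": "sg-0b2", "resourceType": "AWS::EC2::SecurityGroup",
     "configurationItemCaptureTime": "2014-11-03T10:00:00Z",
     "configurationItemStatus": "ResourceDeleted", "configuration": None},
]

def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format AWS Config uses for capture times."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def state_at(history, when):
    """Rebuild the environment as of `when`: keep each resource's newest item captured
    at or before that instant; a ResourceDeleted item drops the resource."""
    snapshot = {}
    for item in sorted(history, key=lambda i: parse_ts(i["configurationItemCaptureTime"])):
        if parse_ts(item["configurationItemCaptureTime"]) > when:
            break  # history is sorted, so every remaining item lies in the future
        if item["configurationItemStatus"] == "ResourceDeleted":
            snapshot.pop(item["resourceId"], None)
        else:
            snapshot[item["resourceId"]] = item
    return snapshot

def ssh_open_to_world(item):
    """Rule under test: a security group must not allow port 22 from 0.0.0.0/0."""
    return any(r["port"] == 22 and r["cidr"] == "0.0.0.0/0"
               for r in item["configuration"]["ingress"])

def noncompliant_at(history, when):
    """IDs of the security groups that violated the rule at the given instant."""
    return sorted(rid for rid, item in state_at(history, when).items()
                  if item["resourceType"] == "AWS::EC2::SecurityGroup"
                  and ssh_open_to_world(item))
```

Running `noncompliant_at(CONFIG_HISTORY, parse_ts("2014-11-05T00:00:00Z"))` answers the auditor's "what was the state on that day?" question from the history alone, which is what makes the check repeatable.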

Development Lifecycle — DevOps

[Diagram: the same DevOps lifecycle (developers plan, build, test, release and monitor for customers, with the delivery pipeline spanning build, test and release and a feedback loop from customers) with security as code applied at each stage]

Security as Code

How Can We Learn DevSecOps?

[Diagram: start here; ask whether the goal is security as code, security as ops, compliance ops, or science; then experiment: automate policy governance, detection via security operations, compliance via a DevSecOps toolkit, science via profiling; Dev, Sec and Ops combine into DevOps + Security]

Four Pillars

1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization

amazon.com 2001

Traditional Deployment

[Diagram: developers push every change through one build → test → release delivery pipeline into a single stack]

Service-Oriented Architecture (SOA)

Single-purpose

Connect only through APIs

“Microservices”

amazon.com 2009

Example Microservice

amazon.com 2009

Two-pizza teams

Full ownership

Full accountability

Aligned incentives

“DevOps”

[Diagram: developers own many build → test → release delivery pipelines, one per service]

You Build It, You Run It

Keep Developers and Auditors Happy

Thank You

Brian Wagner, Solutions Architect, AWS Germany

18 May, Taiwan Summit