cloudsolutionday 2016: compliance and cost controlling on aws
TRANSCRIPT
Compliance & Cost Controlling
Tung Nguyen ([email protected])
(Nov 19, 2016)
What for today
A sharing from a Misfit insider on:
Cost controlling
Compliance: PCI, ISO 27001, HIPAA
In a storytelling manner
Not a “how-to,” more of a “how it has been” (aka. “how my life has been effed up”)
Terms
“Cost” means “Cloud cost”
“ISO” means “ISO/IEC 27001”
About Misfit ...
Since 2011, now part of Fossil Group family
… and the speaker
Been a Misfit DevOps, for ~3 years
Cost Controlling (very short list)
Learned Lessons
Separate AWS accounts for different environments
Tag your resources
By asking yourself, e.g.:
How much does this project cost?
How much does this team cost?
Who is handling this specific resource?
---> suggested tags
Learned Lessons (cont.)
Simplify conversation with non-AWS folks, e.g.:
using the approximate understandable unit cost: dollars/EC2-hours
EC2 cost last month: $1.3K
EC2 hours last month: 7K hours
Approx. EC2 unit cost: 1.3/7 = 0.19 $/hour
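The two lessons above (tag every resource so you can answer "how much does this project/team cost, and who owns this?", and express EC2 spend as an approximate $/EC2-hour) can be turned into a small report over billing line items. The following is an added example, not code from the talk or from Misfit; the records are constructed to resemble a subset of AWS Cost and Usage Report columns, and the tag keys `Project`, `Team` and `Owner` are an assumed tagging scheme.

```python
from collections import defaultdict

# Constructed sample line items (not real billing data). Each row is one
# resource's monthly usage; "tags" holds the cost-allocation tags as a dict.
SAMPLE_LINE_ITEMS = [
    {"resource_id": "i-0aaa111", "service": "AmazonEC2", "usage_hours": 720.0,
     "cost_usd": 134.64, "tags": {"Project": "wearable-api", "Team": "backend", "Owner": "alice"}},
    {"resource_id": "i-0bbb222", "service": "AmazonEC2", "usage_hours": 720.0,
     "cost_usd": 67.32, "tags": {"Project": "wearable-api", "Team": "backend", "Owner": "bob"}},
    {"resource_id": "i-0ccc333", "service": "AmazonEC2", "usage_hours": 360.0,
     "cost_usd": 33.66, "tags": {"Project": "analytics", "Team": "data", "Owner": "carol"}},
    # Untagged instance: nobody can answer "whose is this?" for it.
    {"resource_id": "i-0ddd444", "service": "AmazonEC2", "usage_hours": 200.0,
     "cost_usd": 49.50, "tags": {}},
    # EBS volume: billed under AmazonEC2 but it is not instance-hours.
    {"resource_id": "vol-0eee555", "service": "AmazonEC2", "usage_hours": 0.0,
     "cost_usd": 12.00, "tags": {"Project": "analytics", "Team": "data", "Owner": "carol"}},
]

# Assumed tagging scheme: the three questions from the slide, as tag keys.
REQUIRED_TAGS = ("Project", "Team", "Owner")


def cost_by_tag(items, tag_key):
    """Sum cost per value of one tag key; resources missing the key land in '<untagged>'."""
    totals = defaultdict(float)
    for item in items:
        totals[item["tags"].get(tag_key, "<untagged>")] += item["cost_usd"]
    return {k: round(v, 2) for k, v in totals.items()}


def untagged_resources(items, required=REQUIRED_TAGS):
    """Resource ids that are missing at least one required tag (the fix-me list)."""
    return sorted(item["resource_id"] for item in items
                  if any(tag not in item["tags"] for tag in required))


def _is_instance(item):
    return item["service"] == "AmazonEC2" and item["resource_id"].startswith("i-")


def ec2_unit_cost(items):
    """Approximate $/EC2-hour: total instance cost divided by total instance hours."""
    hours = sum(i["usage_hours"] for i in items if _is_instance(i))
    cost = sum(i["cost_usd"] for i in items if _is_instance(i))
    return round(cost / hours, 3) if hours else 0.0


if __name__ == "__main__":
    for key in REQUIRED_TAGS:
        print(f"Cost by {key}: {cost_by_tag(SAMPLE_LINE_ITEMS, key)}")
    print("Resources missing required tags:", untagged_resources(SAMPLE_LINE_ITEMS))
    print("Approx. EC2 unit cost ($/hour):", ec2_unit_cost(SAMPLE_LINE_ITEMS))
```

The `<untagged>` bucket is the number to watch: if it grows, the tag-based answers to "how much does this team cost?" are no longer trustworthy, which is why the untagged list is reported alongside the totals.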
Learned Lessons (cont.)
Never underestimate 3rd parties for cost management / cloud governance
Spend $2K to save $10K, why not?
These vendors have their own ways of evaluating and will make guarantees
Cost controlling? ‘Nuff said.
Compliance
Why compliance?
We have a secure environment, for the organization in general, and the development team specifically. We protect customer data by encrypting … ^%& $#$ % )(*&*&
Well …. Let’s see how it REALLY is ...
WHEN NON-COMPLIANT
YOU POTENTIAL CLIENT
Why compliance?
We are PCI complia...
SHUT UP AND TAKE MY !!!
WHEN COMPLIANT
YOU POTENTIAL CLIENT
Why compliance?
Protecting your business
Getting better business deals
What is ... ISO/IEC 27001 (International Organization for Standardization / International Electrotechnical Commission 27001)
A management framework to protect business-critical information
Via a set of control areas
Information Security Policies
Organization of Information Security
Human Resource Security
Asset management
Access control
Cryptography
etc.
What is ... PCI DSS (Payment Card Industry Data Security Standard)
A proprietary information security standard for organizations that handle branded credit cards (e.g., Visa, MasterCard, American Express, Discover, JCB)
The goal is
to increase controls around cardholder data to reduce credit card fraud
by ensuring that ALL companies that process, store or transmit credit card information maintain a secure environment
What is ... HIPAA (Health Insurance Portability and Accountability Act)
The law to protect the confidentiality and security of healthcare information
Further background
for the United States
signed into law in 1996
Our understanding: Personally Identifiable Information (PII) & Protected Health Information (PHI) need to be protected
ISO / PCI / HIPAA (overlap diagram)
ISO Protects your business information
PCI Protects payment card data
HIPAA Protects health and personal data
Common approach
1. Form up a compliance team (with/without a consultant)
2. Conduct gap assessment
3. Identify sub-projects and personnel
4. Implement
5. Maintain (documents and evidence needed)
6. Assess for compliance (by an independent qualified assessor)
How we do
ISO / PCI / HIPAA (overlap diagram)
● Prioritize and work on the projects/items in common first
● Deal with the rest later
Examples:
● Server/software patching process (ISO & PCI)
● Data encryption (HIPAA & ISO)
What we do
1. Form up a compliance team (with/without a consultant)
2. Conduct gap assessment
3. Identify sub-projects and personnel
4. Implement
5. Maintain (documents and evidence needed)
6. Assess for compliance (by an independent qualified assessor)
What we do (#4. Implementation)
Build up UTM (Unified Threat Management) system
VPN
IDS/IPS (Intrusion Detection/Intrusion Prevention Systems)
Eliminate public IP addresses of EC2 instances
Perform access control for AWS environments, servers, databases, systems
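Two of the implementation items above, eliminating public IP addresses on EC2 instances and controlling access to the AWS environment, are the kind of thing an assessor asks you to show evidence for. The following is an added example, not code from the talk or from Misfit: an offline audit that walks the JSON shapes returned by `aws ec2 describe-instances` and `aws ec2 describe-security-groups` and reports running instances that still carry a public IP and security-group rules open to the whole internet. The sample documents are constructed (fictional instance ids, group ids and IPs), and the set of ports allowed to be world-reachable is an assumption you would replace with your own policy.

```python
# Constructed excerpt in the shape of `aws ec2 describe-instances` output (not real data).
DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
         "PrivateIpAddress": "10.0.1.10", "PublicIpAddress": "203.0.113.10",
         "SubnetId": "subnet-0pub001", "Tags": [{"Key": "Name", "Value": "api-1"}]},
        {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
         "PrivateIpAddress": "10.0.2.10",
         "SubnetId": "subnet-0prv001", "Tags": [{"Key": "Name", "Value": "api-2"}]},
        # Stopped instance with a leftover public IP: reported only when running_only=False.
        {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"},
         "PrivateIpAddress": "10.0.2.11", "PublicIpAddress": "203.0.113.11",
         "SubnetId": "subnet-0pub001", "Tags": []},
    ]}]
}

# Constructed excerpt in the shape of `aws ec2 describe-security-groups` output (not real data).
DESCRIBE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0web0001", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0adm0001", "GroupName": "admin", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    ]
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumed policy: only HTTPS may be reachable from anywhere (e.g. via a load balancer).
ALLOWED_WORLD_PORTS = frozenset({443})


def _name_tag(instance):
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == "Name"), "")


def instances_with_public_ips(describe_output, running_only=True):
    """Instances that still have a public IPv4 address, as (InstanceId, Name, PublicIp, SubnetId)."""
    findings = []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if running_only and inst.get("State", {}).get("Name") != "running":
                continue
            public_ip = inst.get("PublicIpAddress")
            if public_ip:
                findings.append((inst["InstanceId"], _name_tag(inst), public_ip, inst.get("SubnetId")))
    return findings


def world_open_ingress(sg_output, allowed_ports=ALLOWED_WORLD_PORTS):
    """Ingress rules reachable from any address on a port outside the allowed set."""
    findings = []
    for group in sg_output.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD_CIDRS:
                    continue
                # IpProtocol "-1" means all traffic; ports are then absent.
                from_port = perm.get("FromPort", -1)
                to_port = perm.get("ToPort", -1)
                all_allowed = (from_port != -1 and
                               all(p in allowed_ports for p in range(from_port, to_port + 1)))
                if not all_allowed:
                    findings.append((group["GroupId"], perm["IpProtocol"], from_port, to_port, cidr))
    return findings


if __name__ == "__main__":
    for f in instances_with_public_ips(DESCRIBE_INSTANCES):
        print("public IP on running instance:", f)
    for f in world_open_ingress(DESCRIBE_SECURITY_GROUPS):
        print("world-open ingress:", f)
```

Against a live account the same two checks can be fed from the CLI, for instance `aws ec2 describe-instances --output json` and `aws ec2 describe-security-groups --output json`, and the returned tuples are exactly the evidence list you keep for step 5 ("Maintain") of the approach above.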
What we do (#4, cont.)
Adopt coding standards (e.g., OWASP Top 10, OWASP Secure Coding Practices)
Conduct annual trainings for employees on the standards
What we do (#4, cont.)
Collect and audit system logs
Vulnerability scanning/patching
Establish server/software patching process
Perform and keep track of vulnerability scans/pen tests
Remediate vulnerabilities found
Proactively patch our systems based on the security announcements
What we do (#4, cont.)
Review and control access to source code
HR-workflow involved
Build up golden images for employees’ computers
The same for servers
How to deal with different requirements of departments?
What we do (#4, cont.)
Offices’ IT infrastructure
Other non-cloud non-technical requirements
Door access controlling
HR, again
Paper shredders (wait, what?)
What we confront
What we confront
The amount of work itself, and time to complete, of course
---> Careful planning and incremental work needed
---> Review your progress, resources frequently
The awareness of the other teams who do need to be involved
They simply don’t get what you are doing
They already have enough on their plate
---> Simple, repeated communication is the key
Names, please?
Example consultants
Example assessors
Individuals?
Thank you
Q&A
See ya!