cloudsolutionday 2016: compliance and cost controlling on aws

Compliance & Cost Controlling Tung Nguyen ([email protected]) (Nov 19, 2016)

Upload: aws-vietnam-community

Post on 12-Apr-2017


TRANSCRIPT

Page 1: Cloudsolutionday 2016: Compliance and cost controlling on AWS

Compliance & Cost Controlling

Tung Nguyen ([email protected]) (Nov 19, 2016)

Page 2

What for today

A sharing from a Misfit insider on

Cost controlling

Compliance: PCI, ISO 27001, HIPAA

In a storytelling manner

Not a “how-to,” more of a “how it has been” (aka. “how my life has been effed up”)

Page 3

Terms

“Cost” means “Cloud cost”

“ISO” means “ISO/IEC 27001”

Page 4

About Misfit ...

Since 2011, now part of Fossil Group family

Page 5

… and the speaker

Been a Misfit DevOps, for ~3 years

Page 6

Cost Controlling (very short list)

Page 7

Learned Lessons

Separate AWS accounts for different environments

Tag your resources

By asking yourself, e.g.:

How much does this project cost?

How much does this team cost?

Who is handling this specific resource?

---> suggested tags

Page 8

Learned Lessons (cont.)

Simplify conversation with non-AWS folks, e.g.:

using an approximate, easily understood unit cost: dollars per EC2-hour

EC2 cost last month: $1.3K

EC2 hours last month: 7K hours

Approx. EC2 unit cost: 1.3/7 = 0.19 $/hour
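The two lessons above (tag resources so you can answer "how much does this project/team cost, and who owns this?", then express EC2 spend as a dollars-per-EC2-hour figure) can be turned into a small report. The following is an added example for this transcript, not the speaker's code and not an AWS API: it runs over a constructed list of rows shaped loosely like AWS Cost and Usage Report line items (service, usage hours, cost, tags). The tag keys Project, Team and Owner, the resource ids and every cost figure are assumptions made up for the example.

```python
"""Per-tag cost allocation and an EC2 unit-cost figure from cost-report rows.

Added example, not the talk's own tooling. The row shape below is a constructed
stand-in for Cost and Usage Report line items; the tag keys Project, Team and
Owner are assumptions chosen to answer the three questions on the tagging slide.
"""
from collections import defaultdict

# Constructed sample line items (not real billing data). 'tags' may be empty
# when a resource was launched without tagging.
SAMPLE_LINE_ITEMS = [
    {"service": "AmazonEC2", "resource": "i-0aaa", "usage_hours": 720, "cost": 108.0,
     "tags": {"Project": "mobile-api", "Team": "backend", "Owner": "alice"}},
    {"service": "AmazonEC2", "resource": "i-0bbb", "usage_hours": 720, "cost": 216.0,
     "tags": {"Project": "mobile-api", "Team": "backend", "Owner": "bob"}},
    {"service": "AmazonEC2", "resource": "i-0ccc", "usage_hours": 360, "cost": 54.0,
     "tags": {"Project": "data-pipeline", "Team": "data", "Owner": "carol"}},
    {"service": "AmazonEC2", "resource": "i-0ddd", "usage_hours": 200, "cost": 22.0,
     "tags": {}},  # untagged: nobody can answer "who is handling this?"
    {"service": "AmazonRDS", "resource": "db-prod", "usage_hours": 720, "cost": 150.0,
     "tags": {"Project": "mobile-api", "Team": "backend", "Owner": "alice"}},
]

REQUIRED_TAGS = ("Project", "Team", "Owner")


def cost_by_tag(items, tag_key):
    """Sum cost per value of one tag key; rows without it land under 'untagged'."""
    totals = defaultdict(float)
    for item in items:
        totals[item["tags"].get(tag_key, "untagged")] += item["cost"]
    return dict(totals)


def untagged_resources(items, required=REQUIRED_TAGS):
    """Resources missing any required tag: the list to chase before the next bill."""
    return sorted(
        item["resource"] for item in items
        if any(key not in item["tags"] for key in required)
    )


def ec2_unit_cost(items):
    """Approximate dollars per EC2-hour (total EC2 cost / total EC2 hours)."""
    ec2 = [i for i in items if i["service"] == "AmazonEC2"]
    hours = sum(i["usage_hours"] for i in ec2)
    cost = sum(i["cost"] for i in ec2)
    return round(cost / hours, 2) if hours else 0.0


if __name__ == "__main__":
    for key in REQUIRED_TAGS:
        print(f"cost by {key}:", cost_by_tag(SAMPLE_LINE_ITEMS, key))
    print("resources missing required tags:", untagged_resources(SAMPLE_LINE_ITEMS))
    print("approx. EC2 unit cost ($/hour):", ec2_unit_cost(SAMPLE_LINE_ITEMS))
```

The "untagged" bucket is the useful output: a cost nobody can attribute is a cost nobody will cut, so the per-project numbers only become trustworthy once that list is empty.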

Page 9

Learned Lessons (cont.)

Never underestimate 3rd parties for cost management / cloud governance

Spend $2K to save $10K, why not?

These vendors have their own ways of evaluating your spend and will make guarantees

Page 10

Cost controlling? ‘Nuff said.

Page 11

Compliance

Page 12

Why compliance?

We have a secure environment, for the organization in general, and the development team specifically. We protect customer data by encrypting … ^%& $#$ % )(*&*&

Well …. Let’s see how it REALLY is ...

(Meme slide: “WHEN NON-COMPLIANT”; characters labelled YOU and POTENTIAL CLIENT)

Page 13

Why compliance?

We are PCI complia...

SHUT UP AND TAKE MY !!!

(Meme slide: “WHEN COMPLIANT”; characters labelled YOU and POTENTIAL CLIENT)

Page 14

Why compliance?

Protecting your business

Getting better business deals

Page 15

What is ... ISO/IEC 27001 (International Organization for Standardization / International Electrotechnical Commission 27001)

A management framework to protect business-critical information

Via a set of control areas

Information Security Policies

Organization of Information Security

Human Resource Security

Asset management

Access control

Cryptology

etc.

Page 16

What is ... PCI DSS (Payment Card Industry Data Security Standard)

A proprietary information security standard for organizations that handle branded credit cards (e.g., Visa, MasterCard, American Express, Discover, JCB)

The goal is

to increase controls around cardholder data to reduce credit card fraud

by ensuring that ALL companies that process, store or transmit credit card information maintain a secure environment

Page 17

What is ... HIPAA (Health Insurance Portability and Accountability Act)

The law to protect the confidentiality and security of healthcare information

Further background

for the United States

signed into law in 1996

Our understanding: Personally Identifiable Information (PII) & Protected Health Information (PHI) need to be protected

Page 18

(Venn diagram of the three standards: ISO, PCI, HIPAA)

Page 19

ISO Protects your business information

PCI Protects payment card data

HIPAA Protects health and personal data

Page 20

Common approach

1. Form up a compliance team (with/without a consultant)

2. Conduct gap assessment

3. Identify sub-projects and personnel

4. Implement

5. Maintain (documents and evidence needed)

6. Assess for compliance (by an independent qualified assessor)

Page 21

How we do

(Venn diagram: ISO, PCI, HIPAA)

● Prioritize and work on the projects/items in common first

● Deal with the rest later

Examples:

● Server/software patching process (ISO & PCI)

● Data encryption (HIPAA & ISO)

Page 22

What we do

1. Form up a compliance team (with/without a consultant)

2. Conduct gap assessment

3. Identify sub-projects and personnel

4. Implement

5. Maintain (documents and evidence needed)

6. Assess for compliance (by an independent qualified assessor)

Page 23

What we do (#4. Implementation)

Build up UTM (Unified Threat Management) system

VPN

IDS/IPS (Intrusion Detection/Intrusion Prevention Systems)

Eliminate public IP addresses of EC2 instances

Perform access control for AWS environments, servers, databases, systems
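"Eliminate public IP addresses of EC2 instances" is the kind of item an assessor later asks you to evidence, so it helps to have a repeatable check. The following is an added example for this transcript, not the speaker's tooling: it walks the response shape that EC2 DescribeInstances returns (Reservations → Instances → NetworkInterfaces) and lists instances that still carry a public IPv4 address. The response embedded below is constructed so the check runs offline; the instance ids, names and addresses are made up. With boto3, the same function can be fed the pages returned by `boto3.client("ec2").describe_instances()`.

```python
"""Audit EC2 instances for public IP exposure.

Added example, not the talk's own code. Operates on the DescribeInstances
response shape; the sample response below is constructed (not real account data).
"""

# Constructed DescribeInstances-style response (not real account data).
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa", "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "api-1"}],
             "PublicIpAddress": "203.0.113.10",
             "NetworkInterfaces": [{"Association": {"PublicIp": "203.0.113.10"}}]},
            {"InstanceId": "i-0bbb", "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "worker-1"}],
             "NetworkInterfaces": [{}]},  # private-only: the desired state
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc", "State": {"Name": "stopped"},
             "Tags": [],
             # Stopped, but an Elastic IP is still associated with its ENI.
             "NetworkInterfaces": [{"Association": {"PublicIp": "198.51.100.7"}}]},
        ]},
    ]
}


def _name_tag(instance):
    """Value of the Name tag, or '' when the instance has none."""
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == "Name"), "")


def public_ips(instance):
    """Every public IPv4 attached to the instance: the top-level field plus any
    ENI association (a secondary ENI can hold a public IP even when the
    top-level PublicIpAddress field is absent)."""
    ips = set()
    if instance.get("PublicIpAddress"):
        ips.add(instance["PublicIpAddress"])
    for eni in instance.get("NetworkInterfaces", []):
        ip = eni.get("Association", {}).get("PublicIp")
        if ip:
            ips.add(ip)
    return sorted(ips)


def find_public_instances(response, include_stopped=True):
    """Return [(instance_id, name, state, [public ips])] for exposed instances.

    Stopped instances are included by default: an associated Elastic IP makes
    the instance reachable the moment it starts, and an assessor will count it.
    """
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            state = inst.get("State", {}).get("Name", "")
            if not include_stopped and state != "running":
                continue
            ips = public_ips(inst)
            if ips:
                findings.append((inst["InstanceId"], _name_tag(inst), state, ips))
    return findings


if __name__ == "__main__":
    for instance_id, name, state, ips in find_public_instances(SAMPLE_DESCRIBE_INSTANCES):
        print(f"{instance_id} ({name or '-'}, {state}): public IP(s) {', '.join(ips)}")
```

Run it on a schedule and keep the output: an empty finding list, dated, is exactly the kind of evidence step 5 ("Maintain") asks you to retain.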

Page 24

What we do (#4, cont.)

Adopt coding standards (e.g., OWASP Top 10, OWASP Secure Coding Practices)

Conduct annual training for employees on the standards

Page 25

What we do (#4, cont.)

Collect and audit system logs

Vulnerability scanning/patching

Establish server/software patching process

Perform and keep track of vulnerability scans/pen tests

Remediate vulnerabilities found

Proactively patch our systems based on the security announcements

Page 26

What we do (#4, cont.)

Review and control access to source code

HR-workflow involved

Build up golden images for employees’ computers

The same for servers

How to deal with different requirements of departments?

Page 27

What we do (#4, cont.)

Offices’ IT infrastructure

Other non-cloud non-technical requirements

Door access controlling

HR, again

Paper shredders (wait, what?)

Page 28

What we confront

Page 29

What we confront

The amount of work itself, and the time to complete it, of course

---> Careful planning and incremental work needed

---> Review your progress, resources frequently

The awareness of other teams who really do need to be involved

They simply don’t get what you are doing

They already have enough on their plate

---> Simple, repeated communication is the key

Page 30

Names, please?

Example consultants

Example assessors

Individuals?

Page 31

Thank you

Page 32

Q&A

Page 33

See ya!