Keeping Developers and Auditors Happy in the Cloud
![Page 1: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Keeping Developers and Auditors Happy in the Cloud
Brian Wagner, Solutions Architect, AWS Germany
18 May, Taiwan Summit
![Page 2: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/2.jpg)
The Cloud from a Developer Perspective
![Page 3: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/3.jpg)
The Cloud from an Auditor Perspective
![Page 4: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/4.jpg)
The Problem
![Page 5: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/5.jpg)
Incentives and Perspectives
Developers
• Incentives: Speed, Features
• Want: Freedom to innovate, New technology
Auditors
• Incentives: Compliance with regulatory obligations, Verifiable processes
• Want: Well-known technology, Predictability and stability
![Page 6: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/6.jpg)
The Solution
![Page 7: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/7.jpg)
“You build it, you run it.” -Werner Vogels, Amazon CTO (June 2006)
![Page 8: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/8.jpg)
Traditional Deployment
developers -> delivery pipeline (build, test, release) -> stack
![Page 9: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/9.jpg)
developers -> delivery pipelines (six shown, each: build, test, release) -> services
You Build It, You Run It
![Page 10: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/10.jpg)
AWS Assurance Programs
![Page 11: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/11.jpg)
How Does that Help?
![Page 12: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/12.jpg)
Four Pillars
1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization
![Page 13: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/13.jpg)
Four Pillars
1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization
![Page 14: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/14.jpg)
Vulnerability Management
![Page 15: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/15.jpg)
![Page 16: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/16.jpg)
![Page 17: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/17.jpg)
Data Backups
![Page 18: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/18.jpg)
Traditional Data Backup
Corporate data center: Server, Database, Disk, Tape storage
Backup data center/media storage provider: Disk, Tape storage
![Page 19: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/19.jpg)
Data Backup in the Cloud
RDBMS
Amazon EBS volume
Cassandra
Amazon S3 bucket
Other region: S3 bucket
Other account: S3 bucket
Non-AWS cloud storage
Cloud backup
![Page 20: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/20.jpg)
Four Pillars
1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization
![Page 21: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/21.jpg)
Common Audit Requirements for Software Development
• Review changes.
• Track changes.
• Test changes.
• Deploy only approved code.
For all actions: Who did it? When?
![Page 22: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/22.jpg)
AWS Config
AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
![Page 23: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/23.jpg)
Continuous Change Recording
Changing Resources -> AWS Config -> History / Stream / Snapshot (ex. 2014-11-05)
![Page 24: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/24.jpg)
You are making API calls...
On a growing set of AWS services around the world...
CloudTrail is continuously recording API calls
Audit logs for all operations:
• Store/Archive
• Troubleshoot
• Monitor & Alarm
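The audit questions from the earlier slide ("Who did it? When?", "Deploy only approved code") can be answered directly from CloudTrail records. The following is an added example, not part of the talk: it reads constructed CloudTrail-style records and lists every change made outside an approved deployment role. The account ID, user names, IP addresses and the `deploy-pipeline` role are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

def _rec(time, source, name, arn, ip, **extra):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, **extra}

ACCT = "111122223333"  # placeholder account ID
# Constructed CloudTrail-style records, not real log data.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2016-05-18T03:10:05Z", "ec2.amazonaws.com", "DescribeInstances",
         f"arn:aws:iam::{ACCT}:user/alice", "203.0.113.10", readOnly=True),
    _rec("2016-05-18T03:12:40Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
         f"arn:aws:iam::{ACCT}:user/alice", "203.0.113.10", readOnly=False),
    _rec("2016-05-18T02:55:00Z", "cloudformation.amazonaws.com", "UpdateStack",
         f"arn:aws:sts::{ACCT}:assumed-role/deploy-pipeline/build-42",
         "198.51.100.7", readOnly=False),
    _rec("2016-05-18T03:20:11Z", "s3.amazonaws.com", "DeleteBucket",
         f"arn:aws:iam::{ACCT}:user/bob", "203.0.113.44", errorCode="AccessDenied"),
]})

# Assumption: only sessions of this (hypothetical) pipeline role deploy approved code.
APPROVED_PREFIX = f"arn:aws:sts::{ACCT}:assumed-role/deploy-pipeline/"

def is_mutating(rec):
    """Use CloudTrail's readOnly flag; fall back to the API verb if it is absent."""
    if "readOnly" in rec:
        return not rec["readOnly"]
    return not rec["eventName"].startswith(("Describe", "Get", "List"))

def audit_trail(log_text):
    """Return who/when/what rows for every change, oldest first."""
    rows = []
    for rec in json.loads(log_text)["Records"]:
        if not is_mutating(rec):
            continue
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({"when": when.replace(tzinfo=timezone.utc), "who": who,
                     "what": f'{rec["eventSource"]}:{rec["eventName"]}',
                     "from": rec.get("sourceIPAddress"),
                     "approved": who.startswith(APPROVED_PREFIX),
                     "failed": "errorCode" in rec})
    return sorted(rows, key=lambda r: r["when"])

def unapproved_changes(log_text):
    """Changes made outside the approved deployment path, including denied attempts."""
    return [r for r in audit_trail(log_text) if not r["approved"]]

if __name__ == "__main__":
    for r in unapproved_changes(SAMPLE_LOG):
        print(r["when"].isoformat(), r["who"], r["what"], "DENIED" if r["failed"] else "ok")
```

Denied attempts are kept in the report on purpose: a failed `DeleteBucket` is as relevant to an auditor as a successful change.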
![Page 25: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/25.jpg)
Four Pillars
1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization
![Page 26: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/26.jpg)
DevOps
![Page 27: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/27.jpg)
Infrastructure as Code is a practice whereby traditional infrastructure management techniques are supplemented and often replaced by using code-based tools and software development techniques.
![Page 28: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/28.jpg)
Infrastructure-as-code workflow
code -> version control -> code review -> integrate
“It’s all software”
![Page 29: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/29.jpg)
Development Lifecycle — DevOps
developers -> Delivery Pipeline (build, test, release) -> customers
feedback loop (plan, monitor)
![Page 30: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/30.jpg)
DevSecOps
![Page 31: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/31.jpg)
Where to Start?
Page 3 of 433
• Guidelines?
• Checklists?
• 1-pagers?
• 6-pagers?
• Full documents?
Security as Code
![Page 32: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/32.jpg)
Security as Code is Easy with AWS
AWS provides all the APIs!
• Programmatically test environments
• Determine state of environment at a specific point in time
• Repeatable processes
• Scalable operations
![Page 33: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/33.jpg)
Development Lifecycle — DevOps
developers -> Delivery Pipeline (build, test, release) -> customers
feedback loop (plan, monitor)
Security as Code
![Page 34: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/34.jpg)
How Can We Learn DevSecOps?
Start Here
Security as Code? Security as Ops? Compliance Ops? Science?
• Experiment: Automate Policy Governance
• Experiment: Detection via Security Operations
• Experiment: Compliance via DevSecOps Toolkit
• Experiment: Science via Profiling
Dev + Sec + Ops: DevOps + Security
![Page 35: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/35.jpg)
Four Pillars
1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization
![Page 36: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/36.jpg)
amazon.com 2001
![Page 37: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/37.jpg)
Traditional Deployment
developers -> delivery pipeline (build, test, release) -> stack
![Page 38: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/38.jpg)
Service-Oriented Architecture (SOA)
Single-purpose
Connect only through APIs
“Microservices”
amazon.com 2009
![Page 39: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/39.jpg)
Example Microservice
![Page 40: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/40.jpg)
amazon.com 2009
Two-pizza teams
Full ownership
Full accountability
Aligned incentives
“DevOps”
![Page 41: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/41.jpg)
developers -> delivery pipelines (six shown, each: build, test, release) -> services
You Build It, You Run It
![Page 42: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/42.jpg)
Keep Developers and Auditors Happy
![Page 43: Keeping Developers and Auditors Happy in the Cloud](https://reader031.vdocuments.site/reader031/viewer/2022022413/58eebe861a28ab60468b45f9/html5/thumbnails/43.jpg)
Thank You
Brian Wagner, Solutions Architect, AWS Germany
18 May, Taiwan Summit