Keeping Developers and Auditors Happy in the Cloud
Page 1: Keeping Developers and Auditors Happy in the Cloud

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Keeping Developers and Auditors Happy in the Cloud

Brian Wagner, Solutions Architect, AWS Germany

18 May, Taiwan Summit

Page 2

The Cloud from a Developer Perspective

Page 3

The Cloud from an Auditor Perspective

Page 4

The Problem

Page 5

Incentives and Perspectives

Developers

• Incentives: speed, features
• Want: freedom to innovate, new technology

Auditors

• Incentives: compliance with regulatory obligations, verifiable processes
• Want: well-known technology, predictability and stability

Page 6

The Solution

Page 7

“You build it, you run it.” – Werner Vogels, Amazon CTO (June 2006)

Page 8

Traditional Deployment

[Diagram: developers → one delivery pipeline (build → test → release) → a single stack]

Page 9

You Build It, You Run It

[Diagram: developers → many independent delivery pipelines (each build → test → release) → many services]

Page 10

AWS Assurance Programs

Page 11

How Does that Help?

Page 12

Four Pillars

1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization

Page 13

Four Pillars

1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization

Page 14

Vulnerability Management

Page 15

Page 16

Page 17

Data Backups

Page 18

Traditional Data Backup

[Diagram: server → database → disk → tape storage in the corporate data center; a second copy on disk and tape storage at the backup data center / media storage provider]

Page 19

Data Backup in the Cloud

[Diagram: RDBMS → Amazon EBS volume; Cassandra → Amazon S3 bucket; copies replicated to an S3 bucket in another region, an S3 bucket in another account, and non-AWS cloud storage (“cloud backup”)]

Page 20

Four Pillars

1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization

Page 21

Common Audit Requirements for Software Development

• Review changes.
• Track changes.
• Test changes.
• Deploy only approved code.
• For all actions: who did it? When?

Page 22

AWS Config

AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history, and notifies you of resource configuration changes.

Page 23

[Diagram: changing resources → continuous change recording by AWS Config → configuration history, change stream, and point-in-time snapshot (e.g. 2014-11-05)]

Page 24

[Diagram: you are making API calls on a growing set of AWS services around the world; CloudTrail is continuously recording those API calls; the resulting audit logs for all operations feed store/archive, troubleshoot, and monitor & alarm]

Page 25

Four Pillars

1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization

Page 26

DevOps

Page 27

Infrastructure as Code is a practice whereby traditional infrastructure management techniques are supplemented, and often replaced, by code-based tools and software development techniques.

Page 28

Infrastructure-as-code workflow

[Diagram: code → version control → code review → integrate]

“It’s all software”

Page 29

Development Lifecycle — DevOps

[Diagram: developers → delivery pipeline (build → test → release) → customers; plan and monitor close the feedback loop]

Page 30

DevSecOps

Page 31

Where to Start?

• Guidelines?
• Checklists?
• 1-pagers?
• 6-pagers?
• Full documents?

Security as Code

Page 32

Security as Code is Easy with AWS

AWS provides all the APIs!

• Programmatically test environments
• Determine the state of an environment at a specific point in time
• Repeatable processes
• Scalable operations
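The two ideas on this slide and on the AWS Config slide (a recorded configuration history, and a programmatic test of the environment's state at a point in time) in working form. This is an added example, not code from the talk: the configuration items are constructed and simplified, the field names follow the AWS Config configuration-item shape, and the compliance rule (no SSH from 0.0.0.0/0) is a hypothetical check chosen for illustration.

```python
"""Security as code: evaluate a point-in-time snapshot of an environment.

Constructed, simplified AWS Config-style configuration items; runs offline.
"""
from datetime import datetime, timezone

# Constructed configuration history: one security group changes over time,
# plus an unrelated S3 bucket item to show that snapshots span resource types.
HISTORY = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0a1b2c3d",
     "configurationItemCaptureTime": "2016-05-10T08:00:00Z",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]}]}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "backup-bucket-example",
     "configurationItemCaptureTime": "2016-05-11T09:00:00Z",
     "configuration": {}},
    # A later change opens SSH to the whole Internet.
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0a1b2c3d",
     "configurationItemCaptureTime": "2016-05-12T14:30:00Z",
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]}},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def snapshot_at(history, when):
    """State at `when`: the latest item per resource captured at or before it."""
    state = {}
    for item in sorted(history, key=lambda i: parse_time(i["configurationItemCaptureTime"])):
        if parse_time(item["configurationItemCaptureTime"]) <= when:
            state[item["resourceId"]] = item
    return state

def ssh_open_to_world(item):
    """Hypothetical rule: TCP/22 (or all protocols) reachable from 0.0.0.0/0."""
    for perm in item["configuration"].get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        all_ports = proto == "-1"
        if not all_ports and proto != "tcp":
            continue
        if not all_ports and not (perm["fromPort"] <= 22 <= perm["toPort"]):
            continue
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipv4Ranges", [])):
            return True
    return False

def evaluate(history, when):
    """Compliance verdict per security group as the environment stood at `when`."""
    return {rid: ("NON_COMPLIANT" if ssh_open_to_world(item) else "COMPLIANT")
            for rid, item in snapshot_at(history, when).items()
            if item["resourceType"] == "AWS::EC2::SecurityGroup"}
```

Running `evaluate(HISTORY, parse_time("2016-05-11T00:00:00Z"))` reports the group compliant, while the same call for 2016-05-13 reports it non-compliant: the same check answers both “is it compliant now?” and “was it compliant on the day the auditor asks about?”.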

Page 33

Development Lifecycle — DevOps

[Diagram: developers → delivery pipeline (build → test → release) → customers; plan and monitor close the feedback loop; Security as Code runs inside the pipeline]

Page 34

How Can We Learn DevSecOps?

[Diagram: a learning map. Start here: Security as Code? Security as Ops? Compliance Ops? Science? Experiments: automate policy governance; detection via Security Operations; compliance via a DevSecOps toolkit; science via profiling. Dev + Sec + Ops = DevOps + Security]

Page 35

Four Pillars

1. Undifferentiated heavy lifting and shared responsibility
2. Traceability in development
3. Continuous security visibility
4. Compartmentalization

Page 36

amazon.com 2001

Page 37

Traditional Deployment

[Diagram: developers → one delivery pipeline (build → test → release) → a single stack]

Page 38

Service-Oriented Architecture (SOA)

Single-purpose

Connect only through APIs

“Microservices”

amazon.com 2009

Page 39

Example Microservice

Page 40

amazon.com 2009

Two-pizza teams

Full ownership

Full accountability

Aligned incentives

“DevOps”

Page 41

You Build It, You Run It

[Diagram: developers → many independent delivery pipelines (each build → test → release) → many services]

Page 42

Keep Developers and Auditors Happy

Page 43

Thank You

Brian Wagner, Solutions Architect, AWS Germany

18 May, Taiwan Summit