AWS re:Inforce 2019: Leadership Session: Governance, Risk, and Compliance (GRC326-L)



Chad Woolf: Welcome, and thank you for attending. This is the leadership session on governance, risk, and compliance. I'm Chad Woolf, Vice President of Security for AWS, and this is Hart. You want to introduce yourself?

Hart Rossman: Hi, Hart Rossman, Director of Security and Infrastructure at AWS.

Chad: Great. Today we're talking about governance in general, really a general introduction to the governance, risk, and compliance track, even though the track is pretty much almost over, seeing how there's only a half day left of the conference. But we want to talk a little bit about governance in general and what that means today. We'll discuss a little bit about automated reasoning and do a couple of interviews with other people coming on stage, so hopefully it'll be interesting to you.

So, ten years ago, what was governance? If you really think back to what the governance, risk, and compliance team in your organization was ten years ago, who were they? Probably the kind of person who interjects themselves during an audit, or does some documentation on the side that maybe nobody really reads, or creates those big manuals that sit on a shelf and collect dust. That's kind of what the governance, risk, and compliance function was ten years ago. The change that is happening now, in the last couple of years, is that we're seeing more and more companies go with integrated governance models. The same as with integrated security models, they're putting the governance functions, the functions whereby the controls and the security requirements and everything that needs to happen to make sure you're secure and compliant, more integrated into the entirety of the process, from the design phase all the way through to operations.

The auditor himself has a lot of different challenges. We expect them to handle the complexity of the new way that your company may be progressing in its use of technology. Technology itself is getting more complex; the applications of technology are getting more complex in order to build businesses and provide customers with services and products. Auditors, and the people responsible for the governance of the environment, need to be more efficient. They need to provide an increasing level of assurance over those processes, but given the traditional models and the traditional way this is done, this is becoming more and more of an impossible process to do with the method that is traditionally practiced. So we need to talk about ways that we can integrate governance with the process of design, development, and deployment.

Today, governance is integrated into the code. As we look at the way that we're changing everything to be "as code" (security as code, infrastructure as code, governance as code), this also applies here, whereby the governance structure has to be done in the code itself. Probably the most common question I get when I talk to customers on a regular basis is: "Chad, tell me how I can put the guardrails in. Tell me how to govern this environment, because it's just the Wild West here. In our company people are using their credit card to pay for and spin up cloud environments, and I cannot keep track of everything that's going on, let alone figure out how to put some guardrails in place that'll enable them to do what they need to do, to experiment with new technologies and new services, without breaking compliance rules or security rules or being insecure in general." To answer this question, we're going to discuss a lot about what that means, what governance really means today, and how it's evolving.

During this session, think about what won't exist in five or ten years. What parts of the governance, risk, and compliance or auditing function won't or can't exist in five years? What is that? Maybe spreadsheets?

Hart: Spreadsheets.

Chad: Maybe spreadsheets will die. Yeah, I think that's the same thought. Finance ten years ago was all about spreadsheets, and now I think they're doing better. But without having spreadsheets, with controls mapped to each other and mapped to a unified control framework, hopefully that'll be gone. But really think about what will be gone and what has to be gone. What manual processes are we doing today that cannot be done when your business is 10x what you're doing today, or the complexity of your IT is 10x or 100x what it is today? I'll bet, as you think about it, that the governance processes you may be using and practicing in your company today, if they're not already obsolete, are going to be very quickly. So we've got to think about how we're going to evolve.

I think about this a lot as the person primarily in charge of audits and governance functions at AWS. We're constantly trying to rethink how we're doing this as our own services start using AWS services to deploy; we call those native services, like Lambda, which is a service built on AWS, not built on our own on-prem systems the way S3 and EC2 are. As we see more of that, we have to really challenge ourselves and think about it. The growth and the innovation that you see coming from AWS is pretty astounding. This is the chart of services and features we are releasing: new security products, new features within security, and features within existing products that enable security. This is the pace of innovation that AWS is providing to our customer base, and what that means for you, or for those working in governance, is that we need to go from a linear model of governance, where you had the luxury of sitting down, identifying the things you need to assess, performing an assessment, remediating, and then recovering. How many times has this linear process happened in your companies? There are too many times it's being repeated, too many iterations, too many issues coming up. So the security lifecycle needs to mature to a point where the detect, correct, deter, and prevent process is constantly being practiced in the organization, built into the code, and where those governing functions are self-service by default, so that unless you break all kinds of rules (and are alerted on), you cannot deploy something that's non-compliant or insecure.

So I'm going to pass it over to Hart to talk a little bit about the service offerings. As he goes through these, think about how, as we're progressing this function of governance, risk, and compliance, that, or at least the next generation of GRC, can be achieved using these services. Hart.

Hart: Oh hey, thanks Chad. So, to get a little bit of a sense of the crowd here: when you're talking about governance, it's a vital topic to discuss, not always the one that has the most glitz and glamor. I want to get a little bit of a sense for the audience today. Who here is a spreadsheet jockey? The way you do governance today is by lovingly handcrafting multi-tab spreadsheets and asking people to respond to every cell within them. All right. Do you build your own macros as part of that? Put in a little bit of automation, maybe pre-populate a few fields? That's kind of the state of the art today for a lot of organizations, and the way they scale that is by sharing those spreadsheets with their business partners. So not only do we get the pleasure of filling those out, but why don't you fill one out for us too? It's not really a scalable mechanism. It's not really something that you're truly automating, although there are little pieces that you can make a little less painful.

As Chad was saying, what we want you to do is think today about ways that we can use the cloud to protect the cloud through increased and automated governance, but also ways you can back-port that to the way you do things on premises. A lot of this comes down to how you approach solving the problem, not strictly the technology you're using. All a spreadsheet really is is a fancy checklist, a fancy clipboard. We've taken that old-school inspection mechanism and put it in a different format. What we want to talk to you about today is breaking that paradigm almost entirely and thinking about how we audit, how we demonstrate compliance, and how we build systems with change control that, as Chad said, is done in code. It's code native: you're building, deploying, and operating governance, risk, and compliance with the same mechanisms as you use to serve up that wonderful image on the front page of your website.

We've got a bunch of services in AWS that are going to help you do that. I'm going to highlight just a couple of them today; I'm not trying to not love some of our services, but there's a lot of ways to approach this.

The first one is CloudTrail. This is often the bread and butter of any governance strategy in AWS. What CloudTrail provides is an audit log of what your users are doing from the perspective of identity and access control: who accessed what service, when, and from where. Essentially, that's what CloudTrail tells you. It's very quick, it has a high degree of detail in it, and so you can parse that log in a variety of ways to understand what people are doing in the system you want to govern.

Then you say, well, now that I understand the environment, how do I want to think about establishing those guardrails? At a basic level, what will work and what won't work? A lot of our customers go directly to Config rules. It's a way to codify some of these guardrails that Chad was referring to in a scalable way. You can not only develop them centrally and push them out to the organization, but you can encourage the individual dev teams to develop their own Config rules and ship them with the application or the workload when they're deploying.

GuardDuty is fantastic. It's something we launched about a year ago, maybe a little less, and what it allows us to do in AWS is expose to you threat intelligence and intrusion detection data so that you can consume that and make risk-based decisions on how you want to govern your environment from an operational standpoint. You can really look at what's going on in the environment, how we're exposing some of this information to you about what we're seeing, and make changes, maybe to those guardrails, maybe to how your policies are affecting your implementation. It could be that there's not actually an adversary that's causing you the issue; it's that you have a bad policy, and people are trying to comply with it, and that's forcing them to make suboptimal decisions in operations, and that's resulting in performance that you don't want to see. So sometimes when you look at GuardDuty data, for instance, it's not an adversary that's out to get you; it's the reformation or the improvement of a policy that's going to really get you the right result.

CloudWatch is the Swiss Army knife of logging data. I talked a second ago about linking GuardDuty not just to governance but to operations. An important aspect of governance, I think we can all agree, is that if you're governing something well, a primary result of that is that you're operating it well. You're not just compliant, but you're operating the system in an effective manner at scale. What CloudWatch allows you to do is begin to factor some of that operations telemetry into how you're thinking about your governance regime. So you can look at CPU, you can look at memory, you can look at a variety of bits of data, and then you can also import other data sources into CloudWatch to give you a common operating picture that can inform your governance process. Where do we see customers using that quite a bit today? When you're thinking about change management: you want to file a CM ticket and make a substantial change. One of the things you need to be looking at is, of course, CloudTrail, GuardDuty, and all the rest of it, but "were we successful in that CM?" is going to live in the CloudWatch domain.

Another service that recently went GA, I think yesterday, is Security Hub. Who here is familiar with Security Hub? All right. As a governance specialist, as somebody who's fanatical about this stuff, Security Hub is your best friend. This is a space where we can expose to you what's going on in your environment, so instead of having to look at each individual service and how it's performing from a security standpoint, like the name implies, it's a hub where you can go to one centralized location. It also allows you to conduct automated checks against certain compliance regimes and also develop some of your own. So it's a great first place to look if you want to get that overall view of how things are going from a security and governance standpoint.

Another one I want to highlight today is Control Tower. This is another one I'm really excited about; it also went GA recently, I think yesterday or today. We've had so much excitement here, I'll be honest, I'm not sure what happened today versus yesterday. I think today's Wednesday, still, maybe. Control Tower is fantastic in that there's a lot of customers who are really comfortable with building, deploying, and operating guardrails as part of their development pipeline, and that's fantastic if you're able to do that on your own today and you can do that at scale. We've got many customers, though, who say, if you already know what the basic guardrails should look like, why can't we just have them baked in from the start? Why can't we centrally govern them? Why do we have to have every dev team develop their own? So Control Tower is this really fantastic way to launch new environments with the guardrails baked in, already ready to go, and then you can load your workloads on top of that and continue to develop in that environment.

The last service I want to talk about today in this context is Lambda. What Lambda allows you to do is automatically remediate all of these things you're going to find as you're traversing the environment using the telemetry and the services I just talked about. Too often, the environment we're in from a governance standpoint is that we have a long list of things that we want to address but not enough time to address them, because we've got to go on to the next system, and so you never quite circle back around to remediating what the problems are at a root-cause level. Lambda, being a Swiss Army knife that gives you the ability to remediate in an automated way, lets you develop a series of event-driven responses: when you see something in Security Hub, when you see something in GuardDuty or CloudWatch or a Config rule, you can have a prescribed set of actions that occur. It can be as simple as alerting a developer based on some of the information you find in the runtime environment, the incident's metadata, or it could be something a little more dramatic like changing a security rule back to the way it's supposed to be, or updating a policy, or switching out an IAM policy for a different one. There's a lot of things you can do in this space for auto-remediation.

Okay, so with that as a background, what I'd like to do is introduce Jason Callies, director of security at Fidelity, and he's going to talk to you about a couple of the ways that his team has implemented automated governance at scale, and then we're going to have a chance to ask him a few questions. Jason, why don't you come on up? Cool. Thanks for being here.

Jason Callies: Sure. Hello, my name is Jason Callies, I'm a director of security architecture at Fidelity Investments, and I'm here to talk to you about how we do compliance at scale.

First off, the pursuit of compliance: how do we achieve this? Here I want to shock you a little bit, because identity and access management permissions are not the same as security policies. Our security policies are much more complex; they're basically a combination of different things, including identity and access management. We use infrastructure as code, we use CloudFormation heavily at Fidelity Investments, and we use a few other things, like some logging telemetry, and we have a suite of security controls which include preventative, detective, and remediation controls in our environments.

So how do we achieve compliance at scale? I'd like to share with you an example that is very near and dear to my heart. Some of my colleagues in the crowd know this and have worked on this with me. One of the things that we're very passionate about is some of our network constructs at Fidelity. A couple of months ago, actually almost a year ago, when some team wanted to come to us and work on security groups, what they had to do was submit a request to a central organization and basically ask them to change a security group or create a different rule, for example ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateSecurityGroup, things like that. Then it comes through the central team, which processes it and deploys that into an AWS environment. Guess what? It turns out that this doesn't really scale very well. It can be a little bit cumbersome and it can be slow, and we got a lot of requests. And guess who understands the networking of applications the most? It turns out it's not the central organization; it's actually the development teams who work on these applications.

So we thought about how to scale this across our organization. We sat down and looked at our policy and said, what's the best way to do this? So we created a suite of controls: we created detective and remediation controls, and we also created preventive controls. We created rules in cfn_nag, which is an open source rule set built by Stelligent, and we built on top of what they've already provided and created a suite of controls that we can now put in our pipelines. What we did after that was release these permissions back to the developers for a self-service experience. In the pipeline in the middle, you can see the developer will actually have those permissions; they scan their CloudFormation templates, they see what's compliant and what's not, and then they're able to deploy that into our environments, which is great. This is a more self-service model that we got to. The last pipeline on the page is for a specific example: we have very specific use cases where we can make this an even better model of compliance.

With that, I want to talk about AWS Service Catalog with a similar use case. We use AWS Service Catalog to abstract away IAM permissions. In this example we use SageMaker, which is an ML service provided by Amazon; we use this for data scientists. One of the things that we require is that direct internet access be disabled, and we require root access to the machine to be disabled as well. By default, when you spin up a SageMaker instance, these are enabled, so this doesn't quite meet our security policy. With Service Catalog, what we can do is not give out those IAM permissions to the end user, and we can have these data scientists go through this pipeline. That's the only way they can deploy a SageMaker instance, and they will never have those IAM permissions.

I want to go back to the security group example we talked about earlier. This actually happened a few days ago, this weekend. A couple of us in the audience were on an email chain where a development group actually emailed us and asked us, "How do I make my security groups in lower environments, for example sandbox and also development environments, more secure?" When I saw this, I almost jumped out of my chair, because what this means is that this is a fundamental shift in how people think. Now we have development teams who are proactively trying to do the right thing and trying to build security into their application components, and this is a shift that we're very excited about. I think it really shows the shift of responsibility and shows the shared responsibility model we have now, where security is everyone's responsibility.

Hart: Cool, Jason, appreciate that. So while we've got you here...

Jason: Thank you.

Hart: It's all right, I'd like to ask you a couple of questions. That story you tell about your experience this weekend is super compelling to me, because it tells two things. One is you've been able to effectively decentralize some of the governance...

Jason: Yes.

Hart: ...and at the same time you've brought people to the table. You've got developers interested in governance, which is kind of sexy. So my first question to you is, how do you get buy-in from your peers to go from this highly centralized model you started at in the financial institution to the more decentralized model you're operating in today?

Jason: Sure. One of the things that we've seen is that as we build more tooling and more automation around these controls, building the right detective controls, the right preventive controls, the right remediation controls, and building the right framework for developers to operate in, we actually create a more frictionless environment, which allows developers to think for themselves and push what they really want to do and move at a faster scale. What this does is it makes it a frictionless experience, and we've actually seen cases where developers come to us suggesting better security rules, better security posture, and they contribute back into this decentralized security environment.

Hart: That's super awesome. So you get this kind of accretive value: people take pride in ownership, you're extending the shared responsibility model...

Jason: Yes.

Hart: ...and then you have this opportunity to have some of your really bright developers contribute novel ways of solving the problem that just benefit the rest of the organization.

Jason: Definitely.

Hart: That's super cool. The other thing that's really interesting to me about what you talked about is you didn't use the word "spreadsheet" once.

Jason: I don't know what a spreadsheet is.

Hart: Yeah, you didn't use that one. So I think it's fantastic, but at the same time I think that kind of means that the people you're working with and the people you're looking to hire in the future probably have a different skill set than the governance folks you looked for in the past. What makes an ideal team member for you today?

Jason: So I went back and forth on this with some of my colleagues earlier today, about how we build the right teams, how we build good teams at Fidelity. One of the things that stuck out to us is, I know AWS always pushes new features, changes things, and produces new things of value. One thing I really look for is developers or engineers who are willing to go that extra mile; they're able to dig down and really find things that can possibly impact our security posture at Fidelity, and they can dive down into the details and truly understand the true impact of what these services bring to Fidelity.

Hart: Super awesome. So you said "engineer" a few times. I want to be clear: there's a role for engineers in governance...

Jason: Correct.

Hart: ...but there's also a role for people who are compliance specialists and auditors. How do you think about the skill set for them? How are you incorporating them into what you're doing?

Jason: We incorporate them because, I think, one of the good things that we've had is a lot of collaboration. We've had these auditors and these engineers work together to truly find out implementable policies that are going to help developers get their job done but also keep Fidelity secure, and that's what's beautiful about the collaboration that we see.

Hart: I love it. The word "implementable" is just so key here; it's absolutely crucial. So the last question I want to ask while you're up here: this sounds like an awesome thing you've done over the last year, or a few months. What's in store for us in 2020 at Fidelity? What's next?

Jason: So we're never done with our journey. As we continue to develop more things in the cloud, we face the scaling issue. So we always look at how we automate more, how we build up our framework of detective, remediation, and preventive controls, and how we build more self-service options to enable a more frictionless experience for all parties involved.

Hart: All of that is super cool, particularly the self-service thing. That's what brings everybody to the table and allows them to do their job in a way that they can focus on the outcome and not necessarily the governance, and the whole time they're being governed effectively.

Jason: Yeah.

Hart: That's super cool. Thanks, Jason.

Awesome. So Jason painted a picture of what they're doing today, which I think is fantastic, but one of the challenges Chad set out for us at the beginning of this session is to think about the art of the possible. So I'm going to talk a little bit, in this next case study, about Nerdvana: this kind of idea where you can put together a bunch of the pieces of the story you've heard today in an infrastructure-as-code-driven manner. There are some customers who are doing all of this at various levels of maturity, but often we have customers focusing in on one particular area and developing some competence and expertise, and then they're thinking, well, if I can do that this year, what am I going to do next year? So we'll get into a little bit of the Nerdvana case study.

If you think about infrastructure as code, you've got to have a software supply chain. You have to have something that allows you to design, build, deploy, and operate whatever it is you're going to have working in the cloud, and today that can be in a couple of different modalities. I'm going to zoom in on one area, which is this idea of using pipelines and DevOps teams to drive governance and to drive the development of infrastructure, but it's not the only way you can do it.

So I'm going to tell you a little story. Who here today develops a threat model with every application that they design or deploy? Well, first of all, we've got to get that number way up in the future, so that's homework assignment number one: we have to think more deeply about threat modeling. The format doesn't matter, the tooling to develop it doesn't matter; we've got some great partners that can help you threat model, whether it's on premises or in the cloud. But the point is, what a threat model does from a governance standpoint is help prioritize what's important. When you've got a checklist a mile long, a spreadsheet with 24 lovingly crafted tabs in it, you have to tell the developers what to focus on in the sprint this week: what am I going to build this week, and then what am I going to build next week, and the week after that, until we're kind of feature complete from a governance standpoint? The threat model is a great way to do that, and I'll tell you why.

If you develop a threat model, it doesn't have to be beautiful or perfect, but if you develop it well and check it into the code repository, which all of the other code in your environment is going to live in, it allows you to then look at that and say, what are the user stories I need to create that either mitigate one of the threats I'm concerned about or prevent us from developing a system that creates a scenario where this bad thing can occur? I can then take that user story and go off and build something. Now, when I'm ready to test to see if it's valid, I go back to that threat model and I say, what's the unit test, the security unit test, that ensures that the code I just wrote is going to be effective in mitigating the threat I'm concerned about? And so now, if it passes the test, I can promote that to the next stage in the process, dev to test, test to P-1, or integration to production, whatever it might be. Then I can trigger some monitoring, maybe in CloudWatch; we can have vulnerability scanning, we can have third-party pen tests, and then we can take that information and feed it back to update the threat model. It's not only that you have test-driven development, but now you've got user stories that are driven by a governance or security point of view. That works equally well with other aspects of governance. Today we've been talking a lot, I think implicitly, about security, but you can do the same thing from a cost standpoint, if you want to optimize for cost in your environment. Some of our customers say we need to bundle a cost governance model, or a change control governance model, along with ensuring we have the right guardrails in place. So that's one thing that you can do using a pipeline that's really interesting and fits right into the developer's workflow. Kind of like Jason was talking about, you build the right frameworks that allow them to do it self-service and bring them to the conversation. This is a model of governance they will understand. When you bring them the spreadsheet, they're like, "does not compute." When you say, "hey, I need you to write me a user story that allows us to do this governance function, and then I want you to show me the evidence from the unit test," they go, "no problem, we'll do that in the next sprint, totally get it." So you've got to kind of weave that in. That's one thing.

The other thing that you can do is shift your model of how you're thinking about the evidentiary portions of governance. Today, as Chad was saying, often that's some sort of audit log or spreadsheet: you go in, you sample some things, decide how big a sample size is statistically significant to feel comfortable with the controls that you have in place, which is an all-right method of doing things. If you're using a pipeline, then you're taking the approach that we're kind of suggesting today. One of the cool things about this is that the pipeline itself, that software supply chain, is going to emit a lot of the evidence you need to know if your controls are, first of all, in existence, second of all, effective, and third of all, in operations, how they are performing. You can do that seamlessly, with that chain of custody and the ability to walk back the provenance and pedigree of what drove that outcome: which developer checked in which code that got which effect, which tests passed or failed. You can see that end to end from a governance standpoint, and you can slice and dice that a few different ways: you can ask questions about cost, you can ask questions about change management, you can ask questions about identity span of control, a bunch of things.

So that's one way of looking at this, as a pipeline, and I want you to walk away with two ideas. The first is that you want to create a feedback loop from a governance perspective, where you're identifying the things that are most important and helping the team prioritize the work, to ensure that you have a high-integrity, highly scalable system that has the right guardrails in place, and that you can trace that back, and when you get to the end you can take the lessons learned and feed them right back into updating the threat model or writing a new user story to go and sprint again: MVP and iterate. The second thing I'd like you to take away is that the supply chain itself is a critical component of the evidence you need to be effective at governance at scale. I'll say in the cloud, but really anywhere. You want to go right to the supply chain to get that and not worry about sampling things in the runtime environment. So this is a great way of thinking about it. Some of you may, like I said, already be approaching components of this today, but if you're not, it's something to think about. It's a bit of Nerdvana, but we have folks who are doing this to varying degrees and really benefiting from it from a governance, risk, compliance, and also security engineering standpoint.

The other way to look at this same story is from the perspective of: what if I'm not doing the whole DevOps, agile thing, or I'm not doing it consistently across the enterprise, but we've got workloads that we want to make sure are governed in a particular way? Are there AWS services to help? Earlier we talked about a number of services that had a lot to do with the telemetry, and then the auto-remediation. I'm going to highlight a couple of services now that do some of the same things I just talked about, but do it at a service-specific level.

For example, Jason touched on Service Catalog. That's a phenomenal way to govern, in an enterprise, the types of workloads and how they're deployed, and whether or not they have the right identity or the right guardrails in from the get-go. What's cool about Service Catalog is, although it has an API, which is fantastic, it also literally has push-button deployment. So people just like you, if you think of an ITSM service catalog, you can go in and say, "I need a three-tiered web application that roughly does this, with these controls," and you go, "oh, there it is, deploy." If you have the permissions in Service Catalog, as a program manager or as an auditor or as a developer, to do that, then you can do that. If not, then you have a means of going to say, "well, why don't I have access to this? Let me go find out; maybe there's a governance rule that's appropriate here," and go work through that. So Service Catalog is a great way, at enterprise scale, to take some of the things I was discussing and not only give you the API but also literally give you the easy button to deploy a highly governed, compliant system by default.

Another one is AWS Systems Manager and OpsCenter. This is a way to take some of that operational data that I was referring to earlier and really drive it into the governance and compliance program by adding not only the guardrails but the ability to create remediation and response documentation that goes along with it. So if you're managing a help desk, if you're looking at escalations, remediating audit findings, it's a great tool to use.

Another tool that I think the governance community doesn't spend enough time thinking about is our Well-Architected Framework and the Well-Architected tooling. Let's say there's a bunch of you out in the audience, because I saw many of you, who said, "I don't threat model today, and it seems like it's going to be really hard to build the competency and the capability around threat modeling." Start with Well-Architected. We have a service available to you that has a security pillar with some of the foundational and fundamental security, risk, and compliance requirements that you ought to be considering for your systems, and there's an API. So right out of the gate, if you say, "I don't know what's important," start with the Well-Architected Framework, start with the Well-Architected Tool, do self-assessments, use the API to compare improvement over time, and drive change in your organization from that, developing the user stories, doing the builds, all the rest
of it the last one I want to highlight right here is CloudFormation all right one of the things that I will often do when I'm working with the compliance and audit teams and our customers and I'll do it a little cheekily but I'll slide a CloudFormation template across the table and say what do you think and often they'll kind of look at it and I don't know it's I guess some code or something well must be important if you passed it over to me all right I'm not saying the community has to be a bunch of developers but you heard today the theme was automation API oriented service orientation right and the nice thing about languages like clot that CloudFormation uses is that they're basically human readable if you spend a few minutes kind of reading through it even without being a developer you can kind of figure out what this means this and this is where we apply this policy and you start off star that's probably not good right and you can sort of figure out what's going on I would really encourage you in the governance community to think about cloud formation and when I asked that question earlier about who write their own macros to develop some of the automation in your spreadsheets CloudFormation and lambda need to be your weapon of choice for governance risk and compliance in the future it's not hard takes just a little bit of time to get comfortable at but it's gonna open up the world to you in terms of your effectiveness and your ability to partner with teams like Jason's right to be able to decentralize what you're doing it's a governance function but more importantly to be able to have an assured point-of-view to know what's being done where and people to interpret the evidence that's being provided to you right to be comfortable with what's going on so the last thing I want to share with you on this topic is just a simple example of how you can bring a number of data points together across AWS using lambda to auto remediate right and so this is a pretty common 
pattern you see on the board here well we're ingesting cloud from a cloud trail or ingesting VPC flow logs we're using a laugh we have shield for anti-ddos we're using guard duty for threat intelligence we've got AWS config providing a series of guardrails as well as some feedback on how those guardrails are being applied we're pumping that into cloud watch and then we're using events from all of those data sources to make decisions about how we want to govern the environment right so that's the alerting the remediation we're having pre-programmed countermeasures particularly if you have something that's behaving in a usual manner you might want to quarantine that off for additional investigation and forensic analysis right and so we have this ability without a whole lot of effort right to really bring all of this together and create an environment that begins to automate the governance of it and allows you as a person is passionate about governance to move up the stack to higher order issues that are gonna impact your your business in a positive way because you know those guardrails are in place you know the data is being analyzed and you know the right mechanisms are there to alert and escalate when needed right so that's one version of nerdvana for the governance space I'm sure there are others but it's definitely something to think about that's not what we want to do is actually take you even further than that and talk about how we can use math and science to elevate the level of assurance you might have in these types of systems that I'm talking about and so Chad and Rima are going to talk about that a little bit thank you all right so before we talk about more more math and automated reasoning I think from this presentation I think it's clear what the future of the GRC function is and that is that it's very small decentralized and that the tools that the entire engineering or architect environment have the the the teams in your in your environment have the 
things they need to deploy securely and in a compliant way you know what Jason was talking about and heart calling very sexy compliance function the sexiest compliance function is a very tiny compliance function and a compliance function that has a lot of technical ability and knows what those guardrails are and how to evidence those two auditors how to evidence to how the controls are designed and how they're operating to those who need to like the external independent auditors so I would just say like as you think about it and as you go back can I have a raise of hand who here is a dedicated GRC function in your company okay so there's some but there's not a lot and I would totally expect that because what's what's happening here at this conference is a lot of very technical people trying to understand how to bring this governance into their design and so I would say for those of you who are in the GRC function this is an invitation to get more technical to really understand how to create these guardrails and then partner with the technical teams the technical teams have to go back and kind of push from your side push the value of the CloudFormation template example of pushing that across the table and saying what do you think of this that's a good way to get the traditional audit folks to really start thinking about this from a compliances code and security is code aspect one of the other things that we're doing here in AWS is really exploring what automated reasoning can do for us in the compliance world automated reasoning as and we have really here who will come up and talk more about this but automated reasoning in using mathematical proofs to prove a system characteristic a condition of the system such as strong encryption keys or such as extensibility of the network whether or not a network has access to the Internet anywhere defined in any node or any policy in the entire network these to understand a condition or a characteristic of a system is a much 
better way to audit it than doing a population sampling method or a manual any kind of manual control or even an interview because many times when a audit team doesn't know technically what's going on they resort completely to an interview to understand document and and test controls so I would say as we move to something more advanced such as using mathematical proofs to say to give a very very high level assurance that yes encryption keys of 256 bit or greater are used in the system that is going to be the only way for some in some cases to prove or at least get a high level assurance over a very very complex system so with that I'd like to invite Reema up come on up Rina and I guess we'll just stand here or okay Reema why don't why don't you want to introduce yourself to the to the group yeah hello everyone I'm remotes I am a security engineer with AWS security health and just a little background about myself back in 2011 I worked as a system auditor for the inspector general for GSA and I remember back then things were pretty manual right like we did a lot of manual system testing inspections of system logs although also we built pen testing procedures and many of you may know that these could be really complicated right and expensive especially when you were testing production systems and one of but one of the other things that I wanted to also mention is that GSA was the first government agency at that time to adopt cloud technologies so when we had to do audit for cloud-based systems it wasn't like it wasn't really clear right like how do you do that how do you take principles and testing procedures for on-prem systems and apply them to the cloud environment so it wasn't really clear but I'd say before I left things have changed quite a bit so that's just a bit of my background as it relates to this topic right what are you working on now at AWS yeah so as I mentioned I am a security engineer working on AWS security hub and security hub just g8 actually this 
week as Hart mentioned if for those of you are not familiar with the service security hub gives you a common place to view your compliance status and your highest priority alerts across of across all of your AWS accounts so interestingly I have been recently focused on a functionality in AWS security hub that automates checking for compliance so that's been my recent focus it's security hub and how does that I mean when what is the general value proposition to customers they're like I was a benefiting customers the work you're doing there yeah so so customers that we talked to in the past told us that they have a really huge backlog of compliance requirements and some of our financial institution customers have like hundreds of compliance checks in their backlog that they really want it to build right but they didn't have the enough resources or time and further when you look at these compliance standards like PCI CIS and so many you you know you it takes it takes some time to try and figure out how you know how do they map and how do they translate to a cloud environment so at security hub the the first compliance standard that we rolled out is DCIS benchmark and we you know we're planning to add more so the CIS benchmark in security hub consists currently of forty three fully automated compliance checks that are constantly checking across related resources in your account and and and giving you this compliance status right now the other feature is also available in the compliance standard is that once well let me actually go back so once these checks are ran the results are called finding so like if you go in security hub you will see you know there's like a list of finding in the compliance section so for each finding you will also receive a status of the compliance for that resource as well as steps that can help you remediate right so you can follow these steps and try to figure out how to resolve this issue the other nice thing is a security hub is fully 
integrated with cloud watch events so what does that mean that is that you now customers have ability to build custom automation like Hart was talking about lambda and step functions so through cloud watch events you can now route these findings and build some logic and a lambda function or a step function or even third-party solutions so you can build some automation logic to resolve and remediate your compliance findings so we've we've tested that whatever we've a beta customers trying that and what is their general like response been to that those those features yes so we actually worked with a we worked with a control group focus group customers we've also been in preview since last year reinforce and we received a lot of great feedback from our customers we also received a lot of feature requests that we worked on between then and now before we went GA so we are really fortunate to have all that feedback from our customers okay so can you tell us a little bit about what you're doing with automated reasoning kind of your work there as the team's work so so AWS has a number of automated reasoning technologies available that are integrated and a number of AWS services so and and the these these services help our customer check for compliance so I'm gonna talk about two of the the tools that are available one of the tools which we refer to internally as zelkova is an access management well it's access control really governance tool and what this tool helps you do is kind of check properties of I am and resource policies and it would tell you you know whether some property exists or not so I'm going to give you some some examples the particular tool is currently integrated with AWS s3 buckets so you might have noticed if you go to the SD console there is actually a column that tells you and lurtz you if an s3 bucket is allowing an unauthorized access to some user so it will alert you that there is an unauthorized user they can read or write to your bucket so that 
is actually powered by an automated reasoning tool that uses math and and logic the other prominent also service at AWS that is using the same technology for access control verification is AWS config so curly AWS config offers eight managed rules that customer can use to like do more specific checks that are targeted at s3 there's some other integration also but I I'm just going to mention these the other automated reasoning tool that is also available that deals more with network configuration is internally called TIROS but kind of known as a feature in Amazon inspector it is the network reach ability rules package so you have the ability to go into Amazon inspector and run an assessment and what these rules do they automate monitoring your AWS network and assess if there is an access to your ec2 that's misconfigured right it also gives you some guidance as to how you can you know figure out like fix these issues but what I really like about heroes is that there is no like pentesting right there is it's packet 'less you're not you're not right you know you're not throwing any of testing any networks really using packets which makes it really manageable and not expensive also you don't need to install any scanners so that's that's really great about using these you know churros and and the other tools they're really seamlessly you know I know we have a website that talks more about this I mean we could we actually there are a lot of sessions that we have had at this at reinforce about this about automated reasoning and I'm gonna recommend a couple in a minute but I think it's something to really seriously think about how automated reasoning can can be used to provide a much higher level of security and a loach higher level of assurance than doing traditional testing pen testing or scanning and things like that so go here to learn more about provable security and then also there's some related breakouts that we have here around both provable security and some other 
things around using the services and tools that we've just described to talk more about you know freeing your environment to do better governance risk and compliance okay I think that's it I don't have time for and thank you all for coming and have a great rest of the conference [Applause]

Maurice Vega
