How To Establish a Security and Governance Framework Without Getting in the Way of Innovation

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 1 Accelerating Business Outcomes with Hybrid Cloud

Cloud Technology Partners is the premier, born-in-the-cloud services and company. Our unmatched intellectual property, cloud expertise and people are helping F500 clients transform their business at every stage of the cloud journey.

Thought Leadership Execution Experience

Transforming enterprises in the cloud since 2010 600+ enterprise engagements across AWS, Experience Google Cloud and Azure platforms 800+ free Doppler articles, podcasts and papers 40+ F500 cloud transformation clients Industry’s most trusted source for cloud best practices and expert advice 20+ years average delivery experience

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 2 The future belongs to the fast

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 3 Barriers to Speed in a Cloud-Enabled World

Managing costs Alignment

Funding transformation Cloud skills gap

The full value of cloud is yet to be realized

Maturity Laws and regulations Cloud security

Scarcity of talent Legacy debt

Proprietary concerns

Complexity

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 4 Setting Context - 2 things to remember

Please Protect:

Your Deployment Pipeline

Your Environments Dev QA Prod Development Production Testing Environment Environment Environment

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 5 Cloud Security is still Security

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 6 Cloud Governance is still Governance

..but at speed which can lead to unforeseen issues.

Service Areas Legacy IT Public Cloud New Governance Demands Dev / Test Provisioning ✗ Weeks ✓ Minutes Sprawl, Cost Containment Change Management ✗ Months ✓ Days / Hours Security, SLAs, Performance Release Management ✗ Weeks ✓ Minutes Conformity, Metadata Consistency, Chargeback Service Access ✗ Administered ✓ Self-service IAM, Sprawl, Cost Containment Standardization ✗ Complex ✓ Reuse / Share Education, Consistency, Rule Book Changes Metering / Billing ✗ Fixed Cost ✓ Variable Cost Chargeback, Visibility, Consistency Server / Storage Utilization ✗ 10 – 20% ✓ 70 – 90% Accountability, Ownership, Service Alignment Payback Period Years Weeks

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 7 9 Guiding Principles to Cloud Security

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 8 Assume Breach

The quicker Security recognizes that it is simply inevitable that an organization will get hacked (or that it has already happened), the quicker it can develop mature action plans.

• Know your shared security model with your cloud provider • Recognize you will be compromised either purposefully or accidently • Build mature security responses to remediate • Use the assumption of compromise to guide decision making

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 9 Life is difficult enough in the world of Identity. Don't make it harder.

• Federate • Use RBAC Minimize Sources of Identity • MFA for all privilege access • Use Privileged User Management • No local users on cloud except for break glass

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 10 When appropriate use native Cloud security functionality to satisfy infrastructure-related security controls.

• Native internal network controls work well and are well integrated at scale. • Leverage *aaS solutions where Go Native possible (e.g. AWS services) • At the edge consider third party providers • Think cross cloud

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 11 Security should not be a ‘bolt on’ option.

• Security should be involved early on • Educate Developers on cloud security principles • Give them opportunities to experiment Shift Left with AWS services and learn • Establish a Cloud Curriculum and require developers to attend training before allowing them to write / deploy code for the cloud • Provide a security focused forum for developers to communicate and learn from each other

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 12 In a world where velocity is paramount: Automate Automate Automate • Automate as much as you can • Minimize manual interventions

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 13 ZHMHmkwDmcpA8ygjbFa9Rhz12bDpa7npp+87e7IiyC /9gTmAmEevIREn2eIfYFNgXvU4rsV6Szz9XjizxnmK7 H3Nlc/Fn2e8u5x6UuFgFJHvfWffsSetUfy2E2RCR+4tz QfPYUCladCMhYlVQmPxaGz7Pjqp8Q9gIQUm199P4d p/6EIkEfLxAuhxyVA5EsVo0xZ3+c2vopwD9XVAmFLcP Encryption is now a service and not the zY1HVEVc8GY9FI27ErIdq8dLgDuLGXnjnDg9zux/cunc I7AGJVYRRiYOx9Tyf7Uq79D8CbRb7FwSNP67/2Sm5 burden it once was. It would be unwise not to OwI+s1DOr4TZYGyTIMRSnzWDoStgMFa8usU1hIYkd MThdxYNf34P0mGbURc/2y8yyX9npZO7X84CLeVYZ7 take advantage of it. ZErvVzdgh7iAK6g6Mv0+/GmtWm8n6zAk/hToNc2huxX nZNDFbAkxqE8dytMozho/+a0ct+BPW0UrB7z8FOSZwEncrypt Everything UKKZTYh5pWf//DjDW/f+b8K2k7TBwJNvAxpbuOE1s8 • Provides a safety-net for misclassified 8txKo0FdXf8+tJlgk4tBbUWlunQNW1UhF4pTFwaG8F0 yA9kNCJefhR/KHD4n59N9JXzDnA/yBKsZz/7dLUM/1U data UufsAlrSngLbFLL7vYyvEl4pgH2baYoI5yEynVEQ8koU pLz86eV+y52Eez+3iLfU+SnQHTQGpxpfTzPpc8+Yt0B • Increases obfuscation of critical data SKEPZQa+/sJ6RhQHA8F25nJe0ySTgGwWaiPFq+yS • Allows for crypto-shredding of all data 4HyFDKNSlLCaSIrKhjQkyDdlPgdd5rx6jbiay+7MFVAln 2btb64Pq+u8j/+6iBrtrwWB+OwSSfxTGcxf3jGOpdZpJT • Encrypt at all levels PL1ycSJtLzKT5pwPKq1Hj44Fv5s62LdXjspff34BmPcjD qchDeCiHFHlgsauLALvzc1xX6m5skjEYQgtgt5ppjbWa e3Xp+IdmMfMj+yTBTM9O6c4syYltGF5yDAbyuEH8yZ EzJy71IYfMes18ejSnDH0wxlQhJI+7Qxfzwl0x+bIDt0ch © 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 14 hxexXyyiLWjS/RtGrS79xy2ULc54QjUcHxRCAfX2a18e 93.114.45.13 - - [17/May/2015:10:05:04 +0000] "GET /reset.css HTTP/1.1" 200 1015 "http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 /25.0" 93.114.45.13 - - [17/May/2015:10:05:45 +0000] "GET /style2.css HTTP/1.1" 200 4877 "http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0" 93.114.45.13 - - [17/May/2015:10:05:14 +0000] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0" 93.114.45.13 - - [17/May/2015:10:05:17 +0000] "GET /images/jordan-80.png HTTP/1.1" 200 6146 "http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0" 93.114.45.13 - - [17/May/2015:10:05:21 +0000] "GET /images/web/2009/banner.png HTTP/1.1" 200 52315 "http://www.semicomplete.com/style2.css" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0" 66.249.73.135 - - [17/May/2015:10:05:40 +0000] "GET /blog/tags/ipv6 HTTP/1.1" 200 12251 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e /8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 50.16.19.13 - - [17/May/2015:10:05:10 +0000] "GET /blog/tags/puppet?flav=rss20 HTTP/1.1" 200 14872 • Protect the log from attacks / tampering "http://www.semicomplete.com/blog/tags/puppet?flav=rss20" "Tiny Tiny RSS/1.11 (http://tt-rss.org/)" 66.249.73.185 - - [17/May/2015:10:05:37 +0000] "GET / HTTP/1.1" 200 37932 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 110.136.166.128 - - [17/May/2015:10:05:35 +0000] "GET /projects/xdotool/ HTTP/1.1" 200 12292 • Ensure that logging requirements meet "http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&cad=rja&sqi=2&ved=0CFYQFjAE&url=http%3A%2F%2F www.semicomplete.com%2Fprojects%2Fxdotool%2F&ei=6cwAU_bRHo6urAeI0YD4Ag&usg=AFQjCNE3V_aCf3- gfNcbS924S6jZ6FqffA&bvm=bv.61535280,d.bmk" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0" appropriate regulations 46.105.14.53 - - [17/May/2015:10:05:03 +0000] "GET /blog/tags/puppet?flav=rss20 HTTP/1.1" 200 14872 "-" "UniversalFeedParser/4.2-pre-314-svnLog +http://feedparser.org/" Everything 110.136.166.128 - - [17/May/2015:10:05:06 +0000] "GET /reset.css HTTP/1.1" 200 1015 "http://www.semicomplete.com/projects/xdotool/" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0" • Log at the source (cloud) of the event 110.136.166.128 - - [17/May/2015:10:05:03 +0000] "GET /style2.css HTTP/1.1" 200 4877 "http://www.semicomplete.com/projects/xdotool/" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0" 110.136.166.128 - - [17/May/2015:10:05:41 +0000] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0" • Log accuracy is critical 110.136.166.128 - - [17/May/2015:10:05:32 +0000] "GET /images/jordan-80.png HTTP/1.1" 200 6146 "http://www.semicomplete.com/projects/xdotool/" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0" 123.125.71.35 - - [17/May/2015:10:05:46 +0000] "GET /blog/tags/release HTTP/1.1" 200 40693 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" • Audit Your AWS Logs Annually 110.136.166.128 - - [17/May/2015:10:05:08 +0000] "GET /images/web/2009/banner.png HTTP/1.1" 200 52315 "http://www.semicomplete.com/style2.css" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0" 50.150.204.184 - - [17/May/2015:10:05:46 +0000] "GET /images/googledotcom.png HTTP/1.1" 200 65748 "http://www.google.com/search?q=https//:google.com&source=lnms&tbm=isch&sa=X&ei=4- r8UvDrKZOgkQe7x4CICw&ved=0CAkQ_AUoAA&biw=320&bih=441" "Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; LG-MS770 Build/IMM76I) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30" 207.241.237.225 - - [17/May/2015:10:05:58 +0000] "GET /blog/tags/examples HTTP/1.0" 200 9208 "http://www.semicomplete.com/blog/tags/C" "Mozilla/5.0 (compatible; archive.org_bot +http://www.archive.org/details/archive.org_bot)" 200.49.190.101 - - [17/May/2015:10:05:36 +0000] "GET /reset.css HTTP/1.1" 200 1015 "-" "-" 200.49.190.100 - - [17/May/2015:10:05:38 +0000] "GET /blog/tags/web HTTP/1.1" 200 44019 "-" "QS304 Profile/MIDP-2.0 Configuration/CLDC-1.1" 200.49.190.101 - - [17/May/2015:10:05:11 +0000] "GET /style2.css HTTP/1.1" 200 4877 "-" "-" 200.49.190.101 - - [17/May/2015:10:05:37 +0000] "GET /images/jordan-80.png HTTP/1.1" 200 6146 "-" "QS304 Profile/MIDP-2.0 Configuration/CLDC-1.1" 66.249.73.185 - - [17/May/2015:10:05:00 +0000] "GET /reset.css HTTP/1.1" 200 1015 "-" "Mozilla/5.0 (compatible; Googlebot/2.1;© 2018 Cloud +http://www.google.com/bot.html)" Technology Partners, a Hewlett Packard Enterprise company / Confidential 15 Monitor AWS with appropriate native and third party compliance tooling.

• Catch accidental or malicious behavior • Alert appropriate parties or automatically take action. • Compliance checking should aim to be real- time • Automation is key • Logging is key Leverage Continuous Compliance

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 16 Moving workloads to cloud is an opportunity to start fresh:

Don’t bring a process to cloud: • If your deployment pipeline is insecure • If your Identity Provisioning is inconsistent • If your Change Management has mostly adhoc changes and few standard changes • If you make manual changes to environments

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 17 Boston Headquarters Contact 263 Summer Street 617.674.0874 Fourth Floor [email protected] Boston MA, 02210 www.Cloudtp.com

© 2018 Cloud Technology Partners, a Hewlett Packard Enterprise company / Confidential 18