cloudsolutionday 2016: compliance and cost controlling on aws
TRANSCRIPT
Page 2
What for today
A sharing from a Misfit insider on
Cost controlling
Compliance: PCI, ISO 27001, HIPAA
In a storytelling manner
Not a “how-to,” more of a “how it has been” (aka “how my life has been effed up”)
Page 3
Terms
“Cost” means “Cloud cost”
“ISO” means “ISO/IEC 27001”
Page 4
About Misfit ...
Since 2011, now part of Fossil Group family
Page 5
… and the speaker
Been a Misfit DevOps for ~3 years
Page 6
Cost Controlling (very short list)
Page 7
Learned Lessons
Separate AWS accounts for different environments
Tag your resources
By asking yourself, e.g.:
How much does this project cost?
How much does this team cost?
Who is handling this specific resource?
---> suggested tags
Page 8
Learned Lessons (cont.)
Simplify conversation with non-AWS folks, e.g.:
using an approximate, understandable unit cost: dollars per EC2-hour
EC2 cost last month: $1.3K
EC2 hours last month: 7K hours
Approx. EC2 unit cost: $1.3K / 7K hours = 0.19 $/hour
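The two lessons above (attributing spend through tags, and reporting an approximate dollars-per-EC2-hour figure) as an added example; this is not code from the talk. The billing line items are constructed and reproduce the slide's $1.3K / 7K hours figures; a real run would read them from the AWS Cost and Usage Report instead.

```python
"""Cost allocation by tag, plus the approximate $/EC2-hour unit cost.

Added example (not from the talk). LINE_ITEMS is constructed; in practice
the rows come from the Cost and Usage Report of each AWS account.
"""
from collections import defaultdict

# Constructed monthly billing line items, one per resource.
LINE_ITEMS = [
    {"id": "i-0aaa", "service": "EC2", "hours": 4000, "cost": 700.0,
     "tags": {"project": "proj-a", "team": "backend", "owner": "alice"}},
    {"id": "i-0bbb", "service": "EC2", "hours": 2000, "cost": 400.0,
     "tags": {"project": "proj-b", "team": "backend", "owner": "bob"}},
    {"id": "i-0ccc", "service": "EC2", "hours": 1000, "cost": 200.0,
     "tags": {"team": "data"}},                     # project/owner missing
    {"id": "db-01", "service": "RDS", "hours": 0, "cost": 350.0,
     "tags": {"project": "proj-a", "team": "backend", "owner": "alice"}},
]

UNTAGGED = "(untagged)"


def cost_by_tag(items, tag_key):
    """Monthly cost grouped by one tag value. Missing tags land in their
    own bucket so unattributed spend is visible rather than silently lost."""
    totals = defaultdict(float)
    for item in items:
        totals[item["tags"].get(tag_key, UNTAGGED)] += item["cost"]
    return {k: round(v, 2) for k, v in totals.items()}


def untagged_resources(items, required=("project", "team", "owner")):
    """Resource ids lacking any required tag: the list to chase before the
    next bill, since their cost cannot be answered per project/team/owner."""
    return [i["id"] for i in items
            if any(k not in i["tags"] for k in required)]


def ec2_unit_cost(items):
    """Approximate dollars per EC2-hour, the unit non-AWS folks understand."""
    ec2 = [i for i in items if i["service"] == "EC2"]
    hours = sum(i["hours"] for i in ec2)
    return round(sum(i["cost"] for i in ec2) / hours, 2) if hours else 0.0


if __name__ == "__main__":
    print("by project:", cost_by_tag(LINE_ITEMS, "project"))
    print("by team:   ", cost_by_tag(LINE_ITEMS, "team"))
    print("untagged:  ", untagged_resources(LINE_ITEMS))
    print("EC2 unit cost: $%.2f/hour" % ec2_unit_cost(LINE_ITEMS))
```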
Page 9
Learned Lessons (cont.)
Never underestimate 3rd parties for cost management / cloud governance
Spend $2K to save $10K, why not?
These vendors have their own ways of evaluating and will make guarantees
Page 10
Cost controlling? ‘Nuff said.
Page 11
Compliance
Page 12
Why compliance?
We have a secure environment, for the organization in general, and the development team specifically. We protect customer data by encrypting … ^%& $#$ % )(*&*&
Well …. Let’s see how it REALLY is ...
WHEN NON-COMPLIANT
YOU POTENTIAL CLIENT
Page 13
Why compliance?
We are PCI complia...
SHUT UP AND TAKE MY !!!
WHEN COMPLIANT
YOU POTENTIAL CLIENT
Page 14
Why compliance?
Protecting your business
Getting better business deals
Page 15
What is ... ISO/IEC 27001 (International Organization for Standardization / International Electrotechnical Commission 27001)
A management framework to protect business-critical information
Via a set of control areas
Information Security Policies
Organization of Information Security
Human Resource Security
Asset management
Access control
Cryptology
etc.
Page 16
What is ... PCI DSS (Payment Card Industry Data Security Standard)
A proprietary information security standard for organizations that handle branded credit cards (e.g., Visa, MasterCard, American Express, Discover, JCB)
The goal is
to increase controls around cardholder data to reduce credit card fraud
by ensuring that ALL companies that process, store or transmit credit card information maintain a secure environment
Page 17
What is ... HIPAA (Health Insurance Portability and Accountability Act)
The law to protect the confidentiality and security of healthcare information
Further background
for the United States
signed into law in 1996
Our understanding: Personally Identifiable Information (PII) & Protected Health Information (PHI) need to be protected
Page 18
ISO, PCI, HIPAA
Page 19
ISO Protects your business information
PCI Protects payment card data
HIPAA Protects health and personal data
Page 20
Common approach
1. Form up a compliance team (with/without a consultant)
2. Conduct gap assessment
3. Identify sub-projects and personnel
4. Implement
5. Maintain (documents, evidence needed)
6. Assess for compliance (by an independent qualified assessor)
Page 21
How we do
ISO, PCI, HIPAA
● Prioritize and work on the projects/items in common first
● Deal with the rest later
Examples:
● Server/software patching process (ISO & PCI)
● Data encryption (HIPAA & ISO)
Page 22
What we do
1. Form up a compliance team (with/without a consultant)
2. Conduct gap assessment
3. Identify sub-projects and personnel
4. Implement
5. Maintain (documents, evidence needed)
6. Assess for compliance (by an independent qualified assessor)
Page 23
What we do (#4. Implementation)
Build up UTM (Unified Threat Management) system
VPN
IDS/IPS (Intrusion Detection/Intrusion Prevention Systems)
Eliminate public IP addresses of EC2 instances
Perform access control for AWS environments, servers, databases, systems
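One way to verify the "eliminate public IP addresses of EC2 instances" item as a repeatable audit check, added here as an example (not the team's own tooling). The reservations are constructed in the shape boto3's `ec2.describe_instances()` returns, and the `PublicIpApproved` exemption tag is a hypothetical convention for the few instances, such as the UTM/VPN entry point, that legitimately keep a public address.

```python
"""Audit check: which EC2 instances still carry a public IP address?

Added example (not from the talk). RESERVATIONS is constructed to mirror
boto3 ec2.describe_instances(); a real run would page through that call
for every account and region. The exemption tag name is hypothetical.
"""

# Constructed describe_instances() output: two reservations, three instances.
RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0web1", "PublicIpAddress": "203.0.113.10",
         "PrivateIpAddress": "10.0.1.10",
         "Tags": [{"Key": "Name", "Value": "web-1"}]},
        {"InstanceId": "i-0app1", "PrivateIpAddress": "10.0.2.20",
         "Tags": [{"Key": "Name", "Value": "app-1"}]},
    ]},
    {"Instances": [
        {"InstanceId": "i-0vpn1", "PublicIpAddress": "203.0.113.5",
         "PrivateIpAddress": "10.0.0.5",
         "Tags": [{"Key": "Name", "Value": "utm-vpn"},
                  {"Key": "PublicIpApproved", "Value": "true"}]},
    ]},
]

APPROVAL_TAG = "PublicIpApproved"   # hypothetical, documented exemption


def tags_of(instance):
    """Flatten the Key/Value tag list into a dict (instances may have none)."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def public_ip_findings(reservations):
    """Return (instance id, name, public ip) for every instance exposing a
    public address without an explicit exemption tag. Exempted instances
    (e.g. the UTM/VPN gateway) are skipped but should be reviewed separately."""
    findings = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            ip = inst.get("PublicIpAddress")
            if not ip:
                continue
            tags = tags_of(inst)
            if tags.get(APPROVAL_TAG, "").lower() == "true":
                continue
            findings.append((inst["InstanceId"], tags.get("Name", ""), ip))
    return findings


if __name__ == "__main__":
    for iid, name, ip in public_ip_findings(RESERVATIONS):
        print(f"NON-COMPLIANT {iid} ({name}) has public IP {ip}")
```

Run it from a scheduled job and keep its output: a dated, empty findings list is exactly the kind of evidence the "Maintain" step later asks for.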
Page 24
What we do (#4, cont.)
Adopt coding standards (e.g., OWASP Top 10, OWASP Secure Coding Practices)
Conduct annual training for employees on the standards
Page 25
What we do (#4, cont.)
Collect and audit system logs
Vulnerability scanning/patching
Establish server/software patching process
Perform and keep track of vulnerability scans/pen tests
Remediate vulnerabilities found
Proactively patch our systems based on the security announcements
Page 26
What we do (#4, cont.)
Review and control access to source code
HR-workflow involved
Build up golden images for employees’ computers
The same for servers
How to deal with different requirements of departments?
Page 27
What we do (#4, cont.)
Offices’ IT infrastructure
Other non-cloud non-technical requirements
Door access controlling
HR, again
Paper shredders (wait, what?)
Page 28
What we confront
Page 29
What we confront
The amount of work itself, and the time to complete it, of course
---> Careful planning and incremental work needed
---> Review your progress and resources frequently
The awareness of other teams who really need to be involved
They simply don’t get what you are doing
They already have enough on their plate
---> Simple, repeated communication is the key
Page 30
Names, please?
Example consultants
Example assessors
Individuals?
Page 31
Thank you
Page 32
Q&A
Page 33
See ya!