Automate Compliance in the Well-Architected Framework
Vice President of Cloud One – Conformity
Transcript
Sameer Kumar Vasanthapuram [00:00]
Good morning everyone, and thank you for joining us on today’s webinar. Before we get started, a few housekeeping items. Today’s topic is best practices for automated compliance in the AWS Well-Architected Framework. When you joined today’s webinar you selected to join either by phone or by computer audio; if for any reason you would like to change that selection, use the audio pane in your control panel. From that control panel you also have the option to submit your questions to today’s presenters, whom I will introduce, and if for any reason we can’t get to your questions, we plan on responding to each of you through email. The deck itself will be available through SlideShare along with a recording of the webinar, so with that, let’s get started.
Sameer Kumar Vasanthapuram [01:10]
So what are we going to cover today? We’re going to cover a little bit of what security on AWS is, then move on and talk a little bit about Cloud One and Cloud One Conformity and how it works with AWS. We’ll dive a little deeper on the Well-Architected Framework, then go through all of the questions and answers at the end, and finish up with a bunch of next steps.
Sameer Kumar Vasanthapuram [01:36]
So I am joined by Aaron Ansari and Joe Henderson. I am Sameer Kumar Vasanthapuram, a Partner Solutions Architect at AWS; Aaron is a VP of Sales at Trend Micro and Joe Henderson is the General Manager of North America at Edrans. So let’s talk a little bit about security on AWS and what that is. Before we get there, let’s talk a little bit about why many organizations face challenges and why security has traditionally been so hard. It comes down to two different factors: one being the lack of visibility and the second being a lack of automation, and they sort of play into each other. Lack of visibility really means that in an on-premises environment it can be quite difficult to know what resources and data are out there at any given time, where they’re moving, who’s utilizing them, who’s accessing them. And to wrap your head around all of this you might be using multiple point solutions, each having its own silo of data, and you have complex tooling and processes to get an accurate assessment of things like real-time inventory and inventory data. Many organizations just don’t have this level of visibility, either because they’re not tying all of this data together or they might not be getting it in real time. Without visibility it’s challenging for these organizations to adequately secure their infrastructure and to meet their security and compliance requirements.
Sameer Kumar Vasanthapuram [03:19]
The second part of it, which is a low degree of automation, is another typical challenge that we see, where we’re trying to get rid of the manual processes that are employed to remediate issues. So, if you think about it, you’re probably copying and pasting information from one tool to another. You’re probably applying manual patches, and it’s always been difficult to automate key security tasks due to these issues. These can be varying things; it can also be that third-party or homegrown tools don’t work with each other and so require these manual processes to be in place. They also lead to inconsistent execution when you have to do these things manually, which means you are also addressing things at a later point in time, leading to a much later time to detection and a much later time to response; in most cases it also disrupts the customer experience. So really the goal of automation is to programmatically handle tasks that would otherwise have been done by IT staff. This is much easier in the cloud, as you’ll see, but this combination of a lack of visibility into customers’ own environments and the low degree of automation really compromises an organization’s ability to move quickly and effectively and secure their on-premises environment. So traditionally organizations have been forced into a trade-off: you can either choose to move quickly or you can choose to stay secure. And due to these overly manual processes, the infosec teams have been forced to slow things down to a human speed so they can ensure the security of their organization. However, today it’s possible to automate many of these basic security tasks, things like patching, with the right tooling, and gaining visibility into critical assets and data. All of these can be made easier with the cloud, so you can stay agile while maintaining, and in many cases actually improving, your security.
And by providing highly integrated logging and monitoring as well as integrated tools to automate core security functions, organizations can use AWS to innovate quickly and maintain their security posture. So when customers come on to AWS they are elevating their security when they move to the cloud.
Sameer Kumar Vasanthapuram [05:57]
So, security at AWS really is our top priority, and it starts with our core infrastructure, which is designed to meet some of the most stringent security requirements in the world. Our infrastructure is monitored 24×7 to ensure the confidentiality and integrity of our customers’ data. The same experts that monitor this infrastructure also build and maintain a broad selection of innovative security services which can help you maintain or improve your security posture. As an AWS customer you also inherit these best practices and all of the benefits and experience that we provide, all of which are tested against some of the strictest third-party assurance frameworks. This also allows you to transform the way you do business by automating and integrating with some of the security services that AWS provides, and in addition we have the largest network of security partners and solutions that extend the benefits of AWS, utilizing some of these services in technology that you might be familiar with, like Trend Micro. This is another benefit that you gain: by moving to AWS you also inherit some of the most comprehensive security and compliance controls.
Sameer Kumar Vasanthapuram [07:26]
To aid in your compliance efforts, AWS regularly achieves third-party validation for thousands of global compliance requirements that we continually monitor to help you maintain your security and compliance standards across segments; this could be finance, retail, healthcare, government and beyond. We support many security standards and certifications, some of them being PCI DSS, HIPAA, FedRAMP, SEC Rule 17a, FISMA, and others. You inherit the latest security controls operated by AWS, strengthening your own compliance and certification programs, while also receiving access to tools you can use to reduce the cost and time to run your own specific security assurance requirements.
Sameer Kumar Vasanthapuram [08:13]
So, with that said, when customers move to the cloud they often ask us what security in the cloud looks like and what their responsibility is. Security is a shared responsibility on AWS, and we delineate it by saying AWS is responsible for security of the cloud and customers are responsible for security in the cloud. What does that really mean? AWS is responsible for the security of everything from the physical security of our data centers where all of our services run, up to the hypervisor layer, and customers are responsible for the security of the applications that are built on top of it. A quick example: let’s assume you pick an Elastic Compute Cloud (EC2) instance and you want to run a workload on top of that. You might be responsible for everything from the security of the guest operating system, which includes things like patching, malware detection, antivirus, firewalling, and all of these different things combined together are what customers are required to do. So, this is where partners like Trend Micro can come in and help add that extra layer of protection and help customers secure their workloads on top of the already secure infrastructure that AWS provides. Now, once customers have understood that this is the responsibility they have for securing their infrastructure, they also want to understand how to make their workloads perform effectively in the cloud.
Sameer Kumar Vasanthapuram [09:57]
Now, we put together what we call the Well-Architected Framework, and the Well-Architected Framework has been developed by cloud architects to build secure, high-performing and resilient applications. It’s based on five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. So, what do each of these mean? Let’s talk a little bit about operational excellence, or operations. Operations really concentrates on whether you’re running and monitoring systems to deliver business value and continually improving those processes and procedures; you might want to think about how you’re automating changes, how you’re responding to events, and making sure that it’s done in an efficient manner. Security really focuses on how you protect both your information and the systems that use it, and this could include how you maintain the confidentiality and integrity of data; identifying and managing who can do what with that data; protecting systems and establishing controls; tools to establish that the application or workload that you’re running has the least level of privilege; and controls for each person that needs access to it.
Sameer Kumar Vasanthapuram [11:30]
We also talk a lot about reliability, and this pillar really focuses on the ability to prevent and recover from failures so you can meet the business and customer demand that you’re getting. We generally talk a little bit about how to set up and plan for disasters and recovery planning, and how we handle those changes when the time comes.
Sameer Kumar Vasanthapuram [11:56]
We then move on and talk about how to be efficient and performant on AWS, and we focus on selecting the right resource types based on the applications that you run, how you monitor for performance, and how you make informed decisions once you realize that something needs to be changed. And finally cost optimization, where customers understand how and where the money is being spent and select, again based on the other pillars, whether you’re being efficient with the right resource types. It’s analyzing spend over time, and it’s really using the scalability of the cloud to meet business needs without overspending.
Sameer Kumar Vasanthapuram [12:48]
So today we’re going to talk a little bit about Trend, who has been an APN security partner and has been working with us on multiple service integrations and launches. They’re also part of AWS Managed Services, they’re part of the Seller Advisory Board for Marketplace, and they have been a leading security partner for many AWS customers. So we’re happy to have them, and I’m going to pass it off to Aaron, who is going to talk a little bit about Cloud One Conformity.
Aaron Ansari [13:29]
Thanks, Sameer, appreciate it, and thanks for the great introduction and that wonderful overview of the Well-Architected Framework as well as the partnership that AWS and Trend have together; we certainly appreciate it, and we’re certainly looking forward to this discussion as we introduce Edrans as well. So let’s talk about Cloud One Conformity. Notice that there are a couple of components to that: there’s Cloud One, and then the Conformity piece of it. Cloud One Conformity was a 2019 AWS Technology Partner of the Year in the security competency as well as the cloud competency. It’s an organization that began in about 2016 and quickly grew both in size and, I’ll say, impact in the AWS and cloud security posture management space. The reason I say that is because the number of customers and the adoption of the technology grew, but one of the ways that we grew, and the reason that I think we grew so successfully, was because we’re very community focused. We believe what is now deemed cloud posture management to be a community problem, and we actually give away some of our secret sauce to the community via our knowledge base as well as a couple of GitHub projects. So, from the beginning, it came out of the gate, or came out of incubation, with a very community-minded and very AWS-technology-focused platform, and it served us well, obviously, by winning Technology Partner of the Year, by becoming a part of Trend Micro, and by the accolades that are laid upon us by our customers. And why not? So I guess all that is to say that we have a reason to be up here talking to you about what we’re talking about.
Aaron Ansari [15:18]
As I mentioned at the beginning, Cloud One Conformity, or Conformity, is a piece of an overall cloud platform that’s provided by Trend. As Sameer mentioned, Trend is a premier and multi-level partner with AWS, and so we have a large smattering of offerings; the most germane and biggest would be our Cloud One platform. This platform extends across many different components of your cloud and is meant to be kind of your one-stop shop for your AWS and multi-cloud service needs, as it goes from everything from container to file to network. Today we’re going to talk about the configuration piece, or the cloud posture management piece, which is known as Conformity. Sameer shared the shared responsibility model at the beginning, and I have a slide on this as well, so I’m going to speak to a slightly different point about it, but as Sameer shared, there is a large burden that is put upon the customer for adoption and usage of AWS. It’s not an unfair burden, but it’s a burden which is very well laid out via what Sameer just mentioned, the Well-Architected Framework. So while there is an onus on you for all that extends all the way up to the hypervisor layer of the application that you’re building, there’s a great methodology and taxonomy to utilize to get that onus and burden done correctly: to get it done in a secure and compliant manner and to get it done in the best-practice ways that AWS recommends. I mean, you’re dealing with the king, or the biggest cloud provider, that has seen billions of implementations; you’d be best to listen to what they have to say as it relates to the Well-Architected Framework. And so when you’re going through and you’re developing and you’re building out your entire infrastructure, you’ve got infrastructure as code and you’ve got development teams and you’ve got shadow IT and you’ve got business units that are all across your organization from Dubai to London.
And the visibility and the standardization that needs to come with the dynamic nature of your releases to AWS isn’t there, right? So what ends up happening is that you have issues with containers, you have issues with your application, you have issues with the repository or the usage of the code, and so what you get is this need, this necessity, to understand all of the components that are part of the application that you build, and the need for the visibility to have access to what is being put out there in your name in the AWS cloud.
Aaron Ansari [18:09]
And so as we’ve gone through and done this, more and more organizations are migrating to AWS and more and more organizations are using the exploding set of AWS services that are being offered, and with that come the PEBKAC issues, right: the problem exists between keyboard and chair. It’s the configuration and the human element that causes, as I said on my last slide, the breaches, just because of the issues that are part of the build or the environment that’s being put out into AWS. And so you have breaches, you have organizational misalignments, and again you have that lack of visibility as to what’s actually happening in your AWS footprint and environment. And more and more, re:Invent comes, and more and more services are released, and AI and machine learning and all sorts of new things are announced, and your organization wants to adopt these quickly, right? You want to be DevOps, you want to be agile, you want to be pushing and promoting code as much as possible. And so what happens is this large, complex set of wonderfully available services that are being produced meets the possible skills gap that exists at your organization, and then the lack of visibility and the lack of alignment that comes with it. And so when all of that is put on you, you don’t have the expertise, you don’t have the visibility, you don’t have the capacity to do the things that you’re required to do. You need help, and that’s where Cloud One, that’s where Conformity, that’s where Edrans comes in. We’re able to take that burden off of you, or at least alleviate that burden, and work with you to make it manageable, to make it secure, to make it compliant, and to do the work and to fill that skills gap that’s needed.
Aaron Ansari [20:05]
To be part of and hold up your responsibility that is part of the AWS shared responsibility model, as Sameer already said, you need to align to the Well-Architected Framework. Well, the Cloud One Conformity platform is built off of the Well-Architected Framework, so each of the components that are built into Cloud One Conformity aligns directly to one of the five pillars, if not all five pillars. An example would be tagging. Tagging is a best practice that extends across all five pillars; we have many, many components and rules and pieces that adhere to the tagging best practice and allow you to ensure that you’re being compliant with that particular component. Moreover, we get very deep into the security piece, so if you actually go out to our knowledge base, which is that community-facing portal that is available to you from Trend, from trend.com, from cloudconformity.com, you can go out there and get AWS instructional steps on how to properly configure and align your AWS environment to make it best practice, to make it best of breed, and to align it to the Well-Architected Framework. So you can go out there right now, open up another tab, and look at how to properly configure S3 buckets. Go out and look at how to do RDS correctly, go out and look at how to do EC2 compute. All these popular services that are used billions of times a week: you can get the proper steps and configuration pieces for free, with no dollars needed to be exchanged, as part of the offering that’s out there. But the beauty of the application is that we take all of those, we combine them into an application, we combine them into an auto-remediation piece, we combine them into a software package that will actually give you the ability to correct, the ability to detect, and the ability to respond to the configuration issues.
Aaron Ansari [22:00]
If you’re just using our knowledge base you’re kind of doing it manually, and you’re doing it check by check. If you’re using our application, well, you’ve got everything that I talked about. That’s taking care of the shared responsibility model, and then when you use the expertise of resources and certified experts such as Edrans, you’re totally best of breed, and you’re building out your environment with all the right pieces in place at the foundation. And so Conformity by itself, in addition to the features and components here, does, just like AWS, align to the various frameworks and policies that you’re required to follow, or that are the best practices, that go perhaps a step deeper than just the AWS Well-Architected Framework, although we all know that’s a great, great foundation to build upon. So regardless of where you are, and I’d like to spend a little bit of time on this slide because it speaks well to the journey that we’re seeing across our tens of thousands of customers and the partners with whom we work, the odds are you’re not just in one particular, I’ll say, silo here; I know silo is a negative word, but you know what I’m talking about. What we tend to see is that organizations are in multiple states, meaning there might be some business units that are cloud first or cloud native and other components of the business that are cloud curious. So if you’re a financial services entity, your mainframe team and some of your development teams that are tied to legacy applications might be cloud curious, versus your marketing team and your mobile app team, which might be cloud first or even cloud native. Regardless of where you are in your cloud journey, and you are on a cloud journey, I mean you’re here with AWS, or you’re utilizing AWS, because you’re moving or migrating into the cloud, and you might operate 80/20 in the cloud, or 100 in the cloud, or 90/10.
Aaron Ansari [23:58]
But regardless of where you are, you need that visibility, because the dynamic nature of the environment that you’re building in tends to be so chaotic. And so, if I can say this, you tend to have such a lack of visibility: you’ve got this complex process with lots of different teams that are submitting builds and building applications and upgrading pieces within a pipeline, and there are a lot of places where you need to have visibility. And so what Conformity does very, very well is give you the plug-ins, or, I’ll say, the inputs from a pipeline standpoint, to go through and see and understand what’s happening at each major stage of the build. And, oh by the way, we also integrate with the ticketing systems that you use, because the trick to all of this is to speak with the development mindset and mentality. There’s a golden path to release every application, and what you don’t want to be is in the way of that golden path, right? You don’t want to break the build and you don’t want to get in the way of the release of the application. And so when you’re trying to introduce security and compliance, you can’t introduce it in a way that breaks that; you have to introduce it in a way that the developers embrace as part of the way in which they develop. So we actually plug in and encourage you to introduce security fixes and remediation steps as bugs, and have those tracked via the build coordinator. When you do that, you have bugs that are squashed, builds that are promoted, and, oh yeah, it happened to be something that was tied to maybe an S3 bucket encryption or a best-practice tagging policy, but it was just a bug: I just developed, I just did the steps that were outlined in the fix, and I just kept developing. When you do things that way, you truly make it so that you are part of that.
And then the next thing that you do is you take that and you start to automate it, right? You start to use Macie, you’re using Config, you’re using guardrails, you’re using all the best practices that come from the services that are part of AWS. And then you plus those with the usage of Conformity, and then you have the services team that comes in from Edrans that does a great job of building on top of, and layering, sort of that defense-in-depth strategy that helps you build and helps you maintain a consistent and securely developed application life cycle.
Aaron Ansari [26:23]
Regardless of how many releases you do a day, a week, a month, a year, you’re just constantly integrating and weaving the compliance and the security and the best-practices alignment to the Well-Architected Framework into the build process, and that’s huge. It’s not mythical; it’s something that we help our customers do and deal with every day, and it’s truly something that we can do. So if you’re playing along and kind of looking at your buzzword bingo sheet, you might be looking for things like shift left, DevOps, CI/CD pipeline, all those sorts of things, and we certainly integrate into those pipelines, with template scanning and the infrastructure-as-code alignment that we can do. We can certainly help you shift left and get in earlier in your build process. But what I want to leave you with, or what I want you to take away from this, is the ability for the software to augment the processes that you’re developing and leveraging. And then when you bring in the experts, like I mentioned before, when you bring in people that have gone and seen this hundreds and hundreds if not thousands of times, seen the way the different development practices happen, seen the best practices and the worst practices, conducted audits, seen the good side and the bad side of things, that’s when you really get to the point where you have taken your build process and made it the most mature and the most effective process. So what Edrans does is come in and power the assessments that they’re going to do with Conformity, and Joe’s going to talk about this. And here you see a dashboard of Conformity that’s looking at my AWS environment and my accounts and telling me how I align to the various pillars of the Well-Architected Framework, and giving me the ability, obviously you’d be able to double-click on this, to remediate and respond to these.
But the point is you have that instant, real-time, available assessment that’s done as part of the work that happens with Edrans. So what we want you to do, from a development practice, is weave this into the life cycle in which your projects and your AWS environment are being built, have that central visibility that’s tied and aligned to the Well-Architected Framework, and make it and build it so that that remediation component comes in and becomes part of the way in which you build your applications. I’m going to pass this over to Joe Henderson. Joe is a good friend of mine, a great person, and also a very talented professional, and he’s going to go over what Edrans is doing with AWS and Trend Micro’s Cloud One Conformity.
Joe Henderson [29:00]
Awesome. Thank you, Aaron, for the great segue. Thanks, Sameer, for kicking things off. And also thank you, everyone, for joining. So, my name is Joe Henderson, I’m the GM of Edrans, and I’ll be talking about how some of our customers have used the Well-Architected Framework as well as Trend Micro’s Conformity tools to get better at their cloud security posture management. A little bit of background about myself; hopefully this is relevant. Prior to Edrans, I spent the last nine years as a Partner Manager for a DevOps automation company and then a cloud optimization company. So my job was to recruit and manage partners, from traditional resellers to giant systems integrators to small boutique born-in-the-cloud consultancies, and during this time DevOps was becoming mainstream and cloud was rapidly taking over the world. Along with the shift in technology, there was also a shift in the type of partners that were emerging as the leaders in the cloud, and it was these small boutique born-in-the-cloud consultancies that were standing out and delivering just amazing results for their customers. Some of them have now grown to be the most influential cloud companies today. So, in spending a lot of time with these types of partners, one of the common themes that emerged was that they focus solely on their cloud services, and they just don’t care about reselling products or other things like that. However, they did have a small toolkit of their favorite software tools that they used to power their services on top of AWS, and they only recommended the use of these tools when it was truly a good fit and it had a real benefit for the customer’s business.
So during that time I came across Edrans, who was one of those fast-growing born-in-the-cloud boutique consultancies, and they were using the tool Conformity as one of their favorite recommended tools to power their cloud services, from assessments to migration to optimization services. I was lucky enough last summer to join Edrans, and now I manage our customer and partner relationships as the general manager. A little bit about the company: we are a premier-level AWS consultancy that has been around for a little over 10 years. We have offices where I’m here today in Portland, Oregon, and other offices in Buenos Aires, Argentina; Barcelona, Spain; and London, England.
Joe Henderson [31:09]
So the services that we provide fall into three buckets. The first is adoption, which is ultimately the strategy and the planning and the ultimate migration to AWS. Second is optimization: Well-Architected reviews, cloud cost optimization, and cloud security and compliance, which is what we’re going to dig into today. Third is innovation, where we help customers build new applications using serverless technologies; we leverage machine learning and AI services and even help customers develop IoT products with them. So before the Well-Architected Framework became a thing, Edrans in the early days had been doing holistic reviews and assessments for customers, and that was a lot of manual work. Then, luckily, in 2015, AWS officially formalized and launched the framework. By definition, the Well-Architected Framework is a consistent set of design principles and best practices for customers and partners to evaluate architectures. Why is this so important? Because you can score and you can measure it. A famous quote from Peter Drucker: you can’t manage what you can’t measure. So when we engage with our customers, there’s typically a theme or problem we’re trying to solve, and that theme or problem typically sits within one, maybe two, pillars of the Well-Architected Framework. What is super important to understand is that each pillar of the Well-Architected Framework, as we learned from Aaron and from Sameer, is fully dependent on the others, from performance to cost to security. So before we tackle any problem, we always first get a full view of where a customer’s cloud measures against that framework. Now, as you probably know, one of the main themes or problems or pillars that we see with our customers, and for sure the one that contributes the most anxiety, is cloud security.
Joe Henderson [32:56]
So we’ve worked with customers, you know, being a global company work with customers all around the world, ranging from series A start-ups to rocket ship, pre IPO companies, to large global enterprises. And within those companies, we work with folks like head of product, or director of security or VP of cloud operations, or committees of cloud centers of excellence, or simply just cloud architects on the team. And so we found that regardless of the profiles of the customer regardless the profile of the person, all these people face, very common challenges when it comes to cloud security. Now, ultimately, in their story, the hero is also the villain, which is they’re rapidly expanding the cloud, and then the potential security threats that exist within it. But usually people we work with were originally a part of making that decision to migrate to the cloud. So they’ve sold the dream of the cloud, the leadership that’s going to be faster, better tech, less expensive, it’s more secure. And so, you know, reminds me of another quote from Peter’s Uncle in Spider Man “With great power comes great responsibility”. So on top of all that, they are just we see that they’re just, they’re under so much pressure, so they have internal pressures, and just always push and push and move faster. So whether it be a sales department pushing them to get a feature released for a customer that they promised to without asking, I may be guilty of that one. Or their key engineers that was wearing too many hats, just resigned or just simply getting the release out the door, and all why trying to manage their potential security compliance risk. So then they feel like external pressures. So these are just general market pressures, maybe a competitor gaining traction on them. And then maybe a random global pandemic, we’ll put the world on hold for a few months. 
And then when we spend time with these customers and do not talk about technology, just talk about the overall subject, sort of off the record, what it comes down to is that they got into IT to build cool stuff. They got into IT to create new technology that makes an impact. And then they're asking themselves, why am I spending my time always reacting and playing whack-a-mole with security and compliance issues? Or why am I worrying that my company is going to be in the paper the next day for a data breach? So all these pressures and all these sorts of worries, we sort of define them in what you're seeing here. So here are more bulleted points really getting to those specific areas: they have little or no visibility in the cloud, they have a shortage of cloud engineers with a specific security and compliance background, they are moving at an uncomfortable but necessary pace, security and compliance was likely an afterthought in the past, they have current or prospective customers with strict requirements, and maybe they haven't been successful in making that cultural engineering shift to de-silo their teams. Also, we find a lot that they just don't have a large group of AWS experts in house. Finally, especially in this time, massive budget cuts are happening across all departments. And so what we kind of have here is, you know, these companies come to us as their guide, they come to us for help through these problems that we just discussed. In our past experience, we've likely seen a version of their story before, and we have a methodology that, you know, helps assess and improve things. So this guidance comes in the form of a plan, what we call the well-architected security assessment.
So this assessment is a service that's powered by Conformity, which we learned all about from Aaron, and these assessments, or exercises, give customers full visibility into their cloud infrastructure across the five pillars of the Well-Architected Framework, with a deep focus on security and compliance. So after things are visible, we're able to perform a gap analysis on potential security risks and specific failures based on the applicable compliance standards, whether it be SOC 2, HIPAA, PCI or others. And ultimately, we then deliver a remediation roadmap, which gives a clear path of prioritized, actionable tasks to improve their cloud security posture efficiently.
Joe Henderson [36:57]
So, how these work. First, I'll give a quick analogy. Everyone's been to the doctor. Whether it's for a checkup, a sickness or, you know, an ailment, you sit down in the doctor's office and get some questions: how do you feel, what's your diet like, how many drinks do you have per week, how stressful is your job, how often do you exercise? And you answer, you know, to the best of your knowledge, but in reality you might embellish on one of those questions, you might leave out some things on another question. Then the doctor wants to take a look a bit deeper: you might get your blood pressure taken, you might get some blood work done, you might even get hooked up to a couple of machines. And then after that, the doctor has the full diagnosis of how they feel about your health, and they can give you recommendations for that. Maybe, you know, drink a little less, maybe try out yoga, maybe they'll write you a prescription for some medicine. So maybe you take their advice. Maybe you don't. Maybe you take their advice temporarily and go back to your own behavior. Or maybe you didn't like your diagnosis, you got super motivated, and you hired a personal trainer, maybe you started a ketogenic diet, maybe you started wearing a fitness tracker to track all your movements.
Joe Henderson [38:00]
So these well-architected security assessments are very similar. We sit down with the stakeholders and ask them questions, first around the five pillars of the Well-Architected Framework. Example questions are, you know: how do you design a workload so that you can understand its state? How do you plan for disaster recovery? How do you monitor your resources to ensure that they are performing as expected? How do you meet cost targets when you select resource types? Then we dig in and do a deep dive on security and compliance, and ask them questions like: how are you managing credentials and authentication? How are you controlling human access? How do you defend against emerging security threats? How do you protect your data in transit? How do you respond to an incident? And so, usually while we're having those conversations, we spend some time with the customer to actually install Conformity on all, or a select group, of their AWS accounts. In just a couple of hours, we have their real cloud data that's been matched against the Well-Architected Framework, as well as the security protocols and compliance standards that are relevant to them. We then take that conversational data and analyze it against the data we get from Conformity, and then we're able to start building a report that gives them that visibility, those security gaps and those recommendations. So here's an example of one of the output reports on the Well-Architected Framework, from the data that we took from Conformity and just made visible to the customer. So if we look at cost, you know, this team makes great cost decisions, but maybe they're not transitioning to the latest server generations. Go to operational excellence: they've adopted infrastructure as code, but maybe they don't centralize deployment pipelines in a single solution.
So we take all these challenges and issues, and then we actually put them on a graph and a list where we can show where those exist in terms of importance and estimated complexity, and also from high priority down to housekeeping items. So these are all very tactical approaches on how to actually improve the first part, which is their well-architected, their overall cloud score. Then we take that same methodology and do the security deep dive with them. We've broken this down here; obviously, there's a much deeper version per customer. So from network and compute protection to data protection to incident response to threat detection to credential access, you know, all those things, we take those and again we put them on a graph based on importance and estimated complexity, and then they have a playbook, or some guidance, on how they can actually remediate these things in a short amount of time.
Joe Henderson [40:51]
So I want to take some time now, before we wrap up, to talk about a specific customer. We recently worked with a well-funded healthcare start-up. They were building, and still are building, an awesome product, and they were racing to get it into production and sell it to a few potential customers. Now, they had rapidly developed this product on AWS with pretty much no guardrails. They had some upcoming HIPAA compliance audits and other security audits driven by these potential new customers. And so what we found is that the team was just not confident in their current security posture, and they had no one on engineering who had specific security or healthcare compliance experience in the past. And then everybody was just kind of wearing too many hats, so they just had no bandwidth to handle this efficiently. So we spent some time with the customer and engaged them on an assessment, which showed them that the account they were building on did not have the best scores across the framework and, more importantly, that they had close to 300 out of 500 compliance failures that were tracked in Conformity. So we presented our findings and a remediation roadmap, and it was clear that the customer did not have the resources to fix these issues quickly by themselves. So we ended up engaging with them. We had one of our cloud engineers work closely with their team, and also basically live in the Conformity tool, to quickly tackle their compliance failures, and then closely monitor each pillar of the Well-Architected Framework the whole time. So in a short amount of time, we were able to improve their security and compliance score from the mid 70s to the high 90s, as well as leave them with a high-performing cloud across all pillars. So what you're seeing here are those scores as measurements, and also a histogram below of where they started and where they got to.
So they have the confidence to bring on these customers, they have the confidence to scale this business, and there aren't going to be any potential pitfalls. Now, one of the most important parts is not just doing this assessment, not just, you know, getting this health score, but also then setting their operations up for the future, so they don't have to do these types of assessments, you know, every week. They can set up Conformity to be fully operational, to automate some of these security issues, and to send alerts to Slack, to email, however they want to set it up. And then they're ultimately set up for continuous governance, not only on the cloud, on security and compliance, but also on the Well-Architected Framework. So they know that their cloud is always secure and always running at the optimal level. So here are just some bullet points of, in general, what success looks like for customers that go through this process and start kind of building for the future: they have assessment data across the five pillars; they not only understand security threats but know how they actually impact the business, which is super important and people sometimes forget about it; they also gain knowledge of those specific compliance standards that they might not have had before, and they can now operate a little bit more responsibly; and then, obviously, as I just mentioned, operations are set up for automated, continuous cloud security and compliance. And then there's their ability to thoughtfully forecast and plan beyond quarters, because, as everybody on here knows, things come up, things get distracted, you know, timelines get altered.
And so at least this gives them some power to understand what they're up against, and plans for the rest of the year for how they're going to attack, you know, whatever security and compliance issues so they can continue to build at a rapid pace. And then, obviously, they have access to AWS Premier-level services, which is us.
Joe Henderson [44:23]
So going back to, you know, the health analogy: Edrans kind of serves as that personal trainer who put the customers through that boot camp, and Conformity, at this point, serves as that continuous fitness tracker for them. Now, not all customers go through this process, this assessment. Some customers that do treat it as a one-time exercise, and then they'll go back to normal after a couple of months. And more times than not, those types of customers we will see again at some point, or they will ask for help. So it's definitely a recommended process, the quick win to kind of get things under control. We do these assessments quite often with our customers as a joint venture between Edrans, Trend Micro and the AWS Marketplace. We'd like to make this offering as easily accessible to customers as possible, so if they do want to get hold of, test out or buy the Conformity tool, as well as our services on top of that, we'll make it very easy: we have a bundle that we can provide via the Marketplace. So I'm going to wrap up here, and we're going to kick it back to, I believe, Sameer, and we're going to take some questions.
Sameer Kumar Vasanthapuram [45:30]
Thank you, Aaron and Joe. We do have a few questions, so I'm going to go through a bunch of these as time permits. Let's take the first question, which sounds like: why does the client have to take care of a network issue if everything is on the Amazon network? So I think the question is around network configurations or firewall configurations. Obviously, AWS protects our infrastructure and the services that run on it. Customers, when they deploy applications, use things like security groups to dictate what traffic enters and egresses from their applications. So making sure that you are configuring that particular set of security group rules is important, to make sure that your application is only receiving intended traffic, not only from the outside world, but also, as you build microservices, you want to make sure that you're using the controls that are provided both at a network level and from an identity and access management standpoint, to make sure that you allow traffic from intended and authorized users. So it's not just network-level things that we're talking about. We're also talking about how you would set up your application to give access to both users and maybe a microservice within that environment. Then I'm going to ask the next question, which I believe is for you, Aaron: can you help explain what the self-healing and DevOps integration looks like with your security solution?
Aaron Ansari [47:13]
Sure, absolutely. So what we end up doing is we have a set of Lambda functions that are tied into the AWS environment and trigger off any of the events that the Cloud One Conformity platform alerts on, which you configure. So if something's very high or extreme and is a finding that you need to remediate or correct, such as, you know, I keep using the example, but maybe you've got an unencrypted S3 bucket that's put out there and you need to correct that, you can use our auto-remediation component, which is a set of Lambda functions, to correct that and reset the environment, or correct the drift that occurred from the standard path.
Sameer Kumar Vasanthapuram [48:06]
Awesome. Moving on to the next one. I guess, again, going back to you, Aaron. Customers obviously have workloads deployed across multiple environments. How does Cloud Conformity help maintain both the security posture and some of the other things that we talked about today?
Aaron Ansari [48:28]
Yeah, so whether you're dealing with a production, non-production, staging or even a sandbox or, you know, scratchpad environment, Conformity's monitoring is built to be immediate, in real time. So we're actually looking at log data, metadata, event bus data, you know, kind of CloudTrail logs, and anytime a change is introduced in that environment, as long as you're monitoring that environment, right, as long as we've connected that account, we're able to go through and give you information on what that account is doing as it relates to the checks that we're performing. And so once you integrate this, you know, let's be blunt, AWS accounts are like they come from a vending machine, right? Someone goes and puts in their coin, and they get five or six accounts, and they're able to do their building. Once you tie this into your account pipeline, you truly weave this in to the point where you're doing the monitoring across all platforms; we wanted to do that sort of shift left. So if you tie this into the account creation templates, or, you know, the infrastructure as code, or the software-defined infrastructure and environment that you're doing, you get complete visibility across every environment.
Sameer Kumar Vasanthapuram [49:45]
Well, thank you. And probably going a little bit into the Well-Architected Framework security tool itself: is it available for AWS customers to use, was the question. I think there's a Well-Architected Tool that AWS provides, and customers are obviously able to use that. But in addition, you're able to use partner tools like Cloud Conformity to help address both security-related questions as well as some of the other pillars that we talked about. The next question that we're getting is: how does Security Hub help with PCI? So Security Hub is actually a service that AWS provides that customers can use to get a centralized dashboard of all the security events that have taken place within your environment. Within Security Hub itself, we do have a bunch of checks that we run for multiple standards, CIS being one of them. We did add PCI as well. I would also make sure that, in addition to looking at what Security Hub provides, you potentially look at what other specific questions your PCI auditor might ask you, right? We might not be able to cover every specific scenario that a specific application with PCI compliance requirements will have to adhere to. So I would always also go back and understand from the auditor what sort of compliance requirements you have, to help make sure that you are able to comply with that specific requirement. Maybe we can move this one to Joe. Joe, with new services announced every day, you know, we see that customers might not be doing this assessment just once; it's not a once-and-done thing, right? In your experience, what is the recommendation that you're providing to your customers, and how often do you feel they should be running an assessment and planning for re-architecting or optimizing their environment?
Joe Henderson [52:36]
Yes, great question. So with the Conformity tool, once you take it for a spin, you'll see very clearly that, just like they've got some specific security and compliance protocols where you can click and it'll start running based on those, there is actually a well-architected tool in there. So typically what we find is the customers will engage with these types of assessments, where we're doing this sort of deep-dive assessment, which is the interviews and questions, and then we match it with the data. Once that's done, that's sort of the deep dive, the heavy lifting. And then they can actually set up a sort of automated view of where they fit on the Well-Architected Framework. So we have some customers that do sort of just a weekly review, see where it's changed over the week, and measure it against where it was last week on all five pillars and check out what may have changed, or why did this dip, why did this go up. And then we have some customers that do it every month. And then we typically recommend that, at the very least, you do a deeper dive, whether it's with a partner or just internally, at least once every six months. But with the tool you really can automate it, or you can look in there all the time.
Sameer Kumar Vasanthapuram [53:45]
Awesome. Going back to you, Aaron. Do you find that Cloud Conformity, as a tool, helps accelerate the well-architected review?
Aaron Ansari [54:00]
Very much. I mean, as I mentioned, it's built off of that. And so when you leverage Conformity to give you insight into what's happening with relation to your alignment to the Well-Architected Framework, it's done in seconds or minutes, and it's consistent. And so when you're constantly monitoring your environment, and constantly monitoring your environments for, I guess adherence is the word I'm looking for, adherence to the Well-Architected Framework, you're very much in the right spot, and you're doing it, you know, in an automated way. And then when you use people like Edrans to come help you do the remediation, you're just firing on all cylinders.
Sameer Kumar Vasanthapuram [54:51]
All right, perfect. For Joe, this one is: how much does the cost of a security architecture definition, implementation and operation of a serverless and container environment with Edrans look like? I think I want to rephrase this a little bit. I guess, is there a bit of a difference between how you guys evaluate serverless and container-based workloads, Joe, versus, let's say, a standard monolith that's running on, let's say, a standard instance?
Joe Henderson [55:29]
Yeah, it's a bit different. So these assessments, you know, they don't really cost anything other than the tools we use and, you know, our services. And then during those remediation processes, that's where we identify sort of where to attack first and where to attack next. It's really based on the time it takes to fix those issues, so it can really vary. So I don't have an exact number for that at this point.
Sameer Kumar Vasanthapuram [55:55]
And going back to Aaron: any product features you can highlight, or talk about, with regard to FedRAMP level four compliance?
Aaron Ansari [56:10]
Yeah, actually, Cloud One as a platform is moving towards FedRAMP and GovCloud compliance. We're not there yet, and I don't want you to think that I can come here and say, yeah, we've got it in the bag. But we are moving towards that as a platform, and Conformity is moving toward those as a piece of this. I can't specifically speak to, you know, dates and timelines and those sorts of things, but our customers have been asking for it, as well as our federal and SLED prospects. So it's definitely something we have in mind and that we are moving towards.
Sameer Kumar Vasanthapuram [56:49]
Alright, thank you. And one other question for you, Aaron. Maybe talk a little bit about how you guys work with the Well-Architected Tool, as well as how your feature set differs from what the tool does.
Aaron Ansari [57:09]
Sure. So the Well-Architected Tool is a fantastic first step, but what happens with the Conformity component that aligns to the framework is that it just goes n levels deeper. While the Well-Architected Tool consumes the findings of Config and GuardDuty and those features and builds off of the alignment there, there's a much deeper and much richer set of data that we look at with the Conformity piece to do the scanning, and you can see those in our knowledge base, which, again, is completely free. So you can see just how deep we go. So not only do we have components that align with and build off of the Well-Architected Tool, but the depth to which we go into, you know, operational excellence and security and the other pillars is exponential. So it's really quite augmentative, and it builds on and aligns back to the actual questions that are part of the well-architected review. We want to make certain that we're encompassing every element of a question that's asked, whether it's operational or security-based. So you'll see within the solution set that it really goes very, very deep.
Sameer Kumar Vasanthapuram [58:25]
Awesome, thank you very much. So with that said, we're reaching the top of the hour here. I appreciate Joe and Aaron joining us for today's webinar. In terms of next steps, we have a bunch of links where you can learn more about AWS security solutions and partner solutions. You can learn about what Trend Micro does with AWS, as well as what Edrans is working on with Trend Micro and AWS. Again, thank you everyone for your time, and I appreciate you, Aaron and Joe, joining us today.