How To

Zero to enterprise, your first 100 automations for compliance, security and operations.

Watch Turbot's re:Invent talk on how to rapidly enable security, compliance and operations.

Turbot Team
5 min. read - Nov 30, 2017

Disclaimer: Automated Transcript

Good afternoon everyone, and thank you for joining us. Our next presenter is with Turbot and his name is Nathan Wallace. Please give him a warm welcome.

All right, thanks to everyone for coming. We're going to do a 15-minute session here on how to think about automated compliance in your cloud. I work at Turbot and we do this every day: we work with large enterprises, pharmaceutical companies, financial organizations, trying to help them get to a place where they can really automate their cloud, so their teams have massive amounts of agility while they have the controls they need sitting underneath them. So before we get into 100 different things, it's actually really important to think about how you're going to tackle your automation. What is the architecture you're putting underneath that? What's almost your philosophy of cloud? So at Turbot we believe it's really important to think about a few things as you go through that journey. The first of which is that you've absolutely got to choose to ride this rocket that is AWS and the other things in this environment, right? You can't compete with these. You can't build services next to them, in front of them. You can't abstract them. If you do, you will be too slow and you will lose the battle. You've got to work out how to turn their speed to your advantage. Now, as you're doing that, you really want to have your apps given that agility, that speed, that access to the Amazon console, that ability to use those different services, and to really make that safe we have to isolate these workloads. We used to do this when we had physical servers.

We had people sharing them, then we decided VMs were a good idea: let's separate them into virtual machines, and gradually we got to containers and other things. At Turbot we believe that the physical data center was like the physical server, and now we're going to this idea of all these virtual data centers, separating out all these workloads into their own isolated environments. When you pull that off, particularly in a heavily regulated environment, the amazing thing is that you actually unlock change management. The application has all the power now; it manages its own infrastructure, and as we move that management of the infrastructure up to the app, we actually can move all the infrastructure change to the application change control process, which lets us move really fast in some areas, or as slow as we'd like in other areas. Now, as you make that shift to AWS, you've also got to think about how you're going to design that, and we believe there's a maturity model we see most organizations going through as they make that journey. The first one is they start with a few people in an account just testing some things out and trying. Then someone else gets word of it, so their side moves in there with them and starts sharing that account, and they're doing a bunch of stuff. Of course, unfortunately, after a while you end up with a whole bunch of crap hanging around and post-it notes pointing at each other, and so then you start to think, man, how am I going to manage this? Of course, enterprises then move to the idea of, well, let's organize it. We'll do them as hosted services: I'll manage the party, everyone can come when I say. But of course now we're completely bottlenecked; we're sitting there moving at, you know, that central team's capability, and it doesn't remove the fact that you've still got your crazy uncle at the table. So at Turbot we believe you've really got to lean into the idea of that multi-tenancy that Amazon already gives you. They're giving us hundreds of accounts that are already protected from each other as organizations.

We can turn that model to our advantage and actually separate all of our workloads into those separate Amazon accounts, creating a hard blast radius around each person, each group, each team, and then we can have services that really accelerate or help coordinate how we work within those isolated spaces. Now, once you've got that model of all these different accounts hanging around, people doing things, it's really important to think about how you do policies on that: force encryption, you know, manage that environment. So as an organization you have to come up with those must and should rules, things you're going to enforce and things you're going to recommend, and don't forget there's gonna be a crapload of exceptions. These are large enterprises; everybody's always got something different they have to do somewhere. We think about those as must rules or should rules which have a scope in a hierarchy of being applied, making it easy to add new accounts and have them immediately done in the context of that rule set. So now we have all these accounts, with teams having the agility of their own use, protected and isolated, and we've combined that with policies like enforcement of encryption, setting up of identity and access. What we really want to do now is have real-time detection and correction of how people are working. So if they create an S3 bucket, we want to instantaneously detect that and enforce the policies we care about in an environment, and once we get that balance right, we've now got the ability for these teams to have high agility and the ability to work, coupled with these controls wrapping them and making them as safe as possible in the environment. Guardrails always are a basic flow; you can go to a lot of sessions where people talk about this.

But the key thing is you're grabbing events and then making a decision in context with policies about what you want to do and how you want to implement that. At Turbot we think it's really, really important to think about that policy context and joining those pieces together, and we spend a lot of time building a workflow engine and the capability to do this at very, very large scale. Now that we have the ability for these teams to be working independently, we can rethink our operational model. We're no longer doing things for them; we're in a world where we're teaching them how to do it and letting them work within that safe, isolated environment with the guardrails wrapping them. So instead of having a request fulfillment model, we're now moving to a world where app teams are directly working with AWS. They can interface and learn from that cloud team, and then we can combine that with these real-time software operational controls. Now we've got app teams that are actually able to use AWS and move at their own speed, and we've combined that with a team that's able to teach them, work with them and build safety controls around them. We can start to work together. We're no longer requesting and arguing and telling who's doing what, etc. We're now in a place where: I need to use queuing, I need to use a new service from Amazon, let's learn about that together, sit side by side and work out how to make it work in the organization. It changes the nature of the relationship that you're working on, and that allows you to move a lot faster. With that type of automation, the other key to building out all your automation patterns is to have a really common set of languages and best practice patterns that you can deploy at scale.

Identity and access language that you can use repeatedly, like an admin person versus a metadata user. Networking patterns: you want to know, when you say it's a DMZ, what you mean; that means it has access to the internal network, as opposed to a public one which might have no access internally. You have to come up with patterns that you can use, because then you can talk about them and move faster, but you can also automate them out together and with more clarity. This is a model we happen to use for IAM in Turbot: we automate out the idea of levels, S3 metadata, S3 read-only, S3 operator, S3 admin, EC2 metadata, read-only, operator, admin, making that simple to deploy and understand. Once you've got these real-time guardrails running around a world where users are making their own changes, visibility becomes drastically more important than it was in the past. People need to know what you automated underneath them; similarly, you need to know who took what actions in the environment so you have a record of that. Now, we all get the idea of audit logging and shoving stuff in S3 buckets, but what we're talking about at Turbot is the idea that you can actually see a visual history of your infrastructure and see that a user created a bucket and then 10 seconds later something like Turbot came along and automated the guardrails you need into that environment. With all of these pieces coming together, we reach a place of automation where we're starting to think differently. People are now able to use those services and we don't require the central team to help them with everything; they're able to move with more speed and agility, and as a central team we're building more and more automation to make that faster and easier. As the cloud team, we can reach a point where, as we hear issues, we're now thinking about not fixing tickets but instead killing tickets: we never want to see this issue again, so what's the automation we can build to avoid this problem or detect it earlier and take an appropriate action? At Turbot we believe that all of level 1 and 2 can be automated out; anything that can be scripted for a human to do can be scripted for the computer to do, and that starts to change.

The way we think about that really feeds a DevOps model where the application team is then responsible. So when we tie all those pieces together, we enter a world of software-defined operations. So in Turbot, the way we think about it is this: we'd start to run inside an account and give users access to just the Amazon accounts they're using. You can see on the left-hand side here a list of accounts I have access to use. The user can click into that and immediately see context in their environment: their controls are green, their policies are in English. Now, we believe it's really important that users are not abstracted from that Amazon environment. They should be able to use the Amazon console, they should be able to use the different controls in that environment, so we encourage users to get straight in there and do their job. You don't want to distract them with other ways of doing it or force them through templating systems. So in Turbot they can go into an S3 service and literally just create a bucket. We've all seen this before, so we'll try and do it as quickly as possible. Now, what's happening in the background now that we've created that bucket: Turbot is wired up automatically to all the event watching in this account, the CloudTrail, all those different pieces.

It's now going to detect that event in real time and start taking actions to make sure it meets the policies of our environment. So if we go down and have a look at that bucket, we can see it's here. If we come into the properties tab of the bucket, we can see server access logging has already been enabled by Turbot. If we refresh, you'll see some other things start to come through: the default encryption has been set in the background, the tags have been set in the environment. These are all coming through from the policies that are set in that Turbot environment, allowing you to work quickly and easily. We also implement things like protection so that people can't actually break or change those things in that environment, making sure you're keeping them safe. Stuff like the bucket policies get set enforcing encryption in transit, right? These can all be automated, getting you to a whole new place. Now, if we go back to Turbot, we can actually see that in the background Turbot realized the bucket was created and started keeping that visible history of what's going on. So we can actually have a look at the activity of that bucket and understand what's been changing or happening in that environment. It just takes a second to load here; I apologize, I went to the wrong place. So for the bucket we can see that it was originally created by Nathan, and then Turbot came along just a few seconds later and actually added the encryption, added the logging, added the tagging, etc. We can see that whole history. If we go to the controls framework, we can see in Turbot the status of each of the things we're talking about, whether it's encryption, you know, the ability for it to be updated in the CMDB, or whether the tags are correct.

If we go into one of these, we can actually see the history of what happened. So we can see that the alarm was raised, we can see Turbot then corrected it in response to that alarm, and then automatically closed the alarm. We've just gone to a ten-second ticket close time, right? This is a whole new world compared to the manual review processes we used to have. Now, developers need to know what's going on in that environment, so Turbot keeps a record of everything that's happened, including, for example, the CloudWatch event that triggered it all in the first place. This was a CreateBucket action from Amazon; they can see that. We can then see the context for how this decision was made: what was the value of the options in that area, so how it made that decision, all logged out in detail. Of course, because your security and compliance people care about these things, we have to package all that up and push it to S3 for posterity to make sure we know exactly what happened. Now, those controls are working depending on the policies you've set in the environment. These are just the policies we have around S3 in Turbot, but we have over 900 of these across different services. So if we go to something simple like versioning, we can see here what the policy says in this environment: we can see that Turbot has enforced versioning for all accounts, but once we come down to this account, we've said...

Let's just skip it in this case. But I can create an exception for this one bucket and say, you know what, I really want versioning enforced on this bucket. As soon as I create that, Turbot will now ensure that policy is true on the bucket, and true for all time, so if anyone even changed it back it would immediately turn it back on. So those policies give us that, then that history of what's been happening, and the managing of the exceptions. We can also see, if we go up into Turbot, here's every exception (I practiced a few times here before) to this policy in the environment, so you can see every bucket inside any account in this Turbot scenario has versioning turned on, except for these exceptions. Now, it's important that we have that idea of how to react and guardrail things out, but as I mentioned, we also need the idea of how to manage our environment. So in Turbot we do things like try to make things like IAM a lot easier with those common language and common models I said before; these really accelerate your conversations. So in Turbot, for example, we have the idea that you can search Active Directory for a user and then give them permissions based on the system.

Now, you'll notice these are all simplified down, like I mentioned, to metadata, operator, admin, you know, metadata, read-only, operator; it's giving you a very standard language for how to think about those things in the environment. When we do grant it, in Turbot we like the idea that they can always be temporary explorations, so you can have the idea of some temporary elevation into that permission and then expire it after a period of time. Now, that model of permissions is actually hierarchical, so you can have a cloud team at the top with permission through the whole environment, or in different accounts, again a common language flowing through with automation. When we make those changes in Turbot, they're automatically synchronized into AWS. We think this is really, really important: your users need to see what's happening; that visibility piece is critical. So if we go and look at the users there, we just gave some more permission to Cody. We can see here that basically he's been added to that extra group we just gave him, which is the operator group, right? And then we can actually drill through that to see the groups and see all the policies associated with it and understand what's happening in that environment, in an optimized way. So for Turbot, what that means is, once you bring together those sorts of policies, you can start to use that framework across hundreds of services, whether it's EC2 or S3 or Lambda, and combine those things in powerful ways. You can use Lambda creating an IAM role because you have a guardrail that detects a new role and adds the lockdown policies to it, making it safe for users to do that sort of thing. The sum total of that is that your software-defined infrastructure now has software-defined operations to match it. Nothing else will move at the speed you need of that software-defined infrastructure. If applications are changing things underneath you, you have to have software that responds to that. If you're checking and reviewing later, has it been possible to keep up? We've all tried, right? Putting people through templates first, it's too hard to stay on top of. So the way we like to think about that is really thinking of your cloud team enabling those application teams, and we really see Turbot as a droid that's enabling that for you and, you know, enhancing your team in that capability.

So I'm out of time. Thank you so much for your time. I'd love to talk to anyone afterwards; we're at booth 2617 on the other end if you'd like to be scanned on the way out. We're giving away some R2-D2 Lego and a BB-8 Lego, you know, five o'clock today and tomorrow. Thanks very much.
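The detect-and-correct loop the talk walks through (an S3 API event arrives, the effective policy is resolved through the root/account/bucket scope hierarchy where a more specific setting is the exception, a must rule is corrected on the spot while a should rule only raises an alarm, and the bucket keeps a history of who changed what) is sketched below as an added example. This is the editor's illustration, not Turbot's product, code or API: the policy modes, the event fields, the account id, the user and bucket names and the in-memory bucket state are all constructed for the example.

```python
"""Editor's illustration of an event-driven guardrail with a hierarchical policy
scope, in the spirit of the talk above; not Turbot's code. Policy modes, event
shape, account id, user and bucket names and bucket state are all constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ENFORCE, CHECK, SKIP = "enforce", "check", "skip"      # hypothetical policy modes
CONTROLS = ["versioning", "encryption", "logging"]      # the controls the talk demonstrates


@dataclass
class PolicyStore:
    """Policy values keyed by (control, scope path). A scope path looks like
    'root/111122223333/my-bucket'; the most specific scope that sets a value
    wins, so a bucket-level setting is an exception to its account's setting."""
    values: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def set(self, control: str, scope: str, mode: str) -> None:
        self.values[(control, scope)] = mode

    def effective(self, control: str, scope: str) -> str:
        parts = scope.split("/")
        for depth in range(len(parts), 0, -1):          # walk from the leaf up to root
            mode = self.values.get((control, "/".join(parts[:depth])))
            if mode is not None:
                return mode
        return SKIP                                      # unset everywhere: do nothing


def make_event(name: str, account: str, user: str, bucket: str,
               versioning_status: Optional[str] = None) -> dict:
    """Constructed CloudWatch-Events-style envelope around a CloudTrail API
    call; only the fields the guardrail reads are filled in."""
    params: dict = {"bucketName": bucket}
    if versioning_status:
        params["VersioningConfiguration"] = {"Status": versioning_status}
    return {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventName": name,
                       "userIdentity": {"accountId": account, "userName": user},
                       "requestParameters": params}}


@dataclass
class Guardrail:
    policies: PolicyStore
    buckets: Dict[str, Dict[str, bool]] = field(default_factory=dict)  # simulated S3 state
    history: List[str] = field(default_factory=list)    # the per-bucket "visual history"

    def handle_event(self, event: dict) -> List[str]:
        """Apply the user's change to the simulated bucket, record who did it,
        then re-evaluate every control. Returns the corrective actions taken."""
        d = event["detail"]
        account = d["userIdentity"]["accountId"]
        user = d["userIdentity"]["userName"]
        bucket = d["requestParameters"]["bucketName"]
        self.history.append(f"{bucket}: {d['eventName']} by {user}")
        if d["eventName"] == "CreateBucket":
            self.buckets.setdefault(bucket, {c: False for c in CONTROLS})
        elif d["eventName"] == "PutBucketVersioning":
            status = d["requestParameters"]["VersioningConfiguration"]["Status"]
            self.buckets[bucket]["versioning"] = status == "Enabled"
        return self.evaluate(account, bucket)

    def evaluate(self, account: str, bucket: str) -> List[str]:
        actions: List[str] = []
        state = self.buckets[bucket]
        scope = f"root/{account}/{bucket}"
        for control in CONTROLS:
            mode = self.policies.effective(control, scope)
            if mode == SKIP or state[control]:
                continue                                 # nothing required, or already compliant
            if mode == ENFORCE:                          # must rule: correct it, alarm closes itself
                state[control] = True
                actions.append(f"enable {control}")
                self.history.append(f"{bucket}: {control} enabled by guardrail")
            else:                                        # should rule: alarm, leave it to the team
                actions.append(f"alarm {control}")
                self.history.append(f"{bucket}: {control} alarm raised")
        return actions


def demo():
    """Replay the talk's scenario: versioning enforced for everyone, skipped for
    one account, then re-enforced for one bucket in that account as an exception."""
    policies = PolicyStore()
    policies.set("versioning", "root", ENFORCE)                            # must rule
    policies.set("encryption", "root", ENFORCE)                            # must rule
    policies.set("logging", "root", CHECK)                                 # should rule
    policies.set("versioning", "root/111122223333", SKIP)                  # account opts out
    policies.set("versioning", "root/111122223333/audit-logs", ENFORCE)    # bucket exception
    g = Guardrail(policies)
    acct = "111122223333"                                                  # constructed account id
    created_scratch = g.handle_event(make_event("CreateBucket", acct, "nathan", "scratch"))
    created_audit = g.handle_event(make_event("CreateBucket", acct, "nathan", "audit-logs"))
    # Someone turns versioning back off on the exception bucket: the guardrail reverts it.
    reverted = g.handle_event(make_event("PutBucketVersioning", acct, "cody",
                                         "audit-logs", versioning_status="Suspended"))
    return created_scratch, created_audit, reverted, g.history


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

Running the file prints the history in the order the talk shows it: the user's CreateBucket, then the guardrail's own corrections a moment later. The scratch bucket gets encryption enabled and a logging alarm but no versioning, because its account is set to skip; the audit-logs bucket gets versioning as well, because its bucket-level setting overrides the account, and a later PutBucketVersioning that suspends it is immediately reversed.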

If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!