AWS re:Invent 2023
How to Optimize Continuous Compliance Processes in Your Deployments Sec101

Title

AWS re:Invent 2023 - How to optimize continuous compliance processes in your deployments (SEC101)

Summary

  • Speakers: Andy Schneider (Field CISO, Lacework) and Nils Kreft (Head of Cloud Center of Excellence, BioNTech).
  • BioNTech's Vision: Develop therapies against cancer, infectious, and severe diseases using the immune system.
  • BioNTech's Cloud Strategy: Cloud-first approach, migrating 80% of on-prem workloads to the cloud by 2025, and onboarding 100+ use cases in 12 months.
  • Challenges: Onboarding use cases while ensuring compliance and security, competitive IT security market, GXP compliance, dynamic research environment, and exposure to unauthorized access.
  • Solutions Implemented:
    • Lean service qualification to reduce checks and optimize processes.
    • Automation and CI/CD integration with Lacework for security and compliance.
    • Continuous compliance monitoring with Lacework for AWS services.
  • Results: Reduction in time for compliance processes by 85%, improved productivity, and continuous compliance for 41 AWS services.
  • Future Focus: Vulnerability management, runtime detection, and leveraging machine learning for security.
  • Lessons Learned:
    • Automate everything with CI/CD.
    • Integrate security tooling with a shift-left approach.
    • Continuous compliance is a game-changer.
    • Focus on people and mindset change.
  • Recommendations: Try out Lacework's free trial, focus on composite alerts and package detection, and engage with experts at Lacework's booth.

Insights

  • Cloud Security Posture Management (CSPM): BioNTech's search for a CSPM solution led them to Lacework, which provided a significant improvement in their compliance processes.
  • Automation and Shift-Left Security: By automating security checks and integrating them early in the development process, BioNTech was able to significantly reduce manual errors and improve security posture.
  • Continuous Compliance: The ability to continuously monitor the state of the infrastructure and receive alerts for any deviations is crucial for maintaining compliance, especially in a dynamic and regulated environment like BioNTech's.
  • Machine Learning in Security: Lacework's use of machine learning and behavior analytics is highlighted as a key factor in improving detection rates and reducing false positives, which is a common challenge in security operations.
  • Vulnerability Management: The approach to vulnerability management that focuses on the context of vulnerabilities (e.g., internet exposure, active exploits) can significantly reduce the noise and prioritize the most critical vulnerabilities to address.
  • Importance of People: Despite the advanced technology and processes, the human element remains critical. Convincing people to adopt new mindsets and approaches is essential for successful security transformation.
  • Partnership and Talent: The collaboration between AWS, Lacework, and BioNTech demonstrates the importance of partnerships in achieving security goals. Additionally, there is a continuous search for talent in the cybersecurity field.
How to Not Sabotage Your Transformation Seg201How to Scale at Speed on Aws While Addressing Security and Compliance Gbl205