The era of racks filled with hardware is over. The cloud offers numerous benefits, but perhaps the most profound improvement is to security and compliance. When security and compliance are codified, they transform from an “after-the-fact” struggle into a proactive, foundational component of the enterprise. However, you cannot merely forklift on-premises security into the cloud. That never works. Security must be written into the deployment and configuration code. Security must adopt DevOps practices. In this presentation, Ignacio Martinez, VP of Compliance at Smartsheet, will discuss how his company achieved FedRAMP compliance in record time, with the help of Anitian and Trend Micro. Anitian CEO Andrew Plato will then describe how using the power and scale of cloud automation can dramatically accelerate security and compliance.
2. We empower everyone to improve how they work
Smartsheet is a registered trademark of Smartsheet Inc. The names and logos of actual companies and products used in this presentation
are the trademarks of their respective owners and no endorsement or affiliation is implied by their use.
4. The Smartsheet Platform for Work Execution
Provide your organization with a powerful work platform that offers exceptional speed to business value — so you say yes to more ideas, more customers, and more revenue.
• Plan & Manage: Grids, Projects, Cards, Calendars
• Automate: Workflows, Converse.ai, API, Accelerators
• Report: Dashboards, Portals, Dynamic Reports
• Scale: Control Center, Security, Auditability, Compliance, Accelerators
• Capture: Forms, Connectors, Integrations
6. Keeping your data secure is our most important job
Data Center Security
Smartsheet Gov is built on AWS GovCloud infrastructure, which was designed and managed in alignment with regulations, standards, and best practices for US Federal Government agencies.
Data Security
We build security into our product to ensure that your most valuable asset—your data—is protected. We also contract with third-party security professionals to conduct annual security assessments.
Encryption
Encryption serves as the last and strongest line of defense in a multilayered data security strategy. Smartsheet uses encryption to safeguard your data and help you maintain control over it.
7. Federal Government Ready
• FedRAMP In-Process April 2019
• FedRAMP Joint Authorization Board P-ATO (planned June 2019)
• Initial ATO at “Moderate”
• Multi-factor authentication, CAC PIV & SSO
• Event Reporting*
• Directory Integration*
• Administration Center*
• Built on the AWS GovCloud (US)
• Based on NIST standards
Compliant, Secure, Enterprise Grade
*features on product roadmap
8. Amazon Web Services (AWS)
Smartsheet Gov partner
• Smartsheet Gov is built on the Amazon Web Services (AWS) GovCloud (US-East) and AWS GovCloud (US-West) Regions, Amazon’s isolated cloud infrastructure and services
• Designed to meet U.S. Government and other highly regulated industry security and compliance requirements
• Smartsheet available via the Amazon Marketplace
• Smartsheet achieved Amazon Partner Network Advanced Tier
13. …AND NOW WITH THE MISSING PART
• Most organizations need 12-18 months to build out a compliant environment at a cost of $2M or more
• Guesswork and product integration slow down the process
[Chart: agency process timeline, 0 to 12-18 months: Build a FedRAMP control environment and onboard apps]
14. …AND NOW WITH COMPLIANCE AUTOMATION
ANITIAN COMPLIANCE AUTOMATION CAN REDUCE THE TIME TO COMPLIANCE BY 75% AND THE COST BY 50%
[Chart: agency process timeline, 0 to 60 days: Build a FedRAMP control environment and onboard apps]
15. PROBLEM 1: COMPLEXITY
• Frameworks (like FedRAMP) are onerous, arcane, and difficult to learn
• For internal teams, compliance is (at best) guesswork
• GRC tools do not solve anything, and create more work
• Professional services firms build one-off environments and are motivated to work slowly to maximize billable hours
• You are at the mercy of auditors’ interpretations (who may not understand the cloud)
• Compliance efforts seldom lead to good security
16. PROBLEM 2: MISERY
• Nobody really wants to do compliance work; it is distracting, unrewarding, and frustrating
• Internal compliance talent is difficult to obtain, train, and retain
• Compliance slows down development, and therefore time to market (and time to money!)
18. WHAT IS COMPLIANCE AUTOMATION?
• Automated: Deploys and configures an infrastructure to compliance requirements automatically
• Turnkey: Includes all the required security controls (SIEM, IDS/IPS, etc.), policy templates, and configurations
• Proven: Uses known-good reference architectures, generates audit artifacts
• Guardrails: Continuous monitoring to maintain compliant, secure state
• Isolated: Does not co-mingle data, controls, or access with any external party
• Flexible: Suitable for a broad range of organizational types
21. RESPONSIBILITY MATRIX
[Matrix graphic; rows as extracted, with the row labels Customer Responsibility, Application and Systems]
• Customer Responsibility: User Access, Data management, User entitlements, Application Configuration
• Reference Architectures, Secure Configurations, Security Controls, Documentation Templates, 24x7 SecOps
• Storage and databases, Physical security, Regions and AZs, Virtualization security
23. 1. DEPLOY CLOUD REFERENCE ARCHITECTURE
• Pre-configured architecture that includes:
• Compliance Automation VPC
• One or more application VPCs
• Subnets, routes
• NAT Gateways
• Zero-trust access rights (no discretionary access)
• Application load balancers (with FIPS-140 compliant encryption)
• All access logged to CloudTrail
• Encrypted S3 buckets
• IAM, KMS, etc. auto-configured
24. 2. USE PRE-HARDENED OS IMAGES
Center for Internet Security provides an excellent suite of hardened images
• Red Hat
• Windows 2016
• CentOS
• …and more
• Images are pre-hardened to compliance requirements
• Anitian CA adjusts configurations to suit the specific compliance needs
• Documentation included with each AMI
25. 3. DEPLOY AUTHENTICATION STACK
• Deploy and configure AD cluster on hardened Windows Servers
• Install and configure certificate authority
• Generate internal certificates
• Deploy group policies (for other Windows hosts)
• Push certificates, trust rules, and configurations to hosts
• Populate AD with required service accounts and generated passwords
• Integrate multi-factor authentication (Yubikey, Okta, etc.)
26. 4. CODE AND CONFIGURATION MANAGEMENT
Code Repository
• Local, secured repository for automation code
• Version controlled copies of everything
• Integrates into automation stack
Configuration Management
• Manages configurations and updates for CA stack
• Performs some guardrail functions
• Can be extended to app environment
• Autodeploy: console, database
• Autoconfigure: policies
• Push configurations to endpoints
28. 6. BUILD OUT SIEM STACK
• Either Anitian or Splunk SIEM
• Autodeploy and scale:
– Management console
– Forwarders
– Indexers
• Auto-configure:
– Host logging
– AWS Cloudtrail, Cloudwatch logging
– Alerts, reports, dashboards, correlations
– Storage
– Certificate trusts
– Encryption of data at rest
• Application event logging is configured in post deployment engagement
29. 7. VULNERABILITY MANAGEMENT
• Autodeploy console and scan agents
• Autoconfigure scan profiles, targets, scanning schedules
• Provides required risk-based vulnerability management:
– Reporting for auditors
– Ticketing for internal staff
– Audit trail for audits
– Automated scans
30. 8. PERIMETER DEFENSES
WAF
• Web application firewall for environments that have a web front-end
• Configured to meet FedRAMP (OWASP Top Ten)
• Autoconfigure: policies, logging
NGFW
• For environments with heavy outbound traffic we deploy a NGFW
• Autodeploy: appliance into transit VPC
• Autoconfigure: policies, logging to SIEM, alerts, IDS/IPS, web filtering, etc.
31. 9. IMPLEMENT GUARD RAILS
• Keeps the environment configured within FedRAMP access control requirements
• Use multiple techniques to monitor: AWS Config, Lambda functions, SIEM alerts, Trend Micro, Puppet, and more
• All changes are monitored and logged to SIEM
• Provides alerts to contacts when a change will result in a non-compliant state
• Greatly assists with audit process
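As an added example (not Anitian's or Smartsheet's code), here is the guardrail idea from this slide written as an AWS Config custom-rule evaluator in Python: it checks an S3 bucket configuration item against the reference-architecture requirements from slide 23 (encrypted buckets, all access logged, no discretionary access) and flags a change that would leave the bucket non-compliant. The configuration-item field names are assumed to follow the layout AWS Config delivers for AWS::S3::Bucket, and the sample event is constructed; a deployed rule would pass the returned record to put_evaluations.

```python
import json
# Assumed layout of an AWS Config configuration item for AWS::S3::Bucket
# (example code, not Anitian's); the sample event below is constructed.
REQUIRED_SSE = {"aws:kms", "AES256"}
PUBLIC_ACCESS_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
                       "blockPublicPolicy", "restrictPublicBuckets")

def evaluate_s3_bucket(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    supp = item.get("supplementaryConfiguration", {})
    failures = []
    # Guardrail 1: encrypted buckets (default SSE, ideally KMS-backed)
    rules = supp.get("ServerSideEncryptionConfiguration", {}).get("rules", [])
    algos = {r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm") for r in rules}
    if not algos & REQUIRED_SSE:
        failures.append("default encryption not enabled")
    # Guardrail 2: all access logged
    if not supp.get("BucketLoggingConfiguration", {}).get("destinationBucketName"):
        failures.append("server access logging not configured")
    # Guardrail 3: no discretionary/public access
    pab = supp.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) is True for flag in PUBLIC_ACCESS_FLAGS):
        failures.append("public access block incomplete")
    if failures:
        return "NON_COMPLIANT", "; ".join(failures)
    return "COMPLIANT", "bucket meets encryption, logging and access guardrails"

def lambda_handler(event, context=None):
    """Custom-rule entry point: parse the invoking event and build the evaluation
    record. A deployed rule hands this to config.put_evaluations(); returning it
    keeps the example runnable offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_s3_bucket(item)
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

# Constructed sample: a change removed the bucket's default encryption.
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::S3::Bucket", "resourceId": "example-app-data",
    "configurationItemCaptureTime": "2018-10-01T12:00:00.000Z",
    "supplementaryConfiguration": {
        "ServerSideEncryptionConfiguration": {"rules": []},
        "BucketLoggingConfiguration": {"destinationBucketName": "example-logs"},
        "PublicAccessBlockConfiguration": dict.fromkeys(PUBLIC_ACCESS_FLAGS, True)}}})}
```

In the deployed form the NON_COMPLIANT record is what triggers the alert to contacts described above, and the annotation tells them which guardrail the change broke.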
32. 10. POST DEPLOYMENT ENGAGEMENT
Once the Compliance architecture is deployed, Anitian works with you to:
• Customize policy and procedure templates
• Setup the application hosting environment
• Integrate your app(s) and data into environment
• Help integrate automations
• Fine-tune security controls
• Handle exceptions and remediations
• Knowledge transfer
• Audit stewardship
35. CUSTOMER SUCCESS – SMARTSHEET
This is the fastest FedRAMP ATO – EVER
Compliance environment built and ready in 60 days
Task                                  Date Completed
Kick-off Call                         9.19.2018
Compliance Automation started         9.28.2018, 10:20 AM
FedRAMP Architecture running          9.28.2018, 1:40 PM
Application onboarding begins         10.1.2018
Documentation effort begins           10.1.2018
Gap Assessment complete               10.31.2018
Environment is audit-ready            11.16.2018
3PAO Assessment complete              11.30.2018
Package submitted to FedRAMP PMO      12.19.2018
Government shutdown                   12.22.2018
ATO issued                            March 2019