Liberty Mutual is opinionated about how application teams deliver and deploy code into AWS. Applications must be able to secure all data types, meet security standards, and deploy via automation. Radar is an event-driven, rules-based service for validating and remediating AWS cloud resources, and it ensures that security standards are enforced. In this session, learn about Radar, which is built on AWS and designed to ensure compliance across hundreds of AWS accounts in 14 regions while providing flexibility for rule variation. Whether risks are prevented during continuous integration or detected upon deployment and remediated, the goal is the same: all policy is enforced at the earliest moment of risk.

1. © 2019,Liberty Mutual Insurance Company
Presenting Radar: Validation and
remediation of AWS cloud resources
Jason Mahosky
Technologist
Secure DevOps Platforms
Liberty Mutual Insurance
Twitter: @jmahosky
G R C 3 4 3
Jai Schniepp
Director of Product
Secure DevOps Platforms
Liberty Mutual Insurance
Twitter: @jebbstudio

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How we use AWS
▪ 14 regions
▪ 157 accounts
▪ 187 VPCs
▪ 6,795 Amazon EC2 instances
▪ 2,139 Amazon RDS instances

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How many of you have
unencrypted S3 buckets
in your environment?

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Who has instances that have been running since 2015?

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Anyone have access keys
in use older than 90
days?

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Do you know the risk profile of your entire AWS footprint?

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Does the security team need to be the department of no?

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security documented everything.

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
“Dance like no one is
watching. Encrypt like
everyone is.”
– Werner Vogels

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
One of the greatest concerns security
teams have in moving to developer-
managed infrastructure is the
possibility of well-intentioned
developers implementing
misconfigurations that could expose
systems or data to enhanced risk.

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Automating policy enables teams to scale.

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
We are enforcing
security policy—as code.
Prevent
Detect
Correct
Remediate
Enforce
Visualize

13. © 2019,Liberty Mutual Insurance Company
s3-encrypted:
action: enableEncryption
remediate-report: true
trigger-events:
- name: 'CreateBucket'
- name: 'DeleteBucketEncryption'
Policy as code

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Radar
▪ Rules engine
▪ Declarative
▪ Event-driven
▪ Active reporting

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Radar architecture
Account
Region Y
Cloud
Account
Region X
Region X
Region Y
Region Y
Region Y

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Policy coverage
?

17. © 2019,Liberty Mutual Insurance Company

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Radar forecast
▪ Rules
▪ Operational excellence
▪ Alternatives

19. Thank you!
© 2019,Liberty Mutual Insurance Company