Security And Compliance in AWS Cloud

View Show Notes and Transcript

Episode Description

What We Discuss with AJ Yawn:

  • How is Compliance different in a Hybrid world?
  • For anyone who used to audit on-premise, is it difficult to audit cloud environments?
  • Do Auditors need to be technical like Cloud Engineer to be successful as an auditor in Cloud?
  • Do Auditors need to be Certified Architect in Cloud?
  • How does compliance scale from a startup to an enterprise?
  • Where can auditors go to know more about doing Audits on Cloud?
  • And much more…

THANKS, AJ Yawn!

If you enjoyed this session with AJ Yawn, let him know by clicking on the link below and sending him a quick shout out:

Click here to thank AJ Yawn on Linkedin!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

Ashish Rajan: [00:00:00] Hi AJ.

AJ Yawn: [00:00:01] Hey, what’s going on Ashish? How are you?

Ashish Rajan: [00:00:03] Good how are you going?

AJ Yawn: [00:00:05] I’m great, man. I’m great. It’s another beautiful day here in Miami, so I can’t complain.

Ashish Rajan: [00:00:10] Dude. so jealous of you , I wanted to start, with something that I, is the tradition, I hope you have your glossy gloss ready. Ah, Cheers. Cheers. .

What kind of Wine,is it?

AJ Yawn: [00:00:23] So, I like Malbecs

. Yeah. I, I’m a big wine guy. I really like red wine. , it started a while ago. I have a basketball background. so I follow obviously like NBA and LeBron and Carmelo and. Dwayne way, they, they they’re really big into wine and they did a whole article about how wine has helped them in their careers.

And I just kind of jumped all over it, and, and loved wine and drink a lot of it.

Ashish Rajan: [00:00:45] Oh, right. Okay, cool. well I think we should, definitely talk some more wine after we do this quickly. for people who don’t know AIJ apart from basketball and wine, who is AJ and what’s his path into [00:01:00] cybersecurity?

AJ Yawn: [00:01:01] Yeah, so, I started in cybersecurity, like a lot of people, I think that I’ve noticed lately in the U S and the U S aren’t in the U S military.

where I served in the U S army for about six years, ultimately hurting the rank of captain and working really in like a technology officer role where I was responsible for everything, technically, anything technologically related on for the unit, whether it was. Setting up the network to setting up our tactical radios to fire our missiles.

which was that I got exposed to a lot and learned a lot. so I started in the army. I left the army about four years ago and went into cyber security consulting. And that’s where I really jumped into cloud security, really learned a lot about cloud security.

I was able to work with some of the larger cloud service providers and larger just service providers in general, to help them solve their class security problems really helped them, understand how to either migrate an acquisition to the cloud or just. New ways to secure, their cloud environment and do use native services to do that.

So, my path started in the army and then into cybersecurity consultant, I got obsessed with AWS [00:02:00] and the cloud. And then kind of haven’t looked back.

Ashish Rajan: [00:02:01] from rocket launching all the way into our cyber security, that’s a really interesting, and I find it really fascinating and I’m pretty sure you’ve heard this before as well.

Like a lot of ex military folks seems to go into cyber security and , I’ve asked everyone that reason. I’m sure you have your reason as well. so quickly, if you don’t mind me asking you this question as well, why cyber security after launching rockets and missiles?

AJ Yawn: [00:02:25] I think it’s two reasons.

I think one, the veteran community, there’s this filled with comradery and looking out for each other and a lot of us have made it into the cyber security field and we’re reaching back to get more veterans into the field because we see how much potential and how much growth there is here. And the other thing is, I think cybersecurity is all about solving problems.

And being a great problem solver. And that’s what we did in the military. Whether no matter what your job was, you were constantly solving problems for the first day joined. so I think that that mentality translates well to cybersecurity, but I really think, especially in the U S it goes back to the, the mentors and the, the community that’s constantly bringing vets [00:03:00] up.

Ashish Rajan: [00:03:01] . I love that about that community when I’ve met so many, folks, it’s not even funny that like, everyone has put like some kind of military background, I’m like, Oh, wow. Yeah. I’m not surprised you’re in cyber security, with the. Security and compliance. Right? What I wanted to start with I usually ask the question, cloud security. What does that mean for people?

But I can kind of want you to ask this the other way around. What does compliance in cloud mean for you?

AJ Yawn: [00:03:25] Yeah. So, the first thing that comes to mind is shared responsibility. and hopefully in the future, it means security, which I don’t think a lot of people think compliance and security will we’ll get into that.

but I think about shared responsibility and it’s the cloud providers and the organizations hosting their data on the cloud, holding up their end of the bargain. Right. the cloud providers are. Doing the physical security and environmental controls that they agreed to do, and the organizations have their own responsibilities associated with the data and services and, any kind of compute equipment that they are using in the cloud.

So both organizations holding up their end of the bargain is really what compliance in the cloud is all [00:04:00] about.

Ashish Rajan: [00:04:01] . And, for people who don’t know shared responsibility, what is shared responsibility.

AJ Yawn: [00:04:05] Yeah. Great question. So, essentially, you know, there’s the saying that is pretty common in the cloud industry where the cloud providers, your AWS, your Azure is your GCPs of this world.

They’re responsible for security of the cloud. They’re responsible for the physical controls, the environmental controls. So you no longer have to actually worry about hiring security guards or cameras or setting all that up because the cloud providers take care of that for you in a traditional, like infrastructure as service.

set up and the organization. So you and I, the customers are using the cloud. You’re responsible for the security in the cloud. You’re responsible for your data. You’re responsible for making sure that outside threats can not get in. And that’s really what the shared responsibility model is. It’s a clear line between what are the cloud providers responsible for and what are the organizations responsible for an understanding that at its core is really the foundation for compliance in the cloud.

Ashish Rajan: [00:04:58] And to your point about [00:05:00] shared responsibility, is that different in a hybrid world where I’ve got on prem and I’ve got , I could be a cloud built, like I’ve only started in cloud every day. Like every day I’ve been drinking the AWS Koolaid or someone who’s the enterprise basically has on-prem for 20 plus years and suddenly some parts of have started moving over to a cloud.

So is that different over there?

AJ Yawn: [00:05:23] Yeah, , it’s definitely different. And, it’s challenging just to be honest. when you move into that hybrid space, it’s challenging for the organization and it’s challenging for your auditor’s. because in the hybrid space, if you’re, if you have on prem, you are responsible for those physical controls, you are responsible for those environmental controls.

You are responsible for a lot of The controls that AWS and Azure and GCP had, are taking over for you in the cloud. And from an audit perspective, now your auditors have to, assess both environments, right? They’re not going to assess the physical security controls in AWS, but on prem. Now they have to come in and make sure that you’re doing the physical security things necessary to meet your [00:06:00] different compliance standards.

So, it’s definitely challenging. And normally when I encounter an organization running hybrid on prem cloud environment, I try to unpack why. I, I tried to figure out like, what’s going on and why you’re doing this because, it just adds complexity and challenges and, and generally there’s some misconception or fear behind moving that last piece of data or that last service to the cloud.

They think they can’t do it for whatever reason. And, once you’re able to overcome that, they see the benefits of just going into a completely cloud environment.

Ashish Rajan: [00:06:28] . it’s.

Complexity and the scope as well. Probably people want to limit the scope of the compliance to be either just cloud or I guess probably you want to have your best foot forward for auditing.

I have some, might’ve only start with the cloud. , not that I would say auditing in cloud is easier or difficult. It based on the person as well, you deal with. And especially the reason I call that out because I feel when you do compliance in cloud is different to how you say, for example, if I’m.

And I’m thinking of some of the folks that I’ve spoken [00:07:00] to, in the audience, who’ve come from an auditing background where they’ve audited say done like a SOC two, SOC three or an ISO 27,001 for, for an on prem world. And now suddenly they’re seeing a lot more of AWS Azure, Google cloud. Now what does this mean for them?

Like when they’re looking at cloud, should they be approaching it differently? Like what should they be doing?

AJ Yawn: [00:07:22] Yeah, they, you know, definitely should be approaching it different. But I think really with, cloud computing and especially compliance in the cloud security at its core, it’s the same, like a SQL database on prem and a SQL database in the cloud.

They’re both SQL databases. how you go about that? Getting the evidence, how you go about collecting the evidence? that’s the difference and that’s where the auditors have to approach things differently. I’ll give you a very two very quick examples of how you approach things differently in the cloud.

Right? I’m going to talk about AWS, just cause that’s what I, what I know and what I’ve kind of carved my career out in, but, there’s two reports on AWS that every auditor, as soon as you go and perform an audit on AWS, you should [00:08:00] generate and you should ask your clients to generate. One is the, IAM credential report and the other is the trusted advisor report.

and the IAM credential report is a report. That’s going to give you. Data about , who are the users? do they have MFA enabled when’s the last time they changed their password? When’s the last time they switched, they rotated their access keys. all these other information, you getting information about the root account.

This is information that would probably take you 30, 40, 50 pieces of evidence in the traditional world. You’re asking for screenshots out of Ady. You’re asking for screenshots from the MFA tool. You’re, you’re asking for all this information that would, it took a lot of different pieces of evidence and I’m sure these auditors in the traditional environment, they know to go yeah.

Ask for screenshots and that’s for all these other things, but. In AWS. The easiest thing to do is get that I am credentialed report. You now answered about seven or eight questions with one report that every customer has available. If you go to the IAM console, it’s right there on the left side, it says credential report.

You can download it. and it’s a great report that you can alleviate a lot of these evidence requests. So if you’re in an organization, generate the crunch report and give it to your auditors, whether [00:09:00] they know what to do with it or not, because it’s going to help you out a lot, when it comes to the evidence request and then trusted advisor to another one, especially the buyer’s going to tell them.

Provide security group as three buckets stuff, RDS stuff. Are you already S instances in multimodal abilities on all of this information that your auditors are eventually going to ask for? And if the auditors know this, you know, it’s easy to get, and that’s why the beauty of the cloud, when it comes to compliance is like there’s so many tools.

I see somebody here has a question about services that we can look at as well, but. There’s so many tools and services out there that generate the information that you need in an audit that you just go get that from there instead of doing it the traditional way. And that’s the biggest difference is understanding how to obtain the evidence and understanding how to test things differently in the cloud.

Ashish Rajan: [00:09:41] Yeah. And I think to your point about the question that’s asked by Arun,over here, cause he’s kind of touched on the same thing where they’re all these services and. could. That’d be more simple than adjust instead of looking at all the services. I think I, I mean, this is my opinion, but know yours as well.

Then I feel like all those services are more from a [00:10:00] monitoring and I guess an incident response, like you’re going into that territory. You’re not going into an audit territory with those services. So is that right? Or is that a different way to look at it?

AJ Yawn: [00:10:10] Well, I think you’re right. But I also think, you know, I seen in, you know, environments where organizations use a lot of those services.

And if you just look at what a ruined, just post posted there, I’m looking at that. And you’re testing a lot of the technical controls that are needed in most compliance frameworks when it comes to, you know, that’s now there was actually a report that recently came out that I posted about that guard duty had a third party test to verify that it can meet PCI requirements as an intrusion detection tool.

So now guard duty actually does meet to be an intrusion detection. It’s also, if you’re using that, you check the block off of many, many different frameworks, but, I, I think, you know, for, from an audit perspective, yeah. You’re not going to give your auditors access to that. Cause most of them won’t know what those tools are.

Right. They won’t know what to do, but using those tools in the manner that those tools can be used to their full capacity, you’re going to make your audit so [00:11:00] much easier. so much easier because you can provide those tools are doing a lot of the testing for your auditors, essentially inspector then is if you run inspector on it, regular cycle, we’ll just take two tools from there really quick.

Explain cutouts changes the scope of an audit patch management really important in a all frameworks. Talk to ISO high trust HIPAA. Everybody concerns about patch management. If you’re using inspector and you’re using systems manager, you can run into vector scan on a monthly basis, collect vulnerabilities, run systems manager, just to perform these updates on a regular basis.

You did maintenance windows, and now you, you, you, you validated to controls. Performing vulnerability scans. And you’re remediating those vulnerabilities from those scans and, and it’s all automated. You set it up once and it does it every time. And now your auditor just needs to go in and make sure that those things are done.

They don’t need to collect the vulnerability reports from every single scan that you wouldn’t traditionally have done in the background and in the older days. So that’s again, where you go from providing a ridiculous amount of evidence when it comes to. On [00:12:00] scan and your auditor is looking through this stuff.

They have no clue what they’re looking at. So you go and use these tools on AWS. And now you’re just showing configurations. It takes about a minute to show. just really changes the game when it comes to how you provide an evidence here.

Ashish Rajan: [00:12:12] I must say any auditors who are listening to this, they’re basically they are taking deep breaths at the moment.

They’re like, what is AJ on about and what is he doing? just so I hope that answers your question around by a good point.

AJ Yawn: [00:12:23] I just wanted to

Ashish Rajan: [00:12:25] start with this as well. Right.

AJ Yawn: [00:12:27] That

Ashish Rajan: [00:12:27] I know that people like you and I, or, the folks who are quite, I wouldn’t say we are quite technical.

We are very, just good technical enough to be dangerous. I’ll probably talk to myself. I think, I don’t think I’m like the best engineer out there. I know a bit of Python. I can be a bit dangerous with Python, but I I’m not

AJ Yawn: [00:12:44] like

Ashish Rajan: [00:12:45] i can’t. Build enough that I’ll just build a whole AWS environment from scratch without Googling.

I probably still need to do a lot of Google and I’ll eventually get there, but , , I’ll take some time. So does, does this mean that the auditors who are [00:13:00] listening to this who probably have done hive or three? Not a hybrid, but non prem world. They’re going into cloud and like, Oh shit. The scene’s like AIG, I have to learn all these, like how many services did Aaron list at about 10 and then two 47 services in general and AWS, like, right.

I’m basically spending each day of my life. Just looking at all these services. What they do, is that what my future is as an orator?

AJ Yawn: [00:13:24] No, no, not at all. I think that’s the misconception and I’m like you, like, I don’t consider myself overly technical. I thought it was always strange when people would say I’m a technical auditor could because.

I don’t think I’m that technical. I think, you know, the cloud security engineers of this world, those folks that are doing that stuff every day, they’re super technical. And I don’t think an auditor needs to get to that level if you’re at that level and you want an audit, you’d be great. but you don’t have to know that much.

I think the important thing to know is just being able to know what the services do and how they can address compliance frameworks. That’s the most important part is understanding how to. Provide recommendations as well. Right. Being able to say like, Hey, [00:14:00] you’re using this service, you should use it yeah.

In this manner. and you have to know the tools, at an not an intimate level, you don’t have to be a deep security expert, but you just gotta know a little bit about the services, know the terminology, be able to speak the language. Don’t ask them to show you their servers, ask them to show you they’re easy.

Two instances, you know, that type of. communication, alleviates a lot of that adversarial relationship between the auditors and the client. When the, when the client realizes that, you know, a little bit about the technology and you understand some of their challenges, they’re going to trust you a little bit more to show you more.

But if they know they’re talking to someone that doesn’t know the difference between a security group and the BP and a VPC, They’re going to just turn off and they’re not going to, they’re not going to sit there and want to develop, or you think about a developer spending time with an auditor they’re really busy.

And now they have to explain to this auditor what AWS is and how the shared responsibility model works. So that’s the basics that every auditor should have, you know, they should, you know, cloud practitioners, a great entry level cert, it’s not for technical folks. And I think that’s assert that gives you the basic information [00:15:00] about what the services are and what they do.

And being able, you know, Most of the time we think of audits as like a check, right? It’s like I’m coming in a N N yeah. To make sure that they do X, Y, and Z, but you know, it’s a partnership. Your clients are going to look for you for recommendations on how to do things the right way. And if you are not aware of the technology, you’re not aware of how to use some of these services.

You can’t provide those recommendations, right. doesn’t require to be super technical. you can do a lot of things on AWS without knowing how to code. you can understand a lot of things without knowing how to code. It just takes a little bit more research to understand, like you said, the difference between what you were doing in the, on prem world and now in the cloud world.

Ashish Rajan: [00:15:37] I think the simple way to explain this is this is the example that I tell people that, you know, a lot of us, a lot, a lot of us were not taught. What are the kinds of services are on LinkedIn or fake Facebook, but we all picked up. We all know how to send messages on LinkedIn. We all know how to do posts on LinkedIn.

And, I’m not writing a Python code behind it. I just test the service and like, Oh, this is [00:16:00] how it works. You make a mess, you make a few mistakes, but you learn along the way and you kind of. You know, that becomes your learning curve and then you move forward. I feel like it’s very similar from an auditing perspective as well.

The AWS landscape, it may sound scary or the cloud landscape may sound scary, but once you kind of try the dabbing into what are these really doing, you can always map them back to say an on prem world. which a lot of us will be coming in unless you’re super young. And this is the first thing you’re doing.

Yeah. You’re really lucky. I’ll tell for myself that, I’ve seen both the worlds of ordered, hardware as well from a data center and waited 30, 40 days, I think, 40 days, 40 days for the quickest for me, from memory that was like, Oh, it’s just so fast, 40 days. , and I think I was told that that’s been expedited.

Like, coming from that world, the whole AWS world where I just need to swipe a credit card and it takes only a couple of seconds before I have the opportunity to start a server and everything. It’s [00:17:00] just that a bit of, a bit of a learning curve. They should be open to that. I think that’s kind of what we’re trying to message over here, right?

AJ Yawn: [00:17:05] Yeah. So you, you just have to get over the. The fact that you don’t know and then just be willing to go and learn. I think, you know, we struggle in the cybersecurity industry a lot. You hear about imposter syndrome and people struggling. Ostrich syndrome. And, I still do it to this day. I was participant in an AWS security specialty, exam writing workshop, and I was super nervous going in.

I was, I don’t know, along with the, everybody in here, there was people from AWS. There was people that were like CTOs that companies. I was like, they all know way more than me and I, but then I started to realize that sit back, like, okay, like, Even if they do know more than you, you’re going to learn from this and putting yourself out there is worth it because you may be able to benefit someone else.

So like, I think auditors have to get over that imposter syndrome and realize that, you know, you’re a trusted party, you’re a trusted advisor for your clients. So it’s not only your responsibility to yourself to learn more and to get better, but to your client, you should want to, so you can provide a better service to them.

Ashish Rajan: [00:17:58] Yeah, hundred percent. [00:18:00] And, just took me touching on some of the comments coming in as well. Amara mentioned the fun part to me about AWS security that most people complain about is understanding what you’re responsible for from a security standpoint, knowing that is 90% of the job. That is so true.

AJ Yawn: [00:18:13] Yeah. If you, if you just, if you imagine the amount of people that I talked to that tell me that because they’re hosted on AWS, there’s their SOC two compliant or HIPAA compliant. It’s. It’s through the roof and I’m like, that’s not how this works. You have to understand that you have responsibility. That shared responsibility model is so important.

Ashish Rajan: [00:18:33] Yeah. And to your point about, we keep hammering about shared responsibility model on AWS, but it doesn’t really change between different clouds. So it does it.

AJ Yawn: [00:18:42] No. Yeah. All across the board, they all call it the same thing. It’s shared responsibility model from the, from Google cloud to Azure. There’s always that line of responsibility where at the end of the day, everybody just needs to be.

I understand that you’re responsible still for your data. You’re still responsible to protect your data. The cloud’s not going to do that. Even if you go to a. [00:19:00] A platform as a service model, you still are responsible for protecting stuff. You still have your own requirements there. And that’s the part that, like Amar said, like that’s 90% of the job.

If, if the auditors understand the shared responsibility model can go in with a clear distinction of what the cloud takes care of and what the organization takes care of that, you know, there’s not going to be some of those questions that you scratch your head at. Like, did he just ask me. Our security and our us East one region.

Like those questions will happen anymore. It’s relationships in the audit world, too. You have to be able to build that relationship between you and your customer, understanding possibility models, how you do that.

Ashish Rajan: [00:19:36] Yep. And I’ve got a question and I don’t know if he’s related, but Anthony, more of a statement tools and to have, and she goes, make it suck less.

This is good stuff. That is so true. All I hear those tools, tools, tools, tools. It’s not a relation. I’m assuming.

AJ Yawn: [00:19:53] Yeah, there is. That’s my older brother, actually.

Ashish Rajan: [00:19:55] Oh, there you go. Helo! Older brother. nice for her to join us. [00:20:00] and I’ve got a comment from they saying automation is a key for us to catch up with DevOps or good, dr.

Abdulla as well, Hey. Oh, a cheeky comment. David O’Brien is the order. Then a case, a certified architect then.

AJ Yawn: [00:20:15] maybe, you know, because I, I realized that that word architect in the industry, you know, it covers a lot wide range of people, right? You hear about cloud security architects, and sometimes those folks are actually configuring things.

And sometimes they’re just talking about stuff, and maybe, you know, auditors are, should be considered that that might force you to kind of think about things a little bit differently if you consider yourself an architect and they’re actually, going in, but I think that might scare a few. Our auditor’s away.

Ashish Rajan: [00:20:43] They just dropped off after the deadline. That’s it? This is not my future. I would not let people get into cloud again. maybe we can make this easy for them before the jump off this feed, I guess. if they want to start off with, and I think you mentioned two [00:21:00] examples already where. You spoke about, IAM credentialed report as well as the trusted advisor.

What are some of the easy things that they can knock off? A let’s just focus on AWS for the moment. What are some of the easy things they can knock off if they’re listening to this? Okay. I’ll go to things. Anything else that they should be looking at to start building those foundations? We can probably tackle.

Maybe we can tackle the country. Let me start first and then go on to the auditor side. Like as a company we’ll starting off today. And I know in the audience, we have a few stars as well. What can they be doing to begin with some of the basic foundation stuff and former auditor perspective who will be coming in?

What can they be looking at? Like, Oh, let’s just, can, can you approach it like that?

AJ Yawn: [00:21:43] Yeah. So let’s start with the, let’s start with the company. So you’re just getting started. and we won’t go too deep into this, but the company should AWS organizations. that’s one of my best pieces of advice that you can give to any organization.

Starting on AWS is use AWS organizations [00:22:00] segment out your environments, segment out all of your accounts and use some of the security features there, which we can have a whole session on AWS organizations and multi setups. but just to make sure that you’re. You’re doing the right things and you’re, you’re checking for the things that really matter.

a trusted advisor report. It’s free. It doesn’t require a setup. If you are on a business or develop a support plan, you have access to all of the checks. So we can talk a little bit deeper about trusted advisor, trusted advisor starts out where you, most people think of it as like a cost optimization tool, which is going to provide you like you should save money here, but there’s actually a security check in there.

And every account free to your account comes with six security checks. Six core security checks is with AWS cause it, and that includes things as S three bucket public access. How many times have we seen, breaches in the news about S three buckets getting breached and trusted advisor is telling you.

When those things are that’s, that’s their, security groups. Do you have security groups that are allowing open access to the world over port 22 or 33, 89 or [00:23:00] 1433? All these ports that you’re going to do, management type activities are these open to the world. And that’s another trusted advisor check.

Do you have MFA enabled on your route account? All of these basic hygiene security things that you need to do? trusted advisor will let you know, so you can set up alert from trusted advisor, but yeah. Also just, you know, constantly monitor that because it’s picking up things globally. one of the things that I, I found that organizations don’t do well when they first start on AWS, I understand the difference between a global service and a regional service.

and, and knowing that when you’re in the easy to console, if you look up in the upper, right, it’s going to say what region you’re in. But if you go to a trusted advisor, if you go to IAM or you look up in the upper, right. It’s going to say global, which means that it’s going to take a look at all of your resources across your account.

So we’ve heard in the past of, of customers having, somebody gained access to their account and stood up like a Bitcoin mining thing and like another region that they weren’t using. And they’re based out of the U S and they have like an APS one. Some bunch of ECQ instances running and they get this ridiculous bill.

You can alleviate that by using [00:24:00] trusted advisor because you’ll see, why do I have 34 instances over in the AP East region that I’ve never been in before? so, you know, I would, I would encourage organization to. Look at trusted advisor, just to make sure I’m there. Some of those things, yeah, these are, are, are, are verified.

And that’s one that doesn’t require any setup. That’s the reason why I’m harping on trusted advisor, because it doesn’t require you to know anything about any services. It’s just going to give you these basic checks. and the other thing is identity and access management. You have to do that right. you have to get am, right?

When you first log into the IAM console, there’s going to be this big pop up and it’s gonna be five core things you need to do, like set a password policy enable MFA. there’s a few other things that enablement of MFA on Rue created user just five basic things that AWS says you must do on this account.

Do that, start there. So like this is, it makes it so easy, right? To do things the right way. At least from the beginning, I am trusted advisor start there. And then from there you’ll be able to expand out. as three is such a big thing on, on AWS and then an easy access [00:25:00] point from a breach perspective.

so I think, you know, Make sure you’re doing the right things to protect your S three buckets. I, I, she did the video a few months ago about how you can, and this is for the auditors that are not technical. I, I did a video, a 20 minute video that shows how you can automatically remediate any public as three buckets without writing a line of code.

You can just click through the console and do it using AWS config, and, and using their automatic remediation steps. And I did a quick video that I’ll, I’ll try to find and share with you Ashish. It’s looking into something like that to where you can take away some of these things. That thing only cause breaches for large organizations, like the capital ones of this world, that you can alleviate from your company immediately.

Imagine you move to the cloud. And the first thing you do is tell your boss, Hey, we’ll never have any public buckets. We won’t have that problem that then you see in the news we’ll never have, and it takes 20 minutes without knowing how to code. So the non technical folks can take care of that. I’ll pause.

Before we go to the auditor, cause it looks like we have some good. Like organization type questions and then

Ashish Rajan: [00:25:55] we’ll. I think so. Yeah. I think so. As well as the first one was, is there a recommended [00:26:00] time frame between doing cloud audits? If it can be automated, does it make sense to do it frequently as you can?

And that’s because

AJ Yawn: [00:26:07] again, that’s a great question. So it really depends on what those audit. Standards or frameworks that you’re being evaluated against. Most of the standards out there require an annual audit. if you think about SOC2, you’re a SOC2 report is looking back in time. It’s looking at your last 12 months.

So every year you’re going to have to refresh that, where, similar like ISO 27,001, there’s required to do annual activity. So automating this. It makes it a lot easier from a maintenance perspective, you don’t have to worry about whether or not your controls are operating because you already made sure they are.

another very simple thing to do on AWS is a forced MFA policy where you can put an, I am policy for every user. That means if they don’t. Sign in with MFA, they get put in a group that essentially only allows them to re enable MFA. So the only thing they can do is enable MFA and then what’s enabled MFA.

They can go out and do whatever they were doing. But something as simple as that, now you don’t have to worry about the MFA control [00:27:00] anymore. And for the rest of the time that you’re on AWS, that goes away. so, you know, I think automation makes it easier to, to manage it, but you still are. Most frameworks are gonna have to do it annually.

that’s just the way.

Ashish Rajan: [00:27:10] Yeah. And I think to your point, the timeframe is still dependent on The kind of certification you’re looking at as well. Right? Because then you would still have to bring in an external loiter at that auspicious day on that year of, I guess, that, that doesn’t go away.

It’s just that more, you are being proactive about it. I think that’s how we, that’s the way I see it. Thanks for that question. You and Jay, I think hopefully that answers your question. I did want to, quickly point that out as well, that even with the timeframe and doing continuous, do you feel like it changes.

It’s a change of mindset as well, because, and coming from a, from an ISO perspective, I remember having conversations with people like, why the hell am I doing this activity manually? Even that, that flick of a switch to, like, can this be automated? Like the question for some people like.

I don’t know. I [00:28:00] never tried. I’m like, can we look at if it can be automated? Yeah. I would definitely encourage people. Even every task that you see, whether what kind of compliance it is. Just trying to take a moment and just ask yourself that question.

AJ Yawn: [00:28:12] Yup. Yeah, I think, I mean, I’m naturally lazy. So like I always look to automate things, but I think it does change that mindset.

And if you, if you’re thinking, I think just thinking through, like, when you were hired from whatever position you were hired, you were not hired to do repeat a task. You were re you were hired to think and to use your brain and to like they hired you because of what you know. So if you’re bogged down doing these repeated tasks, you’re not getting, you’re not doing the things that you were hired to do.

right. So automating allows you to get back to thinking and innovating and doing all the things you were actually hired to do. So that’s, you know, I, I agree with you, like always be thinking that, you know, how can I automate this? That’s the best way to look at most things in security, honestly.

Ashish Rajan: [00:28:49] . Or you can just find a company where you just, they just hired her to do the same thing again and again, and you can automate it, but you tell them that you’re doing this again.

And again, Exactly.

AJ Yawn: [00:28:59] And you do a lot of [00:29:00] gall meantime.

Ashish Rajan: [00:29:02] That’s right. I’ve got another question from Arun over here. How’s the guard duty findings different from trusted advisor report, I think. Oh yeah. Recently they’ve started adding sq protection too as well. So is there any comments on

AJ Yawn: [00:29:14] that? Yeah, the guard duty, new S3 stuff is really great.

the difference is guard duties is, is going to be a little bit more active and then have some alerting in their trusted advisor. You can’t set like an individual alert for a specific check. You can only get like weekly reports. So guard duty is going to kind of do some more active monitoring. It goes back to being that intrusion detection system.

And then I think if you’re, if you’re getting into the spot of AWS where you’re starting to use the guard duty config inspector, some of those tools. You should turn on security hub. security hub is an amazing service that I, that I just recently started to get really deep into, to learn. And it collects all of these findings from these different services, like a guard duty and will perform alerting remediation, kind of collect all in one spot.

and, and do a lot of the work for you from a, from a management perspective. So yeah, if you’re starting to use [00:30:00] guard duty, you know, trusted advisor becomes less of a need because you’re doing more, more. consistent monitoring versus trusted advisors, kind of like that holistic view you can come in and it’s great for auditors because it doesn’t require them to get access.

You can just give them a quick snapshot into what your environment is. but if you’re using guard duty, like it it’s way better to use that than trusted advisor for us.

Ashish Rajan: [00:30:20] also, because GuardDuty is a paid service as well, which I, it’s just really interesting. it’s. But cheeky as well. You all? Cause I think the way they introduce the service initially, Oh yes.

Use it for free. And he’s like, Oh shit, doesn’t pay money for this now. Like, Oh, I should probably. But your point being a paid service, the differences obviously stark differences there. That’s what they put more effort into guard duty than trusted advisor, I guess. But it’s a great, great baseline to start with.

Then once you start paying, you probably should want to just jump on the next one, I guess.

AJ Yawn: [00:30:49] Exactly. I’ve

Ashish Rajan: [00:30:50] got another question from David. who from the, is there a company mandate to check these services? That’s pretty much what the questions are. It was in an organization. Is there one [00:31:00] that, or is there one that you see.

AJ Yawn: [00:31:02] No, I don’t. I’m the best organism patients that I’ve seen, use these tools. They use it in an automated fashion. they use it, they, they configure them in a manner to where, you know, I have to think about them. So they’re using config to go out there and check that certain things are happening and that in the old days you would use like Lambda function to help remediate that.

But now you can do some automatic remediation, but I. I think if less, unless you have one of those really skilled cloud security architects, they’re not going to immediately go and start checking these. You’d be surprised at how many times I talked to engineers and they didn’t even know about trusted advisor because as David has mentioned in like, they don’t, they don’t necessarily care.

They’re doing it on their own. They’re, they’re managing it. their, their security vulnerabilities in a different way using like infrastructure as code or some other kinds of vulnerability management. So they’re not thinking about things from the cloud perspective. but that’s where you, you get to use some of these tools that are built.

The reason why I harp on AWS native security tools, because they were built for AWS for your services. So find [00:32:00] things in a manner that you may, if you’re using a third party tool, you know, you might still get it. You know, you might still get the information, but this tool was specifically built to help you on AWS.

Why not take a look at it? And use it. so I think hopefully as more organizations become familiar with the tools, and the adoption increases that it becomes regular to check. I think security hub is one of those tools that will increase adoption of a lot of the other security services, because it finally brings it all together.

you can have guard duty in there, may inspector config, all of these different services reporting into one spot and, and performing checks against different compliance frameworks. It’s a really great service that I think is going to increase native AWS security service adoption.

Ashish Rajan: [00:32:37] . Perfect. And that’s a great way to answer that as well.

I think I’ve got another, which is kind of like a similar vein from Nick. Yeah. What advice can you give for organization preparing for an audit against specific compliance frameworks prior to audit itself? Should they self document controls against the framework to show readiness internally? Should they consult a third party order?

What do you think.

AJ Yawn: [00:32:58] Yeah, that’s such a great question, Nick. I, [00:33:00] you know, it depends on the staff. I’m sorry for giving all these auditor, it depends answers, but

Ashish Rajan: [00:33:05] like you spoke like true consultant there,

AJ Yawn: [00:33:07] right? The business you can’t commit. Right. it really depends on the staff. If you have individuals that have background.

In these frameworks and they actually went through audits before maybe they came from a firm before that were doing audits. Let them self documented, self obsessed, because they know what you’re looking for. But if this is your first time ever going after a SOC2, don’t try to tackle that on your own.

You’re going to do things that you don’t have to do. You’re going to. knock your head against the wall because you’re trying to solve a problem that might not happen, actually be a problem. I think that’s when you consult a third party for our readiness assessment and, you know, the readiness assessments, generally, they’re geared towards giving you the answers to the test.

and you know, there’s, there’s ways that you can do that. You can go to the same firm that is going to ultimately issue your report. So if you know, you’re going to go with expert to do your SOC two, you probably should consult with them to do the readiness. Assessment. they’re not going to be able to actually implement things for you because there is independence from an audit perspective, but they can provide records and , you kind of want to get the recommended [00:34:00] from the person that’s going to do your audit.

You don’t want to get it from another person. And then you go to a different person for the audit and they’re like, well, you gotta do this differently. but you know, I would, I would, I would look at that. I think the I’m not a fan of honestly, of the readiness industry in the compliance space. I think, you know, in the compliance space, we know the interest of the test.

We know what you’re supposed to do for a SOC two. We know what’s supposed to do for an ISO 27,001, but we guard all this information. We hold it back and make people pay a lot of money for it. And I, I truly don’t understand it. And there’s probably a hopefully, audit firms on the line. Aren’t too mad at me for saying that

Ashish Rajan: [00:34:31] I was going to say, I think we just dropped off.

AJ Yawn: [00:34:34] I just, you know, we, we gate a lot of stuff in the cybersecurity industry. There’s a lot of FID, out there on, in the space that I know we can, we can do better at. So. you know, maybe find another thing you can do with readiness is fine. like , a freelance consultant or somebody to help you out.

That has some experience that will probably be a little bit cheaper than going to a third party and paying thousands of dollars. But I think if you don’t have boils down, if you don’t have the experience internally, don’t, don’t try to do a self doc out at [00:35:00] yourself. You’re going to spin your wheels. And you may not know some of the nuances that are involved and that’s when you need to get a third party.

Ashish Rajan: [00:35:06] Yeah. And I think you hit it on the nail with that one as well, because. Being a security person. it’s always easily, Oh, I I’ll get the standard. Like I’m, it cannot be that difficult, but I think it’s kind of like the, the calm that your elder brother made about tools, tools, tools, where you can spend the time and not focused on something that may be important for your company.

And just focus on this for months reading through the documentation, finding out what’s relevant, or you could just pay someone , . .

AJ Yawn: [00:35:35] , that’s spot on. And then like the other thing is like, you can do all that reading and then you go out and do something, change your environment because you misread or a standard.

so I can talk to this. There’s a really good example here. There’s a, criteria CC six dot eight. that talks about preventing malicious software and. Most organizations, our modern architectures are using Linux. They’re using like a defense in depth strategy. So they’re not installing Avi on their machines on their easy two instances anymore.

They’re just not doing [00:36:00] that. But if you’re just an auditor reading CC six dot eight, or just an internal person, you’re like, Oh, now I have to install AV on all my machines. You go out and buy this AV license and all this other stuff. And then the auditor, you actually didn’t even need to do that. and you get in trouble as you start spending money because you think you’re addressing a standard and.

You didn’t even have to. so like that I’m with you, like don’t try to do it yourself.

Ashish Rajan: [00:36:24] Oh, fine. I mean, it’s not just find a cheaper partner, I guess, to your point, you don’t have to go for the most expensive. I’m gonna dish on the big, big falls here, but I’m just saying. There are a lot of other, other people out there as well.

it doesn’t have to be a really expensive exercise just

AJ Yawn: [00:36:40] saying, yeah,

Ashish Rajan: [00:36:41] I’ve got a few more questions here. Or David does your, does a point in time annual check in the cloud even makes sense.

AJ Yawn: [00:36:49] Oh,

here, these questions are amazing. so this is really good. so. Yes. And, I’ll, I’ll, I’ll give me, I’ll give the yes, first. so, and [00:37:00] I’m going to take it from a SOC two perspective in a SOC two world. There’s a SOC two type one report, which is a point in time report. It’s a report, that talks about the suitability of designing your controls.

Essentially. Do you have controls in place? do you do background checks or do you do vulnerability scans? And that report is usually what happens at the beginning of an organization going through their compliance journey. So they do a SOC two readiness. The next thing they do is SOC two type one, because it’s less requirement from an evidence perspective.

It’s a little bit easier to complete because you’re not providing evidence over six or 12 months. You’re only providing an example pieces of evidence. You’re showing an example, S3 bucket or an example, RDS instance, that’s encrypted instead of showing all of them. So it’s a lot easier for an organization to go from.

Nothing to a SOC two type one. And what that does, it allows you to go give that report to your customers? Cause that’s ultimately what the compliance report is for right to go get business. And that allows you to go give that report to your customers without waiting the long, 12 months for the full audit.

does it actually mean anything? Not really. [00:38:00] because it’s a point in time, again, like your SOC 2 type one report would say, if we were doing this today, what’s today, September 19th. It would say as of September, 1922. So tomorrow you’re a SOC 2 type one is no longer valid because your controls were in place as of September 19th, 2020.

When you do the SOC 2 type twos, when you do ISO 27,000 ones, when you do high trust, all of these frameworks, they have a requirement to report on credit controls over a period of time. And your auditor should be asking for evidence for that period of time. They should ask for evidence. if you’re on a quarterly basis for vulnerability scans, they should ask for at least two quarters of your vulnerability, scan, evidence, and remediation evidence to cover that period of time.

And that gets into how you’re testing, operational effectiveness, making sure that your control are actually operating over a long period of time is, really what the real audits. Makes sense for us. So yes, they make sense if you’re starting David. if you’re starting out doing a SOC two type one is a great way to get a report customer’s hand and, and, and [00:39:00] prove to them that you’re on the right path, but you need to, they’re going to expect that you’re doing the type two next, that shows over a period of time and it shows in testing over that period of time.

Ashish Rajan: [00:39:09] Yeah, but this doesn’t get me to be the people that, you know, what’s the difference between SOC SOC one, SOC two or even the type one type two is, well, they’re like, Oh, he has a report. That’s all I get about it. Let’s move on. Like job done. Tick, move on. That could

AJ Yawn: [00:39:22] happen as well. Absolutely. Sometimes I’ve seen that where organization provided the SOC two type one and they thought their customer was going to want to talk to, and they didn’t even ask for it.

So they’re like, we’re not going to do a type two because they didn’t actually care.

Ashish Rajan: [00:39:35] That’s right. So before you jumped down the whole gamut of type one type two, just, just do type one and see how far you get. Oh, I’m on my way to do the Type2. No, not as a professional advice, but you know, you should do what the customers ask.

That’s what I’m saying. Right? I’ve got another question from dr. Abdulla with regards to shed. So I was security to sponsor. Does the cloud customer get advised by the cloud [00:40:00] provider? Ooh, cloud cyber security solutions are not currently being applied so that the customer can implement them

AJ Yawn: [00:40:06] once you pay them.

Ashish Rajan: [00:40:08] Yeah, I wish they were, I wish really, I really wish they were. Cause you think you would think that when you spend so much money on AWS, Azure and Google cloud, they will come and tell you. What do you need to be doing and not have yet? Yeah. Sorry. I’ll let you answer it. I’ve just got my own emotions and modern

AJ Yawn: [00:40:26] I’m with you.

I think AWS is getting better. I remember a few years ago, it was really easy when you created the S three bucket, it automatically was public. And I was like, man, come on, like, you guys are guys ready. Like, you’re just going to make this really difficult for people to do the right thing. But now when you create a bucket is automatically private.

And if you try to make it public, you get all these warnings and then even try to change it from private to public, you have to type in confirm. So like they make it, they’re making it a little bit harder to do the things, but I mean, I’m with you doctor. Like I wish. They did more when you signed up, the thing is they have the free tier and it’s so [00:41:00] easy to get started on AWS without talking to anybody.

And it’s probably not worth it from them from the big cloud provider perspective to have a dedicated account manager. Yeah. Every single person that creates an account. So you kind of have to pay a little bit to get into that upper tier. You get it in the enterprise or business support plan. you’ll be able to get access to some folks to explain things.

I will say this though, from the folks in the startup space, if you don’t have, like AWS activate credits, I would look into those because oftentimes you can get free business or free developer support plans through just being a startup, being a new organization, or a nonprofit as well. There’s a lot of resources out there where you can get access to these enterprise and developer support plans.

By using free AWS activate credits from like third parties, out there for nonprofits, there’s a website called tech soup.com where you can sign up and get some of those credits. It’s a really great way to get some of this advice that the doctor here is asking about.

Ashish Rajan: [00:41:51] Perfect. And of course another supporter of FUD is definitely out there.

You’re right. Neon. There is a lot of FUD out there, man. I’m glad we were [00:42:00] this, this demystifying, our FUD and the need for having a FUD at all. maybe we can change gears. I mean, we kind of went into the specifics quite, a bit keen to know how does this work at scale? Thank you. You know, we spoke about from a startup perspective, you can, this is what you can start.

You can, if you want, you can have your documentation. How do you scale this? say from a startup tomorrow I’m running and I know I’m turning into a Facebook tomorrow. how do I get that maturity scale? Like how, how have you seen this done well from a maturity perspective?

AJ Yawn: [00:42:30] Yeah, I’ve seen, I’ve seen it done really well and really poorly.

So really poorly is where you don’t. Thank you need more than one AWS account. If you’re a startup and you only have one AWS account, right? You’re running everything in there. You’re doing Institute, you’re doing your development, you’re doing your deployment and you’re doing it in one account. I don’t care if it’s separate regions.

You’re not thinking about the future because even from a secure, not even from a security perspective, each account comes with service limits. so there’s, you’re going to reach a limit at some point, if you can. I wrote to Facebook tomorrow. So you [00:43:00] should, the first thing that, the way that I’ve seen this done right, is from a startup perspective is they we’re in a multi account setup from the beginning with AWS organizations and using service control policies.

So if you set this up right from the beginning, you can essentially create these little bubble of accounts that only can do very specific things. if the audience isn’t familiar with AWS organizations, it’s a way to organize it. Multiple accounts on AWS and service control policies allow you to essentially put guard rails around these accounts.

So, if you think about a security account where you’re sending all of your logs, you have security hub running and you really only need an all your logs from your accounts are coming in there. And you really only need S3 and security hub. You can put a service control policy around that account to where you can’t do anything.

If somebody tries to go to the to console, to spin up an instance, they can’t do it. because the service control policy doesn’t allow it. And then you can do the same for your user accounts. You can have like a user pool account, you can have a management plan account, you can have your development, staging product, all of these things segmented out where you really limit it.

What’s going on. The thing I talked about [00:44:00] earlier, where Bitcoin mining in a random region, service control policies gets rid of that. because you can limit to where you can limit by region. You can say, I only want people to be able to access resources and services in this region or in these regions, which essentially eliminates if anybody was able to actually get into another region.

And that goes back to you and using the setup goes to your episode last week. which is why this class security podcast is so great because you cover topics that matter and kind of build on each other where you guys, you and, Alexandra was talking about, cross account access and AWS organizations requires the cross account access set up for you to use these roles, to switch into these accounts.

So if anybody here hasn’t listened to that episode, a lot of what I’m saying will make sense. Once you listen to what Alexandra and the she’s talked about with cross account access perspective, but, I would say, you know, from the beginning to do this, to do this at scale you need, we use AWS and organizations.

You need to do a multi account setup, and that allows you to essentially create the framework to grow your organization without having to rearchitect a lot. What happens that I’ve [00:45:00] seen in the past is an organization experienced some growth. They just got around the funding and now everything’s changed.

They’re starting to work with enterprise customers there. They have to rearchitect everything, but they wouldn’t just set it up right from the beginning. It would have been as simple as kind of just spinning up new. Replicas of these accounts and in these separate little environments that you’ve set up.

So if you’re on AWS and you don’t have AWS organizations set up, even if you don’t think you’re going to, even if you don’t think you’re going to scale, just go ahead and use AWS organizations to start to segment things out and, and do it the right way there.

Ashish Rajan: [00:45:32] And I think that’s a great point.

Thanks for the shout out as well, by the way, doofy do check out the, Shandra episode. as I say in Portuguese or, I mean, he’s happy with Alex, if he’s listening, I did want, I mentioned something really interesting. So the consulting work that I’ve done for some of the smaller, medium sized businesses and startups one, and you touched on this really well.

you know how a lot of us encourage people to go for multiple AWS accounts. I started listening to it kind of things. Is there [00:46:00] additional cost associate?

AJ Yawn: [00:46:01] Like why would I go for, it was going to cost me more.

Ashish Rajan: [00:46:04] so I’ll let you answer this. Is there an additional cost if I try and scale with multiple accounts?

AJ Yawn: [00:46:10] Yeah, no, you’re going to get charged for what you’re using. Same way. If you wouldn’t want to count, and then you don’t have to. The thing that I’ll all start ups are worried about is now, do I have to manage the seven different bills if I create all these accounts? So as soon as you set up. Realizations, you can set up consolidated billing, and that’s what you should do.

You should have a billing account. Your CFO does not need access to the production account. There’s no reason your, your, any of your finance people need to be in your production account. imagine there, you know, some of the nontechnical people are, and this isn’t their fault. They just don’t know. But they’re the worst.

When it comes to cyber security, they’re going to do the bad things. They’re gonna click the fishing links. They’re going to share their AWS credentials, whatever it is. So you don’t want their account to be where your customer data lives. You want their account to be in a separate billing account, which you can do with AWS organizations, but you consolidate the billing.

it’s not, you’re not going to get charged for using multiple accounts. It’s all going to go into one place and you can even set service [00:47:00] control policies around the number of resources that are spinning up. You can set some billing alerts to stop people from exceeding a certain amount. And if they try to exceed a certain amount, you can shut that down using AWS organizations, and a lot of the security services that we mentioned earlier, all integrate with AWS organizations as well.

So you can. In Security hub, you create a master, right? And then you had an invite member account. So all of your accounts now report to one security hub. You don’t have to manage eight security hubs. AWS encourages people to set up these multiple accounts setups, and then they set. They, they provide a way for you to manage it in one account.

Which is great because you know, startups, you don’t need to manage eight, nine, 10 accounts. You set this up, it takes a little bit to set up. Definitely not easy. I won’t say that. but once you set it up, when you set it up the right way, it’s so easy to scale. And also it’s gonna help you sleep at night.

Like you’re, you’re, you’re gonna know that certain things can not happen in your environment. And that’s really what you want.

Ashish Rajan: [00:47:52] Yeah. And I think resources from AWS as well on this space. And, it definitely was hard checking them out. It doesn’t take that [00:48:00] long. Usually most of the videos talk about how you can set up multiple account.

and, I do want to mention the other end of multiple accounts. As Paul has mentioned over here, multi account is a start, but unfortunately there are too many logs. Thing that they kept killing it because they have multiple accounts, like, Hmm. Yeah. That’s yeah. That’s the other extreme I’ve got, it’s calling same thing that happened with dev ops when people started using DevOps like, Oh, for Jenkins, but they’re not really using Jenkins.

That’s our DevOps one for the same thing as well. Oh, I’ve got a fellow Brazilian here. Hey, welcome man. Now kind of the tried become come of the gamut from where does one start? Where does the maturity look like? And, I think a lot of people are pumped. The order does have left already, so we can talk more, talk more freely.

Also the big follower does have left the others who want us to learn. So here they are. The one question that I’m pretty sure that they’re looking for as well as that, is there some kind of [00:49:00] a training or certification that they can be tackling with this or to make them, I guess no cloud practitioner certificate or something on the other that they can go for a, that gives them an insight or should they be going to AWS documentation?

Yeah.

AJ Yawn: [00:49:14] Yeah, I think, if you’re an auditor and you’re sitting out there and you’re like, okay, I get it. I need to know more about the technology. I need to know more about what services my customers are using. don’t try to go out and learn more about how to audit the cloud. Don’t go out and learn and get an audit cert for the cloud.

Go out and learn about the cloud. Learn about the technology, because again, you’re a partner and they’re going to ask you to provide guidance. I might advice and provide, help. Right? And they’re going to. I’m need you to understand these services. It doesn’t matter if you understand the standard. I don’t, it doesn’t matter if you know, and SOC2 CC six, six is about protecting outside sources.

That doesn’t matter if you don’t know that security groups apply to , that’s where you have to get to. And you’ll, you know, that if you’re an auditor, you probably know the standard. And if you don’t know the [00:50:00] standard in the audit world, guess what? You’re going to audit every week. You’re going to do the same thing all the time.

You’re going to keep automating people. You got a chance to get very far with the standards. So learn the technology. I would say. I really love AWS cloud practitioner. I think it’s a great start. And I think that even though it’s really AWS focus, the concepts apply across all the other cloud providers.

I don’t know the equivalent on the Azure GCP side, but I’m sure they have an entry level cert, but I would say. Pick a cloud provider learn the basics of the terminology and that’s where I would start. Yeah. But there, there are resources out there from an audit perspective. If you kind of check that block, cloud security Alliance is great.

they’re known as CSA, and you’ve probably heard of like CSA star assessments. I would look into the cloud security Alliance from a resource perspective of learning how to do these audits. because they have a couple of things. They have this cert called the CCS K, which is the certified cloud security knowledge, I believe, exam really great start that tells you the basic about stuff we’ve been talking about here, shared responsibility, how to understand different threats in the cloud.

and then they also are coming out with this new sir called the CCA [00:51:00] K and it’s the certified cloud oddity knowledge cert. which is going to be focused on how to audit the cloud. And they’re probably, I think it’s coming out in October where they’ll probably release like an initial exam for people to look into.

So they do a lot of work where they focus on the, how to audit and how to secure cloud specifically. it’s, it’s really a standard that’s, that’s specific to the cloud and what’s cool about it is their framework. They have this cloud controls matrix, and it, they map it to all of the standards they map.

It’s a fed ramp, this to ISO, to SOC2. So you can see, okay, this requirement around static code analysis is covered in all these other frameworks. So if I was looking into how to do something in the cloud, wanting to understand more about how these concepts relate to different frameworks, CSA cloud security Alliance is a really great resource, to, to, to go to and learn from I SACA, the, the organization that does the scissor, they have a nice talk that AWS audit God.

And if you’re an auditor, And you’re going to a client and you’re there in AWS. Go to ISACA get this AWS [00:52:00] audit God and just read it. When you go out to your client and they they’re talking about three groups, read what I soccer says, because they literally tell you where to go in the console, what to click on what to look for.

They tell you everything it’s laid out. And if you can read, you can audit on AWS by using this eye socket, AWS guy. God. So, those are a few resources that I’ve used in the past that have helped me at time. and, and again, like all of this information is out there. Like you were saying, the chiefs, like you can just go read the AWS documentation.

They do a great job of understanding it. One resource I would look at for all auditors is the security pillar and AWS. They have the AWS, well, architected framework, go read the security pillar white paper. I think it’s like 26 pages or so read it before bed or something. If you’re a nerd like me, but just that tells you the basics of how to set up the clouds, like there’s information out there.

But, all of that comes back to, for me, at least my opinion, it’s the technology learn the technology, the standard stuff will work out because at the end of the day, these compliance standards are saying the same thing. they’re all saying the same thing they’re saying to use MFA use privileged act, privilege, access management, role based, access [00:53:00] control, all these different things that they’re just framing up differently based off of the standard, but it’s all the same.

So if you understand the, that you’ll be able to do the

Ashish Rajan: [00:53:07] audit. That’s a, that’s an awesome answer, man. I think I’ll mind take some of those links from you as well, so they can add it in the show notes. and I think I’ll go ahead. Some of those comments coming up and you mentioned starting coordinates, as I just looked at Paul’s comment said he has used us on IQ, man.

He’s DevSecOps someone else has a dev ops as a middle name. And well, there you go. Nick is pre you should preach. Now you were in a flow there, so definitely you should start preaching, man.

AJ Yawn: [00:53:37] Yeah.

Ashish Rajan: [00:53:38] I, I know this is kind of like towards the tail end of our show as well now. So I’ve got some fun questions for you.

won’t be too many. the first one, what do you spend most time on me in not working on cloud or tech?

AJ Yawn: [00:53:51] my kids, a

Ashish Rajan: [00:53:53] kid.

AJ Yawn: [00:53:55] I spend all my time with my kids. I have a four year old and a two year old. So. they take up [00:54:00] most of my life. and I love it. Like, I, I love being a dad. It changed my life, but it’s been amazing.

So like, if I’m not, doing anything with it related to the cloud, I’m doing something goofy with them.

Ashish Rajan: [00:54:09] that was awesome. and yeah, I love the fact that. Everyone can be an adult kid with their own kids, because, well, I mean, the kids don’t understand the adults want anyways. Right. So that’s pretty awesome that you get to do that.

What is something that you’re proud of, but it’s not on your social media?

AJ Yawn: [00:54:27] Ooh, that’s a, that’s a tough one. definitely my, my kids as well there, but, I think, you know, one thing that I, that’s not on my social media is some of the things that I overcame to get to where I had to. So for example, if you could look at my LinkedIn, you can see, I play basketball at Florida state, but what most people don’t know is I broke both my ankles.

none of the same one after the other lost my scholarship, ended up, joining the military and then ended up getting my scholarship back all through this long windy journey. Of of trying to become a division one college athlete. So, I didn’t let, and that’s kind of been my mentality [00:55:00] in life throughout is like, if I didn’t let two broken ankles stopped me from becoming a division one college athlete, there’s really not much else that should stop me from doing what I want to do, but that’s just one thing, right.

There is like, I have a lot of stories of perseverance and things that are just ridiculous that I, that I, was fortunate enough to overcome, overcome, but, it’s not on my social media. Oh, wow,

Ashish Rajan: [00:55:18] man, dude, bro, baby boy angles or ankles is like chief and considering basketball is all about jumping 20 and running like Oh, good on you for coming out of it, man.

I think. And sounds like all positive as well.

AJ Yawn: [00:55:31] Yeah, it worked out.

Ashish Rajan: [00:55:32] Yeah. And now you’re now you’re an AWS cloud certified person as well. So it’s even more awesome. Final question. What’s your favorite cuisine or restaurant that you can share?

AJ Yawn: [00:55:43] Ooh. so I live in Miami, so, and, and my wife is Dominican, so I love Latin food and American food.

So there’s a Dominican dish called Saint culture, which is essentially like a big soup. and it has all kinds of meat in there and vegetables and it’s, it’s [00:56:00] amazing. So my favorite dishes, scent culture. So I would encourage anybody to look it up. If you come to Miami, I’ll have my, my mother-in-law make you some, she makes it.

Great then coach as a she’s when you come visit.

Ashish Rajan: [00:56:11] yeah. Yeah, for sure, man, like Russell saying coach, it was like this big bowl of soup. Do you have it with bread or do you just like, just gobble up the soup?

AJ Yawn: [00:56:19] generally with like rice, the Latin side, like you put it on a little bit of rice, or a lot of rice depending on how you like it, but yeah.

it’s, it’s really good.

Ashish Rajan: [00:56:27] You made me hungry, man, but thanks so much for coming in, man. where can people find you if they have any follow up questions?

AJ Yawn: [00:56:34] Yeah, LinkedIn. right now that’s my only social network. I’m not on Twitter, Instagram, anywhere else. I’m kind of just on, on LinkedIn, but, yeah, like then find me, reach out to me.

I, I spent a lot of time talking with people from LinkedIn. So, if you write me and you want advice, hop on a call with you, hop on a zoom and we’ll chat and now. be able to help you out as much as I can. This Corona virus has made the world smaller in some phase because we all got stuck at home. So we went to our computers and now we’re all [00:57:00] talking.

I met some amazing people like Nicholas. I consider him a friend and we chatted him many, many times through LinkedIn. So, you know, reach out to me on LinkedIn. I’m happy to meet with anybody and just chat. I obviously, I love talking about AWS, so. If you guys are talking about cloud and auditing, like reach out to them,

Ashish Rajan: [00:57:16] the auditor’s just like reach out to AIJ and, he will make your life easy and ready to start.

Cool. Awesome. thanks for coming in, man. I think I really appreciate it and I’m pretty sure a lot of auditors listening to this would appreciate as well. Thanks for answering all the questions that came in through. and, just so thank a lot of, thank you for coming in as well. Paul’s just mentioned Paul hand, after drop off, but thanks for coming in Paul, but.

I it’s been. Yeah, I think it’s been really interesting to hear the, you don’t really have to be super technical to be an artist. And that’s the one piece I would just take back, just learn a bit about the cloud, the same way you’ve learned about Facebook and LinkedIn. There was no manual for it. You just had to go and pick it up.

And that was, that was it. but dude, thanks so much again. And I can’t wait to have you back in again for more, I guess [00:58:00] more amazing things in AWS and auditing and cloud.

AJ Yawn: [00:58:04] . Yeah. We’ll definitely have to do this again in the near future. I have some exciting things I’m working on that, you know, I think your audience would like, so w we’ll have to, I definitely appreciate that opportunity, Ashish.

This is, this is awesome.

Ashish Rajan: [00:58:14] No problem, man. Thanks for coming in.

No items found.