
Rackspace: Best Practices for Security Compliance on AWS


Rackspace provides a comprehensive set of tooling and expertise on AWS that further unlocks your ability to secure your environment efficiently and cost effectively. The dynamic environment of data, applications, and infrastructure can pose challenges for businesses trying to manage security while following compliance regulations. To mitigate these challenges, businesses need a scalable security solution to ensure their data is safe, secure, and stable. In this webinar, Brad Schulteis, Jarret Raim and Todd Gleason will discuss the topic of security control requirements on AWS through the lens of three common compliance scenarios: HIPAA, PCI-DSS, and generalized security compliance based on the NIST Risk Management Framework. Watch our webinar to learn how Rackspace combines AWS and security expertise with tools like AWS CloudFormation, AWS CodeCommit and AWS CodeDeploy to help customers meet their security and compliance needs.

Join us to learn:
• Best practices for securely operating workloads on the AWS Cloud
• Architecting a secure environment for dynamic workloads
• How to incorporate Security by Design principles to address compliance needs across 3 use cases: HIPAA, PCI-DSS and generalized security compliance based on the NIST Risk Management Framework

Who should attend: Directors and Managers of Security, IT Administrators, IT Architects, and IT Security Engineers


Rackspace: Best Practices for Security Compliance on AWS

  1. Rackspace: Best Practices for Security Compliance on AWS
     Brad Schulteis, CISSP, CCSP, Sr. AWS & Security Architect, Fanatical Support for AWS, Rackspace
     Jarret Raim, Director, Managed Security, Rackspace
     Sai Reddy Thangirala, Solutions Architect, Amazon Web Services
  2. Agenda
     • AWS Security Overview
     • Security By Design Overview – What is it?
     • Four phases of Security by Design with use cases
       • Phase 1 - Understand your requirements
       • Phase 2 - Build a secure environment that fits your requirements and implementation
       • Phase 3 - Enforce the use of the templates
       • Phase 4 - Perform validation activities
     • Active security for advanced cyber threats
     • A complete security solution: AWS Infrastructure + Security by Design + Active security monitoring
  3. Your data and IP are your most valuable assets
     • $6.53M: average cost of a data breach
     • 56%: increase in theft of hard intellectual property
     • 70% of consumers indicated they’d avoid businesses following a security breach
     Sources: https://www.csid.com/resources/stats/data-breaches/ and http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
  4. AWS can be more secure than your existing environment
     In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
     • Automating logging and monitoring
     • Simplifying resource access
     • Making it easy to encrypt properly
     • Enforcing strong authentication
  5. Constantly monitored
     The AWS infrastructure is protected by extensive network and security monitoring systems:
     • Network access is monitored by AWS security managers daily
     • AWS CloudTrail lets you monitor and record all API calls
     • Amazon Inspector automatically assesses applications for vulnerabilities
  6. Highly available
     The AWS infrastructure footprint protects your data from costly downtime
     • 35 Availability Zones in 13 regions for multi-synchronous geographic redundancy
     • Retain control of where your data resides for compliance with regulatory requirements
     • Mitigate the risk of DDoS attacks using services like Auto Scaling and Route 53
  7. Integrated with your existing resources
     AWS enables you to improve your security using many of your existing tools and practices
     • Integrate your existing Active Directory
     • Use dedicated connections as a secure, low-latency extension of your data center
     • Provide and manage your own encryption keys if you choose
  8. Key AWS Certifications and Assurance Programs
  9. AWS and you share responsibility for security
     • AWS takes care of the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
     • You get to define your controls ON the Cloud: Customer applications & content, Identity & Access Control, Network Security, Inventory & Config, Data Encryption
  10. Security on AWS
     • Secure Foundation – Security ‘of’ the cloud: Cloud Infrastructure (Compute, Storage, Network)
     • Building A Secure Environment – Security ‘on’ the cloud, Fanatical Support for AWS: Identity & access management, Workload security, Data encryption, Security logging
       • Navigator: Rackspace consults and provides best practices. Customer implements.
       • Aviator: Rackspace implements best practices on behalf of the customer.
     • Actively Securing Your Environment – Rackspace Managed Security (managed security & compliance assistance)
       • People: CSOC, 24x7x365 support, Shared expertise
       • Product: Best-of-breed technology, Host security, Network security, Advanced analytics
       • Process: Immediate response, Detect faster, Remediate faster
  11. What is security?
     noun | se·cu·ri·ty | səˈkyo͝orədē
     • The state of being free from danger or threat
     • Procedures followed or measures taken to ensure the safety of an IT system
     • Illusory restrictions bolted on post-implementation to satisfy a regulatory requirement
  12. What is Security by Design (SbD)?
     • Modern, systematic security assurance approach
     • Formalizes AWS account design, automates security controls and streamlines auditing
     • Provides control insights throughout the IT management process
     Security works best when it is ubiquitous and automatic
  13. Why is this important?
     The dynamic environment of data, applications, and infrastructure poses challenges for businesses trying to manage security while following compliance regulations. To mitigate these challenges, businesses need a reliable security solution to ensure their data is safe, secure, and stable.
     Confidentiality – Integrity – Availability
  14. Four Phased Implementation – SbD approach
     1. Understand your requirements
     2. Build a “secure environment” that fits your requirements
     3. Enforce the use of the templates
     4. Perform validation activities
  15. #1: Understand your requirements
     • Security Controls: Access, Audit, Config Mgmt, Contingency Plans
     • Data Classification: Data Type, Data Impact, Data Sensitivity
     • Data Usage: Storage, Retention, Processing, Sharing
     • Regulations: Governmental, Organizational, Individual
  16. Security requirements
     Data Classification
     • What data do I have?
     • What is its intended use?
     • Which do I need to protect?
     • Who am I protecting it from?
     Data Usage
     • What can I do with the data?
     • Where can I process it?
     • How should it be accessed?
     • Can I destroy it, and when should I?
     Regulations
     • Am I bound by legal restrictions?
     • Do I need a 3rd party auditor?
     • Must I obtain a certification?
     • Must I leverage a specific framework?
     Security Controls
     • Who can access the environment?
     • How are access requests audited?
     • How are changes controlled?
     • How do I detect improper access?
  17. Understand your requirements example: PCI-DSS
     Data Classification
     • Cardholder Data (CHD)
     Data Usage
     • Encrypt transmission of cardholder data across open, public networks (Req #4)
     Regulations
     • 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission
     Security Controls
     • Enforce the use of HTTPS Elastic Load Balancers (ELBs) with compliant TLS policies
     • Enforce the use of encrypted (HTTPS) Amazon S3 connections
  18. #2: Build a “secure environment”
     What are the different options for securing your environment?
     • Service Selection
     • Encryption
     • Network Segmentation
     • User Permissions
     • Authorized OS Images
     • Resource Protection
     • Logging
     What is the appetite for risk?
     • Each choice comes with trade-offs
  19. Balancing security requirements with agility
     Establish “blueprint” architectures to allow workload owners as much autonomy as possible while automating enforcement
     Create Modularized Templates
     • Use nested stacks, e.g. Main, Network, Compute, Data, Permissions and Logging configuration
     • Use parameters whenever possible
     • Use stack policies to protect running resources
     • Use IAM policies to restrict the permissions of users
  20. Build a secure environment example: NIST 800-53
     What are the different options for securing your environment?
     • Service Selection
     • Encryption
     • Network Segmentation
     • User Permissions
     • Authorized OS Images
     • Resource Protection
     • Logging
     What is the appetite for risk?
     • Each choice comes with trade-offs
  21. Build a secure environment example: NIST 800-53 CM-7a | LEAST FUNCTIONALITY
     • Configure the information system to provide only essential capabilities
     The AWS CloudFormation templates that are used to deploy this architecture pre-configure it to provide only essential capabilities for a multi-tiered web service.
     https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/
  22. NIST 800-53: Configure the information system to provide only essential capabilities
     There will never be ANY additional resources that were not essential parts of the application.
     {
       "AWSTemplateFormatVersion": "2010-09-09",
       "Description": "Provides only resources directly required for the application",
       "Resources": {
         "rRDSInstanceMySQL": {
           "Type": "AWS::RDS::DBInstance",
           ...
         },
         "rAutoScalingGroupApp": {
           "Type": "AWS::AutoScaling::AutoScalingGroup",
           "DependsOn": "rRDSInstanceMySQL",
           ...
         },
         "rELBApp": {
           "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
           "DependsOn": "rAutoScalingGroupApp",
           ...
         },
         ...
       }
     }
     https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/
  23. Build a secure environment example: NIST 800-53 SC-7B | BOUNDARY PROTECTION
     • Implement subnetworks for publicly accessible system components that are logically separated from internal organizational networks
     This architecture features subnetworks for publicly accessible system components that are logically separated from internal private subnetworks via AWS security groups, refined routing tables, and NACLs.
     https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/
  24. NIST 800-53: Implement subnetworks for publicly accessible system components that are logically separated from internal organizational networks
     "ProductionVpcTemplate": {
       "Type": "AWS::CloudFormation::Stack",
       "Properties": {
         "TemplateURL": {
           "Fn::Join": ["", [
             { "Fn::FindInMap": ["CustomVariables", "vTemplateUrlPrefix", "Value"] },
             "templates/template-vpc-production.json"
           ]]
         },
         "TimeoutInMinutes": "20",
         "Parameters": {
           "pRegionAZ1Name": { "Ref": "pAvailabilityZoneA" },
           "pRegionAZ2Name": { "Ref": "pAvailabilityZoneB" },
           "pProductionVPCName": "Production VPC",
           "pBastionSSHCIDR": "0.0.0.0/0",
           "pDMZSubnetACIDR": "10.100.10.0/24",
           "pDMZSubnetBCIDR": "10.100.20.0/24",
           "pManagementCIDR": "10.10.0.0/16",
           "pAppPrivateSubnetACIDR": "10.100.96.0/21",
           "pAppPrivateSubnetBCIDR": "10.100.119.0/21",
           "pDBPrivateSubnetACIDR": "10.100.194.0/21",
           "pDBPrivateSubnetBCIDR": "10.100.212.0/21"
         }
       }
     }
     https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/
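A lint check for the nested-stack parameter block on slide 24, added here as an example of my own (it is not part of the NIST Quick Start or of this deck). It takes the slide's parameter values as constructed input, confirms each subnet CIDR is a valid network address with its host bits clear, checks that the DMZ, app and DB subnets do not overlap, and flags an SSH ingress CIDR of 0.0.0.0/0 so the bastion is reachable only from the management network. Run as written it reports the bastion CIDR and the three /21 subnet values on the slide whose host bits are set.

```python
import ipaddress

# Constructed input: the parameter values shown on slide 24 for the production
# VPC nested stack, copied as-is so the lint can be run against them.
SLIDE_PARAMETERS = {
    "pBastionSSHCIDR": "0.0.0.0/0",
    "pDMZSubnetACIDR": "10.100.10.0/24",
    "pDMZSubnetBCIDR": "10.100.20.0/24",
    "pManagementCIDR": "10.10.0.0/16",
    "pAppPrivateSubnetACIDR": "10.100.96.0/21",
    "pAppPrivateSubnetBCIDR": "10.100.119.0/21",
    "pDBPrivateSubnetACIDR": "10.100.194.0/21",
    "pDBPrivateSubnetBCIDR": "10.100.212.0/21",
}


def lint_vpc_parameters(params):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Admin ingress: a /0 SSH CIDR means the bastion accepts connections from
    # any source; the baseline expects it to be limited to the management CIDR.
    for name, cidr in params.items():
        if name.endswith("SSHCIDR") and ipaddress.ip_network(cidr).prefixlen == 0:
            findings.append(f"{name}: {cidr} allows SSH from any address; "
                            f"restrict it to {params.get('pManagementCIDR', 'the management CIDR')}")
    # Subnet CIDRs: strict parsing rejects a block whose host bits are set, so a
    # mistyped subnet is caught before the template is deployed.
    subnets = {}
    for name, cidr in params.items():
        if "Subnet" not in name:
            continue
        try:
            subnets[name] = ipaddress.ip_network(cidr)  # strict=True by default
        except ValueError:
            findings.append(f"{name}: {cidr} is not a valid network address (host bits set)")
    # Segmentation: DMZ, app and DB subnets must not overlap one another.
    names = sorted(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"{a} ({subnets[a]}) overlaps {b} ({subnets[b]})")
    return findings


if __name__ == "__main__":
    for finding in lint_vpc_parameters(SLIDE_PARAMETERS):
        print("FINDING:", finding)
```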
  25. #3: Enforce the use of templates
     Life is about choices
     • What if the ONLY choices are “pre-approved templates”?
     • Templates that guarantee ALL configurations comply with your organization’s security standards
  26. Key services
     AWS CloudFormation
     • Templates that automate the deployment and configuration of all AWS compute, network, storage and other services to your exact specifications
     • Stack policies control who can modify what and how
     Amazon Machine Image (AMI)
     • “Gold image” templates for the root (OS) volume of an instance
     • Launch permissions control who can use the AMI to launch instances
     AWS CodeDeploy
     • Optional for fully automating custom code deployment as well
  27. #4: Perform Validation Activities
     100% Audit-Ready
     • Environments deployed from templates are audit-ready
     • Rules defined within the templates are the baseline for comparison
     100% Audit Coverage
     • Auditing itself is configured and enabled via template
     • Auditing is performed continuously and in real time
     • Properly scoped permissions prevent and detect attempts to tamper with or disable auditing
     100% Visibility
     • Audit information captures the state of all deployed resources
     100% Remediation
     • Non-compliant resources are flagged and alerts are generated
     • These alerts can be used to trigger actions such as quarantining the offending resource
     100% Completely complete
  28. Key services
     AWS Config
     • Point-in-time current settings of your architecture
     • Execute a sweeping check of controls across the environment
     • Detects in real time when a resource configuration differs from an expected state (the template from step 3) and flags the resource as noncompliant
     AWS CloudTrail
     • Records AWS API calls for your account
     • Quickly and easily take immediate action on API activity
     Amazon CloudWatch
     • Sends notifications of alarms and conditional breaches
  29. Perform validation activities example: HIPAA
     Data Classification
     • Protected Health Information (PHI)
     Data Usage
     • Customers should only process, store and transmit PHI in the HIPAA-eligible services defined in the BAA.
     Regulations
     • There are nine HIPAA-eligible services today, including DynamoDB, EBS, EC2, Amazon EMR, ELB, Glacier, Amazon RDS [MySQL and Oracle], Redshift, and S3.
     Security Controls
     • Restrict the use of unauthorized services with IAM policies
     • Use AWS Config to detect any unauthorized services in a HIPAA VPC
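An offline model of the second control on slide 29, added as my own example (not Rackspace's or AWS's code): the evaluation logic of a custom AWS Config rule that marks resources in a designated HIPAA VPC, or tagged as holding PHI, NON_COMPLIANT when their service is not on the slide's eligible list, and checks the RDS engine against the MySQL/Oracle restriction. The mapping of the slide's service names to Config resource types, the DataClassification tag and the vpc-hipaa id are assumptions, the inventory is constructed, and the official eligible-service list has grown since this deck.

```python
# HIPAA-eligible services named on the slide, as AWS Config resource types (assumed
# mapping of the slide's service names; EMR and Glacier are omitted from this example).
HIPAA_ELIGIBLE_TYPES = {
    "AWS::DynamoDB::Table",
    "AWS::EC2::Volume",                        # EBS
    "AWS::EC2::Instance",
    "AWS::ElasticLoadBalancing::LoadBalancer",
    "AWS::RDS::DBInstance",                    # MySQL and Oracle engines only
    "AWS::Redshift::Cluster",
    "AWS::S3::Bucket",
}


def evaluate_item(item, hipaa_vpc_id):
    """Return the Config compliance value for one (simplified) configuration item."""
    config = item.get("configuration", {})
    # In scope: the resource sits in the HIPAA VPC or is tagged as holding PHI (assumed tag).
    if config.get("vpcId") != hipaa_vpc_id and item.get("tags", {}).get("DataClassification") != "PHI":
        return "NOT_APPLICABLE"
    rtype = item["resourceType"]
    if rtype not in HIPAA_ELIGIBLE_TYPES:
        return "NON_COMPLIANT"          # service not on the eligible list, e.g. Lambda
    if rtype == "AWS::RDS::DBInstance":
        engine = config.get("engine", "")
        if not (engine == "mysql" or engine.startswith("oracle")):
            return "NON_COMPLIANT"      # eligible service, ineligible engine
    return "COMPLIANT"


def evaluate_inventory(items, hipaa_vpc_id):
    """Map resourceId -> compliance value, the shape a rule reports back to Config."""
    return {item["resourceId"]: evaluate_item(item, hipaa_vpc_id) for item in items}


# Constructed inventory (not real resources), in the shape of Config configuration items.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-web01",
     "configuration": {"vpcId": "vpc-hipaa"}, "tags": {}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-phi",
     "configuration": {"vpcId": "vpc-hipaa", "engine": "mysql"}, "tags": {}},
    {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-pg",
     "configuration": {"vpcId": "vpc-hipaa", "engine": "postgres"}, "tags": {}},
    {"resourceType": "AWS::Lambda::Function", "resourceId": "fn-etl",
     "configuration": {}, "tags": {"DataClassification": "PHI"}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-dev01",
     "configuration": {"vpcId": "vpc-dev"}, "tags": {}},
]
```

In a deployed rule the same dictionary would be turned into put_evaluations() calls, and the NON_COMPLIANT entries feed the alerting and quarantine actions described on slide 27.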
  30. Automate all the (secure) things
     • Secure and automated methods reduce the human errors that lead to non-compliance
     • Secure configurations should be automatic, and therefore simple to achieve
     • Fine-grained access control is easier when it happens automatically
     • With the volume of automatically generated audit logs, reviewing them in retrospect is impossible: automate alerting on compliance-related events and know in real time
  31. It’s a multi-cloud world
  32. Security is a business enabler
     How do we enable the business while reducing risk? Embrace the rate of change of the business.
  33. It’s truly about the people and process
     Technology alone will not succeed: deep human expertise, leading technologies, threat intelligence, 24x7x365 remediation, lower TCO
  34. A security strategy for the new normal
     • Prioritize your data and understand its business value
     • Abandon the traditional reactive posture triggered by alerts
     • Enable immediate action to protect data and minimize business impact
     Our Security Approach: Rapid Detection, Rapid Response, Deep Expertise
  35. Security on AWS (repeat of slide 10: Secure Foundation, Building A Secure Environment with Navigator or Aviator, and Actively Securing Your Environment with Rackspace Managed Security)
  36. Some parting advice…
     • Understand your data protection requirements
     • Your needs dictate your security strategy but…
     • AWS makes it easier; make secure decisions your default where it makes sense
     Useful Links: AWS Security Best Practices; CIS Amazon Web Services Foundations
  37. Thank you! To learn more, please visit us at rackspace.com/aws or follow our blog at blog.rackspace.com/aws
  38. Questions & Answers
