
(SEC303) Architecting for End-To-End Security in the Enterprise


This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments, as told by the AWS Professional Services security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.

Slide transcript:

  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Hart Rossman, AWS Principal Security Consultant; Bill Shinn, AWS Principal Security Solutions Architect. October 2015. SEC303 Architecting for End-to-End Security in the Enterprise
  2. What to expect from this session • Learn patterns for integrating AWS adoption into your security program • Provide a “Day 1” approach to each AWS account • Highlight the top security patterns used by the most mature AWS customers
  3. Patterns adopted by highly successful security programs: Security program; Security as code; Minimum security baseline; Asset management; Security management layer
  4. Patterns adopted by highly successful security programs: Security program; Security as code; Minimum security baseline; Asset management; Security management layer; Ubiquitous encryption; Just-in-time access; Ubiquitous logging; DevSecOps; Security services and API
  5. Patterns adopted by highly successful security programs (divider; same ten patterns as slide 4)
  6. Security program – Framework: Directive; Preventive; Detective; Responsive
  7. Security program – Foundations: Control framework; Roles and responsibilities; Risk register and security metrics
  8. Security program – Ownership as part of DNA • Promotes a culture of “everyone is an owner” for security • Makes security a stakeholder in business success • Enables easier and smoother communication (Distributed, Embedded)
  9. Security program – Enterprise security strategy • AWS CAF components help organize • Principles driving transformation of security culture • Realized by taking specific actions and measuring progress
     Capability | Principle | Action
     Directive | Infrastructure as code | Skill up security team in code and automation, DevSecOps
     Directive | Design guardrails not gates | Architect to drive toward good behavior
     Preventive | Use the cloud to protect the cloud | Build, operate, and manage security tools in the cloud
     Preventive | Stay current, run secure | Consume new security features; patch and replace frequently
     Preventive | Reduce reliance on persistent access | Establish role catalog; automate KMI via secrets service
     Detective | Total visibility | Aggregate AWS logs and metadata with OS and app logs
     Detective | Deep insights | Security data warehouse with BI and analytics
     Responsive | Scalable incident response | Update IR SOP for shared responsibility framework
     Responsive | Forensic readiness | Update workloads to support forensic readiness and containment
  10. Security program: Extending the Shared Responsibility Model through partners. AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); Foundation Services (Compute, Storage, Database, Networking); Partner Ecosystem: Technology; Partner Ecosystem: Services; Enterprise Security (Governance and Risk, Business, Security Operations, Compliance, Product and Platform Teams)
  11. Security program – Account governance – New accounts. Baseline requirements: AWS Config; AWS CloudTrail; InfoSec’s cross-account roles; AWS account credential management (“root account”); Federation; AWS account ownership; AWS account contact information; AWS Sales and Support relationship
  12. Security program – Account governance – Existing accounts. Baseline requirements: the same list as slide 11 (AWS Config; AWS CloudTrail; InfoSec’s cross-account roles; AWS account credential management (“root account”); Federation; AWS account ownership; AWS account contact information; AWS Sales and Support relationship)
  13. Security program: Account governance – metrics
  14. Demo: 1. Cross-account roles 2. Measuring CloudTrail status
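Added example (not from the deck): a check that measures CloudTrail status across accounts, as the slide 14 demo describes, and turns the result into the account governance metric of slide 13. It evaluates data shaped like boto3's cloudtrail.describe_trails() and get_trail_status() responses; the account data and the central bucket name are constructed, and in practice each account's responses would be fetched through the InfoSec cross-account role.

```python
# Added example: CloudTrail baseline measurement over constructed per-account data
# shaped like describe_trails()["trailList"] and get_trail_status(Name=...).
CENTRAL_BUCKET = "central-cloudtrail-logs"   # assumed InfoSec-owned log bucket

# Constructed sample: one compliant account, one with gaps, one with no trail.
ACCOUNTS = {
    "111111111111": {
        "trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                       "LogFileValidationEnabled": True,
                       "S3BucketName": CENTRAL_BUCKET}],
        "status": {"org-trail": {"IsLogging": True}},
    },
    "222222222222": {
        "trailList": [{"Name": "regional-trail", "IsMultiRegionTrail": False,
                       "LogFileValidationEnabled": False,
                       "S3BucketName": "local-bucket"}],
        "status": {"regional-trail": {"IsLogging": False}},
    },
    "333333333333": {"trailList": [], "status": {}},
}

def evaluate_account(trails, statuses):
    """Return the baseline gaps for one account; an empty list means compliant."""
    gaps = []
    active_global = [t for t in trails
                     if t.get("IsMultiRegionTrail")
                     and statuses.get(t["Name"], {}).get("IsLogging")]
    if not active_global:
        gaps.append("no active multi-region trail")
    for t in trails:
        if not t.get("LogFileValidationEnabled"):      # tamper evidence for delivered logs
            gaps.append(f"{t['Name']}: log file validation disabled")
        if t.get("S3BucketName") != CENTRAL_BUCKET:    # logs must leave the owning account
            gaps.append(f"{t['Name']}: not delivering to central bucket")
    return gaps

def measure(accounts):
    """Per-account gaps plus the fraction of compliant accounts (the metric)."""
    report = {acct: evaluate_account(d["trailList"], d["status"])
              for acct, d in accounts.items()}
    compliant = sum(1 for gaps in report.values() if not gaps)
    return report, compliant / len(accounts)

if __name__ == "__main__":
    report, coverage = measure(ACCOUNTS)
    for acct, gaps in report.items():
        print(acct, "OK" if not gaps else "; ".join(gaps))
    print(f"CloudTrail coverage: {coverage:.0%}")
```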
  15. Patterns adopted by highly successful security programs (divider; same ten patterns as slide 4)
  16. Security as code: Using AWS CodeDeploy. Imaging instance memory: LiME (https://github.com/504ensicslabs/lime)
  17. Security as code 1. Use the cloud to protect the cloud 2. Security infrastructure should be cloud aware 3. Expose security features as services via API 4. Automate everything so everything scales
  18. Security as code: Innovation, stability, & security. Business; Development: Build it faster; Operations: Keep it stable; Security: Protect it
  19. Security as code: A shorter path to the customer. Requirements gathering; Release; Automated build and deploy (diagram labels: some learning, minimal learning, lots of learning)
  20. Security as code: Deploying more frequently lowers risk. Rare release events (“waterfall methodology”): larger effort, “increased risk”. Frequent release events (“agile methodology”): smaller effort, “minimized risk”. (Diagram axes: change vs. time)
  21. Security as code: Agile user stories 1. Epics vs. stories: an epic is delivered over many sprints; a user story is delivered in one sprint or less (icebox → backlog → sprint). 2. Product owner: the product owner decides the priority of each story, is responsible for accepting the story, and is responsible for defining the detailed requirements and detailed acceptance criteria for the story.
  22. Security as code: Agile user stories 3. Persona (or role): a persona/role is a fictitious user or actor within or of the system. 4. Acceptance criteria: what does good look like? How will we know? 5. Summary format: every story should have the same summary format: As a (persona/role) I want (function) so that (benefit).
  23. Responsibility & accountability: Own it. Govern it. Not my monkeys; not my circus. Operating with shared responsibility: How do I know? Do I carry a pager for this service? Do I make the rules? Should I be consulted or informed?
  24. Patterns adopted by highly successful security programs (divider; same ten patterns as slide 4)
  25. Evolution of compliance at AWS: AWS certifications; Customer enabler docs; Customer case studies; Security by Design tech (SbD). AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
  26. Security by Design – SbD. Security by Design (SbD) is a modern security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. It is a systematic approach to ensure security; instead of relying on after-the-fact auditing, SbD provides control insights throughout the IT management process. AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
  27. What you do in any IT environment • Firewall rules • Network ACLs • Network time pointers • Internal and external subnets • NAT rules • Gold OS images • Encryption algorithms for data in transit and at rest. Golden code: security translation to AWS (AWS JSON translation): Gold image, NTP and NAT; Network ACLs, subnets, FW rules
  28. SbD: The next big thing in IT GRC. AWS provides Governance, Risk, and Compliance teams: 1. The right SbD tech – AWS 2. SbD whitepaper 3. AWS GoldBase: (a) Security controls implementation matrix (b) Architecture diagrams (c) AWS CloudFormation templates – industry compliance templates for PCI, NIST 800-53, HIPAA, FFIEC, and CJIS (d) User guides and deployment instructions 4. AWS Config Rules – auditing 5. AWS Inspector – advanced in-host security and audit 6. Training. AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
  29. Patterns adopted by highly successful security programs (divider; same ten patterns as slide 4)
  30. Demo: Cross-account asset attributes
  31. Patterns adopted by highly successful security programs (divider; same ten patterns as slide 4)
  32. Peer review: Security management layer using VPC peering • Shared infrastructure security services moved to a services VPC • 1-to-1 peering = app isolation • Security groups and NACLs still apply • Security groups still bound to a single VPC. Diagram: an AWS region with a services VPC (AD, DNS, monitoring, logging), a public-facing web app, internal company apps #1–#4, internal company dev, internal company QA, and an HA pair of VPN endpoints to the company data center
  33. Patterns adopted by highly successful security programs (divider; same ten patterns as slide 4)
  34. Ubiquitous encryption: EBS, RDS, Amazon Redshift, S3, Glacier, with AWS CloudTrail and AWS IAM. Encrypted in transit and at rest; fully auditable; fully managed keys; restricted access
  35. Patterns adopted by highly successful security programs (divider; same ten patterns as slide 4)
  36. Reduced reliance on long-term, privileged access • AssumeRole and GetFederationToken API calls baked into the heart of developer behavior, federation, and cross-account governance • Just-in-time access: use APIs to only open up the network for management when necessary. Change and break/fix ticketing executes scripts to build bastions or open up security groups upon approval or stage.
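Added example (not from the deck): the ticket-gated, time-boxed security group opening that slide 36 describes, written as a function that turns an approved change or break/fix ticket into EC2 authorize_security_group_ingress parameters plus the time at which the same rule must be revoked. The ticket fields, the allowed ports and the maximum window are assumptions; the AWS calls are left to the caller so the validation logic runs offline.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

ALLOWED_PORTS = {22, 3389}          # management ports the pattern may open (assumed)
MAX_WINDOW = timedelta(hours=4)     # longest JIT window ever granted (assumed)
NOW = datetime(2015, 10, 7, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo

class TicketError(ValueError):
    """Raised when a ticket does not justify opening the network."""

def jit_ingress(ticket, group_id, now):
    """Validate an approved ticket and return the parameters for
    ec2.authorize_security_group_ingress() plus the UTC time at which the same
    parameters must be passed to ec2.revoke_security_group_ingress()."""
    if ticket.get("state") != "approved":            # no approval, no access
        raise TicketError("ticket is not approved")
    source = ip_network(ticket["source_cidr"])
    if source.num_addresses != 1:                    # one operator host, never a range
        raise TicketError("source must be a single host (/32)")
    port = int(ticket["port"])
    if port not in ALLOWED_PORTS:
        raise TicketError(f"port {port} is not a management port")
    # The ticket may ask for less than the maximum, never more.
    window = min(timedelta(minutes=int(ticket.get("minutes", 60))), MAX_WINDOW)
    expires = now + window
    params = {
        "GroupId": group_id,
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": str(source),
                          "Description": f"{ticket['id']} JIT until {expires.isoformat()}"}],
        }],
    }
    return params, expires

# Constructed ticket, as a change system might hand it to the script.
SAMPLE_TICKET = {"id": "CHG-0042", "state": "approved",
                 "source_cidr": "203.0.113.7/32", "port": 22, "minutes": 600}

if __name__ == "__main__":
    params, expires = jit_ingress(SAMPLE_TICKET, "sg-0123456789abcdef0", NOW)
    print(params)
    print("revoke the same rule at", expires.isoformat())
```

The rule description carries the ticket id and expiry, so a sweep over describe_security_groups can find and revoke anything the scheduled revocation missed.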
  37. Patterns adopted by highly successful security programs (divider; same ten patterns as slide 4)
  38. Ubiquitous logging: Log flow. Amazon EC2 instances and AWS CloudTrail write raw logs to Amazon S3 (access governed by permissions); parse in Amazon EMR and upload to Amazon Redshift; analyze with standard BI tools; archive to Amazon Glacier. Encrypted end to end!
  39. Ubiquitous logging: What are we looking for? • Unused permissions • Overuse of privileged accounts • Usage of keys • Anomalous logins • Policy violations • System abuse … • Collect data once, many use cases
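Added example (not from the deck): three of the slide 39 questions answered over CloudTrail records, in the form the EMR parsing step of slide 38 would run. The records, the failure threshold and the privileged role catalog are constructed for the example; the field names are CloudTrail's.

```python
from collections import Counter, defaultdict

FAILED_LOGIN_THRESHOLD = 3   # console failures per user before alerting (assumed)
PRIVILEGED_ROLES = {"arn:aws:iam::111111111111:role/InfoSecAdmin"}   # assumed role catalog

def rec(event, ident, **extra):
    """Build a minimal CloudTrail record with the fields the checks below use."""
    return {"eventName": event, "userIdentity": ident, **extra}

# Constructed records using CloudTrail's JSON field names (not real logs).
FAILED = rec("ConsoleLogin", {"type": "IAMUser", "userName": "alice"},
             sourceIPAddress="203.0.113.5", responseElements={"ConsoleLogin": "Failure"})
RECORDS = [
    rec("ConsoleLogin", {"type": "Root", "accountId": "111111111111"},
        sourceIPAddress="198.51.100.10", responseElements={"ConsoleLogin": "Success"}),
    FAILED, FAILED, FAILED,                      # three failures in a row for alice
    rec("DescribeInstances", {"type": "IAMUser", "userName": "alice",
                              "accessKeyId": "AKIAEXAMPLE0001"}, sourceIPAddress="203.0.113.5"),
    rec("AssumeRole", {"type": "IAMUser", "userName": "bob"},
        requestParameters={"roleArn": "arn:aws:iam::111111111111:role/InfoSecAdmin"}),
]

def findings(records):
    """Flag root usage, repeated console login failures and privileged role assumption."""
    out, failures = [], Counter()
    for r in records:
        ident = r["userIdentity"]
        who = ident.get("userName") or ident.get("type")
        if ident.get("type") == "Root":                      # root should never be used day to day
            out.append(("root-usage", who, r["eventName"]))
        if r["eventName"] == "ConsoleLogin":
            if r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                failures[who] += 1
                if failures[who] == FAILED_LOGIN_THRESHOLD:  # alert once per streak
                    out.append(("repeated-login-failure", who, r["sourceIPAddress"]))
            else:
                failures[who] = 0                            # a success resets the streak
        role = r.get("requestParameters", {}).get("roleArn")
        if r["eventName"] == "AssumeRole" and role in PRIVILEGED_ROLES:
            out.append(("privileged-assume", who, role))
    return out

def key_usage(records):
    """Which API calls each access key made: input for usage-of-keys and unused-key reviews."""
    usage = defaultdict(set)
    for r in records:
        key = r["userIdentity"].get("accessKeyId")
        if key:
            usage[key].add(r["eventName"])
    return dict(usage)
```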
  40. Patterns adopted by highly successful security programs (divider; same ten patterns as slide 4)
  41. DevOps to DevSecOps pipeline. Dev commits to the repo (version control); the CI server pulls code, builds the package (code, config, tests) and sends a build report to dev, stopping everything if the build failed; the package builder produces AMIs; the deploy server pushes config and installs into the Test, Staging and Prod environments, with AWS CloudFormation templates generated for each environment. DevSecOps adds a security repository with vulnerability and pen testing • Security infrastructure tests • Security unit tests in the app
  42. Continuous integration/deployment and automation for security infrastructure. Application track: Dev writes app code, builds/compiles code, unit tests app code, packages the application (tar, war, zip; yum, rpm) into the artifact repository, then deploys the app (deploy application only). Infrastructure track: IT Ops writes infra code (CloudFormation), validates templates, builds AMIs, then deploys infrastructure (deploy infrastructure only). Deployment is automated across the Dev, Test, DR and Prod environments.
  43. Building DevSecOps teams • Make DevOps the security team’s job. • No siloed/walled-off DevOps teams. • Encourage {security} developers to participate openly in the automation of operations code. • Embolden {security} operations participation in testing and automation of application code. • Take pride in how fast and frequently you deploy.
  44. Patterns adopted by highly successful security programs (divider; same ten patterns as slide 4)
  45. Security as code: Architectural elements. Shared Responsibility Model; Identity and access control; Logging and monitoring; Infrastructure security; Data protection; Secure continuous integration/continuous delivery toolchain; Configuration and vulnerability analysis; Big data and predictive analytics
  46. Getting started. Story: As a security analyst I want to monitor interactions with the AWS API so that we can baseline user behavior. Sprint 1: Enable AWS CloudTrail globally. Story: As a security operations team member I want to take action on AWS CloudWatch alarms so that we respond responsibly. Sprint 2: Integrate alerting into security workflow & ticketing
  47. AWS Cloud Adoption Framework. Strategy and Value Domain: Why to invest? Why change? How to measure success? Process Domain: How to structure cloud programs? How to ensure quality of delivery? People Domain: What skills and capabilities are required? How to compose the migration team? Maturity Domain: What are the priorities? When to deliver solutions? Platform Domain: How to design foundations? How to migrate workloads? Operating Domain: What are the key ops capabilities? What is the new ITSM cycle? Security Domain: Will risk increase? Can we run the cloud secure and compliant?
  48. AWS Marketplace network/security partner ecosystem. Security: Infrastructure security; Logging and monitoring; Identity and access control; Configuration and vulnerability analysis; Data protection. Network infrastructure; SaaS
  49. Remember to complete your evaluations!
  50. Thank you!
  51. Related Sessions
