My SACON.IO conference presentation about how to architect secure IaaS/PaaS services.
Presentation mostly uses AWS examples, but relevant also to Azure / GCE and similar services.
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Architect secure cloud services.
1. SACON
SACON International 2017
Moshe Ferber
CSA Israel
@Ferbermoshe
India | Bangalore | November 10 – 11 | Hotel Lalit Ashok
Architecting secure cloud services
2. SACON 2017
About myself
Information security professional for over 20 years
Founder, partner and investor at various cyber initiatives and startups
Popular industry speaker & lecturer (DEFCON, BLACKHAT, RSA and more)
Founding committee member for ISC2 CCSP certification.
CCSK Certification lecturer for the Cloud Security Alliance.
Member of the board at Macshava Tova – Narrowing societal gaps
Chairman of the Board, Cloud Security Alliance, Israeli Chapter
5. SACON 2017Physical Security
Network & Data Center
Security
Hypervisors Security
Virtual Machines & OS
security
Data layer & development
platform
Application
Identity Management
DATA
Audit & Monitoring
IaaS PaaS SaaS
Consumer
responsibility
Provider
responsibility
The shared responsibility model
6. SACON 2017
The CISO Challenge
How to build secure
applications
How to correctly evaluate your
provider
IaaS/PaaS SaaS
9. SACON 2017
Architecting for availability
US WEST
Region
AZ1 AZ2
AZ3 AZ4
Singapore
Region
AZ1 AZ2
AZ3
Mumbai
Region
AZ1 AZ2
Regions vs. Availability Zones
10. SACON 2017
Architecting for availability
DB
Mumbai AZ-1
DB DB
Internet
Load Balancer
Redundancy in one region
Mumbai AZ-2
WWWWWW WWW
Mumbai AZ-3
11. SACON 2017
Architecting for availability
DB
US-EAST1
DB DB
External CDN
US-EAST2 2nd provider
Redundancy in multiple regions/clouds
WWWWWWWWW
12. SACON 2017
Architecting for availability
• CDN providers can add resiliency, flexibility & redundancy
• Look for vendors who can add functionality:
DDOS protection
Web application firewall
Load Balancing
DNS management
13. SACON 2017
Architecting for network separation
Mumbai AZ-2 Mumbai AZ-3Mumbai AZ-1
DB
WWW WWWWWW
DBDB
Understanding VPC (Virtual Private Cloud) / Virtual Network
DB
WWW WWWWWW
DBDB
VPC A: Production
VPC B: Test
14. SACON 2017
DB Subnet MNGT subnetWeb SUBNET
WWW
WWW
Understanding VPC (Virtual Private Cloud) / Virtual Network
WWW
Router
DB
DB
DB
MQ
Monitoring
Logs
Production VPC 192.168.0.0
192.168.2.0192.168.1.0
203.0.115.0
192.168.3.0
Architecting for network separation
15. SACON 2017
Understanding VPC (Virtual Private Cloud) / Virtual Network
VPC is logical grouping of subnets &
instances, virtualizing physical data
center features
Architecting for network separation
16. SACON 2017
Understanding Security groups
Mumbai AZ-2 Mumbai AZ-3Mumbai AZ-1
WWW WWWWWW
DBDB DB
Security Group: web-servers Allow: 80/443
Security Group: DB-servers Allow: 3306 (MYSQL)
Architecting for network separation
17. SACON 2017
The advantages of Micro Segmentation
Architecting for network separation
Traditional Micro segmentation
19. SACON 2017
Architecting for network separation
Test VPC
Router
WWW
Application
DB
Internet
Production VPC
WWW
Application
DB
NAT
Gateway
Corporate
network
VPN
Access VPC
Bastion
Host
S3 EndPoint
20. SACON 2017
Web Application Firewall options
Architecting for application separation
3rd party as a
service
Internal
Provider
service
WAF Proxy
inside cloud
WAF client on
web instances
21. SACON 2017
Build application separation
Architecting for application separation
Utilize MQ services
to separate
application
components
Use API Gateways
& Serverless
functions
22. SACON 2017
Architecting for application separation
Front End
Back End
Queue
Service
S3 Storage
Serverless
Function
ApplicationServices
24. SACON 2017
Limiting blast Radius
Root Account
IAM Admin Security
Auditor
Billing
Admin
Super Admin
Service 1
Admin
Service 2
Admin
25. SACON 2017
Limiting blast Radius
Organization
Production
account
Test Account MNGT
Account
Production VPC
WWW
Application
DB
NAT
Test VPC
WWW
Application
DB
NAT
MNGT VPC
WWW
Application
DB
NAT
26. SACON 2017
Understanding storage options
Architecting for data security
Volume Storage
• Attached to a single
instance
• Not shared, accessible
only from the instance
• Useful in storing
instance OS
environment ,
application binaries ,
DB files and anything
instances need to
operate
Object Storage
• Provider managed
• Files are placed in
buckets
• Versioning & meta data
kept for all objects
• Files are accessible by
API or HTTP
• Independent from AZ
or instances
dependencies
• Useful for storing static
applications data,
backups, source code
and config files
Database service
• Provider managed
• Files are accessible by
DB API
• Vary between different
services: (structured,
unstructured and
more)
• Usually customer has
no access to underlying
DB infrastructure
CDN
• Cloud provider
proprietary service or
external 3rd party
services
• Provide flexibility and
resiliency
• Useful in serving static
content at late latency
• Usually accompanied
by additional services:
WAF, DDOS protection,
Load balancer…
27. SACON 2017
Volume storage
Architecting for data security
Backups
• Usually snapshots
• Customer
responsibility to keep
snapshots
inaccessible
• Don’t keep
application secrets
on disk
Redundancy
• Not redundant
• Access is made by a
service on the
instance OS (web
service I.e)
• If service fails, no
access
Encryption
• Storage encryption
with provider service
(i.e. AWS KMS, Azure
keyvault)
• Or OS Level
encryption software
(i.e. truecrypt,
bitlocker)
28. SACON 2017
Object storage
Architecting for data security
Backups
• Keeps versioning
system of files
• External backups
are recommended
(explore provider
services)
Redundancy
• Availability is
responsibility of
the provider
• Increased
availability can be
achieved by
replicating to other
regions
Encryption
• Service side:
Storage encryption
with provider
service (i.e. AWS
KMS, Azure key
vault)
• Or Client side using
provider SDK
29. SACON 2017
Database Storage (Database as a service)
Architecting for data security
Backups
• Automated backups
are made by provider
• External exports and
backups should be
made periodically,
just as any other
database
Redundancy
• Availability is
responsibility of the
provider but managed
by customer
• Architect multiple AZ
Encryption
• Service side: Storage
encryption with
provider service
usually at the
database level
• TDE can be used here
as well to encrypt at
table/ column level
30. SACON 2017
Encryption
Architecting for data security
OS
Storage
DB
Application
Encryption Layer
TDE
Storage Encryption
Full Disk Encryption Software
KMS
HSM
Virtual
instance
KEYS
31. SACON 2017
A r c h i t e c t i n g f o r C I / C D
Source: Cloud Security Alliance Guidelines
32. SACON 2017
A r c h i t e c t i n g f o r C I / C D
Source : AWS Security best practices
33. SACON 2017
A r c h i t e c t i n g f o r L o g M a n a g e m e n t
Portal Logs
• Cover API &
GUI access
Traffic Logs
• Network
traffic inside
VPC
Instances Logs
• Extracted
just like
traditional
OS
34. SACON 2017
A r c h i t e c t i n g f o r M o n i t o r i n g
Cloud Trail
S3
SIEM
Agent
Cloud WATCH
(Rules & Alerts)
SNS
(notifications)
VPC Flow Logs
OS Logs