This document discusses automating security operations on AWS. It begins by noting the large costs of data breaches and intellectual property theft for businesses. It then discusses how AWS can provide more security than an on-premises environment through features like automated logging and monitoring, simplified access controls, and encryption. The document emphasizes that security is a shared responsibility between AWS and the customer, with AWS securing the underlying cloud infrastructure and customers securing their applications and data. It provides examples of AWS security certifications and programs. Finally, it discusses how security automation is key to keeping up with the scale of cloud infrastructure and software delivery.
Automating your AWS Security Operations
1. Automating Security Operations on AWS
Pat McDowell, Solutions Architect at AWS
Tim Prendergast, CEO and Co-Founder at Evident.io
Shannon Lietz, DevSecOps Leader at Intuit
2. Your data and IP are your most valuable assets
$6.53M: average cost of a data breach
56%: increase in theft of hard intellectual property
70% of consumers indicated they’d avoid businesses following a security breach
Sources: https://www.csid.com/resources/stats/data-breaches/ and http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
3. AWS can be more secure than your existing environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than their on-premises environment. How?
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
4. AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls ON the Cloud:
• Customer applications & content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption
5. Constantly monitored
The AWS infrastructure is protected by extensive network and security monitoring systems:
• Network access is monitored by AWS security managers daily
• AWS CloudTrail lets you monitor and record all API calls
• Use VPC Flow Logs to monitor and analyze network traffic to your instances
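The CloudTrail bullet above is where automated detection usually starts. As an added example (not from the deck), the following Python runs a world-open ingress check over a constructed CloudTrail file; the record layout follows CloudTrail's Records/requestParameters JSON (the same shape as the gzipped files CloudTrail delivers to S3), while the sample events, account id and group ids are made up.

```python
import json
from typing import Dict, List

# Constructed sample CloudTrail file (not real data): three API calls,
# two AuthorizeSecurityGroupIngress and one read-only DescribeInstances.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-05-10T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-05-10T12:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3e", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2016-05-10T12:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": None},
]})

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def world_open_ingress(trail_json: str) -> List[Dict[str, str]]:
    """One finding per ingress rule that opens a port to the whole Internet."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = rec.get("requestParameters") or {}
        for perm in params.get("ipPermissions", {}).get("items", []):
            # IPv4 and IPv6 ranges live in separate lists in the CloudTrail record.
            ranges = (perm.get("ipRanges", {}).get("items", [])
                      + perm.get("ipv6Ranges", {}).get("items", []))
            cidrs = {r.get("cidrIp") or r.get("cidrIpv6") for r in ranges}
            if cidrs & WORLD_CIDRS:
                findings.append({
                    "time": rec["eventTime"],
                    "actor": rec.get("userIdentity", {}).get("arn", "?"),
                    "group": params.get("groupId", "?"),
                    "port": f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')}",
                })
    return findings
```

Each finding names the actor, the group and the port range, which is what an alert or an automated revoke needs.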
6. Highly available
The AWS infrastructure footprint protects your data from costly downtime:
• 33 Availability Zones in 12 regions for multi-synchronous geographic redundancy
• Retain control of where your data resides for compliance with regulatory requirements
• Mitigate the risk of DDoS attacks using services like AutoScaling, Route 53
7. Integrated with your existing resources
AWS enables you to improve your security using many of your existing tools and practices:
• Integrate your existing Active Directory
• Use dedicated connections as a secure, low-latency extension of your data center
• Provide and manage your own encryption keys if you choose
11. You are responsible for protecting your data/assets
Customer: Security on the Cloud
• Customer Data
• Applications
• Identity & Access Management
• OS, Network, Firewall
• Client-side Encryption; Server-side Encryption; Network Traffic Protection
AWS: Security of the Cloud
• Compute, Storage, Networking
• AWS Global Infrastructure (Regions, AZs, Edge Locations)
12. You have a huge quantity of intelligence to process
This is just a SUBSET of an average company’s data flows [diagram of data flows, including Amazon Elasticsearch]
20. Evident Security Platform (ESP)
• Built by cloud pioneers from Adobe, AWS, and Netflix
• Agentless deployment (<5 mins)
• Continuous security scanning & alerting across several AWS Services
• Aligns your Security and DevOps teams on protecting cloud assets
• Tracks security state to support audit, compliance, and incident response needs
21. Evident & Intuit
Leader in Cloud Security Automation & Innovation + Leader in DevSecOps
23. The Context… Cloud Security Operations
Imagine:
• Software defined security
• Thousands of changes a day
• The biggest “big data” problem
• Mean Time to Resolution (MTTR): 6 months
Fast MTTR… the final frontier
24. So what hinders “secure” innovation @ speed & scale?
1. Manual processes & meeting culture
2. Point-in-time assessments
3. Friction for friction’s sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
35. Account Sharding is a new control!
Splitting cloud workloads into many accounts has a benefit. Accounts should contain less than 100% of a cloud workload. Works well with APIs; works dismally with forklifts.
What is your appetite for risk?
[Diagram: Cloud Workload Templates deployed across the Cloud Provider Network into three Cloud Accounts at 33% each, with an Attacker shown against them]
36. Long live APIs…
Everything in the cloud should be an API, even Security…
Protocols that are not cloudy should not span across environments.
If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it:
– Messaging
– Databases
– File Transfers
– Logging
[Diagram: a User reaches Routing, Data Replication, Application Gateway, File Transfers, Log Sharing and Messaging inside the Cloud Provider Network through “My API”; the event stream alongside reads “Tested machine image…”, “Tested instances...”, “Tested roles...”, “Tested passwords...”, “New instance created…”, “Instance 12345 changed…”, “User ABC accessed Instance 12345...”]
37. Host-Based Controls
Shared Responsibility and Cloud require host-based controls.
Instrumentation is everything!
Fine-grained controls require more scrutiny and bigger big data analysis.
Agents & Outbound Reporting to an API are critical.
[Diagram: Instances in the Cloud Provider Network reporting outbound, with the same event stream as the previous slide (“Tested machine image…” through “User ABC accessed Instance 12345...”)]
38. Don’t Hug Your Instances… (10 DAYS)
Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.
• Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.
• Make sure to keep a snapshot for forensic and compliance purposes.
• Use config management automation to make changes part of the stack.
Refresh routinely; refresh often!
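An added example, not from the deck, of the 10-day refresh with the forensic snapshot taken before the instance goes away; the input mirrors the EC2 DescribeInstances response shape, and the instances, volume ids and clock are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

MAX_AGE = timedelta(days=10)  # the refresh interval the slide cites
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed sample shaped like EC2 DescribeInstances output (not real data):
# one 12-day-old instance that is overdue and one 3-day-old instance that is not.
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0123456789abcdef0", "State": {"Name": "running"},
     "LaunchTime": NOW - timedelta(days=12), "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa"}}]},
    {"InstanceId": "i-0fedcba9876543210", "State": {"Name": "running"},
     "LaunchTime": NOW - timedelta(days=3), "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0bbb"}}]},
]}]}


def stale_instances(describe_output: Dict, now: datetime) -> List[Tuple[str, str, int]]:
    """(instance_id, root_volume_id, age_days) for running instances older than MAX_AGE."""
    stale = []
    for reservation in describe_output["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue
            age = now - inst["LaunchTime"]
            if age <= MAX_AGE:
                continue
            # Locate the root EBS volume so it can be snapshotted before termination.
            root = next((m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", [])
                         if m["DeviceName"] == inst.get("RootDeviceName")), None)
            stale.append((inst["InstanceId"], root, age.days))
    return stale


def refresh_plan(describe_output: Dict, now: datetime) -> List[Tuple[str, str]]:
    """Ordered (api_action, resource_id) steps: snapshot for forensics, then terminate.
    With boto3 these map to ec2.create_snapshot(VolumeId=...) and
    ec2.terminate_instances(InstanceIds=[...]); the replacement instance comes from
    the Auto Scaling group or blue/green deployment, not from this script."""
    plan = []
    for instance_id, root_volume, _ in stale_instances(describe_output, now):
        if root_volume:
            plan.append(("CreateSnapshot", root_volume))
        plan.append(("TerminateInstances", instance_id))
    return plan
```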
39. Overcoming Inconvenience
• Use built-in transparent encryption when possible.
• Use native cloud key management and encryption when available.
• Develop backup strategies for keys and secrets.
• Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor.
• Use APIs to exchange data and rotate encryption.
40. Migrating Security to the Left where it can get built-in
[Diagram: pipeline stages design, build, deploy, operate, each with its question: “How do I secure my app?”, “What component is secure enough?”, “How do I secure secrets for the app?”, “Is my app getting attacked? How?”; typical gates for security checks & balances are marked, and a “faster security feedback loop” arrow points back toward design]
Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits.
Most costly mistakes happen during design.
Security is a Design Constraint.
41. Use Cloud Native Security Features...
Cloud native security features are designed to be cloudy.
Audit is a primary need!
Configuration and baseline checks baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.
Be deliberate about how to use built-in security controls and who has access.
44. Red Team, Security Operations & Science
• API Key Exposure -> 8 hrs
• Default Configs -> 24 hrs
• Security Groups -> 24 hrs
• Escalation of Privs -> 5 days
• Known Vuln -> 8 hrs
45. Cloud Security Disaster Recovery & Forensics is a different animal…
Regional recovery is not enough to cover security woes.
Security events can quickly escalate to disasters.
Got a disaster recovery team?
Multi-Account strategies with separation of duties can help.
Don’t hard code if you can help it.
Encryption is inconvenient, but necessary…
[Diagram: Cloud Workload Templates and Disaster Templates deployed to Cloud Accounts in the Cloud Provider Network, split 50% / 50%]
46. Compliance Operations as Continuous Improvement
https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf
47. Code can solve the great divide
Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
Translation from paper to code can lead to mistakes.
Traditional security policies do not translate 1:1 to Full Stack deployments.
Data Center:
• Lock your doors
• Badge in
• Authorized personnel only
• Background checks
Cloud Provider Network:
• Choose strong passwords
• Use MFA
• Rotate API credentials
• Cross-account access
EVERYTHING AS CODE
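As an added example of “everything as code” (not from the deck), the cloud-side bullets “Use MFA” and “Rotate API credentials” are coded as checks over an IAM credential report; the column names are the report’s real ones (a subset), the rows are constructed, and the 90-day key age is an assumed threshold.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

KEY_MAX_AGE = timedelta(days=90)  # assumed rotation threshold (not from the deck)
NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed rows using a subset of the real IAM credential report columns.
REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,true,2015-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2016-04-01T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2015-11-01T09:00:00+00:00,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,false,false,true,2016-05-20T09:00:00+00:00,false,N/A
"""


def _when(value: str):
    """Parse a report timestamp; the report uses N/A / no_information for 'never'."""
    return None if value in ("N/A", "no_information") else datetime.fromisoformat(value)


def evaluate(report_csv: str, now: datetime) -> List[Tuple[str, str]]:
    """Return (user, rule) for every violation of the three coded rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # "Use MFA": anyone with a console password must have MFA active.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "mfa_required"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            # The root user should carry no long-lived API credentials at all.
            if user == "<root_account>":
                findings.append((user, "root_access_key"))
            # "Rotate API credentials": active keys older than KEY_MAX_AGE.
            rotated = _when(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > KEY_MAX_AGE:
                findings.append((user, f"rotate_access_key_{n}"))
    return findings
```

In a live account the CSV comes from the IAM GenerateCredentialReport/GetCredentialReport calls, and the findings list is what a scheduled job would feed into alerting or ticketing.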
49. Speed & Ease can increase security!
Fast remediation can remove the attack path quickly.
Resolution can be achieved in minutes compared to months in a datacenter environment.
Continuous Delivery has the advantage of being able to publish over an attacker.
Built-in forensic snapshots and blue/green publishing can allow for systems to be recovered while an investigation takes place.
[Diagram: three APP/DB stacks labelled ATTACKED, FORENSICS and RECOVERED]
50. This could be your MTTR… Mean Time to Resolution (MTTR): 6 months
51. Get Involved and Join the Community
devsecops.org
@devsecops on Twitter
DevSecOps on LinkedIn
DevSecOps on Github
RuggedSoftware.org
Compliance at Velocity
Editor’s Notes
At AWS we have a shared security model, where we are responsible for some aspects of security, whereas you get to choose other security measures you put in place.
As AWS we are responsible for the security of the underlying infrastructure. That of course includes physical security across our regions, our data centers, our availability zones, our edge locations. We are also responsible for the security of the foundation services that underpin the AWS environment. This includes the infrastructure that supports our compute, storage, database and networking services.
As a customer, then, you have a choice of what security controls you choose to deploy to protect your virtual networks, servers, your data and what access control policies you wish to put in place. For highly sensitive content and applications you may want to put very stringent controls in place. For less sensitive applications, you may want to dial security back – you get to choose.
We are also certified and accredited by a wide range of regulators and industry bodies. Here is a list of key bodies that have either certified us, or for which we have a workbook of guidance showing you how to validate an AWS environment against these standards.
Top Row (left to right):
• ISO 27001 Information Security Management
• ISO 9001 Quality Management Systems Requirements
• American Institute of Certified Public Accountants (SOC 1, SOC 2, SOC 3 reports)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Federal Information Security Management Act
• Cloud Security Alliance
Middle Row:
• TUV Trust IT – independent certification body for the German Federal Office for Information Security (BSI) IT Baseline protection methodology (IT Grundschutz)
• UK G-Cloud Digital Marketplace
• HIPAA (Health Insurance Portability and Accountability Act)
• Federal Information Processing Standards 140-2
• Americans with Disabilities Act Section 508
• Motion Picture Association of America
Bottom Row:
• US International Traffic in Arms Regulations
• Department of Defense Cloud Security Model
• Criminal Justice Information Systems (CJIS) Security Policy
• Federal Risk and Authorization Management Program (FedRAMP)
• Australian Information Risk Assurance Program
• US Department of Education (FERPA)
<FOR MORE IN DEPTH QUESTIONS REFER THE CUSTOMER TO http://aws.amazon.com/compliance FOR MORE DETAILS>