The Lean Cloud for Startups with AWS - Architectural Best Practices & Automating your Infrastructure
Automating your AWS Security Operations
Transcript of Automating your AWS Security Operations
Automating Security Operations on AWS
Pat McDowell, Solutions Architect at AWS
Tim Prendergast, CEO and Co-Founder at Evident.io
Shannon Lietz, DevSecOps Leader at Intuit
$6.53M: Average cost of a data breach
56%: Increase in theft of hard intellectual property
70%: Of consumers indicated they’d avoid businesses following a security breach
Your data and IP are your most valuable assets
https://www.csid.com/resources/stats/data-breaches/ http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
In June 2015, IDC released a report which found that most customers can be more secure in AWS than their on-premises environment. How?
Automating logging and monitoring
Simplifying resource access
Making it easy to encrypt properly
Enforcing strong authentication
AWS can be more secure than your existing environment
AWS and you share responsibility for security
AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure
Regions
Availability Zones, Edge Locations
Identity & Access Control
Network Security
Inventory & Config
Data Encryption
Customer applications & content: You get to define your controls ON the Cloud
AWS takes care of the security OF the Cloud
Constantly monitored: The AWS infrastructure is protected by extensive network and security monitoring systems:
• Network access is monitored by AWS security managers daily
• AWS CloudTrail lets you monitor and record all API calls
• Use VPC Flow Logs to monitor and analyze network traffic to your instances
Highly available: The AWS infrastructure footprint protects your data from costly downtime:
• 33 Availability Zones in 12 regions for multi-synchronous geographic redundancy
• Retain control of where your data resides for compliance with regulatory requirements
• Mitigate the risk of DDoS attacks using services like AutoScaling, Route 53
Integrated with your existing resources: AWS enables you to improve your security using many of your existing tools and practices:
• Integrate your existing Active Directory
• Use dedicated connections as a secure, low-latency extension of your data center
• Provide and manage your own encryption keys if you choose
Key AWS Certifications and Assurance Programs
Security Automation is a key differentiator for cloud companies
You are responsible for protecting your data/assets
Customer Data
Applications Identity Access Management
OS Network Firewall
Client-side Encryption
Server-side Encryption
Network Traffic Protection
Compute Storage Networking
AWS Global Infrastructure (Regions, AZs, Edge Locations)
AWS: Security of the Cloud
Customer: Security on the Cloud
You have a huge quantity of intelligence to process
This is just a SUBSET of an average company’s data flows
Amazon Elasticsearch
The Human Challenge: Humans have finite scale…
…Then we turn to automation.
Security breach
Why automate Security?
We’re less than one million security professionals short of “equilibrium” and lagging…
No matter how good your process is, Alert Fatigue will trump it…
Why automate Security? Alert Psychology proves that fatigue destroys process
As infrastructure and software delivery accelerate, there is no alternative.
The fallacy of choice…
Security
DevOps
Trust
Security Automation is good for everyone
DevOps builds Value
Security builds Trust
Customers / businesses need Trust and Value
Evident Security Platform (ESP)
• Built by cloud pioneers from Adobe, AWS, and Netflix
• Agentless deployment (<5 mins)
• Continuous security scanning & alerting across several AWS Services
• Aligns your Security and DevOps teams on protecting cloud assets
• Tracks security state to support audit, compliance, and incident response needs
Leader in Cloud Security Automation & Innovation
Leader in DevSecOps
Evident & Intuit
Cloud Security Operations: “boldly go where no human has gone before…”
Shannon Lietz, DevSecOps Leader at Intuit, @devsecops
The Context… Cloud Security Operations
Imagine: Software defined security. Thousands of changes a day. The biggest “big data” problem.
Mean Time to Resolution (MTTR): 6 months
Fast MTTR…the final frontier
So what hinders “secure” innovation @ speed & scale?
1. Manual processes & meeting culture
2. Point in time assessments
3. Friction for friction’s sake
4. Contextual misunderstandings
5. Decisions being made outside of value creation
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
SECURITY IS LAST MINUTE UNPLANNED, UNSCHEDULED WORK… BUMMER!!!!
In the Cloud,
Everything is Code
Let’s switch some things around…
Data Center
Network
Servers
Virtualization
Operations
Platforms
Buyer Identifier
Cloud Account(s)
Virtual IP Addresses
Containerization
Appliances
Storage
Security Features
Applications
Ephemeral Instances
Scale on Demand
IAAS, PAAS, SAAS
Resource Testing
Built-In Security
Long-Term Contracts
Partner Marketplaces
Slow-ish Decisions
Experiments
Software Defined Security requires significant intimate knowledge, context & understanding.
Critical Cloud Security Operations Elements:
– Zoning & Blast Radius Containment
– Instrumentation & Monitoring to create the feedback loop
– Security as Code Platform (Whitelisting, Encryption, Authorization)
– API Catalog & Testing for the Full Stack
– Asset Inventory & Hardened Baselines [Software, Services, Components, etc.]
The Basic Cloud Model
Cloud Provider Network
Backbone
Cloud Platform (Orchestration)
Network Compute Storage
Cloud Account(s)
Load Balancers
Compute Instances
VPCs
Block Storage
Object Storage
Relational Databases
NoSQL Databases
Containers
Content Acceleration
Messaging Email
Utilities
Key Management
API/Templates
Certificate Management
Partner Platform
Internet
Backbone
Developers have lots of options…
Reality… (diagram: Data Center, Internet and multiple Cloud Provider Networks)
And Attackers also have lots of options…
Victims
Attackers
Shift controls & mindset
Security Monitoring
Cloud Security Operations in the Cloud… Monitor & Inspect Everything
insights, security science
security tools & data
Cloud accounts: S3, Glacier, EC2, CloudTrail
ingestion
threat intel, continuous response
security feedback loop (speed matters)
What’s this look like in practice?
Etc…Etc…Etc…
Account Sharding is a new control! Splitting cloud workloads into many accounts has a benefit. Accounts should contain less than 100% of a cloud workload. Works well with APIs; works dismally with forklifts. What is your appetite for risk?
(diagram: Cloud Workload Templates deployed 33% / 33% / 33% across three Cloud Accounts in a Cloud Provider Network, and an Attacker)
Long live APIs… Everything in the cloud should be an API, even Security… Protocols that are not cloudy should not span across environments. If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it:
– Messaging
– Databases
– File Transfers
– Logging
(diagram: Cloud Provider Network; tested machine image, tested instances, tested roles, tested passwords; events such as “New instance created…”, “Instance 12345 changed…”, “User ABC accessed Instance 12345...”; User Routing, Data Replication, Application Gateway, File Transfers, Log Sharing, Messaging; My API)
Host-Based Controls: Shared Responsibility and Cloud require host-based controls. Instrumentation is everything! Fine-grained controls require more scrutiny and bigger big data analysis.
Agents & Outbound Reporting to an API are critical
Don’t Hug Your Instances… Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.
• Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.
• Make sure to keep a snapshot for forensic and compliance purposes.
• Use config management automation to make changes part of the stack.
• Refresh routinely; refresh often!
10 DAYS
Overcoming Inconvenience: Use built-in transparent encryption when possible. Use native cloud key management and encryption when available. Develop backup strategies for keys and secrets. Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor. Use APIs to exchange data and rotate encryption.
Migrating Security to the Left where it can get built-in
design, build, deploy, operate
How do I secure my app?
What component is secure enough?
How do I secure secrets for the app?
Is my app getting attacked? How?
Typical gates for security checks & balances
Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits
Most costly mistakes happen during design
Security is a Design Constraint
faster security feedback loop
Use Cloud Native Security Features... Cloud native security features are designed to be cloudy. Audit is a primary need! Configuration and baseline checks baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle. Be deliberate about how to use built-in security controls and who has access.
Secure Baselines & Patterns help a lot!
Security Monitoring
Egress Proxy CFn Template
Bastion CFn Template
Secure VPC CFn Template
CloudTrail CFn Template
Secrets Bundle
MarketPlace
templates, resources, patterns, services
Fanatical Security Testing
static: UX & Interfaces, Micro Services, Web Services Code, CFn Templates
dynamic: Build Artifacts, Deployment Packages, Resources, Patterns & Baselines
run-time: Security Groups, Account Configuration, Real-Time Updates, Patterns & Baselines
Red Team, Security Operations & Science
• API Key Exposure -> 8 hrs
• Default Configs -> 24 Hrs
• Security Groups -> 24 Hrs
• Escalation of Privs -> 5 D
• Known Vuln -> 8 Hrs
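As an added illustration (not code from the talk, Evident.io or Intuit), the following Python measures a set of constructed findings against the resolution targets above and computes the MTTR the deck keeps returning to; it assumes “5 D” means five days, and the finding type names are my own.

```python
from datetime import datetime
from statistics import mean

# Resolution targets from the slide, in hours. "5 D" is read as 5 days (assumption).
SLA_HOURS = {
    "api_key_exposure": 8,
    "default_config": 24,
    "security_group": 24,
    "privilege_escalation": 5 * 24,
    "known_vuln": 8,
}

# Constructed sample findings (not real incidents): (type, opened, resolved or None), UTC.
FINDINGS = [
    ("api_key_exposure", "2016-03-01T09:00:00", "2016-03-01T12:30:00"),
    ("security_group", "2016-03-01T10:00:00", "2016-03-02T16:00:00"),
    ("privilege_escalation", "2016-03-02T08:00:00", "2016-03-05T08:00:00"),
    ("known_vuln", "2016-03-03T01:00:00", "2016-03-03T11:00:00"),
    ("default_config", "2016-03-04T00:00:00", None),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def evaluate(findings, now):
    """Check each finding against its SLA and compute MTTR (hours) over resolved ones.
    breached: resolved later than the target; open_past_sla: still open with the
    target already exceeded; unknown_type: no target defined (a policy gap, not a pass).
    """
    now_dt = _parse(now)
    durations, breached, open_past_sla, unknown = [], [], [], []
    for ftype, opened, resolved in findings:
        if ftype not in SLA_HOURS:
            unknown.append(ftype)
            continue
        end = _parse(resolved) if resolved else now_dt  # open findings measured to "now"
        hours = (end - _parse(opened)).total_seconds() / 3600
        if resolved:
            durations.append(hours)
            if hours > SLA_HOURS[ftype]:
                breached.append((ftype, hours))
        elif hours > SLA_HOURS[ftype]:
            open_past_sla.append((ftype, hours))
    return {
        "mttr_hours": mean(durations) if durations else None,
        "breached": breached,
        "open_past_sla": open_past_sla,
        "unknown_type": unknown,
    }
```

Running `evaluate(FINDINGS, "2016-03-05T12:00:00")` on the sample set reports the two late closures, the open default-config finding already past its 24-hour target, and an MTTR of 28.875 hours.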
Cloud Security Disaster Recovery & Forensics is a different animal… Regional recovery is not enough to cover security woes. Security events can quickly escalate to disasters. Got a disaster recovery team? Multi-Account strategies with separation of duties can help. Don’t hard code if you can help it. Encryption is inconvenient, but necessary…
(diagram: Cloud Workload Templates and Disaster Templates split 50% / 50% across Cloud Accounts in a Cloud Provider Network)
Compliance Operations as Continuous Improvement
https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf
Code can solve the great divide: Paper-resident policies do not stand up to constant cloud evolution and lessons learned. Translation from paper to code can lead to mistakes. Traditional security policies do not 1:1 translate to Full Stack deployments.
Data Center
• Lock your doors
• Badge in
• Authorized personnel only
• Background checks
Cloud Provider Network
• Choose strong passwords
• Use MFA
• Rotate API credentials
• Cross-account access
EVERYTHING AS CODE
Security Decision Support
Speed & Ease can increase security! Fast remediation can remove an attack path quickly. Resolution can be achieved in minutes compared to months in a datacenter environment. Continuous Delivery has an advantage of being able to publish over an attacker. Built-in forensic snapshots and blue/green publishing can allow for systems to be recovered while an investigation takes place.
(diagram: APP/DB stacks labelled ATTACKED, FORENSICS, RECOVERED)
This could be your MTTR… Mean Time to Resolution (MTTR): 6 months
Get Involved and Join the Community
devsecops.org
@devsecops on Twitter
DevSecOps on LinkedIn
DevSecOps on Github
RuggedSoftware.org
Compliance at Velocity