AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Customers (SEC305)
Transcript of AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Customers (SEC305)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Eugene Yu – AWS Managing Consultant
Eric Gifford – Cambia Security Architect
Brad Davidson – Cambia Security Engineer
November 29, 2016
SEC305
Scaling Security Resources for
Your First 10 Million Customers
What to expect from the session
• Scale your security and compliance infrastructure
• Agile development with integrated security testing and validation
• Treating your security as code
How do you scale your security resources?
[Diagram sequence: workloads, customers and security resources growing over time]
• No customer, one workload
• More customers, more workloads: security appliances, bigger boxes
• More customers, more workloads: more security appliances, bigger boxes, increased security staff
• Scaling is hard… Security resources must scale to keep pace with the business.
[Slide: AWS security services shown: AWS CloudTrail, Amazon Inspector, Amazon VPC, AWS WAF, AWS IAM, AWS Key Management Service, server-side encryption, Encryption SDK]
WhatsCat™: Connecting One Cat at a Time
Application Development: a simple social media application for Cats (mobile app mockup: WhatsCat™, “LOL cats »”)
Let’s hope this mobile app is successful…
Launch Day (0 Cat)
One AWS account, one workload (an Amazon EC2 instance behind Amazon Route 53)
Time to establish baseline security
Core Security Control: AWS IAM (Developer and Network User identities, each with an MFA token)
Core Security Control: Amazon VPC
Core Security Control: Security Groups
Core Security Control: AWS CloudTrail (logs delivered to Amazon S3)
Core Security Control: Amazon CloudWatch
Cats > 1000
WhatsCat™: Adding a New Feature: sharing photos with other Cats (app mockup: LOL cats », Cat photos »)
Resiliency: Multiple Availability Zones
[Diagram: Amazon Route 53 -> Elastic Load Balancing -> a web instance in each of two Availability Zones; Amazon RDS DB instance active (Multi-AZ) in one zone, standby (Multi-AZ) in the other]
Auto Scaling: configure Auto Scaling to scale to handle increased traffic (same multi-AZ architecture)
Data Protection: AWS KMS and Amazon S3 added to the same architecture
SEC305 - Scaling Security Resources for Your First 10 Million Customers
Presenters:
Eric Gifford – Security Architect
Brad Davidson – Security Engineer
© 2014 Cambia Health Solutions, Inc.
Our story
Our Cause
• Cambia - Born from an inspired idea
• Catalyst -> transform healthcare
• Person-focused & economically sustainable
• Embracing cloud innovation to provide personalized & intuitive experiences
• On AWS: Web applications, micro-services, data lake, data science capabilities
© 2016 Cambia Health Solutions, Inc.
Cloud Security & Automation Principles
• Embrace HIPAA-compliant Cloud & DevOps
• Automation: reduce deviations & risk
• Leverage the shared responsibility model by aligning to serverless and managed services
• Build guardrails, not gates!
• Continuously monitor
Continuously monitor Cloud environments
λ functions to detect non-compliance:
1) MFA disabled
2) Unauthorized region
3) CloudTrail disabled
4) VPC flow logs disabled
And more…
A good start?
Pros
• Simple
• Independent λ functions
Cons
• Customization in each λ
• Lack of context in CloudTrail events
How to address this?
Keep building!
Decouple & scale
• Move to a 3-tier Lambda
• Design for:
• Efficiency
• Context
• Flexibility
Good enough?
Pros
• Enrich event data for granularity
• Centralize policy/signature database
• Optimize λ for speed
Cons
• Complex to use, support, & maintain
• Need for regression testing
How to turn over to Ops and let them operate?
Keep building!
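A worked example added here (not Cambia's code) of the detection logic behind the λ functions listed earlier (MFA disabled, unauthorized region, CloudTrail disabled, VPC flow logs disabled) and the later "centralize policy/signature database" design: one evaluation function driven by a policy table, run over constructed CloudTrail records. The allowed regions, event-name table, account ID and record shape are assumptions of this example.

```python
from typing import Dict, List

# Central policy/signature table (event name -> finding). Keeping rules in data instead
# of one hand-customised Lambda per rule is the "centralize policy database" idea from
# the slides; the entries below are this example's assumptions.
EVENT_SIGNATURES: Dict[str, str] = {
    "DeactivateMFADevice": "MFA disabled",
    "DeleteVirtualMFADevice": "MFA disabled",
    "StopLogging": "CloudTrail disabled",
    "DeleteTrail": "CloudTrail disabled",
    "DeleteFlowLogs": "VPC flow logs disabled",
}
ALLOWED_REGIONS = {"us-west-2", "us-east-1"}  # regions the hypothetical account may use

def evaluate(record: dict) -> List[dict]:
    """Return zero or more findings for one CloudTrail record, enriched with context."""
    findings = []
    # Raw CloudTrail events lack context (a "con" on the slides), so attach who/where/when
    # to every finding so Ops can act on it without re-querying the logs.
    ctx = {
        "principal": record.get("userIdentity", {}).get("arn", "unknown"),
        "region": record.get("awsRegion"),
        "time": record.get("eventTime"),
    }
    if record.get("awsRegion") not in ALLOWED_REGIONS:
        findings.append({"finding": "Unauthorized region", **ctx})
    sig = EVENT_SIGNATURES.get(record.get("eventName", ""))
    if sig and not record.get("errorCode"):  # a denied call changed nothing
        findings.append({"finding": sig, **ctx})
    return findings

def handler(event: dict, context=None) -> List[dict]:
    """Lambda entry point; assumes a CloudTrail log-file batch under 'Records'."""
    return [f for rec in event.get("Records", []) for f in evaluate(rec)]

# Constructed sample batch, not real log data.
SAMPLE_EVENT = {"Records": [
    {"eventName": "StopLogging", "awsRegion": "us-west-2", "eventTime": "2016-11-29T10:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventName": "RunInstances", "awsRegion": "ap-south-1", "eventTime": "2016-11-29T10:01:00Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventName": "DeleteFlowLogs", "awsRegion": "us-east-1", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}},
]}
if __name__ == "__main__":
    for finding in handler(SAMPLE_EVENT):
        print(finding)
```

The third record is deliberately a denied call: it matches a signature but produced no change, so it yields no finding.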
What’s next for us?
• UI to manage policies, dashboard for reporting
• “Simulation mode” (aka Dry Run)
• Keep enrichment db current
• Integration with ticketing systems
• Apply secure configurations at creation
• VPC Flow Logs + Threat intel?
Demo time!
Cats > 100,000
WhatsCat™: Adding a New Feature to the simple social media application for Cats: Cats near me (app mockup: LOL cats », Cat photos », Cats near me (4) »)
Security Infrastructure as Code
Manage security infrastructure just like your business workloads, with a strong change management process (source held in AWS CodeCommit).
Security infrastructure code (in AWS CodeCommit):
• IAM, VPC, Logging, Application
• Security architecture document
• Threat modeling analysis
• Security controls document
Security infrastructure stacks:
• IAM stack: IAM configuration with custom policies, groups, and roles
• Infrastructure stack: VPC, security groups, network ACL, NAT gateway configuration
• Logging stack: AWS CloudTrail, Amazon S3 buckets and bucket policies for logging and archive data, Amazon CloudWatch alarms for security-related CloudTrail events
Why Security Infrastructure as Code?
• Assurance and visibility
• Traceability and change management
• Knowledge management
• Version and source control
Security CI/CD Pipeline
• Integrates and delivers your workloads
• Is your most sensitive security workload
Product Release: App Code, Infrastructure Code, Security Code
Security of the CI/CD pipeline: securing the application starts with securing the pipeline
• Least privilege access (AWS IAM)
• Logging and monitoring of the pipeline (AWS CloudTrail, Amazon CloudWatch)
Security in the CI/CD pipeline: integrated security testing and validation
• Security unit test (security and compliance unit tests)
• Vulnerability management (Amazon Inspector)
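An example added here (not code from the talk) of the "security unit test" stage of the pipeline, run against the kind of IAM, infrastructure and logging stacks described above: three checks over a CloudFormation-style template. The template fragment, resource names and the set of ports allowed to face the internet are constructed assumptions for this example.

```python
from typing import Dict, List

# Constructed template fragment; resource names and values are assumptions.
TEMPLATE = {"Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "IsLogging": True, "IsMultiRegionTrail": False, "EnableLogFileValidation": True}},
    "AdminPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
}}
PUBLIC_OK_PORTS = {80, 443}  # only web listeners may be reachable from the internet

def check_security_groups(res: Dict[str, dict]) -> List[str]:
    """Infrastructure stack: flag world-open ingress on anything but a web port."""
    out = []
    for name, r in res.items():
        if r["Type"] == "AWS::EC2::SecurityGroup":
            for rule in r["Properties"].get("SecurityGroupIngress", []):
                world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
                if world and any(p not in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
                    out.append(f"{name}: world-open ingress on {lo}-{hi}")
    return out

def check_cloudtrail(res: Dict[str, dict]) -> List[str]:
    """Logging stack: every trail must log, cover all regions and validate log files."""
    out = []
    for name, r in res.items():
        if r["Type"] == "AWS::CloudTrail::Trail":
            for key in ("IsLogging", "IsMultiRegionTrail", "EnableLogFileValidation"):
                if r["Properties"].get(key) is not True:
                    out.append(f"{name}: {key} must be true")
    return out

def check_iam(res: Dict[str, dict]) -> List[str]:
    """IAM stack: no Allow statement may grant every action on every resource."""
    out = []
    for name, r in res.items():
        if r["Type"] in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            for s in r["Properties"]["PolicyDocument"].get("Statement", []):
                if s.get("Effect") == "Allow" and s.get("Action") == "*" and s.get("Resource") == "*":
                    out.append(f"{name}: wildcard Action and Resource")
    return out

def run_security_unit_tests(template: dict) -> List[str]:
    # Pipeline gate: an empty list means the stacks may proceed to deployment.
    res = template["Resources"]
    return check_security_groups(res) + check_cloudtrail(res) + check_iam(res)
```

Wire `run_security_unit_tests` into the pipeline stage so a non-empty result fails the build before the stack is ever created.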
AMI Lifecycle Management
• Public AMI -> launch instance -> configure instance (hardening and configuration: user administration, operating system) -> hardened instance -> bake AMI -> Golden AMI
• Launch running instances from the Golden AMI; decommission them at end of life
• AWS Config and AWS Lambda automate AMI baking
• Amazon Inspector assessments appear at each stage of the lifecycle
Cats > 1 million
WhatsCat™: Adding a New Feature: Buy Cat Food (app mockup: LOL cats », Cat photos », Cats near me (4) », Buy Cat Food!)
Encrypting Customer Data
[Diagram: Amazon Route 53 -> Elastic Load Balancing -> Application -> DynamoDB, with AWS KMS providing the keys]
• Encrypt using the client-side encryption library for DynamoDB (available on GitHub)
• Encrypt data in applications using the AWS Encryption SDK in your application
Multi-region Customers
Multi-region Deployments
[Diagram: Amazon CloudFront in front of three regional deployments, each with an Elastic Load Balancer, Application, DynamoDB and Amazon RDS]
AWS WAF
[Diagram: Good Cats and Bad Dogs reach Amazon Route 53 -> Amazon CloudFront with AWS WAF -> Elastic Load Balancing -> Application -> Amazon DynamoDB and Amazon RDS; AWS WAF sits at the CloudFront edge to separate the two]
Cats > 10 million
WhatsCat™: Security Incident Response Simulation
• Assess current incident response processes and procedures
• Test the cloud incident response process via a simulated exercise
A security practitioner's job is to answer tough questions. Automate the way security practitioners answer these questions.
WhatsCat™
Thank you! Remember to complete your evaluations!
Related sessions
• ARC201 - Scaling Up to Your First 10 Million Users
• SEC313 - Automating Security Event Response, from Idea to Code to Execution
• SAC312 - Architecting for End-to-End Security in the Enterprise
• DEV302 - Automated Governance of Your AWS Resources