AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Customers (SEC305)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Eugene Yu – AWS Managing Consultant

Eric Gifford – Cambia Security Architect

Brad Davidson – Cambia Security Engineer

November 29, 2016

SEC305

Scaling Security Resources for

Your First 10 Million Customers

What to expect from the session

• Scale your security and compliance infrastructure

• Agile development with integrated security testing and

validation

• Treating your security as code

How do you scale

your security

resources?

workload

customers

No customer

One workload

workload

customers

security

resources

More customers

More workloads

workload

customers

Security appliances

Bigger boxes

security

resources

More customers

More workloads

workload

customers

More security appliances

Bigger boxes

Increased security staff

workload

customers

security

resources

Scaling is

hard…More customers

More workloads

Security resources must scale to

keep pace with the business.

AWS

CLOUDTRAILAMAZON

INSPECTORAMAZON

VPCAWS WAF AWS IAM

AWS KEY MANAGEMENT

SERVICE

SERVER-SIDE

ENCRYPTION

ENCRYPTION

SDK

WhatsCat™Connecting One Cat at a Time

WhatsCat™

LOL cats »

Application Development

Simple social media

application for Cats

WhatsCat™

LOL cats »

Let’s hope

this mobile app is

successful…WhatsCat™

LOL cats »

WhatsCat TM

Launch Day (0 Cat)

One AWS account

One workload WorkloadAmazon EC2 Instance

Amazon

Route 53

Time to establish

baseline security

Core Security Control

AWS IAM

WorkloadAmazon EC2 Instance

Amazon

Route 53

AWS

IAM

MFA token

Developer

NetworkUser


Amazon VPC


Amazon

Route 53


Security Groups


Amazon

Route 53


AWS CloudTrail


Amazon

Route 53

AWS

CloudTrail

Amazon S3


Amazon CloudWatch


Amazon

Route 53

Amazon

CloudWatch

Cats > 1000

WhatsCat™

Adding a New Feature

Sharing photos with

other Cats

WhatsCat™

LOL cats »

Cat photos »

Resiliency

Multiple Availability ZonesWeb

instance

Amazon RDS DB

instance

active (Multi-AZ)

Availability Zone

Web

instance

Amazon RDS DB

instance standby

(Multi-AZ)

Elastic Load

Balancing

Amazon

Route 53

Availability Zone

Auto Scaling

Configure Auto Scaling to

scale to handle increased

traffic

Web

instance

Amazon RDS DB

instance

active (Multi-AZ)

Availability Zone

Web

instance

Amazon RDS DB

instance standby

(Multi-AZ)

Elastic Load

Balancing

Amazon

Route 53

Availability Zone

Data Protection

Web

instance

Amazon RDS DB

instance

active (Multi-AZ)

Availability Zone

Web

instance

Amazon RDS DB

instance standby

(Multi-AZ)

Elastic Load

Balancing

Amazon

Route 53

Availability Zone

AWS KMS

Amazon

S3

SEC305- Scaling Security Resources for Your

First 10 Million Customers

Presenters:

Eric Gifford – Security Architect

Brad Davidson – Security Engineer

© 2014 Cambia Health Solutions, Inc.

Our story

2424

Our Cause

• Cambia - Born from an inspired idea

• Catalyst -> transform healthcare

• Person-focused & economically sustainable

• Embracing cloud innovation to provide personalized & intuitive experiences

• On AWS: Web applications, micro-services, data lake, data science capabilities


2525

Cloud Security & Automation Principles

• Embrace HIPAA-compliant Cloud & DevOps

• Automation: reduce deviations & risk

• Leverage the shared responsibility model by aligning to serverless and managed services

• Build guardrails, not gates!

• Continuously monitor


2727

Continuously monitor Cloud environments

λ functions to detect non-compliance:

1) MFA disabled

2) Unauthorized region

3) CloudTrail disabled

4) VPC flow logs disabled

And more…


2828

A good start?

Pros

• Simple

• Independent λ functions

Cons

• Customization in each λ

• Lack of context in CloudTrail

events

How to address this?

Keep building!


2929

Decouple & scale

• Move to a 3-tier Lambda

• Design for:

• Efficiency

• Context

• Flexibility


3131

Good enough?

Pros

• Enrich event data for granularity

• Centralize policy/signature database

• Optimize λ for speed

Cons

• Complex to use, support, & maintain

• Need for regression testing

How to turn over to Ops and let them operate?

Keep building!


3232

What’s next for us?

• UI to manage policies, dashboard for reporting

• “Simulation mode” (aka Dry Run)

• Keep enrichment db current

• Integration with ticketing systems

• Apply secure configurations at creation

• VPC Flow Logs + Threat intel?


3333

Demo time!


Cats > 100,000

WhatsCat™


Simple social media

application for Cats

WhatsCat™

LOL cats »

Cat photos »

Cats near me (4) »

Security Infrastructure as Code

Manage security infrastructure

just like your business

workloads

Strong change management

process AWS

CodeCommit


AWS

CodeCommit

Security infrastructure code

• IAM, VPC, Logging,

Application

• Security architecture

document

• Threat modeling analysis

• Security controls document


IAM stack

Infrastructure

stack

Logging

stack

IAM configuration with custom policies, groups,

and roles

VPC, security groups, network ACL, NAT gateway

configuration

AWS CloudTrail, Amazon S3 buckets, and bucket

policies for logging and archive data, Amazon

CloudWatch alarms for security-related CloudTrail

events

Why Security Infrastructure as Code?

Assurance

and visibility

Traceability

and change

management

Knowledge

management

Version and

Source control

Security CI/CD

Pipeline

Integrates and delivers your workloads

Is your most sensitive security workload

Product Release

App Code

Infrastructure Code

Security Code

Security of the CI/CD pipeline

Securing the application starts with securing the pipeline

• Least privilege access

• Logging and monitoring of the pipeline

AWS

IAM

AWS

CloudTrail

Amazon

CloudWatch

Security CI/CD

Pipeline

Security in the CI/CD pipeline

Integrated security testing and validation

• Security unit test

• Vulnerability management

Amazon

Inspector

Security and Compliance

Unit Tests

Security CI/CD

Pipeline

AMI Lifecycle Management

InstancePublic

AMI

Golden

AMI

Launch

instance EC2Configure

instance

Hardened

instance

Bake AMI

Hardening and

configuration

User administration

Operating system

Running

instances

Launch

AWS

Config

AWS

Lambda

Automate AMI

baking

Amazon

Inspector

Amazon

Inspector

Amazon

Inspector

Decommission

Cats > 1million

WhatsCat™

Cats > 1 million


Buy Cat Food feature

WhatsCat™

LOL cats »

Cat photos »

Cats near me (4) »

Buy

Cat Food!

Encrypting

Customer DataElastic Load

Balancing

Amazon

Route 53

AWS KMSDynamoDB

Application

Encrypt using client-side library for DynamoDB in Github

Encrypt data in applications using the AWS encryption SDK in your application

Multi-region Customers

Multi-region Deployments

Amazon

CloudFrontAmazon

CloudFront

Elastic Load Balancer

DynamoDB

Application

Amazon RDS


DynamoDB

Application

Amazon RDS


DynamoDB

Application

Amazon RDS

AWS WAF

Good Cats

Bad Dogs AWS

WAF

Amazon

CloudFront

Elastic Load

Balancing

Amazon

Route 53Amazon

DynamoDB

Application

Amazon RDS

Cats > 10 millionWhatsCat™

• Assess current incident

response processes and

procedures

• Test the cloud incident

response process via a

simulated exercise

Security Incident Response Simulation

A security practitioner's job is

to answer tough questions

Automate the way security

practitioners answer these

questions

WhatsCat™

Thank you!

Remember to complete

your evaluations!

Related sessions

• ARC201 - Scaling Up to Your First 10 Million Users

• SEC313 - Automating Security Event Response, from

Idea to Code to Execution

• SAC312 - Architecting for End-to-End Security in the

Enterprise

• DEV302 - Automated Governance of Your AWS

Resources

AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Customers (SEC305)

Technology

Transcript of AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Customers (SEC305)