AWS Security Strategy

AWS Security Strategy Enterprise Security on AWS Teri Radichel, Cloud Architect | WatchGuard Technologies | @teriradichel

Transcript of AWS Security Strategy

Page 1: AWS Security Strategy

AWS Security Strategy: Enterprise Security on AWS

Teri Radichel, Cloud Architect | WatchGuard Technologies | @teriradichel

Page 2: AWS Security Strategy

The CIO of the 5th largest bank in the US says they can be more secure in AWS than in their own data center.

Possible?

Page 3: AWS Security Strategy

About That Internet Thing…

You are already using shared infrastructure.

How do you secure it?

Page 4: AWS Security Strategy

Security Policy

Yours. Do you know what it says? Does everybody follow it?

AWS. https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

Page 5: AWS Security Strategy

What’s In Your Network?

Do you really know?

Page 6: AWS Security Strategy

Automated Configuration

AWS facilitates automated infrastructure and application deployment via code stored in source control.

Page 7: AWS Security Strategy

Automated Event-Driven Security

AWS makes it easier to automatically react to events that trigger a security response.

Page 8: AWS Security Strategy

Points of Discovery and Reaction

• Knowns:
  • Prevent from entering environment
  • Detect and roll back on entry into environment
• Unknowns:
  • Baseline normal behavior
  • React to anomalies – alerts, investigation
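The "detect and roll back on entry" case for a known-bad change, as an added example in Python that is not code from the deck: a Lambda-style handler that receives the CloudTrail record for AuthorizeSecurityGroupIngress (delivered through CloudWatch Events), picks out any rule that opens a non-web port to the whole internet, and turns it into the matching revoke call. The sample event, the group ID and the user ARN are constructed; the allow-list of ports that may face the internet is an assumption for this example.

```python
"""Event-driven rollback of a known-bad security group change.

Added example, not code from the deck. Assumes the event shape that CloudTrail
delivers via CloudWatch Events for ec2:AuthorizeSecurityGroupIngress
(requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp).
"""
import ipaddress

# Ports that may legitimately be opened to the world (e.g. a public web tier).
# Assumption for this example; tune to your own policy.
PUBLIC_OK_PORTS = {80, 443}


def is_world_open(cidr):
    """True when the CIDR is 0.0.0.0/0 or ::/0 (a prefix length of zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def offending_permissions(event):
    """Return the ingress permissions in the event that expose a non-web port
    to the whole internet. Only IPv4 ranges (ipRanges) are inspected here."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    bad = []
    perms = detail.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        proto = perm.get("ipProtocol")
        from_port, to_port = perm.get("fromPort"), perm.get("toPort")
        for rng in perm.get("ipRanges", {}).get("items", []):
            cidr = rng.get("cidrIp")
            if not cidr or not is_world_open(cidr):
                continue
            # "-1" means all protocols and ports; a range that is not exactly
            # one of the web ports is also treated as known-bad.
            all_ports = proto == "-1" or from_port is None
            single_web_port = from_port == to_port and from_port in PUBLIC_OK_PORTS
            if all_ports or not single_web_port:
                bad.append({"IpProtocol": proto, "FromPort": from_port,
                            "ToPort": to_port, "IpRanges": [{"CidrIp": cidr}]})
    return bad


def build_revoke_call(event):
    """Translate offending permissions into boto3 revoke_security_group_ingress
    keyword arguments, or None when nothing needs rolling back."""
    bad = offending_permissions(event)
    if not bad:
        return None
    perms = []
    for p in bad:
        perm = {"IpProtocol": p["IpProtocol"], "IpRanges": p["IpRanges"]}
        if p["FromPort"] is not None:  # protocol "-1" carries no port keys
            perm["FromPort"], perm["ToPort"] = p["FromPort"], p["ToPort"]
        perms.append(perm)
    group_id = event["detail"]["requestParameters"]["groupId"]
    return {"GroupId": group_id, "IpPermissions": perms}


def handler(event, context=None, ec2=None):
    """Lambda-style entry point. Pass a boto3 EC2 client as ec2 to revoke for
    real; with ec2=None the rollback is only computed (dry run)."""
    call = build_revoke_call(event)
    if call and ec2 is not None:
        ec2.revoke_security_group_ingress(**call)
    return call


# Constructed sample event: one acceptable rule (443 to the world), one
# known-bad rule (22 to the world) and one internal rule (22 from 10/8).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/cowboy"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

Only the 22-to-the-world rule comes back in the revoke call; the 443 rule and the internal 10/8 rule are left alone. Wiring this to a CloudWatch Events rule on the ec2 event source and logging the returned call alongside the user ARN gives you both the rollback and the audit trail for who made the change.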

Page 9: AWS Security Strategy

Recommendations…

• Best Practices
• Lessons Learned
• Ideas
• Tools

Page 10: AWS Security Strategy

Follow IAM Best Practices

Page 11: AWS Security Strategy

Follow Evident IO Best Practices

Page 12: AWS Security Strategy

The Right People

Cowboy has no well-thought-out plan or expertise.

Mr. No kills innovation. He is not open to new ideas.

Analysis Paralysis kills productivity.

Engineers = expertise + well-designed solutions based on available data

Page 13: AWS Security Strategy

Deployment Pipeline

DevOps, security, developer and QA teams should all use the same process for AWS deployments.

Add Security Controls at this checkpoint.

Facilitates inventory, audit and compliance.

CICD – Continuous Integration, Continuous Deployment

Page 14: AWS Security Strategy

Automate Everything

From The Start.

Page 15: AWS Security Strategy

Security Automation

• Automate the biggest risks first ~ see the Verizon Data Breach Investigations Report
• Automated Deployments – CloudFormation, SDKs
  - Consider immutable infrastructure where possible
• Automated Compliance – AWS Config (resource configuration against rules), Amazon Inspector (instance vulnerability assessment)
• Automated Security Operations – AWS WAF, 3rd party tools
• Custom automation – roll your own
• Automated Intrusion Detection – proof-of-concept framework: https://github.com/tradichel/AWSSecurityAutomationFramework
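The security checkpoint in the deployment pipeline (Page 13) applied to the CloudFormation deployments above, as an added example in Python that is neither the deck's nor the linked framework's code: a gate a CI/CD job runs against a JSON template before deploying it, failing the build on three known-bad patterns (a non-web port open to the world, an IAM statement allowing "*" on "*", an unencrypted EBS volume). The sample template and its resource names are constructed and the three checks are an assumption about policy; a YAML template would need a loader that understands the `!Ref`-style short tags in place of `json.loads`.

```python
"""Pipeline checkpoint for CloudFormation templates.

Added example, not code from the deck. Fails the build when a template opens
a non-web port to the world, grants IAM "*" on "*", or creates an unencrypted
EBS volume. Intrinsic functions (Ref, Fn::*) in the checked fields are skipped.
"""
import json
import sys

WEB_PORTS = {80, 443}  # assumption: only these may be opened to 0.0.0.0/0


def _ingress_findings(name, props):
    for rule in props.get("SecurityGroupIngress", []):
        world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        if not world:
            continue
        proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
        if proto == "-1" or lo != hi or lo not in WEB_PORTS:
            yield name, f"ingress from the world on {proto} {lo}-{hi}"


def _policy_findings(name, doc):
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        resources = s.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            yield name, "IAM statement allows Action * on Resource *"


def check_template(template):
    """Return a list of (logical_id, message) findings for a parsed template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            findings.extend(_ingress_findings(name, props))
        elif rtype == "AWS::IAM::Policy":
            findings.extend(_policy_findings(name, props.get("PolicyDocument", {})))
        elif rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
            for p in props.get("Policies", []):
                findings.extend(_policy_findings(name, p.get("PolicyDocument", {})))
        elif rtype == "AWS::EC2::Volume" and props.get("Encrypted") is not True:
            findings.append((name, "EBS volume is not encrypted"))
    return findings


def gate(template_json):
    """True when the template may proceed to deployment; prints each failure."""
    findings = check_template(json.loads(template_json))
    for name, msg in findings:
        print(f"FAIL {name}: {msg}")
    return not findings


# Constructed sample template with a clean and a bad instance of each check.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "public web tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
        "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "admin access",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Statement": []},
            "Policies": [{"PolicyName": "everything", "PolicyDocument": {
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
        "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "AvailabilityZone": "us-west-2a", "Size": 100, "Encrypted": True}},
        "ScratchVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "AvailabilityZone": "us-west-2a", "Size": 20}},
    }
})

if __name__ == "__main__":
    sys.exit(0 if gate(SAMPLE_TEMPLATE) else 1)
```

Run as a pipeline step, the non-zero exit code stops the deployment before the resource exists, which is the "prevent from entering environment" half of Page 8; the same findings list doubles as the inventory and audit record the checkpoint is meant to produce.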

Page 16: AWS Security Strategy
Page 17: AWS Security Strategy

Other Options for SSH and Secret Access Keys

• IAM roles for users and AWS resources
• Cross-account roles
• Active Directory integration
• STS – temporary credentials
• Use MFA where possible
• Consider CLI, console and instance logins
• If using keys, train users that keys are passwords and treat them as such
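Treating keys as passwords implies auditing them like passwords. As an added example that is not from the deck, the Python below runs over the CSV that `aws iam get-credential-report` returns and flags console users without MFA, access keys past a rotation limit, keys that have gone unused, and any access key on the root account. The report excerpt, account number and user names are constructed; the column names are the real ones, trimmed to those the code reads; the 90-day and 45-day limits are assumptions, and the clock is fixed so the output is reproducible.

```python
"""Audit an IAM credential report for credentials that are really passwords.

Added example, not code from the deck. Reads the CSV format returned by
`aws iam get-credential-report` (columns trimmed to those used here).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)  # fixed clock for a reproducible sample
MAX_KEY_AGE = timedelta(days=90)   # assumption: rotation limit for access keys
MAX_UNUSED = timedelta(days=45)    # assumption: keys idle longer than this are dead weight
ROOT = "<root_account>"


def _when(value):
    """Parse a report timestamp; the report uses N/A, no_information and
    not_supported where there is no date."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_row(row, now=NOW):
    """Return (user, finding) tuples for one report row."""
    user = row["user"]
    findings = []
    if row["password_enabled"] == "true" and row["mfa_active"] != "true":
        findings.append((user, "console password without MFA"))
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] != "true":
            continue
        rotated = _when(row[f"access_key_{n}_last_rotated"])
        used = _when(row[f"access_key_{n}_last_used_date"])
        if rotated and now - rotated > MAX_KEY_AGE:
            findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
        last_activity = used or rotated   # a never-used key counts from its creation
        if last_activity and now - last_activity > MAX_UNUSED:
            findings.append((user, f"access key {n} unused for more than {MAX_UNUSED.days} days"))
    if user == ROOT:
        if row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))
        if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root account has active access keys"))
    return findings


def audit_report(csv_text, now=NOW):
    """Run audit_row over every row of a credential report."""
    return [f for row in csv.DictReader(io.StringIO(csv_text)) for f in audit_row(row, now)]


# Constructed report excerpt (real column names, fictitious account and users).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2015-01-01T00:00:00+00:00,not_supported,2016-05-30T08:00:00+00:00,not_supported,not_supported,true,true,2016-05-01T00:00:00+00:00,2016-05-30T08:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2015-03-01T00:00:00+00:00,true,2016-05-31T09:00:00+00:00,2016-04-01T00:00:00+00:00,2016-06-30T00:00:00+00:00,true,true,2016-04-15T00:00:00+00:00,2016-05-31T09:30:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-03-01T00:00:00+00:00,true,2016-05-31T09:00:00+00:00,2015-12-01T00:00:00+00:00,2016-02-29T00:00:00+00:00,false,true,2015-12-01T00:00:00+00:00,2016-05-28T12:00:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2016-01-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2016-03-01T00:00:00+00:00,2016-05-31T23:00:00+00:00,true,2016-03-15T00:00:00+00:00,N/A
"""

if __name__ == "__main__":
    for user, finding in audit_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Each finding maps to one of the slide's alternatives: a user with a stale key is a candidate for an IAM role or STS temporary credentials instead, a console user without MFA gets MFA enforced, and a root access key gets deleted outright.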

Page 18: AWS Security Strategy

Encryption on AWS

• KMS - AWS Key Management Service
• CloudHSM - single-tenant hardware security module
• Bring Your Own Key - import key material from your own key manager or HSM
• AWS Certificate Manager - SSL/TLS certificates for encryption in transit

Page 19: AWS Security Strategy

5. Plan Network Carefully.

[Diagram: three network zones, Internet Access, AWS Only and AWS to Corporate, each subnet fronted by its own security group.]

Routes: Enforce Traffic Flow. Subnets: Larger. Security Groups: Whitelist.

Page 20: AWS Security Strategy

Avoid This

So many holes punched in your network, and so many agents running, that you no longer know what is traversing your network, and network security becomes pointless.

Page 21: AWS Security Strategy

Avoid This

Subnets with almost nothing in them have the potential to exhaust your IP space.

It also becomes unwieldy to manage numerous subnets and security groups.

Use security groups for application-specific rules.
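The IP-space cost of many tiny subnets, quantified in an added Python example that is not from the deck: it reports address waste, overlap and subnets that fall outside the VPC for a plan. The VPC and subnet CIDRs are constructed; the five reserved addresses per subnet (the first four and the last) and the /28 minimum subnet size are AWS's documented limits.

```python
"""Check a VPC subnet plan for waste, overlap and exhaustion.

Added example, not code from the deck. CIDRs below are constructed.
"""
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet.
RESERVED_PER_SUBNET = 5


def plan_report(vpc_cidr, subnet_cidrs):
    """Summarise a plan: address totals plus a list of structural problems."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} is outside {vpc}")
        if n.prefixlen > 28:
            problems.append(f"{n} is smaller than the /28 minimum")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    allocated = sum(n.num_addresses for n in nets)
    return {
        "subnets": len(nets),
        "allocated": allocated,
        "reserved": RESERVED_PER_SUBNET * len(nets),
        "usable": allocated - RESERVED_PER_SUBNET * len(nets),
        "free_in_vpc": vpc.num_addresses - allocated,
        "problems": problems,
    }


# Constructed plans over the same 10.0.0.0/16 VPC.
VPC = "10.0.0.0/16"
MANY_TINY = [f"10.0.0.{16 * i}/28" for i in range(16)]   # sixteen /28s
ONE_LARGER = ["10.0.0.0/24"]                               # one /24 covering the same range
BROKEN = ["10.0.0.0/24", "10.0.0.128/25", "10.1.0.0/24"]

if __name__ == "__main__":
    for label, plan in (("many tiny", MANY_TINY), ("one larger", ONE_LARGER), ("broken", BROKEN)):
        print(label, plan_report(VPC, plan))
```

Sixteen /28s and one /24 cover exactly the same 256 addresses, but the tiny subnets hand 80 of them back to AWS and leave 176 usable against 251 for the single larger subnet, before counting the sixteen route table associations and security group sets you now have to manage.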

Page 22: AWS Security Strategy

Architect for the Cloud

Avoid Lift and Shift

Costs will be higher

Doesn’t leverage AWS

Possible Security Issues

Fix it later…right.

If you do...keep it in a separate account.

Page 23: AWS Security Strategy

Scalable Dev Ops

Page 24: AWS Security Strategy

Use Process Controls

Technology can’t make your toast. Yet. Use process controls when needed.

Page 25: AWS Security Strategy

Have a Sandbox Account

Tightly secure all other accounts: match production, or purpose-build them.

Page 26: AWS Security Strategy
Page 27: AWS Security Strategy

AWS Monitoring Tools

• VPC Flow Logs ~ like NetFlow for your VPC; delivered in batches, not real time
• CloudTrail ~ records the API calls made in your account: who did what, from where
• CloudWatch Logs ~ any kind of logs; cannot be altered once delivered if the log group is properly secured
• 3rd party tools
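The "unknowns" side of Page 8 (baseline normal behavior, react to anomalies) worked through on VPC Flow Logs, as an added Python example that is not from the deck: a learning window establishes which destination services are normally accepted, then a detection window is scanned for sources rejected on many distinct ports (a scan) and for accepted connections to services absent from the baseline. The log lines use the default flow log field order but are constructed, as are the addresses and interface ID; the scan threshold is an assumption.

```python
"""Baseline-and-anomaly detection over VPC Flow Logs.

Added example, not code from the deck. Lines follow the default flow log
format (version account-id interface-id srcaddr dstaddr srcport dstport
protocol packets bytes start end action log-status) but are constructed.
"""
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
SCAN_THRESHOLD = 10  # assumption: distinct rejected ports from one source before alerting


def parse_lines(text):
    """Parse flow log lines, skipping NODATA/SKIPDATA records that carry no addresses."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records


def baseline(records):
    """Set of (dstaddr, dstport) pairs that were accepted during the learning window."""
    return {(r["dstaddr"], r["dstport"]) for r in records if r["action"] == "ACCEPT"}


def detect(records, normal, scan_threshold=SCAN_THRESHOLD):
    """Return alerts: port scans (many distinct rejected ports per source) and
    accepted traffic to services never seen in the baseline."""
    alerts = []
    rejected_ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            rejected_ports[r["srcaddr"]].add(r["dstport"])
        elif (r["dstaddr"], r["dstport"]) not in normal:
            alerts.append({"type": "new_service", "src": r["srcaddr"],
                           "dst": r["dstaddr"], "port": r["dstport"]})
    for src, ports in rejected_ports.items():
        if len(ports) >= scan_threshold:
            alerts.append({"type": "port_scan", "src": src, "ports": len(ports)})
    return alerts


def _line(src, dst, sport, dport, action, start=1418530010):
    """Build one constructed flow log line (TCP, fixed packet and byte counts)."""
    return (f"2 123456789012 eni-0a1b2c3d4e5f67890 {src} {dst} {sport} {dport} 6 "
            f"10 840 {start} {start + 60} {action} OK")


# Learning window: the app tier talks to the web service and the database.
BASELINE_LOG = "\n".join([
    _line("10.0.2.5", "10.0.1.10", 40001, 443, "ACCEPT"),
    _line("10.0.2.6", "10.0.1.10", 40002, 443, "ACCEPT"),
    _line("10.0.1.10", "10.0.3.20", 40003, 5432, "ACCEPT"),
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1418530010 1418530070 - NODATA",
])

# Detection window: normal traffic, an 11-port probe from outside, and an
# unexpected SSH session into the web host.
SCAN_PORTS = [21, 22, 23, 25, 53, 110, 135, 139, 445, 3389, 8080]
WINDOW_LOG = "\n".join(
    [_line("10.0.2.5", "10.0.1.10", 40010, 443, "ACCEPT"),
     _line("10.0.1.10", "10.0.3.20", 40011, 5432, "ACCEPT"),
     _line("10.0.2.5", "10.0.1.10", 40012, 22, "ACCEPT")]
    + [_line("198.51.100.7", "10.0.1.10", 50000 + p, p, "REJECT") for p in SCAN_PORTS]
)

if __name__ == "__main__":
    for alert in detect(parse_lines(WINDOW_LOG), baseline(parse_lines(BASELINE_LOG))):
        print(alert)
```

Because flow logs arrive in batches, this runs over each delivered batch rather than per packet; the rejected probe is the noisy case, while the accepted SSH session to a host that normally only serves 443 is the one that deserves investigation, since a security group already let it through.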

Page 28: AWS Security Strategy

Teri Radichel, Cloud Architect
WatchGuard Technologies ~ We are hiring!
@teriradichel

Security Certifications and Papers: Http://www.giac.org/certified-professional/teri-radichel/140127

Thank you!