AWS Summit Auckland Sponsor presentation - Bulletproof

How Xero Accelerated Security Innovation on AWS

Transcript of AWS Summit Auckland Sponsor presentation - Bulletproof

How Xero Accelerated Security Innovation on AWS

Hello!

Jeremy Vincent, Solution Architect, Bulletproof

Aaron McKeown, Lead Security Architect, Xero

Neil Ramsay, Cloud Engineer, Bulletproof

What can you expect today?

An overview of:

• Xero

• AWS Migration Project

• AWS Security Principles

• Key Project Learnings

• Bulletproof

• Cloud Security Considerations

• Secure by Design Guidance

Who are we?

• Cloud House merged with Bulletproof in 2016

• First Premier Partner in A/NZ

• ASX listed (ASX:BPF)

• Only Premier Partner in NZ

• End-to-end Cloud services provider.

• 700+ customers

• 16+ years of experience

• We help you disrupt, transform and innovate

Aaron McKeown,

Lead Security Architect

How Xero Accelerated Security on AWS

Beautiful cloud-based accounting software

Connecting people with the right numbers anytime, anywhere, on any device

1450+ staff globally

$474m raised in capital

$202m subscription revenue FY16

23m+ businesses have interacted on the Xero platform

$1tr incoming and outgoing transactions in past 12 months

450m incoming and outgoing transactions in past 12 months

All figures shown are in NZD

Paying subscribers, 2009 to 2016 (chart): 700,000+ subscribers globally

Public cloud migration

• Improving data protection

• Eliminating scheduled downtime

• Maintaining and improving security

• Support the next wave of growth

• Reducing our per customer cost

Security Considerations in the Cloud

Approach: AWS Cloud Security

Security is a Journey

High Pace of Innovation with Cloud

Automation is key

How?

AWS Cloud Security

Focus on API Security

Fast rate of change

Cloud native systems with consistent security capabilities

How?

AWS Cloud Security

Focus on API Security: AWS IAM

Fast rate of change: AWS CloudFormation

Cloud native systems with consistent security capabilities: AWS KMS, AWS CloudTrail, AWS Config, CloudWatch Logs, CloudWatch Alarms, AWS IAM

How?

Automation (CI/CD pipeline diagram)

Components: Version Control, CI Server, Package Builder, Deploy Server; environments: Test Env, Staging Env, Prod Env.

Flow labels: Ops Commit to Git/master; Get / Pull Code; Distributed Builds; Run Tests in parallel; Create AMIs; Create Repo; Generate CloudFormation Templates for Environment; Push Code, Config and Tests; Install.

Xero AWS Security Overview

Key principles

• Repeatable and automated build and management of security systems

• Accelerated pace of security innovation

• On-demand security infrastructure that works at any scale

Security as a service

• VPN connectivity

• Host Based Security

• Web Application Security and Delivery

• Shared Key Management Services

• Security Operations and Consulting Services

• Secure Bastion Access Proxy Services

AWS Security Guidance

Recommendations: Secure by Design

AWS Cloud Security

• Account structure

• VPC structure

• Service mapping

• Key services

• Visibility

• Logging/Monitoring

• Secure Bastions

Secure by Design

Account Structure (diagram)

• Billing

• Non-Production: Development, Shared Services, UAT

• Production: Production, Staging, Shared Services

• Identity

• Security

Secure by Design

Service Mapping (diagram)

Accounts: Non-Production (Development, Shared Services, UAT), Security, Production (Staging, Shared Services, Production), Identity, Billing.

Services shown: AWS IAM (IAM Users, IAM Groups, IAM Roles, IAM Policy), AWS KMS, AWS CloudTrail with a CloudTrail S3 Bucket and CloudTrail Glacier Vault, AWS Config with a Config S3 Bucket and Config Glacier Vault, CloudWatch Logs, CloudWatch Alarms, SNS Email Notifications.

Secure by Design

VPC Structure (diagram)

Two VPCs, Production and Shared Services, connected by VPC Peering. Components shown:

• Internet Gateway, DMZ “Public” Zone, Protected “Private” Zone, Router

• Secure Bastion, WAF, NGFW, ADFS, PKI, AD, Outbound Proxy, NTP, DNS

• Production EC2 Workloads and Staging EC2 Workloads

• S3 VPC Endpoint and VPC Flow Log (one of each per VPC)

• IPSec VPN Connection: VPN Gateway to the Customer Gateway in the Corporate Data Center

• Amazon CloudFront, Amazon Route 53, Internet Servers, Static Assets S3 Bucket, Backup S3 Bucket

Secure by Design

VPC Peering (diagram): the same VPC structure diagram, highlighting the VPC Peering connection between the Production and Shared Services VPCs

Secure by Design

VPC Endpoints (diagram): the same VPC structure diagram, highlighting the S3 VPC Endpoint in each VPC

Secure by Design

Key Services

CloudTrail

CloudTrail Settings

• All Regions (Multi-Region setting)

• Log File Integrity Validation

• Log File Encryption with KMS

S3 Bucket Policy

• Restrict Authorised Users to have Read-Only access

• Allow Only the CloudTrail service to have Write access

Day One (diagram): AWS KMS, AWS CloudTrail, CloudTrail S3 Bucket, CloudTrail Glacier Vault, S3 Lifecycle Rules

Secure by Design

Config

Config Settings

• All Regions (No multi-region setting, so Automate)

• Enable All available Resource Types for tracking

S3 Bucket Policy

• Restrict Authorised Users to have Read-Only access

• Allow Only the Config service to have Write access

Day One (diagram): AWS Config, Config S3 Bucket, Config Glacier Vault, S3 Lifecycle Rules
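One way to check the "Day One" CloudTrail and Config settings above programmatically, as an added example that is not from the presentation or from Xero's or Bulletproof's own tooling: it audits dicts shaped like the boto3 describe_trails, get_bucket_policy and describe_configuration_recorders responses (all inputs are constructed inline, so it runs offline), and treats any bucket-policy write grant to a principal other than the logging service as a finding.

```python
# Added example (not from the presentation): audit the slides' "Day One" CloudTrail and Config baseline
# against constructed dicts shaped like boto3 describe_trails/get_bucket_policy/describe_configuration_recorders output.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}
TRAIL_CHECKS = [("IsMultiRegionTrail", "trail is not multi-region"),
                ("LogFileValidationEnabled", "log file integrity validation is off"),
                ("KmsKeyId", "log files are not encrypted with a KMS key")]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else [p for v in principal.values() for p in _as_list(v)]

def audit_bucket_policy(policy, writer_service):
    """Flag any Allow statement that lets a principal other than the log-writing service write."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        writes = {a for a in _as_list(stmt.get("Action", [])) if a.lower() in WRITE_ACTIONS}
        if stmt.get("Effect") != "Allow" or not writes:
            continue
        for principal in _principals(stmt):
            if principal != writer_service:
                findings.append(f"{principal} may write ({', '.join(sorted(writes))})")
    return findings

def audit_trail(trail, bucket_policy):
    """Return findings for one trail; an empty list means it meets the baseline."""
    findings = [message for key, message in TRAIL_CHECKS if not trail.get(key)]
    return findings + audit_bucket_policy(bucket_policy, "cloudtrail.amazonaws.com")

def audit_config_recorders(recorders_by_region):
    """Config has no multi-region switch: every region needs a recorder tracking all resource types."""
    findings = []
    for region, recorders in sorted(recorders_by_region.items()):
        if not recorders:
            findings.append(f"{region}: no configuration recorder")
        elif not any(r.get("recordingGroup", {}).get("allSupported") for r in recorders):
            findings.append(f"{region}: recorder does not track all resource types")
    return findings

# Constructed input: compliant trail; bucket policy whose 2nd statement wrongly lets an auditor role PutObject; Config in 1 of 2 regions.
SAMPLE_TRAIL = {"IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
                "KmsKeyId": "arn:aws:kms:ap-southeast-2:111111111111:key/EXAMPLE-KEY-ID"}
SAMPLE_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": ["s3:GetBucketAcl", "s3:PutObject"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/Auditor"},
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"], "Resource": "*"}]}
SAMPLE_RECORDERS = {"ap-southeast-2": [{"recordingGroup": {"allSupported": True}}], "us-east-1": []}
```

Run the three audit functions over the real API responses for every account in the structure; the Config check is the one that needs looping over every region, since that service has no multi-region switch.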

Secure by Design

Identity and Access Management (IAM)

AWS IAM (diagram) in front of the services used: Amazon EC2, AWS Elastic Beanstalk, AWS Lambda, Amazon CloudFront, Amazon S3, Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon VPC, Amazon Route 53

Identity and Access Management

IAM for Identity Account: Authentication

IAM for Identity Account: AWS Console + API + MFA for Humans

IAM Roles: Build, Repair, Audit

IAM Cross Account Roles (diagram): from the Identity account into the Non-Production and Production accounts

IAM Guard Rails (diagram): customer gateway, VPN gateway, VPN connection; CloudTrail, Config, KMS, IAM

IAM Roles: Limited Time Only

Secure by Design

Logging and Monitoring

Logging/Monitoring (diagram)

API: AWS CloudTrail to CloudWatch Logs and to the CloudTrail S3 Bucket, then to the CloudTrail Glacier Vault via Lifecycle Rules; AWS Config to the Config S3 Bucket, then to the Config Glacier Vault via Lifecycle Rules; AWS Lambda; CloudWatch Metric Filters to CloudWatch Alarms to SNS Email Notifications (Alarm); OR Amazon Elasticsearch Service

Logging/Monitoring… (diagram)

OS, Network, Storage:

• S3 Bucket Access Logs to an Access Logs S3 Bucket, then to an Access Logs Glacier Vault via Lifecycle Rules

• Amazon CloudFront Access Logs to an Access Logs S3 Bucket, then to an Access Logs Glacier Vault via Lifecycle Rules

• Amazon EC2 Log Events to CloudWatch Logs, CloudWatch Metric Filters, CloudWatch Alarms, SNS Email Notifications

• Elastic Load Balancing Access Logs to an Access Logs S3 Bucket, then to an Access Logs Glacier Vault via Lifecycle Rules

• VPC Flow Log Packets to CloudWatch Logs, CloudWatch Metric Filters, CloudWatch Alarms, SNS Email Notifications

Secure by Design

Visibility

• CloudTrail, Config and the AWS Console provide a lot of great information

• Can be hard to find the needle in the haystack...

• Enter Netflix OSS Security Monkey

“You can’t secure what you don’t know about…”

Secure by Design

Security Monkey

Security Monkey: Overview

Security Monkey: Overview - Search

Security Monkey: Overview - Resources

Security Monkey: Users with Admin

Security Monkey: Users with Admin

Security Monkey: Users with Admin – What Changed?

Security Monkey: VPCs with IGWs

Secure by Design

Secure Bastions

Challenge

Secure Bastions (diagram): RDP/SSH from the Internet to a Bastion, which can then Pivot to the SQL Server holding Your Data

Solution

Secure Bastions: Multi-Factor Authentication (diagram): RDP from the Internet to the Secure Bastion, with HTTPS out to the MFA service

Duo Login to Windows

Duo Login to Windows: MFA Prompt

Duo Login to Windows: Duo Mobile App

Duo Login to Linux

Solution

Secure Bastions: Dedicated (diagram): RDP to the Secure Bastion, RDP on to a dedicated SQL Tools Server running SQL Mgmt, which connects to the SQL Server

Solution

Secure Bastions: Restrict Network Egress (diagram): RDP to the Secure Bastion, RDP on to the SQL Tools Server, then to the SQL Server; egress from the bastion to the Internet is restricted

Solution

Secure Bastions: Restrict EC2 Instance Profiles (diagram): the Logged-in User on the Secure Bastion receives Temporary AWS Creds from the “Secure Bastion” EC2 Instance Profile (IAM Role + IAM Policy); the privileged action shown is Delete RDS SQL DB

Secure Bastions: Restrict EC2 Instance Profiles (diagram, continued): the SQL Tools Server has its own “SQL Tools” EC2 Instance Profile, so the Logged-in User there receives Temporary AWS Creds scoped to that profile; the Secure Bastion profile is shown against Delete RDS SQL DB, the SQL Tools profile against Create RDS SQL DB
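One way to review an instance profile's policy before it goes onto a bastion, as an added example (not the presentation's, Xero's or Bulletproof's code): it expands IAM action wildcards such as rds:Delete* against a constructed watch-list, honours explicit Deny, and deliberately ignores Resource and Condition so it over-reports rather than under-reports. The same matcher with an admin-style watch-list answers the "users with admin" question Security Monkey raises on the earlier slides.

```python
# Added example (not from the presentation): which destructive API actions can an EC2 instance
# profile's IAM policy reach? Resource and Condition are ignored on purpose, so a hit means
# "possible", not "certain"; review every hit before attaching the profile to a bastion.
import fnmatch

# Constructed watch-list for this example; extend it with whatever a bastion must never do.
DESTRUCTIVE_ACTIONS = ["rds:DeleteDBInstance", "rds:DeleteDBCluster",
                       "ec2:TerminateInstances", "s3:DeleteObject", "iam:CreateUser"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    """IAM action matching is case-insensitive and supports the * wildcard (e.g. rds:Delete*)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def reachable_destructive_actions(policy, watch_list=DESTRUCTIVE_ACTIONS):
    """Return the watch-listed actions the policy allows after explicit Denies are applied."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt:  # NotAction covers every action except those listed
            hits = {a for a in watch_list if not _matches(a, _as_list(stmt["NotAction"]))}
        else:
            hits = {a for a in watch_list if _matches(a, _as_list(stmt.get("Action", [])))}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return allowed - denied  # an explicit Deny always overrides an Allow

# Constructed policies mirroring the slide: the bastion profile may only describe RDS and ship
# its logs; the SQL Tools profile may create databases; the third is the over-broad mistake.
SECURE_BASTION_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["rds:Describe*", "logs:PutLogEvents"], "Resource": "*"}]}
SQL_TOOLS_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["rds:CreateDBInstance", "rds:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "rds:Delete*", "Resource": "*"}]}
OVERBROAD_POLICY = {"Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*"}]}
```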

Solution

Secure Bastions: Disposable (diagram): every 7 Days the Secure Bastion is replaced; an EBS Snapshot is kept for Forensics and a fresh Secure Bastion is deployed from the “Golden Image” AMI

Key learnings

• Measure and Test, Monitor Everything

• Welcome to the cloud - "Where's my span port?"

• Security by Design - What's that?

• Communication is Key - Who are your spokespeople?

Final takeaways

• Repeatable and Automated build and management of Security Systems

• Accelerated pace of security innovation

• On-Demand security infrastructure that works at any scale

What can I do today?

Things you can do right now

• User MFA Tokens

• AWS Config

• AWS CloudTrail

Things you should consider

• Netflix Security Monkey

• Duo MFA

• Granular Roles

Only A/NZ AWS Premier Partner at the Summit

Over 700+ Happy Customers