Let’s Make College Happen Building a More Secure Cloud Architecture Jerry Archer SVP and CSO

Page 1: Building a More Secure Cloud Architecture · Let’s Make College Happen Building a More Secure Cloud Architecture Jerry Archer SVP and CSO . Security Guiding Principles in the Cloud

Let’s Make College Happen

Building a More Secure Cloud Architecture

Jerry Archer, SVP and CSO

Page 2: Security Guiding Principles in the Cloud

Secure Perimeter

• Micro-segmentation – isolating applications and data with a hardened configuration immune to attack
• Strong abstraction layer from hardware and VM environment
• Restricted visibility into computing environment
• Discrete and limited perimeter which can be subjected to effective monitoring

Continuous Encryption

• Encryption of data at rest
• Encryption of data in transit
• Secure key management – leveraging PKI for transaction functions

Continuous Monitoring

• Reachable attachment points for monitoring capabilities through comprehensive APIs
• Robust monitoring data availability
• Easy integration of third party monitoring capabilities

Resilient Operations

• Capable of withstanding attack
• Minimal degradation of performance as a result of environmental failures
• Continuous function in the presence of an ongoing attack

Highly Granular Access Control

• Capable of highly granular resource allocation
• Strong cryptographic identity management
• Ubiquitous – users, administrators, applications, data

Governance, Risk Management, Compliance

• Visibility of configurations
• Readily identify gaps or other weaknesses
• Auditable evidence

Ready Incident Response

• Broad regulatory and compliance certifications
• Hybrid automation and manual response

Page 3: Basic AWS Building Block: Virtual Private Cloud (VPC)

• VPC is a logically isolated section of AWS cloud using SDN functionality
• Complete control over the virtual networking environment
  • IP address ranges
  • Creation of subnets, route tables and network gateways
  • Supporting both IPv4 and IPv6
• Custom Sallie Mae AWS network configuration (template based)
  • Front office public-facing subnet for webservers
  • Backend systems private-facing subnets with no Internet access
  • Multiple layers of security, including security groups and network access control lists limiting access
  • Virtual Private Network (VPN) connection between corporate datacenter and Sallie Mae VPCs
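As an added check for the layout this slide describes (not code from the deck or from Sallie Mae), the script below walks a constructed VPC snapshot and flags any private subnet that has a route to an Internet-facing gateway or a security group rule admitting traffic from outside the VPC or the VPN-connected corporate range; the VPC CIDR, corporate CIDR, subnet ids and rules are assumed sample values.

```python
import ipaddress

VPC_CIDR = "10.0.0.0/16"           # constructed VPC range
CORPORATE_CIDR = "192.168.0.0/16"  # constructed datacenter range reached over the VPN

# Constructed snapshot of one VPC; ids, targets and rules are made up.
# Real data would come from the EC2 DescribeRouteTables / DescribeSecurityGroups
# APIs, which this example deliberately does not call.
SNAPSHOT = {
    "subnets": {
        "subnet-web": "public",    # front office web servers
        "subnet-app": "private",   # back-end application tier
        "subnet-db": "private",    # back-end database tier
    },
    "routes": {                    # (destination, target) beyond the implicit local route
        "subnet-web": [("0.0.0.0/0", "igw-1")],
        "subnet-app": [("192.168.0.0/16", "vgw-1")],   # VPN to the corporate datacenter
        "subnet-db": [("0.0.0.0/0", "igw-1")],         # drift: a private tier with a default route out
    },
    "sg_ingress": {                # (port, source CIDR) rules attached in each subnet
        "subnet-web": [(443, "0.0.0.0/0")],
        "subnet-app": [(8443, "10.0.1.0/24")],
        "subnet-db": [(3306, "0.0.0.0/0")],            # drift: database port open to the world
    },
}


def allowed_source(cidr):
    """True if cidr lies entirely inside the VPC or the VPN-connected corporate range."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in (VPC_CIDR, CORPORATE_CIDR))


def private_subnet_findings(snapshot):
    """Return (subnet, reason) for each way a private subnet can reach or be reached from the Internet."""
    findings = []
    for subnet, tier in snapshot["subnets"].items():
        if tier == "public":
            continue
        for dst, target in snapshot["routes"].get(subnet, []):
            # Internet, NAT and egress-only gateways all give Internet reachability.
            if target.startswith(("igw-", "nat-", "eigw-")):
                findings.append((subnet, f"route {dst} via {target} gives Internet access"))
        for port, src in snapshot["sg_ingress"].get(subnet, []):
            if not allowed_source(src):
                findings.append((subnet, f"port {port} reachable from {src}"))
    return findings
```

Run against the sample, only the database subnet is reported, once for its default route and once for the world-open port; an empty list means the private tiers match the slide's "no Internet access" intent.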

Page 4: Software Defined Perimeter (SDP)

• Pre-authenticated
  • Eliminates major vulnerability in TCP/IP
  • Authentication prior to connection
• Context-aware (granular access control)
  • Secure access to enterprise applications
• Isolating communications to end-user devices
  • Enables rapid identification and prevention of network-based cyberattacks such as denial of service, connection hijacking, and credential theft
  • Significant improvement in vulnerability management
• Leverages industry standard security capabilities (SAML, PKI, and mutually authenticated TLS)
• SDP Controller functions as a trust broker between the SDP Client and back-end security controls such as Issuing Certificate Authority (CA) and identity provider (SAML)
• An open standard and controller code supported by Cloud Security Alliance (CSA)
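As an added illustration of the "authentication prior to connection" property (not the CSA SDP reference code or Sallie Mae's deployment), the model below substitutes an HMAC enrollment tag for the client certificate and a static entitlement table for the SAML identity provider; the controller brokers a short-lived grant bound to one device and one service, and the gateway drops every connection attempt that does not carry a valid one. The Controller and Gateway classes, the user, device and service names are all assumed.

```python
import hashlib, hmac, secrets, time


class Controller:
    """Trust broker: checks identity and entitlement, issues short-lived, scoped grants."""
    def __init__(self, entitlements, enrollment_key):
        self.entitlements = entitlements      # user -> set of services (stands in for SAML attributes)
        self.enrollment_key = enrollment_key  # shared secret standing in for the issuing CA
        self.grants = {}                      # grant_id -> (user, service, device, expiry)

    def device_tag(self, user, device):
        """Tag proving device enrollment (simplification of a client certificate)."""
        return hmac.new(self.enrollment_key, f"{user}|{device}".encode(), hashlib.sha256).hexdigest()

    def authorize(self, user, device, tag, service, ttl=60):
        if not hmac.compare_digest(self.device_tag(user, device), tag):
            return None                       # unenrolled device: no grant, no connection
        if service not in self.entitlements.get(user, set()):
            return None                       # authenticated but not entitled to this service
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = (user, service, device, time.time() + ttl)
        return grant_id

    def validate(self, grant_id, service, device):
        g = self.grants.get(grant_id)
        return g is not None and g[1] == service and g[2] == device and g[3] > time.time()


class Gateway:
    """Default-drop: an attempt without a valid grant is discarded before any service is exposed."""
    def __init__(self, controller):
        self.controller = controller
        self.log = []                         # (verdict, device, service), feeds monitoring

    def connect(self, device, service, grant_id=None):
        ok = grant_id is not None and self.controller.validate(grant_id, service, device)
        self.log.append(("accept" if ok else "drop", device, service))
        return ok


def demo():
    """Walk one client through the flow; returns the outcome of each step."""
    ctl = Controller({"alice": {"payroll"}}, secrets.token_bytes(32))
    gw = Gateway(ctl)
    tag = ctl.device_tag("alice", "laptop-1")
    grant = ctl.authorize("alice", "laptop-1", tag, "payroll")
    return (gw.connect("laptop-1", "payroll"),                   # no grant yet: dropped
            gw.connect("laptop-1", "payroll", grant),            # brokered grant: accepted
            gw.connect("laptop-2", "payroll", grant),            # grant bound to device: dropped
            ctl.authorize("alice", "laptop-1", tag, "hr") is None)  # not entitled: no grant
```

Every dropped attempt is logged with no service response, which is what makes unauthenticated probing visible to monitoring while leaving the protected service invisible to the prober.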

Page 5: Sallie Mae Virtual Enclave: Leveraging AWS VPC to Achieve Robust Cloud Security

Implementation of the Virtual Enclave (VE) architecture utilizes micro-segmentation to provide customizable, strong logical isolation of Sallie Mae systems and services using software defined security techniques, meeting all of the essential elements of security in the cloud.

Benefits of this implementation:

• Leverages basic building block of AWS Virtual Private Clouds (VPCs)
• Granular inter/intra VE visibility/access
• Leverage of AWS native encryption within the VE
• Limit client device access (granular access control)
• Enhanced perimeter with Software Defined Perimeter (SDP)
• “Invisibility” of the VE

Page 6: Integrated Cloud Security and Architecture with SDP

[Architecture diagram; only its labels survive extraction. Principle labels (matching Page 2): Perimeter Security; Ready Incident Response; Resilient Operations; Continuous Encryption; Highly Granular Access Control; Governance, Risk and Compliance. Control labels: Log Immutability; Strong User Authentication; Active Directory Federation; WAF, F/W, IPS, IDS, DDoS; Forensics Preservation; Threat Monitoring / Hunting; Machine Learning, UBA; Continuous Compliance Monitoring; IAM Dynamic Access Leases; Region Lock; Tamper Protection; Auto-Remediation of Non-Compliance; ServiceNow; Bastion Host DMZ; 24/7 SOC; Advanced IaaS Endpoint Protection; Secure Web Gateway (Egress) – Malware, Content, DLP inspection; Centralized Egress; Endpoint.]