Compliance in the Cloud Using Security by Design


Transcript of Compliance in the Cloud Using Security by Design

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Tim Sandage, Sr. Security Partner Strategist

Vidhya Krishnamoorthy, Sr. Engineer, DevOps, VeriFone

July 13, 2016

Compliance in the Cloud Using

Security by Design

Problem Statement

Increasing complexity (mobility, system connectivity) causes increasing difficulty in managing risk and security and demonstrating compliance.

Current State – Technology Governance

Policies

Procedures and Guidelines

Standards

Issues – Technology Governance

The majority of technology governance processes rely predominantly on administrative and operational security controls with LIMITED technology enforcement.

Assets

Threat

Vulnerability

Risk

AWS has an opportunity to innovate and advance Technology Governance Services.

Flexibility and Complexity

What is the regulatory requirement?

What's in-scope or out-of-scope?

How to verify the standards are met?

Security by Design

Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing.

Instead of relying on auditing security retroactively, SbD provides security controls built in throughout the AWS IT management process.

Identity & Access

Management

CloudTrail

CloudWatch

Config Rules

Trusted Advisor

CloudHSM

Key Management Service

Directory Service

Security by Design - Design Principles

• Build security in every layer

• Design for failures

• Implement auto-healing

• Think parallel

• Plan for Breach

• Don't fear constraints

• Leverage different storage options

• Design for cost

• Treat Infrastructure as Code

• Modular

• Versioned

• Constrained

Developing new risk mitigation capabilities that go beyond global security frameworks: treating risks, eliminating manual processes, and streamlining evidence collection and audit processes through rigorous automation.

SbD - Eco-system

Security by Design (SbD)

AWS CloudFormation

AWS Config Rules

Amazon Inspector

SbD - Modernize Tech Governance (MTG)

Why?

Complexity is growing, making the old way to govern technology obsolete.

You need the automation that AWS offers to manage security.

Goal - Modernize Tech Governance (MTG)

Adopting “Prevent” controls, making “Detect” controls more powerful and comprehensive.

SbD - Modernizing Technology Governance (MTG)

1. Decide what to do (Strategy)
   1.1 Identify Stakeholders
   1.2 Identify Your Workloads Moving to AWS

2. Analyze and Document (outside of AWS)
   2.1 Rationalize Security Requirements
   2.2 Define Data Protections and Controls
   2.3 Document Security Architecture

3. Automate, Deploy & Monitor
   3.1 Build/deploy Security Architecture
   3.2 Automate Security Operations
   3.3 Continuous Monitor
   3.4 Testing and Game Days

4. Certify
   4.1 Audit and Certification

SbD – Rationalize Security Requirements

AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security configuration guides that will align to multiple security frameworks globally.

https://www.cisecurity.org/

The Benchmarks are:

• Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices

• Distributed free of charge by CIS in PDF format

• Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices

SbD – AWS CIS Benchmark Scope

Foundational Benchmark: CloudTrail, Config & Config Rules, Key Management Service, Identity & Access Management, CloudWatch, S3, SNS

Three-tier Web Architecture: EC2, Elastic Load Balancing, VPC, Direct Connect, Amazon Elastic Block Store, CloudHSM, Glacier, Route 53, VPN Gateway, CloudFront
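The Foundational Benchmark scope above maps onto checks that AWS Config Rules can enforce continuously. The following is an added example written for this transcript, not code from the talk, from AWS or from CIS: the evaluation logic of a custom Config rule in the style of the CIS AWS Foundations Benchmark, covering a CloudTrail trail and the IAM account password policy. Field names follow the CloudTrail DescribeTrails and IAM GetAccountPasswordPolicy API responses and the event shape Config sends to a custom-rule Lambda function; treat those as assumptions and verify them against a real Config snapshot before deploying. The sample inputs at the bottom are constructed.

```python
"""CIS AWS Foundations-style evaluation logic for a custom AWS Config rule.

Added example; not code from the talk, AWS or CIS. Field names follow the
CloudTrail DescribeTrails and IAM GetAccountPasswordPolicy API responses
(assumption: check them against your own Config snapshots). Sample inputs
at the bottom are constructed.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def evaluate_trail(trail):
    """Logging checks in the spirit of the CIS Foundations logging section.

    `trail` is a dict like one element of DescribeTrails()['trailList'].
    Returns (compliance_type, annotation).
    """
    problems = []
    if not trail.get("IsMultiRegionTrail"):
        problems.append("trail is not multi-region")
    if not trail.get("LogFileValidationEnabled"):
        problems.append("log file validation is disabled")
    if not trail.get("KmsKeyId"):
        problems.append("log files are not encrypted with a KMS key")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        problems.append("trail is not delivered to CloudWatch Logs")
    if problems:
        return NON_COMPLIANT, "; ".join(problems)
    return COMPLIANT, "trail meets the logging checks"


def evaluate_password_policy(policy):
    """IAM password policy checks in the spirit of the CIS Foundations IAM section.

    `policy` is a dict like GetAccountPasswordPolicy()['PasswordPolicy'];
    an empty dict models an account with no policy set at all.
    """
    problems = []
    if policy.get("MinimumPasswordLength", 0) < 14:
        problems.append("minimum length is below 14")
    required = (("RequireUppercaseCharacters", "uppercase letters"),
                ("RequireLowercaseCharacters", "lowercase letters"),
                ("RequireNumbers", "numbers"),
                ("RequireSymbols", "symbols"))
    for flag, label in required:
        if not policy.get(flag):
            problems.append(f"{label} are not required")
    if policy.get("PasswordReusePrevention", 0) < 24:
        problems.append("fewer than 24 previous passwords are remembered")
    max_age = policy.get("MaxPasswordAge", 0)
    if max_age == 0 or max_age > 90:
        problems.append("passwords do not expire within 90 days")
    if problems:
        return NON_COMPLIANT, "; ".join(problems)
    return COMPLIANT, "password policy meets the IAM checks"


def handler(event, context=None):
    """Entry point shaped like a custom AWS Config rule Lambda function.

    Config passes the configuration item as a JSON string in
    event['invokingEvent']. A deployed rule would hand the returned list to
    boto3.client('config').put_evaluations(Evaluations=..., ResultToken=
    event['resultToken']); that call is omitted so the example runs offline.
    The password policy is not a Config resource type, so it belongs in a
    periodic rule that calls iam.get_account_password_policy() itself.
    """
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::CloudTrail::Trail":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates CloudTrail trails"
    else:
        compliance, note = evaluate_trail(item["configuration"])
    return [{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }]


# Constructed sample inputs: a trail as the console first creates it, one
# hardened per the checks above, and a weak and a strong password policy.
WEAK_TRAIL = {"Name": "default", "S3BucketName": "example-trail-logs",
              "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}
HARDENED_TRAIL = dict(
    WEAK_TRAIL, IsMultiRegionTrail=True, LogFileValidationEnabled=True,
    KmsKeyId="arn:aws:kms:us-east-1:111122223333:key/example",
    CloudWatchLogsLogGroupArn="arn:aws:logs:us-east-1:111122223333:log-group:CloudTrail:*")
WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireNumbers": True}
STRONG_POLICY = {"MinimumPasswordLength": 14, "RequireUppercaseCharacters": True,
                 "RequireLowercaseCharacters": True, "RequireNumbers": True,
                 "RequireSymbols": True, "PasswordReusePrevention": 24,
                 "MaxPasswordAge": 90}
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::CloudTrail::Trail", "resourceId": "default",
        "configurationItemCaptureTime": "2016-07-13T00:00:00.000Z",
        "configuration": WEAK_TRAIL}}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(evaluate_trail(WEAK_TRAIL))
    print(evaluate_password_policy(WEAK_POLICY))
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The annotation carries every failed check rather than only the first, so the Config console shows the whole remediation list for a resource in one place.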

Define Data Protections and Controls

Document Security Architecture

https://getcompliant.allgress.com/gc

Business Case: VeriFone Commerce Platform

• Global leader in secure POS solutions

• Commerce Portal: Secure B2B App Marketplace and Developer Platform enabling merchants to customize the point of sale through innovative apps that provide customers with rich, contextual experiences in store

Services in the architecture diagram: S3, CodeDeploy, CloudFormation, KMS, CloudHSM, CloudTrail

Note: All tiers are designed for auto-scaling, automated Multi-AZ failover

Security Considerations

● Multiple AWS accounts

● VPC, private subnets for application servers and RDS

● Minimal network perimeter (Only SSL Terminating Reverse Proxy in DMZ)

● Tightened Security Groups - fine grained rules for ports and CIDRs

● Immutable Docker containers, CloudTrail, Log aggregation using Splunk

● Compliance with “All code stays on-premises”

Security Considerations (Contd)

● CIS-benchmarked AMIs

● Hardened Linux/Software

● KMS-based secret management

● Two-factor authentication on AMIs

● Advanced user and key management using LDAP. Elimination of ec2-user

● HSM for secure data/keys

Secure Code Delivery Pipeline

Dev: Code + Dockerfile -> S3/KMS -> Prod: Code -> Docker Image
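The pipeline slide shows code and a Dockerfile travelling from Dev through S3/KMS into the Prod image build, with immutable containers as the result. What the slide does not show is the gate the production side should run before `docker build`. The block below is an added example written for this transcript, not VeriFone's or AWS's code: the dev side packages the files as a tar.gz and signs a manifest of per-file SHA-256 digests with an HMAC; the prod side refuses to build unless the signature, the bundle digest and every file digest check out. The HMAC key is a constructed stand-in for a data key obtained from KMS (for example via GenerateDataKey) and shared only with the build and deploy roles; the S3 upload and download and the KMS calls are omitted so the example runs offline, and the sample files are constructed.

```python
"""Integrity gate for a Dev -> S3/KMS -> Prod code bundle.

Added example; not code from the talk, VeriFone or AWS. The HMAC key below
is a constructed stand-in for a KMS-protected data key; the S3 transfer and
KMS calls are left out so this runs offline.
"""
import hashlib
import hmac
import io
import json
import tarfile

# Constructed stand-in for a KMS-protected data key. Never embed a real key
# in source; fetch it from KMS at run time with the build/deploy role.
DATA_KEY = b"constructed-example-key-do-not-use"


def build_bundle(files):
    """Dev side: package {path: bytes} into a tar.gz plus a signed manifest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path in sorted(files):
            info = tarfile.TarInfo(path)
            info.size = len(files[path])
            tar.addfile(info, io.BytesIO(files[path]))
    bundle = buf.getvalue()
    manifest = {
        "files": {p: hashlib.sha256(files[p]).hexdigest() for p in sorted(files)},
        "bundle_sha256": hashlib.sha256(bundle).hexdigest(),
    }
    body = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(DATA_KEY, body, hashlib.sha256).hexdigest()
    return bundle, body, sig


def verify_bundle(bundle, manifest_body, sig):
    """Prod side: return (ok, reason). Build the image only when ok is True."""
    expected = hmac.new(DATA_KEY, manifest_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "manifest signature mismatch"
    manifest = json.loads(manifest_body)
    if hashlib.sha256(bundle).hexdigest() != manifest["bundle_sha256"]:
        return False, "bundle digest mismatch"
    seen = {}
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Reject anything that is not a plain file inside the bundle root
            # (symlinks, devices, absolute or parent-relative paths).
            if not member.isfile() or member.name.startswith(("/", "..")):
                return False, f"unexpected member {member.name!r}"
            data = tar.extractfile(member).read()
            seen[member.name] = hashlib.sha256(data).hexdigest()
    if seen != manifest["files"]:
        return False, "file list or content differs from manifest"
    if "Dockerfile" not in seen:
        return False, "bundle has no Dockerfile"
    return True, "bundle verified"


# Constructed code bundle; a real one comes from the repository checkout.
SAMPLE_FILES = {
    "Dockerfile": b"FROM amazonlinux:2016.09\nCOPY app.py /app/\nUSER app\n",
    "app.py": b"print('hello')\n",
}


def tampered_copy(bundle, manifest_body, sig):
    """Simulate someone swapping the bundle in S3 for one whose Dockerfile runs as root.

    The original manifest and signature are kept because the attacker has no
    data key; the signature from the rebuilt bundle is discarded.
    """
    files = dict(SAMPLE_FILES)
    files["Dockerfile"] = files["Dockerfile"].replace(b"USER app\n", b"")
    evil_bundle, _, _ = build_bundle(files)
    return evil_bundle, manifest_body, sig


if __name__ == "__main__":
    bundle, body, sig = build_bundle(SAMPLE_FILES)
    print(verify_bundle(bundle, body, sig))
    print(verify_bundle(*tampered_copy(bundle, body, sig)))
```

The manifest is checked before the archive is opened, so a tampered or unsigned bundle never reaches the tar parser, and the member filter stops a path-traversal entry from landing outside the build directory.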

Other Benefits

Availability: HA with Multi-AZ solution

Auto-Scaling

Innovation: Infrastructure as Code

Agility and Flexibility

Ansible-based config management

Dockerfiles for software provisioning

Full CI/CD

Next Steps

• Continue Security by Design approach – AWS WAF for firewall

• Enhance User Management – LDAP authentication/SSO approaches

• EC2 Run Command/OpsWorks for operations

• ECS for Docker and ECR for Docker Registry

Partnership

• Established an AWS/DevOps philosophy at Verifone

• Architected/Implemented foundation layer for the Verifone solution

• Built a POC that provided security with agility

SbD – Automate Security Operations

Automate deployments, provisioning, and configurations of the AWS customer environments

CloudFormation: Template -> Stack (Instances, Apps, Resources)

Service Catalog: Design -> Package -> Products -> Portfolios -> Deploy -> Constrain

Identity & Access Management: Set Permissions
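The "Constrain" step is where "Prevent" controls live: a CloudFormation template can be checked against the security architecture before a stack is ever created, instead of auditing the running environment afterwards. The block below is an added example written for this transcript, not code from the talk or from AWS. It lints a template (loaded as a plain dict from JSON) for three of the controls the deck mentions: no security group ingress open to the world except HTTPS, every S3 bucket with default server-side encryption, and every CloudTrail trail with log file validation and multi-region coverage. The allowed-port set is an assumption for a web tier, ports are assumed to be literal numbers rather than Ref or parameter expressions, and both templates at the bottom are constructed.

```python
"""Pre-deployment constraint checks over a CloudFormation template.

Added example; not code from the talk or AWS. Templates are plain dicts
(json.load of the template file). Assumptions: ports are literal integers
and the only port a web tier may expose to the world is 443.
"""
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}
ALLOWED_WORLD_PORTS = {443}


def check_ingress(name, rules):
    """Findings for CloudFormation ingress rule dicts that are open to the world."""
    findings = []
    for rule in rules:
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in WORLD:
            continue
        proto = str(rule.get("IpProtocol"))
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if proto == "-1" or lo is None or hi is None:
            findings.append(f"{name}: all traffic open to {cidr}")
        elif int(lo) != int(hi) or int(lo) not in ALLOWED_WORLD_PORTS:
            findings.append(f"{name}: {proto} {lo}-{hi} open to {cidr}")
    return findings


def check_template(template):
    """Return a list of findings; an empty list means the template may deploy."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            findings += check_ingress(name, props.get("SecurityGroupIngress", []))
        elif rtype == "AWS::EC2::SecurityGroupIngress":
            # Standalone ingress resources carry the rule fields directly.
            findings += check_ingress(name, [props])
        elif rtype == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append(f"{name}: S3 bucket without default encryption")
        elif rtype == "AWS::CloudTrail::Trail":
            if not props.get("EnableLogFileValidation"):
                findings.append(f"{name}: trail without log file validation")
            if not props.get("IsMultiRegionTrail"):
                findings.append(f"{name}: trail is not multi-region")
    return findings


# Constructed templates: the first would pass CloudFormation validation but
# violates all three controls; the second is the corrected version.
WEAK_TEMPLATE = {"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier", "VpcId": "vpc-00000000",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "IsLogging": True, "S3BucketName": {"Ref": "LogBucket"}}},
}}

HARDENED_TEMPLATE = {"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier", "VpcId": "vpc-00000000",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "IsLogging": True, "S3BucketName": {"Ref": "LogBucket"},
        "EnableLogFileValidation": True, "IsMultiRegionTrail": True}},
}}

if __name__ == "__main__":
    # Usage: python check_template.py template.json  (defaults to the weak sample)
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else WEAK_TEMPLATE
    problems = check_template(template)
    for problem in problems:
        print("BLOCK:", problem)
    sys.exit(1 if problems else 0)
```

The non-zero exit status is what makes this a preventive control: wired into the pipeline stage before CreateStack or a Service Catalog product update, a failing template never reaches the account.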

AWS CloudTrail, EMR, Kinesis, VPC, ELB, S3, Lambda, AWS Config, AWS CloudWatch, IoT, Other Services -> Add-on for AWS -> Splunk App for AWS: Explore, Analyze, Dashboard, Alert

Use Cases for AWS:

Security Intelligence (CloudTrail, CloudWatch, VPC)

Operational Intelligence (CloudWatch, ELB, etc.)

DevOps Intelligence (CloudWatch, Lambda)

Big Data Insights (Kinesis, EMR, IoT, S3)

Continuous Monitor – Splunk: AWS CloudTrail Resource Activity

Splunk App for AWS – Visualize & Monitor: AWS CloudTrail User Activity
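Continuous monitoring is only as good as the rules run over the CloudTrail stream. The block below is an added example written for this transcript, not code from the talk, from Splunk or from AWS: the kind of detection logic a Splunk alert (or a CloudWatch Logs metric filter) would express, run here over newline-delimited CloudTrail records. The four rules follow the monitoring the CIS AWS Foundations Benchmark asks for: root account use, console sign-in without MFA, security group changes, and changes to CloudTrail itself. Records use the documented CloudTrail event format; the sample log lines are constructed, not real events, and the account ID and principal IDs in them are placeholders.

```python
"""Detection rules over CloudTrail records, as a continuous-monitoring alert would run them.

Added example; not code from the talk, Splunk or AWS. The sample log lines
below are constructed and the identifiers in them are placeholders.
"""
import json

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
SG_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
              "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
              "CreateSecurityGroup", "DeleteSecurityGroup"}


def classify(record):
    """Return the alert names raised by one parsed CloudTrail record."""
    alerts = []
    identity = record.get("userIdentity", {})
    name = record.get("eventName", "")
    # Root usage: ignore calls AWS services make on root's behalf, which carry
    # invokedBy or an AwsServiceEvent eventType.
    if (identity.get("type") == "Root" and not identity.get("invokedBy")
            and record.get("eventType") != "AwsServiceEvent"):
        alerts.append("root_account_used")
    if name == "ConsoleLogin":
        success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        if success and mfa != "Yes":
            alerts.append("console_login_without_mfa")
    if name in SG_CHANGES:
        alerts.append("security_group_changed")
    if name in TRAIL_TAMPERING:
        alerts.append("cloudtrail_modified")
    return alerts


def scan(lines):
    """Parse JSON lines and return (alert, principal_arn, eventTime, eventName) tuples."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line is skipped, not allowed to stop the scan
        who = record.get("userIdentity", {}).get("arn", "<unknown>")
        for alert in classify(record):
            hits.append((alert, who, record.get("eventTime"), record.get("eventName")))
    return hits


# Constructed sample records (not real events); the last line is deliberately truncated.
SAMPLE_LOG = """
{"eventVersion":"1.05","eventTime":"2016-07-13T14:02:11Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root","principalId":"111122223333","arn":"arn:aws:iam::111122223333:root","accountId":"111122223333"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventVersion":"1.05","eventTime":"2016-07-13T14:10:45Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","principalId":"AIDAEXAMPLE","arn":"arn:aws:iam::111122223333:user/alice","accountId":"111122223333","userName":"alice"},"sourceIPAddress":"203.0.113.11","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventVersion":"1.05","eventTime":"2016-07-13T14:12:03Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"awsRegion":"us-east-1","requestParameters":{"groupId":"sg-0a1b2c3d","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}}
{"eventVersion":"1.05","eventTime":"2016-07-13T14:15:30Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"name":"default"}}
{"eventVersion":"1.05","eventTime":"2016-07-13T14:16:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"}}
{"eventVersion":"1.05","eventTime":"2016-07-13T14:17:00Z","eventName":"StopLogging"
"""

if __name__ == "__main__":
    for alert, who, when, event in scan(SAMPLE_LOG.splitlines()):
        print(f"{when} {alert:28} {event:32} {who}")
```

Each hit keeps the principal ARN and timestamp so the alert can be pivoted straight back into the raw CloudTrail record in Splunk; the read-only DescribeInstances call and the truncated line produce nothing.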

SbD - Modernizing Technology Governance (MTG)

Automate Governance -> Automate Deployments -> Automate Security Operations -> Continuous Compliance -> Closing the Loop

SbD - Modernizing Technology Governance

Result: Reliable technical implementation and enforcement of operational and administrative controls

AWS Resources

Amazon Web Services Cloud Compliance

• https://aws.amazon.com/compliance/

SbD website and whitepaper – to wrap your head around this

• https://aws.amazon.com/compliance/security-by-design/