Compliance in the Cloud Using Security by Design
Transcript of Compliance in the Cloud Using Security by Design
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tim Sandage, Sr. Security Partner Strategist
Vidhya Krishnamoorthy, Sr. Engineer, DevOps, VeriFone
July 13, 2016
Compliance in the Cloud Using Security by Design
Problem Statement
Increasing complexity (mobility, system connectivity) causes increasing difficulty in managing risk and security and demonstrating compliance.
Issues – Technology Governance
The majority of technology governance processes relies predominantly on administrative and operational security controls with LIMITED technology enforcement.
[Diagram: Assets, Threat, Vulnerability, Risk]
AWS has an opportunity to innovate and advance Technology Governance Services.
Flexibility and Complexity
• What is the regulatory requirement?
• What's in-scope or out-of-scope?
• How to verify the standards are met?
Security by Design
Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing.
Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process.
[Diagram of supporting services: Identity & Access Management, CloudTrail, CloudWatch, Config Rules, Trusted Advisor, Cloud HSM, Key Management Service, Directory Service]
Security by Design - Design Principles
• Build security in every layer
• Design for failures
• Implement auto-healing
• Think parallel
• Plan for Breach
• Don't fear constraints
• Leverage different storage options
• Design for cost
• Treat Infrastructure as Code
  • Modular
  • Versioned
  • Constrained
Developing new risk mitigation capabilities, which go beyond global security frameworks, by treating risks, eliminating manual processes, and optimizing evidence and audit ratification processes through rigid automation.
SbD - Modernize Tech Governance (MTG)
Why? Complexity is growing, making the old way to govern technology obsolete. You need the automation that AWS offers to manage security.
Goal - Modernize Tech Governance (MTG)
Adopting “Prevent” controls, making “Detect” controls more powerful and comprehensive.
SbD - Modernizing Technology Governance (MTG)
1. Decide what to do (Strategy)
   1.1 Identify Stakeholders
   1.2 Identify Your Workloads Moving to AWS
2. Analyze and Document (outside of AWS)
   2.1 Rationalize Security Requirements
   2.2 Define Data Protections and Controls
   2.3 Document Security Architecture
3. Automate, Deploy & Monitor
   3.1 Build/deploy Security Architecture
   3.2 Automate Security Operations
   3.3 Continuous Monitor
   3.4 Testing and Game Days
4. Certify
   4.1 Audit and Certification
SbD – Rationalize Security Requirements
AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security configuration guides that will align to multiple security frameworks globally.
https://www.cisecurity.org/
The Benchmarks are:
• Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices
• Distributed free of charge by CIS in .PDF format
• Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.
SbD – AWS CIS Benchmark Scope
Foundational Benchmark: CloudTrail, Config & Config Rules, Key Management Service, Identity & Access Management, CloudWatch, S3, SNS
Three-tier Web Architecture: EC2, Elastic Load Balancing, VPC, Direct Connect, Amazon Elastic Block Store, Cloud HSM, Glacier, Route 53, VPN Gateway, CloudFront
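As an added example (not code from the deck or from AWS), here is the kind of "Detect" control the Foundational Benchmark scope implies: the evaluation logic of a custom AWS Config rule that checks a CloudTrail trail's configuration item for the CIS-style hardening settings (multi-region, log file validation, KMS encryption, global service events). The Config event layout and the camelCase configuration field names are assumptions about the Config custom-rule interface, and the sample event is constructed.

```python
"""Evaluation logic for a custom AWS Config rule over AWS::CloudTrail::Trail.
Example code, not from the presentation. Field names in the configuration
item (isMultiRegionTrail, logFileValidationEnabled, kmsKeyId,
includeGlobalServiceEvents) are assumed to mirror the CloudTrail API."""
import json


def trail_findings(cfg):
    """Return the list of failed hardening checks for one trail config dict."""
    findings = []
    if not cfg.get("isMultiRegionTrail", False):
        findings.append("trail is not multi-region")
    if not cfg.get("logFileValidationEnabled", False):
        findings.append("log file validation disabled")
    if not cfg.get("kmsKeyId"):
        findings.append("logs not encrypted with a KMS key")
    if not cfg.get("includeGlobalServiceEvents", False):
        findings.append("global service events (IAM, STS) not recorded")
    return findings


def evaluate_trail(cfg):
    """Map findings to the Config compliance verdict plus an annotation."""
    findings = trail_findings(cfg)
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)
    return "COMPLIANT", "trail meets all checks"


def build_evaluation(event):
    """Parse a Config custom-rule invocation and build the evaluation record
    a Lambda would pass to config.put_evaluations() with event['resultToken']."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::CloudTrail::Trail":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates trails"
    else:
        compliance, note = evaluate_trail(item.get("configuration") or {})
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config limits annotations to 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


SAMPLE_EVENT = {  # constructed sample invocation, not from a real account
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::CloudTrail::Trail", "resourceId": "example-trail",
        "configurationItemCaptureTime": "2016-07-13T00:00:00.000Z",
        "configuration": {"isMultiRegionTrail": True, "logFileValidationEnabled": False,
                          "kmsKeyId": None, "includeGlobalServiceEvents": True}}})}
```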
Document Security Architecture
https://getcompliant.allgress.com/gc
Business Case: VeriFone Commerce Platform
• Global leader in secure POS solutions
• Commerce Portal: Secure B2B App Marketplace and Developer Platform enabling merchants to customize the point of sale through innovative apps that provide customers with rich, contextual experiences in store
[Architecture diagram services: S3, CodeDeploy, CloudFormation, KMS, CloudHSM, CloudTrail]
Note: All tiers are designed for auto-scaling, automated Multi-AZ failover
Security Considerations
● Multiple AWS accounts
● VPC, private subnets for application servers and RDS
● Minimal network perimeter (Only SSL Terminating Reverse Proxy in DMZ)
● Tightened Security Groups - fine grained rules for ports and CIDRs
● Immutable Docker containers, CloudTrail, Log aggregation using Splunk
● Compliance with “All code stays on-premises”
Security Considerations (Contd)
● CIS-benchmarked AMIs
● Hardened Linux/Software
● KMS-based secret management
● Two-factor authentication on AMIs
● Advanced user and key management using LDAP. Elimination of ec2-user
● HSM for secure data/keys
Other Benefits
● Availability: HA with Multi-AZ solution, Auto-Scaling
● Innovation: Infrastructure as Code
● Agility and Flexibility: Ansible-based config management, Dockerfiles for software provisioning, Full CI/CD
Next Steps
• Continue Security by Design approach – AWS WAF for firewall
• Enhance User Management - LDAP authentication/SSO approaches
• EC2 Run Command/Opsworks for operations
• ECS for Docker and ECR for Docker Registry
Partnership
• Established an AWS/DevOps philosophy at Verifone
• Architected/Implemented foundation layer for the Verifone solution
• Built a POC that provided security with agility
SbD – Automate Security Operations
Automate deployments, provisioning, and configurations of the AWS customer environments
[Diagram: CloudFormation (Template, Stack, Instances, Apps, Resources); Service Catalog (Design, Package, Products, Portfolios; Deploy, Constrain); Identity & Access Management (Set Permissions)]
[Diagram: AWS CloudTrail, AWS Config, AWS CloudWatch, EMR, Kinesis, VPC, ELB, S3, Lambda, IoT and other services feed the Add-on for AWS and the Splunk App for AWS (Explore, Analyze, Dashboard, Alert)]
Use Cases for AWS:
• Security Intelligence (CloudTrail, CloudWatch, VPC)
• Operational Intelligence (CloudWatch, ELB, etc.)
• DevOps Intelligence (CloudWatch, Lambda)
• Big Data Insights (Kinesis, EMR, IoT, S3)
Continuous Monitor – Splunk
[Dashboard: AWS CloudTrail Resource Activity]
Splunk App for AWS – Visualize & Monitor
[Dashboard: AWS CloudTrail User Activity]
SbD - Modernizing Technology Governance (MTG)
• Automate Governance
• Automate Deployments
• Automate Security Operations
• Continuous Compliance
• Closing the Loop
SbD - Modernizing Technology Governance
Result: Reliable technical implementation and enforcement of operational and administrative controls
AWS Resources
Amazon Web Services Cloud Compliance
• https://aws.amazon.com/compliance/
SbD website and whitepaper – to wrap your head around this
• https://aws.amazon.com/compliance/security-by-design/