Fast or and secure: Accelerating your business with security (slide transcript)
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Rubén Ruiz, Enterprise SA Manager, AWS
Javier Sanz Enjuto, Security Architecture, BBVA
October 2018
Session expectations
• AWS and Compliance Standards
• Multi-Account environments
• AWS Services / features helping you move faster
• BBVA Security Architecture
• Recap
AWS and compliance standards
AWS Shared responsibility model
AWS Compliance Standards

Certifications & Attestations:
• Cloud Computing Compliance Controls Catalogue (C5) DE
• Cyber Essentials Plus UK
• DoD SRG US
• FedRAMP US
• FIPS US
• IRAP AU
• ISO 9001 🌐
• ISO 27001 🌐
• ISO 27017 🌐
• ISO 27018 🌐
• MLPS Level 3 CN
• MTCS SG
• PCI DSS Level 1 💳
• SEC Rule 17-a-4(f) US
• SOC 1, SOC 2, SOC 3 🌐

Laws, Regulations and Privacy:
• CISPE EU
• EU Model Clauses EU
• FERPA US
• GLBA US
• HIPAA US
• EU-US Privacy Shield EU
• HITECH 🌐
• IRS 1075 US
• ITAR US
• My Number Act JP
• Data Protection Act 1998 UK
• VPAT / Section 508 US
• Data Protection Directive EU
• Privacy Act [Australia] AU
• Privacy Act [New Zealand] NZ
• PDPA - 2010 [Malaysia] MY
• PDPA - 2012 [Singapore] SG
• PIPEDA [Canada] CA
• Agencia Española de Protección de Datos ES

Alignments & Frameworks:
• CIS (Center for Internet Security) 🌐
• CJIS (US FBI) US
• CSA (Cloud Security Alliance) 🌐
• Esquema Nacional de Seguridad ES
• FISC JP
• FISMA US
• G-Cloud UK
• GxP (US FDA CFR 21 Part 11) US
• ICREA 🌐
• IT Grundschutz DE
• MITA 3.0 (US Medicaid) US
• MPAA US
• NIST US
• Uptime Institute Tiers 🌐
• Cloud Security Principles UK

🌐 = industry or global standard
The Artifact service
Frameworks and assets
• CIS Benchmarks
  - Foundation
  - 3-Tier Web
• Enterprise Accelerator
  - NIST 800-53
  - PCI-DSS
  - (HIPAA)
• All are predicated on single-account environments
• All can benefit from extending with Organizations SCPs and further new features
Setting the Multi-Account context
Hopefully you heard of…
[Diagram: a reference multi-account layout managed with AWS Organizations. Organization Master Account (Billing, Tooling, AWS CloudFormation StackSets); Organization Accounts: Security, Logging, Internal Audit, Shared Services, and a Direct Connect account linking to the external data center; BU/Product/Resource Accounts: Sandbox, Dev, Pre-Prod, Prod, Shared Services; Developer Accounts: Developer Sandbox.]
Account-level isolation
What needs segregation from what?
• Read access to Billing and Log records from everyone, except Auditors and Security
  - …and even then, access should be limited to appropriate cases
  - consider evidential weight
• Different environments: Prod from Dev, Test and Staging
• Compliance in-scope from out-of-scope
  - auditors need to see a hard scope boundary
  - you will want to keep in-scope as small as possible
  - use both AWS Accounts and VPCs for this
AWS Services helping you move faster
AWS Identity and Access Management (IAM)
• Enables you to control who can do what in your AWS account
• Splits into users, groups, roles and permissions
• Control
  - Centralized
  - Fine-grained
• Security
  - Secure (deny) by default
IAM Federation considerations
• Federation helps drain Personally Identifiable Information (PII) from IAM
  - Use group-to-group or group-to-role mappings
  - There's (normally) no PII in "o=foo,ou=bar,dc=baz" elements of a DN
  - See https://aws.amazon.com/blogs/aws/in-country-storage-of-personal-data/
• "Jump Account" versus "Direct IAM federation in each account"
  - Eventual number of accounts?
  - Size and complexity of jump account IAM policy (all cross-account IAM Roles in one place…)
  - Ability to provision and modify IAM Roles with multi-account AWS CloudFormation Stacks
  - We already have a single point of log aggregation…
• Direct federation therefore scales better
  - If you don't know how many accounts you're going to have, federate directly to each account from Day 1
• …but what's in your IdP?
  - Recommend a separate master directory from your corporate master, with limited-scope replication, 1-way trust, and whatever filtering proxies your compliance requirements and risk appetite need
  - Only have groups in your IdP who will be building environments in AWS!
IAM Policy Constraints - aws:RequestedRegion
AWS IAM now enables simplified permissions management by allowing you to use a single IAM policy condition across all AWS services to control access to specific regions.
By adding the global condition key 'aws:RequestedRegion' in the condition element of your IAM policy, you can control the regions in which an IAM principal (user or role) can perform AWS actions.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EC2InEU",
          "Effect": "Allow",
          "Action": [ "ec2:*" ],
          "Resource": "*",
          "Condition": {"StringEquals": {"aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1",
            "eu-west-3"
          ]}}
        }
      ]
    }

Note that this statement only grants EC2 actions in the listed regions; it blocks nothing by itself, because an Allow whose condition fails simply does not apply. To enforce a region boundary regardless of what other policies grant, pair it with an explicit Deny (typically an SCP) using StringNotEquals on the same key, and exempt global services such as IAM, STS and Organizations, whose requests carry their endpoint region (us-east-1) in aws:RequestedRegion.
What do customers want to do?
• Use AWS account boundaries for isolation
• Centrally manage policies across many accounts
• Delegate permissions, but maintain guardrails
• See a combined view of all charges
AWS Organizations
• Control AWS service use across accounts
• Policy-based management for multiple AWS accounts
• Consolidate billing and usage reporting
• Automate account creation
Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are accessible.
  - Define the list of APIs that are allowed – whitelisting.
  - Define the list of APIs that must be blocked – blacklisting.
• Cannot be overridden by a local administrator.
• Resultant permission on an IAM user/role is the intersection between the SCP and the assigned IAM permissions.
• Necessary but not sufficient: an SCP never grants a permission on its own; the principal still needs an IAM policy that allows the action.
• The IAM policy simulator is SCP aware.
How is an Organizations SCP different from IAM?
• Create groups of AWS accounts with AWS Organizations.
• Use Organizations to attach SCPs to those groups to centrally control AWS service use.
• Principals in the AWS accounts can only use the AWS APIs allowed by both the SCP and the AWS IAM policies attached to them.
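The two slides above describe the evaluation rule in words; the following is an added example (not code from the deck) that models it in Python so the intersection can be checked offline. It reuses the deck's aws:RequestedRegion policy as the identity policy and adds a region-guardrail SCP of the Deny/NotAction/StringNotEquals shape; the FullAWSAccess SCP, the region list and the requests are taken from the slides or constructed here. Only action matching and the aws:RequestedRegion key are modelled; resource ARNs, resource-based policies and other condition keys are out of scope.

```python
"""Model of how AWS combines Service Control Policies (SCPs) with the
identity-based IAM policies of a principal.  Added example, not from the
deck; it covers only the rules stated on the slides:

  * an explicit Deny in an applicable statement wins;
  * the action must be allowed by the SCPs *and* by the identity policies
    (an SCP on its own never grants anything);
  * the aws:RequestedRegion condition with StringEquals/StringNotEquals.

Resource ARNs, resource-based policies and every other condition key are
deliberately out of scope.
"""
from fnmatch import fnmatchcase

EU_REGIONS = ["eu-west-1", "eu-central-1", "eu-west-3"]  # the deck's list

# The deck's identity policy: Allow ec2:* only when the request targets an EU region.
EC2_IN_EU_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EC2InEU", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": EU_REGIONS}},
    }],
}

# Organizations' default SCP (FullAWSAccess): allows everything at the SCP layer.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Region guardrail as an SCP: deny everything outside the EU except a few global
# services, whose requests carry their endpoint region (us-east-1) in
# aws:RequestedRegion and would otherwise be blocked.
DENY_OUTSIDE_EU_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideEU", "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": EU_REGIONS}},
    }],
}

# A local administrator's identity policy (AdministratorAccess equivalent).
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive; '*' is the wildcard used in practice.
    return fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition: dict, request: dict) -> bool:
    """Evaluate a Condition block; only aws:RequestedRegion is modelled."""
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in keys.items():
            if key != "aws:RequestedRegion":
                raise NotImplementedError(f"condition key {key} not modelled")
            in_set = request.get("region") in _as_list(expected)
            if (operator == "StringEquals") != in_set:
                return False
    return True


def _statement_applies(stmt: dict, request: dict) -> bool:
    action = request["action"]
    if "Action" in stmt:
        hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    else:  # NotAction: the statement covers everything except the listed actions
        hit = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return hit and _condition_holds(stmt.get("Condition", {}), request)


def evaluate(policies, request) -> str:
    """Verdict of one policy family: 'Deny', 'Allow' or 'ImplicitDeny'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, request):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit Deny always wins
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def is_allowed(scps, identity_policies, request) -> bool:
    """Effective permission is the intersection of the SCP and IAM verdicts."""
    return (evaluate(scps, request) == "Allow"
            and evaluate(identity_policies, request) == "Allow")


if __name__ == "__main__":
    scps = [FULL_AWS_ACCESS_SCP, DENY_OUTSIDE_EU_SCP]
    for action, region in [("ec2:RunInstances", "eu-west-1"),
                           ("ec2:RunInstances", "us-east-1"),
                           ("s3:GetObject", "eu-west-1")]:
        req = {"action": action, "region": region}
        print(action, region, is_allowed(scps, [EC2_IN_EU_POLICY], req))
```

Running it shows the three properties the slides state: with the guardrail SCP attached, even the ADMIN_POLICY principal cannot run EC2 in us-east-1 (the SCP cannot be overridden locally), an empty identity policy set yields nothing even under FullAWSAccess (necessary but not sufficient), and IAM calls still succeed because the NotAction list exempts the global services.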
Automating account creation with Organizations…
• Created accounts have root and OrganizationAccountAccessRole at creation time (the role is created automatically only for accounts created through Organizations; accounts invited into the organization do not get it)
• OrganizationAccountAccessRole is effectively "admin"
• Create cross-account permissions for it
  - The ARN is always arn:aws:iam::<new account ID>:role/OrganizationAccountAccessRole
• Run your account baselining tools with it
  - …including setting IAM Federation up, where appropriate
• Delete it when done
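The slide above is a four-step procedure; the following added example (not the deck's or AWS's code) walks through it end to end in Python: create the account, wait for the asynchronous CreateAccount request, assume OrganizationAccountAccessRole by its predictable ARN, run baseline steps, and finally detach and delete the role. AWS is reached only through client objects passed in, so the flow runs offline against the constructed fake clients at the bottom; with real boto3 clients and a session factory that builds a boto3.Session from the returned credentials it runs against AWS. The trail name, the central logging bucket name and the e-mail address are assumptions.

```python
"""Create a member account with Organizations and baseline it through
OrganizationAccountAccessRole.  Added example, not from the deck.
"""
import time

ROLE_NAME = "OrganizationAccountAccessRole"


def org_access_role_arn(account_id: str) -> str:
    """The bootstrap role's ARN is fully determined by the new account id."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"


def create_member_account(org, email, name, attempts=30, wait=0.0):
    """CreateAccount is asynchronous: poll the request until it settles."""
    req = org.create_account(Email=email, AccountName=name)["CreateAccountStatus"]["Id"]
    for _ in range(attempts):
        status = org.describe_create_account_status(CreateAccountRequestId=req)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            return status["AccountId"]
        if status["State"] == "FAILED":
            raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
        time.sleep(wait)
    raise TimeoutError("account creation still IN_PROGRESS")


def delete_bootstrap_role(iam):
    """DeleteRole fails while policies are attached, so detach them first."""
    for p in iam.list_attached_role_policies(RoleName=ROLE_NAME)["AttachedPolicies"]:
        iam.detach_role_policy(RoleName=ROLE_NAME, PolicyArn=p["PolicyArn"])
    iam.delete_role(RoleName=ROLE_NAME)


def enable_cloudtrail(session, account_id):
    """One baseline step: multi-region trail into the central logging bucket (assumed name)."""
    session.client("cloudtrail").create_trail(
        Name="org-baseline", S3BucketName="org-central-cloudtrail-logs",
        IsMultiRegionTrail=True, EnableLogFileValidation=True)
    return "cloudtrail:create_trail"


def baseline_account(org, sts, session_factory, email, name, steps):
    """Create, assume the bootstrap role, run the baseline, then remove the role."""
    account_id = create_member_account(org, email, name)
    creds = sts.assume_role(RoleArn=org_access_role_arn(account_id),
                            RoleSessionName="account-baseline")["Credentials"]
    session = session_factory(creds)
    applied = [step(session, account_id) for step in steps]
    delete_bootstrap_role(session.client("iam"))   # last: this cuts our own access
    return account_id, applied


# --- constructed fakes so the flow can be exercised offline -------------------
class FakeOrganizations:
    def __init__(self, account_id="111122223333", pending_polls=2):
        self.account_id, self.pending = account_id, pending_polls
    def create_account(self, Email, AccountName):
        return {"CreateAccountStatus": {"Id": "car-example", "State": "IN_PROGRESS"}}
    def describe_create_account_status(self, CreateAccountRequestId):
        self.pending -= 1   # report IN_PROGRESS a couple of times, then SUCCEEDED
        state = "IN_PROGRESS" if self.pending >= 0 else "SUCCEEDED"
        return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": state,
                                        "AccountId": self.account_id}}


class FakeSts:
    def __init__(self): self.assumed = []
    def assume_role(self, RoleArn, RoleSessionName):
        self.assumed.append(RoleArn)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x",
                                "SessionToken": "y"}}


class FakeIam:
    """Mirrors the real role: AdministratorAccess is attached at creation time."""
    def __init__(self):
        self.roles = {ROLE_NAME: ["arn:aws:iam::aws:policy/AdministratorAccess"]}
    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.roles[RoleName]]}
    def detach_role_policy(self, RoleName, PolicyArn): self.roles[RoleName].remove(PolicyArn)
    def delete_role(self, RoleName):
        if self.roles[RoleName]:
            raise RuntimeError("DeleteConflict: role still has attached policies")
        del self.roles[RoleName]


class RecordingClient:
    """Stands in for any other service client; records calls instead of making them."""
    def __init__(self): self.calls = []
    def __getattr__(self, op):
        return lambda **kw: self.calls.append((op, kw)) or {}


class FakeSession:
    def __init__(self, creds): self.creds, self.clients = creds, {"iam": FakeIam()}
    def client(self, name): return self.clients.setdefault(name, RecordingClient())


def demo():
    org, sts, sessions = FakeOrganizations(), FakeSts(), []
    factory = lambda creds: sessions.append(FakeSession(creds)) or sessions[-1]
    account_id, applied = baseline_account(org, sts, factory, "cloud-sec+sandbox@example.com",
                                           "sandbox-01", [enable_cloudtrail])
    return account_id, applied, sts, sessions[0]


if __name__ == "__main__":
    print(demo()[:2])
```

Two details matter in practice: the role can only be deleted once its AdministratorAccess attachment is removed (the FakeIam enforces the same DeleteConflict the real API raises), and the deletion must be the very last call, because the session performing it is derived from that role.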
Automating new account baselining…
Best practices – AWS Organizations
1. Monitor activity in the master account using CloudTrail.
2. Do not manage resources in the master account.
3. Manage your organization using the principle of "least privilege".
4. Use OUs to assign controls.
5. Test controls on a single AWS account first.
6. Only assign controls to the root of the organization if necessary.
7. Avoid mixing "whitelisting" and "blacklisting" SCPs in an organization.
8. Create new AWS accounts for the right reasons.
AWS CloudTrail
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by recording activity that occurred
• Simplify your compliance audits by automatically recording and storing activity logs
AWS Config & Config Rules
• Continuous Recording & Continuous Assessment service
• Tracks configuration changes to AWS resources
• Alerts you if the configuration is non-compliant with your policies
[Diagram: changing resources are recorded by AWS Config (history, snapshots, normalized configuration items, API access) and evaluated by Config Rules, which raise notifications]
Amazon CloudWatch
• Metrics, Alarms, Dashboards, Logs, Events
• CloudWatch Events delivers a near real-time stream of system events
• Create rules to match events and route them to one or more target functions or streams
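To make the "rules that match events and route them to targets" slide concrete, here is an added example (not from the deck) in Python: a CloudWatch Events rule pattern for CloudTrail-delivered AuthorizeSecurityGroupIngress calls, a matcher implementing the core pattern semantics (every pattern field must be present; a leaf matches when the event value is one of the listed values; nested objects match recursively), and the target-side logic that decides whether the change is ignored, only notified because an approved exception exists, or sent to remediation. The sample event, the security group id, the actor ARN and the exception list are constructed; arrays in the event and the prefix or anything-but matchers are not modelled.

```python
"""Match a CloudWatch Events rule against a CloudTrail-sourced event and
classify it.  Added example, not from the deck.
"""

# Rule pattern of the shape CloudWatch Events accepts for CloudTrail API calls.
RULE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"],
               "eventName": ["AuthorizeSecurityGroupIngress"]},
}
SENSITIVE_PORTS = (22, 3389)          # SSH and RDP
ANYWHERE = ("0.0.0.0/0", "::/0")


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Core event-pattern semantics: exact membership, recursive on objects."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def exposed_sensitive_ports(request_parameters: dict):
    """(port, cidr) pairs that the call opens to the whole internet."""
    hits = []
    for perm in request_parameters.get("ipPermissions", {}).get("items", []):
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if perm.get("ipProtocol") == "-1" or lo is None or hi is None:
            lo, hi = 0, 65535        # "all traffic" rules carry no port range
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        for cidr in cidrs:
            if cidr in ANYWHERE:
                hits += [(port, cidr) for port in SENSITIVE_PORTS if lo <= port <= hi]
    return hits


def handle(event: dict, approved_exceptions=frozenset()) -> dict:
    """Target-side logic: classify the event as ignore / notify / remediate."""
    if not pattern_matches(RULE_PATTERN, event):
        return {"action": "ignore", "reason": "not matched by rule"}
    detail = event["detail"]
    params = detail["requestParameters"]
    hits = exposed_sensitive_ports(params)
    if not hits:
        return {"action": "ignore", "reason": "no sensitive port exposed"}
    decision = {"group": params["groupId"], "hits": hits,
                "actor": detail.get("userIdentity", {}).get("arn")}
    # groups with an approved exception are only notified; everything else is remediated
    decision["action"] = "notify" if params["groupId"] in approved_exceptions else "remediate"
    return decision


def sample_event(cidr="0.0.0.0/0", protocol="tcp", port=22):
    """Constructed CloudTrail event as delivered by CloudWatch Events."""
    perm = {"ipProtocol": protocol, "ipRanges": {"items": [{"cidrIp": cidr}]}}
    if protocol != "-1":
        perm.update(fromPort=port, toPort=port)
    return {
        "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
            "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Developer/alice"},
            "requestParameters": {"groupId": "sg-0123456789abcdef0",
                                  "ipPermissions": {"items": [perm]}},
        },
    }


if __name__ == "__main__":
    print(handle(sample_event()))
    print(handle(sample_event(), approved_exceptions={"sg-0123456789abcdef0"}))
```

The "all traffic" case (ipProtocol "-1", no port range in the request) is the one that is easy to miss when writing such a check by hand; the handler treats it as covering every port.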
Amazon EC2 Systems Manager (SSM)
• How do I audit which applications are installed on my EC2 instances?
• How do I ensure that certain blacklisted applications are not installed on my EC2 instances?
Customer Challenges (Amazon EC2 Systems Manager)
• Operate safely and securely at scale
• Map resources to applications and environments
• Diverse set of tools for managing hybrid cloud
• Complex licensing and hard-to-manage management infrastructure
• Ability to build custom solutions to meet specific business needs
AWS Systems Manager Capabilities
Session Manager
AWS CloudFormation
CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. This file serves as the single source of truth for your cloud environment.
Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.
Amazon Macie
Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.
Accelerating your business with security
October 2018
Javier Sanz Enjuto, Enterprise Security, Security Architecture @ BBVA
"We have to become a digital company as soon as possible"
Francisco González - Group Executive Chairman, 23/01/2018
"BBVA's strategy is deeply tied to innovation and entrepreneurship"
Carlos Torres - Chief Executive Officer, 03/10/2018
End 2016: STOP AND TAKE A LOOK AROUND YOU
Exponential increase of compute, data and storage demand will severely challenge our "production model" … (Source: BBVA)
More and more interaction with customers, but many will not generate additional revenues (Source: EFMA, "World Retail Banking Report 2015")
Digital players' operational paradigms show the way forward, though our current rate of adoption is way too slow (*)
(*) Illustrative proxy of productivity
Our strategy
[Diagram: People, Philosophy and Architecture principles built on public services that are Automated, Scalable and Flexible; Educate & remediate; Security embedded; Log and verify; Be a change enabler; Change your mind]
Think about your business …
• Multi-account strategy (trade-offs: Latency, Cost, Functionality; 358)
• Cost optimization
• Clients and workloads
• Location
• Cloud adoption
• Design your account segregation framework
• Define your account typology
[Diagram: business accounts per Country A, Country B, Country C, …, alongside Support services, Shared services (Billing, AuthN/Z, Logging, Cloud Sec), Security services, IT services, SDLC, CI/CD, Transit, Stock]
[Diagram: account typology under AWS Organizations: LIVE / WORK / PLAY, Deprecated, Sensitive Data / Non-sensitive Data]
Thinking about security…
[Diagram: security domains with the services and controls grouped under them: Audit (AWS CloudTrail, AWS Config), Vulnerability management (Amazon Inspector, Patch Manager), Threat management (Amazon GuardDuty, Amazon Macie, VPC flow logs, S3 bucket access logs), Access management (permissions, roles, MFA tokens, AWS STS), with Amazon CloudWatch providing event-based monitoring across them]
• Log everything
• Keep your infrastructure updated
• Know your threats
• Keep your data safe
• Be aware of credentials
• Real-time monitoring (event-based)
Be able to align all the key elements to provide:
• Define cloud security policy
• Design security architecture
• Develop and deploy your security controls based on the policy
New account → Security stack deployment (AWS CloudFormation):
• Account provisioning
• Security services enrollment based on account typology
• Single point for all the security information
Pillars: Governance, Business, Security, Automation
Education and remediation platform
Security policy → Real-time analysis → Non-compliance detection → Notification → Exception or Remediation → Risk explanation and code labs resolution
Recap
• Embrace the new security culture: Security is everyone's job
• Do not reinvent the wheel: AWS provides lots of security features and assets to reuse
• Design for multi-account access
• Crawl, Walk, Run / Iteration over perfection
• Services evolve over time; be flexible enough to plug and unplug them
• Automation is not optional
Papers, Blogs, Online Docs
• Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers
• Audit Reports and Compliance Workbooks: https://aws.amazon.com/artifact/
• CIS AWS Benchmarks: https://www.cisecurity.org/benchmark/amazon_web_services/
• Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
• Compliance Center Website: https://aws.amazon.com/compliance
• Security Center: https://aws.amazon.com/security
• Security Blog: https://blogs.aws.amazon.com/security/
• Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/
Videos
• Automating Security Event Response, from Idea to Code to Execution: https://www.youtube.com/watch?v=x4GkAGe65vE
• IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
• AWS Security Checklist: https://www.brighttalk.com/webcast/9019/257297
• Automating Security Event Response: https://www.brighttalk.com/webcast/9019/258547
• Compliance with AWS – Verifying AWS Security: https://www.brighttalk.com/webcast/9019/260695
• Securing Enterprise Big Data Workloads: https://www.brighttalk.com/webcast/9019/261911
• AWS Security Best Practices: https://www.brighttalk.com/webcast/9019/264011
• Software Security and Best Practices: https://www.brighttalk.com/webcast/9019/264917
Thank you!