Fast or and secure: Accelerating your business with security
Rubén Ruiz, Enterprise SA Manager, AWS
Javier Sanz Enjuto, Security Architecture, BBVA
October 2018
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Page 1:

Fast or and secure: Accelerating your business with security

Rubén Ruiz, Enterprise SA Manager, AWS

Javier Sanz Enjuto, Security Architecture, BBVA

October 2018

Page 2:

Session expectations

• AWS and Compliance Standards

• Multi-Account environments

• AWS Services / features helping you move faster

• BBVA Security Architecture

• Recap

Page 3:

AWS and compliance standards

Page 4:

AWS Shared responsibility model

Page 5:

AWS Compliance Standards

Certifications & Attestations

• Cloud Computing Compliance Controls Catalogue (C5) DE 🇩🇪
• Cyber Essentials Plus UK 🇬🇧
• DoD SRG US 🇺🇸
• FedRAMP US 🇺🇸
• FIPS US 🇺🇸
• IRAP AU 🇦🇺
• ISO 9001 🌐
• ISO 27001 🌐
• ISO 27017 🌐
• ISO 27018 🌐
• MLPS Level 3 CN 🇨🇳
• MTCS SG 🇸🇬
• PCI DSS Level 1 💳
• SEC Rule 17-a-4(f) US 🇺🇸
• SOC 1, SOC 2, SOC 3 🌐

Laws, Regulations and Privacy

• CISPE EU 🇪🇺
• EU Model Clauses EU 🇪🇺
• FERPA US 🇺🇸
• GLBA US 🇺🇸
• HIPAA US 🇺🇸
• HITECH 🌐
• IRS 1075 US 🇺🇸
• ITAR US 🇺🇸
• My Number Act JP 🇯🇵
• Data Protection Act – 1988 UK 🇬🇧
• VPAT / Section 508 US 🇺🇸
• Data Protection Directive EU 🇪🇺
• Privacy Act [Australia] AU 🇦🇺
• Privacy Act [New Zealand] NZ 🇳🇿
• PDPA - 2010 [Malaysia] MY 🇲🇾
• PDPA - 2012 [Singapore] SG 🇸🇬
• PIPEDA [Canada] CA 🇨🇦
• Agencia Española de Protección de Datos ES 🇪🇸

Alignments & Frameworks

• CIS (Center for Internet Security) 🌐
• CJIS (US FBI) US 🇺🇸
• CSA (Cloud Security Alliance) 🌐
• Esquema Nacional de Seguridad ES 🇪🇸
• EU-US Privacy Shield EU 🇪🇺
• FISC JP 🇯🇵
• FISMA US 🇺🇸
• G-Cloud UK 🇬🇧
• GxP (US FDA CFR 21 Part 11) US 🇺🇸
• ICREA 🌐
• IT Grundschutz DE 🇩🇪
• MITA 3.0 (US Medicaid) US 🇺🇸
• MPAA US 🇺🇸
• NIST US 🇺🇸
• Uptime Institute Tiers 🌐
• Cloud Security Principles UK 🇬🇧

🌐 = industry or global standard

Page 6:

The Artifact service

Page 7:

Frameworks and assets

• CIS Benchmarks
- Foundation
- 3-Tier Web

• Enterprise Accelerator
- NIST 800-53
- PCI-DSS
- (HIPAA)

• All are predicated on single-account environments

• All can benefit from extending with Organizations SCPs and further new features

Page 8:

Setting the Multi-Account context

Page 9:

Hopefully you heard of…

[Diagram: multi-account structure with AWS Organizations. Labels: Organization Master Account; Billing Tooling; Amazon CloudFormation StackSets; Organization Accounts; Security; Shared Services; Logging; Internal Audit; Direct Conn. Account; External Data center; Developer Accounts; Developer Sandbox; BU/Product/Resource Accounts; Dev; Pre-Prod; Prod; Sandbox; Shared Services]

Page 10:

Account-level isolation

What needs segregation from what?

• Read access to Billing and Log records from everyone, except Auditors and Security
- ...and even then, access should be limited to appropriate cases
- consider evidential weight

• Different environments: Prod from Dev, Test and Staging

• Compliance in-scope from out-of-scope
- auditors need to see a hard scope boundary
- you will want to keep in-scope as small as possible
- use both AWS Accounts and VPCs for this

Page 11:

AWS Services helping you move faster

Page 12:

AWS Identity and Access Management (IAM)

• Enables you to control who can do what in your AWS account

• Splits into users, groups, roles and permissions

• Control
- Centralized
- Fine-grained

• Security
- Secure (deny) by default

Page 13:

IAM Federation considerations

• Federation helps drain Personally Identifiable Information (PII) from IAM
- Use group-to-group or group-to-role mappings
- There’s (normally) no PII in “o=foo,ou=bar,dc=baz” elements of a DN
- See https://aws.amazon.com/blogs/aws/in-country-storage-of-personal-data/

• “Jump Account” versus “Direct IAM federation in each account”
- Eventual number of accounts?
- Size and complexity of jump account IAM policy (all cross-account IAM Roles in one place…)
- Ability to provision and modify IAM Roles with multi-account AWS CloudFormation Stacks
- We already have a single point of log aggregation…

• Direct federation therefore scales better
- If you don’t know how many accounts you’re going to have, federate directly to each account from Day 1

• …but what’s in your IdP?
- Recommend a separate master directory from your corporate master, with limited-scope replication, 1-way trust, whatever filtering proxies your compliance requirements and risk appetite need
- Only have groups in your IdP who will be building environments in AWS!

Page 14:

IAM Policy Constraints - RequestedRegion

AWS IAM now enables simplified permissions management by allowing you to use a single IAM policy condition across all AWS services to control access to specific regions.

By adding the new global condition key ‘aws:RequestedRegion’ in the condition element of your IAM policy, you can control access to the regions in which an IAM principal (user or role) can perform AWS actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2InEU",
      "Effect": "Allow",
      "Action": [ "ec2:*" ],
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:RequestedRegion": [
        "eu-west-1",
        "eu-central-1",
        "eu-west-3"
      ]}}
    }
  ]
}

Page 15:

What do customers want to do?

Use AWS account boundaries for isolation

Centrally manage policies across many accounts

Delegate permissions, but maintain guardrails

See combined view of all charges

Page 16:

AWS Organizations

Control AWS service use across accounts

Policy-based Management for Multiple AWS Accounts

Consolidate billing and usage reporting

Automate account creation


Page 17:

Service Control Policies (SCPs)

• Enables you to control which AWS service APIs are accessible.
- Define the list of APIs that are allowed – whitelisting.
- Define the list of APIs that must be blocked – blacklisting.

• Cannot be overridden by local administrator.

• Resultant permission on IAM user/role is the intersection between the SCP and assigned IAM permissions.

• Necessary but not sufficient.

• IAM policy simulator is SCP aware.

Page 18:

How is an Organizations SCP different from IAM?

• Create groups of AWS accounts with AWS Organizations.

• Use Organizations to attach SCPs to those groups to centrally control AWS service use.

• Principals in the AWS accounts can only use the AWS APIs allowed by both the SCP and the AWS IAM policies attached to them.
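The intersection rule above, worked through as an added example that is not part of the original slides. It is a simplified model of policy evaluation (actions and the StringEquals operator only; resources, NotAction, permission boundaries and resource policies are not modelled), and every policy except the EC2InEU statement is constructed for illustration.

```python
import fnmatch

# The deck's EC2InEU statement, as the IAM policy attached to a role.
IAM_EC2_EU = {"Version": "2012-10-17", "Statement": [{
    "Sid": "EC2InEU", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": [
        "eu-west-1", "eu-central-1", "eu-west-3"]}}}]}

# Constructed IAM policy for a local administrator (allows everything).
IAM_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed whitelisting SCP: only the listed APIs are usable in the OU.
SCP_WHITELIST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "ec2:RunInstances", "s3:*"]}]}

# Constructed blacklisting SCP: allow everything, then block chosen APIs.
SCP_BLACKLIST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only StringEquals is modelled; any other operator is rejected."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise ValueError("operator not modelled: " + operator)
        for key, allowed in keys.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def _statement_applies(statement, action, context):
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    hit = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
              for pattern in _as_list(statement["Action"]))
    return hit and _condition_holds(statement.get("Condition", {}), context)


def decide(policy, action, context):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one policy."""
    decision = "ImplicitDeny"          # secure (deny) by default
    for statement in _as_list(policy["Statement"]):
        if _statement_applies(statement, action, context):
            if statement["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins
            decision = "Allow"
    return decision


def effective_allow(scp, iam_policy, action, region):
    """A call succeeds only if BOTH the SCP and the IAM policy allow it."""
    context = {"aws:RequestedRegion": region}
    return (decide(scp, action, context) == "Allow"
            and decide(iam_policy, action, context) == "Allow")


if __name__ == "__main__":
    cases = [
        (SCP_WHITELIST, IAM_EC2_EU, "ec2:RunInstances", "eu-west-1"),
        (SCP_WHITELIST, IAM_EC2_EU, "ec2:RunInstances", "us-east-1"),
        (SCP_WHITELIST, IAM_ADMIN, "ec2:TerminateInstances", "eu-west-1"),
        (SCP_WHITELIST, IAM_EC2_EU, "s3:GetObject", "eu-west-1"),
        (SCP_BLACKLIST, IAM_ADMIN, "cloudtrail:StopLogging", "eu-west-1"),
    ]
    for scp, iam, action, region in cases:
        print(action, region, effective_allow(scp, iam, action, region))
```

The third case is the "cannot be overridden by local administrator" point: the IAM policy allows everything, yet the call is refused because the SCP never allowed it. The fourth is "necessary but not sufficient": the SCP permits S3, but no IAM policy grants it.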

Page 19:

Automating account creation with Organizations…

• Created accounts have root and OrganizationAccountAccessRole at creation time

• OrganizationAccountAccessRole is effectively “admin”

• Create cross-account permissions for it
- The ARN is always arn:aws:iam::<new account ID>:role/OrganizationAccountAccessRole

• Run your account baselining tools with it
- …including setting IAM Federation up, where appropriate

• Delete it when done

Page 20:

Automating new account baselining…

Page 21:

Best practices – AWS Organizations

1. Monitor activity in the master account using CloudTrail.

2. Do not manage resources in the master account.

3. Manage your organization using the principle of “least privilege.”

4. Use OUs to assign controls.

5. Test controls on single AWS account first.

6. Only assign controls to root of organization if necessary.

7. Avoid mixing “whitelisting” and “blacklisting” SCPs in organization.

8. Create new AWS accounts for the right reasons.

Page 22:

AWS CloudTrail


• Increase visibility into your user and resource activity

• Discover and troubleshoot security and operational issues by recording activity that occurred

• Simplify your compliance audits by automatically recording and storing activity logs

Page 23:

AWS Config & Config Rules


• Continuous Recording & Continuous Assessment service

• Tracks configuration changes to AWS resources

• Alerts you if the configuration is non-compliant with your policies

[Diagram labels: Changing resources; AWS Config; Config Rules; History, Snapshot; Notifications; API Access; Normalized]

Page 24:

AWS CloudWatch

• Metrics, Alarms, Dashboards, Logs, Events

• CloudWatch Events delivers a near real-time stream of system events

• Create rules to match events and route them to one or more target functions or streams
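How a rule matches an event and routes it to targets, as an added example that is not part of the original slides. It models only exact-value matching from the CloudWatch Events pattern format, applied to monitoring CloudTrail-recorded API calls in the master account; the rule names, target names, account ID and sample events are constructed for illustration.

```python
# Constructed rules in event-pattern form: every leaf is a list of acceptable
# values, nested objects are matched recursively. Names are hypothetical.
RULES = [
    {"name": "trail-tampering",
     "pattern": {"source": ["aws.cloudtrail"],
                 "detail-type": ["AWS API Call via CloudTrail"],
                 "detail": {"eventSource": ["cloudtrail.amazonaws.com"],
                            "eventName": ["StopLogging", "DeleteTrail",
                                          "UpdateTrail"]}},
     "targets": ["lambda:notify-security", "kinesis:security-events"]},
    {"name": "scp-change",
     "pattern": {"source": ["aws.organizations"],
                 "detail-type": ["AWS API Call via CloudTrail"],
                 "detail": {"eventName": ["DetachPolicy", "DeletePolicy",
                                          "UpdatePolicy"]}},
     "targets": ["lambda:notify-security"]},
]


def make_event(source, event_source, event_name, account="111111111111"):
    """Build a constructed event in the 'AWS API Call via CloudTrail' shape."""
    return {"source": source,
            "detail-type": "AWS API Call via CloudTrail",
            "account": account,
            "region": "us-east-1",
            "detail": {"eventSource": event_source,
                       "eventName": event_name,
                       "awsRegion": "us-east-1",
                       "userIdentity": {"type": "IAMUser"}}}


def pattern_matches(pattern, event):
    """True if every field named in the pattern is present and acceptable."""
    for key, wanted in pattern.items():
        if key not in event:
            return False               # a missing field never matches
        have = event[key]
        if isinstance(wanted, dict):   # nested object: recurse
            if not isinstance(have, dict) or not pattern_matches(wanted, have):
                return False
        else:                          # leaf: list of acceptable values
            values = have if isinstance(have, list) else [have]
            if not any(value in wanted for value in values):
                return False
    return True


def route(event, rules=RULES):
    """Return (names of matching rules, de-duplicated targets in order)."""
    matched, targets = [], []
    for rule in rules:
        if pattern_matches(rule["pattern"], event):
            matched.append(rule["name"])
            for target in rule["targets"]:
                if target not in targets:
                    targets.append(target)
    return matched, targets


if __name__ == "__main__":
    sample = [  # constructed events
        make_event("aws.cloudtrail", "cloudtrail.amazonaws.com", "StopLogging"),
        make_event("aws.organizations", "organizations.amazonaws.com",
                   "DetachPolicy"),
        make_event("aws.ec2", "ec2.amazonaws.com", "RunInstances"),
    ]
    for event in sample:
        print(event["detail"]["eventName"], route(event))
```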


Page 25:

Amazon EC2 Systems Manager (SSM)

• How do I audit which applications are installed on my EC2 instances?

• How do I ensure that certain blacklisted applications are not installed on my EC2 instances?


Page 26:

Customer Challenges

Amazon EC2 Systems Manager

• Operate safely and securely at scale

• Map resources to applications and environments

• Diverse set of tools for managing hybrid cloud

• Complex licensing and hard to manage the management infrastructure

• Ability to build custom solutions to meet specific business needs

Page 27:

Customer Challenges

Amazon EC2 Systems Manager

Page 28:

AWS Systems Manager Capabilities

Session Manager

Page 29:

AWS CloudFormation

CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.

This file serves as the single source of truth for your cloud environment.

Page 30:

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

Page 31:

Amazon Macie

Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.

Page 32:

Accelerating your business with security

October 2018

Javier Sanz Enjuto

Enterprise Security

Security Architecture@BBVA

Page 33:

BBVA

“We have to become a digital company as soon as possible”

Francisco González - Group Executive Chairman

23/01/2018

“BBVA's strategy is deeply tied to innovation and entrepreneurship”

Carlos Torres - Chief Executive Officer

03/10/2018

end 2016

Page 34:

STOP AND TAKE A LOOK AROUND YOU

Page 35:

Exponential increase of compute, data and storage demand will severely challenge our “production model” ...

Source: BBVA

More and more interaction with customers

Source: EFMA: “World Retail Banking Report 2015”

But many will not generate additional revenues

Page 36:

Digital Players operational paradigms show the way forward though our current rate of adoption is way too slow (*)

(*) Illustrative proxy of productivity

Page 37:

Page 38:

Our strategy

Page 39:

[Diagram labels: Automated; Scalable; Flexible; Public services; Educate & remediate; People; Philosophy; Architecture principles; Security embedded; Log and verify; Be a change enabler; Change your mind]

Page 40:

Think about your business …

358

• Multi-account strategy

Page 41:

Latency Cost Functionality

Think about your business …

• Multi-account strategy

• Cost optimization

• Clients and workloads

• Location

• Cloud adoption

Page 42:

[Diagram labels: Business; Support services; Shared services; Stock; Country A; Country B; Country C; Country ...; Billing; AuthN/Z; Logging; Cloud Sec; Security services; IT services; SDLC; CICD; Transit]

Think about your business …

• Multi-account strategy

• Cost optimization

• Clients and workloads

• Location

• Cloud adoption

• Design your account segregation framework

• Define your account typology

[Diagram labels: LIVE; WORK; PLAY; Deprecated; Sensitive Data; Non sensitive Data]

Page 43:

AWS Organizations

Think about your business …

• Multi-account strategy

• Cost optimization

• Clients and workloads

• Location

• Cloud adoption

• Design your account segregation framework

• Define your account typology

Page 44:

Thinking about security…

[Diagram labels: Audit; Vulnerability management; Threat management; Access management; AWS CloudTrail; AWS Config; Amazon CloudWatch; Amazon Inspector; flow logs; bucket access logs; Patch Manager; Amazon Macie; Amazon GuardDuty; permissions; role; MFA token; AWS STS]

• Log everything

• Update infrastructure

• Know your threats

• Keep your data safe

• Be aware of credentials

• Real time monitoring (event-based)

Page 45:

Be able to align all the key elements to provide:

Define cloud security policy

Design security architecture

Develop and deploy your security controls based on the policy

New account

Security stack deployment

• Account provisioning

• Security services enrollment based on account typology

• Single point for all the security information

Governance Business Security Automation

AWS CloudFormation

Page 46:

Education and remediation platform

[Diagram labels: Security policy; Real time analysis; Non compliance detection; Notification; Exception; Remediation; Risk explanation and code labs resolution]

Page 47:

Recap

Page 48:

Recap

• Embrace the new security culture: Security is everyone’s job

• Do not reinvent the wheel, AWS provides lots of security features and assets to reuse

• Design for multi-account access

• Crawl, Walk, Run / Iteration over perfection

• Services evolve over time; be flexible to plug/unplug them

• Automation is not an option

Page 49:

Papers, Blogs, Online Docs

• Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers

• Audit Reports and Compliance Workbooks: https://aws.amazon.com/artifact/

• CIS AWS Benchmarks: https://www.cisecurity.org/benchmark/amazon_web_services/

• Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/

• Compliance Center Website: https://aws.amazon.com/compliance

• Security Center: https://aws.amazon.com/security

• Security Blog: https://blogs.aws.amazon.com/security/

• Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/

Page 50:

Videos

• Automating Security Event Response, from Idea to Code to Execution: https://www.youtube.com/watch?v=x4GkAGe65vE

• IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U

• AWS Security Checklist: https://www.brighttalk.com/webcast/9019/257297

• Automating Security Event Response: https://www.brighttalk.com/webcast/9019/258547

• Compliance with AWS – Verifying AWS Security: https://www.brighttalk.com/webcast/9019/260695

• Securing Enterprise Big Data Workloads: https://www.brighttalk.com/webcast/9019/261911

• AWS Security Best Practices: https://www.brighttalk.com/webcast/9019/264011

• Software Security and Best Practices: https://www.brighttalk.com/webcast/9019/264917

Page 51:

Thank you!