Introduction to Security-Focused Standardized Architecture
Transcript of Introduction to Security-Focused Standardized Architecture
Brett Miller, AWS Professional Services, December 2015
Introduction to Security-Focused Standardized Architectures (SFSA)
Welcome & Objectives
Understand the purpose and benefits of SFSA
Review contents of the SFSA package
Review common use case scenarios and implementations
Know how to get started using SFSA in your organization
Customer Challenges
Meeting compliance requirements (NIST, PCI, HIPAA, CJIS, etc.)
Choosing from a myriad of options when designing for the cloud
Making many critical decisions to ensure a secure application when using the AWS Shared Responsibility Model
Mapping security controls to numerous AWS services
− Example: 400 NIST 800-53 security controls to 42 AWS services
Error-prone and time-consuming manual configuration of AWS resources
AWS developed SFSA to address major customer challenges when moving to the cloud
AWS Solution: SFSA
Standardized for specific use cases
Addresses security/compliance requirements and AWS best practices
Ready to be pre-approved by customer assessment organizations
Ready to deploy “out of the box”
Customizable
Shared Responsibility Model
Customers are responsible for how they use AWS components in AWS.
Customer (responsible for security ‘in’ the cloud): customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption / integrity / identity)
AWS (responsible for security ‘of’ the cloud): compute, storage, database, networking; AWS global infrastructure (regions, availability zones, edge locations)
Service types: infrastructure services, container services, abstracted services
Security controls by type of responsibility:
− Inherited: fully inherited by AWS
− Hybrid: AWS provides a partial implementation
− Shared: AWS and the customer each provide their own implementation
− Customer specific: sole responsibility of the customer
Division of responsibility changes depending on the AWS service
SFSA helps simplify and accelerate your AWS migrations
Benefits
Automate system deployments
Address security/compliance requirements
Follow best practices
Decrease deployment time
Provide reusable documentation
Package Overview
AWS built the SFSA package to include several key artifacts to meet customer needs:
CloudFormation templates
Guidance documentation
Security controls/requirements matrix
− NIST SP 800-53 available now
− Coming soon: PCI DSS, CJIS, HIPAA, ISO 27001
Customizable reference architecture diagram
AWS SFSA CloudFormation Stacks
Multiple nested stacks
− For different types of workloads
− Modular and customizable
− Each stack builds a portion of the architecture
Each package consists of multiple CloudFormation templates reusable across different use cases
SFSA CloudFormation Stack
2,500 lines of JSON code = 126 AWS Resources, 200+ API Actions
Documentation
Included with every package is a User Guide along with an inventory of resources deployed by the templates
Resource Inventory
User Guide
Security Controls / Compliance Mapping
Pre-documents how security controls/requirements are addressed by the SFSA within the VPC/infrastructure layer
− Can be included in a customer’s compliance documentation/SSP
− Can be ingested into customer security/compliance databases/workflow tools
Contains additional guidance for each control/requirement
Identifies which CloudFormation stack implements the control/requirement
Identifies related AWS resources within each stack
The NIST SP 800-53 controls matrix will be followed by CJIS, SOC, PCI, and other third-party compliance frameworks
Security Controls / Compliance Mapping: Example Matrix
Customizable Reference Architecture
SFSA Use Cases
Base Architectures, examples:
− Base IAM configuration
− Base VPC architecture for an internal VPC
Full Applications, examples:
− 3-tier Linux web application
− Shared services VPC with Active Directory
Before you get started…
Understand use cases and workload types
Have a basic understanding of your governance model
Have a basic cloud strategy and roadmap
Identify relevant security standards or compliance requirements
− Have an organizational appetite to comply with them
How can SFSA be used?
The lifecycle has three stages: plan and design the cloud-based infrastructure; build the infrastructure using AWS components; application deployment (deploy applications using EC2 instances and other services within the cloud infrastructure). SFSA can be used in two ways across these stages:
− As a baseline for your architectures
− As a full application deployment
Security-Focused Standardized Architectures (SFSA): CloudFormation Intro and Tools
AWS CloudFormation
Basic standard in AWS for automating deployment of resources
CloudFormation template
− JSON-formatted document which describes a configuration to be deployed in an AWS account
− When deployed, it is referred to as a “stack” of resources
AWS CloudFormation
CloudFormation Template Structure
SFSA CloudFormation Resources
Describe the detailed configuration of a resource in AWS
Include, but are not limited to:
− IAM policies, users, groups, roles
− VPCs, subnets, NACLs, security groups
− EC2 instances, Auto Scaling groups
− RDS databases, S3 buckets
− Elastic Load Balancers
− CloudWatch alarms
− Lambda functions
− Logging (CloudTrail, CloudWatch Logs)
SFSA CloudFormation Parameters
20+ selectable variables to customize the AWS infrastructure
Variables can be made immutable based on organizational requirements
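The template structure and parameter model described above can be exercised offline. The following is an added example and is not code from the deck or from the SFSA package: a small constructed CloudFormation template in the JSON shape the slides describe (Parameters plus Resources), a check that a supplied parameter set respects AllowedValues and organization-locked ("immutable") values, and a resource scan that maps a few findings to illustrative NIST 800-53 control ids. The template, the `LOCKED_PARAMETERS` policy and the control mapping are all assumptions made for the example.

```python
"""Added example, not part of the original deck or the SFSA package.

Validates a constructed CloudFormation template (JSON structure: Parameters
and Resources) against an organization's parameter policy and scans its
resources for a few security findings tagged with illustrative control ids.
"""
import ipaddress
import json

# Constructed template for illustration; values are made up.
TEMPLATE_JSON = r'''
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "Environment":  {"Type": "String", "AllowedValues": ["dev", "prod"], "Default": "dev"},
    "AdminCidr":    {"Type": "String", "Default": "10.0.0.0/8"},
    "LogRetention": {"Type": "Number", "Default": 365}
  },
  "Resources": {
    "AppVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.10.0.0/16"}},
    "BastionSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "bastion access",
        "VpcId": {"Ref": "AppVpc"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "AdminCidr"}}
        ]
      }
    },
    "LogBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
    },
    "Trail": {
      "Type": "AWS::CloudTrail::Trail",
      "Properties": {"S3BucketName": {"Ref": "LogBucket"}, "IsLogging": true,
                     "IncludeGlobalServiceEvents": true}
    }
  }
}
'''

# Constructed organizational policy: parameters a workload owner may not override
# (the "immutable" variables the slides mention).
LOCKED_PARAMETERS = {"LogRetention": 365}


def load_template():
    """Parse the constructed template JSON into a dict."""
    return json.loads(TEMPLATE_JSON)


def validate_parameters(template, supplied):
    """Return a list of problems with a supplied {name: value} parameter set."""
    problems = []
    defs = template.get("Parameters", {})
    for name, value in supplied.items():
        if name not in defs:
            problems.append(f"unknown parameter {name}")
            continue
        allowed = defs[name].get("AllowedValues")
        if allowed is not None and value not in allowed:
            problems.append(f"{name}={value!r} not in AllowedValues {allowed}")
        if name in LOCKED_PARAMETERS and value != LOCKED_PARAMETERS[name]:
            problems.append(f"{name} is locked to {LOCKED_PARAMETERS[name]!r}")
    for name, definition in defs.items():
        if "Default" not in definition and name not in supplied:
            problems.append(f"missing required parameter {name}")
    return problems


def _resolve(value, params):
    """Resolve a {"Ref": parameter} to its effective value; pass literals through."""
    if isinstance(value, dict) and "Ref" in value:
        return params.get(value["Ref"], value)
    return value


def check_resources(template, supplied):
    """Scan Resources and return (control_id, logical_id, message) findings.

    Control ids are illustrative NIST 800-53 references: SC-7 boundary
    protection, SC-28 protection of information at rest, AU-2 audit events.
    """
    params = {n: d.get("Default") for n, d in template.get("Parameters", {}).items()}
    params.update(supplied)
    findings, has_trail = [], False
    for logical_id, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = _resolve(rule.get("CidrIp"), params)
                # A /0 prefix means the rule is open to the whole internet.
                if isinstance(cidr, str) and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append(("SC-7", logical_id,
                                     f"ingress {rule.get('FromPort')}-{rule.get('ToPort')} open to {cidr}"))
        elif rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append(("SC-28", logical_id, "bucket has no default encryption"))
        elif rtype == "AWS::CloudTrail::Trail":
            has_trail = True
            if props.get("IsLogging") is not True:
                findings.append(("AU-2", logical_id, "trail is not logging"))
    if not has_trail:
        findings.append(("AU-2", "<stack>", "no CloudTrail trail in template"))
    return findings


if __name__ == "__main__":
    tmpl = load_template()
    for supplied in ({"Environment": "prod"}, {"AdminCidr": "0.0.0.0/0", "LogRetention": 30}):
        print(supplied, validate_parameters(tmpl, supplied), check_resources(tmpl, supplied))
```

The two checks are deliberately separate: parameter validation is a governance gate (does this request stay inside what the organization approved?), while the resource scan is a control check on the effective template after parameters are resolved, which is the point at which the compliance matrix would tie a finding back to a stack and a resource.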
SFSA + Customer Governance Model
Managing SFSA Packages
Templates can be kept under version control
Establishes baselines for standard AWS configurations
Organizationally approved architectures can be stored centrally
Mandatory for many third-party security frameworks
Deployment Options
AWS Console
CLI deployment
− Deployment scripts included with package
AWS Service Catalog
− As a Service Catalog “Product”
AWS Management Console
CLI Deployment Scripts
“cfdeploy”
− Optional tool included with package to make deployment from the CLI easier
− Simpler management of standard parameters
Example invocation and output:
cfdeploy --deploy SFSA --yaml-parameters templates/parameters/example_useast1.yaml --template templates/main-webapp-linux.json --region us-east-1
Launched Stack ID: arn:aws:cloudformation:us-east-1:979676883363:stack/ASFA/e1442430-78f8-11e5-b55e-50d5018a129a
SFSA Deployment with AWS Service Catalog
Standardize deployment
Allow push-button build of common architectures based on compliance and use case
Provide a self-service model for workload owners
Allows administrators to create and manage approved catalogs of resources (products) that end users can access via a personalized portal
A Service Catalog product is a deployable CloudFormation template
Managed compliance with Service Catalog:
− Provide a catalog of pre-built, compliant architectures ready to deploy
− Enforce resource tagging
− Allow workload owners to deploy resources which normally require higher levels of IAM permissions than they are given
− Separate portfolios of products can be used to segment products by compliance type
AWS Service Catalog
AWS SFSA & Service Catalog
Get started with SFSA
Contact your sales representative/SA
AWS Quick Start deployments (coming soon)
Getting help:
− Whitepapers/user guides/SA: included with the package
− FREE 1-day workshop provided by Solutions Architects or Professional Services
− SOW-based 2-5 day ProServe customization workshop: Professional Services or APN Partner
Email: [email protected]
Additional Resources
AWS SFSA Quick Start Test Drive
− https://s3.amazonaws.com/quickstart-reference/security-compliance/latest/doc/Standard_NIST_800-53_Architecture_on_the_AWS_Cloud.pdf
AWS re:Invent 2015 Videos
(SEC312) Reliable Design and Deployment of Security and Compliance: https://youtu.be/KtMANvC7_n8
(ISM206) Modern IT Governance Through Transparency and Automation: https://youtu.be/YYiV_z9D2CE
Questions?