Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?
Using AWS Services to Automate Governance of Security Controls and Remediate Violations
January 19, 2017
Security Ops: Which AWS services do I use?
Michael Braendle, [email protected], Product Manager, AWS
2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SecDevOps: What?
Services and features galore: What do I use?
Using relevant services
Customer example: Siemens AG - Making it real
Improve your quality of life
What to Expect from the Session
We have this session at the end of the conference because we wanted to showcase some of the new capabilities we just launched. You'll not only learn more about these capabilities, but also see how we can use them.
What's the problem?
Meet Toby, software developer
Flexibility, speed, low cost, reliability, ...
Freedom to be creative
... throughout his professional career of 2 full years!
Is a do-er
Wants impact
Meet Joe, Mr. Security
Leading cloud adoption efforts
Part of central cloud security team
Manages other infrastructures
Deals with security escalations
Does not like being in the critical path
Wants to work smart, but has to work hard
Ultimately responsible for security
Security: A lot going on
Security Policy
Compliance regimes
Report compliance
Evangelize cloud within the org and outside
Put out fires
Investigate issues deeply
AWS Tools could help
AWS Config Rules
AWS CloudTrail
Trusted Advisor
CloudWatch Events
VPC Flow Logs
AWS WAF
Security Certificate Manager
IAM
Many, many services. Many, many features.
How do I sustain this?
Joe's typical tasks
Create security policies
Assess compliance; help others check for compliance
Investigate and analyze relevant information; fix critical security issues quickly
Deal with escalations
Generate evidence and reports
Create Policies
Policies in code: Trusted Advisor
Best Practice checks
Get 35+ checks with zero effort
Example: ELBs with missing security groups, S3 bucket open access permissions, etc.
Create an administrator role in each account
Assume the admin role to read check status using the TA APIs: DescribeTrustedAdvisorCheckSummaries, DescribeTrustedAdvisorCheckResult
Useful for broadly applicable policies with no specific exceptions
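The cross-account read described above, written out as an added example (not code from the talk): assume a per-account role, call the two Support API operations the slide names, and reduce the result to the non-ok security checks. The role name SecurityAudit, the category filter and the sample data are assumptions.

```python
"""Cross-account Trusted Advisor report. Assumes a SecurityAudit role in each account."""
import json

def support_client_for(account_id, role_name="SecurityAudit"):
    """Assume the per-account admin role and return a Support client.
    The Support API is us-east-1 only and needs a Business or Enterprise plan."""
    import boto3  # imported here so the pure helpers below run offline
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="ta-report")["Credentials"]
    return boto3.client("support", region_name="us-east-1",
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])

def fetch(support):
    """The two calls the slide names: list the checks, then read their summaries."""
    checks = support.describe_trusted_advisor_checks(language="en")["checks"]
    ids = [c["id"] for c in checks]
    return checks, support.describe_trusted_advisor_check_summaries(checkIds=ids)["summaries"]

def failing_checks(checks, summaries, categories=("security",)):
    """Join summaries to check metadata; keep error/warning checks in the wanted
    categories, worst status and most flagged resources first. Pure, so testable."""
    meta = {c["id"]: c for c in checks}
    rank = {"error": 0, "warning": 1}
    rows = []
    for s in summaries:
        c = meta.get(s["checkId"], {})
        if s["status"] not in rank or c.get("category") not in categories:
            continue
        rows.append({"check": c.get("name", s["checkId"]), "status": s["status"],
                     "flagged": s.get("resourcesSummary", {}).get("resourcesFlagged", 0)})
    return sorted(rows, key=lambda r: (rank[r["status"]], -r["flagged"]))

# Constructed sample data in the shape the Support API returns, for offline use.
SAMPLE_CHECKS = [
    {"id": "c1", "name": "Security Groups - Unrestricted Access", "category": "security"},
    {"id": "c2", "name": "Amazon S3 Bucket Permissions", "category": "security"},
    {"id": "c3", "name": "Low Utilization Amazon EC2 Instances", "category": "cost_optimizing"},
]
SAMPLE_SUMMARIES = [
    {"checkId": "c1", "status": "warning", "resourcesSummary": {"resourcesFlagged": 3}},
    {"checkId": "c2", "status": "error", "resourcesSummary": {"resourcesFlagged": 1}},
    {"checkId": "c3", "status": "error", "resourcesSummary": {"resourcesFlagged": 9}},
]

if __name__ == "__main__":
    print(json.dumps(failing_checks(SAMPLE_CHECKS, SAMPLE_SUMMARIES), indent=2))
```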
Policies in code: Config Rules, managed and custom rules
Managed Rules
Pre-built, but need to be turned on
Triggered periodically or on changes, and apply to specific resources
Modify the published source on GitHub to customize further
Useful for resources with specific policies. Flexible.
Policies in code
Custom Rules
Write your own rules. Ultimate flexibility
Publish your best practices on GitHub
Annotate results to add policy details or tickets
Codify recommendations
Also see: https://github.com/awslabs/aws-config-rules
Create Policies in code
Assess Compliance
Assess compliance
Audit assessment is a spot check
Policies in code: continuous assessments
Self-service governance
Prioritize assessments
Find an owner for the result
Options for assessing compliance
Config Rules to assess and report configuration compliance
Annotate results with resource owner
Custom Rules integrate with ticketing
AWS Config + Inventory
Assess compliance using Config Rules
EC2 Systems Manager and AWS Config will capture:
Software inventory in the EC2 instance
Firewall rules
Patch level
Application version
Inventory Assessment
Create Policies in code
Assessment and Governance
Fix violations quickly
Using Config Rules and CloudWatch Events
Use CloudWatch Events and Lambda triggers to fix things
Custom Config Rules for remediations in Lambda
Enable traceability and logging for audit
CloudTrail Data Events for S3
Act on API activity immediately in CloudWatch Events
Data Events for S3
Trigger rules that fix the problem
Trace invocations and actions in CloudWatch Logs
S3, CloudTrail, CloudWatch Events, Lambda
Create Policies in code
Assessment and GovernanceFix Violations
Deal with Escalations
Security Escalations
Logs and activity data are critical
Use automation to increase surveillance on suspicious activity (e.g. CloudTrail is turned off)
Timely response could be to quarantine
SOP should be in code!
Security Escalations: Internal Threats
Real problem, not paranoia
Use data to provide transparency
Misconfigurations continue to be threat #1
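The "SOP in code" idea from this slide and the CloudTrail-to-CloudWatch-Events-to-Lambda path from the "Fix violations quickly" slides, as one added example (not code from the talk): a Lambda that receives CloudTrail API events through a CloudWatch Events rule, re-enables logging when a trail is stopped and reverts a bucket ACL that was made public, logging each decision for the audit trail. The event pattern, the injectable clients and the sample events are assumptions.

```python
"""Remediation SOP in code. Assumes a CloudWatch Events rule matching EVENT_PATTERN
targets this Lambda; clients are injectable so the decision logic runs without AWS."""
import json

EVENT_PATTERN = {  # rule pattern: the two CloudTrail-recorded calls we act on
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["cloudtrail.amazonaws.com", "s3.amazonaws.com"],
               "eventName": ["StopLogging", "PutBucketAcl"]},
}
PUBLIC = ("http://acs.amazonaws.com/groups/global/AllUsers",
          "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

def grants_public(params):
    """True if a PutBucketAcl request used a public canned ACL or a public grantee."""
    if any(a in ("public-read", "public-read-write") for a in params.get("x-amz-acl", [])):
        return True
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    grants = [grants] if isinstance(grants, dict) else grants
    return any(g.get("Grantee", {}).get("URI") in PUBLIC for g in grants)

def decide(detail):
    """Map one CloudTrail record (the event's 'detail') to a remediation plan, or None."""
    name, params = detail.get("eventName"), detail.get("requestParameters") or {}
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    if name == "StopLogging":
        return {"action": "start_logging", "trail": params.get("name"), "actor": actor}
    if name == "PutBucketAcl" and grants_public(params):
        return {"action": "make_private", "bucket": params.get("bucketName"), "actor": actor}
    return None

def handler(event, context=None, clients=None):
    """Lambda entry point. Returns what was done so the invocation is traceable."""
    plan = decide(event.get("detail", {}))
    if plan is None:
        return {"remediated": False}
    if clients is None:
        import boto3
        clients = {"cloudtrail": boto3.client("cloudtrail"), "s3": boto3.client("s3")}
    if plan["action"] == "start_logging":
        clients["cloudtrail"].start_logging(Name=plan["trail"])
    else:
        clients["s3"].put_bucket_acl(Bucket=plan["bucket"], ACL="private")
    print(json.dumps(plan))  # lands in CloudWatch Logs: the trace the slides ask for
    return {"remediated": True, **plan}
```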
Create Policies in code
Assessment and GovernanceFix ViolationsDeal with Escalations
Generating Evidence
Reports
Weekly Trusted Advisor reports
Archived CloudTrail activity in S3 (never delete)
CloudTrail Lookup for 1 week, CloudWatch Logs for longer-term lookup
AWS Config Snapshot for broad, point-in-time views
AWS Config GetResourceConfigHistory:
> get-resource-config-history --resource-type --resource-id [--later-time ] [--earlier-time ]
Create Policies in code
Assessment and Governance
Fix Violations
Deal with Escalations
Evidence for Audit
Automate and share: templatize across accounts, regions, industries
The real world
The Company
Digital Services
Smart remote monitoring and data services for maximum reliability
Siemens AG - MO CS STC SC-SO October 2016
Siemens Mobility Services
As Siemens Mobility we develop high-speed and commuter trains, metros, light rails and also the rail automation and electrification part for mass transportation systems all over the world.
Rail vehicles deliver large volumes of data but what do we do with it to generate value?
Modern trains send 1 billion data points per year
Additionally: work orders, spare parts list, geo data
The basis: turn all this data into information and derive actions
The challenge: 100% availability for you
Our goal is 100% availability for the customer's fleet.
We provide a common data policy
The collected technical data belongs to the customer.
The data will be stored by Siemens or by contracted sub-suppliers of Siemens.
Siemens shall fulfill its contractual obligations, e.g. providing cockpit or reports. For other reasons than this, Siemens is not obliged to store the data and is not liable for loss of data (unless this is contracted).
However, Siemens is obliged to protect the customer's data by applying state-of-the-art security measures to do so.
Siemens can use the data for its own purposes during the contract period (right to use). Selling the data is not permitted!
Customer may request after the end of the contract that Siemens erases all the data with regards to the customer contract.
Customer owns the data from the assets and Siemens can use it
Data input: big data from assets
Data analytics: algorithmic processes
Data output: smart data generated by Siemens experts
Parties: Siemens, Customer, Customer and Siemens
One of our main prerequisites is that the data belongs to our customers. We help them with our people, expertise and tools to get the most out of the data.
Railigent: The platform to manage your assets smarter
Management, dispatcher, maintenance engineer
Data visualization, data evaluation, data processing, data transmission
Railigent Connect: secure data transmission from sensor to central data storage
Turning data into value and enabling Digital Services solutions (Smart Monitoring, Smart Data Analysis and Smart Prediction)
Railigent powered by Sinalytics
Advanced algorithms, domain expertise, know-how, best practices
Modular: customized solution packages; define reports as you need them
Scalable: from basic to advanced solutions; upgrade your system as needed
Open: fits into your environment; standard interfaces ensure interoperability
The Railigent platform is based on AWS and is a fully new cloud-native approach to get the most out of the data. We benefit from the AWS ecosystem by gaining modular services with high flexibility and scalability.
Governance Tools
AWS Architecture
AWS Config / rules
Amazon CloudWatch
AWS CloudTrail
AWS Trusted Advisor
AWS IAM
AWS KMS
AWS CloudFormation
Complete environment deployment is done via CloudFormation. We have 4 levels in our account structure:
1. The sandbox, where all developers can play around and learn
2. The dev account, for developing in a near-production environment
3. The test account, for pre-production tests
4. Finally the production account, where the customer data is processed
The dev and test accounts also have access to the production data, based on a granular access policy and read-only rights. For CloudTrail we use the vault principle as best practice -> store everything in an external account's S3 bucket with limited rights.
Topics to service mapping
Compliance and security topic, based on ISO 27001 / 27002 and IEC 62443, mapped to AWS Config, AWS CloudTrail, Amazon CloudWatch and AWS Trusted Advisor:
Access Control (9)
Asset Management (8)
Communications Security
Compliance (18)
We have an internal requirement database based on classification, with the shown topics from ISO 27001 and IEC 62443 (industrial automation and control system security). There we have over 100 requirements for security and operation assigned to the chapters shown on the slide.
The numbers in brackets represent the chapters in the ISO.
1. For Access Control there are requirements like user management, password complexity and so on.
2. For Asset Management there is for example a requirement that we always need to know what was running in the past and what's running now.
3. Communications Security demands secure communication over all layers.
4. Compliance is more about the process stuff, like doing a self-assessment and risk analysis.
Topics to service mapping
Compliance and security topic, ISO 27001 / 27002, mapped to AWS Config, AWS CloudTrail, Amazon CloudWatch and AWS Trusted Advisor:
Cryptography (10)
Information Security Aspects of Business Continuity Management (17)
Information Security Incident Management (16)
Operations Security
5. Cryptography should be clear: it is about preferred cipher suites and allowed algorithms, and how to deal with certificates.
6. Information Security Aspects of Business Continuity Management is mainly about having an IT disaster recovery plan.
7. Information Security Incident Management: how to deal with incidents; think about escalation procedures before something happens.
8. And finally Operations Security: know what's running, document everything you do, change, demand and capacity management. This is for today the most discussed chapter on our side, because we're in a transformation from a classic IT operations department to a SecDevOps team.
There are others, like Environmental & Physical Controls, which I left out because they are fulfilled by AWS directly.
Used AWS Config Rules
Pre-defined rules: encrypted-volumes, s3-bucket-logging-enabled, cloud-trail-enabled, eip-attached, root-account-mfa-enabled, iam-password-policy, rds-storage-encrypted, required-tags
Custom rules: rds-in-private-subnet, advanced IAM policy on different user types, advanced security group requirements
A good source to start with your own rules is: https://github.com/awslabs/aws-config-rules
We use some of the standard rules and are constantly expanding them with custom rules based on the requirements I showed before.
Examples are: rds-in-private-subnet, advanced IAM policy on different user types, advanced security group requirements.
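A custom rule of the "advanced security group requirements" kind named here, written the way the earlier Config Rules slides describe (own rule in Lambda, result annotated with the policy detail). This is an added example, not Siemens' or AWS' code; the allowedPorts rule parameter, the REQ-NET-07 requirement id in the annotation, and the sample item are assumptions.

```python
"""Custom AWS Config rule: security groups may expose only approved ports to the world.
Assumes a rule parameter allowedPorts (comma-separated) and a hypothetical REQ-NET-07 id."""
import json

ANYWHERE = ("0.0.0.0/0", "::/0")

def open_ranges(permission):
    """Collect world-open CIDRs from one ipPermissions entry (old and new item formats)."""
    cidrs = [r for r in permission.get("ipRanges", []) if isinstance(r, str)]
    cidrs += [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]

def evaluate(item, allowed):
    """Return (compliance_type, annotation) for one AWS::EC2::SecurityGroup item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted or not recorded"
    violations = []
    for p in item.get("configuration", {}).get("ipPermissions", []):
        if not open_ranges(p):
            continue
        lo, hi, proto = p.get("fromPort"), p.get("toPort"), p.get("ipProtocol")
        if proto == "-1" or lo is None:            # "all traffic" rule
            violations.append("all traffic")
        elif lo < 0 or any(port not in allowed for port in range(lo, hi + 1)):
            violations.append(f"{proto} {lo}-{hi}")  # lo < 0 covers ICMP "all types"
    if violations:
        return "NON_COMPLIANT", "REQ-NET-07: world-open " + ", ".join(violations)
    return "COMPLIANT", "REQ-NET-07 satisfied"

def lambda_handler(event, context=None, config_client=None):
    """Change-triggered rule entry point; config_client is injectable for tests."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = {int(p) for p in params.get("allowedPorts", "443").split(",")}
    compliance, note = evaluate(item, allowed)
    if config_client is None:
        import boto3
        config_client = boto3.client("config")
    config_client.put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance,
                      "Annotation": note[:256],  # Config caps annotations at 256 chars
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    return compliance
```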
Siemens Governance Requirements
AWSConfig
Amazon CloudWatchAWSCloudTrail
AmazonSNS
AWS Config rules
https://s3-us-west-2.amazonaws.com/awscloudtrail/cloudwatch-alarms-for-cloudtrail-api-activity/CloudWatch_Alarms_for_CloudTrail_API_Activity.json
We have a default set which is delivered by our global IT department on every deployed account. Therefore there is a centralized order process for ordering accounts internally.
We have an automated audit process that is established always before the first users access an account, fully automated by CloudWatch and CloudTrail, supported by SNS for notifications.
In the background you see an example code, CloudWatch_Alarms_for_CloudTrail_API_Activity, which is also publicly available and helps us a lot.
We're tracking every config change by AWS Config and controlling the important things by Config rules.
As mentioned before, the consolidated billing allows us to use the full functionality of Trusted Advisor.
Siemens Governance Requirements: AWS Trusted Advisor
flow logs
AWS Trusted Advisor
4-eyes principle means always 2 people, each time one with an operations view and one with a security view, have to look at the reports and notifications coming out of Trusted Advisor and our Config rules checks.
Regular checks are done automatically when new resources are deployed, via attached Config rules, and additionally on a regular time basis by Trusted Advisor; that 2-layer security check helps us to gain trust from our info sec department.
As a next step we have activated flow logs and will now establish additional checks on the data flows.
Conclusions
Security shall be the initial part of the development: SecDevOps
Get a clear view of what the requirements are; AWS provides a lot of tools to fulfill most of the requirements.
Automation is the key to success.
Steven Schmidt -> Security should be step zero.
An integrated solution is necessary for a successful development.
Very helpful for us was -> excellent support by AWS experts, excellent documentation, whitepapers and checklists; all points to one major conclusion.
You've heard it all the time in most of the talks, but it's true: automation is the key.
Remember to complete your evaluations!
Thank you!