Scaling Security Operations and Automating Governance: Which AWS Services Should I Use?


Using AWS Services to Automate Governance of Security Controls and Remediate Violations
January 19, 2017
Security Ops: Which AWS services do I use?
Michael Braendle, [email protected], Principal Product Manager, AWS

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

What to Expect from the Session

- SecDevOps: What?
- Services and features galore: What do I use?
- Using relevant services
- Customer example: Siemens AG - Making it real
- Improve your quality of life

We have this session at the end of the conference because we wanted to showcase some of the new capabilities we just launched. You'll not only learn more about these capabilities, but also see how we can use them.

What's the problem?

Meet Toby, software developer
- Flexibility, speed, low cost, reliability, ...
- Freedom to be creative
- ... throughout his professional career of 2 full years!
- Is a do-er
- Wants impact

Meet Joe, Mr. Security
- Leading cloud adoption efforts
- Part of central cloud security team
- Manages other infrastructures
- Deals with security escalations
- Does not like being in the critical path
- Wants to work smart, but has to work hard
- Ultimately responsible for security

Security: A lot going on
- Security policy
- Compliance regimes; report compliance
- Evangelize cloud within the org and outside
- Put out fires
- Investigate issues deeply

AWS tools could help:
- AWS Config Rules
- AWS CloudTrail
- Trusted Advisor
- CloudWatch Events
- VPC Flow Logs
- AWS WAF
- Certificate Manager
- IAM


Many, many services; many, many features. How do I sustain this?

Joe's typical tasks
- Create security policies
- Assess compliance; help others check for compliance
- Investigate and analyze relevant information; fix critical security issues quickly
- Deal with escalations
- Generate evidence and reports

Create Policies

Policies in code: Trusted Advisor best practice checks
- Get 35+ checks with zero effort
- Example: ELBs with missing security groups, S3 bucket open access permissions, etc.
- Create an administrator role in each account
- Assume the admin role to read check status using the Trusted Advisor APIs: DescribeTrustedAdvisorCheckSummaries, DescribeTrustedAdvisorCheckResult
- Useful for broadly applicable policies with no specific exceptions
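The cross-account read described above, as an added example that is not code from the deck: assume a reader role in each member account, pull the check summaries for the security category with DescribeTrustedAdvisorCheckSummaries, and fetch the flagged resources of every failing check with DescribeTrustedAdvisorCheckResult. The role name TrustedAdvisorReader and the account ids are assumptions; the Support API requires a Business or Enterprise support plan and is served only from us-east-1.

```python
"""Read Trusted Advisor check status across accounts through an assumed role.

Added example, not code from the deck. Assumptions: a role named
TrustedAdvisorReader (hypothetical) exists in each member account and the
member accounts have a support plan that exposes the Support API. The
Support API is served only from us-east-1.
"""
from typing import Dict, List

ROLE_NAME = "TrustedAdvisorReader"  # hypothetical role name


def security_checks(support) -> Dict[str, str]:
    """Map check id -> check name for the Trusted Advisor 'security' category."""
    checks = support.describe_trusted_advisor_checks(language="en")["checks"]
    return {c["id"]: c["name"] for c in checks if c["category"] == "security"}


def failing_checks(support, checks: Dict[str, str]) -> Dict[str, str]:
    """DescribeTrustedAdvisorCheckSummaries: keep checks whose status is
    'warning' or 'error' (the others are 'ok' and 'not_available')."""
    resp = support.describe_trusted_advisor_check_summaries(checkIds=list(checks))
    return {
        checks[s["checkId"]]: s["status"]
        for s in resp["summaries"]
        if s["status"] in ("warning", "error")
    }


def flagged_resources(support, check_id: str) -> List[dict]:
    """DescribeTrustedAdvisorCheckResult: list the resources a check flagged,
    dropping rows that are fine or that the account owner has suppressed."""
    result = support.describe_trusted_advisor_check_result(checkId=check_id, language="en")
    return [
        {"region": r.get("region"), "resourceId": r.get("resourceId"), "status": r["status"]}
        for r in result["result"].get("flaggedResources", [])
        if r["status"] in ("warning", "error") and not r.get("isSuppressed", False)
    ]


def account_report(support) -> Dict[str, dict]:
    """{check name: {"status": ..., "resources": [...]}} for failing security checks."""
    checks = security_checks(support)
    name_to_id = {name: cid for cid, name in checks.items()}
    report = {}
    for name, status in failing_checks(support, checks).items():
        report[name] = {"status": status, "resources": flagged_resources(support, name_to_id[name])}
    return report


def support_client_for(account_id: str, role_name: str = ROLE_NAME):
    """Assume the reader role in a member account and return a Support client.
    boto3 is imported here so the functions above stay testable without it."""
    import boto3

    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="ta-reader",
    )["Credentials"]
    return boto3.client(
        "support",
        region_name="us-east-1",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    # Constructed account ids; replace with the accounts the admin role exists in.
    for account in ["111111111111", "222222222222"]:
        print(account, account_report(support_client_for(account)))
```

The Support client is passed into the report functions rather than created inside them, so the same code can be run against a recorded response in a test or against each account's assumed-role session in production.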

Policies in code: Config Rules, managed and custom rules

Managed Rules
- Pre-built, but need to be turned on
- Triggered periodically or on changes, and apply to specific resources
- Modify the published source on GitHub to customize further
- Useful for resources with specific policies. Flexible.

Custom Rules
- Write your own rules. Ultimate flexibility.
- Publish your best practices on GitHub
- Annotate results to add policy details or tickets
- Codify recommendations

Also see: https://github.com/awslabs/aws-config-rules
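A custom Config rule in the shape the slides describe, as an added example (not code from the deck or from the awslabs/aws-config-rules repository): a change-triggered Lambda for AWS::EC2::SecurityGroup that flags ingress open to 0.0.0.0/0 or ::/0 on any port outside an allow-list, reports COMPLIANT / NON_COMPLIANT back with PutEvaluations, and uses the Annotation field to say which ports caused the finding. The rule parameter name allowedPublicPorts is an assumption.

```python
"""Custom AWS Config rule (Lambda handler) for security-group ingress policy.

Added example, not code from the deck or from awslabs/aws-config-rules.
It assumes a rule parameter named allowedPublicPorts (hypothetical), a
comma-separated list of ports that may be open to 0.0.0.0/0 or ::/0, and
is meant to be change-triggered on AWS::EC2::SecurityGroup.
"""
import json
from typing import Optional, Set, Tuple

WORLD_V4, WORLD_V6 = "0.0.0.0/0", "::/0"


def _ports(perm: dict) -> Optional[Set[int]]:
    """Ports a permission entry covers; None means every port/protocol."""
    if str(perm.get("ipProtocol")) == "-1":
        return None
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return None
    return set(range(int(lo), int(hi) + 1))


def _open_to_world(perm: dict) -> bool:
    # AWS Config records IPv4 ranges both as strings (ipRanges) and objects (ipv4Ranges).
    v4 = set(perm.get("ipRanges") or []) | {r.get("cidrIp") for r in perm.get("ipv4Ranges") or []}
    v6 = {r.get("cidrIpv6") for r in perm.get("ipv6Ranges") or []}
    return WORLD_V4 in v4 or WORLD_V6 in v6


def evaluate(ci: dict, allowed_public_ports: Set[int]) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    findings = []
    for perm in (ci.get("configuration") or {}).get("ipPermissions") or []:
        if not _open_to_world(perm):
            continue
        ports = _ports(perm)
        if ports is None:
            findings.append("all ports open to the world")
        elif not ports <= allowed_public_ports:
            extra = sorted(ports - allowed_public_ports)
            findings.append("world-open ports not allowed: " + ",".join(map(str, extra[:10])))
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]  # Annotation limit is 256 chars
    return "COMPLIANT", "world-open ingress limited to allowed ports"


def lambda_handler(event: dict, context=None, config_client=None) -> dict:
    """AWS Config passes invokingEvent and ruleParameters as JSON strings."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = {int(p) for p in params.get("allowedPublicPorts", "").split(",") if p.strip()}
    ci = invoking["configurationItem"]
    compliance, annotation = evaluate(ci, allowed)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if config_client is None:  # real invocation: report back to AWS Config
        import boto3
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

Keeping the decision in evaluate() separate from the handler means the policy can be unit-tested against recorded configuration items before the rule is deployed, and the annotation gives the resource owner the exact ports to fix instead of a bare NON_COMPLIANT.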


Assess Compliance

Assess compliance
- An audit assessment is a spot check
- Policies in code: continuous assessments
- Self-service governance
- Prioritize assessments
- Find an owner for the result

Options for assessing compliance
- Config Rules to assess and report configuration compliance
- Annotate results with the resource owner
- Custom Rules integrate with ticketing

AWS Config + Inventory
- Assess compliance using Config Rules
- EC2 Systems Manager and AWS Config will capture software inventory in EC2 instances: firewall rules, patch level, application version

Inventory Assessment


Fix violations quickly

Using Config Rules and CloudWatch Events
- Use CloudWatch Events and Lambda triggers to fix things
- Custom Config Rules for remediations in Lambda
- Enable traceability and logging for audit

CloudTrail Data Events for S3
- Act on API activity immediately in CloudWatch Events
- Data Events for S3 trigger rules that fix the problem
- Trace invocations and actions in CloudWatch Logs

S3, CloudTrail, CloudWatch Events, Lambda


Deal with Escalations

Security Escalations
- Logs and activity data are critical
- Use automation to increase surveillance on suspicious activity (e.g. CloudTrail is turned off)
- A timely response could be to quarantine; the SOP should be in code!

Security Escalations: Internal Threats
- Real problem, not paranoia
- Use data to provide transparency
- Misconfigurations continue to be threat #1
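The "SOP in code" pattern from the two slides above (CloudTrail Data Events for S3 triggering a fixing rule, and automated response when CloudTrail is turned off), as one added example that is not code from the deck: a Lambda target for a CloudWatch Events rule matching "AWS API Call via CloudTrail" events. For a StopLogging call it re-enables the trail with StartLogging; for a PutBucketAcl call that grants access to AllUsers or AuthenticatedUsers (via an explicit grant or a public canned ACL) it resets the bucket ACL to private; either way it publishes the caller identity and the original event to an SNS topic for the escalation. The rule pattern, topic ARN, trail and bucket names are constructed placeholders.

```python
"""Event-driven remediation for two CloudTrail-reported API calls.

Added example, not code from the deck. It assumes a CloudWatch Events rule
with the pattern in RULE_PATTERN that targets this Lambda and an SNS topic
whose ARN is in the ALERT_TOPIC_ARN environment variable (hypothetical
names). Event layout follows the "AWS API Call via CloudTrail" detail format.
"""
import json

RULE_PATTERN = {  # put this on the CloudWatch Events rule that invokes the handler
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": ["StopLogging", "PutBucketAcl"]},
}
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def classify(event: dict):
    """Return (action, target) or None when the recorded call needs no remediation."""
    detail = event.get("detail") or {}
    params = detail.get("requestParameters") or {}
    name = detail.get("eventName")
    if name == "StopLogging" and params.get("name"):
        return "start_logging", params["name"]
    if name == "PutBucketAcl" and params.get("bucketName"):
        canned = params.get("x-amz-acl") or []
        if isinstance(canned, str):
            canned = [canned]
        grants = ((params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}).get("Grant") or []
        if isinstance(grants, dict):  # a single grant is recorded as an object, not a list
            grants = [grants]
        public_grant = any((g.get("Grantee") or {}).get("URI") in PUBLIC_GRANTEES for g in grants)
        if public_grant or set(canned) & PUBLIC_CANNED_ACLS:
            return "make_private", params["bucketName"]
    return None


def remediate(event: dict, cloudtrail, s3, sns, topic_arn: str) -> str:
    """Apply the fix, then notify the security team with the original event attached."""
    decision = classify(event)
    if decision is None:
        return "no_action"
    action, target = decision
    if action == "start_logging":
        cloudtrail.start_logging(Name=target)
    else:
        # Quarantine: drop every grant. A fuller SOP would restore a recorded ACL instead.
        s3.put_bucket_acl(Bucket=target, ACL="private")
    caller = ((event.get("detail") or {}).get("userIdentity") or {}).get("arn", "unknown")
    sns.publish(
        TopicArn=topic_arn,
        Subject=f"Auto-remediated {action} on {target}"[:100],
        Message=json.dumps({"action": action, "target": target, "caller": caller, "event": event}, default=str),
    )
    return f"{action}:{target}"


def lambda_handler(event, context):
    import os
    import boto3

    return remediate(
        event,
        boto3.client("cloudtrail"),
        boto3.client("s3"),
        boto3.client("sns"),
        os.environ["ALERT_TOPIC_ARN"],
    )
```

The Lambda's own role needs only cloudtrail:StartLogging, s3:PutBucketAcl and sns:Publish on the specific resources, and its invocations land in CloudWatch Logs, which gives the audit trail the "traceability and logging" bullet asks for.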


Generating Evidence

Reports
- Weekly Trusted Advisor reports
- Archived CloudTrail activity in S3 (never delete)
- CloudTrail Lookup for 1 week, CloudWatch Logs for longer-term lookup
- AWS Config Snapshot for broad, point-in-time views
- AWS Config GetResourceConfigHistory:
  aws configservice get-resource-config-history --resource-type <type> --resource-id <id> [--later-time <time>] [--earlier-time <time>]

Summary
- Create policies in code
- Assessment and governance
- Fix violations
- Deal with escalations
- Evidence for audit
- Automate and share: templatize across accounts, regions, industries

The real world

The Company

Digital Services: Smart remote monitoring and data services for maximum reliability
Siemens AG - MO CS STC SC-SO, October 2016

Siemens Mobility Services

At Siemens Mobility we develop high-speed and commuter trains, metros, light rail, and also the rail automation and electrification part for mass transportation systems all over the world.

Rail vehicles deliver large volumes of data but what do we do with it to generate value?

Modern trains send 1 billion data points per year. Additionally: work orders, spare parts lists, geo data.
The basis: turn all this data into information and derive actions.
The challenge: 100% availability for you.

Our goal is 100% availability for the customer's fleet.

We provide a common data policy

- The collected technical data belongs to the customer.
- The data will be stored by Siemens or by contracted sub-suppliers of Siemens.
- Siemens shall fulfill its contractual obligations, e.g. providing a cockpit or reports. For reasons other than this, Siemens is not obliged to store the data and is not liable for loss of data (unless this is contracted).
- However, Siemens is obliged to protect the customer's data by applying state-of-the-art security measures.
- Siemens can use the data for its own purposes during the contract period (right to use). Selling the data is not permitted!
- The customer may request after the end of the contract that Siemens erases all the data relating to the customer contract.

Customer owns the data from the assets and Siemens can use it
- Data input: big data from assets
- Data analytics: algorithmic processes
- Data output: smart data generated by Siemens experts
(Parties shown on the slide: Siemens, Customer, Customer and Siemens)

One of our main prerequisites is that the data belongs to our customers. We help them with our people, expertise and tools to get the most out of the data.

Railigent: The platform to manage your assets smarter

Users: management, dispatcher, maintenance engineer
Layers: data visualization, data evaluation, data processing, data transmission
- Railigent Connect: secure data transmission from sensor to central data storage
- Turning data into value and enabling Digital Services solutions (Smart Monitoring, Smart Data Analysis and Smart Prediction)
- Railigent powered by Sinalytics: advanced algorithms, expertise, domain know-how, best practices

- Modular: customized solution packages; define reports as you need them
- Scalable: from basic to advanced solutions; upgrade your system as needed
- Open: fits into your environment; standard interfaces ensure interoperability

The Railigent platform is based on AWS and is a fully new cloud-native approach to get the most out of the data. We benefit from the AWS ecosystem by gaining modular services with high flexibility and scalability.

Governance Tools: AWS Architecture
- AWS Config / rules
- Amazon CloudWatch
- AWS CloudTrail
- AWS Trusted Advisor
- AWS IAM
- AWS KMS
- AWS CloudFormation

Complete environment deployment is done via CloudFormation. We have 4 levels in our account structure:
1. The sandbox, where all developers can play around and learn
2. The dev account, for development in a near-production environment
3. The test account, for pre-production tests
4. Finally the production account, where the customer data is processed

The dev and test accounts also have access to the production data, based on a granular access policy and read-only rights. For CloudTrail we use the vault principle as best practice: store everything in an S3 bucket in an external account with limited rights.
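The "vault" bucket policy that principle calls for, as an added example (not Siemens' or AWS's own code, and the exact rights Siemens configured are not on the slides): CloudTrail from each source account may write only under its own AWSLogs/<account-id>/ prefix and only with bucket-owner-full-control, no principal may delete objects or the bucket, and plaintext transport is refused. The two audit helpers answer the questions an auditor asks of such a policy. Bucket and account ids are constructed placeholders.

```python
"""Bucket policy for a CloudTrail log vault in a separate log-archive account.

Added example, not Siemens' or AWS's own code. It encodes the vault principle
as assumed here: CloudTrail from the source accounts may write under its own
prefix, nobody may delete, and unencrypted transport is refused. The bucket
name and account ids used below are constructed placeholders.
"""
import json
from typing import Dict, Iterable, List

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"


def vault_bucket_policy(bucket: str, source_accounts: Iterable[str]) -> Dict:
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # CloudTrail writes to AWSLogs/<account-id>/...; allow exactly those prefixes.
    write_arns = [f"{bucket_arn}/AWSLogs/{acct}/*" for acct in sorted(set(source_accounts))]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE},
             "Action": "s3:GetBucketAcl", "Resource": bucket_arn},
            {"Sid": "CloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL_SERVICE},
             "Action": "s3:PutObject", "Resource": write_arns,
             # CloudTrail must hand ownership of each object to the vault account.
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
            {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
             "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
             "Resource": [bucket_arn, f"{bucket_arn}/*"]},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def _as_list(x):
    return x if isinstance(x, list) else [x]


def write_principals(policy: Dict) -> List[str]:
    """Audit helper: which principals does this policy explicitly allow to PutObject?"""
    out = []
    for st in policy["Statement"]:
        if st["Effect"] == "Allow" and "s3:PutObject" in _as_list(st["Action"]):
            p = st["Principal"]
            out.extend(_as_list(p["Service"]) if isinstance(p, dict) and "Service" in p else [str(p)])
    return out


def deletes_denied(policy: Dict) -> bool:
    """Audit helper: is there an explicit Deny of s3:DeleteObject for every principal?"""
    return any(
        st["Effect"] == "Deny" and st["Principal"] == "*" and "s3:DeleteObject" in _as_list(st["Action"])
        for st in policy["Statement"]
    )


if __name__ == "__main__":
    print(json.dumps(vault_bucket_policy("constructed-cloudtrail-vault", ["111111111111", "222222222222"]), indent=2))
```

The explicit Deny wins over any Allow an IAM user in the vault account might otherwise have, so deleting evidence needs a visible policy change first; pair this with S3 versioning so an overwrite does not replace a log object silently.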

Topics to Service mapping: compliance and security topics based on ISO 27001 / 27002 and IEC 62443
(Columns on the slide: AWS Config, AWS CloudTrail, Amazon CloudWatch, AWS Trusted Advisor; each topic is checked against the services that cover it.)
- Access Control (9): 2 of the 4 services
- Asset Management (8): 1 of the 4 services
- Communications Security: 2 of the 4 services
- Compliance (18): all 4 services

We have an internal requirement database based on classification, with the topics shown from ISO 27001 and IEC 62443 (industrial automation and control system security). There we have over 100 requirements for security and operation assigned to the chapters shown on the slide.

The numbers in brackets represent the chapters in the ISO standard.

1. For Access Control there are requirements like user management, password complexity and so on.
2. For Asset Management there is, for example, a requirement that we always need to know what was running in the past and what's running now.
3. Communications Security demands secure communication over all layers.
4. Compliance is more about the process stuff, like doing a self-assessment and risk analysis.

Topics to Service mapping (continued): ISO 27001 / 27002
(Same columns: AWS Config, AWS CloudTrail, Amazon CloudWatch, AWS Trusted Advisor)
- Cryptography (10): 2 of the 4 services
- Information Security Aspects of Business Continuity Management (17): 2 of the 4 services
- Information Security Incident Management (16): 2 of the 4 services
- Operations Security: 2 of the 4 services

5. Cryptography should be clear; it is about preferred cipher suites and allowed algorithms and how to deal with certificates.
6. Information Security Aspects of Business Continuity Management is mainly about having an IT disaster recovery plan.
7. Information Security Incident Management is about how to deal with incidents; think about escalation procedures before something happens.
8. And finally Operations Security: know what's running, document everything you change, demand and capacity management. This is for today the most discussed chapter on our side, because we're in a transformation from a classic IT operations department to a SecDevOps team.

There are others like Environmental & Physical Controls which I left out because they are fulfilled by AWS directly.

Used AWS Config Rules

Pre-defined rules:
- encrypted-volumes
- s3-bucket-logging-enabled
- cloud-trail-enabled
- eip-attached
- root-account-mfa-enabled
- iam-password-policy
- rds-storage-encrypted
- required-tags

Custom rules:
- rds-in-private-subnet
- advanced IAM policy on different user types
- advanced security group requirements

A good source to start with your own rules is: https://github.com/awslabs/aws-config-rules

We use some of the standard rules and are constantly expanding them with custom rules based on the requirements I showed before.

Examples are rds-in-private-subnet, advanced IAM policy on different user types, and advanced security group requirements.

Siemens Governance Requirements
- AWS Config
- Amazon CloudWatch
- AWS CloudTrail
- Amazon SNS
- AWS Config rules
- Background: https://s3-us-west-2.amazonaws.com/awscloudtrail/cloudwatch-alarms-for-cloudtrail-api-activity/CloudWatch_Alarms_for_CloudTrail_API_Activity.json

We have a default set which is delivered by our global IT department on every deployed account. Therefore there is a centralized order process for ordering accounts internally.

We have an automated audit process that is always established before the first users access an account, fully automated by CloudWatch and CloudTrail and supported by SNS for notifications.

In the background you see an example, CloudWatch_Alarms_for_CloudTrail_API_Activity, which is also publicly available and helps us a lot.

We're tracking every config change with AWS Config and controlling the important things with Config rules.

As mentioned before, consolidated billing allows us to use the full functionality of Trusted Advisor.

Siemens Governance Requirements: AWS Trusted Advisor
- Flow logs
- AWS Trusted Advisor

The four-eyes principle means that always 2 people, one with an operations view and one with a security view, have to look at the reports and notifications coming out of Trusted Advisor and our Config rules checks.

Regular checks are done automatically when new resources are deployed, via the attached Config rules, and additionally on a regular time basis by Trusted Advisor. That 2-layer security check helps us to gain trust from our InfoSec department.

As a next step we have activated flow logs and will now establish additional checks on the data flows.

Conclusions
- Security shall be the initial part of the development: SecDevOps
- Get a clear view of what the requirements are; AWS provides a lot of tools to fulfill most of the requirements
- Automation is the key to success

Stephen Schmidt: security should be step zero.

An integrated solution is necessary for a successful development.

Very helpful for us were the excellent support by AWS experts and the excellent documentation, whitepapers and checklists. All points lead to one major conclusion:

You've heard it all the time in most of the talks, but it's true: automation is the key.


Thank you!