(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

Hart Rossman, AWS Principal Security Consultant | Bill Shinn, AWS Principal Security Solutions Architect | Brent Funk, Boeing, Chief Architect, Commercial Digital Aviation PaaS | November 13, 2014 | Las Vegas, NV

Description

This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture design decisions made by Fortune 500 organizations during actual sensitive workload deployments, as told by the AWS security solution architects and professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.

Transcript of (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

Page 1: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

Hart Rossman—AWS Principal Security Consultant

Bill Shinn—AWS Principal Security Solutions Architect

Brent Funk—Boeing, Chief Architect, Commercial Digital Aviation PaaS

November 13, 2014 | Las Vegas, NV

Page 2: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

Organizes and describes the perspectives in planning, creating, managing, and supporting a modern IT service.

Offers practical guidance and comprehensive guidelines for establishing, developing and running AWS cloud-enabled environments.

It provides a structure where business and IT can work together towards common strategy and vision, supported by modern IT automation and process optimization.

• People Perspective

• Process Perspective

• Security Perspective

• Maturity Perspective

• Platform Perspective

• Operating Perspective

• Business Perspective

Page 3: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

[Chart, 2008 to 2014: Security Features; All Significant Features and Services (count axis 0 to 500); Percent (0% to 40%).]

Page 4: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

Enterprise

Page 5: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

• Security Program

• Reference Architectures

• Asset Management

• Identity Lifecycle Management

• Ubiquitous Logging

• Security Management Layer

• DevSecOps

• Security Services & API

• Just In Time Access

• The Basics

Page 6: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
Page 7: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

AWS is responsible for the security OF the Cloud.

Customers: Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection

Customers are responsible for their security IN the Cloud.

Page 8: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Business: Governance & Risk

• Culture of security and continual improvement

• Ongoing audits and assurance

• Protection of large-scale service endpoints

Enterprise Security: Security Operations, Compliance

• Lead change

• Audits & assurance

• Protection of workloads, shared services, interconnects

• MSB definition

• Cloud security operations

Product & Platform Teams

• MSB customization

• Application/Platform infrastructure

• Security development lifecycle

Extending

Page 9: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Business: Governance & Risk

Enterprise Security: Security Operations, Compliance

Product & Platform Teams

Partners (Partner Ecosystem)

Extending

Page 10: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

Capability | Principle | Action

Anticipate | Infrastructure as code | Skill up security team in code & automation. DevSecOps.

Anticipate | Design guard rails not gates | Architect to drive towards good behavior.

Deter | Use the cloud to protect the cloud | Build, operate, and manage security tools in the cloud.

Deter | Stay current, run secure | Consume new security features. Patch and replace frequently.

Deter | Reduce reliance on persistent access | Establish role catalog; automate KMI via secrets service.

Detect | Total visibility | Aggregate AWS logs and metadata with OS & App logs.

Detect | Deep insights | Security data warehouse with BI & analytics.

Respond | Scalable incident response | Update IR SOP for shared responsibility framework.

Respond | Forensic readiness | Update workloads to support forensic readiness and containment.

Recover | Automate | Continuous Integration & Continuous Deployment.

Page 11: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
Page 12: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
Page 13: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

[Diagram: a Region containing EC2 instances and Amazon S3, with Amazon Route 53; Customers; Distributed attackers.]

Page 14: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
Page 15: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

Centralized Governance w/ IAM Role Catalog

Central Account (Trusted): SecUser (IAM User)

BU Accounts (Trusting): one SecRole (IAM Role) in each account

Page 16: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

Proprietary:

The information contained herein is proprietary to The Boeing Company and shall not be reproduced or disclosed in whole or in part or used for any reason except when such user possesses direct, written authorization from The Boeing Company.

The statements contained herein are based on good faith assumptions and provided for general information purposes only. These statements do not constitute an offer, promise, warranty or guarantee of performance. Actual results may vary depending on certain events or conditions.

This document should not be used or relied upon for any purpose other than that intended by Boeing.

BOEING is a trademark of Boeing Management Company.

Page 17: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

• SOA

– Publish/subscribe model

– Data/Functions/Visualization

– Internal/External services models

• Secure

– VPC Perimeter security

– VPC to VPC Peering

– Intra-VPC security

– Logging and Auditing

• Message Oriented Middleware

– Enterprise Service Bus

– Global Registry

– Global Security

– Load balanced

Page 18: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
Page 19: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

• Logstash

– Filtering

• Kibana

– Visualization

• ElasticSearch

– Indexing

Page 20: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
Page 21: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

[Diagram: centralized logging pipeline]

• Log shipping via Amazon SQS into an SQS Queue

• Auto Scaling Group: Logstash Indexer

• Auto Scaling Group: ElasticSearch

• Auto Scaling Group: Kibana, behind Internal Elastic Load Balancing

• Auto Scaling Group: Reverse Proxy, behind Internal Elastic Load Balancing

• HTTP Traffic and HTTPS Traffic

• CloudWatch Alarms: Scale Up Alarm, Scale Down Alarm

Page 22: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

• Expedited Root Cause Analysis Activities

– Streaming ingest of log data, every 5 seconds.

– Security tie-ins from application to networking to infrastructure.

– Dynamic correlation of data within a single location resulting in quicker RCA activities.

• Immediate Validation of Security Incident Remediation

• Allows for Segregation of Duties for Threat Analysis vs. Operational Configuration/Support

Page 23: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
Page 24: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
Page 25: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

Peer Review

• Shared Infrastructure Security Services moved to VPC

• 1 to 1 Peering = App Isolation

• Security Groups and NACLs still apply

• Security Groups still bound to single VPC

[Diagram: an AWS region with a Services VPC (AD, DNS, Monitoring, Logging) peered 1-to-1 with each of: Public-facing web app; Internal company app #1, #2, #3, #4; Internal company Dev; Internal company QA. An HA pair of VPN endpoints connects to the company data center.]
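As an added example (not from the deck), a Ruby check of the topology this slide describes: peering is non-transitive, so a Services VPC peered 1-to-1 with every app VPC isolates the apps from one another, and a security group cannot be referenced from a peer VPC. The VPC ids and rules below are constructed.

```ruby
# Constructed peering table: each pair is one VPC peering connection.
SERVICES_VPC = 'vpc-services' # hypothetical id
PEERINGS = [
  %w[vpc-services vpc-web], %w[vpc-services vpc-app1], %w[vpc-services vpc-app2],
  %w[vpc-services vpc-dev], %w[vpc-services vpc-qa]
].freeze

# Peerings that break the hub model: a connection without the Services VPC
# joins two application VPCs directly.
def isolation_violations(peerings, services_vpc)
  peerings.reject { |pair| pair.include?(services_vpc) }
end

# Peering is not transitive: a VPC reaches only its direct peers, never the
# peers of its peers.
def reachable_from(vpc, peerings)
  peerings.select { |pair| pair.include?(vpc) }.flat_map { |pair| pair - [vpc] }.uniq
end

# Constructed security group rules: the VPC the group lives in and the source
# the rule references (a CIDR block or another security group's id).
SG_RULES = [
  { vpc: 'vpc-app1', source: '10.2.0.0/16' },                          # peer CIDR
  { vpc: 'vpc-app1', source: 'sg-0bad', source_vpc: 'vpc-services' }, # cross-VPC
  { vpc: 'vpc-app1', source: 'sg-0ok',  source_vpc: 'vpc-app1' }      # same VPC
].freeze

# A security group is bound to its own VPC, so a rule naming a group from a
# peer VPC never matches; peer traffic has to be expressed as the peer's CIDR.
def cross_vpc_sg_references(rules)
  rules.select { |r| r[:source].start_with?('sg-') && r[:source_vpc] != r[:vpc] }
end

if __FILE__ == $PROGRAM_NAME
  puts "isolation violations: #{isolation_violations(PEERINGS, SERVICES_VPC).inspect}"
  puts "app1 reaches: #{reachable_from('vpc-app1', PEERINGS).inspect}"
  puts "unusable SG references: #{cross_vpc_sg_references(SG_RULES).inspect}"
end
```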

Page 26: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
Page 27: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
Page 28: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

[Diagram: CI/CD pipeline]

• Version Control: Dev commits to Git/master

• CI Server: Pull Code; Send Build Report to Dev; Stop everything if build failed

• Package Builder: Create Repo; AMIs

• Deploy Server: Push Code, Config, Tests; Config Install; Test Env, Staging Env, Prod Env

• AWS CloudFormation: Generate Templates for Env

• Security Repository: Vulnerability and pen testing

– Security Infrastructure tests

– Security unit tests in app

Page 29: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
Page 30: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

[Diagram, steps 1 to 5: Source Code Repository holding the Baseline IAM Catalog (Develop, Review, Test, Approve, Commit); Ruby tooling Pull/Push; Admin AKID/SAK; STS Creds; SecRole (IAM Role) in the Trusting BU Accounts.]
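As an added example (not the deck's or Boeing's code) covering the role catalog on slides 15 and 30: Ruby that renders, from one catalog definition, the SecRole trust policy for each trusting BU account, the role's permissions, and the central SecUser's assume-role policy, plus a guard rail that rejects trust policies admitting principals outside the central account. Account ids, role actions and the SecUser name are constructed placeholders.

```ruby
require 'json'

CENTRAL_ACCOUNT = '111111111111' # constructed placeholder
BU_ACCOUNTS = %w[222222222222 333333333333].freeze # constructed placeholders
# Constructed catalog entry: role name => actions it may perform in a BU account.
ROLE_CATALOG = { 'SecRole' => %w[cloudtrail:LookupEvents ec2:DescribeSecurityGroups] }.freeze

# Trust policy for the role in each trusting BU account: only the central
# account's SecUser may call sts:AssumeRole on it.
def trust_policy(central_account, user = 'SecUser')
  { 'Version' => '2012-10-17',
    'Statement' => [{ 'Effect' => 'Allow',
                      'Principal' => { 'AWS' => "arn:aws:iam::#{central_account}:user/#{user}" },
                      'Action' => 'sts:AssumeRole' }] }
end

# Permissions policy for the role, built from the catalog entry.
def role_policy(actions)
  { 'Version' => '2012-10-17',
    'Statement' => [{ 'Effect' => 'Allow', 'Action' => actions, 'Resource' => '*' }] }
end

# Policy for SecUser in the central account: assume only catalog roles in the
# listed BU accounts, so no persistent access keys live in those accounts.
def assume_role_policy(role_names, accounts)
  arns = accounts.product(role_names).map { |acct, role| "arn:aws:iam::#{acct}:role/#{role}" }
  { 'Version' => '2012-10-17',
    'Statement' => [{ 'Effect' => 'Allow', 'Action' => 'sts:AssumeRole', 'Resource' => arns }] }
end

# Guard rail: every Allow principal must belong to the central account.
# Returns the offending principals (e.g. "*" or a foreign account ARN).
def trust_policy_violations(policy, central_account)
  policy['Statement'].flat_map do |st|
    next [] unless st['Effect'] == 'Allow'
    prin = st['Principal']
    principals = prin.is_a?(Hash) ? Array(prin['AWS']) : Array(prin)
    principals.reject do |p|
      p == central_account || p.start_with?("arn:aws:iam::#{central_account}:")
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(trust_policy(CENTRAL_ACCOUNT))
  puts JSON.pretty_generate(assume_role_policy(ROLE_CATALOG.keys, BU_ACCOUNTS))
end
```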

Page 31: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

• Security Program

• Reference Architectures

• Asset Management

• Identity Lifecycle Management

• Ubiquitous Logging

• Security Management Layer

• DevSecOps

• Security Services & API

• Just In Time Access

• The Basics

Page 32: (SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014

http://bit.ly/awsevals