© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Tim Prendergast

@auxome / @evidentdotio

Security Beyond the Host

Leveraging the power of AWS

to Automate Security and Compliance

Shannon Lietz, Intuit Brett Lambo, Capital One

SEC 320

Of the changes catalyzed by cloud,

security is the most exciting.

Legacy Datacenters

• Big Perimeter

• End-to-End Ownership

• Build it all yourself

• Server-centric approach

• Self-managed Services

• Static Architecture

• De-centralized Administration

The security paradigm shifted

AWS

• Micro-Perimeters

• Own just enough

• Focus on your core value

• Service-Centric

• Platform Services

• Continuously Evolving

• Central Control Plane (API)

Your Role in Securing AWS is Well-Defined

Customer Data

Applications IdentityAccess

Mgmt

OS Network Firewall

Client-side

EncryptionServer-side

EncryptionNetwork Traffic

Protection

Compute Storage Networking

AWS Global Infrastructure

(Regions, Azs, Edge Locations)

AWS: Security of the Cloud

Customer: Security in the Cloud

… but the security technology has lagged

Customer Data

Applications IdentityAccess

Mgmt

OS Network Firewall

Client-side

EncryptionServer-side

EncryptionNetwork Traffic

Protection

Network Appliances

Host-based Agents

IP-based scanners

Log Analytics

DLP & Encryption

Manual Audits

These technologies don’t embrace cloud values…

Host-centric Security Strategies fail in AWS

Protecting the host while

ignoring the services is a bad

decision.

Your most critical data often

lives in S3, Glacier, RDS,

Redshift, and other key

services.

Point solution strategies create focus-lock

Customer Data

Applications IdentityAccess

Mgmt

OS Network Firewall

Client-side

EncryptionServer-side

EncryptionNetwork Traffic

Protection

Compute Storage Networking

AWS Global Infrastructure

(Regions, Azs, Edge Locations)

Appliances don’t scale well

How many of these do I need at various levels of scale?

… and don’t get me started on manual audits!

Freshen the stack

This is all you (no change)

Hasn’t changed much

Cloud-aware Agents

API-driven security

API-driven security

API-driven security

API-driven security + AWS

This is all AWS…

Why the API is so critical

“Imagine the ability to create or destroy an entire datacenter

with just the proper credentials, or a short script.”

- Adrian Sanabria, 451 Group

Advantages to the API

• Authoritative - The ONLY interface to 95% of AWS

• Fast - can be read and manipulated in sub-second time

• Precise – defines the state of infrastructure

• Evolving – continuously improving (Thanks, AWS!)

• Uniform - provides consistency across disparate components

• Automatable - Enables some really, really cool capabilities

Actioning security in the cloud means…

See It

Consume It

Live ItDevelop

Test

Assess

Push

Assess

Observe

Continuous Assesment

Innovate

Capital One

Venture to the CloudBrett Lambo, Sr. Director of Information Security & Risk Management

Michael Shriver, Lead Cloud Security Architect

Zero to Cloud in Five Months

• Capital One is on an aggressive

digital journey.

• Innovation, customer experience,

and time to value are king.

• In November, 2014 we declared

that we would have production

applications in AWS by April 1,

2015.

• This was not a prank.

What were we Thinking?

• We were thinking, “But wait. We’re a bank. With

regulators. With money. With credit cards.”

• We’re lucky though: From the top, Capital One views

security as a fundamental partner of innovation.

• Security had to be faster than the business. We needed

to be there waiting for them.

• How would we secure our data across the full range of

AWS services…not just EC2?

Some Fundamental Considerations

• Lean forward on encryption.

• Require encryption of all EC2, RDS, S3 resources.

• But: Key management is inconsistent or unsupported across

services and DBs.

• We are working with AWS to develop end-to-end crypto and key

management platform.

• Wrote our own REST encryption/tokenization solution.

• Cross between CloudHSM and in-house

• Network and connectivity decisions

• LOB-specific VPCs.

• Creative routing and connectivity

All your Assumptions are Belong to Wrong

• We quickly learned that you

must ask the right questions to

get to the right answers.

• Like most, we began trying to

adapt our existing security kit

to cloud. Oops.

• Conclusion: What we do will

not necessarily change. How

we do it will.

How do

we extend

our DLP to

cloud?

Belgium.

Data + Software > Appliances and Reports

• We have telemetry and data like

never before

• But we learned that we have to

wrangle it

• The promise of automation

• Security and compliance

• Continuous assessment

• Security deployment

• Chef, Cloud Formations Templates

• Enforcement and Remediation

Working through our Build

• Need: Provide dedicated Line of Business (LOB)

environments with centralized control of security

• Limit blast radius (security and operational)

• Account for differences between LOBs

• Variable demand, apps, types of data

• Connectivity and access

• Approach: Shared security model with novel approach to

routing and deployment across VPCs

• Horizontal shared services VPC

• Routing skulduggery

• How do you get there from here?

What’s next?

• Continue to automate

• Support DevOps

• Leverage Open Source

• e.g. Hygieia: Tie together disparate systems and

services to centralize our view and management

• Master operations

Security + Maturity = DevSecOpsShannon Lietz, DevSecOps Leader at Intuit

Continuous Security

Develop• Integrate Secure Components

• Develop attacks as part of the workload

• Style Matters

Test• Implement automated security tests

• Fast failure detection improves workloads

Deploy• Red Team your stack

• Respond and contain quickly!!

Get Rugged -- DevSecOps

OPS

SEC

DEV

AppSec • Security as Code

• Self-Service Testing

• Red Team/Blue Team

• Inline Enforcement

• Analytics & Insights

• Detect & Contain

• Incident Response

• Investigations

• Forensics

Security drives Faster Pipelines

• Use Code Commit, Code Deploy & Code Pipeline

• Push many small changes per day to support fast defect discovery &

remediation

• Restack often (Less than 10 days)

• High performers have better security

Faster Feedback = Continuous Compliance

Boring: PCI DSS1.1.1 – Approve/Test/Detect firewall

changes

Fun: Scan API + Ingest Config/Cloudtrail, trigger fw audits

and revert unapproved changes

Boring: PCI DSS2.2 - Develop & Assure configuration

standards for all system components.

Fun: Track known good CF stacks & AMIs, alert or

neutralize non-compliant/non-approved deploys.

Faster Feedback = Continuous Compliance

Boring: HIPAA 164.312(a)(2)(iv): Implement a method to

encrypt and decrypt electronic protected health information.

Fun: Enforce encryption of all assets with HIPAA or data

classification tags. Continuous enforcement! (KMS!)

Boring: NIST800-53 AC2(12) – Monitors and report

atypical usage of information system accounts.

Fun: Cloudtrail/Config user attribution of use/abuse.

More Fun: Maps to PCI DSS7.1.3, COBIT DS5.4,

ISO17799, and more!

Full Stack Attack

• API KEY EXPOSURE -> 8 HRS

• DEFAULT CONFIGS -> 24 HRS

• SECURITY GROUPS -> 24 HRS

• ESCALATION OF PRIVS -> 5 DAYS

• KNOWN VULN -> 8 HRS

You must apply whole-cloud security

Control Plane

Critical Infrastructure

Core Infrastructure

At the front door…

Core Infrastructure

Apps(ECS, EC2, Beanstalk)

Transport(VPC, ELB, NACLs)

Foundation(Route53, DC, Gateways)

• Eval/Modify SGs dynamically

• Design for blast radius in Transport layers

• Detect and guard Foundation services…

poisoned R53 is game over.

The back door…

Critical Infrastructure

Data(S3, Glacier, RDS)

Management(OpsWorks, CF, Code*)

Identity(IAM, Directory)

• Enforce encryption consistently (KMS)

• Idempotently deploy/replace entire stacks

• Defend identities, tightly scope rights

And the magical portal!

Control Plane (AWS API)

Audit(CloudTrail, Config, 3rd Party)

Respond(Humans, Lambda, Scripts)

• Centrally audit all regions/accounts

• Create security triggers on audit data

• Action a response – page a Human, trigger

Lambda, even auto-remediation scripts.

Next Steps…

1. Watch Shannon’s Session SEC402 when it hits Youtube

2. Visit the Evident.io blog and resource page:

https://evident.io

3. Talk with the Evident team at Booth #814 to dive deeper

4. Find one of your peers here and talk security!

Thank you!

Be sure to visit Evident.io at Booth #814

Remember to complete

your evaluations!