Security and Advanced Automation in the Enterprise
Security and Advanced Automation in the Enterprise
Phil Christensen, Senior Systems Engineer, DevOps, Logicworks
www.logicworks.net
©2015 Logicworks. All Rights Reserved.
Agenda
Why automate security?
Best practices during build, maintenance, and monitoring
What can be automated? Automate all the things!
What’s the problem?
Cloud engineers manage huge, complex systems
Automated deployments encourage adoption of evolving standards
What’s the problem?
Security often has the highest priority during infrastructure build-out
How to ensure both new and legacy builds gain the benefits of evolving standards?
Why Automate? Issues w/ Manual Security
Human Error
The limitations of human memory
Inconsistent naming conventions
Time suck as environment grows
Auditors have a lot to dig through
Slower deploys
Manual work = risk
Separate configuration and code
Code it once and maintain templates, not instances
No/limited custom configurations
Ensure historical vulnerabilities continue to be patched
Why Automate? Basic Principles of SecOps
Best Practices Security and Advanced Automation in the Enterprise
Infrastructure Buildout
Configuration Management
Iterative Deployment
Process Monitoring
Best Practices: Architecture Overview
Infrastructure Buildout
Configuration Management
Iterative Deployment
Process Monitoring
Best Practices: Architecture Overview
Best Practices: Infrastructure Buildout
CHALLENGES:
Need new, identical environment for every client
Quick turnaround
HIPAA compliance
Many unique security requirements
SOLUTION:
CloudFormation allows us to spin up a completely new environment in hours
No manual security group configuration, no AWS Identity and Access Management (IAM) role configuration
Consistent configuration, so updates / security patches are near-simultaneous
“Guaranteed” compliance
Consistent naming conventions
Best Practices: Infrastructure Buildout
Master CloudFormation Stack
{
  "Resources": {
    "mao-prod": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "TemplateURL": "https://s3.amazonaws.com/orion-cf-templates/orion-master-env-cfn.json",
        "Parameters": {
          "EnvironmentName": "mao-prod",
          "EnvironmentNetwork": "10.64.100.0/24",
          "ManagementAZ": "a",
          "PrimaryAZ": "b",
          "SecondaryAZ": "c",
          "KeyPair": "lw-orion",
          "DhcpDomainName": "orionhealth.com",
          "DhcpNs1": "10.64.196.246",
          "DhcpNs2": "10.64.196.246",
          "DhcpNtp": "10.64.196.246",
          "DhcpNetbios": "10.64.196.246",
          "GatewayAccessCidr": "206.252.134.18/32",
          "ManagementDefaultGateway": "10.64.100.1",
          "ManagementPrivateCidr": "10.64.100.0/27",
          "ManagementPublicCidr": "10.64.100.32/27",
          "PrimaryPrivateCidr": "10.64.100.64/27",
          "PrimaryPublicCidr": "10.64.100.128/26",
          "SecondaryPrivateCidr": "10.64.100.96/27",
          "SecondaryPublicCidr": "10.64.100.192/26"
        }
      }
    },
    "clx-prod": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "TemplateURL": "https://s3.amazonaws.com/orion-cf-templates/orion-master-env-cfn.json",
        "Parameters": {
          "EnvironmentName": "clx-prod",
          "EnvironmentNetwork": "10.64.101.0/24",
          ...
        }
      }
    },
    "clx-dev": {
      "Type": "AWS::CloudFormation::Stack",
      "Properties": {
        "TemplateURL": "https://s3.amazonaws.com/orion-cf-templates/orion-master-env-cfn.json",
        "Parameters": {
          "EnvironmentName": "clx-dev",
          "EnvironmentNetwork": "10.64.110.0/24",
          ...
        }
      }
    }
  }
}
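The master stack hands each nested environment stack its network plan as plain parameters, and nothing in CloudFormation itself checks that the six subnets sit inside EnvironmentNetwork, avoid each other, or that two environments do not share address space; a mistake there shows up later as a routing or security-group surprise. The script below is an added example, not code from the deck or from Logicworks: it validates exactly those parameters before a stack update. The mao-prod values are the slide's; the clx-prod and clx-dev subnets, plan_from_env, check_environment, check_master_stack and stack are constructed here, since the slide elides the clx-* parameters.

```python
"""Validate the subnet plan a master CloudFormation stack passes to its nested
environment stacks. Added example; mao-prod values are from the slide, the
clx-* subnets are constructed because the slide elides them."""
import ipaddress

SUBNET_KEYS = (
    "ManagementPrivateCidr", "ManagementPublicCidr",
    "PrimaryPrivateCidr", "PrimaryPublicCidr",
    "SecondaryPrivateCidr", "SecondaryPublicCidr",
)
TEMPLATE_URL = "https://s3.amazonaws.com/orion-cf-templates/orion-master-env-cfn.json"


def plan_from_env(name, env_cidr):
    """Carve an environment network into the layout the slide uses for mao-prod:
    four /27s for the management and private tiers, two /26s for the public tiers."""
    env = ipaddress.ip_network(env_cidr, strict=True)
    s27 = list(env.subnets(new_prefix=27))
    s26 = list(env.subnets(new_prefix=26))
    return {
        "EnvironmentName": name,
        "EnvironmentNetwork": str(env),
        "ManagementPrivateCidr": str(s27[0]),
        "ManagementPublicCidr": str(s27[1]),
        "PrimaryPrivateCidr": str(s27[2]),
        "SecondaryPrivateCidr": str(s27[3]),
        "PrimaryPublicCidr": str(s26[2]),
        "SecondaryPublicCidr": str(s26[3]),
    }


def check_environment(name, params):
    """Return a list of problems for one environment's parameters (empty = OK).
    strict=True rejects CIDRs with host bits set, e.g. 10.64.100.5/27."""
    problems = []
    env_net = ipaddress.ip_network(params["EnvironmentNetwork"], strict=True)
    subnets = []
    for key in SUBNET_KEYS:
        net = ipaddress.ip_network(params[key], strict=True)
        if not net.subnet_of(env_net):
            problems.append(f"{name}: {key} {net} is outside {env_net}")
        subnets.append((key, net))
    for i, (k1, n1) in enumerate(subnets):
        for k2, n2 in subnets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{name}: {k1} {n1} overlaps {k2} {n2}")
    return problems


def check_master_stack(template):
    """Check every AWS::CloudFormation::Stack resource in a master template and
    make sure no two environments share address space."""
    problems, env_nets = [], {}
    for logical_id, res in template["Resources"].items():
        if res.get("Type") != "AWS::CloudFormation::Stack":
            continue
        params = res["Properties"]["Parameters"]
        if params.get("EnvironmentName") != logical_id:
            problems.append(f"{logical_id}: EnvironmentName {params.get('EnvironmentName')!r} "
                            "does not match the resource name")
        problems.extend(check_environment(logical_id, params))
        env_nets[logical_id] = ipaddress.ip_network(params["EnvironmentNetwork"], strict=True)
    names = list(env_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if env_nets[a].overlaps(env_nets[b]):
                problems.append(f"{a} {env_nets[a]} overlaps {b} {env_nets[b]}")
    return problems


def stack(params):
    """Wrap parameters in a nested-stack resource like the slide's master stack."""
    return {"Type": "AWS::CloudFormation::Stack",
            "Properties": {"TemplateURL": TEMPLATE_URL, "Parameters": params}}


# Constructed master template: mao-prod network parameters exactly as on the
# slide (non-network parameters omitted), clx-* derived from their /24s.
MASTER_STACK = {"Resources": {
    "mao-prod": stack({
        "EnvironmentName": "mao-prod",
        "EnvironmentNetwork": "10.64.100.0/24",
        "ManagementPrivateCidr": "10.64.100.0/27",
        "ManagementPublicCidr": "10.64.100.32/27",
        "PrimaryPrivateCidr": "10.64.100.64/27",
        "PrimaryPublicCidr": "10.64.100.128/26",
        "SecondaryPrivateCidr": "10.64.100.96/27",
        "SecondaryPublicCidr": "10.64.100.192/26",
    }),
    "clx-prod": stack(plan_from_env("clx-prod", "10.64.101.0/24")),
    "clx-dev": stack(plan_from_env("clx-dev", "10.64.110.0/24")),
}}

if __name__ == "__main__":
    for line in check_master_stack(MASTER_STACK) or ["subnet plan OK"]:
        print(line)
```

Run against a real master template, the script would take the parsed JSON in place of MASTER_STACK; the name check catches the copy-paste case where a second environment is cloned from the first but its EnvironmentName is left behind, which is the same naming-consistency problem the deck returns to later.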
Best Practices: Infrastructure Buildout
CloudFormation
COOL TRICKS:
Register static ENIs to enable support for fixed private IPs, simplifying route management
Manage LaunchConfiguration updates and reduce confusion in Auto Scaling groups
Easily test boot process by terminating instances in fixed-size Auto Scaling groups.
WHAT CLOUDFORMATION DOES:
Build network foundation
Configure gateways and access points
Install management services, like Puppet
Allocate Amazon S3 buckets
Attach encrypted volumes
Control and manage access through IAM
Register DNS names with Amazon Route 53
Configure log shipping and retention
Best Practices: Configuration Management
CHALLENGES:
Quick turnaround, previous MSP suddenly ceased operations
Global presence, end-users mostly in Europe
PCI compliance requirements
SOLUTION:
Most crucial part of an instance lifetime is standard across instances
Continual check-in rolls back non-authorized changes
Living single source of truth on instance configuration
Changes are recorded
Prevents regressions
Best Practices: Configuration Management
BASH vs. Puppet
BASH
Puppet
Best Practices: Configuration Management
Puppet
COOL TRICKS:
Functions run on the PuppetMaster, so sensitive AWS API calls can be made from custom Puppet functions and only the PuppetMaster needs privileged API access
Puppet ‘apply’ can configure assets before a PuppetMaster even exists, making it possible to bootstrap an entire environment from scratch
Puppet’s idempotent design ensures manifests can be re-applied to snapshotted AMIs without issue — save time on boot by saving an interstitial image
STUFF THAT NEEDS TO HAPPEN:
Configure hostnames
Bind instance to central authentication
Require MFA on bastion host
Install NTP, MTA, and other essentials
Install log shipping and monitoring software
Install IDS agents (AlertLogic)
Provision machine for deploy
Best Practices: Deploy
CHALLENGES:
Agile development process
Catch-22: with frequent auto scaling, they want instances up quickly with the latest version of the software
Make sure instances do not get added to load balancer before they’re ready
SOLUTION:
CodeDeploy ensures that all your instances have the latest software
Simultaneous deployment across auto scaling group maintains HA
Respond to security threats quickly
Jenkins also suitable, but requires custom build scripts for AWS
Best Practices: Deploy
CodeDeploy Overview
Best Practices: Deploy
CodeDeploy
STUFF THAT NEEDS TO HAPPEN:
1. Create deployable content, add an AppSpec file, and bundle everything into an archive file
2. Upload the archive file to Amazon S3 or GitHub
3. Provide CodeDeploy with information about which set of instances to deploy the revision to
4. The Agent polls CodeDeploy to determine what and when to pull the revision from the S3 bucket or GitHub repository
5. The Agent pulls the revision and starts deploying the contents to that instance, following the instructions in the AppSpec file
Best Practices: Monitoring
Customized dashboards
Automated reporting
Trend analysis
First response
Change monitoring w/AWS CloudTrail integration
IAM reporting
Geographic awareness of data
Visibility into key security settings
Cost analysis
Threat Manager (IDS)
Log Manager collects, parses, and analyses data
Custom reporting
Automate All The Things! Security and Advanced Automation in the Enterprise
Automate All The Things
Feature / Tool
Security Groups: CloudFormation
Network ACL (Firewall): CloudFormation
Subnet Sizing: CloudFormation
Naming: CloudFormation, Puppet
Authentication: Puppet
Encryption: CloudFormation (S3), Puppet (GPG)
Anti-Virus: Puppet
Hosts/Users: Puppet
Software Versions: Puppet
Log Shipping / Aggregator: Puppet
Automate All The Things: Security Groups
Inconsistent naming conventions are a bigger security threat than many think.
Automate All The Things: Encryption
BEST PRACTICES:
Create encrypted Amazon Elastic Block Store (Amazon EBS) volumes to store the most sensitive data
Use S3 bucket policies to force use of server-side encryption
Use Puppet to configure applications to use encrypted storage for sensitive data
Force SSL ciphers and encryption standards across all web hosts
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [{
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::YourBucket/*",
    "Condition": {
      "StringNotEquals": {
        "s3:x-amz-server-side-encryption": "AES256"
      }
    }
  }]
}
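Bucket policies are easy to get subtly wrong, so it pays to test one against sample requests before attaching it. The script below is an added example, not from the deck or from Logicworks: it models only the slice of IAM evaluation the slide's policy relies on (Deny statements, Action/Resource wildcards, StringEquals/StringNotEquals, and the rule that a negated operator such as StringNotEquals holds when the request lacks the condition key, which is exactly what an unencrypted PutObject looks like). It also shows one caveat of the policy as written: because the condition value is a bare "AES256", an upload that requests SSE-KMS ("aws:kms") is denied as well. put_object_denied, accept_kms_too and the object keys are names and sample values chosen here.

```python
"""Offline check of the slide's DenyUnEncryptedObjectUploads bucket policy.
Added example, not Logicworks code: a deliberately small subset of IAM policy
evaluation (explicit Deny, Action/Resource wildcards, StringEquals and
StringNotEquals). Allow statements, NotAction/NotResource, non-'*' principals
and other operators are out of scope."""
import copy
import fnmatch
import json

# The policy from the slide, verbatim.
BUCKET_POLICY = json.loads("""
{ "Version":"2012-10-17", "Id":"PutObjPolicy",
  "Statement":[{ "Sid": "DenyUnEncryptedObjectUploads", "Effect":"Deny",
    "Principal":"*", "Action":"s3:PutObject", "Resource":"arn:aws:s3:::YourBucket/*",
    "Condition":{ "StringNotEquals":{ "s3:x-amz-server-side-encryption": "AES256" } } }]}
""")

SSE_KEY = "s3:x-amz-server-side-encryption"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # IAM Action/Resource strings use '*' and '?' wildcards, matched case-sensitively.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """All condition blocks must pass; within a block, each key must pass.
    A missing key makes StringEquals fail and StringNotEquals succeed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = [str(v) for v in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in expected
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def is_denied(policy, action, resource, context):
    """True if any Deny statement in the policy matches the request."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") != "*":
            raise NotImplementedError("only Principal '*' is modelled")
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def put_object_denied(policy, key, sse_header=None, bucket="YourBucket"):
    """Model an s3:PutObject of `key`; sse_header is the value of the
    x-amz-server-side-encryption request header, or None when it is absent."""
    context = {} if sse_header is None else {SSE_KEY: sse_header}
    return is_denied(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}", context)


def accept_kms_too(policy):
    """Return a copy of the policy whose SSE guard also accepts SSE-KMS uploads:
    StringNotEquals with a list denies only when the header matches none of them."""
    hardened = copy.deepcopy(policy)
    for stmt in _as_list(hardened["Statement"]):
        block = stmt.get("Condition", {}).get("StringNotEquals", {})
        if SSE_KEY in block:
            block[SSE_KEY] = sorted(set(_as_list(block[SSE_KEY])) | {"aws:kms"})
    return hardened


if __name__ == "__main__":
    for hdr in (None, "AES256", "aws:kms"):
        print(f"header={hdr!s:8} denied={put_object_denied(BUCKET_POLICY, 'reports/q1.csv', hdr)}")
```

Running the block prints one line per header value; the middle case is the only upload the slide's policy lets through. Whether to widen the guard to "aws:kms" is a choice, not a bug: keep the single value if the standard really is SSE-S3 only, and use the list form when customer-managed KMS keys are part of the design.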
Automate All The Things: Authentication
BEST PRACTICES:
Bind all instances to ActiveDirectory domain control at boot
Install MFA extensions
Import custom root CA certificates into java keystores
Puppet-managed sudo access
MANAGING SECRETS:
Use Amazon EC2 Instance roles to grant limited access to S3 for fetching credentials files.
Pass sensitive parameters into your Puppet classes instead of hard-coding
Use Hiera to configure credentials for each environment dynamically
Automate All The Things: Authentication
/etc/puppet/hiera.yaml
---
:backends: yaml
:yaml:
  :datadir: /etc/puppet/hiera.d
:hierarchy:
  - "%{::environment}"
  - common
:logger: puppet

/etc/puppet/hiera.d/production.yml
authentication::ad_netbios_name: "DOMAIN"
authentication::ad_realm_name: "domain.example.com"
authentication::ad_bind_username: "ec2-bin"
authentication::ad_bind_passwd: "BynbeQuocs"

/etc/puppet/hiera.d/testing.yml
authentication::ad_netbios_name: "TEST"
authentication::ad_realm_name: "test.example.com"
authentication::ad_bind_username: "ec2-bin"
authentication::ad_bind_passwd: "lymKuaj5"
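The hierarchy in hiera.yaml is what makes per-environment credentials work: Hiera tries %{::environment}.yml first and falls back to common.yml, and a class parameter such as authentication::ad_bind_passwd takes the first value found. The script below is an added example, not from the deck, from Logicworks or from the Hiera project: it reimplements only that first-found lookup so that each value comes back with the file that supplied it, which is the question one usually has when an instance binds to the wrong domain. The data files are constructed strings in the flat key: "value" form of the slide, read by a purpose-built parser rather than a YAML library; the passwords are placeholders, the bind username is moved to common.yml so the fallback level is exercised, and HIERARCHY, DATA_FILES, lookup, resolve_class and render are names chosen here.

```python
"""Trace how a hiera.yaml hierarchy like ["%{::environment}", "common"]
resolves Puppet class parameters. Added example: a minimal stand-in for
Hiera's first-found lookup, not Hiera itself; data files are constructed
strings and the passwords are placeholders."""
import re

HIERARCHY = ["%{::environment}", "common"]

# Constructed data files in the flat `key: "value"` form shown on the slide.
# The bind username lives in common.yml here so the fallback level is exercised.
DATA_FILES = {
    "production.yml": '''---
authentication::ad_netbios_name: "DOMAIN"
authentication::ad_realm_name: "domain.example.com"
authentication::ad_bind_passwd: "PLACEHOLDER-PROD-PASSWORD"
''',
    "testing.yml": '''---
authentication::ad_netbios_name: "TEST"
authentication::ad_realm_name: "test.example.com"
authentication::ad_bind_passwd: "PLACEHOLDER-TEST-PASSWORD"
''',
    "common.yml": '''---
authentication::ad_bind_username: "ec2-bin"
''',
}

LINE_RE = re.compile(r"^([\w:]+):\s*(.*?)\s*$")
SECRET_RE = re.compile(r"passw|secret|token", re.IGNORECASE)
_MISSING = object()


def parse_flat_yaml(text):
    """Read one-level `key: value` lines; skips '---', blanks and comments.
    Quoted scalars lose their quotes. Nested YAML is deliberately unsupported."""
    data = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "---" or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {raw!r}")
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        data[key] = value
    return data


def resolve_sources(facts, hierarchy=HIERARCHY, data_files=DATA_FILES):
    """Interpolate %{::fact} in each hierarchy level and keep the files that exist,
    in lookup order (Hiera silently skips levels whose file is absent)."""
    sources = []
    for level in hierarchy:
        name = re.sub(r"%\{::(\w+)\}", lambda m: str(facts[m.group(1)]), level) + ".yml"
        if name in data_files:
            sources.append(name)
    return sources


def lookup(key, facts, data_files=DATA_FILES, default=_MISSING):
    """First-found lookup: returns (value, source_file). Raises KeyError when the
    key is absent from every level and no default was given."""
    for source in resolve_sources(facts, data_files=data_files):
        data = parse_flat_yaml(data_files[source])
        if key in data:
            return data[key], source
    if default is _MISSING:
        raise KeyError(key)
    return default, None


def resolve_class(prefix, facts, data_files=DATA_FILES):
    """Resolve every parameter whose name starts with `prefix` (e.g. 'authentication::')."""
    keys = set()
    for source in resolve_sources(facts, data_files=data_files):
        keys.update(k for k in parse_flat_yaml(data_files[source]) if k.startswith(prefix))
    return {k: lookup(k, facts, data_files) for k in sorted(keys)}


def render(resolved):
    """Lines suitable for a log: secret-looking parameters are masked."""
    return [f"{k} = {'***' if SECRET_RE.search(k) else v}  (from {src})"
            for k, (v, src) in resolved.items()]


if __name__ == "__main__":
    for env in ("production", "testing", "staging"):
        print(f"--- environment={env}: sources {resolve_sources({'environment': env})}")
        print("\n".join(render(resolve_class("authentication::", {"environment": env}))))
```

The "staging" run is the instructive one: with no staging.yml, only common.yml is consulted, so the bind password is simply absent rather than quietly inherited from another environment. Keeping credentials out of common.yml is what guarantees that property.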
About Logicworks
Global leader in enterprise cloud strategy and managed hosting, offering a single provider solution for improving the performance, availability, and security of mission-critical IT systems.
Services:
Enterprise Cloud Strategy
Managed Private Cloud
Security and Compliance
Managed AWS
Trusted advisor for enterprises moving to the cloud
Over 20 years of experience managing complex enterprise IT systems
Premier AWS Partner with dedicated AWS DevOps team
Average architect and engineer experience >20 years
Security and compliance expertise for Healthcare, Financial Services, eCommerce, and Government organizations
Thank you
Phil Christensen Logicworks www.logicworks.net
Visit Logicworks’ Booth #217 for more information on AWS Managed Services