Amazon Web Services Federation Integration Governance Workshop with Layer 7

For these customers needing a way to bridge the enterprise and public cloud without limiting scale out, Layer 7 demonstrates a simple solution for addressing the challenges of federation, integration and governance using the Layer 7 AWS Gateway.

  • Shared Responsibility Environment
    AWS services operate under a model of shared responsibility between the customer and AWS. AWS relieves customer burden by managing physical infrastructure and those components that enable virtualization. An example of this shared responsibility would be that a customer utilizing Amazon EC2 should expect AWS to operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. In this case the customer should assume responsibility and management of, but not limited to, the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services and their integration. It is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of items such as host based firewalls, host based intrusion detection/prevention, encryption and key management. The nature of this shared responsibility provides the flexibility and customer control that permits the deployment of solutions that meet industry-specific certification requirements. For instance, customers have built HIPAA-compliant healthcare applications on AWS (Creating HIPAA-Compliant Medical Data Applications with AWS whitepaper).
    Control Environment
    AWS is a unit within Amazon.com that is aligned organizationally around each of the web services, such as Amazon EC2 and Amazon S3. AWS leverages various aspects of Amazon's overall control environment in the delivery of these web services. The collective control environment encompasses management and employee efforts to establish and maintain an environment that supports the effectiveness of specific controls.
    The control environment at Amazon begins at the highest level of the Company. Executive and senior leadership play important roles in establishing the Company's tone and core values at the top. Every employee is provided with the Company's Code of Business Conduct and Ethics, which sets guiding principles. The AWS organizational structure provides a framework for planning, executing and controlling business operations. The organizational structure assigns roles and responsibilities to provide for adequate staffing, efficiency of operations, and the segregation of duties. Management has also established authority and appropriate lines of reporting for key personnel. Included as part of the Company's hiring verification processes are: education, previous employment, and criminal checks. The Company follows a structured on-boarding process to familiarize new employees with Amazon tools, processes, systems, policies and procedures.
    Certifications and Accreditations
    Amazon Web Services' controls are evaluated every six months by an independent auditor in accordance with Statement on Auditing Standards No. 70 (SAS70) Type II audit procedures. The report includes the firm's opinion and results of their evaluation of the design and operational effectiveness of our most important internal control areas, which are operational performance and security to safeguard customer data. The SAS70 Type II report, as well as the processes explained in this document, applies to all geographic regions within the AWS infrastructure. AWS plans to continue efforts to obtain industry certifications in order to verify its commitment to provide a secure, world-class cloud computing environment.
  • Point of Slide: to explain VPC's high-level architecture, walking them through the discrete elements of a VPC, and a specific data flow to exemplify 1) data-in-transit security and 2) continued AAA control by the enterprise.
    AWS ("orange cloud"): What everybody knows of AWS today.
    Customer's Network ("blue square"): The customer's internal IT infrastructure.
    VPC ("blue square on top of orange cloud"): Secure container for other object types; includes Border Router for external connectivity. The isolated resources that customers have in the AWS cloud.
    Cloud Router ("orange router surrounded by clouds"): Lives within a VPC; anchors an AZ; presents stateful filtering.
    Cloud Subnet ("blue squares" inside VPC): connects instances to a Cloud Router.
    VPN Connection: Customer Gateway and VPN Gateway anchor both sides of the VPN Connection and enable secure connectivity; implemented using industry standard mechanisms. Please note that we currently require that whatever customer gateway device is used supports BGP. We actually terminate two (2) tunnels, one tunnel per VPN Gateway, on our side. Besides providing high availability, this lets us service one device while maintaining service. As such, we can connect to one of the customer's BGP-supporting devices (preferably running JunOS or IOS).
  • The Hypervisor
    Amazon EC2 currently utilizes a highly customized version of the Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest OS has no elevated access to the CPU. The CPU provides four separate privilege modes: 0-3, called rings. Ring 0 is the most privileged and 3 the least. The host OS executes in Ring 0. However, rather than executing in Ring 0 as most operating systems do, the guest OS runs in a lesser-privileged Ring 1 and applications in the least privileged Ring 3. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two.
    Instance Isolation
    Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which ensures awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, thus an instance's neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms.
  • The firewall can be configured in groups permitting different classes of instances to have different rules. Consider, for example, the case of a traditional three-tiered web application. The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers would have port 8000 (application specific) accessible only to the web server group. The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22 (SSH), but only from the customer's corporate network. Highly secure applications can be deployed using this expressive mechanism. Here is an example of the commands needed to establish a multi-tier security architecture; of course customers could use the AWS Management Console to do the same:

    ```shell
    # The source CIDRs for the corporate and vendor networks were not given in the
    # original notes; <CORP_CIDR> and <VENDOR_CIDR> are placeholders for them.
    # Permit HTTP(S) access to Web Layer from the Entire Internet
    ec2auth Web -p 80,443 -s 0.0.0.0/0
    # Permit ssh access to App Layer from Corp Network
    ec2auth App -p 22 -s <CORP_CIDR>
    # Permit ssh access to DB Layer from Vendor Network
    ec2auth DB -p 22 -s <VENDOR_CIDR>
    # Permit Application and DB Layer Access to appropriate internal layers
    ec2auth App -p $APP_PORT -o Web
    ec2auth DB -p $DB_PORT -o App
    # Permit Bastion host access for Web and DB Layers from App Layer
    ec2auth Web -p 22 -o App
    ec2auth DB -p 22 -o App
    ```
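To check that a rule set like the one above actually gives the tier isolation the notes describe, here is an added example (written for this page, not code from the deck or from AWS): a small Python model of default-deny security groups, one Rule per ec2auth command, plus an audit of the properties the design should hold. The corporate network, vendor network and Internet host addresses are constructed values; the application port (8000) and MySQL port (3306) are the ones named in the notes.

```python
"""Model of the three-tier EC2 security-group rule set described above.
Added example, not from the original deck. Security groups are default-deny:
a packet is admitted only if a rule on the destination group matches it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    ports: frozenset                 # destination ports the rule opens (-p)
    src_cidr: Optional[str] = None   # source CIDR block (-s)
    src_group: Optional[str] = None  # source security group (-o)

# Constructed values: the deck does not name the corporate or vendor networks.
INTERNET, CORP_NET, VENDOR_NET = "0.0.0.0/0", "203.0.113.0/24", "192.0.2.0/24"
APP_PORT, DB_PORT = 8000, 3306       # application and MySQL ports from the notes

# One Rule per ec2auth command in the notes above.
GROUPS = {
    "Web": [Rule(frozenset({80, 443}), src_cidr=INTERNET),
            Rule(frozenset({22}), src_group="App")],
    "App": [Rule(frozenset({22}), src_cidr=CORP_NET),
            Rule(frozenset({APP_PORT}), src_group="Web")],
    "DB":  [Rule(frozenset({22}), src_cidr=VENDOR_NET),
            Rule(frozenset({DB_PORT}), src_group="App"),
            Rule(frozenset({22}), src_group="App")],
}

def allowed(groups, dst_group, port, src_ip=None, src_group=None):
    """True if traffic to dst_group:port from the given source is admitted."""
    for rule in groups[dst_group]:
        if port not in rule.ports:
            continue
        if rule.src_group is not None and rule.src_group == src_group:
            return True
        if (rule.src_cidr is not None and src_ip is not None
                and ip_address(src_ip) in ip_network(rule.src_cidr)):
            return True
    return False                     # no matching rule: default deny

def audit(groups):
    """Properties the tiered design must hold; returns the names that fail."""
    inet = "198.51.100.7"            # constructed address outside both networks
    checks = {
        "internet reaches web tier on 443": allowed(groups, "Web", 443, src_ip=inet),
        "internet cannot reach app port": not allowed(groups, "App", APP_PORT, src_ip=inet),
        "internet cannot reach database": not allowed(groups, "DB", DB_PORT, src_ip=inet),
        "internet cannot ssh to any tier": not any(allowed(groups, g, 22, src_ip=inet) for g in groups),
        "web tier cannot reach database": not allowed(groups, "DB", DB_PORT, src_group="Web"),
        "corp network can ssh to app bastion": allowed(groups, "App", 22, src_ip="203.0.113.9"),
        "bastion can ssh to web and db": allowed(groups, "Web", 22, src_group="App") and allowed(groups, "DB", 22, src_group="App"),
    }
    return [name for name, ok in checks.items() if not ok]
```

Running audit on a copy of GROUPS with the database port additionally opened to 0.0.0.0/0 reports "internet cannot reach database" as the failing property, which is the misconfiguration this kind of check is meant to catch before it reaches production.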
  • Amazon suggests that all EC2 users cryptographically control their EC2 control traffic, and SSH is the default method for doing so. Some users elect to wrap all their inbound and outbound traffic to their home corporate network within industry standard VPN tunnels. Doing so permits them to control the confidentiality and integrity of their traffic using industry-standard, tested cryptographic components that they control.
  • To understand why there’s all this excitement, it’s helpful to look at analogies of some major changes that have occurred in other industries over time. Here’s a picture of our CEO at the museum of a beer manufacturing facility in Belgium. This is their electric generator that they used over 100 years ago. There was no electric grid or utility industry then. If you wanted electricity, you made it yourself. That probably seemed very natural at the time – but I guarantee you that making their own electricity didn’t make their beer taste any better. Well, a couple decades later, the electric grid sprang up, and companies stopped making their own electricity; that was a fundamental shift in how they consumed one of their major inputs, and this freed them up to focus on things that likely mattered a lot more to their customers – like the beer. We think the chance exists for the company-owned data center to undergo just as fundamental a transformation over the coming years, as companies realize that they don’t necessarily have to be experts in this. People are now starting to glimpse that future, and find it pretty exciting.


  • 1. Amazon Web Services - Federal
    Sri Vasireddy, Federal Solutions Architect
  • 2. AWS Cloud Security Model Overview
    Shared Responsibility Model
    Customer/SI Partner/ISV controls guest OS-level security, including patching and maintenance
    Application level security, including password and role based access
    Host-based firewalls, including Intrusion Detection/Prevention Systems
    Encryption/Decryption of data. Hardware Security Modules
    Separation of Access
    Certifications & Accreditations
    Sarbanes-Oxley (SOX) compliance
    ISO 27001 Certification
    PCI DSS Level I certification
    HIPAA compliant architecture
    SAS 70 Type II Audit
    • Pursuing FISMA Moderate ATO
    • Pursuing DIACAP MAC II Sensitive
    • FedRAMP
    Service Health Dashboard
    Network Security
    Instance firewalls can be configured in security groups;
    The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
    Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
    VM Security
    Multi-factor access to Amazon Account
    Instance Isolation
    • Customer-controlled firewall at the hypervisor level
    • Neighboring instances are prevented access
    • Virtualized disk management layer ensures only account owners can access storage disks (EBS)
    Support for SSL end point encryption for API calls
    Physical Security
    Multi-level, multi-factor controlled access environment
    Controlled, need-based access for AWS employees (least privilege)
    Management Plane Administrative Access
    Multi-factor, controlled, need-based access to administrative host
    All access logged, monitored, reviewed
    AWS Administrators DO NOT have access inside a customer’s VMs, including applications and data
  • 7. AWS Certifications
    Shared Responsibility Model
    Sarbanes-Oxley (SOX)
    SAS70 Type II Audit
    PCI Data Security Standard compliance
    Working on FISMA A&A
    NIST Low Approvals to Operate
    Actively pursuing NIST Moderate
    ATOs in progress at several agencies
    ST&E and Moderate Controls available now for incorporation into SSP
    Actively pursuing FedRAMP
    Includes DIACAP Mac II Sensitive
    ISO 27001 Certification
    Customers have deployed various compliant applications such as HIPAA (healthcare)
  • 8. Amazon Web Services: Durable & Available
    Note: Conceptual drawing only. The number of Availability Zones may vary
    Diagram: US East Region, EU West Region, US West Region and GovCloud (US), each drawn with Availability Zones A and B (one region also with Availability Zone C)
    Customer Decides Where the Data Resides
  • 9. Three Services: Better Together
    Elastic Load Balancer
    Auto Scaling
    Server icons courtesy of http://creativecommons.org/licenses/by-nd/3.0/.
  • 10. COOP and DR
    Diagram: Load Balancer in front of Auto Scale groups in Availability Zone A and Availability Zone B (Network IO to each); EBS Snapshots stored to Amazon S3
    We Can Do Even Better..
  • 11. AWS Multi-Factor Authentication
    • Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
    • Additional protection for account information
    • Works with: Master Account, IAM Users
    • Integrated into: AWS Management Console, key pages on the AWS Portal, S3 (Secure Delete)
    A recommended opt-in security feature!
  • 14. Users and Groups within Accounts
    Unique security credentials
    Access keys
    MFA device
    Policies control access to AWS APIs
    Deep integration into S3
    policies on objects and buckets
    AWS Management Console now supports User log on
    Not for Operating Systems or Applications
    use LDAP, Active Directory, ADFS, etc...
    AWS Identity and Access Management (IAM)
  • 15. Identity Federation Sample
    Use case:
    Enterprise employee signs in with his normal credentials
    Access S3 with enterprise application
    IIS for enterprise authentication against Active Directory
    Client application to access S3
    Read-only access to S3
  • 16. Amazon VPC Architecture
    Customer’s isolated AWS resources
    VPN Gateway
    Amazon Web Services
    Secure VPN Connection over the Internet
  • 17. AWS GovCloud (US) Access
    AWS will screen customers prior to providing access to the AWS GovCloud (US). Customers must be:
    U.S. Persons;
    not subject to export restrictions; and
    must comply with U.S. export control laws and regulations, including the International Traffic In Arms Regulations.
  • 18. AWS Deployment Models
    Amazon Confidential
  • 19. Amazon EC2 Instance Isolation
    Diagram: Customer 1, Customer 2 ... Customer n instances attached to Virtual Interfaces; each customer's Security Groups are enforced between the Virtual Interfaces and the Physical Interfaces
    Launching EC2
  • 20. Multi-tier Security Architecture
    AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers
    Diagram: Web Tier, Application Tier, Database Tier (with EBS Volume), each behind the Amazon EC2 Security Group Firewall
    Ports 80 and 443 only open to the Internet
    Engineering staff have ssh access to the App Tier, which acts as Bastion
    Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier
    All other Internet ports blocked by default
  • 21. Network Traffic Confidentiality
    Diagram: Internet Traffic and Corporate Network to Amazon EC2 Instances; Amazon EC2 with Encrypted File System and Encrypted Swap File
    • All traffic should be cryptographically controlled
    • Inbound and outbound traffic to corporate networks should be wrapped within industry standard VPN tunnels (option to use Amazon VPC)
  • 23. Cloud Federation, Integration and Governance
  • 24. Agenda
    The Role of Policy Enforcement in Governing the Cloud
    Layer 7’s Cloud Security and Governance Solution
    Conclusion & Questions
  • 25. Current App Environment
    Internal Apps
    On-Premises IT
  • 26. Move Cloudable App onto Amazon
    Cloud Application
    Internal Service Host
    On-Premises IT
  • 27. Policy Enforcement on Amazon
    Cloud Application
    Virtual PEP
    Internal Service Host
    On-Premises IT
  • 28. Federate Identity
    Cloud Application
    Virtual PEP
    Internal Service Host
    On-Premises IT
    Enterprise Identity Repository
  • 29. API Mediation
    Cloud Application
    Virtual PEP
    Internal Service Host
    On-Premises IT
  • 30. Monitoring
    Cloud Application
    Virtual PEP
    Internal Service Host
    On-Premises IT
  • 31. Putting it all Together for Cloud Governance
    Diagram: Monitor and Report across several Amazon EC2 instances, with enterprise identity sources (LDAP, SSO, MS AD, STS, etc)