Amazon Web Services Federation Integration Governance Workshop with Layer 7



For these customers needing a way to bridge the enterprise and public cloud without limiting scale out, Layer 7 demonstrates a simple solution for addressing the challenges of federation, integration and governance using the Layer 7 AWS Gateway.

Published in: Technology, Business
  • Shared Responsibility Environment
    AWS services operate under a model of shared responsibility between the customer and AWS. AWS relieves customer burden by managing physical infrastructure and those components that enable virtualization. An example of this shared responsibility would be that a customer utilizing Amazon EC2 should expect AWS to operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. In this case the customer assumes responsibility for managing, among other things, the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services and their integration. It is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of items such as host-based firewalls, host-based intrusion detection/prevention, encryption and key management. The nature of this shared responsibility provides the flexibility and customer control that permits the deployment of solutions that meet industry-specific certification requirements. For instance, customers have built HIPAA-compliant healthcare applications on AWS (Creating HIPAA-Compliant Medical Data Applications with AWS whitepaper).

    Control Environment
    AWS is a unit within Amazon that is aligned organizationally around each of the web services, such as Amazon EC2 and Amazon S3. AWS leverages various aspects of Amazon’s overall control environment in the delivery of these web services. The collective control environment encompasses management and employee efforts to establish and maintain an environment that supports the effectiveness of specific controls.
    The control environment at Amazon begins at the highest level of the Company. Executive and senior leadership play important roles in establishing the Company’s tone and core values at the top. Every employee is provided with the Company’s Code of Business Conduct and Ethics, which sets guiding principles. The AWS organizational structure provides a framework for planning, executing and controlling business operations. The organizational structure assigns roles and responsibilities to provide for adequate staffing, efficiency of operations, and the segregation of duties. Management has also established authority and appropriate lines of reporting for key personnel. Included as part of the Company’s hiring verification processes are education, previous-employment and criminal checks. The Company follows a structured on-boarding process to familiarize new employees with Amazon tools, processes, systems, policies and procedures.

    Certifications and Accreditations
    Amazon Web Services’ controls are evaluated every six months by an independent auditor in accordance with Statement on Auditing Standards No. 70 (SAS70) Type II audit procedures. The report includes the firm’s opinion and the results of their evaluation of the design and operational effectiveness of our most important internal control areas, which are operational performance and security to safeguard customer data. The SAS70 Type II report, as well as the processes explained in this document, applies to all geographic regions within the AWS infrastructure. AWS plans to continue efforts to obtain industry certifications in order to verify its commitment to providing a secure, world-class cloud computing environment.
  • Point of Slide: to explain VPC’s high-level architecture, walking through the discrete elements of a VPC and a specific data flow that exemplifies 1) data-in-transit security and 2) continued AAA control by the enterprise.
    AWS (“orange cloud”): What everybody knows of AWS today.
    Customer’s Network (“blue square”): The customer’s internal IT infrastructure.
    VPC (“blue square on top of orange cloud”): Secure container for other object types; includes a Border Router for external connectivity. The isolated resources that customers have in the AWS cloud.
    Cloud Router (“orange router surrounded by clouds”): Lives within a VPC; anchors an AZ; presents stateful filtering.
    Cloud Subnet (“blue squares” inside VPC): connects instances to a Cloud Router.
    VPN Connection: Customer Gateway and VPN Gateway anchor both sides of the VPN Connection and enable secure connectivity; implemented using industry-standard mechanisms. Please note that we currently require that whatever customer gateway device is used supports BGP. We actually terminate two (2) tunnels, one tunnel per VPN Gateway, on our side. Besides providing high availability, this lets us service one device while maintaining service. As such, we can connect to one of the customer’s BGP-supporting devices (preferably running JunOS or IOS).
  • The Hypervisor
    Amazon EC2 currently utilizes a highly customized version of the Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest OS has no elevated access to the CPU. The CPU provides four separate privilege modes, 0-3, called rings. Ring 0 is the most privileged and Ring 3 the least. The host OS executes in Ring 0. However, rather than executing in Ring 0 as most operating systems do, the guest OS runs in the lesser-privileged Ring 1 and applications in the least-privileged Ring 3. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two.

    Instance Isolation
    Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which ensures awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance’s virtual interface. All packets must pass through this layer, thus an instance’s neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms.
  • The firewall can be configured in groups, permitting different classes of instances to have different rules. Consider, for example, the case of a traditional three-tiered web application. The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers would have port 8000 (application specific) accessible only to the web server group. The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22 (SSH), but only from the customer’s corporate network. Highly secure applications can be deployed using this expressive mechanism. Here is an example of the commands needed to establish a multi-tier security architecture; customers could of course use the AWS Management Console to do the same. The source (-s) arguments for the corporate and vendor networks are shown as placeholders for the customer’s own CIDR blocks:

        # Permit HTTP(S) access to Web Layer from the Entire Internet
        ec2auth Web -p 80,443 -s 0.0.0.0/0
        # Permit ssh access to App Layer from Corp Network
        ec2auth App -p 22 -s <CORP_NETWORK_CIDR>
        # Permit ssh access to DB Layer from Vendor Network
        ec2auth DB -p 22 -s <VENDOR_NETWORK_CIDR>
        # Permit Application and DB Layer Access to appropriate internal layers
        ec2auth App -p $APP_PORT -o Web
        ec2auth DB -p $DB_PORT -o App
        # Permit Bastion host access for Web and DB Layers from App Layer
        ec2auth Web -p 22 -o App
        ec2auth DB -p 22 -o App
  • Amazon suggests that all EC2 users cryptographically control their EC2 control traffic, and SSH is the default method for doing so. Some users elect to wrap all their inbound and outbound traffic to their home corporate network within industry standard VPN tunnels. Doing so permits them to control the confidentiality and integrity of their traffic using industry-standard, tested cryptographic components that they control.
  • To understand why there’s all this excitement, it’s helpful to look at analogies of some major changes that have occurred in other industries over time. Here’s a picture of our CEO at the museum of a beer manufacturing facility in Belgium. This is their electric generator that they used over 100 years ago. There was no electric grid or utility industry then. If you wanted electricity, you made it yourself. That probably seemed very natural at the time – but I guarantee you that making their own electricity didn’t make their beer taste any better. Well, a couple decades later, the electric grid sprang up, and companies stopped making their own electricity; that was a fundamental shift in how they consumed one of their major inputs, and this freed them up to focus on things that likely mattered a lot more to their customers – like the beer. We think the chance exists for the company-owned data center to undergo just as fundamental a transformation over the coming years, as companies realize that they don’t necessarily have to be experts in this. People are now starting to glimpse that future, and find it pretty exciting.
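The three-tier security-group design from the firewall notes above, as an added example that is not from the slides or from AWS: a small Python model of the ec2auth rule set (a port admitted from a source CIDR or from another group, everything else denied) plus an audit check that lists what any Internet address can reach. The corporate and vendor CIDRs and the application port are constructed placeholders.

```python
# Added example: models the three-tier security-group rules from the notes.
# A rule admits a port either from a source CIDR (ec2auth -s) or from
# instances in another security group (ec2auth -o); anything not listed
# is denied, which is the EC2 security-group default.
import ipaddress

# Constructed placeholders (TEST-NET ranges), not values from the slides.
CORP_NET = "203.0.113.0/24"     # customer's corporate network
VENDOR_NET = "198.51.100.0/24"  # vendor network with ssh to the DB tier
APP_PORT = 8000                 # "application specific" port from the notes
DB_PORT = 3306                  # MySQL

# One entry per ec2auth command: (port, source); source is a CIDR or a group.
RULES = {
    "Web": [(80, "0.0.0.0/0"), (443, "0.0.0.0/0"), (22, "App")],
    "App": [(22, CORP_NET), (APP_PORT, "Web")],
    "DB":  [(22, VENDOR_NET), (DB_PORT, "App"), (22, "App")],
}


def _cidr(source):
    """Return the network for a CIDR source, or None if source is a group name."""
    try:
        return ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None


def is_allowed(dst_group, port, src_ip=None, src_group=None):
    """True if traffic to `port` on an instance in `dst_group` is admitted,
    given the sender's IP and/or the security group of the sending instance."""
    for rule_port, source in RULES.get(dst_group, []):
        if rule_port != port:
            continue
        net = _cidr(source)
        if net is not None:
            if src_ip is not None and ipaddress.ip_address(src_ip) in net:
                return True
        elif src_group is not None and source == src_group:
            return True
    return False  # default deny: no matching rule, no access


def internet_exposed():
    """Audit helper: (group, port) pairs reachable from any Internet address.
    With the rules above only the Web tier's 80 and 443 should appear."""
    exposed = []
    for grp, rules in RULES.items():
        for port, src in rules:
            net = _cidr(src)
            if net is not None and net.prefixlen == 0:
                exposed.append((grp, port))
    return sorted(exposed)


if __name__ == "__main__":
    print("Internet can reach:", internet_exposed())
    print("Internet -> DB:3306 allowed?", is_allowed("DB", DB_PORT, src_ip="192.0.2.1"))
```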
  • Transcript

    • 1. Amazon Web Services - Federal
      Sri Vasireddy, Federal Solutions Architect
    • 2. AWS Cloud Security Model Overview
      Shared Responsibility Model
      Customer/SI Partner/ISV controls guest OS-level security, including patching and maintenance
      Application level security, including password and role based access
      Host-based firewalls, including Intrusion Detection/Prevention Systems
      Encryption/Decryption of data. Hardware Security Modules
      Separation of Access
      Certifications & Accreditations
      Sarbanes-Oxley (SOX) compliance
      ISO 27001 Certification
      PCI DSS Level I certification
      HIPAA compliant architecture
      SAS 70 Type II Audit
      FISMA Low ATO
      • Pursuing FISMA Moderate ATO
      • Pursuing DIACAP MAC II Sensitive
      • FedRAMP
      Service Health Dashboard
      Network Security
      Instance firewalls can be configured in security groups;
      The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
      Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
      VM Security
      Multi-factor access to Amazon Account
      Instance Isolation
      • Customer-controlled firewall at the hypervisor level
      • Neighboring instances prevented access
      • Virtualized disk management layer ensures only account owners can access storage disks (EBS)
      Support for SSL end point encryption for API calls
      Physical Security
      Multi-level, multi-factor controlled access environment
      Controlled, need-based access for AWS employees (least privilege)
      Management Plane Administrative Access
      Multi-factor, controlled, need-based access to administrative host
      All access logged, monitored, reviewed
      AWS Administrators DO NOT have access inside a customer’s VMs, including applications and data
    • 7. AWS Certifications
      Shared Responsibility Model
      Sarbanes-Oxley (SOX)
      SAS70 Type II Audit
      PCI Data Security Standard compliance
      Working on FISMA A&A
      NIST Low Approvals to Operate
      Actively pursuing NIST Moderate
      ATOs in progress at several agencies
      ST&E and Moderate Controls available now for incorporation into SSP
      Actively pursuing FedRAMP
      Includes DIACAP Mac II Sensitive
      ISO 27001 Certification
      Customers have deployed various compliant applications such as HIPAA (healthcare)
    • 8. Amazon Web Services: Durable & Available
      Note: Conceptual drawing only. The number of Availability Zones may vary
      Diagram: US East, EU West, US West and GovCloud (US) Regions, each containing multiple Availability Zones (A, B, ...)
      Customer Decides Where the Data Resides
    • 9. Three Services: Better Together
      Elastic Load Balancer
      Auto Scaling
      Server icons courtesy of
    • 10. COOP and DR
      Diagram: Load Balancer, Auto Scale and Network IO across Availability Zones A and B; EBS Snapshots and Amazon S3 in US EAST and US WEST
      We Can Do Even Better...
    • 11. AWS Multi-Factor Authentication
      • Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
      • Additional protection for account information
      • Works with
      Master Account
      IAM Users
      • Integrated into
      AWS Management Console
      Key pages on the AWS Portal
      S3 (Secure Delete)
      A recommended opt-in security feature!
    • 14. Users and Groups within Accounts
      Unique security credentials
      Access keys
      MFA device
      Policies control access to AWS APIs
      Deep integration into S3
      policies on objects and buckets
      AWS Management Console now supports User log on
      Not for Operating Systems or Applications
      use LDAP, Active Directory, ADFS, etc...
      AWS Identity and Access Management (IAM)
    • 15. Identity Federation Sample
      Use case:
      Enterprise employee signs in with his normal credentials
      Access S3 with enterprise application
      IIS for enterprise authentication against Active Directory
      Client application to access S3
      Read-only access to S3
    • 16. Amazon VPC Architecture
      Customer’s isolated AWS resources
      VPN Gateway
      Amazon Web Services
      Secure VPN Connection over the Internet
    • 17. AWS GovCloud (US) Access
      AWS will screen customers prior to providing access to the AWS GovCloud (US). Customers must be:
      U.S. Persons;
      not subject to export restrictions; and
      comply with U.S. export control laws and regulations, including the International Traffic In Arms Regulations.
    • 18. AWS Deployment Models
      Amazon Confidential
    • 19. Amazon EC2 Instance Isolation

      Diagram: Customer 1, Customer 2 ... Customer n, each with its own Virtual Interfaces and Security Groups, sharing the Physical Interfaces; Launching EC2
    • 20. Multi-tier Security Architecture
      AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers
      Web Tier
      Application Tier
      Database Tier
      EBS Volume
      Ports 80 and 443 only open to the Internet
      Engineering staff have ssh access to the App Tier, which acts as Bastion
      Amazon EC2 Security Group Firewall
      Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier
      All other Internet ports blocked by default
    • 21. Network Traffic Confidentiality
      Internet Traffic
      Amazon EC2 Instances
      Corporate Network
      Encrypted File System
      Amazon EC2
      Encrypted Swap File
      • All traffic should be cryptographically controlled
      • Inbound and outbound traffic to corporate networks should be wrapped within industry standard VPN tunnels (option to use Amazon VPC)
    • 23. Cloud Federation, Integration and Governance
    • 24. Agenda
      The Role of Policy Enforcement in Governing the Cloud
      Layer 7’s Cloud Security and Governance Solution
      Conclusion & Questions
    • 25. Current App Environment
      Internal Apps
      On-Premises IT
    • 26. Move Cloudable App onto Amazon
      Cloud Application
      Internal Service Host
      On-Premises IT
    • 27. Policy Enforcement on Amazon
      Cloud Application
      Virtual PEP
      Internal Service Host
      On-Premises IT
    • 28. Federate Identity
      Cloud Application
      Virtual PEP
      Internal Service Host
      On-Premises IT
      Enterprise Identity Repository
    • 29. API Mediation
      Cloud Application
      SOAP, REST, or JSON
      Virtual PEP
      Internal Service Host
      On-Premises IT
    • 30. Monitoring
      Cloud Application
      Virtual PEP
      Internal Service Host
      On-Premises IT
    • 31. Putting it all Together for Cloud Governance
      Monitor and Report
      Amazon EC2
      Amazon EC2
      LDAP, SSO, MS AD, STS, etc
      Amazon EC2