
AWS Enterprise Summit Netherlands - Infosec by Design


  1. Information Security by Design in AWS
     Dave Walker, Specialist Solutions Architect, Security and Compliance
     Wednesday Sept 21st, 2016. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Agenda
     • “Start Here”
     • Standards and Other Requirements
     • Control Mapping
     • The Enterprise Accelerator Initiative
  3. “Start Here”
  4. Industry Best Practices for Securing AWS Resources
     • CIS Amazon Web Services Foundations: an architecture-agnostic set of security configuration best practices, providing step-by-step implementation and assessment procedures
  5. Standards and Other Requirements
  6. AWS Assurance Programs
  7. Compliance Resources: https://aws.amazon.com/compliance/resources/
  8. Compliance: How to work with AWS Certifications
     • “The magic’s in the Scoping”
       • If a Service isn’t in scope, that doesn’t necessarily mean it can’t be used in a compliant deployment
       • …but it won’t be usable for a purpose which touches sensitive data
       • See re:Invent sessions, especially “Navigating PCI Compliance in the Cloud”, https://www.youtube.com/watch?v=LUGe0lofYa0&index=13&list=PLhr1KZpdzukcJvl0e65MqqwycgpkCENmg
     • Remember the Shared Responsibility Model
       • “We do our bit at AWS, but you must also do your bit in what you build using our services”
       • Our audit reports make it easier for our customers to get approval from their auditors, against the same standards
       • Liability can’t be outsourced…
  9. Compliance: How to work with AWS Certifications
     • Time-based subtleties:
       • PCI, ISO: point-in-time assessments
       • SOC: assessment spread over time, therefore a more rigorous assessment of procedures and operations
       • (AWS Config allows you to make a path between these, for your own auditors)
       • FedRAMP: Continuous Monitoring and Reporting, an important proof
     • If a service for defined sensitive data isn’t in scope of an audit report, can this be designed around?
       • E.g. standing up a queue system on EC2 as a substitute for SQS…
     • Be careful of what elements of a Service are in scope, too…
       • Metadata is typically “out”
  10. SOC 1
     • Availability: audit report available to any customer with an NDA
     • Scope: AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
     • Sensitive data: N/A
     • Particularly good for: datacentre management; talks about KMS for key management and encryption at rest; discusses Engineering bastions
     • Downsides: none
  11. SOC 2
     • Availability: audit report available to any customer with an NDA
     • Scope: AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
     • Sensitive data: N/A
     • Particularly good for: risk assessment considerations, management visibility and process, organisational structure
     • Downsides: none
  12. PCI-DSS
     • Availability: audit report available to any customer with an NDA
     • Scope: Amazon EC2, Application Auto Scaling, ELB, Amazon VPC, Amazon Route 53, AWS Direct Connect, Amazon S3, Amazon Glacier, Amazon EBS, Amazon RDS, Amazon DynamoDB, Amazon SimpleDB, Amazon Redshift, Amazon EMR, Amazon SWF, IAM, AWS CloudTrail, AWS CloudHSM, Amazon SQS, Amazon CloudFront, AWS CloudFormation, AWS Elastic Beanstalk, AWS KMS, Amazon ECS, AWS WAF
     • Sensitive data: CVV, PAN
     • Particularly good for: forensics cooperation, breach disclosure, explaining Shared Responsibility in depth; also hypervisor-based instance separation assurance
     • Downsides: none (since the August 2015 update, when KMS was added)
  13. ISO 27001
     • Availability: certificate is public at http://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf; the Statement of Applicability is normally not available externally
     • Scope: AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
     • Sensitive data: N/A
     • Particularly good for: a broad-ranging “backstop” and important “tick box item”; ISMS considerations (see “Technical and Organisational Measures” later)
     • Downsides: no detailed audit report available
  14. ISO 27018
     • Availability: certificate available at https://d0.awsstatic.com/certifications/iso_27018_certification.pdf
     • Scope: AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
     • Sensitive data: PII
     • Particularly good for: assurance of protection of PII in AWS environments
     • Downsides: no detailed audit report available
  15. Others (and Resources)
     • ISO 27017: cloud security recommended practices
     • ISO 9001: quality control
     • UK G-Cloud / CESG Security Principles, gov.uk “Cyber Essentials”: see me, and our whitepaper at https://d0.awsstatic.com/whitepapers/compliance/AWS_CESG_UK_Cloud_Security_Principles.pdf
     • IT-Grundschutz: workbook at https://d0.awsstatic.com/whitepapers/compliance/AWS_IT_Grundschutz_TUV_Certification_Workbook.pdf
     • MTCS, IRAP, …: “Other People’s Geos”; we can put you in touch with AWS Specialist Security and Compliance SAs there as needed, and there are also some whitepapers
     • EU Data Protection Guidance: https://d0.awsstatic.com/whitepapers/compliance/AWS_EU_Data_Protection_Whitepaper.pdf
  16. Auditing: Comparison of on-prem vs on AWS
     • On-prem:
       • Start with bare concrete
       • Functionally optional: you can build a secure system without it
       • Audits done by an in-house team
       • Accountable to yourself
       • Typically check once a year
       • Workload-specific compliance checks
       • Must keep pace and invest in security innovation
     • On AWS:
       • Start on a base of accredited services
       • Functionally necessary: high watermark of requirements
       • Audits done by third-party experts
       • Accountable to everyone
       • Continuous monitoring
       • Compliance approach based on all workload scenarios
       • Security innovation drives broad compliance
  17. What this means
     • You benefit from an environment built for the most security-sensitive organisations
     • AWS manages 1,800+ security controls so you don’t have to
     • You get to define the right security controls for your workload sensitivity
     • You always have full ownership and control of your data
  18. The AWS Well-Architected Framework
     • Increase awareness of architectural best practices
     • Addresses foundational areas that are often neglected
     • Consistent approach to evaluating architectures
     • Composed of: pillars, design principles, questions
  19. Pillars of Well-Architected: Security, Reliability, Performance Efficiency, Cost Optimization
  20. Control Mapping
  21. Why a Mapping of Security Controls?
     • PCI-DSS: standards for merchants which process credit card payments and have strict security requirements to protect cardholder data. A point-in-time certification.
     • SOC 1-3: designed by the “big 4” auditors as an evolution of SSAE16, SAS70 etc., and to address perceived shortcomings in ISO 27001. A continuous-assessment certification, covering process and implementation.
     • ISO 27001: outlines the requirements for Information Security Management Systems. A point-in-time certification, but one which requires mature processes.
  22. Standards, Controls and Commonality
     • Controls overlap between standards; see e.g. https://www.unifiedcompliance.com
     • AWS master control list and mappings: 1800+ internal controls, with mappings to external standards
     • Engage auditors, and…
  23. “Principles Rarely Change, but Implementations Do”
     • Zeno’s Paradox: Achilles and the Tortoise
     • Technology (almost) always leads standards
       • (AWS made 10 feature updates last week; see https://aws.amazon.com/new/ )
     • ISO 27001, ISO 9001, SOC 1-3, PCI-DSS (and lots of others) are covered by various AWS services at the infrastructure and container layers, but not all are
     • The AWS Marketplace is growing…
  24. AWS Marketplace: One-stop shop for security tools
     • Encryption & Key Mgmt
     • Server & Endpoint Protection
     • Application Security
     • Vulnerability & Pen Testing
     • Advanced Threat Analytics
     • Identity and Access Mgmt
     • Network Security
  25. “When I were a Lad…”: Traditional Controls
     • Service networks looked like: Internet gateway, Elastic Load Balancing, Amazon VPC router, instances (diagram)
  26. “When I were a Lad…”: Traditional Controls
     • Management networks looked like: (diagram)
  27. “When I were a Lad…”
     • Security technologies looked like: (diagram)
  28. But: AWS security controls are rather more extensive
     • Can’t readily be reduced to a 2D “onion”
       • (5 dimensions might about do it…)
     • So, we have tables
       • And they’re not small…
  29. General Headings
     • Infrastructure meta-security
     • Host security
     • Network security
     • Logging and Auditing
     • Resilience
     • User Access Control and Management
     • Cryptography and Key Management
     • Incident Response and Forensics
     • “Anti-Malware”
     • Separation of Duty
     • Data Lifecycle Management
     • Geolocation
     • Anti-DDoS
  30. “Can our current Security Functions be mapped onto AWS?”: AWS Environment Management
     • Logging and Auditing: AWS CloudTrail
     • Asset Management: AWS Config, API
     • Management Access Control: AWS IAM
     • Configuration Management: Web Console, AWS CloudFormation, AWS OpsWorks, CLI, API, SDKs
     • Configuration Monitoring: Amazon CloudWatch
  31. “Can our current Security Functions be mapped onto AWS?”: Network
     • AWS to Customer Networks: Internet and/or Direct Connect
     • Layer 2 Network Segregation: Amazon VPC
     • Stateless Traffic Management: Network Access Control Lists
     • IPsec VPN: VPC VGW, Marketplace
     • Firewall / Layer 3 Packet Filter: Security Groups
     • IDS/IPS: AWS CloudTrail, CloudWatch Logs, SNS, VPC Flow Logging
     • Managed DDoS Prevention: included in Amazon CloudFront
  32. “Can our current Security Functions be mapped onto AWS?”: Encryption, Key Management
     • Data-In-Flight: IPsec or TLS or your own
     • Volume Encryption: Amazon EBS Encryption
     • Object Encryption: Amazon S3 Encryption (Server and Client Side)
     • Key Management: AWS Key Management Service
     • Dedicated HSMs: AWS CloudHSM
     • Database Encryption: TDE (RDS / Oracle EE), Encrypted Amazon EBS (with KMS), Encrypted Amazon Redshift
  33. “Can our Current Security Functions be mapped onto AWS?”: Data Management
     • Hierarchical Storage: Amazon S3 Lifecycle
     • Deletion Protection: Amazon S3 MFA Delete
     • Versioning: Amazon S3 Versioning
     • Archiving: Amazon Glacier (optionally, with Vault Lock)
  34. “Can our Current Security Functions be mapped onto AWS?”: Host / Instance Security
     • Traditional Controls: Traditional Controls (mostly)
     • Instance Management: Delete-and-promote
     • Incident Management: More alternatives!
     • Asset Management: “What the API returns, is true”
     • Instance Separation: PCI Level 1 Hypervisor, Dedicated Instances
  35. “Can our Current Security Functions be mapped onto AWS?”
     • For some functions, AWS architecture will take you in a particular direction; for other functions, AWS architecture allows you to do more interesting things than on-premises.
     • You may get considerable benefit from looking “behind the control” to discern the underlying risk, and mitigate it differently.
     • Some examples:
  36. “Familiar functions, made Cloud scale”
     • IAM: “RBAC writ large”
       • Fine-grained privilege
       • Further access controls:
         • Source IP
         • Time of day
         • Use of MFA
         • Region affected (a work in progress; works for EC2, RDS)
     • Data Pipeline: “Cron writ large”
       • (…and now, CloudWatch Events = “cron for Lambda”)
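The four extra IAM controls listed on the slide (source IP, time of day, MFA, region), as an added example that is not part of the deck: explicit Deny guard rails together with a simplified local evaluator, so the way a Condition block composes can be exercised offline. The CIDR, regions and the change window are constructed placeholders (IAM conditions compare absolute timestamps, so a window is the closest match to "time of day"), and aws:RequestedRegion is a real global condition key that was added after this 2016 talk.

```python
"""Added example (not from the slides): the slide's extra access controls as IAM Deny
guard rails, with a simplified local evaluator for the condition operators they use.
It shows how Condition blocks compose; it is not the IAM policy engine."""
import ipaddress
from datetime import datetime, timezone

# Constructed policy; CIDR, change window and regions are placeholders. An explicit
# Deny beats any Allow. The window needs two statements because keys inside one
# Condition are AND-ed, so "before 08:00 AND after 18:00" could never match.
POLICY = [
    {"Sid": "DenyOffNetwork", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    {"Sid": "DenyNoMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Sid": "DenyBeforeWindow", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"DateLessThan": {"aws:CurrentTime": "2016-09-21T08:00:00Z"}}},
    {"Sid": "DenyAfterWindow", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2016-09-21T18:00:00Z"}}},
    {"Sid": "DenyOutsideEU", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def _matches(op, key, values, ctx):
    """Simplified operator semantics. A missing key matches only for *IfExists, which
    is why BoolIfExists (not Bool) catches long-term access keys carrying no MFA flag."""
    if key not in ctx:
        return op.endswith("IfExists")
    actual, wanted = ctx[key], values if isinstance(values, list) else [values]
    if op == "NotIpAddress":
        return not any(ipaddress.ip_address(actual) in ipaddress.ip_network(w) for w in wanted)
    if op == "BoolIfExists":
        return str(actual).lower() == wanted[0]
    if op == "StringNotEquals":
        return actual not in wanted
    if op in ("DateLessThan", "DateGreaterThan"):
        a, w = _ts(actual), _ts(wanted[0])
        return a < w if op == "DateLessThan" else a > w
    raise ValueError("operator not modelled: " + op)

def deny_reasons(ctx):
    """Sids of every Deny statement whose whole Condition matches the request context."""
    return [s["Sid"] for s in POLICY if all(_matches(op, k, v, ctx)
            for op, kv in s["Condition"].items() for k, v in kv.items())]

# Constructed request contexts: one compliant, one tripping every control (it carries
# no MFA key at all, as a call signed with a long-term access key would not).
GOOD = {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": "true",
        "aws:CurrentTime": "2016-09-21T10:00:00Z", "aws:RequestedRegion": "eu-west-1"}
BAD = {"aws:SourceIp": "198.51.100.9", "aws:CurrentTime": "2016-09-21T20:30:00Z",
       "aws:RequestedRegion": "us-east-1"}
```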
  37. Asset Management, Logging and Analysis
     • “What the API returns, is true”
       • CloudTrail, Config, CloudWatch Logs
     • “Checks and balances”
       • S3 append-only, MFA delete
       • SNS for alerting
     • Easy building blocks for Continuous Protective Monitoring (AWS Config, AWS CloudTrail, CloudWatch)
  38. Logs → metrics → alerts → actions
     • Sources: AWS CloudTrail, Amazon EC2 OS logs, Amazon VPC Flow Logs, API calls from most services, monitoring data from AWS services, custom metrics
     • Collection and metrics: AWS Config, CloudWatch / CloudWatch Logs
     • Alerts: CloudWatch alarms
     • Actions: Amazon SNS notifications by email, HTTP/S, SMS and mobile push
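The “checks and balances” and logs → alerts pattern of the two slides above, as an added example that is not part of the deck: detection rules over CloudTrail records that flag a console login without MFA, API calls that stop or alter a trail, and versioning changes on a bucket that holds logs. Field names follow the CloudTrail record format; the account id, addresses, user names, trail name and bucket name are constructed, and the final step of publishing each alert to an SNS topic is left out.

```python
"""Added example (not from the slides): the "checks and balances" idea as detection
logic over CloudTrail records. The constructed records below use CloudTrail's field
names; the rules flag anything that weakens the audit trail itself."""

# Constructed CloudTrail-style records (account id, addresses and names are placeholders).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.7", "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.9", "requestParameters": {"name": "org-trail"}},
    {"eventName": "PutBucketVersioning", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"bucketName": "cloudtrail-archive",
                           "VersioningConfiguration": {"Status": "Suspended"}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ops/x"},
     "sourceIPAddress": "203.0.113.7"},
]

# CloudTrail API calls that switch off, redirect or thin out the audit trail.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Buckets whose Versioning / MFA Delete state is part of the log-integrity control.
LOG_BUCKETS = {"cloudtrail-archive"}

def classify(ev):
    """Return an alert dict for a record that weakens the audit trail, else None."""
    name, src = ev.get("eventName"), ev.get("eventSource")
    base = {"actor": ev.get("userIdentity", {}).get("arn", "?"),
            "ip": ev.get("sourceIPAddress", "?"), "event": name}
    if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") == "No" \
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success":
        return dict(base, severity="medium", rule="console-login-without-mfa")
    if src == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        return dict(base, severity="high", rule="cloudtrail-tampering")
    params = ev.get("requestParameters", {})
    cfg = params.get("VersioningConfiguration", {})
    if name == "PutBucketVersioning" and params.get("bucketName") in LOG_BUCKETS \
            and (cfg.get("Status") == "Suspended" or cfg.get("MfaDelete") == "Disabled"):
        return dict(base, severity="high", rule="log-bucket-protection-weakened",
                    bucket=params["bucketName"])
    return None

def alerts(events):
    """Alerts for a batch of records, in arrival order; each dict is what would go to SNS."""
    return [a for a in map(classify, events) if a]
```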
  39. IDS / IPS / WAF
     • Host vs network
     • Everything preventative needs to be inline
       • IPS / WAF in particular
       • Unless you wanted to have fun with RST packets
     • Dealing with autoscaling
     • Separation of Duty / managed service?
     • VPC Flow Logging
     • 2-step Hybrid WAF with AWS WAF, [Alert Logic | Imperva | Trend Micro]
  40. Immutability and Mandatory Access Control
     • S3 cross-account sharing, Versioning and MFA Delete
     • SELinux on EC2
       • SELinux enforcing policy can be complicated to write; see e.g. http://www.tresys.com
  41. Incident Management
     • Traditional infrastructure:
       • Manage and Mitigate?
       • Pursue and Prosecute?
     • Cloud gives you a third option:
       • Replicate, repair, ringfence and redirect
       • You’re back up and running, with the previous environment isolated for forensic examination
  42. The Enterprise Accelerator Initiative
  43. AWS Enterprise Accelerator: Compliance Architectures
     • Sample Architecture
     • Security Controls Matrix
     • CloudFormation Templates (5 x templates)
     • User Guide
     • NIST 800-53 and PCI-DSS
     • http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html
  44. Education: AWS Security & Compliance
     • AWS Security Fundamentals: 3-hour eLearning course; target audience: Security Auditors/Analysts; it’s free
     • AWS Security Operations: 3-day Instructor-Led Training; target audience: Security Engineers/Architects; 12 modules + labs
     • Self-paced labs available on http://qwiklabs.com
     • https://aws.amazon.com/training/course-descriptions/
  45. Helpful Resources
     • Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
     • Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
     • Compliance Centre Website: https://aws.amazon.com/compliance
     • Security Centre: https://aws.amazon.com/security
     • Security Blog: https://blogs.aws.amazon.com/security/
     • Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/
     • AWS Audit Training: awsaudittraining@amazon.com
  46. Helpful Videos
     • The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M
     • IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
     • Encryption on AWS: https://youtu.be/DXqDStJ4epE
     • Securing Serverless Architectures: https://www.youtube.com/watch?v=lKVp8d45HSU
  47. Thank you! © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
