AWS Lunch and Learn - Security

Amazon Web Services Lunch and Learn session: How Security works on AWS and how you can architect for it

Published in: Technology, News & Politics

  1. How Security Works in AWS & How You Can Architect For It. Markku Lepistö, Principal Technology Evangelist, @markkulepisto
  2. AWS Cloud Security. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.” – Tom Soderstrom, CTO, NASA JPL
  3. Visibility
     •  In the AWS cloud, see your entire infrastructure at the click of a mouse
     •  Can you map your current network?
  4. Defense in Depth: multi-level security
     •  Physical security of the data centers
     •  Network security
     •  System security
     •  Data security
  5. Gain access to a world-class security team. Where would some of the world’s top security people like to work? At scale, on huge challenges with huge rewards. So AWS has world-class security and compliance teams watching your back! Every customer benefits from the tough scrutiny of other AWS customers.
  6. Build everything on a constantly improving security baseline. [Diagram: AWS Foundation Services (Compute, Storage, Database, Networking) on top of AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)]
  7. Let AWS do the heavy lifting for you. AWS is responsible for the security OF the Cloud; customers are responsible for their security and compliance IN the Cloud. [Diagram: the AWS layers of slide 6 underneath the customer-owned layers: Operating System, Network & Firewall Configuration; Platform, Applications, Identity & Access Management; Client-side Data Encryption, Server-side Data Encryption and Network Traffic Protection; Customer content]
  8. Meet your own security objectives: your own accreditation, your own certifications, your own external audits. Customer scope and effort is reduced; better results through focused efforts; built on AWS consistent baseline controls.
  9. AWS Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo). You can stay onshore in any location that you need to.
  10. You can choose to keep all your content onshore in any AWS region of YOUR choice
     •  AWS makes no secondary use of customer content
     •  Manage your privacy objectives any way that you want
     •  Keep data in your chosen format and move it, or delete it, at any time you choose
     •  No automatic replication of data outside of your chosen AWS Region
     •  Customers can encrypt their content any way they choose
     You always have full ownership and control.
  11. You can improve your security with the AWS cloud
  12. Every solution can be resilient and fault tolerant
     •  AWS operates scalable, fault tolerant services
     •  Build resilient solutions operating in multiple datacenters
     •  AWS helps simplify active-active resilient solutions
     •  All AWS facilities are always on
     •  No need for a “Disaster Recovery Datacenter” when you can have resilience
     •  Every AWS facility managed to the same global standards
     •  AWS has robust connectivity and bandwidth: each AZ has multiple, redundant Tier 1 ISP service providers, a resilient network infrastructure
  13. Every network has fine-grained security built-in. You control your VPC address range:
     •  Your own private, isolated section of the AWS cloud
     •  Every VPC has a private IP address space you define
     •  Create your own subnets and control all internal and external connectivity
     AWS network security:
     •  The AWS network will prevent spoofing and other common layer 2 attacks
     •  Every compute instance gets multiple security groups, which are stateful firewalls
     •  Every subnet gets network access control lists
  14. You can create multi-tier architectures every time. [Diagram: VPC A, 10.0.0.0/16, in Availability Zone A, with subnets 10.0.1.0/24 through 10.0.5.0/24 holding load balancing, web, app and log tiers on EC2 plus a jump host]
  15. Firewall every single compute instance. [Same diagram as slide 14, with security group rules:] “Web servers will accept Port 80 from load balancers”; “App servers will accept Port 8080 from web servers”; “Allow SSH access only from Jump Hosts”
  16. Enable network access control on every subnet. [Same diagram, with a network ACL rule:] “Deny all traffic between the web server subnet and the database server subnet”
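The rules on slides 15 and 16 can be checked before they are deployed by modelling how the two controls are evaluated: security groups are stateful and allow-only, referencing other groups as sources, while network ACLs are stateless, numbered, first-match, and end in an implicit deny. The following is an added example, not code from the deck; the subnet-to-tier mapping, the db tier and the rule numbers are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed layout based on the deck's VPC A (10.0.0.0/16) diagram. Which
# /24 hosts which tier, and the existence of a db tier, are assumptions.
SUBNETS = {
    "lb": ip_network("10.0.1.0/24"), "web": ip_network("10.0.2.0/24"),
    "app": ip_network("10.0.3.0/24"), "db": ip_network("10.0.4.0/24"),
    "jump": ip_network("10.0.5.0/24"),
}

# Security groups: stateful, allow-only, keyed by the group being protected.
# Each rule is (source security group, TCP port), as the slides phrase them.
SECURITY_GROUPS = {
    "web": [("lb", 80), ("jump", 22)],
    "app": [("web", 8080), ("jump", 22)],
    "db": [("app", 3306), ("jump", 22)],   # db rules are an assumption
}

# Network ACLs: stateless, per subnet, numbered rules evaluated lowest first,
# first match wins, implicit deny if nothing matches; the same list is used
# for both directions here. Rule 100 encodes slide 16's web/db deny.
ANY = ip_network("0.0.0.0/0")
NETWORK_ACLS = {
    "web": [(100, "deny", SUBNETS["db"]), (200, "allow", ANY)],
    "db": [(100, "deny", SUBNETS["web"]), (200, "allow", ANY)],
}
DEFAULT_ACL = [(100, "allow", ANY)]

def nacl_allows(subnet, peer_ip):
    """Evaluate one subnet's ACL against the remote address of a flow."""
    for _num, action, cidr in sorted(NETWORK_ACLS.get(subnet, DEFAULT_ACL),
                                     key=lambda rule: rule[0]):
        if ip_address(peer_ip) in cidr:
            return action == "allow"
    return False  # implicit deny at the end of every ACL

def subnet_of(ip):
    return next(name for name, net in SUBNETS.items() if ip_address(ip) in net)

def flow_allowed(src_sg, src_ip, dst_sg, dst_ip, port):
    """Decide a new TCP connection src -> dst:port; returns (allowed, reason)."""
    if not nacl_allows(subnet_of(src_ip), dst_ip):
        return False, "denied by outbound NACL on source subnet"
    if not nacl_allows(subnet_of(dst_ip), src_ip):
        return False, "denied by inbound NACL on destination subnet"
    if (src_sg, port) not in SECURITY_GROUPS.get(dst_sg, []):
        return False, f"no security group rule on {dst_sg} for {src_sg}:{port}"
    return True, "allowed by NACLs and security group"
```

Because the ACL is stateless, a real deployment also needs ephemeral-port allow rules for return traffic; the model above only decides the initial connection.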
  17. Control every Internet connection. [Diagram: VPC A with an Internet Gateway in front of load balancing, web and app tiers]
     Control Internet routing:
     •  Create public subnets and private subnets
     •  Implement DMZ architectures as per normal best practices
     •  Allocate static Elastic IP addresses or use AWS-managed public IP addresses
  18. Connect in private to your existing datacentres. Use Internet VPNs or use AWS Direct Connect. [Diagram: your premises connected to VPC A]
  19. You can route to the Internet using your gateway. [Same diagram as slide 18: your premises connected to VPC A via Internet VPNs or AWS Direct Connect, with Internet traffic routed through your own gateway]
  20. Create flexible multi-VPC hybrid environments. [Diagram: your organisation (Project Teams, Marketing, Business Units, Reporting, Digital / Websites, Dev and Test, Internal Enterprise Apps) connected to separate VPCs, with Redshift and EMR for analytics and Amazon S3 and Amazon Glacier for storage and backup]
  21. Every website can absorb attacks and scale out. [Diagram: distributed attackers and customers reach Route53, CloudFront and Amazon S3 in the Singapore region; inside your VPC, WAF instances sit in front of ELBs and Auto Scaling app tiers]
  22. You can encrypt your sensitive information everywhere
     Encrypt your Elastic Block Store volumes any way you like
     •  AWS native EBS encryption for free with a mouse-click
     •  Encrypt yourself using free utilities, plus Trend, SafeNet and other partners for high-assurance key management solutions
     Amazon S3 offers either server- or client-side encryption
     •  Manage your own keys or let AWS do it for you
     Redshift has one-click disk encryption as standard
     •  Encrypt your data analytics
     •  You can supply your own keys
     RDS supports transparent data encryption (TDE)
     •  Easily encrypt sensitive database tables
  23. You can store your encryption keys in AWS CloudHSM: tamper-resistant, customer-controlled hardware security modules within your VPC
     •  Industry-standard SafeNet Luna devices, Common Criteria EAL4+ and NIST FIPS 140-2 certified
     •  No access from Amazon administrators who manage and maintain the appliance
     •  High availability and replication with on-premise HSMs
     Reliable & durable key storage
     •  Use for transparent data encryption on self-managed databases and natively with AWS Redshift
     •  Integrate with applications using Java APIs and AWS SDKs
     •  Integration with marketplace disk-encryption and SSL
  24. You can use your own HSMs if you want. [Diagram: your premises (applications, your HSM) synced to CloudHSM appliances in your VPC via NAT; keys used for volume, object and database encryption on EC2, EBS, S3 and Amazon Glacier, and for signing / DRM / apps]
  25. You can enforce consistent security on your hosts. [Diagram: launch instance from the EC2 AMI catalogue, configure instance, running instance; host controls on your instance: hardening, audit and logging, vulnerability management, malware and HIPS, whitelisting and integrity, user administration, operating system]
     You control the configuration of your EC2 compute instances and can configure and harden operating environments to your own specs.
     Use host-based protection software
     •  Apply best-practice top 5 mitigation strategies!
     Think about how you will manage administrative users
     •  Restrict access as much as possible
     Build out the rest of your standard security environment
     •  Connect to your existing services, e.g. SIEM
  26. Old World – Static, Fixed Systems. [Diagram: fixed pairs LB1/LB2, SW1/SW2, Web1/Web2, App1/App2, DB1/DB2]
  27. “Cloud applications have amorphous, polymorphic attack surfaces.” – Jason Chan, Director of Engineering, Cloud Security, Netflix
  28. What’s not there is not a hole
  29. Install Only the Packages You Use. [Diagram: stack of OPERATING SYSTEM, 3rd PARTY LIBRARIES, CORE SERVICES, YOUR CODE]
     •  Bare minimum, just-enough-OS
     •  Install & run only the services you use
     •  Install only the libraries you use
     •  Each app tier has only its own code
     •  Upgrade & patch ALL continuously
  30. « Cloud Instance is an implementation of a known, good state » – Dr Rich Wolski, UCSB
  31. Pre-baked Image versus Base OS Image + Orchestration. [Diagram: three AMIs, each a stack of OPERATING SYSTEM, 3rd PARTY LIBRARIES, CORE SERVICES, YOUR CODE]
  32. 3rd Party Configuration Mgmt & Orchestration Tools
  33. AWS Services for Application Lifecycle Management, from control to convenience:
     •  DIY / On Demand: DIY, on-demand resources: EC2, S3, custom AMIs, etc.
     •  AWS CloudFormation: templates to deploy & update infrastructure as code
     •  AWS OpsWorks: DevOps framework for application lifecycle management and automation
     •  AWS Elastic Beanstalk: automated resource management – web apps made easy
  34. Validate All Inputs. Never assume input validity at any API / interface / port into your code: strict checks, and discard what fails.
  35. Control access and segregate duties everywhere
     •  With AWS IAM you get to control who can do what in your AWS environment and from where
     •  Fine-grained control of your AWS cloud with two-factor authentication
     •  Integrated with your existing corporate directory using SAML 2.0 and single sign-on
     [Diagram: AWS account owner delegating to network management, security management, server management and storage management]
  36. Full visibility of your AWS environment
     •  CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made: who did what, when, and from what IP address
     •  Support for many AWS services and growing, including EC2, EBS, VPC, RDS, IAM and Redshift
     •  Easily aggregate all log information
     •  Out-of-the-box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
     Get consistent visibility of logs that you can monitor.
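Slide 36's “who did what, when, and from what IP address” is exactly what a CloudTrail record carries, and slide 35's two-factor authentication shows up in the same log as the MFAUsed field on console logins. The following is an added example, not part of the deck: it flattens a few constructed records and flags console logins without MFA and perimeter or trail changes made from outside an assumed corporate address range. Record contents, user names and the trusted range are made up.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed CloudTrail records (user names, IPs and times are made up);
# the field names follow the CloudTrail record format.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-09-10T03:12:44Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-09-10T03:15:02Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-09-10T11:40:19Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-09-10T11:41:05Z", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})

# API calls that change the network perimeter or switch off the audit trail.
SENSITIVE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "StopLogging", "DeleteTrail"}
TRUSTED_NETS = [ip_network("203.0.113.0/24")]  # assumed corporate egress range

def from_trusted_net(source):
    """sourceIPAddress may be a service hostname rather than an IP; treat those as untrusted."""
    try:
        return any(ip_address(source) in net for net in TRUSTED_NETS)
    except ValueError:
        return False

def who_did_what(raw):
    """Flatten records to (when, who, what, from where), as the slide frames it."""
    rows = []
    for rec in json.loads(raw)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        rows.append((rec["eventTime"], who, rec["eventName"], rec["sourceIPAddress"]))
    return rows

def findings(raw):
    """Flag console logins without MFA and sensitive calls from outside trusted networks."""
    alerts = []
    for rec in json.loads(raw)["Records"]:
        who = rec.get("userIdentity", {}).get("userName", "unknown")
        event, source = rec["eventName"], rec["sourceIPAddress"]
        if event == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(f"{who}: console login without MFA from {source}")
        if event in SENSITIVE_EVENTS and not from_trusted_net(source):
            alerts.append(f"{who}: {event} from untrusted address {source}")
    return alerts
```

On real trail files the same functions apply to each gzipped JSON object CloudTrail writes to the S3 bucket; the sample here is embedded so the block runs offline.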
  37. You get to do all of this in DEVELOPMENT, TESTING, PRE-PRODUCTION and LIVE
  38. Further info and how to get AWS support
     Read AWS security whitepapers, tips and good practices
     •  http://blogs.aws.amazon.com/security
     •  http://aws.amazon.com/compliance
     •  http://aws.amazon.com/security
     •  Risk and compliance, best practices, audit guides and operational checklists to help you before you go live
     •  Workshop solutions with an AWS solutions architect, including me!
     •  Get free trials of security from AWS Partners on the AWS marketplace
     Sign up for AWS premium support
     •  http://aws.amazon.com/support
     •  Get help when you need it most – as you grow
     •  Choose different levels of support with no long-term commitment
  39. SHOW ME ALREADY!
  40. DEMOS
     1.  Use IAM & Multi-Factor Authentication to log in to AWS
     2.  Create a new Amazon VPC in Singapore
     3.  IPsec VPN: connect the Tokyo office with the Singapore VPC
     4.  Customize an EC2 instance with a minimal footprint and secure config
     5.  Control Security Groups
  41. Our First Virtual Private Cloud. [Diagram: VPN tunnels from the customer VPN gateway at the Tokyo office (desktop) to the Singapore VPC, with an application server spanning Availability Zone A and Availability Zone B]
     VPC – Singapore
     •  VPC CIDR Network: 10.100.0.0/16
     •  VPC Subnet 1: 10.100.0.0/23
     •  VPC Subnet 2: 10.100.2.0/23
     •  VPN Type: Dynamic BGP
     Office – Tokyo
     •  Office Network: 10.96.24.0/21
     •  VPN Gateway IP: 54.92.27.101
  42. Contact your AWS Account Manager to discuss your use cases & opportunities to try AWS services. Follow us on Twitter at @AWSCloudSEAsia. Join the AWS User Group at Facebook.com – search ‘AWS User Group Singapore’.
  43. Thank you. Markku Lepistö – Principal Technology Evangelist, @markkulepisto