AWS Summit Auckland Sponsor presentation - Bulletproof


  1. How Xero Accelerated Security Innovation on AWS
  2. Hello! Jeremy Vincent, Solution Architect, Bulletproof; Aaron McKeown, Lead Security Architect, Xero; Neil Ramsay, Cloud Engineer, Bulletproof
  3. What can you expect today? An overview of:
     • Xero
     • AWS Migration Project
     • AWS Security Principles
     • Key Project Learnings
     • Bulletproof
     • Cloud Security Considerations
     • Secure by Design Guidance
  4. Who are we?
     • Cloud House merged with Bulletproof in 2016
     • First Premier Partner in A/NZ
     • ASX listed (ASX:BPF)
     • Only Premier Partner in NZ
     • End-to-end Cloud services provider
     • 700+ customers
     • 16+ years of experience
     • We help you disrupt, transform and innovate
  5. Aaron McKeown, Lead Security Architect: How Xero Accelerated Security on AWS
  6. Beautiful cloud-based accounting software. Connecting people with the right numbers anytime, anywhere, on any device.
  7. 1450+ staff globally; $474m raised in capital; $202m subscription revenue FY16; 23m+ businesses have interacted on the Xero platform; $1tr incoming and outgoing transactions in the past 12 months; 450m incoming and outgoing transactions in the past 12 months. All figures shown are in NZD.
  8. (Chart: paying subscribers, 2009 to 2016.) 700,000+ subscribers globally
  9. Public cloud migration:
     • Improving data protection
     • Eliminating scheduled downtime
     • Maintaining and improving security
     • Support the next wave of growth
     • Reducing our per customer cost
  10. Security Considerations in the Cloud
  11. Approach: AWS Cloud Security
     • Security is a Journey
     • High Pace of Innovation with Cloud
     • Automation is key
  12. How? AWS Cloud Security
     • Focus on API Security
     • Fast rate of change
     • Cloud native systems with consistent security capabilities
  13. How? AWS Cloud Security (the same points, with the AWS services shown alongside each)
     • Focus on API Security: AWS IAM
     • Fast rate of change: AWS CloudFormation
     • Cloud native systems with consistent security capabilities: AWS KMS, AWS CloudTrail, AWS Config, CloudWatch Logs, CloudWatch Alarms, AWS IAM
  14. How? Automation (pipeline diagram labels: Version Control, CI Server, Package Builder, Deploy Server; Commit to Git/master; Ops Get/Pull Code; Create Repo; Code, Config, Tests; Distributed Builds; Run Tests in parallel; AMIs; Generate CloudFormation Templates for Environment; Push Config; Install; Test Env, Staging Env, Prod Env)
  15. Xero AWS Security Overview
  16. Key principles
     • Repeatable and automated build and management of security systems
     • Accelerated pace of security innovation
     • On-demand security infrastructure that works at any scale
  17. Security as a service
     • VPN connectivity
     • Host Based Security
     • Web Application Security and Delivery
     • Shared Key Management Services
     • Security Operations and Consulting Services
     • Secure Bastion Access
     • Proxy Services
  18. AWS Security Guidance Recommendations
  19. Secure by Design: AWS Cloud Security
     • Account structure
     • VPC structure
     • Service mapping
     • Key services
     • Visibility
     • Logging/Monitoring
     • Secure Bastions
  20. Secure by Design: Account Structure
  21. Secure by Design: Account Structure (diagram labels: Billing; Non-Production: Development, Shared Services, UAT; Production: Production, Staging, Shared Services; Identity; Security)
  22. Secure by Design: Service Mapping
  23. Secure by Design: Service Mapping (diagram labels: the accounts of slide 21 with AWS IAM, IAM Users, IAM Groups, IAM Roles, IAM Policy, AWS KMS, AWS CloudTrail, CloudTrail S3 Bucket, CloudTrail Glacier Vault, AWS Config, Config S3 Bucket, Config Glacier Vault, CloudWatch Logs, CloudWatch Alarms, SNS Email Notifications)
  24. Secure by Design: VPC Structure
  25. Secure by Design: VPC Structure (diagram labels: Production and Shared Services VPCs; Internet Gateway; DMZ "Public" Zone; Protected "Private" Zone; Router; VPC Peering; Secure Bastion; WAF; NGFW; ADFS; Amazon CloudFront; Production EC2 Workloads; Staging EC2 Workloads; PKI; AD; Outbound Proxy; NTP; DNS; S3 VPC Endpoint; VPC Flow Log; Static Assets S3 Bucket; Backup S3 Bucket; Amazon Route 53; Internet Servers; VPN Gateway; IPSec VPN Connection; Customer Gateway; Corporate Data Center)
  26. Secure by Design: VPC Peering (same diagram as slide 25)
  27. Secure by Design: VPC Endpoints (same diagram as slide 25)
  28. Secure by Design: Key Services
  29. Secure by Design: CloudTrail (Day One)
     CloudTrail Settings
     • All Regions (Multi-Region setting)
     • Log File Integrity Validation
     • Log File Encryption with KMS
     S3 Bucket Policy
     • Restrict Authorised Users to have Read-Only access
     • Allow Only the CloudTrail service to have Write access
     (diagram labels: AWS KMS, AWS CloudTrail, CloudTrail S3 Bucket, S3 Lifecycle Rules, CloudTrail Glacier Vault)
  30. Secure by Design: Config (Day One)
     Config Settings
     • All Regions (No multi-region setting, so Automate)
     • Enable All available Resource Types for tracking
     S3 Bucket Policy
     • Restrict Authorised Users to have Read-Only access
     • Allow Only the Config service to have Write access
     (diagram labels: AWS Config, Config S3 Bucket, S3 Lifecycle Rules, Config Glacier Vault)
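As an added illustration of the slide 29 and 30 settings (not code from the deck, Xero or Bulletproof), a small Python audit of a trail's settings and of a log-delivery bucket policy, using constructed sample data: the field names are the real CloudTrail `DescribeTrails` fields and S3 policy keys, while the trail name, bucket, account id, role and key ARN are invented.

```python
# Constructed to resemble one DescribeTrails.trailList entry (real CloudTrail field names).
SAMPLE_TRAIL = {"Name": "org-trail", "S3BucketName": "example-cloudtrail-logs",
                "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
                "KmsKeyId": "arn:aws:kms:ap-southeast-2:111122223333:key/EXAMPLE-KEY-ID"}

BUCKET = "arn:aws:s3:::example-cloudtrail-logs"
# Constructed bucket policy in the AWS-documented log-delivery shape: the CloudTrail
# service may read the bucket ACL and write objects; one audit role gets read-only.
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": BUCKET},
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": BUCKET + "/AWSLogs/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/SecurityAudit"},
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trail(trail):
    """Findings against the slide-29 trail settings; an empty list means compliant."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail does not cover all regions")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file integrity validation disabled")
    if not trail.get("KmsKeyId"):
        findings.append("log files not encrypted with a KMS key")
    return findings

def audit_log_bucket_policy(policy, service="cloudtrail.amazonaws.com"):
    """Findings: only `service` may write, every other Allow must be read-only (pass config.amazonaws.com for slide 30)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        is_service = isinstance(principal, dict) and principal.get("Service") == service
        acl = stmt.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        for action in _as_list(stmt.get("Action", [])):
            act = action.lower()
            if not is_service and not act.startswith(("s3:get", "s3:list")):
                findings.append(f"{principal!r} allowed write-capable action {action}")
            if is_service and act == "s3:putobject" and acl != "bucket-owner-full-control":
                findings.append("service PutObject lacks bucket-owner-full-control condition")
    return findings
```

Both functions return an empty list for the sample data; feeding them the output of `aws cloudtrail describe-trails` and `aws s3api get-bucket-policy` gives the same check against a live account.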
  31. Secure by Design: Identity and Access Management (IAM)
  32. Secure by Design: Identity and Access Management (IAM) (diagram labels: AWS IAM with Amazon EC2, AWS Elastic Beanstalk, AWS Lambda, Amazon CloudFront, Amazon S3, Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon VPC, Amazon Route 53)
  33. Identity and Access Management
  34. IAM for Identity Account: Authentication
  35. IAM for Identity Account: AWS Console +
  36. IAM for Identity Account: API +
  37. IAM for Identity Account: MFA for Humans
  38. IAM Roles: Build, Repair, Audit
  39. Identity: IAM Cross Account Roles (Non-Production, Production)
  40. IAM Guard Rails (diagram labels: customer gateway, VPN gateway, VPN connection; CloudTrail, Config, KMS, IAM)
  41. IAM Roles: Limited Time Only
  42. Secure by Design: Logging and Monitoring
  43. Logging/Monitoring: API (diagram labels: AWS CloudTrail, CloudTrail S3 Bucket, Lifecycle Rules, CloudTrail Glacier Vault; AWS Config, Config S3 Bucket, Lifecycle Rules, Config Glacier Vault; CloudWatch Logs, CloudWatch Metric Filters, CloudWatch Alarms, Alarm, SNS Email Notifications; AWS Lambda OR Amazon Elasticsearch Service)
  44. Logging/Monitoring: OS, Network, Storage (diagram labels: Amazon EC2 Log Events and VPC Flow Log Packets to CloudWatch Logs, CloudWatch Metric Filters, CloudWatch Alarms, SNS Email Notifications; Amazon CloudFront, S3 Bucket and Elastic Load Balancing Access Logs to Access Logs S3 Bucket, Lifecycle Rules, Access Logs Glacier Vault)
  45. Secure by Design: Visibility
     • CloudTrail, Config and the AWS Console provide a lot of great information
     • Can be hard to find the needle in the haystack...
     • Enter Netflix OSS Security Monkey
     "You can't secure what you don't know about..."
  46. Secure by Design: Security Monkey
  47. Security Monkey: Overview
  48. Security Monkey: Overview - Search
  49. Security Monkey: Overview - Resources
  50. Security Monkey: Users with Admin
  51. Security Monkey: Users with Admin
  52. Security Monkey: Users with Admin – What Changed?
  53. Security Monkey: VPCs with IGWs
  54. Secure by Design: Secure Bastions
  55. Challenge, Secure Bastions (diagram labels: Internet; RDP/SSH; Internet Bastion; Pivot; SQL Server; Your Data)
  56. Solution, Secure Bastions: Multi-Factor Authentication (diagram labels: Internet; HTTPS; RDP; Bastion; Secure Bastion)
  57. Duo Login to Windows
  58. Duo Login to Windows: MFA Prompt
  59. Duo Login to Windows: Duo Mobile App
  60. Duo Login to Linux
  61. Solution, Secure Bastions: Dedicated SQL Mgmt (diagram labels: RDP; Secure Bastion; RDP; SQL Tools Server; SQL Server)
  62. Solution, Secure Bastions: Restrict Network Egress (diagram labels: RDP; Secure Bastion; SQL Tools Server; RDP; SQL Server; Internet)
  63. Solution, Secure Bastions: Restrict EC2 Instance Profiles (diagram labels: RDP; Logged-in User; Secure Bastion; "Secure Bastion" EC2 Instance Profile; IAM Role; IAM Policy; Temporary AWS Creds; Delete RDS SQL DB)
  64. Solution, Secure Bastions: Restrict EC2 Instance Profiles (diagram labels: as slide 63, plus SQL Tools Server; "SQL Tools" EC2 Instance Profile; Logged-in User; Temporary AWS Creds; Create RDS SQL DB)
  65. Solution, Secure Bastions: Disposable (diagram labels: Secure Bastion "Golden Image" AMI; Deploy; Secure Bastion; 7 Days; EBS Snapshot; Forensics)
  66. Key learnings
  67. Key learnings
     • Measure and Test, Monitor Everything
     • Welcome to the cloud - "Where's my span port"?
     • Security by Design - What's that?
     • Communication is Key - Who are your spokespeople?
  68. Final takeaways
     • Repeatable and Automated build and management of Security Systems
     • Accelerated pace of security innovation
     • On-Demand security infrastructure that works at any scale
  69. What can I do today?
  70. Things you can do right now
     • User MFA Tokens
     • AWS Config
     • AWS CloudTrail
  71. Things you should consider
     • Netflix Security Monkey
     • Duo MFA
     • Granular Roles
  72. Only A/NZ AWS Premier Partner at the Summit
  73. Over 700+ Happy Customers
