
Compliance in the Cloud Using Security by Design


Up-front design of your AWS account can be done in a way that creates a reliably secure and controlled environment no matter how the AWS resources are used. This session will focus on "Secure by Design" principles and show how an AWS environment can be configured to provide a reliable operational security control capability to meet the compliance needs across multiple industry verticals (e.g. HIPAA, FISMA, PCI, etc.). This will include operational reporting through the use of AWS services (e.g. Config/Config Rules, CloudTrail, Inspector, etc.) as well as integration with partner solutions such as Splunk and Allgress for real-time governance, risk, and compliance reporting. Key takeaways from this session include: AWS security best practices and automation capabilities for securing your environment; automation accelerators for configuration, compliance, and audit reporting using CloudFormation, Config/Config Rules, CloudTrail, Inspector, etc.; and ISV integration for real-time notification and reporting for security, compliance, and auditing in the cloud.

Published in: Technology


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Tim Sandage, Sr. Security Partner Strategist; Vidhya Krishnamoorthy, Sr. Engineer, DevOps, VeriFone. July 13, 2016. Compliance in the Cloud Using Security by Design
  2. Problem Statement: Increasing complexity (mobility, system connectivity) causes increasing difficulty in managing risk and security and demonstrating compliance.
  3. Current State – Technology Governance: Policies Procedures and Guidelines Standards
  4. Issues – Technology Governance: The majority of technology governance processes rely predominantly on administrative and operational security controls with LIMITED technology enforcement. (Diagram labels: Assets, Threat, Vulnerability, Risk.) AWS has an opportunity to innovate and advance Technology Governance Services.
  5. Flexibility and Complexity: What is the regulatory requirement? What's in-scope or out-of-scope? How to verify the standards are met?
  6. Security by Design: Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process. (Diagram labels: Identity & Access Management, CloudTrail, CloudWatch, Config Rules, Trusted Advisor, Cloud HSM, Key Management Service, Directory Service.)
  7. Security by Design - Design Principles: • Build security in every layer • Design for failures • Implement auto-healing • Think parallel • Plan for Breach • Don't fear constraints • Leverage different storage options • Design for cost • Treat Infrastructure as Code • Modular • Versioned • Constrained. Developing new risk mitigation capabilities, which go beyond global security frameworks, by treating risks, eliminating manual processes, optimizing evidence and audit ratifications processes through rigid automation.
  8. SbD - Eco-system: Security by Design (SbD); AWS CloudFormation; AWS Config Rules; Amazon Inspector
  9. SbD - Modernize Tech Governance (MTG): Why? Complexity is growing, making the old way to govern technology obsolete. You need automation that AWS offers to manage security.
  10. Goal - Modernize Tech Governance (MTG): Adopting “Prevent” controls, making “Detect” controls more powerful and comprehensive
  11. SbD - Modernizing Technology Governance (MTG): 1. Decide what to do (Strategy): 1.1 Identify Stakeholders; 1.2 Identify Your Workloads Moving to AWS. 2. Analyze and Document (outside of AWS): 2.1 Rationalize Security Requirements; 2.2 Define Data Protections and Controls; 2.3 Document Security Architecture. 3. Automate, Deploy & Monitor: 3.1 Build/deploy Security Architecture; 3.2 Automate Security Operations; 3.3 Continuous Monitor; 3.4 Testing and Game Days. 4. Certify: 4.1 Audit and Certification.
  12. SbD – Rationalize Security Requirements: AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security configuration guides that will align to multiple security frameworks globally. https://www.cisecurity.org/ The Benchmarks are: • Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices • Distributed free of charge by CIS in .PDF format • Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.
  13. SbD – AWS CIS Benchmark Scope: Foundational Benchmark: CloudTrail, Config & Config Rules, Key Management Service, Identity & Access Management, CloudWatch, S3, SNS. Three-tier Web Architecture: EC2, Elastic Load Balancing, VPC, Direct Connect, Amazon Elastic Block Store, Cloud HSM, Glacier, Route 53, VPN Gateway, CloudFront.
  14. Define Data Protections and Controls
  15. Document Security Architecture: https://getcompliant.allgress.com/gc
  16. Business Case: VeriFone Commerce Platform • Global leader in secure POS solutions • Commerce Portal: Secure B2B App Marketplace and Developer Platform enabling merchants to customize the point of sale through innovative apps that provide customers with rich, contextual experiences in store
  17. (Architecture diagram labels: S3, CodeDeploy, CloudFormation, KMS, CloudHSM, CloudTrail.) Note: All tiers are designed for auto-scaling, automated Multi-AZ failover
  18. Security Considerations: ● Multiple AWS accounts ● VPC, private subnets for application servers and RDS ● Minimal network perimeter (Only SSL Terminating Reverse Proxy in DMZ) ● Tightened Security Groups - fine grained rules for ports and CIDRs ● Immutable Docker containers, CloudTrail, Log aggregation using Splunk ● Compliance with “All code stays on-premises”
  19. Security Considerations (Contd): ● CIS-benchmarked AMIs ● Hardened Linux/Software ● KMS-based secret management ● Two-factor authentication on AMIs ● Advanced user and key management using LDAP. Elimination of ec2-user ● HSM for secure data/keys
  20. Secure Code Delivery Pipeline (diagram labels: Dev; Code + Dockerfile; S3/KMS; Prod; Code; Docker Image)
  21. Other Benefits: Availability: HA with Multi-AZ solution; Auto-Scaling. Innovation: Infrastructure as Code; Agility and Flexibility; Ansible-based config management; Dockerfiles for software provisioning; Full CI/CD
  22. Next Steps: • Continue Security by Design approach – AWS WAF for firewall • Enhance User Management - LDAP authentication/SSO approaches • EC2 Run Command/Opsworks for operations • ECS for Docker and ECR for Docker Registry
  23. Partnership: • Established an AWS/DevOps philosophy at Verifone • Architected/Implemented foundation layer for the Verifone solution • Built a POC that provided security with agility
  24. SbD – Automate Security Operations: Automate deployments, provisioning, and configurations of the AWS customer environments. (Diagram labels: CloudFormation; Service Catalog; Stack; Template; Instances; Apps; Resources; Design; Package; Products; Portfolios; Deploy; Constrain; Identity & Access Management; Set Permissions.)
  25. Continuous Monitor – Splunk. (Diagram labels: AWS CloudTrail, EMR, Kinesis, VPC, ELB, S3, Lambda, AWS Config, AWS CloudWatch, IoT, Other Services; Add-on for AWS; Splunk App for AWS; Explore, Analyze, Dashboard, Alert.) Use Cases for AWS: Security Intelligence (CloudTrail, CloudWatch, VPC); Operational Intelligence (CloudWatch, ELB, etc.); DevOps Intelligence (CloudWatch, Lambda); Big Data Insights (Kinesis, EMR, IoT, S3)
  26. Splunk App for AWS – Visualize & Monitor: AWS CloudTrail Resource Activity; AWS CloudTrail User Activity
  27. SbD - Modernizing Technology Governance (MTG): Automate Governance; Automate Deployments; Automate Security Operations; Continuous Compliance
  28. Closing the Loop: SbD - Modernizing Technology Governance. Result: Reliable technical implementation and enforcement of operational and administrative controls
  29. AWS Resources: Amazon Web Services Cloud Compliance • https://aws.amazon.com/compliance/ SbD website and whitepaper – to wrap your head around this • https://aws.amazon.com/compliance/security-by-design/
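
A "detect" control for the tightened security groups and minimal network perimeter listed under Security Considerations, as an added example that is not from the presentation: it evaluates security groups in the dict shape returned by EC2 DescribeSecurityGroups and reports Config-style compliance values. The `Tier=dmz` tag convention, the /16 limit and the sample groups are assumptions constructed for illustration.

```python
import ipaddress

WORLD = {"0.0.0.0/0", "::/0"}
MIN_PREFIX = 16            # assumed policy: internal IPv4 sources no broader than /16
DMZ_TAG = ("Tier", "dmz")  # assumed tagging convention for the reverse-proxy tier

def findings_for(group):
    """List policy violations in one security group (DescribeSecurityGroups shape)."""
    tags = {t["Key"]: t["Value"] for t in group.get("Tags", [])}
    is_dmz = tags.get(DMZ_TAG[0]) == DMZ_TAG[1]
    out = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1":
            out.append("rule allows all protocols and ports")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            https_only = proto == "tcp" and lo == 443 and hi == 443
            if cidr in WORLD:
                # Only the DMZ tier may be world-reachable, and only on 443.
                if not (is_dmz and https_only):
                    out.append(f"world-open ingress {proto}/{lo}-{hi} from {cidr}")
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4 and net.prefixlen < MIN_PREFIX:
                out.append(f"source {cidr} broader than /{MIN_PREFIX}")
    return out

def evaluate(groups):
    """Map GroupId -> (compliance, findings), using Config-style compliance values."""
    result = {}
    for g in groups:
        found = findings_for(g)
        result[g["GroupId"]] = ("NON_COMPLIANT" if found else "COMPLIANT", found)
    return result

# Constructed sample data, not taken from any real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-dmz-example", "Tags": [{"Key": "Tier", "Value": "dmz"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app-example", "Tags": [{"Key": "Tier", "Value": "app"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db-example", "Tags": [{"Key": "Tier", "Value": "db"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

if __name__ == "__main__":
    for gid, (status, found) in evaluate(SAMPLE_GROUPS).items():
        print(gid, status, found)
```

The same evaluation logic could sit behind a custom Config rule or run over exported group descriptions during an audit.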
