This document discusses Security by Design (SbD), an approach to formalizing AWS account design, automating security controls, and streamlining auditing. SbD builds security in throughout the AWS management process rather than relying on retroactive auditing. It treats infrastructure as code, is modular, versioned and constrained. The document outlines how SbD can modernize technology governance by adopting preventative controls and making detective controls more powerful and comprehensive through automation.
2. Problem statement
Increasing complexity (mobility, system connectivity)
causes increasing difficulty in managing risk and security
and demonstrating compliance.
4. Issues—technology governance
The majority of technology governance processes relies
predominantly on administrative and operational security
controls with limited technology enforcement.
Assets
ThreatVulnerability
Risk
AWS has an opportunity to innovate and
advance technology governance services.
5. Flexibility and complexity
Single VPC ormultiple VPCs
Public or private
subnets
Who will manage
the keys
AWS Identity and Access
Management (IAM) groups or roles
What is the regulatory
requirement?
What's in scope or out
of scope?
How to verify the
standards are met?
Which AWS
database
6. Security by Design
Security by Design (SbD) is a security
assurance approach that formalizes AWS
account design, automates security controls,
and streamlines auditing.
Instead of relying on auditing security
retroactively, SbD provides security control
built in throughout the AWS IT management
process.
AWS Identity & Access
Management (IAM)
AWS CloudTrail
Amazon
CloudWatch
AWS Config
Rules
AWS Trusted
Advisor
AWS
CloudHSM
AWS Key
Management Service
(AWS KMS)
AWS Directory
Service
7. SbD—design principles
• Build security in every layer
• Design for failures
• Implement auto-healing
• Think parallel
• Plan for breach
• Don't fear constraints
• Leverage different storage options
• Design for cost
• Treat infrastructure as code
• Modular
• Versioned
• Constrained
Security by Design involves developing new risk mitigation capabilities, which go beyond
global security frameworks by treating risks, eliminating manual processes, and optimizing
evidence and audit ratifications processes through rigid automation.
9. SbD—modernizing tech governance (MTG)
Why?
Complexity is growing, making the old way to
govern technology obsolete.
You need automation that AWS offers to manage
security.
11. SbD—modernizing tech governance
1.2 Identify your workloads moving to AWS
2.1 Rationalize
security requirements
2.2 Define data
protections and controls
2.3 Document
security architecture
3.1 Build/deploy
security architecture
1. Decide what
to do (strategy)
2. Analyze and
document
(outside of AWS)
1.1 Identify stakeholders
3. Automate,
deploy, and
monitor 3.2 Automate
security operations
4. Certify
3.3 Continuously
monitor
4.1 Audit and certify
3.4 Test and
have game days
12. SbD—rationalize security requirements
AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security
configuration guides that will align to multiple security frameworks globally.
https://www.cisecurity.org/
The benchmarks are:
• Recommended technical control rules
and values for hardening operating
systems, middleware and software
applications, and network devices.
• Distributed free of charge by CIS
in .PDF format.
• Used by thousands of enterprises as
the basis for security configuration
policies and the de facto standard for
IT configuration best practices.
20. Closing the loop
SbD—modernizing technology governance
Result: Reliable technical implementation and enforcement
of operational and administrative controls
21. AWS resources
Amazon Web Services Cloud Compliance
• https://aws.amazon.com/compliance/
SbD website and whitepaper—to wrap your head around this
• https://aws.amazon.com/compliance/security-by-design/
22. Allgress—getting started
1. Engage with Allgress in the field: Contact sales
2. Get started with the Allgress GetCompliant Portal to easily
pull compliance configurations from AWS customer accounts
3. Download the Allgress Module Breakdown
23. Splunk—Getting started
1. Engage with Splunk in the field: aws-splunk-team@amazon.com can
point you in the right direction, and you can request the Splunk
Playbook.
2. Download Splunk>Enterprise.
3. Download and set up the Splunk App for AWS (and supporting TA) to
easily configure Splunk for Config, CloudTrail, CloudWatch metrics,
VPC flog logging, S3, and Billing.
4. Take the self-paced Using Splunk tutorial and look at Splunk>Docs and
Splunk>Apps for more.
5. You can get started quickly with the Splunk search commands, and
then use supporting documentation to advance your skill. Our
Quick Reference Guide becomes an essential tool and cheat sheet.
Other search reference documentation is posted also.