AWS is hosting the first FSI Cloud Symposium in Hong Kong, which will take place on Thursday, March 23, 2017 at the Grand Hyatt Hotel. The event will bring together FSI customers, industry professionals and AWS experts to explore how to turn the dream of transformation, innovation and acceleration into reality by exploiting Cloud, Voice to Text and IoT technologies. The packed agenda includes expert sessions on a host of pressing issues, such as security and compliance, as well as customer experience sharing on how cloud computing is benefiting the industry.
Speakers:
Myles Hosford, Security Solutions Architect APAC, AWS
Anthony Hodge, Head, Cloud Engineering and Delivery, Standard Chartered Bank
2. Agenda
• The Problem facing current security programs
• The Solution (or some of it :-)
  1. Automated Deployment
  2. Adopt Industry Best Practices
  3. Automated Compliance
  4. Automated Incident Response
• Next Steps & Resources
3. The Problem
• Evolving & Complex Threat Landscape
• Infrequent Security Reviews
• Heavily Regulated Control Requirements
• Lack of automation introduces error
4. The Lay of the Land…
Financial Institution
• Operating in a number of countries with many regulators
• Complex / Legacy IT
• Security ‘Debt’, e.g. Patch Management constantly behind
• Traditional third-party outsourcing requirements might not be suited for cloud
FinTech / Startup
• Probably ‘zero’ regulation but doing business with regulated financial institutions
• Moving fast to deliver and iterate the ‘MVP’. Security not the highest priority.
• Must jump through third-party due diligence for Outsourcing. Can be difficult for small companies with no certifications.
5. Current Security, Risk & Compliance Teams
Operating as separate functions can no longer exist.
Current SRC teams:
• Static position papers, architecture diagrams & documents
• UI-dependent consoles and technologies
• Auditing, assurance, and compliance are decoupled, separate processes
6. Next-Gen Security, Risk & Compliance Teams
All should be part of the ‘maker’ team.
Evolved SRC teams:
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop
(Diagram: AWS CodeCommit, AWS CodePipeline, Jenkins)
9. Three-tier reference architecture (diagram)
• Internet: HTTP / HTTPS only to the web-tier
• DMZ Zone: Auto Scaling group of WEB EC2 instances behind a security group; root volume and data volume; Amazon EBS snapshot (encrypted at rest); logs to an S3 bucket (encrypted AES256)
• App Zone: Auto Scaling group of APP EC2 instances behind a security group; root volume and data volume; Amazon EBS snapshot; logs to an S3 bucket (encrypted AES256)
• DB Zone: security group; AWS CloudHSM; AWS KMS
• Corporate data center connected via Direct Connect or VPN
10. What you do in any IT Environment
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Gold OS images
• Encryption algorithms for data in transit and at rest
Golden Code: Security Translation to AWS
(Diagram: AWS JSON translation of the Gold Image, NTP and NAT, and of the Network ACLs, Subnets and FW rules)
12. CloudFormation. An example: Firewall rule
(Diagram: a rule allowing Telnet, an insecure, clear-text protocol, from any IP on the Internet)
Mis-configuration detected BEFORE the environment is even built!
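A deploy-time check of the kind the slide describes, added here as an example and not code from the deck: it walks a CloudFormation template (a constructed sample is embedded) and flags any security-group ingress open to the whole Internet on anything other than HTTP/HTTPS, naming clear-text protocols such as Telnet. The allowed-port and clear-text tables are this example's assumptions.

```python
import json

# Constructed CloudFormation template (not from the deck): AdminSG opens Telnet
# to the whole Internet, WebSG allows only HTTPS from the Internet.
TEMPLATE = json.loads("""{
  "Resources": {
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "admin access", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web tier", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}}
  }
}""")

WORLD = {"0.0.0.0/0", "::/0"}           # "any IP on the Internet"
ALLOWED_FROM_WORLD = {80, 443}          # assumption: HTTP/HTTPS only, to the web tier
CLEAR_TEXT = {21: "ftp", 23: "telnet"}  # assumption: clear-text protocols worth naming

def _port_range(rule):
    """Inclusive port range of an ingress rule; protocol -1 or no ports means all."""
    if rule.get("IpProtocol") == "-1" or "FromPort" not in rule:
        return 0, 65535
    return int(rule["FromPort"]), int(rule.get("ToPort", rule["FromPort"]))

def find_open_ingress(template):
    """Return a finding for every security-group rule open to the world beyond HTTP/HTTPS."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if rule.get("CidrIp") not in WORLD and rule.get("CidrIpv6") not in WORLD:
                continue                                  # source is scoped, not world-open
            lo, hi = _port_range(rule)
            if lo == hi and lo in ALLOWED_FROM_WORLD:
                continue                                  # the accepted web-tier exception
            named = [CLEAR_TEXT[p] for p in CLEAR_TEXT if lo <= p <= hi]
            findings.append({"resource": name, "ports": (lo, hi),
                             "reason": "world-open " + (", ".join(named) or "port(s)")})
    return findings

def template_is_deployable(template):
    """Pipeline gate: fail the build before any resource is created."""
    return not find_open_ingress(template)
```

Run this against every template in the pipeline's commit stage so the Telnet rule is rejected before CloudFormation ever sees it.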
14. CIS AWS Benchmarks
Foundations: 52 checks aligned to AWS Best Practices
• Root account MFA
• CloudTrail Enabled
• Config & CloudWatch Alarms
Three-Tier: 96 checks aligned to a three-tier web application
• Encrypt EBS volumes
• Resources are ‘tagged’
• Tight security groups
Bake these controls into your CloudFormation templates: 148 security controls by default handed to your development team.
15. Self-Assessment: CIS AWS Benchmarks
Insert AWS github checker here
Your audit teams can get hands-on. Be part of the ‘maker’ team by automating their pre-prod checklists.
18. IT Security Policy & Controls
• Nobody reads them
• Difficult to enforce
• Rarely updated
19. AWS Config Rules: compliance guideline and action if non-compliant
• All EBS volumes should be encrypted: encrypt volumes and alert operations team
• Instances must be from a specific approved AMI: terminate instance and notify build team
• Instances must be tagged with environment type: flag as non-compliant but take no further action
20. AWS Config Rules
Sources of rules: Internal Controls; MAS/HKMA Guidelines; Industry best practice.
Bake these compliance checks into your CloudFormation templates
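The guideline/action table on slide 19 as a table-driven custom AWS Config rule evaluator, added here as an example and not the deck's code. The simplified configuration-item shape (volumes listed on the instance) and the `approvedAmis` rule parameter are this example's assumptions; the real Config item schema differs.

```python
import json

# Constructed, simplified configuration item for one EC2 instance (not from the
# deck; assumption: volume encryption is listed on the instance for brevity).
CONFIG_ITEM = {
    "resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
    "configuration": {
        "imageId": "ami-approved-web",
        "tags": [{"key": "Name", "value": "web-1"}],
        "volumes": [{"volumeId": "vol-01", "encrypted": True},
                    {"volumeId": "vol-02", "encrypted": False}]}}

# One row per line of the slide's table: guideline, check (True = compliant),
# action to take when non-compliant.
RULES = [
    ("All EBS volumes should be encrypted",
     lambda cfg, p: all(v["encrypted"] for v in cfg["volumes"]),
     "encrypt volumes and alert operations team"),
    ("Instances must be from a specific approved AMI",
     lambda cfg, p: cfg["imageId"] in p["approved_amis"],
     "terminate instance and notify build team"),
    ("Instances must be tagged with environment type",
     lambda cfg, p: any(t["key"] == "Environment" for t in cfg["tags"]),
     "flag as non-compliant but take no further action"),
]

def evaluate(item, params):
    """Evaluate one item against every rule; returns Config-style evaluations."""
    cfg, out = item["configuration"], []
    for guideline, check, action in RULES:
        ok = check(cfg, params)
        out.append({"ComplianceResourceType": item["resourceType"],
                    "ComplianceResourceId": item["resourceId"],
                    "ComplianceType": "COMPLIANT" if ok else "NON_COMPLIANT",
                    "Annotation": guideline if ok else f"{guideline}: {action}"})
    return out

def lambda_handler(event, context):
    """Custom Config rule entry point: the item arrives JSON-encoded in
    event['invokingEvent'], parameters in event['ruleParameters']. A deployed
    handler would hand the result to config.put_evaluations with resultToken."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    raw = json.loads(event.get("ruleParameters", "{}"))
    params = {"approved_amis": set(raw.get("approvedAmis", "").split(","))}
    return evaluate(item, params)
```

The Annotation carries the action so the remediation target (a Lambda or SSM document) can act on the string rather than re-deriving the rule.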
24. Amazon CloudWatch Events
• Respond to state changes automatically in your AWS resources
• Resources changing state automatically emit observable events
• Write declarative rules to match events of interest and then invoke targets to take action
• Events can also be scheduled: “Cron in the Cloud”
26. Rapid notification of changes
Changes to AWS resources are delivered to your application in near real-time.
React to suspicious, risky, or problematic situations programmatically, without having to involve an operator.
27. CloudWatch Events. 30 second response time!
Detect malicious API calls and automate the response:
  If trail.StopLogging {
    user.disable
    trail.StartLogging
    email.security_team
  }
Bake these automated response controls into your CloudFormation templates
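The pseudocode above as a working Lambda target for a CloudWatch Events rule matching CloudTrail API calls, added here as an example and not the deck's code: a pure planning step that can be tested offline, then execution through injected boto3 clients. The event payload is constructed, and the SNS topic ARN is a placeholder.

```python
import json

# Constructed "AWS API Call via CloudTrail" event for a StopLogging call
# (field names follow the CloudWatch Events shape; every value is made up).
EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
        "requestParameters": {"name": "arn:aws:cloudtrail:ap-southeast-1:123456789012:trail/org-trail"},
        "sourceIPAddress": "203.0.113.10"}}

DENY_ALL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}

def plan_response(event):
    """Decide what to do; pure function so it is testable without AWS access."""
    d = event.get("detail", {})
    if d.get("eventSource") != "cloudtrail.amazonaws.com" or d.get("eventName") != "StopLogging":
        return []                                   # not the API call this rule handles
    trail = d["requestParameters"]["name"]
    who = d.get("userIdentity", {})
    steps = []
    if who.get("type") == "IAMUser":                # roles and root need a different playbook
        steps.append(("disable_user", who["userName"]))
    steps.append(("start_logging", trail))
    steps.append(("notify", f"StopLogging on {trail} by {who.get('userName', who.get('type'))} "
                            f"from {d.get('sourceIPAddress')}"))
    return steps

def execute(steps, iam, cloudtrail, sns, topic_arn):
    """Carry out the plan in order (disable, re-enable logging, notify) with boto3 clients."""
    for action, arg in steps:
        if action == "disable_user":                # inline deny-all: reversible by the IR team
            iam.put_user_policy(UserName=arg, PolicyName="IncidentDenyAll",
                                PolicyDocument=json.dumps(DENY_ALL))
        elif action == "start_logging":
            cloudtrail.start_logging(Name=arg)
        elif action == "notify":
            sns.publish(TopicArn=topic_arn, Subject="CloudTrail logging stopped", Message=arg)
    return len(steps)

def lambda_handler(event, context):
    import boto3                                    # assumption: runs inside Lambda with boto3
    return execute(plan_response(event), boto3.client("iam"), boto3.client("cloudtrail"),
                   boto3.client("sns"), "arn:aws:sns:REGION:ACCOUNT_ID:security-team")  # placeholder ARN
```

The Lambda's execution role needs only iam:PutUserPolicy, cloudtrail:StartLogging and sns:Publish on the named topic, which keeps the responder itself least-privileged.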
28. How do you get started?
• AWS Free Security Training
• CIS AWS Security Foundations Benchmark
• CIS AWS Three-Tier Web Application Benchmark
• Security / Risk & Compliance Whitepapers
29. Conclusion: The Problem
• Evolving & Complex Threat Landscape
• Infrequent Security Reviews
• Heavily Regulated Control Requirements
• Lack of automation introduces error
30. Conclusion: The Solution
Problems: Evolving & Complex Threat Landscape; Infrequent Security Reviews; Heavily Regulated Control Requirements; Lack of automation introduces error.
Solutions:
• Make security easy for everyone. Build it in by default.
• Evaluate security & compliance continuously.
• Automate response to scale.
• Build control requirements into CloudFormation and blueprints for re-use. Be Consistent.
To remove human error, remove humans :-)