
FSV301-Security Anti-Patterns Mistakes to Avoid.pdf


At AWS, security is job zero. Our infrastructure is architected for the most data-sensitive financial services companies in the world. We have worked with global enterprises to meet their respective security requirements and have learned that there are best practices and pitfalls to avoid. In this session, we provide a guided tour of governance patterns to avoid: ones that may seem logical at first, but that actually impede your ability to scale and realize business agility. We also cover best practices, such as setting up key preventative and detective controls for implementing 360 degrees of security coverage, practicing DevSecOps on a massive scale, and leveraging AWS services (such as Amazon VPC, IAM, Amazon EMR, Amazon S3, Amazon CloudWatch, and AWS Lambda) to meet the most strict and robust enterprise security requirements.


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security Anti-Patterns: Mistakes to Avoid (FSV301). Kurt Gray, Solutions Architect, Global Financial Services, AWS. Jonathan Baulch, Director of Architecture, Fidelity Investments. November 27, 2017
  2. Anti-Pattern: A common response to a recurring problem that is usually ineffective and risks being highly counterproductive
  3. Risks of Security Anti-Patterns
     Lack of SecOps agility:
     • Slow threat assessments
     • Can’t patch fast enough
     • Reactive security posture
     Lack of business agility:
     • Slow to onboard new customers
     • Hard to practice true DevOps
     • Outpaced by disruptors
     • Rogue dev projects
  4. Four Types of Security Anti-Patterns: Account Structure, Network Design, InfoSec Auditing, Software Delivery
  5. Four Types of Security Anti-Patterns: Account Structure, Network Design, InfoSec Auditing, Software Delivery
  6. Anti-Pattern: Personally Owned AWS Accounts
     • Root login: one person’s inbox
     • Root MFA: that person’s mobile phone
     • Risk: What if they leave the company?
     • Only root can edit this. AWS cannot.
  7. Best Practice: Group Contacts on All Accounts
     • Root email: team distribution list address
     • Root MFA: hardware device, in office safe
     • Contact info: company street address
     • Phone number: company main number
     • No one logs into account root! Use IAM only!
  8. Anti-Pattern: AWS Account Overcrowding (diagram: one AWS account shared by Analytics Team 1, Database Team 7, Personalization Team and a Privileged Admin)
  9. Anti-Pattern: AWS Account Overcrowding (diagram: the same account now shared by Analytics Team 1, Database Team 7, Personalization Team, User Profiles Ops Team, Capital Markets UX Team, New App Dev Team, DevSecOps Team, Random Developer, Random Contractor, Privileged Admin and BU Architect)
  10. Risk: Ambiguous Security Boundaries (diagram: the overcrowded account from slide 9, with question marks where the boundaries between the teams should be)
  11. Multi-Account Strategy: AWS Account per Biz Cap Dev Team (diagram: Analytics Team 1, Database Team 7, DevOps Team, Capital Markets UX Team, New App Dev Team, Random Contractor, SecOps Auditor and BU Architect, each working in a separate AWS account)
  12. OO Design: Each Biz Cap Team is a Separate Object (diagram: Capital Markets UX Team and Portfolio API Team, each with its own Monitoring, AuthN/AuthZ and Data Protection, communicating through REST API calls and Service Integrations)
  13. Full Accountability: Builders Build, SecOps Monitors (diagram: as slide 12, with a SecOps Team applying Detective Controls, Preventative Controls and Directive Controls across both teams)
  14. Four Types of Security Anti-Patterns: Account Structure, Network Design, InfoSec Auditing, Software Delivery
  15. Anti-Pattern: Trusted IP Access w/o Client Auth
     • Routing is not security
     • Dynamic IP whack-a-mole
     • Doesn’t identify end users
     • Not defense in depth
     • Not highly scalable
     (diagram: a DMZ network in front of a backend network of Core Services, reached through VPN 1, VPN 2, Private Route 3 and Private NAT 4, with allow rules such as HTTP (80) ALLOW 88.44.21.148, HTTP (80) ALLOW 64.23.0.0/16, HTTP (80) ALLOW 204.172.63.12, HTTP (80) ALLOW 183.62.242.71 … and so many more …)
  16. Best Practice: Implement AuthN and AuthZ
     Design your web services to be publicly addressable, even if they’re not
     • Especially for core services
     • Highly scalable and auditable
     • Defense in depth: stacked edge services
     (diagram: AWS Shield in front of Amazon API Gateway with IAM auth, certificate or custom auth, fronting AWS Lambda, Amazon EC2, an Amazon S3 bucket and Amazon DynamoDB as Core Shared Resources; AWS API calls and AWS service integrations are recorded by AWS CloudTrail; private access through AWS VPC Endpoints)
  17. Anti-Pattern: Network Egress Backhauling (diagram: Amazon EC2 reaching the Amazon SQS public endpoint through an IGW or NAT)
  18. Anti-Pattern: Network Egress Backhauling (diagram: the same Amazon EC2 to Amazon SQS public endpoint path)
  19. Anti-Pattern: Network Egress Backhauling (diagram: Amazon EC2 traffic to the Amazon SQS public endpoint is routed over Direct Connect (required) to a Traffic Inspection Proxy in the corporate data center and from there out to the Internet)
     • Requires DX on all VPCs
     • Forces hybrid architecture
     • Not highly scalable
     • Adds fragility
     • Adds latency
  20. Example: restricted egress via Exit VPC. Use the Cloud to Secure the Cloud (diagram: Amazon EC2 in application VPCs reaches an Exit VPC over VPC Peering; Restricted Proxy Instances in the Exit VPC reach External Endpoints on the Public Internet; Amazon S3 is reached through VPC Endpoints; Direct Connect to the corporate data center is optional)
  21. Four Types of Security Anti-Patterns: Account Structure, Network Design, InfoSec Auditing, Software Delivery
  22. Anti-Pattern: Security Questionnaires
     • How some customers audit you
     • Point-in-time: not continuous
     • Not based on standards
     • No independent verification
     • Not highly scalable
  23. Best Practice: Attestations Instead of Questionnaires
     • SOC 2, PCI DSS, HIPAA, etc.
     • Standardized controls:
       • AICPA Trust Services Criteria (SOC 2)
       • NIST Cybersecurity Framework
       • PCI DSS ROC Template (PCI)
       • ISO 27002 (ISO 27001 Annex A)
       • HITRUST CSF (HIPAA)
       • NIST 800-53 (FISMA)
     • Third-party QSAs verify compliance
     • Recertification cadence
  24. Best Practice: Align with the Standard Controls (NIST CSF, AICPA TSC, HITRUST CSF, ISO 27001)
     • Audit trails
     • Change management
     • System documentation
     • InfoSec policy training
     • Incident response
     • Intrusion prevention
     • Data encryption
     • Backup tests
     • etc. …
     Non-standard controls: lower priority
  25. InfoSec Controls Pertaining to Servers

     | Control                              | TSC Ref (SOC 2) | PCI DSS v3.2 Ref  |
     |--------------------------------------|-----------------|-------------------|
     | Software patching, change management | CC7.5, CC8.1    | 6.2, 6.4          |
     | Anti-virus detection and prevention  | CC6.8           | 5.1               |
     | Access logging, anomaly detection    | CC7.2           | 4.3, 10.1         |
     | Access management                    | CC6.1           | 2.1, 8.1          |
     | Data encryption                      | CC6.1           | 4.3, 3.5, 3.6     |
     | Secrets management                   | CC6.1           | 2.1, 3.5          |
     | Monitoring                           | CC7.1, CC7.2    | 10.1              |
     | Time clock synchronization           | (CC2.1)         | 10.4              |
     | Asset inventory                      | CC6.1           | 2.4, 3.5.1, 9.7.1 |

  26. Anti-Pattern: Manual Technical Auditing
     • How you audit yourself
     • Manual technical audits
     • Not highly scalable
     • Inconsistent process
     • Typically reactive
  27. Best Practice: Continuous Automated Auditing
     DevSecOps: security as code:
     • Proactive controls enforced by code
     • Continuous evidence-based auditing
     Continuous detective controls:
     • Amazon CloudWatch Logs + Alarms
     • Amazon Inspector for EC2
     • Amazon Macie for Amazon S3
     • AWS Trusted Advisor
     • AWS Config rules
     • Cloud Conformity
     • Cloud Custodian
     • evident.io
     • Dome9
     • cfn-nag
     • …and many more!
  28. Anti-Pattern: Not Using AWS Native-Managed Services (diagram: DevOps Team A, DevOps Team B, DevOps Team C and DevOps Team D each running their own stack). Methodology sprawl: audit complications + patch drift
  29. Consistency and Compliance from AWS-Managed Services (diagram: DevOps Teams A, B, C and D building on the same AWS-managed services). Refer to AWS Artifact for AWS attestations and responsibilities
  30. Example: Amazon RDS At-Rest Encryption Audit (Python example)

     ```python
     import boto3
     from botocore.exceptions import ClientError

     ec2 = boto3.client('ec2')
     regions = ec2.describe_regions()


     # Lambda invoked by a CloudWatch Scheduled Event
     def handler(event, context):
         # scan each AWS region
         for reg in regions['Regions']:
             # check each RDS instance in region
             rds = boto3.client('rds', region_name=reg['RegionName'])
             try:
                 dbis = rds.describe_db_instances()['DBInstances']
             except ClientError as err:
                 # e.g. region not enabled for this account, or access denied
                 print('{} error: {}'.format(reg['RegionName'], err))
                 continue
             for dbi in dbis:
                 print('{} {} {}'.format(
                     reg['RegionName'],
                     dbi['DBInstanceIdentifier'],
                     dbi['StorageEncrypted']))
                 # react if database StorageEncrypted is False
     ```

     • Can be serverless
     • Can be continuous
     • Can log the results
     • Can send alerts
     • Can remediate
     • No DB connection
     • AWS Config rule: RDS_STORAGE_ENCRYPTED
  31. Example: Amazon S3 Bucket Security Controls
     (diagram: in the us-east-1 region, an Amazon EMR cluster of EC2 instances in the Data Warehouse Backend VPC reaches an Amazon S3 bucket only through a VPC Endpoint for S3; the VPC Endpoint Policy, the S3 Bucket Policy, Bucket Access Logs and Encrypted Objects are shown; the public Internet is blocked)
     Preventative controls:
     S3 Bucket Policy
     • Deny request unless:
       • From specific sourceVpce
       • From specific sourceVpc
       • (AND) has specific IAM role
       • (AND) Server Side Encryption
       • (AND) Secure Transport (SSL)
       • (AND MFA Delete required)
       • (AND Versioning Enabled)
     VPC S3 Endpoint Policy
     • Denies S3 request unless:
       • Targeted to specific S3 buckets
     Detective controls: AWS Config rules
     • s3-bucket-logging-enabled
     • s3-bucket-public-read-prohibited
     • s3-bucket-public-write-prohibited
     • s3-bucket-ssl-requests-only
     Reactive control: Lambda function for automated S3 policy remediation
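The "deny unless" bucket policy of slide 31, as an added example that is not from the deck or from AWS: it builds a bucket policy carrying the VPC-endpoint, IAM-role, server-side-encryption and TLS conditions, and adds a detective check that reports which of those deny conditions an arbitrary policy document lacks. The bucket name, VPC endpoint ID and role ARN are constructed placeholders.

```python
import json

# Constructed placeholders, not values from the deck
BUCKET = "example-data-warehouse-bucket"
VPCE_ID = "vpce-0123456789abcdef0"
ROLE_ARN = "arn:aws:iam::111122223333:role/EMR_DataWarehouse"


def build_bucket_policy(bucket, vpce_id, role_arn):
    """Deny any request not from the expected VPC endpoint, not made by the
    expected role, not server-side encrypted, or not over TLS. A second
    statement shaped like DenyOutsideVpce on aws:SourceVpc adds the VPC check;
    MFA Delete and Versioning are bucket settings, not policy statements.
    Add an exception for a break-glass principal before deploying, or the
    account administrators are locked out as well."""
    arns = ["arn:aws:s3:::%s" % bucket, "arn:aws:s3:::%s/*" % bucket]
    deny = {"Effect": "Deny", "Principal": "*", "Resource": arns}
    return {
        "Version": "2012-10-17",
        "Statement": [
            dict(deny, Sid="DenyOutsideVpce", Action="s3:*",
                 Condition={"StringNotEquals": {"aws:SourceVpce": vpce_id}}),
            dict(deny, Sid="DenyOtherPrincipals", Action="s3:*",
                 Condition={"ArnNotEquals": {"aws:PrincipalArn": role_arn}}),
            dict(deny, Sid="DenyUnencryptedPuts", Action="s3:PutObject",
                 Resource=arns[1],
                 Condition={"Null": {"s3:x-amz-server-side-encryption": "true"}}),
            dict(deny, Sid="DenyInsecureTransport", Action="s3:*",
                 Condition={"Bool": {"aws:SecureTransport": "false"}}),
        ],
    }


# Condition key -> operator a Deny statement must use for that control to hold
REQUIRED = {
    "aws:SourceVpce": "StringNotEquals",
    "aws:PrincipalArn": "ArnNotEquals",
    "s3:x-amz-server-side-encryption": "Null",
    "aws:SecureTransport": "Bool",
}


def missing_controls(policy):
    """Detective check: the required deny conditions a policy (dict or JSON
    text) lacks; an empty list means all four controls are present."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            found.update(k for k in keys if REQUIRED.get(k) == operator)
    return sorted(set(REQUIRED) - found)
```

Run `missing_controls` over a bucket's current policy (for example the output of `aws s3api get-bucket-policy`) from a scheduled Lambda to get a continuous check in the spirit of slide 27.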
  32. Best Practice: Train Your Technical Auditors
     • AWS Auditor Learning Path
     • AWS Tech Essentials
     • Goal: DevSecOps
  33. Four Types of Security Anti-Patterns: Account Structure, Network Design, InfoSec Auditing, Software Delivery
  34. Anti-Pattern: Over-the-Wall Software Delivery
     • Dev, QA, and ops kept separate
     • Manual handoff processes
     • CI/CD logistically blocked
     • Tight controls and guardrails
     • Post-deployment security checks
     • Infrequent release cycles
     • Infrequent patch rollouts
  35. Traditional Delivery via Separate Functional Teams (diagram: Architecture, Development, QA and Operations as separate teams)
  36. DevOps: Small Interdisciplinary Delivery Teams (diagram: Development, QA and Operations combined in one DevOps team)
  37. DevOps Delivery: SDLC (Software Development Lifecycle) (diagram: the DevOps team takes a Change Request through Develop, Automated Delivery, Automated Tests, Automated Deployment and Automated Monitoring)
  38. DevOps Quality: Fanatical Testing and Automation (diagram: as slide 37, with Unit Tests, Integration Tests and UI Tests in the Automated Tests stage)
  39. Critical Practice: SSDLC (Secure Software Development Lifecycle) (diagram: the DevSecOps team takes a Change Request through Develop, Automated Delivery with Code Review, Automated Tests (Unit Tests, Static Analysis, Integration Tests, UI Tests, Security Tests), Automated Deployment and Automated Monitoring; test results, deployment logs and deployment notifications are retained as Audit Trails and Artifacts)
  40. Example: DevSecOps Pipeline on AWS (diagram: stages Commit, Build, Test, Approve and Production orchestrated by AWS CodePipeline; developers commit app code to an AWS CodeCommit private git repo; AWS CodeBuild runs unit tests, security tests and code scanning and stores the build artifact in Amazon S3; AWS CloudFormation and AWS CodeDeploy deploy to Amazon EC2 for acceptance tests; Amazon SNS and a Review Dashboard support the change review; SecOps monitoring and alerts cover production)
  41. Example: Continuous and Routine OS Rehydration, Patching (diagram with two pipelines)
     Application pipeline (AWS CodePipeline; Commit, Build, Test, Production): app developers commit app code to an AWS CodeCommit private git repo; AWS CodeBuild runs unit tests, security tests and code scanning and stores the build artifact in Amazon S3; AWS CloudFormation and AWS CodeDeploy deploy to Amazon EC2 for acceptance tests; SecOps monitoring and alerts cover production.
     AMI pipeline (AWS CodePipeline; Commit, Build, Test, Publish): SecOps devs commit a new Ansible playbook.yml to an AWS CodeCommit private Git repo; AWS CodeBuild (Ubuntu runtime) installs HashiCorp Packer and builds a custom EC2 AMI from the Amazon EC2 base AMI; acceptance tests and security tests run against it; the new blessed AMI is published through AWS CloudFormation and announced to app dev teams via Amazon SNS.
  42. DevSecOps at Fidelity Investments. Jonathan Baulch, Director of Architecture, Fidelity Investments
  43. How Fidelity is Leveraging AWS
     • Web application re-platform
     • Big-data analytics
     • Artificial Intelligence platform
     • DevOps transformation
  44. Layers of Security at Fidelity: Prevention, Detection, Remediation
  45. Example CI/CD Pipeline Used at Fidelity (diagram)
  46. Example CI/CD Pipeline Used at Fidelity: Prevention recommended
  47. Example CI/CD Pipeline Used at Fidelity: Prevention enforced
  48. Example CI/CD Pipeline Used at Fidelity: Rogue IAM Role
  49. Example CI/CD Pipeline Used at Fidelity: Rogue IAM Role, Continuous detection
  50. Example CI/CD Pipeline Used at Fidelity: Rogue IAM Role, Automatic remediation
  51. cfn-nag: Linting for CloudFormation Templates
     • Free, open source
     • Extremely extensible
     • Least-privilege checking
     • Access-logs check
     • Encryption checks
     • Security groups checks
     • and more!
  52. Extending cfn-nag for Fidelity (diagram)
  53. Extending cfn-nag for Fidelity (diagram)
  54. Extending cfn-nag for Fidelity (diagram)
  55. Example: IAM policy compliance check. Every role requires a whitelist attached

     ```json
     …
     "Resources": {
       "sqsProducer": {
         "Type": "AWS::IAM::Role",
         "Properties": {
           "RoleName": "SQS_Producer",
           "AssumeRolePolicyDocument": {
             "Version": "2012-10-17",
             "Statement": [
               {
                 "Effect": "Allow",
                 "Principal": {
                   "AWS": {
                     "Fn::Join": [
     …
     ```
  56. Compliance exception caught by cfn-nag

     ```
     $ cfn_nag_scan -i sampleCfnCft.json
     ------------------------------------------------------------
     sampleCfnCft.json
     --------------------------------------------------------------------------
     ----------------------------------------------
     | FAIL FID1
     |
     | Resources: ["sqsProducer"]
     |
     | Role does not have IAM Whitelist policy attached

     Failures count: 1
     Warnings count: 0
     ```
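The check behind the FID1 failure on slides 55 and 56, as an added stand-alone example (not cfn-nag's rule API and not Fidelity's code): every AWS::IAM::Role in a CloudFormation template must list the organisation's whitelist managed policy, and the report mimics the FAIL / Failures count shape shown above. The whitelist policy ARN and the sample template are constructed placeholders.

```python
import json

# Constructed placeholder ARN for the organisation's IAM whitelist managed policy
WHITELIST_POLICY_ARN = "arn:aws:iam::111122223333:policy/IAMWhitelist"


def roles_missing_whitelist(template, whitelist_arn=WHITELIST_POLICY_ARN):
    """Logical IDs of AWS::IAM::Role resources whose ManagedPolicyArns does not
    contain the whitelist policy. Accepts a dict or JSON text. Only literal
    ARNs are matched; a Ref or Fn::ImportValue would need resolving first."""
    if isinstance(template, str):
        template = json.loads(template)
    failing = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        attached = res.get("Properties", {}).get("ManagedPolicyArns", [])
        if whitelist_arn not in attached:
            failing.append(logical_id)
    return failing


def report(template):
    """Summarise the check in the FAIL / Failures count shape cfn-nag prints."""
    failing = roles_missing_whitelist(template)
    lines = []
    if failing:
        lines += ["| FAIL FID1", "| Resources: " + json.dumps(failing),
                  "| Role does not have IAM Whitelist policy attached"]
    lines.append("Failures count: %d" % len(failing))
    return "\n".join(lines)


# Constructed sample template: sqsProducer lacks the whitelist, sqsConsumer has it
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
SAMPLE_TEMPLATE = {
    "Resources": {
        "sqsProducer": {"Type": "AWS::IAM::Role", "Properties": {
            "RoleName": "SQS_Producer", "AssumeRolePolicyDocument": TRUST}},
        "sqsConsumer": {"Type": "AWS::IAM::Role", "Properties": {
            "RoleName": "SQS_Consumer", "AssumeRolePolicyDocument": TRUST,
            "ManagedPolicyArns": [WHITELIST_POLICY_ARN]}},
        "queue": {"Type": "AWS::SQS::Queue"},
    }
}

if __name__ == "__main__":
    print(report(SAMPLE_TEMPLATE))
```

Wired into the Build stage of the pipeline on slide 40, a non-zero failures count is what stops a rogue role from ever reaching the Approve stage.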
  57. Critical Learnings
     • Avoid the wall: drive controls through practical use cases
     • DevSecOps increases not only agility, but security as well
     • Application team empowerment
  58. Key Takeaways
     Standard controls:
     • Prescriptive
     • Certifiable
     Managed services:
     • Consistent controls
     • Less overhead
     DevSecOps practices:
     • Faster delivery
     • Faster patching
     • Faster innovation
  59. Thank you! Please submit your evaluations!
  60. References and Resources
     • AWS Artifact: AWS compliance reports and certifications
     • AWS Cloud Compliance
     • AWS Auditor Learning Path
     • AWS Managed Config Rules
     • AWS Multi-Account Strategy
     • Practicing CI/CD on AWS
     • AWS Security Blog
     • How to Automate S3 Bucket Policy Remediation
     • How to Automate Security Group Rule Remediation
     • How to Setup Sophos Outbound Web Proxy
     • How to Setup a CloudFormation Template Validation Pipeline
     • cfn-nag: CloudFormation linting
     • Succeeding with Agile by Mike Cohn
     • DevSecOps.org
