Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Introduction to Security-Focused Standardized Architecture

4,460 views

Published on

The AWS Security Focused Standardized Architecture solution is designed to enable customers create secure and compliant workloads in AWS, as well as reduce the complexity of maintaining secure baselines at scale as customer environments transform over time. This solution provides many benefits, including the ability to securely deploy recommended, reliable, and secure resources in AWS. AWS Security Focused Standardized Architecture is an automated reference architecture, following security-leading practices and supporting multiple customer compliance requirements (e.g. FISMA, PCI, CJIS, FFIEC, HIPAA, etc.). The webinar will dive deep into the four core aspects of this tool: Security Control Responsibility Matrix (CRM), Architecture diagrams, AWS CloudFormation templates, and User Guides and deployment instructions; and will also include an actual demonstration of an automated deployment of a secure and compliant baseline architectures using one of the CloudFormation templates.

Published in: Technology
  • Login to see the comments

Introduction to Security-Focused Standardized Architecture

  1. 1. Brett Miller AWS Professional Services December 2015 Introduction to Security-Focused Standardized Architectures (SFSA)
  2. 2. Welcome & Objectives  Understand the purpose and benefits of SFSA  Review contents of the SFSA package  Review common use case scenarios and implementations  Know how to get started using SFSA in your organization
  3. 3. Customer Challenges  Meeting compliance requirements (NIST, PCI, HIPAA, CJIS, etc.)  Choosing from a myriad of options when designing for the cloud  Making many critical decisions to ensure a secure application when using the AWS Shared Responsibility Model  Mapping security controls to numerous AWS services − Example: 400 NIST 800-53 Security Controls to 42 AWS Services  Error prone and time-consuming manual configuration of AWS resources AWS developed SFSA to address major customer challenges when moving to the cloud
  4. 4. Customer Challenges  Meeting compliance requirements (NIST, PCI, HIPAA, CJIS, etc.)  Choosing from a myriad of options when designing for the cloud  Making many critical decisions to ensure a secure application when using the AWS Shared Responsibility Model  Mapping security controls to numerous AWS services − Example: 400 NIST 800-53 Security Controls to 42 AWS Services  Error prone and time-consuming manual configuration of AWS resources AWS developed SFSA to address major customer challenges when moving to the cloud AWS Solution: SFSA  Standardized for specific use cases  Address security/compliance requirements and AWS best practices  Ready to be pre-approved by customer assessment organizations  Ready to deploy “out of the box”  Customizable
  5. 5. Shared Responsibility Model Customers are responsible for how they use AWS components in AWS Customer Data Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Client-side Data Encryption & Data Integrity Authentication Server-side Encryption (File System and/or Data) Network Traffic Protection (Encryption / Integrity / Identity) DatabaseStorageCompute Networking Edge Locations Regions Avail. Zones AWS Global Infrastructure Customer Responsible for security ‘in’ the Cloud Responsible for security ‘of’ the Cloud AWS
  6. 6. Infrastructure Services Container Services Abstracted ServicesSecurity Controls Inherited Hybrid Shared Customer Specific Fully inherited by AWS AWS provides partial implementation AWS and customer provides their implementation Sole Responsibility of the customer Division of Responsibility changes depending on AWS service
  7. 7. SFSA helps simplify and accelerate your AWS migrations Benefits  Automate system deployments  Address security/compliance requirements  Follow best practices  Decrease deployment time  Provide Reusable Documentation
  8. 8. AWS built the SFSA Package to include several key artifacts to meet customer needs Package Overview  CloudFormation Templates  Guidance Documentation  Security Controls/Requirements Matrix − NIST SP 800-53 available now − Coming Soon: PCI DSS, CJIS, HIPAA, ISO 27001  Customizable Reference Architecture Diagram
  9. 9. AWS SFSA CloudFormation Stacks  Multiple nested stacks − For different types of workloads − Modular and customizable − Each stack builds a portion of architecture Each package consists of multiple CloudFormation templates reusable across different use cases
  10. 10. SFSA CloudFormation Stack 2,500 lines of JSON code = 126 AWS Resources, 200+ API Actions
  11. 11. Documentation Included with every package is a User Guide along with an inventory of resources deployed by the templates Resource Inventory User Guide
  12. 12. Security Controls / Compliance Mapping  Pre-documents how security controls/requirements are addressed by the SFSA within the VPC/infrastructure layer − Can be included in a customer’s compliance documentation/SSP − Can be ingested into customer security/compliance databases/workflow tools  Contains additional guidance for each control/requirement  Identifies which CloudFormation stack implements the control/requirement  Identifies related AWS resources within each stack  NIST SP 800-53 controls matrix will be followed by CJIS, SOC, PCI, and other third-party compliance frameworks
  13. 13. Security Controls / Compliance Mapping: Example Matrix
  14. 14. Customizable Reference Architecture
  15. 15. SFSA Use Cases  Base Architectures Examples: − Base IAM Configuration − Base VPC Architecture for Internal VPC  Full Applications Examples: − 3 Tier Linux Web Application − Shared Services VPC with Active Directory
  16. 16. Before you get started…  Understand use cases and workload types  Have a basic understanding of your governance model  Have a basic cloud strategy and roadmap  Identify relevant security standards or compliance requirements − Have an organizational appetite to comply with them
  17. 17. As a Baseline for your architectures Plan and design the Cloud- based infrastructure Build the infrastructure using AWS components Application Deployment Deploy applications using EC2 instances and other services within the cloud infrastructure SFSA Plan and design the Cloud-based infrastructure Build the infrastructure using AWS components Application Deployment Deploy applications using EC2 instances and other services within the cloud infrastructure SFSA As a Full Application Deployment How can SFSA be used?
  18. 18. Security Focused Standardized Architectures (SFSA) CloudFormation Intro and Tools
  19. 19. AWS CloudFormation  Basic standard in AWS for automating deployment of resources  CloudFormation Template − JSON-formatted document which describes a configuration to be deployed in an AWS account − When deployed, refers to a “stack” of resources AWS CloudFormation
  20. 20. CloudFormation Template Structure
  21. 21.  Describe detailed configuration of a resource in AWS  Include, but not limited to: − IAM Policies, Users, Groups, Roles − VPCs, Subnets, NACLs, Security Groups − EC2 instances, Auto Scaling Groups − RDS Databases, S3 Buckets − Elastic Load Balancers − CloudWatch Alarms − Lambda Functions − Logging (CloudTrail, CW Logs) SFSA CloudFormation Resources
  22. 22.  20+ selectable variables to customize the AWS infrastructure  Variables can be immutable based on organizational requirements SFSA CloudFormation Parameters
  23. 23. SFSA + Customer Governance Model
  24. 24. Managing SFSA Packages  Templates can be kept under version control  Establishes baselines for standard AWS configurations  Organizationally approved architectures can be stored centrally  Mandatory for many third-party security frameworks
  25. 25. Deployment Options  AWS Console  CLI Deployment − Deployment scripts included with package  AWS Service Catalog − As a Service Catalog “Product”
  26. 26. AWS Management Console
  27. 27. CLI Deployment Scripts  “cfdeploy” − Optional tool included with package to make deployment from CLI easier − Simpler management of standard parameters cfdeploy --deploy SFSA --yaml-parameters templates/parameters/example_useast1.yaml --template templates/main-webapp-linux.json -- region us-east-1 Launched Stack ID: arn:aws:cloudformation:us-east-1:979676883363:stack/ASFA/e1442430-78f8-11e5-b55e-50d5018a129a
  28. 28. SFSA Deployment with AWS Service Catalog  Standardize deployment  Allow push-button build of common architectures based on compliance and use case  Provide a self-service model for workload owners
  29. 29.  Allows administrators to create and manage approved catalogs of resources (products) that end users can access via a personalized portal  A Service Catalog Product is a deployable CloudFormation template  Managed compliance with Service Catalog − Provide a catalog of pre-built, compliant architectures ready to deploy − Enforce resource tagging − Allow workload owners to deploy resources which normally require higher levels of IAM permissions than they are given − Separate Portfolios of Products can be used to segment products by compliance type AWS Service Catalog
  30. 30. AWS SFSA & Service Catalog
  31. 31. Get started with SFSA  Contact your sales representative/SA  AWS Quickstart Deployments (coming soon)  Getting Help: − Whitepapers/User Guides/SA Included with the package − FREE 1 day workshop provided by Solutions Architects or Professional Services − SOW-based 2-5 day ProServe customization workshop Professional Services or APN Partner  Email: brettmi@amazon.com
  32. 32. Additional Resources  AWS SFSA Quick Start Test Drive − https://s3.amazonaws.com/quickstart-reference/security-compliance/latest/doc/Standard_NIST_800- 53_Architecture_on_the_AWS_Cloud.pdf  AWS re:Invent 2015 Videos (SEC312) Reliable Design and Deployment of Security and Compliance https://youtu.be/KtMANvC7_n8 (ISM206) Modern IT Governance Through Transparency and Automation https://youtu.be/YYiV_z9D2CE
  33. 33. Questions?

×