
Managing Enterprise security in the Cloud


  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. S U M M I T. Managing Enterprise Security in the Cloud. Koen van Blijderveen, Security, Risk & Compliance Consultant, AWS Professional Services; Bas Wouwenaar, Chief Information Officer, Ohpen. BUS001
  2. (divider slide)
  3. AWS Global Infrastructure: 20 Regions, 61 Availability Zones, 158 Edge Locations. Regions and number of Availability Zones: US East: N. Virginia (6), Ohio (3); US West: N. California (3), Oregon (4); Asia Pacific: Mumbai (2), Seoul (2), Singapore (3), Sydney (3), Tokyo (4), Osaka-Local (1); Canada: Central (2); China: Beijing (2), Ningxia (3); Europe: Frankfurt (3), Ireland (3), London (3), Paris (3), Stockholm (3); South America: São Paulo (3); AWS GovCloud (US): US-East (3), US-West (3). Announced Regions: Bahrain, Cape Town, Hong Kong, Jakarta, Milan.
  4. Move to AWS: Strengthen Your Security Posture
  5. Inherit global security and compliance controls: SOC 1, SOC 2, SOC 3, CJIS, DoD SRG, FERPA, SEC Rule 17a-4(f), VPAT / Section 508, GxP, MPAA, My Number Act, G-Cloud
  6. Shared Responsibility Model. Security OF the Cloud (AWS): AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. Security IN the Cloud (Customer): customer responsibility will be determined by the AWS Cloud services that a customer selects.
  7. Security Engineering: Then and Now
  8. But, do I have to?... Cost, Scale, Reliability/Repeatability
  9. (divider slide)
  10. Access a deep set of cloud security tools. Networking: Amazon VPC, AWS Direct Connect, Flow logs, Route table, Amazon VPC PrivateLink, AWS WAF, AWS Shield, AWS VPN, AWS Transit Gateway, AWS Firewall Manager. Identity: Active Directory integration, SAML Federation, AWS Identity and Access Management, MFA, Temporary security credentials, AWS Organizations, AWS Single Sign-On, Amazon Cognito, AWS Directory Service. Governance, Compliance, and Encryption: AWS Secrets Manager, AWS Security Hub, AWS Artifact, Amazon Macie, Amazon GuardDuty, Amazon Inspector, AWS Service Catalog, AWS Systems Manager, AWS CloudTrail, Amazon CloudWatch, AWS Config, AWS Certificate Manager, AWS Key Management Service, AWS Trusted Advisor, AWS Control Tower, AWS CloudHSM, Client-side Encryption.
  11. AWS Organizations: the AWS Master Account holds one Organizational Unit per business unit (Business Unit #1, Business Unit #2); each OU contains Development, Test and Production accounts (Development #1, Test #1, Production #1; Development #2, Test #2, Production #2), each with several AWS accounts beneath it.
  12. AWS Organizations, same structure as the previous slide, with Service Control Policies attached to the organizational units and account groups (four shown).
  13. AWS CloudTrail: API calls made through the AWS Management Console, the AWS Software Development Kit (SDK) and the AWS Command Line Interface (CLI) to AWS Cloud services supported by CloudTrail are recorded by AWS CloudTrail and delivered to an S3 bucket, an SNS topic, Amazon CloudWatch, or an AWS CloudTrail partner solution.
  14. AWS CloudTrail, Centralized Logging: the trails of AWS accounts 111111111111, 222222222222, 333333333333 and 444444444444 (each covering the services supported by AWS CloudTrail) all deliver to one central S3 bucket.
  15. Amazon GuardDuty
  16. AWS Config
  17. AWS Config Rules: changing resources are recorded by AWS Config and normalized; AWS Config Rules evaluate them and publish results to an SNS topic and as CloudWatch Events, which can call AWS API endpoints or trigger AWS Systems Manager Automation.
  18. AWS Config Rules
  19. AWS Config: Aggregation
  20. Amazon CloudWatch Events: events from the AWS Cloud (event-based or time-based) are routed to targets, either custom targets or AWS APIs.
  21. Amazon CloudWatch Events: Not just API
  22. AWS Systems Manager capabilities: Automation, Documents, Patch Manager, Parameter Store, Inventory, Maintenance Windows, State Manager, Run Command
  23. (divider slide)
  24. Focus on the Ins and Outs: DevSecOps, Events, Alerts, AWS Resources, Automation
  25. DevSecOps. DEV: develop software and infrastructure-as-code following the same processes and standards as application development. SEC: security is embedded in your delivery processes and scans your deployment code for/based on threats, policies, identity and access controls, and more. OPS: the security-focused software developed runs as part of ongoing operations for your applications/organization: automated, embedded in process, always-on, an extension of your team. DEV + SEC + OPS.
  26. DevSecOps, Example Pipeline #1: a developer commits a CloudFormation template to AWS CodeCommit (or S3/GitHub); AWS CodePipeline runs a policy check in AWS Lambda (or AWS CodeBuild); on FAIL the change goes back to the developers, on PASS CodePipeline deploys the stack.
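A minimal version of the policy stage in that pipeline, added here as an illustration and not code from the deck, AWS or Ohpen: a Lambda-style handler parses a CloudFormation template (JSON form) and fails the stage when an S3 bucket declares no default encryption or a security group admits the whole internet on anything but HTTP/HTTPS. The sample template, the two policy checks and the handler's event contract are all assumptions.

```python
import json

# Constructed sample template (not from the deck): a compliant bucket,
# an unencrypted bucket, and a security group open to the world on SSH.
SAMPLE_TEMPLATE = {"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
}}

# Assumed policy: only the web ports may be reachable from the internet.
PUBLIC_OK = {(80, 80), (443, 443)}

def check_bucket(name, props):
    # Policy: every bucket declares default server-side encryption.
    return [] if "BucketEncryption" in props else [f"{name}: no default encryption"]

def check_security_group(name, props):
    # Policy: no ingress from 0.0.0.0/0 or ::/0 except on the allowed ports.
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        ports = (rule.get("FromPort"), rule.get("ToPort"))
        if world and ports not in PUBLIC_OK:
            findings.append(f"{name}: internet ingress on ports {ports[0]}-{ports[1]}")
    return findings

# Resource type -> check; types without a check are accepted unchanged.
CHECKS = {"AWS::S3::Bucket": check_bucket,
          "AWS::EC2::SecurityGroup": check_security_group}

def evaluate_template(template):
    # Run every applicable check; a single finding fails the whole stage.
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return {"status": "FAIL" if findings else "PASS", "findings": findings}

def handler(event, context):
    # Assumed stage contract: the template body arrives as a JSON string.
    return evaluate_template(json.loads(event["template"]))
```

In a real CodePipeline stage the handler would report the outcome back with CodePipeline's PutJobSuccessResult / PutJobFailureResult calls; that is left out so the block runs offline.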
  27. DevSecOps, Automating Pipelines: https://github.com/awslabs/aws-deployment-framework
  28. Focus on the Ins and Outs: DevSecOps, Events, Automation, Alerts, AWS Resources
  29. Security Automation & Compliance: focus on the evidence; map evidence and requirements to specific controls; not just the what, but also the how; enable your compliance team! (Yes, they are your friends.)
  30. AWS Lambda allows you to run code in response to an event. Event sources: services (anything), changes in data state, requests to endpoints, changes in resource state. Function runtimes: Node, Python, Java, C#, Go.
  31. Wrangling Information Sources: Macie, CloudTrail, GuardDuty, Inspector, Security Hub, on-instance logs, VPC Flow Logs, CloudWatch Logs, S3 Data Events and AWS Config feed CloudWatch Events and CloudWatch Alarms, which invoke an AWS Lambda function.
  32. Automated Security Response Workflow: users call AWS API endpoints; AWS CloudTrail records the calls (to an Amazon S3 bucket) and an Amazon CloudWatch Event invokes an AWS Lambda function with an IAM role; the function can call AWS API endpoints to respond and publishes to Amazon SNS topics (HTTP and e-mail) that reach a SecOps engineer, a third-party tool/ticketing system and a third-party SIEM.
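The triage step of that workflow, added here as an illustration and not code from the deck, AWS or Ohpen: a Lambda handler receives the CloudWatch Events envelope for a CloudTrail API call, decides whether the call is worth raising, and picks the SNS targets (HTTP for the ticketing system/SIEM, e-mail for the SecOps engineer). The sample event, the severity table and the target names are assumptions; the actual SNS publish via boto3 is left out so the block runs offline.

```python
# Constructed CloudWatch Events envelope carrying a CloudTrail record
# (not from the deck): an IAM user switching a trail off.
SAMPLE_EVENT = {
    "source": "aws.cloudtrail",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "eu-west-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {"name": "org-trail"},
    },
}

# Assumed watchlist: (eventSource, eventName) -> severity. Calls that weaken
# logging rank highest; a real deployment would tune this table.
WATCHLIST = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "high",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "high",
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): "medium",
    ("iam.amazonaws.com", "CreateAccessKey"): "medium",
}

def triage(detail):
    # Return a finding for watchlisted calls, None for everything else.
    key = (detail.get("eventSource"), detail.get("eventName"))
    severity = WATCHLIST.get(key)
    if severity is None:
        return None
    identity = detail.get("userIdentity", {})
    if identity.get("type") == "Root":      # root activity always escalates
        severity = "high"
    return {"severity": severity,
            "actor": identity.get("arn", "unknown"),
            "action": f"{key[0]}:{key[1]}",
            "region": detail.get("awsRegion"),
            "params": detail.get("requestParameters", {})}

def route(finding):
    # Fan-out as on the slide: e-mail for every finding, the HTTP topic
    # (ticketing/SIEM) only for high severity. Topic names are assumed.
    targets = ["sns-email"]
    if finding["severity"] == "high":
        targets.insert(0, "sns-http")
    return targets

def handler(event, context):
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return {"handled": False}
    finding = triage(event.get("detail", {}))
    if finding is None:
        return {"handled": False}
    return {"handled": True, "finding": finding, "targets": route(finding)}
```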
  33. (divider slide)
  34. The things we wanted to fix when we started Ohpen: old software leading to high hardware costs and low performance; a spaghetti of applications; old-fashioned customer service; insufficient audit trail and basic analytics; record keeping; vendors did not understand our business.
  35. From this
  36. To This
  37. Ruthlessly effective cloud-based core banking engine
  38. (divider slide)
  39. Enterprise Risk & Security
  40. Excel, we have to let you go
  41. Automating controls and risks
  42. What you want from compliance. Just enough: you don't get an award for being "more compliant", so minimize costs and overhead. Free: where possible, take advantage of work that people are already doing. Clear: everyone should know when they are doing things right/wrong. Measurable: you can tell if you are doing things right/wrong. Practical: rules that people can and will follow. Shareable: work can be reused across systems/teams. Consistent: checks/tests that work every time. Non-blocking: don't stop people from getting useful work done.
  43. Automating controls and risks. How? DevOps → DevSecOps → Compliance as Code
  44. Automating controls and risks, steps: 1. Risk assessment; 2. Decide on tooling; 3. Set up control framework; 4. Determine security and compliance controls
  45. Inherit global security and compliance controls: SOC 1, SOC 2, SOC 3, CJIS, DoD SRG, FERPA, SEC Rule 17a-4(f), VPAT / Section 508, GxP, MPAA, My Number Act, G-Cloud
  46. Ohpen global security and compliance controls
  47. Automating controls: 1. Authority documents; 2. Citations / control objectives; 3. Map policies; 4. Set up control templates; 5. Set scope; 6. Generate controls; 7. Automate evidencing
  48. Automate Evidencing: DevSecOps, Events, Automation, Alerts, AWS Resources
  49. Automate Evidencing: query your log sources; evidence your automated controls
  50. Ohpen uses.. (the same service map as slide 10: Networking; Identity; Governance, Compliance, and Encryption)
  51. Ohpen uses..
  52. (divider slide)
  53. Key Takeaways
  54. (closing slide)
