Moving from the Shadows to the Throne - SID310 - re:Invent 2017

What do you do when leadership embraces what was called "shadow IT" as the new path forward? How do you onboard new accounts while simultaneously pushing policy to secure all existing accounts? This session walks through Cisco’s journey consolidating over 700 existing accounts in the Cisco organization, while building and applying Cisco’s new cloud policies. Learn valuable tips and hear about mechanisms used to automate the process. Gain insight into how Cisco integrates AWS’s security and monitoring with Cisco’s enterprise tools, Cisco SSO integration and continuous security auditability on Cisco’s AWS account, and Cisco’s CI/CD pipelines with AWS to ensure secure development.

  • This was one of the top 5 presentations related to Security. Most presentations just presented the ideas, while this presentation went into details. Great job and thank you.

  1. Moving from the Shadows to the Throne
     © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     Vinay Bansal, Principal Security Architect, Cisco Systems; Larry Gilreath, Global Accounts Security Solution Architect
     November 29, 2017, AWS re:INVENT, SID310
  2. Rise of Shadow IT
     - IT focus: process and mechanisms; security controls; event management
     - Time to deliver: months (not days); touchpoint security reviews
     - Operating in the shadows: business teams with their own budgets, aiming to outpace the competition
  4. Move Fast AND Stay Secure
  5. Outline
     1. Cisco's journey with AWS
     2. Security guardrails
     3. Security automation in AWS
        i. Security audit
        ii. Logging and monitoring
        iii. Vulnerability management
     4. Risk scoring and metrics
     5. Benefits and lessons learned
  6. Cisco's Journey with AWS
     - Cisco engineering, IT, and product teams increasingly leveraging public clouds
     - Many acquisitions with an existing footprint on public cloud providers
     - More than 700 AWS accounts across Cisco, and growing
     Security problem: how to ensure Cisco's workloads run securely in AWS?
  7. Security: Past and Present
                    Past             Present
     Environment:   Data centers     Cloud
     Methodology:   DevOps           DevSecOps
     Requirements:  Written          Security as code
     Assessment:    Manual reviews   Automated
     Metrics:       Static reports   Real-time, continuous
  8. Securing Cisco's Workloads on AWS
     - Establish an enterprise agreement
     - Define security guardrails
     - Apply security guardrails at account provisioning
     - Security automation: audit checks, monitoring, vulnerability management
     - Risk scoring and metrics
     - Improve cloud security
  9. Initial Security Guardrails for Cisco AWS Accounts (Day -1)
     Flow: new AWS account request -> Cisco AWS account provisioned -> security applied
     1. Enforce strong identity (IAM)
     2. Set up a bastion/jump host for secure access
     3. Harden the base OS
     4. Network zoning to restrict external exposure
     5. Set up vulnerability scanning
     6. Enable security logging: CloudTrail logs, VPC logs and ELB logs into a log bucket
     7. Create an account-level encryption key
     8. Harden core AWS components
     9. Trusted Advisor setup
     10. Tagging and automated security audits (audit role, audit user, audit templates)
  10. Initial Security Guardrails for Cisco AWS Accounts (Day -N)
     The ten Day -1 guardrails, plus enterprise integration:
     1a. Cisco enterprise MFA/SSO in front of IAM
     5, 9, 10. Vulnerability and audit reports fed back to Cisco
     6a. Monitoring of the security logs for incident detection, response and forensics
     10a. Security scan automation: CSB (Continuous Security Buddy)
     11. Vault (encryption as a service)
     12. Direct Connect (secure data flow)
  11. Security Automation: Continuous Security Buddy (CSB)
     Cisco AWS tenant account: IAM, audit role, CloudTrail logs and log bucket, Trusted Advisor, security CloudFormation templates, tagging, AWS Config rules (security config rules), self security validation
     Cisco security accounts:
     - CSB audit account: continuous security validation run from AWS Lambda through the tenant's audit role
     - Cisco CSIRT account (Cisco Security Incident Response Team): monitoring and log monitoring with Amazon Kinesis Analytics over the security logs
     Strong identity: Cisco enterprise SSO (CEC) in front of IAM
  12. CSB Guardrail Validation (Audit): Automation
     Runs every 24 hours across all Cisco AWS accounts, from the Cisco CSB audit account:
     - AWS Lambda runs the security audit scripts, assuming a cross-account security audit role in each Cisco AWS tenant account
     - Security assessment results are stored in a DynamoDB table behind Amazon API Gateway
     - An Amazon SQS queue feeds results onward
     - Outputs: nightly reports by email; real-time integration with the risk management system (Jira) [WIP]
  13. Security Logging and Monitoring: Automation
     Cisco AWS tenant account: CloudTrail logs, ELB logs* and VPC logs* land in a log bucket; CloudWatch and Amazon Kinesis forward them to the Cisco CSIRT account (Cisco Security Incident Response Team) log bucket as security logs, alongside notifications from the AWS security team, where a Cisco security investigator works from them.
     Security plays:
     - Exposure of insecure services
     - Insecure authentication
     - Log cessation or modification
     - Permissive network ingress
     - Privileged account compromise
     *WIP
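The five security plays listed on slide 13, written out as detection logic over CloudTrail records. This is an added example, not Cisco's CSB or CSIRT code. The seven records are constructed to follow CloudTrail's JSON shape; the account ID, user names and event IDs are placeholders, and treating any root activity as a privileged-account signal is an assumption drawn from the slide-9 guardrail of enforcing strong identity.

```python
"""Detection plays over CloudTrail records (added example, not Cisco's code).

The records in SAMPLE_EVENTS are constructed to follow CloudTrail's JSON shape;
account ID, names and event IDs are placeholders.
"""
from typing import Any, Callable, Dict, List

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
LOG_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def _ingress_cidrs(ev: Dict[str, Any]) -> List[str]:
    """Every source CIDR (v4 and v6) in an AuthorizeSecurityGroupIngress request."""
    cidrs: List[str] = []
    for perm in ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        cidrs += [r.get("cidrIp", "") for r in perm.get("ipRanges", {}).get("items", [])]
        cidrs += [r.get("cidrIpv6", "") for r in perm.get("ipv6Ranges", {}).get("items", [])]
    return cidrs


def play_log_cessation(ev: Dict[str, Any]) -> bool:
    """Trail stopped, deleted or reconfigured."""
    return ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev.get("eventName") in LOG_TAMPER_EVENTS


def play_permissive_ingress(ev: Dict[str, Any]) -> bool:
    """Security group rule opened to the whole internet."""
    return ev.get("eventName") == "AuthorizeSecurityGroupIngress" and any(
        c in PUBLIC_CIDRS for c in _ingress_cidrs(ev))


def play_insecure_auth(ev: Dict[str, Any]) -> bool:
    """Successful console login without MFA. SSO-federated logins show up as AssumedRole
    with MFA enforced at the identity provider, so only IAM users and root are judged."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("userIdentity", {}).get("type") in {"IAMUser", "Root"}
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") == "No")


def play_privileged_account(ev: Dict[str, Any]) -> bool:
    """Any root activity. Assumption: root is not used day to day once the account is provisioned."""
    return ev.get("userIdentity", {}).get("type") == "Root"


def play_insecure_service_exposure(ev: Dict[str, Any]) -> bool:
    """Bucket ACL granted to AllUsers/AuthenticatedUsers (Grant may be a list or one object)."""
    if ev.get("eventName") != "PutBucketAcl":
        return False
    grants = (ev.get("requestParameters", {}).get("AccessControlPolicy", {})
              .get("AccessControlList", {}).get("Grant", []))
    grants = [grants] if isinstance(grants, dict) else grants
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


PLAYS: Dict[str, Callable[[Dict[str, Any]], bool]] = {
    "log_cessation_or_modification": play_log_cessation,
    "permissive_network_ingress": play_permissive_ingress,
    "insecure_authentication": play_insecure_auth,
    "privileged_account_compromise": play_privileged_account,
    "exposure_of_insecure_services": play_insecure_service_exposure,
}


def run_plays(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per (record, play) hit, in input order."""
    findings = []
    for ev in events:
        for name, play in PLAYS.items():
            if play(ev):
                findings.append({"play": name, "eventID": ev.get("eventID"),
                                 "eventName": ev.get("eventName"),
                                 "account": ev.get("recipientAccountId"),
                                 "actor": ev.get("userIdentity", {}).get("arn")})
    return findings


def _ev(event_id: str, name: str, source: str, utype: str, **extra: Any) -> Dict[str, Any]:
    """Minimal CloudTrail-shaped record (constructed sample data)."""
    principal = "root" if utype == "Root" else "user/alice"
    rec = {"eventID": event_id, "eventName": name, "eventSource": source,
           "recipientAccountId": "111122223333",
           "userIdentity": {"type": utype, "arn": "arn:aws:iam::111122223333:" + principal}}
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    _ev("e1", "StopLogging", "cloudtrail.amazonaws.com", "IAMUser", requestParameters={"name": "audit-trail"}),
    _ev("e2", "AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", "IAMUser", requestParameters={
        "groupId": "sg-0a1b2c", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22,
        "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _ev("e3", "AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", "IAMUser", requestParameters={
        "groupId": "sg-0a1b2c", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 443,
        "toPort": 443, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}),
    _ev("e4", "ConsoleLogin", "signin.amazonaws.com", "IAMUser",
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _ev("e5", "ConsoleLogin", "signin.amazonaws.com", "IAMUser",
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _ev("e6", "CreateUser", "iam.amazonaws.com", "Root", requestParameters={"userName": "new-admin"}),
    _ev("e7", "PutBucketAcl", "s3.amazonaws.com", "IAMUser", requestParameters={
        "bucketName": "app-data", "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}}}),
]

if __name__ == "__main__":
    for f in run_plays(SAMPLE_EVENTS):
        print(f["eventID"], f["play"], f["eventName"], f["actor"])
```

Records e3 (internal CIDR) and e5 (MFA login) produce nothing; each of the other five trips exactly one play. In the pipeline the slide describes, `run_plays` would sit behind the Kinesis stream in the CSIRT account and each finding would open a ticket for the investigator.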
  14. External Vulnerability Scan: Automation
     CSB drives the cycle across the Cisco tenant accounts (Tenant-1, Tenant-2, Tenant-3, ...) and the Qualys Cloud (Cisco enterprise account):
     1. Surface identification: identify all externally exposed EC2 instances across all Cisco accounts
     2. Notify AWS (currently via email)
     3. Initiate scan: start a Qualys scan of the external AWS Cisco IP addresses
     4. Vulnerability scan
     5. Vulnerability results
     - Automated nightly scans
     - Vulnerabilities are summarized and reported to the respective teams
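Step 1 above, surface identification, as an added example (not Cisco's CSB code): given describe_instances and describe_security_groups style data for several tenant accounts, it lists the instances that are running, have a public IP, and sit behind a security group that admits the whole internet, then groups their IPs per account for the scanner. The data, account IDs and function names are constructed.

```python
"""Surface identification for the nightly external scan (added example, not Cisco's code).

Input mimics boto3's ec2.describe_instances()["Reservations"] and
ec2.describe_security_groups()["SecurityGroups"]; everything below is constructed.
"""
from typing import Dict, List, Tuple

WORLD = {"0.0.0.0/0", "::/0"}


def world_open_rules(sg: dict) -> List[Tuple[str, int, int]]:
    """(protocol, from_port, to_port) for each inbound rule whose source is the whole internet."""
    rules = []
    for perm in sg.get("IpPermissions", []):
        sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if not any(src in WORLD for src in sources):
            continue
        proto = perm.get("IpProtocol", "-1")
        if proto == "-1":                       # the "all traffic" rule
            rules.append(("all", 0, 65535))
        else:
            rules.append((proto, perm.get("FromPort", 0), perm.get("ToPort", 65535)))
    return rules


def exposed_instances(reservations: List[dict], security_groups: List[dict]) -> List[dict]:
    """Running instances with a public IP and at least one world-open inbound rule."""
    sg_index = {sg["GroupId"]: sg for sg in security_groups}
    exposed = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            ip = inst.get("PublicIpAddress")
            if not ip or inst.get("State", {}).get("Name") != "running":
                continue                         # private-only or stopped: nothing to scan
            rules = set()
            for ref in inst.get("SecurityGroups", []):
                rules.update(world_open_rules(sg_index.get(ref["GroupId"], {})))
            if rules:
                exposed.append({"instance": inst["InstanceId"], "ip": ip, "open": sorted(rules)})
    return exposed


def scan_targets(accounts: Dict[str, Tuple[List[dict], List[dict]]]) -> Dict[str, List[str]]:
    """Per-account list of public IPs to hand to the scanner; accounts with nothing exposed are dropped."""
    targets = {}
    for account_id, (reservations, sgs) in accounts.items():
        ips = sorted({e["ip"] for e in exposed_instances(reservations, sgs)})
        if ips:
            targets[account_id] = ips
    return targets


def _instance(iid: str, sg_ids: List[str], public_ip: str = None, state: str = "running") -> dict:
    """describe_instances-shaped record (constructed sample data)."""
    return {"InstanceId": iid, "State": {"Name": state}, "PublicIpAddress": public_ip,
            "SecurityGroups": [{"GroupId": g} for g in sg_ids]}


SAMPLE_ACCOUNTS = {
    "111122223333": (
        [{"Instances": [_instance("i-0aaa", ["sg-ssh"], "203.0.113.10"),
                        _instance("i-0bbb", ["sg-internal"], "203.0.113.11"),
                        _instance("i-0ccc", ["sg-ssh"]),                        # no public IP
                        _instance("i-0ddd", ["sg-ssh"], "203.0.113.12", "stopped")]}],
        [{"GroupId": "sg-ssh", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
         {"GroupId": "sg-internal", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}],
    ),
    "444455556666": (
        [{"Instances": [_instance("i-0eee", ["sg-any"], "198.51.100.5")]}],
        [{"GroupId": "sg-any", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}],
    ),
}

if __name__ == "__main__":
    for account, ips in scan_targets(SAMPLE_ACCOUNTS).items():
        print(account, ips)
```

Two caveats a practitioner would add. First, this only sees EC2 public addresses; internet-facing load balancers, NAT-exposed services and addresses on other account resources need their own collectors, which is presumably why ELB logs are marked WIP on the previous slide. Second, step 2 of the slide reflects AWS's 2017 requirement to obtain authorization before scanning; AWS has since dropped the pre-approval requirement for EC2 and several other services, but telling the AWS security team that nightly scans are expected still prevents them from being treated as an attack.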
  15. AWS Security Risk Report Card
     Overall risk score: reported as a letter grade on an A to F scale
     Section                                Score
     1. Identity and Access Management      75.6/100
     2. Network Security                    80/100
     3. Storage (S3 buckets)                100/100
     4. Tagging                             90/100
     5. External Vulnerabilities (Qualys)   90/100
     6. CIS AWS Benchmarks                  80/100
     7. Trusted Advisor Checks              Not scored
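How the nightly audit of slide 12 and the report card of slide 15 fit together, as an added example that is not Cisco's CSB code. A snapshot stands in for what the audit scripts collect after assuming the cross-account audit role in a tenant; three of the seven sections (IAM, S3, tagging) are checked, each section score is the pass rate of its checks, and the overall score is the plain average, translated to a letter. The required tag set, the 90-day access-key age limit and the grade cut-offs are assumptions, and every name, ID and date in the snapshot is constructed.

```python
"""Nightly guardrail audit and risk report card (added example, not Cisco's code).

SAMPLE_SNAPSHOT stands in for data gathered through the cross-account audit role.
REQUIRED_TAGS, KEY_MAX_AGE and the grade cut-offs are assumptions; names, IDs and
dates are constructed.
"""
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

REQUIRED_TAGS = {"Owner", "CostCenter", "DataClassification"}   # assumed tagging policy
KEY_MAX_AGE = timedelta(days=90)                                 # assumed rotation limit
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

Result = Tuple[str, bool, str]   # (resource, passed, detail); a section score is the pass rate


def check_iam(snap: dict, now: datetime) -> List[Result]:
    out = []
    for user in snap["iam_users"]:
        if user["password_enabled"]:            # console users must have MFA
            out.append((user["name"], user["mfa_enabled"], "console user without MFA"))
        for key in user["access_keys"]:         # active keys must be younger than KEY_MAX_AGE
            age = now - datetime.fromisoformat(key["created"])
            ok = (not key["active"]) or age <= KEY_MAX_AGE
            out.append((user["name"] + "/" + key["id"], ok, "active access key is %d days old" % age.days))
    return out


def check_s3(snap: dict, now: datetime) -> List[Result]:
    out = []
    for bucket in snap["s3_buckets"]:
        public = bucket["policy_allows_public"] or any(g in PUBLIC_GRANTEES for g in bucket["acl_grantees"])
        out.append((bucket["name"], not public, "bucket is readable by everyone"))
    return out


def check_tags(snap: dict, now: datetime) -> List[Result]:
    out = []
    for res in snap["resources"]:
        missing = REQUIRED_TAGS - set(res["tags"])
        out.append((res["arn"], not missing, "missing tags: " + ", ".join(sorted(missing))))
    return out


SECTIONS: Dict[str, Callable[[dict, datetime], List[Result]]] = {
    "Identity and Access Management": check_iam,
    "Storage (S3 buckets)": check_s3,
    "Tagging": check_tags,
}


def section_score(results: List[Result]) -> float:
    if not results:
        return 100.0                            # nothing in scope, nothing failing (assumption)
    return round(100.0 * sum(1 for _, ok, _ in results if ok) / len(results), 1)


def letter_grade(score: float) -> str:          # cut-offs are assumed
    for cutoff, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D"), (50, "E")):
        if score >= cutoff:
            return grade
    return "F"


def audit_account(snap: dict, now: datetime) -> dict:
    """Run every section check for one tenant account and build its report card."""
    sections, findings = {}, []
    for name, check in SECTIONS.items():
        results = check(snap, now)
        sections[name] = section_score(results)
        findings += [(name, rid, detail) for rid, ok, detail in results if not ok]
    overall = round(sum(sections.values()) / len(sections), 1)
    return {"account": snap["account_id"], "sections": sections,
            "overall": overall, "grade": letter_grade(overall), "findings": findings}


AS_OF = datetime(2017, 11, 29)
SAMPLE_SNAPSHOT = {
    "account_id": "111122223333",
    "iam_users": [
        {"name": "alice", "password_enabled": True, "mfa_enabled": True,
         "access_keys": [{"id": "key-1", "created": "2017-10-01", "active": True}]},
        {"name": "bob", "password_enabled": True, "mfa_enabled": False,
         "access_keys": [{"id": "key-2", "created": "2017-01-15", "active": True}]},
        {"name": "svc-build", "password_enabled": False, "mfa_enabled": False,
         "access_keys": [{"id": "key-3", "created": "2016-06-01", "active": False}]},
    ],
    "s3_buckets": [
        {"name": "app-logs", "acl_grantees": [], "policy_allows_public": False},
        {"name": "app-web", "acl_grantees": ["http://acs.amazonaws.com/groups/global/AllUsers"],
         "policy_allows_public": False},
        {"name": "app-data", "acl_grantees": [], "policy_allows_public": False},
    ],
    "resources": [
        {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaa", "tags": ["Owner", "CostCenter", "DataClassification"]},
        {"arn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbb", "tags": ["Owner", "DataClassification"]},
        {"arn": "arn:aws:s3:::app-logs", "tags": ["Owner", "CostCenter", "DataClassification"]},
        {"arn": "arn:aws:s3:::app-data", "tags": ["Owner", "CostCenter", "DataClassification"]},
    ],
}

if __name__ == "__main__":
    card = audit_account(SAMPLE_SNAPSHOT, AS_OF)
    print(card["grade"], card["overall"], card["sections"])
    for finding in card["findings"]:
        print(" ", *finding)
```

For the constructed snapshot this yields IAM 60.0, S3 66.7 and tagging 75.0, an overall 67.2 and a D, with four findings (bob's missing MFA, bob's 318-day-old key, the world-readable bucket, the untagged instance). In the slide's pipeline the same function would run once per tenant from Lambda, with the result written to the DynamoDB table and the findings pushed to Jira. The audit role each tenant exposes should be read-only (AWS's managed SecurityAudit policy is the usual base) and its trust policy should carry an ExternalId condition, so that a compromised audit account cannot change tenant resources and a tenant cannot be tricked into trusting a different auditor.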
  16. Benefits and Lessons Learned
     - Consolidation of IAM users via SSO integration
     - Identification and remediation of insecure S3 buckets
     - Risk reporting (and grading) helps get attention and remediation
     - Monitoring and vulnerability management capability extends to the cloud
     - Tagging helps to improve attribution
     - CSB scales seamlessly to hundreds of AWS accounts
  17. Summary
     - Identify your security guardrails: the critical elements of security based on the enterprise's needs
     - Automate security in the AWS cloud: scalability, speed, and lower cost
     - Constantly evolve security automation and metrics: changing threat landscape, changing business needs
  18. Thank you!