With the upswell of cloud adoption, many traditional infrastructure paradigms are shifting. Security is no different. The cloud service provider industry is discovering new ways to tackle security, including automation, bottomless logging, scalable analysis clusters, and pluggable security tools. This session presents a case study in extending a traditional infrastructure operation into AWS. We provide a practical look into the technical challenges and benefits of operating in this new paradigm, explore incident response automation (Alexa integration), and provide various examples of shifting an on-premises security operation to a scalable, hybrid model. Through lessons learned and analysis, we show why your data is safer in the cloud than in that rack you can touch in your data
2. Common challenges in the public sector
Budget constraints
Security slowing down mission
Need for scalable (and low-cost) real-time log analysis
Scaling uniformly across environment types
− Multiple locations/regions
− On premises or cloud
− Classified/unclassified
Implementing agile approaches within organizations with cultural or political challenges
3. Journey to an “all in” cloud infrastructure
What is agility?
Why be agile?
− Cost reduction / pay for only what you use
− Speed of deployment
− Scalability
− Reduced Risk
4. Hybrid Design
Network Services
− Project segmentation
− Layered firewall design
Central Services
− VDI (on-prem and remote access)
− Software development repositories
− Central authentication and security
− Core services: DNS, DHCP, NTP
− Big Data (HADOOP/SPARK)
− Desktop deployment automation
5. Hybrid Design: View from the Cloud
Region Selection
− Geographic requirements (us-east, us-west, etc.)
− Commercial vs. AWS GovCloud
VPC design
− Internal/support services
− External access
− Special: Disconnected VPCs
Availability Zones
− Inter-region failover
Routing
− 10G DirectConnect
− Inter-VPC connectivity
− VPN Gateways to on-prem
− Internet gateways, Out of band management
6. Developer Services
Requirements
− Isolation
Internal: Intranet access only
External: Internet accessible, facilitates collaboration with partners
− Availability
Elastic Load Balancing (ELB) for automatic, multi-AZ availability of instances
− Performance
ElastiCache for fast, managed, in-memory cache
− Database
Amazon RDS: managed, scalable database service
Used for GitLab service failover
No-downtime upgrades
7. Isolated Web Hosting
High risk web presence!
Requirements
− Isolated environment
“Special” disconnected VPC
− Minimizing Cost/Risk
Gen1 Architecture: Dynamic Content
Web/App/DB Architecture
Route53, EC2, Internet GW
Gen2 Architecture: Static Archive
Static Web Hosting with Route53,
S3, and CloudFront
9. NextGen Security Operations: Key Concepts
Infrastructure Automation
− Rapid deployment / tear down
− Automated security features
Location Independence
− Flexibility across regions / domains (commercial, AWS GovCloud)
− Integration with existing / legacy environments
Aggregated data sources
− Real time, scalable analytics (making sense of collected data)
API driven incident response
− Automated detection and response to security threats
Centralized Management / Transparency
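The "API driven incident response" bullet above is the kind of step a practitioner usually wants to see in code. The following is an added example, not code from the original deck or from any product it names: an alert record (a constructed dict whose shape is an assumption) is mapped by a small policy to response actions, and the actions are carried out through an EC2-style client that is injected, so the logic runs offline. The boto3 method names used (modify_instance_attribute, create_snapshot, create_tags) are real; the quarantine security group id is a placeholder.

```python
"""API-driven incident response step (added example, not from the original deck).

An alert arrives, a policy decides the actions, and the actions are executed
against an EC2 client object. The client is injected so the decision logic can be
tested without AWS credentials; in production it would be boto3.client("ec2").
"""
from dataclasses import dataclass, field
from typing import List

# Assumed: a pre-created security group with no inbound or outbound rules.
QUARANTINE_SG = "sg-PLACEHOLDER-quarantine"


@dataclass
class Action:
    kind: str                      # "isolate" | "snapshot" | "tag"
    target: str                    # instance id or volume id
    params: dict = field(default_factory=dict)


def plan_response(alert: dict) -> List[Action]:
    """Map an alert to actions: every alert gets a tag; high severity (>= 7.0)
    also isolates the instance and snapshots its volumes for forensics."""
    instance_id = alert["instance_id"]
    severity = float(alert.get("severity", 0))
    actions = [Action("tag", instance_id, {"Alert": alert["type"]})]
    if severity >= 7.0:
        # Isolation goes first so evidence is preserved before anything else runs.
        actions.insert(0, Action("isolate", instance_id, {"groups": [QUARANTINE_SG]}))
        for vol in alert.get("volume_ids", []):
            actions.append(Action("snapshot", vol, {"reason": alert["type"]}))
    return actions


def execute(actions: List[Action], ec2) -> List[str]:
    """Run the planned actions through an EC2 client; returns an audit log."""
    log = []
    for a in actions:
        if a.kind == "isolate":
            # Replacing the security groups cuts the instance off without stopping it.
            ec2.modify_instance_attribute(InstanceId=a.target, Groups=a.params["groups"])
        elif a.kind == "snapshot":
            ec2.create_snapshot(VolumeId=a.target, Description=f"IR: {a.params['reason']}")
        elif a.kind == "tag":
            ec2.create_tags(Resources=[a.target],
                            Tags=[{"Key": k, "Value": v} for k, v in a.params.items()])
        log.append(f"{a.kind}:{a.target}")
    return log


class FakeEC2:
    """Offline stand-in for boto3's EC2 client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))


# Constructed sample alert (shape is assumed, not any product's format).
SAMPLE_ALERT = {
    "type": "OutboundBeaconDetected",
    "severity": 8.5,
    "instance_id": "i-0123456789abcdef0",
    "volume_ids": ["vol-0abc"],
}


def demo():
    """Plan and execute the sample alert against the fake client."""
    ec2 = FakeEC2()
    return execute(plan_response(SAMPLE_ALERT), ec2), ec2


if __name__ == "__main__":
    audit_log, _ = demo()
    print("\n".join(audit_log))
```

Keeping the decision (plan_response) separate from the side effects (execute) is what makes the step testable and reviewable: the policy can be exercised on recorded alerts before it is ever wired to a Lambda function with real credentials.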
10. Traditional security architecture
Network traffic and logs captured by taps and analyzed with on-premises tools
Limitations
− Limited interfaces to manage live data
o Real time analysis with multiple tools
− Expensive to scale
o Log retention capacity
o Processing power
o Big data access
o Big data backup
11. Cloud-enabled security architecture
All the benefits of the cloud
− Elasticity, Scalability
− Ease of use
− Flexibility
− Cost efficiency
− Reliability
− Breadth of services
Security Automation
Transparency
− Logging, auditing, metrics = Lots of data!
Without the cost of licensing, on-prem storage, maintenance, facilities…
14. Logging: processing and forwarding
Logstash
− Collects, processes, and forwards application events and log messages to a final destination in a customizable format
− Does not store data
3-part architecture
o Inputs – Configurable input plug-ins that are compatible with raw socket or packet communication, file tailing, and several message bus clients
o Filters – Filters that process, modify, and annotate the event data, and then parse and transform the data into useful formats
o Outputs – Ability to move the events to a variety of external services including Elasticsearch, Amazon Simple Storage Service (Amazon S3), local files, and several message bus implementations
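A pipeline in the three-part shape the slide describes, as an added example (not a configuration from the original deck): a file input and a raw-socket syslog input, filters that parse and annotate, and two outputs, one to Amazon ES for search and one to S3 for retention. The log path, port, bucket name, region and Amazon ES endpoint are placeholders.

```conf
# Added example Logstash pipeline; all names and endpoints are placeholders.
input {
  # File tailing: local web-server access log
  file {
    path => "/var/log/nginx/access.log"
    start_position => "beginning"
    type => "nginx-access"
  }
  # Raw socket: syslog from other hosts
  syslog {
    port => 5514
    type => "syslog"
  }
}

filter {
  if [type] == "nginx-access" {
    # Parse the combined log format into fields, set @timestamp, add geo data
    grok  { match => { "message" => "%{COMBINEDAPACHELOG}" } }
    date  { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] }
    geoip { source => "clientip" }
  }
  # Annotate every event with its origin so analysts can filter by environment
  mutate { add_field => { "environment" => "govcloud-prod" } }
}

output {
  # Hot path: searchable in Amazon ES / Kibana (logstash-output-amazon_es plugin)
  amazon_es {
    hosts  => ["search-DOMAIN-PLACEHOLDER.us-gov-west-1.es.amazonaws.com"]
    region => "us-gov-west-1"
    index  => "logs-%{+YYYY.MM.dd}"
  }
  # Cold path: raw copy to S3, rotated every 15 minutes, for retention and EMR
  s3 {
    bucket    => "example-log-archive-bucket"
    region    => "us-gov-west-1"
    prefix    => "logstash/%{type}/"
    time_file => 15
    codec     => "json_lines"
  }
}
```

Writing the same event to both outputs is what lets the hot search tier be sized for recent data only, while the S3 copy is the durable record that lifecycle rules and batch analytics operate on.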
16. Logging: search & analytics
Elasticsearch
− Open-source search and analytics engine for log analytics, real-time application monitoring, and click-stream analytics
− Search server based on Lucene that provides a distributed, multitenant-capable full-text search engine with a web interface and schema-free JSON
− Uses the Kibana web interface as its visualization plug-in
Amazon Elasticsearch Service (Amazon ES)
− Managed service that makes it easy to deploy, operate, and scale Elasticsearch clusters in AWS
− Cluster scaling and self-healing
− Region and Availability Zone (AZ) replication
− Data durability, monitoring
17. Logging: log storage & retention
Amazon Simple Storage Service (S3)
− Accessible through web services protocols (e.g., REST, SOAP)
− Durable, low-cost, available, secure, scalable, integrated, easy to use
− Integrates with AWS Key Management Service (AWS KMS)
Use case for logging
− Centralized storage
− Access control
o S3 bucket policies & security (WORM, MFA delete, versioning)
o Cross-account access
− Lifecycle policies (Example)
o Transition to the Standard – Infrequent Access storage class 180 days after the creation date
o Archive to the GLACIER storage class 365 days after the object's creation date
o Permanently delete 2,562 days (7 years) after the object's creation date
Analytics
− S3 data readily available
− EMR (Spark/Hadoop) clusters look at S3 bucket
− Dedicated Amazon ES to research project point to S3 bucket
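The lifecycle example on this slide expressed as an S3 lifecycle configuration, added here as an example (not a file from the original deck). The rule id and prefix are placeholders; the day counts are the slide's.

```json
{
  "Rules": [
    {
      "ID": "log-retention-7-years",
      "Filter": { "Prefix": "logstash/" },
      "Status": "Enabled",
      "Transitions": [
        { "Days": 180, "StorageClass": "STANDARD_IA" },
        { "Days": 365, "StorageClass": "GLACIER" }
      ],
      "Expiration": { "Days": 2562 },
      "NoncurrentVersionExpiration": { "NoncurrentDays": 2562 }
    }
  ]
}
```

Apply it with `aws s3api put-bucket-lifecycle-configuration --bucket BUCKET --lifecycle-configuration file://lifecycle.json`. With versioning enabled on the bucket (as the slide recommends), `Expiration` only places a delete marker on the current version; the `NoncurrentVersionExpiration` entry is what actually removes the old versions, so leaving it out would keep data past the intended retention period.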
18. Logging: content visualization
Kibana
− Open source data visualization plug-in for Elasticsearch
− Provides visualization capabilities on top of the content indexed on an Elasticsearch cluster
− Gives shape to data
− Understands large volumes of data
− Creates bar charts, line or scatter plots, histograms, pie charts, and maps
Provides sophisticated analytics
− Analyzes data intelligently, performs mathematical transformations
− Slices and dices the data to custom requirements
21. Takeaways: for your next workload on AWS
Design for Agility
Use available services for the “heavy lifting”
Security, logging, analytics
Architect for location independence
Region requirements, compliance – GovCloud vs. commercial
Consider points of isolation and integration
Segmentation with VPCs, NACLs, security groups, firewall
VPC Peering, connectivity to on premises
Aggregate data sources (infrastructure, network, application logs)
Make use of data (analysis, visualization)
Automate (security as code – DevSecOps!)