
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014


This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture design decisions made by Fortune 500 organizations during actual sensitive workload deployments, as told by the AWS security solution architects and professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.

Published in: Technology


  1. Hart Rossman, AWS Principal Security Consultant; Bill Shinn, AWS Principal Security Solutions Architect; Brent Funk, Boeing, Chief Architect, Commercial Digital Aviation PaaS. November 13, 2014 | Las Vegas, NV
  2. Organizes and describes the perspectives in planning, creating, managing, and supporting a modern IT service. Offers practical guidance and comprehensive guidelines for establishing, developing, and running AWS cloud-enabled environments. It provides a structure where business and IT can work together towards a common strategy and vision, supported by modern IT automation and process optimization. Perspectives: People, Process, Security, Maturity, Platform, Operating, Business.
  3. Chart: security features versus all significant features and services released per year, 2008 to 2014, with security features as a percentage of the total on a secondary axis (0% to 40%). Security features / all significant features and services: 2008: 0/24; 2009: 13/48; 2010: 16/61; 2011: 23/82; 2012: 51/159; 2013: 70/280; 2014: 167/454.
  4. Enterprise
  5. Security Program: Reference Architectures, Asset Management, Identity Lifecycle Management, Ubiquitous Logging, Security Management Layer, DevSecOps, Security Services & API, Just In Time Access, The Basics.
  6. Shared responsibility model. AWS is responsible for security OF the cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for security IN the cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption, and network traffic protection.
  7. Extending Enterprise Security (on top of Foundation Services and AWS Global Infrastructure):
     • Business (Governance & Risk): culture of security and continual improvement; ongoing audits and assurance; protection of large-scale service endpoints.
     • Enterprise Security Operations (Compliance): lead change; audits & assurance; protection of workloads, shared services, interconnects; MSB definition; cloud security operations.
     • Product & Platform Teams: MSB customization; application/platform infrastructure; security development lifecycle.
  8. Extending Enterprise Security with the Partner Ecosystem: Business (Governance & Risk), Partners, Security Operations (Compliance), and Product & Platform Teams, on top of Foundation Services and AWS Global Infrastructure.
  9. Capability / Principle / Action:
     • Anticipate: Infrastructure as code – skill up the security team in code & automation; DevSecOps. Design guard rails, not gates – architect to drive towards good behavior.
     • Deter: Use the cloud to protect the cloud – build, operate, and manage security tools in the cloud. Stay current, run secure – consume new security features; patch and replace frequently. Reduce reliance on persistent access – establish a role catalog; automate KMI via a secrets service.
     • Detect: Total visibility – aggregate AWS logs and metadata with OS & app logs. Deep insights – security data warehouse with BI & analytics.
     • Respond: Scalable incident response – update the IR SOP for the shared responsibility framework. Forensic readiness – update workloads to support forensic readiness and containment.
     • Recover: Automate – Continuous Integration & Continuous Deployment.
  10. Diagram: within a Region, EC2 instances and Amazon S3 fronted by Amazon Route 53 serve customers while facing distributed attackers.
  11. Centralized Governance with IAM Role Catalog: a Central Account (trusted) holds a SecUser IAM user; each BU account (trusting) holds a SecRole IAM role that the central account's SecUser assumes.
  12. Proprietary: The information contained herein is proprietary to The Boeing Company and shall not be reproduced or disclosed in whole or in part or used for any reason except when such user possesses direct, written authorization from The Boeing Company. The statements contained herein are based on good faith assumptions and provided for general information purposes only. These statements do not constitute an offer, promise, warranty or guarantee of performance. Actual results may vary depending on certain events or conditions. This document should not be used or relied upon for any purpose other than that intended by Boeing. BOEING is a trademark of Boeing Management Company.
  13. Platform design:
     • SOA – publish/subscribe model; data/functions/visualization; internal/external service models.
     • Secure – VPC perimeter security; VPC-to-VPC peering; intra-VPC security; logging and auditing.
     • Message Oriented Middleware – enterprise service bus; global registry; global security; load balanced.
  14. Logging stack: Logstash – filtering; Kibana – visualization; ElasticSearch – indexing.
  15. Diagram: logs are shipped via an Amazon SQS queue to an Auto Scaling Group of Logstash indexers, which write to an Auto Scaling Group of ElasticSearch nodes; an Auto Scaling Group of Kibana hosts sits behind an Internal Elastic Load Balancer, with an Auto Scaling Group of reverse proxies behind a second Internal Elastic Load Balancer (HTTP and HTTPS traffic). CloudWatch alarms drive scale-up and scale-down.
  16. Outcomes:
     • Expedited root cause analysis activities – streaming ingest of log data every 5 seconds; security tie-ins from application to networking to infrastructure; dynamic correlation of data within a single location, resulting in quicker RCA activities.
     • Immediate validation of security incident remediation.
     • Allows segregation of duties for threat analysis vs. operational configuration/support.
  17. Peer Review: shared infrastructure security services moved to a Services VPC (AD, DNS, monitoring, logging); 1-to-1 peering = app isolation; Security Groups and NACLs still apply; Security Groups are still bound to a single VPC. Diagram: within an AWS region, a public-facing web app, internal company apps #1 through #4, internal company Dev and QA, and the Services VPC, connected to the company data center through an HA pair of VPN endpoints.
  18. Diagram: pipeline from Version Control (Dev commits to Git/master) to a CI Server that pulls code, builds AMIs, and sends the build report to Dev, stopping everything if the build failed; a Package Builder creates the repo and installs; Deploy pushes code, config, and tests through Test, Staging, and Prod environments using AWS CloudFormation templates generated per environment. A security repository feeds vulnerability and pen testing, security infrastructure tests, and security unit tests in the app.
  19. Diagram: role catalog workflow. A Baseline IAM Catalog lives in a source code repository and moves through Develop, Review, Test, Approve, Commit; a Ruby tool pulls the catalog and, using an Admin AKID/SAK and STS credentials, pushes the SecRole IAM role into the trusting BU accounts (steps labeled 1 to 5).
  20. Security Program (recap): Reference Architectures, Asset Management, Identity Lifecycle Management, Ubiquitous Logging, Security Management Layer, DevSecOps, Security Services & API, Just In Time Access, The Basics.
  21. http://bit.ly/awsevals
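As an added illustration of the centralized role catalog pattern from slides 11 and 19 (example code, not the deck's or Boeing's tooling), this renders the trust and permissions policies for a SecRole in each trusting BU account and applies the guard rails the deck calls for; the account ids, the SecUser principal path and the action list are assumed placeholders.

```ruby
require 'json'

# Added example (not from the deck). Account ids, role names and action lists
# below are constructed placeholders, not real values.
CENTRAL_ACCOUNT = '111111111111'                # trusted central security account
BU_ACCOUNTS     = %w[222222222222 333333333333] # trusting business-unit accounts

# Baseline role catalog: role name => actions it may perform in a BU account.
ROLE_CATALOG = {
  'SecRole' => %w[cloudtrail:DescribeTrails cloudtrail:GetTrailStatus
                  ec2:DescribeInstances ec2:DescribeSecurityGroups
                  logs:FilterLogEvents]
}

# Trust policy for a catalog role: only the central account's SecUser may
# assume it, and only with MFA, so no persistent credentials live in the BU.
def trust_policy(central_account)
  { 'Version' => '2012-10-17',
    'Statement' => [{
      'Effect' => 'Allow',
      'Principal' => { 'AWS' => "arn:aws:iam::#{central_account}:user/SecUser" },
      'Action' => 'sts:AssumeRole',
      'Condition' => { 'Bool' => { 'aws:MultiFactorAuthPresent' => 'true' } }
    }] }
end

# Permissions policy: exactly the catalog's actions, nothing else.
def permissions_policy(actions)
  { 'Version' => '2012-10-17',
    'Statement' => [{ 'Effect' => 'Allow', 'Action' => actions.sort, 'Resource' => '*' }] }
end

# Guard rail run before a push: reject wildcard actions, principals outside the
# central account, and trust statements that do not require MFA.
def catalog_violations(role_name, actions, trust, central_account)
  v = []
  v << "#{role_name}: wildcard action" if actions.any? { |a| a.include?('*') }
  trust['Statement'].each do |s|
    arn = s.dig('Principal', 'AWS').to_s
    v << "#{role_name}: untrusted principal #{arn}" unless arn.include?(":#{central_account}:")
    v << "#{role_name}: MFA not required" unless s.dig('Condition', 'Bool', 'aws:MultiFactorAuthPresent') == 'true'
  end
  v
end

# Render one bundle per BU account: { account => { role => { trust, permissions } } }.
def render_catalog(catalog, bu_accounts, central_account)
  bu_accounts.to_h do |acct|
    [acct, catalog.to_h do |role, actions|
      trust = trust_policy(central_account)
      bad = catalog_violations(role, actions, trust, central_account)
      raise "refusing to render #{acct}: #{bad.join('; ')}" unless bad.empty?
      [role, { 'trust' => trust, 'permissions' => permissions_policy(actions) }]
    end]
  end
end

puts JSON.pretty_generate(render_catalog(ROLE_CATALOG, BU_ACCOUNTS, CENTRAL_ACCOUNT))
```

The rendered JSON is what a push tool would hand to IAM for each BU account; a catalog entry with a wildcard action or a foreign principal is refused before anything is pushed.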
