Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security and Advanced Automation in the Enterprise

1,033 views

Published on

As the complexity of your AWS environment grows, automating security is a crucial step in protecting your data from malicious attacks and unintentional vulnerabilities. Automation and security practices must work hand-in-hand in order to effectively protect your environment. In this session, you will learn how to leverage AWS tools and best-in-class 3rd party services to automate access control, security configuration, and monitoring in order to improve your overall security posture. Using real-life examples, you will come away with an understanding of how to secure your deployments while minimizing the work it takes to keep them secure – all while simplifying your compliance audit process. Topics include:
· Controlling access to your environment with automation tools
· Maintaining security during high velocity deployment cycles
· Protecting data from malicious attacks with automated security controls
· Monitoring and measuring configuration, access, and policy changes

Published in: Technology
  • Be the first to comment

Security and Advanced Automation in the Enterprise

  1. 1. Security and Advanced Automation in the Enterprise Phil Christensen Senior Systems Engineer, DevOps Logicworks www.logicworks.net ©2015 Logicworks. All Rights Reserved.
  2. 2. ©2015 Logicworks. All Rights Reserved. 2 Agenda  Why automate security?  Best practices during build, maintenance, and monitoring  What can be automated? Automate all the things!
  3. 3. ©2014 Logicworks. All Rights Reserved. 3 What’s the problem? Cloud engineers manage huge, complex systems Automated deployments encourage adoption of evolving standards
  4. 4. ©2014 Logicworks. All Rights Reserved. 4 What’s the problem? Security often has the highest priority during infrastructure build-out How to ensure both new and legacy builds gain the benefits of evolving standards?
  5. 5. ©2015 Logicworks. All Rights Reserved. 5 Why Automate? Issues w/ Manual Security Human Error The limitations of human memory Inconsistent naming conventions Time suck as environment grows Auditors have a lot to dig through Slower deploys
  6. 6. Manual work = risk Separate configuration and code Code it once and maintain templates, not instances No/limited custom configurations Ensure historical vulnerabilities continue to be patched ©2015 Logicworks. All Rights Reserved. 6 Why Automate? Basic Principles of SecOps
  7. 7. Best Practices Security and Advanced Automation in the Enterprise ©2015 Logicworks. All Rights Reserved. 7
  8. 8. Infrastructure Buildout Configuration Management Iterative Deployment Process Monitoring ©2015 Logicworks. All Rights Reserved. 8 Best Practices: Architecture Overview
  9. 9. Infrastructure Buildout Configuration Management Iterative Deployment Process Monitoring ©2015 Logicworks. All Rights Reserved. 9 Best Practices: Architecture Overview
  10. 10. ©2015 Logicworks. All Rights Reserved. 10 Best Practices: Infrastructure Buildout CHALLENGES:  Need new, identical environment for every client  Quick turnaround  HIPAA compliance  Many unique security requirements SOLUTION:  CloudFormation allows us to spin up completely new environment in hours  No manual security group configuration, no AWS Identity and Access Management (IAM) role configuration  Consistent configuration, so updates / security patches are near-simultaneous  “Guaranteed” compliance  Consistent naming conventions
  11. 11. Best Practices: Infrastructure Buildout ©2015 Logicworks. All Rights Reserved. 11 Master CloudFormation Stack { "Resources" : { "mao-prod" : { "Type" : "AWS::CloudFormation::Stack", "Properties" : { "TemplateURL" : "https://s3.amazonaws.com/orion- cf-templates/orion-master-env-cfn.json", "Parameters" : { "EnvironmentName": "mao-prod", "EnvironmentNetwork": "10.64.100.0/24", "ManagementAZ": "a", "PrimaryAZ": "b", "SecondaryAZ": "c", "KeyPair": "lw-orion", "DhcpDomainName": "orionhealth.com", "DhcpNs1": "10.64.196.246", "DhcpNs2": "10.64.196.246", "DhcpNtp": "10.64.196.246", "DhcpNetbios": "10.64.196.246", "GatewayAccessCidr": "206.252.134.18/32", "ManagementDefaultGateway": "10.64.100.1", "ManagementPrivateCidr": "10.64.100.0/27", "ManagementPublicCidr": "10.64.100.32/27", "PrimaryPrivateCidr": "10.64.100.64/27", "PrimaryPublicCidr": "10.64.100.128/26", "SecondaryPrivateCidr": "10.64.100.96/27", "SecondaryPublicCidr": "10.64.100.192/26" }
  12. 12. Best Practices: Infrastructure Buildout ©2015 Logicworks. All Rights Reserved. 12 Master CloudFormation Stack "clx-prod" : { "Type" : "AWS::CloudFormation::Stack", "Properties" : { "TemplateURL" : "https://s3.amazonaws.com/orion-cf-templates/orion-master-env-cfn.json", "Parameters" : { "EnvironmentName": "clx-prod", "EnvironmentNetwork": "10.64.101.0/24”, ... } } }, "clx-dev" : { "Type" : "AWS::CloudFormation::Stack", "Properties" : { "TemplateURL" : "https://s3.amazonaws.com/orion-cf-templates/orion-master-env-cfn.json", "Parameters" : { "EnvironmentName": "clx-dev", "EnvironmentNetwork": "10.64.110.0/24", ... }. } } } }
  13. 13. Best Practices: Infrastructure Buildout ©2015 Logicworks. All Rights Reserved. 13 CloudFormation COOL TRICKS:  Register static ENIs to enable support for fixed private IPs, simplifying route management  Manage LaunchConfiguration updates and reduce confusion in Auto Scaling groups  Easily test boot process by terminating instances in fixed-size Auto Scaling groups. WHAT CLOUDFORMATION DOES:  Build network foundation  Configure gateways and access points  Install management services, like Puppet  Allocate Amazon S3 buckets  Attach encrypted volumes  Control and manage access though IAM  Register DNS names with Amazon Route 53  Configure log shipping and retention
  14. 14. ©2015 Logicworks. All Rights Reserved. 14 Best Practices: Configuration Management CHALLENGES:  Quick turnaround, previous MSP suddenly ceased operations  Global presence, end-users mostly in Europe  PCI compliance requirements SOLUTION:  Most crucial part of an instance lifetime is standard across instances  Continual check-in rolls back non- authorized changes  Living single source of truth on instance configuration  Changes are recorded  Prevents regressions
  15. 15. Best Practices: Configuration Management ©2015 Logicworks. All Rights Reserved. 15 BASH vs. Puppet BASH Puppet
  16. 16. Best Practices: Configuration Management ©2015 Logicworks. All Rights Reserved. 16 Puppet COOL TRICKS:  Functions run on the PuppetMaster, so sensitive AWS API calls can be made from custom Puppet functions so only the PM needs privileges API access  Puppet ‘apply’ can configure assets before a PuppetMaster even exists, making it possible to bootstrap an entire environment from scratch  Puppet’s idempotent design ensures manifests can be re-applied to snapshotted AMIs without issue — save time on boot by saving an interstitial image STUFF THAT NEEDS TO HAPPEN:  Configure hostnames  Bind instance to central authentication  Require MFA on bastion host  Install NTP, MTA, and other essentials  Install log shipping and monitoring software  Install IDS agents (AlertLogic)  Provision machine for deploy
  17. 17. ©2015 Logicworks. All Rights Reserved. 17 Best Practices: Deploy CHALLENGES:  Agile development process  Catch 22: Auto scaling often, they want instance up quickly w/latest version of software  Make sure instances do not get added to load balancer before they’re ready SOLUTION: CodeDeploy ensures that all your instances have the latest software  Simultaneous deployment across auto scaling group maintains HA  Respond to security threats quickly  Jenkins also suitable, but requires custom build scripts for AWS
  18. 18. Best Practices: Deploy ©2015 Logicworks. All Rights Reserved. 18 CodeDeploy Overview
  19. 19. Best Practices: Deploy ©2015 Logicworks. All Rights Reserved. 19 CodeDeploy STUFF THAT NEEDS TO HAPPEN: 1.  Create deployable content and add to AppSpec file and bundle into an archive file 2.  Upload the archive file to Amazon S3 or GitHub 3.  Provide CodeDeploy with information about which set of instances to deploy the revision to 4.  The Agent polls CodeDeploy to determine what and when to pull the revision from the S3 bucket or GitHub repository 5.  The Agent pulls the revision and starts deploying the contents to that instance, following the instructions in the AppSpec file
  20. 20. ©2015 Logicworks. All Rights Reserved. 20 Best Practices: Monitoring  Customized dashboards  Automated reporting  Trend analysis  First response  Change monitoring w/ AWS CloudTrail integration  IAM reporting  Geographic awareness of data  Visibility into key security settings  Cost analysis  Threat Manager (IDS)  Log Manager collects parses, analyses data  Custom reporting
  21. 21. Automate All The Things! Security and Advanced Automation in the Enterprise ©2015 Logicworks. All Rights Reserved. 21
  22. 22. ©2015 Logicworks. All Rights Reserved. 22 Automate All The Things Feature Tool Security Groups CloudFormation Network ACL (Firewall) CloudFormation Subnet Sizing CloudFormation Naming CloudFormation, Puppet Authentication Puppet Encryption CloudFormation (S3), Puppet (GPG) Anti-Virus Puppet Hosts/Users Puppet Software Versions Puppet Log Shipping / Aggregator Puppet
  23. 23. ©2015 Logicworks. All Rights Reserved. 23 Automate All The Things: Security Groups Inconsistent naming conventions are a bigger security threat than many think.
  24. 24. ©2015 Logicworks. All Rights Reserved. 24 Automate All The Things: Encryption BEST PRACTICES:  Create encrypted Amazon Elastic Block Store (Amazon EBS) volumes to store the most sensitive data  Use S3 bucket policies to force use of server-side encryption  Use Puppet to configure applications to use encrypted storage for sensitive data  Force SSL ciphers and encryption standards across all web hosts { "Version":"2012-10-17", "Id":"PutObjPolicy", "Statement":[{ "Sid": "DenyUnEncryptedObjectUploads", "Effect":"Deny", "Principal":"*", "Action":"s3:PutObject", "Resource":"arn:aws:s3:::YourBucket/*", "Condition":{ "StringNotEquals":{ "s3:x-amz-server-side-encryption": "AES256" } } }] }
  25. 25. ©2015 Logicworks. All Rights Reserved. 25 Automate All The Things: Authentication BEST PRACTICES:  Bind all instances to ActiveDirectory domain control at boot  Install MFA extensions  Import custom root CA certificates into java keystores  Puppet-managed sudo access MANAGING SECRETS:  Use Amazon EC2 Instance roles to grant limited access to S3 for fetching credentials files.  Pass sensitive parameters into your Puppet classes instead of hard- coding  Use Hiera to configure credentials for each environment dynamically
  26. 26. ©2015 Logicworks. All Rights Reserved. 26 Automate All The Things: Authentication /etc/puppet/hiera.d/production.yml authentication::ad_netbios_name: "DOMAIN" authentication::ad_realm_name: "domain.example.com" authentication::ad_bind_username: "ec2-bin" authentication::ad_bind_passwd: "BynbeQuocs" /etc/puppet/hiera.yaml --- :backends: yaml :yaml: :datadir: /etc/puppet/hiera.d :hierarchy: - “%{::environment}” - common :logger: puppet /etc/puppet/hiera.d/testing.yml authentication::ad_netbios_name: ”TEST" authentication::ad_realm_name: ”test.example.com" authentication::ad_bind_username: "ec2-bin" authentication::ad_bind_passwd: "lymKuaj5"
  27. 27. About Logicworks ©2015 Logicworks. All Rights Reserved. 27 Global leader in enterprise cloud strategy and managed hosting, offering a single provider solution for improving the performance, availability, and security of mission-critical IT systems. Services: Enterprise Cloud Strategy Managed Private Cloud Security and Compliance Managed AWS  Trusted advisor for enterprises moving to the cloud  Over 20 years of experience managing complex enterprise IT systems  Premier AWS Partner with dedicated AWS DevOps team  Average architect and engineer experience >20 years  Security and compliance expertise for Healthcare, Financial Services, eCommerce, and Government organizations
  28. 28. Thank you ©2015 Logicworks. All Rights Reserved. Phil Christensen Logicworks www.logicworks.net Visit Logicworks’ Booth #217 for more information on AWS Managed Services

×