AWS and the cloud have ushered in a new era for information security and risk professionals. In this session, we will talk through how the world's leading corporations are reinventing their internal GRC (governance, risk and compliance) practices to let their business capture the value of AWS while improving the security posture of their organisation. We will talk about the journey undertaken by globally regulated entities such as Capital One, who now believe they can operate more securely in the public cloud than in their own data centres. Finally, we will provide lessons and best practices on how you can use AWS to improve the security posture of your organisation.
Speaker: Rodney Haywood, Manager Solutions Architecture, Amazon Web Services
Featured Customer - Xero
2. "The financial services industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers."
Rob Alexander, CIO, Capital One
15. What Assets do I Have?
View Current Assets via Multiple Interfaces
• AWS Management Console
• AWS SDKs
• AWS CLI
• Windows PowerShell
16. What Instances do I Have in a Region?
AWS SDK for Ruby
#!/usr/bin/ruby
# AWS SDK for Ruby (v1 API): print the ID of every EC2 instance in the Sydney region
require 'rubygems'
require 'aws-sdk'
AWS.regions['ap-southeast-2'].ec2.instances.each do |instance|
  puts instance.id
end
OUTPUT
i-9e47d6a1
i-93eb2cad
i-9bc1b747
i-5085ef8c
i-49739697
AWS CLI
$ aws ec2 describe-instances --query "Reservations[*].Instances[*].InstanceId" --output text
17. What Access is Occurring?
AWS CloudTrail
• Records AWS API calls to S3, giving you a history of activity in the account
• Each record includes the identity, time and source IP address of the API caller, the request parameters and the response elements returned
• Enables security analysis, resource change tracking and compliance auditing
• Optionally encrypted with your AWS KMS key
• Optional log file integrity validation
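The fields listed above are what a reviewer actually works with once the log files land in S3. The following is an added example (not code from the talk or from AWS) that parses a CloudTrail log file body and flags the records a security reviewer would want to look at first: root credential use, API calls that change identities or the trail itself, and failed calls. The records, account ID and IP addresses are constructed placeholders; the record field names follow the documented CloudTrail record format.

```python
"""Added example (not from the talk): summarise a CloudTrail log file body.

Assumptions: records follow the documented CloudTrail record format
(eventTime, eventName, eventSource, userIdentity, sourceIPAddress,
requestParameters, responseElements, errorCode). The records below are
constructed for illustration; the account id and IPs are placeholders.
"""
import json
from collections import Counter

# Constructed sample log file, in the {"Records": [...]} shape CloudTrail writes to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2016-08-10T01:02:03Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "svc-deploy"},
     "responseElements": {"user": {"userName": "svc-deploy"}}},
    {"eventTime": "2016-08-10T01:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"name": "arn:aws:cloudtrail:ap-southeast-2:111111111111:trail/main"},
     "responseElements": None},
    {"eventTime": "2016-08-10T01:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ops/bob"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {}, "responseElements": None},
    {"eventTime": "2016-08-10T01:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"userName": "svc-deploy",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "responseElements": None, "errorCode": "AccessDenied"},
]})

# API calls worth a second look: they alter identities/permissions or the audit trail itself.
WATCHED_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "iam.amazonaws.com": {"CreateUser", "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey"},
}


def parse_records(log_text):
    """Return the list of records from a CloudTrail log file body."""
    return json.loads(log_text)["Records"]


def caller_name(identity):
    """Human-readable caller: root, an IAM user name, or the assumed-role ARN."""
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName") or identity.get("arn", "unknown")


def summarise(records):
    """Per-caller API call counts plus a list of findings to review."""
    by_caller = Counter()
    findings = []
    for r in records:
        caller = caller_name(r["userIdentity"])
        by_caller[caller] += 1
        watched = WATCHED_EVENTS.get(r["eventSource"], set())
        reasons = []
        if r["userIdentity"].get("type") == "Root":
            reasons.append("root credentials used")
        if r["eventName"] in watched:
            reasons.append("sensitive API: " + r["eventName"])
        if r.get("errorCode"):
            reasons.append("failed with " + r["errorCode"])
        if reasons:
            findings.append({"time": r["eventTime"], "caller": caller,
                             "source_ip": r["sourceIPAddress"],
                             "event": r["eventName"],
                             "request": r.get("requestParameters"),
                             "reasons": reasons})
    return by_caller, findings


if __name__ == "__main__":
    counts, found = summarise(parse_records(SAMPLE_LOG))
    print(dict(counts))
    for f in found:
        print(f["time"], f["caller"], f["source_ip"], f["event"], "; ".join(f["reasons"]))
```

Run against real data, the same function would be applied to each gzipped object under the trail's S3 prefix; the point of the watch-list is that a record stopping the trail or granting a policy is reviewed even when the call was denied, because the attempt itself is the signal.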
19. Is Access and Permission Being Used?
• IAM Password & IAM Access Key last used details
• IAM Access Advisor
22. What Activity is Occurring?
AWS CloudWatch Events
• Near real-time stream of system events that describe changes in AWS resources
• Supported events include console login, auto scaling, instance state change, an API call or a schedule
• Triggers a Lambda function, SNS topic, SQS queue, Kinesis stream or built-in function
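A CloudWatch Events rule is an event pattern plus a target. The following is an added example, not code from the talk or from AWS, that reimplements the basic pattern-matching rule (every key in the pattern must be present in the event, a leaf value must equal one of the listed values, nested objects match recursively) so a rule for console logins without MFA can be tested offline, together with a Lambda-style target that turns a matching event into an alert string. The event, account ID and IP address are constructed; the pattern semantics are the basic ones only, not the later content-filter extensions.

```python
"""Added example (not from the talk): the matching rule CloudWatch Events applies
between an event pattern and an event, reimplemented so it can be tested offline.

Assumptions: basic pattern semantics only (every key in the pattern must exist in
the event; leaf values are lists of allowed exact values; nested objects match
recursively). The event below is constructed in the shape of a console sign-in
event delivered via CloudTrail; account id and IP are placeholders.
"""

# Pattern: route every console login where MFA was not used.
NO_MFA_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin"],
        "additionalEventData": {"MFAUsed": ["No"]},
    },
}

# Constructed sample event (shape of a CloudWatch Events console sign-in event).
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "AWS Console Sign In via CloudTrail",
    "source": "aws.signin",
    "account": "111111111111",
    "time": "2016-08-10T01:02:03Z",
    "region": "ap-southeast-2",
    "detail": {
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No",
                                "LoginTo": "https://console.aws.amazon.com/"},
    },
}


def matches(pattern, event):
    """True if the event satisfies the pattern (all pattern keys, any listed value)."""
    for key, wanted in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(wanted, dict):
            if not isinstance(actual, dict) or not matches(wanted, actual):
                return False
        elif actual not in wanted:
            # Leaf: the event value must equal one of the listed values.
            return False
    return True


def handler(event, context=None):
    """Lambda-style target: return the alert text for a matching event, else None."""
    if not matches(NO_MFA_LOGIN_PATTERN, event):
        return None
    d = event["detail"]
    user = d["userIdentity"].get("userName", d["userIdentity"].get("type"))
    return "Console login without MFA: user=%s ip=%s result=%s" % (
        user, d["sourceIPAddress"], d["responseElements"]["ConsoleLogin"])


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

In a deployed rule the service does the matching and `handler` would be the Lambda target; keeping the pattern in code alongside the handler lets the rule be unit-tested with recorded events before it is created.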
25. What Network Activity is Occurring?
• VPC Flow Logs: capture IP traffic information to and from VPC interfaces
• AWS Web Application Firewall: improve web traffic visibility to monitor requests that match your security filter criteria
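Flow log records are plain space-separated lines, so the first useful analysis needs no tooling at all. The following is an added example (not code from the talk or from AWS) that parses the default 14-field flow log format, skips the NODATA/SKIPDATA records that carry no flow fields, and summarises rejected inbound connections by destination port and by source, which is the usual first view of what is probing a VPC. The log lines, account ID and addresses are constructed.

```python
"""Added example (not from the talk): parse VPC Flow Log records (the default
14-field format) and summarise rejected inbound traffic.

Assumptions: records are the space-separated default format; the lines below are
constructed, with a placeholder account id and RFC 5737 / private addresses.
"""
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample flow log lines (last one is a NODATA record).
SAMPLE_LINES = """\
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 22 6 6 360 1470790800 1470790860 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51235 3389 6 3 180 1470790800 1470790860 REJECT OK
2 111111111111 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51236 22 6 4 240 1470790860 1470790920 REJECT OK
2 111111111111 eni-0a1b2c3d 198.51.100.9 10.0.1.20 44100 443 6 20 4249 1470790800 1470790860 ACCEPT OK
2 111111111111 eni-0a1b2c3d 10.0.1.20 198.51.100.9 443 44100 6 18 9120 1470790800 1470790860 ACCEPT OK
2 111111111111 eni-0a1b2c3d - - - - - - - 1470790920 1470790980 - NODATA
"""


def parse_line(line):
    """Turn one record into a dict; numeric fields become ints, '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[f] = None if rec[f] == "-" else int(rec[f])
    return rec


def parse(text):
    """Parse every non-empty line of a flow log file body."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def rejected_by_port(records, vpc_prefix="10."):
    """Count REJECTed flows whose destination is inside the VPC, keyed by dst port."""
    counts = defaultdict(int)
    for r in records:
        if r["log_status"] != "OK":   # NODATA / SKIPDATA records carry no flow fields
            continue
        if r["action"] == "REJECT" and r["dstaddr"].startswith(vpc_prefix):
            counts[r["dstport"]] += 1
    return dict(counts)


def noisy_sources(records, threshold=2):
    """Sources with at least `threshold` rejected flows, sorted (probing candidates)."""
    seen = defaultdict(int)
    for r in records:
        if r["log_status"] == "OK" and r["action"] == "REJECT":
            seen[r["srcaddr"]] += 1
    return sorted(ip for ip, n in seen.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse(SAMPLE_LINES)
    print("rejected flows by destination port:", rejected_by_port(recs))
    print("sources with repeated rejects:", noisy_sources(recs))
```

The `vpc_prefix` argument is a simplification: in practice the check would use the VPC's CIDR blocks. Note that a REJECT only means a security group or network ACL dropped the packet; the interesting signal is the source that keeps trying.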
26. What Activity Occurred?
AWS Config
A fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.
• Supports EC2, IAM and CloudTrail
• Interactive view in AWS Management Console
• History files stored in S3
• Send change events to an SNS topic
32. Audits, Accreditations and Certifications
• Independent 3rd party assessors review and validate AWS internal controls
• Audit reports (such as SOC1 & SOC2) are available under NDA.
• You can review the control results and auditor notes.
• You can take comfort that the controls have been appropriately implemented and are operating effectively.
33. Building your own accreditation on AWS
(Diagram: your own accreditation, your own certifications and your own external audits sit on top of the AWS Foundation Services and the AWS Global Infrastructure.)
• Start with services built on AWS' consistent baseline of validated controls
• Customer scope and effort is reduced
• Better results through focused efforts
34. Shared Responsibility across Deployment Models
Infrastructure Services (Amazon EC2)
• Customers: Data, Customer IAM, Applications, Operating System, Networking/Firewall
• AWS: AWS IAM, AWS Foundation Services, AWS Global Infrastructure
Container Services (Amazon RDS, Amazon Redshift, Elastic Load Balancing)
• Customers: Data, Customer IAM, Networking/Firewall
• AWS: Applications, Operating System, AWS IAM, AWS Foundation Services, AWS Global Infrastructure
Abstract Services (Amazon DynamoDB, Amazon S3, Amazon Kinesis)
• Customers: Data, Customer IAM
• AWS: Applications, Operating System, Networking/Firewall, AWS IAM, AWS Foundation Services, AWS Global Infrastructure
38. https://github.com/awslabs/aws-config-rules/
A community-based source of custom rules for AWS Config. For example:
23. Ensure that no users have password policy requirements weaker than
specified.
24. Ensure that no users have access keys that have never been used.
25. Ensure that there are no users that have never been logged in.
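Rules 23 to 25 above and the IAM "last used" data from slide 19 are the same data looked at two ways: the credential report says when each password and access key was last used, and the account password policy says what strength is enforced. The following is an added example, not code from the talk or from the aws-config-rules repository, that implements those three checks offline. It assumes the CSV column names of `aws iam get-credential-report` (abridged here to the columns used) and the key names returned by `aws iam get-account-password-policy`; the rows, account ID and the "required" policy values are constructed for the example.

```python
"""Added example (not from the talk): the checks behind aws-config-rules items 23-25
and the IAM "last used" data, run over a credential report offline.

Assumptions: the CSV uses the column names of `aws iam get-credential-report`
(abridged here to the columns used; the real report has more); 'N/A',
'not_supported' and 'no_information' all mean "no value". The rows are
constructed; the account id is a placeholder.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed, abridged credential report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2015-01-01T00:00:00+00:00,not_supported,2016-07-01T09:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2015-03-01T00:00:00+00:00,true,2016-08-01T08:00:00+00:00,true,true,2016-08-09T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2015-06-01T00:00:00+00:00,true,no_information,false,true,N/A,false,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2016-02-01T00:00:00+00:00,false,N/A,false,true,2016-02-03T00:00:00+00:00,true,N/A
"""

NO_VALUE = {"N/A", "not_supported", "no_information", ""}


def parse_ts(value):
    """ISO-8601 timestamp with offset -> naive UTC datetime, or None for 'no value'."""
    if value in NO_VALUE:
        return None
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")


def credential_findings(report_csv, now, max_unused_days=90):
    """(user, finding) pairs: never-used keys, stale keys, never-used passwords (rules 24, 25)."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        for n in ("1", "2"):
            if row["access_key_%s_active" % n] != "true":
                continue   # inactive or absent keys are not a usage concern
            last = parse_ts(row["access_key_%s_last_used_date" % n])
            if last is None:
                findings.append((user, "access key %s never used" % n))
            elif now - last > timedelta(days=max_unused_days):
                findings.append((user, "access key %s unused for >%d days" % (n, max_unused_days)))
        if row["password_enabled"] == "true" and parse_ts(row["password_last_used"]) is None:
            findings.append((user, "console password set but never used"))
    return findings


# Minimum password policy to enforce (these values are this example's choice, rule 23).
REQUIRED_POLICY = {"MinimumPasswordLength": 14, "RequireSymbols": True,
                   "RequireNumbers": True, "RequireUppercaseCharacters": True,
                   "RequireLowercaseCharacters": True, "MaxPasswordAge": 90,
                   "PasswordReusePrevention": 24}


def policy_gaps(actual, required=REQUIRED_POLICY):
    """Settings in `actual` (shape of get-account-password-policy) weaker than required."""
    gaps = []
    for key, want in required.items():
        have = actual.get(key)
        if key == "MaxPasswordAge":
            weaker = have is None or have > want   # no expiry at all, or longer than allowed
        elif isinstance(want, bool):
            weaker = not have
        else:
            weaker = have is None or have < want
        if weaker:
            gaps.append(key)
    return gaps


if __name__ == "__main__":
    for user, finding in credential_findings(SAMPLE_REPORT, datetime(2016, 8, 10)):
        print(user, "-", finding)
    print("policy gaps:", policy_gaps({"MinimumPasswordLength": 8, "RequireNumbers": True}))
```

Wired into a Config rule, `credential_findings` would run on a schedule (the credential report is generated on demand and cached) and each finding would become a NON_COMPLIANT evaluation for that IAM user; `policy_gaps` is the check on the account-level password policy resource.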
39. AWS Foundations Benchmark
A set of security configuration best practices for AWS, providing AWS users with clear, step-by-step implementation and assessment procedures.
41. Cloud Custodian
Cloud Custodian is a rules engine for AWS resource management. It allows users to define policies to be enforced to enable a well-managed cloud, with metrics and structured outputs. It consolidates the many ad hoc scripts organizations have into a lightweight and flexible tool.
Organizations can use Custodian to manage their AWS environments by ensuring compliance with security policies and tag policies, garbage collection of unused resources, and cost management via off-hours resource management.
47. Three Lines of Defense
1st Line of Defense: Operations
2nd Line of Defense: Supervision
3rd Line of Defense: Evaluation
48. Three Lines of Defense – Responsibilities
1st Line of Defense (Operations): Management Controls, Internal Control Measures
2nd Line of Defense (Supervision): Financial Control, Security, Risk Management, Quality, Inspection, Compliance
3rd Line of Defense (Evaluation): Internal Audit
49. Three Lines of Defense – Applicable Controls
1st Line of Defense: Operations; 2nd Line of Defense: Supervision; 3rd Line of Defense: Evaluation
Controls
• Transparency
• Log Processing
• Policy Review
• Separation of Duties
• Account Governance
• Event Review
Controls
• Configuration Controls
• Authorisation Controls
• Change Controls
• Logging & Integrity Controls
• Policy Controls
• Policy Violation Controls
Controls
• Network Controls
• Access Controls
• Traceability Controls
• Encryption Controls
• Awareness and Response Controls
50. Three Lines of Defense – AWS Services
1st Line of Defense: Operations; 2nd Line of Defense: Supervision; 3rd Line of Defense: Evaluation
AWS Applicable Services: Amazon VPC, AWS IAM, AWS KMS, Amazon CloudWatch, AWS Config, AWS CloudTrail, AWS CloudFormation, Permissions, Amazon SNS, Amazon Inspector, Amazon S3, AWS Marketplace, AWS Trusted Advisor
51. 3 Lines of Defense Example
Control : Are policies enforced?
Enforcement : Configuration Management
52. 1st Line of Defense (Operations) : Configuration Management
An Admin defines a CloudFormation template and publishes it to AWS Service Catalog; Users browse and launch it, and Service Catalog provisions the CloudFormation stack.
53. 2nd Line of Defense (Supervision) - Configuration Monitoring
An Admin defines a CloudFormation template and publishes it to AWS Service Catalog; Users browse and launch it, and Service Catalog provisions the CloudFormation stack. AWS Config records the provisioned resources and AWS Config rules evaluate them.
54. 3rd Line of Defense (Evaluation) - Configuration Log Testing
An Admin defines a CloudFormation template and publishes it to AWS Service Catalog; Users browse and launch it, and Service Catalog provisions the CloudFormation stack. AWS Config records the provisioned resources and AWS Config rules evaluate them; AWS CloudTrail delivers the API activity to Amazon S3, where the logs can be tested.
55. Three Lines of Defense – Risk Management
1st Line of Defense (Operations): INFRASTRUCTURE AS CODE
2nd Line of Defense (Supervision): AUTOMATE COMPLIANCE
3rd Line of Defense (Evaluation): TOTAL TRANSPARENCY
59. Xero in numbers
600,000 subscribers
$474M raised in capital
$356B+ transactions processed in past 12 mths
23M+ businesses have interacted on the Xero platform
215M+ invoices in past 12 mths
1300+ staff globally
$121M+ subscription revenue FY15
All figures shown are in NZD
60. Public cloud migration
• Improving data protection
• Eliminating scheduled downtime
• Maintaining and improving our security
• Support the next wave of growth
• Reducing our per customer cost
61. Key Principles
• Repeatable and automated build and management of security systems
• Accelerated pace of security innovation
• On-demand security infrastructure that works at any scale
62. Security as a Service
• VPN connectivity
• Host-based security
• Web application security and delivery
• Shared key management services
• Security operations and consulting services
• Secure bastion access
• Proxy services
63. Key Learnings
• Security by Design - what's that?
• Communication is key - who are your spokespeople?
• Measure and test, monitor everything
• Welcome to the cloud - "Where's my span port?"
64. Final Takeaways
• Repeatable and automated build and management of security systems
• Accelerated pace of security innovation
• On-demand security infrastructure that works at any scale
67. AWS Training & Certification
Intro Videos & Labs: free videos and labs to help you learn to work with 30+ AWS services – in minutes!
Training Classes: in-person and online courses to build technical skills – taught by accredited AWS instructors
Online Labs: practice working with AWS services in a live environment – learn how related services work together
AWS Certification: validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready
Learn more: aws.amazon.com/training
68. Your Training Next Steps:
✓ Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer
✓ Register & attend AWS instructor-led training
✓ Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Learn more: aws.amazon.com/training