
Amazon Web Services Federation Integration Governance Workshop with Layer 7


For these customers needing a way to bridge the enterprise and public cloud without limiting scale out, Layer 7 demonstrates a simple solution for addressing the challenges of federation, integration and governance using the Layer 7 AWS Gateway.

Published in: Technology, Business


  1. Amazon Web Services - Federal
     Sri Vasireddy, Federal Solutions Architect
  2. AWS Cloud Security Model Overview
     Shared Responsibility Model
     - Customer/SI Partner/ISV controls guest OS-level security, including patching and maintenance
     - Application-level security, including password and role-based access
     - Host-based firewalls, including Intrusion Detection/Prevention Systems
     - Encryption/Decryption of data; Hardware Security Modules
     - Separation of Access
     Certifications & Accreditations
     - Sarbanes-Oxley (SOX) compliance
     - ISO 27001 Certification
     - PCI DSS Level I certification
     - HIPAA compliant architecture
     - SAS 70 Type II Audit
     - FISMA Low ATO
     - Pursuing FISMA Moderate ATO
     - Pursuing DIACAP MAC II Sensitive
     - FedRAMP
     Service Health Dashboard
     Network Security
     - Instance firewalls can be configured in security groups; traffic may be restricted by protocol, by service port, and by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
     - Virtual Private Cloud (VPC) provides IPSec VPN access from the existing enterprise data center to a set of logically isolated AWS resources
     VM Security
     - Multi-factor access to Amazon Account
     - Instance Isolation
       - Customer-controlled firewall at the hypervisor level
       - Neighboring instances are prevented from accessing each other
       - Virtualized disk management layer ensures only account owners can access storage disks (EBS)
     - Support for SSL endpoint encryption for API calls
     Physical Security
     - Multi-level, multi-factor controlled access environment
     - Controlled, need-based access for AWS employees (least privilege)
     Management Plane Administrative Access
     - Multi-factor, controlled, need-based access to administrative hosts
     - All access logged, monitored, reviewed
     - AWS Administrators DO NOT have access inside a customer’s VMs, including applications and data
  7. AWS Certifications
     Shared Responsibility Model
     - Sarbanes-Oxley (SOX)
     - SAS70 Type II Audit
     - PCI Data Security Standard compliance
     - Working on FISMA A&A
     - NIST Low Approvals to Operate
     - Actively pursuing NIST Moderate
     - ATOs in progress at several agencies
     - ST&E and Moderate Controls available now for incorporation into SSP
     - Actively pursuing FedRAMP
     - Includes DIACAP MAC II Sensitive
     - ISO 27001 Certification
     - Customers have deployed various compliant applications such as HIPAA (healthcare)
  8. Amazon Web Services: Durable & Available
     Note: Conceptual drawing only. The number of Availability Zones may vary
     Diagram: regions US East, EU West, Japan, US West, Singapore and GovCloud (US), each drawn with Availability Zones A and B (one region also shows an Availability Zone C)
     Customer Decides Where the Data Resides
  9. Three Services: Better Together
     Diagram labels: Elastic Load Balancer, Latency, CloudWatch, Auto Scaling, Utilization, Metrics
     Server icons courtesy of
  10. COOP and DR
      Diagram labels: Load Balancer; Availability Zone A and Availability Zone B, each with EC2 instances, Auto Scale, Ephemeral storage and Network IO; EBS Snapshots to Amazon S3 in US EAST and US WEST
      We Can Do Even Better..
  11. AWS Multi-Factor Authentication
      - Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
      - Additional protection for account information
      - Works with: Master Account, IAM Users
      - Integrated into: AWS Management Console, key pages on the AWS Portal, S3 (Secure Delete)
      A recommended opt-in security feature!
  14. Users and Groups within Accounts
      - Unique security credentials: access keys, login/password, MFA device
      - Policies control access to AWS APIs
      - Deep integration into S3: policies on objects and buckets
      - AWS Management Console now supports User log on
      - Not for Operating Systems or Applications: use LDAP, Active Directory, ADFS, etc.
      AWS Identity and Access Management (IAM)
  15. Identity Federation Sample
      Use case:
      - Enterprise employee signs in with his normal credentials
      - Accesses S3 through an enterprise application
      Setup:
      - IIS for enterprise authentication against Active Directory
      - Client application to access S3
      - Read-only access to S3
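The slides say IAM policies control access to AWS APIs and that the federation sample grants read-only access to S3. The following is an added example, not code from the presentation or from AWS: a deliberately simplified model of how such a policy document is evaluated, with a constructed read-only policy (the bucket name is a placeholder) used to check that reads are allowed and writes fall through to the implicit deny.

```python
import fnmatch
import json

# Constructed policy for the slide's "read-only access to S3" setup; the
# bucket name is a placeholder, not a value from the presentation.
READ_ONLY_S3_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"]}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # Action names are matched case-insensitively; '*' is a wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively, again with '*' wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))

def evaluate(policy, action, resource):
    """Simplified IAM decision for one request: an explicit Deny wins, an
    Allow is otherwise required, and the default (implicit) answer is Deny.
    Conditions, NotAction/NotResource and resource policies are not modelled."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt["Action"], action)
                and _resource_matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

The point to take from the model is the order of precedence: adding a broad Allow never overrides an explicit Deny, and any action the policy does not name (such as s3:PutObject here) stays denied.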
  16. Amazon VPC Architecture
      Diagram labels: Customer’s isolated AWS resources, Subnets, NAT, Internet, Router, VPN Gateway, Amazon Web Services Cloud, Secure VPN Connection over the Internet, Customer’s Network
  17. AWS GovCloud (US) Access
      AWS will screen customers prior to providing access to the AWS GovCloud (US). Customers must be:
      - U.S. Persons;
      - not subject to export restrictions; and
      - in compliance with U.S. export control laws and regulations, including the International Traffic In Arms Regulations.
  18. AWS Deployment Models
      Amazon Confidential
  19. Amazon EC2 Instance Isolation
      Diagram: Customer 1, Customer 2 … Customer n, each with its own Security Groups; Hypervisor, Virtual Interfaces, Firewall, Physical Interfaces; Launching EC2
  20. Multi-tier Security Architecture
      AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers
      - Tiers: Web Tier, Application Tier, Database Tier, EBS Volume
      - Ports 80 and 443 only open to the Internet
      - Engineering staff have ssh access to the App Tier, which acts as Bastion
      - Amazon EC2 Security Group Firewall
      - Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier
      - All other Internet ports blocked by default
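The network-security slide describes security groups as instance firewalls that restrict traffic by protocol, port and source (an IP or CIDR block), and the multi-tier slide applies them to a web/app/database layout with only ports 80 and 443 facing the Internet. The following is an added example, not code from the presentation or from AWS: a small model of security-group evaluation, including rules that name another group as their source, plus an audit helper that lists everything open to the whole Internet. Group names, ports and the staff CIDR are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    protocol: str
    port: int
    source: str   # a CIDR block, or the name of another security group

# Constructed groups for the slide's three tiers (hypothetical ports and
# CIDRs). A security group is default-deny: only listed inbound rules pass.
SECURITY_GROUPS = {
    "web": [Rule("tcp", 80, "0.0.0.0/0"),        # the only Internet-facing ports
            Rule("tcp", 443, "0.0.0.0/0")],
    "app": [Rule("tcp", 8080, "web"),            # reachable from the web tier only
            Rule("tcp", 22, "203.0.113.0/24")],  # staff ssh: app tier is the bastion
    "db":  [Rule("tcp", 3306, "app"),            # reachable from the app tier only
            Rule("tcp", 22, "app")],             # third-party ssh arrives via the bastion
}

def allowed(src, dst_group, protocol, port, groups=SECURITY_GROUPS):
    """src is a source IP address or the name of a security group.
    True if some inbound rule on dst_group admits the connection."""
    for rule in groups.get(dst_group, []):
        if rule.protocol != protocol or rule.port != port:
            continue
        if rule.source in groups:              # rule names a source group
            if src == rule.source:
                return True
        elif src not in groups:                # rule is a CIDR, src must be an IP
            if ipaddress.ip_address(src) in ipaddress.ip_network(rule.source):
                return True
    return False

def internet_exposed(groups=SECURITY_GROUPS):
    """Audit check: every (group, protocol, port) open to 0.0.0.0/0."""
    return sorted((name, r.protocol, r.port)
                  for name, rules in groups.items() for r in rules
                  if r.source not in groups
                  and ipaddress.ip_network(r.source).prefixlen == 0)
```

Running internet_exposed() against a real account's exported rules is the check that matches the slide's "all other Internet ports blocked by default" claim: anything beyond the web tier's 80 and 443 in that list is a deviation from the intended design.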
  21. Network Traffic Confidentiality
      Diagram labels: Internet Traffic, Amazon EC2 Instances, Corporate Network, Encrypted File System, Amazon EC2 Instance, Encrypted Swap File, VPN
      - All traffic should be cryptographically controlled
      - Inbound and outbound traffic to corporate networks should be wrapped within industry-standard VPN tunnels (option to use Amazon VPC)
  23. Cloud Federation, Integration and Governance
  24. Agenda
      - The Role of Policy Enforcement in Governing the Cloud
      - Layer 7’s Cloud Security and Governance Solution
      - Conclusion & Questions
  25. Current App Environment
      Diagram labels: NIPRNet or SIPRNet, Firewall, DMZ, Internal Apps, Enterprise On-Premises IT, Identity
  26. Move Cloudable App onto Amazon
      Diagram labels: Cloud Application, DMZ, Firewall, Internal Service Host, Identity??, Enterprise On-Premises IT
  27. Policy Enforcement on Amazon
      Diagram labels: Cloud Application, Firewall, DMZ, Virtual PEP, Internal Service Host, PEP, Enterprise On-Premises IT
  28. Federate Identity
      Diagram labels: Cloud Application, SAML, DMZ, Virtual PEP, Internal Service Host, PEP, Enterprise On-Premises IT, Enterprise Identity Repository
  29. API Mediation
      Diagram labels: Cloud Application, SOAP, REST, or JSON, DMZ, Virtual PEP, Internal Service Host, PEP, Enterprise On-Premises IT
  30. Monitoring
      Diagram labels: Cloud Application, Firewall, DMZ, Virtual PEP, Internal Service Host, PEP, Enterprise On-Premises IT
  31. Putting it all Together for Cloud Governance
      Diagram labels: Monitor and Report, Control, Adapt; Amazon EC2, Virtual Appliance, Amazon EC2, Employee; LDAP, SSO, MS AD, STS, etc; Amazon EC2