Amazon Web Services Federation Integration Governance Workshop with Layer 7

For customers needing a way to bridge the enterprise and the public cloud without limiting scale-out, Layer 7 demonstrates a simple solution to the challenges of federation, integration and governance using the Layer 7 AWS Gateway.

  • Shared Responsibility Environment. AWS services operate under a model of shared responsibility between the customer and AWS. AWS relieves customer burden by managing the physical infrastructure and the components that enable virtualization. For example, a customer using Amazon EC2 should expect AWS to operate, manage and control the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer in turn assumes responsibility for and management of, among other things, the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services and how they are integrated. Customers can enhance security and/or meet more stringent compliance requirements by adding items such as host-based firewalls, host-based intrusion detection/prevention, encryption and key management. The nature of this shared responsibility provides the flexibility and customer control that permits the deployment of solutions that meet industry-specific certification requirements. For instance, customers have built HIPAA-compliant healthcare applications on AWS (see the whitepaper "Creating HIPAA-Compliant Medical Data Applications with AWS").
Control Environment. AWS is a unit within Amazon that is aligned organizationally around each of the web services, such as Amazon EC2 and Amazon S3. AWS leverages various aspects of Amazon's overall control environment in the delivery of these web services. The collective control environment encompasses management and employee efforts to establish and maintain an environment that supports the effectiveness of specific controls.
The control environment at Amazon begins at the highest level of the Company. Executive and senior leadership play important roles in establishing the Company's tone and core values at the top. Every employee is provided with the Company's Code of Business Conduct and Ethics, which sets guiding principles. The AWS organizational structure provides a framework for planning, executing and controlling business operations. The organizational structure assigns roles and responsibilities to provide for adequate staffing, efficiency of operations, and the segregation of duties. Management has also established authority and appropriate lines of reporting for key personnel. The Company's hiring verification processes include education, previous employment, and criminal checks. The Company follows a structured on-boarding process to familiarize new employees with Amazon tools, processes, systems, policies and procedures.
Certifications and Accreditations. Amazon Web Services' controls are evaluated every six months by an independent auditor in accordance with Statement on Auditing Standards No. 70 (SAS 70) Type II audit procedures. The report includes the firm's opinion and the results of its evaluation of the design and operational effectiveness of our most important internal control areas, which are operational performance and security to safeguard customer data. The SAS 70 Type II report, as well as the processes explained in this document, applies to all geographic regions within the AWS infrastructure. AWS plans to continue efforts to obtain industry certifications in order to verify its commitment to provide a secure, world-class cloud computing environment.
  • Point of slide: to explain VPC's high-level architecture, walking through the discrete elements of a VPC and a specific data flow that exemplifies 1) data-in-transit security and 2) continued AAA control by the enterprise.
AWS ("orange cloud"): what everybody knows of AWS today.
Customer's Network ("blue square"): the customer's internal IT infrastructure.
VPC ("blue square on top of orange cloud"): secure container for other object types; includes a border router for external connectivity. These are the isolated resources that customers have in the AWS cloud.
Cloud Router ("orange router surrounded by clouds"): lives within a VPC; anchors an AZ; presents stateful filtering.
Cloud Subnet ("blue squares" inside the VPC): connects instances to a Cloud Router.
VPN Connection: a Customer Gateway and a VPN Gateway anchor the two sides of the VPN Connection and enable secure connectivity, implemented using industry-standard mechanisms (IPsec). Please note that we currently require that whatever customer gateway device is used supports BGP. We actually terminate two (2) tunnels (one tunnel per VPN Gateway) on our side; besides providing high availability, this lets us service one device while maintaining service. As such, we can either connect to one of the customer's BGP-supporting devices (preferably running JunOS or IOS).
  • The Hypervisor. Amazon EC2 currently utilizes a highly customized version of the Xen hypervisor, taking advantage of paravirtualization (in the case of Linux guests). Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest OS has no elevated access to the CPU. The x86 CPU provides four separate privilege modes, 0-3, called rings; ring 0 is the most privileged and ring 3 the least. The host OS executes in ring 0. Rather than executing in ring 0 as most operating systems do, the guest OS runs in the less-privileged ring 1 and applications in the least-privileged ring 3. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two.
Instance Isolation. Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which ensures awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, so an instance's neighbors have no more access to that instance than any other host on the Internet and can be treated as if they were on separate physical hosts. Physical RAM is separated using similar mechanisms.
  • The firewall can be configured in groups, permitting different classes of instances to have different rules. Consider the case of a traditional three-tier web application. The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers would have port 8000 (application-specific) accessible only from the web server group. The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22 (SSH), but only from the customer's corporate network (the command sequence below refines this into a bastion pattern: corporate SSH lands on the App tier, which then hops to Web and DB). Highly secure applications can be deployed using this expressive mechanism. Here is an example of the commands needed to establish the multi-tier security architecture; customers could of course use the AWS Management Console to do the same. Note that ec2auth is the EC2 API tools alias for ec2-authorize: -p is the port, -s a source CIDR, -o a source security group. The corporate and vendor CIDRs did not survive in this copy of the notes and appear as placeholder variables, alongside the deck's own $APP_PORT and $DB_PORT:

    # Permit HTTP(S) access to Web Layer from the Entire Internet
    ec2auth Web -p 80,443 -s 0.0.0.0/0
    # Permit ssh access to App Layer from Corp Network ($CORP_NET is a placeholder CIDR)
    ec2auth App -p 22 -s $CORP_NET
    # Permit ssh access to DB Layer from Vendor Network ($VENDOR_NET is a placeholder CIDR)
    ec2auth DB -p 22 -s $VENDOR_NET
    # Permit Application and DB Layer Access to appropriate internal layers
    ec2auth App -p $APP_PORT -o Web
    ec2auth DB -p $DB_PORT -o App
    # Permit Bastion host access for Web and DB Layers from App Layer
    ec2auth Web -p 22 -o App
    ec2auth DB -p 22 -o App
  • Amazon suggests that all EC2 users cryptographically protect their EC2 control traffic, and SSH is the default method for doing so. Some users elect to wrap all their inbound and outbound traffic to their home corporate network within industry-standard VPN tunnels. Doing so lets them control the confidentiality and integrity of their traffic using industry-standard, tested cryptographic components that they control.
  • To understand why there’s all this excitement, it’s helpful to look at analogies of some major changes that have occurred in other industries over time. Here’s a picture of our CEO at the museum of a beer manufacturing facility in Belgium. This is their electric generator that they used over 100 years ago. There was no electric grid or utility industry then. If you wanted electricity, you made it yourself. That probably seemed very natural at the time – but I guarantee you that making their own electricity didn’t make their beer taste any better. Well, a couple decades later, the electric grid sprang up, and companies stopped making their own electricity; that was a fundamental shift in how they consumed one of their major inputs, and this freed them up to focus on things that likely mattered a lot more to their customers – like the beer. We think the chance exists for the company-owned data center to undergo just as fundamental a transformation over the coming years, as companies realize that they don’t necessarily have to be experts in this. People are now starting to glimpse that future, and find it pretty exciting.
  • Amazon Web Services Federation Integration Governance Workshop with Layer 7

Amazon Web Services - Federal
  • Sri Vasireddy, Federal Solutions Architect

AWS Cloud Security Model Overview
  • Shared Responsibility Model
      Customer/SI partner/ISV controls guest OS-level security, including patching and maintenance
      Application-level security, including password and role-based access
      Host-based firewalls, including intrusion detection/prevention systems
      Encryption/decryption of data; hardware security modules
      Separation of access
  • Certifications & Accreditations
      Sarbanes-Oxley (SOX) compliance
      ISO 27001 certification
      PCI DSS Level 1 certification
      HIPAA-compliant architecture
      SAS 70 Type II audit
      FISMA Low ATO
      Pursuing FISMA Moderate ATO
      Pursuing DIACAP MAC II Sensitive
      FedRAMP
  • Service Health Dashboard
  • Network Security
      Instance firewalls can be configured in security groups
      Traffic may be restricted by protocol, by service port, and by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block)
      Virtual Private Cloud (VPC) provides IPsec VPN access from the existing enterprise data center to a set of logically isolated AWS resources
  • VM Security
      Multi-factor access to the Amazon account
      Instance isolation: customer-controlled firewall at the hypervisor level; neighboring instances prevented access; virtualized disk management layer ensures only account owners can access storage disks (EBS)
      Support for SSL endpoint encryption for API calls
  • Physical Security
      Multi-level, multi-factor controlled access environment
      Controlled, need-based access for AWS employees (least privilege)
  • Management Plane Administrative Access
      Multi-factor, controlled, need-based access to administrative hosts
      All access logged, monitored, reviewed
      AWS administrators do NOT have access inside a customer's VMs, including applications and data

AWS Certifications
  • Shared Responsibility Model
  • Sarbanes-Oxley (SOX)
  • SAS 70 Type II audit
  • PCI Data Security Standard compliance
  • Working on FISMA A&A
      NIST Low Approvals to Operate
      Actively pursuing NIST Moderate
      ATOs in progress at several agencies
      ST&E and Moderate controls available now for incorporation into an SSP
  • Actively pursuing FedRAMP
      Includes DIACAP MAC II Sensitive
  • ISO 27001 certification
  • Customers have deployed various compliant applications, such as HIPAA (healthcare)

Amazon Web Services: Durable & Available
  • Diagram: regions US East, US West, EU West, Japan, Singapore and GovCloud (US), each drawn with Availability Zones A and B (one region also with Availability Zone C). Note: conceptual drawing only; the number of Availability Zones may vary.
  • Customer decides where the data resides

Three Services: Better Together
  • Diagram: Elastic Load Balancer (latency), CloudWatch (metrics, utilization) and Auto Scaling working together

COOP and DR
  • Diagram: a load balancer in front of auto-scaled EC2 instances in Availability Zone A and Availability Zone B (ephemeral storage and network I/O per instance); EBS snapshots stored in Amazon S3 in US East and in Amazon S3 in US West
  • We can do even better...

AWS Multi-Factor Authentication
  • Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
  • Additional protection for account information
  • Works with the master account and IAM users
  • Integrated into the AWS Management Console, key pages on the AWS Portal, and S3 (secure delete)
  • A recommended opt-in security feature!

AWS Identity and Access Management (IAM): Users and Groups within Accounts
  • Unique security credentials: access keys, login/password, MFA device
  • Policies control access to AWS APIs
  • Deep integration into S3: policies on objects and buckets
  • AWS Management Console now supports user log-on
  • Not for operating systems or applications: use LDAP, Active Directory, ADFS, etc.

Identity Federation Sample
  • Use case: an enterprise employee signs in with their normal credentials and accesses S3 through an enterprise application
  • Setup: IIS for enterprise authentication against Active Directory; a client application to access S3; read-only access to S3

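The "Identity Federation Sample" slide (and the IAM slide's point that IAM is not a substitute for LDAP or Active Directory) only names the pieces: an IIS front end that authenticates against AD, a client, and read-only S3. The piece a practitioner has to get right is the credential broker in the middle, and the essential property is that the employee never receives a long-lived access key, only a short-lived session scoped to less than the broker itself holds. The following is an added example, not code from the deck, from AWS or from Layer 7, showing that broker side with STS GetFederationToken. Assumptions: the bucket name, the per-employee prefix convention, the boto3-style `get_federation_token` keyword signature (pass `boto3.client("sts")` in production), and the `FakeSTS` stand-in that makes the example run offline.

```python
"""Credential-vending side of the "Identity Federation Sample" slide.

Added example; not code from the deck, from AWS or from Layer 7.  The broker
(the deck's IIS application) has already authenticated the employee against
Active Directory.  It must not hand out a long-lived AWS access key; instead
it calls STS GetFederationToken with a session policy granting read-only S3
access under the employee's own prefix.  Assumed: bucket name, prefix
convention, boto3-style client signature, and the FakeSTS stand-in.
"""
import json
import re
from fnmatch import fnmatchcase

BUCKET = "example-enterprise-bucket"  # assumed placeholder


def readonly_s3_policy(bucket: str, prefix: str = "") -> dict:
    """Session policy: list the bucket within `prefix` and read objects under it.
    GetFederationToken grants the intersection of this policy and the broker's
    own IAM permissions, so the broker can only delegate a subset of what it holds."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def federation_name(enterprise_user: str) -> str:
    """STS requires Name to match [\\w+=,.@-]{2,32}; AD names such as CORP\\jdoe
    do not, so sanitise before the call rather than let the API reject it."""
    name = re.sub(r"[^\w+=,.@-]", "_", enterprise_user)[:32]
    if len(name) < 2:
        raise ValueError("federation name too short")
    return name


def vend_readonly_credentials(sts, enterprise_user: str, bucket: str = BUCKET,
                              prefix: str = "", duration: int = 3600) -> dict:
    """Mint temporary, read-only credentials for an already-authenticated employee."""
    resp = sts.get_federation_token(
        Name=federation_name(enterprise_user),
        Policy=json.dumps(readonly_s3_policy(bucket, prefix)),
        DurationSeconds=duration,
    )
    creds = resp["Credentials"]
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"],
        "FederatedUser": resp["FederatedUser"]["Arn"],
    }


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Tiny reviewer's evaluator: Allow statements with wildcard Action/Resource,
    Conditions ignored.  Enough to confirm the session is read-only; not full IAM."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatchcase(action, a) for a in actions) and any(
                fnmatchcase(resource, r) for r in resources):
            return True
    return False


class FakeSTS:
    """Constructed stand-in for boto3's STS client so this runs offline.  It applies
    the real API's input constraints (Name format, DurationSeconds 900..129600)."""

    def __init__(self):
        self.calls = []

    def get_federation_token(self, **kwargs) -> dict:
        if not re.fullmatch(r"[\w+=,.@-]{2,32}", kwargs["Name"]):
            raise ValueError("ValidationError: invalid Name")
        if not 900 <= kwargs["DurationSeconds"] <= 129600:
            raise ValueError("ValidationError: invalid DurationSeconds")
        self.calls.append(kwargs)
        user = kwargs["Name"]
        return {
            "Credentials": {"AccessKeyId": "ASIAFAKEEXAMPLE00001", "SecretAccessKey": "fake-secret",
                            "SessionToken": "fake-session-token", "Expiration": "2011-01-01T01:00:00Z"},
            "FederatedUser": {"Arn": f"arn:aws:sts::123456789012:federated-user/{user}"},
        }


if __name__ == "__main__":
    sts = FakeSTS()
    creds = vend_readonly_credentials(sts, "CORP\\jdoe", prefix="jdoe/")
    print("federated as", creds["FederatedUser"], "until", creds["Expiration"])
    pol = readonly_s3_policy(BUCKET, "jdoe/")
    print("PutObject allowed:", policy_allows(pol, "s3:PutObject", f"arn:aws:s3:::{BUCKET}/jdoe/x"))
```

Two design points worth noting. The broker's own IAM user needs a permanent key, so it is the one credential to guard (it belongs on the IIS host behind the firewall, never in the client), and since GetFederationToken returns the intersection of the session policy and the broker's policy, giving the broker only read access to the bucket bounds the damage even if the broker's policy-building code is wrong. The sanitising in `federation_name` matters because the Name ends up in the federated-user ARN and in CloudTrail, so it should map back to exactly one AD identity.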
Amazon VPC Architecture
  • Diagram: the customer's isolated AWS resources (subnets, NAT, router, VPN gateway) inside the Amazon Web Services cloud, with Internet access and a secure VPN connection over the Internet to the customer's network

AWS GovCloud (US) Access
  • AWS will screen customers prior to providing access to AWS GovCloud (US). Customers must be U.S. persons, must not be subject to export restrictions, and must comply with U.S. export control laws and regulations, including the International Traffic in Arms Regulations.

AWS Deployment Models
  • Diagram slide

Amazon EC2 Instance Isolation
  • Diagram: instances of Customer 1, Customer 2 ... Customer n launched on one hypervisor; each customer's virtual interfaces pass through the firewall, which applies that customer's security groups, before reaching the physical interfaces

Multi-tier Security Architecture
  • AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers
  • Diagram: Web Tier, Application Tier and Database Tier (with EBS volume), each behind the Amazon EC2 security group firewall
  • Ports 80 and 443 only open to the Internet; all other Internet ports blocked by default
  • Engineering staff have ssh access to the App Tier, which acts as bastion
  • Authorized third parties can be granted ssh access to select AWS resources, such as the Database Tier

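The speaker notes on security groups give the ec2auth sequence for the three-tier design, and the "Multi-tier Security Architecture" slide above states the properties it is meant to guarantee (only 80/443 exposed, App tier as bastion, vendor ssh only to DB). The property worth checking is the one that breaks silently: since security-group rules only ever add permissions, a single extra rule on the wrong group opens a tier to the Internet without disturbing anything else. The following is an added example, not code from the deck, from AWS or from Layer 7: a small offline model that mirrors the ec2auth rules and then audits what an arbitrary Internet host can reach. The corporate and vendor CIDRs (RFC 5737 test networks), the probe address, and 8000/3306 standing in for `$APP_PORT`/`$DB_PORT` are assumptions.

```python
"""Offline model of the three-tier security-group design from the deck.

Added example; not code from the deck, from AWS or from Layer 7.  It mirrors
the ec2auth sequence rule for rule, then answers the questions a reviewer
asks of such a design: what can an arbitrary Internet host reach, and can a
tier talk to the tier it should not?  Assumed: corporate and vendor CIDRs
(RFC 5737 test nets), the probe address, 8000/3306 for $APP_PORT/$DB_PORT.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

INTERNET = "0.0.0.0/0"
CORP_NET = "198.51.100.0/24"    # assumed placeholder for the corporate network
VENDOR_NET = "203.0.113.0/24"   # assumed placeholder for the vendor network
APP_PORT, DB_PORT = 8000, 3306  # assumed values for $APP_PORT / $DB_PORT
PROBE_IP = "192.0.2.1"          # "some host on the Internet": outside both nets


@dataclass
class Rule:
    """One inbound TCP rule: a port opened to a CIDR or to another security group."""
    port: int
    src_cidr: Optional[ipaddress.IPv4Network] = None
    src_group: Optional[str] = None


@dataclass
class SecurityGroups:
    """Default-deny inbound model.  Rules only ever add permissions, which is
    exactly why a stray `-s 0.0.0.0/0` on the wrong group is so easy to miss."""
    groups: Dict[str, List[Rule]] = field(default_factory=dict)

    def auth(self, group: str, port: int, s: Optional[str] = None, o: Optional[str] = None) -> None:
        """`ec2auth GROUP -p PORT -s CIDR` or `ec2auth GROUP -p PORT -o SOURCE_GROUP`."""
        if (s is None) == (o is None):
            raise ValueError("give exactly one of -s (source CIDR) or -o (source group)")
        cidr = ipaddress.ip_network(s) if s else None
        self.groups.setdefault(group, []).append(Rule(port, cidr, o))

    def allows(self, group: str, port: int, src: str) -> bool:
        """Can `src` reach `port` on `group`?  `src` is an IP address (an outside
        host) or a group name (an instance launched in that group)."""
        for r in self.groups.get(group, []):
            if r.port != port:
                continue
            if r.src_group is not None and r.src_group == src:
                return True
            if r.src_cidr is not None:
                try:
                    if ipaddress.ip_address(src) in r.src_cidr:
                        return True
                except ValueError:
                    pass  # src is a group name, not an address
        return False

    def reachable_from(self, src: str) -> Set[Tuple[str, int]]:
        """Every (group, port) that `src` can reach."""
        return {(g, r.port) for g, rules in self.groups.items()
                for r in rules if self.allows(g, r.port, src)}


def three_tier() -> SecurityGroups:
    """The deck's ec2auth sequence, rule for rule (`-p 80,443` split into two calls)."""
    sg = SecurityGroups()
    sg.auth("Web", 80, s=INTERNET)       # HTTP(S) to Web from the entire Internet
    sg.auth("Web", 443, s=INTERNET)
    sg.auth("App", 22, s=CORP_NET)       # ssh to App (the bastion) from corp
    sg.auth("DB", 22, s=VENDOR_NET)      # ssh to DB from the vendor network
    sg.auth("App", APP_PORT, o="Web")    # only Web may call App
    sg.auth("DB", DB_PORT, o="App")      # only App may call DB
    sg.auth("Web", 22, o="App")          # bastion hops from App to Web and DB
    sg.auth("DB", 22, o="App")
    return sg


def audit(sg: SecurityGroups, probe_ip: str = PROBE_IP) -> List[str]:
    """Findings: anything an arbitrary Internet host can reach besides Web 80/443."""
    allowed = {("Web", 80), ("Web", 443)}
    return [f"{g}:{p} reachable from the Internet ({probe_ip})"
            for g, p in sorted(sg.reachable_from(probe_ip)) if (g, p) not in allowed]


if __name__ == "__main__":
    sg = three_tier()
    print("Internet can reach:", sorted(sg.reachable_from(PROBE_IP)))
    print("Web -> DB allowed?", sg.allows("DB", DB_PORT, "Web"))
    print("findings:", audit(sg) or "none")
    sg.auth("DB", DB_PORT, s=INTERNET)  # the classic mistake: "just open it for testing"
    print("findings after mistake:", audit(sg))
```

The model checks reachability by source, not by rule text, so it catches the mistake whatever CIDR notation was used; against a real account the same audit would be run over the rules returned by the describe call rather than over `three_tier()`. Note that group-to-group rules (`-o`) are matched by membership, which is why the Web tier cannot reach the database port even though it can reach the application port.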
Network Traffic Confidentiality
  • Diagram: Internet traffic to Amazon EC2 instances; the corporate network connected over VPN; an EC2 instance with an encrypted file system and an encrypted swap file
  • All traffic should be cryptographically controlled
  • Inbound and outbound traffic to corporate networks should be wrapped within industry-standard VPN tunnels (option to use Amazon VPC)

Cloud Federation, Integration and Governance

Agenda
  • The Role of Policy Enforcement in Governing the Cloud
  • Layer 7's Cloud Security and Governance Solution
  • Conclusion & Questions

Current App Environment
  • Diagram: enterprise on-premises IT (identity, internal apps, firewall, DMZ) connected to NIPRNet or SIPRNet

Move Cloudable App onto Amazon
  • Diagram: the cloud application now runs on Amazon, reached from an internal service host through the enterprise firewall and DMZ; identity is the open question ("Identity??")

Policy Enforcement on Amazon
  • Diagram: a virtual PEP (policy enforcement point) in front of the cloud application on Amazon, paired with a PEP in the enterprise DMZ in front of the internal service host

Federate Identity
  • Diagram: SAML exchanged between the enterprise PEP, backed by the enterprise identity repository, and the virtual PEP in front of the cloud application

API Mediation
  • Diagram: SOAP, REST, or JSON traffic mediated between the enterprise PEP and the virtual PEP in front of the cloud application

Monitoring
  • Diagram: the same PEP pair (enterprise DMZ PEP and virtual PEP on Amazon) with monitoring across both

Putting it all Together for Cloud Governance
  • Diagram: a virtual appliance on Amazon EC2 in front of the EC2 workloads, providing control, monitoring and reporting, and adaptation; employees authenticate through the enterprise's LDAP, SSO, MS AD, STS, etc.