Amazon Web Services Federation Integration Governance Workshop with Layer 7

For customers who need a way to bridge the enterprise and the public cloud without limiting scale-out, Layer 7 demonstrates a simple solution to the challenges of federation, integration and governance using the Layer 7 AWS Gateway.


  1. Amazon Web Services - Federal
     Sri Vasireddy, Federal Solutions Architect

  2. AWS Cloud Security Model Overview
     • Shared Responsibility Model: the customer, SI partner or ISV controls guest OS-level security, including patching and maintenance; application-level security, including password and role-based access; host-based firewalls, including intrusion detection/prevention systems; encryption/decryption of data and hardware security modules; and separation of access.
     • Certifications & Accreditations: Sarbanes-Oxley (SOX) compliance; ISO 27001 certification; PCI DSS Level I certification; HIPAA-compliant architecture; SAS 70 Type II audit; FISMA Low ATO (pursuing FISMA Moderate ATO, DIACAP MAC II Sensitive and FedRAMP).
     • Service Health Dashboard.
     • Network Security: instance firewalls are configured in security groups; traffic may be restricted by protocol, by service port and by source IP address (an individual IP or a Classless Inter-Domain Routing (CIDR) block). Virtual Private Cloud (VPC) provides IPsec VPN access from the existing enterprise data center to a set of logically isolated AWS resources.
     • VM Security: multi-factor access to the Amazon account; instance isolation (customer-controlled firewall at the hypervisor level; neighboring instances are prevented from accessing one another; the virtualized disk management layer ensures only account owners can access storage disks (EBS)); support for SSL endpoint encryption for API calls.
     • Physical Security: multi-level, multi-factor controlled access environment; controlled, need-based access for AWS employees (least privilege).
     • Management Plane Administrative Access: multi-factor, controlled, need-based access to administrative hosts; all access logged, monitored and reviewed; AWS administrators DO NOT have access inside a customer's VMs, including applications and data.

  3. AWS Certifications
     • Shared Responsibility Model
     • Sarbanes-Oxley (SOX)
     • SAS 70 Type II Audit
     • PCI Data Security Standard compliance
     • Working on FISMA A&A: NIST Low Approvals to Operate; actively pursuing NIST Moderate; ATOs in progress at several agencies; ST&E and Moderate controls available now for incorporation into an SSP
     • Actively pursuing FedRAMP (includes DIACAP MAC II Sensitive)
     • ISO 27001 Certification
     • Customers have deployed various compliant applications, such as HIPAA (healthcare)

  4. Amazon Web Services: Durable & Available
     Region diagram (conceptual drawing only; the number of Availability Zones may vary): US East Region, US West Region, EU West Region, Japan, Singapore and GovCloud (US), each drawn with Availability Zones A and B, one region also with Zone C. Customer decides where the data resides.

  5. Three Services: Better Together
     Diagram labels: Elastic Load Balancer, Latency, CloudWatch, Auto Scaling, Utilization, Metrics. Server icons courtesy of http://creativecommons.org/licenses/by-nd/3.0/.

  6. COOP and DR
     Diagram labels: Load Balancer, Availability Zone A, Availability Zone B, EC2, Auto Scale, Ephemeral, Network IO, EBS Snapshot, Amazon S3 (US EAST), Amazon S3 (US WEST). We can do even better...

  7. AWS Multi-Factor Authentication
     • Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
     • Additional protection for account information
     • Works with: Master Account; IAM Users
     • Integrated into: AWS Management Console; key pages on the AWS Portal; S3 (Secure Delete)
     • A recommended opt-in security feature!

  8. Users and Groups within Accounts (AWS Identity and Access Management (IAM))
     • Unique security credentials: access keys; login/password; MFA device
     • Policies control access to AWS APIs
     • Deep integration into S3: policies on objects and buckets
     • AWS Management Console now supports user log-on
     • Not for operating systems or applications: use LDAP, Active Directory, ADFS, etc.

  9. Identity Federation Sample
     • Use case: an enterprise employee signs in with his normal credentials and accesses S3 through an enterprise application
     • Setup: IIS for enterprise authentication against Active Directory; client application to access S3; read-only access to S3

  10. Amazon VPC Architecture
     Diagram labels: Customer's isolated AWS resources, Subnets, NAT, Internet, Router, VPN Gateway, Amazon Web Services Cloud, Secure VPN Connection over the Internet, Customer's Network.

  11. AWS GovCloud (US) Access
     AWS will screen customers prior to providing access to the AWS GovCloud (US). Customers must be U.S. Persons; must not be subject to export restrictions; and must comply with U.S. export control laws and regulations, including the International Traffic in Arms Regulations.

  12. AWS Deployment Models
     (Diagram only; marked Amazon Confidential.)

  13. Amazon EC2 Instance Isolation
     Diagram labels: Customer 1, Customer 2 ... Customer n, Hypervisor, Virtual Interfaces, per-customer Security Groups, Firewall, Physical Interfaces, Launching EC2.

  14. Multi-tier Security Architecture
     AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers.
     • Tiers: Web Tier, Application Tier, Database Tier, EBS Volume
     • Amazon EC2 Security Group Firewall: ports 80 and 443 only open to the Internet; all other Internet ports blocked by default
     • Engineering staff have ssh access to the App Tier, which acts as bastion
     • Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier

  15. Network Traffic Confidentiality
     Diagram labels: Internet Traffic, Amazon EC2 Instances, Corporate Network, Encrypted File System, Amazon EC2 Instance, Encrypted Swap File, VPN.
     • All traffic should be cryptographically controlled
     • Inbound and outbound traffic to corporate networks should be wrapped within industry-standard VPN tunnels (option to use Amazon VPC)

  16. Cloud Federation, Integration and Governance

  17. Agenda
     • The Role of Policy Enforcement in Governing the Cloud
     • Layer 7's Cloud Security and Governance Solution
     • Conclusion & Questions

  18. Current App Environment
     Diagram labels: NIPRNet or SIPRNet, Firewall, DMZ, Internal Apps, Enterprise On-Premises IT, Identity.

  19. Move Cloudable App onto Amazon
     Diagram labels: Cloud Application, DMZ, Firewall, Internal Service Host, Identity??, Enterprise On-Premises IT.

  20. Policy Enforcement on Amazon
     Diagram labels: Cloud Application, Firewall, DMZ, Virtual PEP, Internal Service Host, PEP, Enterprise On-Premises IT.

  21. Federate Identity
     Diagram labels: Cloud Application, SAML, DMZ, Virtual PEP, Internal Service Host, PEP, Enterprise On-Premises IT, Enterprise Identity Repository.

  22. API Mediation
     Diagram labels: Cloud Application, SOAP, REST or JSON, DMZ, Virtual PEP, Internal Service Host, PEP, Enterprise On-Premises IT.

  23. Monitoring
     Diagram labels: Cloud Application, Firewall, DMZ, Virtual PEP, Internal Service Host, PEP, Enterprise On-Premises IT.

  24. Putting it all Together for Cloud Governance
     Diagram labels: Monitor and Report, Control, Adapt, Amazon EC2, Virtual Appliance, Employee, LDAP, SSO, MS AD, STS, etc.
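The security-group design from the Multi-tier Security Architecture slide (ports 80 and 443 only from the Internet, ssh to the App Tier acting as bastion, ssh to the Database Tier only via the bastion or from an authorized 3rd party), modelled as a small default-deny evaluator over protocol, port and CIDR-or-group source as the security-group slide describes. This is an added example, not code from the deck or from AWS; the CIDR blocks, the 8080 application port and the 5432 database port are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp" or "udp"
    from_port: int
    to_port: int
    source: str      # a CIDR block, or the name of another security group

@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)

    def permits(self, src, proto, port):
        """Default deny: `src` (an IP string or a group name) passes only if a rule matches."""
        for r in self.ingress:
            if r.proto != proto or not (r.from_port <= port <= r.to_port):
                continue
            if "/" in r.source:                       # CIDR-sourced rule
                try:
                    if ipaddress.ip_address(src) in ipaddress.ip_network(r.source):
                        return True
                except ValueError:
                    continue                          # src is a group name, cannot match a CIDR
            elif r.source == src:                     # group-sourced rule
                return True
        return False

# Constructed layout of the slide's three tiers; CIDRs and app/db ports are assumptions.
ANY = "0.0.0.0/0"
ENGINEERING_CIDR = "203.0.113.0/24"   # hypothetical corporate egress range
PARTNER_CIDR = "198.51.100.0/24"      # hypothetical authorized 3rd party
web = SecurityGroup("web", [Rule("tcp", 80, 80, ANY), Rule("tcp", 443, 443, ANY)])
app = SecurityGroup("app", [Rule("tcp", 8080, 8080, "web"),           # only from the web tier
                            Rule("tcp", 22, 22, ENGINEERING_CIDR)])   # bastion for engineering staff
db = SecurityGroup("db", [Rule("tcp", 5432, 5432, "app"),             # only from the app tier
                          Rule("tcp", 22, 22, "app"),                 # ssh hops through the bastion
                          Rule("tcp", 22, 22, PARTNER_CIDR)])         # authorized 3rd party ssh
TIERS = {sg.name: sg for sg in (web, app, db)}

def check(src, tier, proto, port):
    return TIERS[tier].permits(src, proto, port)

def audit_internet_exposure():
    """Every (tier, port) reachable from an arbitrary Internet address; the slide
    requires this to be exactly web:80 and web:443."""
    probe = "192.0.2.10"   # TEST-NET-1 address standing in for "the Internet"
    return sorted((name, p) for name, sg in TIERS.items()
                  for p in range(1, 65536) if sg.permits(probe, "tcp", p))
```

Running `audit_internet_exposure()` against a proposed rule set is the check a reviewer would want before the groups are applied: any tuple beyond the two web ports is a deviation from the slide's design.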
