#ALSummit: Amazon Web Services: Understanding the Shared Security Model
•
0 likes•169 views
Bill Murray (Director of Security Programs, AWS)'s presentation on the Shared Security Model at the NYC Alert Logic Cloud Security Summit on June 14th, 2016.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (8)
Similar to #ALSummit: Amazon Web Services: Understanding the Shared Security Model
Similar to #ALSummit: Amazon Web Services: Understanding the Shared Security Model (20)
More from Alert Logic
More from Alert Logic (20)
Recently uploaded
Recently uploaded (20)
#ALSummit: Amazon Web Services: Understanding the Shared Security Model
- 1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Bill Murray Accelerating Cloud Adoption Director, AWS Security Programs
- 2. Security is Job Zero Network Security Physical Security Platform Security People & Procedures
- 3. Build everything on a constantly improving security baseline AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations AWS is responsible for the security OF the Cloud GxP ISO 13485 AS9100 ISO/TS 16949
- 4. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network, & Firewall Configuration Customer applications & contentCustomers Security & compliance is a shared responsibility Customers have their choice of security configurations IN the Cloud AWS is responsible for the security OF the Cloud
- 6. Security is Familiar • We strive to make security at AWS as familiar as what you are doing right now – Visibility – Auditability – Controllability – Agility
- 8. VISIBILITY HOW OFTEN DO YOU MAP YOUR NETWORK? WHAT’S IN YOUR ENVIRONMENT RIGHT NOW?
- 11. Security is Visible • Who is accessing the resources? • Who took what action? – When? – From where? – What did they do? – Logs Logs Logs
- 13. Cryptographic Services Amazon CloudHSM Deep integration with AWS Services CloudTrail AWS SDK for application encryption Dedicated HSM Integrate with on-premises HSMs Hybrid Architectures AWS KMS
- 15. AWS Config & Config Rules AWS Config Amazon Config Rules Record configuration changes continuously Time-series view of resource changes Archive & Compare Enforce best practices Automatically roll-back unwanted changes Trigger additional workflow
- 16. AWS CloudFormation – Infrastructure as Code Template StackAWS CloudFormation Orchestrate changes across AWS Services Use as foundation to Service Catalog products Use with source code repositories to manage infrastructure changes JSON-based text file describing infrastructure Resources created from a template Can be updated Updates can be restrictured
- 18. Security by Design (SbD)
- 19. Security by Design - SbD • Systematic approach to ensure security • Formalizes AWS account design • Automates security controls • Streamlines auditing. • Provides control insights throughout the IT management processAWS CloudTrail AWS CloudHSM AWS IAM AWS KMS AWS Config
- 20. SbD - Scripting your governance policy • Set of CloudFormation Templates that accelerate compliance • Result: Reliable technical implementation of administrative controls
- 21. How we build our organization
- 22. AWS Security Team Operations Application Security Engineering Compliance Aligned for agility
- 23. How does your security team think? Should not be the Department of “NO!”
- 24. Security Ownership as part of DNA • Promotes culture of “everyone is an owner” for security • Makes security stakeholder in business success • Enables easier and smoother communication Distributed Embedded
- 25. Operating Principles Separation of duties Different personnel across service lines Least privilege
- 26. Technology to automate operational principles Visibility through automation Shrinking the protection boundaries Ubiquitous encryption
- 28. Making Life Easier Choosing security does not mean giving up on convenience or introducing complexity
- 29. Design & Deploy Define sensible defaults Inherit compliance controls Use available security features Manage templates - not instances
- 30. Operate & Improve Constantly reduce the role of people Reduce Privileged accounts Concentrate on what matters
- 31. Conclusions Security is critical We’re creating tools to make it easier We’re creating ways help you build a world class team You can move fast and stay safe
- 32. Don’t take my word for it….. CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly and reliably leverage the benefits of this increasingly ubiquitous computing model. Clouds Are Secure: Are You Using Them Securely? Published: 22 September 2015 -- Jay Heiser
Editor's Notes
- AWS Marketplace is an important part of the AWS ecosystem. Through the AWS Marketplace you can buy many of the same tools as you use within your own environments today, all validated and optimized to work in an AWS environment. There are over 200 offerings available, across 7 key technology areas, Advanced Threat Analytics, Application Security, Identity and Access Management, Server & Endpoint Protection, Network Security, Encryption and Key Management, and Vulnerability and Pen Testing. These are some of our key partners in each of these spaces, and many of you will be running at least a few of these already. Why Customer purchase through Marketplace fast evaluation and procurement of software Simplifies buying by eliminating contracting process / no need to get a new vendor approved On demand pricing – options for annual with hourly option when customer bursts
- AWS allows you to see your ENTIRE infrastructure at the click of a mouse Can you map your current network? Also, you can do that automatically via the API, as many times as you need.
- Author custom rules using AWS Lambda Invoked automatically for continuous assessment Use dashboard for visualizing compliance and identifying offending changes
- Can tie to CM system with name and/or tags as options passed into change set.
- SbD follows the same concept as Quality by Design, or QbD. The concept of QbD is now very well known in the industry. Traditionally, manufacturing QA is a reactive, back end process that creates rework. New QbD concepts implemented result in no rework – the quality checker at the end of the process should be doing nothing. “The conventional development process uses an empirical approach that requires continuous end product testing and inspection to determine quality. The processes that create the end product are seen as fixed, averse to change, and focus only on process reproducibility. This approach ignores real-world variability in materials and process controls.” As of January 2013, all FDA applicants are being “strongly encouraged” by the FDA to use a Quality by Design approach. This makes sense to those in the industry who are acutely aware of the issues with doing QA at the end of the manufacturing process.
- We are doing the same with security in AWS. We’re designing security and compliance to not simply in OS and application controls as done in the last few decades; we’re designing it in everything about the IT environment; the permissions, the logging, the use of approved machine images, the trust relationships, the changes made, enforcing encryption, and more. We’re converting manual, administrative controls to technically enforced controls with the assurance that, if designed properly, the controls are operating 100% of the time. We call this “Secure by Design” or SbD. AWS is a modern platform that allows you to formalize the design of security controls in the platform itself. It simplifies system use for administrators and those running IT, and makes your AWS environment much simpler to audit. It’s creating an environment where there are no control findings at the audit (similar to having no quality findings at the end of a manufacturing process). It’s a systematic way to security assurance, and gives you insight to how things are operating and insight into how to respond to emerging threats.
- SbD Architecture are forcing functions that cannot be overridden (easily). It provides reliable operation of certain controls and allows for continuous and real-time auditing capability. It is essentially scripting your governance policy. The result is a huge win in the security assurance, governance, security and compliance space: you get reliable implementation of what was previously just written in books as a policy. You get enforceable security and compliance. You have functional governance. We could talk about this all day long, but I thought it would be better to show you how this is done, making this more of a demo than a lecture. In a 60 minute session we can only show you so much, so we’re then going to give you some rich resources to get you exposure and technical training geared towards accomplishing this. I’m going to pass over the presentation to Tim Sandage on my team to go through some of these concepts in the AWS interface. Hopefully you’ll get some exposure here that will really boost your ability to implement SbD in your own AWS account. Tim…
- Define Secure, Sensible, Defaults Identity & Access Control – Users, Groups, Access Policies, MFA, Lifecycle mgmt Network – DirectConnect & Virtual Private Gateway, Routing Controls Data – Encryption at rest, encryption in motion Gain Visibility and Accountability - Log aggregation, Configuration, Asset management Inherit Compliance Controls Use Available Security Features New features – Almost 200 security features launched last year Identity – Large # of customers still use root instead of IAM users Encryption – Most customers not encrypting data internally Templatize & Inherit Controls Known Good Images - Validate against requirements and templatize
- Constantly reduce the role of people Eliminate the need for guest OS access - no more logging into instances Automate fixes - If an instance is not working, shut it down and roll it back Reduce Privileged accounts Eliminate service accounts - Trade long-term weak credentials for short-term tokens Use Security Token Services - No need for long-term, privileged credentials Concentrate on what matters Devote resources to key infrastructure - Internet Gateways, Identity and Access Management, VPC Subnet and NACL changes,Security Groups Spend more time on application security – Templatized infrastructure requires less effort to maintain
- Recommendations ■ Cut through your organizational cloud preconceptions, and encourage cloud decisions based on business requirements. ■ Develop an enterprise public cloud strategy, including security guidance on acceptable uses for infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). ■ Implement and enforce policies on usage responsibility and cloud risk acceptance processes. ■ Follow a life cycle governance approach that emphasizes the ongoing operational control of your public cloud use.
- Define Secure, Sensible, Defaults Identity & Access Control – Users, Groups, Access Policies, MFA, Lifecycle mgmt Network – DirectConnect & Virtual Private Gateway, Routing Controls Data – Encryption at rest, encryption in motion Gain Visibility and Accountability - Log aggregation, Configuration, Asset management Inherit Compliance Controls Use Available Security Features New features – Almost 200 security features launched last year Identity – Large # of customers still use root instead of IAM users Encryption – Most customers not encrypting data internally Templatize & Inherit Controls Known Good Images - Validate against requirements and templatize
- Constantly reduce the role of people Eliminate the need for guest OS access - no more logging into instances Automate fixes - If an instance is not working, shut it down and roll it back Reduce Privileged accounts Eliminate service accounts - Trade long-term weak credentials for short-term tokens Use Security Token Services - No need for long-term, privileged credentials Concentrate on what matters Devote resources to key infrastructure - Internet Gateways, Identity and Access Management, VPC Subnet and NACL changes,Security Groups Spend more time on application security – Templatized infrastructure requires less effort to maintain
- Each Inspector rule is assigned a severity level. This simplifies the decision of prioritizing one rule over another in your assessments and can help you decide what your reaction and corrective steps should be in the event of the rule highlighting a potential problem. The following are the severity levels for the Inspector rules: High – this severity level describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your application. It is recommended that you treat this security issue as an emergency and implement an immediate remediation. Medium – this severity level describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your application. It is recommended that you fix this issue at the next possible opportunity, for example, during your next service update. Low - this severity level describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your application. It is recommended that you fix this issue as part of one of your future service updates. Informational – this severity level describes a particular security configuration detail of your application. Based on your business and organization goals, you can either simply make note of this information or use it to improve the security of your application. https://alpha-docs-aws.amazon.com/inspector/latest/userguide/inspector_rule-packages.html
- a new capability of AWS Config that continuously monitors the configuration of existing and new AWS resources to assess compliance with desired configurations. Using Falcon, customers can get an overview of how compliant their resources are with rules they defined based on internal practices and industry guidelines. Customers can dive into non-compliant resources, offending configuration parameters, and set of API actions that may have led to non-compliance. They also get a historical view of compliance, and can look at trending of overall compliance over time to assess improvements in their overall security and governance posture on AWS.
- SPLUNK Evident.IO PCI-DSS Telos NIST 800-18
- TALKING POINTS: We’ve released a new security curriculum with two new classes. · Security Fundamentals on AWS – free, online course for security auditors and analysts This self-paced course is designed to introduce you to fundamental cloud computing and AWS security concepts including AWS access control and management, governance, logging, and encryption methods. It also covers security-related compliance protocols and risk management strategies, as well as procedures related to auditing your AWS security infrastructure. · Security Operations on AWS – 3-day class for Security engineers, architects, analysts, and auditors This course teaches you how to stay secure and compliant in the AWS cloud. It covers AWS best practices for securing data and systems in the cloud, and addresses security features of key AWS services. This course also teaches you about regulatory compliance standards and use cases for running regulated workloads on AWS. You also get practice using tools for automation and continuous monitoring—taking your security operations to the next level.