Bill Murray (Director of Security Programs, AWS)'s presentation on the Shared Security Model at the NYC Alert Logic Cloud Security Summit on June 14th, 2016.
2. Security is Job Zero
• Network Security
• Physical Security
• Platform Security
• People & Procedures
3. Build everything on a constantly improving security baseline
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS is responsible for the security OF the Cloud
Compliance programs shown: GxP, ISO 13485, AS9100, ISO/TS 16949
4. Security & compliance is a shared responsibility
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the Cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
6. Security is Familiar
• We strive to make security at AWS as familiar as what you are doing right now
– Visibility
– Auditability
– Controllability
– Agility
16. AWS CloudFormation – Infrastructure as Code
Template → AWS CloudFormation → Stack
• JSON-based text file describing infrastructure
• Resources created from a template
• Can be updated
• Updates can be restricted
• Orchestrate changes across AWS services
• Use as foundation for Service Catalog products
• Use with source code repositories to manage infrastructure changes
19. Security by Design - SbD
• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing
• Provides control insights throughout the IT management process
Services shown: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
20. SbD - Scripting your governance policy
• Set of CloudFormation Templates that accelerate compliance
• Result: Reliable technical implementation of administrative controls
23. How does your security team think?
Should not be the Department of “NO!”
24. Security Ownership as part of DNA
• Promotes culture of “everyone is an owner” for security
• Makes security stakeholder in business success
• Enables easier and smoother communication
Models shown: Distributed, Embedded
31. Conclusions
Security is critical
We’re creating tools to make it easier
We’re creating ways to help you build a world class team
You can move fast and stay safe
32. Don’t take my word for it…..
“CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly and reliably leverage the benefits of this increasingly ubiquitous computing model.”
Clouds Are Secure: Are You Using Them Securely? Published: 22 September 2015 -- Jay Heiser
Editor's Notes
AWS Marketplace is an important part of the AWS ecosystem. Through the AWS Marketplace you can buy many of the same tools as you use within your own environments today, all validated and optimized to work in an AWS environment. There are over 200 offerings available, across 7 key technology areas, Advanced Threat Analytics, Application Security, Identity and Access Management, Server & Endpoint Protection, Network Security, Encryption and Key Management, and Vulnerability and Pen Testing.
These are some of our key partners in each of these spaces, and many of you will be running at least a few of these already.
Why customers purchase through Marketplace:
• Fast evaluation and procurement of software
• Simplifies buying by eliminating the contracting process / no need to get a new vendor approved
• On-demand pricing – options for annual with hourly option when customer bursts
AWS allows you to see your ENTIRE infrastructure at the click of a mouse
Can you map your current network?
Also, you can do that automatically via the API, as many times as you need.
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes
• Can tie to CM system with name and/or tags as options passed into change set.
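As an added example (not code from the deck, from AWS or from any of the products it names): the same governance control, no administrative port open to the whole Internet, enforced once at design time against a CloudFormation template and again at run time as an AWS Config custom rule in Lambda, which is how "scripting your governance policy" and "author custom rules using AWS Lambda" fit together. The port list, the sample template, the sample Config event and the injectable `report` parameter are assumptions made for this example; only literal CIDR and port values are checked (CloudFormation intrinsic functions are not resolved).

```python
import json

ADMIN_PORTS = {22, 3389}          # constructed policy: admin ports never open to the Internet
WORLD = {"0.0.0.0/0", "::/0"}

def _world_open(proto, lo, hi, cidrs, ports=ADMIN_PORTS):
    """True if one ingress rule exposes an admin port to 0.0.0.0/0 or ::/0 ("-1" = all traffic)."""
    if not WORLD & {c for c in cidrs if isinstance(c, str)}:   # intrinsics (dicts) are skipped
        return False
    return str(proto) == "-1" or (lo is not None and hi is not None and any(int(lo) <= p <= int(hi) for p in ports))

def check_template(template):
    """Design time: parsed CloudFormation JSON -> logical IDs of security groups breaking the policy."""
    bad = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        rules = res.get("Properties", {}).get("SecurityGroupIngress", [])
        if any(_world_open(r.get("IpProtocol"), r.get("FromPort"), r.get("ToPort"),
                           [r.get("CidrIp"), r.get("CidrIpv6")]) for r in rules):
            bad.append(name)
    return bad

def evaluate_config_item(item):
    """Run time: one AWS Config configurationItem -> the evaluation dict put_evaluations expects."""
    ctype = "NOT_APPLICABLE"
    if item["resourceType"] == "AWS::EC2::SecurityGroup":
        perms = item["configuration"].get("ipPermissions", [])
        hits = [p for p in perms if _world_open(p.get("ipProtocol"), p.get("fromPort"), p.get("toPort"),
                [x.get("cidrIp") for x in p.get("ipRanges", [])] +
                [x.get("cidrIpv6") for x in p.get("ipv6Ranges", [])])]
        ctype = "NON_COMPLIANT" if hits else "COMPLIANT"
    return {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
            "ComplianceType": ctype, "Annotation": "no admin port may be open to 0.0.0.0/0 or ::/0",
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context, report=None):
    """Config custom-rule entry point; `report` is injectable (assumption) so the rule runs offline."""
    ev = evaluate_config_item(json.loads(event["invokingEvent"])["configurationItem"])
    if report is None:
        import boto3                  # only needed inside Lambda
        report = boto3.client("config").put_evaluations
    report(Evaluations=[ev], ResultToken=event["resultToken"])
    return ev
# Constructed sample: SSH open to the world, caught before deployment and again at run time.
SAMPLE_TEMPLATE = {"Resources": {"BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}}}}
SAMPLE_EVENT = {"resultToken": "constructed-token", "invokingEvent": json.dumps({"configurationItem": {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-constructed", "configurationItemCaptureTime": "2016-06-14T00:00:00Z",
    "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}})}
```

Running `check_template` in a CI step before `create-stack` and deploying `lambda_handler` behind a Config custom rule gives the same control a preventive and a detective implementation.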
SbD follows the same concept as Quality by Design, or QbD. The concept of QbD is now very well known in the industry.
Traditionally, manufacturing QA is a reactive, back-end process that creates rework. When QbD concepts are implemented there is no rework – the quality checker at the end of the process should have nothing left to find.
“The conventional development process uses an empirical approach that requires continuous end product testing and inspection to determine quality. The processes that create the end product are seen as fixed, averse to change, and focus only on process reproducibility. This approach ignores real-world variability in materials and process controls.”
As of January 2013, all FDA applicants are being “strongly encouraged” by the FDA to use a Quality by Design approach. This makes sense to those in the industry who are acutely aware of the issues with doing QA at the end of the manufacturing process.
We are doing the same with security in AWS. We’re designing security and compliance not simply into OS and application controls, as was done in the last few decades, but into everything about the IT environment: the permissions, the logging, the use of approved machine images, the trust relationships, the changes made, enforcing encryption, and more. We’re converting manual, administrative controls to technically enforced controls with the assurance that, if designed properly, the controls are operating 100% of the time. We call this “Secure by Design” or SbD. AWS is a modern platform that allows you to formalize the design of security controls in the platform itself. It simplifies system use for administrators and those running IT, and makes your AWS environment much simpler to audit. It creates an environment where there are no control findings at the audit (similar to having no quality findings at the end of a manufacturing process). It’s a systematic approach to security assurance, and gives you insight into how things are operating and into how to respond to emerging threats.
An SbD architecture is a set of forcing functions that cannot (easily) be overridden. It provides reliable operation of certain controls and allows for continuous, real-time auditing. It is essentially scripting your governance policy. The result is a huge win in the security assurance, governance, security and compliance space: you get reliable implementation of what was previously just written in books as a policy. You get enforceable security and compliance. You have functional governance.
We could talk about this all day long, but I thought it would be better to show you how this is done, making this more of a demo than a lecture. In a 60 minute session we can only show you so much, so we’re then going to give you some rich resources to get you exposure and technical training geared towards accomplishing this.
I’m going to pass over the presentation to Tim Sandage on my team to go through some of these concepts in the AWS interface. Hopefully you’ll get some exposure here that will really boost your ability to implement SbD in your own AWS account. Tim…
Define Secure, Sensible, Defaults
Identity & Access Control – Users, Groups, Access Policies, MFA, Lifecycle mgmt
Network – DirectConnect & Virtual Private Gateway, Routing Controls
Data – Encryption at rest, encryption in motion
Gain Visibility and Accountability - Log aggregation, Configuration, Asset management
Inherit Compliance Controls
Use Available Security Features
New features – Almost 200 security features launched last year
Identity – Large # of customers still use root instead of IAM users
Encryption – Most customers not encrypting data internally
Templatize & Inherit Controls
Known Good Images - Validate against requirements and templatize
Constantly reduce the role of people
Eliminate the need for guest OS access - no more logging into instances
Automate fixes - If an instance is not working, shut it down and roll it back
Reduce Privileged accounts
Eliminate service accounts - Trade long-term weak credentials for short-term tokens
Use Security Token Services - No need for long-term, privileged credentials
Concentrate on what matters
Devote resources to key infrastructure - Internet Gateways, Identity and Access Management, VPC Subnet and NACL changes, Security Groups
Spend more time on application security – Templatized infrastructure requires less effort to maintain
Recommendations
■ Cut through your organizational cloud preconceptions, and encourage cloud decisions based on business requirements.
■ Develop an enterprise public cloud strategy, including security guidance on acceptable uses for infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).
■ Implement and enforce policies on usage responsibility and cloud risk acceptance processes.
■ Follow a life cycle governance approach that emphasizes the ongoing operational control of your public cloud use.
Each Inspector rule is assigned a severity level. This simplifies the decision of prioritizing one rule over another in your assessments and can help you decide what your reaction and corrective steps should be in the event of the rule highlighting a potential problem. The following are the severity levels for the Inspector rules:
High – this severity level describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your application. It is recommended that you treat this security issue as an emergency and implement an immediate remediation.
Medium – this severity level describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your application. It is recommended that you fix this issue at the next possible opportunity, for example, during your next service update.
Low – this severity level describes a security issue that can result in a compromise of the information confidentiality, integrity, and availability within your application. It is recommended that you fix this issue as part of one of your future service updates.
Informational – this severity level describes a particular security configuration detail of your application. Based on your business and organization goals, you can either simply make note of this information or use it to improve the security of your application.
https://alpha-docs-aws.amazon.com/inspector/latest/userguide/inspector_rule-packages.html
a new capability of AWS Config that continuously monitors the configuration of existing and new AWS resources to assess compliance with desired configurations. Using Falcon, customers can get an overview of how compliant their resources are with rules they defined based on internal practices and industry guidelines. Customers can dive into non-compliant resources, offending configuration parameters, and the set of API actions that may have led to non-compliance. They also get a historical view of compliance, and can look at the trend of overall compliance over time to assess improvements in their overall security and governance posture on AWS.
Logos shown: SPLUNK, Evident.IO, PCI-DSS, Telos, NIST 800-18
TALKING POINTS:
We’ve released a new security curriculum with two new classes.
· Security Fundamentals on AWS – free, online course for security auditors and analysts. This self-paced course is designed to introduce you to fundamental cloud computing and AWS security concepts including AWS access control and management, governance, logging, and encryption methods. It also covers security-related compliance protocols and risk management strategies, as well as procedures related to auditing your AWS security infrastructure.
· Security Operations on AWS – 3-day class for Security engineers, architects, analysts, and auditors
This course teaches you how to stay secure and compliant in the AWS cloud. It covers AWS best practices for securing data and systems in the cloud, and addresses security features of key AWS services. This course also teaches you about regulatory compliance standards and use cases for running regulated workloads on AWS. You also get practice using tools for automation and continuous monitoring—taking your security operations to the next level.