AWS is Emory University’s preferred and recommended cloud service for computational infrastructure needs, such as high-performance computing and big data analytics. In this session, Rich Mendola, Enterprise CIO and Senior Vice Provost for Library Services at Emory University, describes the AWS at Emory service, a tripartite mission platform that can facilitate the advancement of science and education across the university.
2. Emory University: Building a Secure and Manageable Cloud Environment
Rich Mendola
Enterprise Chief Information Officer and Senior Vice Provost for Library Services and Digital Scholarship
3. Topics
• High level objectives for AWS at Emory Service
• Emory & faculty context
• AWS at Emory – security model
• AWS at Emory – provisioning and management
• RHEDcloud foundation
• Q&A
4. Objectives
• Mediate access to AWS for Emory research community:
– Preserve functionality, agility, and automation of AWS to the greatest possible extent
– Simplify administrative overhead by integrating Emory authentication, billing, network and service desk workflows
– Reduce risks associated with sensitive research by incorporating AWS and Emory security controls
“The parts of the stack under customer control can make public cloud computing a highly efficient way for inexperienced users to implement poor practices, which can easily result in security or compliance failures”
Clouds are Secure: Are You Using Them Securely?
Gartner Analyst Jay Heiser, January 31, 2018
5. Emory University
• Located in Atlanta, Georgia
• 33,000+ employees (university: 14,349; healthcare: 18,328)
• $5.6 billion annual operating budget (university: $2.1 billion; healthcare: $3.5 billion)
• 10 hospitals, 172 preventative care locations, 496 specialty locations
• $7.31 billion total endowment
• $734 million in research funding awards (fiscal 2018)
6. Faculty Engagement
• Central research IT group meetings with investigators and their teams to understand requirements
• Feasibility pilots
• Research IT governance review
• Many months determining security approach and commitment
7. Security Concerns
• HIPAA and other compliance obligations
• Little understanding of the shared responsibility model
• IT and cyber security competency of expected user base varies
• Loss of centralized network security controls
• How to block critical threats
8. Layered Security Approach
• Service risk assessments
• Network design
• Service control policies
• Identity and access management policies
• Security risk detectors and security risk remediators
• Splunk monitoring of CloudTrail logs
• Rules of behavior
9. Service Risk Assessments
• For each service, we:
– Identify risks
– Determine how the risks can be addressed
– Document service use guidelines
• These assessments inform the specifications for implementing detective, preventative, and policy-based controls.
10. Network Design and Preventative Controls
• Network topology – VPCs extend Emory’s network through site-to-site VPN tunnels, allowing Emory to leverage existing on-premises network controls
• Deep integration with Emory network, Emory on-premises Palo Alto firewalls, Emory Shibboleth (SAML) for authentication, Emory NetIQ Identity Management for role-based authorization
• Preventative Controls (preferred)
– Service Control Policies
– IAM roles
– IAM policies (attached to roles)
11. Detective and Remediation Controls
• AWS GuardDuty enabled in each account
– Analyzes Amazon VPC flow logs and CloudTrail logs with machine learning to identify and alert on anomalous or malicious activity
– Does not analyze configurations for variance against desired state
• Custom security risk detectors/remediators (64 and counting)
– Emory-engineered software that can scale out to overwatch many accounts and realize short check intervals (10 s)
– Our SRD/SRR infrastructure far exceeds AWS platform capabilities for similar detection and remediation
– Commercial solutions in this space were prohibitively expensive and had significantly higher latency
12. Policy Controls
• AWS at Emory: Rules of Behavior
– Account owners and administrators must agree to terms
– Limits cloud-based processing of sensitive data to AWS at Emory
– Establishes financial accountability
– Documents additional requirements for electronic protected health information (ePHI) and Institute for Healthcare Improvement
– Emphasizes the shared responsibility model of AWS
– Prohibits users from attempting to hack or bypass security controls
– Requires prompt remediation of risks identified within customer accounts
13. Account Creation Workflow
• Initiated via Emory ServiceNow form
• Highlights include
– Allows user to select HIPAA or non-HIPAA account
– Specifies type of VPC (1 – extend Emory’s network to AWS/all traffic backhauled to Emory; or 2 – direct access to public facing internet behind Palo Alto firewall)
– Creates new AWS account and links it with Emory IDM system (NetIQ) allowing for SAML SSO
– Links Emory (Peoplesoft) financial account to AWS account/billing
…
14. Virtual Private Cloud Provisioning (VPCP) App
• Single pane of glass with Emory specific AWS functions
– Manage account metadata and admin roles
– Create and maintain VPCs
– Manage CIDR ranges for VPCs
– Create and maintain elastic IPs
– Create and maintain firewall rules
– View detailed billing information
15. Other Important Attributes of Offering
• Over 600k lines of code (web app, provisioning, and security)
• Emory users that adopt our offering also get:
– AWS Enterprise Support plan
– Business Associate Addendum (BAA) that applies to HIPAA-designated services
– Custom utilities that simplify generation of temporary keys, reducing security risk
• Offering built using service-oriented architecture with Java, web services, Python, and PyTest
16. Custom AWS at Emory Landing Page
https://aws.emory.edu/
Shows a subset of Emory-approved AWS services and provides links to both a different account creation page and a Virtual Private Cloud Provisioning app
Note: There is a demo of the AWS at Emory Service under the documentation menu.
17. RHEDcloud Foundation
• Created the RHEDcloud foundation to open source work products described in this presentation and extend to other major cloud platforms. Founding members include Emory, AWS, Google, Microsoft, Smartronix, Cisco, Palo Alto Networks, Merck Pharmaceuticals, Duke, Rice, U. of Colorado, U. of North Carolina, U. of Washington, U. of Minnesota and U. of Wisconsin
• Goal is to make it financially feasible for all parties to curate a security model that works on all the major cloud platforms
18. Have we achieved our objectives?
• AWS @ Emory service launched in June; currently 33 accounts
• In the past 30 days, our SRD/SRRs have detected and remediated 334 misconfigurations
• GuardDuty alerted us to 7 actionable issues that needed to be investigated/remediated
• Splunk monitoring of CloudTrail logs alerted us to 18 issues that needed to be investigated/remediated