AWS Security and Compliance Automation

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Koen van Blijderveen
Security Consultant Professional Services, Amazon Web Services
Leon Kortekaas
Manager Cloud Integration, NN Group
Security & Compliance in the Cloud

Automate
with deeply
integrated
security services
Inherit
global
security and
compliance
controls
Highest
standards
for privacy
and data
security
Largest
network
of security
partners and
solutions
Scale with
superior visibility
and control
Move to AWS – Strengthen Your Security Posture

The most sensitive workloads run on AWS
“With AWS, DNAnexus enables enterprises worldwide to perform
genomic analysis and clinical studies in a secure and compliant
environment at a scale not previously possible.”
— Richard Daly, CEO DNAnexus
“The fact that we can rely on the AWS security posture to
boost our own security is really important for our business.
AWS does a much better job at security than we could ever
do running a cage in a data center.”
— Richard Crowley, Director of Operations, Slack
“We determined that security in AWS is superior to our on-premises
data center across several dimensions, including patching,
encryption, auditing and logging, entitlements, and compliance.”
—John Brady, CISO, FINRA (Financial Industry Regulatory Authority)

Inherit global security and compliance controls

Humans and Data Don’t Mix

How do I govern my environment to
ensure it is secure and compliant?

Some definitions
Governance: oversight role and process by which companies
manage and mitigate business risks.
Compliance: process and internal controls to meet the
requirements imposed by a governing body.

Implementing a governance and compliance program…
What is IT doing?
What are IT
resources doing?
When changes occur
and/or IT resources
become “non-
compliant”
What IT
resources exist?
What is IT supposed
to do?
Define Discover
MonitorRespond

Security & Compliance then and now

The challenge
Governance
Speed
• Define
• Discover
• Monitor
• Respond
• Manage
• Report
• Agility
• Innovation
• Scale

AWS allows you to do both
With AWS you can programmatically:
• Define how to provision and configure resources
• Discover new resources and changes to existing resources
• Monitor resources and operations for compliance
• Respond to (and report on) changes to your resources

AWS Security, Risk, Compliance, and Automation
Toolbox
Audit Visibility Protection Automation
AWS
CloudTrail
Amazon
CloudWatch
AWS Systems
Manager
AWS
Config
AWS
CodePipeline
AWS
WAF
AWS
KMS
AWS Trusted
Advisor
AWS
CloudFormation
AWS
Organizations
AWS
Lambda
Amazon
Inspector
AWS
Service Catalog
Amazon
Macie
AWS
Shield
AWS
Config Rules

How can I view what activity occurred in
my AWS account?

AWS CloudTrail
You make API calls
On a set of AWS services
around the world
CloudTrail
continuously records
API calls
AWS
CloudTrail
Store or archive logs in
an S3 bucket
AWS Management
Console
IAM AWS CLI

How do I correlate CloudTrail and other
AWS native logging into tangible
events?

Amazon GuardDuty Threat Detection & Notification

How can I easily discover what AWS
resources exist and detect if AWS
resources are compliant with rules I
defined?

AWS Config and Config Rules
Enables you to assess, audit, and evaluate the configurations
of your AWS resources.
Changing resources
History
Notifications
API Access
Normalized
AWS
Config
AWS
Config Rules

How can I monitor the specific state of
a resource and discover what software
is running on my AWS instances?

AWS Systems Manager
Provides visibility and control of your infrastructure on AWS.
You can view operational data from multiple AWS services
and automate operational tasks across your AWS resources
Run command State manager Inventory Maintenance
window
Patch manager Automation Parameter
store
Documents

How can I take action when an event
occurs?

Amazon CloudWatch Events
AWS APIs
Custom Events
Service Events
AWS APIs
event
(time-based)
event
(event-based)
Custom
Rules
Targets

AWS Lambda
AWS Lambda allows you to run code in response to an event
Function Services (Anything)
Changes in
data state
Requests to
endpoints
Changes in
resource state
• Node
• Python
• Java
• C#
• Go
Event Source

General remediation pattern
Amazon
CloudWatch
AWS
CloudTrail
VPC Flow
Logs
Lambda
function
AWS APIs
AWS WAF
Team
collaboration
(Slack etc.)
• Define/Create
• Discover/Detect
• Monitor/Alert
• Respond/Remediate
• Define counter
measures
• Conduct forensics
Amazon
GuardDuty
AWS
Config

Putting it into practice…

Compliance in the cloud at NN
Leon Kortekaas
Manager Cloud Integration (AWS, Azure, Windows / Linux and CI/CD tooling)
Leon.kortekaas@nn-group.com

27
• NN’s roots lie in the 18th- century the Netherlands
• Strong business positions; market positions built organically
• Unified international culture with shared best practices
• 17 million customers (excl. NN IP)
• About 15,000 employees
• Successful IPO on 2 July 2014
• Businesses rebranded to “NN” in 2015
• ING’s divestment of NN Group completed in April 2016
• Tender offer for Delta Lloyd successfully completed in April 2017
• Shareholders’ equity of EUR 22.7 bn at 15 February 2018
• Credit ratings1: A/stable (S&P), A+/stable (Fitch)
International financial services company with strong
businesses in Europe and Japan
Some facts and figures Our brand promise ‘You matter’
1. Financial Strength Ratings
Key takeaways:
1. We are an European financial company, meaning we
are regulated by the Dutch National Bank but also by
other regulators
2. We have a lot of ‘proven technology’
3. We are of reasonable size

Overview of steps
Step 1: Perform a risk assessment
Step 2: Set boundaries with a set of compliance principles
Step 3: Determine a list of security principles
The security principles are meant to mitigate the risks found
during the cloud risk assessment. The security principles should
be checked against the compliance principles.
This cloud risk and security framework is sent to the regulators
for approval
Step 4: Let the cloud teams build services compliant with the
cloud risk and security framework
Framework for cloud risk control
Compliance
Principles
Security
Principles
Security
Models
Cloud Risk
Assessment
Security
Standards
Security Architecture

Compliance Principles
1. NN is accountable
2. Always compliant
3. Always in control
4. Use of NN security solutions
Assumption: Cloud Services are not compliant by default

Cloud Security Principles
1. Controlled Environment
2. Minimize Trust
3. Secured authentication, secured communication
4. Separation of responsibilities
5. Full control on IAM and key management
6. SIEM separated from operations
7. TSCM/VM separated from operations

Cloud Security Principles example
SEC-01: Controlled environment
Examples of security controls to
be implemented:
• Security logs are sent to our
central SIEM solution
• Connect cloud platform to
central IAM solution
• Encrypt data at-rest and in
transit
• Have a traceable process for
changes

Implementation
Role of the AWS team
32

Responsibility AWS team
Goal
Create value by adding thin layer to the AWS services and platform, making the services easily consumable within NN. We
do this centrally, proving it as a service to our internal customers (business units)
Shared responsibility model
We are responsible for the platform, the business unit / application owner remains responsible for the compliance of its
application
What do we deliver?
•Compliant platform
•Compliant base builds
•CI / CD tooling
33
Delivering consumable cloud services
Concourse CI Pipeline
Build Test DeployVCS
TSC
M
SIEM IAM
Platform compliance
Hardened OS
TSC
M
SIEM
Splu
nk
IAMLinux /
Windows
Base Image
Build
GIT
Test
CICI/CD
capabilities
1
2
3
Cloud team

Platform compliance
Goal
Providing a compliant AWS platform for our customers. Protect NN against mistakes and miscommunication which might
harm the group while providing a lot of freedom to our customers in their accounts.
Lessons learned
•We started by manually creating and deploying Lambda and Cloud config rules to check and enforce compliance. This
did not work because of:
• A lot of manual work (deploying, testing) when creating new accounts (time consuming and error prone)
• No traceable process and hard to understand for non tech people (e.g. what check is implemented, approved by who)
•Adopt market standards (CIS best practice for platform controls)
•When you make compliance easy, customers will come by them selves.
Please remember: You’re not the first organization with additional compliance requirements!
35

Platform compliance
36
Technical state compliance monitoring
• Based on CIS best practice
• Some controls are enforced (risk based: e.g. public IP, disk encryption), the rest monitored
• Cloud custodian is used to implement the controls
IAM
• Automated role provisioning of IAM roles and policies to both AD and AWS
• SSO with multi factor
Security event monitoring
• Sent cloud trail logs to our central SIEM solution (Arcsight)
• Use cases are defined at our SOC. They inform the AWS team or take mitigating action if needed
Change control and traceability
• No manual access to our A/P accounts
• Everything is automatically tested and deployed via our pipeline

Demo: Platform compliance
37
1. Human readable declarative controls
2. Automatically tested
3. Automatically deployed in all accounts
4. Results sent to our team

Compliance of our workloads
38

Base build compliance
Goal
Providing a NN base build for our customers, out of the box secure, connected to our security tooling and easy to use.
Lessons learned
•Build for automation and self service
• It will not scale if not automated, cloud provides all the capabilities needed, so automate!
• Without self service you will nullify one of the most important cloud benefits (speed)
•Use open source tools for hardening, having a huge community behind a tool is a big benefit
• You’re not the first who needs a hardened OS, don’t invent but adopt
•Rethink the status quo, the current solution (non cloud) may not be suited for cloud
39

Base build compliance
Technical state compliance monitoring
•Nessus for runtime, everything on the inside of the server (e.g. vulnerabilities, config)
•Cloud Custodian for everything on the ‘outside’ of the server (e.g. security groups, encryption)
•OpenSCAP during build time
Security event monitoring
•Sent systems and applications logs to our central SIEM solution (Arcsight), scalable setup op collectors behind a ASG
•Use cases are defined at our SOC. They inform the customer or take mitigating action if needed
Change control and traceability
•Users cannot login on the servers
•Everything is automatically tested and deployed via our pipeline
40

Demo: Base build
41
1. Declarative Ansible playbooks
2. Includes hardening, SIEM, TSCM, Splunk
3. Tested and build in our pipeline
4. Checked on compliancy
5. Base builds propagated to other accounts to be used by our customers

Meet security & compliance requirements by…
Continuous Logging &
Monitoring
Automating Security
& Compliance Controls
Remediate Issues
Automatically
Enforcing Policies
Automatically
Infrastructure-as-code
Continuous and
automated deployments

Thank you!

AWS Security and Compliance Automation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS Security and Compliance Automation

Similar to AWS Security and Compliance Automation (20)

More from Amazon Web Services

More from Amazon Web Services (20)

AWS Security and Compliance Automation