
Compliance in the Cloud Using “Security by Design” Principles


Page 1: Compliance in the Cloud Using “Security by Design” Principles

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

17th June 2016

Compliance in the Cloud Using Security by Design

Dean Samuels, Manager, Solutions Architecture – Hong Kong & Taiwan

Amazon Web Services

Page 2

Problem statement

Increasing complexity (mobility, system connectivity) causes increasing difficulty in managing risk and security and in demonstrating compliance.

Page 3

Current state—technology governance

Policies

Procedures and guidelines

Standards

Page 4

Issues—technology governance

The majority of technology governance processes rely predominantly on administrative and operational security controls, with limited technology enforcement.

Diagram: Assets, Threat, Vulnerability, Risk

AWS has an opportunity to innovate and advance technology governance services.

Page 5

Flexibility and complexity

•  Single VPC or multiple VPCs
•  Public or private subnets
•  Who will manage the keys
•  AWS Identity and Access Management (IAM) groups or roles
•  What is the regulatory requirement?
•  What's in scope or out of scope?
•  How to verify the standards are met?
•  Which AWS database

Page 6

Security by Design

Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process.

AWS Identity & Access Management (IAM)

AWS CloudTrail

Amazon CloudWatch

AWS Config Rules

AWS Trusted Advisor

AWS CloudHSM

AWS Key Management Service (AWS KMS)

AWS Directory Service
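To make the "automates security controls" part of that definition concrete, here is an added example (my own code, not code from the deck, from AWS, or from an AWS-published rule) of the evaluation logic behind an AWS Config custom rule, written as pure Python so it runs offline. It checks two of the resource types the deck later lists in the CIS foundational benchmark scope: a CloudTrail trail must be multi-region, have log-file validation enabled and encrypt its logs with a KMS key; an S3 bucket must grant no ACL permission to the AllUsers or AuthenticatedUsers groups. The configuration items, the keys inside their configuration dicts, the account id and the key ARN are constructed assumptions rather than a verified Config schema; a deployed rule would hand the returned evaluation to config.put_evaluations() instead of returning it.

```python
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"

# S3 ACL group URIs that make a bucket readable by anyone, or by any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed configuration items in the shape a Config custom rule receives.
# The keys inside "configuration" are assumptions (modelled on the CloudTrail
# DescribeTrails and S3 GetBucketAcl responses), not a verified Config schema.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::CloudTrail::Trail", "resourceId": "org-trail",
     "configuration": {"isMultiRegionTrail": True, "logFileValidationEnabled": True,
                       "kmsKeyId": "arn:aws:kms:ap-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
    {"resourceType": "AWS::CloudTrail::Trail", "resourceId": "legacy-trail",
     "configuration": {"isMultiRegionTrail": False, "logFileValidationEnabled": False,
                       "kmsKeyId": None}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "audit-logs",
     "configuration": {"grants": [{"grantee": "OWNER", "permission": "FULL_CONTROL"}]}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "marketing-assets",
     "configuration": {"grants": [
         {"grantee": "OWNER", "permission": "FULL_CONTROL"},
         {"grantee": "http://acs.amazonaws.com/groups/global/AllUsers", "permission": "READ"}]}},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123456789abcdef0",
     "configuration": {}},
]


def evaluate_trail(config):
    """Detective checks on one trail: it must cover every region, have log-file
    validation on (tamper evidence for the audit trail) and encrypt logs with KMS."""
    problems = []
    if not config.get("isMultiRegionTrail"):
        problems.append("trail is not multi-region")
    if not config.get("logFileValidationEnabled"):
        problems.append("log file validation disabled")
    if not config.get("kmsKeyId"):
        problems.append("log files not encrypted with a KMS key")
    if problems:
        return NON_COMPLIANT, "; ".join(problems)
    return COMPLIANT, "trail meets all checks"


def evaluate_bucket(config):
    """A bucket is non-compliant if its ACL grants anything to a public group."""
    public = [g["permission"] for g in config.get("grants", [])
              if g.get("grantee") in PUBLIC_GRANTEES]
    if public:
        return NON_COMPLIANT, "public ACL grant: " + ", ".join(public)
    return COMPLIANT, "no public ACL grants"


EVALUATORS = {
    "AWS::CloudTrail::Trail": evaluate_trail,
    "AWS::S3::Bucket": evaluate_bucket,
}


def evaluate_item(item):
    """Dispatch on resource type; types this rule has no opinion on are NOT_APPLICABLE."""
    evaluator = EVALUATORS.get(item["resourceType"])
    if evaluator is None:
        return NOT_APPLICABLE, "resource type not covered by this rule"
    return evaluator(item.get("configuration") or {})


def make_event(item, timestamp="2016-06-17T00:00:00Z"):
    """Build the event envelope Config sends a rule: invokingEvent is a JSON string."""
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "notificationCreationTime": timestamp})}


def lambda_handler(event, context=None):
    """Handler with the shape of a Config custom rule. A deployed rule would pass
    the returned dict to config.put_evaluations(); here it is returned so the
    logic runs and can be tested offline."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_item(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": invoking.get("notificationCreationTime", ""),
    }


def evaluate_all(items=SAMPLE_ITEMS):
    """Map every item to its compliance state, as a compliance dashboard would."""
    return {item["resourceId"]: evaluate_item(item)[0] for item in items}


if __name__ == "__main__":
    for sample in SAMPLE_ITEMS:
        result = lambda_handler(make_event(sample))
        print(f"{result['ComplianceResourceId']:<22} {result['ComplianceType']:<15} {result['Annotation']}")
```

Running the file prints one line per constructed resource with its compliance state and the annotation an auditor would see in the Config console. Keeping the checks as pure functions over a configuration dict, separate from the Lambda envelope, is what makes a "detect" control testable before it is deployed, which is the point of treating controls as code rather than as a checklist.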

Page 7

SbD—design principles

•  Build security in every layer
•  Design for failures
•  Implement auto-healing
•  Think parallel
•  Plan for breach
•  Don't fear constraints
•  Leverage different storage options
•  Design for cost
•  Treat infrastructure as code
   •  Modular
   •  Versioned
   •  Constrained

Security by Design involves developing new risk mitigation capabilities that go beyond global security frameworks: treating risks, eliminating manual processes, and optimizing evidence and audit ratification processes through rigid automation.

Page 8

SbD—ecosystem

Security by Design (SbD)

AWS CloudFormation

AWS Config Rules

Amazon Inspector

Page 9

SbD—modernizing tech governance (MTG)

Why?

Complexity is growing, making the old way to govern technology obsolete.

You need the automation that AWS offers to manage security.

Page 10

Goal—modernizing tech governance

Adopt “prevent” controls; make “detect” controls more powerful and comprehensive.

Page 11

SbD—modernizing tech governance

1. Decide what to do (strategy)
   1.1 Identify stakeholders
   1.2 Identify your workloads moving to AWS

2. Analyze and document (outside of AWS)
   2.1 Rationalize security requirements
   2.2 Define data protections and controls
   2.3 Document security architecture

3. Automate, deploy, and monitor
   3.1 Build/deploy security architecture
   3.2 Automate security operations
   3.3 Continuously monitor
   3.4 Test and have game days

4. Certify
   4.1 Audit and certify

Page 12

SbD—rationalize security requirements

AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security configuration guides that will align to multiple security frameworks globally.

https://www.cisecurity.org/

The benchmarks are:

•  Recommended technical control rules and values for hardening operating systems, middleware and software applications, and network devices.
•  Distributed free of charge by CIS in .PDF format.
•  Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.

Page 13

SbD—AWS CIS benchmark scope

Foundational benchmark: CloudTrail, AWS Config & Config Rules, AWS KMS, IAM, CloudWatch, Amazon S3, Amazon SNS

Three-tier web architecture: Amazon EC2, Elastic Load Balancing, Amazon VPC, AWS Direct Connect, Amazon Elastic Block Store, CloudHSM, Amazon Glacier, Amazon Route 53, VPN Gateway, Amazon CloudFront

Page 14

SbD—define data protections and controls

Page 15

SbD—document security architecture

https://aws-poc.allgress.com/allgress/awsgc

Page 16

SbD—automate security operations

Automate deployments, provisioning, and configurations of the AWS customer environments.

Diagram: CloudFormation (template → stack of instances, apps, and resources); AWS Service Catalog (design, package, products, portfolios; deploy and constrain stacks); IAM (set permissions)

Page 17

SbD—continuously monitor—Splunk

Diagram: AWS data sources (AWS CloudTrail, Amazon EMR, Amazon Kinesis, Amazon VPC, Elastic Load Balancing, Amazon S3, AWS Lambda, AWS Config, AWS CloudWatch, AWS IoT, other services) feed the Add-on for AWS and the Splunk app for AWS (explore, analyze, dashboard, alert).

Use cases for AWS:

•  Security intelligence (CloudTrail, CloudWatch, VPC)
•  Operational intelligence (CloudWatch, ELB, etc.)
•  DevOps intelligence (CloudWatch, Lambda)
•  Big data insights (Amazon Kinesis, EMR, IoT, S3)

Page 18

Splunk app for AWS—visualize and monitor

Dashboards: AWS CloudTrail resource activity; AWS CloudTrail user activity
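Behind the CloudTrail user-activity dashboards and alerts sits a small set of detection rules over the same record fields. As an added example (my own code, not from the deck, from AWS, or from the Splunk app), here are four such rules run offline over constructed CloudTrail records: interactive root-account use, unauthorized API calls, CloudTrail configuration changes and console sign-in failures, the kinds of CloudTrail monitoring checks the CIS AWS Foundations Benchmark recommends. The log body, account id, ARNs, user names and IP addresses are constructed placeholders; the rule names are my own.

```python
import json
from collections import Counter

# Constructed CloudTrail log-file body in the {"Records": [...]} shape CloudTrail
# delivers to S3. Account id, ARNs, user names and addresses are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-06-17T01:02:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-06-17T01:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "dev-alice",
                      "arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation."},
    {"eventTime": "2016-06-17T01:07:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "ops-bob",
                      "arn": "arn:aws:iam::111122223333:user/ops-bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2016-06-17T01:09:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "dev-alice",
                      "arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2016-06-17T01:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0123456789abcdef0"}},
    # Service acting on root's behalf: must not count as interactive root use.
    {"eventTime": "2016-06-17T01:11:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "s3.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root", "invokedBy": "s3.amazonaws.com"}},
]})

TRAIL_CHANGE_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def is_root_activity(rec):
    """Interactive root use; calls a service makes on root's behalf are excluded."""
    ident = rec.get("userIdentity") or {}
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")


def is_unauthorized_call(rec):
    """API calls rejected by IAM, e.g. Client.UnauthorizedOperation or AccessDenied*."""
    code = rec.get("errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def is_trail_change(rec):
    """Successful changes to the audit trail itself, including turning logging off."""
    return (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in TRAIL_CHANGE_EVENTS and "errorCode" not in rec)


def is_console_login_failure(rec):
    """Failed console sign-ins; responseElements may be null in real records."""
    return (rec.get("eventName") == "ConsoleLogin"
            and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Failure")


RULES = [
    ("root-account-usage", is_root_activity),
    ("unauthorized-api-call", is_unauthorized_call),
    ("cloudtrail-config-change", is_trail_change),
    ("console-login-failure", is_console_login_failure),
]


def actor(rec):
    """Best available identity string for an alert row."""
    ident = rec.get("userIdentity") or {}
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def load_records(text):
    """Parse one delivered CloudTrail log file body."""
    return json.loads(text).get("Records", [])


def detect(records):
    """Apply every rule to every record; a record may raise more than one alert."""
    alerts = []
    for rec in records:
        for name, rule in RULES:
            if rule(rec):
                alerts.append({"rule": name, "time": rec.get("eventTime"), "actor": actor(rec),
                               "event": rec.get("eventName"), "source_ip": rec.get("sourceIPAddress")})
    return alerts


def summarize(alerts):
    """Alert counts per rule, the numbers a dashboard panel would chart."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = detect(load_records(SAMPLE_LOG))
    for a in found:
        print(f"{a['time']} {a['rule']:<26} {a['event']:<18} {a['actor']} from {a['source_ip']}")
    print(summarize(found))
```

Running the file lists four alerts and leaves the ordinary GetObject call and the service-initiated root event alone. In Splunk the same conditions would be saved searches over the ingested CloudTrail index; in CloudWatch Logs they would be metric filters with alarms. Keeping the rules as small predicates means the same logic can be unit-tested against captured records before it is wired into either.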

Page 19

SbD—modernizing technology governance (MTG)

Automate governance

Automate deployments

Automate security operations

Continuous compliance

Page 20

SbD—modernizing technology governance: closing the loop

Result: Reliable technical implementation and enforcement of operational and administrative controls

Page 21

AWS resources

Amazon Web Services Cloud Compliance
•  https://aws.amazon.com/compliance/

SbD website and whitepaper—to wrap your head around this
•  https://aws.amazon.com/compliance/security-by-design/

Page 22

Allgress—getting started

1.  Engage with Allgress in the field: Contact sales
2.  Get started with the Allgress GetCompliant Portal to easily pull compliance configurations from AWS customer accounts
3.  Download the Allgress Module Breakdown

Page 23

Splunk—Getting started

1.  Engage with Splunk in the field: [email protected] can point you in the right direction, and you can request the Splunk Playbook.
2.  Download Splunk>Enterprise.
3.  Download and set up the Splunk App for AWS (and supporting TA) to easily configure Splunk for Config, CloudTrail, CloudWatch metrics, VPC flow logging, S3, and Billing.
4.  Take the self-paced Using Splunk tutorial and look at Splunk>Docs and Splunk>Apps for more.
5.  You can get started quickly with the Splunk search commands, and then use the supporting documentation to advance your skills. Our Quick Reference Guide becomes an essential tool and cheat sheet. Other search reference documentation is also posted.

Page 24

Dean Samuels, Manager, Solutions Architecture – Hong Kong & Taiwan

Amazon Web Services

Thank you!