This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture decisions made by Fortune 500 organizations during actual sensitive workload deployments as told by the AWS professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.
2. What to expect from this session
• Learn patterns for integrating AWS adoption into your security program
• Provide a “Day 1” approach to each AWS account
• Highlight the top security patterns used by the most mature AWS customers
3. Patterns adopted by highly successful security programs
• Security program
• Security as code
• Minimum security baseline
• Asset management
• Security management layer
4. Patterns adopted by highly successful security programs
• Ubiquitous encryption
• Just-in-time access
• Ubiquitous logging
• DevSecOps
• Security services and API
• Security program
• Security as code
• Minimum security baseline
• Asset management
• Security management layer
7. Security program – Foundations
• Control framework
• Roles and responsibilities
• Risk register and security metrics
8. Security program – Ownership as part of DNA
• Promotes a culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
Ownership models: distributed and embedded
9. Security program – Enterprise security strategy
Capability / Principle / Action
Directive
• Infrastructure as code: Skill up security team in code and automation, DevSecOps
• Design guardrails not gates: Architect to drive toward good behavior
Preventive
• Use the cloud to protect the cloud: Build, operate, and manage security tools in the cloud
• Stay current, run secure: Consume new security features; patch and replace frequently
• Reduce reliance on persistent access: Establish role catalog; automate KMI via secrets service
Detective
• Total visibility: Aggregate AWS logs and metadata with OS and app logs
• Deep insights: Security data warehouse with BI and analytics
Responsive
• Scalable incident response: Update IR SOP for shared responsibility framework
• Forensic readiness: Update workloads to support forensic readiness and containment
• AWS CAF components help organize
• Principles driving transformation of security culture
• Realized by taking specific actions and measuring progress
10. Security program: Extending the Shared Responsibility Model through Partners
Foundation services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Enterprise security stakeholders: Governance and Risk, Business, Security Operations, Compliance, Product and Platform Teams
Partner ecosystem: Technology; Partner ecosystem: Services
11. Security program – Account Governance – New Accounts
Baseline requirements:
• AWS Config
• AWS CloudTrail
• InfoSec’s cross-account roles
• AWS account credential management (“root account”)
• Federation
• AWS account ownership
• AWS account contact information
• AWS Sales and Support relationship
12. Security Program – Account Governance – Existing Accounts
Baseline requirements (the same set as for new accounts): AWS Config; AWS CloudTrail; InfoSec’s cross-account roles; AWS account credential management (“root account”); federation; AWS account ownership; AWS account contact information; AWS Sales and Support relationship
16. Security as code: Using AWS CodeDeploy
Imaging instance memory: LiME (https://github.com/504ensicslabs/lime)
AWS CodeDeploy: [deployment screenshot not reproduced in the extracted text]
17. Security as code
1. Use the cloud to protect the cloud
2. Security infrastructure should be cloud aware
3. Expose security features as services via API
4. Automate everything so everything scales
18. Security as code: Innovation, stability, & security
Business
Development: Build it faster
Operations: Keep it stable
Security: Protect it
19. Security as code: A shorter path to the customer
Stages: Requirements gathering → Automated build and deploy → Release
Learning labels from the diagram: Some learning; Minimal learning; Lots of learning
20. Security as code: Deploying more frequently lowers risk
Frequent release events (“Agile methodology”): smaller effort per change, “Minimized risk”
Rare release events (“Waterfall methodology”): larger effort per change, “Increased risk”
(Diagram axes: Time vs. Change)
21. Security as code: Agile user stories
1. Epics vs. stories
An epic is delivered over many sprints; a user story is delivered in one sprint or less. (Backlog flow: icebox → backlog → sprint)
2. Product owner
The product owner decides the priority of each story, is responsible for accepting the story, and is responsible for defining the detailed requirements and detailed acceptance criteria for the story.
22. Security as code: Agile user stories
3. Persona (or role)
A persona/role is a fictitious user or actor within or of the system.
4. Acceptance criteria
What does good look like? How will we know?
5. Summary format
Every story should have the same summary format:
As a (persona/role) I want (function) so that (benefit).
23. Responsibility & Accountability: Operating with Shared Responsibility
Own it. Govern it. Not my monkeys; not my circus.
How do I know?
• Do I carry a pager for this service?
• Do I make the rules?
• Should I be consulted or informed?
25. Evolution of compliance at AWS
AWS certifications → Customer enabler docs → Customer case studies → Security by Design tech (SbD)
SbD building blocks: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
26. Security by Design - SbD
Security by Design (SbD) is a modern security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. It is a systematic approach to ensure security; instead of relying on after-the-fact auditing, SbD provides control insights throughout the IT management process.
27. What you do in any IT Environment
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Gold OS images
• Encryption algorithms for data in transit and at rest
Golden Code: Security Translation to AWS. The same controls expressed as AWS JSON: gold image, NTP and NAT; network ACLs, subnets, FW rules.
28. SbD: The Next Big Thing in IT GRC
AWS provides Governance, Risk, and Compliance teams:
1. The right SbD tech - AWS
2. SbD Whitepaper
3. AWS GoldBase
   1. Security controls implementation matrix
   2. Architecture diagrams
   3. AWS CloudFormation templates - industry compliance templates for PCI, NIST 800-53, HIPAA, FFIEC, and CJIS
   4. User Guides and deployment instructions
4. AWS Config Rules – auditing
5. AWS Inspector – advanced in-host security and audit
6. Training
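As an added example of the "AWS Config Rules – auditing" item (this is not code from the talk, from AWS GoldBase, or from an AWS managed rule), the evaluation logic of a custom Config rule: Config hands the function one configuration item, the pure evaluate() function decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE for an EBS volume (optionally requiring a specific KMS key passed as the rule parameter `kmsKeyArn`, an assumed parameter name), and the handler reports it back with put_evaluations. Splitting the decision from the AWS call is what makes the rule unit-testable in a pipeline.

```python
"""Custom AWS Config rule: flag EBS volumes that are not encrypted.

Added example, not the talk's or AWS's own code. It follows the shape of a
Config custom-rule Lambda: Config invokes the function with a configuration
item, the function evaluates it and reports compliance back with
put_evaluations. The pure evaluate() function runs offline.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate(config_item, rule_params=None):
    """Return (compliance_type, annotation) for one configuration item.

    Only AWS::EC2::Volume items are in scope; anything else is NOT_APPLICABLE.
    The field names (`encrypted`, `kmsKeyId`) are the lowerCamelCase keys Config
    records for an EC2 volume, mirroring the describe-volumes output.
    """
    rule_params = rule_params or {}
    if config_item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "Rule applies to EBS volumes only"
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "Volume was deleted"
    cfg = config_item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return NON_COMPLIANT, "Volume is not encrypted"
    required_key = rule_params.get("kmsKeyArn")  # assumed rule parameter name
    if required_key and cfg.get("kmsKeyId") != required_key:
        return NON_COMPLIANT, "Volume is encrypted with an unapproved key: %s" % cfg.get("kmsKeyId")
    return COMPLIANT, "Volume is encrypted"


def build_evaluation(config_item, rule_params=None):
    """Shape the verdict as one entry for config:PutEvaluations."""
    compliance, note = evaluate(config_item, rule_params)
    return {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": config_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point when AWS Config invokes the rule (needs boto3 and credentials at runtime)."""
    import boto3  # imported here so the module stays importable offline
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    evaluation = build_evaluation(invoking["configurationItem"], params)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample item, in the shape Config delivers, for a local dry run.
SAMPLE_UNENCRYPTED = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2016-01-01T00:00:00.000Z",
    "configuration": {"volumeId": "vol-0123456789abcdef0", "encrypted": False, "kmsKeyId": None},
}

if __name__ == "__main__":
    print(build_evaluation(SAMPLE_UNENCRYPTED))
```

Wiring the function to a Config rule (the rule definition, its scope of AWS::EC2::Volume, and the Lambda permission) is done in CloudFormation alongside the rest of the GoldBase-style templates, so the rule itself ships as code.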
32. Peer Review: Security management layer using VPC peering
• Shared infrastructure security services moved to a Services VPC
• 1-to-1 peering = app isolation
• Security groups and NACLs still apply
• Security groups still bound to a single VPC
Diagram components: one AWS region containing a public-facing web app, internal company apps #1 to #4, internal company dev, internal company QA, and a Services VPC (AD, DNS, monitoring, logging); an HA pair of VPN endpoints connects to the company data center.
34. Ubiquitous encryption
Services: AWS CloudTrail, AWS IAM, EBS, RDS, Amazon Redshift, S3, Glacier
• Encrypted in transit and at rest
• Fully auditable
• Fully managed keys
• Restricted access
36. Reduced reliance on long-term, privileged access
• AssumeRole and GetFederationToken API calls baked into the heart of developer behavior, federation, and cross-account governance
• Just-in-time access: use APIs to open up the network for management only when necessary. Change and break/fix ticketing executes scripts to build bastions or open up security groups upon approval or stage.
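An added example of the just-in-time pattern described above (this is not the talk's tooling; the flow, the ticket-id naming and the expiry-in-description convention are assumptions): once a ticket is approved, a script assumes a short-lived role with STS, authorizes exactly one security-group ingress rule whose description records the ticket and its expiry, and a scheduled sweep revokes every rule whose window has passed, so nothing stays open by accident. The STS and EC2 calls use the boto3 method names and parameters; the clients are passed in so the logic can be dry-run against the in-memory fake at the bottom.

```python
"""Just-in-time administrative access: open a rule for an approved ticket, revoke it on expiry.

Added example, not the talk's own tooling. Assumed flow: ticket approved ->
assume a short-lived role -> authorize one SG ingress rule tagged with its
expiry -> a scheduled sweep revokes expired rules. Clients are injected so
the logic runs offline against FakeEC2.
"""
import datetime as dt
import ipaddress

SG_ID = "sg-0123456789abcdef0"  # constructed sample group id


def _utcnow():
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)


def assume_jit_role(sts, role_arn, ticket_id, duration_seconds=900):
    """Temporary credentials bound to a ticket; 900 s is the shortest STS allows."""
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName="jit-%s" % ticket_id,  # session name shows up in CloudTrail
        DurationSeconds=duration_seconds,
    )
    return resp["Credentials"]


def open_jit_rule(ec2, group_id, source_cidr, port, ticket_id, minutes, now=None):
    """Authorize one ingress rule for an approved ticket; the expiry lives in the rule description."""
    net = ipaddress.ip_network(source_cidr, strict=True)
    if net.prefixlen < 24:  # refuse broad sources even when a ticket asks for them
        raise ValueError("source %s is wider than /24" % source_cidr)
    now = now or _utcnow()
    expires = now + dt.timedelta(minutes=minutes)
    description = "jit ticket=%s expires=%s" % (ticket_id, expires.strftime("%Y-%m-%dT%H:%M:%SZ"))
    ec2.authorize_security_group_ingress(
        GroupId=group_id,
        IpPermissions=[{
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": str(net), "Description": description}],
        }],
    )
    return description


def sweep_expired_rules(ec2, group_id, now=None):
    """Revoke every jit rule whose expiry has passed; returns the descriptions removed."""
    now = now or _utcnow()
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    revoked = []
    for perm in group.get("IpPermissions", []):
        for rng in perm.get("IpRanges", []):
            desc = rng.get("Description", "")
            if not desc.startswith("jit "):
                continue  # leave rules that were not opened by this process alone
            expires = dt.datetime.strptime(desc.split("expires=")[1], "%Y-%m-%dT%H:%M:%SZ")
            if expires <= now:
                ec2.revoke_security_group_ingress(
                    GroupId=group_id,
                    IpPermissions=[{"IpProtocol": perm["IpProtocol"], "FromPort": perm["FromPort"],
                                    "ToPort": perm["ToPort"], "IpRanges": [{"CidrIp": rng["CidrIp"]}]}],
                )
                revoked.append(desc)
    return revoked


class FakeEC2:
    """In-memory stand-in for the three boto3 EC2 calls used above (constructed for the dry run)."""
    def __init__(self):
        self.perms = []

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.perms.extend(IpPermissions)

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": list(self.perms)}]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        gone = {r["CidrIp"] for p in IpPermissions for r in p["IpRanges"]}
        for p in self.perms:
            p["IpRanges"] = [r for r in p["IpRanges"] if r["CidrIp"] not in gone]
        self.perms = [p for p in self.perms if p["IpRanges"]]


def demo(ec2=None):
    """Open a 30-minute SSH rule at 12:00, sweep at 12:45; returns (rules open before sweep, revoked)."""
    ec2 = ec2 or FakeEC2()
    t0 = dt.datetime(2016, 1, 1, 12, 0, 0)
    open_jit_rule(ec2, SG_ID, "203.0.113.10/32", 22, "CHG-4242", 30, now=t0)
    open_before = len(ec2.describe_security_groups(GroupIds=[SG_ID])["SecurityGroups"][0]["IpPermissions"])
    revoked = sweep_expired_rules(ec2, SG_ID, now=t0 + dt.timedelta(minutes=45))
    return open_before, revoked


if __name__ == "__main__":
    print(demo())
```

In production the sweep runs on a schedule under its own narrowly scoped role, and because every rule carries the ticket id in its description, CloudTrail's AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress events can be joined back to the change record during review.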
38. Ubiquitous logging:
Log flow:
1. Amazon EC2 instances and AWS CloudTrail write raw logs to Amazon S3
2. Parse in Amazon EMR and upload to Amazon Redshift
3. Analyze with standard BI tools
4. Archive to Amazon Glacier
Access to each stage is governed by permissions, and the data is encrypted end to end!
39. Ubiquitous logging: What are we looking for?
• Unused permissions
• Overuse of privileged accounts
• Usage of keys
• Anomalous logins
• Policy violations
• System abuse
• …
• Collect data once, many use cases
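As an added example for the log-flow slide and the list above (not the talk's pipeline; the sample log is constructed, the CloudTrail field names are the real ones), the parse step and a first pass of detections written in Python: read one gzipped CloudTrail object of the kind CloudTrail writes to S3, flatten each record into the row you would load into Amazon Redshift, and flag root-account use, console logins without MFA, repeated failed logins from one source, long-term access-key use, and access-denied errors. The thresholds are assumptions to tune against your own baseline.

```python
"""Parse a CloudTrail log file and run first-pass detections over its records.

Added example, not the talk's own code. CloudTrail writes gzipped JSON objects
to S3 whose top-level key is "Records"; parse_log_file() reads one such object,
flatten() turns each record into a warehouse row, and findings() applies the
checks from the "what are we looking for" list. SAMPLE_LOG is constructed.
"""
import gzip
import json
from collections import Counter


def parse_log_file(gz_bytes):
    """Decode one CloudTrail S3 object into its list of event records."""
    return json.loads(gzip.decompress(gz_bytes).decode("utf-8"))["Records"]


def flatten(rec):
    """One flat row per event: the columns a Redshift table would carry."""
    ident = rec.get("userIdentity", {})
    attrs = ident.get("sessionContext", {}).get("attributes", {})
    return {
        "event_time": rec.get("eventTime"),
        "event_source": rec.get("eventSource"),
        "event_name": rec.get("eventName"),
        "region": rec.get("awsRegion"),
        "source_ip": rec.get("sourceIPAddress"),
        "identity_type": ident.get("type"),          # Root, IAMUser, AssumedRole, ...
        "identity_arn": ident.get("arn"),
        "access_key_id": ident.get("accessKeyId"),
        # API calls carry mfaAuthenticated ("true"/"false"); console logins carry MFAUsed ("Yes"/"No").
        "mfa": attrs.get("mfaAuthenticated") or rec.get("additionalEventData", {}).get("MFAUsed"),
        "error_code": rec.get("errorCode"),
    }


def findings(records, failed_login_threshold=3):
    """Return (kind, detail) tuples for the patterns the logging slide lists."""
    out = []
    failed_by_ip = Counter()
    denied_by_arn = Counter()
    for rec in records:
        row = flatten(rec)
        if row["identity_type"] == "Root":  # overuse of privileged accounts
            out.append(("root-account-used", "%s by %s" % (row["event_name"], row["source_ip"])))
        if row["event_name"] == "ConsoleLogin":  # anomalous logins
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failed_by_ip[row["source_ip"]] += 1
            elif outcome == "Success" and row["mfa"] == "No":
                out.append(("console-login-without-mfa", row["identity_arn"]))
        # Usage of keys: AKIA... ids are long-term IAM user keys, ASIA... ids are temporary STS credentials.
        if (row["access_key_id"] or "").startswith("AKIA") and row["identity_type"] == "IAMUser":
            out.append(("long-term-key-used", "%s %s" % (row["access_key_id"], row["event_name"])))
        if row["error_code"] in ("AccessDenied", "Client.UnauthorizedOperation"):  # policy violations
            denied_by_arn[row["identity_arn"]] += 1
    for ip, n in failed_by_ip.items():
        if n >= failed_login_threshold:
            out.append(("repeated-failed-console-logins", "%s (%d failures)" % (ip, n)))
    for arn, n in denied_by_arn.items():
        out.append(("access-denied", "%s (%d denials)" % (arn, n)))
    return out


def _record(**overrides):
    """Constructed CloudTrail record; callers override the fields that matter."""
    base = {"eventVersion": "1.05", "eventTime": "2016-01-01T12:00:00Z", "awsRegion": "us-east-1",
            "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "sourceIPAddress": "203.0.113.5",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}}
    base.update(overrides)
    return base


SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    _record(userIdentity={"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
            responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _record(responseElements={"ConsoleLogin": "Failure"}, sourceIPAddress="198.51.100.7"),
    _record(responseElements={"ConsoleLogin": "Failure"}, sourceIPAddress="198.51.100.7"),
    _record(responseElements={"ConsoleLogin": "Failure"}, sourceIPAddress="198.51.100.7"),
    _record(eventSource="ec2.amazonaws.com", eventName="DescribeInstances",
            userIdentity={"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob",
                          "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}),
    _record(eventSource="iam.amazonaws.com", eventName="CreateUser", errorCode="AccessDenied",
            userIdentity={"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/dev/carol"}),
]}).encode("utf-8"))


def demo():
    """Findings over the constructed log."""
    return findings(parse_log_file(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

The same flatten() output is what "collect data once, many use cases" means in practice: one table feeds the BI dashboards, the unused-permission review (identities with no events over a period) and the alerting rules alike.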
41. DevSecOps pipeline (diagram)
Stages: Version Control → CI Server → Package Builder → Deploy Server
Flow labels: Dev commits to repo; pull code; generate AMIs and AWS CloudFormation templates for each env; send build report to dev and stop everything if build failed; create repo, push config, install
Artifacts: Code, Config, Tests, AMIs
Environments: Test Env, Staging Env, Prod Env
DevOps → DevSecOps additions: Security repository; vulnerability and pen testing; security infrastructure tests; security unit tests in app
42. Continuous integration/deployment and automation for security infrastructure (diagram)
Version Control (Dev, IT Ops)
Application track: write app code → build/compile code → unit test app code → package application (tar, war, zip; yum, rpm) → deploy application only
Infrastructure track: write infra code (CloudFormation) → validate templates → build AMIs → deploy infrastructure only
Artifact Repository holds the packages, templates, and AMIs; automate deployment to Dev Env, Test Env, DR Env, and Prod Env
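An added example of the "security unit tests" and "validate templates" steps in the two pipeline diagrams above (this is not the talk's test suite; the template is constructed, the CloudFormation resource types and property names are the real ones): checks that run in the CI stage against the template JSON and fail the build before anything reaches an environment. Each check returns its findings, so run_checks() is what the pipeline gate asserts is empty.

```python
"""Security unit tests for a CloudFormation template.

Added example, not the talk's own test suite. The checks run against the
template JSON in the CI stage: admin ports open to the world, S3 buckets
without default encryption, and IAM policies granting "*" on "*".
SAMPLE_TEMPLATE is constructed with one finding of each kind beside a
compliant sibling.
"""
import json

ADMIN_PORTS = {22, 3389}           # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}


def _resources(template, rtype):
    """Resources of one type, keyed by logical name (insertion order kept)."""
    return {name: r for name, r in template.get("Resources", {}).items() if r.get("Type") == rtype}


def _port_range(rule):
    """Ports a rule covers; protocol -1 or missing ports means everything."""
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if str(rule.get("IpProtocol")) == "-1" or lo is None or hi is None:
        return 0, 65535
    return int(lo), int(hi)


def open_admin_ports(template):
    """Security-group ingress rules exposing an admin port to the whole internet."""
    hits = []
    for name, sg in _resources(template, "AWS::EC2::SecurityGroup").items():
        for rule in sg.get("Properties", {}).get("SecurityGroupIngress", []):
            source = rule.get("CidrIp") or rule.get("CidrIpv6")
            if source not in WORLD:
                continue
            lo, hi = _port_range(rule)
            if any(lo <= p <= hi for p in ADMIN_PORTS):
                hits.append("%s: %s %d-%d open to %s" % (name, rule.get("IpProtocol"), lo, hi, source))
    return hits


def unencrypted_buckets(template):
    """S3 buckets declared without default encryption at rest."""
    return [name for name, b in _resources(template, "AWS::S3::Bucket").items()
            if "BucketEncryption" not in b.get("Properties", {})]


def wildcard_admin_policies(template):
    """IAM policies with an Allow statement for every action on every resource."""
    hits = []
    for rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
        for name, pol in _resources(template, rtype).items():
            for st in pol.get("Properties", {}).get("PolicyDocument", {}).get("Statement", []):
                actions = st.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                resources = st.get("Resource", [])
                resources = [resources] if isinstance(resources, str) else resources
                if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
                    hits.append(name)
    return hits


def run_checks(template):
    """Every finding as (check, detail); an empty list means the template passes the gate."""
    findings = [("open-admin-port", h) for h in open_admin_ports(template)]
    findings += [("unencrypted-bucket", n) for n in unencrypted_buckets(template)]
    findings += [("wildcard-admin-policy", n) for n in wildcard_admin_policies(template)]
    return findings


# Constructed template: one deliberate finding of each kind next to a compliant sibling.
SAMPLE_TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "bastion", "VpcId": "vpc-0123456789abcdef0",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "AppSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "app", "VpcId": "vpc-0123456789abcdef0",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/16"}]}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "SafeBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
      "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "DeployPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    "ReadOnlyPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}}}
  }
}""")

if __name__ == "__main__":
    for check, detail in run_checks(SAMPLE_TEMPLATE):
        print("FAIL %s: %s" % (check, detail))
```

These checks only see what is literal in the template; a CidrIp supplied through a parameter or an intrinsic function is not resolved here, so the same checks should also run as a Config rule after deployment, which is the "guardrails, not gates" split the strategy slide describes.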
43. Building DevSecOps teams
• Make DevOps the security team’s job.
• No siloed/walled off DevOps teams.
• Encourage {security} developers to participate openly in the automation of operations code.
• Embolden {security} operations participation in testing and automation of application code.
• Take pride in how fast and frequently you deploy.
45. Security as code: Architectural elements
• Shared Responsibility Model
• Identity and Access Control
• Logging and Monitoring
• Infrastructure Security
• Data Protection
• Secure Continuous Integration/Continuous Delivery Toolchain
• Configuration and Vulnerability Analysis
• Big Data and Predictive Analytics
46. Getting Started
Story: As a security analyst I want to monitor interactions with AWS API so that we can baseline user behavior
Sprint 1: Enable AWS CloudTrail globally
Story: As a security operations team member I want to take action on AWS CloudWatch alarms so that we respond responsibly
Sprint 2: Integrate alerting into security workflow & ticketing
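An added example for the two sprints above (not the talk's integration; the alarm-name prefixes, the severity mapping and the sample event are assumptions, the SNS envelope and CloudWatch alarm fields are the real ones): the usual wiring is a CloudWatch Logs metric filter on the CloudTrail log group, a CloudWatch alarm on that metric, an SNS topic, and a function like the one below that turns the alarm notification into a ticket, de-duplicating repeated ALARM notifications until the alarm returns to OK.

```python
"""Turn a CloudWatch alarm notification (via SNS) into a security ticket.

Added example, not the talk's own code. handle_sns_event() is shaped like a
Lambda handler subscribed to the alarm topic; open_ticket is whatever posts
to the ticketing system and is passed in so the logic runs offline.
"""
import json

# Sprint 1 side: a metric filter of this shape on the CloudTrail log group counts root-account use
# (the same pattern the CIS AWS Foundations benchmark recommends); its alarm feeds the topic below.
ROOT_USAGE_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

# Assumed severity mapping keyed on alarm-name prefix; adjust to your own naming convention.
SEVERITY_BY_PREFIX = {"sec-root-": "P1", "sec-iam-": "P2", "sec-": "P3"}


def severity_for(alarm_name):
    """Longest matching prefix wins because the dict lists specific prefixes first."""
    for prefix, sev in SEVERITY_BY_PREFIX.items():
        if alarm_name.startswith(prefix):
            return sev
    return "P4"


def alarm_key(alarm):
    """Identity of an alarm across notifications: account plus alarm name."""
    return "%s/%s" % (alarm.get("AWSAccountId"), alarm["AlarmName"])


def ticket_from_alarm(alarm):
    """Build the ticket record for one parsed alarm message; None when nothing should open."""
    if alarm.get("NewStateValue") != "ALARM":
        return None  # OK / INSUFFICIENT_DATA transitions annotate or close, they do not page
    trig = alarm.get("Trigger", {})
    return {
        "key": alarm_key(alarm),
        "severity": severity_for(alarm["AlarmName"]),
        "title": "[%s] %s" % (alarm.get("Region"), alarm["AlarmName"]),
        "metric": "%s/%s" % (trig.get("Namespace"), trig.get("MetricName")),
        "reason": alarm.get("NewStateReason"),
        "opened_at": alarm.get("StateChangeTime"),
        "description": alarm.get("AlarmDescription", ""),
    }


def handle_sns_event(event, open_ticket, seen=None):
    """Lambda-style entry point; one SNS event may carry several records."""
    seen = seen if seen is not None else set()
    opened = []
    for record in event.get("Records", []):
        if record.get("EventSource") != "aws:sns":
            continue
        alarm = json.loads(record["Sns"]["Message"])
        key = alarm_key(alarm)
        if alarm.get("NewStateValue") == "OK":
            seen.discard(key)  # next ALARM transition opens a fresh ticket
            continue
        ticket = ticket_from_alarm(alarm)
        if ticket is None or key in seen:
            continue  # one open ticket per alarm until it returns to OK
        seen.add(key)
        open_ticket(ticket)
        opened.append(ticket)
    return opened


def _alarm(state):
    """Constructed alarm message in the JSON CloudWatch publishes to SNS."""
    return {
        "AlarmName": "sec-root-console-login",
        "AlarmDescription": "Root account used (CloudTrail metric filter)",
        "AWSAccountId": "111122223333",
        "NewStateValue": state, "OldStateValue": "OK" if state == "ALARM" else "ALARM",
        "NewStateReason": "Threshold Crossed: 1 datapoint (1.0) was greater than or equal to the threshold (1.0).",
        "StateChangeTime": "2016-01-01T12:00:00.000+0000",
        "Region": "US East (N. Virginia)",
        "Trigger": {"MetricName": "RootAccountUsage", "Namespace": "CloudTrailMetrics",
                    "Statistic": "SUM", "Period": 300, "EvaluationPeriods": 1,
                    "ComparisonOperator": "GreaterThanOrEqualToThreshold", "Threshold": 1.0},
    }


def _sns_record(message):
    return {"EventSource": "aws:sns", "Sns": {"Subject": "ALARM", "Message": json.dumps(message)}}


# Constructed event: the alarm fires, fires again (duplicate), then returns to OK.
SAMPLE_EVENT = {"Records": [_sns_record(_alarm("ALARM")), _sns_record(_alarm("ALARM")), _sns_record(_alarm("OK"))]}


def demo():
    """Tickets opened for the constructed event: exactly one."""
    tickets = []
    return handle_sns_event(SAMPLE_EVENT, tickets.append)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keeping `seen` in the function's arguments matters: a Lambda's memory does not survive between cold starts, so in production the de-duplication set lives in a small table or in the ticketing system's own "already open" query rather than in process memory.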
47. AWS Cloud Adoption Framework
Strategy and Value Domain: Why to invest? Why change? How to measure success?
Process Domain: How to structure cloud programs? How to ensure quality of delivery?
People Domain: What skills and capabilities are required? How to compose migration team?
Maturity Domain: What are the priorities? When to deliver solutions?
Platform Domain: How to design foundations? How to migrate workloads?
Operating Domain: What are key ops capabilities? What is the new ITSM cycle?
Security Domain: Will risk increase? Can we run cloud secure and compliant?
48. AWS Marketplace Network/Security Partner Ecosystem
Security categories: Infrastructure Security; Logging and Monitoring; Identity and Access Control; Configuration and Vulnerability Analysis; Data Protection
Network Infrastructure
Delivery model: SaaS