Introduction to Security-Focused Standardized Architecture
•Télécharger en tant que PPTX, PDF•
15 j'aime•5,225 vues
The AWS Security Focused Standardized Architecture solution is designed to enable customers create secure and compliant workloads in AWS, as well as reduce the complexity of maintaining secure baselines at scale as customer environments transform over time. This solution provides many benefits, including the ability to securely deploy recommended, reliable, and secure resources in AWS. AWS Security Focused Standardized Architecture is an automated reference architecture, following security-leading practices and supporting multiple customer compliance requirements (e.g. FISMA, PCI, CJIS, FFIEC, HIPAA, etc.). The webinar will dive deep into the four core aspects of this tool: Security Control Responsibility Matrix (CRM), Architecture diagrams, AWS CloudFormation templates, and User Guides and deployment instructions; and will also include an actual demonstration of an automated deployment of a secure and compliant baseline architectures using one of the CloudFormation templates.
Recommandé
Recommandé
Contenu connexe
En vedette
En vedette (18)
Plus de Amazon Web Services
Plus de Amazon Web Services (20)
Dernier
Dernier (20)
Introduction to Security-Focused Standardized Architecture
- 1. Brett Miller AWS Professional Services December 2015 Introduction to Security-Focused Standardized Architectures (SFSA)
- 2. Welcome & Objectives Understand the purpose and benefits of SFSA Review contents of the SFSA package Review common use case scenarios and implementations Know how to get started using SFSA in your organization
- 3. Customer Challenges Meeting compliance requirements (NIST, PCI, HIPAA, CJIS, etc.) Choosing from a myriad of options when designing for the cloud Making many critical decisions to ensure a secure application when using the AWS Shared Responsibility Model Mapping security controls to numerous AWS services − Example: 400 NIST 800-53 Security Controls to 42 AWS Services Error prone and time-consuming manual configuration of AWS resources AWS developed SFSA to address major customer challenges when moving to the cloud
- 4. Customer Challenges Meeting compliance requirements (NIST, PCI, HIPAA, CJIS, etc.) Choosing from a myriad of options when designing for the cloud Making many critical decisions to ensure a secure application when using the AWS Shared Responsibility Model Mapping security controls to numerous AWS services − Example: 400 NIST 800-53 Security Controls to 42 AWS Services Error prone and time-consuming manual configuration of AWS resources AWS developed SFSA to address major customer challenges when moving to the cloud AWS Solution: SFSA Standardized for specific use cases Address security/compliance requirements and AWS best practices Ready to be pre-approved by customer assessment organizations Ready to deploy “out of the box” Customizable
- 5. Shared Responsibility Model Customers are responsible for how they use AWS components in AWS Customer Data Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Client-side Data Encryption & Data Integrity Authentication Server-side Encryption (File System and/or Data) Network Traffic Protection (Encryption / Integrity / Identity) DatabaseStorageCompute Networking Edge Locations Regions Avail. Zones AWS Global Infrastructure Customer Responsible for security ‘in’ the Cloud Responsible for security ‘of’ the Cloud AWS
- 6. Infrastructure Services Container Services Abstracted ServicesSecurity Controls Inherited Hybrid Shared Customer Specific Fully inherited by AWS AWS provides partial implementation AWS and customer provides their implementation Sole Responsibility of the customer Division of Responsibility changes depending on AWS service
- 7. SFSA helps simplify and accelerate your AWS migrations Benefits Automate system deployments Address security/compliance requirements Follow best practices Decrease deployment time Provide Reusable Documentation
- 8. AWS built the SFSA Package to include several key artifacts to meet customer needs Package Overview CloudFormation Templates Guidance Documentation Security Controls/Requirements Matrix − NIST SP 800-53 available now − Coming Soon: PCI DSS, CJIS, HIPAA, ISO 27001 Customizable Reference Architecture Diagram
- 9. AWS SFSA CloudFormation Stacks Multiple nested stacks − For different types of workloads − Modular and customizable − Each stack builds a portion of architecture Each package consists of multiple CloudFormation templates reusable across different use cases
- 10. SFSA CloudFormation Stack 2,500 lines of JSON code = 126 AWS Resources, 200+ API Actions
- 11. Documentation Included with every package is a User Guide along with an inventory of resources deployed by the templates Resource Inventory User Guide
- 12. Security Controls / Compliance Mapping Pre-documents how security controls/requirements are addressed by the SFSA within the VPC/infrastructure layer − Can be included in a customer’s compliance documentation/SSP − Can be ingested into customer security/compliance databases/workflow tools Contains additional guidance for each control/requirement Identifies which CloudFormation stack implements the control/requirement Identifies related AWS resources within each stack NIST SP 800-53 controls matrix will be followed by CJIS, SOC, PCI, and other third-party compliance frameworks
- 13. Security Controls / Compliance Mapping: Example Matrix
- 15. SFSA Use Cases Base Architectures Examples: − Base IAM Configuration − Base VPC Architecture for Internal VPC Full Applications Examples: − 3 Tier Linux Web Application − Shared Services VPC with Active Directory
- 16. Before you get started… Understand use cases and workload types Have a basic understanding of your governance model Have a basic cloud strategy and roadmap Identify relevant security standards or compliance requirements − Have an organizational appetite to comply with them
- 17. As a Baseline for your architectures Plan and design the Cloud- based infrastructure Build the infrastructure using AWS components Application Deployment Deploy applications using EC2 instances and other services within the cloud infrastructure SFSA Plan and design the Cloud-based infrastructure Build the infrastructure using AWS components Application Deployment Deploy applications using EC2 instances and other services within the cloud infrastructure SFSA As a Full Application Deployment How can SFSA be used?
- 18. Security Focused Standardized Architectures (SFSA) CloudFormation Intro and Tools
- 19. AWS CloudFormation Basic standard in AWS for automating deployment of resources CloudFormation Template − JSON-formatted document which describes a configuration to be deployed in an AWS account − When deployed, refers to a “stack” of resources AWS CloudFormation
- 21. Describe detailed configuration of a resource in AWS Include, but not limited to: − IAM Policies, Users, Groups, Roles − VPCs, Subnets, NACLs, Security Groups − EC2 instances, Auto Scaling Groups − RDS Databases, S3 Buckets − Elastic Load Balancers − CloudWatch Alarms − Lambda Functions − Logging (CloudTrail, CW Logs) SFSA CloudFormation Resources
- 22. 20+ selectable variables to customize the AWS infrastructure Variables can be immutable based on organizational requirements SFSA CloudFormation Parameters
- 23. SFSA + Customer Governance Model
- 24. Managing SFSA Packages Templates can be kept under version control Establishes baselines for standard AWS configurations Organizationally approved architectures can be stored centrally Mandatory for many third-party security frameworks
- 25. Deployment Options AWS Console CLI Deployment − Deployment scripts included with package AWS Service Catalog − As a Service Catalog “Product”
- 27. CLI Deployment Scripts “cfdeploy” − Optional tool included with package to make deployment from CLI easier − Simpler management of standard parameters cfdeploy --deploy SFSA --yaml-parameters templates/parameters/example_useast1.yaml --template templates/main-webapp-linux.json -- region us-east-1 Launched Stack ID: arn:aws:cloudformation:us-east-1:979676883363:stack/ASFA/e1442430-78f8-11e5-b55e-50d5018a129a
- 28. SFSA Deployment with AWS Service Catalog Standardize deployment Allow push-button build of common architectures based on compliance and use case Provide a self-service model for workload owners
- 29. Allows administrators to create and manage approved catalogs of resources (products) that end users can access via a personalized portal A Service Catalog Product is a deployable CloudFormation template Managed compliance with Service Catalog − Provide a catalog of pre-built, compliant architectures ready to deploy − Enforce resource tagging − Allow workload owners to deploy resources which normally require higher levels of IAM permissions than they are given − Separate Portfolios of Products can be used to segment products by compliance type AWS Service Catalog
- 30. AWS SFSA & Service Catalog
- 31. Get started with SFSA Contact your sales representative/SA AWS Quickstart Deployments (coming soon) Getting Help: − Whitepapers/User Guides/SA Included with the package − FREE 1 day workshop provided by Solutions Architects or Professional Services − SOW-based 2-5 day ProServe customization workshop Professional Services or APN Partner Email: brettmi@amazon.com
- 32. Additional Resources AWS SFSA Quick Start Test Drive − https://s3.amazonaws.com/quickstart-reference/security-compliance/latest/doc/Standard_NIST_800- 53_Architecture_on_the_AWS_Cloud.pdf AWS re:Invent 2015 Videos (SEC312) Reliable Design and Deployment of Security and Compliance https://youtu.be/KtMANvC7_n8 (ISM206) Modern IT Governance Through Transparency and Automation https://youtu.be/YYiV_z9D2CE
- 33. Questions?
Notes de l'éditeur
- SFSA provides AWS customers with pre-built “golden” reference architectures. These are deployable architectures for applications and use cases that have been pre-vetted by AWS and in addition a 3PAO (third party assessment) to be compliant and secure and help ensure customers have a proper starting point for deploying their applications.
- How many heard of shared responsibility model?
- Reality for customers
- What customers ask/need A way to easily automate architectures and configurations on AWS While ensuring compliance and best practices Decreasing deployment time – also making it easier to validate what is being deployed is compliant Ultimately – drive adoption and accelerate customers transition to AWS
- The fundamental part of the SFSA package is a set of structured, reusable CloudFormation templates which have been validated for the specific compliance of the package and are built for the use case. In addition included is user documentation, reference architectures, as well as a security controls mapping to help speed up accreditation as proof for auditors that the architecture deployed is compliant.
- Modular, reusable template design Use cases take advantage of nested templates
- Documentation to make the package easier for customers to get started with
- The SFSA packages include automated templates which can be used for either base architectures – starting points which can be built upon. Or can be used in some cases to deploy configurations for entire applications.
- AWS SFSA, formerly Trusted Architect
- Resources is only required section
- In this example you can optionally just use different base layers of a SFSA deployment. Very often you might have a provisioning team which simply provisions accounts for workload owners or developers and wants to keep the standards and guardrails in place from which the application can be deployed into. This means that at a minimum each workload will meet a certain number of controls and have a baseline level of compliance.