Security Framework Shakedown

Security Framework Shakedown. AWS Initiate Day, Austin, TX

  1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security Framework Shakedown: Chart Your Journey with AWS Best Practices
  2. Objectives • Define a security strategy, deliver a security program and develop robust security operations on AWS • Explain and implement AWS security best practices • Adopt AWS security services at an accelerated pace • Get some code!
  3. Agenda • NAB cloud security journey • Cloud Adoption Framework security perspective • AWS Well-Architected Framework security pillar
  4. National Australia Bank. Our vision: to be Australia's leading bank, trusted by customers for exceptional service • One of Australia's four major banks and largest business bank • More than 30,000 employees and 9 million customers across 900 locations
  5. Our cloud security strategy. Objectives • Extend our existing security services to the cloud • Integrated and secure by default • Continuous security governance
  6. Our cloud security strategy. Objectives • Extend our existing security services to the cloud • Integrated and secure by default • Continuous security governance. Insights • We had to change our approach • Scale with automation and decentralization • Security complements agile
  7. Foundations of continuous compliance (diagram: Baseline Compliance Portfolio, AWS Service Compliance Portfolio, Application Compliance Portfolio; Service A / Service B, API Gateway, Amazon RDS, Amazon EBS; Prod Account / Non-Prod Account; Application Security Assessment, AWS Service Control Review, Security Posture)
  8. AWS Cloud Adoption Framework
  9. CAF security perspective (diagram: Security Perspective: Directive, Preventative, Detective, Responsive)
  10. Core five epics
  11. AWS shared responsibility model
  12. Define a strategy • Identify your workloads moving to AWS • Identify stakeholders
  13. Deliver a security program • Rationalize security requirements • Define data protections and controls • Document security architecture
  14. Security cartography
  15. CAF best practices • Inventory current security requirements • Adopt a security framework • Identify workload security controls • Map current security controls to cloud controls • Create a security RACI • Create a risk register
  16. Robust security operations • Deploy architecture • Automation • Continuous monitoring • Testing and gamedays
  17. Sample security epics journey (diagram: Identity & Access Mgmt, Detective Control, Infrastructure Security, Data Protection, Incident Response laid out across Week 1 to Week 5)
  18. What is the AWS Well-Architected Framework? Pillars, design principles, questions
  19. Pillars of AWS Well-Architected • Security • Reliability • Performance Efficiency • Cost Optimization • Operational Excellence
  20. A mechanism for your cloud journey: Learn, Measure, Improve
  21. Security design principles • Implement a strong identity foundation • Enable traceability • Apply security at all layers • Automate security best practices • Protect data in transit and at rest • Keep people away from data • Prepare for security events
  22. Top best practices: Strong identity foundation • Root account should never be used • Consider AWS Organizations • Set account security questions & contacts • Centralize identities • Continuously audit
  23. Top best practices: Strong identity foundation • Never store credentials or secrets in code • Enforce MFA on everything • Use IAM roles for users and services • Establish least privileged policies • Use temporary credentials
  24. How to: Enforce MFA. User can only assume a role with MFA (diagram: User + MFA token → Role → Permissions in AWS Cloud). http://bit.ly/AWSWALabs
  25. Top best practices: Enable traceability • Consider Amazon GuardDuty • Configure application & infrastructure logging • Centralize using a SIEM • Proactively monitor • Regular reviews of news & best practices
  26. How to: Enable traceability. Use AWS CloudFormation! http://bit.ly/D3T3cT
  27. Top best practices: Network protection • Amazon CloudFront + AWS WAF • Amazon VPC and security groups • Private connectivity: VPC peering, VPN, AWS Direct Connect • Service endpoints • Enforce service-level permission
  28. How to: Network protection (diagram: Users → www.example.com → WAF Automation → Region / VPC / Instances / Bucket). https://amzn.to/2PbHOpz
  29. Top best practices: Apply security at all layers • Harden operating systems & defaults • Use anti-malware + intrusion detection • Scan infrastructure • Scan code • Patch vulnerabilities
  30. How to: Compute protection
  31. How to: Scan vulnerabilities • Scan instances with Amazon Inspector: https://amzn.to/2DT9jyg • Scan code in the pipeline, Dependency Check: http://bit.ly/2SPzUAp • Testing with OWASP ZAP: http://bit.ly/2yWwzqN
  32. How to: Serverless • Authorization and authentication: API Gateway • Enforce boundaries: AWS services & network • Input validation • Protect sensitive data
  33. Top best practices: Automate security best practices • Template infrastructure: AWS CloudFormation / AWS SAM • Automate build and test • AWS Config rules for verification • Automate response to non-compliance • Automate response to events
  34. How to: Automate management • Automation • Patch Manager • State Manager. https://amzn.to/2AaOwSg https://amzn.to/2DSTLdK https://amzn.to/2Qihzxm
  35. How to: Automate checks. Config Rules
  36. Top best practices: Protect data • Encryption mechanisms are enforced • Verify accessibility of data, e.g. Amazon S3 & EBS • Consider AWS Certificate Manager • Consider tokenization to substitute sensitive data • Data segmentation and isolation
  37. How to: Classify your data • Start classifying data based on sensitivity • Use resource tags to help define the policy • Amazon Macie: discover, classify, and protect sensitive data in AWS • IAM control: http://bit.ly/IAMctrlTAG
  38. How to: Keep people away from data • Dashboards for users • Tools for administrators
  39. Top best practices: Incident response • Prepare for different scenarios • Pre-deploy tools using automation • Pre-provision access for response teams • Practice responding through game days • Continuously improve your processes
  40. How to: Run an incident response game day 1. Schedule a four to eight hour block 2. Find a prize (bribery) 3. Supply food & beverages 4. Pick relevant scenarios from https://amzn.to/2PetNro 5. Create a runbook 6. Practice 7. Have fun!
  41. How to: Simple runbook • Event description [Attack type] [Attack description] • Data to gather for troubleshooting [Evaluation of current data] • Steps to troubleshoot and fix [Contain / impact / recovery / forensics] • Urgency category [Critical, important, moderate, informational] • Communications & escalation
  42. Take action! • CAF: aws.amazon.com/professional-services/CAF/ • W-A: aws.amazon.com/well-architected • W-A Labs: http://bit.ly/AWSWALabs • AWS security Twitter: @AWSSecurityInfo • AWS security blog: https://aws.amazon.com/blogs/security/
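As an added example (not from the deck), the "Enforce MFA" practice of slides 23 and 24 expressed as an IAM role trust policy: the weak form that lets a user assume the role with plain access keys, the form conditioned on `aws:MultiFactorAuthPresent`, and a small audit check that flags AssumeRole grants lacking that condition. The account id and user name are placeholders.

```python
import json

# Constructed sample (placeholder account id and user): the role can be
# assumed with long-term access keys alone, which is the weak setting.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
        "Action": "sts:AssumeRole",
    }],
})

# Hardened form: the same trust, but AssumeRole succeeds only when the
# caller's session carries a validated MFA token.
MFA_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})

def _as_list(value):
    # IAM allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def _requires_mfa(statement):
    # Only a strict "Bool" test counts. "BoolIfExists" passes when the key is
    # absent, which is exactly the case for requests made with long-term
    # access keys, so it does not enforce MFA.
    flag = statement.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return flag is not None and str(flag).lower() == "true"

def unguarded_assume_role_statements(policy_json):
    """Return Allow statements granting sts:AssumeRole without an MFA condition."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        if not _requires_mfa(stmt):
            findings.append(stmt)
    return findings
```

Run the check over the trust policies of every role in an account and treat a non-empty result as a finding to review.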
