How leading financial institutions use AWS security...
TRANSCRIPT
Re:Inventing Security Landscape
Eugene Yu, Global Security, Risk and Compliance, AWS Professional Services
Time : 02:20 – 03:00
Cloud focuses on differentiation
Reasons Cloud Computing is Gaining Traction in FinServ
Lower the time spent on infrastructure
Dedicate more resources to innovation
Concentrate on new business initiatives
Cloud Security: What’s different & what’s the same?
Security is a shared responsibility
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Customer content
Accreditation & Compliance, Old and New
Old world
• Functionally optional (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Must maintain talent and keep pace
• Check typically once a year
• Workload-specific compliance checks
New world
• Functionally necessary – high watermark of requirements
• Audits done by third party experts
• Accountable to everyone
• Superior security drives broad compliance
• Continuous monitoring
• Compliance approach based on all workload scenarios
Move Fast OR Stay Secure & Compliant?
Move Fast AND Stay Secure & Compliant
Making life easier
Choosing security does not mean giving up on convenience or introducing complexity
Strengthen your security posture
Get native functionality and tools at no additional charge
Over 30 global compliance certifications and accreditations
Leverage security enhancements gleaned from 1M+ customer experiences
Benefit from AWS industry leading security teams 24/7, 365 days a year
Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
Access a deep set of cloud security tools
• Encryption: Key Management Service, CloudHSM, Server-side Encryption
• Networking: Virtual Private Cloud, Web Application Firewall
• Compliance: Config, CloudTrail, Service Catalog
• Identity: IAM, Active Directory Integration, SAML Federation
Evolving the Practice of Security Architecture
Current Security Architecture Practice
• Security architecture as a separate function can no longer exist
• Static position papers, architecture diagrams & documents
• UI-dependent consoles and “pane of glass” technologies
• Auditing, assurance, and compliance are decoupled, separate processes
Evolved Security Architecture Practice
• Security architecture can now be part of the ‘maker’ team
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop
Leveraged by FSI & Enterprises Worldwide
Cloud Security Design Patterns
Access rights just-in-time
Identity and Access Management + Security Token Service
AWS IAM enables you to securely control access to AWS services and resources
• Control who can do what and when from where
• Fine grained control of user permissions, resources and actions
• Add multi factor authentication
• Hardware token or smartphone apps
• Test out new policies using the IAM policy simulator
Fine-grained control of your AWS environment
Segregate duties between roles with IAM
[Diagram: a Region containing VPC A (10.0.0.0/16) with Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 in two Availability Zones, a Router, an Internet Gateway to the Internet, and a Customer Gateway]
Choose who can do what in your AWS environment and from where
[Diagram: the AWS account owner (master) delegating to separate roles for network management, security management, server management and storage management]
Manage and operate
Consolidated Logging: AWS CloudTrail + Amazon S3 + Amazon Glacier + Amazon CloudWatch Events
AWS CloudTrail logs for many powerful use cases
CloudTrail achieves many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
Consolidated Logging: Log flow
[Diagram: AWS CloudTrail writes raw logs to Amazon S3 (access controlled by bucket permissions); Amazon EC2 instances parse them in Amazon EMR and upload to Amazon Redshift; analyze with standard BI tools; archive to Amazon Glacier]
Ubiquitous Encryption
Encrypted end to end!
Key management options: AWS CloudHSM, AWS KMS, or DIY
Services covered: Glacier, S3, EBS, RDS, Redshift, CloudTrail
Ubiquitous Encryption: AWS KMS + AWS CloudTrail + AWS IAM for EBS, RDS and S3
• Encrypted in transit
• Encrypted at rest
• Fully auditable
• Fully managed keys
• Restricted access
Non-Persistent & Elastic: AWS Elastic Compute Cloud + Amazon Auto-scaling Groups
Network Architecture Agility: Amazon VPC + Security Group + AWS Direct Connect
You can also connect privately using AWS Direct Connect
[Diagram: Availability Zone A with EC2 web instances, a NAT instance and an EC2 jump host behind the VPC Router; a Virtual Private Gateway linked over Direct Connect to the Customer Gateway on your premises]
Monitor and React: AWS CloudWatch + AWS Lambda
Enforcing Encryption with CloudWatch Events
[Diagram: CloudWatch Event → Lambda checks if the EC2 or RDS instance is encrypted → Not Encrypted → SNS notification and enforcement / remediation actions]
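The enforcement flow above, as an added Python example that is not code from the original deck: a Lambda-style handler receives the CloudTrail RunInstances event via CloudWatch Events, checks the EBS volumes of each new instance, and stops and reports any instance that has an unencrypted volume. The EC2 client and the notifier are injected so it runs offline; FakeEC2, the instance and volume IDs and the message text are constructed assumptions.

```python
# Added example (not from the original deck): the "Monitor and React" flow as a
# Lambda-style handler. CloudWatch Events forwards the CloudTrail RunInstances
# event; each new instance's EBS volumes are checked and unencrypted ones trigger
# stop + notify. Clients are injected so it runs offline against FakeEC2 (constructed).

def instance_ids_from_event(event):
    """Instance IDs from a CloudTrail RunInstances event wrapped by CloudWatch Events."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "RunInstances":
        return []
    items = detail.get("responseElements", {}).get("instancesSet", {}).get("items", [])
    return [item["instanceId"] for item in items]

def unencrypted_volumes(ec2, instance_id):
    """IDs of volumes attached to the instance whose Encrypted flag is not True."""
    resp = ec2.describe_volumes(
        Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}])
    return [v["VolumeId"] for v in resp["Volumes"] if not v.get("Encrypted", False)]

def handler(event, ec2, notify):
    """Enforcement: stop and report every launched instance that has an unencrypted volume."""
    actions = []
    for iid in instance_ids_from_event(event):
        bad = unencrypted_volumes(ec2, iid)
        if not bad:
            continue                      # fully encrypted: nothing to remediate
        ec2.stop_instances(InstanceIds=[iid])
        notify(f"{iid} stopped; unencrypted volumes: {', '.join(bad)}")  # e.g. sns.publish
        actions.append({"instance": iid, "volumes": bad, "action": "stopped"})
    return actions

class FakeEC2:
    """Minimal stand-in for the boto3 EC2 client, backed by a constructed volume table."""
    def __init__(self, volumes):
        self.volumes, self.stopped = volumes, []
    def describe_volumes(self, Filters):
        iid = Filters[0]["Values"][0]
        return {"Volumes": [v for v in self.volumes if v["InstanceId"] == iid]}
    def stop_instances(self, InstanceIds):
        self.stopped.extend(InstanceIds)

# Constructed sample: i-aaa has one unencrypted volume, i-bbb is fully encrypted.
SAMPLE_EVENT = {"detail": {"eventName": "RunInstances", "responseElements": {
    "instancesSet": {"items": [{"instanceId": "i-aaa"}, {"instanceId": "i-bbb"}]}}}}
SAMPLE_VOLUMES = [{"VolumeId": "vol-1", "InstanceId": "i-aaa", "Encrypted": False},
                  {"VolumeId": "vol-2", "InstanceId": "i-aaa", "Encrypted": True},
                  {"VolumeId": "vol-3", "InstanceId": "i-bbb", "Encrypted": True}]
```

In a real deployment `ec2` is `boto3.client("ec2")` and `notify` wraps `sns.publish` for the topic the slide shows; the filter name `attachment.instance-id` is the real EC2 DescribeVolumes filter.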
Log-in anomaly event – Detect
CloudWatch Logs metric filter (as a CloudFormation resource) that counts ConsoleLogin events coming from outside the 55.55.* address range:
"ConsoleSignInAnomalyMetricFilter": {
  "Type": "AWS::Logs::MetricFilter",
  "Properties": {
    "LogGroupName": { "Ref": "LogGroupName" },
    "FilterPattern": "{ ($.eventName = ConsoleLogin) && ($.sourceIPAddress != 55.55.*) }",
    "MetricTransformations": [
      {
        "MetricNamespace": "CloudTrailMetrics",
        "MetricName": "ConsoleSignInAnomalyCount",
        "MetricValue": "1"
      }
    ]
  }
},
Log-in anomaly event – Recover
Add null IAM policy to the user (Deny all permissions):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["*"],
      "Resource": ["*"]
    }
  ]
}
Log-in anomaly event – Investigate
Look in CloudTrail – Determine what events happened after the ConsoleLogin.
Log-in anomaly event – Protect
Add Condition statements to IAM policies so that access is only allowed from the trusted address range:
"Condition": {
  "IpAddress": {
    "aws:SourceIp": ["55.55.0.0/16"]
  }
}
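The Detect, Investigate and Recover steps above, carried through over constructed CloudTrail records as an added Python example (not code from the original deck): detection applies the same condition as the metric filter, investigation lists what the flagged user did after the ConsoleLogin, and recovery produces the deny-all document to attach to the user. The records, user names, times and IP addresses are constructed; the 55.55.0.0/16 range is the one on the slides.

```python
# Added example (not from the original deck): the Detect, Investigate and Recover
# steps over constructed CloudTrail records. Detection mirrors the metric filter
# (ConsoleLogin from outside 55.55.*); investigation lists what that user did after
# the login; recovery builds the deny-all document to attach with IAM put_user_policy.
import ipaddress, json

TRUSTED = ipaddress.ip_network("55.55.0.0/16")   # the address range used on the slides

def is_anomalous_login(rec):
    """Same condition as the metric filter: a ConsoleLogin from an IP outside TRUSTED."""
    if rec.get("eventName") != "ConsoleLogin":
        return False
    try:
        return ipaddress.ip_address(rec["sourceIPAddress"]) not in TRUSTED
    except ValueError:            # not an IP literal (e.g. "AWS Internal"): treat as anomalous
        return True

def user_of(rec):
    return rec.get("userIdentity", {}).get("userName")

def events_after_login(records, login):
    """Investigate: API calls made by the same user after the flagged login, in time order."""
    user = user_of(login)
    return [r["eventName"] for r in sorted(records, key=lambda r: r["eventTime"])
            if r["eventTime"] > login["eventTime"] and user_of(r) == user]

def deny_all_policy():
    """Recover: the 'null' policy shown on the slide, serialized for put_user_policy."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Deny", "Action": ["*"], "Resource": ["*"]}]})

def triage(records):
    """Detect + investigate over a batch of records; one finding per anomalous login."""
    findings = []
    for rec in records:
        if is_anomalous_login(rec):
            findings.append({"user": user_of(rec), "sourceIp": rec["sourceIPAddress"],
                             "after_login": events_after_login(records, rec),
                             "recover_policy": deny_all_policy()})
    return findings

SAMPLE = [  # constructed records using CloudTrail's field names
    {"eventTime": "2016-05-17T09:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "55.55.1.10", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2016-05-17T09:05:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"}},
    {"eventTime": "2016-05-17T09:06:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "bob"}},
    {"eventTime": "2016-05-17T09:07:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "55.55.1.10", "userIdentity": {"userName": "alice"}},
]
```

`triage(SAMPLE)` flags only bob's login; the deny-all document in each finding is what the Recover step attaches to that user while the Investigate list is reviewed.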
Standardized Environments & Security as Code: AWS CloudFormation + AWS SDK
Security Control Matrix
• Security Control Responsibility Matrix (CRM)
Standardized Architecture
What you do in any IT environment
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Golden OS images
• Encryption algorithms for data in transit and at rest
Security Translation to AWS: AWS JSON translation
• Golden OS
• Network ACLs, subnets, firewall rules