www.cloudsec.com/tw | #CLOUDSEC
Control Security by Design
Harry Lin 林書平, Solutions Architect
Amazon Web Services
What to Expect From This Session
• Learn approaches to compliance that are enabled, and improved, by modern cloud technology
• Embrace core security design and operational principles that address regulatory requirements as a result
• Learn how to use AWS security services to build an automated compliance environment
Why is security such a hot topic?
Because it's important, and it's hard.
(diagram: Technology vs. Control/Compliance)
2016 for IT/Developers
(photo: https://www.flickr.com/photos/via/)
2016 for Auditors and Security Teams
(photo: https://www.flickr.com/photos/anniemole/)
Incentives and Perspectives
IT/Developers:
• Incentives: speed; features
• Want: freedom to innovate; new technology
Security:
• Incentives: compliance with regulatory obligations; verifiable processes
• Want: well-known technology; predictability and stability
Who Cares About These Answers?
• When did that configuration/code change?
• Who made the change?
• Who logged in to that host?
• What did they do?
• Who pushed that code?
• Was that build tested before deployment?
• What were the test results?
• What are the monitoring and recovery mechanisms?
Two Approaches
(photos: https://www.flickr.com/photos/sp8254/ and https://www.flickr.com/photos/29853404@N03/)
AWS Security By Design
Security requirements: implement the necessary controls from the design phase.
Security by Design – SbD
• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing
• Provides control insights throughout the IT management process
Services: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
SbD – Scripting your governance policy
• A set of CloudFormation templates that accelerate compliance with PCI, HIPAA, FFIEC, FISMA and CJIS
• Result: a reliable technical implementation of administrative controls
AWS SbD Advantages
IT/Developer benefits:
• Trade capital expense for variable expense
• Benefit from massive economies of scale
• Stop guessing capacity
• Increase speed and agility
• Stop spending money on data centers
• Go global in minutes
Security benefits:
• Designed for security and quality
• Constantly monitored
• Highly automated
• Highly available
• Highly accredited
• Repeatable with the same quality
Accreditations: ISO 9001:2008, ISO 27001:2013, ISO 27017:2015, ISO 27018:2014
Three Lines of Defense – Objective
1st Line of Defense – Operations. Objective:
• Risk management operations
• Owns and manages risks
2nd Line of Defense – Supervisory. Objective:
• Control (compliance and risk)
• Establishes a supervisory framework to monitor and validate controls
3rd Line of Defense – Evaluation. Objective:
• Evaluates the program
• Tests the effectiveness of controls and monitoring programs (auditing)
Three Lines of Defense – AWS Services
AWS applicable services (across the three lines): Amazon VPC, AWS CloudTrail, AWS IAM, AWS KMS, Amazon CloudWatch, IAM permissions, AWS CloudFormation, AWS Config, AWS Config Rules, AWS Service Catalog, Amazon Inspector, Amazon S3
1st Line of Defense – Operations
Deep Security
1st Line of Defense – Configuration Management
CloudFormation: Infrastructure as Code
Describe almost any AWS resource and have it automatically provisioned as a set of resources with a single API call (API-driven security).
• Template: a JSON-formatted file describing the resources to be created. Treat it as source code and put it in your repository.
• AWS CloudFormation Engine: the AWS service component that processes a CloudFormation template into stacks.
• Stack: a collection of resources created by AWS CloudFormation; API calls to Create, Update, and Delete.
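Treating the template as source code is what makes the "controls from the design phase" idea concrete: the same repository that holds the template can run a guardrail over it before anyone calls CreateStack. The script below is an added example, not code from this talk or from AWS. It builds a small JSON template in Python (logical names such as DataKey, AppInstance and the two parameters are invented) and lints it for two of the controls the talk lists later under AWS Config managed rules: EBS volumes must be encrypted with a KMS key, and EC2 instances must be launched inside a VPC. The lint rules are this example's own, not an AWS API.

```python
"""Design-phase guardrail for a CloudFormation template (added example, not the talk's code).

Builds a JSON template in Python and lints it for two controls before CreateStack:
EBS volumes encrypted with a KMS key, and EC2 instances launched inside a VPC.
Logical names (DataKey, AppInstance, ...) and parameters are invented for illustration.
"""
import json


def build_template(encrypt_volumes=True, in_vpc=True):
    """Return a CloudFormation template as a dict; the flags let us produce a weak variant."""
    instance = {
        "Type": "AWS::EC2::Instance",
        "Properties": {
            "ImageId": {"Ref": "AmiId"},
            "InstanceType": "t2.micro",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda",
                 "Ebs": {"VolumeSize": 8, "VolumeType": "gp2", "Encrypted": encrypt_volumes}}
            ],
        },
    }
    if in_vpc:  # without SubnetId the instance is not pinned to a VPC subnet, which the rule forbids
        instance["Properties"]["SubnetId"] = {"Ref": "PrivateSubnetId"}

    volume = {
        "Type": "AWS::EC2::Volume",
        "Properties": {
            "Size": 20,
            "AvailabilityZone": {"Fn::GetAtt": ["AppInstance", "AvailabilityZone"]},
            "Encrypted": encrypt_volumes,
        },
    }
    if encrypt_volumes:  # encrypted volumes must name the customer master key they use
        volume["Properties"]["KmsKeyId"] = {"Ref": "DataKey"}

    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "App instance with KMS-encrypted data volume (constructed example)",
        "Parameters": {
            "AmiId": {"Type": "AWS::EC2::Image::Id"},
            "PrivateSubnetId": {"Type": "AWS::EC2::Subnet::Id"},
        },
        "Resources": {
            "DataKey": {
                "Type": "AWS::KMS::Key",
                "Properties": {
                    "Description": "CMK for the data volume",
                    "KeyPolicy": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Sid": "AccountRootAdmin",
                            "Effect": "Allow",
                            "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}},
                            "Action": "kms:*",
                            "Resource": "*",
                        }],
                    },
                },
            },
            "AppInstance": instance,
            "DataVolume": volume,
            "DataAttachment": {
                "Type": "AWS::EC2::VolumeAttachment",
                "Properties": {"Device": "/dev/xvdf",
                               "InstanceId": {"Ref": "AppInstance"},
                               "VolumeId": {"Ref": "DataVolume"}},
            },
        },
    }


def lint_template(template):
    """Return a list of findings; an empty list means the template passes the guardrail."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::Volume":
            if props.get("Encrypted") is not True:
                findings.append(f"{name}: EBS volume must set Encrypted: true")
            elif "KmsKeyId" not in props:
                findings.append(f"{name}: encrypted volume must reference a KmsKeyId")
        elif rtype == "AWS::EC2::Instance":
            if "SubnetId" not in props:
                findings.append(f"{name}: instance must be launched into a VPC subnet (SubnetId)")
            for bdm in props.get("BlockDeviceMappings", []):
                if bdm.get("Ebs") and bdm["Ebs"].get("Encrypted") is not True:
                    findings.append(f"{name}: block device {bdm.get('DeviceName')} must be encrypted")
    return findings


def render(template):
    """Serialise to the JSON form CloudFormation accepts; this is what goes into the repository."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    good, weak = build_template(), build_template(encrypt_volumes=False, in_vpc=False)
    print("compliant template findings:", lint_template(good))   # []
    print("weak template findings:", *lint_template(weak), sep="\n  ")
    print(render(good)[:300], "...")
```

Run the lint in the repository's pre-merge check and fail the build on any finding; the template then carries the control into every stack launched from it, and the matching AWS Config rule later confirms that nobody changed the resource out of band.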
Configuration Management in AWS
Flow: the admin defines a CloudFormation template -> publishes it to AWS Service Catalog -> users browse and launch -> AWS Service Catalog provisions a CloudFormation stack.
2nd Line of Defense – Configuration Monitoring
AWS Config
• AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
Config Rules
• Set up rules to check the configuration changes recorded
• Use pre-built rules provided by AWS
• Invoked automatically for continuous assessment
• Use the dashboard for visualizing compliance and identifying offending changes
AWS Config & Config Rules (flow): changing resources -> Record -> Normalize -> Store (history) -> Deliver (stream; snapshot, e.g. 2014-11-05) -> Rules and APIs
AWS Managed Rules
• All EC2 instances must be inside a VPC.
• All attached EBS volumes must be encrypted, with a KMS key ID.
• CloudTrail must be enabled, optionally with S3 bucket, SNS topic and CloudWatch Logs.
• All security groups in attached state should not have unrestricted access to port 22.
• All EIPs allocated for use in the VPC are attached to instances.
• All resources being monitored must be tagged with specified tag keys:values.
• All security groups in attached state should not have unrestricted access to these specific ports.
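The managed rules cover the common cases; when a rule is missing you write a custom one as a Lambda function that AWS Config invokes with the changed configuration item and that reports COMPLIANT or NON_COMPLIANT back with PutEvaluations. The block below is an added example, not code from this talk or AWS's managed rule, implementing the last two rules above (no unrestricted access to port 22, or to a configurable list of ports) over a configuration item. It assumes the configuration item shape for AWS::EC2::SecurityGroup as seen in Config (an `ipPermissions` list with `ipProtocol`, `fromPort`, `toPort` and CIDR lists), handles both the older `ipRanges` list of strings and the `ipv4Ranges`/`ipv6Ranges` objects, and returns the evaluation instead of calling the Config API so it runs offline; the sample items, resource ids and `sample_event` helper are constructed. Unlike the managed rule it does not restrict itself to groups in the attached state.

```python
"""Custom AWS Config rule: no unrestricted ingress on blocked ports (added example, not AWS code).

Evaluates an AWS::EC2::SecurityGroup configuration item and builds the evaluation that a
Lambda-backed rule would hand to config.put_evaluations(). The configuration item shape
and the two sample items are constructed for illustration.
"""
import json

UNRESTRICTED = {"0.0.0.0/0", "::/0"}


def _cidrs(perm):
    """Collect every CIDR in one ipPermissions entry across the shapes Config has used."""
    cidrs = set()
    for r in perm.get("ipRanges", []):       # older shape: list of CIDR strings
        cidrs.add(r if isinstance(r, str) else r.get("cidrIp"))
    for r in perm.get("ipv4Ranges", []):     # newer shape: [{"cidrIp": ...}]
        cidrs.add(r.get("cidrIp"))
    for r in perm.get("ipv6Ranges", []):     # [{"cidrIpv6": ...}]
        cidrs.add(r.get("cidrIpv6"))
    return cidrs


def _covers_port(perm, port):
    """True if this permission entry allows traffic to the given TCP/UDP port."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                         # all protocols, all ports
        return True
    if proto in ("icmp", "icmpv6"):           # fromPort/toPort are ICMP type/code here
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def evaluate_security_group(configuration_item, blocked_ports=(22,)):
    """Return (compliance type, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    config = configuration_item.get("configuration") or {}
    for perm in config.get("ipPermissions", []):
        open_cidrs = _cidrs(perm) & UNRESTRICTED
        if not open_cidrs:
            continue
        for port in blocked_ports:
            if _covers_port(perm, port):
                return "NON_COMPLIANT", f"port {port} open to {','.join(sorted(open_cidrs))}"
    return "COMPLIANT", "no blocked port is open to the world"


def lambda_handler(event, context=None):
    """Entry point Config would invoke; returns the evaluation instead of calling PutEvaluations."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    ports = tuple(int(p) for p in params.get("blockedPorts", "22").split(","))
    compliance, annotation = evaluate_security_group(item, ports)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # Inside Lambda the last step is:
    # boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _item(resource_id, permissions):
    """Constructed AWS::EC2::SecurityGroup configuration item."""
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": resource_id,
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2016-05-10T08:12:50.000Z",
            "configuration": {"groupId": resource_id, "ipPermissions": permissions}}

# Constructed samples: SSH open to the world, and SSH internal-only with HTTPS public.
SG_OPEN_SSH = _item("sg-0a1b2c3d", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}])
SG_INTERNAL_SSH = _item("sg-4e5f6a7b", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}])
SG_ALL_TRAFFIC_V6 = _item("sg-8c9d0e1f", [
    {"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]}])


def sample_event(configuration_item, blocked_ports="22"):
    """Constructed Config invocation event wrapping a configuration item."""
    return {"invokingEvent": json.dumps({"configurationItem": configuration_item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps({"blockedPorts": blocked_ports}),
            "resultToken": "constructed-token", "eventLeftScope": False}


if __name__ == "__main__":
    for item in (SG_OPEN_SSH, SG_INTERNAL_SSH, SG_ALL_TRAFFIC_V6):
        print(item["resourceId"], lambda_handler(sample_event(item, "22,3389"))["ComplianceType"])
```

The rule is only as good as the recorder feeding it: AWS Config must be recording AWS::EC2::SecurityGroup in every region you use, and the evaluation is attached to the resource id, so the dashboard shows which group went non-compliant and the configuration history shows which change did it.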
Configuration Alarm
Flow: the admin defines a CloudFormation template -> publishes it to AWS Service Catalog -> users browse and launch -> AWS Service Catalog provisions a CloudFormation stack. AWS Config tracks changes to the provisioned resources, and AWS Config rules notify on changes.
3rd Line of Defense – Configuration Testing
AWS CloudTrail: you are making API calls on a growing set of services around the world; AWS CloudTrail is continuously recording those API calls and delivering log files to you.
Use Cases Enabled by CloudTrail
• Security analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
• Track changes to AWS resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes
• Troubleshoot operational issues: identify the most recent actions made to resources in your AWS account
• Compliance aid: easier to demonstrate compliance with internal policies and regulatory standards
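The first two use cases answer the "when did that change, and who made it?" questions from earlier in the session directly from the log files. The block below is an added example, not code from this talk or from AWS: it parses a CloudTrail log file (the gzipped JSON with a top-level `Records` array that CloudTrail delivers to S3), reconstructs the change history of one security group, and flags any AuthorizeSecurityGroupIngress call that opened a port to the world. The three records are constructed (account id, ARNs, IP addresses and group id are made up); their field names follow CloudTrail's record format and the EC2 `items` wrapping of request parameters as best recalled here.

```python
"""Answering "who changed that, and when?" from CloudTrail log files (added example, not the talk's code).

The records below are constructed to illustrate the shape of a CloudTrail log file;
account id, ARNs, source IPs and the security group id are invented.
"""
import gzip
import json


def _record(time, name, who, ip, params):
    return {"eventVersion": "1.05", "eventTime": time, "eventSource": "ec2.amazonaws.com",
            "eventName": name, "awsRegion": "ap-northeast-1", "sourceIPAddress": ip,
            "userIdentity": {"arn": who}, "requestParameters": params}


def _ingress(group_id, lo, hi, cidr):
    return {"groupId": group_id, "ipPermissions": {"items": [
        {"ipProtocol": "tcp", "fromPort": lo, "toPort": hi,
         "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}

# Constructed log file: alice opens SSH to the world, a SecOps role revokes it, then a read-only call.
SAMPLE_LOG = json.dumps({"Records": [
    _record("2016-05-10T08:12:43Z", "AuthorizeSecurityGroupIngress",
            "arn:aws:iam::123456789012:user/alice", "203.0.113.25",
            _ingress("sg-0a1b2c3d", 22, 22, "0.0.0.0/0")),
    _record("2016-05-10T09:01:02Z", "RevokeSecurityGroupIngress",
            "arn:aws:sts::123456789012:assumed-role/SecOps/bob", "198.51.100.7",
            _ingress("sg-0a1b2c3d", 22, 22, "0.0.0.0/0")),
    _record("2016-05-10T09:30:00Z", "DescribeSecurityGroups",
            "arn:aws:iam::123456789012:user/alice", "203.0.113.25",
            {"securityGroupIdSet": {"items": [{"groupId": "sg-0a1b2c3d"}]}}),
]}).encode()


def load_records(blob):
    """Parse one CloudTrail log file; accepts the gzip form delivered to S3 or plain JSON."""
    if blob[:2] == b"\x1f\x8b":
        blob = gzip.decompress(blob)
    return json.loads(blob)["Records"]


def is_mutating(event_name):
    """Read-only API families that never change a resource; everything else counts as a change."""
    return not event_name.startswith(("Describe", "List", "Get"))


def _mentions(obj, value):
    """True if the exact string `value` appears anywhere inside a nested request-parameters structure."""
    if isinstance(obj, dict):
        return any(_mentions(v, value) for v in obj.values())
    if isinstance(obj, list):
        return any(_mentions(v, value) for v in obj)
    return obj == value


def changes_to_resource(records, resource_id):
    """Change history for one resource id, oldest first: when, who, what, from where."""
    hits = [{"when": r["eventTime"], "who": r["userIdentity"].get("arn"),
             "what": r["eventName"], "from": r.get("sourceIPAddress")}
            for r in records
            if is_mutating(r["eventName"]) and _mentions(r.get("requestParameters", {}), resource_id)]
    return sorted(hits, key=lambda h: h["when"])


def world_open_ingress(records):
    """Security analysis: flag ingress authorizations that open a port range to 0.0.0.0/0 or ::/0."""
    findings = []
    for r in records:
        if r.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = r.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            cidrs = [x.get("cidrIp") for x in perm.get("ipRanges", {}).get("items", [])]
            cidrs += [x.get("cidrIpv6") for x in perm.get("ipv6Ranges", {}).get("items", [])]
            if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                findings.append({"group": params.get("groupId"),
                                 "ports": (perm.get("fromPort"), perm.get("toPort")),
                                 "by": r["userIdentity"].get("arn"), "when": r["eventTime"]})
    return findings


if __name__ == "__main__":
    recs = load_records(gzip.compress(SAMPLE_LOG))   # same result as the plain JSON form
    for h in changes_to_resource(recs, "sg-0a1b2c3d"):
        print(f'{h["when"]} {h["who"]} {h["what"]} from {h["from"]}')
    print("world-open ingress:", world_open_ingress(recs))
```

Two caveats a practitioner will hit: CloudTrail records the caller's identity as AWS sees it (an assumed-role ARN tells you the role and session name, not the human behind it unless your federation puts that in the session name), and it records API calls only, so "who logged in to that host?" still needs OS-level logging such as SSH auth logs shipped to CloudWatch Logs.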
Configuration Log Testing
Flow: the admin defines a CloudFormation template -> publishes it to AWS Service Catalog -> users browse and launch -> AWS Service Catalog provisions a CloudFormation stack. AWS Config captures resource changes and AWS Config rules notify on changes; AWS CloudTrail captures all API interaction and delivers the logs to Amazon S3.
Move Fast OR Control Securely?
Move Fast AND Control Securely.