
Identity Management

Application Access Risk

Cloud Security

IaaS Protection

External Vendor / Customer Management

Data Protection

Security and Governance In AWS

Kelvin Brewer, CISSP, CEH

A Customer Case Study

Denver AWS Meetup

Who’s having access to what?

Fortune 500 Customer’s AWS Landscape and Challenges

Access escalations/creep in J/M/L (joiner/mover/leaver) movements

Privileged usage monitoring difficult due to high volume and velocity

Terminated users having access to AWS objects

Custom AWS resource groupings using tags

150+ AWS Accounts

Mix of federating identities via on-premises AD and local AWS admins

What are the different types of privileged identities on AWS?

Security Themes

Securing IaaS

Privileged Access Management

Identity Lifecycle Management

Visibility/Compliance


Challenge 1: Determining a point-in-time consolidated access view across AWS accounts

Diagram labels (layout lost): Local AWS IAM Users; User; Group; Role Policy; Permissions; AWS Services and Resources; Assume Role (Cross Account); AWS Services and Resources

Identity Mgmt / Reconciliation: Ingest IAM Groups, Roles, Policies; Ingest HR Data

Access Visibility for Local IAM Users: Access Visibility, Access Details

Challenge 2: Access visibility for federated identities

Diagram labels (layout lost): Identity Provider; Federated Group; Federated Role Policy; Enterprise AWS Account; Permissions; AWS Services and Resources; Organizations access visibility; Missed Access Visibility

Identity Mgmt / Reconciliation: Identity Providers; AWS Account 1, AWS Account 2, AWS Account 3, each with Federation AWS Roles

Access Visibility for Federated Identities: Access Visibility, Access Details
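The consolidated view that Challenges 1 and 2 ask for can be built offline from the data a governance ingest pulls per account (IAM users, groups, roles, policies) plus the identity-provider mapping that ties an AD group to the role it federates into. The following is an added example, not code from the talk or from Saviynt; every account ID, ARN, policy and IdP mapping in it is constructed sample data, and it follows cross-account and chained AssumeRole trusts so that the permissions a user or federated group reaches in other accounts show up next to their direct grants.

```python
"""Consolidated point-in-time access view across AWS accounts.

Added example, not code from the talk or from Saviynt. It builds a "who can do
what, in which account" map from IAM-style data that a governance ingest would
normally pull with iam:List*/Get* calls per account. Every account ID, ARN,
policy and IdP mapping below is constructed sample data.
"""
from collections import defaultdict

INVENTORY = {  # constructed: account -> local users, groups, roles
    "111111111111": {
        "users": {
            "alice": {"groups": ["Developers"], "policies": []},
            "bob": {"groups": [], "policies": [
                {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}]},
        },
        "groups": {
            "Developers": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                            "Resource": "arn:aws:s3:::app-logs/*"}],
        },
        "roles": {
            "CorpAdmin": {  # federated role: trusts the SAML provider, not a user
                "trust": ["arn:aws:iam::111111111111:saml-provider/CorpAD"],
                "policies": [{"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}],
            },
        },
    },
    "222222222222": {
        "users": {}, "groups": {},
        "roles": {
            "DataReader": {  # cross-account role: trusts a user and a role in the first account
                "trust": ["arn:aws:iam::111111111111:user/alice",
                          "arn:aws:iam::111111111111:role/CorpAdmin"],
                "policies": [{"Effect": "Allow", "Action": ["rds:Describe*"],
                              "Resource": "*"}],
            },
        },
    },
}

# Constructed IdP configuration: AD group -> AWS role ARNs it federates into.
# This mapping is the link an AWS-only view misses (Challenge 2).
IDP_MAPPINGS = {"AD-CloudAdmins": ["arn:aws:iam::111111111111:role/CorpAdmin"]}


def _statements(policies, account):
    """Flatten policy statements into (account, effect, action, resource) tuples."""
    return {(account, st["Effect"], action, st["Resource"])
            for st in policies for action in st["Action"]}


def _roles_trusting(inventory, principal_arn):
    """Yield (account, name, role) for every role whose trust policy names the principal."""
    for account, data in inventory.items():
        for name, role in data["roles"].items():
            if principal_arn in role["trust"]:
                yield account, name, role


def _expand_role(inventory, account, name, role, seen):
    """Grants of a role plus those of any role it can chain into; `seen` breaks trust cycles."""
    arn = f"arn:aws:iam::{account}:role/{name}"
    if arn in seen:
        return set()
    seen.add(arn)
    grants = _statements(role["policies"], account)
    for acc2, name2, role2 in _roles_trusting(inventory, arn):
        grants |= _expand_role(inventory, acc2, name2, role2, seen)
    return grants


def consolidated_access(inventory, idp_mappings):
    """Map each local user and federated group to its effective grants across all accounts."""
    view = defaultdict(set)
    for account, data in inventory.items():
        for user, spec in data["users"].items():
            key = f"{account}:user/{user}"
            grants = _statements(spec["policies"], account)
            for group in spec["groups"]:
                grants |= _statements(data["groups"][group], account)
            user_arn = f"arn:aws:iam::{account}:user/{user}"
            seen = set()
            for acc2, name2, role2 in _roles_trusting(inventory, user_arn):
                grants |= _expand_role(inventory, acc2, name2, role2, seen)
            view[key] = grants
    for ad_group, role_arns in idp_mappings.items():
        key = f"federated:{ad_group}"
        seen = set()
        for arn in role_arns:
            account, name = arn.split(":")[4], arn.rsplit("/", 1)[1]
            role = inventory[account]["roles"][name]
            view[key] |= _expand_role(inventory, account, name, role, seen)
    return {k: sorted(v) for k, v in view.items()}


if __name__ == "__main__":
    for principal, grants in consolidated_access(INVENTORY, IDP_MAPPINGS).items():
        print(principal)
        for account, effect, action, resource in grants:
            print(f"  {account}  {effect:<5} {action:<14} {resource}")
```

In the constructed data, alice reaches `rds:Describe*` in the second account only through the cross-account trust on `DataReader`, and the AD group reaches it through role chaining from `CorpAdmin`; both appear in one view keyed by principal. Deny statements are carried through as tuples rather than evaluated against Allows, and the federated side assumes the IdP mapping has been exported, which is exactly the data the slide says an AWS-only view lacks.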

Compliance frameworks: IT General Controls, SOX, FedRAMP, HIPAA / HITECH, PCI, ITAR, NERC / CIP & more…, CIS

IaaS & DevOps resources: S3, VPN, Policies, ALB, Elasticsearch, Redshift, DynamoDB, Kinesis, EBS, S3 Objects, EC2, RDS, ELB, CloudFormation, AWS IAM, VPC, Terraform

Diagram labels: Violations, Remediate, RISK

Challenge 3: Point-in-time compliance readiness

Continuously monitors policy violations and suspicious activity

User creates an unencrypted database

User creates a S3 bucket with open internet access

Security Plug-in (webhooks) intercepts event and alerts IaaS Admin

Performs initial analysis for type of security violation

Execute preventive actions by terminating instances, databases, etc.

Send event details to SIEM, Support platforms

Challenge 4: Achieving compliance is hard, staying compliant is harder

Identity Management / Reconciliation: deep integration with AWS services (Amazon CloudWatch Events/Config, Amazon SQS, AWS API)

Real-time framework: events such as leaky S3 buckets, unencrypted databases, user MFA disabled, insecure workloads (ports opened to the Internet, etc.)

Responses: SNS notifications, Lambda-based actions, support tickets, real-time alerting

1. User creates a leaky S3 bucket / disables MFA / opens a port to the Internet

2. Real-time security intercepts the event

3. IGA tool analyses the event against the enterprise security baseline policy

4. IGA takes preventive action: terminate database / execute Lambda / send alerts

Security Themes: Securing IaaS, Privileged Access Management, Identity Lifecycle Management, Visibility/Compliance

Traditional PAM challenges are 10x in Cloud

Scalability, over reliance on gateway-based access model

Longer time to bootstrap / rollout

Additional integration with IGA & SIEM / Security Analytics to realize full value

Rudimentary audit, no preventive risk-awareness

Challenge 5: Privileged Access Management for IaaS

Multiple conduits to consume IaaS services: Management Console, Instances/Workloads, Command Line, Serverless, Cloud databases, APIs, DevOps tools

SEPARATE IGA | THICK SSH CLIENT | JUMPBOX

• Temporal access elevation + privileged ID assignment

• Workload discovery and auto-registration

• SSH key distribution and credential vaulting

• Privileged session manager with inline command management

• Integrated service account lifecycle management

• Intelligent audit with support for keylogging and cloud native logs

SEAMLESS SSO | SOD RISK AWARE | BETTER AUDITABILITY | CLOUD NATIVE

Design Strategies/Patterns


Security Themes: Securing IaaS, Privileged Access Management, Identity Lifecycle Management, Visibility/Compliance

Diagram labels (layout lost): Users; Privileges; AWS Services and Resources; Enterprise AWS Account; Joiner, Mover, Leaver

Challenge 6: Disconnected HR systems, lack of centralized IGA

LCM (lifecycle management) for users/groups/roles, federated access

HR: Joiner, Mover, Leaver

• Intelligent Self-Service / Delegated Access Request

• Preventive policy evaluation including license violation

• Risk-based Access Certification (event-based, periodic)

• Birthright Provisioning

• Role / Group Transport & Management

• Link Federated Access

• Segregation of Duty Management

Maintain Appropriate Access

RISK EVALUATION: Outlier | SOD | Business Policy | License
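The joiner/mover/leaver loop above, with birthright provisioning and segregation-of-duty checks, reduces to a reconciliation between the HR feed and the current AWS group membership. The following is an added example, not code from the talk or from Saviynt; the HR records, group snapshot, birthright table and SoD rule are all constructed. It produces the provisioning actions for each lifecycle event, flags identities that exist in AWS with no HR record (the "terminated users still having access" case from the customer landscape), sends non-birthright access to certification, and evaluates the SoD rule against the access each user would hold after reconciliation.

```python
"""Joiner / Mover / Leaver reconciliation with birthright and SoD evaluation.

Added example, not code from the talk or from Saviynt. It assumes an HR feed
keyed by user with status and department, and a snapshot of AWS group
membership keyed the same way; all data below is constructed.
"""

BIRTHRIGHT = {  # constructed: department -> groups every member gets automatically
    "Engineering": {"Developers"},
    "Finance": {"BillingViewers"},
}
SOD_RULES = [  # constructed: a user holding every group in the set is a violation
    (frozenset({"Developers", "ProdDeployers"}), "developer must not also hold prod deploy rights"),
]
HR_FEED = {  # constructed HR records
    "alice": {"status": "active", "department": "Engineering"},
    "bob": {"status": "active", "department": "Finance"},       # moved from Engineering
    "carol": {"status": "terminated", "department": "Engineering"},
    "dave": {"status": "active", "department": "Engineering"},  # new joiner, no AWS identity yet
}
CURRENT_GROUPS = {  # constructed snapshot of AWS group membership
    "alice": {"Developers", "ProdDeployers"},
    "bob": {"Developers", "BillingViewers"},
    "carol": {"Developers"},
    "erin": {"Developers"},  # present in AWS, absent from HR
}


def reconcile(hr_feed, current_groups, birthright=BIRTHRIGHT, sod_rules=SOD_RULES):
    """Return (actions, certify, violations) for one reconciliation run.

    actions    : (kind, user, groups) tuples for the provisioning layer
    certify    : (user, non-birthright groups) that need a risk-based certification
    violations : (user, reason) for SoD rules that hold on post-reconciliation access
    """
    all_birthright = set().union(*birthright.values())
    actions, certify, effective = [], [], {}

    for user, rec in hr_feed.items():
        have = set(current_groups.get(user, ()))
        if rec["status"] != "active":                       # leaver
            if user in current_groups:
                actions.append(("leaver_disable", user, sorted(have)))
            continue
        want = set(birthright.get(rec["department"], ()))
        if user not in current_groups:                      # joiner
            actions.append(("joiner_provision", user, sorted(want)))
            effective[user] = want
            continue
        stale = (have & all_birthright) - want              # mover: other departments' birthright
        missing = want - have
        if stale:
            actions.append(("mover_revoke", user, sorted(stale)))
        if missing:
            actions.append(("mover_grant", user, sorted(missing)))
        extra = have - all_birthright                       # requested access: certify, don't revoke
        if extra:
            certify.append((user, sorted(extra)))
        effective[user] = (have - stale) | want

    for user in sorted(set(current_groups) - set(hr_feed)):  # no HR record at all
        actions.append(("orphan_review", user, sorted(current_groups[user])))

    violations = [(user, reason) for user, groups in effective.items()
                  for combo, reason in sod_rules if combo <= groups]
    return actions, certify, violations


if __name__ == "__main__":
    acts, to_certify, sod = reconcile(HR_FEED, CURRENT_GROUPS)
    for a in acts:
        print("action   :", a)
    for c in to_certify:
        print("certify  :", c)
    for v in sod:
        print("violation:", v)
```

On the constructed data bob loses the Developers group he kept after moving to Finance, carol is disabled, dave is provisioned with his birthright group, erin is routed to an orphan review, and alice keeps ProdDeployers pending certification but is reported as an SoD violation. Revoking only birthright groups on a move and sending everything else to certification is a deliberate choice: it stops the access creep the landscape slide describes without silently removing access someone may have legitimately requested.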

AWS Security and Governance Summed Up

Implement Identity Governance to:

• Understand point-in-time access of local AWS users

• Understand detailed role and fine-grained access of federated users

• Maintain point-in-time compliance readiness

• Maintain continuous compliance

• Address privileged access across interfaces

• Maintain continual appropriate access

Identity Management

Application Access Risk

Cloud Security

IaaS Protection

External Vendor / Customer Management

Data Protection

Questions? Or even… suggestions?

Email – [email protected] – www.saviynt.com