mission (not) impossible: nist 800-53 high impact controls on aws | aws public sector summit 2016
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bryan Webster, Principal Architect, Trend Micro
Brett Miller, Professional Services Consultant, AWS
June 20, 2016
Mission (Not) Impossible: NIST 800-53 high impact controls on AWS
Why we’re here today
• Learn how to implement NIST SP 800-53 (rev 4) High Impact security controls with AWS & partner technology
• Provide reusable building blocks and sample code
• Demonstrate automated deployment and integration of multiple technologies
Mission: Impossible → Possible
What are the challenges of achieving NIST high impact security controls on AWS?
AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls ON the Cloud:
• Customer applications & content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption
Enterprise Accelerator for NIST SP 800-53 (rev 4)
Works in AWS GovCloud (US) & commercial AWS regions
Leveraging AWS services for NIST controls
AWS Identity & Access Management (IAM)
What is configured? Base security, IAM and access configuration for the AWS account
Why?
• Manage user access
• Programmatically implement controls for machines, roles, groups, data access
Control Families
• Access Control
• Audit & Accountability
• Configuration Management
• Contingency Planning
• Identification & Authentication
• System & Communications Protection
• System & Information Integrity
(Demo screenshot: CloudFormation stack events, CREATE_IN_PROGRESS → CREATE_COMPLETE)
AWS CloudTrail
What is configured? Define S3 bucket, versioning enabled, capture all events
Why?
• Automated audit of infrastructure and change management
Control Families
• Access Control
• Audit & Accountability
• Configuration Management
(Demo screenshot: CloudFormation stack events, CREATE_IN_PROGRESS → CREATE_COMPLETE)
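The CloudTrail slide lists three settings (a dedicated S3 bucket, versioning enabled, all events captured). The following is an added example, not code from the Quick Start or from the presenters: a small CloudFormation template expressed as a Python dict, with the real `AWS::S3::Bucket`, `AWS::S3::BucketPolicy` and `AWS::CloudTrail::Trail` property names, plus an `audit_cloudtrail` function that checks a template for those settings before it is deployed. It goes one step beyond the slide by also requiring log-file validation, which protects the audit record after it is written. Logical resource names (`TrailBucket`, `AccountTrail`) and the bucket policy statement IDs are assumptions for this example.

```python
import copy
import json

# Constructed example template (not the Quick Start's own code): bucket with versioning,
# a bucket policy that lets CloudTrail write, and a multi-region trail.
CLOUDTRAIL_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Illustrative CloudTrail baseline (example, not the Quick Start template)",
    "Resources": {
        "TrailBucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",  # keep the audit record even if the stack is deleted
            "Properties": {"VersioningConfiguration": {"Status": "Enabled"}},
        },
        "TrailBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "TrailBucket"},
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
                         "Principal": {"Service": "cloudtrail.amazonaws.com"},
                         "Action": "s3:GetBucketAcl",
                         "Resource": {"Fn::Sub": "arn:aws:s3:::${TrailBucket}"}},
                        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
                         "Principal": {"Service": "cloudtrail.amazonaws.com"},
                         "Action": "s3:PutObject",
                         "Resource": {"Fn::Sub": "arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*"},
                         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
                    ],
                },
            },
        },
        "AccountTrail": {
            "Type": "AWS::CloudTrail::Trail",
            "DependsOn": "TrailBucketPolicy",  # the policy must exist before the trail validates the bucket
            "Properties": {
                "S3BucketName": {"Ref": "TrailBucket"},
                "IsLogging": True,
                "IsMultiRegionTrail": True,          # "capture all events": every region ...
                "IncludeGlobalServiceEvents": True,  # ... including IAM/STS global service calls
                "EnableLogFileValidation": True,     # signed digests so tampering is detectable
            },
        },
    },
}

def resources_of_type(template, type_name):
    """Yield (logical_id, properties) for every resource of the given CloudFormation type."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == type_name:
            yield logical_id, res.get("Properties", {})

def audit_cloudtrail(template):
    """Return a list of findings; an empty list means the audit-logging baseline is satisfied."""
    findings = []
    trails = list(resources_of_type(template, "AWS::CloudTrail::Trail"))
    if not trails:
        findings.append("no AWS::CloudTrail::Trail resource defined")
    for logical_id, props in trails:
        for prop in ("IsLogging", "IsMultiRegionTrail", "IncludeGlobalServiceEvents", "EnableLogFileValidation"):
            if props.get(prop) is not True:
                findings.append(f"{logical_id}: {prop} must be true")
        bucket_ref = props.get("S3BucketName")
        # Follow {"Ref": "<bucket>"} back to the bucket resource declared in the same template.
        if isinstance(bucket_ref, dict) and "Ref" in bucket_ref:
            bucket = template["Resources"].get(bucket_ref["Ref"], {})
            versioning = bucket.get("Properties", {}).get("VersioningConfiguration", {})
            if versioning.get("Status") != "Enabled":
                findings.append(f"{bucket_ref['Ref']}: bucket versioning must be Enabled")
    return findings

def weakened_copy(template):
    """Constructed negative case: logging switched off and versioning suspended."""
    weak = copy.deepcopy(template)
    weak["Resources"]["AccountTrail"]["Properties"]["IsLogging"] = False
    weak["Resources"]["TrailBucket"]["Properties"]["VersioningConfiguration"]["Status"] = "Suspended"
    return weak

if __name__ == "__main__":
    print(json.dumps(CLOUDTRAIL_TEMPLATE, indent=2))
    print("baseline findings:", audit_cloudtrail(CLOUDTRAIL_TEMPLATE))
    print("weakened findings:", audit_cloudtrail(weakened_copy(CLOUDTRAIL_TEMPLATE)))
```

Running the script prints the template as JSON (so it can be fed to `aws cloudformation deploy` after review) and then the audit results for the baseline and for a deliberately weakened copy; the same `audit_cloudtrail` check can run in a pipeline against any template that declares a trail.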
Amazon SNS, AWS CloudWatch
What is configured? Security alarms and notifications
Why?
• Automated exception notification and configurable alarms
• Triggering incident response
Control Families
• Access Control
• Audit & Accountability
• Configuration Management
(Demo screenshot: CloudFormation stack events, CREATE_IN_PROGRESS → CREATE_COMPLETE)
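To make "security alarms and notifications" concrete, here is an added example (not the Quick Start's own code and not from the presenters): an `AWS::Logs::MetricFilter` over the CloudTrail log group that counts root-account usage, an `AWS::CloudWatch::Alarm` on that metric, and an `AWS::SNS::Topic` that carries the notification. It assumes the trail already delivers to a CloudWatch Logs log group; the log group name and the e-mail endpoint are placeholders. The `is_root_usage` function is a Python rendering of the same filter logic, applied to constructed CloudTrail records so the detection can be exercised offline.

```python
import json

# CloudWatch Logs filter-pattern syntax; "NOT EXISTS" excludes calls a service made on the root principal's behalf.
ROOT_USAGE_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

# Constructed example template (not the Quick Start's own code).
ALARM_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "SecurityAlarmTopic": {
            "Type": "AWS::SNS::Topic",
            "Properties": {
                "Subscription": [{"Endpoint": "security-team@example.com", "Protocol": "email"}]  # placeholder
            },
        },
        "RootUsageFilter": {
            "Type": "AWS::Logs::MetricFilter",
            "Properties": {
                "LogGroupName": "CloudTrail/DefaultLogGroup",  # placeholder: the trail's CloudWatch Logs group
                "FilterPattern": ROOT_USAGE_PATTERN,
                "MetricTransformations": [
                    {"MetricNamespace": "CloudTrailMetrics", "MetricName": "RootUsageCount", "MetricValue": "1"}
                ],
            },
        },
        "RootUsageAlarm": {
            "Type": "AWS::CloudWatch::Alarm",
            "Properties": {
                "AlarmDescription": "Root account credentials were used",
                "Namespace": "CloudTrailMetrics",
                "MetricName": "RootUsageCount",
                "Statistic": "Sum",
                "Period": 300,
                "EvaluationPeriods": 1,
                "Threshold": 1,
                "ComparisonOperator": "GreaterThanOrEqualToThreshold",
                "AlarmActions": [{"Ref": "SecurityAlarmTopic"}],  # notify, and let the topic fan out to responders
            },
        },
    },
}

def is_root_usage(event):
    """Python equivalent of ROOT_USAGE_PATTERN for one CloudTrail record (a dict)."""
    identity = event.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and event.get("eventType") != "AwsServiceEvent"
    )

def root_usage_events(records):
    """Return the eventName of each record that would increment the metric and so fire the alarm."""
    return [r["eventName"] for r in records if is_root_usage(r)]

# Constructed sample CloudTrail records, trimmed to the fields the filter reads.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    # Root principal, but the call was made by a service on the account's behalf: excluded.
    {"eventName": "CreateLogStream", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
    {"eventName": "CreateUser", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
]

if __name__ == "__main__":
    print(json.dumps(ALARM_TEMPLATE, indent=2))
    print("alarm-triggering events:", root_usage_events(SAMPLE_RECORDS))
```

The `Period`/`EvaluationPeriods`/`Threshold` trio is where an alarm becomes "configurable": a threshold of 1 over five minutes pages on any root usage, while a noisier signal (failed console logins, say) would get a higher threshold over more periods.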
VPC, NACL, Security Groups
What is configured? Provides networking configuration for a standard management VPC, enforces traffic with NACL
Why?
• Programmatic delivery of network infrastructure and access controls
Control Families
• Access Control
(Demo screenshot: CloudFormation stack events, CREATE_IN_PROGRESS → CREATE_COMPLETE)
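Network ACLs are where the "enforces traffic with NACL" part of the slide gets tricky in practice: they are stateless and are evaluated in `RuleNumber` order, so return traffic needs its own rule and a misnumbered deny can shadow an allow. The block below is an added example (not the Quick Start's template and not the presenters' code): inbound `AWS::EC2::NetworkAclEntry` resources for a management subnet, built with the real CloudFormation property names, and an `evaluate` function that applies NACL semantics to a source address, protocol and port. The logical names `MgmtVpc`/`MgmtNacl` and the CIDR blocks are assumptions.

```python
import ipaddress

TCP = 6  # IANA protocol number, as CloudFormation's Protocol property expects; -1 means all protocols

def entry(rule_number, action, cidr, protocol=TCP, ports=None, egress=False):
    """Build an AWS::EC2::NetworkAclEntry resource (constructed example, real property names)."""
    props = {"NetworkAclId": {"Ref": "MgmtNacl"}, "RuleNumber": rule_number, "Protocol": protocol,
             "RuleAction": action, "Egress": egress, "CidrBlock": cidr}
    if ports:
        props["PortRange"] = {"From": ports[0], "To": ports[1]}
    return {"Type": "AWS::EC2::NetworkAclEntry", "Properties": props}

# Constructed example template: inbound rules for a management subnet (CIDRs are placeholders).
NACL_TEMPLATE = {
    "Resources": {
        "MgmtNacl": {"Type": "AWS::EC2::NetworkAcl", "Properties": {"VpcId": {"Ref": "MgmtVpc"}}},
        "InHttpsFromCorp": entry(100, "allow", "10.0.0.0/8", ports=(443, 443)),
        "InSshFromBastion": entry(110, "allow", "10.10.0.0/24", ports=(22, 22)),
        # NACLs are stateless: replies to outbound connections arrive on ephemeral ports and need a rule.
        "InEphemeralReturn": entry(120, "allow", "0.0.0.0/0", ports=(1024, 65535)),
        # Explicit deny-all, mirroring the implicit "*" rule so the intent is visible in the template.
        "InDenyAll": entry(32766, "deny", "0.0.0.0/0", protocol=-1),
    }
}

def inbound_rules(template, nacl_logical_id="MgmtNacl"):
    """Collect the NACL's inbound entries in evaluation order (ascending RuleNumber)."""
    rules = [r["Properties"] for r in template["Resources"].values()
             if r["Type"] == "AWS::EC2::NetworkAclEntry"
             and r["Properties"]["NetworkAclId"].get("Ref") == nacl_logical_id
             and not r["Properties"]["Egress"]]
    return sorted(rules, key=lambda p: p["RuleNumber"])

def evaluate(rules, src_ip, protocol, dst_port):
    """NACL semantics: the lowest-numbered matching rule decides; no match is the implicit deny ('*')."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["Protocol"] not in (-1, protocol):
            continue
        if addr not in ipaddress.ip_network(rule["CidrBlock"]):
            continue
        ports = rule.get("PortRange")
        if ports and not ports["From"] <= dst_port <= ports["To"]:
            continue
        return rule["RuleAction"], rule["RuleNumber"]
    return "deny", "*"

def with_rule_number(rules, old, new):
    """Copy of the rule list with one rule renumbered, to show that ordering alone changes the outcome."""
    renumbered = [dict(r, RuleNumber=new if r["RuleNumber"] == old else r["RuleNumber"]) for r in rules]
    return sorted(renumbered, key=lambda p: p["RuleNumber"])

if __name__ == "__main__":
    rules = inbound_rules(NACL_TEMPLATE)
    for src, port in (("10.1.2.3", 443), ("10.1.2.3", 22), ("10.10.0.7", 22),
                      ("203.0.113.5", 443), ("203.0.113.5", 50000)):
        print(f"{src}:{port} ->", evaluate(rules, src, TCP, port))
    # Move the deny-all in front of the SSH rule (105 < 110): the bastion's SSH is now silently blocked.
    print("misordered deny ->", evaluate(with_rule_number(rules, 32766, 105), "10.10.0.7", TCP, 22))
```

The last line is the case worth keeping in a template test suite: a review that only reads the rules as a set would pass both versions, while evaluating them in order catches the shadowed allow.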
IAM, AWS CloudTrail, Amazon SNS, Amazon VPC, NACL
Infrastructure security
(Diagram: layers protected, from Cloud Infrastructure through Operating System and Data to Applications)
• Network Security: Intrusion prevention, Firewall
• File Security: Anti-malware and Integrity Monitoring
• Log Inspection and Application Scanning
Trend Micro Deep Security modules: Anti-malware, Integrity Monitoring, Intrusion Prevention, Log Inspection, Web Reputation, Host Firewall
• Seamlessly integrated with EC2
• Deploy as AMI, SaaS or software
All in a single, host-based tool
Leveraging Deep Security for NIST controls
Management and Visibility
What is configured? Deploys Deep Security Manager to AWS
Why?
• Visibility of EC2 resources
• Single console with integrated threat information
Applicable Controls
• Access Control
• Audit & Accountability
• Incident Response
• Risk Assessment
• System & Communications Protection
• System & Information Integrity
(Demo screenshot: CloudFormation stack events, CREATE_IN_PROGRESS → CREATE_COMPLETE)
File Controls
What is configured? Anti-Malware, Integrity Monitoring, Log Inspection
Why?
• Discover and block malicious code
• Monitor files for changes
• Inspect existing logs for indications of unusual activity
Applicable Controls
• Audit & Accountability
• Security Assessment & Authorization
• Configuration Management
• System & Information Integrity
(Demo screenshot: CloudFormation stack events, CREATE_IN_PROGRESS → CREATE_COMPLETE)
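"Monitor files for changes" is the integrity-monitoring control in the slide above. The following added example illustrates the underlying technique in plain Python; it is not Deep Security's implementation and not code from the presenters. A baseline of SHA-256 digests is taken over a set of files, a later snapshot is compared against it, and the result separates added, removed and modified paths, optionally restricted to watched prefixes. The sample file contents are constructed for the example; `snapshot_directory` reads a real directory into the same mapping so the comparison can run against a host.

```python
import hashlib
import os

def file_digests(files):
    """files: mapping of relative path -> bytes. Returns path -> hex SHA-256 digest."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def snapshot_directory(root):
    """Read a real directory tree into the path -> bytes mapping that file_digests expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files

def compare(baseline, current, watched=None):
    """Diff two digest maps. watched: optional tuple of path prefixes to report on (None = everything)."""
    def in_scope(path):
        return watched is None or path.startswith(watched)
    base_paths = {p for p in baseline if in_scope(p)}
    cur_paths = {p for p in current if in_scope(p)}
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }

# Constructed sample "filesystem" before and after a change (contents are illustrative only).
BASELINE_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "etc/hosts": b"127.0.0.1 localhost\n",
    "usr/bin/sudo": b"\x7fELF-placeholder-binary",
}
CURRENT_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin yes\n",   # hardening setting drifted
    "etc/cron.d/new-job": b"0 3 * * * root /usr/local/bin/backup\n",  # unexpected new scheduled job
    "usr/bin/sudo": b"\x7fELF-placeholder-binary",     # unchanged
}

if __name__ == "__main__":
    baseline = file_digests(BASELINE_FILES)
    current = file_digests(CURRENT_FILES)
    print("all paths:", compare(baseline, current))
    print("etc/ only:", compare(baseline, current, watched=("etc/",)))
```

In a deployment the baseline digests would be stored off-host (the CloudTrail bucket pattern from earlier slides applies: versioned, write-restricted), so that whoever changes a file cannot also rewrite the record it is compared against.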
Network Controls
What is configured? Intrusion detection & prevention, Firewall
Why?
• Add additional stateful controls to enhance security groups and NACLs
• Add layer 7 visibility and inspection
Applicable Controls
• Security Assessment & Authorization
• Audit & Accountability
• Configuration Management
• Contingency Planning
• Identification & Authentication
• System & Communications Protection
• System & Information Integrity
(Demo screenshot: CloudFormation stack events, CREATE_IN_PROGRESS → CREATE_COMPLETE)
Automating NIST controls with AWS CloudFormation
Why use it?
• Infrastructure as code
• Repeatable
• Audit baseline
AWS CloudFormation
Third party integration with CloudFormation
If you can’t automate 3rd party products with AWS CloudFormation, they aren’t built for AWS.
AWS + Trend Micro Enterprise Accelerator: NIST 800-53 High Impact Controls
• Adds additional coverage for High Impact controls
• Design philosophy: NIST SP 800-53 (r4) security controls best practices
• Sample implementation for many different resource types and hundreds of controls
• Plug and play sub-templates to fit your requirements
https://aws.amazon.com/quickstart/
Major NIST SP 800-53 (rev4) Trend Micro + AWS coverage
(Coverage matrix; columns: Trend Micro Deep Security | AWS Enterprise Accelerator - Compliance: NIST High Impact controls; legend: Customer, Overall, Inherited, Shared. Per-family values are not recoverable from the slide.)
Control families covered:
• Access Control
• Audit & Accountability
• Configuration Management
• Contingency Planning
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Physical & Environmental Protection
• Risk Assessment
• Security Assessment & Authorization
• System & Communications Protection
• System & Information Integrity
• System & Services Acquisition
Enterprise Accelerator: Quick Start CloudFormation Stack
2,500 lines of JSON code = 126 AWS Resources, 200+ API Actions
Deep Security Stack
• Prevent malicious code execution
• Block remote exploits
• Shield app vulnerabilities
• Detect OS and app changes
Deep Security Manager, Agents, and required AWS infrastructure:
• Amazon EC2 instances, Availability Zones, Amazon RDS databases, Auto Scaling
• ELB load balancers, Amazon S3 bucket policies, Security Groups, Amazon SNS, Amazon SQS, Amazon CloudWatch
• VPCs, subnets, gateways, route tables, NACLs
• Users, groups & roles, CloudFormation access, and Service Catalog constraints
Additional Resources
• Spreadsheet with High security controls mapping
• GitHub repo
• Templates
• Deployment guide: tailor and deploy template
https://docs.aws.amazon.com/quickstart/latest/accelerator-nist-high-impact/welcome.html
aws.amazon.com/quickstart/
Question & Answer
trendmicro.com/aws