Security Operations in the Cloud Monthly Webinar Series: How to Secure App Pipelines in AWS

©2019 SANS™ Institute | www.sans.org | Sponsored by: [sponsor logo]

Posted on 21-Sep-2020 (slide transcript, 37 pages)

Page 1: Security Operations in the Cloud Monthly Webinar Series

Page 2: How to Secure App Pipelines in AWS

Page 3: Today’s Speakers

• Dave Shackleford, SANS Analyst

• David Aiken, AWS Marketplace, Solutions Architect

Page 4: Introduction

• We are seeing nothing less than an evolutionary shift in how security infrastructure is moving to software-defined models that improve speed and scale.

• Much like other areas of security, the responsibility for application security varies widely depending on the cloud model in place.

• We’ll delve into the changing nature of application development and security as organizations build and deploy applications for the cloud.

Page 5: How the SDLC Is Changing

• The software development life cycle (SDLC) has moved to a methodology that prioritizes collaboration and more frequent (yet smaller) updates.

• To shift toward a more collaborative culture, security teams need to integrate with the developers responsible for promoting code.

• Security teams need to determine which tools they have in operations that can integrate into the application pipeline.

Page 6: The Modern CI/CD Pipeline

• Many organizations are adopting Continuous Integration (CI) and Continuous Delivery (CD) for their cloud application pipelines.

– CI is usually exhibited through small, incremental and frequent code pushes (often to a stage or test environment), and does not by itself produce large production code releases.

• CD means you actually deliver code to production through an automated pipeline.

Page 7: The Modern CI/CD Pipeline (cont.)

• Automated provisioning—The more automated the provisioning of resources and assets, the more rapidly the SDLC and operations model can operate.

• No-downtime deployments—Because cloud services are based on service-oriented costing models, downtime is less acceptable.

• Monitoring—Constant monitoring and vigilance of code and operations help to streamline and improve quality immensely.

• Rapid testing and updates—The sooner code flaws can be detected, the less impact they’ll have in a working production environment. Rapid and almost constant testing needs to occur for this to happen.

• Automated builds and testing—More automation in the testing and QA processes will help to speed things up and improve delivery times.

Page 8: Role Assignments

• Application development teams

• Cloud architecture and engineering teams

• Security architecture and operations teams

• IT infrastructure teams (server engineering, database management and more)

• Compliance and legal teams (where appropriate)

• Business unit management (where appropriate)

Page 9: Prep: Discussions

• Make sure that your security team discusses:

– Standard and planned coding and release cycles—If the team plans on doing CI, how will the code be centrally stored and managed?

– Tools in use for development, testing and deployment—Automated testing suites are ideal, but security teams need to understand the tools the development team plans to use.

– How security can best integrate with the teams—Ideally, security teams will have some understanding of development practices, and will know how to write test scripts and infrastructure-as-code templates where applicable.

– Expected standards and behaviors—If there are no standards to adhere to, what will the team seek to enforce?

Page 10: Security in the CI/CD World

• When integrating into a cloud-focused application development model, security teams need to focus on:

– Code security—How is code being scanned for vulnerabilities?

– Code repositories—How is code being checked in and checked out, and by whom?

– Automation tools—What tools are in use to automate builds, deployments, etc.? How can security integrate with these?

– Orchestration platforms—How are orchestration tools being used to coordinate and automate infrastructure and cloud components?

– Gateways and network connectivity—How can we ensure secure connectivity to the cloud for deployments?

Page 11: Risk Assessment

• Risk assessment and analysis practices should be updated to continually review:

– Cloud provider security controls, capabilities and compliance status

– Internal development and orchestration tools and platforms

– Operations management and monitoring tools

– Security tools and controls both on premises and in the cloud

Page 12: Security for the CI/CD Pipeline

Pipeline stages (diagram): Code/Develop → Build → Package → Test → Deploy/Upgrade → Operate

Page 13: Code/Develop

• Are check-in and check-out procedures defined?

• Do solid role-based access controls exist?

• Cloud providers often have options available for code storage and management that include authentication with strong identity management and robust logging/tracking.

Page 14: Build

• This stage should include:

– Validated code

– Approved build architecture and controls

– Automated build testing for compiled code

• AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests and produces software packages that are ready to deploy.

Page 15: Package

• Some traditional vulnerability scanning vendors have adapted their products to work within cloud provider environments.

• Another option is to rely on host-based agents that can scan their respective virtual machines continually.

• Tools like Trend Micro Deep Security can help to automate application protection and package validation for workloads, too.

Page 16: Test

• Keys for security teams during the testing phase are:

– Security testing should be as seamless as possible (avoid interfering with QA if you can help it).

– Define test cases and tools.

– Define acceptable outcomes that meet policy.

– Automate tools and teach developers/QA engineers to run them.

Page 17: Deploy/Upgrade

• In this phase, security teams are focused on:

– Documentation—Note any bugs that are outstanding; document plans to fix and when.

– Communication—Coordinate with development and operations teams to instantiate any controls needed for remediation or “stop gaps.”

– Life cycle—Ensure an approved policy for bug remediation is in place and monitored for future release cycles.

Page 18: Operations

• Define security use cases for production operations by answering the following questions:

– What events should trigger alerts?

– What events should trigger automated remediation?

– What event severities should be in place?

– What controls are needed to properly secure the environment?

Page 19: Secrets Management

• A critical aspect of managing security in a cloud environment is to carefully limit and control the accounts and privileges assigned to resources.

• In addition to privilege management in configuration definitions, application development teams need to ensure that no sensitive material such as encryption keys or credentials is stored in definition files, on systems that are exposed, or in code that could be exposed.
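As an added example (not code from the webinar or from any vendor named on these slides), the following scanner implements the check this slide calls for: run over an infrastructure-as-code definition file before commit or as a build step, it flags AWS access key IDs, 40-character secret keys that appear next to the word "secret", PEM private key blocks and literal passwords, and it accepts the CloudFormation dynamic-reference form that pulls the value from AWS Secrets Manager at deploy time instead of embedding it. Both template fragments are constructed; the access/secret key pair is the placeholder pair AWS uses in its own documentation, and the secret name prod/appdb is invented.

```python
import re
from dataclasses import dataclass

# Constructed samples. The first fragment embeds a database password and an
# access/secret key pair (AWS's documentation placeholder pair); the second
# pulls the password from AWS Secrets Manager with a dynamic reference.
BAD_TEMPLATE = """\
Resources:
  AppDb:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUsername: admin
      MasterUserPassword: "Sup3rS3cretP@ss!"
  DeployUser:
    Type: AWS::IAM::User
Outputs:
  AccessKey:
    Value: AKIAIOSFODNN7EXAMPLE
  SecretKey:
    Value: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

GOOD_TEMPLATE = """\
Resources:
  AppDb:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUsername: admin
      MasterUserPassword: "{{resolve:secretsmanager:prod/appdb:SecretString:password}}"
"""

ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Exactly 40 base64 characters, not embedded in a longer token.
SECRET_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
PASSWORD_RE = re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{8,})")
# Values that are references rather than literals: CloudFormation dynamic
# references and intrinsic functions, and shell-style variable expansion.
REFERENCE_PREFIXES = ("{{resolve:", "!Ref", "!GetAtt", "!Sub", "${")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int      # 1-based line number in the scanned text
    excerpt: str   # the offending line with the secret value masked


def _mask(line: str, secret: str) -> str:
    return line.replace(secret, secret[:4] + "...")


def scan_text(text: str) -> list[Finding]:
    """Return credential material found in a definition file or source text."""
    findings: list[Finding] = []
    prev = ""
    for n, line in enumerate(text.splitlines(), start=1):
        if m := ACCESS_KEY_RE.search(line):
            findings.append(Finding("aws-access-key-id", n, _mask(line.strip(), m.group(0))))
        # A bare 40-char token is noisy on its own; require "secret" on this or the previous line.
        if (m := SECRET_TOKEN_RE.search(line)) and re.search(r"(?i)secret", prev + line):
            findings.append(Finding("aws-secret-access-key", n, _mask(line.strip(), m.group(0))))
        if PRIVATE_KEY_RE.search(line):
            findings.append(Finding("private-key-block", n, line.strip()))
        if (m := PASSWORD_RE.search(line)) and not m.group(1).startswith(REFERENCE_PREFIXES):
            findings.append(Finding("hardcoded-password", n, _mask(line.strip(), m.group(1))))
        prev = line
    return findings


def gate(text: str) -> int:
    """Exit status for a build step: non-zero when anything was found."""
    return 1 if scan_text(text) else 0


if __name__ == "__main__":
    for name, tpl in (("BAD_TEMPLATE", BAD_TEMPLATE), ("GOOD_TEMPLATE", GOOD_TEMPLATE)):
        for f in scan_text(tpl):
            print(f"{name}:{f.line}: {f.rule}: {f.excerpt}")
        print(f"{name}: gate exit status {gate(tpl)}")
```

Wired into a build stage, gate() failing the build is what keeps a committed key from reaching an artifact; the masked excerpt is deliberate, since a scanner that echoes the secret into build logs just moves the leak to CloudWatch.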

Page 20: API Security

• APIs are integral to building a robust and automated development pipeline.

• The security posture of APIs should be documented by providers, and all APIs should be strongly controlled through IAM policies.

• Use of APIs should be carefully monitored, too, with full logging to AWS CloudTrail and other logging engines.
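Page 18 asks which events should alert, which should trigger automated remediation and at what severity, and this page says the answer comes from CloudTrail. As an added example (not from the webinar), the following rules run over a handful of constructed CloudTrail records shaped like entries from a trail's Records array: an IAM change by any principal other than the infrastructure-as-code deploy role, use of the build role's temporary credentials from anywhere other than the CodeBuild service, and a burst of AccessDenied errors from one principal. The account ID, role names, the 198.51.100.10 egress address and the three-denial threshold are placeholders; the auto_remediate flag only marks what a responder (for example a Lambda function) would act on, and the block itself calls no AWS API.

```python
from collections import Counter
from dataclasses import dataclass

# Placeholders: account ID, role names and the NAT egress address the
# organization's own runners would use.
BUILD_ROLE_PREFIX = "arn:aws:sts::123456789012:assumed-role/codebuild-app-role/"
BUILD_ROLE = BUILD_ROLE_PREFIX + "AWSCodeBuild-1"
DEPLOY_ROLE = "arn:aws:sts::123456789012:assumed-role/iac-deploy-role/codebuild"
ALICE = "arn:aws:iam::123456789012:user/alice"

APPROVED_IAM_CHANGERS = {DEPLOY_ROLE}
EXPECTED_BUILD_SOURCES = {"codebuild.amazonaws.com", "198.51.100.10"}
DENIED_THRESHOLD = 3
IAM_MUTATIONS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy",
    "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
}


def _event(time, source, name, arn, ip, error=None):
    ev = {"eventTime": time, "eventSource": source, "eventName": name,
          "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    if error:
        ev["errorCode"] = error
    return ev


# Constructed records; only the fields the rules read are present.
SAMPLE_EVENTS = [
    _event("2019-06-03T10:00:01Z", "s3.amazonaws.com", "PutObject", BUILD_ROLE, "codebuild.amazonaws.com"),
    _event("2019-06-03T10:00:05Z", "iam.amazonaws.com", "PutRolePolicy", DEPLOY_ROLE, "codebuild.amazonaws.com"),
    _event("2019-06-03T10:02:11Z", "iam.amazonaws.com", "CreateAccessKey", ALICE, "203.0.113.7"),
    _event("2019-06-03T10:03:00Z", "s3.amazonaws.com", "GetObject", BUILD_ROLE, "203.0.113.7"),
] + [
    _event(f"2019-06-03T10:04:{s:02d}Z", "iam.amazonaws.com", "ListUsers", BUILD_ROLE,
           "codebuild.amazonaws.com", error="AccessDenied")
    for s in (10, 11, 12)
]


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    principal: str
    event_name: str
    auto_remediate: bool   # what a responder (e.g. a Lambda function) would act on


def detect(events: list[dict]) -> list[Alert]:
    """Apply the three rules to CloudTrail records in time order."""
    alerts: list[Alert] = []
    denied = Counter()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        principal = ev["userIdentity"]["arn"]
        name = ev["eventName"]
        src = ev.get("sourceIPAddress", "")
        # 1. IAM mutations must come only from the infrastructure-as-code deploy role.
        if (ev["eventSource"] == "iam.amazonaws.com" and name in IAM_MUTATIONS
                and principal not in APPROVED_IAM_CHANGERS):
            alerts.append(Alert("HIGH", "iam-change-outside-pipeline", principal, name,
                                auto_remediate=(name == "CreateAccessKey")))
        # 2. Build-role credentials used from anywhere but the build service mean
        #    the temporary credentials have left the pipeline.
        if principal.startswith(BUILD_ROLE_PREFIX) and src not in EXPECTED_BUILD_SOURCES:
            alerts.append(Alert("HIGH", "pipeline-role-used-off-platform", principal, name, True))
        # 3. Repeated AccessDenied from one principal: probing, or a mis-scoped role.
        if ev.get("errorCode") == "AccessDenied":
            denied[principal] += 1
            if denied[principal] == DENIED_THRESHOLD:
                alerts.append(Alert("MEDIUM", "access-denied-burst", principal, name, False))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.severity:6} {a.rule:32} {a.event_name:16} remediate={a.auto_remediate} {a.principal}")
```

The second rule is the one most worth keeping: a build role's session credentials are valid wherever they are presented, so the sourceIPAddress field is often the only signal that they were exfiltrated from a build container.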

Page 21: Privilege Management and IAM

• Strong privilege management is a necessity in fast-moving application pipelines.

– Integration with secrets management tools and a granular policy engine like AWS Identity and Access Management (IAM) is crucial.

• A fragmented privilege management and IAM implementation strategy can lead to poor operational oversight of users, groups and permissions.
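As an added example (not the webinar's own material), here is the slide's advice turned into a check that can run in the pipeline: a linter for IAM identity policies that flags the patterns which undermine least privilege on a build role, with an over-broad policy and its scoped replacement side by side. Both policies are constructed; the account ID 123456789012, the bucket, the log group and the role names are placeholders.

```python
import json

# Constructed examples: an over-broad policy of the kind that ends up on a
# build role, and a scoped replacement. Account ID 123456789012, the bucket,
# log group and role names are placeholders.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-build-artifacts/*"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/codebuild/example:*"},
    {"Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-deploy-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "cloudformation.amazonaws.com"}}}
  ]
}""")

# Actions that let a principal grant itself or others more access.
ESCALATION_ACTIONS = {
    "iam:createaccesskey", "iam:createloginprofile", "iam:attachuserpolicy",
    "iam:attachrolepolicy", "iam:putuserpolicy", "iam:putrolepolicy",
    "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:updateassumerolepolicy", "iam:addusertogroup",
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list[str]:
    """Return human-readable least-privilege violations in an identity policy."""
    issues = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        star_resource = "*" in _as_list(st.get("Resource"))
        if "NotAction" in st:
            issues.append(f"stmt {i}: Allow with NotAction grants every action not listed")
        if "*" in actions:
            issues.append(f"stmt {i}: Action * " + ("on Resource * is full admin" if star_resource
                                                   else "is every API on the listed resources"))
        for a in actions:
            if a.endswith(":*") and star_resource:
                issues.append(f"stmt {i}: service-wide wildcard {a} on Resource *")
            if a in ESCALATION_ACTIONS:
                issues.append(f"stmt {i}: privilege-escalation action {a}")
        if "iam:passrole" in actions and (star_resource or "Condition" not in st):
            issues.append(f"stmt {i}: iam:PassRole needs a specific role ARN and an "
                          "iam:PassedToService condition")
    return issues


if __name__ == "__main__":
    for name, policy in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "no issues")
```

The PassRole rule matters most for pipelines: a build role that can pass any role to CloudFormation or Lambda can launch a stack that runs with the most privileged role in the account, which is the usual route from "build server compromised" to "account compromised".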

Page 22: Containers and Container Management/Orchestration

• Containers are rapidly becoming a common means of quickly deploying application workloads in both internal and cloud environments.

• Look for:

– Secure repositories for container images, such as Amazon Elastic Container Registry (ECR)

– Orchestration tools that can be used for managing container deployments securely, such as Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS)

Page 23: Serverless Applications and Security

• Serverless security should involve:

– Static code review (numerous third-party providers can integrate into serverless environments like AWS Lambda to scan the code)

– Privilege and permission control over all serverless applications with IAM

– Complete logging of all serverless application updates and execution using tools like AWS CloudTrail

Page 24: Summary

• For modern application pipelines, there are a plethora of tools available to help automate strong security controls through the entire development and deployment process.

• A strong governance structure is critical to ensure all stakeholders are involved and on board with the new tools and processes needed.

• Security operations teams will need to help define standards for code and images, as well as build strong protective and detective controls in the cloud environment.

Page 25: Enabling application pipeline protection in AWS

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Page 26: AWS services that enforce application pipeline security

Diagram: AWS services laid out against the Identify, Protect, Detect, Respond and Recover functions. Service and activity labels on the diagram: Amazon Macie, AWS WAF, Amazon Inspector, AWS Security Hub, AWS Lambda (Automate), Investigate, Snapshot, Archive.

Page 27: Improve app security with automated assessments

Workflow (diagram):

• Instances: install the AWS agent on EC2 instances.

• Run an assessment for the assessment target according to the assessment template.

• Review findings and remediate issues.

Page 28: Protect your web apps from exploits

• Create custom rules and deploy new rules within minutes, letting you respond quickly to changing traffic patterns.

• Trend Micro offers pre-configured, managed rules to provide an extra layer of protection.

Diagram (AWS WAF): a Web ACL with its rules sits in front of the web servers. Allowed users pass based on the default behavior; bad requests are counted or blocked based on rule and condition; CloudFront access logs are written to an S3 bucket.

Page 29: How are AWS customers leveraging Trend Micro?

• Continuous Integration and Delivery (CI/CD)

• Deep Security for application containers

• Accelerate DevOps with security automation

Page 30: Cloudticity gains continuous DevOps protection

Using Trend Micro Deep Security protection

Benefits:

• Automates compliance with critical healthcare regulations

• Simplifies security management with automated protection and policies

• Detects malware and vulnerabilities earlier in the application pipeline, before they enter the code base

• Helps drive 70% of the annual revenue growth

Page 31: Verizon Media protects complex environments

Utilizing Tenable.io for vulnerability analysis and monitoring

Benefits:

• Can scale upward of 1 million instances of EC2 across 1,000+ accounts that need continuous discovery and assessment

• Able to secure a wide variety of environments across many media properties with a single platform

Diagram: Tenable.io (AWS Cloud) on one side and the customer's AWS Cloud on the other. The Tenable AWS account (012615275169) calls ListAccounts() against the AWS Organizations root account, and each organization account (Org Account 1 through Org Account N) has a trust relationship with the Tenable account.
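The trust arrows in the diagram are cross-account IAM role trust policies: each organization account holds a role that the vendor's account may assume. As an added example (not from the webinar or from Tenable), the following check covers the two things that matter in such a policy: that only the vendor's account is trusted, and that an sts:ExternalId condition is required, so that a vendor tricked into assuming the wrong customer's role (the confused-deputy problem) is refused. The vendor account ID is the one shown on the slide; the ExternalId value and the weak/hardened policy pair are constructed.

```python
import json

# The vendor account ID is the one on the slide; the ExternalId value is a
# placeholder for the random per-customer token a vendor issues.
VENDOR_ACCOUNT = "012615275169"

WEAK_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::012615275169:root"},
    "Action": "sts:AssumeRole"
  }]
}""")

HARDENED_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::012615275169:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "7f3c9a2e-example-customer-token"}}
  }]
}""")

# A trust policy for a vendor role should grant nothing beyond assuming it.
ALLOWED_ACTIONS = {"sts:assumerole", "sts:tagsession"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, vendor_account: str) -> list[str]:
    """Problems with a role trust policy meant for exactly one third-party account."""
    problems = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", [])) if isinstance(principal, dict)
                          else _as_list(principal))
        for p in aws_principals:
            if p == "*":
                problems.append(f"stmt {i}: Principal * lets any AWS account assume the role")
            elif vendor_account not in p:
                problems.append(f"stmt {i}: principal {p} is not the vendor account {vendor_account}")
        extra = [a for a in _as_list(st.get("Action", [])) if a.lower() not in ALLOWED_ACTIONS]
        if extra:
            problems.append(f"stmt {i}: trust policy allows more than sts:AssumeRole: {extra}")
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            problems.append(f"stmt {i}: no sts:ExternalId condition; the vendor could be tricked into "
                            "assuming this role on another customer's behalf (confused deputy)")
    return problems


if __name__ == "__main__":
    for name, pol in (("WEAK_TRUST", WEAK_TRUST), ("HARDENED_TRUST", HARDENED_TRUST)):
        print(name, check_trust_policy(pol, VENDOR_ACCOUNT) or "ok")
```

Run this against the trust policy of every vendor role across the organization's accounts (for example from the same ListAccounts() enumeration the diagram shows) rather than only the first one set up; the weak form is usually the one copied from a quick-start.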

Page 32: GreenSky integrates security for faster TTM

Leveraging Contrast Assess from Contrast Security

Benefits:

• Successfully migrated from on-premises to AWS

• Freed up 10 hours a week for 2-3 people on the security team

• Developers can see their results almost immediately

• Vulnerabilities are found much earlier

Page 33: Why AWS Marketplace?

• Flexible consumption and contract models

• Quick and easy deployment

• Helpful humans to support you

Page 34: How can you get started?

• Find—A breadth of security solutions.

• Buy—Through flexible pricing options: free trial; pay-as-you-go; hourly, monthly, annual or multi-year; Bring Your Own License (BYOL); Seller Private Offers; Channel Partner Private Offers.

• Deploy—With multiple deployment options: SaaS, Amazon Machine Image (AMI), CloudFormation template, Amazon Elastic Container Service (ECS).

Page 35: Webinar summary

• New tools? Pick vendors that know AWS and offer bleeding-edge capabilities.

• Current tools? Check out AWS Marketplace for assurance that what you know works in AWS.

• AWS services can help optimize your security program.

• Leveraging integrations and APIs is integral to securing the development pipeline.

Page 36: Q&A

Please use GoToWebinar’s Questions tool to submit questions to our panel.

Send to “Organizers” and tell us if it’s for a specific panelist.

Page 37: Acknowledgments

Thanks to our sponsor: [sponsor logo]

To our special guest: David Aiken

And to our attendees, thank you for joining us today!