Introduction to how leading financial institutions use AWS security

Re:Inventing Security Landscape
Eugene Yu, Global Security, Risk and Compliance, AWS Professional Services
Time: 02:20 – 03:00

Upload: amazon-web-services-korea
Post on 13-Jan-2017
Category: Economy & Finance

TRANSCRIPT

Page 1: Introduction to how leading financial institutions use AWS security :: Eugene Yu :: AWS Finance Seminar

Re:Inventing Security Landscape

Eugene Yu, Global Security, Risk and Compliance, AWS Professional Services

Time: 02:20 – 03:00

Page 2: Cloud focuses on differentiation

Page 3: Reasons Cloud Computing is Gaining Traction in FinServ

• Lower the time spent on infrastructure
• Dedicate more resources to innovation
• Concentrate on new business initiatives

Page 4: Cloud Security: What’s different & what’s the same?

Page 5: Security is a shared responsibility

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

Page 6: Accreditation & Compliance, Old and New

Old world
• Functionally optional (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Must maintain talent and keep pace
• Check typically once a year
• Workload-specific compliance checks

New world
• Functionally necessary – high watermark of requirements
• Audits done by third party experts
• Accountable to everyone
• Superior security drives broad compliance
• Continuous monitoring
• Compliance approach based on all workload scenarios

Page 7: Move Fast OR Stay Secure & Compliant

Page 8: Move Fast AND Stay Secure & Compliant

Page 9: Making life easier

Choosing security does not mean giving up on convenience or introducing complexity.

Page 10: Strengthen your security posture

• Get native functionality and tools at no additional charge
• Over 30 global compliance certifications and accreditations
• Leverage security enhancements gleaned from 1M+ customer experiences
• Benefit from AWS industry-leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations

Page 11: Access a deep set of cloud security tools

Encryption: Key Management Service, CloudHSM, Server-side Encryption
Networking: Virtual Private Cloud, Web Application Firewall
Compliance: Config, CloudTrail, Service Catalog
Identity: IAM, Active Directory Integration, SAML Federation

Page 12: Evolving the Practice of Security Architecture

Current Security Architecture Practice
• Security architecture as a separate function can no longer exist
• Static position papers, architecture diagrams & documents
• UI-dependent consoles and “pane of glass” technologies
• Auditing, assurance, and compliance are decoupled, separate processes

Page 13: Evolving the Practice of Security Architecture

Evolved Security Architecture Practice
• Security architecture can now be part of the ‘maker’ team
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop

Page 14: Leveraged by FSI & Enterprises Worldwide

Page 15: Cloud Security Design Patterns

Page 16: Access rights just-in-time

Identity and Access Management + Security Token Service

Page 17: Fine-grained control of your AWS environment

AWS IAM enables you to securely control access to AWS services and resources
• Control who can do what, when and from where
• Fine-grained control of user permissions, resources and actions
• Add multi-factor authentication
  • Hardware token or smartphone apps
• Test out new policies using the IAM policy simulator

Page 18: Segregate duties between roles with IAM

Choose who can do what in your AWS environment and from where.

Roles shown: AWS account owner (master); Network management; Security management; Server management; Storage management. Each role manages and operates its own area.

[Diagram: a Region containing VPC A (10.0.0.0/16) with two Availability Zones holding Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24, a Router, an Internet Gateway to the Internet, and a Customer Gateway]

Page 19: Consolidated Logging

AWS CloudTrail + Amazon S3 + Amazon Glacier + Amazon CloudWatch Events

Page 20: AWS CloudTrail logs for many powerful use cases

CloudTrail achieves many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment

Page 21: Consolidated Logging: Log flow

• AWS CloudTrail writes raw logs to Amazon S3 (bucket permissions control who can read them)
• Parse in Amazon EMR and upload to Amazon Redshift
• Analyze with standard BI tools running on Amazon EC2 instances
• Archive to Amazon Glacier

Encrypted end to end!

Page 22: Ubiquitous Encryption

AWS KMS + AWS CloudHSM + DIY, applied to S3, Glacier, EBS, RDS, Redshift and CloudTrail

Page 23: Ubiquitous Encryption

AWS KMS at the center, with AWS CloudTrail, AWS IAM, EBS, RDS and S3 around it:
• Encrypted in transit
• Encrypted at rest
• Fully auditable
• Fully managed keys
• Restricted access

Page 24: Non-Persistent & Elastic

AWS Elastic Compute Cloud + Amazon Auto-scaling Groups

Page 25: Network Architecture Agility

Amazon VPC + Security Group + AWS Direct Connect

Page 26: You can also connect privately using AWS Direct Connect

[Diagram: Availability Zone A with EC2 Web instances, an EC2 Jump host, a NAT instance and the VPC Router; AWS Direct Connect links a Virtual Private Gateway to the Customer Gateway on your premises]

Page 27: Monitor and React

AWS CloudWatch + AWS Lambda

Page 28: Enforcing Encryption with CloudWatch Events

A CloudWatch Event for a new EC2 or RDS resource invokes a Lambda function that checks if the instance is encrypted. When it is not encrypted, an SNS notification and enforcement / remediation actions follow.
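The check-and-react step above, as an added example that is not part of the slides: a Lambda-style handler that evaluates the "AWS API Call via CloudTrail" events CloudWatch Events delivers for EC2 CreateVolume and RDS CreateDBInstance, and returns a finding with the remediation actions to run when the new storage is unencrypted. The sample events are constructed, and the function names, the action strings and the choice of remediation are assumptions; the field names follow the CloudTrail record layout for those two API calls.

```python
# Added example, not the slides' or AWS's code. Evaluates CloudWatch Events
# carrying CloudTrail API calls and flags storage created without encryption.

# (eventSource, eventName) -> (resource label, encryption flag key,
# resource id key, remediation action). Extend for other storage APIs.
ENCRYPTION_CHECKS = {
    ("ec2.amazonaws.com", "CreateVolume"):
        ("EBS volume", "encrypted", "volumeId", "delete unattached volume"),
    ("rds.amazonaws.com", "CreateDBInstance"):
        ("RDS instance", "storageEncrypted", "dBInstanceIdentifier",
         "snapshot, re-create with storageEncrypted=true, then delete"),
}


def _flag(detail, key):
    """Read the encryption flag, preferring what the service returned
    (responseElements) over what the caller asked for (requestParameters)."""
    for section in ("responseElements", "requestParameters"):
        value = (detail.get(section) or {}).get(key)
        if isinstance(value, bool):
            return value
    # No explicit flag in the record: treat as unencrypted (fail closed).
    return False


def evaluate_event(event):
    """Return a finding dict for covered storage-creation events, or None for
    events this check does not cover (other APIs, failed calls)."""
    detail = event.get("detail") or {}
    if detail.get("errorCode"):  # the API call failed, nothing was created
        return None
    check = ENCRYPTION_CHECKS.get((detail.get("eventSource"), detail.get("eventName")))
    if check is None:
        return None
    label, flag_key, id_key, remediation = check
    encrypted = _flag(detail, flag_key)
    finding = {
        "resource_type": label,
        "resource_id": (detail.get("responseElements") or {}).get(id_key, "<unknown>"),
        "principal": (detail.get("userIdentity") or {}).get("arn", "<unknown>"),
        "source_ip": detail.get("sourceIPAddress"),
        "encrypted": encrypted,
        "actions": [],
    }
    if not encrypted:
        finding["actions"] = ["notify via SNS", "tag resource NonCompliant", remediation]
    return finding


def handler(event, context=None):
    """Lambda entry-point shape. Returns the finding so it can be logged and
    tested; a deployed version would call sns.publish / ec2.delete_volume here."""
    return evaluate_event(event)


# Constructed sample events (not captured from a real account).
SAMPLE_UNENCRYPTED_VOLUME = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com", "eventName": "CreateVolume",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/builder"},
        "requestParameters": {"size": "100", "availabilityZone": "ap-northeast-2a"},
        "responseElements": {"volumeId": "vol-0example", "encrypted": False},
    },
}
SAMPLE_ENCRYPTED_DB = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "rds.amazonaws.com", "eventName": "CreateDBInstance",
        "sourceIPAddress": "55.55.1.2",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/dba"},
        "requestParameters": {"dBInstanceIdentifier": "ledger-db", "storageEncrypted": True},
        "responseElements": {"dBInstanceIdentifier": "ledger-db", "storageEncrypted": True},
    },
}
SAMPLE_UNRELATED = {"detail-type": "AWS API Call via CloudTrail",
                    "detail": {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeVolumes"}}

if __name__ == "__main__":
    for ev in (SAMPLE_UNENCRYPTED_VOLUME, SAMPLE_ENCRYPTED_DB, SAMPLE_UNRELATED):
        print(handler(ev))
```

The handler fails closed: a record with no boolean encryption flag at all is reported as unencrypted, so a gap in the event schema produces a notification rather than silence.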

Page 29: Log-in anomaly event – Detect

CloudFormation metric filter on the CloudTrail log group; 55.55.* is the address range from which console logins are expected, so any ConsoleLogin from elsewhere increments the metric:

    "ConsoleSignInAnomalyMetricFilter": {
      "Type": "AWS::Logs::MetricFilter",
      "Properties": {
        "LogGroupName": { "Ref": "LogGroupName" },
        "FilterPattern": "{ ($.eventName = ConsoleLogin) && ($.sourceIPAddress != 55.55.*) }",
        "MetricTransformations": [
          {
            "MetricNamespace": "CloudTrailMetrics",
            "MetricName": "ConsoleSignInAnomalyCount",
            "MetricValue": "1"
          }
        ]
      }
    },

Page 30: Log-in anomaly event – Recover

Add null IAM policy to the user (Deny all permissions):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": ["*"],
          "Resource": ["*"]
        }
      ]
    }

Page 31: Log-in anomaly event – Investigate

Look in CloudTrail – determine what events happened after the ConsoleLogin.

Page 32: Log-in anomaly event – Protect

Add Condition statements to IAM:

    "Condition": {
      "IpAddress": {
        "aws:SourceIp": ["55.55.0.0/16"]
      }
    }
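The four steps on pages 29 to 32 (Detect, Recover, Investigate, Protect) carried through offline, as an added example that is not part of the slides: the detection mirrors the metric filter's `$.sourceIPAddress != 55.55.*` test against the slides' 55.55.0.0/16 range, the recover step builds the null (deny-all) policy, the investigate step lists what the same user did after the suspicious ConsoleLogin, and the protect step builds a statement carrying the IpAddress condition. The CloudTrail records are constructed samples, and the function names and the response-plan layout are assumptions.

```python
# Added example, not the slides' or AWS's code. Walks a set of constructed
# CloudTrail records through Detect / Recover / Investigate / Protect.
import ipaddress
import json
from datetime import datetime

TRUSTED_NETWORK = ipaddress.ip_network("55.55.0.0/16")  # the slides' range

# Constructed sample records (not real log data), in CloudTrail's field layout.
SAMPLE_RECORDS = [
    {"eventTime": "2017-01-13T02:20:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "55.55.12.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2017-01-13T02:31:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2017-01-13T02:33:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2017-01-13T02:35:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2017-01-13T02:40:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "55.55.3.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def _parse_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _from_trusted_network(source):
    """Mirror the filter pattern ($.sourceIPAddress != 55.55.*): anything that is
    not an address inside the trusted range, including non-address values such
    as 'AWS Internal', counts as outside it."""
    try:
        return ipaddress.ip_address(source) in TRUSTED_NETWORK
    except ValueError:
        return False


# Detect: console logins whose source is outside the trusted range.
def detect_anomalous_logins(records):
    return [r for r in records
            if r.get("eventName") == "ConsoleLogin"
            and not _from_trusted_network(r.get("sourceIPAddress", ""))]


# Recover: the null policy from the slides, to attach to the affected user.
def null_policy():
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": ["*"], "Resource": ["*"]}]}


# Investigate: what the same user did after the suspicious login.
def events_after_login(records, login):
    user = login["userIdentity"].get("userName")
    t0 = _parse_time(login)
    later = [r for r in records
             if r["userIdentity"].get("userName") == user and _parse_time(r) > t0]
    return sorted(later, key=_parse_time)


# Protect: an Allow statement carrying the slides' IpAddress condition, so the
# permission only applies to calls made from the trusted range.
def ip_restricted_policy(actions, resources, cidrs=("55.55.0.0/16",)):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions),
                           "Resource": list(resources),
                           "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}}}]}


def respond(records):
    """Tie the steps together: one response plan per anomalous login."""
    plans = []
    for login in detect_anomalous_logins(records):
        plans.append({
            "user": login["userIdentity"].get("userName"),
            "login_ip": login.get("sourceIPAddress"),
            "quarantine_policy": null_policy(),
            "events_after_login": [r["eventName"] for r in events_after_login(records, login)],
        })
    return plans


if __name__ == "__main__":
    print(json.dumps(respond(SAMPLE_RECORDS), indent=2))
    print(json.dumps(ip_restricted_policy(["s3:ListBucket"], ["*"]), indent=2))
```

On the sample data only bob's login is flagged; the plan for bob carries the deny-all policy and shows the DescribeInstances and CreateUser calls made from the same address after the login, which is exactly what the investigate step on page 31 asks an analyst to look for.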

Page 33: Standardized Environments & Security as Code

AWS CloudFormation + AWS SDK

Page 34: Security Control Matrix

• Security Control Responsibility Matrix (CRM)

Page 35: Standardized Architecture

Page 36: Security Translation to AWS

What you do in any IT environment
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Golden OS images
• Encryption algorithms for data in transit and at rest

AWS JSON translation
• Golden OS
• Network ACLs, subnets, firewall rules