AWS Security Best Practices: Real-world Examples and Common Mistakes
AWS Frederick Meetup, Tuesday, 19th July 2016
Gaurav Pal & Madhu Joshi
SaaS, Security and AWS
2PROPRIETARY AND CONFIDENTIAL INFORMATION OF STACKARMOR
Gaurav "GP" Pal, CEO and Founder
• Cloud Solutions Architect and Technology Strategist
• Focused on full-stack security and operations management
• Cloud automation and business process acceleration
• Cybersecurity policies, procedures and tactics
Supported the first AWS cloud migration in 2009 for Recovery.gov and has successfully led multiple large enterprise cloud modernization programs in regulated industries, Financial Services and Healthcare.
www.stackArmor.com
@cloudpalgp
https://www.linkedin.com/in/[email protected]
AWS Automation & Security
Madhu Joshi, CTO
• Cloud Solutions Architect and Technology Strategist
• Focused on full-stack security and operations management
• Cloud automation and business process acceleration
• Educator, trainer and professor at JHU
What we do
Business Landscape
• Data breaches are "daily" news
• Regulators are starting to take notice
  ◦ FTC versus Henry Schein Practice Solutions, Inc - Jan 5th, 2016
  ◦ SEC versus R.T. Jones Capital Equities Management - Sep 22nd, 2015
• NIST Cybersecurity Framework is the "standard of care"
  ◦ http://www.nist.gov/cyberframework/
  ◦ HIPAA, FISMA, FedRAMP, PCI-DSS, ISO 27001
• Cybersecurity is a Board-level issue
Technology Landscape
• AWS/Cloud "takes care of everything"!!
  ◦ Shared Responsibility Model
• Managed services and processes required
  ◦ Patching and vulnerability management
  ◦ Boundary protection and monitoring
  ◦ Logging and centralized log analysis
  ◦ Backups/restore
• Most SaaS shops are strong on Dev but weak on Ops
• Network engineering, security zoning, boundary protection and enclave hardening are not well understood
What??
"…while doing cloud hosting cost analysis for a venture-funded start-up with $8 million of VC capital, we noticed heavy data egress charges. A simple analysis revealed that a hacker had penetrated the platform and downloaded the firm's database and IP. The vulnerability was traced to an un-patched server."
"The technology team of a SaaS startup with Fortune 500 customers is operating their environment in a cloud environment without any intrusion detection and prevention systems such as web application firewalls, thereby creating third-party risk."
"…a SaaS startup exposed their access secret key in their web application in plain view for anyone to access. This could have allowed someone to wipe out the firm's entire production and operational platform…"
Hmm…
Top Security "Boo boos": common poor security mistakes, with comments
1. Creating unnecessary access and secret keys for IAM users
   Comment: Console users don't need keys.
2. Using developer keys instead of instance roles for accessing instances
   Comment: Use IAM roles, which provide temporary credentials, to separate access to AWS resources.
3. Wide open inbound rules in security groups
   Comment: Restrict entry to specific ports and IP addresses as required.
4. Lack of restrictions on production instances
   Comment: Any user can perform actions on production instances. Provision IAM roles that allow for separation of duties.
5. Poor segmentation and zoning of application and data components into public and private sub-nets
   Comment: Proper zoning through sub-nets allows for segregating netflow and blackholing requests in the event of an attack.
6. Lack of boundary protection (IDS, IPS, VPN)
   Comment: Consider using WAF, IPS/IDS and VPN solutions.
7. Inconsistent patch management and vulnerability scanning
   Comment: Create an information security policy with a patching schedule, roles, responsibilities and reporting.
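An added example, not code from the slides or from stackArmor: offline checks for mistakes 1 and 3 above, run over constructed records shaped like the responses of boto3's IAM and EC2 describe calls. The merged per-user record (HasConsolePassword plus AccessKeys) and the list of ports a public tier may expose are assumptions for the example.

```python
# Constructed sample data (assumed shapes modelled on boto3 responses;
# no live AWS calls). Console-password flag and key list are merged
# into one record per user for brevity.
USERS = [
    {"UserName": "alice", "HasConsolePassword": True,
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE1", "Status": "Active"}]},
    {"UserName": "ci-deploy", "HasConsolePassword": False,
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE2", "Status": "Active"}]},
    {"UserName": "bob", "HasConsolePassword": True, "AccessKeys": []},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-mgmt", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Mistake 1: a user with a console password should not also hold active keys.
def console_users_with_active_keys(users):
    return sorted(u["UserName"] for u in users
                  if u["HasConsolePassword"]
                  and any(k["Status"] == "Active" for k in u["AccessKeys"]))

# Mistake 3: inbound rules open to the whole internet (v4 or v6). Ports an
# internet-facing tier legitimately exposes are allowed; any other port open
# to the world, or an all-protocol rule, is a finding.
PUBLIC_OK_PORTS = {80, 443}

def wide_open_ingress(groups, ok_ports=PUBLIC_OK_PORTS):
    findings = []
    for g in groups:
        for p in g["IpPermissions"]:
            world = (any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
                     or any(r["CidrIpv6"] == "::/0" for r in p.get("Ipv6Ranges", [])))
            if not world:
                continue
            if p["IpProtocol"] == "-1":  # all protocols, all ports
                findings.append((g["GroupId"], "all", "all"))
            elif not set(range(p["FromPort"], p["ToPort"] + 1)) <= ok_ports:
                findings.append((g["GroupId"], p["IpProtocol"],
                                 f"{p['FromPort']}-{p['ToPort']}"))
    return findings
```

Against live data, feed the same functions the output of iam.list_users/get_login_profile/list_access_keys and ec2.describe_security_groups.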
Vulnerability Scanning
• Good operational hygiene keeps the hacker away!?!
Logging and Monitoring…
• AWS VPC Flow Logs
  ◦ Most Talkers
  ◦ Rejected Traffic
• AWS CloudTrail
  ◦ Who deleted my instances?
  ◦ Who is asking for old or deleted keys?
• AWS Config
  ◦ Configuration Management
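An added example, not from the slides or stackArmor: the two VPC Flow Log questions above (top talkers, rejected traffic) answered over a handful of constructed lines in the default flow log record format. The egress-heavy talker in the sample mirrors the "heavy data egress charges" story earlier in the deck; addresses and byte counts are made up.

```python
from collections import Counter

# Constructed sample in the default VPC Flow Log field order. The last line
# is a NODATA record, whose value fields are '-' and must be skipped.
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.12 93.184.216.34 45000 443 6 10 4000 1468933200 1468933260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 54321 22 6 3 180 1468933200 1468933260 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 54322 22 6 3 180 1468933261 1468933320 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 54323 3389 6 2 120 1468933261 1468933320 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.12 203.0.113.99 45001 443 6 400 900000 1468933200 1468933260 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1468933321 1468933380 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_logs(text):
    """Parse default-format flow log lines; drop malformed and NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records

def top_talkers(records, n=5):
    """Source addresses ranked by accepted bytes sent: the 'most talkers' view."""
    by_src = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            by_src[r["srcaddr"]] += r["bytes"]
    return by_src.most_common(n)

def rejected_traffic(records):
    """(source, destination port) pairs the security groups / NACLs rejected."""
    return Counter((r["srcaddr"], r["dstport"])
                   for r in records if r["action"] == "REJECT").most_common()
```

Flow logs delivered to CloudWatch Logs or S3 can be fed to the same functions line by line; a sudden new entry at the top of top_talkers is the signal the egress-charge story above was found by accident.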
Full-stack Approach
Advanced VPC Connectivity Options
• VPC Refresher
• VPC Peering
• Transit VPC
• Shared Services VPC
• Partial-Mesh
• Direct Connect, Transitive VPC
VPC Refresher
VPC Refresher
Route table (VPC-local traffic only):
Destination   Target
10.0.0.0/16   local

VPC Refresher

Public subnet route table (default route to the Internet Gateway):
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     igw

Private subnet route table (no route out of the VPC):
Destination   Target
10.0.0.0/16   local

VPC Refresher

Public subnet route table:
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     igw

Private subnet route table (outbound only, via a NAT instance):
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     nat-instance-id
VPC Refresher
VPC Peering
Shared-Services VPC
Transit VPC
Virtual appliances such as Cisco 1000V, Fortigate, Palo Alto, Sophos
Partial-Mesh VPC
Direct-Connect, Transitive VPC
DoD STIG Process
• The Defense Information Systems Agency (DISA) maintains the security posture for DoD IT systems
• Security Technical Implementation Guides (STIGs) are guidelines for hardening
  ◦ OS
  ◦ Databases
  ◦ Applications
  ◦ Web Servers
• Recommendations change the configuration settings and parameters of these services
DoD STIG Process
• Potentially hundreds of settings / recommendations
• Each has an ID # and a severity category (CAT 1 to CAT 3)
• Most of the changes need to be made manually
• Verification of STIG compliance is daunting
  ◦ GoldDisk scan tool for automated verification
  ◦ NIST Security Content Automation Protocol (SCAP)
• Automated tools can provide remediation and/or fixes
• Contact us if you need help with the STIG process for AWS GovCloud deployments
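An added example, not from the slides or stackArmor: triaging the output of an SCAP/XCCDF scan (the format produced by tools such as openSCAP) by STIG severity category, which turns "hundreds of settings" into a CAT I / II / III failure list. The benchmark and rule ids in the embedded result document are constructed placeholders; the severity-to-CAT mapping is DISA's usual convention.

```python
import xml.etree.ElementTree as ET

# Constructed XCCDF 1.2 TestResult fragment (placeholder ids, not a real STIG).
SAMPLE_RESULT = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_stig">
  <TestResult id="xccdf_example_testresult_1">
    <rule-result idref="xccdf_example_rule_SV-1" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_SV-2" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_SV-3" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_SV-4" severity="low"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_SV-5" severity="low"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_SV-6" severity="high"><result>error</result></rule-result>
  </TestResult>
</Benchmark>"""

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
# XCCDF severity -> DISA category (CAT I is the most severe).
CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

def failed_rules(xccdf_text):
    """Return (category, rule id) for every rule whose result is 'fail'.

    'error' and 'unknown' results are not failures but mean the check did not
    run; they are returned separately by unresolved_rules() so they are not lost.
    """
    root = ET.fromstring(xccdf_text)
    failures = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        if rr.findtext("x:result", default="", namespaces=NS) == "fail":
            failures.append((CAT.get(rr.get("severity", "low"), "CAT III"), rr.get("idref")))
    return sorted(failures)

def unresolved_rules(xccdf_text):
    """Rule ids whose check errored or returned unknown; these need a manual look."""
    root = ET.fromstring(xccdf_text)
    return [rr.get("idref") for rr in root.iterfind(".//x:TestResult/x:rule-result", NS)
            if rr.findtext("x:result", default="", namespaces=NS) in ("error", "unknown")]

def summarize(xccdf_text):
    """Count of failed rules per category, for the compliance report."""
    counts = {"CAT I": 0, "CAT II": 0, "CAT III": 0}
    for cat, _ in failed_rules(xccdf_text):
        counts[cat] += 1
    return counts
```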
Tools of our Trade
1. Web Application Firewalls: Fortiweb, Sophos, AWS WAF
2. IDS: Snort
3. Monitoring: Splunk, Elasticsearch, Sensu, Pallera
4. Vulnerability Scanning: Tenable Nessus, Retina, OpenVAS
5. Web Application Scanning: Acunetix
6. Compliance: openSCAP
7. QA/Code Quality: SonarQube
8. Static Code Scanning: CheckMarx
Compliance
Documents and descriptions
• Basic Security Policy: This document provides a basic set of high-level security policies that allow a client to state that they have a security policy in place, and that can serve as an initial baseline.
• Assessment Plan: This is a checklist security assessment, basically a self-assessment with questions asked by an experienced Information Assurance Analyst to demonstrate understanding and maturity of the cybersecurity posture.
• High Level Security Assessment Report: A Security Assessment Report (SAR) that summarizes the scope, approach and high-level findings.
• Vulnerability and Penetration Testing: Automated scans with basic parameters and the auto-generated reports they produce. This includes working with the technology team to re-test and confirm that any technical remediation that has been applied adequately addresses the vulnerabilities found.
• Attestation Letter: Generally speaking, an external third party should be engaged to execute the assessment and asked to provide an attestation letter that describes the nature of the assessment, the findings and the remediation conducted.
Trusted Cloud Solutions
Many organizations are looking for trusted and secure cloud hosting solutions and need the agility to quickly consume cloud application services. stackArmor has developed https://stackbuilder.stackArmor.com as an easy-to-use deployment automation service that incorporates advanced security capabilities, a pre-configured VPC, management services and support services.
questions?
Gaurav “GP” Pal
Founder
www.stackArmor.com
Tel: (571) 271 4396
Email: [email protected]
Madhu Joshi
CTO
www.stackArmor.com
Tel: (703) 402-6105
Email: [email protected]