Amazon Web Services Federation Integration Governance Workshop with Layer 7
Amazon Web Services - Federal
Sri Vasireddy, Federal Solutions Architect

Certifications & Accreditations
• Sarbanes-Oxley (SOX) compliance
• ISO 27001 certification
• PCI DSS Level 1 certification
• HIPAA-compliant architecture
• SAS 70 Type II audit
• FISMA Low ATO
• Pursuing FISMA Moderate ATO
• Pursuing DIACAP MAC II Sensitive
• Pursuing FedRAMP
Service Health Dashboard
Shared Responsibility Model
Customer/SI partner/ISV controls:
• Guest OS-level security, including patching and maintenance
• Application-level security, including password and role-based access
• Host-based firewalls, including intrusion detection/prevention systems
• Encryption/decryption of data; hardware security modules
• Separation of access

Physical Security
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)

Management Plane Administrative Access
• Multi-factor, controlled, need-based access to administrative hosts
• All access logged, monitored, reviewed
• AWS administrators DO NOT have access inside a customer's VMs, including applications and data
AWS Cloud Security Model Overview
VM Security
• Multi-factor access to the Amazon account
• Instance isolation
  • Customer-controlled firewall at the hypervisor level
  • Neighboring instances prevented from accessing each other
  • Virtualized disk management layer ensures only account owners can access storage disks (EBS)
• Support for SSL endpoint encryption for API calls
Network Security
• Instance firewalls are configured as security groups; traffic may be restricted by protocol, by service port, and by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
• Virtual Private Cloud (VPC) provides IPsec VPN access from the existing enterprise data center to a set of logically isolated AWS resources.
AWS Certifications
• Sarbanes-Oxley (SOX)
• SAS 70 Type II audit
• PCI Data Security Standard compliance
• Working on FISMA A&A: NIST Low Approvals to Operate; actively pursuing NIST Moderate
  • ATOs in progress at several agencies
  • ST&E and Moderate controls available now for incorporation into the SSP
• Actively pursuing FedRAMP (includes DIACAP MAC II Sensitive)
• ISO 27001 certification
• Customers have deployed various compliant applications, such as HIPAA (healthcare)
Customer Decides Where the Data Resides
Amazon Web Services: Durable & Available
Diagram: regions, each with multiple Availability Zones: US East (A, B, C), US West (A, B), GovCloud (US) (A, B), EU West (A, B), Singapore (A, B), Japan (A, B).
Note: Conceptual drawing only. The number of Availability Zones may vary.
Three Services: Better Together
Diagram: Elastic Load Balancer, CloudWatch and Auto Scaling working together; CloudWatch metrics (latency, utilization) drive Auto Scaling behind the load balancer.
Server icons courtesy of http://creativecommons.org/licenses/by-nd/3.0/.

COOP and DR
Diagram: EC2 instances with ephemeral storage in Availability Zones A and B of US East, EBS snapshots and network I/O to Amazon S3, with Amazon S3 in US West as well.

We Can Do Even Better..
Load Balancer
AWS Multi-Factor Authentication
• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
• Additional protection for account information
• Works with the master account and IAM users
• Integrated into the AWS Management Console, key pages on the AWS Portal, and S3 (secure delete)
A recommended opt-in security feature!
AWS Identity and Access Management (IAM)
• Users and groups within accounts
• Unique security credentials: access keys, login/password, MFA device
• Policies control access to AWS APIs; deep integration into S3 policies on objects and buckets
• AWS Management Console now supports IAM user log-on
• Not for operating-system or application users: use LDAP, Active Directory, ADFS, etc. for those
Identity Federation Sample
Use case: an enterprise employee signs in with his normal credentials and accesses S3 through an enterprise application.
• IIS set up for enterprise authentication against Active Directory
• Client application accesses S3 with read-only access
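The identity-broker pattern behind this sample and the IAM policy slide above, as an added example (not code from the slides or from AWS): once IIS has authenticated the employee against Active Directory, a broker hands STS a scoped-down, read-only S3 policy for that user and returns temporary credentials to the client application. The bucket name, the per-user prefix layout, and the simplified policy evaluator are assumptions made for illustration; the evaluator models IAM's explicit-deny/allow/implicit-deny logic and one condition key only.

```python
"""Identity-broker sketch for the AD -> S3 read-only federation use case.

Added example, not code from the slides or from AWS. Bucket name, prefix
layout and the simplified evaluator are assumptions for illustration.
"""
import fnmatch
import json
from typing import Optional

BUCKET = "example-corp-reports"  # assumed bucket, not from the slides


def read_only_s3_policy(bucket: str, user: str) -> dict:
    """Least-privilege session policy for one federated employee.

    Allow listing the bucket (only under the user's own prefix) and reading
    objects under that prefix. Writes are explicitly denied on top of the
    implicit deny, so the session can never exceed read-only even if the
    broker's own permissions are widened later.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{user}/*"]}},
            },
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{user}/*",
            },
            {
                "Effect": "Deny",
                "Action": ["s3:Put*", "s3:Delete*"],
                "Resource": "*",
            },
        ],
    }


def federation_request(user: str, bucket: str = BUCKET) -> dict:
    """Keyword arguments a broker would pass to STS GetFederationToken.

    The session's effective permissions are the intersection of the broker's
    own permissions and this policy, so the broker's IAM user still needs S3
    read access. Call only after IIS/AD authentication has succeeded.
    """
    return {
        "Name": user[:32],  # federated user name, 2-32 characters
        "Policy": json.dumps(read_only_s3_policy(bucket, user)),
        "DurationSeconds": 3600,
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str,
               prefix: Optional[str] = None) -> bool:
    """Simplified IAM decision: explicit Deny wins, then any matching Allow,
    otherwise implicit deny. Wildcards * and ? follow IAM semantics (a * in a
    resource ARN also spans '/'). Only the StringLike s3:prefix condition is
    modelled; a statement carrying it never matches a request that has no
    prefix, mirroring how IAM treats a missing condition key.
    """
    decision = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None:
            if prefix is None or not any(fnmatch.fnmatchcase(prefix, p) for p in wanted):
                continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    policy = read_only_s3_policy(BUCKET, "alice")
    arn = f"arn:aws:s3:::{BUCKET}"
    print("get own object :", is_allowed(policy, "s3:GetObject", f"{arn}/alice/q1.pdf"))
    print("get bob's obj  :", is_allowed(policy, "s3:GetObject", f"{arn}/bob/q1.pdf"))
    print("put own object :", is_allowed(policy, "s3:PutObject", f"{arn}/alice/q1.pdf"))
    print("list own prefix:", is_allowed(policy, "s3:ListBucket", arn, prefix="alice/"))
    print("list whole bkt :", is_allowed(policy, "s3:ListBucket", arn))
```

The point of the explicit Deny and the prefix condition is that the federated session, not the enterprise application, carries the least-privilege boundary: even a bug in the client application cannot turn read-only access into writes or let one employee list another's prefix.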
Amazon VPC Architecture
Diagram: the customer's network (router) connects over a secure VPN connection over the Internet to a VPN gateway fronting the customer's isolated AWS resources in VPC subnets, with NAT for Internet access.
AWS GovCloud (US) Access
AWS will screen customers prior to providing access to AWS GovCloud (US). Customers must be U.S. Persons, must not be subject to export restrictions, and must comply with U.S. export control laws and regulations, including the International Traffic in Arms Regulations (ITAR).
AWS Deployment Models
Isolation features across the deployment models:
• Logical server and application isolation
• Granular information access policy
• Logical network isolation
• Physical server isolation
• Government-only physical network and facility isolation
• ITAR compliant (US Persons only)
Sample workloads:
• Commercial Cloud: public-facing apps, web sites, dev/test, etc.
• Virtual Private Cloud (VPC): data center extension, TIC environment, email, FISMA Low and Moderate
• AWS GovCloud (US): US Persons-compliant and government-specific apps
Amazon EC2 Instance Isolation
Diagram: customers 1 to n run on a shared hypervisor; the physical interfaces are mapped to per-customer virtual interfaces through a firewall that enforces each customer's own security groups.
Launching EC2
Multi-tier Security Architecture
Diagram: web tier, application tier, database tier (EBS volumes).
• Ports 80 and 443 only open to the Internet
• All other Internet ports blocked by default
• Engineering staff have ssh access to the App Tier, which acts as bastion
• Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier
Amazon EC2 Security Group Firewall
AWS provides a private network, with ssh support, for access between tiers; security groups can restrict which tiers may reach which.
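The security-group semantics the multi-tier slide relies on (and that the Network Security slide describes), as an added example that is not AWS code or a real simulator: a security group is a stateful allow-list whose rules name a protocol, a port range and a source that is either a CIDR block or another security group, and anything not listed is blocked. The group names, the corporate egress range and the app-tier port are assumptions made for illustration; the audit function checks the "all other Internet ports blocked" rule against the model.

```python
"""Security-group model for the three-tier layout on the slide.

Added example, not AWS code. Group names, the corporate range (TEST-NET-3)
and the app port are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    proto: str
    from_port: int
    to_port: int
    source: str  # CIDR such as "0.0.0.0/0", or another group's name


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)


ANY = "0.0.0.0/0"
CORP = "203.0.113.0/24"  # constructed corporate egress range, assumption


def three_tier() -> Dict[str, SecurityGroup]:
    """Groups matching the slide: 80/443 from anywhere to web; app reachable
    from web and acting as the ssh bastion for staff; db reachable only from
    app, including the ssh granted to third parties through the bastion."""
    return {
        "web": SecurityGroup("web", [Rule("tcp", 80, 80, ANY),
                                     Rule("tcp", 443, 443, ANY)]),
        "app": SecurityGroup("app", [Rule("tcp", 8080, 8080, "web"),
                                     Rule("tcp", 22, 22, CORP)]),
        "db": SecurityGroup("db", [Rule("tcp", 3306, 3306, "app"),
                                   Rule("tcp", 22, 22, "app")]),
    }


def permits(sg: SecurityGroup, proto: str, port: int,
            src_ip: Optional[str] = None,
            src_group: Optional[str] = None) -> bool:
    """True if some ingress rule admits the flow. A rule whose source is a
    CIDR is matched against src_ip; a rule whose source is a group name is
    matched against the sender's group, as EC2 does. Groups are stateful,
    so return traffic needs no rule of its own."""
    for r in sg.ingress:
        if r.proto != proto or not r.from_port <= port <= r.to_port:
            continue
        if "/" in r.source:
            if src_ip is not None and (
                    ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.source)):
                return True
        elif src_group is not None and r.source == src_group:
            return True
    return False


def world_exposed(groups: Dict[str, SecurityGroup],
                  allowed=frozenset({80, 443})) -> List[str]:
    """Audit for the slide's 'all other Internet ports blocked' rule: report
    every port range open to 0.0.0.0/0 that is not on the allow-list."""
    findings = []
    for sg in groups.values():
        for r in sg.ingress:
            ports = set(range(r.from_port, r.to_port + 1))
            if r.source == ANY and not ports <= allowed:
                findings.append(f"{sg.name}: {r.proto} {r.from_port}-{r.to_port} open to {ANY}")
    return findings


if __name__ == "__main__":
    g = three_tier()
    print("Internet -> web:443 :", permits(g["web"], "tcp", 443, src_ip="198.51.100.7"))
    print("Internet -> db:3306 :", permits(g["db"], "tcp", 3306, src_ip="198.51.100.7"))
    print("app -> db:3306      :", permits(g["db"], "tcp", 3306, src_group="app"))
    print("web -> db:3306      :", permits(g["db"], "tcp", 3306, src_group="web"))
    print("corp -> app:22      :", permits(g["app"], "tcp", 22, src_ip="203.0.113.10"))
    print("audit findings      :", world_exposed(g))
```

Referencing the source group instead of an IP range is what makes the tiers hold when instances are replaced by Auto Scaling: a new app instance inherits the right to reach the database by joining the app group, and nothing outside that group does.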
Network Traffic Confidentiality
Diagram: Amazon EC2 instances with encrypted file system and encrypted swap file; corporate network connected to the instances by VPN, with Internet traffic shown separately.
• All traffic should be cryptographically controlled
• Inbound and outbound traffic to corporate networks should be wrapped within industry-standard VPN tunnels (option to use Amazon VPC)
Cloud Federation, Integration and Governance
Agenda
• The Role of Policy Enforcement in Governing the Cloud
• Layer 7's Cloud Security and Governance Solution
• Conclusion & Questions
Current App Environment
Diagram: enterprise on-premises IT behind a DMZ firewall; internal apps reached from NIPRNet or SIPRNet; identity managed on-premises.

Move Cloudable App onto Amazon
Diagram: an internal service host stays on-premises behind the DMZ firewall while the cloudable application moves to Amazon; identity for the cloud application is left as an open question ("Identity??").

Policy Enforcement on Amazon
Diagram: a PEP in the enterprise DMZ and a virtual PEP in front of the cloud application.

Federate Identity
Diagram: the enterprise identity repository issues SAML, which is exchanged between the on-premises PEP and the virtual PEP so the cloud application consumes enterprise identity rather than a second credential store.

API Mediation
Diagram: SOAP, REST, or JSON traffic between the internal service host and the cloud application passes through the PEP and the virtual PEP.

Monitoring
Diagram: same topology; the PEP and the virtual PEP are the monitoring points for traffic between the enterprise and the cloud application.

Putting it all Together for Cloud Governance
Diagram: a Layer 7 virtual appliance on Amazon EC2 in front of several EC2 instances; employees are authenticated through the enterprise identity infrastructure (LDAP, SSO, MS AD, STS, etc.); the appliance monitors and reports, controls, and adapts.