Architecting end-to-end security at the corporate level
Mauricio Muñoz, Solutions Architect
August 2017
[Reference architecture diagram (AWS Quick Start for NIST): a Management VPC spanning us-east-1b and us-east-1c with a Bastion host and NAT for Users; CloudTrail, AWS Config Rules and CloudWatch Alarms write to an Archive Logs Bucket with S3 Lifecycle Policies to Glacier; potential use for security appliances for monitoring, logging, etc.]
http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/overview.html
What to expect from this session?
• Security architecture
  • Framework
  • Key points
• What does "end to end" mean?
  • Definition
  • Translation skills
• Examples of security controls implemented "end to end"
[Diagram: AWS Cloud Adoption Framework perspectives (Business, People, Process, Platform, Operating, Security). Security Perspective components: 1. Identity & Access Management, 2. Detective Controls, 3. Infrastructure Security, 4. Data Protection, 5. Incident Response.]
Security Perspective
COMPONENTS:
• Establish the security directives
• Identify preventive measures
• Inspect for and detect possible policy violations
• Create playbooks to respond to security events
[Diagram: augmented security epics (6 to 10) added to the Cloud Adoption Framework (CAF) Security Perspective: SecDevOps CI/CD, Compliance / Validation, Resilience, Config & Vulnerability Analysis, Security Big Data & Analytics.]
Security as "Epics" and a flow of "Sprints"
[Diagram: Inputs / pre-work (Security & Compliance Workshop, Security IR Simulation) feed the Security & Compliance epic (1. Shared Responsibility Model, 2. Security Cartography, 3. 3rd Party Oversight); the epics Identity & Access Mgt., Detective Controls, Infrastructure Security, Data Protection and Incident Response are then scheduled across Sprints 1 to 8.]
[Lifecycle diagram: Requirements -> "End to end" criteria -> Feedback -> Improvement cycle (broaden scope, greater efficiency; correct deficiencies, remediate) -> back to Requirements.]
Translation skills
• Read the "source code" (the control framework itself, not a summary of it)
• Compliance people can code / developers can read control frameworks
• Document, document, document...
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Translation skills – Account management
NIST 800-53 Access Control Family (AC)
AC-2 Account Management
Control: The organization:
a. [...];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [...] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts [...];
• [1] – NIST Special Publication 800-53 Revision 4; Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Translation skills – Account management (word reduction)
Verb                                    | Noun
Assign                                  | Account managers
Establish                               | Groups and roles
Specify                                 | Privileges and attributes
Require                                 | Approvals
Create, enable/disable, modify, remove  | Accounts
Account management: "End to end"
[Lifecycle diagram: Improvement cycle (least privilege, need to know; correct deficiencies, remediate).]
IAM policy – Example
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html
Cross-account access federation
[Diagram: users authenticate through a Portal / directory against a central Security account and assume Roles in the Resource accounts; no long-lived credentials live in the resource accounts.]
AWS Organizations: Service Control Policies (SCP)
• Define which services (and API actions) can be used in the accounts they cover. An SCP never grants permissions by itself: it sets the maximum an IAM identity in the account can be granted, so the identity still needs an IAM policy that allows the action.
• SCPs can be applied at the level of: the Organization root, OUs, an individual AWS account
• SCPs are inherited down the tree (Organization root -> OU -> AWS account); an action is only available if every level on the path allows it and none denies it
[Diagram: AWS Organizations tree with OUs Development, Test and Production holding accounts A1 to A9, plus a separate Security account.]
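The following is an added example, not code from the deck and not AWS's real policy evaluation engine. It models the rule the two previous slides describe: SCPs are inherited down the root -> OU -> account path and only bound what an identity in the account may do, while the identity's own IAM policy must still grant the action. It only handles Action/NotAction and Resource matching (no Condition, resource policies or permission boundaries), and every policy, account id and ARN in it is a constructed, hypothetical example.

```python
"""Effective-permission check across AWS Organizations SCPs and IAM policies.

Added example, not the deck's code and not AWS's policy engine. It models
SCP inheritance (intersection of every level on the path) plus the identity
policy. Simplifications: Action/NotAction and Resource only; no Condition,
resource policies or permission boundaries. All policies are constructed.
"""
import re


def iam_match(pattern, value):
    """IAM-style wildcard match: '*' any run, '?' one char (case-insensitive)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _as_list(x):
    return [] if x is None else (x if isinstance(x, list) else [x])


def statement_applies(stmt, action, resource):
    """Does the statement's Action/NotAction and Resource cover this request?"""
    actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
    if actions and not any(iam_match(a, action) for a in actions):
        return False
    if not_actions and any(iam_match(a, action) for a in not_actions):
        return False
    return any(iam_match(r, resource) for r in _as_list(stmt.get("Resource", "*")))


def evaluate_policy(policy, action, resource):
    """'Deny' (explicit), 'Allow', or None (implicit deny) for one document."""
    result = None
    for stmt in _as_list(policy.get("Statement")):
        if statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def evaluate_set(policies, action, resource):
    """Combine the policies attached at one level: any Deny wins, else any Allow."""
    result = None
    for policy in policies:
        verdict = evaluate_policy(policy, action, resource)
        if verdict == "Deny":
            return "Deny"
        if verdict == "Allow":
            result = "Allow"
    return result


def is_allowed(scp_chain, identity_policies, action, resource):
    """scp_chain: list of SCP lists, one per level from the root down to the
    account. The request must be allowed at every level (inheritance works as
    an intersection) and then by the identity's own policies."""
    for level in scp_chain:
        if evaluate_set(level, action, resource) != "Allow":
            return False
    return evaluate_set(identity_policies, action, resource) == "Allow"


FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed OU-level guardrail: nobody inside the OU can switch off the audit trail.
PROTECT_TRAIL_SCP = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
    "Resource": "*"}]}

# Constructed identity policy for a developer role; cloudtrail:* is deliberately over-broad.
DEVELOPER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
]}


def example_chain():
    """Root -> 'Workloads' OU -> member account, each with its attached SCPs (constructed)."""
    return [[FULL_ACCESS], [FULL_ACCESS, PROTECT_TRAIL_SCP], [FULL_ACCESS]]


if __name__ == "__main__":
    chain = example_chain()
    for action, resource in [
        ("ec2:DescribeInstances", "*"),
        ("cloudtrail:StopLogging", "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail"),
        ("s3:GetObject", "arn:aws:s3:::app-bucket/config.json"),
        ("iam:CreateUser", "arn:aws:iam::123456789012:user/new-user"),
    ]:
        print(action, resource, "->", is_allowed(chain, [DEVELOPER_POLICY], action, resource))
```

The point the example makes is the one to check in a real organization: the developer role is granted cloudtrail:* by its own policy, yet StopLogging is still refused because the OU's SCP denies it, and iam:CreateUser is refused even though every SCP on the path allows it, because no identity policy grants it. Before relying on this in production, test the real policies with the IAM policy simulator rather than a model like this one.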
Translation skills – Detective controls
NIST 800-53 Audit & Accountability Family (AU)
AU-6 Audit Review, Analysis, and Reporting
Control: The organization:
a. Reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity;
b. Reports findings to organization-defined personnel or roles.
• [1] – NIST Special Publication 800-53 Revision 4; Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Detective controls: "End to end"
[Lifecycle diagram: Improvement cycle (new rules, extended scope; correct deficiencies, remediate).]
Exploratory analysis – Using VPC Flow Logs to detect abnormal behaviour (beaconing)
[Histogram: granularity in seconds]
[Histogram: granularity of 20 minutes]
• Analyzing the flows at a scale of seconds or milliseconds shows no pattern.
• Consolidating the data at a granularity of 20 minutes gives a clear view of the pattern.
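The two histograms above, as an added example that is not part of the deck: the same flow records are bucketed per source/destination pair at one-second and at 20-minute granularity, and a pair whose per-bucket count is nearly constant is flagged as beaconing. The flow log lines are constructed inline in the default VPC Flow Logs version 2 field order; the account id, ENI id and addresses are made up.

```python
"""Beaconing detection over VPC Flow Log records.

Added example, not from the deck. The flow log lines are constructed inline
(hypothetical account id, ENI id and addresses). The detector compares the
flow count per (srcaddr, dstaddr) pair across time buckets of two sizes, as
the histogram slides do: a host calling home every 20 minutes produces a
nearly constant count per 20-minute bucket and no visible pattern per second.
"""
from collections import defaultdict
import random
import statistics

# Default VPC Flow Logs (version 2) field order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

WINDOW = 24 * 3600        # analysis window in seconds (one day)
BEACON_PERIOD = 20 * 60   # the 20-minute cadence shown on the slide's histogram


def parse_flow_log(line):
    """Parse one space-separated flow log record into a dict."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    for field in INT_FIELDS:
        rec[field] = int(rec[field])
    return rec


def make_line(src, dst, start, dport=443):
    """Build a constructed flow log line (account id and ENI id are hypothetical)."""
    return ("2 123456789012 eni-0a1b2c3d4e5f6a7b8 %s %s 51234 %d 6 10 1500 %d %d ACCEPT OK"
            % (src, dst, dport, start, start + 1))


def constructed_records(seed=7):
    """One day of constructed traffic: a 20-minute beacon plus random noise."""
    rng = random.Random(seed)
    lines = []
    # Beacon: one flow every 20 minutes with +/-30 s jitter, phased at mid-bucket.
    t = BEACON_PERIOD // 2
    while t < WINDOW:
        lines.append(make_line("10.0.1.25", "198.51.100.77", t + rng.randint(-30, 30)))
        t += BEACON_PERIOD
    # Noise: the same number of flows to the same port, at uniformly random times.
    for _ in range(WINDOW // BEACON_PERIOD):
        lines.append(make_line("10.0.1.26", "203.0.113.9", rng.randrange(WINDOW)))
    return [parse_flow_log(line) for line in lines]


def histogram(records, bucket_seconds):
    """Flow count per (srcaddr, dstaddr) per time bucket, empty buckets included."""
    nbuckets = WINDOW // bucket_seconds
    hist = defaultdict(lambda: [0] * nbuckets)
    for rec in records:
        bucket = (rec["start"] % WINDOW) // bucket_seconds
        hist[(rec["srcaddr"], rec["dstaddr"])][bucket] += 1
    return hist


def regularity_score(counts):
    """Coefficient of variation of the bucket counts; near 0 means a steady cadence."""
    mean = statistics.fmean(counts)
    if mean == 0:
        return float("inf")
    return statistics.pstdev(counts) / mean


def detect_beacons(records, bucket_seconds, max_cv=0.3, min_flows=24):
    """Return the (src, dst) pairs whose per-bucket counts are nearly constant."""
    flagged = set()
    for pair, counts in histogram(records, bucket_seconds).items():
        if sum(counts) >= min_flows and regularity_score(counts) <= max_cv:
            flagged.add(pair)
    return flagged


if __name__ == "__main__":
    recs = constructed_records()
    print("1 s buckets:    ", detect_beacons(recs, 1))
    print("20 min buckets: ", detect_beacons(recs, BEACON_PERIOD))
```

Two caveats a practitioner should keep in mind. The bucket width has to match the beacon period: a 20-minute bucket reveals a 20-minute cadence, and jitter larger than half the bucket will smear a beacon into alternating 0 and 2 counts, so in practice one scans several bucket sizes (the slide's 20 minutes being one of them). And a constant-rate legitimate poller (a health check, an NTP client) scores just like malware, so the score is a triage signal to enrich with destination reputation and process context, not a verdict on its own.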
MVP 1 – Batch processing: 20 minutes and daily
[Architecture diagram, reconstructed from the slide labels, with VPC Flow Logs as the source:
1-1. Lambda runs on a schedule; 1-2. Lambda collects ENI data per account
2. Amazon Kinesis Firehose
3. Store raw data in S3
4. Amazon Glacier (archive)
5. EMR 20-minute batch: 5a. Spark data prep application, store in S3; 5b. store enriched data in S3; 5c. k-means; 5d. identify changes
6. Cluster history by host communication
7. "Cluster changed" alarm
8. EMR run daily
9. Spark data prep application, store in S3
10. Daily batch Spark Streaming k-means
11. Hive Metastore
12. Presto on an on-demand EMR and Spark cluster
13. Zeppelin notebook (on EC2)]
Translation skills – Configuration management
NIST 800-53 Configuration Management Family (CM)
CM-2 Baseline Configuration
Control: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time.[1]
• [1] – NIST Special Publication 800-53 Revision 4; Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
• Key sentence: "Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications"
• Keywords (nouns): "Documented [...] sets of specifications"
Component         | Documentation
Network           | Routing tables, firewall rules, load balancer policies, subnets
Operating system  | Version, libraries, patch level
Applications      | Code, build parameters, dependencies, configuration files
• Key sentence: "Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications"
• Keywords (verbs): "[...] formally reviewed and agreed-upon [...]"
Component         | Review (where the formal review and agreement are recorded)
Network           | Tickets, service requests, code commit, pull request
Operating system  | Master image, code commit, build
Applications      | Tickets, code commit, build, pull request
Configuration management: "End to end"
[Lifecycle diagram: Improvement cycle (expand the scope, Service Catalog; correct deficiencies, remediate).]
Configuration management: "End to end" – Example architecture
[Diagram: Control design: an AWS CloudFormation template kept in AWS CodeCommit and deployed through AWS CodePipeline. Control implementation: the resources the template creates (EC2, VPC, Security Groups, RDS, API Gateway). Effectiveness validation: AWS CloudTrail and AWS Config compare what was actually deployed, and any later change, against the reviewed template.]
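The "effectiveness validation" step of that architecture, as an added example that is not code from the deck: the documented baseline (what the reviewed CloudFormation template declares for a security group) is compared against the state observed after deployment (what AWS Config would record), and any drift, in particular a rule opened to the world by hand, turns the verdict NON_COMPLIANT. Both documents are constructed dicts in a simplified, hypothetical shape, not the real CloudFormation or AWS Config schemas.

```python
"""Baseline-vs-observed drift check for a security group.

Added example, not from the deck. The baseline is what the CloudFormation
template in source control declares; the observed state is what AWS Config
recorded after deployment. Both are constructed here as simplified dicts in a
hypothetical shape (not the real CloudFormation or AWS Config schemas).
"""

DIRECTIONS = ("SecurityGroupIngress", "SecurityGroupEgress")


def normalize_rules(rules):
    """Order-independent canonical form: {(protocol, from_port, to_port, cidr)}."""
    out = set()
    for rule in rules:
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        out.add((str(rule["IpProtocol"]), int(rule["FromPort"]), int(rule["ToPort"]), cidr))
    return out


def drift(baseline, observed):
    """Per direction: rules observed but not in the baseline ('added') and vice versa ('removed')."""
    report = {}
    for direction in DIRECTIONS:
        base = normalize_rules(baseline.get(direction, []))
        obs = normalize_rules(observed.get(direction, []))
        report[direction] = {"added": sorted(obs - base), "removed": sorted(base - obs)}
    return report


def is_risky(rule):
    """Anything reachable from the whole Internet other than HTTPS (443/tcp) is high risk."""
    protocol, from_port, to_port, cidr = rule
    world = cidr in ("0.0.0.0/0", "::/0")
    return world and not (protocol == "tcp" and from_port == 443 and to_port == 443)


def evaluate(baseline, observed):
    """Return (verdict, risky additions, full drift report); verdict uses AWS Config rule vocabulary."""
    report = drift(baseline, observed)
    changed = any(v["added"] or v["removed"] for v in report.values())
    risky = [r for v in report.values() for r in v["added"] if is_risky(r)]
    return ("NON_COMPLIANT" if changed else "COMPLIANT"), risky, report


# Constructed baseline: the reviewed template allows HTTPS from anywhere and SSH from the corporate range.
BASELINE_SG = {
    "GroupName": "web-tier",
    "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
    ],
    "SecurityGroupEgress": [
        {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIp": "0.0.0.0/0"},
    ],
}

# Constructed observed state: someone opened SSH to the world by hand after deployment.
OBSERVED_SG = {
    "GroupName": "web-tier",
    "SecurityGroupIngress": BASELINE_SG["SecurityGroupIngress"] + [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
    ],
    "SecurityGroupEgress": BASELINE_SG["SecurityGroupEgress"],
}

if __name__ == "__main__":
    verdict, risky_rules, full_report = evaluate(BASELINE_SG, OBSERVED_SG)
    print(verdict, risky_rules)
```

In the pipeline on the slide this logic would sit in an AWS Config custom rule, with the baseline read from the template at the commit CloudTrail says was deployed and the observed rules taken from the configuration item AWS Config hands the rule; the CloudTrail event that made the change identifies who to ask. Canonicalizing the rules before diffing matters, because rule order and the string-versus-integer port encodings differ between the template and the recorded state and would otherwise show up as false drift.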