AWS Enterprise Summit Netherlands - Infosec by Design
Transcript of AWS Enterprise Summit Netherlands - Infosec by Design
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Wednesday Sept 21st, 2016
Information Security by Design in AWS
Dave Walker, Specialist Solutions Architect, Security and Compliance
Agenda
• “Start Here”
• Standards and Other Requirements
• Control Mapping
• The Enterprise Accelerator Initiative
Industry Best Practices for Securing AWS Resources
CIS Amazon Web Services Foundations
• Architecture-agnostic set of security configuration best practices
• Provides step-by-step implementation and assessment procedures
Compliance: How to work with AWS Certifications
• “The magic’s in the Scoping”
  • If a Service isn’t in scope, that doesn’t necessarily mean it can’t be used in a compliant deployment
  • …but it won’t be usable for a purpose which touches sensitive data
  • See Re:Invent sessions, especially "Navigating PCI Compliance in the Cloud”, https://www.youtube.com/watch?v=LUGe0lofYa0&index=13&list=PLhr1KZpdzukcJvl0e65MqqwycgpkCENmg
• Remember the Shared Responsibility Model
  • “We do our bit at AWS, but you must also do your bit in what you build using our services”
  • Our audit reports make it easier for our customers to get approval from their auditors, against the same standards
  • Liability can’t be outsourced…
Compliance: How to work with AWS Certifications
• Time-based Subtleties:
  • PCI, ISO: point-in-time assessments
  • SOC: assessment spread over time, therefore more rigorous assessment of procedures and operations
  • (AWS Config allows you to make a path between these, for your own auditors)
  • FedRAMP: Continuous Monitoring and Reporting – important proof
• If a service for defined sensitive data isn’t in scope of an audit report, can this be designed around?
  • E.g. standing up a queue system on EC2 as a substitute for SQS…
• Be careful of what elements of a Service are in scope, too…
  • Metadata is typically “out”
SOC 1
• Availability:
  • Audit report available to any customer with an NDA
• Scope:
  • AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
• Sensitive data:
  • N/A
• Particularly good for:
  • Datacentre management, talks about KMS for key management and encryption at rest, discusses Engineering bastions
• Downsides:
  • None
SOC 2
• Availability:
  • Audit report available to any customer with an NDA
• Scope:
  • AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
• Sensitive data:
  • N/A
• Particularly good for:
  • Risk assessment considerations, management visibility and process, organisational structure
• Downsides:
  • None
PCI-DSS
• Availability:
  • Audit report available to any customer with an NDA
• Scope:
  • Amazon EC2, Application Auto Scaling, ELB, Amazon VPC, Amazon Route 53, AWS Direct Connect, Amazon S3, Amazon Glacier, Amazon EBS, Amazon RDS, Amazon DynamoDB, Amazon SimpleDB, Amazon Redshift, Amazon EMR, Amazon SWF, IAM, AWS CloudTrail, AWS CloudHSM, Amazon SQS, Amazon CloudFront, AWS CloudFormation, AWS Elastic Beanstalk, AWS KMS, Amazon ECS, AWS WAF
• Sensitive data:
  • CVV, PAN
• Particularly good for:
  • Forensics cooperation, breach disclosure, explaining Shared Responsibility in depth; also Hypervisor-based instance separation assurance
• Downsides:
  • None (since the August 2015 update, when KMS was added)
ISO 27001
• Availability:
  • Certificate is public at http://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf; Statement of Applicability is normally not available externally
• Scope:
  • AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
• Sensitive data:
  • N/A
• Particularly good for:
  • A broad-ranging “backstop” and important “tick box item” – ISMS considerations (see “Technical and Organisational Measures” later)
• Downsides:
  • No detailed audit report available
ISO 27018
• Availability:
  • Certificate available at https://d0.awsstatic.com/certifications/iso_27018_certification.pdf
• Scope:
  • AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
• Sensitive data:
  • PII
• Particularly good for:
  • Assurance of protection of PII in AWS environments
• Downsides:
  • No detailed audit report available
Others (and Resources):
• ISO 27017: Cloud security recommended practices
• ISO 9001: Quality control
• UK G-Cloud / CESG Security Principles, gov.uk “Cyber Essentials”:
  • See me :) and our whitepaper at https://d0.awsstatic.com/whitepapers/compliance/AWS_CESG_UK_Cloud_Security_Principles.pdf
• IT-Grundschutz: Workbook at https://d0.awsstatic.com/whitepapers/compliance/AWS_IT_Grundschutz_TUV_Certification_Workbook.pdf
• MTCS, IRAP, …: “Other People’s Geos” – we can put you in touch with AWS Specialist Security and Compliance SAs there as needed; there are also some whitepapers.
• EU Data Protection Guidance: https://d0.awsstatic.com/whitepapers/compliance/AWS_EU_Data_Protection_Whitepaper.pdf
Auditing – Comparison: on-prem vs on AWS

| on-prem | on AWS |
|---|---|
| Start with bare concrete | Start on base of accredited services |
| Functionally optional – you can build a secure system without it | Functionally necessary – high watermark of requirements |
| Audits done by an in-house team | Audits done by third party experts |
| Accountable to yourself | Accountable to everyone |
| Typically check once a year | Continuous monitoring |
| Workload-specific compliance checks | Compliance approach based on all workload scenarios |
| Must keep pace and invest in security innovation | Security innovation drives broad compliance |
What this means
You benefit from an environment built for the most security sensitive organisations
AWS manages 1,800+ security controls so you don’t have to
You get to define the right security controls for your workload sensitivity
You always have full ownership and control of your data
The AWS Well-Architected Framework
• Increase awareness of architectural best practices
• Addresses foundational areas that are often neglected
• Consistent approach to evaluating architectures
• Composed of:
  • Pillars
  • Design principles
  • Questions
Why a Mapping of Security Controls?
• PCI-DSS
  • Standards for merchants which process credit card payments and have strict security requirements to protect cardholder data. A point-in-time certification.
• SOC 1-3
  • Designed by the “big 4” auditors as an evolution of SSAE16, SAS70 etc., and to address perceived shortcomings in ISO27001. A continuous-assessment certification, covering process and implementation.
• ISO 27001
  • Outlines the requirements for Information Security Management Systems. A point-in-time certification, but one which requires mature processes.
Standards, Controls and Commonality
Controls overlap between standards
• See e.g. https://www.unifiedcompliance.com
AWS master control list and mappings
• 1800+ internal controls
• Mappings to external standards
• Engage auditors, and…
“Principles Rarely Change, but Implementations Do”
• Zeno’s Paradox: Achilles and the Tortoise
• Technology (almost) always leads standards
  • (AWS made 10 feature updates last week – see https://aws.amazon.com/new/ )
• ISO27001, ISO9001, SOC1-3, PCI-DSS (and lots of others) are covered by various AWS services at the infrastructure and container layers – but not all are
• The AWS Marketplace is growing…
AWS Marketplace: One-stop shop for security tools
• Encryption & Key Mgmt
• Server & Endpoint Protection
• Application Security
• Vulnerability & Pen Testing
• Advanced Threat Analytics
• Identity and Access Mgmt
• Network Security
“When I were a Lad…”: Traditional Controls
Service networks looked like: Internet gateway → Elastic Load Balancing → Amazon VPC router → instances
But:
AWS security controls are rather more extensive
• Can’t readily be reduced to a 2D “onion”
• (5 dimensions might about do it…)
So, we have tables
• And they’re not small…
General Headings:
• Infrastructure meta-security
• Host security
• Network security
• Logging and Auditing
• Resilience
• User Access Control and Management
• Cryptography and Key Management
• Incident Response and Forensics
• “Anti-Malware”
• Separation of Duty
• Data Lifecycle Management
• Geolocation
• Anti-DDoS
“Can our current Security Functions be mapped onto AWS?”
AWS Environment Management

| Security function | AWS mapping |
|---|---|
| Logging and Auditing | AWS CloudTrail |
| Asset Management | AWS Config, API |
| Management Access Control | AWS IAM |
| Configuration Management | Web Console, AWS CloudFormation, AWS OpsWorks, CLI, API, SDKs |
| Configuration Monitoring | Amazon CloudWatch |
“Can our current Security Functions be mapped onto AWS?”
Network

| Security function | AWS mapping |
|---|---|
| AWS to Customer Networks | Internet and/or Direct Connect |
| Layer 2 Network Segregation | Amazon VPC |
| Stateless Traffic Management | Network Access Control Lists |
| IPsec VPN | VPC VGW, Marketplace |
| Firewall / Layer 3 Packet Filter | Security Groups |
| IDS/IPS | AWS CloudTrail, CloudWatch Logs, SNS, VPC Flow Logging |
| Managed DDoS Prevention | Included in Amazon CloudFront |
“Can our current Security Functions be mapped onto AWS?”
Encryption, Key Management

| Security function | AWS mapping |
|---|---|
| Data-In-Flight | IPsec or TLS or your own |
| Volume Encryption | Amazon EBS Encryption |
| Object Encryption | Amazon S3 Encryption (Server and Client Side) |
| Key Management | AWS Key Management Service |
| Dedicated HSMs | AWS CloudHSM |
| Database Encryption | TDE (RDS / Oracle EE), Encrypted Amazon EBS (with KMS), Encrypted Amazon Redshift |
“Can our Current Security Functions be mapped onto AWS?”
Data Management

| Security function | AWS mapping |
|---|---|
| Hierarchical Storage | Amazon S3 Lifecycle |
| Deletion Protection | Amazon S3 MFA Delete |
| Versioning | Amazon S3 Versioning |
| Archiving | Amazon Glacier (optionally, with Vault Lock) |
“Can our Current Security Functions be mapped onto AWS?”
Host / Instance Security

| Security function | AWS mapping |
|---|---|
| Traditional Controls | Traditional Controls (mostly) |
| Instance Management | Delete-and-promote |
| Incident Management | More alternatives! |
| Asset Management | “What the API returns, is true” |
| Instance Separation | PCI Level 1 Hypervisor, Dedicated Instances |
• For some functions, AWS architecture will take you in a particular direction – for other functions, AWS architecture allows you to do more interesting things than on-premises.
• You may get considerable benefit from looking “behind the control” to discern the underlying risk, and mitigate it differently.
• Some examples:
“Can our Current Security Functions be mapped onto AWS?”
“Familiar functions, made Cloud scale”:
• IAM: “RBAC writ large”
  • Fine-grained privilege
  • Further access controls:
    • Source IP
    • Time of day
    • Use of MFA
    • Region affected (a work in progress; works for EC2, RDS)
• Data Pipeline: “Cron writ large”
  • (…and now, CloudWatch Events = “cron for Lambda”)
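The four “further access controls” listed for IAM are expressed as condition keys in a policy statement. The block below is an added example, not code from the talk or from AWS: it embeds a constructed policy that uses aws:SourceIp, aws:CurrentTime, aws:MultiFactorAuthPresent and ec2:Region, and evaluates it with a deliberately simplified model of IAM's condition logic (all operator blocks must hold, any listed value per key may match, a key missing from the request context fails). The policy, the request contexts and the evaluator are all assumptions made for illustration; only the condition key names and operators are real IAM syntax.

```python
"""Added teaching model of how IAM policy conditions combine. It is not AWS's
policy engine; the policy and request contexts below are constructed."""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed policy: stop EC2 instances only from the corporate address range
# (RFC 5737 documentation prefix), inside one absolute time window, with MFA,
# and only for instances in eu-west-1. All condition blocks must hold (AND).
EXAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "StopInstancesFromOfficeWithMfa",
    "Effect": "Allow",
    "Action": "ec2:StopInstances",
    "Resource": "*",
    "Condition": {
      "IpAddress":       {"aws:SourceIp": ["203.0.113.0/24"]},
      "DateGreaterThan": {"aws:CurrentTime": "2016-09-21T08:00:00Z"},
      "DateLessThan":    {"aws:CurrentTime": "2016-09-21T18:00:00Z"},
      "Bool":            {"aws:MultiFactorAuthPresent": "true"},
      "StringEquals":    {"ec2:Region": "eu-west-1"}
    }
  }]
}
""")


def _utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _as_list(value):
    return value if isinstance(value, list) else [value]


# Condition operators modelled here, each comparing one context value with one
# policy value. Real IAM has many more (StringLike, ArnEquals, ...IfExists, ...).
OPERATORS = {
    "IpAddress": lambda have, want: ipaddress.ip_address(have) in ipaddress.ip_network(want),
    "DateGreaterThan": lambda have, want: _utc(have) > _utc(want),
    "DateLessThan": lambda have, want: _utc(have) < _utc(want),
    "Bool": lambda have, want: str(have).lower() == str(want).lower(),
    "StringEquals": lambda have, want: have == want,
}


def condition_holds(condition, context):
    """Every operator block and every key inside it must hold (AND); among the
    values listed for one key, any match suffices (OR). A key absent from the
    request context fails the condition: a request signed with long-term access
    keys carries no aws:MultiFactorAuthPresent key, so the Bool test fails."""
    for operator, keys in condition.items():
        test = OPERATORS[operator]
        for key, wanted in keys.items():
            if key not in context:
                return False
            if not any(test(context[key], w) for w in _as_list(wanted)):
                return False
    return True


def is_allowed(policy, action, context):
    """Default deny; an Allow statement whose conditions hold grants access,
    and an explicit Deny whose conditions hold always wins."""
    allowed = False
    for statement in policy["Statement"]:
        actions = _as_list(statement["Action"])
        if action not in actions and "*" not in actions:
            continue
        if not condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request context: call from the office range, mid-morning, with an
# MFA-backed session, against eu-west-1.
OFFICE_MFA_REQUEST = {
    "aws:SourceIp": "203.0.113.42",
    "aws:CurrentTime": "2016-09-21T10:30:00Z",
    "aws:MultiFactorAuthPresent": "true",
    "ec2:Region": "eu-west-1",
}


def evaluate_variants():
    """Decision for the good request and for single-change variants of it."""
    no_mfa = {k: v for k, v in OFFICE_MFA_REQUEST.items() if k != "aws:MultiFactorAuthPresent"}
    stop = "ec2:StopInstances"
    return {
        "office_mfa": is_allowed(EXAMPLE_POLICY, stop, OFFICE_MFA_REQUEST),
        "other_ip": is_allowed(EXAMPLE_POLICY, stop, {**OFFICE_MFA_REQUEST, "aws:SourceIp": "198.51.100.7"}),
        "after_hours": is_allowed(EXAMPLE_POLICY, stop, {**OFFICE_MFA_REQUEST, "aws:CurrentTime": "2016-09-21T20:00:00Z"}),
        "no_mfa_session": is_allowed(EXAMPLE_POLICY, stop, no_mfa),
        "other_region": is_allowed(EXAMPLE_POLICY, stop, {**OFFICE_MFA_REQUEST, "ec2:Region": "us-east-1"}),
        "other_action": is_allowed(EXAMPLE_POLICY, "ec2:TerminateInstances", OFFICE_MFA_REQUEST),
    }


if __name__ == "__main__":
    for name, decision in evaluate_variants().items():
        print(f"{name:15s} {'ALLOW' if decision else 'DENY'}")
```

Two caveats the example makes visible: aws:CurrentTime compares absolute timestamps, so a recurring “office hours” window has to be re-expressed (or combined with short-lived STS sessions) rather than written once; and aws:MultiFactorAuthPresent is absent rather than false for long-term access keys, which is why the check is written as Bool true on the Allow side instead of relying on a false value.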
Asset Management, Logging and Analysis:
• “What the API returns, is true”
  • CloudTrail, Config, CloudWatch Logs
• “Checks and balances”
  • S3 append-only, MFA delete
  • SNS for alerting
  • Easy building blocks for Continuous Protective Monitoring
AWS Config, AWS CloudTrail, CloudWatch: Logs → metrics → alerts → actions
• Sources: AWS CloudTrail, AWS Config, Amazon EC2 OS logs, Amazon VPC Flow Logs, API calls from most services, monitoring data from AWS services, custom metrics
• Collection and metrics: CloudWatch / CloudWatch Logs
• Alerts: CloudWatch alarms → Amazon SNS
• Actions: email notification, HTTP/S notification, SMS notifications, mobile push notifications
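To make the logs → metrics → alerts step concrete, here is an added example (not code from the talk, from AWS or from CIS) that re-implements three of the CloudWatch Logs metric-filter patterns recommended by the CIS AWS Foundations benchmark mentioned earlier as Python predicates, runs them over a constructed CloudTrail delivery file, and applies the alarm threshold that would normally hand the result to an SNS topic. The records, account id and IP addresses are constructed; the filter patterns quoted in the docstrings are the real CloudWatch Logs syntax.

```python
"""Added example: CIS-style CloudTrail metric filters as Python predicates,
plus the counting and alarm stages, over a constructed delivery file."""
import json

# Constructed CloudTrail delivery file; same top-level shape as the JSON
# CloudTrail writes to S3 ({"Records": [...]}). Identities/IPs are placeholders.
SAMPLE_LOG = json.loads("""
{"Records": [
  {"eventTime": "2016-09-21T07:58:11Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.23",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
  {"eventTime": "2016-09-21T08:02:40Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.42",
   "userIdentity": {"type": "IAMUser", "userName": "bob"},
   "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
  {"eventTime": "2016-09-21T08:10:05Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DescribeInstances", "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.23",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "errorCode": "Client.UnauthorizedOperation"},
  {"eventTime": "2016-09-21T08:15:30Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "RunInstances", "eventType": "AwsApiCall", "sourceIPAddress": "203.0.113.9",
   "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
  {"eventTime": "2016-09-21T08:20:00Z", "eventSource": "s3.amazonaws.com",
   "eventName": "GetObject", "eventType": "AwsApiCall", "sourceIPAddress": "203.0.113.42",
   "userIdentity": {"type": "IAMUser", "userName": "bob"},
   "errorCode": "AccessDenied"},
  {"eventTime": "2016-09-21T08:25:00Z", "eventSource": "config.amazonaws.com",
   "eventName": "PutEvaluations", "eventType": "AwsServiceEvent",
   "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}}
]}
""")


def unauthorized_api_call(record):
    """{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }"""
    code = record.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def console_signin_without_mfa(record):
    """{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }"""
    return (record.get("eventName") == "ConsoleLogin"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def root_account_usage(record):
    """{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
         && $.eventType != "AwsServiceEvent" }"""
    identity = record.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and record.get("eventType") != "AwsServiceEvent")


METRIC_FILTERS = {
    "UnauthorizedAPICalls": unauthorized_api_call,
    "ConsoleSigninWithoutMFA": console_signin_without_mfa,
    "RootAccountUsage": root_account_usage,
}


def count_metrics(delivery):
    """Metric-filter stage: one counter per filter, as CloudWatch Logs would
    publish a metric value of 1 for every matching event."""
    records = delivery["Records"]
    return {name: sum(1 for r in records if matches(r)) for name, matches in METRIC_FILTERS.items()}


def fired_alarms(counts, threshold=1):
    """Alarm stage: filters whose count reached the threshold within the period;
    these are what a CloudWatch alarm would forward to an SNS topic."""
    return sorted(name for name, n in counts.items() if n >= threshold)


def matching_events(delivery, filter_name):
    """Evidence for the responder: (eventTime, eventName, principal) per hit."""
    matches = METRIC_FILTERS[filter_name]
    return [(r["eventTime"], r["eventName"], r["userIdentity"].get("userName", r["userIdentity"]["type"]))
            for r in delivery["Records"] if matches(r)]


if __name__ == "__main__":
    counts = count_metrics(SAMPLE_LOG)
    for name in fired_alarms(counts):
        print(f"ALARM {name}: {counts[name]} event(s)")
        for when, what, who in matching_events(SAMPLE_LOG, name):
            print(f"    {when} {what} by {who}")
```

The last record shows why the root-usage pattern carries the invokedBy / AwsServiceEvent exclusions: service-initiated events that run under the root identity would otherwise page the on-call engineer every time AWS Config evaluates a rule.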
IDS / IPS / WAF:
• Host vs network
  • Everything preventative needs to be inline
    • IPS / WAF in particular
    • Unless you wanted to have fun with RST packets
• Dealing with autoscaling
  • Separation of Duty / managed service?
• VPC Flow Logging
• 2-step Hybrid WAF with AWS WAF, [Alert Logic | Imperva | Trend Micro]
Immutability and Mandatory Access Control:
• S3 cross-account sharing, Versioning and MFA Delete
• SELinux on EC2
  • SELinux enforcing policy can be complicated to write – see e.g. http://www.tresys.com
Incident Management:
• Traditional infrastructure:
  • Manage and Mitigate?
  • Pursue and Prosecute?
• Cloud gives you a third option:
  • Replicate, repair, ringfence and redirect
  • You’re back up and running, with the previous environment isolated for forensic examination
AWS Enterprise Accelerator: Compliance Architectures
• Sample Architecture
• Security Controls Matrix
• CloudFormation Templates (5 x templates)
• User Guide
• NIST 800-53 and PCI-DSS
http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html
Education — AWS Security & Compliance
AWS Security Fundamentals
• 3 hour eLearning course
• Target audience – Security Auditors/Analysts
• It’s Free :)
AWS Security Operations
• 3 day Instructor-led Training
• Target audience – Security Engineers/Architects
• 12 Modules + Labs
Self-paced labs available on http://qwiklabs.com
https://aws.amazon.com/training/course-descriptions/
Helpful Resources
Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Centre Website: https://aws.amazon.com/compliance
Security Centre: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/
AWS Audit Training: [email protected]
Helpful Videos
The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M
IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
Encryption on AWS: https://youtu.be/DXqDStJ4epE
Securing Serverless Architectures: https://www.youtube.com/watch?v=lKVp8d45HSU