AWS Enterprise Summit Netherlands - Infosec by Design

Transcript of AWS Enterprise Summit Netherlands - Infosec by Design

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Wednesday Sept 21st, 2016

Information Security by Design in AWS

Dave Walker, Specialist Solutions Architect, Security and Compliance

Agenda

• “Start Here”
• Standards and Other Requirements
• Control Mapping
• The Enterprise Accelerator Initiative

“Start Here”

Industry Best Practices for Securing AWS Resources

CIS Amazon Web Services Foundations
• Architecture-agnostic set of security configuration best practices
• Provides step-by-step implementation and assessment procedures

Standards and Other Requirements

AWS Assurance Programs

Compliance Resources

https://aws.amazon.com/compliance/resources/

Compliance: How to work with AWS Certifications
• “The magic’s in the Scoping”
  • If a Service isn’t in scope, that doesn’t necessarily mean it can’t be used in a compliant deployment
  • …but it won’t be usable for a purpose which touches sensitive data
  • See re:Invent sessions, especially "Navigating PCI Compliance in the Cloud”, https://www.youtube.com/watch?v=LUGe0lofYa0&index=13&list=PLhr1KZpdzukcJvl0e65MqqwycgpkCENmg
• Remember the Shared Responsibility Model
  • “we do our bit at AWS, but you must also do your bit in what you build using our services”
  • Our audit reports make it easier for our customers to get approval from their auditors, against the same standards
  • Liability can’t be outsourced…

Compliance: How to work with AWS Certifications
• Time-based Subtleties:
  • PCI, ISO: point-in-time assessments
  • SOC: assessment spread over time, therefore more rigorous assessment of procedures and operations
    • (AWS Config allows you to make a path between these, for your own auditors)
  • FedRAMP: Continuous Monitoring and Reporting – important proof
• If a service for defined sensitive data isn’t in scope of an audit report, can this be designed around?
  • Eg standing up a queue system on EC2 as a substitute for SQS…
• Be careful of what elements of a Service are in scope, too…
  • Metadata is typically “out”

SOC 1
• Availability:
  • Audit report available to any customer with an NDA
• Scope:
  • AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
• Sensitive data:
  • N/A
• Particularly good for:
  • Datacentre management, talks about KMS for key management and encryption at rest, discusses Engineering bastions
• Downsides:
  • None

SOC 2
• Availability:
  • Audit report available to any customer with an NDA
• Scope:
  • AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
• Sensitive data:
  • N/A
• Particularly good for:
  • Risk assessment considerations, management visibility and process, organisational structure
• Downsides:
  • None

PCI-DSS
• Availability:
  • Audit report available to any customer with an NDA
• Scope:
  • Amazon EC2, Application Auto Scaling, ELB, Amazon VPC, Amazon Route 53, AWS Direct Connect, Amazon S3, Amazon Glacier, Amazon EBS, Amazon RDS, Amazon DynamoDB, Amazon SimpleDB, Amazon Redshift, Amazon EMR, Amazon SWF, IAM, AWS CloudTrail, AWS CloudHSM, Amazon SQS, Amazon CloudFront, AWS CloudFormation, AWS Elastic Beanstalk, AWS KMS, Amazon ECS, AWS WAF
• Sensitive data:
  • CVV, PAN
• Particularly good for:
  • Forensics cooperation, breach disclosure, explaining Shared Responsibility in depth; also Hypervisor-based instance separation assurance
• Downsides:
  • None (since the August 2015 update, when KMS was added)

ISO 27001
• Availability:
  • Certificate is public at http://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf, Statement of Applicability is normally not available externally
• Scope:
  • AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
• Sensitive data:
  • N/A
• Particularly good for:
  • A broad-ranging “backstop” and important “tick box item” – ISMS considerations (see “Technical and Organisational Measures” later)
• Downsides:
  • No detailed audit report available

ISO 27018
• Availability:
  • Certificate available at https://d0.awsstatic.com/certifications/iso_27018_certification.pdf
• Scope:
  • AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
• Sensitive data:
  • PII
• Particularly good for:
  • Assurance of protection of PII in AWS environments
• Downsides:
  • No detailed audit report available

Others (and Resources):
• ISO 27017: Cloud security recommended practices
• ISO 9001: Quality control
• UK G-Cloud / CESG Security Principles, gov.uk “Cyber Essentials”:
  • See me, and our whitepaper at https://d0.awsstatic.com/whitepapers/compliance/AWS_CESG_UK_Cloud_Security_Principles.pdf
• IT-Grundschutz: Workbook at https://d0.awsstatic.com/whitepapers/compliance/AWS_IT_Grundschutz_TUV_Certification_Workbook.pdf
• MTCS, IRAP, …: “Other People’s Geos” – we can put you in touch with AWS Specialist Security and Compliance SAs there as needed; there are also some whitepapers.
• EU Data Protection Guidance: https://d0.awsstatic.com/whitepapers/compliance/AWS_EU_Data_Protection_Whitepaper.pdf

Auditing - Comparison: on-prem vs on AWS

On-prem:
• Start with bare concrete
• Functionally optional – you can build a secure system without it
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation

On AWS:
• Start on base of accredited services
• Functionally necessary – high watermark of requirements
• Audits done by third party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance

What this means

You benefit from an environment built for the most security sensitive organisations

AWS manages 1,800+ security controls so you don’t have to

You get to define the right security controls for your workload sensitivity

You always have full ownership and control of your data

The AWS Well-Architected Framework

• Increase awareness of architectural best practices
• Addresses foundational areas that are often neglected
• Consistent approach to evaluating architectures
• Composed of:
  • Pillars
  • Design principles
  • Questions

Pillars of Well-Architected

• Security
• Reliability
• Performance Efficiency
• Cost Optimization

Control Mapping

Why a Mapping of Security Controls?

• PCI-DSS
  • standards for merchants which process credit card payments and have strict security requirements to protect cardholder data. A point-in-time certification.
• SOC 1-3
  • designed by the “big 4” auditors as an evolution of SSAE16, SAS70 etc, and to address perceived shortcomings in ISO27001. A continuous-assessment certification, covering process and implementation.
• ISO 27001
  • outlines the requirements for Information Security Management Systems. A point-in-time certification, but one which requires mature processes.

Standards, Controls and Commonality

Controls overlap between standards
• see eg https://www.unifiedcompliance.com

AWS master control list and mappings
• 1800+ internal controls
• Mappings to external standards
• Engage auditors, and…

“Principles Rarely Change, but Implementations Do”

• Zeno’s Paradox: Achilles and the Tortoise
• Technology (almost) always leads standards
  • (AWS made 10 feature updates last week – see https://aws.amazon.com/new/ )
• ISO27001, ISO9001, SOC1-3, PCI-DSS (and lots of others) are covered by various AWS services at the infrastructure and container layers – but not all are
• The AWS Marketplace is growing…

AWS Marketplace: One-stop shop for security tools

[Slide graphic: Marketplace security tool categories]
• Encryption & Key Mgmt
• Server & Endpoint Protection
• Application Security
• Vulnerability & Pen Testing
• Advanced Threat Analytics
• Identity and Access Mgmt
• Network Security

“When I were a Lad…”: Traditional Controls

Service networks looked like:

[Slide diagram of a service network: Internet gateway, Elastic Load Balancing, Amazon VPC router, instances]

“When I were a Lad…”: Traditional Controls

Management networks looked like:

“When I were a Lad…”

Security technologies looked like:

But:

AWS security controls are rather more extensive
• Can’t readily be reduced to a 2D “onion”
  • (5 dimensions might about do it…)

So, we have tables
• And they’re not small…

General Headings:
• Infrastructure meta-security
• Host security
• Network security
• Logging and Auditing
• Resilience
• User Access Control and Management
• Cryptography and Key Management
• Incident Response and Forensics
• “Anti-Malware”
• Separation of Duty
• Data Lifecycle Management
• Geolocation
• Anti-DDoS

“Can our current Security Functions be mapped onto AWS?”

AWS Environment Management
• Logging and Auditing: AWS CloudTrail
• Asset Management: AWS Config, API
• Management Access Control: AWS IAM
• Configuration Management: Web Console, AWS CloudFormation, AWS OpsWorks, CLI, API, SDKs
• Configuration Monitoring: Amazon CloudWatch

“Can our current Security Functions be mapped onto AWS?”

Network
• AWS to Customer Networks: Internet and/or Direct Connect
• Layer 2 Network Segregation: Amazon VPC
• Stateless Traffic Management: Network Access Control Lists
• IPsec VPN: VPC VGW, Marketplace
• Firewall / Layer 3 Packet Filter: Security Groups
• IDS/IPS: AWS CloudTrail, CloudWatch Logs, SNS, VPC Flow Logging
• Managed DDoS Prevention: Included in Amazon CloudFront

“Can our current Security Functions be mapped onto AWS?”

Encryption, Key Management
• Data-In-Flight: IPsec or TLS or your own
• Volume Encryption: Amazon EBS Encryption
• Object Encryption: Amazon S3 Encryption (Server and Client Side)
• Key Management: AWS Key Management Service
• Dedicated HSMs: AWS CloudHSM
• Database Encryption: TDE (RDS / Oracle EE), Encrypted Amazon EBS (with KMS), Encrypted Amazon Redshift

“Can our Current Security Functions be mapped onto AWS?”

Data Management
• Hierarchical Storage: Amazon S3 Lifecycle
• Deletion Protection: Amazon S3 MFA Delete
• Versioning: Amazon S3 Versioning
• Archiving: Amazon Glacier (optionally, with Vault Lock)

“Can our Current Security Functions be mapped onto AWS?”

Host / Instance Security
• Traditional Controls: Traditional Controls (mostly)
• Instance Management: Delete-and-promote
• Incident Management: More alternatives!
• Asset Management: “What the API returns, is true”
• Instance Separation: PCI Level 1 Hypervisor, Dedicated Instances

• For some functions, AWS architecture will take you in a particular direction – for other functions, AWS architecture allows you to do more interesting things than on-premise.

• You may get considerable benefit from looking “behind the control” to discern the underlying risk, and mitigate it differently.

• Some examples:

“Can our Current Security Functions be mapped onto AWS?”

“Familiar functions, made Cloud scale”:

• IAM: “RBAC writ large”
  • Fine-grained privilege
  • Further access controls
    • Source IP
    • Time of day
    • Use of MFA
    • Region affected (a work in progress; works for EC2, RDS)
• Data Pipeline: “Cron writ large”
  • (…and now, CloudWatch Events = “cron for Lambda”)
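To make the “further access controls” above concrete, here is an added example (not from the talk) of an IAM policy whose single Allow statement is narrowed by all four of those conditions, together with a deliberately simplified local model of how IAM evaluates a Condition block so the effect of each key can be checked offline. The condition keys aws:SourceIp, aws:MultiFactorAuthPresent, aws:CurrentTime and ec2:Region are real; the CIDR, time window, region and request contexts are constructed sample values, and the evaluator ignores explicit Deny statements and the operator families not used here.

```python
"""IAM Condition keys in practice: added example, not code from the talk.

The policy uses real condition keys (aws:SourceIp, aws:MultiFactorAuthPresent,
aws:CurrentTime, ec2:Region).  The evaluator is a simplified local model of
IAM's Condition logic, good enough to show how each key narrows the Allow;
it ignores explicit Deny statements and the remaining operator families.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample policy: EC2 lifecycle actions only from the office range,
# inside a one-day change window (UTC), with MFA, and only in eu-west-1.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Ec2ChangesFromOfficeWithMfa",
        "Effect": "Allow",
        "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
        "Resource": "*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "DateGreaterThan": {"aws:CurrentTime": "2016-09-21T07:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2016-09-21T19:00:00Z"},
            "StringEquals": {"ec2:Region": "eu-west-1"},
        },
    }],
}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _as_list(value):
    return value if isinstance(value, list) else [value]


# Operator -> predicate(context_value, one_policy_value).  Several policy
# values under one key are ORed, so the predicate is applied per value.
OPERATORS = {
    "IpAddress": lambda ctx, cidr: ipaddress.ip_address(ctx) in ipaddress.ip_network(cidr),
    "Bool": lambda ctx, want: str(ctx).lower() == want.lower(),
    "StringEquals": lambda ctx, want: ctx == want,
    "DateGreaterThan": lambda ctx, bound: _ts(ctx) > _ts(bound),
    "DateLessThan": lambda ctx, bound: _ts(ctx) < _ts(bound),
}


def condition_matches(condition, context):
    """Every operator/key pair must hold (AND).  A key absent from the request
    context fails its test, which is why a long-term key without MFA loses."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            if key not in context:
                return False
            if not any(OPERATORS[operator](context[key], w) for w in _as_list(wanted)):
                return False
    return True


def is_allowed(policy, action, context):
    """Default deny: allowed only if some Allow statement names the action
    and all of its conditions are satisfied by the request context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed request context: office IP, MFA used, mid-morning, eu-west-1.
OFFICE_MFA = {
    "aws:SourceIp": "203.0.113.42",
    "aws:MultiFactorAuthPresent": "true",
    "aws:CurrentTime": "2016-09-21T10:15:00Z",
    "ec2:Region": "eu-west-1",
}


def demo():
    """Vary one attribute at a time to see which condition refuses the call."""
    variants = {
        "baseline": OFFICE_MFA,
        "no_mfa": {**OFFICE_MFA, "aws:MultiFactorAuthPresent": "false"},
        "long_term_key": {k: v for k, v in OFFICE_MFA.items() if k != "aws:MultiFactorAuthPresent"},
        "off_network": {**OFFICE_MFA, "aws:SourceIp": "198.51.100.7"},
        "out_of_hours": {**OFFICE_MFA, "aws:CurrentTime": "2016-09-21T03:00:00Z"},
        "wrong_region": {**OFFICE_MFA, "ec2:Region": "us-east-1"},
    }
    return {name: is_allowed(POLICY, "ec2:RunInstances", ctx) for name, ctx in variants.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>14}: {'ALLOW' if ok else 'deny'}")
```

The point of the one-at-a-time variants is that each condition is an independent gate: the same caller from the same address is refused as soon as any single key fails, and a request made with long-term access keys (no aws:MultiFactorAuthPresent key at all) is refused just like one that explicitly reports MFA absent.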

Asset Management, Logging and Analysis:

• “What the API returns, is true”
  • CloudTrail, Config, CloudWatch Logs
• “Checks and balances”
  • S3 append-only, MFA delete
  • SNS for alerting
  • Easy building blocks for Continuous Protective Monitoring

Logs→metrics→alerts→actions

[Slide diagram of the monitoring pipeline]
• Sources: AWS CloudTrail, AWS Config, Amazon EC2 OS logs, Amazon VPC Flow Logs, API calls from most services, monitoring data from AWS services, custom metrics
• Collection: CloudWatch / CloudWatch Logs
• Alerting: CloudWatch alarms → Amazon SNS
• Actions: email notification, HTTP/S notification, SMS notifications, mobile push notifications
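As an added example (not from the talk), the pipeline above can be rehearsed offline: the block below feeds constructed CloudTrail records through metric-filter style rules of the kind the CIS AWS Foundations benchmark recommends (console sign-in without MFA, root account use, unauthorized API calls, CloudTrail configuration changes), aggregates the matches into metric counts, and applies alarm thresholds to decide which SNS notifications would go out. The filter-pattern strings document the intended CloudWatch Logs pattern for each rule and should be checked against the published benchmark before deployment; the sample events, thresholds and topic ARN are constructed.

```python
"""Logs -> metrics -> alerts -> actions, rehearsed offline.  Added example,
not code from the talk: constructed CloudTrail records are run through
metric-filter style rules, counted, and compared with alarm thresholds.
"""
import json
from collections import Counter

# Constructed sample CloudTrail records (not real log data).  CloudWatch Logs
# receives each as one JSON document; here they are pre-serialised lines.
SAMPLE_LOG_LINES = [json.dumps(ev) for ev in [
    {"eventTime": "2016-09-21T08:01:12Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.42"},
    {"eventTime": "2016-09-21T08:03:40Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2016-09-21T08:10:05Z", "eventName": "DescribeInstances",
     "eventType": "AwsApiCall", "userIdentity": {"type": "Root"}},
    {"eventTime": "2016-09-21T08:12:30Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventTime": "2016-09-21T08:15:00Z", "eventName": "PutBucketPolicy",
     "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser", "userName": "dave"}},
    {"eventTime": "2016-09-21T08:16:00Z", "eventName": "CreateBucket",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]]

# Each rule: metric name, the CloudWatch Logs filter pattern it corresponds to
# (documentation only; the Python predicate is what runs here), and the
# predicate.  Patterns follow the CIS AWS Foundations monitoring section.
RULES = [
    ("ConsoleSigninWithoutMFA",
     '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
     lambda ev: ev.get("eventName") == "ConsoleLogin"
     and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"),
    ("RootAccountUsage",
     '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }',
     lambda ev: ev.get("userIdentity", {}).get("type") == "Root"
     and "invokedBy" not in ev.get("userIdentity", {})
     and ev.get("eventType") != "AwsServiceEvent"),
    ("UnauthorizedAPICalls",
     '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
     lambda ev: ev.get("errorCode", "").endswith("UnauthorizedOperation")
     or ev.get("errorCode", "").startswith("AccessDenied")),
    ("CloudTrailChanges",
     '{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) '
     '|| ($.eventName = StartLogging) || ($.eventName = StopLogging) }',
     lambda ev: ev.get("eventName") in {"CreateTrail", "UpdateTrail", "DeleteTrail",
                                         "StartLogging", "StopLogging"}),
]

# Constructed alarm thresholds per evaluation period.  A noisy metric such as
# UnauthorizedAPICalls is normally tuned higher than the others.
THRESHOLDS = {"ConsoleSigninWithoutMFA": 1, "RootAccountUsage": 1,
              "UnauthorizedAPICalls": 5, "CloudTrailChanges": 1}


def metrics_from_logs(lines):
    """Metric-filter step: one increment per record matching each rule."""
    counts = Counter({name: 0 for name, _, _ in RULES})
    for line in lines:
        ev = json.loads(line)
        for name, _, pred in RULES:
            if pred(ev):
                counts[name] += 1
    return counts


def alarms(counts, thresholds=THRESHOLDS):
    """CloudWatch alarm step: metric >= threshold -> ALARM, otherwise OK."""
    return {name: ("ALARM" if counts[name] >= thresholds[name] else "OK") for name in counts}


def notifications(states, topic_arn="arn:aws:sns:eu-west-1:111122223333:security-alerts"):
    """SNS step: one message per metric in ALARM (topic ARN is constructed)."""
    return [{"TopicArn": topic_arn, "Subject": f"ALARM: {name}",
             "Message": f"{name} crossed its threshold in the last period"}
            for name, state in states.items() if state == "ALARM"]


def run_pipeline(lines):
    counts = metrics_from_logs(lines)
    states = alarms(counts)
    return counts, states, notifications(states)


if __name__ == "__main__":
    counts, states, msgs = run_pipeline(SAMPLE_LOG_LINES)
    for name in counts:
        print(f"{name:<24} count={counts[name]} state={states[name]}")
    print(f"{len(msgs)} SNS notification(s) would be published")
```

With these samples three of the four alarms fire; the single AccessDenied event stays below its threshold of five, which is the tuning trade-off the “checks and balances” bullet implies: the unauthorized-call metric is valuable but noisy, while root use and CloudTrail changes should alert on the first occurrence.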

IDS / IPS / WAF:

• Host vs network
• Everything preventative needs to be inline
  • IPS / WAF in particular
  • Unless you wanted to have fun with RST packets
• Dealing with autoscaling
  • Separation of Duty / managed service?
• VPC Flow Logging
• 2-step Hybrid WAF with AWS WAF, [Alert Logic | Imperva | Trend Micro]

Immutability and Mandatory Access Control:

• S3 cross-account sharing, Versioning and MFA Delete
• SELinux on EC2
  • SELinux enforcing policy can be complicated to write – see eg http://www.tresys.com

Incident Management:

• Traditional infrastructure:
  • Manage and Mitigate?
  • Pursue and Prosecute?
• Cloud gives you a third option:
  • Replicate, repair, ringfence and redirect
  • You’re back up and running, with previous environment isolated for forensic examination
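The “ringfence” and “redirect” steps are worth scripting so that nobody improvises them at 3 a.m. The following is an added example (not from the talk) in Python using boto3-style client calls (describe_instances, modify_instance_attribute, create_snapshot, create_tags, deregister_instances_from_load_balancer); an in-memory fake client is injected so the module runs offline, and the instance, security-group, volume and load-balancer identifiers are constructed. Replicate and repair (launching replacements from a known-good image) are left to Auto Scaling and not shown.

```python
"""Ring-fence a suspect EC2 instance for forensics.  Added example, not code
from the talk.  Call shapes follow boto3's EC2 and classic ELB clients
(describe_instances, modify_instance_attribute, create_snapshot, create_tags,
deregister_instances_from_load_balancer); the fakes below are constructed
stand-ins so the module runs offline.  In production pass boto3.client("ec2")
and boto3.client("elb") instead.
"""


def ringfence(ec2, elb, instance_id, isolation_sg, load_balancer=None,
              case_id="CASE-PLACEHOLDER"):
    """Redirect traffic away, isolate, preserve evidence, protect and label.
    Returns a record of what was changed so it can be audited or reversed."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]
    volumes = [m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"] if "Ebs" in m]

    # Redirect: take the host out of rotation so users reach healthy replicas.
    if load_balancer:
        elb.deregister_instances_from_load_balancer(
            LoadBalancerName=load_balancer, Instances=[{"InstanceId": instance_id}])
    # Ring-fence: isolation_sg is assumed to carry no inbound or outbound rules.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    # Preserve: snapshot every attached volume before anyone logs in to "fix" it.
    snapshot_ids = [
        ec2.create_snapshot(VolumeId=v, Description=f"{case_id} evidence from {instance_id}")["SnapshotId"]
        for v in volumes]
    # Protect and label: block accidental termination; tags carry case and rollback data.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id] + snapshot_ids,
                    Tags=[{"Key": "ForensicCase", "Value": case_id},
                          {"Key": "OriginalSecurityGroups", "Value": ",".join(original_sgs)}])
    return {"instance": instance_id, "original_security_groups": original_sgs,
            "isolation_sg": isolation_sg, "snapshots": snapshot_ids,
            "deregistered_from": load_balancer}


class FakeEc2:
    """Constructed in-memory subset of the boto3 EC2 client."""

    def __init__(self, instances):
        self.instances = instances
        self.snapshots = {}
        self.tags = {}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [
            dict(self.instances[i], InstanceId=i) for i in InstanceIds]}]}

    def modify_instance_attribute(self, InstanceId, Groups=None, DisableApiTermination=None):
        inst = self.instances[InstanceId]
        if Groups is not None:
            inst["SecurityGroups"] = [{"GroupId": g} for g in Groups]
        if DisableApiTermination is not None:
            inst["DisableApiTermination"] = DisableApiTermination["Value"]
        return {}

    def create_snapshot(self, VolumeId, Description=""):
        snap_id = f"snap-{len(self.snapshots):04d}"
        self.snapshots[snap_id] = {"VolumeId": VolumeId, "Description": Description}
        return {"SnapshotId": snap_id}

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, {}).update({t["Key"]: t["Value"] for t in Tags})
        return {}


class FakeElb:
    """Constructed in-memory subset of the boto3 classic ELB client."""

    def __init__(self, members):
        self.members = members  # load balancer name -> set of instance ids

    def deregister_instances_from_load_balancer(self, LoadBalancerName, Instances):
        for i in Instances:
            self.members[LoadBalancerName].discard(i["InstanceId"])
        return {}


# Constructed identifiers for the walk-through.
SUSPECT = "i-0123456789abcdef0"


def demo():
    ec2 = FakeEc2({SUSPECT: {
        "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root"}},
                                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data"}}],
        "DisableApiTermination": False}})
    elb = FakeElb({"web-lb": {SUSPECT, "i-0fedcba9876543210"}})
    record = ringfence(ec2, elb, SUSPECT, "sg-quarantine", load_balancer="web-lb",
                       case_id="IR-2016-0921")
    return record, ec2, elb


if __name__ == "__main__":
    record, ec2, elb = demo()
    print(record)
```

The order is deliberate: traffic is redirected and the network cut first so the host stops serving and stops talking out, then volumes are snapshotted so the evidence reflects the state at isolation rather than after a well-meaning login; the original security groups are recorded in a tag so the change can be reversed once the case is closed.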

The Enterprise Accelerator Initiative

AWS Enterprise Accelerator: Compliance Architectures

Sample Architecture – Security Controls Matrix – CloudFormation Templates
• 5 x templates
• User Guide
• NIST 800-53 and PCI-DSS

http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html

Education — AWS Security & Compliance

AWS Security Fundamentals
• 3 hour eLearning course
• Target audience – Security Auditors/Analysts
• It’s Free

AWS Security Operations
• 3 day Instructor Led Training
• Target audience – Security Engineer/Architects
• 12 Modules + Labs

Self-paced labs available on http://qwiklabs.com

https://aws.amazon.com/training/course-descriptions/

Helpful Resources

Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/

Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/

Compliance Centre Website: https://aws.amazon.com/compliance

Security Centre: https://aws.amazon.com/security

Security Blog: https://blogs.aws.amazon.com/security/

Well-Architected Framework: https://aws.amazon.com/blogs/aws/are-you-well-architected/

AWS Audit Training: [email protected]

Helpful Videos

The Shared Security Model in Detail: https://youtu.be/RwUSPklR24M

IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U

Encryption on AWS: https://youtu.be/DXqDStJ4epE

Securing Serverless Architectures: https://www.youtube.com/watch?v=lKVp8d45HSU


Thank you!