Rackspace provides a comprehensive set of tooling and expertise on AWS that further unlocks your ability to secure your environment efficiently and cost effectively. The dynamic environment of data, applications, and infrastructure can pose challenges for businesses trying to manage security while following compliance regulations. To mitigate these challenges, businesses need a scalable security solution to ensure their data is safe, secure, and stable. In this webinar, Brad Schulteis, Jarret Raim and Todd Gleason will discuss the topic of security control requirements on AWS through the lens of three common compliance scenarios: HIPAA, PCI-DSS, and generalized security compliance based on the NIST Risk Management Framework. Watch our webinar to learn how Rackspace combines AWS and security expertise with tools like AWS CloudFormation, AWS CodeCommit and AWS CodeDeploy to help customers meet their security and compliance needs. Join us to learn: • Best practices for securely operating workloads on the AWS Cloud • Architecting a secure environment for dynamic workloads • How to incorporate Security by Design principles to address compliance needs across 3 use cases: HIPAA, PCI-DSS and generalized security compliance based on the NIST Risk Management Framework Who should attend: Directors and Managers of Security, IT Administers, IT Architects, and IT Security Engineers

1. Rackspace: Best Practices for
Security Compliance on AWS
Brad Schulteis, CISSP, CCSP, Sr. AWS & Security Architect, Fanatical Support for AWS, Rackspace
Jarret Raim, Director, Managed Security, Rackspace
Sai Reddy Thangirala, Solutions Architect, Amazon Web Services

2. Agenda
AWS Security Overview
Security By Design Overview – What is it?
Four phases of Security by Design with use cases
 Phase 1 - Understand your requirements
 Phase 2 - Build a secure environment that fits your requirements and implementation
 Phase 3 - Enforce the use of the templates
 Phase 4 - Perform validation activities
Active security for advanced cyber threats
A complete security solution: AWS Infrastructure + Security by Design + Active
security monitoring

3. $6.53M 56% 70%
Your data and IP are your most valuable assets
https://www.csid.com/resources/stats/
data-breaches/
Increase in theft of hard
intellectual property
Of consumers indicated
they’d avoid businesses
following a security breach
Average cost of a
data breach
http://www.pwc.com/gx/en/issues/cyber-
security/information-security-survey.html
https://www.csid.com/resources/stats/
data-breaches/

4. In June 2015, IDC released a report which found that most customers
can be more secure in AWS than their on-premises environment. How?
AWS can be more secure than your existing environment
Automating logging
and monitoring
Simplifying
resource access
Making it easy to
encrypt properly
Enforcing strong
authentication

5. The AWS infrastructure is protected by extensive network and security
monitoring systems:
 Network access is monitored by AWS
security managers daily
 AWS CloudTrail lets you monitor
and record all API calls
 Amazon Inspector automatically assesses
applications for vulnerabilities
Constantly monitored

6. The AWS infrastructure footprint protects your data from costly downtime
 35 Availability Zones in 13 regions for
multi-synchronous geographic redundancy
 Retain control of where your data resides
for compliance with regulatory requirements
 Mitigate the risk of DDoS attacks using
services like AutoScaling, Route 53
Highly available

7. AWS enables you to improve your security using many of your existing
tools and practices
 Integrate your existing Active Directory
 Use dedicated connections as a secure,
low-latency extension of your data center
 Provide and manage your own encryption
keys if you choose
Integrated with your existing resources

8. Key AWS Certifications and Assurance Programs

9. AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure
Regions
Availability Zones
Edge Locations
Identity &
Access Control
Network
Security
Customer applications & content
You get to
define your
controls ON
the Cloud
AWS takes
care of the
security OF
the Cloud
You
Inventory
& Config
Data
Encryption
AWS and you share responsibility for security

10. Security on AWS
Security ‘of’
the cloud
Security ‘on’
the cloud
Navigator
Rackspace consults and provide best
practices. Customer implements.
Aviator
Rackspace implements best practices on
behalf of the customer.
Identity & access
management
Workload security Data encryption Security logging
Cloud Infrastructure
Compute
Storage
Network
Rackspace Managed Security
People
CSOC
24x7x365 support
Shared expertise
Product
Best-of-breed technology
Host security
Network security
Advanced analytics
Process
Immediate response
Detect faster
Remediate faster
Managed security & compliance assistance
Actively
Securing Your
Environment
Building A Secure
Environment
Secure
Foundation
Fanatical Support for AWS
SaaSPaaSIaaS

11. noun | se·cu·ri·ty | səˈkyo͝ orədē
 The state of being free from danger or threat
 Procedures followed or measures taken to
ensure the safety of an IT system
 Illusory restrictions bolted on post-
implementation to satisfy a regulatory
requirement
What is security?

12. What is Security by Design (SbD)?
 Modern, systematic security assurance approach
 Formalizes AWS account design, automates security
controls and streamlines auditing
 Provides control insights throughout the IT
management process
Security works best when it is ubiquitous and automatic

13. Why is this important?
The dynamic environment of data, applications, and infrastructure poses challenges for
businesses trying to manage security while following compliance regulations. To mitigate
these challenges, businesses need a reliable security solution to ensure their data is safe,
secure, and stable.
Confidentiality Integrity Availability

14. Four Phased Implementation
SbD approach
Understand your
requirements
Build a “secure
environment” that fits
your requirements
1
Enforce the use of
the templates
Perform validation
activities
2 3 4

15. Security Controls
 Access
 Audit
 Config Mgmt
 Contingency Plans
Data Classification
 Data Type
 Data Impact
 Data Sensitivity
Data Usage
 Storage
 Retention
 Processing
 Sharing
Regulations
 Governmental
 Organizational
 Individual
#1: Understand your requirements

16. Data Classification
 What data do I have?
 What is its intended use?
 Which do I need to protect?
 Who am I protecting
it from?
Security requirements
Data Usage
 What can I do with
the data?
 Where can I process it?
 How should it be
accessed?
 Can and when should I
destroy it?
Regulations
 Am I bound by legal
restrictions?
 Do I need a 3rd party auditor?
 Must I obtain a certification?
 Must I leverage a specific
framework
Security Controls
 Who can access the
environment?
 How are access requests
audited?
 How are changes controlled?
 How do I detect improper
access?

17. Security Controls
 Enforce the use of HTTPS
Elastic Load Balancers (ELBs)
with compliant w/TLS Policies
 Enforce the use of encrypted
(HTTPS) Amazon S3
connections
Regulations
 4.1 Use strong
cryptography and security
protocols to safeguard
sensitive cardholder data
during transmission
Data Usage
 Encrypt transmission of
cardholder data across
open, public networks
(Req #4)
Data Classification
 Cardholder Data (CHD)
Understand your requirements example
PCI-DSS

18. #2: Build a “secure environment”
What are the different options for securing your environment?
 Service Selection
 Encryption
 Network Segmentation
 User Permissions
 Authorized OS Images
 Resource Protection
 Logging
What is the appetite for risk?
 Each choice comes with trade-offs

19. Establish “blueprint” architectures to allow workload owners as much
autonomy as possible while automating enforcement
Create Modularized Templates
 Use nested stacks, e.g.
• Main
• Network
• Compute
• Data
• Permissions and Logging configuration
 Use parameters whenever possible
 Use stack policies to protect running resources
 Use IAM policies to restrict the permissions of users
Balancing security requirements with agility

20. NIST 800-53
What are the different options for
securing your environment?
Build a secure environment example
What is the appetite for risk?
 Each choice comes with trade-offs
 Authorized OS
Images
 Resource
Protection
 Logging
 Service Selection
 Encryption
 Network
Segmentation
 User Permissions

21. Build a secure environment example
NIST 800-53
CM-7a | LEAST FUNTIONALITY
 Configure the information system to provide only essential capabilities
The AWS CloudFormation templates that are used to deploy this architecture pre-
configure it to provide only essential capabilities for a multi-tiered web service.
https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/

22. NIST 800-53
Configure the
information
system to provide
only essential
capabilities
There will never be
ANY additional
resources that were
not essential parts of
the application.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Provides only resources directly required for the application”
"Resources": {
"rRDSInstanceMySQL": {
"Type": "AWS::RDS::DBInstance",
...
},
"rAutoScalingGroupApp": {
"Type": "AWS::AutoScaling::AutoScalingGroup",
"DependsOn": "rRDSInstanceMySQL",
...
},
"rELBApp": {
"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
"DependsOn": "rAutoScalingGroupApp",
...
},
...
}
https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/

23. Build a secure environment example
NIST 800-53
SC-7B | BOUNDARY PROTECTION
 Implement subnetworks for publicly accessible system components that are logically
separated from internal organizational networks
This architecture features subnetworks for publicly accessible system components
that are logically separated from internal private subnetworks via AWS security
groups, refined routing tables, and NACLs.
https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/

24. "ProductionVpcTemplate": {
"Type": "AWS::CloudFormation::Stack",
"Properties": {
"TemplateURL": {
"Fn::Join": ["", [{
"Fn::FindInMap": ["CustomVariables", "vTemplateUrlPrefix",
"Value"]
}, "templates/template-vpc-production.json"]]
},
"TimeoutInMinutes": "20",
"Parameters": {
"pRegionAZ1Name": {"Ref":"pAvailabilityZoneA"},
"pRegionAZ2Name": {"Ref":"pAvailabilityZoneB"},
"pProductionVPCName": "Production VPC",
"pBastionSSHCIDR": "0.0.0.0/0",
"pDMZSubnetACIDR": "10.100.10.0/24",
"pDMZSubnetBCIDR": "10.100.20.0/24",
"pManagementCIDR": "10.10.0.0/16",
"pAppPrivateSubnetACIDR": "10.100.96.0/21",
"pAppPrivateSubnetBCIDR": "10.100.119.0/21",
"pDBPrivateSubnetACIDR": "10.100.194.0/21",
"pDBPrivateSubnetBCIDR": "10.100.212.0/21",
}
}
}
NIST 800-53
Implement
subnetworks for
publicly
accessible system
components that
are logically
separated from
internal
organizational
networks
https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/

25. #3: Enforce the use of templates
Life is about choices
 What if the ONLY choices are “pre-approved templates?
 Templates that guarantee ALL configurations comply with
your organization’s security standards

26. AWS CloudFormation
 Templates that automate the
deployment and configuration
of all AWS compute, network,
storage and other services to
your exact specifications
 Stack policies control who can
modify what and how
Amazon Machine Image (AMI)
 “Gold image” templates for the root
(OS) volume of an instance
 Launch permissions control who
can use the AMI to launch
instances
AWS CodeDeploy
 Optional for fully automating
custom code deployment as
well
Key services

27. #4: Perform Validation Activities
100% Audit-Ready
 Environments deployed from templates are audit-ready
 Rules defined within the templates are the baseline for comparison
100% Audit Coverage
 Auditing itself is configured and enabled via template
 Auditing it performed continuously and in real-time
 Properly scoped permissions prevent and detect attempts to tamper with or
disable auditing
100% Visibility
 Audit information captures the state of all deployed resources
100% Remediation
 Non-compliant resources are flagged and alerts are generated
 These alerts can be used to trigger actions such as quarantining the offending
resource
100%
Completely complete

28. AWS Config
 Point-in-time current settings of
your architecture
 Execute a sweeping check of
controls across the environment
 Detects when a resource
configuration differs from an
expected state (the template
from step 3) in real-time and
flags the resource as
noncompliant
AWS CloudTrail
 Records AWS API calls for your
account
 Quickly and easily take
immediate action for API
activity
Amazon CloudWatch
 Sends notifications of alarms
and conditional breaches
Key services

29. Security Controls
 Restrict the use of
unauthorized services w/ IAM
Policies
 Use Config to detect any
unauthorized services in a
HIPAA VPC
Regulations
 There are nine HIPAA-
eligible services today,
including DynamoDB, EBS,
EC2, Amazon EMR, ELB,
Glacier, Amazon RDS
[MySQL and Oracle],
Redshift, and S3.
Data Usage
 Customers should only
process, store and transmit
PHI in the HIPAA-eligible
services defined in the BAA.
Data Classification
 Protected Health
Information (PHI)
Perform validation activities example
HIPAA

30. Automate all the (secure) things
 Secure and automated methods reduce human
errors which lead to non-compliance
 Secure configurations should be automatic,
and therefore simple to achieve
 Fine-grained access control is easier when it
happens automatically
 With all of the automatically generated audit
logs, it would be impossible to look in
retrospect – automate alerting of compliance
related events and know in real-time

31. It’s a multi-cloud world

32. Security is a business enabler
How do we enable the business
while reducing risk?
Embrace the rate of change
of the business.

33. Its truly about the people and process
Technology Alone Will Not Succeed
Deep Human
Expertise
Leading
Technologies
Threat
Intelligence
24x7x365
Remediation
Lower
TCO
@

34. A security strategy for the new normal
 Prioritize your data and understand its business value
 Abandon the traditional reactive posture triggered by alerts
 Enable immediate action to protect data and minimize business impact
Our Security Approach
Rapid Detection Rapid Response Deep Expertise

35. Security on AWS
Security ‘of’
the cloud
Security ‘on’
the cloud
Navigator
Rackspace consults and provide best
practices. Customer implements.
Aviator
Rackspace implements best practices on
behalf of the customer.
Identity & access
management
Workload security Data encryption Security logging
Cloud Infrastructure
Compute
Storage
Network
Rackspace Managed Security
People
CSOC
24x7x365 support
Shared expertise
Product
Best-of-breed technology
Host security
Network security
Advanced analytics
Process
Immediate response
Detect faster
Remediate faster
Managed Security & Compliance Assistance
Actively
Securing Your
Environment
Building A Secure
Environment
Secure
Foundation
Fanatical Support for AWS

36. Some parting advice…
 Understand your data protection
requirements
 Your needs dictate your security
strategy but…
 AWS makes it easier; make secure
decisions your default where it
makes sense
Useful Links
AWS Security Best Practices
CIS Amazon Web Services Foundations

37. Thank you!
To learn more, please visit us at rackspace.com/aws
or follow our blog at blog.rackspace.com/aws

38. Questions & Answers