Rackspace provides a comprehensive set of tooling and expertise on AWS that further unlocks your ability to secure your environment efficiently and cost effectively. The dynamic environment of data, applications, and infrastructure can pose challenges for businesses trying to manage security while following compliance regulations. To mitigate these challenges, businesses need a scalable security solution to ensure their data is safe, secure, and stable. In this webinar, Brad Schulteis, Jarret Raim and Todd Gleason will discuss the topic of security control requirements on AWS through the lens of three common compliance scenarios: HIPAA, PCI-DSS, and generalized security compliance based on the NIST Risk Management Framework. Watch our webinar to learn how Rackspace combines AWS and security expertise with tools like AWS CloudFormation, AWS CodeCommit and AWS CodeDeploy to help customers meet their security and compliance needs.
Join us to learn:
• Best practices for securely operating workloads on the AWS Cloud
• Architecting a secure environment for dynamic workloads
• How to incorporate Security by Design principles to address compliance needs across 3 use cases: HIPAA, PCI-DSS and generalized security compliance based on the NIST Risk Management Framework
Who should attend: Directors and Managers of Security, IT Administrators, IT Architects, and IT Security Engineers
Rackspace: Best Practices for Security Compliance on AWS
1. Rackspace: Best Practices for Security Compliance on AWS
Brad Schulteis, CISSP, CCSP, Sr. AWS & Security Architect, Fanatical Support for AWS, Rackspace
Jarret Raim, Director, Managed Security, Rackspace
Sai Reddy Thangirala, Solutions Architect, Amazon Web Services
2. Agenda
AWS Security Overview
Security By Design Overview – What is it?
Four phases of Security by Design with use cases
Phase 1 - Understand your requirements
Phase 2 - Build a secure environment that fits your requirements and implementation
Phase 3 - Enforce the use of the templates
Phase 4 - Perform validation activities
Active security for advanced cyber threats
A complete security solution: AWS Infrastructure + Security by Design + Active security monitoring
3. Your data and IP are your most valuable assets
$6.53M: Average cost of a data breach (https://www.csid.com/resources/stats/data-breaches/)
56%: Increase in theft of hard intellectual property (http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html)
70%: Of consumers indicated they’d avoid businesses following a security breach (https://www.csid.com/resources/stats/data-breaches/)
4. AWS can be more secure than your existing environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than their on-premises environment. How?
Automating logging and monitoring
Simplifying resource access
Making it easy to encrypt properly
Enforcing strong authentication
5. Constantly monitored
The AWS infrastructure is protected by extensive network and security monitoring systems:
Network access is monitored by AWS security managers daily
AWS CloudTrail lets you monitor and record all API calls
Amazon Inspector automatically assesses applications for vulnerabilities
6. Highly available
The AWS infrastructure footprint protects your data from costly downtime
35 Availability Zones in 13 regions for multi-synchronous geographic redundancy
Retain control of where your data resides for compliance with regulatory requirements
Mitigate the risk of DDoS attacks using services like AutoScaling, Route 53
7. Integrated with your existing resources
AWS enables you to improve your security using many of your existing tools and practices
Integrate your existing Active Directory
Use dedicated connections as a secure, low-latency extension of your data center
Provide and manage your own encryption keys if you choose
9. AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS Foundation Services: Compute, Storage, Database, Networking
You get to define your controls ON the Cloud:
Customer applications & content
Identity & Access Control
Network Security
Inventory & Config
Data Encryption
10. Security on AWS
Security ‘of’ the cloud: Cloud Infrastructure (Compute, Storage, Network)
Security ‘on’ the cloud: Identity & access management, Workload security, Data encryption, Security logging
Navigator: Rackspace consults and provides best practices. Customer implements.
Aviator: Rackspace implements best practices on behalf of the customer.
Rackspace Managed Security
People: CSOC, 24x7x365 support, Shared expertise
Product: Best-of-breed technology, Host security, Network security, Advanced analytics
Process: Immediate response, Detect faster, Remediate faster
Layers: Secure Foundation (Fanatical Support for AWS); Building A Secure Environment; Actively Securing Your Environment (Managed security & compliance assistance)
SaaS / PaaS / IaaS
11. What is security?
noun | se·cu·ri·ty | səˈkyo͝orədē
The state of being free from danger or threat
Procedures followed or measures taken to ensure the safety of an IT system
Illusory restrictions bolted on post-implementation to satisfy a regulatory requirement
12. What is Security by Design (SbD)?
Modern, systematic security assurance approach
Formalizes AWS account design, automates security controls and streamlines auditing
Provides control insights throughout the IT management process
Security works best when it is ubiquitous and automatic
13. Why is this important?
The dynamic environment of data, applications, and infrastructure poses challenges for businesses trying to manage security while following compliance regulations. To mitigate these challenges, businesses need a reliable security solution to ensure their data is safe, secure, and stable.
Confidentiality, Integrity, Availability
14. Four Phased Implementation: SbD approach
Phase 1 - Understand your requirements
Phase 2 - Build a “secure environment” that fits your requirements
Phase 3 - Enforce the use of the templates
Phase 4 - Perform validation activities
15. #1: Understand your requirements
Data Classification: Data Type, Data Impact, Data Sensitivity
Data Usage: Storage, Retention, Processing, Sharing
Regulations: Governmental, Organizational, Individual
Security Controls: Access, Audit, Config Mgmt, Contingency Plans
16. Security requirements
Data Classification: What data do I have? What is its intended use? Which do I need to protect? Who am I protecting it from?
Data Usage: What can I do with the data? Where can I process it? How should it be accessed? Can I destroy it, and when should I?
Regulations: Am I bound by legal restrictions? Do I need a 3rd party auditor? Must I obtain a certification? Must I leverage a specific framework?
Security Controls: Who can access the environment? How are access requests audited? How are changes controlled? How do I detect improper access?
17. Understand your requirements example: PCI-DSS
Data Classification: Cardholder Data (CHD)
Data Usage: Encrypt transmission of cardholder data across open, public networks (Req #4)
Regulations: 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission
Security Controls: Enforce the use of HTTPS; Elastic Load Balancers (ELBs) with compliant TLS policies; Enforce the use of encrypted (HTTPS) Amazon S3 connections
18. #2: Build a “secure environment”
What are the different options for securing your environment? Service Selection, Encryption, Network Segmentation, User Permissions, Authorized OS Images, Resource Protection, Logging
What is the appetite for risk? Each choice comes with trade-offs
19. Balancing security requirements with agility
Establish “blueprint” architectures to allow workload owners as much autonomy as possible while automating enforcement
Create Modularized Templates
Use nested stacks, e.g.
• Main
• Network
• Compute
• Data
• Permissions and Logging configuration
Use parameters whenever possible
Use stack policies to protect running resources
Use IAM policies to restrict the permissions of users
20. Build a secure environment example: NIST 800-53
What are the different options for securing your environment? Service Selection, Encryption, Network Segmentation, User Permissions, Authorized OS Images, Resource Protection, Logging
What is the appetite for risk? Each choice comes with trade-offs
21. Build a secure environment example: NIST 800-53
CM-7a | LEAST FUNCTIONALITY
Configure the information system to provide only essential capabilities
The AWS CloudFormation templates that are used to deploy this architecture pre-configure it to provide only essential capabilities for a multi-tiered web service.
https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/
22. NIST 800-53
Configure the information system to provide only essential capabilities
There will never be ANY additional resources that were not essential parts of the application.
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Provides only resources directly required for the application",
  "Resources": {
    "rRDSInstanceMySQL": {
      "Type": "AWS::RDS::DBInstance",
      ...
    },
    "rAutoScalingGroupApp": {
      "Type": "AWS::AutoScaling::AutoScalingGroup",
      "DependsOn": "rRDSInstanceMySQL",
      ...
    },
    "rELBApp": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "DependsOn": "rAutoScalingGroupApp",
      ...
    },
    ...
  }
}
https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/
23. Build a secure environment example: NIST 800-53
SC-7B | BOUNDARY PROTECTION
Implement subnetworks for publicly accessible system components that are logically separated from internal organizational networks
This architecture features subnetworks for publicly accessible system components that are logically separated from internal private subnetworks via AWS security groups, refined routing tables, and NACLs.
https://docs.aws.amazon.com/quickstart/latest/accelerator-nist/
25. #3: Enforce the use of templates
Life is about choices
What if the ONLY choices are “pre-approved templates”?
Templates that guarantee ALL configurations comply with your organization’s security standards
26. Key services
AWS CloudFormation: Templates that automate the deployment and configuration of all AWS compute, network, storage and other services to your exact specifications. Stack policies control who can modify what and how.
Amazon Machine Image (AMI): “Gold image” templates for the root (OS) volume of an instance. Launch permissions control who can use the AMI to launch instances.
AWS CodeDeploy: Optional for fully automating custom code deployment as well.
27. #4: Perform Validation Activities
100% Audit-Ready: Environments deployed from templates are audit-ready. Rules defined within the templates are the baseline for comparison.
100% Audit Coverage: Auditing itself is configured and enabled via template. Auditing is performed continuously and in real time. Properly scoped permissions prevent and detect attempts to tamper with or disable auditing.
100% Visibility: Audit information captures the state of all deployed resources.
100% Remediation: Non-compliant resources are flagged and alerts are generated. These alerts can be used to trigger actions such as quarantining the offending resource.
100% Completely complete
28. Key services
AWS Config: Point-in-time current settings of your architecture. Execute a sweeping check of controls across the environment. Detects in real time when a resource configuration differs from an expected state (the template from step 3) and flags the resource as noncompliant.
AWS CloudTrail: Records AWS API calls for your account. Quickly and easily take immediate action for API activity.
Amazon CloudWatch: Sends notifications of alarms and conditional breaches.
29. Perform validation activities example: HIPAA
Data Classification: Protected Health Information (PHI)
Data Usage: Customers should only process, store and transmit PHI in the HIPAA-eligible services defined in the BAA.
Regulations: There are nine HIPAA-eligible services today, including DynamoDB, EBS, EC2, Amazon EMR, ELB, Glacier, Amazon RDS [MySQL and Oracle], Redshift, and S3.
Security Controls: Restrict the use of unauthorized services with IAM policies; Use Config to detect any unauthorized services in a HIPAA VPC
30. Automate all the (secure) things
Secure and automated methods reduce human errors which lead to non-compliance
Secure configurations should be automatic, and therefore simple to achieve
Fine-grained access control is easier when it happens automatically
With all of the automatically generated audit logs, it would be impossible to review them in retrospect – automate alerting of compliance-related events and know in real time
32. Security is a business enabler
How do we enable the business while reducing risk?
Embrace the rate of change of the business.
33. It’s truly about the people and process
Technology Alone Will Not Succeed
Deep Human Expertise
Leading Technologies
Threat Intelligence
24x7x365 Remediation
Lower TCO
34. A security strategy for the new normal
Prioritize your data and understand its business value
Abandon the traditional reactive posture triggered by alerts
Enable immediate action to protect data and minimize business impact
Our Security Approach: Rapid Detection, Rapid Response, Deep Expertise
35. Security on AWS
36. Some parting advice…
Understand your data protection requirements
Your needs dictate your security strategy but…
AWS makes it easier; make secure decisions your default where it makes sense
Useful Links: AWS Security Best Practices; CIS Amazon Web Services Foundations
37. Thank you!
To learn more, please visit us at rackspace.com/aws
or follow our blog at blog.rackspace.com/aws
Rather than attempting to bolt-on security retroactively, SbD automates and enforces security best-practices throughout the AWS lifecycle. By completely automating all aspects of AWS deployment by leveraging services like CloudFormation, CodeCommit and CodeDeploy, security and compliance in the cloud can be made more efficient and ubiquitous.
We are also certified and accredited by a wide range of regulators and industry bodies. Here is a list of key bodies that have either certified us, or we have a workbook of guidance showing you how to validate an AWS environment against these standards.
Top Row (left to right)
ISO 27001 Information Security Management
ISO 9001 Quality Management Systems Requirements
American Institute of Certified Public Accountants (SOC 1, SOC 2, SOC 3 reports)
Payment Card Industry Data Security Standard (PCI-DSS)
Federal Information Security Management
Cloud Security Alliance
Middle Row:
TUV Trust IT – independent certification body for the German Federal Office for Information Security (BSI) IT Baseline protection methodology (IT Grundschutz)
UK G-Cloud Digital Marketplace
HIPAA (Health Insurance Portability and Accountability Act)
Federal Information Processing Standards 140-2
Americans with Disabilities Act Section 508
Motion Picture Association of America
Bottom Row:
US International Traffic in Arms Regulations
Department of Defense Cloud Security Model
Criminal Justice Information Systems (CJIS) Security Policy
Federal Risk and Authorization Management Program (FedRAMP)
Australian Information Risk Assurance Program
US Department of Education (FERPA)
<FOR MORE IN DEPTH QUESTIONS REFER THE CUSTOMER TO http://aws.amazon.com/compliance FOR MORE DETAILS>
At AWS we have a shared security model, where we are responsible for some aspects of security, whereas you get to choose other security measures you put in place.
As AWS we are responsible for the security of the underlying infrastructure. That of course includes physical security across our regions, our data centers, our availability zones, our edge locations. We are also responsible for the security of the foundation services that underpin the AWS environment. This includes the infrastructure that supports our compute, storage, database and networking services.
As a customer, then, you have a choice of what security controls you choose to deploy to protect your virtual networks, servers, your data and what access control policies you wish to put in place. For highly sensitive content and applications you may want to put very stringent controls in place. For less sensitive applications, you may want to dial security back – you get to choose.
Security on AWS starts with the secure foundation AWS provides, but then you must ensure that what you build on top of that is also secure.
Navigator = we consult and provide guidance based on our best practices. The customer decides to do the work.
Aviator = we implement our best practices for the customer (building them a secure environment)
RMS = securing the things that are running on that environment using advanced analytics and an active approach to deterring crime
AWS (https://manage.rackspace.com/docs/product-guide/security.html): As a general best practice, Rackspace advises customers to use Security Groups as their primary method of securing workloads within AWS. While Network ACLs (NACLs) are typically more familiar to networking engineers, they often introduce complexity into AWS architectures.
Security in a lot of organizations is an inside joke. This is because in reality, it’s almost impossible to apply security measures to an IT system after the fact, which is what we tend to do almost every time.
“Ok… The application is deployed, now let’s ‘secure’ it.”
Establishing and maintaining a secure cloud environment is now a top priority for most organizations, but it presents an ever evolving set of challenges you must overcome - particularly when protecting sensitive data. AWS provides a comprehensive set of tools and services to enable organizations to operate securely in the cloud, but making effective use of these technologies requires a calculated and formalized approach to incorporate secure design practices within every component in your AWS environment and the AWS environment itself.
Phase 1 – Understand your requirements. Outline your policies, and then document the controls you inherit from AWS, document the controls you own and operate in your AWS environment, and decide on what security rules you want to enforce in your AWS IT environment.
Phase 2 – Build a “secure environment” that fits your requirements and implementation. Define the configuration you require in the form of AWS configuration values, such as encryption requirements (forcing server side encryption for S3 objects), permissions to resources (which roles apply to certain environments), which compute images are authorized (based on hardened images of servers you have authorized), and what kind of logging needs to be enabled (such as enforcing the use of CloudTrail on all resources for which it is available). Since AWS provides a mature set of configuration options (with new services being regularly released), we provide some templates for you to leverage for your own environment. These security templates (in the form of AWS CloudFormation Templates) provide a more comprehensive rule set that can be systematically enforced. We have developed templates that provide security rules that conform to multiple security frameworks and leading practices. These pre-packaged industry template solutions are provided to customers as a suite of templates or as stand alone templates based on specific security domains (e.g. access control, security services, network security, etc.)
Phase 3 – Enforce the use of the templates. Enable Service Catalog, and enforce the use of your template in the catalog. This is the step that enforces the use of your “secure environment” in new environments that are being created, and prevents anyone from creating an environment that doesn’t adhere to your “secure environment” standard rules or constraints. This effectively operationalizes the remaining customer account security configurations of controls in preparation for audit readiness.
Phase 4 – Perform validation activities. Deploying AWS through Service Catalog and the “secure environment” templates creates an audit-ready environment. The rules you defined in your template can be used as an audit guide. AWS Config allows you to capture the current state of any environment, which can then be compared with your “secure environment” standard rules. This provides audit evidence gathering capabilities through secure “read access” permissions, along with unique scripts, which enable audit automation for evidence collection. Customers will be able to convert traditional manual administrative controls to technically enforced controls with the assurance that, if designed and scoped properly, the controls are operating 100% at any point in time - versus traditional audit sampling methods or point-in-time reviews.
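A pre-deployment check of the kind Phase 2 and Phase 3 call for, added here as an example and not code from the Rackspace deck or the AWS NIST Quick Start: it verifies that a CloudFormation template encodes the rules named in the PCI-DSS example (HTTPS-only S3 access, HTTPS listeners with a named TLS policy) and in Phase 2 (server-side encryption forced on S3 objects, CloudTrail logging on). The template and every resource name in it are constructed for the example.

```python
import copy

def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def _has_deny_on(policy, condition_key):
    """True if some Deny statement in the policy conditions on condition_key."""
    return any(s.get("Effect") == "Deny"
               and any(condition_key in keys for keys in s.get("Condition", {}).values())
               for s in _statements(policy))

def check_template(template):
    """Return a list of findings; an empty list means the template passes."""
    resources = template.get("Resources", {})
    policies = [r for r in resources.values() if r["Type"] == "AWS::S3::BucketPolicy"]
    findings = []
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::S3::Bucket":
            # A bucket's transport and encryption rules live in the BucketPolicy that Refs it.
            docs = [p["Properties"]["PolicyDocument"] for p in policies
                    if p["Properties"].get("Bucket") == {"Ref": name}]
            doc = docs[0] if docs else {}
            if not _has_deny_on(doc, "aws:SecureTransport"):
                findings.append(f"{name}: no Deny for non-HTTPS access (aws:SecureTransport)")
            if not _has_deny_on(doc, "s3:x-amz-server-side-encryption"):
                findings.append(f"{name}: no Deny for PutObject without server-side encryption")
        elif res["Type"] == "AWS::ElasticLoadBalancing::LoadBalancer":
            for listener in props.get("Listeners", []):
                if listener.get("Protocol") != "HTTPS":
                    findings.append(f"{name}: listener on port {listener.get('LoadBalancerPort')} is not HTTPS")
                elif not listener.get("PolicyNames"):
                    findings.append(f"{name}: HTTPS listener has no TLS negotiation policy")
    trails = [r for r in resources.values() if r["Type"] == "AWS::CloudTrail::Trail"]
    if not any(t.get("Properties", {}).get("IsLogging") for t in trails):
        findings.append("no AWS::CloudTrail::Trail with IsLogging true")
    return findings

# Constructed template that passes every check (object ARN built with Fn::Join).
CHD_OBJECTS = {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "rBucketCHD"}, "/*"]]}
GOOD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "rBucketCHD": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "rBucketCHDPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {"Bucket": {"Ref": "rBucketCHD"}, "PolicyDocument": {"Statement": [
                {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": CHD_OBJECTS,
                 "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
                {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": CHD_OBJECTS,
                 "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}}},
        "rELBApp": {
            "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
            "Properties": {
                "Listeners": [{"LoadBalancerPort": "443", "InstancePort": "443",
                               "Protocol": "HTTPS", "PolicyNames": ["TLSPolicy"]}],
                "Policies": [{"PolicyName": "TLSPolicy", "PolicyType": "SSLNegotiationPolicyType",
                              "Attributes": [{"Name": "Reference-Security-Policy",
                                              "Value": "ELBSecurityPolicy-2016-08"}]}]}},
        "rTrail": {"Type": "AWS::CloudTrail::Trail",
                   "Properties": {"IsLogging": True, "S3BucketName": {"Ref": "rBucketCHD"}}},
    },
}

def bad_template():
    """Constructed non-compliant variant: no bucket policy, plain HTTP listener, trail off."""
    bad = copy.deepcopy(GOOD_TEMPLATE)
    del bad["Resources"]["rBucketCHDPolicy"]
    bad["Resources"]["rELBApp"]["Properties"]["Listeners"] = [
        {"LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP"}]
    bad["Resources"]["rTrail"]["Properties"]["IsLogging"] = False
    return bad

if __name__ == "__main__":
    for label, template in (("good", GOOD_TEMPLATE), ("bad", bad_template())):
        print(label, check_template(template) or "PASS")
```

Run as a gate in version control or before a Service Catalog import so that only templates with an empty findings list are approved.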
You can build a “golden environment” that fits your requirements and implementation: define the configuration you require in the form of AWS configuration values, such as encryption requirements (forcing server side encryption for S3 objects); permissions to resources (which roles apply to certain environments); which compute images are authorized (based on gold images of servers you have authorized); and what kind of logging needs to be enabled (such as enforcing the use of CloudTrail on all resources).
Connect the dots on the wide range of security and audit services and features we offer and provide security, compliance and auditing personnel a straightforward way to configure an environment for security and compliance based on “least privileges” across the AWS customer environment.
An organization with a decentralized cloud governance model can use this automation structure to establish “blueprint” architectures and allow workload owners full control of deployment at all levels. In contrast, an organization with a centralized cloud team that is responsible for provisioning might allow workload owners to provision only the application-level components of the architecture while retaining responsibility for initial account provisioning, IAM controls, and Amazon VPC configuration.
To successfully build templates to automate compliance:
Keep templates modular; use nested stacks when possible
Use parameters as much as necessary to ensure flexibility
Use the DependsOn attribute and wait conditions to prevent dependency issues when resources are deployed
Develop a version control process to maintain template packages
Allow for command line interface (CLI)-based or AWS Service Catalog based deployment
Use a parameters file
Use IAM policies to restrict the ability of users to delete AWS CloudFormation stacks
After creating a “secure environment,” you need to enforce its use in AWS. You do this by using exclusively approved CloudFormation templates. Everyone with access to the account must create their environment using the CloudFormation templates you created. Every time anyone uses the environment, all those “secure environment” standard rules and/or constraints will be applied. This effectively operationalizes the remaining customer account security configurations of controls and prepares you for audit readiness.
The goal of this phase is to ensure AWS customers can support an independent audit based on public, generally-accepted auditing standards. Auditing standards provide a measure of audit quality and the objectives to be achieved when auditing a system built within an AWS customer environment.
AWS provides tooling to detect whether there are actual instances of non-compliance. AWS Config gives you the point-in-time current settings of your architecture. You can also leverage AWS Config Rules, a service that allows you to use your secure environment as the authoritative criteria, to execute a sweeping check of controls across the environment. You’ll be able to detect who isn’t encrypting, who is opening up ports to the Internet, and who has databases outside a production VPC. Any measurable characteristic of any AWS resource in the AWS environment can be checked.
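The evaluation logic of an AWS Config custom rule for the three cases just named, added here as an example and not code from the Rackspace deck: security groups opening non-HTTPS ports to the Internet, RDS instances outside the production VPC, and S3 buckets without default server-side encryption. The configuration items are constructed and simplified to the fields the rule reads; the VPC ids and the prodVpcIds rule parameter are hypothetical.

```python
import json

NON_COMPLIANT, COMPLIANT, NOT_APPLICABLE = "NON_COMPLIANT", "COMPLIANT", "NOT_APPLICABLE"

def evaluate_security_group(cfg):
    """Any ingress from 0.0.0.0/0 on a port other than 443 is non-compliant."""
    for perm in cfg.get("ipPermissions", []):
        if "0.0.0.0/0" not in perm.get("ipRanges", []):
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if perm.get("ipProtocol") == "-1" or lo is None or not (lo == hi == 443):
            return NON_COMPLIANT, f"ingress from 0.0.0.0/0 on {perm.get('ipProtocol')} {lo}-{hi}"
    return COMPLIANT, "no Internet-facing ingress outside port 443"

def evaluate_rds_instance(cfg, prod_vpcs):
    """The database must sit in one of the VPCs passed as the prodVpcIds parameter."""
    vpc = cfg.get("dBSubnetGroup", {}).get("vpcId")
    if vpc in prod_vpcs:
        return COMPLIANT, f"database in production VPC {vpc}"
    return NON_COMPLIANT, f"database in VPC {vpc}, not a production VPC"

def evaluate_s3_bucket(item):
    """Config reports default encryption under supplementaryConfiguration."""
    if item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration"):
        return COMPLIANT, "default server-side encryption configured"
    return NON_COMPLIANT, "no default server-side encryption"

def evaluate(item, params):
    rtype = item["resourceType"]
    cfg = item.get("configuration") or {}
    if rtype == "AWS::EC2::SecurityGroup":
        return evaluate_security_group(cfg)
    if rtype == "AWS::RDS::DBInstance":
        return evaluate_rds_instance(cfg, params.get("prodVpcIds", "").split(","))
    if rtype == "AWS::S3::Bucket":
        return evaluate_s3_bucket(item)
    return NOT_APPLICABLE, f"rule does not cover {rtype}"

def lambda_handler(event, context=None):
    """Config invokes the rule with a JSON-encoded invokingEvent; return the evaluation."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # In Lambda the result is reported back to Config with
    # boto3.client("config").put_evaluations(Evaluations=[evaluation],
    #                                        ResultToken=event["resultToken"])
    return evaluation

def make_event(item, params=None):
    """Wrap a constructed configuration item the way Config delivers it to the rule."""
    item.setdefault("configurationItemCaptureTime", "2016-11-01T00:00:00.000Z")
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": json.dumps(params or {})}

# Constructed sample items (hypothetical resource ids, not real resources).
OPEN_SG = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
           "configuration": {"ipPermissions": [
               {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}]}}
DEV_DB = {"resourceType": "AWS::RDS::DBInstance", "resourceId": "db-example",
          "configuration": {"dBSubnetGroup": {"vpcId": "vpc-dev0000"}}}
PLAIN_BUCKET = {"resourceType": "AWS::S3::Bucket", "resourceId": "chd-bucket-example",
                "configuration": {}, "supplementaryConfiguration": {}}

if __name__ == "__main__":
    for item in (OPEN_SG, DEV_DB, PLAIN_BUCKET):
        ev = lambda_handler(make_event(item, {"prodVpcIds": "vpc-prod0000"}))
        print(ev["ComplianceResourceId"], ev["ComplianceType"], ev["Annotation"])
```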
• Customers have a variety of systems on the continuum between on-premises dedicated “pets” and public cloud “cattle”
• Some systems will improve, some won’t, and all will change at different rates
• More cloud services specialization (PaaS, containers, Lambda, etc.) will be game changers for specific types of applications (e.g. IoT)
• Therefore, any customer of sufficient age / size will have needs for various infrastructures to meet their business goals
Security is people, process and tools – tools is 10%
• People
  - People are fast changing in this business – process can save you
  - Focus on people and training, processing, learnings – spend money here
  - The best tool you have is useless without the people
    - It’s not the weapon, it’s how you sling it that makes you lethal
• Processes
  - Know your enemy – the APT is a person, well-motivated and well-equipped
  - Tools will not find them, you have to go look
  - Get proactive – this means getting block and tackle off your plate (vuln management, patching)
• Tools
  - Focus on integration – no silver bullet tools. Look for APIs, bias towards open-source.
• This is hard – outsource it.
• The operating theater for security in business is becoming more complex and important to the business. You can’t control that – accept and persevere.
• Nothing burns your security cred faster than being a blocker – if you aren’t enabling a business objective, stop doing it.
• People, processes and tools – it’s the people, stupid.