This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture design decisions made by Fortune 500 organizations during actual sensitive workload deployments, as told by the AWS security solution architects and professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.
(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Invent 2014
1. Hart Rossman—AWS Principal Security Consultant
Bill Shinn—AWS Principal Security Solutions Architect
Brent Funk—Boeing, Chief Architect, Commercial Digital Aviation PaaS
November 13, 2014 | Las Vegas, NV
2. Organizes and describes the perspectives in planning, creating, managing, and supporting a modern IT service.
Offers practical guidance and comprehensive guidelines for establishing, developing and running AWS cloud-enabled environments.
It provides a structure where business and IT can work together towards a common strategy and vision, supported by modern IT automation and process optimization.
Perspectives: People, Process, Security, Maturity, Platform, Operating, Business.
5. Security Program
• Reference Architectures
• Asset Management
• Identity Lifecycle Management
• Ubiquitous Logging
• Security Management Layer
• DevSecOps
• Security Services & API
• Just In Time Access
• The Basics
7. Shared responsibility
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
8. Extending Enterprise Security
AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) remain the AWS layer; the enterprise adds its own layers on top:
• Governance & Risk / Business: culture of security and continual improvement; ongoing audits and assurance; protection of large-scale service endpoints
• Enterprise Security Operations / Compliance: lead change; audits & assurance; protection of workloads, shared services, interconnects; MSB definition; cloud security operations
• Product & Platform Teams: MSB customization; application/platform infrastructure; security development lifecycle
9. Extending Enterprise Security: Partner Ecosystem
The same layers as the previous slide (AWS Foundation Services and Global Infrastructure; Governance & Risk / Business; Security Operations / Compliance; Product & Platform Teams), with Partners added alongside the enterprise layers.
10. Capability / Principle / Action
Anticipate
• Infrastructure as code: skill up the security team in code & automation (DevSecOps).
• Design guard rails, not gates: architect to drive towards good behavior.
Deter
• Use the cloud to protect the cloud: build, operate, and manage security tools in the cloud.
• Stay current, run secure: consume new security features; patch and replace frequently.
• Reduce reliance on persistent access: establish a role catalog; automate KMI via a secrets service.
Detect
• Total visibility: aggregate AWS logs and metadata with OS & App logs.
• Deep insights: security data warehouse with BI & analytics.
Respond
• Scalable incident response: update the IR SOP for the shared responsibility framework.
• Forensic readiness: update workloads to support forensic readiness and containment.
Recover
• Automate: Continuous Integration & Continuous Deployment.
13. (Diagram: a Region containing EC2 instances and Amazon S3, fronted by Amazon Route 53; both Customers and distributed attackers reach the same endpoints.)
15. Centralized Governance w/ IAM Role Catalog
• Central Account (Trusted): the SecUser IAM user
• BU Accounts (Trusting): each account carries a SecRole IAM role that the central SecUser assumes
16. Proprietary:
The information contained herein is proprietary to The Boeing Company and shall not be reproduced or disclosed in whole or in part or used for any reason except when such user possesses direct, written authorization from The Boeing Company.
The statements contained herein are based on good faith assumptions and provided for general information purposes only. These statements do not constitute an offer, promise, warranty or guarantee of performance. Actual results may vary depending on certain events or conditions. This document should not be used or relied upon for any purpose other than that intended by Boeing.
BOEING is a trademark of Boeing Management Company.
17.
• SOA
 – Publish/subscribe model
 – Data/Functions/Visualization
 – Internal/External services models
• Secure
 – VPC perimeter security
 – VPC to VPC peering
 – Intra-VPC security
 – Logging and auditing
• Message Oriented Middleware
 – Enterprise Service Bus
 – Global registry
 – Global security
 – Load balanced
21. Log analysis pipeline (diagram)
• Log shipping via Amazon SQS into an SQS queue
• Auto Scaling group of Logstash indexers consuming the queue
• Auto Scaling group of ElasticSearch nodes behind an internal Elastic Load Balancing endpoint
• Auto Scaling group of Kibana nodes behind a second internal Elastic Load Balancing endpoint
• Auto Scaling group of reverse proxies terminating HTTPS traffic in front of HTTP traffic to Kibana
• CloudWatch alarms drive the scale-up and scale-down actions of the groups
22.
• Expedited root cause analysis activities
 – Streaming ingest of log data, every 5 seconds
 – Security tie-ins from application to networking to infrastructure
 – Dynamic correlation of data within a single location, resulting in quicker RCA activities
• Immediate validation of security incident remediation
• Allows for segregation of duties for threat analysis vs. operational configuration/support
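The "security tie-ins from application to networking to infrastructure" and "dynamic correlation within a single location" points above describe what the pipeline enables; the block below is an added example (not code from the talk or from Boeing) of the kind of correlation an indexer or an analyst would run once AWS, OS and application logs land in one place. All three inputs are constructed sample data: one CloudTrail delivery, an instance's sshd log, and an application access log. The window length and the "fail then API call from the same IP" rule are assumptions chosen for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input (not from the talk). Three sources the ELK pipeline
# would receive via SQS: a CloudTrail delivery, an EC2 instance's sshd log and
# an application access log. All timestamps are UTC on the same day.
CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2014-11-13T10:02:05Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "secuser"}},
    {"eventTime": "2014-11-13T10:02:40Z", "eventName": "AuthorizeSecurityGroupIngress",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "secuser"}},
]})
SSHD_LOG = """\
Nov 13 10:01:10 ip-10-0-1-20 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Nov 13 10:01:15 ip-10-0-1-20 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Nov 13 10:05:00 ip-10-0-1-20 sshd[1300]: Accepted publickey for ec2-user from 198.51.100.9 port 41000 ssh2"""
APP_LOG = """\
203.0.113.7 - - [13/Nov/2014:10:03:12 +0000] "GET /admin/config HTTP/1.1" 403 512
198.51.100.9 - - [13/Nov/2014:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024"""

SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<ip>\S+)")
APP_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_cloudtrail(raw):
    """Infrastructure/API layer: one normalized event per CloudTrail record."""
    out = []
    for r in json.loads(raw)["Records"]:
        ident = r["userIdentity"]
        out.append({"ts": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
                    "layer": "aws", "ip": r["sourceIPAddress"],
                    "principal": ident.get("userName", ident["type"]),
                    "action": r["eventName"], "outcome": "ok"})
    return out


def parse_sshd(raw, year=2014):
    """OS layer: syslog lines carry no year, so the caller supplies it."""
    out = []
    for line in raw.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter is skipped, not treated as an error
        ts = datetime.strptime("%d %s" % (year, re.sub(" +", " ", m["ts"])), "%Y %b %d %H:%M:%S")
        out.append({"ts": ts, "layer": "os", "ip": m["ip"], "principal": m["user"],
                    "action": "ssh-login", "outcome": "fail" if m["outcome"] == "Failed" else "ok"})
    return out


def parse_app(raw):
    """Application layer: combined-format access log; 4xx/5xx responses count as failures."""
    out = []
    for line in raw.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc).replace(tzinfo=None)
        out.append({"ts": ts, "layer": "app", "ip": m["ip"], "principal": "-",
                    "action": m["req"], "outcome": "fail" if m["status"][0] in "45" else "ok"})
    return out


def correlate(events, window=timedelta(minutes=10)):
    """Tie the layers together on source IP: report every IP that produced an
    OS- or app-layer failure and then, within `window`, made AWS API calls.
    Each finding carries the ordered cross-layer timeline an analyst needs for RCA."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "fail"]
        if not failures:
            continue
        first_fail = failures[0]["ts"]
        api_calls = [e for e in evs if e["layer"] == "aws" and first_fail <= e["ts"] <= first_fail + window]
        if api_calls:
            findings.append({"ip": ip, "layers": sorted({e["layer"] for e in evs}),
                             "api_calls": [e["action"] for e in api_calls],
                             "timeline": [(e["ts"].isoformat(), e["layer"], e["action"], e["outcome"]) for e in evs]})
    return findings


def run(cloudtrail=CLOUDTRAIL, sshd=SSHD_LOG, app=APP_LOG):
    """Normalize all three sources into one event stream and correlate it."""
    events = parse_cloudtrail(cloudtrail) + parse_sshd(sshd) + parse_app(app)
    return events, correlate(events)


if __name__ == "__main__":
    _, found = run()
    print(json.dumps(found, indent=2))
```

On the sample data the only finding is for 203.0.113.7: two failed SSH logins, then two EC2 API calls (including a security-group change) a minute later, then a 403 on an admin URL. None of the three sources shows that sequence on its own, which is the point of having them in a single location.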
25. Peer Review
• Shared infrastructure security services moved to a Services VPC
• 1 to 1 peering = app isolation
• Security Groups and NACLs still apply
• Security Groups still bound to a single VPC
(Diagram: within one AWS region, a Services VPC hosting AD, DNS, Monitoring and Logging is peered one-to-one with each of a public-facing web app VPC, internal company app #1 through #4, and internal company Dev and QA VPCs; an HA pair of VPN endpoints connects to the company data center.)
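"1 to 1 peering = app isolation" relies on VPC peering being non-transitive: a route in app VPC #1 that points at its peering with the Services VPC but names app VPC #2's CIDR is simply dropped. The block below is an added example (not Boeing's or AWS's code) that models a hub of that shape and checks it: which VPC pairs can actually exchange traffic, which routes are dead, and which security group rules reference a group in another VPC (invalid at the time of the talk, when a group could only reference groups in its own VPC). The CIDRs, peering ids and group names are constructed for the example.

```python
import ipaddress
from itertools import permutations

# Constructed topology (not the deployment in the talk): a Services VPC peered
# one-to-one with two application VPCs. There is deliberately no app1<->app2 peering.
VPCS = {"services": "10.0.0.0/16", "app1": "10.1.0.0/16", "app2": "10.2.0.0/16"}
PEERINGS = {"pcx-svc-app1": ("services", "app1"), "pcx-svc-app2": ("services", "app2")}
# Route tables: destination CIDR -> peering connection the packet is handed to.
ROUTES = {
    "services": {"10.1.0.0/16": "pcx-svc-app1", "10.2.0.0/16": "pcx-svc-app2"},
    "app1": {"10.0.0.0/16": "pcx-svc-app1",
             "10.2.0.0/16": "pcx-svc-app1"},   # mistaken attempt to reach app2 "through" services
    "app2": {"10.0.0.0/16": "pcx-svc-app2"},
}
# Security groups with (protocol, port, source) ingress rules. The LDAP group in
# the Services VPC wrongly references a group that lives in app1.
SECURITY_GROUPS = {
    "sg-svc-ldap": {"vpc": "services", "ingress": [("tcp", 389, "sg-app1-web")]},
    "sg-app1-web": {"vpc": "app1", "ingress": [("tcp", 443, "0.0.0.0/0")]},
}


def owner_of(cidr, vpcs=VPCS):
    """Name of the VPC whose address space contains `cidr`, or None."""
    net = ipaddress.ip_network(cidr)
    for name, vcidr in vpcs.items():
        if net.subnet_of(ipaddress.ip_network(vcidr)):
            return name
    return None


def far_side(pcx, vpc, peerings=PEERINGS):
    """The VPC at the other end of peering `pcx`, or None if `vpc` is not an end of it."""
    a, b = peerings[pcx]
    return b if vpc == a else a if vpc == b else None


def dead_routes(routes=ROUTES, peerings=PEERINGS, vpcs=VPCS):
    """Routes whose destination is not owned by the VPC at the far end of the
    peering they point at. Peering is not transitive, so such traffic is dropped."""
    dead = []
    for vpc, table in routes.items():
        for dest, pcx in table.items():
            other = far_side(pcx, vpc, peerings)
            if other is None or owner_of(dest, vpcs) != other:
                dead.append((vpc, dest, pcx))
    return dead


def can_reach(src, dst, routes=ROUTES, peerings=PEERINGS, vpcs=VPCS):
    """True only if one peering joins exactly src and dst and both route tables
    send the other side's CIDR over it (return traffic needs the reverse route)."""
    for pcx, ends in peerings.items():
        if set(ends) != {src, dst}:
            continue
        fwd = any(owner_of(d, vpcs) == dst and p == pcx for d, p in routes[src].items())
        back = any(owner_of(d, vpcs) == src and p == pcx for d, p in routes[dst].items())
        if fwd and back:
            return True
    return False


def reachability(routes=ROUTES, peerings=PEERINGS, vpcs=VPCS):
    """Full ordered-pair reachability matrix for the hub."""
    return {(a, b): can_reach(a, b, routes, peerings, vpcs) for a, b in permutations(vpcs, 2)}


def invalid_sg_references(sgs=SECURITY_GROUPS):
    """Ingress rules whose source is a security group in a different VPC. These
    must be rewritten as the peer VPC's CIDR (or subnet) instead."""
    bad = []
    for name, sg in sgs.items():
        for _proto, _port, src in sg["ingress"]:
            if src.startswith("sg-") and sgs.get(src, {}).get("vpc") != sg["vpc"]:
                bad.append((name, src))
    return bad


if __name__ == "__main__":
    for pair, ok in sorted(reachability().items()):
        print("%s -> %s: %s" % (pair[0], pair[1], "reachable" if ok else "isolated"))
    print("dead routes:", dead_routes())
    print("invalid security group references:", invalid_sg_references())
```

The model confirms the slide's claim: the Services VPC reaches every app VPC and each app VPC reaches it, but app1 and app2 stay isolated from each other even with app1's extra route in place, and that route is flagged as dead rather than silently tolerated. The cross-VPC security group reference is reported so it can be replaced with a CIDR-based rule; AWS later relaxed this restriction for peered VPCs in the same region, but the check still catches a rule that will not do what its author intended at the time of this deck.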
28. Delivery pipeline with security built in (diagram)
• Version Control: Dev commits to Git/master; the CI Server pulls code, config and tests
• CI Server: sends the build report to Dev; stops everything if the build failed
• Package Builder: creates the repo and AMIs and generates AWS CloudFormation templates for each environment
• Deploy: pushes and installs config into the Test, Staging and Prod environments
• Security Repository: vulnerability and pen testing; security infrastructure tests; security unit tests in the app
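The "security infrastructure tests" and "stop everything if the build failed" steps above are where a CloudFormation template gets rejected before it ever reaches the Test environment. The block below is an added example (not the talk's or Boeing's pipeline code) of such a gate: it audits a constructed template for three common defects and returns a pass/fail result a CI server can turn into an exit code. The template, the set of ports allowed to face the world, and the corporate address range used in the hardened version are all assumptions for the example.

```python
import copy
import json
import sys

# Constructed CloudFormation template (not from the talk) carrying three defects
# a security infrastructure test should stop: SSH open to the world, a public
# bucket ACL and an Allow */* IAM policy.
INSECURE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "BastionSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "bastion",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
        "AppPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
            "PolicyName": "app", "Roles": [{"Ref": "AppRole"}],
            "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    },
}

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS_OK = {80, 443}          # assumption: only web ports may be world-reachable
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def check_security_group(name, props):
    """World-open ingress is allowed only on a single approved web port."""
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") in WORLD:
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            if not (lo == hi and lo in PUBLIC_PORTS_OK):
                yield "%s: ingress %s/%d-%d open to the world" % (name, rule.get("IpProtocol"), lo, hi)


def check_bucket(name, props):
    if props.get("AccessControl") in PUBLIC_ACLS:
        yield "%s: bucket ACL %s is public" % (name, props["AccessControl"])


def check_iam(name, props):
    """Covers AWS::IAM::Policy (PolicyDocument) and inline Policies on roles, users and groups."""
    docs = [props["PolicyDocument"]] if "PolicyDocument" in props else \
           [p["PolicyDocument"] for p in props.get("Policies", [])]
    for doc in docs:
        for st in _as_list(doc.get("Statement", [])):
            if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", [])) \
                    and "*" in _as_list(st.get("Resource", [])):
                yield "%s: Allow */* grants full administrative access" % name


CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_bucket,
    "AWS::IAM::Policy": check_iam, "AWS::IAM::Role": check_iam,
    "AWS::IAM::User": check_iam, "AWS::IAM::Group": check_iam,
}


def audit_template(template):
    """Run every applicable check over every resource; returns a list of findings."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


def pipeline_gate(template):
    """(passed, findings): the CI server stops everything when passed is False."""
    findings = audit_template(template)
    return (not findings, findings)


def harden(template):
    """The corrected form of the constructed template: SSH restricted to an assumed
    corporate range, bucket made private, policy scoped to one action on one bucket."""
    t = copy.deepcopy(template)
    r = t["Resources"]
    r["BastionSG"]["Properties"]["SecurityGroupIngress"][0]["CidrIp"] = "10.0.0.0/8"
    r["LogBucket"]["Properties"]["AccessControl"] = "Private"
    r["AppPolicy"]["Properties"]["PolicyDocument"]["Statement"] = [
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-log-bucket/*"}]
    return t


if __name__ == "__main__":
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else INSECURE_TEMPLATE
    passed, findings = pipeline_gate(template)
    for f in findings:
        print("FAIL", f)
    sys.exit(0 if passed else 1)
```

Run with a template path to gate a real build; without arguments it audits the constructed template, reports three findings and exits non-zero, while the hardened version passes cleanly. The checks deliberately fail closed on anything world-open that is not exactly one approved port, so a rule like 0-65535 from 0.0.0.0/0 is caught even when 443 is inside the range.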
30. Baseline IAM Catalog deployment (diagram)
• Source Code Repository: pull/push; workflow Develop, Review, Test, Approve, Commit
• An Admin runs a Ruby tool holding an AKID/SAK; it obtains STS credentials and pushes the baseline IAM catalog into the SecRole (IAM role) of each trusting BU account
• The steps are numbered 1 through 5 in the diagram
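Slides 15 and 30 together describe the role catalog: a SecRole in every trusting BU account, a SecUser in the trusted central account, and a reviewed, committed baseline pushed out with STS credentials. The block below is an added example (not the Ruby tooling shown in the talk, and not Boeing's or AWS's code) written in Python that generates the catalog entries, applies the review check a reviewer would want before "Approve", and shows the STS assume-role step. Account ids, the role's permission set and the MFA requirement are assumptions for the example; only the two functions that touch AWS need network access and credentials.

```python
import json

CENTRAL_ACCOUNT = "111111111111"                     # assumption: trusted central account
BU_ACCOUNTS = ["222222222222", "333333333333"]       # constructed trusting BU accounts
ROLE_NAME = "SecRole"
SEC_USER_ARN = "arn:aws:iam::%s:user/SecUser" % CENTRAL_ACCOUNT


def trust_policy(trusted_principal_arn, require_mfa=True):
    """Who may assume SecRole: a single principal in the central account, and
    (an addition beyond the slide) only when that principal authenticated with MFA."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": trusted_principal_arn}, "Action": "sts:AssumeRole"}
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def permissions_policy():
    """What SecRole may do inside the BU account: read security configuration and
    audit trail state. A representative read-only baseline, not the talk's catalog."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:Get*", "iam:List*", "ec2:Describe*", "cloudtrail:DescribeTrails",
                   "cloudtrail:GetTrailStatus", "s3:GetBucketPolicy", "s3:GetBucketAcl"],
        "Resource": "*"}]}


def build_catalog(bu_accounts, trusted_principal_arn=SEC_USER_ARN):
    """One catalog entry per trusting account; this is what gets committed and reviewed."""
    return {acct: {"RoleName": ROLE_NAME,
                   "RoleArn": "arn:aws:iam::%s:role/%s" % (acct, ROLE_NAME),
                   "AssumeRolePolicyDocument": trust_policy(trusted_principal_arn),
                   "Policy": permissions_policy()} for acct in bu_accounts}


def trust_policy_problems(doc, central_account=CENTRAL_ACCOUNT):
    """Review gate: the role must trust only principals in the central account
    (never '*' or a foreign account) and must require MFA."""
    problems = []
    for st in doc["Statement"]:
        principals = st.get("Principal", {}).get("AWS", [])
        for p in ([principals] if isinstance(principals, str) else principals):
            if p == "*" or not p.startswith("arn:aws:iam::%s:" % central_account):
                problems.append("untrusted principal %s" % p)
        if st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            problems.append("MFA not required")
    return problems


def review_catalog(catalog):
    """Every entry must pass the trust-policy check before the catalog is approved."""
    return {acct: trust_policy_problems(entry["AssumeRolePolicyDocument"]) for acct, entry in catalog.items()
            if trust_policy_problems(entry["AssumeRolePolicyDocument"])}


def assume_sec_role(role_arn, session_name="secops", mfa_serial=None, mfa_token=None):
    """STS step: exchange the caller's long-lived AKID/SAK (taken from the environment
    by boto3) for one-hour credentials scoped to SecRole. Needs network access;
    boto3 is imported here so the rest of the module runs offline. With the MFA
    condition in the trust policy the call fails unless SerialNumber/TokenCode are supplied."""
    import boto3
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name, "DurationSeconds": 3600}
    if mfa_serial:
        kwargs.update(SerialNumber=mfa_serial, TokenCode=mfa_token)
    creds = boto3.client("sts").assume_role(**kwargs)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])


def deploy_entry(session, entry):
    """Push one catalog entry into a BU account using a session that already holds
    IAM write permission there (how that session is obtained is outside this example)."""
    iam = session.client("iam")
    iam.create_role(RoleName=entry["RoleName"],
                    AssumeRolePolicyDocument=json.dumps(entry["AssumeRolePolicyDocument"]))
    iam.put_role_policy(RoleName=entry["RoleName"], PolicyName="SecRoleBaseline",
                        PolicyDocument=json.dumps(entry["Policy"]))


if __name__ == "__main__":
    catalog = build_catalog(BU_ACCOUNTS)
    print(json.dumps(catalog, indent=2))
    print("review problems:", review_catalog(catalog) or "none")
```

The review check is the piece worth keeping even if the rest is replaced by the team's own tooling: a trust policy that names `*` or a principal from the wrong account is exactly the mistake that turns a governance role into a cross-account backdoor, and it is cheap to reject at commit time.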
31. Security Program
• Reference Architectures
• Asset Management
• Identity Lifecycle Management
• Ubiquitous Logging
• Security Management Layer
• DevSecOps
• Security Services & API
• Just In Time Access
• The Basics