3. Goals for secure application design
Confidentiality – only authorized users can access data
Integrity – data can't be changed without detection
Availability – data is accessible when needed
4. Confidentiality
• Access control on systems and/or data itself
  • Principal, Action, Resource, Condition
• Encryption
  • Renders data inaccessible without a key
  • Authenticated encryption protects data from modification
  • Easier to tightly control access to a key than the data
  • Independent controls for keys and data
5. Integrity
• Physical integrity
  • Replicate across independent systems
  • Mitigates risk of data corruption or code errors
• Logical integrity
  • Checksum
  • Message authentication code (MAC)
  • Digital signature
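Added example (not from the deck) for slides 4 and 5: why an unkeyed checksum only covers accidental corruption while a keyed MAC also covers deliberate modification. The record, the key and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record and key (illustrative, not from the deck).
RECORD = b"account=123456789012;action=s3:PutObject;allow=true"
DEMO_KEY = secrets.token_bytes(32)  # held only by the party that verifies

def checksum(data: bytes) -> str:
    """Unkeyed checksum: anyone, including a tamperer, can recompute it."""
    return hashlib.sha256(data).hexdigest()

def mac(key: bytes, data: bytes) -> str:
    """Keyed MAC (HMAC-SHA256): producing a valid tag requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def checksum_verifies(data: bytes, tag: str) -> bool:
    return hmac.compare_digest(checksum(data), tag)

def mac_verifies(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking tag bytes through timing differences
    return hmac.compare_digest(mac(key, data), tag)

def tamper_scenarios(key: bytes) -> dict:
    """Which control detects which kind of modification of RECORD."""
    stored_sum = checksum(RECORD)
    stored_mac = mac(key, RECORD)

    # Case 1: accidental corruption (one flipped bit); the stored tags are untouched.
    flipped = bytearray(RECORD)
    flipped[0] ^= 0x01
    flipped = bytes(flipped)

    # Case 2: deliberate edit by a party that can also rewrite the stored tag
    # but does not hold the key. The checksum is simply recomputed; the MAC
    # can only be produced under some other (wrong) key.
    edited = RECORD.replace(b"allow=true", b"allow=false")
    rewritten_sum = checksum(edited)
    rewritten_mac = mac(b"not-the-real-key", edited)

    return {
        "bitflip_checksum_detects": not checksum_verifies(flipped, stored_sum),   # True
        "bitflip_mac_detects": not mac_verifies(key, flipped, stored_mac),         # True
        "tamper_checksum_detects": not checksum_verifies(edited, rewritten_sum),  # False: forgery accepted
        "tamper_mac_detects": not mac_verifies(key, edited, rewritten_mac),        # True
    }
```

The same reasoning is why the deck pairs encryption with authentication: a ciphertext with only a checksum can be altered and re-summed by whoever can write to the storage.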
6. Availability
• Ability to access ANY copy of the data
  • How much time can your users live with zero access?
• Latency of access to primary copy of the data
  • How much time can your users wait for normal access?
7. Security is a shared responsibility
[Figure: AWS shared responsibility model]
Customers are responsible for their security IN the Cloud:
  Customer content
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Client-side Data Encryption | Server-side Data Encryption | Network Traffic Protection
AWS is responsible for the security OF the Cloud:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
8. DATA OWNERSHIP
Customers choose where to place their data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and doesn't move unless the customer tells us to do so
Customers always own their data, and the ability to encrypt it, move it, and delete it
11. COMPLIANCE – AWS ARTIFACT
AWS Artifact provides customers with an easier process to obtain AWS compliance reports (SOC, PCI, ISO) with self-service, on-demand access via the console
12. SOLUTIONS IN AWS MARKETPLACE (aws.amazon.com/mp/security)
[Figure: partner logos grouped under five categories: Infrastructure Security; Logging & Monitoring; Configuration & Vulnerability Analysis; Data Protection; Identity & Access Management]
Listings shown: Deep Security-as-a-Service; VM-Series Next-Generation Firewall Bundle 2; vSEC; Web Application Firewall; Unified Threat Management 9; FortiGate-VM; SecureSphere WAF; CloudInsight; Security Platform (ESP) for AWS; SecOps; Log Management & Analytics; Enterprise Cost & Security Management; DataControl; Transparent Encryption for AWS; SafeNet ProtectV; Identity & Access Management or AWS; Security Manager; OneLogin for AWS; Identity Management for the Cloud
▪ One-click launch
▪ Ready-to-run on AWS
▪ Pay only for what you use
13. MAKING COMPLIANCE EASIER
AWS SOLUTION: AMAZON S3 DATA EVENTS AVAILABLE IN CLOUDTRAIL AND CLOUDWATCH EVENTS
[Diagram of the services involved: Amazon S3, AWS CloudTrail, Amazon CloudWatch, AWS Lambda]
14. Apply the security principles of "least privilege" and "segregation of responsibilities"
AWS SOLUTION: AWS IDENTITY AND ACCESS MANAGEMENT
15. AWS IDENTITY AND ACCESS MANAGEMENT
FEATURES ADDED IN 2016
• AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations
• IAM console now helps prevent you from accidentally deleting in-use resources
16. AWS IDENTITY AND ACCESS MANAGEMENT
FEATURES ADDED IN 2016
• AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations:
  • Administrator
  • Billing
  • Database Administrator
  • Data Scientist
  • Developer Power User
  • Network Administrator
  • System Administrator
  • Security Auditor
  • Support User
  • View-Only User
17. AMAZON INSPECTOR
Security assessment tool analyzing end-to-end application configuration and activity
20. AWS SOLUTION: KEY MANAGEMENT SERVICE
Decide on an encryption key management strategy:
• Manage and use keys in AWS Key Management Service (AWS KMS)
• Use service-provided built-in key management
• Use your own key management system
• Manage and use keys in AWS CloudHSM
21. KEY MANAGEMENT SERVICE
Features added in 2016
• Bring your own keys to AWS Key Management Service using the KMS import key feature
• AWS Encryption SDK
23. AWS Organizations
Programmatic creation of new AWS accounts
• New AWS accounts can only be created from the master account
• As part of the creation process you can configure
  - Email address (required)
  - Account name (required)
  - IAM role name (required - default name is OrganizationAccountAccessRole)
    • Trust policy configured for AssumeRole access from master account
    • Permissions configured with FULL CONTROL
  - IAM user access to billing (optional) Note! IAM users still need permissions
• New AWS account
  - Automatically part of your organization
  - Cannot be removed from the organization
24. AWS Organizations
Invite existing AWS accounts to an organization
• Invitation can only be initiated from master account
• Invited AWS account can accept or decline invitation
  - Default action is DECLINE
  - Can be controlled with IAM permissions
• When invitation is accepted
  - AWS account becomes member of your organization
  - Applicable OCPs automatically applied
25. AWS Organizations
Logically group AWS accounts
• Group AWS accounts into organizational units (OUs) for management convenience
• AWS account can be member of multiple OUs
• Only AWS accounts can be member of an OU
27. AWS Organizations
Apply Organizational Control Policies (OCP)
• Describes controls to be applied
• Different use cases have different types of OCPs
• OCPs can be attached to
  - Organization
  - OUs
  - AWS account
• OCPs are inherited up the hierarchy (AWS account, OU, organization)
29. AWS Organizations
OCP supported in V1: Service Control Policies (SCPs)
• Enables you to control which AWS service APIs are accessible
  - Define the list of APIs that are allowed – whitelisting
  - Define the list of APIs that must be blocked – blacklisting
• Cannot be overridden by local administrator
• Necessary but not sufficient
• Resultant permission on IAM user/role is intersection between SCP and assigned IAM permissions
• IAM policy simulator is SCP aware
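Added example (not from the deck or AWS's own evaluator) of the "intersection" rule on this slide: a small evaluator that applies an SCP whitelist and blacklist together with an IAM policy, showing that the SCP is necessary but not sufficient and that a local administrator's `*` policy cannot override it. The policies, action names and helper names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policies (illustrative, not from the deck). Actions use IAM-style
# wildcards; one SCP may whitelist (Allow) and blacklist (Deny) at the same time.
SCP = [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "iam:*"]},     # whitelist
    {"Effect": "Deny",  "Action": ["s3:DeleteBucket", "iam:CreateUser"]},   # blacklist
]
DEVELOPER_IAM = [{"Effect": "Allow", "Action": [
    "s3:GetObject", "s3:DeleteBucket", "iam:CreateUser", "ec2:RunInstances"]}]
LOCAL_ADMIN_IAM = [{"Effect": "Allow", "Action": ["*"]}]  # full local admin

def _matches(patterns, action) -> bool:
    return any(fnmatchcase(action, p) for p in patterns)

def evaluate(statements, action) -> bool:
    """Single-policy evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    if any(s["Effect"] == "Deny" and _matches(s["Action"], action) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(s["Action"], action) for s in statements)

def effective(action, scp, iam_policy) -> bool:
    """The SCP is necessary but not sufficient: the call works only if BOTH allow it."""
    return evaluate(scp, action) and evaluate(iam_policy, action)

def effective_set(actions, scp, iam_policy) -> set:
    """Intersection of what the SCP permits and what the IAM policy grants."""
    return {a for a in actions if effective(a, scp, iam_policy)}

CANDIDATES = ["s3:GetObject", "s3:DeleteBucket", "iam:CreateUser",
              "ec2:RunInstances", "ec2:DescribeInstances"]

if __name__ == "__main__":
    print(sorted(effective_set(CANDIDATES, SCP, DEVELOPER_IAM)))   # ['s3:GetObject']
    print(sorted(effective_set(CANDIDATES, SCP, LOCAL_ADMIN_IAM)))  # ['ec2:DescribeInstances', 's3:GetObject']
```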
30. AWS Organizations
Simplified billing
• Single payer for all AWS accounts
• All AWS usage across AWS accounts in your organization rolled up for volume pricing and billing
• All existing Consolidated Billing families will be migrated to an organization in billing mode
32. The case for change
• DevOps, Agile, and Scrum on the rise…
• Workload migrations to software defined environments…
• Mass adoption of the public cloud…
• Talent migration to progressive cloud companies…
• Startups have game-changing tech at their disposal…
• Competitive landscape is becoming fierce…
• The perimeter is no longer an option…
• Security, now more than ever, is an arms race…
33. The DevSecOps mindset
• Customer focus
• Open and transparent
• Iteration over perfection
• Hunting over reaction
• Hmmm → Wait a minute, this sounds like a manifesto…
insert shameless plug here: http://www.devsecops.org
34. Where to start?
• Pontificate?
• Checklists?
• 1-pagers? 6-pagers? Documents?
Security as code
35. Security as code is easy with AWS
AWS provides all the APIs!
• Programmatically test environments
• Determine state of environment at a specific point in time
• Repeatable processes
• Scalable operations
36. How can we learn DevSecOps?
[Diagram: four questions, each answered by an experiment, moving from "DevOps + Security" (Start here?) to "DevOps + DevSecOps"]
• Security as Code? → Experiment: Automate Policy Governance
• Security as Operations? → Experiment: Detection via Security Operations
• Compliance Operations? → Experiment: Compliance via DevSecOps Toolkit
• Science? → Experiment: Science via Profiling
37. Ready to build your DevSecOps platform?
[Diagram components: AWS accounts (S3, Glacier, EC2, CloudTrail); ingestion; threat intel; security tools & data; security science; security insights]