Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

Security Framework Shakedown

2.698 Aufrufe

Veröffentlicht am

Security Framework Shakedown. AWS Initiate Day, Austin, TX

  • Als Erste(r) kommentieren

Security Framework Shakedown

  1. 1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security Framework Shakedown Chart Your Journey with AWS Best Practices
  2. 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Objectives • Define a security strategy, deliver a security program and develop robust security operations on AWS • Explain, Implement AWS security best practices • Adopt AWS security services at an accelerated pace • Get some code!
  3. 3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda • NAB Cloud security journey • Cloud adoption framework security perspective • AWS well-architected framework security pillar
  4. 4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. National Australia Bank Our vision: To be Australia's leading bank, trusted by customers for exceptional service • One of Australia’s four major banks and largest business bank • More than 30,000 employees and 9 million customers across 900 locations
  5. 5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Our cloud security strategy Objectives • Extend our existing Security Services to the Cloud • Integrated and Secure by Default • Continuous Security Governance
  6. 6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Our cloud security strategy Objectives • Extend our existing Security Services to the Cloud • Integrated and Secure by Default • Continuous Security Governance Insights • We had to change our approach • Scale with automation and decentralization • Security compliments agile
  7. 7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Foundations of continuous compliance Baseline Compliance Portfolio AWS Service Compliance Portfolio Application Compliance Portfolio Service A Service B API Gateway Amazon RDS Amazon EBS Prod Account Non-Prod Account Application Security Assessment AWS Service Control Review Security Posture
  8. 8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS cloud adoption framework
  9. 9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CAF security perspective Security Perspective Directive Preventative Detective Responsive
  10. 10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Core five epics
  11. 11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS shared responsibility model
  12. 12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Define a strategy Identify your workloads moving to AWSIdentify stakeholders
  13. 13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Deliver a security program Rationalize security requirements Define data protections and controls Document security architecture
  14. 14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security cartography
  15. 15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CAF best practices Inventory current security requirements Adopt a security framework Identify workload security controls Map current security controls to cloud controls Create a security RACI Create a risk register
  16. 16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Robust security operations Deploy architecture Automation Continuous monitoring Testing and Gameda
  17. 17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Identity & Access Mgmt Detective Control Infrastructure Security Data Protection Incident Response Week 1 Week 2 Week 5Week 3 Week 4 Sample security Epics journey
  18. 18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What is the AWS Well-Architected Framework? Pillars Design Principles Questions
  19. 19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Pillars of AWS Well-Architected Security Reliability Performance Efficiency Cost Optimization Operational Excellence
  20. 20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. A mechanism for your cloud journey Learn Measure Improve
  21. 21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security design principles • Implement a strong identity foundation • Enable traceability • Apply security at all layers • Automate security best practices • Protect data in transit and at rest • Keep people away from data • Prepare for security events
  22. 22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top best practices: Strong identity foundation Root account should never be used Consider AWS Organizations Set account security questions & contacts Centralize identities Continuously Audit
  23. 23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top best practices: Strong identity foundation Never store credentials or secrets in code Enforce MFA on everything Use IAM roles for users and services Establish least privileged policies Use temporary credentials
  24. 24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: Enforce MFA User can only assume a role with MFA MFA token Permissions RoleUser AWS CloudPermissions http://bit.ly/AWSWALabs
  25. 25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top best practices: Enable traceability Consider Amazon GuardDuty Configure application & infrastructure logging Centralize using a SIEM Proactively monitor Regular reviews of news & best practices
  26. 26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: Enable traceability Use AWS CloudFormation! http://bit.ly/D3T3cT
  27. 27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top best practices: Network protection Amazon CloudFront + AWS WAF Amazon VPC and security groups Private connectivity - VPC peering, VPN, AWS Direct Connect Service endpoints Enforce service level permission
  28. 28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: Network protection Bucket Instances Region VPC Users https://amzn.to/2PbHOpz WAF Automation www.example.com
  29. 29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top best practices: Apply security at all layers Harden operating systems & defaults Use anti-malware + intrusion detection Scan infrastructure Scan code Patch vulnerabilities
  30. 30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: compute protection
  31. 31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: Scan vulnerabilities Scan instances with Amazon Inspector https://amzn.to/2DT9jyg Scan code in the pipeline Dependency Check: http://bit.ly/2SPzUAp Testing OWASP Zap: http://bit.ly/2yWwzqN
  32. 32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: Serverless • Authorization and authentication – API Gateway • Enforce boundaries - AWS services & network • Input validation • Protect sensitive data
  33. 33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top best practices: Automate security best practices Template infra: AWS CloudFormation / AWS SAM Automate build and test AWS Config rules for verification Automate response to non-compliance Automate response to events
  34. 34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: Automate management Automation Patch manager State manager https://amzn.to/2AaOwSg https://amzn.to/2DSTLdK https://amzn.to/2Qihzxm
  35. 35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: Automate checks Config Rules
  36. 36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top best practices: Protect data Encryption mechanisms are enforced Verify accessibility of data, e.g. Amazon S3 & EBS Consider AWS Certificate Manager Consider tokenization to substitute sensitive data Data segmentation and isolation
  37. 37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: Classify your data • Start classifying data based on sensitivity • Use resource tags to help define the policy Amazon Macie discover, classify, and protect sensitive data in AWS IAM control: http://bit.ly/IAMctrlTAG
  38. 38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: Keep people away from data Dashboards for users Tools for administrators
  39. 39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Top best practices: Incident response Prepare for different scenarios Pre-deploy tools using automation Pre-provision access for response teams Practice responding through game days Continuously improve your processes
  40. 40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: Run incident response game day 1. Schedule a four to eight hour block 2. Find a prize (bribery) 3. Supply food & beverages 4. Pick relevant scenarios from: https://amzn.to/2PetNro 5. Create a runbook 6. Practice 7. Have fun!
  41. 41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to: Simple run book Event description [Attack Type] [Attack Description] Data to gather for troubleshooting [Evaluation of current data] Steps to troubleshoot and fix [Contain / impact / recovery / forensics] Urgency category [Critical, Important, moderate, informational] Communications & escalation
  42. 42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Take action! CAF: aws.amazon.com/professional-services/CAF/ W-A: aws.amazon.com/well-architected W-A Labs: http://bit.ly/AWSWALabs AWS sec twitter: @AWSSecurityInfo AWS sec blog: https://aws.amazon.com/blogs/security/

×