8. Points of Discovery and Reaction
• Knowns:
  • Prevent from entering environment
  • Detect and roll back on entry into environment
• Unknowns:
  • Baseline normal behavior
  • React to anomalies – alerts, investigation
12. The Right People
Cowboy has no well-thought-out plan or expertise.
Mr. No kills innovation. He is not open to new ideas.
Analysis Paralysis kills productivity.
Engineers = expertise + well-designed solutions based on available data.
13. Deployment Pipeline
DevOps, security, developer and QA teams should all use the same process for AWS deployments.
Add security controls at this checkpoint.
Facilitates inventory, audit and compliance.
CI/CD – Continuous Integration, Continuous Deployment
15. Security Automation
• Automate Biggest Risks ~ Verizon Data Breach Report
• Automated Deployments – CloudFormation, SDKs
  - Consider Immutable Infrastructure where possible
• Automated Compliance – AWS Config, AWS Inspector
• Automated Security Operations – AWS WAF, 3rd Party Tools
• Custom automation – roll your own
• Automated Intrusion Detection – Proof of Concept Framework:
https://github.com/tradichel/AWSSecurityAutomationFramework
17. Other Options for SSH and Access Secret Key
• IAM Roles for Users and AWS Resources
• Cross Account Roles
• Active Directory Integration
• STS – temporary credentials
• Use MFA where possible
• Consider CLI, Console and Instance Logins
• If using keys, train users that keys are passwords and treat as such
18. Encryption on AWS
• KMS - AWS Key Management Service
• CloudHSM - Single Tenant Hardware Security Module
• Bring Your Own Key – import from your own key manager or HSM
• AWS Certificate Manager - SSL/TLS for encryption in transit
19. 5. Plan Network Carefully.
[Diagram: subnet zones for Internet Access, AWS Only and AWS to Corporate, each with its own security groups]
Routes: Enforce Traffic Flow. Subnets: Larger. Security Groups: Whitelist.
20. Avoid This
So many holes in your network, and so many agents running, that you no longer know what is traversing your network and network security is pointless.
21. Avoid This
Subnets with almost nothing in them have the potential to exhaust your IP space.
It also becomes unwieldy to manage numerous subnets and security groups.
Use security groups for application-specific rules.
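As an added example (not from the original deck), the "Security Groups: Whitelist" rule from slides 19 and 21 written as the evaluation logic of an AWS Config custom rule, the "Automated Compliance" item on slide 15. It takes security groups in the shape of the EC2 DescribeSecurityGroups response, treats any world-open (0.0.0.0/0 or ::/0) ingress other than a single allowlisted public port as a finding, and returns the COMPLIANT/NON_COMPLIANT string a Config rule reports; the sample groups are constructed and the call that posts results back to Config is omitted.

```python
"""Whitelist check for EC2 security group ingress (added example).
Input matches the EC2 DescribeSecurityGroups response shape."""
from ipaddress import ip_network

# Ports that may face the whole internet; anything else must come from a
# specific CIDR (or another security group, which this example ignores).
ALLOWED_PUBLIC_PORTS = {443}

def _is_anywhere(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. open to the world."""
    return ip_network(cidr, strict=False).prefixlen == 0

def evaluate_group(sg, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """Return findings for one group; an empty list means compliant."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        proto = rule.get("IpProtocol", "-1")
        # Protocol -1 is 'all traffic' and carries no port range.
        low, high = ((0, 65535) if proto == "-1"
                     else (rule.get("FromPort", 0), rule.get("ToPort", 65535)))
        for cidr in filter(_is_anywhere, sources):
            # A single allowlisted port (e.g. HTTPS) may face the internet.
            if low == high and low in allowed_public_ports:
                continue
            findings.append(f"{sg['GroupId']}: {proto} {low}-{high} open from {cidr}")
    return findings

def compliance_type(sg):
    """The result string an AWS Config rule evaluation reports."""
    return "NON_COMPLIANT" if evaluate_group(sg) else "COMPLIANT"

# Constructed sample data: a tidy web tier and a 'cowboy' group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.0.0/24"}]}]},
    {"GroupId": "sg-cowboy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        print(group["GroupId"], compliance_type(group), *evaluate_group(group))
```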
22. Architect for the Cloud
Avoid Lift and Shift:
• Costs will be higher
• Doesn’t leverage AWS
• Possible Security Issues
Fix it later…right.
If you do, keep it in a separate account.
25. Have a Sandbox Account
Tightly secure other accounts.
Match production or purpose built.
27. AWS Monitoring Tools
• VPC Flow Logs ~ like NetFlow for VPC, not real-time
• CloudTrail ~ Monitor actions taken on AWS
• CloudWatch ~ Any kind of logs, cannot be altered if properly secured
• 3rd Party Tools
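Added example, not from the deck: the knowns/unknowns split from slide 8 applied to CloudTrail records (slide 27). Known-bad patterns are matched directly (root account use, console login without MFA, creation of a long-lived access key, cf. "keys are passwords" on slide 17), and a baseline of (principal, region) pairs from a quiet period drives the anomaly alert. The records are constructed and the account id is the 123456789012 placeholder.

```python
"""Simple detections over CloudTrail records (added example). Field names are
CloudTrail's (eventName, awsRegion, userIdentity, additionalEventData)."""

def principal(record):
    """Best available name for who acted: user name, else ARN, else type."""
    ident = record["userIdentity"]
    return ident.get("userName") or ident.get("arn") or ident["type"]

def baseline(records):
    """Slide 8 'knowns': (principal, region) pairs seen during a quiet period."""
    return {(principal(r), r["awsRegion"]) for r in records}

def detect(record, known):
    """Return alert strings for one record; empty list means nothing to do."""
    alerts = []
    name, region, event = principal(record), record["awsRegion"], record["eventName"]
    if record["userIdentity"].get("type") == "Root":
        alerts.append(f"root account used for {event}")
    mfa = record.get("additionalEventData", {}).get("MFAUsed")
    if event == "ConsoleLogin" and mfa == "No":
        alerts.append(f"console login without MFA by {name}")
    if event == "CreateAccessKey":  # keys are passwords (slide 17)
        alerts.append(f"long-lived access key created by {name}")
    if (name, region) not in known:  # slide 8 'unknowns': anomaly vs baseline
        alerts.append(f"{name} active in unbaselined region {region}")
    return alerts

def scan(records, known):
    """Map eventID -> alerts for every record."""
    return {r["eventID"]: detect(r, known) for r in records}

# Constructed records. QUIET_PERIOD builds the baseline; NEW_EVENTS are scanned.
QUIET_PERIOD = [
    {"eventID": "q1", "eventName": "DescribeInstances", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]
NEW_EVENTS = [
    {"eventID": "e1", "eventName": "ConsoleLogin", "awsRegion": "us-west-2",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventName": "CreateAccessKey", "awsRegion": "eu-central-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

if __name__ == "__main__":
    for event_id, alerts in scan(NEW_EVENTS, baseline(QUIET_PERIOD)).items():
        print(event_id, alerts or "ok")
```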
28. Teri Radichel, Cloud Architect
WatchGuard Technologies ~ We are hiring!
@teriradichel
Security Certifications and Papers:
Http://www.giac.org/certified-professional/teri-radichel/140127
Thank you!
Editor's Notes
Video from AWS re:Invent 2015 where Rob Alexander was the keynote speaker.
AWS Security Process Overview:
https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
Top 5 Critical Controls:
https://www.cisecurity.org/critical-controls.cfm
Deski Network Suite on left. AWS Web Console on right.
Sample architecture from AWS Case Studies:
https://aws.amazon.com/solutions/case-studies/
Paper on Security Automation in AWS:
https://www.sans.org/reading-room/whitepapers/incident/balancing-security-innovation-event-driven-automation-36837
AWS IAM Best Practices:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Code Spaces ~ The company that got deleted.
http://www.networkcomputing.com/cloud-infrastructure/code-spaces-lesson-cloud-backup/314805651
Evident IO Blog with Security Best Practices:
http://blogs.evident.io
Images: Shutterstock, Meme Generator
Target was likely compromised via a deployment system: https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412
KMS:
https://aws.amazon.com/kms/
CloudHSM:
https://aws.amazon.com/cloudhsm/
AWS Certificate Manager:
https://aws.amazon.com/certificate-manager/
Bring your own key:
https://aws.amazon.com/blogs/aws/new-bring-your-own-keys-with-aws-key-management-service/
This new feature allows you to import keys from any key management and HSM (Hardware Security Module) solution that supports the RSA PKCS #1 standard, and use them with the AWS services and your own applications.
Protecting Data At Rest on AWS: https://d0.awsstatic.com/whitepapers/AWS_Securing_Data_at_Rest_with_Encryption.pdf
AWS Security Blog ~ Encryption: https://blogs.aws.amazon.com/security/blog/category/Encryption
AWS Best Practices ~ Architecting for the Cloud:
https://aws.amazon.com/whitepapers/architecting-for-the-aws-cloud-best-practices/
Don’t be a bottleneck image:
http://digital.library.unt.edu/ark:/67531/metadc182/
Images from 6 Ways to Make Toast – Wikihow
http://www.wikihow.com/Make-Toast
AWS Compliance White Paper: https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf