Cloud Workflows: Achieving Studio-Grade Security

Post on 24-Jun-2020


CLOUD WORKFLOWS: ACHIEVING STUDIO-GRADE SECURITY

Ted Harrington

@SecurityTed

ted.harrington@securityevaluators.com

Eli Mezei

@ISESecurity

emezei@securityevaluators.com


About ISE slide(s)

Agenda


1) Context

2) Security Models

3) Applying Principles


WORKFLOWS DRIVE SECURITY!

• Security must support the workflow, not the other way around

• The workflow must be understood in depth before security controls can be defined

• The simplest solution is generally the most secure


Example Workflow: Burst Rendering


[Diagram: AWS reference architecture for burst rendering. Elements recoverable from the slide:]

• Region / Amazon VPC containing a VPN subnet (10.0.1.0/24) with a router, a bastion server and a route table, and a private compute and storage subnet (10.0.2.0/24) with AWS Batch, a Spot Fleet of Spot Instances, Amazon EFS and a route table

• Supporting services: Amazon CloudWatch (monitoring), AWS KMS (key management), and a content ingress/egress path

• On-premises network (192.168.0.0/16) with a customer gateway, Active Directory and a route table, joined to the VPC's VPN gateway over a VPN connection

• Also shown: a compute subnet with render farm compute, a domain controller with AD Connect sync, and an access-control boundary between the on-premises and cloud sides

2) Security Models

TRUST MODEL VS. THREAT MODEL

KNOW YOUR ADVERSARY

SECURE DESIGN PRINCIPLES


Secure Design Principles

ISE Proprietary

Principle: a universally accepted truth.

Secure Design Principle: a principle upon which systems resilient against attack are built.

3) Applying Principles

PRINCIPLE(S): LEAST PRIVILEGE & PRIVILEGE SEPARATION


Privilege

ISE Confidential - not for distribution

LEAST PRIVILEGE PRIVILEGE SEPARATION

Privilege Control

Governance/Control   Identity Management   Key Mgmt/Custody   Networking
AWS                  IAM                   KMS                VPC
Azure                Azure AD              Key Vault          VPN Gateway
GCP                  IAM                   KMS                Organizations


Example Implementation

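As an added example (not the authors' code), here is what least privilege and privilege separation look like when written down for the burst rendering workflow from the Context section: an IAM policy that grants a render worker only the data-plane actions it needs, an over-broad policy for contrast, and a checker that evaluates requests against each policy, lints for wildcards, and flags a single principal holding both content access and key or identity administration. The account ID, KMS key ID, bucket name and prefixes are assumptions.

```python
"""Least-privilege and privilege-separation checks on IAM policy documents.

Added example for the burst-rendering workflow (render workers in a private
subnet pulling content from storage, keys held in KMS). Not the authors' code.
Account ID, key ID, bucket and prefix names are assumptions.
"""
import fnmatch

# Constructed: what a render worker actually needs and nothing more. Read source
# content from one prefix, write frames to another, decrypt with one content key,
# ship logs to one log group.
RENDER_WORKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::studio-content/ingress/*"},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::studio-content/frames/*"},
        {"Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": "arn:aws:kms:us-west-2:111122223333:key/assumed-content-key-id"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-west-2:111122223333:log-group:/render/*"},
    ],
}

# Constructed: the over-broad policy that results when controls are written
# before the workflow is understood. One role can read, delete and re-key everything.
LAZY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"},
    ],
}

# Data-plane actions a render worker needs versus control-plane actions that
# belong to a separate key-custody or identity-administration role.
DATA_ACTIONS = ("s3:GetObject", "s3:PutObject", "kms:Decrypt")
ADMIN_ACTIONS = ("kms:ScheduleKeyDeletion", "kms:PutKeyPolicy", "kms:DisableKey",
                 "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def resource_matches(pattern, resource):
    """ARN matching: case-sensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, then any Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(action_matches(p, action) for p in _as_list(stmt["Action"]))
               and any(resource_matches(p, resource) for p in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint_policy(policy):
    """Least-privilege findings: wildcard actions or resources in Allow statements."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for a in _as_list(stmt["Action"]):
            if a == "*" or a.endswith(":*"):
                findings.append((i, f"wildcard action {a}"))
        if "*" in _as_list(stmt["Resource"]):
            findings.append((i, "wildcard resource *"))
    return findings


def violates_separation(policy):
    """Privilege separation: one principal must not hold both content access and
    key/identity administration, whatever resources the statements name."""
    patterns = [p for s in policy["Statement"] if s["Effect"] == "Allow"
                for p in _as_list(s["Action"])]
    has_data = any(action_matches(p, a) for p in patterns for a in DATA_ACTIONS)
    has_admin = any(action_matches(p, a) for p in patterns for a in ADMIN_ACTIONS)
    return has_data and has_admin


if __name__ == "__main__":
    for name, pol in (("render-worker", RENDER_WORKER_POLICY), ("lazy", LAZY_POLICY)):
        print(name, lint_policy(pol), "separation violated:", violates_separation(pol))
```

The point of `is_allowed` is to ask the workflow questions before deploying: can a render worker delete frames, read another show's content, or schedule deletion of the content key? Under the scoped policy every one of those is denied; under the lazy policy all of them succeed, and `violates_separation` shows why the fix is two roles, not a longer policy.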

PRINCIPLE: DEFENSE IN DEPTH


Defense in Depth


Defense in Depth

Governance/Control   Direct Connect       Account Segregation                                      MFA
AWS                  Direct Connect       AWS Organizations                                        Multi-factor Auth.
Azure                ExpressRoute         Azure Subscription and Service Management + Azure RBAC   Multi-factor Auth.
GCP                  Cloud Interconnect   (not given)                                              Google Authenticator


Example Implementation

[Diagram: Azure reference architecture applying defense in depth to the render farm. Elements recoverable from the slide:]

• Azure VNet 10.0.0.0/16 with a gateway subnet (10.0.255.224/27) and user-defined routes steering traffic through network appliances

• Private DMZ in (10.0.0.0/27) and private DMZ out (10.0.0.32/27): network appliances in an availability set, each NIC fronted by an NSG

• VM-based render farm (10.0.1.0/24): render farm compute behind NSGs

• AD DS subnet (10.0.4.0/27): domain controllers in an availability set behind NSGs, running Azure AD Connect sync

• Azure Batch (10.0.2.0/24) behind NSGs

• Management subnet (10.0.10.128/25): bastion hosts behind NSGs

• On-premises network (192.168.0.0/16) connected through the gateway

• Flows labelled on the diagram: rendering data, Active Directory sync data, authentication request
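Added example, not the authors' code: a small evaluator for the NSG rules on the render farm subnet in the architecture above, using Azure's own semantics (rules evaluated in ascending priority, first match wins, built-in default rules last). It demonstrates the caveat that makes NSGs a layer rather than a boundary: the built-in AllowVnetInBound rule, whose VirtualNetwork tag also covers on-premises ranges reachable through the gateway, lets every other subnet reach every port unless an explicit deny is placed ahead of it. Subnet ranges are those in the diagram; the rule sets and probe addresses are constructed.

```python
"""Azure NSG inbound rule evaluation for the render-farm subnet (VNet 10.0.0.0/16,
render farm 10.0.1.0/24, Azure Batch 10.0.2.0/24, management/bastion
10.0.10.128/25, on-premises 192.168.0.0/16 over the VPN gateway).
Added example, not the authors' code; rule sets are constructed."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")
ON_PREM = ipaddress.ip_network("192.168.0.0/16")  # connected via the VPN gateway
MGMT = "10.0.10.128/25"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for user rules; lower number evaluated first
    access: str          # "Allow" or "Deny"
    source: str          # CIDR, the service tag "VirtualNetwork", or "*"
    dest_port: str       # "22", "88-89" or "*"
    protocol: str = "*"  # "Tcp", "Udp" or "*"


def _source_matches(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        # The VirtualNetwork tag covers the VNet address space and the on-premises
        # ranges connected through the gateway, so on-prem hosts match it too.
        return ip in VNET or ip in ON_PREM
    return ip in ipaddress.ip_network(rule_source)


def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(p) for p in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


# Azure's built-in inbound defaults (AllowAzureLoadBalancerInBound at 65001 is
# omitted). They sit after every user rule; an "allow from bastion" rule set
# with no explicit deny silently falls through to AllowVnetInBound.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
)


def evaluate_inbound(rules, src_ip, port, protocol="Tcp"):
    """Return (allowed, matching rule name). First match by ascending priority wins."""
    for r in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda x: x.priority):
        if r.protocol not in ("*", protocol):
            continue
        if _source_matches(r.source, src_ip) and _port_matches(r.dest_port, port):
            return r.access == "Allow", r.name
    return False, "implicit-deny"


# Constructed: what gets written when the NSG is thought of as "SSH from the
# bastion only". Every other subnet, and the on-premises network, still reaches
# every port through AllowVnetInBound.
RENDER_NSG_NAIVE = [
    Rule("AllowSSHFromBastion", 100, "Allow", MGMT, "22", "Tcp"),
]

# Hardened: the same allow, then an explicit deny ahead of the defaults. Any
# further inbound flow the workflow needs is added as an allow below 4000.
RENDER_NSG_HARDENED = [
    Rule("AllowSSHFromBastion", 100, "Allow", MGMT, "22", "Tcp"),
    Rule("DenyAllVnetInBound", 4000, "Deny", "VirtualNetwork", "*"),
]


def exposure_report(rules):
    """Probe a rule set with traffic the render farm should refuse (and one it should accept)."""
    probes = [("batch subnet ssh", "10.0.2.15", 22, "Tcp"),
              ("on-prem rdp", "192.168.1.5", 3389, "Tcp"),
              ("bastion ssh", "10.0.10.130", 22, "Tcp"),
              ("outside ssh", "198.51.100.7", 22, "Tcp")]
    return {label: evaluate_inbound(rules, ip, port, proto)
            for label, ip, port, proto in probes}


if __name__ == "__main__":
    for label, rules in (("naive", RENDER_NSG_NAIVE), ("hardened", RENDER_NSG_HARDENED)):
        print(label, exposure_report(rules))
```

The naive report shows SSH from the Batch subnet and RDP from on-premises both allowed by AllowVnetInBound; the hardened report shows them stopped by the explicit deny while the bastion path still works. Probing a rule set this way, with the flows the workflow must refuse, is cheaper than discovering the default rule during an incident.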

PRINCIPLE: TRUST RELUCTANCE (ASSUME HOSTILITY)


Trust Reluctance


Logging and Monitoring Services and Intelligence

Governance/Control   Log Aggregation & Monitoring   Policy Center
AWS                  CloudTrail                     Inspector
Azure                Log Analytics                  Security Center
GCP                  Cloud Audit Logs               Stackdriver


Example Implementation

[Diagram: AWS logging and monitoring implementation. Elements recoverable from the slide:]

• Amazon VPC with an asset subnet and route table; VPC flow logs delivered to Amazon CloudWatch

• AWS CloudTrail monitoring API calls, with logging data written to an S3 bucket encrypted under AWS KMS keys (key usage itself logged)

• A logging instance running the CloudWatch agent, feeding Amazon Elasticsearch Service for event-driven analytics and Amazon Redshift as a data warehouse for queries

• AWS Lambda as a centralized logging proxy, a proxy server, and an administrator performing log management through API calls
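Added example, not the authors' code: detection logic of the kind the analytics tier in this pipeline would run, applied to two of the sources it collects. The first part evaluates CloudTrail records against rules for the events trust reluctance says to watch (console login without MFA, root usage, tampering with the trail, key custody changes, a security group opened to the world); the second parses VPC flow log lines and flags accepted admin-port connections into the compute subnet that did not originate from the bastion subnet. All records are constructed; the account ID, ENI ID, user names and addresses are invented, and the subnet ranges are the ones from the burst rendering diagram.

```python
"""Detections over CloudTrail records and VPC flow logs. Added example, not the
authors' code. All records are constructed; account ID, ENI ID, user names and
addresses are invented. Subnets are from the burst rendering diagram
(bastion/VPN subnet 10.0.1.0/24, private compute subnet 10.0.2.0/24)."""
import ipaddress

BASTION_SUBNET = ipaddress.ip_network("10.0.1.0/24")
RENDER_SUBNET = ipaddress.ip_network("10.0.2.0/24")
ADMIN_PORTS = {22, 3389}

# Constructed CloudTrail records (the "Records" array of one delivered log file),
# trimmed to the fields the rules read.
CLOUDTRAIL_RECORDS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "pipeline-td"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/render-worker/i-0abc"},
     "requestParameters": {"keyId": "assumed-content-key-id", "pendingWindowInDays": 7}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "Root"}, "requestParameters": {"name": "studio-trail"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "render-admin"},
     "requestParameters": {"groupId": "sg-0renderfarm", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",  # benign
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/render-worker/i-0abc"},
     "requestParameters": {"bucketName": "studio-content", "key": "ingress/shot010.exr"}},
]


def _world_open_cidrs(rec):
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return [r["cidrIp"] for p in perms
            for r in p.get("ipRanges", {}).get("items", []) if r.get("cidrIp") == "0.0.0.0/0"]


# (alert name, predicate over one record). A record may trip several rules.
CLOUDTRAIL_RULES = [
    ("console-login-without-mfa", lambda r: r["eventName"] == "ConsoleLogin"
     and r.get("additionalEventData", {}).get("MFAUsed") == "No"),
    ("root-account-activity", lambda r: r["userIdentity"]["type"] == "Root"),
    ("audit-trail-tampering", lambda r: r["eventSource"] == "cloudtrail.amazonaws.com"
     and r["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
    ("key-custody-change", lambda r: r["eventSource"] == "kms.amazonaws.com"
     and r["eventName"] in {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy"}),
    ("security-group-open-to-world", lambda r: r["eventName"] == "AuthorizeSecurityGroupIngress"
     and bool(_world_open_cidrs(r))),
]


def _actor(rec):
    ident = rec["userIdentity"]
    return ident.get("userName") or ident.get("arn") or ident["type"]


def detect_cloudtrail(records):
    """Return (alert, eventName, actor) for every rule each record trips."""
    return [(name, r["eventName"], _actor(r))
            for r in records for name, pred in CLOUDTRAIL_RULES if pred(r)]


# Constructed VPC flow log lines, v2 default format: version account-id interface-id
# srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOG_SAMPLE = """\
2 111122223333 eni-0a1b2c3d 10.0.1.7 10.0.2.15 51234 22 6 20 3200 1493715000 1493715060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.2.44 10.0.2.15 40002 22 6 12 1800 1493715000 1493715060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.2.15 44444 3389 6 4 240 1493715000 1493715060 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.2.15 10.0.2.200 33000 2049 6 900 1200000 1493715000 1493715060 ACCEPT OK
"""


def detect_flow_logs(text):
    """Accepted admin-port flows into the render subnet not from the bastion subnet."""
    alerts = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue
        src, dst = ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4])
        dport, action = int(f[6]), f[12]
        if action == "ACCEPT" and dst in RENDER_SUBNET and dport in ADMIN_PORTS \
                and src not in BASTION_SUBNET:
            alerts.append((str(src), str(dst), dport))
    return alerts


if __name__ == "__main__":
    print(detect_cloudtrail(CLOUDTRAIL_RECORDS))
    print(detect_flow_logs(FLOW_LOG_SAMPLE))
```

Two things the sample surfaces that a dashboard of raw volume would not: the key deletion is scheduled by the render-worker role, which is a privilege separation failure as much as a monitoring finding, and the flow log alert is a render node reaching a peer on SSH inside the compute subnet, the lateral movement that the bastion design exists to make visible. The StopLogging event is the one to treat as highest severity, since everything after it is unobserved.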

Secure Design Principles

• Defense in Depth

• Least Privilege

• Privilege Separation

• Trust Reluctance

• Open Design

• Economy of Mechanism

• Complete Mediation

• Least Common Mechanism

• Psychological Acceptability

• Fail Secure


Takeaways

• Security must support the workflow

• Build security in

• Think like an attacker!


Eli Mezei: emezei@securityevaluators.com, @ISESecurity

Ted Harrington: ted.harrington@securityevaluators.com, @SecurityTed
