Compliance in the Cloud Using “Security by Design” Principles

Post on 15-Apr-2017


© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

17th June 2016

Compliance in the Cloud Using Security by Design

Dean Samuels Manager, Solutions Architecture – Hong Kong & Taiwan

Amazon Web Services

Problem statement

Increasing complexity (mobility, system connectivity) causes increasing difficulty in managing risk and security and in demonstrating compliance.

Current state—technology governance

Policies

Procedures and guidelines

Standards

Issues—technology governance

The majority of technology governance processes rely predominantly on administrative and operational security controls, with limited technical enforcement.

Assets

Threat

Vulnerability

Risk

AWS has an opportunity to innovate and advance technology governance services.

Flexibility and complexity

•  Single VPC or multiple VPCs?
•  Public or private subnets?
•  Who will manage the keys?
•  AWS Identity and Access Management (IAM) groups or roles?
•  What is the regulatory requirement?
•  What's in scope or out of scope?
•  How to verify the standards are met?
•  Which AWS database?

Security by Design

Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process.

AWS Identity & Access Management (IAM)

AWS CloudTrail

Amazon CloudWatch

AWS Config Rules

AWS Trusted Advisor

AWS CloudHSM

AWS Key Management Service (AWS KMS)

AWS Directory Service

SbD—design principles

•  Build security in every layer
•  Design for failures
•  Implement auto-healing
•  Think parallel
•  Plan for breach
•  Don't fear constraints
•  Leverage different storage options
•  Design for cost
•  Treat infrastructure as code: modular, versioned, constrained

Security by Design involves developing new risk-mitigation capabilities that go beyond global security frameworks: it treats risks, eliminates manual processes, and optimizes evidence collection and audit ratification processes through strict automation.

SbD—ecosystem

Security by Design (SbD)

AWS CloudFormation

AWS Config Rules

Amazon Inspector

SbD—modernizing tech governance (MTG)

Why?

Complexity is growing, making the old way to govern technology obsolete. You need the automation that AWS offers to manage security.

Goal—modernizing tech governance

Adopt “prevent” controls; make “detect” controls more powerful and comprehensive.

SbD—modernizing tech governance

1. Decide what to do (strategy)
   1.1 Identify stakeholders
   1.2 Identify your workloads moving to AWS

2. Analyze and document (outside of AWS)
   2.1 Rationalize security requirements
   2.2 Define data protections and controls
   2.3 Document security architecture

3. Automate, deploy, and monitor
   3.1 Build/deploy security architecture
   3.2 Automate security operations
   3.3 Continuously monitor
   3.4 Test and have game days

4. Certify
   4.1 Audit and certify

SbD—rationalize security requirements

AWS has partnered with CIS Benchmarks to create consensus-based, best-practice security configuration guides that will align to multiple security frameworks globally.

https://www.cisecurity.org/

The benchmarks are:

•  Recommended technical control rules and values for hardening operating systems, middleware and software applications, and network devices.

•  Distributed free of charge by CIS in .PDF format.

•  Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.

SbD—AWS CIS benchmark scope

Foundational benchmark: CloudTrail, AWS Config & Config Rules, AWS KMS, IAM, CloudWatch, Amazon S3, Amazon SNS

Three-tier web architecture: Amazon EC2, Elastic Load Balancing, Amazon VPC, AWS Direct Connect, Amazon Elastic Block Store, CloudHSM, Amazon Glacier, Amazon Route 53, VPN Gateway, Amazon CloudFront
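A “detect” control of the kind the foundational benchmark scope above implies, as an added example that is not from the deck or from AWS: a Python evaluator that scores each CloudTrail trail (multi-region, log file validation, KMS encryption, CloudWatch Logs delivery, logging active) and the account as a whole, reporting in the result shape an AWS Config custom rule returns. The field names mirror the CloudTrail API, but the sample trails are constructed, with placeholder ARNs.

```python
"""Detective control shaped like an AWS Config custom rule: evaluate CloudTrail
trail settings against foundational-benchmark style checks. Added example; the
trail dicts are constructed to resemble describe_trails/get_trail_status output."""

# Each check: (predicate over a trail dict, annotation when it fails).
CHECKS = [
    (lambda t: t.get("IsMultiRegionTrail") is True, "not multi-region"),
    (lambda t: t.get("LogFileValidationEnabled") is True, "log file validation off"),
    (lambda t: bool(t.get("KmsKeyId")), "logs not KMS-encrypted"),
    (lambda t: bool(t.get("CloudWatchLogsLogGroupArn")), "no CloudWatch Logs delivery"),
    (lambda t: t.get("IsLogging") is True, "trail not logging"),
]

def evaluate_trail(trail):
    """Return an AWS Config-style evaluation for one trail."""
    failures = [msg for ok, msg in CHECKS if not ok(trail)]
    return {
        "ComplianceResourceType": "AWS::CloudTrail::Trail",
        "ComplianceResourceId": trail["Name"],
        "ComplianceType": "NON_COMPLIANT" if failures else "COMPLIANT",
        "Annotation": "; ".join(failures) or "all checks passed",
    }

def evaluate_account(trails):
    """Account-level view: no trail at all is itself a finding; otherwise the
    account is covered only if at least one trail passes every check."""
    results = [evaluate_trail(t) for t in trails]
    covered = any(r["ComplianceType"] == "COMPLIANT" for r in results)
    if not trails:
        note = "no CloudTrail trail configured"
    elif not covered:
        note = "no fully compliant trail"
    else:
        note = "covered by a compliant trail"
    summary = {"ComplianceResourceType": "AWS::::Account",
               "ComplianceResourceId": "account",
               "ComplianceType": "COMPLIANT" if covered else "NON_COMPLIANT",
               "Annotation": note}
    return summary, results

# Constructed sample: one hardened trail beside one weak legacy trail.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:ct:*",
     "IsLogging": True},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "IsLogging": True},
]
```

Calling `evaluate_account(SAMPLE_TRAILS)` marks the account covered by `org-trail` while `legacy-trail` is reported NON_COMPLIANT with each failed check named in its annotation, which is the evidence an auditor wants to see automated rather than collected by hand.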

SbD—define data protections and controls

https://aws-poc.allgress.com/allgress/awsgc

SbD—document security architecture

SbD—automate security operations

Automate deployments, provisioning, and configurations of the AWS customer environments.

(Diagram: AWS CloudFormation turns a template into stacks of instances, apps, and resources; AWS Service Catalog packages designs into products and portfolios that are deployed and constrained; IAM sets the permissions.)

(Diagram: AWS CloudTrail, Amazon EMR, Amazon Kinesis, Amazon VPC, Elastic Load Balancing, Amazon S3, AWS Lambda, AWS Config, AWS CloudWatch, AWS IoT, and other services feed the Add-on for AWS and the Splunk app for AWS, which explore, analyze, dashboard, and alert.)

Use cases for AWS: security intelligence (CloudTrail, CloudWatch, VPC); operational intelligence (CloudWatch, ELB, etc.); DevOps intelligence (CloudWatch, Lambda); big data insights (Amazon Kinesis, EMR, IoT, S3).

SbD—continuously monitor—Splunk

AWS CloudTrail resource activity

Splunk app for AWS—visualize and monitor

AWS CloudTrail user activity

SbD—modernizing technology governance (MTG)

Automate governance

Automate deployments

Automate security operations

Continuous compliance

Closing the loop

SbD—modernizing technology governance

Result: reliable technical implementation and enforcement of operational and administrative controls.

AWS resources

Amazon Web Services Cloud Compliance
•  https://aws.amazon.com/compliance/

SbD website and whitepaper—to wrap your head around this
•  https://aws.amazon.com/compliance/security-by-design/

Allgress—getting started

1.  Engage with Allgress in the field: contact sales.
2.  Get started with the Allgress GetCompliant Portal to easily pull compliance configurations from AWS customer accounts.
3.  Download the Allgress Module Breakdown.

Splunk—Getting started

1.  Engage with Splunk in the field: aws-splunk-team@amazon.com can point you in the right direction, and you can request the Splunk Playbook.

2.  Download Splunk>Enterprise.

3.  Download and set up the Splunk App for AWS (and supporting TA) to easily configure Splunk for Config, CloudTrail, CloudWatch metrics, VPC flow logging, S3, and Billing.

4.  Take the self-paced Using Splunk tutorial and look at Splunk>Docs and Splunk>Apps for more.

5.  You can get started quickly with the Splunk search commands, and then use supporting documentation to advance your skill. Our Quick Reference Guide becomes an essential tool and cheat sheet. Other search reference documentation is posted also.

Dean Samuels Manager, Solutions Architecture – Hong Kong & Taiwan

Amazon Web Services

Thank you!
