AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Customers (SEC305)
TRANSCRIPT
![Page 1: AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Customers (SEC305)](https://reader031.vdocument.in/reader031/viewer/2022030306/586f88521a28ab54768b5c17/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Eugene Yu – AWS Managing Consultant
Eric Gifford – Cambia Security Architect
Brad Davidson – Cambia Security Engineer
November 29, 2016
SEC305: Scaling Security Resources for Your First 10 Million Customers
What to expect from the session
• Scale your security and compliance infrastructure
• Agile development with integrated security testing and validation
• Treating your security as code
How do you scale your security resources?
Diagram (page 3): axes labelled workload and customers.
Diagram (page 4): no customer, one workload. Axes: workload, customers, security resources.
Diagram (page 5): more customers, more workloads; security resources grow through security appliances and bigger boxes.
Diagram (page 6): more customers, more workloads; more security appliances, bigger boxes, increased security staff.
Diagram (page 7): Scaling is hard… More customers, more workloads, against the same axes of workload, customers and security resources.
Security resources must scale to keep pace with the business.
Services shown (page 8): AWS CloudTrail, Amazon Inspector, Amazon VPC, AWS WAF, AWS IAM, AWS Key Management Service, server-side encryption, Encryption SDK.
WhatsCat™ – Connecting One Cat at a Time
WhatsCat™ app screen: LOL cats »
Application Development
Simple social media application for Cats
WhatsCat™ app screen: LOL cats »
Let’s hope this mobile app is successful…
WhatsCat™ app screen: LOL cats »
WhatsCat™ Launch Day (0 Cats)
One AWS account, one workload
Diagram (page 12): Amazon Route 53 in front of the workload, a single Amazon EC2 instance.
Time to establish baseline security
Core Security Control: AWS IAM
Diagram (page 13): a developer authenticates to AWS IAM with an MFA token; a network user reaches the workload (Amazon EC2 instance) through Amazon Route 53.
Core Security Control: Amazon VPC
Diagram (page 14): Amazon Route 53 and the workload (Amazon EC2 instance) inside an Amazon VPC.
Core Security Control: Security Groups
Diagram (page 15): Amazon Route 53 and the workload (Amazon EC2 instance) protected by security groups.
Core Security Control: AWS CloudTrail
Diagram (page 16): AWS CloudTrail logging for the workload (Amazon EC2 instance behind Amazon Route 53), delivered to Amazon S3.
Core Security Control: Amazon CloudWatch
Diagram (page 17): Amazon CloudWatch monitoring the workload (Amazon EC2 instance behind Amazon Route 53).
WhatsCat™: Cats > 1000
Adding a New Feature
Sharing photos with other Cats
WhatsCat™ app screen: LOL cats » / Cat photos »
Resiliency: Multiple Availability Zones
Diagram (page 20): Amazon Route 53 → Elastic Load Balancing → a web instance in each of two Availability Zones; an Amazon RDS DB instance active (Multi-AZ) in one zone and a standby (Multi-AZ) in the other.
Auto Scaling
Configure Auto Scaling to handle increased traffic.
Diagram (page 21): the same Multi-AZ layout (Amazon Route 53, Elastic Load Balancing, web instances, Amazon RDS active and standby) with Auto Scaling on the web tier.
Data Protection
Diagram (page 22): the Multi-AZ layout with AWS KMS and Amazon S3 added for protecting stored data.
SEC305 – Scaling Security Resources for Your First 10 Million Customers
Presenters:
Eric Gifford – Security Architect
Brad Davidson – Security Engineer
© 2014 Cambia Health Solutions, Inc.
Our story
Our Cause
• Cambia – Born from an inspired idea
• Catalyst -> transform healthcare
• Person-focused & economically sustainable
• Embracing cloud innovation to provide personalized & intuitive experiences
• On AWS: Web applications, micro-services, data lake, data science capabilities
Cloud Security & Automation Principles
• Embrace HIPAA-compliant Cloud & DevOps
• Automation: reduce deviations & risk
• Leverage the shared responsibility model by aligning to serverless and managed services
• Build guardrails, not gates!
• Continuously monitor
Continuously monitor Cloud environments
λ functions to detect non-compliance:
1) MFA disabled
2) Unauthorized region
3) CloudTrail disabled
4) VPC flow logs disabled
And more…
A good start?
Pros
• Simple
• Independent λ functions
Cons
• Customization in each λ
• Lack of context in CloudTrail events
How to address this? Keep building!
Decouple & scale
• Move to a 3-tier Lambda design
• Design for:
  • Efficiency
  • Context
  • Flexibility
Good enough?
Pros
• Enrich event data for granularity
• Centralize policy/signature database
• Optimize λ for speed
Cons
• Complex to use, support, & maintain
• Need for regression testing
How to turn over to Ops and let them operate? Keep building!
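The following is an added example (not Cambia's code) of the approach the slides above describe: Lambda detectors for MFA, region, CloudTrail and VPC flow-log non-compliance, restructured into the three tiers of parse, enrich and match against a central policy table. It runs over a CloudTrail record as delivered by a CloudWatch Events rule; the policy table, region allowlist, account-context table and sample event are constructed for illustration.

```python
"""Three-tier evaluation of a CloudTrail event: parse, enrich, match against
a central policy table. Added example, not Cambia's code; the policy table,
region allowlist, account-context table and sample event are constructed."""
import json

# Tier 3: central policy/signature table. Each policy names the CloudTrail
# eventSource and the eventNames that mean the control has been turned off.
POLICIES = {
    "cloudtrail_disabled": {"eventSource": "cloudtrail.amazonaws.com",
                            "eventNames": {"StopLogging", "DeleteTrail"}},
    "vpc_flow_logs_disabled": {"eventSource": "ec2.amazonaws.com",
                               "eventNames": {"DeleteFlowLogs"}},
    "mfa_disabled": {"eventSource": "iam.amazonaws.com",
                     "eventNames": {"DeactivateMFADevice", "DeleteVirtualMFADevice"}},
}
ALLOWED_REGIONS = {"us-west-2", "us-east-1"}  # constructed allowlist

# Tier 2: enrichment data keyed by account ID (constructed; in practice this
# would be a database that is kept current).
ACCOUNT_CONTEXT = {"111122223333": {"alias": "whatscat-prod", "owner": "platform-team"}}

def enrich(event):
    """Attach account alias and owner so a finding can be routed to someone."""
    ctx = ACCOUNT_CONTEXT.get(event.get("recipientAccountId"), {})
    return {**event, "accountAlias": ctx.get("alias", "unknown"),
            "accountOwner": ctx.get("owner", "unknown")}

def evaluate(event):
    """Return the names of the policies the event violates (possibly several)."""
    findings = []
    if event.get("awsRegion") not in ALLOWED_REGIONS:
        findings.append("unauthorized_region")
    for name, policy in POLICIES.items():
        if (event.get("eventSource") == policy["eventSource"]
                and event.get("eventName") in policy["eventNames"]):
            findings.append(name)
    # A console sign-in without MFA is also a failure of the MFA control.
    if (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No"):
        findings.append("mfa_disabled")
    return findings

def handler(event, context=None):
    """Lambda entry point. CloudWatch Events delivers the CloudTrail record
    under the 'detail' key; a bare record is accepted too."""
    record = enrich(event.get("detail", event))
    return {"account": record["accountAlias"], "owner": record["accountOwner"],
            "eventName": record.get("eventName"), "findings": evaluate(record)}

# Constructed sample: a trail stopped from a region the policy does not allow.
SAMPLE_EVENT = {"detail": {
    "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
    "awsRegion": "eu-central-1", "recipientAccountId": "111122223333",
    "userIdentity": {"type": "IAMUser", "userName": "alice"}}}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

Adding a detector becomes a row in POLICIES rather than a new function, which is the maintenance gain the "Customization in each λ" con points at.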
What’s next for us?
• UI to manage policies, dashboard for reporting
• “Simulation mode” (aka Dry Run)
• Keep enrichment db current
• Integration with ticketing systems
• Apply secure configurations at creation
• VPC Flow Logs + Threat intel?
Demo time!
WhatsCat™: Cats > 100,000
Adding a New Feature
Simple social media application for Cats
WhatsCat™ app screen: LOL cats » / Cat photos » / Cats near me (4) »
Security Infrastructure as Code
Manage security infrastructure just like your business workloads.
Strong change management process (AWS CodeCommit).
Security Infrastructure as Code
Security infrastructure code (in AWS CodeCommit):
• IAM, VPC, Logging, Application
• Security architecture document
• Threat modeling analysis
• Security controls document
Security Infrastructure as Code
• IAM stack: IAM configuration with custom policies, groups, and roles
• Infrastructure stack: VPC, security groups, network ACL, NAT gateway configuration
• Logging stack: AWS CloudTrail, Amazon S3 buckets, and bucket policies for logging and archive data, Amazon CloudWatch alarms for security-related CloudTrail events
Why Security Infrastructure as Code?
• Assurance and visibility
• Traceability and change management
• Knowledge management
• Version and source control
Security CI/CD Pipeline
• Integrates and delivers your workloads
• Is your most sensitive security workload
Diagram (page 40): App Code, Infrastructure Code and Security Code flow through the pipeline to a Product Release.
Security of the CI/CD pipeline
Securing the application starts with securing the pipeline
• Least privilege access
• Logging and monitoring of the pipeline
Services shown (page 41): AWS IAM, AWS CloudTrail, Amazon CloudWatch around the Security CI/CD Pipeline.
Security in the CI/CD pipeline
Integrated security testing and validation
• Security unit tests
• Vulnerability management
Services shown (page 42): Amazon Inspector, and a Security and Compliance Unit Tests stage in the Security CI/CD Pipeline.
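As an added example of the security and compliance unit tests the slide refers to, run against the infrastructure and logging stacks described earlier before the pipeline deploys them: the checks below read a CloudFormation template and fail the stage on an administrative port exposed to the internet or a trail that is off or single-region. This is not code from the talk; the template is constructed and deliberately fails both checks.

```python
"""Security and compliance unit tests run over a CloudFormation template
before the pipeline deploys it. Added example, not code from the talk; the
template is constructed and deliberately fails both checks."""
import json

TEMPLATE = json.loads("""
{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web tier",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
      "IsLogging": true, "IsMultiRegionTrail": false,
      "S3BucketName": {"Ref": "LogBucket"}}}
  }
}
""")

def resources_of(template, type_name):
    """All resources of one CloudFormation type, keyed by logical name."""
    return {n: r for n, r in template.get("Resources", {}).items()
            if r.get("Type") == type_name}

def open_admin_ports(template, admin_ports=(22, 3389)):
    """Security groups that expose an administrative port to 0.0.0.0/0."""
    hits = []
    for name, sg in resources_of(template, "AWS::EC2::SecurityGroup").items():
        for rule in sg.get("Properties", {}).get("SecurityGroupIngress", []):
            if rule.get("CidrIp") != "0.0.0.0/0":
                continue
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            # IpProtocol "-1" means all traffic, which covers every port.
            if rule.get("IpProtocol") == "-1" or any(lo <= p <= hi for p in admin_ports):
                hits.append(name)
                break  # one finding per group is enough
    return hits

def weak_trails(template):
    """Trails that are not logging or that cover only a single region."""
    return [n for n, t in resources_of(template, "AWS::CloudTrail::Trail").items()
            if not t["Properties"].get("IsLogging", True)
            or not t["Properties"].get("IsMultiRegionTrail", False)]

def run_checks(template):
    """Collect findings; the pipeline stage fails if any list is non-empty."""
    return {"open_admin_ports": open_admin_ports(template),
            "weak_trails": weak_trails(template)}

if __name__ == "__main__":
    findings = run_checks(TEMPLATE)
    print(json.dumps(findings, indent=2))
    raise SystemExit(1 if any(findings.values()) else 0)
```

Because the checks run on the template rather than on deployed resources, a bad change is stopped at review time, which is the guardrail rather than the gate from the principles slide.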
AMI Lifecycle Management
Diagram (page 43): Public AMI → Launch instance (EC2) → Configure instance (hardening and configuration, user administration, operating system) → Hardened instance → Bake AMI → Golden AMI → Launch → Running instances → Decommission. AWS Config and AWS Lambda automate AMI baking; Amazon Inspector is applied at three points in the lifecycle.
WhatsCat™: Cats > 1 million
Adding a New Feature
Buy Cat Food feature
WhatsCat™ app screen: LOL cats » / Cat photos » / Cats near me (4) » / Buy Cat Food!
Encrypting Customer Data
Diagram (page 46): Amazon Route 53 → Elastic Load Balancing → Application → DynamoDB, with AWS KMS.
• Encrypt using the client-side encryption library for DynamoDB (available on GitHub)
• Encrypt data in your application using the AWS Encryption SDK
Multi-region Customers
Multi-region Deployments
Diagram (page 48): Amazon CloudFront in front of three regional stacks, each with an Elastic Load Balancer, Application, DynamoDB and Amazon RDS.
AWS WAF
Diagram (page 49): Good Cats and Bad Dogs arrive via Amazon Route 53 and Amazon CloudFront; AWS WAF filters the traffic before Elastic Load Balancing, the Application, Amazon DynamoDB and Amazon RDS.
WhatsCat™: Cats > 10 million
Security Incident Response Simulation
• Assess current incident response processes and procedures
• Test the cloud incident response process via a simulated exercise
A security practitioner’s job is to answer tough questions.
Automate the way security practitioners answer these questions.
Thank you!
Remember to complete your evaluations!
Related sessions
• ARC201 – Scaling Up to Your First 10 Million Users
• SEC313 – Automating Security Event Response, from Idea to Code to Execution
• SAC312 – Architecting for End-to-End Security in the Enterprise
• DEV302 – Automated Governance of Your AWS Resources