Building a Scalable Security Blueprint for the AWS Cloud

Created by: Nick Holmes, 6th September 2016



Just this week…

• Password Harvesting (Dropbox)

• State Sponsored Attacks

• $44 Million lost (Leoni AG)

• OSX Malware (Bittorrent client)


Nick Holmes – brief synopsis

Internet native “[email protected]” – 25 years ago

20 years in Systems, Software Development, largely from the Web side

AWS Architect in the KCOM Cloud Practice

Certified AWS Architect Professional

Working with a number of clients to deliver AWS environments & solutions, several including Trend deployments

[email protected]



Structure

• The Threat

• Security in AWS

• KCOM, Trend and AWS

• Customer Challenges

• Security as a Service

• Autoscaling

• In Action

• KCOM


The Threat

There are numerous actors we need to consider

• Organised Crime

• Competitors

• State players

• ‘Script kiddies’

• Employees

• Developers not thinking “Security, Security, Security”

It's hard to deal with a threat that remains intangible until you have been attacked.


The Criminal’s Opportunity

Our clients have several concerns

• Access into the business

• Jump-off points to other businesses

• Access to customer data – relationships with financial companies

• Competitor access to data or code

• Disruption of line of business activities – immediate effects

“Can *I* do that?”


Cloud Security at AWS

AWS brings several security components that you can make use of & has a commitment to the shared security model – taking their layer very seriously

• WAF – hardening component

• CloudFront – DDoS mitigation

• Route 53 – DNS attacks

• Scalability – attack / load mitigation

• Security Groups – resource protection

• Network Access Control Lists – resource protection


Defence in Depth

Defence in depth is necessary to ensure that a breach does not make your networks the intruder’s playground

• AWS provides many components on the perimeter

• Breaches _will_ happen

• In AWS:

• Networking resources are typically in the AWS layer and are not available for user management

• Network Tap IDS is not available

• Hypervisor agents are not available

Trend Micro Deep Security brings the facets of endpoint security to every instance & provides a set of technologies that can be deployed to defeat and detect attacks


KCOM in Context

• AWS Premier Partner for five years

• In the top 5% of AWS partners worldwide

• Trend DS users for the past three years

• Formally Trend Micro Partners & Resellers for the past two years

• Work very closely with Trend Micro UK

• KCOM is a “Key Integrator” & partner of choice for Trend Micro & AWS

• Business established in 1989

• Formerly Smart421 - part of the KCOM Group since 2006

• KCOM - 1500 people, 340 Million turnover


The Partnership

I have used the quote “You only know that your security controls are insufficient when they fail” to describe the somewhat unusual sell we make to our customers when selling security solutions and technical controls into their projects.

With Trend DS embedded in all our infrastructure projects, I can now say “You only know that your traditional security controls are insufficient when Trend DS steps in and tells you in real-time how it is managing an intrusion event.”

- Jonathan Jenkyn (Security Practice Lead, KCOM)


Customer Challenges

• Large numbers of servers

• Transient fleets

• High value resources

• Decentralised ownership of and responsibility for server fleets

• Happening more often with the introduction of Agile and DevOps & on-demand provisioning

• Security isn’t front and centre for application teams

• Updates & refreshes still need to be applied


KCOM – Security as a Service

• Bronze / Silver / Gold

• Bronze – reactive, Trend AV provision

• Silver - reactive, Trend full provision

• Gold – proactive, Trend full provision


Deployment

Marketplace instance

• Turnkey installation and instant licensing

• Great for getting up and running

• Limited licensing options

EC2 Deployment

• Automated deployment

• More flexible licensing

• KCOM is a reseller, making this the deployment of choice for the more mature client.


Deployment Topology

Deployments with DSM installed into each environment – separate purposes of environments & transience make this an easier approach

Common Environment model for more distributed security topology

[Diagram: General VPC containing Amazon RDS, Trend DSM, Application Instances and Elastic Load Balancing. Common VPC containing Amazon RDS and Trend DSM, connected by VPC peering to several Application VPCs, each holding Application Instances.]


Autoscaling in AWS

Driven by:

• Queue length

• CPU load

• Other CloudWatch metrics

Featuring:

• Lifecycle hooks

• Bootstrap from AMI, not an installed pool

• Standby state for troubleshooting


Scale Out and Scale Back

How we rise to the challenge of Autoscaling

• Agent baked into base AMIs for use within organisation

• Applications deployed baked over the top

• Activated on instance build, configured from the DSM

• Frequent deactivation scans for terminated instances

Puppet, Chef or Ansible used for DevOps deployment of agents

• Typically in serverless deployments using Masterless Puppet and Chef Zero

• Available as an installation mechanism where AMIs have not been generated


Management

• Support teams use a runbook for each service level

• Verification of agent coverage in the environment

• Proactive Support and Implementation processes using scan recommendations & experience of the platform

• Implementation of patching recommendations, ideally through Configuration Management

• Virtual patching is being discussed more, but we don’t yet see much uptake.
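The deactivation scans for terminated instances (Scale Out and Scale Back) and the verification of agent coverage (Management) are two sides of one reconciliation between the EC2 fleet and the DSM computer list. The Python below is an added example, not KCOM's or Trend Micro's code: it assumes both lists have already been fetched (replaced here by constructed sample data) and decides, per instance, whether the runbook must activate, investigate or deactivate an agent, allowing a bootstrap grace period so freshly launched autoscaled instances are not flagged while still activating.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 9, 6, 12, 0, tzinfo=timezone.utc)  # constructed reference time
BOOT_GRACE = timedelta(minutes=15)       # a fresh instance may still be activating
HEARTBEAT_STALE = timedelta(minutes=30)  # running instance whose agent has gone quiet

@dataclass
class Ec2Instance:
    instance_id: str
    state: str          # "running" or "terminated"
    launched: datetime
@dataclass
class DsmHost:          # one DSM computer record, keyed by its EC2 instance id
    instance_id: str
    agent_status: str   # "active" or "inactive"
    last_heartbeat: datetime

def reconcile(instances, dsm_hosts, now=NOW):
    """Compare the EC2 fleet with the DSM computer list; return {instance_id: action}."""
    dsm = {h.instance_id: h for h in dsm_hosts}
    running = {i.instance_id: i for i in instances if i.state == "running"}
    actions = {}
    for iid, inst in running.items():
        host = dsm.get(iid)
        if host is None or host.agent_status != "active":
            # Coverage gap, unless the instance is still inside its bootstrap window
            if now - inst.launched > BOOT_GRACE:
                actions[iid] = "activate: running without an active agent"
        elif now - host.last_heartbeat > HEARTBEAT_STALE:
            actions[iid] = "investigate: running but agent heartbeat is stale"
    for iid, host in dsm.items():
        # The deactivation sweep: DSM records whose instance is terminated or gone
        if iid not in running and host.agent_status == "active":
            actions[iid] = "deactivate: instance no longer running"
    return actions

SAMPLE_INSTANCES = [  # constructed fleet; instance ids are made up
    Ec2Instance("i-0aaa", "running", NOW - timedelta(hours=2)),
    Ec2Instance("i-0bbb", "running", NOW - timedelta(minutes=3)),  # just launched
    Ec2Instance("i-0ccc", "running", NOW - timedelta(hours=1)),    # never activated
    Ec2Instance("i-0ddd", "running", NOW - timedelta(hours=4)),    # agent went quiet
    Ec2Instance("i-0eee", "terminated", NOW - timedelta(days=1)),  # scaled in
]
SAMPLE_DSM = [
    DsmHost("i-0aaa", "active", NOW - timedelta(minutes=5)),
    DsmHost("i-0ddd", "active", NOW - timedelta(minutes=45)),
    DsmHost("i-0eee", "active", NOW - timedelta(hours=1)),
    DsmHost("i-0fff", "active", NOW - timedelta(hours=3)),  # instance gone entirely
]
```

Run against the sample data, i-0ccc needs activation, i-0ddd needs investigation, and i-0eee and i-0fff are deactivation candidates; i-0bbb is left alone because it is still inside the grace window.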


In Action

• Trend DS AV is our baseline for security and it goes into every proposal

• Three major customers with current deployments

• Minimum of 100 instances under DS management for each of these customers

Airline industry – development environment for self service & fast to market disruption support service

Rail Industry – Security to protect £2bn revenue in ticketing & train information systems, further projects in the pipeline.

Insurance Industry – To protect migration into AWS Cloud from datacentre for a broad selection of workloads, plus greenfields developments


When

What happens when Trend DS starts waving flags that an intrusion is in progress?

Using Autoscaling and Gold Image we gain clean service recovery that is:

• Rapid

• Safe

• Reliable

• Tested

Using scripted deployment together with the rigours of Autoscaling we have options to recover/manage in place, or move to a DR scenario, either partial or complete.

Take the opportunity to gather logs and other forensics from instances and AWS layers.

Instigate higher alert levels in other parts of the business.


Summary

• Intrusion is a matter of when not if

• Defence in Depth is necessary to manage events effectively

• KCOM uses Trend Micro DS as its core Cloud Security offering

• We have several successful, large scale deployments, including production use

• Use in autoscaling environments is recommended & low overhead

• Inclusion of autoscaling & similar practices improves recovery capability
