
#RSAC

Aaron McKeown

Hardening the Cloud: Assuring Agile Security in High-Growth Environments (Moving from span ports to virtual appliances)

Session ID: CSV-F01

Lead Security Architect, Xero

Fast or Secure

Fast & Secure

Beautiful cloud-based accounting software: connecting people with the right numbers anytime, anywhere, on any device

1,450+ staff globally

$474m raised in capital

$202m subscription revenue FY16

$1tr incoming and outgoing transactions in the past 12 months

450m incoming and outgoing transactions in the past 12 months

All figures shown are in NZD

862,000+ subscribers globally (subscriber growth chart, 2009 to 2016)

Public Cloud Migration

Supporting the next wave of growth

Reducing our cost to serve

Improving data protection

Eliminating scheduled downtime

Maintaining and improving security

Key Challenges

Skills are scarce

Regional representation and recommendations

Application architecture has to change

Automation is key

Third-party commercial models need to change

Need to focus on visibility

Challenge #1: Skills are scarce

Make an initial investment in education

Join industry groups and forums

Selective engagement of contractors

Promotion of industry-wide cyber skills

Challenge #2: Regional representation and recommendations

Build a strong relationship with AWS

Reach out to your contacts

Look at alternatives

Build a communication path to remote organizations

Challenge #3: Application architecture has to change

Work in cross-functional teams

Deliver in short, frequent cycles

Communicate quickly and effectively

Build and deliver “security as a service”

Challenge #4: Automation is key

Make automation a core principle

Start with basic use of CloudFormation

Use a code repository

Build a Continuous Integration (CI) and Continuous Delivery (CD) system

Challenge #5: Need to focus on visibility

CloudTrail is enabled by default for all accounts

Track configuration drift

Get the development teams invested

Extended into a virtual team

Challenge #6: Third-party commercial models need to change

Do what we advise others to do: use the cloud

Work with our technology partners and vendors

Move from perpetual licenses to core-based licenses

Address commercial and legal issues first

Key Principles

Repeatable, automated build and management of security systems

Accelerated pace of security innovation

On-demand security infrastructure that works at any scale

Key Learnings

Security by design - what’s that?

Communication is key

Welcome to the cloud - “Where’s my span port?”

Measure & test, monitor everything

Key Learnings: Security by design - what’s that?

Build security into every layer

Treat your infrastructure as code

Iterate, iterate, iterate

Build security into the product lifecycle

Key Learnings: Communication is key

Make everyone a spokesperson

Evangelize and sell your service

Communicate success (as well as failure)

Documentation is critical

Key Learnings: Measure & test, monitor everything

How do you know what normal looks like?

Continually track configuration drift

Do a gap analysis

Perform internal and external testing

Key Learnings: Welcome to the cloud - “Where’s my span port?”

Change your way of thinking

Expand your scope of responsibility

It is a shared journey for all

Use cross-functional teams

The New Paradigm of Shared Responsibility

Security IN the Cloud (Xero + Partner Ecosystem):

Xero Applications & Content

Identity & Access Control

Network Security

Inventory & Config

Data Encryption

Security OF the Cloud (AWS):

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Security as a Service

VPN connectivity

Host Based Security

Web Application Security and Delivery

Shared Key Management Services

Secure Bastion Access

Proxy Services

Security Operations and Consulting Services

Multi-Factor Authentication

The decision to utilize MFA was a core component of the security design

User awareness was initially an issue

Some users refused to utilize the system

Multiple MFA systems were already in place

Enable the MFA enhanced features

Configuration Drift Management

Finding the needle in an automated, freedom-to-deploy haystack

Used Netflix Security Monkey to track, monitor, and action key AWS resource changes

Watchers configured across all AWS accounts

Started as an internal Cloud Security tool

Adoption was driven by the product teams

Risk and compliance utilization for best-practice review
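The kind of check a drift watcher runs, reduced to one resource type as an added example (not Security Monkey's or Xero's code): diff two constructed security-group snapshots and rank each change, so that world-open ingress on an admin port surfaces above routine edits. The snapshot dict shape and the sensitive-port list are assumptions.

```python
# Config-drift check over two constructed EC2 security-group snapshots.
# Added example, not Security Monkey's code; the dict shape mirrors the
# IpPermissions structure returned by EC2 DescribeSecurityGroups.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}  # constructed: admin and DB ports

def flatten_rules(group: dict) -> set:
    """Expand a group's IpPermissions into hashable (proto, from, to, cidr) tuples."""
    rules = set()
    for perm in group.get("IpPermissions", []):
        proto, low, high = perm.get("IpProtocol", "-1"), perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for rng in perm.get("IpRanges", []):
            rules.add((proto, low, high, rng["CidrIp"]))
    return rules

def severity(rule: tuple) -> str:
    """World-reachable ingress on an admin/DB port is the drift to page on."""
    proto, low, high, cidr = rule
    world = cidr in ("0.0.0.0/0", "::/0")
    if world and (proto == "-1" or any(low <= p <= high for p in SENSITIVE_PORTS)):
        return "high"
    return "medium" if world else "low"

def detect_drift(baseline: dict, current: dict) -> list:
    """Diff ingress rules per GroupId; one finding per added/removed rule or group."""
    findings = []
    for gid in sorted(set(baseline) | set(current)):
        before, after = flatten_rules(baseline.get(gid, {})), flatten_rules(current.get(gid, {}))
        if gid not in baseline:
            findings.append({"group": gid, "change": "group_added", "severity": "medium"})
        if gid not in current:
            findings.append({"group": gid, "change": "group_removed", "severity": "medium"})
        for rule in sorted(after - before):
            findings.append({"group": gid, "change": "ingress_added", "rule": rule, "severity": severity(rule)})
        for rule in sorted(before - after):
            findings.append({"group": gid, "change": "ingress_removed", "rule": rule, "severity": "low"})
    return findings

# Constructed snapshots: the bastion group gains world-open SSH and a new web group appears.
BASELINE = {"sg-aaa": {"GroupName": "bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}}
CURRENT = {"sg-aaa": {"GroupName": "bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}]}]},
    "sg-bbb": {"GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}}

if __name__ == "__main__":
    for finding in detect_drift(BASELINE, CURRENT):
        print(finding)
```

In practice the baseline is the last approved snapshot and the current one comes from the API on a schedule; findings ranked "high" are the ones to route to the on-call channel, the rest to a review queue.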

Host Security Automation

Next layer of defense at the host level

Used to monitor, notify, and action instance-level configurations, vulnerabilities and integrity

Automated roll-out and integration with all hosts

Make use of the cloud

Adopt elasticity and automation

Accelerated pace of development

Apply What You Have Learned Today

Week 1:

• Activate multi-factor authentication

• Enable CloudTrail

• Start your first automation!

Month 3:

• Define your principles

• Develop a security architecture

• Start to track your configuration drift

Month 6:

• Measure, test & monitor everything

• Build a culture of communication

• Automate more!

www.xero.com

@xero

Aaron McKeown, Lead Security Architect, Xero