
Page 1: How Can I Plan for Security, Risk, & Compliance Before Migrating to AWS? | AWS Public Sector Summit 2017

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

June 13, 2017

How can I plan for security, risk, and compliance before migrating to AWS?

Rob Barnes, Cloud Security Architect, Amazon Web Services

Tom Ognibene, Principal Software Engineer, Blackbaud

Page 2

Migration & Transformation Track, Tuesday, June 13th - Room 201

8:45 - 9:35 AM, 119706 - My CIO Says That We are Going All-In and Migrating to AWS? Now What?

9:40 - 10:30 AM, 125086 - Hybrid as a Stepping Stone: It’s Not All or Nothing for Your Cloud Transformation Journey

2:00 - 2:50 PM, 119707 - Why do I need to plan for Security, Risk, & Compliance before migrating to AWS?

3:30 - 4:20 PM, 119708 - How Can I Build a Landing Zone & Extend my Operations into AWS to Support my Migration?

4:30 - 5:20 PM, 119709 - What Organizational & Governance Changes do I Need to Make Prior to Migrating to AWS?

Page 3

Risk.

Page 4

Are you wondering about your compliance right now?

Page 5

Or do you just want to help?

Page 6

Directive

Preventive

Detective

Responsive

Page 7

Identity & Access Management

Logging & Monitoring

Infrastructure Security

Data Protection

Incident Response

Page 8

But don’t take my word for it…

Page 9

Tom Ognibene

Principal Software Engineer

24 years at Blackbaud

10 years payment solutions

PCI SME

Page 10

Our Journey

Page 11

Blackbaud began with a vision to help one organization

Page 12

We now support the entire social good community

Nonprofits

Education Institutions

Foundations

Corporations

Individual Change Agents

Page 13

Blackbaud Payment Service

Service dedicated to securely processing credit card transactions for our application

• Web servers

• Database servers

• Firewalls

• VLANs

• SIEM solutions

• Monitoring

Page 14

Blackbaud Payment Services

[Chart: y-axis 0 to 12,000; series values not recoverable from the transcript]

Page 15

Blackbaud Payment Services

Page 16

Why AWS

Page 17

Why AWS

We have a good DR story

AWS has a better one!

Page 18

Why AWS

We have a good DR story

AWS has a better one!

Our infrastructure can handle the current demand

AWS can do it more cheaply

Page 19

Why AWS

We have a good DR story

AWS has a better one!

Our infrastructure can handle the current demand

AWS can do it more cheaply

We have a good SIEM solution

AWS can improve on it

Page 20

Why AWS

We have a good DR story

AWS has a better one!

Our infrastructure can handle the current demand

AWS can do it more cheaply

We have a good SIEM solution

AWS can improve on it

We know how to build infrastructure

AWS can build it faster

Page 21

Remove Default VPC

    # ... (preceding lines elided on the slide; $Region is set earlier)
    # Find the default VPC in this region, if one still exists.
    [Amazon.EC2.Model.Vpc[]] $vpcList = Get-EC2Vpc -Filter @{Name="isDefault"; Values="true"} -Region $Region
    if ($vpcList -ne $null) {
        [Amazon.EC2.Model.Vpc] $vpc = $vpcList[0]
        [Amazon.EC2.Model.Filter] $vpcFilter = [Amazon.EC2.Model.Filter]::new("vpc-id", @($vpc.VpcId))

        # Subnets must go before the VPC itself can be deleted.
        [Amazon.EC2.Model.Subnet[]] $subList = Get-EC2Subnet -Filter @($vpcFilter) -Region $Region
        ForEach ($sub in $subList) {
            Remove-EC2Subnet -SubnetId $sub.SubnetId -Region $Region -Force
        }

        # Detach and delete any internet gateway attached to the VPC.
        $vpcFilter.Name = "attachment.vpc-id"
        [Amazon.EC2.Model.InternetGateway[]] $igList = Get-EC2InternetGateway -Filter @($vpcFilter) -Region $Region
        ForEach ($ig in $igList) {
            ForEach ($igAttach in $ig.Attachments) {
                Dismount-EC2InternetGateway -VpcId $vpc.VpcId -InternetGatewayId $ig.InternetGatewayId -Region $Region -Force
            }
            Remove-EC2InternetGateway -InternetGatewayId $ig.InternetGatewayId -Region $Region -Force
        }

        Remove-EC2Vpc -VpcId $vpc.VpcId -Region $Region -Force
    }
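A detective counterpart to the removal above, added here as an example rather than code from the slides: it walks every region enabled for the account and reports any default VPC that still exists, with its subnet and internet gateway counts, so the hardening step can be re-verified on a schedule. It assumes the AWS Tools for PowerShell are loaded and credentials are already configured; the function name and seed region are the example's own choices.

```powershell
# Added example (not from the slides): verify that no default VPC remains in any enabled region.
# Assumes AWS Tools for PowerShell (AWSPowerShell or AWS.Tools.EC2) and configured credentials.
function Get-DefaultVpcReport {
    param(
        # Region used only for the initial DescribeRegions call (assumed default).
        [String] $SeedRegion = "us-east-1"
    )
    [Object[]] $report = @()
    # Get-EC2Region returns only the regions enabled for this account.
    ForEach ($region in (Get-EC2Region -Region $SeedRegion)) {
        [Amazon.EC2.Model.Vpc[]] $defaults = Get-EC2Vpc -Filter @{Name="isDefault"; Values="true"} -Region $region.RegionName
        ForEach ($vpc in $defaults) {
            # Count subnets and attached internet gateways so the finding shows what is still reachable.
            [Amazon.EC2.Model.Filter] $f = [Amazon.EC2.Model.Filter]::new("vpc-id", @($vpc.VpcId))
            $subnetCount = @(Get-EC2Subnet -Filter @($f) -Region $region.RegionName).Count
            $f.Name = "attachment.vpc-id"
            $igwCount = @(Get-EC2InternetGateway -Filter @($f) -Region $region.RegionName).Count
            $report += [PSCustomObject]@{
                Region           = $region.RegionName
                VpcId            = $vpc.VpcId
                Subnets          = $subnetCount
                InternetGateways = $igwCount
            }
        }
    }
    return $report
}

# Non-zero exit makes the check usable as a gate in a pipeline or a scheduled compliance job.
$findings = Get-DefaultVpcReport
if ($findings.Count -eq 0) {
    Write-Output "PASS: no default VPC found in any enabled region"
} else {
    Write-Output "FAIL: default VPC(s) still present"
    $findings | Format-Table -AutoSize
    exit 1
}
```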


Page 23

Right Choice

Is AWS the “right” one?

Page 24

Performance

Is AWS performant?

Page 25

Type of Migration

Lift and Shift

Product rewrite

Page 26

How Many Environments

Application

SIEM

Page 27

“Roles”

Who needs to use the environments?

What do they need it for?

Page 28

Software Defined Infrastructure

Write software => Test software

Page 29

Project Planning

Is AWS the best choice?

Is it performant?

How am I going to migrate?

How many environments?

How should I separate them?

Who is going to access it?

Other considerations

Page 30

AWS Tech

Yikes

Page 31

SSM deployment

    # Every *.json file under Data\SSMCmdDocs is an SSM Command document to publish.
    [Object[]] $SSMDocumentFileList = Get-ChildItem -Path $((Get-Item $PSScriptRoot).Parent.FullName + "\Data\SSMCmdDocs") `
        -Filter "*.json"

    ForEach ($SSMDocumentFile in $SSMDocumentFileList) {
        # Documents are namespaced with a "BB-" prefix, e.g. RemoveSMBv1.json becomes BB-RemoveSMBv1.
        [String] $SSMDocumentName = "BB-" + $($SSMDocumentFile.BaseName)
        [String] $SSMDocumentFileContents = [System.IO.File]::ReadAllText($SSMDocumentFile.FullName)
        try {
            # Compare the stored default version with the file; only push a new version when content changed.
            [Amazon.SimpleSystemsManagement.Model.GetDocumentResponse] $SSMDocument = Get-SSMDocument -DocumentVersion "`$DEFAULT" `
                -Name $SSMDocumentName
            if ($SSMDocumentFileContents -ne $SSMDocument.Content) {
                Write-Verbose -Message "Updating document $SSMDocumentName"
                [Amazon.SimpleSystemsManagement.Model.DocumentDescription] $SSMDocumentDescription = Update-SSMDocument `
                    -Content $SSMDocumentFileContents -DocumentVersion "`$LATEST" -Name $SSMDocumentName
                [Amazon.SimpleSystemsManagement.Model.DocumentDefaultVersionDescription] $docVersion = Update-SSMDocumentDefaultVersion `
                    -Name $SSMDocumentName -DocumentVersion $SSMDocumentDescription.LatestVersion
            }
        } catch [Amazon.SimpleSystemsManagement.Model.InvalidDocumentException] {
            # Get-SSMDocument throws InvalidDocumentException when the document does not exist yet: create it.
            Write-Verbose -Message "Adding document $SSMDocumentName"
            [Amazon.SimpleSystemsManagement.Model.DocumentDescription] $SSMDocumentDescription = New-SSMDocument `
                -Content $SSMDocumentFileContents -DocumentType ([Amazon.SimpleSystemsManagement.DocumentType]::Command) `
                -Name $SSMDocumentName
            [Amazon.SimpleSystemsManagement.Model.DocumentDefaultVersionDescription] $docVersion = Update-SSMDocumentDefaultVersion `
                -Name $SSMDocumentName -DocumentVersion $SSMDocumentDescription.LatestVersion
        }
    }

Page 32

Implementation

PowerShell/C# library

CIS AWS Foundations hardening standards

SSO/SAML integration

IAM Roles/Restrictive Policies

CloudTrail/AWS Config

Security Groups

ELB and Policies

VPC/VPC Peering

Page 33

Today

Multiple AWS environments

Completed PCI assessment

Completed Multiple External Pen Tests

Migrate additional payment applications

Page 34

Automation and Security

    # Script block that disables and removes SMBv1 on a Windows host.
    [ScriptBlock] $RemoveSMBv1 = {
        Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Uninstall-WindowsFeature -Name FS-SMB1 -Restart | Out-Null
    }
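The script block above and the SSM deployment loop on page 31 fit together: wrapping the SMBv1 removal in an SSM Command document lets Run Command apply it fleet-wide and return the resulting state as evidence. The following is an added example, not Blackbaud's own document: it writes a schema 2.2 Command document into the Data\SSMCmdDocs folder that the page 31 loop publishes as BB-RemoveSMBv1. The file name, parameter name and step name are assumptions; run it as a script so $PSScriptRoot is set.

```powershell
# Added example (not from the slides): emit an SSM Command document that runs the SMBv1 removal.
# Assumes the Data\SSMCmdDocs layout from the "SSM deployment" slide; name and schema are assumptions.
$document = [Ordered]@{
    schemaVersion = "2.2"
    description   = "Disable and remove the SMBv1 protocol on a Windows instance (MS17-010 / WannaCry exposure)."
    parameters    = [Ordered]@{
        reboot = [Ordered]@{
            type          = "String"
            description   = "Restart after removing the FS-SMB1 feature."
            default       = "false"
            allowedValues = @("true", "false")
        }
    }
    mainSteps = @(
        [Ordered]@{
            action       = "aws:runPowerShellScript"
            name         = "removeSmbV1"
            # Skip silently on Linux targets instead of failing the whole command invocation.
            precondition = [Ordered]@{ StringEquals = @("platformType", "Windows") }
            inputs       = [Ordered]@{
                runCommand = @(
                    'Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null',
                    'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force',
                    'if ("{{ reboot }}" -eq "true") { Uninstall-WindowsFeature -Name FS-SMB1 -Restart | Out-Null }',
                    'else { Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null }',
                    # Print the final setting so the Run Command output doubles as assessment evidence.
                    '"EnableSMB1Protocol=" + (Get-SmbServerConfiguration).EnableSMB1Protocol'
                )
            }
        }
    )
}

# Same path convention as the deployment script; BaseName "RemoveSMBv1" becomes document "BB-RemoveSMBv1".
$outDir = Join-Path (Get-Item $PSScriptRoot).Parent.FullName "Data\SSMCmdDocs"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$document | ConvertTo-Json -Depth 10 | Set-Content -Path (Join-Path $outDir "RemoveSMBv1.json") -Encoding UTF8
```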

Page 35

WannaCry

Page 36


Thank you!