More Related Content
What's hot (20)
Similar to Build and Manage a Highly Secure Cloud Environment on AWS and Azure (20)
More from CloudHesive (20)
Recently uploaded (20)
Build and Manage a Highly Secure Cloud Environment on AWS and Azure
- 1. Build and Manage a Highly Secure Cloud Environment on AWS and Azure CloudCheckr Webinar - August 1st, 2019
- 2. Frameworks • Cloud Adoption Framework (CAF) – AWS • Well Architected Framework (WAF) – AWS • Game Days –Various • Reference Implementations – AWS • Industry Organizations – Government/Non-Government
- 3. Cloud Adoption Framework (CAF) • Perspectives • Business • Value Realization • People • Roles & Readiness • Governance • Prioritization & Control • Platform • Applications & Infrastructure • Security • Risk & Compliance • Operations • Manage & Scale
- 4. Security Perspective • Directive • Account Ownership and contact information • Change and asset management • Least privilege access • Preventive • Identity and access • Infrastructure protection • Data protection • Detective • Logging and monitoring • Asset inventory • Change detection • Responsive • Vulnerabilities • Privilege escalation • DDoS attack
- 5. Well Architected Framework (WAF) • Pillars • Operational Excellence • Security • Reliability • Performance Efficiency • Cost Optimization • Lenses • Serverless • High Performance Computing (HPC) • Internet ofThings (IOT)
- 6. Security Pillar • Design Principles • Implement a strong identity foundation • Enable traceability • Apply security at all layers • Automate security best practices • Protect data in transit and at rest • Prepare for security events • Best Practices • Identity andAccess Management • Detective Controls • Infrastructure Protection • Data Protection • Incident Response
- 7. Game Days • Define • Workload, Personnel, Scenario, Environment, Schedule • Execute • Start, Middle, End • Analyze • Debrief, Examine, Document, Root CauseAnalysis (RCA), Correction of Error (CoE)
- 8. Reference Implementations • “NIST Quickstart” • Based on Cybersecurity Framework, SP 800-53, SP 800-37 • Corresponding Guide + Controls Matrix • CIS and PCIVariants Available • Good starting point
- 9. Industry Organizations • National Institute of Standards andTechnology (NIST) • Center for Internet Security (CIS) • Cloud Security Alliance (CSA) • International Information System Security Certification Consortium (ISC2) • OpenWeb Application Security Project (OWASP) • MITRE • Payment Card Industry (PCI) • Secure Controls Framework (SCF) • Feisty Duck • ThreatResponse
- 10. Preventative Controls - Baseline • VPC: Security Groups (Stateful Firewall) + NACLs (Stateless Firewall) • WAF: Layer 7WAF • Shield + AutoScaling + ELB + Cloud Front: DoS/DDoS Protection • VPC:VGW (Point to Point and IPSEC Connectivity) + Peering (VPC toVPC Connectivity) + Endpoints (Private Connectivity toAWS Services) • IAM + Directory Service + SSO: Standalone and Federated AAA • KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS services, provides expiration and ability to provide self-generated cryptographic material • Secure Credential Storage: Secrets Manager, Systems Manager
- 11. Preventative Controls -Workloads • AWS Auto Scaling: EC2, Dynamo, AuroraAutoscaling • Code Commit/ECS: Secure Application and Artifact Repository • Code Deploy/Run Command: “Hands off”OS and configuration management + application deployment • EC2: Systems Manager (OS and above patching + auditing) • AWS Backup: EC2, RDS, EFS, Dynamo Backups • Workspaces: Secure Bastion • OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management • Host based security:Trend Micro Deep Security, etc.
- 12. Detective Controls • Config: Point in time snapshots of configuration items, Exportable as JSON to idempotent storage • Tags: Built-in asset + inventory marking and tracking on configuration items • S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention • VPC: Flow Logs (NetFlow) + Port Mirroring (New!) • CloudWatch Logs:OS and above log management • CloudTrail:AuditTrail, Exportable as JSON to idempotent storage • Cloudfront, ALB andWAF: All log (CloudFront andALB in S3,WAF in Kinesis)
- 13. Enforcing Controls – AWS • ControlTower • Security Hub • Service Catalog • CloudFormation • Guard Duty • Inspector • Macie • Trusted Advisor • Config Rules
- 14. Enforcing Controls –Third Party • CIS CAT • CloudCheckr • AlertLogic • Tenable • Sumologic
- 15. Incident Response • Disk Snapshots • Don’t forget to remove from retention policy • Automated withThreatResponse • Memory Snapshots • Automated withThreatResponse • Logs • Don’t forget to remove from retention policy • Query and Correlate with Athena • BlockAccess • Revert to Known Good State • Identify/Correct Root Cause • Rotate Credentials (people and things) • Measure
- 16. Conclusion • Iterate introduction of your security controls – some in the short term is better than none in the long term. • Detective Controls are just as important as Preventative Controls, they play a significant response in incident detection and response. • Whether your workload is onAWS or not,AWS services can be used to supplement your controls. • There is no lack of frameworks – pick and choose from them to make a framework that works best for your organization’s needs.
Editor's Notes
- #9: https://aws.amazon.com/quickstart/architecture/accelerator-nist