An overview of how to approach security in the cloud, new services and features from AWS, and a glimpse of what we do internally to secure our operations.
Goals for secure application design
• Confidentiality – only authorized users can access data
• Integrity – data can’t be changed without detection
• Availability – data is accessible when needed
Confidentiality
• Access control on systems and/or data itself
  • Principal, Action, Resource, Condition
• Encryption
  • Renders data inaccessible without a key
  • Authenticated encryption protects data from modification
  • Easier to tightly control access to a key than the data
  • Independent controls for keys and data
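The two controls on this slide compose: a request succeeds only if the access-control decision on the data and the separate decision on the key both allow it. The following is an added example, not code from the deck or an AWS library, that models the Principal/Action/Resource/Condition evaluation for a constructed identity policy (data access, with an explicit deny when MFA is absent) and a constructed KMS key policy (key access), then combines them the way an SSE-KMS object read would. The account ID, user names, bucket and key ARNs are placeholders, and the evaluator is a simplification: it supports only the Bool and StringEquals condition operators and does not model the case where a key policy delegates to IAM policies.

```python
import fnmatch

# Constructed example (not from the deck): placeholder account, users, bucket and key.
ACCOUNT = "111122223333"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID"

# Identity-based policy attached to both users: read/write one bucket, but an
# explicit deny on every S3 action for requests made without MFA.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}

# Resource-based policy on the KMS key that protects the bucket's objects.
# It is an independent control: only alice may use the key, whatever the data policy says.
KEY_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ALICE},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Action and Resource elements accept '*' wildcards; compare case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only Bool and StringEquals are modelled here (simplification); a condition key
    # missing from the request context makes the condition false.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _applies(stmt, principal, action, resource, context):
    if "Principal" in stmt:  # resource-based policies name the principal explicitly
        allowed = _as_list(stmt["Principal"].get("AWS", []))
        if principal not in allowed and "*" not in allowed:
            return False
    if not _matches(stmt["Action"], action):
        return False
    if not _matches(stmt.get("Resource", "*"), resource):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, principal, action, resource, context=None):
    """Default deny; an explicit Deny that applies wins over any Allow."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, principal, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def can_read_encrypted_object(principal, mfa_present):
    """Reading an SSE-KMS object needs the data permission AND the key permission."""
    context = {"aws:MultiFactorAuthPresent": "true" if mfa_present else "false"}
    data_ok = evaluate([IDENTITY_POLICY], principal, "s3:GetObject", OBJECT_ARN, context)
    key_ok = evaluate([KEY_POLICY], principal, "kms:Decrypt", KEY_ARN, context)
    return data_ok and key_ok


if __name__ == "__main__":
    for who, mfa in ((ALICE, True), (ALICE, False), (BOB, True)):
        print(who.rsplit("/", 1)[1], "mfa" if mfa else "no-mfa", can_read_encrypted_object(who, mfa))
```

Run stand-alone, it shows alice succeeding only with MFA and bob failing even though the data policy grants him the object, because the key policy is evaluated on its own.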
Availability
• Ability to access ANY copy of the data
  • How much time can your users live with zero access?
• Latency of access to primary copy of the data
  • How much time can your users wait for normal access?
Security is a shared responsibility
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS Account Management
• Root Account
  • Enable Multi-Factor Authentication (MFA)
  • Use it for managing account structure and permissions only
  • Store its credentials safely
• Use AWS Identity and Access Management (IAM) for everything else
  • Create personal users
  • Use roles when possible (e.g. EC2 workloads)
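These account-management rules can be checked continuously from the IAM credential report rather than by hand. The following is an added example, not code from the deck or from AWS, that audits a constructed report: root must have MFA and no active access keys, every user with a console password must have MFA, and active access keys older than an assumed 90-day rotation policy are flagged. The report here is trimmed to the columns the checks read (IAM's real report has more columns, and is fetched with the GetCredentialReport API); the evaluation time is fixed so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed credential report (no real account data), trimmed to the columns the
# checks read; IAM's real report carries more columns (last-used dates, certificates, ...).
REPORT_CSV = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2015-03-01T10:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2016-10-01T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2016-07-01T10:00:00+00:00,false,N/A
"""

# Fixed evaluation time so the key-age check is reproducible.
NOW = datetime(2016, 11, 30, 12, 0, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not a value from the deck


def audit_credential_report(report_csv=REPORT_CSV, now=NOW, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) pairs for the account-hygiene rules on the slide."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root is for account structure and permissions only: MFA on, no long-lived keys.
            if row["mfa_active"] != "true":
                findings.append((user, "MFA not enabled on the root account"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has an active access key"))
            continue
        # Personal users who can sign in to the console need MFA too.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Long-lived keys that are never rotated are the ones that get "walked" later.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
                age = (now - rotated).days
                if age > max_key_age_days:
                    findings.append((user, f"access key {n} is {age} days old"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report():
        print(f"{user}: {finding}")
```

Against the constructed report this yields four findings: two for root, one for bob's password-only login, and one for deploy-bot's 152-day-old key; alice is clean.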
• AWS compliance program – updates
• Security tool enhancements in 2016
• How AWS handles security at scale
• Recent announcements
• The case for change
DATA OWNERSHIP
• Customers choose where to place their data
• AWS regions are geographically isolated by design
• Data is not replicated to other AWS regions and doesn’t move unless the customer tells us to do so
• Customers always own their data, and the ability to encrypt it, move it, and delete it
COMPLIANCE – AWS ARTIFACT
AWS Artifact provides customers with an easier process to obtain AWS compliance reports (SOC, PCI, ISO) with self-service, on-demand access via the console
MAKING COMPLIANCE EASIER
AWS SOLUTION: AMAZON S3 DATA EVENTS AVAILABLE IN CLOUDTRAIL AND CLOUDWATCH EVENTS
Services shown: Amazon S3, AWS Lambda, Amazon CloudWatch, AWS CloudTrail
AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016
• AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations
• IAM console now helps prevent you from accidentally deleting in-use resources
AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016
• AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations:
  • Administrator
  • Billing
  • Database Administrator
  • Data Scientist
  • Developer Power User
  • Network Administrator
  • System Administrator
  • Security Auditor
  • Support User
  • View-Only User
AMAZON INSPECTOR FEATURES ADDED IN 2016
• CIS certs for Windows Server 2008 R2, Server 2012, and Server 2012 R2
• Assessments complete even if some targeted agents are offline
• Filter findings based on severity levels
AWS SOLUTION: KEY MANAGEMENT SERVICE
Decide on an encryption key management strategy:
• Manage and use keys in AWS Key Management Service (AWS KMS)
• Use service-provided built-in key management
• Use your own key management system
• Manage and use keys in AWS CloudHSM
KEY MANAGEMENT SERVICE – Features added in 2016
• Bring your own keys to AWS Key Management Service using the KMS import key feature
• AWS Encryption SDK
AWS SOLUTION: CONSTRAINT-BASED MONITORING
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants
To learn more, see Byron Cook’s session SEC401 – Automated Formal Reasoning About AWS Systems
AWS Security – 2016 Pace of Innovation
• Reviewed 2,233 services and features in the last year
• 319 compliance programs in scope across 40+ services
• 5,769 overall security reviews YTD
How AWS handles security at scale
• We operate over 2,400 controls; multiplied by the 64 services we have, over a period of 6 months that may be 30 million instances of control performance
• We collect terabytes and terabytes of logs on our own data
Detecting anomalies through AWS CloudTrail Logs
AWS CloudTrail logs are a treasure trove of information
• Examples: event type, source IP, principal/AKID, MFA used
Use data to rapidly detect and respond to threats
• “Walking” credentials
• Compromised accounts
• Other malicious behavior
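The fields the slide lists (event type, source IP, principal/AKID, MFA used) are enough to write the first detections a team usually wants. The following is an added example, not code from the deck or from AWS, run over constructed CloudTrail records reduced to those fields (real records carry many more). It flags root activity, console logins without MFA, "walking" credentials (one access key ID used from more than one source IP inside a time window) and, as an added heuristic for compromised accounts, a burst of AccessDenied errors from one principal. The thresholds, user names and access key IDs are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail records (no real account data), reduced to the fields the
# detections read. Access key IDs and addresses are placeholders.
RECORDS = [
    {"eventTime": "2016-11-15T09:00:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2016-11-15T09:05:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "sourceIPAddress": "203.0.113.11", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-11-15T09:10:00Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEALICE0001"}},
    {"eventTime": "2016-11-15T09:20:00Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEALICE0001"}},
    {"eventTime": "2016-11-15T09:30:00Z", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.50", "userIdentity": {"type": "Root", "accessKeyId": "ASIAEXAMPLEROOT00001"}},
] + [
    # Three denied EC2 calls in a row from bob's key: enumeration after a credential leak looks like this.
    {"eventTime": f"2016-11-15T09:4{i}:00Z", "eventName": name, "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.11", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accessKeyId": "AKIAEXAMPLEBOB000002"}}
    for i, name in enumerate(("DescribeInstances", "RunInstances", "CreateKeyPair"))
]


def detect_anomalies(records=RECORDS, walk_window=timedelta(hours=1), denied_threshold=3):
    """Return (rule, subject, detail) tuples; subject is a user name, identity type or key ID."""
    findings = []
    key_uses = defaultdict(list)   # accessKeyId -> [(time, sourceIPAddress)]
    denied = defaultdict(int)      # principal -> number of AccessDenied calls
    for rec in records:
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        ip = rec.get("sourceIPAddress", "")
        if ident.get("type") == "Root":
            findings.append(("root-activity", who, f"{rec['eventName']} from {ip}"))
        if rec["eventName"] == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("console-login-without-mfa", who, ip))
        if rec.get("errorCode") == "AccessDenied":
            denied[who] += 1
        if ident.get("accessKeyId"):
            key_uses[ident["accessKeyId"]].append((when, ip))
    # "Walking" credentials: the same key seen from several source IPs inside the window.
    for key, uses in key_uses.items():
        uses.sort()
        for i, (start, _) in enumerate(uses):
            ips = {ip for t, ip in uses[i:] if t - start <= walk_window}
            if len(ips) > 1:
                findings.append(("walking-credentials", key, ",".join(sorted(ips))))
                break
    for who, count in denied.items():
        if count >= denied_threshold:
            findings.append(("access-denied-burst", who, f"{count} denied calls"))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in detect_anomalies():
        print(f"{rule:28} {subject:22} {detail}")
```

In production the same function runs over the JSON `Records` array of each CloudTrail log file; the windowed walking-credentials check is the one that benefits most from widening the batch, since the two uses may land in different files.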
Collecting raw NetFlow-like logs in AWS
Scenario: You purchased a company running on EC2. You've been asked: "Tell us of any known suspicious activity or activity indicating possible compromise for the main web server"
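One way to answer that question from flow data, as an added example that is not part of the deck: assuming the "NetFlow-like logs" are VPC Flow Logs in the default version-2 format and that the main web server is the constructed address 10.0.1.20 serving only ports 80 and 443, the triage below reads constructed flow-log lines and reports accepted inbound connections to ports the server should not be serving, connections the server itself initiated to anything outside an assumed allowlist, and sources that were rejected on many distinct ports. Lines whose log-status is not OK (NODATA, SKIPDATA) carry no addresses and are skipped.

```python
from collections import defaultdict

# Constructed flow-log lines in the default VPC Flow Logs v2 layout (assumed):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Addresses are documentation ranges.
FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 443 6 12 2400 1479200000 1479200060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 203.0.113.5 443 51234 6 10 9800 1479200000 1479200060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 10.0.0.2 55012 53 17 2 180 1479200000 1479200060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40001 22 6 3 180 1479200100 1479200160 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40002 3389 6 1 60 1479200100 1479200160 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40003 445 6 1 60 1479200100 1479200160 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40004 3306 6 1 60 1479200100 1479200160 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.9 10.0.1.20 40005 8080 6 1 60 1479200100 1479200160 REJECT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 192.0.2.77 49877 4444 6 300 1200000 1479200200 1479200800 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1479200300 1479200360 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log_status").split()
WEB_SERVER = "10.0.1.20"                 # assumed private address of the main web server
SERVED_PORTS = {80, 443}                 # assumed: the only ports it should accept
ALLOWED_OUTBOUND = {("10.0.0.2", 53)}    # assumed allowlist: the VPC resolver


def parse_flow_log(text):
    """Parse v2 flow-log lines into dicts, skipping records that carry no data."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":    # NODATA / SKIPDATA: addresses and ports are '-'
            continue
        for field in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def triage_web_server(text=FLOW_LOG, scan_threshold=4):
    """Return (rule, peer, port_or_count, bytes) tuples worth a closer look."""
    findings = []
    rejected_ports = defaultdict(set)    # source address -> distinct rejected destination ports
    for rec in parse_flow_log(text):
        src, dst = rec["srcaddr"], rec["dstaddr"]
        if dst == WEB_SERVER:
            if rec["action"] == "REJECT":
                rejected_ports[src].add(rec["dstport"])
            elif rec["dstport"] not in SERVED_PORTS:
                findings.append(("accepted-inbound-unexpected-port", src, rec["dstport"], rec["bytes"]))
        elif src == WEB_SERVER and rec["action"] == "ACCEPT":
            if rec["srcport"] in SERVED_PORTS:
                continue                 # reply half of a client flow, logged as its own record
            if (dst, rec["dstport"]) in ALLOWED_OUTBOUND:
                continue
            findings.append(("outbound-connection-from-web-server", dst, rec["dstport"], rec["bytes"]))
    for src, ports in rejected_ports.items():
        if len(ports) >= scan_threshold:
            findings.append(("probable-port-scan", src, len(ports), 0))
    return findings


if __name__ == "__main__":
    for rule, peer, port, nbytes in triage_web_server():
        print(f"{rule:36} {peer:16} {port:>6} {nbytes:>9} bytes")
```

On the constructed lines this reports an accepted SSH connection from the internet, a 1.2 MB connection the server opened to an outside host on port 4444, and a source rejected on four distinct ports. Since flow logs record each direction separately, excluding flows whose source port is a served port is what keeps ordinary HTTPS responses from showing up as "outbound connections".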
Change Management
• Problem: controlled automated deployment and validation of daily deployments
• Our response: automated auditable deployment and validation environment
• How we use it: auditor validation of our preventative and detective change management controls
• Benefit: all changes to the environment are controlled and documented
Change Management
Flagged Deployment
ID: 47365690
Deployer: johndoe@
Deployment Time: 09:56:23 11/15/2016
Flag reason: Approval was not documented in the change ticket
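The flag on this slide is the output of a detective control: every deployment is reconciled against its change ticket after the fact. The following is an added example, not the deck's or AWS's tooling, that performs that reconciliation over constructed records. The first deployment reuses the ID, deployer, time and flag reason shown on the slide; the other deployments, the ticket IDs, the approval fields and the change windows are made up, and the three rules (approval documented, deployment inside the approved window, deployer named on the ticket) are assumptions about what such a ticket would hold.

```python
from datetime import datetime

# Constructed records: the first deployment reuses the values on the slide; all
# tickets and the remaining deployments are made up.
DEPLOYMENTS = [
    {"id": "47365690", "deployer": "johndoe@", "time": "09:56:23 11/15/2016", "ticket": "CHG-1001"},
    {"id": "47365702", "deployer": "janedoe@", "time": "14:10:05 11/15/2016", "ticket": "CHG-1002"},
    {"id": "47365710", "deployer": "janedoe@", "time": "02:00:00 11/16/2016", "ticket": "CHG-1002"},
    {"id": "47365711", "deployer": "johndoe@", "time": "10:00:00 11/16/2016", "ticket": None},
]
TICKETS = {
    "CHG-1001": {"approved_by": None, "deployers": ["johndoe@"],
                 "window": ("09:00:00 11/15/2016", "12:00:00 11/15/2016")},
    "CHG-1002": {"approved_by": "manager@", "deployers": ["janedoe@"],
                 "window": ("13:00:00 11/15/2016", "18:00:00 11/15/2016")},
}


def _parse(ts):
    # Same time layout as the slide: HH:MM:SS MM/DD/YYYY
    return datetime.strptime(ts, "%H:%M:%S %m/%d/%Y")


def flag_deployments(deployments=DEPLOYMENTS, tickets=TICKETS):
    """Return (deployment id, flag reason) pairs for deployments that fail reconciliation."""
    flags = []
    for dep in deployments:
        ticket = tickets.get(dep["ticket"]) if dep["ticket"] else None
        if ticket is None:
            flags.append((dep["id"], "No change ticket referenced"))
            continue
        if not ticket["approved_by"]:
            flags.append((dep["id"], "Approval was not documented in the change ticket"))
        start, end = (_parse(t) for t in ticket["window"])
        if not start <= _parse(dep["time"]) <= end:
            flags.append((dep["id"], "Deployment time outside the approved change window"))
        if dep["deployer"] not in ticket["deployers"]:
            flags.append((dep["id"], "Deployer not listed on the change ticket"))
    return flags


if __name__ == "__main__":
    for dep_id, reason in flag_deployments():
        print(f"Flagged Deployment ID: {dep_id} – {reason}")
```

The deployment and ticket records would normally come from the deployment system and the ticketing system; the point of keeping the check separate from the deployment pipeline is that an auditor can re-run it over any period and get the same flags.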
AWS Security – re:Invent 2016 Preparation
• Reviewed and tested 91 service and feature launches for re:Invent 2016
• Leading into re:Invent 2016 (Sept–Nov 2016), AWS Security completed 139 pen-tests (equaling 2,357 person days)
The case for change
• DevOps, Agile, and Scrum on the rise…
• Workload migrations to software defined environments…
• Mass adoption of the public cloud…
• Talent migration to progressive cloud companies…
• Startups have game-changing tech at their disposal…
• Competitive landscape is becoming fierce…
• The perimeter is no longer an option…
• Security, now more than ever, is an arms race…
The DevSecOps mindset
• Customer focus
• Open and transparent
• Iteration over perfection
• Hunting over reaction
• Hmmm → Wait a minute, this sounds like a manifesto… insert shameless plug here: http://www.devsecops.org
Security as code is easy with AWS
AWS provides all the APIs!
• Programmatically test environments
• Determine state of environment at a specific point in time
• Repeatable processes
• Scalable operations
How can we learn DevSecOps?
• Security as Code?
• Security as Operations?
• Compliance Operations?
• Science?
• Experiment: Automate Policy Governance
• Experiment: Detection via Security Operations
• Experiment: Compliance via DevSecOps Toolkit
• Experiment: Science via Profiling
Start Here? DevOps + Security → DevOps + DevSecOps