Amazon Web Services Security: Release Engineering & Recommended Architecture

Transcript

1. Amazon Web Services Security:
   Release Engineering &
   Recommended Architecture
   Kenneth White
   Principal, BAO Systems
   Raleigh ISSA Back-to-Basics
   May 1, 2014
   

   View Slide

2. My Background
   Developer: Embedded, safety-critical, clinical trials
   Imaging: Signal processing, classifiers, ML
   OS: kernel, network, file/volume encryption
   DevOps: deployment, risk mgmt, lifecycle/governance
   Compliance: FISMA/FIPS, FDA Part 11/820, HIPAA
   Security: DOD, Red Team, defense, forensics, TLS
   Service: Open Crypto Audit Project
   

   View Slide

3. Agenda
   AWS Overview: footprint, offerings, major clients
   Current-gen infrastructure & services
   Recommended practices
   Access Control
   Identity Management
   File & Disk Encryption
   Orchestration
   Auditing
   Required Reading & Resources
   

   View Slide

4. Disclosures
   Views expressed are my own
   No financial interests in vendors presented
   

   View Slide

5. Security is hard
   

   View Slide

6. So, what is AWS?
   

   View Slide

7. Amazon Web Services
   Footprint
   2003: Chris Pinkham & Benjamin Black paper to Bezos
   2004-2006: Team develops v. 1 in Cape Town (EC2+S3)
   2008: EC2 reaches General Release
   (skipping a lot)
   2014: $4.5B est. annual AWS revenue
   5.1M public IP addresses
   Long-time leader in Gartner MQ for Cloud Infrastructure
   

   View Slide

8. AWS Infrastructure & Service
   Offerings
   EC2: Virtual machines “Compute” (PVM & HVM)
   S3: Durable file/object storage
   Route 53: Geo-aware DNS, programmatic anycast
   VPC: Isolation, VLANs, h/w VPN integration, IPsec
   IAM: Fine-grain identity access, key management
   RDS: Managed DBs (MySQL, Oracle, Postgres, SQL
   Server)
   ELB: Programmatic load balancing, SSL termination
   EMR: Hadoop-as-a-Service, on-demand MapReduce
   

   View Slide

9. Major Clients
   Federal Government
   DOE, CIA, NASA, HHS, FDA, NIH, CDC, Navy, AF, FBI,
   State
   May 2013: FedRAMP ATO, all US Regions
   http://www.gsa.gov/portal/content/171827
   March 2014: DoD Authorization Level 1-2, GovCloud
   

   View Slide

10. Major Clients
    Enterprise
    GE
    SAP
    Comcast
    Discovery
    Nasdaq
    Medidata
    Bristol-Myers Squibb
    Pfizer
    J&J
    

    View Slide

11. Current-gen infrastructure &
    services
    M1 is deprecated
    M1 is deprecated
    M1 is deprecated
    M1 is deprecated
    M1 is deprecated
    

    View Slide

12. Current-gen infrastructure &
    services
    M3, C3, R3 instance types: All-SSD
    M3 best for general purpose
    All-SSD local storage
    M3 & R3
    Intel Xeon E5-2670 (Sandy Bridge) CPUs
    C3 best for high CPU workload
    E5-2680 v2 (Ivy Bridge)
    R3 best for high-memory (up to 244GB)
    VPC+HVM+SR-IOV=5X speedup in I/O, sig ↓ load
    

    View Slide

13. Recommended Practices
    IAM
    Roles, Groups, Object-level control, time-limited
    Delegation (EC2 roles, cross-account access)
    Policy variables
    Policy simulator
    2FA
    One-time secret keys
    Native SSO SAML v 2.0 in AWS Management Console
    

    View Slide

14. Recommended Practices
    File/Disk Encryption
    Vendor-managed S3
    Client-managed
    Java, .Net SDK APIs & code samples
    DM-Crypt
    Key Management Integration for CMPs (Enstratius)
    Oracle RDS Transparent Data Encryption (TDE)
    Off-cloud key management for high-sensitivity
    workloads
    AWS HSM appliance
    

    View Slide

15. Recommended Practices
    Orchestration
    Automate, automate, automate
    *So* many options
    ElasticBeanstalk
    CloudFormation
    Chef, Puppet, Salt, Ansible
    RightScale, Enstratius, …
    

    View Slide

16. Recommended Practices
    Auditing & Logging
    IAM
    AD & Shibboleth
    CloudTrails, Sumo Logic
    Financial report automation
    Central logging
    Managed
    Splunk, et al
    

    View Slide

17. Required Reading
    AWS Security by Stephen Schmidt:
    http://www.slideshare.net/AmazonWebServices/
    aws-security-keynote-address-sec101-aws-
    reinvent-2013
    AWS Security Blog:
    http://blogs.aws.amazon.com/security/blog
    Security & Compliance Docs
    http://aws.amazon.com/compliance/
    

    View Slide

18. How good are your controls?
    

    View Slide

19. Thank you!
    

    View Slide

20. Contacts
    Twitter: @kennwhite
    LinkedIn: www.linkedin.com/in/biotech
    Email: kwhite @ baosystems . com
    Web: opencryptoaudit.org/people
    

    View Slide