Security architecture design for Hybrid Multi-cloud

Transcript

None

Agenda › Background › Security considerations for Hybrid multi-cloud ›

Managing access and resource › Service account key management › Hybrid multi-cloud network › Centralized logging on AWS › Security monitoring based on Posture Management › Next steps

Agenda › Background › Security considerations for Hybrid multi-cloud ›

Background

Background What is Hybrid multi-cloud Multi cloud Cloud Hybrid multi-cloud

IaaS SaaS PaaS FaaS Public Cloud On- premises Hybrid multi-cloud ≒ Hybrid cloud Public Cloud Private Cloud Private Cloud Private Cloud Public Cloud Public Cloud

Background Why does LINE use public cloud?

Background Why does LINE use public cloud? › Using continuous

integration, continuous delivery, and infrastructure as a service › DevSecOps, the CI/CD workflow can deploy software to end users rapidly, possibly several times a day, in a fully automated fashion. Cloud-Native DevOps M&A (Mergers and Acquisitions) As you know, LINE has on-premises › It is difficult to prepare the environment according to the regulations of all countries

Background Why does LINE use public cloud? › Using continuous

Background CSP and CSP accounts usage CSP accounts, projects 100+

CSP 3+ Developers 1000+ CSP : Cloud Service Provider (ex. AWS, GCP, Azure)

Background CSP and CSP accounts usage CSP accounts, projects 100+

Background CSP multi-account security strategy is needed CSP accounts, projects

100+ CSP 3+ Developers 300+ CSP multi-account security strategy is needed CSP : Cloud Service Provider (ex. AWS, GCP, Azure) ⋱

Background Top Threats to Cloud Computing 2019 CSA(Cloud Security Aliance)

releases New Research Top Threats to Cloud Computing: Egregious Eleven ref. https://t.ly/DB8G

Background Top Threats to Cloud Computing ⋮ CSA’s Top Threats

to Cloud Computing LINE Top1. Data Breaches Top2. Misconfiguration and Inadequate Change Control Top3. Lack of Cloud Security Architecture and Strategy Top4. Insufficient Identity, Credential, Access and Key Management Top5. Account Hijacking

Security considerations for Hybrid multi-cloud

Security considerations for Hybrid multi-cloud Key point Key4. Quota and

capacity Key3. Simplify network management Key2. On-demand self-service Key1. IAM (Identity and Access Management) › Integrated Cloud IAM › Enforce least privilege policy › User identity is managed through IDaaS › Service account management › Avoiding Key Reuse › Service account Lifecycle IDaaS : Identity as a Service, is cloud-based authentication built and operated by a third-party provider. ( ex. Okta, DUO, Azure AD)

Security considerations for Hybrid multi-cloud Key point Key4. Quota and

capacity Key3. Simplify network management Key2. On-demand self-service Key1. IAM (Identity and Access Management) › Provision computing capabilities as needed automatically › manual controls impeding change and agility

Security considerations for Hybrid multi-cloud Key point Key4. Quota and

capacity Key3. Simplify network management Key2. On-demand self-service Key1. IAM (Identity and Access Management) › Connect on-premises network to public cloud › private endpoint to access public cloud services › Network access control

Security considerations for Hybrid multi-cloud Key point Key4. Quota and

capacity Key2. On-demand self-service Key1. IAM (Identity and Access Management) › Quota != Capacity › Hard limit › Soft limit › Infrastructure errors can indicate misconfiguration or capacity issues Key3. Simplify network management

Security considerations for Hybrid multi-cloud Key point Key6. Security monitoring

based on Posture Management Key5. Infrastructure as Code › Infrastructure as Code using Chef, Ansible, Puppet and Terraform › layers of security to a simple DevOps pipeline

Security considerations for Hybrid multi-cloud Key point Key6. Security monitoring

based on Posture Management Key5. Infrastructure as Code › Infrastructure as Code using Chef, Ansible, Puppet and Terraform › layers of security to a simple DevOps pipeline

Security considerations for Hybrid multi-cloud Key point Key6. Security monitoring

based on Posture Management Key5. Infrastructure as Code › Collecting artifacts and insight into incidents for incident response › Monitoring operational policies and configuration for performance

Identity and Access Management Managing access and resources

Managing access and resources Two types of identity Account User

accounts Service accounts Identity Human(=Developer, User) Robot (=Compute, Serverless…) Authentication IDaaS (IdP) Keys (JWT, Credential) Authorization IAM Role and Policy(Permission) with ResourceTag/ Label *".3PMFBOE1PMJDZ 1FSNJTTJPO XJUI3FTPVSDF5BH-BCFM Management IAM IAM

Managing access and resources Identity and Access Management Strategy Create

a security account structure for managing multiple accounts Granting authorization to cloud resources Managing users and authentication (Single Sign-On & Two-Factor Authentication with SAML)

Managing access and resources Identity and Access Management Strategy Create

AWS resource hierarchy Managing access and resources Organization Organizational Unit

CSP account Resources

Managing access and resources Managing access to Cloud Console using

Single Sign-On

Managing access and resources Managing access to Cloud Console using

Single Sign-On

Managing access and resources Managing access to Cloud Console using

Single Sign-On

Key1. Humans access to console Key2. Humans get cloud API

tokens Key3. Humans use aws-cli with SSO AWS SSO

Key1. Humans access to console Key2. Humans get cloud API

tokens Key3. Humans use aws-cli with SSO AWS SSO

Key1. Humans access to console Key2. Humans get cloud API

tokens Key3. Humans use aws-cli with SSO - The user signs into complete authentication - Enforced MFA AWS SSO

Key1. Humans access to console Key2. Humans use gcloud-cli with

OAuth 2.0 GCP SSO

Key1. Humans access to console Key2. Humans use gcloud-cli with

OAuth 2.0 - The user signs into complete authentication - Enforced MFA GCP SSO

Service account key management

Service account key management Type of service account key -

Available when running inside CSP - Keys cannot be downloaded - Keys are automatically rotated - Created, downloaded, and managed by users - User must store, revoke, and rotate keys - Rotate/Audit keys via API CSP-managed keys User-managed keys

LINE Service Account (Key) Management architecture Service account key management

GCP AWS Identity ServiceAccount Management System Open Source HashiCorp Vault Human Robot CSP(Cloud Service Provider) Authentication IDaaS LDAP AppRole … Key life-cycle management PKI

LINE Service Account (Key) Management architecture Service account key management

GCP AWS Identity ServiceAccount Management System Open Source HashiCorp Vault Human Robot CSP(Cloud Service Provider) Authentication IDaaS LDAP AppRole … Key life-cycle management PKI

LINE Service Account (Key) Management architecture Service account key management

GCP AWS Identity ServiceAccount Management System Open Source HashiCorp Vault Human Robot CSP(Cloud Service Provider) Authentication IDaaS LDAP AppRole Key life-cycle management … PKI

Hybrid cloud network

Tokyo Region AWS Direct Connect Direct Connect Location Router On

Premises WAN › Speed, Reliability › Enhanced Security › Scalability AWS Direct Connect Multi Cloud Network Server Server Server

Tokyo Region VPC Availability Zone Availability Zone Private subnet Public

subnet Private subnet Public subnet AWS Direct Connect Direct Connect Location Router On Premises WAN Virtual gateway Amazon EC2 Amazon EC2 Amazon EC2 Amazon EC2 Internet Internet gateway NAT gateway › Speed, Reliability › Enhanced Security › Scalability AWS Direct Connect Server Server Server Multi Cloud Network

Tokyo Region VPC Availability Zone Availability Zone Private subnet Public

subnet Private subnet Public subnet AWS Direct Connect Direct Connect Location Router On Premises WAN Virtual gateway Amazon EC2 Amazon EC2 Amazon EC2 Amazon EC2 Internet Internet gateway NAT gateway › On-Premise or AWS environment connection AWS Direct Connect Multi Cloud Network Server Server Server

Tokyo Region VPC Availability Zone Availability Zone Private subnet Public

subnet Private subnet Public subnet AWS Direct Connect Direct Connect Location Router On Premises WAN Virtual gateway Amazon EC2 Amazon EC2 Amazon EC2 Amazon EC2 Internet Internet gateway NAT gateway › Access to EC2 through an existing authentication server authentication server users LINE Network › 10.1.1.0/24 › 10.1.2.0/24 › 10.1.3.0/24 Multi Cloud Network

Tokyo Region VPC( Account #1 ) Availability Zone Private subnet

AWS Direct Connect Direct Connect Location Router On Premises WAN Virtual gateway Amazon EC2 VPC ( Account #2 ) Availability Zone Private subnet Amazon EC2 VPC ( Account #3 ) Availability Zone Private subnet Amazon EC2 Virtual gateway Direct Connect Gateway AWS Cloud EU Region › Simplify management › Multi-account support AWS Direct Connect Gateway Virtual gateway Multi Cloud Network Server Server Server

Tokyo Region VPC( Account #1 ) Availability Zone Private subnet

AWS Direct Connect Direct Connect Location Router On Premises WAN Virtual gateway Amazon EC2 VPC ( Account #2 ) Availability Zone Private subnet Amazon EC2 VPC ( Account #3 ) Availability Zone Private subnet Amazon EC2 Virtual gateway Direct Connect Gateway AWS Cloud EU Region › Simplify management › Multi-account support AWS Direct Connect Gateway Virtual gateway AWS Lambda Amazon Elasticsearch Service Public Service Amazon DynamoDB Public VIF Multi Cloud Network Server Server Server

Multi Cloud Network Tokyo Region VPC( Account #1 ) Availability

Zone Private subnet AWS Direct Connect Direct Connect Location Router On Premises WAN Virtual gateway Amazon EC2 VPC ( Account #2 ) Availability Zone Private subnet Amazon EC2 VPC ( Account #3 ) Availability Zone Private subnet Amazon EC2 Virtual gateway DX Gateway AWS Cloud EU Region › inter-VPC communication AWS Transit Gateway Virtual gateway AWS Transit Gateway Server Server Server

Centralized logging on AWS

Centralized logging on AWS › Improves security awareness and faster

detection of unwanted configuration modifications › Other member accounts within an organization, the logs are never compromised. › Centralized logging is a very important factor in a multi-account environment.

Centralized logging on AWS System Log System All Actions All

Actions KMS logs aggregation Account #1 Account #2 Account #3 Security Log System Log collection Centralized log storage Log analysis

AWS Cloud Member Accounts AWS CloudTrail Security Log Tokyo On

Premises Centralized Logging Account Amazon Simple Notification Service Amazon Simple Queue Service Amazon Simple Storage Service (S3) Log Server 1 2 3 4 5 Centralized Logging on AWS

AWS Cloud Member Accounts AWS CloudTrail Security Logs Tokyo On

Premises Centralized Logging Account Amazon Simple Notification Service Amazon Simple Queue Service Amazon Simple Storage Service (S3) Log Server AWS Lambda System Admin Account Amazon Elasticsearch Service AWS CloudTrail Service Logs Amazon CloudWatch Centralized Logging on AWS

AWS Cloud Member Accounts #1 Tokyo On Premises Centralized Logging

Account Amazon Simple Notification Service Amazon Simple Queue Service LogGW AWS Lambda System Admin Account Amazon Elasticsearch Service KR On Premises SIEM Server Elasticsearch Service Amazon Simple Storage Service (S3) Elasticsearch Service AWS CloudTrail Security Logs AWS CloudTrail Service Logs AWS Cloud Member Accounts #2 AWS CloudTrail Security Logs AWS CloudTrail Service Logs Amazon CloudWatch Centralized Logging on AWS

Security monitoring based on Posture Management

Security monitoring based on Posture Management What is Posture Management

CSPM (Cloud Security Posture Management ) › Asset inventory and classification speed and accuracy › Continuously monitor and assess compliance policies › Monitoring operational policies and configuration for performance › Collecting artifacts and insight into incidents for incident response

Security architecture design for Hybrid Multi-c...

Security architecture design for Hybrid Multi-cloud

More Decks by LINE DevDay 2020

Other Decks in Technology

Featured

Transcript