
Security architecture design for Hybrid Multi-cloud


Seungnam Jun
LINE Infra Protection Team Security Engineer
Geonhui Lee
LINE CSIRT Team1 Security Engineer
https://linedevday.linecorp.com/2020/ja/sessions/8239
https://linedevday.linecorp.com/2020/en/sessions/8239


LINE DevDay 2020

November 25, 2020

Transcript

  2. Agenda
    › Background
    › Security considerations for Hybrid multi-cloud
    › Managing access and resource
    › Service account key management
    › Hybrid multi-cloud network
    › Centralized logging on AWS
    › Security monitoring based on Posture Management
    › Next steps
  10. Background

  11. Background: What is Hybrid multi-cloud?
    (diagram) Cloud (IaaS, SaaS, PaaS, FaaS; Public Cloud or On-premises) › Multi cloud (several Public Clouds) › Hybrid multi-cloud (Public Clouds combined with Private Clouds); Hybrid multi-cloud ≒ Hybrid cloud
  12. Background: Why does LINE use public cloud?

  13. Background: Why does LINE use public cloud?
    Cloud-Native DevOps
    › Using continuous integration, continuous delivery, and infrastructure as a service
    › DevSecOps: the CI/CD workflow can deploy software to end users rapidly, possibly several times a day, in a fully automated fashion.
    M&A (Mergers and Acquisitions)
    As you know, LINE has on-premises
    › It is difficult to prepare the environment according to the regulations of all countries
  16. Background: CSP and CSP accounts usage
    › CSP accounts, projects: 100+
    › CSP: 3+
    › Developers: 1000+
    CSP: Cloud Service Provider (ex. AWS, GCP, Azure)
  19. Background: CSP multi-account security strategy is needed
    › CSP accounts, projects: 100+
    › CSP: 3+
    › Developers: 300+
    CSP: Cloud Service Provider (ex. AWS, GCP, Azure)
  20. Background: Top Threats to Cloud Computing 2019
    CSA (Cloud Security Alliance) releases new research: Top Threats to Cloud Computing: Egregious Eleven (ref. https://t.ly/DB8G)
  21. Background: Top Threats to Cloud Computing (CSA's Top Threats to Cloud Computing, LINE)
    Top1. Data Breaches
    Top2. Misconfiguration and Inadequate Change Control
    Top3. Lack of Cloud Security Architecture and Strategy
    Top4. Insufficient Identity, Credential, Access and Key Management
    Top5. Account Hijacking
  22. Security considerations for Hybrid multi-cloud

  23. Security considerations for Hybrid multi-cloud: Key points
    Key1. IAM (Identity and Access Management)
    › Integrated Cloud IAM
    › Enforce least privilege policy
    › User identity is managed through IDaaS
    › Service account management
    › Avoiding Key Reuse
    › Service account Lifecycle
    Key2. On-demand self-service
    Key3. Simplify network management
    Key4. Quota and capacity
    IDaaS: Identity as a Service, is cloud-based authentication built and operated by a third-party provider (ex. Okta, DUO, Azure AD)
  26. Security considerations for Hybrid multi-cloud: Key points
    Key2. On-demand self-service
    › Provision computing capabilities as needed automatically
    › Manual controls impeding change and agility

  27. Security considerations for Hybrid multi-cloud: Key points
    Key3. Simplify network management
    › Connect on-premises network to public cloud
    › Private endpoint to access public cloud services
    › Network access control

  28. Security considerations for Hybrid multi-cloud: Key points
    Key4. Quota and capacity
    › Quota != Capacity
    › Hard limit
    › Soft limit
    › Infrastructure errors can indicate misconfiguration or capacity issues
  29. Security considerations for Hybrid multi-cloud: Key points
    Key5. Infrastructure as Code
    › Infrastructure as Code using Chef, Ansible, Puppet and Terraform
    › Layers of security to a simple DevOps pipeline
    Key6. Security monitoring based on Posture Management
  31. Security considerations for Hybrid multi-cloud: Key points
    Key6. Security monitoring based on Posture Management
    › Collecting artifacts and insight into incidents for incident response
    › Monitoring operational policies and configuration for performance
  32. Identity and Access Management: Managing access and resources

  33. Managing access and resources: Two types of identity
    Account        | User accounts                     | Service accounts
    Identity       | Human (=Developer, User)          | Robot (=Compute, Serverless…)
    Authentication | IDaaS (IdP)                       | Keys (JWT, Credential)
    Authorization  | IAM Role and Policy (Permission) with ResourceTag/Label
    Management     | IAM                               | IAM
  34. Managing access and resources: Identity and Access Management Strategy
    › Create a security account structure for managing multiple accounts
    › Granting authorization to cloud resources
    › Managing users and authentication (Single Sign-On & Two-Factor Authentication with SAML)
  37. Managing access and resources: AWS resource hierarchy
    Organization › Organizational Unit › CSP account › Resources
  38. Managing access and resources: Managing access to Cloud Console using Single Sign-On
  41. AWS SSO
    Key1. Humans access to console
    Key2. Humans get cloud API tokens
    Key3. Humans use aws-cli with SSO
  43. AWS SSO
    Key1. Humans access to console
    Key2. Humans get cloud API tokens
    Key3. Humans use aws-cli with SSO
    - The user signs in to complete authentication
    - Enforced MFA
  44. GCP SSO
    Key1. Humans access to console
    Key2. Humans use gcloud-cli with OAuth 2.0
  45. GCP SSO
    Key1. Humans access to console
    Key2. Humans use gcloud-cli with OAuth 2.0
    - The user signs in to complete authentication
    - Enforced MFA
  46. Service account key management

  47. Service account key management: Type of service account key
    CSP-managed keys
    - Available when running inside CSP
    - Keys cannot be downloaded
    - Keys are automatically rotated
    User-managed keys
    - Created, downloaded, and managed by users
    - User must store, revoke, and rotate keys
    - Rotate/Audit keys via API
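The "rotate/audit keys via API" duty for user-managed keys, as an added example that is not part of the talk or LINE's own tooling: the audit function takes access-key metadata in the shape AWS IAM ListAccessKeys returns and reports active keys older than an assumed 90-day rotation policy; the key metadata, user names and key ids are constructed sample data, and the boto3 fetch helper is only called when boto3 and credentials are available.

```python
"""Audit user-managed keys for rotation (added example, not from the talk)."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; adjust to your own standard


def audit_access_keys(keys, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return findings for keys that are still active and older than max_age_days.

    `keys` has the shape of the AccessKeyMetadata list returned by IAM
    ListAccessKeys: dicts with UserName, AccessKeyId, Status, CreateDate.
    Inactive keys are skipped; they should be deleted, not rotated.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for key in keys:
        age_days = (now - key["CreateDate"]).days
        if key["Status"] == "Active" and age_days > max_age_days:
            findings.append({
                "user": key["UserName"],
                "access_key_id": key["AccessKeyId"],
                "age_days": age_days,
                "action": "rotate",
            })
    # Oldest keys first, so the riskiest ones are at the top of the report.
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)


def fetch_access_keys(user_names):
    """Collect AccessKeyMetadata for the given IAM users via boto3 (real API call)."""
    import boto3  # imported lazily so the audit logic runs without boto3 installed
    iam = boto3.client("iam")
    keys = []
    for name in user_names:
        keys.extend(iam.list_access_keys(UserName=name)["AccessKeyMetadata"])
    return keys


# Constructed sample metadata: key ids are placeholders, dates relative to a fixed "now".
NOW = datetime(2020, 11, 25, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    {"UserName": "legacy-app", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    for finding in audit_access_keys(SAMPLE_KEYS, now=NOW):
        print(finding)
```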
  48. Service account key management: LINE Service Account (Key) Management architecture
    (diagram) Identity: Human (authentication via IDaaS), Robot (authentication via LDAP, AppRole, …) › ServiceAccount Management System (Open Source HashiCorp Vault: authentication, key life-cycle management, PKI) › CSP (Cloud Service Provider): GCP, AWS
  51. Hybrid cloud network

  52. Multi Cloud Network: AWS Direct Connect
    (diagram) On Premises (Servers, WAN) › Router at the Direct Connect Location › AWS Direct Connect › Tokyo Region
    › Speed, Reliability
    › Enhanced Security
    › Scalability

  53. Multi Cloud Network: AWS Direct Connect
    (diagram) Tokyo Region VPC with two Availability Zones, each with a Private subnet and a Public subnet running Amazon EC2; a Virtual gateway towards AWS Direct Connect, and an Internet gateway plus NAT gateway towards the Internet
    › Speed, Reliability
    › Enhanced Security
    › Scalability

  54. Multi Cloud Network: AWS Direct Connect
    (same diagram as slide 53)
    › On-Premise or AWS environment connection

  55. Multi Cloud Network
    (same diagram as slide 53, with users reaching EC2 through an authentication server on the LINE Network)
    › Access to EC2 through an existing authentication server
    › LINE Network: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24

  56. Multi Cloud Network: AWS Direct Connect Gateway
    (diagram) On Premises › AWS Direct Connect › Direct Connect Gateway › Virtual gateways of VPC (Account #1), VPC (Account #2) and VPC (Account #3) in the Tokyo Region, and the EU Region
    › Simplify management
    › Multi-account support

  57. Multi Cloud Network: AWS Direct Connect Gateway
    (same diagram as slide 56, plus a Public VIF to public services: AWS Lambda, Amazon Elasticsearch Service, Amazon DynamoDB)
    › Simplify management
    › Multi-account support

  58. Multi Cloud Network: AWS Transit Gateway
    (diagram) On Premises › AWS Direct Connect › DX Gateway › AWS Transit Gateway › VPC (Account #1), VPC (Account #2), VPC (Account #3) and the EU Region
    › inter-VPC communication
  59. Centralized logging on AWS

  60. Centralized logging on AWS
    › Improves security awareness and faster detection of unwanted configuration modifications
    › Logs are kept apart from the other member accounts within an organization, so the logs are never compromised.
    › Centralized logging is a very important factor in a multi-account environment.
  61. Centralized logging on AWS
    (diagram) Log collection (Account #1, Account #2, Account #3: System Log, Security Log, All Actions) › Centralized log storage (logs aggregation, KMS) › Log analysis
  62. Centralized Logging on AWS
    (diagram, steps 1-5) AWS Cloud Member Accounts: AWS CloudTrail Security Log › Centralized Logging Account: Amazon Simple Storage Service (S3), Amazon Simple Notification Service, Amazon Simple Queue Service › Tokyo On Premises: Log Server

  63. Centralized Logging on AWS
    (diagram) AWS Cloud Member Accounts: AWS CloudTrail Security Logs › Centralized Logging Account: S3, SNS, SQS › Tokyo On Premises: Log Server; System Admin Account: AWS CloudTrail Service Logs, Amazon CloudWatch, AWS Lambda › Amazon Elasticsearch Service

  64. Centralized Logging on AWS
    (diagram) AWS Cloud Member Accounts #1 and #2: AWS CloudTrail Security Logs and Service Logs › Centralized Logging Account: S3, SNS, SQS, LogGW › Tokyo On Premises (Elasticsearch Service) and KR On Premises (SIEM Server, Elasticsearch Service); System Admin Account: Amazon CloudWatch, AWS Lambda › Amazon Elasticsearch Service
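What the log server at the end of this pipeline can do with each delivered CloudTrail file, as an added example that is not part of the talk or LINE's own system: the function flags events that weaken the audit trail itself (an assumed watchlist) and records that do not belong to one of the expected member accounts, which is the "faster detection of unwanted configuration modifications" that slide 60 calls out. The record layout is CloudTrail's; the account ids, ARNs and records are constructed sample data.

```python
"""Detection logic over CloudTrail records (added example, not from the talk)."""
import json

# Events that disable or tamper with logging; assumed watchlist, extend as needed.
AUDIT_TAMPERING_EVENTS = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("s3.amazonaws.com", "PutBucketPolicy"),
    ("s3.amazonaws.com", "DeleteBucket"),
}


def detect(log_text, expected_accounts):
    """Return alert strings for one CloudTrail log file (JSON text with a Records list)."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        source, name = rec.get("eventSource", ""), rec.get("eventName", "")
        account = rec.get("recipientAccountId", "")
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        where = f"{account} by {actor} from {rec.get('sourceIPAddress', '?')}"
        # A record from an account that is not a known member of the organization
        # means the trail is collecting from somewhere the inventory does not cover.
        if account not in expected_accounts:
            alerts.append(f"UNEXPECTED_ACCOUNT {source}:{name} in {where}")
        if (source, name) in AUDIT_TAMPERING_EVENTS:
            alerts.append(f"AUDIT_TAMPERING {source}:{name} in {where}")
    return alerts


# Constructed sample: three records as they would arrive in the centralized account.
EXPECTED_ACCOUNTS = {"111111111111", "222222222222"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2020-11-25T01:00:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Dev/alice"},
     "sourceIPAddress": "10.1.1.20", "recipientAccountId": "111111111111"},
    {"eventVersion": "1.08", "eventTime": "2020-11-25T01:05:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::222222222222:user/legacy-app"},
     "sourceIPAddress": "198.51.100.7", "recipientAccountId": "222222222222"},
    {"eventVersion": "1.08", "eventTime": "2020-11-25T01:06:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::333333333333:root"},
     "sourceIPAddress": "198.51.100.7", "recipientAccountId": "333333333333"},
]})

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, EXPECTED_ACCOUNTS):
        print(alert)
```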
  65. Security monitoring based on Posture Management

  66. Security monitoring based on Posture Management: What is Posture Management?
    CSPM (Cloud Security Posture Management)
    › Asset inventory and classification speed and accuracy
    › Continuously monitor and assess compliance policies
    › Monitoring operational policies and configuration for performance
    › Collecting artifacts and insight into incidents for incident response
  69. Security monitoring based on Posture Management: What is Posture Management?
    (diagram) CSPM tooling: OSS, proprietary software, and CSP-provided services such as AWS Config
  70. Security monitoring based on Posture Management: Legacy metrics sources for incident response
    (diagram) Host-based security logs, Network-based security logs, User behavior audit logs, Cloud Activity logs, Billing info, Cloud Security Posture Management

  71. Security monitoring based on Posture Management: Cloud based metrics sources for incident response
    (same diagram as slide 70)
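One concrete posture check of the kind slide 66 describes ("continuously monitor and assess compliance policies"), applied to the network access control of slide 55, as an added example that is not part of the talk or LINE's own CSPM: every security-group ingress rule on a management port must have a source CIDR inside one of the LINE Network ranges given on slide 55. The input has the shape of the IpPermissions list that EC2 DescribeSecurityGroups returns; the monitored ports (SSH, RDP), the group id and the rules are assumed or constructed sample data.

```python
"""CSPM-style check of security-group ingress (added example, not from the talk)."""
import ipaddress

# Allowed source networks, from slide 55; everything else is a finding.
ALLOWED_SOURCES = [ipaddress.ip_network(c) for c in
                   ("10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24")]
MANAGEMENT_PORTS = {22, 3389}  # assumed: SSH and RDP are the monitored ports


def _covers_port(perm, port):
    """True if the IpPermission's protocol and port range include `port`."""
    if perm.get("IpProtocol") == "-1":          # "-1" means all traffic
        return True
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def check_ingress(group_id, ip_permissions, allowed=ALLOWED_SOURCES,
                  ports=MANAGEMENT_PORTS):
    """Return (group_id, port, cidr) findings for management-port ingress
    whose source is not contained in an allowed network (IPv4 ranges only)."""
    findings = []
    for perm in ip_permissions:
        for port in ports:
            if not _covers_port(perm, port):
                continue
            for rng in perm.get("IpRanges", []):
                cidr = ipaddress.ip_network(rng["CidrIp"])
                if not any(cidr.subnet_of(net) for net in allowed):
                    findings.append((group_id, port, str(cidr)))
    return sorted(set(findings))


# Constructed sample: one group, three rules as returned by DescribeSecurityGroups.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.1.1.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "10.1.2.64/26"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.9.0.0/16"}]},
]

if __name__ == "__main__":
    for finding in check_ingress("sg-example", SAMPLE_PERMISSIONS):
        print(finding)
```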
  72. Next steps

  73. Next steps
    › SOAR (Security Orchestration, Automation, and Response) for Hybrid cloud
    › Enhancement of security based on CSPM (Cloud Security Posture Management)
  74. Thank you