Build and Manage a Highly Secure Cloud Environment on AWS and Azure
CloudCheckr Webinar - August 1st, 2019
Frameworks
• Cloud Adoption Framework (CAF) – AWS
• Well Architected Framework (WAF) – AWS
• Game Days – Various
• Reference Implementations – AWS
• Industry Organizations – Government/Non-Government
Cloud Adoption Framework (CAF)
• Perspectives
  • Business
    • Value Realization
  • People
    • Roles & Readiness
  • Governance
    • Prioritization & Control
  • Platform
    • Applications & Infrastructure
  • Security
    • Risk & Compliance
  • Operations
    • Manage & Scale
Security Perspective
• Directive
  • Account Ownership and contact information
  • Change and asset management
  • Least privilege access
• Preventive
  • Identity and access
  • Infrastructure protection
  • Data protection
• Detective
  • Logging and monitoring
  • Asset inventory
  • Change detection
• Responsive
  • Vulnerabilities
  • Privilege escalation
  • DDoS attack
Well Architected Framework (WAF)
• Pillars
  • Operational Excellence
  • Security
  • Reliability
  • Performance Efficiency
  • Cost Optimization
• Lenses
  • Serverless
  • High Performance Computing (HPC)
  • Internet of Things (IoT)
Security Pillar
• Design Principles
  • Implement a strong identity foundation
  • Enable traceability
  • Apply security at all layers
  • Automate security best practices
  • Protect data in transit and at rest
  • Prepare for security events
• Best Practices
  • Identity and Access Management
  • Detective Controls
  • Infrastructure Protection
  • Data Protection
  • Incident Response
Game Days
• Define
  • Workload, Personnel, Scenario, Environment, Schedule
• Execute
  • Start, Middle, End
• Analyze
  • Debrief, Examine, Document, Root Cause Analysis (RCA), Correction of Error (CoE)
Reference Implementations
• “NIST Quickstart”
  • Based on Cybersecurity Framework, SP 800-53, SP 800-37
  • Corresponding Guide + Controls Matrix
  • CIS and PCI Variants Available
  • Good starting point
Industry Organizations
• National Institute of Standards and Technology (NIST)
• Center for Internet Security (CIS)
• Cloud Security Alliance (CSA)
• International Information System Security Certification Consortium (ISC2)
• Open Web Application Security Project (OWASP)
• MITRE
• Payment Card Industry (PCI)
• Secure Controls Framework (SCF)
• Feisty Duck
• ThreatResponse
Preventative Controls - Baseline
• VPC: Security Groups (Stateful Firewall) + NACLs (Stateless Firewall)
• WAF: Layer 7 WAF
• Shield + Auto Scaling + ELB + CloudFront: DoS/DDoS Protection
• VPC: VGW (Point to Point and IPSEC Connectivity) + Peering (VPC to VPC Connectivity) + Endpoints (Private Connectivity to AWS Services)
• IAM + Directory Service + SSO: Standalone and Federated AAA
• KMS: FIPS 140-2 Certified cryptographic module with integration to various AWS services; supports key expiration and lets you supply self-generated cryptographic material
• Secure Credential Storage: Secrets Manager, Systems Manager
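The stateful/stateless distinction on this slide is the one that bites when a NACL is written like a security group. The following is an added illustration, not code from the webinar, CloudCheckr or AWS: a small Python model in which a security group remembers connections it has allowed while a NACL judges every packet on its own, so a NACL carrying only an inbound HTTPS rule drops the server's replies until an outbound rule for the ephemeral port range is added. The Packet and Rule classes, the addresses and the rule numbers are all constructed for the example.

```python
"""Stateful (security group) vs. stateless (NACL) filtering, modelled in plain Python.

Added illustration for the VPC baseline slide; not CloudCheckr's or AWS's code.
The Packet/Rule classes and the sample addresses are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny" (security groups only ever allow)
    direction: str           # "inbound" or "outbound"
    peer_cidr: str           # source CIDR for inbound rules, destination CIDR for outbound
    ports: Tuple[int, int]   # destination port range the rule covers


def _matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    if rule.direction != direction:
        return False
    peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    in_cidr = ipaddress.ip_address(peer) in ipaddress.ip_network(rule.peer_cidr, strict=False)
    return in_cidr and rule.ports[0] <= pkt.dst_port <= rule.ports[1]


class SecurityGroup:
    """Stateful: once a packet is allowed, the reply direction is allowed automatically."""

    def __init__(self, rules: List[Rule]):
        self.rules = [r for r in rules if r.action == "allow"]
        self.tracked: Set[Tuple] = set()   # 5-tuples of connections already permitted

    def evaluate(self, pkt: Packet, direction: str) -> bool:
        reply_of = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto)
        if reply_of in self.tracked:
            return True                    # return traffic of a tracked connection
        if any(_matches(r, pkt, direction) for r in self.rules):
            self.tracked.add((pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto))
            return True
        return False


class NetworkAcl:
    """Stateless: every packet is judged on its own; lowest rule number that matches wins."""

    def __init__(self, numbered_rules: List[Tuple[int, Rule]]):
        self.rules = sorted(numbered_rules, key=lambda nr: nr[0])

    def evaluate(self, pkt: Packet, direction: str) -> bool:
        for _, rule in self.rules:
            if _matches(rule, pkt, direction):
                return rule.action == "allow"
        return False                       # implicit deny when nothing matches


def demo() -> dict:
    client, server = "203.0.113.10", "10.0.1.20"        # constructed addresses
    request = Packet(client, server, 50123, 443)
    reply = Packet(server, client, 443, 50123)
    https_in = Rule("allow", "inbound", "0.0.0.0/0", (443, 443))

    sg = SecurityGroup([https_in])
    # NACL with only the inbound rule: the reply leaves on an ephemeral destination port
    nacl_no_ephemeral = NetworkAcl([(100, https_in)])
    # Corrected NACL: explicit outbound rule for the ephemeral port range
    nacl_ok = NetworkAcl([(100, https_in),
                          (100, Rule("allow", "outbound", "0.0.0.0/0", (1024, 65535)))])
    # Deny rule numbered below the allow: first match wins, so the /24 is blocked
    nacl_blocklist = NetworkAcl([(50, Rule("deny", "inbound", "203.0.113.0/24", (0, 65535))),
                                 (100, https_in)])
    return {
        "sg_request": sg.evaluate(request, "inbound"),
        "sg_reply": sg.evaluate(reply, "outbound"),                     # no outbound rule needed
        "nacl_reply_without_ephemeral_rule": nacl_no_ephemeral.evaluate(reply, "outbound"),
        "nacl_reply_with_ephemeral_rule": nacl_ok.evaluate(reply, "outbound"),
        "nacl_request_from_denied_cidr": nacl_blocklist.evaluate(request, "inbound"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DROP'}")
```

Running the file prints one ALLOW/DROP line per scenario. The model deliberately keeps the NACL rule numbers per direction, as AWS does, and shows the other NACL property that security groups lack: an explicit deny placed ahead of a broader allow.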
Preventative Controls - Workloads
• AWS Auto Scaling: EC2, Dynamo, Aurora Autoscaling
• Code Commit/ECS: Secure Application and Artifact Repository
• Code Deploy/Run Command: “Hands off” OS and configuration management + application deployment
• EC2: Systems Manager (OS and above patching + auditing)
• AWS Backup: EC2, RDS, EFS, Dynamo Backups
• Workspaces: Secure Bastion
• OpsWorks + Elastic Beanstalk: “Hands off” infrastructure management
• Host based security: Trend Micro Deep Security, etc.
Detective Controls
• Config: Point in time snapshots of configuration items, exportable as JSON to idempotent storage
• Tags: Built-in asset + inventory marking and tracking on configuration items
• S3/Glacier: File based storage with AAA, versioning, secure delete + policy based retention
• VPC: Flow Logs (NetFlow) + Port Mirroring (New!)
• CloudWatch Logs: OS and above log management
• CloudTrail: Audit Trail, exportable as JSON to idempotent storage
• CloudFront, ALB and WAF: All log (CloudFront and ALB in S3, WAF in Kinesis)
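Because CloudTrail exports as JSON, the "change detection" item from the Security Perspective can be built directly on the log files. The block below is an added example, not code from the webinar, CloudCheckr or AWS: it reads a CloudTrail-shaped log file and emits a finding for events that weaken logging or widen access. The records are constructed to follow the CloudTrail record layout (a `Records` array, `eventName`, `userIdentity`, `requestParameters`); the event names in `WATCHED_EVENTS` are real AWS API names chosen as examples, and the account id, security group ids and addresses are made up.

```python
"""Triage of a CloudTrail JSON log file for security-relevant changes.

Added illustration for the detective-controls slide; not CloudCheckr's or AWS's code.
The records below are constructed to follow the CloudTrail record shape, and the
event names in WATCHED_EVENTS are real AWS API names chosen as examples.
"""
import json
from typing import Dict, List

# Constructed sample log file (CloudTrail delivers {"Records": [...]} objects).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-08-01T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2019-08-01T14:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2019-08-01T14:07:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.2.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/alice"},
     "requestParameters": {"groupId": "sg-0fedcba9876543210", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}}},
    {"eventTime": "2019-08-01T14:09:55Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.2.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/alice"},
     "requestParameters": {}},
]})

# Events that weaken logging or widen access; the text is the reason recorded in the finding.
WATCHED_EVENTS = {
    "StopLogging": "audit trail disabled",
    "DeleteTrail": "audit trail deleted",
    "DeleteFlowLogs": "VPC flow logging removed",
    "PutBucketPolicy": "S3 bucket policy changed",
    "CreateAccessKey": "new long-lived credential issued",
    "AttachUserPolicy": "policy attached directly to an IAM user",
}


def opens_to_world(record: Dict) -> bool:
    """True when an ingress authorization includes 0.0.0.0/0 or ::/0."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return True
    return False


def principal_of(record: Dict) -> str:
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def triage(log_text: str) -> List[Dict]:
    """Return one finding per record that matches a watched event or a world-open ingress."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        name = rec.get("eventName", "")
        base = {"time": rec.get("eventTime"), "event": name,
                "principal": principal_of(rec), "source_ip": rec.get("sourceIPAddress")}
        if name in WATCHED_EVENTS:
            findings.append({**base, "reason": WATCHED_EVENTS[name]})
        elif name == "AuthorizeSecurityGroupIngress" and opens_to_world(rec):
            findings.append({**base, "reason": "security group opened to the internet",
                             "group": rec["requestParameters"].get("groupId")})
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['principal']:<12} {f['event']:<32} {f['reason']}")
```

Of the four constructed records, only the world-open SSH rule and the `StopLogging` call produce findings; the ingress restricted to 10.0.0.0/16 and the read-only `DescribeInstances` pass. The same loop runs unchanged over the gzipped files CloudTrail delivers to S3 once they are decompressed, which is the point of exporting to idempotent storage: the detection can be re-run over history.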
Enforcing Controls – AWS
• ControlTower
• Security Hub
• Service Catalog
• CloudFormation
• Guard Duty
• Inspector
• Macie
• Trusted Advisor
• Config Rules
Enforcing Controls – Third Party
• CIS CAT
• CloudCheckr
• AlertLogic
• Tenable
• Sumologic
Incident Response
• Disk Snapshots
  • Don’t forget to remove from retention policy
  • Automated with ThreatResponse
• Memory Snapshots
  • Automated with ThreatResponse
• Logs
  • Don’t forget to remove from retention policy
  • Query and Correlate with Athena
• Block Access
• Revert to Known Good State
• Identify/Correct Root Cause
• Rotate Credentials (people and things)
• Measure
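The slide repeats "don't forget to remove from retention policy" for both disk snapshots and logs, because a lifecycle rule that runs on schedule will happily delete evidence mid-investigation. The following is an added model of that step, not code from the webinar, CloudCheckr or ThreatResponse: a tag-based hold is placed on the artifacts that belong to a case, and the retention sweep is written to check the hold before it checks age. The artifact inventory, the `ir:hold` tag key, the case id and the retention periods are constructed; against real infrastructure the same two functions would read snapshot and object metadata instead of the in-memory list.

```python
"""Keeping incident evidence out of the retention sweep (constructed model).

Added illustration for the incident-response slide; not CloudCheckr's or
ThreatResponse's code. The artifact inventory, the HOLD_TAG key and the case id
are constructed; a real sweep would read snapshot and object metadata instead.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Artifact:
    artifact_id: str
    kind: str                      # "ebs-snapshot" or "log-object"
    created: datetime
    tags: Dict[str, str] = field(default_factory=dict)


HOLD_TAG = "ir:hold"   # constructed tag key; its value is the case the artifact belongs to


def place_hold(inventory: List[Artifact], artifact_ids: List[str], case_id: str) -> List[str]:
    """Tag the named artifacts so the retention sweep skips them; fail loudly if one is missing."""
    held = []
    for art in inventory:
        if art.artifact_id in artifact_ids:
            art.tags[HOLD_TAG] = case_id
            held.append(art.artifact_id)
    missing = set(artifact_ids) - set(held)
    if missing:
        raise LookupError(f"evidence not found in inventory: {sorted(missing)}")
    return held


def retention_sweep(inventory: List[Artifact], now: datetime,
                    max_age: Dict[str, timedelta]) -> Dict[str, List[str]]:
    """Classify each artifact as delete / keep / held without deleting anything."""
    plan = {"delete": [], "keep": [], "held": []}
    for art in inventory:
        if HOLD_TAG in art.tags:
            plan["held"].append(art.artifact_id)      # a hold always beats age
        elif now - art.created > max_age[art.kind]:
            plan["delete"].append(art.artifact_id)
        else:
            plan["keep"].append(art.artifact_id)
    return plan


def demo():
    now = datetime(2019, 8, 1, 12, 0, 0)
    inventory = [   # constructed inventory
        Artifact("snap-0a1b2c3d4e5f60718", "ebs-snapshot", now - timedelta(days=40)),
        Artifact("snap-0f9e8d7c6b5a49382", "ebs-snapshot", now - timedelta(days=2)),
        Artifact("trail/2019/06/15/part-00.json.gz", "log-object", now - timedelta(days=47)),
        Artifact("trail/2019/07/30/part-00.json.gz", "log-object", now - timedelta(days=2)),
    ]
    policy = {"ebs-snapshot": timedelta(days=30), "log-object": timedelta(days=45)}
    evidence = ["snap-0a1b2c3d4e5f60718", "trail/2019/06/15/part-00.json.gz"]

    before = retention_sweep(inventory, now, policy)   # what the sweep would remove as-is
    place_hold(inventory, evidence, "IR-2019-0801")     # constructed case id
    after = retention_sweep(inventory, now, policy)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("without hold, sweep deletes:", before["delete"])
    print("with hold, sweep deletes:   ", after["delete"], "| held:", after["held"])
```

The dry-run shape (return a plan, delete nothing) is what lets the sweep be checked against the case's evidence list before it is allowed to act, and `place_hold` failing on an unknown id catches the common mistake of holding a snapshot id that was mistyped in the ticket.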
Conclusion
• Iterate the introduction of your security controls – some in the short term is better than none in the long term.
• Detective Controls are just as important as Preventative Controls; they play a significant role in incident detection and response.
• Whether your workload is on AWS or not, AWS services can be used to supplement your controls.
• There is no lack of frameworks – pick and choose from them to make a framework that works best for your organization’s needs.


Editor's Notes

  • #9 https://aws.amazon.com/quickstart/architecture/accelerator-nist