Building a More Secure Cloud Architecture

Transcription

1 Building a More Secure Cloud Architecture Jerry Archer SVP and CSO Let s Make College Happen

2 Security Guiding Principles in the Cloud Secure Perimeter Micro-segmentation -- isolating applications and data with a hardened configuration immune to attack Strong abstraction layer from hardware and VM environment Restricted visibility into computing environment Discrete and limited perimeter which can be subjected to effective monitoring Continuous Encryption Encryption of data at rest Encryption of data in transit Secure key management-- leveraging PKI for transaction functions Ready Incident Response Hybrid automation and manual response Continuous Monitoring Reachable attachment points for monitoring capabilities through comprehensive APIs Robust monitoring data availability Easy integration of third party monitoring capabilities Resilient Operations Capable of withstanding attack Minimal degradation of performance as a result of environmental failures Continuous function in the presence of a ongoing attack Highly Granular Access Control Capable highly granular resource allocation Strong cryptographic identity management Ubiquitous users, administrators, applications, data Governance, Risk Management, Compliance Visibility of configurations Auditable evidence Readily identify gaps or other weaknesses Broad regulatory and compliance certifications

3 Basic AWS Building Block: Virtual Private Cloud (VPC) VPC is a logically isolated section of AWS cloud using SDN functionality Complete control over the virtual networking environment IP address ranges Creation of subnets, route tables and network gateways. Supporting both IPv4 and IPv6 Custom Sallie Mae AWS network configuration (template based) Front office public-facing subnet for webservers Backend systems private-facing subnets with no Internet access Multiple layers of security, including security groups and network access control lists limiting access Virtual Private Network (VPN) connection between corporate datacenter and Sallie Mae VPCs

4 Software Defined Perimeter (SDP) Pre-authenticated Eliminates major vulnerability in TCP/IP Authentication prior to connection Context-aware (granular access control) Secure access to enterprise applications Isolating communications to end-user devices Enables rapid identification and prevention of network-based cyberattacks such as denial of service, connection hijacking, and credential theft. Significant improvement in vulnerability management Leverages industry standard security capabilities (SAML, PKI, and mutually authenticated TLS) SDP Controller functions as a trust broker between the SDP Client and back-end security controls such as Issuing Certificate Authority (CA) and identity provider (SAML) An open standard and controller code supported by Cloud Security Alliance (CSA)

5 Sallie Mae Virtual Enclave: Leveraging AWS VPC to Achieve Robust Cloud Security Implementation of the Virtual Enclave (VE) architecture utilizes microsegmentation to provide customizable, strong logical isolation of Sallie Mae systems and services using software defined security techniques. Meeting all of the essential elements of security in the cloud. Benefits of this implementation: Leverages basic building block of AWS Virtual Private Clouds (VPCs) Granular inter/intra VE visibility/access Leverage of AWS native encryption within the VE Limit client device access (granular access control) Enhanced perimeter with Software Defined Perimeter (SDP) Invisibility of the VE

6 Integrated Cloud Security and Architecture with SDP IAM Dynamic Access Leases Forensics Preservation Ready Incident Response Perimeter Security WAF, F/W, IPS, IDS, DDoS Threat Monitoring / Hunting Region Lock 24/7 SOC Tamper Protection ServiceNow Bastian Host DMZ Advanced IAAS Endpoint Protection Secure Web Gateway (Egress) Malware, Content, DLP inspection Governance, Risk and Compliance Auto- Remediation Non Compliance Centralized Egress Endpoint Continuous Compliance Monitoring Highly Granular Access Control Active Directory Federation Strong User Authentication Continuous Encryption Machine Learning, UBA Log Immutability Resilient Operations