SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS

Transcription

1 WHITE PAPER SECURING AWS ACCESS WITH MODERN IDENTITY SOLUTIONS The Challenges Of Securing AWS Access and How To Address Them In The Modern Enterprise Executive Summary When operating in Amazon Web Services (AWS) it is important to understand your responsibility when it comes to security. AWS operates under a shared security responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure and you, the AWS customer, are responsible for securing workloads you deploy in AWS. IT administrators and Security Officers should educate themselves on how to leverage AWS Identity and Access Management (IAM) configuration to protect access to AWS resources in a way that enhances security yet doesn t hinder productivity. The path to securing AWS access in the enterprise runs through securing AWS sign-in and configuring least privilege access across multiple accounts. The solution is elimination of passwords with Single Sign-On (SSO) and automated provisioning of AWS roles across all AWS accounts. This is made possible by integrating with a modern identity solution such as OneLogin s cloud directory. The benefits are improved security by reducing risk of identity theft, an increase in productivity with faster access to applications and services, and significant savings for IT with automation and end-user self-service. In this whitepaper we articulate the technical challenges of securing AWS access and the value proposition of an identity platform for the modern enterprise. In addition, we offer a brief introduction to OneLogin and instructions on how to create a free account. Content Executive Summary AWS Security And Enterprise SaaS Challenges Single-Sign On: Eliminating Passwords And Enhancing Access Management Automating Least Privilege Access: Provisioning AWS Roles Across Multiple Accounts Putting It All Together: Modern Identity for Cloud Apps And Services Securing Corporate-Wide Access OneLogin Roles & Mappings: Automating Complex Access Management Summary of Value and Getting Started With OneLogin AWS Security And Enterprise SaaS Challenges When operating in Amazon Web Services (AWS) it is important to understand your responsibility when it comes to security. AWS operates under a shared security responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure and you are responsible for securing workloads you deploy in AWS. This gives you the flexibility and agility you need to implement the most applicable security controls for your business functions in the AWS environment. You can tightly restrict access to environments

2 2 that process sensitive data, or deploy less stringent controls for information you want to make public. This shared security responsibility model can reduce your operational burden in many ways, and in some cases may even improve your default security posture without additional action on your part. AWS security is a full set of products to meet security infrastructure needs, such as protection from various network attacks, data storage encryption, monitoring and logging. IT administrators should educate themselves on ways to leverage these products, starting with AWS Identity and Access Management (IAM) configuration to protect access to AWS resources. Effective security requires granular access control, and AWS IAM provides the ability to implement a level of fine grained access. With AWS IAM, admins are able to quickly create users and groups, and assign each a fine-grained policy for accessing just the AWS services and actions that the user needs. As an admin, you have the power to give engineers the privileges they need for their tasks while restricting them from risky actions such as restarting production instances on EC2, modifying parts of the network configuration on VPC, or deleting files from certain S3 accounts. These are merely examples, and what is important to remember is that it is possible to apply a policy that lets the engineer do exactly what she needs to do and ensure that she cannot do things that are not part of her job, ensuring that there are no intentional or accidental actions taken. With the functionality provided by AWS IAM, organizations are able to implement the right level of access controls to allow employee productivity while maintaining the appropriate security controls. While AWS offers a robust set of IAM tools designed to secure your AWS account, AWS does not have organizational context which is critical to determine access to sensitive resources. While AWS offers a robust set of IAM tools designed to secure your AWS account, AWS does not have organizational context such as the reporting structure and roles, organization-wide security policies, HR processes, and productivity needs - all critical to accurately determine who should have access to sensitive resources at any point in time. Authentication and authorization of employees should be unified across all corporate applications, services and resources into a Single Sign-On (SSO) solution, and combined with the right means of additional security such as multi-factor authentication (MFA). To accomplish this effectively and efficiently, administrators would need a single integration point for applications, services, corporate directories and security layers. Without extending AWS security to the organization, administrators face the dual challenge of 24x7 uptime for applications built on top of AWS, along with the task of constantly aligning their AWS security with the organization to protect AWS resources from both internal and external threats such as warranted or malicious application access to sensitive data.

3 3 So, while AWS offers granularity and flexibility for protecting access to all AWS platform resources, what remains critical for security champions such as IT administrators and Security Officers to do is educate themselves on how to leverage the power of AWS IAM in a way that enhances security yet doesn t hinder productivity. A modern identity platform plays a big role in making that a reality. Single-Sign On: Eliminating Passwords And Enhancing Access Management Identity theft accounted for 64% 1 of all data breaches in the first half of To understand the reason for it, consider the challenges of deploying and supporting an average of SaaS applications and services, such as Box, AWS and Slack, in the average enterprise. As a result, companies seek to protect their sensitive data by eliminating app-specific passwords, and govern the authentication policy with means like IP-based restrictions, multi-factor authentication, password policies and organizational context - e.g. executive functions need stronger security. IT administrators are tasked with reducing user authentication complexity and risks by unifying all authentication into a Single Sign-On solution that applies to all corporate employees. AWS enables you to tie an identity solution into your AWS account to control access to your AWS resources, thus enabling administrators to simplify and automate secure sign-in and and access control. The first step to implementing and benefiting from this kind of integration is to understand the power of SAML. The challenges of supporting an average of 730 SaaS apps in the modern enterprise lead companies to protect their sensitive data by eliminating app-specific passwords, and using advanced means like multi-factor authentication. SAML (Security Assertion Markup Language) is an XML-based standard which passes login information through a browser between an identity provider server (e.g. appears to the user as a login page) and a 3rd party web application or service. SAML provides apps with tokens instead of credentials for logging in users. End-users only have to signin once to an identity provider which can forward the secure tokens to any app that supports SAML. Key benefits include: 1. Administrators do not need to manually align app-specific access with the corporate directory. After a 5-minute setup for any given app or service that supports SAML, only corporate users would be able to login to corporate apps, with the option of advanced policies like role-based access. 2. End-users enjoy a frictionless sign-in experience. If they are already signed in to their corporate account, they can immediately access 1 Source: Gemalto data breach statistics, Sep Source: Cisco

4 4 the AWS Management Console securely and simply click through to the desired service, significantly reducing the threat of phishing. 3. The identity provider maintains organizational integrity and verifies that only active users are logged in. This significantly reduces the risk of compromised accounts and minimizes orphan accounts. Fortunately for administrators, AWS was built with highly flexible and advanced SAML support that enables administrators to extend AWS access to their organization, with the help of a modern identity solution. AWS, paired with an identity solution, enables companies to accomplish frictionless and secure SSO based on a corporate directory, but there is another challenge: scaling this secure solution across multiple AWS accounts, and tightening security with least privilege access using multiple roles. AWS, paired with an identity solution, enables companies to accomplish frictionless and secure SSO based on a corporate directory. Automating Least Privilege Access: Provisioning AWS Roles Across Multiple Accounts When looking at a large or a fast-growing engineering organization, companies are dealing with serious security concerns for the more critical parts of their business. For example, engineers, technical marketers, and solutions architects should have the freedom to spin up test instances, but only a subset of engineers in dev operations and tech operations roles should have any access to production instances. This simple requirement becomes a true challenge when taking into account complex deployments, multiple engineering departments with different resources and needs, and requirements such as compliance and auditing, e.g. every access must be accounted for. To deal with this critical security requirement, companies seek a secure access solution that separates AWS environments based on security and productivity concerns and applies an access control policy that takes into consideration all security and engineering needs across the organization. With this approach in place, organizations can scale the AWS solution across many environments, including multiple test, staging and production accounts, as well as enable engineers to use least privilege access when performing critical AWS tasks. Fortunately, AWS supports highly granular user policies, even across multiple accounts. For example, one policy could give users only read access to a specific Amazon S3 bucket, while another policy could give users only execute access to launch Amazon EC2 instances. This role granularity is the IT administrator s best friend, but it requires extending it to the organization for role assignments to be meaningful.

5 5 This is where a full-fledged identity platform comes to the rescue, by providing smart and flexible mapping of roles from your corporate directory to roles in your AWS accounts. This mapping can leverage employee metadata such as internal department or job function in order to provide AWS with a list of AWS roles and AWS accounts that the user is allowed to access. Then, with every new login to AWS, the identity platform first calculates the right privileges for the user and passes the information to AWS to provide the right level of access. This is accomplished in real-time such that the employee metadata is always fresh and the privileges are always true to the employee s current role status and organizational role. ROLE-BASED ACCESS FIREWALL CLOUD Active Directory OneLogin AWS Optional external directory, such as on-premise AD or LDAP Role: TechOps Lead Role: DevOps Engineer Role: DevOps Lead Role: TechOps Engineer S3 Admin, VPC User, RDS Power User, Route 53 Admin EC2 Power User, IAM Admin, Route 53 User EC2 Admin, IAM Admin, Route 53 User, VPC Power User Route 53 User, S3 Power User, VPC User With the mapping of corporate metadata to AWS roles complete, users can now sign-in to their AWS Account(s). Depending on the number of roles and accounts the user has access to, she will be presented a list of all accounts and roles in the AWS Management Console dashboard, and she will be able to switch to any account and role for the task at hand. By way of extending AWS security using organizational context, we gain both maximum security and increased productivity. Putting It All Together: Modern Identity for Cloud Apps And Services We have seen how AWS enables administrators and security personnel to protect AWS access in two key ways: Secure token-based signin with SAML, and access control with granular AWS policies. In order to streamline identity information and access control in a way that enables fast and secure access to apps or services like AWS, organizations need a strong identity provider to leverage organizational context for overarching authentication and role-based access control. Modern identity platforms can be a standalone cloud directory for your users or a key integration point for all apps, services and directories, and they enable Single Sign-On as well as passing of employee metadata to apps in a number of standard ways. Organizations need a strong identity provider to leverage organizational context for overarching authentication and role-based access control.

6 6 They also support multiple security layers such as Multi-Factor Authentication IP-based restriction. In the next few sections we will look at how a solution like OneLogin can help you gain the level of security and productivity that you need. Securing Corporate-Wide Access A key strength of OneLogin is the ease of adding a new app with secure corporate-wide access. Within an hour, you can stand up a new OneLogin account that is either a standalone cloud directory with all your corporate users, or it is syncing from one or more external directories such as Active Directory or LDAP. OneLogin has over 5,000 pre-integrated apps, including the AWS Management Console for a one-click access to the AWS dashboard. As you can see in the snippet below, since the app is pre-integrated, the only thing you need is your unique AWS account identifier which you can find in your Amazon account.

7 7 You can allow select users access to the AWS Management Console within seconds, using OneLogin s app policy. Every user who is allowed to access AWS can access it directly or through OneLogin s app portal which is customized for each user with only the apps she is allowed to use: A single click and the user is signed into AWS. At this point, only active corporate users can sign into AWS. Companies gain both security and productivity. With AWS specifically, access to all AWS available accounts and services is reduced to a single access point, which can be protected with a flexible security policy. Interested in learning more about single sign-on or advanced security policies? Visit onelogin.com/aws for more information or request access to OneLogin

8 8 OneLogin Roles & Mappings: Automating Complex Access Management Moreover, an identity provider like OneLogin can make it easier to securely pass key metadata such as user identifiers and roles to integrated apps and services, like AWS and all your other corporate applications. This feature is often called user provisioning, and it can take place in the background between OneLogin and other apps, or in real-time at login, depending on the supported integration. Only advanced identity providers, like OneLogin, can separate application assignment from permission assignment. This gives administrators the flexibility to do a clean application deployment so they can configure role-based access without worrying about any users getting immediate access, and then gradually give access to users when approved and ready. A good rules engine uses simple conditions, with no need for complex code-like expressions to determine whether a user should get access. Only advanced identity providers, like OneLogin, can separate application assignment from permission assignment for SaaS apps. In this OneLogin screenshot, the Active Directory group called IT Administrators corresponds to several AWS Roles such as S3 Full Access and Route 53 Full Access. The end result is that through one connection, administrators are able to utilize a centralized administrative portal to set up multiple application rules that build on top of each other. Because these rules

9 9 all correlate to Active Directory attributes or groups, administrators can handle multiple employee joins, moves or leaves at scale. An AWS multi-role provisioning functionality greatly eases the administrative overhead to secure AWS, allowing IT to move at the speed of the business to fulfill their mandate of delivering end-user productivity. Summary of Value and Getting Started With OneLogin Cloud identity platforms, like OneLogin, provide a comprehensive solution for managing user identities both in the cloud and behind the firewall. OneLogin integrates with cloud and on-premise apps using open standards like SAML and OpenID, to provide services such as Single Sign-On with Multi-Factor Authentication for web and mobile, user provisioning into apps, multiple directory integration, and more. OneLogin comes pre-integrated with thousands of applications. With OneLogin, organizations have an identity provider that moves at the speed of their business. With OneLogin, organizations have an identity provider that moves at the speed of their business. As new applications are created or onboarded, IT can automatically provide access to the correct users. Day 1 productivity for new employees can be achieved in any new application, greatly reducing time to value and increasing productivity for the business. Learn more about user provisioning or role-based access for AWS and activate a free OneLogin account for AWS by visiting onelogin.com/aws.

10 10 Appendix A: How SAML Works SAML (Security Assertion Markup Language) is an XML-based standard which passes login information through a browser between an identity provider server (e.g. appears to the user as a login page) and a 3rd party web application or service. Below is a snippet of a typical SAML response. A full response has additional attributes, a digital signature and encryption. An AWS account is configured to accept logins via the identity solution for single sign-on, and the identity solution is configured with the information of the AWS account. The identity solution authenticates the user with corporate credentials and verifies access, and sends the user immediately to the AWS Management Console to continue working. If the user is accessing the app from a special app portal with all the apps she has access to, then she is already signed in and can launch the AWS Management Console in a single click. It is a smooth and frictionless user experience. Behind the scenes, the user is redirected from the identity solution to the AWS Management Console with a secure token which identifies the user who is associated with additional meta information such as the account identifier and permitted roles. SAML 2.0 FLOW IdP-Initiated Service Provider (e.g. AWS) User (e.g. via browser) Identity Provider (e.g. OneLogin) Request SSO Service Authenticate the user Request access to service Auth request is verified SAML token is verified Redirect to service with SAML token User is logged into service SAML token is generated with user attributes

11 11 Appendix B: How AWS Roles Work In AWS a role is essentially a set of permissions that grant access to actions and resources in AWS. Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Additionally, a role does not have any credentials associated with it. Instead, when the identity provider requests user access to the role temporary credentials will be issued to allow the user access to AWS resources. When a role is created, a permission policy is also created for the role. This permission policy defines what actions, within the AWS account, the role is allowed to perform. For identity providers an additional policy is tied to the role which states which identity providers are allowed to use the role. SAML messages, which are used to sign-in users with user identifiers as well as other metadata, include multiple Amazon Resource Names (ARN) that point to permitted accounts and roles for the user. The metadata is sourced by your identity provider based on role mappings, and it is digitally signed by the identity provider to ensure that only a trusted provider is signing in the user to the correct accounts and roles. AWS IAM Policy sample. Source: AWS

12 12 About OneLogin, Inc. OneLogin brings speed and integrity to the modern enterprise with an award-winning SSO and identity-management platform. Our portfolio of solutions secure connections across all users, all devices, and every application, helping enterprises drive new levels of business integrity and operational velocity across their entire app portfolios. The choice for innovators of all sizes such as Condé Nast, Pinterest and Steelcase, OneLogin manages and secures millions of identities across more than 200 countries around the globe. We are headquartered in San Francisco, California. For more information, log on to Facebook, Twitter, or LinkedIn. About Amazon Web Services In 2006, Amazon Web Services (AWS) began offering IT infrastructure services to businesses in the form of web services now commonly known as cloud computing. One of the key benefits of cloud computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs that scale with your business. With the Cloud, businesses no longer need to plan for and procure servers and other IT infrastructure weeks or months in advance. Instead, they can instantly spin up hundreds or thousands of servers in minutes and deliver results faster. Today, Amazon Web Services provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world. With data center locations in the U.S., Europe, Brazil, Singapore, Japan, and Australia, customers across all industries are taking advantage of the benefits of AWS.