SESSION ID: CMI-F02. Next Generation Cloud Security. Myles Hosford, Head of FSI Security & Compliance Asia, Amazon Web Services.
Agenda: Introduction to Cloud Security; Benefits of Cloud Security; Cloud APIs & Automation for Security; Next Generation Security Patterns; Conclusion.
Shared Responsibility Model: first, we need to understand the shared responsibility model.
[Diagram: On-Premise Model. The full stack is yours to run: App optimization, Scaling, High availability, Database backups, DB s/w patches, DB s/w installs, OS patches, OS installation, Server maintenance, Rack & stack, Power/HVAC/net.]
[Diagram: IaaS Model. The provider takes the lower layers (OS installation, Server maintenance, Rack & stack, Power/HVAC/net); you keep OS patches and everything above them.]
[Diagram: PaaS or SaaS Model. The provider also takes Scaling, High availability, Database backups, DB s/w patches, DB s/w installs and OS patches; you keep only App optimization.]
Cloud Provider Compliance
Benefits of Cloud Security: Inherit Global Compliance; Unprecedented Visibility; Data Protection; Global Resiliency.
Inherit Global Compliance: as a customer of a cloud provider, you might want to obtain certifications such as PCI-DSS, ISO 27001 or SOC 2. Leverage the shared responsibility model for efficiency and cost savings.
Unprecedented Visibility: Console, API and SDK activity feed the SIEM / SOC. Example: a developer changes a firewall rule and opens FTP to the Internet. The change is detected in near-real time, and APIs respond in real time to revert the change and notify the cyber security team.
Data Protection: encrypted in transit and at rest; restricted access; fully managed keys in KMS (or your own KMI); fully auditable. Applies across S3, EBS, RDS, Amazon Redshift and Amazon Glacier.
Global Resiliency: Disaster Recovery & DDoS Mitigation.
APIs & Automation
Next Generation Security Patterns: 1. Everything as Code - Enforce Security by Consistency; 2. Immutable Infrastructure - Keep Humans Away from Data; 3. Ephemeral Servers - Defeat Malware / APT; 4. Automate Compliance & Audit - Keep Regulators Happy!
SECURITY PATTERN 1: EVERYTHING AS CODE. Everything as code (EaC) is the practice of managing and provisioning systems, networks, data, configuration and security settings through machine-readable definition files.
Everything as Code, current state: Gather Requirements, then Design Architecture, then Build and Deploy.
[Diagram: Everything as Code. Stakeholders: Cyber Security, IT Audit, Application, Operations.]
Everything as Code: Gather Requirements, then Design Architecture, then Represent as Code.
[Diagram: Everything as Code. The same code definition deployed to Environment 1, Environment 2, ... Environment N.]
Everything as Code
Everything as Code. Example: a definition that allows any IP on the Internet to reach Telnet, an insecure, clear-text protocol. The mis-configuration is prevented and detected BEFORE the environment is even built!
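An added example, not from the deck or from AWS, of the pre-build check this slide describes: it scans a CloudFormation template for security-group ingress rules that expose Telnet (this slide) or FTP (the visibility slide) to any IP on the Internet, so the template can be rejected before anything is provisioned. The template, resource names and the port list are constructed for the example.

```python
import json

# Clear-text protocols called out in the deck: FTP (visibility slide) and Telnet (this slide).
CLEAR_TEXT_PORTS = {21: "FTP", 23: "Telnet"}
ANY_IP = ("0.0.0.0/0", "::/0")   # "any IP on the Internet"

def open_cleartext_rules(template):
    """Return (resource, service, cidr) for every AWS::EC2::SecurityGroup ingress rule
    in a CloudFormation template that lets the whole Internet reach a clear-text port."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in ANY_IP:
                continue                      # scoped source: not this check's concern
            proto = str(rule.get("IpProtocol", "-1")).lower()
            if proto == "-1":                 # CloudFormation: -1 = all protocols, all ports
                lo, hi = 0, 65535
            elif proto in ("tcp", "6"):
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            else:
                continue                      # UDP/ICMP rules cannot carry Telnet or FTP
            for port, service in CLEAR_TEXT_PORTS.items():
                if lo <= port <= hi:          # a wide range covering the port counts too
                    findings.append((name, service, cidr))
    return findings

def check_template(text):
    """Parse a JSON template and return its findings (empty list = safe to build)."""
    return open_cleartext_rules(json.loads(text))

# Constructed sample template, not taken from the deck: one scoped SSH rule, one Telnet rule
# open to the world, one "all traffic" rule open to the IPv6 Internet, and a non-SG resource.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin access",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
            {"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23, "CidrIp": "0.0.0.0/0"}]}},
    "WideOpenSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "everything",
        "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIpv6": "::/0"}]}},
    "LogBucket": {"Type": "AWS::S3::Bucket"}}})

if __name__ == "__main__":
    for resource, service, cidr in check_template(SAMPLE_TEMPLATE):
        print(f"{resource}: {service} reachable from {cidr}; block the deployment")
```

Wire check_template into the pipeline step that validates templates and fail the build on a non-empty result; the "all traffic" rule shows why a port-range check is needed rather than an exact-port match.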
SECURITY PATTERN 2: IMMUTABLE INFRASTRUCTURE. Immutable infrastructure is an approach to managing services and software deployments on IT resources wherein components are replaced rather than changed.
Keep Humans Away From Data
CI/CD Pipeline to Keep Humans Away. Continuous Integration: Source Control (commit changes), then Build (build artifacts). Continuous Delivery: Testing & Staging (deploy to test environment; run integration, security, load and other tests), then Production (deploy to production environment), then Maintain (manage runtime).
SECURITY PATTERN 3: EPHEMERAL SERVERS. Do not treat servers like pets. The longer they live, the greater the chance of compromise and of an APT maintaining access.
Ephemeral Servers: use APIs to determine how long servers have been living, and automatically replace servers >= 30 days old (or 7 days, or 1 day). aws ec2 describe-instances returns the LaunchTime attribute of each instance. The equivalent check run on the server itself (uptime prints the day count as its third field once the host has been up for at least one day, followed by a comma that must be stripped before the numeric comparison):

UPTIME=$(uptime | awk '{print $3}' | tr -d ',')   # days up, trailing comma removed
if [ "$UPTIME" -ge 30 ]; then
  # Make an API call to queue the server termination after launching replacement
  :   # placeholder so the block is valid shell until the API call is filled in
fi
SECURITY PATTERN 4: AUTOMATING COMPLIANCE. Using APIs to describe your entire environment in near-real time, calculate your compliance position and mitigate risk accordingly.
Automating Compliance against regulatory frameworks: MAS TRM, MAS Outsourcing, ABS Key Controls.
Automating Compliance
Automating Compliance: combine API-driven services with automation.
Automating Response: automatically respond to non-compliance. Example: a user launches a new server without encryption; AWS Config reviews the change against controls you define in near real time; an automated response then either performs the encryption or terminates the server.
Apply Next Generation Cloud Security. Next week you should: hire a developer for your security organization; you need them. In the first three months following this presentation you should: identify areas of operational risk that can be lowered by leveraging the cloud shared responsibility model. Within six months you should: automate processes to keep humans away from the data. Set big goals (80% reduction)!