Aspirin as a Service: Using the Cloud to Cure Security Headaches

Similar documents
CSV-W14 - BUILDING AND ADOPTING A CLOUD-NATIVE SECURITY PROGRAM

Power Up/Level Up: Supercharging Your Security Program for Cloud and DevOps. Rich

PRAGMATIC SECURITY AUTOMATION FOR CLOUD

Lift and Shift, Don t Lift and Pray: Pragmatic Cloud Migration Strategies

NEXT GENERATION CLOUD SECURITY

Getting started with AWS security

DevOps Agility in the Evolving Cloud Services Landscape

Pragmatic Cloud Security

DevOps Tooling from AWS

Eyes Everywhere: Monitoring Today's Borderless Landscape

Getting started with AWS security

Tidal Forces: The Changes Ripping Apart Security as We Know It

CLOUD WORKLOAD SECURITY

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

SBB. Java User Group 27.9 & Tobias Denzler, Philipp Oser

DevSecOps Why Aren t You Doing It? Brian Liceaga, CISSP 1

Architecting for Greater Security in AWS

AWS Reference Design Document

How can you implement this through a script that a scheduling daemon runs daily on the application servers?

Accelerate at DevOps Speed With Openshift v3. Alessandro Vozza & Samuel Terburg Red Hat

Automating Security Practices for the DevOps Revolution

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Database Engineering. Percona Live, Amsterdam, September, 2015

Elizabeth Lawler CEO & Co-Founder Conjur,

Getting Started with AWS Security

Security & Compliance in the AWS Cloud. Amazon Web Services

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

Advanced Continuous Delivery Strategies for Containerized Applications Using DC/OS

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

Distributed CI: Scaling Jenkins on Mesos and Marathon. Roger Ignazio Puppet Labs, Inc. MesosCon 2015 Seattle, WA

DEVOPSIFYING NETWORK SECURITY. An AlgoSec Technical Whitepaper

DevOps on AWS Deep Dive on Continuous Delivery and the AWS Developer Tools

Orchestrating the Continuous Delivery Process

AALOK INSTITUTE. DevOps Training

Overcoming the Challenges of Automating Security in a DevOps Environment

Security as Code: The Time is Now. Dave Shackleford Founder, Voodoo Security Sr. Instructor, SANS

DevOps Course Content

Introduction to Cloud Computing

Automating Elasticity. March 2018

ITIL isn t evil Most people who implement it are

How to go serverless with AWS Lambda

Building Microservices with the 12 Factor App Pattern

Introduction to AWS GoldBase. A Solution to Automate Security, Compliance, and Governance in AWS

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Sunil Shah SECURE, FLEXIBLE CONTINUOUS DELIVERY PIPELINES WITH GITLAB AND DC/OS Mesosphere, Inc. All Rights Reserved.

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

Cloud Security Strategy - Adapt to Changes with Security Automation -

Deep Dive on AWS CodeStar

Start Building CI/CD as Code The 7 Lessons Learnt from Deploying and Managing 100s of CI Environments

Swift Web Applications on the AWS Cloud

Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy

HP APPs v.12 Solutions for Dev-Ops

Qualys Cloud Platform

TM DevOps Use Case TechMinfy All Rights Reserved

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

THE IMPACT OF HYBRID AND MULTI CLOUDS TO CYBERSECURITY PRIORITIES

Mapping traditional security technologies to AWS Dave Walker Specialised Solutions Architect Security and Compliance Amazon Web Services UK Ltd

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Cloud security 2.0: Joko nyt pilveen voi luottaa?

Netflix OSS Spinnaker on the AWS Cloud

Accenture Cloud Platform Serverless Journey

Continuous Integration and Delivery with Spinnaker

Hackproof Your Cloud Responding to 2016 Threats

Jenkins: A complete solution. From Continuous Integration to Continuous Delivery For HSBC

Building a Modular and Scalable Virtual Network Architecture with Amazon VPC

Cloud Essentials for Architects using OpenStack

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

AWS London Loft: CloudFormation Workshop

Roles. Ecosystem Flow of Information between Roles Accountability

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Cloud Computing. Amazon Web Services (AWS)

Deploy Early, Deploy Often, Deploy Safely Andy Lowe

CloudCenter for Developers

Puppet on the AWS Cloud

AWS Well Architected Framework

Security Camp 2016 Cloud Security. August 18, 2016

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Cloud & AWS Essentials Agenda. Introduction What is the cloud? DevOps approach Basic AWS overview. VPC EC2 and EBS S3 RDS.

Microservices on AWS. Matthias Jung, Solutions Architect AWS

Securing Amazon Web Services (AWS) EC2 Instances with Dome9. A Whitepaper by Dome9 Security, Ltd.

Containers or Serverless? Mike Gillespie Solutions Architect, AWS Solutions Architecture

Build planetary scale applications with compartmentalization

PaaS isn t Just for Developers

Adopting Modern Practices for Improved Cloud Security. Cox Automotive - Enterprise Risk & Security

Transformation Through Innovation

How Can Testing Teams Play a Key Role in DevOps Adoption?

Security and Compliance at Mavenlink

Application Centric Microservices Ken Owens, CTO Cisco Intercloud Services. Redhat Summit 2015

Unlocking Azure with Puppet Enterprise. November 29, 2016

Securing Your Cloud Introduction Presentation

Simple Security for Startups. Mark Bate, AWS Solutions Architect

I keep hearing about DevOps What is it?

DevOps and Continuous Delivery USE CASE

Getting Started With Serverless: Key Use Cases & Design Patterns

Agile CI/CD with Jenkins and/at ZeroStack. Kiran Bondalapati CTO, Co-Founder & Jenkins Admin ZeroStack, Inc. (

Logging, Monitoring, and Alerting

Hardening AWS Environments. Automating Incident Response. AWS Compromises

Transcription:

SESSION ID: CSV-T10 Aspirin as a Service: Using the Cloud to Cure Security Headaches Bill Shinn Principle Security Solutions Architect Amazon Web Services Rich Mogull CEO Securosis @rmogull

Little. Cloudy. Different. Cloud can be more secure than traditional datacenters. The economics are in your favor. Cloud architectures can wipe out some traditional security headaches. This isn t theory, it s being done today. But only if you understand how to leverage the cloud. We will show you how. 2

Not the SaaS you re looking for This session is all IaaS and PaaS 3

Cloud Security Economics For clients to use a cloud provider, they must trust the provider. You get one chance This is especially true for anything with a sensitive data or process. Thus security has to be a top priority for a provider or you won t use them. A major breach for a provider that affects multiple customers is an existential event. 4

Cloud Provider Critical Security Capabilities API/admin activity logging Elasticity and autoscaling Software defined networking Region/location control APIs for all security features Granular entitlements Good SAML support Nice to have: infrastructure templating/automation Multiple accounts per customer 5

Evolving the Practice of Security Architecture Security architecture as a silo d function can no longer exist. Current Security Architecture Practice Static position papers, architecture diagrams & documents UI-dependent consoles and pane of glass technologies Auditing, assurance, and compliance are decoupled, separate processes 6

Evolving the Practice of Security Architecture Security architecture as a silo d function can no longer exist. Evolved Security Architecture Practice Architecture artifacts (design choices, narrative, etc.) committed to common repositories Complete solutions account for automation Solution architectures are living audit/compliance artifacts and evidence in a closed loop 7

Network Segmentation

Segregation is critical but hard Segregating networks in a data center is hard, expensive, and often unwieldy. It s hard to isolate application services on physical machines. Even using virtual machines has a lot of management overhead. Attackers drop in and move North/South in application stacks, and East/West on networks (or both). 9

Network segregation by default Web X X a b c Granularity of host firewall with ease of management of network firewall 10

Limiting blast radius Security Group Security Group Subnet Virtual Network Subnet Virtual Network Account 11

To a host or network Boom Security Group Security Group Subnet Virtual Network Subnet Virtual Network Account 12

To a host or network Boom Security Group Security Group Subnet Virtual Network Subnet Virtual Network Account 13

Or an entire data center Secu rity Grou p Secu rity Grou p Secu rity Grou p Secu rity Grou p Secu rity Grou p Secu rity Grou p Subnet Subnet Subnet Subnet Subnet Subnet Virtual Network Virtual Network Virtual Network Virtual Network Virtual Network Virtual Network Account Account Account 14

Or an entire data center Boom Secu rity Grou p Secu rity Grou p Secu rity Grou p Secu rity Grou p Secu rity Grou p Secu rity Grou p Subnet Subnet Subnet Subnet Subnet Subnet Virtual Network Virtual Network Virtual Network Virtual Network Virtual Network Virtual Network Account Account Account 15

Traditional blast radius 16

Application segregation Easier to deploy smaller services Easier to isolate Can integrate PaaS for network air gaps 17

Cloud DMZ 18

Template 19

Immutable Services Architectures

Managing patches and change Nothing we deploy is consistent. Even when we become consistent, it s hard to patch live stuff without breaking things. Privileged users log into servers and make changes. Attackers love persistent servers they can compromise and camp inside. Plus, we need to keep the auditors happy. 21

Design to deploy is a mess Develop Commit Test Deploy Team Dev QA Test Ops Env Dev Test Test Stag e Prod

The power of immutable Instead of updating, you completely replace infrastructure through automation. Can apply to a single server, up to an entire application stack. Incredibly resilient and secure. Think servers without logins. Image from: http://tourismplacesworld.blogspot.com/2012/07/uluru.html 23

Automate Creation of Master OS Images Ops/Server Engineering Requirements Security Tests Packer configuration Git Jenkins Test Master Image InfoSec Requirements

Demo Server Image Bakery/Factory Update the desired configuration of a new master OS image Build the master image Test the master image for security controls Make image available for use 25

How immutable works- auto scaling Load Balancer a b c Auto Scale Group 26

How immutable works- auto scaling Load Balancer a b c Auto Scale Group 27

How immutable works- auto scaling Load Balancer a b c Auto Scale Group 28

How immutable works- auto scaling Load Balancer a b c Auto Scale Group 29

How immutable works- auto scaling Load Balancer unpatched patched a b c Auto Scale Group 30

How immutable works- auto scaling Load Balancer unpatched patched a b c Auto Scale Group 31

How immutable works- auto scaling Load Balancer unpatched patched a b c Auto Scale Group 32

How immutable works- auto scaling Load Balancer unpatched patched a b c Auto Scale Group 33

Demo Rolling update of 40 instances in 4 minutes with 0 downtime. 34

Immutable Infrastructure

Automate with DevOps and Continuous Deployment Functional Tests NonFunctional Tests Security Tests Source Code Cloudformation Templates Chef Recipes Git Jenkins Chef Server Test Prod

Immutable Infrastructure Internet Single, templated stack Template A: 37

Immutable Infrastructure Internet Launch updated version Template A: Template B: 38

Immutable Infrastructure Internet Begin diverting traffic via DNS Template A: Template B: 39

Immutable Infrastructure Internet Rollback or finish, depending on results Template A: Template B: 40

Immutable Infrastructure Internet Template B: 41

Immutable Infrastructure Internet Can still roll back if needed Template B: 42

Let your PaaS do the work We deploy many MANY core components to deliver applications. Load balancers, databases, message queues, and more. It takes a lot of effort to keep these secure and up to date at scale. Each piece is yet more attack surface. 43

PaaS and New Cloud Architectures PaaS providers can t afford a preventable security failure. Including letting things get out of date. Many types of PaaS can t rely on normal networking. Instead you access them via API. This creates an opportunity to air gap parts of your application. Kill off network attack paths (doesn t help with logic flaws) 44

Network attack path? 45

PaaS Air Gap No direct network connection 46

Software Defined Security Attackers are automated, we are mostly manual. Our tools have been poor. We lack trustable security automation and thus need to rely on a Meat Cloud In cloud, APIs are mandatory. We can write code to automate and orchestrate, even across products and services. 47

Code without Coding Work with your devs to build a library of building blocks Learn just enough to glue it together Build some core scripts Mix and match the blocks Pull in the dev when you have new requirements 48

Demo Meet SecuritySquirrel, the first warrior in the Rodent Army (apologies to Netflix). The following tools are written by an analyst with a Ruby-for-Dummies book. Automated security workflows spanning products and services.

Incident Response 1 Detect Compromise 4 Image 2 Pull server information (If you have it) 5 Analyze = Hours! 3 Quarantine 6 Recover Each step is manual, and uses a different set of disconnected tools

1. Pull metadata 2. Quarantine 3. Swap control to security team 4. Identify and image all storage 5. Launch and configure analysis server 6. Can re-launch clean server instantly

Stateless Security Security normally relies on scanning and checking databases. With cloud we are completely integrated into the infrastructure and platforms. The cloud controllers have to see everything to manage everything, there is no Neo running around. Instead of scanning, we can directly pull state. And then use it for security 52

Identify Unmanaged Servers (for the audit) 1 Scan the network 2 Scan again and again for all the parts you missed 3 Identify all the servers as best you can 4 Pull a config mgmt report 5 Manually compare results

1. Get list of all servers from cloud controller (can filter on tags/os/etc). Single API call 2. Get list of all servers from Chef Single API call 3. Compare in code

Event Driven Security Cloud providers are creating hooks to trigger actions based on events inside the cloud. We can use these for near-instant security reactions. 55

Self-Healing Infrastructure (yes, for real) Change a security group Lambda Function analyzes and reverses Event Recorded to CloudTrail Passed to CloudWatch Log Stream Triggers an CloudWatch Event 56

Demo Watch a security group self heal in less than 10 seconds 57

Aspirin Applied Next week you should: Follow up this session by learning to use Git (or another source repo) and a build pipeline toolchain like Jenkins. In the first three months following this presentation you should: Be collaborating with dev/engineering/operations/security on something - anything! Even if you just keep basic account governance scripts in a repo that people can run, contribute to, track, build into pipelines, etc- have at least one key security capability wired up through a pipeline. Within six months you should: Be running audits out of the toolchain for at least a few key controls as they are applied to the cloud. 58

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback