How FINRA achieves DevOps agility while securing its AWS environments - GRC339 - AWS re:Inforce 2019

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
How FINRA achieves DevOps agility while
securing its AWS environments
Daniel Koo
Senior Director
DevOps Products & Engineering
FINRA
G R C 3 3 9
Stephen Mele
Lead Developer
DevOps Products
FINRA
Jason Garbis
Vice President
Products
Cyxtera Technologies

Agenda
• FINRA introduction
• Secure development and DevOps practice at FINRA
• Gatekeeper and AppGate SDP integration
• Demo
• Cyxtera introduction
• Cyxtera’s AppGate SDP solution for AWS
• Q&A

Mission
Investor
protection
Market
integrity

Volume
brokers
12 634,000
markets/
exchanges
firms
3,800

Big data
FINRA maintains
150+
applications running in AWS
FINRA processes up to
135 billion
market events per day
FINRA processes and analyzes
trillions
of nodes and edges
FINRA manages
approximately
30 petabytes
of storage
FINRA runs up to
50,000
compute nodes
per day

Challenges
TransparencyGovernance
DevOps
Access control
Compliance
Transient platform

DevOps practice
ReleasedDev/testInception
Integrated
security
Standardization
Architecture
pattern
Self-service
Integrated
ops
Compliance
Kickstart
FINRA Images
Jenkins/F3
Jenkins/
F3
Fidelius
CloudPass Gatekeeper Aphelion
Nagios
FINRA
Images

Temporary access to
Amazon EC2 and
Amazon RDS
Gatekeeper
Secrets management in
AWS
Fidelius
Create resources in
AWS
Provision
Temporary token for
AWS
CloudPass
Security group
manager
Portus
Go API for uploading
RPM to yum
yum-nginx-api
Monitor AWS service
limits
Aphelion
Available
Coming soon
Open source
http://technology.finra.org/opensource.html

Compliance: Consistency, transparency
FINRA Provision
Compliant stack
configs
FINRA Portus
Approved security
groups
FINRA IAMUS
IAM role templates
Info and
application
security
Enterprise
architecture
Policies and
standards
Dev
teams
Automated
deploy
Automated
deploy
Configs/change events
Amazon
CloudWatch
AWS
CloudTrail
Reg SCI SOX SOC 2SEC

Cloud security
AWS KMS
Amazon EMR security
configurations
In transit
At rest
Encryption
Role-based access
Active Directory
integration (applications)
Group membership
AuthN and
AuthZ
*****
VPC isolation
Security groups
VPC endpoints
SDLC isolation (accounts)
Micro-segmentation
Isolation
AWS CloudTrail
Amazon CloudWatch
Splunk
Monitoring
IAM ADFS federation
Temporary STS token
Gatekeeper (temporary access
to Amazon EC2
and Amazon RDS)
Access
control

User M3Application
Load
Balancer
(ALB)
VPC
Gatekeeper UI
(AngularJS)
ALB M3
Gatekeeper services,
Amazon EC2 +
Amazon RDS
(Spring Boot)
Amazon RDS
Active Directory
Amazon EC2
C3 M3 M4SSM
Amazon RDS
VPC
Amazon EC2
C3 M3 M4SSM
Amazon RDS
VPC
Amazon EC2
C3 M3 M4SSM
Amazon RDS
Authenticate users
and search for
users
Connect to
Amazon RDS,
create/remove users
Call SSM to create
users on Amazon
EC2 instances
Store
requests
Gatekeeper architecture VPC

AppGate SDP primer

AppGate
client
AppGate
controller
VPC
AppGate
gateway
AWS Cloud
MTLS
AppGate SDP primer

AppGate
client
AppGate
controller
VPC
AppGate
gateway
Identity
management
AWS Cloud
MTLS
AppGate SDP primer

AppGate
client
User logs into
AppGate
1
3
2
Secure MTLS
connection
to gateway
AppGate
controller
VPC
AppGate
gateway
AWS Cloud
User logs into
Gatekeeper and
requests access to
AWS resources
Gatekeeper
5 Gateway enforces access policies
based on user groups
4
Gatekeeper creates
temporary users/key pairs
on selected resources
Instance: 67890
IP: 10.17.123.2
Gatekeeper + AppGate SDP: Current state

AppGate
client
User logs into
AppGate
1
2
Secure MTLS
connection
to gateway
AppGate
controller
VPC
AppGate
gateway
AWS Cloud
Gatekeeper
5 Gateway enforces access policies based on
IPs provided by Gatekeeper request
Instance: 67890
IP: 10.17.123.2
Gatekeeper provides request data to
AppGate API (Amazon SNS, Amazon
SQS, AWS Lambda)
3
User logs into
Gatekeeper and
requests access to
AWS resources
Gatekeeper creates
temporary users/key pairs
on selected resources
4a
4b
Gatekeeper + AppGate SDP: Future state

Goals achieved
Self-service
Automated grant/removal
Leveraging of existing group membership
No hard users on instances, only temporary access
Multi-layer protection (AuthN/AuthZ, approval, security group, AppGate SDP)
Auditability and transparency

Cyxtera Essential Defense
Proactive,
online threat
identification and
mitigation aimed at
minimizing
enterprise
digital risk
Digital threat protection
Threat management and analytics
Software-defined perimeter & micro-segmentation
Identity-centric, network-enforced perimeter able to
secure any application, on any platform, in any location
Multi-factor authentication
Unified authentication for entire enterprise user population
through a comprehensive range of authentication factors
Reduce
Your attack surface
Secure
Your access
Neutralize
Your adversaries

2. Connect 3. Authenticate1. All resources
visible
TCP/IP
Connect first,
authenticate second
1. TCP/IP is a weak security foundation (implicit trust)

Should 192.168.4.11 have access to 10.5.0.3?
Yes or no?
2. TCP/IP has a poor policy language
192.168.4.11 10.5.0.3

1
Identity-centric
User- or device-based access control
Integration with directory services and IAM
Context sensitivity
Zero-trust model
Authentication before connection
Dynamically provisioned 1:1 connectivity
Completely dark unauthorized resources
2
Built like cloud, for cloud
Distributed, stateless, and highly scalable
Programmable and adaptive
Dynamic and on-demand
3
“By 2021, 60% of enterprises will phase out network VPNs for digital business communications in
favor of software-defined perimeters.”
A better approach to network security:
Software-defined perimeter

2. Connect 3. Authenticate1. All resources
visible
TCP/IP
Connect first,
authenticate second
1. Authenticate 2. Connect 3. Only authorized
resources are visible
Software-defined
perimeter
Authenticate first,
Connect second
AppGate SDP compensates for TCP/IP weaknesses

Should Jim have access to the SAP production server?
It depends
AppGate SDP has a rich policy language
Jim SAP production server

What’sourcurrent
securityposture?
Isthereanopenservice
deskticket?
WhereisJimconnecting
from?
Whattimeisit?
IsJim’smachinepatched?WhatprojectisJimworkingon?
Jim SAP production server

AppGate
client
AppGate
controller
VPC
AppGate
gateway
Policy model
Graphical admin console & APIs
Integration with IT/security Systems
(SIEM, IDS/IPS)
Identity management system
(SAML, LDAP, AD)
VPC
VPC
Instance: 67890
Tag: State=Dev
Tag: App=App3
MTLS AWS Cloud
Simple security group:
Allow all from Gateway,
deny all other traffic
Instance: 12345
Tag: State=Dev
Tag: App=App1
Instance: 33445
Tag: State=Dev
Tag: App=App1
Instance: 677889
Tag: State=Prod
Tag: App=App2
MTLS
AWS
Cloud
AppGate
gateway
SPA packet
MTLS
AppGate SDP primer

Software-defined perimeter for AWS
• Use cases
• Concurrent and transparent access across regions and accounts
• Dynamic, policy-based access
• Automatic access control based on metadata
• Additional scenarios
• Multi-factor authentication and step-up authentication
• ITSM integration
• Give it a try: Free trial in AWS Marketplace
https://aws.amazon.com/marketplace/pp/B01IWQFEHM
• More information
https://Cyxtera.com

Thank you!
Daniel Koo Stephen Mele Jason Garbis

How FINRA achieves DevOps agility while securing its AWS environments - GRC339 - AWS re:Inforce 2019

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to How FINRA achieves DevOps agility while securing its AWS environments - GRC339 - AWS re:Inforce 2019

Similar to How FINRA achieves DevOps agility while securing its AWS environments - GRC339 - AWS re:Inforce 2019 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

How FINRA achieves DevOps agility while securing its AWS environments - GRC339 - AWS re:Inforce 2019