1. How FINRA achieves DevOps agility while securing its AWS environments
GRC339, AWS re:Inforce 2019
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Daniel Koo, Senior Director, DevOps Products & Engineering, FINRA
Stephen Mele, Lead Developer, DevOps Products, FINRA
Jason Garbis, Vice President, Products, Cyxtera Technologies
2. Agenda
• FINRA introduction
• Secure development and DevOps practice at FINRA
• Gatekeeper and AppGate SDP integration
• Demo
• Cyxtera introduction
• Cyxtera’s AppGate SDP solution for AWS
• Q&A
4. Mission
• Investor protection
• Market integrity
5. Volume
• 3,800 firms
• 634,000 brokers
• 12 markets/exchanges
6. Big data
• FINRA maintains 150+ applications running in AWS
• FINRA processes up to 135 billion market events per day
• FINRA processes and analyzes trillions of nodes and edges
• FINRA manages approximately 30 petabytes of storage
• FINRA runs up to 50,000 compute nodes per day
7. Challenges
• Transparency
• Governance
• DevOps
• Access control
• Compliance
• Transient platform
8. DevOps practice
Lifecycle stages: Inception → Dev/test → Released
Practices applied across the lifecycle: Integrated security, Standardization, Architecture pattern, Self-service, Integrated ops, Compliance
Tooling along the lifecycle: Kickstart, FINRA Images, Jenkins/F3, Fidelius, CloudPass, Gatekeeper, Aphelion, Nagios
9.
• Gatekeeper: temporary access to Amazon EC2 and Amazon RDS
• Fidelius: secrets management in AWS
• Provision: create resources in AWS
• CloudPass: temporary token for AWS
• Portus: security group manager
• yum-nginx-api: Go API for uploading RPM to yum
• Aphelion: monitor AWS service limits
Legend on the slide: Available, Coming soon, Open source
Open source: http://technology.finra.org/opensource.html
10. Compliance: Consistency, transparency
Inputs: Info and application security, Enterprise architecture, Policies and standards
• FINRA Provision: compliant stack configs
• FINRA Portus: approved security groups
• FINRA IAMUS: IAM role templates
Dev teams consume these through automated deploy; configs/change events flow to Amazon CloudWatch and AWS CloudTrail
Regulatory drivers: Reg SCI, SOX, SOC 2, SEC
11. Cloud security
• Encryption: AWS KMS, Amazon EMR security configurations, in transit, at rest
• AuthN and AuthZ: role-based access, Active Directory integration (applications), group membership
• Isolation: VPC isolation, security groups, VPC endpoints, SDLC isolation (accounts), micro-segmentation
• Monitoring: AWS CloudTrail, Amazon CloudWatch, Splunk
• Access control: IAM ADFS federation, temporary STS token, Gatekeeper (temporary access to Amazon EC2 and Amazon RDS)
13. Gatekeeper architecture
• User → Application Load Balancer (ALB) → Gatekeeper UI (AngularJS, M3) → ALB → Gatekeeper services (Spring Boot on Amazon EC2 M3 + Amazon RDS), all in the Gatekeeper VPC
• Active Directory: authenticate users and search for users
• Gatekeeper's own Amazon RDS: store requests
• Target VPCs: Amazon EC2 instances (C3, M3, M4, with SSM) and Amazon RDS databases
• Gatekeeper calls SSM to create users on the Amazon EC2 instances
• Gatekeeper connects to Amazon RDS to create/remove users
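The two provisioning arrows in the architecture (SSM to the EC2 instance, a database connection to RDS) are where a Gatekeeper-style service turns a directory identity into a short-lived local account. The following is an added example, not FINRA's Gatekeeper code: it builds the SSM shell script and the PostgreSQL statements for a grant and for the matching revocation. The account names, the key, the `app_readonly` role and the two-hour style expiry are constructed assumptions. The security-relevant detail is that the username comes from an AD search but still lands inside a shell script and a SQL statement, so it is whitelisted before either is assembled.

```python
"""Added example, not FINRA's Gatekeeper code: build the commands a
Gatekeeper-style service hands to SSM and RDS to grant and later revoke a
time-boxed account. Usernames, keys and role names are constructed."""
import re
import shlex
from datetime import datetime, timezone

# The username comes from a directory lookup, but it still ends up inside a
# shell script and a SQL statement, so it is validated rather than trusted.
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
_PUBKEY_RE = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/=]+( \S+)?$")


def _checked_name(name: str) -> str:
    if not _NAME_RE.match(name):
        raise ValueError(f"unsafe account name: {name!r}")
    return name


def ec2_grant_script(user: str, pubkey: str, expires: datetime) -> str:
    """Shell script for the SSM document AWS-RunShellScript: create a user
    with an account expiry and install exactly one authorized key.
    useradd's expiry is day-granular, so revocation still runs at grant end."""
    user = _checked_name(user)
    if not _PUBKEY_RE.match(pubkey):
        raise ValueError("public key must be a single OpenSSH key line")
    day = expires.astimezone(timezone.utc).strftime("%Y-%m-%d")
    home = f"/home/{user}"
    return "\n".join([
        "set -eu",
        f"useradd --create-home --expiredate {day} --shell /bin/bash {user}",
        f"install -d -m 700 -o {user} -g {user} {home}/.ssh",
        f"printf '%s\\n' {shlex.quote(pubkey)} > {home}/.ssh/authorized_keys",
        f"chmod 600 {home}/.ssh/authorized_keys",
        f"chown {user}:{user} {home}/.ssh/authorized_keys",
    ])


def ec2_revoke_script(user: str) -> str:
    """Kill the user's sessions, then delete the account and its home directory."""
    user = _checked_name(user)
    return "\n".join(["set -eu", f"pkill -KILL -u {user} || true", f"userdel --remove {user}"])


def ssm_send_command_params(instance_ids, script: str) -> dict:
    """Keyword arguments for boto3's ssm.send_command(**params); returned as
    data so the example runs offline and the caller owns the client."""
    return {
        "InstanceIds": list(instance_ids),
        "DocumentName": "AWS-RunShellScript",
        "Parameters": {"commands": script.split("\n")},
        "TimeoutSeconds": 120,
    }


def rds_postgres_grant(user: str, password: str, expires: datetime,
                       role: str = "app_readonly") -> list:
    """PostgreSQL statements for a login role that stops working on its own
    at grant end (VALID UNTIL). Identifiers are validated and double-quoted;
    the password literal has its single quotes doubled."""
    user, role = _checked_name(user), _checked_name(role)
    until = expires.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S+00")
    pw = password.replace("'", "''")
    return [
        f"CREATE ROLE \"{user}\" LOGIN PASSWORD '{pw}' VALID UNTIL '{until}';",
        f"GRANT \"{role}\" TO \"{user}\";",
    ]


def rds_postgres_revoke(user: str, role: str = "app_readonly") -> list:
    """Undo rds_postgres_grant; safe to run even if the role already expired."""
    user, role = _checked_name(user), _checked_name(role)
    return [f"REVOKE \"{role}\" FROM \"{user}\";", f"DROP ROLE IF EXISTS \"{user}\";"]
```

Both grant paths carry their own expiry (`--expiredate`, `VALID UNTIL`) so an account outlives a crashed revocation job by at most a day, and the explicit revoke scripts exist because the slide's goal is "no hard users on instances": the grant is only considered closed once `userdel` and `DROP ROLE` have run.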
14–18. AppGate SDP primer
Components: AppGate client (on the user's device), AppGate controller, AppGate gateway (in a VPC in the AWS Cloud), identity management. Client connections to the controller and gateway are mutually authenticated TLS (MTLS).
19. Gatekeeper + AppGate SDP: Current state
1. User logs into AppGate (AppGate client → AppGate controller)
2. Secure MTLS connection to the AppGate gateway (in the VPC, AWS Cloud)
3. User logs into Gatekeeper and requests access to AWS resources
4. Gatekeeper creates temporary users/key pairs on the selected resources (example on the slide: Instance 67890, IP 10.17.123.2)
5. Gateway enforces access policies based on user groups
21. Gatekeeper + AppGate SDP: Future state
1. User logs into AppGate
2. Secure MTLS connection to the AppGate gateway
3. User logs into Gatekeeper and requests access to AWS resources
4a. Gatekeeper creates temporary users/key pairs on the selected resources (Instance 67890, IP 10.17.123.2)
4b. Gatekeeper provides the request data to the AppGate API (via Amazon SNS, Amazon SQS, AWS Lambda)
5. Gateway enforces access policies based on the IPs provided by the Gatekeeper request
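Step 4b moves the gateway's policy input from a static group membership to a per-request host list, which makes the SNS → SQS → Lambda hop itself part of the access-control path. The following is an added example, not FINRA's or Cyxtera's code, of the consumer side of that hop: a Lambda handler for an SQS-triggered event that unwraps the SNS envelope, validates each Gatekeeper request and emits the narrowest allow-list entry (one /32, one port, one expiry) the gateway side could take. The request field names, the allowed port set, the entitlement shape and the in-memory `seen` set standing in for a durable store are assumptions; the sample event is constructed.

```python
"""Added example, not FINRA's or Cyxtera's code, of step 4b/5 in the future
state: a Lambda fed from an SQS queue that is subscribed to the SNS topic
Gatekeeper publishes to. It unwraps each request, validates it and turns it
into an allow-list entry the gateway side can consume. Field names, the
entitlement shape and the allowed ports are assumptions."""
import ipaddress
import json
from datetime import datetime, timezone

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_PORTS = {22, 5432, 3306}   # SSH to EC2, PostgreSQL/MySQL on RDS (assumption)
REQUIRED = ("request_id", "user", "instance_id", "ip", "port", "expires_at")


def parse_request(message: str) -> dict:
    """Validate one Gatekeeper request; anything off raises ValueError."""
    req = json.loads(message)
    missing = [k for k in REQUIRED if k not in req]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    ip = ipaddress.ip_address(req["ip"])
    if not any(ip in net for net in PRIVATE_NETS):
        raise ValueError(f"{ip} is not a private VPC address")
    port = int(req["port"])
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port {port} is not grantable")
    expires = datetime.fromisoformat(req["expires_at"])
    if expires.tzinfo is None:
        raise ValueError("expires_at must carry a UTC offset")
    return {"request_id": str(req["request_id"]), "user": str(req["user"]),
            "instance_id": str(req["instance_id"]), "ip": str(ip), "port": port,
            "expires_at": expires}


def build_entitlements(event: dict, now: datetime, seen: set):
    """Process an SQS-triggered Lambda event; return (grants, rejected).
    `seen` stands in for a durable store of processed request ids: SQS
    standard queues deliver at least once, so redeliveries must be dropped."""
    grants, rejected = [], []
    for record in event.get("Records", []):
        msg_id = record.get("messageId")
        try:
            body = json.loads(record["body"])
            # SNS -> SQS fan-out wraps the publisher's payload in an envelope
            # unless raw message delivery is enabled on the subscription.
            if isinstance(body, dict) and body.get("Type") == "Notification":
                message = body["Message"]
            else:
                message = record["body"]
            req = parse_request(message)
        except (ValueError, KeyError, TypeError) as exc:
            rejected.append((msg_id, f"invalid: {exc}"))
            continue
        if req["request_id"] in seen:
            rejected.append((msg_id, "duplicate request_id"))
            continue
        if req["expires_at"] <= now:
            rejected.append((msg_id, "grant already expired"))
            continue
        seen.add(req["request_id"])
        grants.append({
            "name": f"gatekeeper-{req['request_id']}",
            "user": req["user"],
            "hosts": [f"{req['ip']}/32"],   # one host, never a wider range
            "ports": [req["port"]],
            "expires_at": req["expires_at"].isoformat(),
        })
    return grants, rejected


def handler(event, context=None):
    """Lambda entry point; a real deployment persists `seen` and pushes the
    grants to the AppGate API, which is not shown here."""
    grants, rejected = build_entitlements(event, datetime.now(timezone.utc), set())
    return {"granted": len(grants), "rejected": len(rejected)}


def _sns_record(msg_id: str, payload: dict) -> dict:
    """Constructed SQS record as Lambda receives it from an SNS subscription."""
    return {"messageId": msg_id,
            "body": json.dumps({"Type": "Notification", "Message": json.dumps(payload)})}


# Constructed sample event: one valid grant, one already expired, one aimed at a public IP.
SAMPLE_EVENT = {"Records": [
    _sns_record("m1", {"request_id": "42", "user": "jsmith", "instance_id": "i-67890",
                       "ip": "10.17.123.2", "port": 22, "expires_at": "2019-06-25T16:00:00+00:00"}),
    _sns_record("m2", {"request_id": "43", "user": "jsmith", "instance_id": "i-67890",
                       "ip": "10.17.123.2", "port": 22, "expires_at": "2019-06-25T09:00:00+00:00"}),
    {"messageId": "m3", "body": json.dumps({"request_id": "44", "user": "mallory", "instance_id": "i-1",
                                            "ip": "203.0.113.9", "port": 22,
                                            "expires_at": "2019-06-25T16:00:00+00:00"})},
]}
```

Rejections are returned rather than raised so one bad message does not block the batch, and the duplicate check matters because anything that can replay a queue message could otherwise re-open a grant after Gatekeeper has revoked it.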
23. Goals achieved
• Self-service
• Automated grant/removal
• Leveraging of existing group membership
• No hard users on instances, only temporary access
• Multi-layer protection (AuthN/AuthZ, approval, security group, AppGate SDP)
• Auditability and transparency
25. Cyxtera Essential Defense
Proactive, online threat identification and mitigation aimed at minimizing enterprise digital risk
• Digital threat protection: threat management and analytics
• Software-defined perimeter & micro-segmentation: identity-centric, network-enforced perimeter able to secure any application, on any platform, in any location
• Multi-factor authentication: unified authentication for the entire enterprise user population through a comprehensive range of authentication factors
Taglines: Reduce your attack surface; Secure your access; Neutralize your adversaries
26. TCP/IP is a weak security foundation (implicit trust)
TCP/IP: 1. All resources visible → 2. Connect → 3. Authenticate (connect first, authenticate second)
27. TCP/IP has a poor policy language
Should 192.168.4.11 have access to 10.5.0.3? Yes or no?
28. A better approach to network security: Software-defined perimeter
1. Identity-centric: user- or device-based access control; integration with directory services and IAM; context sensitivity
2. Zero-trust model: authentication before connection; dynamically provisioned 1:1 connectivity; completely dark unauthorized resources
3. Built like cloud, for cloud: distributed, stateless, and highly scalable; programmable and adaptive; dynamic and on-demand
"By 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters."
29. AppGate SDP compensates for TCP/IP weaknesses
TCP/IP: 1. All resources visible → 2. Connect → 3. Authenticate (connect first, authenticate second)
Software-defined perimeter: 1. Authenticate → 2. Connect → 3. Only authorized resources are visible (authenticate first, connect second)
30. AppGate SDP has a rich policy language
Should Jim have access to the SAP production server? It depends.
31. Context the policy can weigh before Jim reaches the SAP production server:
• What's our current security posture?
• Is there an open service desk ticket?
• Where is Jim connecting from?
• What time is it?
• Is Jim's machine patched?
• What project is Jim working on?
32. AppGate SDP primer: policy model
• AppGate controller: policy model; graphical admin console & APIs; integration with IT/security systems (SIEM, IDS/IPS); identity management system (SAML, LDAP, AD)
• AppGate client → AppGate gateway: SPA (single packet authorization) packet first, then MTLS
• Protected VPCs in the AWS Cloud, instances identified by tags: Instance 12345 (State=Dev, App=App1), Instance 33445 (State=Dev, App=App1), Instance 67890 (State=Dev, App=App3), Instance 677889 (State=Prod, App=App2)
• Simple security group on protected instances: allow all from the gateway, deny all other traffic
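The "allow all from gateway, deny all other traffic" security group is what makes every other layer meaningful: a single extra ingress rule turns the gateway into one path among several. Below is an added example, not FINRA's Portus or Cyxtera's code, that audits security groups for exactly that pattern. It takes data in the shape boto3's `ec2.describe_security_groups()` returns under `SecurityGroups` and reports every inbound rule whose source is anything other than the gateway's own security group, plus groups that never admit the gateway at all. The gateway group id and the sample groups are constructed.

```python
"""Added example, not FINRA's Portus or Cyxtera's code: audit the security
groups of SDP-protected instances for the pattern on the slide, every
inbound rule comes from the AppGate gateway's own security group and nothing
else. Input has the shape of ec2.describe_security_groups()["SecurityGroups"];
the group ids and rules below are constructed."""

GATEWAY_SG = "sg-0aaaa1111bbbb2222c"   # assumption: the gateway's security group id


def _source_groups(perm: dict):
    return [p.get("GroupId") for p in perm.get("UserIdGroupPairs", [])]


def sg_findings(groups, gateway_sg: str = GATEWAY_SG):
    """Return (group_id, reason) pairs; an empty list means every group is
    reachable only through the gateway."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        from_gateway = False
        for perm in g.get("IpPermissions", []):
            # "-1" (all protocols) carries no FromPort/ToPort in the API output.
            span = f"{perm.get('IpProtocol')} {perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}"
            for r in perm.get("IpRanges", []):
                findings.append((gid, f"{span} open to CIDR {r['CidrIp']}, bypasses the gateway"))
            for r in perm.get("Ipv6Ranges", []):
                findings.append((gid, f"{span} open to CIDR {r['CidrIpv6']}, bypasses the gateway"))
            for pl in perm.get("PrefixListIds", []):
                findings.append((gid, f"{span} open to prefix list {pl['PrefixListId']}, bypasses the gateway"))
            for src in _source_groups(perm):
                if src == gateway_sg:
                    from_gateway = True
                else:
                    findings.append((gid, f"{span} open to group {src}, not the gateway"))
        if not from_gateway:
            findings.append((gid, "no inbound rule from the gateway; SDP users cannot reach it"))
    return findings


# Constructed sample: one compliant group, one with a stray SSH rule from the
# internet left beside the gateway rule, one that never admits the gateway.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0app1", "GroupName": "app1-dev",
     "IpPermissions": [{"IpProtocol": "-1",
                        "UserIdGroupPairs": [{"GroupId": GATEWAY_SG, "UserId": "111111111111"}]}]},
    {"GroupId": "sg-0app2", "GroupName": "app2-prod",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "legacy bastion"}]},
         {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": GATEWAY_SG}]}]},
    {"GroupId": "sg-0app3", "GroupName": "app3-dev",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-0other"}]}]},
]
```

Run against the live account, the input is simply the `SecurityGroups` list from a paginated `describe_security_groups` call filtered to the groups attached to protected instances; the same check fits naturally as a gate in a security-group manager of the kind the Portus slide describes, rejecting a proposed group before it is applied.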
34. Software-defined perimeter for AWS
• Use cases
• Concurrent and transparent access across regions and accounts
• Dynamic, policy-based access
• Automatic access control based on metadata
• Additional scenarios
• Multi-factor authentication and step-up authentication
• ITSM integration
• Give it a try: Free trial in AWS Marketplace
https://aws.amazon.com/marketplace/pp/B01IWQFEHM
• More information
https://Cyxtera.com
35. Thank you!
Daniel Koo, Stephen Mele, Jason Garbis