
Modern Security and Compliance Through Automation



Because the entire AWS cloud platform is programmable, security and compliance can be programmed in advance of instantiating any workload. In this session, we show how you can design a secure and compliant workload and even have it audited by a third-party auditor before creating it for the first time. Once it is created, other facilities provide mechanisms for detecting and alerting on drift from your baseline, and even for automatically remediating that drift. Learn how the comprehensive automation available in AWS gives security and compliance professionals an entirely new, more efficient, and more effective way to work.

Speakers: John Hildebrandt, Solutions Architect, Amazon Web Services; Bruce Haefele, GM Technology, Healthdirect Australia



  1. Modern Security and Compliance Through Automation
      John Hildebrandt, Solutions Architect, Amazon Web Services
      Bruce Haefele, GM Technology, Healthdirect Australia
      © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. The AWS cloud allows for advanced governance. Manual auditing in a simple world versus governance in a complex world:
      • Thick procedure manuals → Software-enforced processes
      • Periodic surveys → Alarming/triggering
      • Few truly automated controls → Ubiquitous, software-driven, predictable controls
      • Sample testing, hoping → Full population monitoring, test of 1
  3. Evolution of compliance at AWS: AWS certifications → customer enabler docs → customer case studies → security and compliance via automation (AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config)
  4. Shared Responsibility Model. Customers are responsible for how they use AWS components in AWS.
      Customer, responsible for security in the cloud:
      • Customer data
      • Platform, applications, identity & access management
      • Operating system, network & firewall configuration
      • Client-side data encryption & data integrity authentication
      • Server-side encryption (file system and/or data)
      • Network traffic protection (encryption/integrity/identity)
      AWS, responsible for security of the cloud:
      • Compute, storage, database, networking
      • AWS Global Infrastructure: regions, availability zones, edge locations
  5. Compliance & Accreditation – Common Challenges
      • How do I architect for compliance in AWS? Meet my compliance requirements (IRAP, NIST, PCI, HIPAA, CJIS, etc.); make critical decisions to ensure a secure application when using the AWS Shared Responsibility Model; take advantage of new services and features when designing for the cloud.
      • How can I make architecting for compliance repeatable?
      • How can I validate that my architecture is compliant before deployment?
      • How can I ensure continuous compliance in production?
      • Mapping security controls to numerous AWS services
      • How can I simplify my accreditation process and get to ATO?
  6. Shared Responsibility Model – Compliance in the Cloud: Examples (framework / control / description / implementation in AWS architecture)
      • NIST 800-53 AU-9: The information system protects audit information and audit tools from unauthorized access, modification, and deletion. Implementation: AWS CloudTrail and/or log files in S3 buckets with S3 bucket policies that prevent modification or deletion (write once, read many).
      • PCI DSS Requirement 4: Encrypt transmission of cardholder data. Implementation: Elastic Load Balancers must enforce HTTPS encryption using strong security policies that enforce TLS.
      • HIPAA – tenancy requirement: Requirement to use "dedicated" tenancy for EC2 instances storing or processing PHI data.
      • CJIS Policy Area 7 – configuration management: Enforce use of hardened EC2 instance operating systems and/or pre-approved Amazon Machine Images (AMIs).
      • DoD CSM Levels 4-5 – no direct access from VPC to the Internet: Amazon VPCs for Impact Level 4-5 data require a VPN connection and no Internet gateway (IGW).
  7. Simplifying Compliance: Key Concepts
      Know your compliance framework(s)
      • Translate compliance controls to technical implementation
      • Create and manage a pre-approved common security controls mapping to use when architecting for security and compliance
      Take advantage of capabilities the cloud provides
      • Infrastructure as Code
      • AWS services (CloudTrail, AWS Config, Amazon Inspector, etc.)
      • Partner solutions
      Automate standard implementations
  8. Automation. Why automate compliance?
      • Reduced time to ATO
      • Lower cost
      • Fewer resources required
      • Less human error
      • Consistency
      • Reproducible
  9. Automating Compliance in AWS
      Infrastructure as Code
      • Managed and controlled like software
      • Validate pre-deployment
      • Test-driven development (TDD) for security and compliance
      Standardization
      • Predefined guidelines, mapped to security controls
      • Consistent, reusable architecture and configuration
      Compliance at scale
      • Enforce policies across accounts, workloads, systems
      • Shared services for security, logging, monitoring, access control
      Transparency
      • Everything is an API call!
      • Auditability, logging
      • Continuous monitoring (CM) for both applications and infrastructure
  10. NIST QuickStart
  11. Accelerating the Journey to ATO (lifecycle diagram)
      Pre-Development: Architect for Compliance; Provide Baselines. Tools: Enterprise Accelerator for Compliance, AWS Service Catalog. Compliance control mapped to implementation method.
      Development: Develop Applications; Submit SSP. Tools: Enterprise Accelerator for Compliance, AWS OpsWorks, AWS Elastic Beanstalk. Developing with a predefined baseline implementing the control.
      Testing: Validate Architecture for Compliance; Integration Testing for Compliance; Submit for ATO (IATT). Tools: AWS CodePipeline, AWS Config. Validation & testing for the requirement.
      Production: ATO; Continuous Monitoring; Manage Security-Relevant Changes; Vulnerability Scanning. Tools: Amazon Inspector, AWS Config. Continuous monitoring for control implementation.
  12. Pre-Development
      Understand your compliance requirements
      • Compliance type(s): IRAP, NIST 800-53, ICD 503, DoD CSM, PCI, HIPAA, etc.
      Architect for compliance
      • Map security controls to technical implementation
      Predefine baselines
      • Examples: VPC configuration, connectivity, AWS Identity and Access Management (IAM) configuration, logging/monitoring
      • Baselines align with governance model
      (Lifecycle footer: Pre-Development – Architect for Compliance, Provide Baselines; Enterprise Accelerator for Compliance, AWS Service Catalog; compliance control mapped to implementation method)
  13. Enforced Deployment with AWS Service Catalog
      § Standardize deployment
      § Allow push-button build of common architectures based on compliance and use case
      § Provide a self-service model for workload owners
  14. Development
      Deploy predefined baseline environment
      • Service Catalog, CloudFormation
      Manage all AWS components as code
      • E.g. version control (AWS CodeCommit, Git, SVN)
      Take advantage of AWS services
      • AWS CodeDeploy/AWS CodePipeline
      • Elastic Beanstalk
      • CloudFormation, OpsWorks
      (Lifecycle footer: Development – Develop Applications, Submit SSP; Enterprise Accelerator for Compliance, AWS OpsWorks, AWS Elastic Beanstalk; developing with a predefined baseline implementing the control)
  15. AWS CloudFormation
      § Basic standard in AWS for automating deployment of resources
      § CloudFormation template
        − JSON-formatted document which describes a configuration to be deployed in an AWS account
        − When deployed, the result is referred to as a "stack" of resources
  16. Example: Multi-tier Security Groups (HTTP, SSH and DB-sync flows between EC2 tiers backed by EBS)
      • Ports 80 and 433 only open to the internet
      • Engineering staff have SSH access to the App Tier, which acts as a bastion
      • Authorized 3rd parties can be granted SSH access, such as to the Database Tier
      • All other internet ports blocked by default
      ISM controls addressed:
      • Control 0520 (Revision 5, Updated Apr-15, should, Authority AA): Network access controls should be implemented on networks.
      • Control 1182 (Revision 2, Updated Apr-15, should, Authority AA): Network access controls should be implemented to limit traffic within and between network segments to only those that are required for business operations.
  17. Testing
      Unit testing
      • Validate before deployment
      • Check AWS CloudFormation templates for non-compliant configurations
      Integration testing
      • Deploy infrastructure code into the AWS account
      • Run tests for validation (Config, Inspector, HBSS, partner products, etc.)
      Prepare for ATO
      • Submit predefined security controls mapping for simplified approval
      (Lifecycle footer: Testing – Validate Architecture for Compliance, Integration Testing for Compliance, Submit for ATO; validation & testing for the requirement)
  18. Testing Infrastructure Code
      Identify resource configurations in code that violate compliance
      • Example tools:
      Common points of compliance validation
      • Security group rules
      • Network Access Control List (network ACL) rules
      • IAM policies
      • S3 bucket policies
      • Elastic Load Balancing security policies
      Example: an AWS CloudFormation template contains a security group allowing unrestricted access to SSH. The slide's fragment, with SecurityGroupIngress written as the list CloudFormation requires and the world-open CIDR the slide describes filled in:

```json
"sg": {
  "Type": "AWS::EC2::SecurityGroup",
  "Properties": {
    "SecurityGroupIngress": [
      {
        "CidrIp": "0.0.0.0/0",
        "FromPort": 22,
        "ToPort": 22,
        "IpProtocol": "tcp"
      }
    ],
    "VpcId": "vpc-12345678"
  }
}
```
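A pre-deployment unit test of the kind slide 18 calls for, written here as an added example rather than code from the deck or from cfn-nag; it embeds a constructed template containing the slide's open-SSH group and assumes plain JSON templates with standard CloudFormation property names (the WORLD and ADMIN_PORTS names are mine):

```python
"""cfn-nag style unit test for CloudFormation security groups (added example, not
the deck's or cfn-nag's code). Flags SSH/RDP open to the world (slide 18) and
"ALL TRAFFIC" rules, which break NIST 800-53 SC-7(5) deny-by-default (slide 21)."""
import json

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _ingress_rules(props):
    """CloudFormation expects a list; tolerate a bare dict as on the slide."""
    rules = props.get("SecurityGroupIngress", [])
    return rules if isinstance(rules, list) else [rules]


def _open_to_world(rule):
    return rule.get("CidrIp") in WORLD or rule.get("CidrIpv6") in WORLD


def _covers_port(rule, port):
    return int(rule.get("FromPort", -1)) <= port <= int(rule.get("ToPort", -1))


def check_template(template):
    """Return (logical_id, finding) pairs for every non-compliant ingress rule."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]  # a standalone ingress resource carries the rule itself
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = _ingress_rules(props)
        else:
            continue
        for rule in rules:
            if str(rule.get("IpProtocol", "")) == "-1":
                findings.append((name, "ALL TRAFFIC rule violates SC-7(5) deny-by-default"))
            elif _open_to_world(rule):
                for port, label in ADMIN_PORTS.items():
                    if _covers_port(rule, port):
                        findings.append((name, f"{label} (port {port}) open to the world"))
    return findings


# Constructed sample: slide 18's open-SSH group, a compliant HTTPS group and an
# "ALL TRAFFIC" group for the SC-7(5) case.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "sg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "ssh", "VpcId": "vpc-12345678",
      "SecurityGroupIngress": [{"CidrIp": "0.0.0.0/0", "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp"}]}},
    "web": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "https", "VpcId": "vpc-12345678",
      "SecurityGroupIngress": [{"CidrIp": "0.0.0.0/0", "FromPort": 443, "ToPort": 443, "IpProtocol": "tcp"}]}},
    "openall": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "all", "VpcId": "vpc-12345678",
      "SecurityGroupIngress": [{"CidrIp": "10.0.0.0/8", "IpProtocol": "-1"}]}}
  }
}""")


if __name__ == "__main__":
    for name, finding in check_template(SAMPLE_TEMPLATE):
        print(f"FAIL {name}: {finding}")
```

In a pipeline, exit non-zero when check_template returns any findings so the template never reaches the integration-testing account.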
  19. Production
      Authority to Operate (ATO)
      • …but compliance doesn't end with ATO
      Continuous monitoring
      • Security-relevant changes to configuration
      Non-compliance
      • Continuously monitor for changes that violate compliance
      • Immediate notifications
      • Event-driven, automated remediation
      (Lifecycle footer: Production – Continuous Monitoring, Manage Security-Relevant Changes, Vulnerability Scanning; Amazon Inspector, AWS Config; continuous monitoring for control implementation)
  20. Validation – Closing the Loop
      AWS Config Rules
      • AWS Config Rules check whether your security design is deployed in existing environments
      • Accurate, complete audit
      • Continuous assessment, history
      • Cloud Governance Dashboard
      Amazon Inspector
      • Identify security issues in your applications
      • Enforce your organization's security standards
  21. Lifecycle of a Compliance Control: Example
      Control SC-7(5) Boundary Protection – Deny by Default/Allow by Exception: The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (that is, deny all, permit by exception). Requirement: rules with "ALL TRAFFIC" are not permitted in security groups.
      • Pre-Development: Enterprise Accelerator defines the required NIST 800-53 compliance control and maps it to a predefined implementation in a CloudFormation template.
      • Development: Enterprise Accelerator as the starting point for CloudFormation template development; base templates by default deny all ports except those required to be open. Starting point in development with templates which
      • Testing: Automated unit testing with the cfn-nag tool validates that the control is not being violated in a template; testing for security groups where all ports are open.
      • Production: Integration testing with Config verifies that a Config rule continuously monitors for violations of this control and takes corrective action if a violation is detected; if a security group changes, the Config rule immediately evaluates whether the rule changes violate the control.
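The production column of this lifecycle as an added example, not the deck's or the Enterprise Accelerator's code: a custom AWS Config rule Lambda that evaluates a changed security group against SC-7(5) and plans the corrective revoke. The configuration-item layout, the sg-… id and the function names are constructed by me; the evaluation logic is kept pure so it can be tested without AWS.

```python
"""Custom AWS Config rule enforcing NIST 800-53 SC-7(5) on security groups (added
example, not the deck's code). Evaluation and remediation planning are pure; only lambda_handler calls AWS."""
import json


def _cidrs(perm):
    """Collect CIDRs from either ipRanges layout seen in configuration items."""
    out = []
    for key in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
        for entry in perm.get(key, []):
            cidr = entry if isinstance(entry, str) else entry.get("cidrIp") or entry.get("cidrIpv6")
            if cidr:
                out.append(cidr)
    return out


def offending_permissions(config_item):
    """Ingress permissions with protocol -1, i.e. "ALL TRAFFIC" rules (the slide's requirement)."""
    perms = config_item.get("configuration", {}).get("ipPermissions", [])
    return [p for p in perms if str(p.get("ipProtocol")) == "-1"]


def evaluate(config_item):
    """Build the evaluation record that Config's PutEvaluations API expects."""
    bad = offending_permissions(config_item)
    if config_item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    elif bad:
        compliance, note = "NON_COMPLIANT", f"{len(bad)} ALL TRAFFIC ingress rule(s) violate SC-7(5)"
    else:
        compliance, note = "COMPLIANT", "no ALL TRAFFIC ingress rules"
    return {"ComplianceResourceType": config_item["resourceType"],
            "ComplianceResourceId": config_item["resourceId"],
            "ComplianceType": compliance, "Annotation": note,
            "OrderingTimestamp": config_item["configurationItemCaptureTime"]}


def revoke_params(config_item):
    """Arguments for ec2.revoke_security_group_ingress that remove only the offending rules."""
    perms = []
    for perm in offending_permissions(config_item):
        entry = {"IpProtocol": "-1"}
        v4 = [c for c in _cidrs(perm) if ":" not in c]
        v6 = [c for c in _cidrs(perm) if ":" in c]
        if v4:
            entry["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        if perm.get("userIdGroupPairs"):  # rule sourced from another security group
            entry["UserIdGroupPairs"] = [{"GroupId": p["groupId"]} for p in perm["userIdGroupPairs"]]
        perms.append(entry)
    return {"GroupId": config_item["resourceId"], "IpPermissions": perms}


def lambda_handler(event, context):
    """Invoked by Config on each security group change; revokes offenders on failure."""
    import boto3  # deferred so the pure functions above import without the AWS SDK
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = evaluate(item)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    if evaluation["ComplianceType"] == "NON_COMPLIANT":
        boto3.client("ec2").revoke_security_group_ingress(**revoke_params(item))
    return evaluation


# Constructed configuration item: one compliant HTTPS rule and one ALL TRAFFIC rule.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2016-08-01T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "-1", "ipRanges": ["10.0.0.0/8"], "userIdGroupPairs": []}]},
}
```

The Lambda's execution role needs config:PutEvaluations and ec2:RevokeSecurityGroupIngress, and the rule must be scoped to AWS::EC2::SecurityGroup so it fires on every change to a group.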
  22. Continuous Integration/Delivery + Compliance Automation (pipeline diagram)
      Dev (application): Write App Code → Version Control → Build/Compile Code → Unit Test App Code → Package Application → Artifact Repository → Deploy App, promoted through Dev, Test and Prod environments.
      IT Ops (infrastructure): Write Infra Code → Validate Infra Code → Build AMIs → Deploy Infra → Automate Deployment.
      • Start with predefined baselines built for compliance
      • Service Catalog portfolio of predefined architecture patterns
      • Maintain a library of pre-validated base architectures for dev users to modify and deploy
      • Validate infrastructure code using automated testing tools
  23. Automating Compliance: Tools & Services
      § AWS Compliance Enterprise Accelerator
        § CloudFormation-based customisable Quick Start
        § Addresses security/compliance requirements and AWS best practices
        § Knowledge transfer on the AWS security model
        § Standardized for specific use cases
        § Ready to be pre-approved by customer assessment organizations
        § Ready to deploy "out of the box"
      § CloudTrail, Config/Config Rules, Inspector
      § AWS Trusted Advisor
      § Partner solutions
  24. AWS Enterprise Accelerator for Compliance – Currently Available Quick Starts
      § NIST High baseline (featuring Trend Micro Deep Security)
      § NIST SP 800-53 (version 2.0)
      § DoD SRG (GovCloud)
      § Trusted Internet Connection
      § 800-171
      § PCI DSS
      § Secure Commercial Cloud Architecture (SCCA) – late July preview
  25. Security Through Automation – Compliance at Healthdirect Australia. Bruce Haefele, GM Technology
  26. Healthdirect Australia – About Us. Healthdirect Australia designs and delivers innovative services for governments to provide every Australian with 24/7 access to the trusted information and advice they need to manage their own health and health-related issues.
  27. Healthdirect Australia – Sharing Trusted Knowledge. No matter where people live, or what time of the day or night it is, they can talk to a professional, find trusted advice online about how to manage their issue, and locate the closest appropriate and open service that meets their needs. Services: mindhealthconnect, My Aged Care, healthdirect, Pregnancy, Birth and Baby, Carer Gateway, after hours GP helpline, Quitline, Get Healthy, National Health Services Directory.
  28. Current State – Healthdirect Platform and Services
      • Platform accredited to ISM Unclassified DLM
      • Currently hold data up to Sensitive:Personal
      • 99.95% availability per month, missed once in 4 years in AWS
      • Host 8 major service lines and corporate IT in AWS
      • 1.6 million visits to websites and 30 million transactions against the National Health Services Directory per month
      • Direct integrations to 160+ content partners and 100+ directory partners
      • All services certified or in IRAP assessment to Unclassified DLM
  29. Top Hacking Targets: government and healthcare in particular are at risk (source: TrendLabs 2015 Annual Security Roundup)
  30. Do More with Less in Half the Time – need to strike a balance between: brand risk, increased privacy, political risk, complexity, compliance requirements, faster time to market, less money, higher expectations, greater change, better usability.
  31. Healthdirect Patterns for Security – where automation in AWS helps address key ISM controls
      1. Standard build and configuration
      2. Configuration change management
      3. Privileged access management
      4. Vulnerability management
  32. Standard Build and Configuration – Sample ISM Controls (Ctrl. / Rev. / Updated / Applicability / Req. / Auth.: control statement)
      Developing SOEs
      • 1406 / 0 / Apr-15 / UD, P, C, S, TS / must / AA: When developing a new SOE, agencies must use the Common Operating Environment Policy produced by the Department of Finance.
      • 1407 / 1 / May-16 / UD, P, C, S, TS / should / AA: Agencies should use the latest release of the operating system.
      Hardening SOE configurations
      • 0383 / 4 / Apr-15 / UD, P, C, S, TS / must / AA: Agencies must ensure that default operating system accounts are disabled, renamed or have their passphrase changed.
      • 0380 / 5 / Apr-15 / UD, P, C, S, TS / must / AA: Agencies should remove or disable unneeded operating system accounts, software, components, services and functionality.
      • 1410 / 0 / Apr-15 / UD, P, C, S, TS / must / AA: Local administrator accounts must be disabled.
      • 0382 / 4 / Apr-15 / UD, P, C, S, TS / must not / AA: Users must not have the ability to install, uninstall or disable software.
      Hardening application configurations
      • 1411 / 0 / Apr-15 / UD, P, C, S, TS / should / AA: Agencies should enable and configure any in-built security functionality in applications, and disable any unrequired functionality.
      Application whitelisting
      • 0843 / 5 / Apr-15 / UD, P, C, S, TS / must / AA: Agencies must use an application whitelisting solution within SOEs to restrict the execution of programs and DLLs to an approved set.
      • 0845 / 5 / Apr-15 / UD, P, C, S, TS / should / AA: Agencies should restrict users and system administrators to a subset of approved programs, DLLs, scripts and installers based on their specific duties.
      Software-based application firewalls
      • 1416 / 0 / Apr-15 / UD, P, C, S, TS / must / AA: Agencies must use software-based application firewalls within SOEs to limit both inbound and outbound network connections.
      Antivirus and internet security software
      • 1417 / 0 / Apr-15 / UD, P, C, S, TS / must / AA: Agencies must use antivirus or internet security software within SOEs.
  33. Standard Operating Environment – a sample of Healthdirect's stack for the SOE: CIS base AMI; host intrusion prevention/detection, antivirus and antimalware; configuration management agent; monitoring agent; logging agent; privileged access management agent; encryption agent; hardening configuration.
  34. Standard Build and Configuration – continuous delivery of infrastructure as code (diagram). Components: orchestration manager, provisioning server, configuration manager, configuration repository (CIS hardening config, Tomcat config, Nginx config, database config), provisioning repository (stack template), existing environment (VPC), test server. Flow: provision → configure → test.
  35. Change Management – ISM Controls (Ctrl. / Rev. / Updated / Applicability / Req. / Auth.: control statement)
      Change management process
      • 1211 / 0 / Sep-12 / UD, P, C, S, TS / must / AA: Agencies must have a formal change management process in place.
      • 0912 / 4 / Sep-12 / UD, P, C, S, TS / should / AA: Agencies should ensure their change management process includes:
        − a policy which identifies which changes need to go through the formal change management process
        − documenting the changes to be implemented
        − formal approval of the change request
        − maintaining and auditing logs of all changes
        − conducting vulnerability management activities when significant changes have been made to the system
        − testing and implementing the approved changes
        − updating the relevant information security documentation including the SRMP, SSP and SOPs
        − notifying and educating users of the changes that have been implemented as close as possible to the time the change is applied
        − continually educating users in regard to changes.
      • 0115 / 2 / Nov-10 / UD, P, C, S, TS / must / AA: Agencies must ensure that for routine and urgent changes:
        − the change management process, as defined in the relevant information security documentation, is followed
        − the proposed change is approved by the relevant authority
        − any proposed change that could impact the security of a system is submitted to the accreditation authority for approval
        − all associated information security documentation is updated to reflect the change.
      • 0117 / 2 / Nov-10 / UD, P, C, S, TS / must / AA: The change management process must define appropriate actions to be followed before and after urgent changes are implemented.
  36. Change Management – Continuous Configuration Monitoring (diagram). The configuration manager fetches the running configuration from the agent on the application server (e.g. session.timeout = 3600), compares it with the version held in the configuration repository (fetch config → compare configs, ≠) and restores the repository configuration when they differ.
  37. Privileged Access Management – Sample ISM Controls (Ctrl. / Rev. / Updated / Applicability / Req. / Auth.: control statement)
      Use of privileged accounts
      • 1175 / 2 / May-16 / UD, P, C, S, TS / must / AA: Agencies must prevent users from using privileged accounts to read emails, open attachments, browse the Web or obtain files via internet services such as instant messaging or social media.
      • 0445 / 5 / Apr-15 / UD, P, C, S, TS / must / AA: Agencies must restrict the use of privileged accounts by ensuring that:
        − the use of privileged accounts is controlled and auditable
        − system administrators are assigned a dedicated account to be used solely for the performance of their administration tasks
        − privileged accounts are kept to a minimum
        − privileged accounts are used for administrative work only
        − passphrases for privileged accounts are regularly audited to check they meet passphrase selection requirements
        − passphrases for privileged accounts are regularly audited to check the same passphrase is not being reused over time or for multiple accounts (particularly between privileged and unprivileged accounts)
        − privileges allocated to privileged accounts are regularly reviewed.
      Restriction of management traffic flows
      • 1386 / 1 / Apr-15 / UD, P, C, S, TS / should / AA: Agencies should only allow management traffic to originate from network zones that are used to administer systems and applications.
      Hardening SOE configurations
      • 1345 / 1 / Apr-15 / UD, P, C, S, TS / must / AA: Agencies must disable devices from simultaneously connecting to two different networks.
  38. Privileged Access Management – Centralised Control and Audit of Privileged Users (diagram: privileged access manager, user policy agent, user audit agent, Policy A, Policy B)
      • Strong authentication, including MFA
      • Credential management
      • Policy-based, least-privilege access control
      • Session recording, auditing, attribution
      • Command filtering
      • Application password management
  39. Vulnerability Management – Sample ISM Controls (Ctrl. / Rev. / Updated / Applicability / Req. / Auth.: control statement)
      Vulnerability management strategy
      • 1163 / 1 / Sep-12 / UD, P, C, S, TS / should / AA: Agencies should implement a vulnerability management strategy by:
        − conducting vulnerability assessments on systems throughout their life cycle to identify vulnerabilities
        − analysing identified vulnerabilities to determine their potential impact and appropriate mitigations or treatments based on effectiveness, cost and existing security controls
        − using a risk-based approach to prioritise the implementation of identified mitigations or treatments
      Patching vulnerabilities
      • 1143 / 4 / Apr-15 / UD, P, C, S, TS / must / AA: Agencies must develop and implement a patch management strategy covering the patching of vulnerabilities in operating systems, applications, drivers and hardware devices.
      • 0297 / 3 / Apr-15 / UD, P, C, S, TS / should / AA: Agencies should monitor relevant sources for information about new vulnerabilities and associated patches for operating systems, applications, drivers and hardware devices.
      When to patch vulnerabilities
      • 1144 / 7 / May-16 / UD, P, C, S, TS / must / AA: Security vulnerabilities in operating systems, applications, drivers and hardware devices assessed as extreme risk must be patched or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent 3rd parties, owners or users.
      • 0940 / 6 / Apr-15 / UD, P, C, S, TS / must / AA: Vulnerabilities in operating systems, applications, drivers and hardware devices assessed as below extreme risk must be patched or mitigated as soon as possible.
      How to patch vulnerabilities
      • 0298 / 5 / Apr-15 / UD, P, C, S, TS / should / AA: Where possible, a centralised and managed approach should be used to patch operating systems, applications, drivers and hardware devices.
      • 0303 / 4 / Apr-15 / UD, P, C, S, TS / must / AA: Agencies must use an approach for patching operating systems, applications, drivers and hardware devices that ensures the integrity and authenticity of patches as well as the processes used to apply them.
  40. Vulnerability Management – Automated Linux Patching Pattern (diagram). Upstream RPM repos are synced to a local RPM repo between ap-southeast-1 and ap-southeast-2; the patch manager, configuration manager, orchestration manager and provisioning manager drive the steps shown: remove AZ1 nodes from the ELB; provision new ELBs and routes; patch the nodes, updating against the local RPM repo; run the automated test suite from the test server; restore the original configuration.
  41. Vulnerability Management – Automated Compliance Scanning (diagram). A scanner in the admin VPC scans Application A and Application B in the environment VPC and publishes its results to the compliance manager.
  42. What does this mean? Benefits for Healthdirect in AWS
      • Smarter continuous compliance through automation
      • Staff time spent on review and exception management, NOT maintenance
      • More consistent application of controls
      • Detailed documentation through codification
      • Faster deployments – from weeks to minutes
      • Fewer mistakes, misconfigurations and mismatches between environments
      • Security designed and built into each iteration of a solution
      • Read-only access to Production for humans
  43. Where to next? In progress at Healthdirect Australia
      • Containerised micro-services
      • Easier patch management
      • Improved security testing
      • Holistic change management
      • Better use of resources
      • Logging and monitoring for behavioural visibility
      • Metacontainer environments
  44. Summary – think like a coder!
      • Choose products that have open APIs
      • Use AWS and Marketplace options
      • Design for human touchpoints in the process
      • Look to standardise and reuse
      • Start simple and iterate – evolve the code through Development, Test and Production
      • Look for the high-value, low-effort fit
      • Manage everything in a repository – configuration = documentation
      • Build testing into the process
  45. Additional Resources: AWS Risk & Compliance Whitepaper; AWS Quick Start Reference Deployments; AWS Compliance
  46. AWS Training & Certification
      • Intro videos & labs: free videos and labs to help you learn to work with 30+ AWS services – in minutes!
      • Training classes: in-person and online courses to build technical skills – taught by accredited AWS instructors
      • Online labs: practice working with AWS services in a live environment – learn how related services work together
      • AWS Certification: validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready
      Learn more: