Find out how the Xero Cloud Security team deals with the accelerated pace of security brought about by cloud innovation occurring at Xero as they migrate “all-in” into the AWS cloud. Xero will share the Cloud Security team’s journey to the cloud, key success and learning points, as well as how they worked with Bulletproof to implement automated, repeatable and on-demand security with AWS that works at any scale. You will leave this session with actionable real-world knowledge & how to achieve AWS security posture best practices at minimal cost while delivering high value.

2. How Xero
Accelerated Security
Innovation on AWS

3. Hello!
Jeremy Vincent
Solution Architect
Bulletproof
Aaron McKeown
Lead Security Architect
Xero
Neil Ramsay
Cloud Engineer
Bulletproof

4. What can you expect today?
An overview of:
• Xero
• AWS Migration Project
• AWS Security Principles
• Key Project Learnings
• Bulletproof
• Cloud Security Considerations
• Secure by Design Guidance

5. Who are we?
• Cloud House merged with Bulletproof in 2016
• First Premier Partner in A/NZ
• ASX listed (ASX:BPF)
• Only Premier Partner in NZ
• End-to-end Cloud services provider.
• 700+ customers
• 16+ years of experience
• We help you disrupt, transform and innovate

6. Aaron McKeown,
Lead Security Architect
How Xero Accelerated
Security on AWS

7. Beautiful cloud-based
accounting software
Connecting people with the right numbers
anytime, anywhere, on any device

8. 1450+
Staff globally
$
474m
raised in capital
$
202m
sub revenue FY16
23m+
businesses have interacted
on the Xero platform
$
1tr
incoming and outgoing
transactions in past 12 mths
450m
incoming and outgoing
transactions in past 12 mths
All figures shown are in NZD

9. 2009 2010 2011 2012 2013 2014 2015 2016
Paying subscribers
700,000+
Subscribers globally

10. Public cloud
migration
Improving data protection
Eliminating scheduled downtime
Maintaining and improving security
Support the next wave of growth
Reducing our per customer cost

11. Security Considerations
in the Cloud

12. Approach: AWS Cloud Security
Security is a Journey
High Pace of Innovation with Cloud
Automation is key

13. How?
AWS Cloud Security
Focus on API Security
Fast rate of change
Cloud native systems with
consistent security capabilities

14. How?
AWS Cloud Security
Focus on API Security
AWS IAM
Fast rate of change
AWS
CloudFormation
Cloud native systems with
consistent security capabilities
AWS
KMS
AWS
CloudTrail
AWS
Config
CloudWatch
Logs
CloudWatch
Alarms
AWS IAM

15. How?
Automation
Version
Control
CI Server
Package
Builder
Deploy
Server
Commit to
Git/masterOps
Get /
Pull
Code
AMIs
Distributed Builds
Run Tests in parallel
Staging Env
Test Env
Code
Config
Tests
Prod Env
Push
Config
Install
Create
Repo
CloudFormation
Templates for Environment
Generate

16. Xero AWS Security
Overview

17. Key principles
Repeatable and
automated build and
management of
security systems
Accelerated pace of
security innovation
On-demand security
infrastructure that
works at any scale

18. Security as a service
VPN
connectivity
Host
Based
Security
Web
Application
Security
and
Delivery
Shared Key
Management
Services
Security
Operations
and
Consulting
Services
Secure
Bastion
Access
Proxy
Services

19. AWS Security Guidance
Recommendations

20. Secure by Design
AWS Cloud Security
Account structure VPC structureService mapping
Key services VisibilityLogging/Monitoring Secure Bastions

21. Secure by Design
Account Structure

22. Secure by Design
Account Structure
Billing
Non-Production
Development
Shared Services
UAT
Production
Production
Staging
Shared Services
Identity
Security

23. Secure by Design
Service Mapping

24. Secure by Design
Service Mapping
Non-Production
Development
Shared
Services
UAT
Security
Production
Staging
Shared
Services
Production
Identity
AWS IAM
AWS
KMS
IAM Roles
IAM Roles
IAM Policy
IAM Policy
Billing
IAM Roles
IAM Policy
AWS
CloudTrail
AWS
Config
Config
S3 Bucket
CloudTrail
S3 Bucket
CloudTrail
Glacier Vault
Config
Glacier Vault
IAM Users
CloudWatch Logs CloudWatch
Alarms
IAM Groups
SNS Email
Notifications

25. Secure by Design
VPC Structure

26. Secure by Design
VPC Structure
Production
Shared Services
Internet
Gateway
DMZ “Public” Zone
Protected “Private” Zone
Router
VPC
Peering
Secure
Bastion
WAF
NGFW
ADFS
Amazon
CloudFront
VPC
Peering
Production
EC2 Workloads
PKI
AD
Staging
EC2 Workloads
Outbound
Proxy
NTP DNS
S3 VPC
Endpoint
IPSec VPN
Connection
Internet
Servers
Amazon
Route 53
VPC Flow Log
S3 VPC
Endpoint
VPC Flow Log
Static Assets
S3 Bucket
VPN
Gateway
Corporate Data Center
Customer
Gateway
VPN
Gateway
Backup
S3 Bucket

27. Secure by Design
VPC Peering
Production
Shared Services
Internet
Gateway
DMZ “Public” Zone
Protected “Private” Zone
Router
VPC
Peering
Secure
Bastion
WAF
NGFW
ADFS
Amazon
CloudFront
VPC
Peering
Production
EC2 Workloads
PKI
AD
Staging
EC2 Workloads
Outbound
Proxy
NTP DNS
S3 VPC
Endpoint
IPSec VPN
Connection
Internet
Servers
Amazon
Route 53
VPC Flow Log
S3 VPC
Endpoint
VPC Flow Log
Static Assets
S3 Bucket
VPN
Gateway
Corporate Data Center
Customer
Gateway
VPN
Gateway
Backup
S3 Bucket

28. Secure by Design
VPC Endpoints
Production
Shared Services
Internet
Gateway
DMZ “Public” Zone
Protected “Private” Zone
Router
VPC
Peering
Secure
Bastion
WAF
NGFW
ADFS
Amazon
CloudFront
VPC
Peering
Production
EC2 Workloads
PKI
AD
Staging
EC2 Workloads
Outbound
Proxy
NTP DNS
S3 VPC
Endpoint
IPSec VPN
Connection
Internet
Servers
Amazon
Route 53
VPC Flow Log
S3 VPC
Endpoint
VPC Flow Log
Static Assets
S3 Bucket
VPN
Gateway
Corporate Data Center
Customer
Gateway
VPN
Gateway
Backup
S3 Bucket

29. Secure by Design
Key Services

30. Secure by Design
CloudTrail
CloudTrail Settings
 All Regions (Multi-Region setting)
 Log File Integrity Validation
 Log File Encryption with KMS
S3 Bucket Policy
 Restrict Authorised Users to have Read-Only access
 Allow Only the CloudTrail service to have Write access
Day One
AWS
KMS
AWS
CloudTrail
CloudTrail
S3 Bucket
CloudTrail
Glacier Vault
S3 Lifecycle Rules

31. Secure by Design
Config
Config Settings
 All Regions (No multi-region setting, so Automate)
 Enable All available Resource Types for tracking
S3 Bucket Policy
 Restrict Authorised Users to have Read-Only access
 Allow Only the Config service to have Write access
Day One
AWS
Config
Config
S3 Bucket
Config
Glacier Vault
S3 Lifecycle Rules

32. Secure by Design
Identity and Access Management (IAM)

33. Secure by Design
Identity and Access Management (IAM)
AWS IAM
Amazon
EC2
AWS Elastic
Beanstalk
AWS
Lambda
Amazon
CloudFront
Amazon
S3
Amazon
DynamoDB
Amazon
RDS
Amazon
Redshift
Amazon
VPC
Amazon
Route 53

34. Identity and Access Management

35. IAM for Identity Account: Authentication

36. IAM for Identity Account: AWS Console
+

37. IAM for Identity Account: API
+

38. IAM for Identity Account: MFA for Humans

39. IAM Roles
Build
Repair
Audit

40. Identity
IAM Cross Account Roles
Non-Production
Production

41. IAM Guard Rails
customer
gateway
VPN
gateway
VPN
connection
CloudTrail Config KMS IAM

42. IAM Roles: Limited Time Only

43. Secure by Design
Logging and Monitoring

44. Logging/Monitoring
API
AWS
CloudTrail
CloudWatch
Logs
CloudTrail
S3 Bucket
CloudTrail
Glacier Vault
Lifecycle Rules
AWS Config Config S3
Bucket
Config
Glacier Vault
Lifecycle Rules
AWS
Lambda
CloudWatch
Alarms
CloudWatch
Metric Filters
SNS Email
Notifications
Alarm
Amazon Elasticsearch
Service
OR

45. Logging/Monitoring…
OS
Network
Storage Access Logs
Access Logs
S3 Bucket
Access Logs
Glacier Vault
Lifecycle Rules
S3 Bucket
Access Logs
Access Logs
S3 Bucket
Access Logs
Glacier Vault
Lifecycle Rules
Amazon
CloudFront
CloudWatch
Logs
CloudWatch
Alarms
CloudWatch
Metric Filters
SNS Email
NotificationsAmazon EC2
Log Events
Elastic Load
Balancing
Access Logs
Access Logs
S3 Bucket
Access Logs
Glacier Vault
Lifecycle Rules
VPC Flow Log CloudWatch
Logs
CloudWatch
Alarms
CloudWatch
Metric Filters
SNS Email
Notifications
Packets Log Events

46. Secure by Design
Visibility
• CloudTrail, Config and the AWS Console
provide a lot of great information
• Can be hard to find the needle in the
haystack...
• Enter Netflix OSS Security Monkey
“You can’t secure what you don’t know about…”

47. Secure by Design
Security Monkey

48. Security Monkey: Overview

49. Security Monkey: Overview - Search

50. Security Monkey: Overview - Resources

51. Security Monkey: Users with Admin

52. Security Monkey: Users with Admin

53. Security Monkey: Users with Admin – What Changed?

54. Security Monkey: VPCs with IGWs

55. Secure by Design
Secure Bastions

56. Challenge
Secure Bastions
RDP/SSH
Internet
Internet
Bastion
Your Data
SQL
Server
Pivot

57. Solution
Secure Bastions: Multi-Factor Authentication
RDP
Bastion
Secure
Bastion
HTTPS
Internet

58. Duo Login to Windows

59. Duo Login to Windows: MFA Prompt

60. Duo Login to Windows: Duo Mobile App

61. Duo Login to Linux

62. Solution
Secure Bastions: Dedicated
SQL Mgmt
RDP
RDP
SQL
Server
SQL Tools
Server
Secure
Bastion

63. Solution
Secure Bastions: Restrict Network Egress
RDP
Secure
Bastion
SQL Tools
Server
RDP
SQL
Server
Internet

64. Solution
Secure Bastions: Restrict EC2 Instance Profiles
RDP
Secure
Bastion
IAM Role
IAM Policy
Temporary
AWS CredsLogged-in
User
“Secure Bastion”
EC2 Instance
Profile
Delete RDS
SQL DB

65. Solution
Secure Bastions: Restrict EC2 Instance Profiles
SQL Tools
Server
Temporary
AWS Creds
Logged-in
User
RDP
Secure
Bastion
IAM Role
IAM Policy
Temporary
AWS CredsLogged-in
User
“Secure Bastion”
EC2 Instance
Profile
Delete RDS
SQL DB
Create RDS
SQL DB
“SQL Tools”
EC2 Instance
Profile

66. Solution
Secure Bastions: Disposable
7 Days
EBS Snapshot
Forensics
Secure
Bastion
Secure
Bastion
“Golden Image”
AMI
Deploy

67. Key learnings

68. Key learnings
Measure and Test, Monitor Everything
Welcome to the cloud -
"Where's my span port"?
Security by Design -
What's that?
Communication is Key -
Who are your spokespeople?

69. Final takeaways
Repeatable and
Automated build and
management of
Security Systems
Accelerated pace of
security innovation
On-Demand security
infrastructure that
works at any scale

70. What can I do today?

71. Things you can do right now
User MFA
Tokens
AWS
Config
AWS
CloudTrail

72. Things you should consider
Netflix
Security Monkey
Duo
MFA
Granular Roles

73. Only A/NZ AWS Premier Partner at the Summit

74. Over 700+ Happy Customers

75. What you can do today
• Visit us at stand: P2
• Contact us to discuss your requirements
salesnz@bulletproof.net | 0800 258 773
• Enter our draw to win an Amazon Echo

76. Beautiful accounting software
www.xero.com

77. Thank you
Visit us at stand P2 to ask questions