As more SaaS businesses come online, it is critical that they follow security architecture and operational best practices. The changing regulatory framework set by agencies such as the SEC and the FTC requires SaaS companies to implement security best practices.
AWS Security Best Practices, SaaS and Compliance
1. Tuesday, 9th Feb 2016
AWS Security Best Practices, Real-world examples and Common Mistakes
GP
CEO and Founder
www.stackArmor.com
@cloudpalgp
https://www.linkedin.com/in/gppal
gpal@stackarmor.com
2. SaaS, Security and AWS
PROPRIETARY AND CONFIDENTIAL INFORMATION OF STACKARMOR
Cloud Solutions Architect and Technology Strategist
• Focused on full-stack security and operations management
• Cloud automation and business process acceleration
• Cybersecurity Policies, Procedures and Tactics
Supported the first AWS cloud migration in 2009 for Recovery.gov and have successfully led multiple large enterprise cloud modernization programs in regulated industries, Financial Services and Healthcare.
4. Business Landscape
• Data breaches are “daily” news
• Regulators are starting to take notice
◦ FTC versus Henry Schein Practice Solutions, Inc., Jan 5th, 2016
◦ SEC versus R.T. Jones Capital Equities Management, Sep 22nd, 2015
• NIST Cybersecurity Framework is “standard of care”
◦ http://www.nist.gov/cyberframework/
◦ HIPAA, FISMA, FedRAMP, PCI-DSS, ISO 27001
• Cybersecurity is a Board level issue
5. Technology Landscape
• AWS/Cloud “takes care of everything”!!
◦ Shared Responsibility Model
• Managed Services and Processes required
◦ Patching and Vulnerability Management
◦ Boundary protection and monitoring
◦ Logging and Centralized log analysis
◦ Backups/Restore
• SaaS shops tend to be strong on the Dev but weak on Ops
• Network Engineering, Security Zoning, Boundary Protection and Enclave Hardening are not well understood
6. What??
“…while doing cloud hosting cost analysis for a venture funded start-up, we noticed heavy data egress charges. A simple analysis revealed that a hacker had penetrated the platform and downloaded the firm’s database and IP. The vulnerability was traced to an un-patched server.”
“The Technology team of a SaaS startup with Fortune 500 customers is operating their environment in a cloud environment without any intrusion detection and prevention systems such as web application firewalls, thereby creating third-party risk.”
“…a SaaS startup exposed their access secret key in their web application in plain view for anyone to access. This could have allowed someone to wipe out the firm’s entire production and operational platform…”
8. Top Security “Booboos”
Common poor security mistakes, each with a comment:
1. Creating unnecessary access and secret keys for IAM users. Comment: console users don’t need keys.
2. Using developer keys instead of instance roles for accessing instances. Comment: use instance roles, which provide temporary credentials for accessing AWS resources.
3. Wide open inbound rules in security groups. Comment: restrict entry to specific ports and IP addresses as required.
4. Lack of restrictions on production instances. Comment: any user can perform actions on production instances; provision IAM roles that allow for separation of duties.
5. Poor segmentation and zoning of application and data components into public and private sub-nets. Comment: proper zoning through sub-nets allows for segregating netflow and blackholing requests in the event of an attack.
6. Lack of boundary protection (IDS, IPS, VPN). Comment: consider using WAF, IPS/IDS and VPN solutions.
7. Inconsistent patch management and vulnerability scanning. Comment: create an information security policy with a patching schedule, with roles, responsibilities and reporting.
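Mistake 3 above (wide open inbound rules) is easy to check mechanically. The following added example is not part of the deck; it audits security group data in the IpPermissions shape returned by EC2 DescribeSecurityGroups and flags every inbound rule whose source is 0.0.0.0/0 or ::/0, rating an all-ports rule higher than a single expected web port. SAMPLE_GROUPS is a constructed input, not a real account.

```python
"""Flag security-group inbound rules open to the Internet (mistake 3 above).
The input mirrors the IpPermissions shape of EC2 DescribeSecurityGroups;
SAMPLE_GROUPS is constructed for illustration, not taken from a real account."""
from typing import Dict, List

WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" sources, IPv4 and IPv6
PUBLIC_OK = {80, 443}          # ports a web tier is expected to expose


def open_inbound_rules(group: Dict) -> List[Dict]:
    """One finding per inbound rule of `group` that is reachable from anywhere."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources = [c for c in cidrs if c in WORLD]
        if not sources:
            continue
        proto = perm.get("IpProtocol", "-1")
        if proto == "-1":  # all protocols implies every port
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if (lo, hi) == (0, 65535):
            severity = "high"    # every port exposed
        elif lo == hi and lo in PUBLIC_OK:
            severity = "info"    # a single expected web port
        else:
            severity = "medium"  # e.g. SSH, RDP or a database port
        findings.append({"group": group["GroupId"], "protocol": proto,
                         "ports": f"{lo}-{hi}", "sources": sources,
                         "severity": severity})
    return findings


def audit(groups: List[Dict]) -> List[Dict]:
    """Audit every group; findings come back in the order encountered."""
    return [f for g in groups for f in open_inbound_rules(g)]


SAMPLE_GROUPS = [  # constructed sample
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

Running `audit(SAMPLE_GROUPS)` reports the public 443 rule as info, the all-protocol rule on sg-db as high and the world-open 3306 rule as medium, while the SSH rule limited to 10.0.0.0/8 produces no finding.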
10. Logging and Monitoring…
• AWS VPC Flow Logs
◦ Most Talkers
◦ Rejected Traffic
• AWS CloudTrail
◦ Who deleted my instances?
◦ Who is asking for old or deleted keys?
• AWS Config
◦ Configuration Management
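The two VPC Flow Log questions on this slide, most talkers and rejected traffic, come straight out of the log fields. The following added example is not part of the deck; it assumes the default version 2 space-separated flow log format and runs over SAMPLE_LOG, a constructed set of records rather than data from a real VPC.

```python
"""Summarise VPC Flow Log records: most talkers and rejected traffic (slide 10).
Assumes the default (version 2) space-separated flow log format; SAMPLE_LOG is
constructed for illustration and does not come from a real account."""
from collections import Counter
from typing import Dict, List, Tuple

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 49152 443 6 20 4000 1454973600 1454973660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51000 22 6 5 300 1454973600 1454973660 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51001 3389 6 5 300 1454973600 1454973660 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.9 49153 443 6 60 90000 1454973600 1454973660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51002 22 6 5 300 1454973660 1454973720 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1454973660 1454973720 - NODATA
"""


def parse(text: str) -> List[Dict[str, str]]:
    """Parse flow log lines, dropping malformed and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line; a real pipeline would count these
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":  # NODATA/SKIPDATA carry no flow fields
            records.append(rec)
    return records


def top_talkers(records: List[Dict[str, str]], n: int = 3) -> List[Tuple[str, int]]:
    """Source addresses ranked by total bytes sent."""
    by_src: Counter = Counter()
    for r in records:
        by_src[r["srcaddr"]] += int(r["bytes"])
    return by_src.most_common(n)


def rejected(records: List[Dict[str, str]]) -> List[Tuple[Tuple[str, str], int]]:
    """(source, destination port) pairs blocked by a security group or NACL."""
    pairs = Counter((r["srcaddr"], r["dstport"])
                    for r in records if r["action"] == "REJECT")
    return pairs.most_common()


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("most talkers:", top_talkers(recs))
    print("rejected:", rejected(recs))
```

In the sample, the repeated REJECT entries from one external source against ports 22 and 3389 are the pattern worth alerting on.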
14. Tools of our Trade
1. Web Application Firewalls: FortiWeb, Sophos, AWS WAF
2. IDS: Snort
3. Monitoring: Splunk, Elasticsearch, Sensu, Palerra, Sumo Logic
4. Vulnerability Scanning: Nessus, Retina, OpenVAS
5. Web Application Scanning: Acunetix, Nessus
6. Compliance: OpenSCAP
7. QA/Code Quality: SonarQube
8. Static Code Scanning: Checkmarx
9. Security Operations Center: OpenSOC
15. Compliance
Documents and their descriptions:
• Basic Security Policy: this document provides a basic set of high-level security policies that allow the client to state that they have a security policy in place, which can serve as an initial baseline.
• Assessment Plan: a checklist security assessment, basically a self-assessment with questions asked by an experienced Information Assurance Analyst to demonstrate understanding and maturity of the cybersecurity posture.
• High Level Security Assessment Report: a Security Assessment Report (SAR) that summarizes the scope, approach, and high-level findings.
• Vulnerability and Penetration Testing: automated scans with basic parameters and the auto-generated reports they produce. This includes working with the technology team to perform a re-test to ensure that any technical remediation that has been applied adequately addressed the vulnerabilities found.
• Attestation Letter: generally speaking, an external third party should be engaged to execute the assessment and be asked to provide an attestation letter that describes the nature of the assessment, the findings and the remediation conducted.
17. Reference Links
- SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior To Breach
  https://www.sec.gov/news/pressrelease/2015-202.html
- Dental Practice Software Provider Settles FTC Charges It Misled Customers About Encryption of Patient Data
  https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled
- FTC has power to police cyber security: appeals court
  http://www.reuters.com/article/us-wyndham-ftc-cybersecurity-idUSKCN0QT1UP20150824
- Contractor breach gave hackers keys to OPM data
  http://www.federaltimes.com/story/government/omr/opm-cyber-report/2015/06/23/keypoint-usis-opm-breach/28977277/
- Great security blog
  http://krebsonsecurity.com/