© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Patrick McDowell, AWS
Tim Sandage, AWS
Jacobi Carter, Okta
November 29, 2016
Advanced Techniques for Managing Sensitive Data in the Cloud
GPST403
Build Your Own Self-Defending Environment
• DevSecOps turns security and compliance into code
• Security now moves at the speed of Lambda: milliseconds!
• Serverless & AWS high-level services (KMS, Lambda, CloudWatch Events (CWE)) do the heavy lifting
• Automation IS your 24/7 SOC!
How can you protect 1000s of customers' data?
• KMS gives you advanced key management via an API
• Built for the enterprise, simple enough for everyone!
• HSA-backed service
• Integrates with EBS and S3 seamlessly
• You control the key lifecycle
• Auditable via AWS CloudTrail
• Import keys from on-premises
“Key” Strategies for Dealing with N Customers
• Use one key per customer
• Gives customers the guarantee that nobody else shares their key
• Enable rotation on an annual basis
Mapping KMS key hierarchy to Okta key hierarchy
• Region master key
  • Unique per region
  • Encrypts tenant master key
• Tenant master key
  • Unique per tenant
  • Encrypts tenant data key
• Tenant data key
  • Encrypts data
Multiregion encryption and decryption
• Encrypt & store tenant key encrypted by each region key
• Decrypt talks to closest KMS region
• RSA public key used for encrypt only
• Private key provided to service only in event of KMS outage
[Diagram: Service and DB; KMS East and KMS West, each with a Region master key; Tenant master key; RSA Key]
Separation of Duties for Cryptographic Keys
• Do not allow operators to manage key policies
  • This gives too much power to operators; their ability should only be ‘may use key X to perform Y function’
• Designate Key Custodians who only manage the lifecycle of keys
  • Custodians can never operationalize keys
• Use IAM Roles to decrypt data via a KMS key
  • Individuals should not have this power; leave it to your application!
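As an added example (not from the talk), a small checker that reads a KMS key policy and confirms the separation the slide asks for: custodians get lifecycle actions only, the application role gets usage actions only, and no principal gets both. The policy, account id and role names are constructed.

```python
import fnmatch

# Constructed example key policy (not from the talk); account id and role names are made up.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CustodiansManageLifecycle", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyCustodian"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "ApplicationRoleUsesKey", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/PaymentsApp"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
    ],
}

# Representative actions for each duty; a statement granting any of them holds that duty.
LIFECYCLE_ACTIONS = {"kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey"}
USAGE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants(patterns, actions):
    # True if any action pattern (IAM wildcards allowed) matches any of the actions
    return any(fnmatch.fnmatchcase(a, p) for p in patterns for a in actions)

def duties(policy):
    """Map each allowed principal to the duties ('lifecycle', 'usage') it holds."""
    held = {}
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        patterns = _as_list(st.get("Action", []))
        for arn in arns:
            d = held.setdefault(arn, set())
            if _grants(patterns, LIFECYCLE_ACTIONS):
                d.add("lifecycle")
            if _grants(patterns, USAGE_ACTIONS):
                d.add("usage")
    return held

def sod_violations(policy):
    """Principals that can both manage the key lifecycle and operationalize the key."""
    return sorted(arn for arn, d in duties(policy).items() if {"lifecycle", "usage"} <= d)
```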
Use KMS for Crypto in Your Own Code
• Client-side encryption is for YOUR engineering teams
  • They need to generate a key and encrypt data
  • Then protect that key after it was used
• Use the AWS Encryption SDK to make development of applications handling secure data easy
• Use these tools to encrypt data anywhere in any service
• KMS is a publicly available API
DevSecOps, KMS, and Incident Response
• Security is code. Response is automatic.
• Integrate KMS into your security and incident response procedures
• KMS protects data in ways that were never possible before
• Leverage CWE and Lambda to notify your security teams and react instantly to key misuse
The Triggers: CloudWatch Events & CloudTrail
• Amazon CloudWatch Events delivers a near real-time stream of system events
• AWS CloudTrail records AWS API calls
• Your threat model should include high-impact events from each source
• CWE adds velocity to your response
Critical KMS Events or Incidents to Automate
• Bulk decryption of data with a single key (e.g., the entire transaction history of a customer)
• Decryption of data across sets of customers from many or all keys
• Key deletion
• Uncorrelated app & AWS logs
Security & Incident Response Scenario
• Privileged user or role with access to KMS keys
• Typically this principal would operate within the confines of a single key
• CWE starts notifying you of an unusual number of ‘Decrypt’ calls
Lambda, Serverless, and DevSecOps
• Parse CloudWatch Events through Lambda
• Lambda has the custom code to detect if bulk decryption of data is occurring
• Lambda could then:
  • Use SNS to fan out alerts to mail, SIEM tools, ticketing system, or APIs
  • Stop suspicious behavior immediately via IAM ‘AttachPolicy’
  • Correlate and enrich with CloudTrail
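An added example of the detection logic described above and in the "Critical KMS Events" slide; it is not the talk's own Lambda code. It runs over constructed CloudTrail-style KMS records and flags the three patterns the slides call out: many Decrypt calls on one key by one principal, one principal decrypting across many keys, and key deletion. Thresholds, the window, the account id and the principal names are assumptions; in a Lambda deployment the per-principal call history would be kept in a store such as the DynamoDB table in the architecture slide.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BULK_THRESHOLD = 100           # Decrypt calls on one key by one principal per window (assumed)
SPREAD_THRESHOLD = 5           # distinct keys one principal decrypts per window (assumed)
WINDOW = timedelta(minutes=5)
T0 = datetime(2016, 11, 29, 10, 0, 0)

def _event(name, principal, key, seconds):
    """Constructed CloudTrail-style KMS record with only the fields the detector reads."""
    return {"eventName": name, "eventSource": "kms.amazonaws.com",
            "eventTime": (T0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "userIdentity": {"arn": "arn:aws:iam::111122223333:" + principal},
            "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/" + key}]}

# Constructed sample: an app role bulk-decrypting one tenant key, an ops role touching six tenant keys, a user scheduling a key deletion
SAMPLE = ([_event("Decrypt", "role/PaymentsApp", "tenant-a", i) for i in range(120)]
          + [_event("Decrypt", "role/Ops", "tenant-%d" % i, 30 * i) for i in range(6)]
          + [_event("ScheduleKeyDeletion", "user/alice", "tenant-b", 600)])

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Return sorted (principal, finding) pairs for the KMS patterns worth automating."""
    findings = set()
    by_principal = defaultdict(list)
    for e in events:
        who = e["userIdentity"]["arn"]
        if e["eventName"] == "ScheduleKeyDeletion":
            findings.add((who, "key_deletion"))
        elif e["eventName"] == "Decrypt":
            by_principal[who].append((_ts(e), e["resources"][0]["ARN"]))
    for who, calls in by_principal.items():
        calls.sort()
        in_window = Counter()      # key ARN -> Decrypt calls inside the sliding window
        start = 0
        for ts, key in calls:
            in_window[key] += 1
            while ts - calls[start][0] > WINDOW:   # drop calls that aged out of the window
                old_key = calls[start][1]
                in_window[old_key] -= 1
                if in_window[old_key] == 0:
                    del in_window[old_key]
                start += 1
            if in_window[key] >= BULK_THRESHOLD:
                findings.add((who, "bulk_decrypt_single_key"))
            if len(in_window) >= SPREAD_THRESHOLD:
                findings.add((who, "decrypt_across_many_keys"))
    return sorted(findings)
```

Each finding is the input a responder Lambda would fan out over SNS; the window keeps a principal with ordinary, spaced-out Decrypt traffic from ever reaching either threshold.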
Your new 24/7 SOC is “Serverless”!
[Diagram: KMS → CloudTrail → CloudWatch Events → Lambda (detect) → SNS → Lambda (respond) → SNS, with DynamoDB as state store]
Advanced Use Cases for your 24/7 SOC
Anomaly Detection in CloudTrail Events
• Time of day
• Novel or new events
• IP geolocation
Think outside of KMS as well:
• Security Groups
• Gateways
• IAM admins… and the root account!
Automating Security Requirements
AWS has partnered with CIS Benchmarks to create consensus-based technical security configuration guides which align to multiple security frameworks globally.
https://www.cisecurity.org/
The Benchmarks are: technical security control rules/values for hardening AWS services, auditing, and remediating configurations.
Automating and Enforcing IAM Configurations
Example CIS check: the "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.
1.1 Avoid the use of the "root" account (Scored)
• CLI Audit command:
1.13 Ensure no root account access key exists (Scored)
• CLI Audit command:
Automated Security Operations
AWS Labs has created a GitHub repo: awslabs/aws-config-rules
• Current release for AWS Config Rules (http://amzn.to/2aFZZw2): periodic rules can now be triggered without the need for a configuration snapshot.
Example Config Rules check:
https://github.com/awslabs/aws-config-rules
Automated Security Operations Cont…
2.1 Ensure CloudTrail is enabled in all regions (Scored)
2.2 Ensure CloudTrail log file validation is enabled (Scored)
• CLI Audit command:
  • Ensure IsMultiRegionTrail is set to true
  • Ensure LogFileValidationEnabled is set to true for each trail.
Example Config Rules check:
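An added example, not the slide's omitted snippet and not code from the awslabs repo: Config-rule-style evaluations of CIS 1.13, 2.1 and 2.2 over the JSON that `aws iam get-account-summary` and `aws cloudtrail describe-trails` return. The responses below are constructed, and the COMPLIANT/NON_COMPLIANT verdicts mirror the compliance types a Config rule reports.

```python
# Constructed responses shaped like `aws iam get-account-summary` and
# `aws cloudtrail describe-trails`; not captured from a real account.
ACCOUNT_SUMMARY = {"SummaryMap": {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 1}}
TRAILS = {"trailList": [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
]}

def cis_1_13(summary):
    """1.13: no root account access key exists (AccountAccessKeysPresent must be 0)."""
    present = summary["SummaryMap"].get("AccountAccessKeysPresent", 0)
    return "NON_COMPLIANT" if present else "COMPLIANT"

def cis_2_1(trails):
    """2.1: CloudTrail enabled in all regions, i.e. at least one trail with IsMultiRegionTrail true."""
    multi = any(t.get("IsMultiRegionTrail") for t in trails.get("trailList", []))
    return "COMPLIANT" if multi else "NON_COMPLIANT"

def cis_2_2(trails):
    """2.2: LogFileValidationEnabled true for each trail; returns (verdict, offending trail names)."""
    bad = [t["Name"] for t in trails.get("trailList", []) if not t.get("LogFileValidationEnabled")]
    return ("NON_COMPLIANT", bad) if bad else ("COMPLIANT", [])

def evaluate(summary, trails):
    """Run all three checks and return the verdict per CIS control id."""
    return {"1.13": cis_1_13(summary), "2.1": cis_2_1(trails), "2.2": cis_2_2(trails)[0]}
```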