© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
June 13, 2017
How can I plan for security, risk, and compliance
before migrating to AWS?
Rob Barnes
Cloud Security Architect
Amazon Web Services
Tom Ognibene
Principal Software Engineer
Blackbaud
Migration & Transformation Track
Tuesday, June 13th - Room 201
8:45 - 9:35 AM | 119706 - My CIO Says That We are Going All-In and Migrating to AWS? Now What?
9:40 - 10:30 AM | 125086 - Hybrid as a Stepping Stone: It’s Not All or Nothing for Your Cloud Transformation Journey
2:00 - 2:50 PM | 119707 - Why do I need to plan for Security, Risk, & Compliance before migrating to AWS?
3:30 - 4:20 PM | 119708 - How Can I Build a Landing Zone & Extend my Operations into AWS to Support my Migration?
4:30 - 5:20 PM | 119709 - What Organizational & Governance Changes do I Need to Make Prior to Migrating to AWS?
Risk.
Are you wondering about your
compliance right now?
Or do you just want to help?
Directive
Preventive
Detective
Responsive
Identity & Access Management
Logging & Monitoring
Infrastructure Security
Data Protection
Incident Response
But don’t take my word for it…
Tom Ognibene
Principal Software Engineer
24 years at Blackbaud
10 years payment solutions
PCI SME
Our Journey
Blackbaud began
with a vision to help one
organization
We now support the entire social good community
Nonprofits
Education Institutions
Foundations
Corporations
Individual Change Agents
Blackbaud Payment Service
Service dedicated to securely processing credit card
transactions for our application
• Web servers
• Database servers
• Firewalls
• vLans
• SIEM solutions
• Monitoring
[Chart: Blackbaud Payment Services, y-axis 0 to 12,000]
Why AWS
We have a good DR story
AWS has a better one!
Our infrastructure can handle the current demand
AWS can do it more cheaply
We have a good SIEM solution
AWS can improve on it
We know how to build infrastructure
AWS can build it faster
Remove Default VPC
…
[Amazon.EC2.Model.Vpc[]] $vpcList = Get-EC2Vpc -Filter @{Name="isDefault"; Values="true"} -Region $Region
if ($vpcList -ne $null) {
    [Amazon.EC2.Model.Vpc] $vpc = $vpcList[0]
    [Amazon.EC2.Model.Filter] $vpcFilter = [Amazon.EC2.Model.Filter]::new("vpc-id", @($vpc.VpcId))
    [Amazon.EC2.Model.Subnet[]] $subList = Get-EC2Subnet -Filter @($vpcFilter) -Region $Region
    ForEach ($sub in $subList) {
        Remove-EC2Subnet -SubnetId $sub.SubnetId -Region $Region -Force
    }
    # Internet gateways must be detached from the VPC before they (and then the VPC) can be deleted
    $vpcFilter.Name = "attachment.vpc-id"
    [Amazon.EC2.Model.InternetGateway[]] $igList = Get-EC2InternetGateway -Filter @($vpcFilter) -Region $Region
    ForEach ($ig in $igList) {
        ForEach ($igAttach in $ig.Attachments) {
            Dismount-EC2InternetGateway -VpcId $vpc.VpcId -InternetGatewayId $ig.InternetGatewayId -Region $Region -Force
        }
        Remove-EC2InternetGateway -InternetGatewayId $ig.InternetGatewayId -Region $Region -Force
    }
    Remove-EC2Vpc -VpcId $vpc.VpcId -Region $Region -Force
}
Right Choice
Is AWS the “right” one
Performance
Is AWS performant
Type of Migration
Lift and Shift
Product rewrite
How Many Environments
Application
SIEM
“Roles”
Who needs to use the environments
What do they need it for
Software Defined Infrastructure
Write software => Test software
Project Planning
Is AWS the best choice
Is it performant
How am I going to migrate
How many environments
How should I separate them
Who is going to access it
Other considerations
AWS Tech
Yikes
SSM deployment
[Object[]] $SSMDocumentFileList = Get-ChildItem -Path $((Get-Item $PSScriptRoot).Parent.FullName + "\Data\SSMCmdDocs") -Filter "*.json"
ForEach ($SSMDocumentFile in $SSMDocumentFileList) {
    [String] $SSMDocumentName = "BB-" + $($SSMDocumentFile.BaseName)
    [String] $SSMDocumentFileContents = [System.IO.File]::ReadAllText($SSMDocumentFile.FullName)
    try {
        # Existing document: update it only when the content on disk differs from the default version
        [Amazon.SimpleSystemsManagement.Model.GetDocumentResponse] $SSMDocument = Get-SSMDocument -DocumentVersion "`$DEFAULT" -Name $SSMDocumentName
        if ($SSMDocumentFileContents -ne $SSMDocument.Content) {
            Write-Verbose -Message "Updating document $SSMDocumentName"
            [Amazon.SimpleSystemsManagement.Model.DocumentDescription] $SSMDocumentDescription = Update-SSMDocument -Content $SSMDocumentFileContents -DocumentVersion "`$LATEST" -Name $SSMDocumentName
            [Amazon.SimpleSystemsManagement.Model.DocumentDefaultVersionDescription] $docVersion = Update-SSMDocumentDefaultVersion -Name $SSMDocumentName -DocumentVersion $SSMDocumentDescription.LatestVersion
        }
    } catch [Amazon.SimpleSystemsManagement.Model.InvalidDocumentException] {
        # Get-SSMDocument throws InvalidDocumentException when the document does not exist yet, so create it
        Write-Verbose -Message "Adding document $SSMDocumentName"
        [Amazon.SimpleSystemsManagement.Model.DocumentDescription] $SSMDocumentDescription = New-SSMDocument -Content $SSMDocumentFileContents -DocumentType ([Amazon.SimpleSystemsManagement.DocumentType]::Command) -Name $SSMDocumentName
        [Amazon.SimpleSystemsManagement.Model.DocumentDefaultVersionDescription] $docVersion = Update-SSMDocumentDefaultVersion -Name $SSMDocumentName -DocumentVersion $SSMDocumentDescription.LatestVersion
    }
}
Implementation
PowerShell/C# library
CIS AWS Foundations hardening standards
SSO/SAML integration
IAM Roles/Restrictive Policies
CloudTrail/AWS Config
Security Groups
ELB and Policies
VPC/VPC Peering
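A detective counterpart to the hardening items on this slide, added here as an example and not part of the talk's PowerShell/C# library: it sweeps every region for leftover default VPCs, security groups exposing SSH/RDP to 0.0.0.0/0, and the absence of a multi-region CloudTrail with log file validation. It assumes the AWSPowerShell module (3.3.x or later, which exposes IpPermission.Ipv4Ranges) with credentials and a default region configured; the port list and the sample permission object are constructed.

```powershell
# Added example, not from the talk: a detective sweep with AWS Tools for PowerShell over
# three items on the Implementation slide (default VPCs, Security Groups, CloudTrail).
# Assumes AWSPowerShell 3.3.x+ with credentials and a default region configured in the session.
function Test-OpenAdminRule {
    # Pure rule check, separated out so it can be exercised against a constructed permission.
    param($Permission, [int[]] $AdminPorts)
    $worldOpen = @($Permission.Ipv4Ranges | Where-Object { $_.CidrIp -eq "0.0.0.0/0" }).Count -gt 0
    if (-not $worldOpen) { return $false }
    if ($Permission.IpProtocol -eq "-1") { return $true }          # "all traffic" rule
    foreach ($p in $AdminPorts) {
        if ($Permission.FromPort -le $p -and $Permission.ToPort -ge $p) { return $true }
    }
    return $false
}

function Get-FoundationsFinding {
    [CmdletBinding()]
    param(
        # Ports that must never be reachable from 0.0.0.0/0 (SSH, RDP); constructed default list
        [int[]] $AdminPorts = @(22, 3389)
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Control, $Region, $Resource, $Detail) {
        $findings.Add([pscustomobject]@{ Control=$Control; Region=$Region; Resource=$Resource; Detail=$Detail })
    }
    foreach ($region in (Get-EC2Region).RegionName) {
        # 1. The default VPC should be gone everywhere (the preventive step is the Remove Default VPC script)
        foreach ($vpc in (Get-EC2Vpc -Filter @{Name="isDefault"; Values="true"} -Region $region)) {
            Add-Finding "DefaultVpc" $region $vpc.VpcId "default VPC still present"
        }
        # 2. No security group may expose an admin port to the whole internet
        foreach ($sg in (Get-EC2SecurityGroup -Region $region)) {
            foreach ($perm in $sg.IpPermissions) {
                if (Test-OpenAdminRule -Permission $perm -AdminPorts $AdminPorts) {
                    Add-Finding "OpenAdminPort" $region $sg.GroupId ("{0} {1}-{2} from 0.0.0.0/0" -f $perm.IpProtocol, $perm.FromPort, $perm.ToPort)
                }
            }
        }
    }
    # 3. At least one multi-region trail with log file validation must exist (CloudTrail slide item)
    $goodTrail = Get-CTTrail | Where-Object { $_.IsMultiRegionTrail -and $_.LogFileValidationEnabled }
    if (-not $goodTrail) { Add-Finding "CloudTrail" "global" "-" "no multi-region trail with log file validation" }
    return $findings
}

# Constructed object standing in for an EC2 IpPermission, to exercise the rule check offline
$openSsh = [pscustomobject]@{ IpProtocol="tcp"; FromPort=22; ToPort=22; Ipv4Ranges=@([pscustomobject]@{ CidrIp="0.0.0.0/0" }) }
Test-OpenAdminRule -Permission $openSsh -AdminPorts @(22, 3389)
```

Run `Get-FoundationsFinding | Format-Table` after the sweep; an empty result means the three controls hold in every region the account can see.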
Today
Multiple AWS environments
Completed PCI assessment
Completed Multiple External Pen Tests
Migrate additional payment applications
Automation and Security
[ScriptBlock]$RemoveSMBv1 = {
    Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Uninstall-WindowsFeature -Name FS-SMB1 -Restart | Out-Null
}
WannaCry
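The SMBv1 removal above is the kind of script the SSM deployment loop ships as a Command document. As an added example (not Blackbaud's code), the block below builds that document from the same three commands, registers it under the deck's "BB-" naming convention, and sends it to instances selected by tag; the tag Role=PaymentWeb, the document name and the verification line are constructed for illustration, and AWSPowerShell with credentials configured is assumed.

```powershell
# Added example, not from the talk: wraps the RemoveSMBv1 script block in an SSM
# Command document, registers it under the deck's "BB-" naming convention and runs it
# against instances selected by tag. The tag Role=PaymentWeb and the document name are
# constructed for illustration; AWSPowerShell with credentials configured is assumed.
function New-RemoveSmb1DocumentContent {
    # Builds the JSON body of a schemaVersion 2.2 Command document and returns it as a string
    $doc = [ordered]@{
        schemaVersion = "2.2"
        description   = "Disable and remove SMBv1 (WannaCry mitigation) and report the result"
        mainSteps     = @(
            [ordered]@{
                action       = "aws:runPowerShellScript"
                name         = "removeSmb1"
                precondition = [ordered]@{ StringEquals = @("platformType", "Windows") }
                inputs       = [ordered]@{
                    timeoutSeconds = "600"
                    runCommand     = @(
                        'Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null',
                        'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force',
                        # Captured in the command output before the reboot below ends the step
                        '"SMB1 enabled after change: " + (Get-SmbServerConfiguration).EnableSMB1Protocol',
                        # Same -Restart as the original block: the instance reboots once the role is removed
                        'Uninstall-WindowsFeature -Name FS-SMB1 -Restart | Out-Null'
                    )
                }
            }
        )
    }
    return ($doc | ConvertTo-Json -Depth 6)
}

function Invoke-RemoveSmb1 {
    # Registers the document if it does not exist yet (the catch branch of the deployment loop)
    # and sends it to every managed instance tagged Role=PaymentWeb in the region.
    param([string] $Region, [string] $DocumentName = "BB-RemoveSMBv1")
    $content = New-RemoveSmb1DocumentContent
    try {
        $null = Get-SSMDocument -Name $DocumentName -Region $Region
    } catch [Amazon.SimpleSystemsManagement.Model.InvalidDocumentException] {
        $null = New-SSMDocument -Content $content -Name $DocumentName -DocumentType Command -Region $Region
    }
    # Targeting by tag rather than instance ID keeps the change scoped to the tagged asset inventory
    $cmd = Send-SSMCommand -DocumentName $DocumentName -Region $Region `
        -Target @{ Key = "tag:Role"; Values = @("PaymentWeb") } `
        -Comment "Remove SMBv1 (WannaCry mitigation)" -TimeoutSecond 600
    return $cmd.CommandId
}
```

Per-instance results, including the "SMB1 enabled after change" line, can be read back with `Get-SSMCommandInvocation -CommandId <id> -Detail $true` once the command completes.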
Thank you!