© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Modern Security and Compliance Through Automation
Brett Miller, Senior Consultant, Amazon Web Services; Mike Dixon, Senior Consultant, Amazon Web Services
June 21, 2016
Compliance & Accreditation
How do I architect for compliance in AWS?
How can I make architecting for compliance repeatable?
How can I validate that my architecture is compliant before deployment?
How can I ensure continuous compliance in production?
How can I simplify my accreditation process and get to ATO faster?
Compliance Frameworks
NIST SP 800-53, DoD CSM Levels 1-2, DIACAP/FISMA, FedRAMP, PCI DSS, HIPAA, MPAA, CJIS
Shared Responsibility Model
Customers are responsible for how they use AWS components in AWS.
[Diagram: the shared responsibility model]
Customer: responsible for security "in" the Cloud
− Customer Data
− Platform, Applications, Identity & Access Management
− Operating System, Network & Firewall Configuration
− Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity)
AWS: responsible for security "of" the Cloud
− Compute, Storage, Database, Networking
− AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Common Challenges in Compliance
Customer challenges:
− Meeting compliance requirements (NIST, PCI, HIPAA, CJIS, etc.)
− Taking advantage of new services and features when designing for the Cloud
− Making many critical decisions to ensure a secure application under the AWS Shared Responsibility Model
− Mapping security controls to numerous AWS services (example: 400 NIST 800-53 security controls to 42 AWS services)
Shared Responsibility Model: Compliance in the Cloud (Examples)
Framework | Control | Description | Implementation in AWS Architecture (Example)
NIST 800-53 | AU-9 | The information system protects audit information and audit tools from unauthorized access, modification, and deletion | AWS CloudTrail and/or log files in S3 buckets whose bucket policies prevent modification or deletion (write once, read many)
PCI DSS | Requirement 4 | Encrypt transmission of cardholder data | Elastic Load Balancing listeners must enforce HTTPS using strong security policies that require TLS
HIPAA | Tenancy requirement | Requirement to use "dedicated" tenancy for EC2 instances storing or processing PHI (at the time, a condition of the AWS Business Associate Addendum rather than of the HIPAA rules themselves) | EC2 instances launched with dedicated tenancy
CJIS | Policy Area 7 | Configuration management | Enforce use of hardened EC2 instance operating systems and/or pre-approved Amazon Machine Images (AMIs)
DoD CSM | Levels 4-5 | No direct access from a VPC to the Internet | Amazon VPCs holding Impact Level 4-5 data require a VPN connection and no Internet gateway (IGW)
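Added example (not part of the deck) of the bucket policy the AU-9 row points at: CloudTrail's service principal may write log objects, but no principal may delete objects or object versions or change their ACLs. The bucket name example-audit-logs and the account ID 123456789012 are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSCloudTrailAclCheck",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::example-audit-logs"
    },
    {
      "Sid": "AWSCloudTrailWrite",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-audit-logs/AWSLogs/123456789012/*",
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } }
    },
    {
      "Sid": "WriteOnceReadMany",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [ "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObjectAcl" ],
      "Resource": "arn:aws:s3:::example-audit-logs/*"
    }
  ]
}
```

Pair the policy with S3 versioning (an overwrite then creates a new version instead of replacing the object) and CloudTrail log file validation (the digest files let you detect a modified or removed log). The explicit Deny applies to every principal in the account, root included, but anyone allowed s3:PutBucketPolicy can replace the policy first, so restrict that permission in IAM and alert on PutBucketPolicy and DeleteBucketPolicy events in CloudTrail.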
Simplifying Compliance: Key Concepts
Know your compliance framework(s)
− Translate compliance controls to technical implementation
− Create and manage a pre-approved common security controls mapping (SCTM, CRM, etc.) to use when architecting for security and compliance
Distinguish between inherited controls and customer controls
− Establish (in advance) which controls are inherited from the global infrastructure
Take advantage of capabilities the Cloud provides
− Infrastructure as Code
− AWS services (CloudTrail, AWS Config, Amazon Inspector, etc.)
− Partner solutions
Automate standard implementations
Automation
Why automate compliance?
− Reduced time to ATO
− Lower cost
− Fewer resources required
− Less human error
− Consistency
− Reproducibility
Automating Compliance in AWS
Infrastructure as Code
− Managed and controlled like software
− Validated pre-deployment
− Test-driven development (TDD) for security and compliance
Standardization
− Predefined guidelines, mapped to security controls
− Consistent, reusable architecture and configuration
Compliance at scale
− Enforce policies across accounts, workloads, systems
− Shared services for security, logging, monitoring, access control
Transparency
− Everything is an API call!
− Auditability, logging
− Continuous monitoring (CM) for both applications and infrastructure
Demo
Accelerating the Journey to ATO
[Diagram: the compliance lifecycle across four phases, with the authorization milestones (IATT, then ATO) and the AWS services used in each phase]
Pre-Development: Architect for Compliance; Provide Baselines; Enterprise Accelerator for Compliance; AWS Service Catalog. Outcome: compliance control mapped to an implementation method.
Development: Develop Applications; Enterprise Accelerator for Compliance; Submit SSP; IATT. Outcome: developing with a predefined baseline that implements the control (AWS OpsWorks, AWS Elastic Beanstalk).
Testing: Validate Architecture for Compliance; Integration Testing for Compliance; Submit for ATO. Outcome: validation and testing for the requirement (AWS CodePipeline, AWS Config).
Production: Authority to Operate (ATO); Continuous Monitoring; Manage Security-Relevant Changes; Vulnerability Scanning. Outcome: continuous monitoring for control implementation (AWS Config, Amazon Inspector).
Pre-Development
Understand your compliance requirements
− Compliance type(s): NIST 800-53, ICD 503, DoD CSM, PCI, HIPAA, etc.
− Workload-specific: DoD CSM Levels 1-2, FedRAMP High, etc.
Architect for compliance
− Map security controls to technical implementation
Predefine baselines
− Examples: VPC configuration, connectivity, AWS Identity and Access Management (IAM) configuration, logging/monitoring
− Baselines align with the governance model
Development
Deploy the predefined baseline environment
− AWS Service Catalog
Manage all AWS components as code
− Version control (AWS CodeCommit, Git, SVN)
Take advantage of AWS services
− AWS CodeDeploy/AWS CodePipeline
− Elastic Beanstalk
− OpsWorks
Submit for IATT (prepare for ATO)
− Simplify the process of security controls mapping
Testing
Unit testing
− Validate before deployment
− Check AWS CloudFormation templates for non-compliant configurations
Integration testing
− Deploy infrastructure code into an AWS account
− Run tests for validation (Config, Inspector, HBSS, partner products, etc.)
Prepare for ATO
− Submit the predefined security controls mapping for simplified ISSO/ISSM approval
Testing Infrastructure Code
Identify resource configurations in code that violate compliance
− Example tools: https://github.com/stelligent/cfn_nag
Common points of compliance validation
− Security group rules
− Network Access Control List (network ACL) rules
− IAM policies
− S3 bucket policies
− Elastic Load Balancing security policies
Example: an AWS CloudFormation template containing a security group that allows unrestricted access to SSH (TCP port 22 from 0.0.0.0/0), the kind of finding a template check should fail the build on:

    "sg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Example group: SSH open to the world",
        "SecurityGroupIngress": [
          { "CidrIp": "0.0.0.0/0", "FromPort": 22, "ToPort": 22, "IpProtocol": "tcp" }
        ],
        "VpcId": "vpc-12345678"
      }
    }
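The check below, added here as an example (it is neither cfn_nag nor code from the talk), is the unit-test stage for a template like the one above: it walks the Resources of a JSON CloudFormation template, collects inline and stand-alone ingress rules, and fails on any rule that allows ALL TRAFFIC (IpProtocol -1) or that opens an assumed restricted port (22, 3389) to 0.0.0.0/0 or ::/0. SAMPLE_TEMPLATE is constructed for this example; a YAML template would need a loader that understands CloudFormation's intrinsic-function tags.

```python
"""Pre-deployment check for JSON CloudFormation templates: fail on security
group ingress that allows ALL TRAFFIC or opens a restricted port to the world.
Added example in the spirit of cfn_nag; it is neither cfn_nag nor code from
the talk. SAMPLE_TEMPLATE and RESTRICTED_PORTS are constructed assumptions."""
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}
RESTRICTED_PORTS = (22, 3389)  # assumption: SSH and RDP, per the deck's SSH example

# Constructed template: SSH from the world (violation), HTTPS from an assumed
# corporate CIDR (acceptable), and a stand-alone ALL TRAFFIC rule (violation).
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "bastion", "VpcId": "vpc-12345678",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web", "VpcId": "vpc-12345678",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    "AllTrafficIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "BastionSg"}, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}},
}})


def ingress_rules(resources):
    """Yield (logical_id, rule) for inline and stand-alone ingress rules."""
    for logical_id, res in resources.items():
        props = res.get("Properties") or {}
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress") or []:
                if isinstance(rule, dict):
                    yield logical_id, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield logical_id, props


def is_all_traffic(rule):
    """IpProtocol -1 means every protocol and port, whatever the source."""
    return str(rule.get("IpProtocol")) == "-1"


def is_world_open(rule):
    """True for a literal 0.0.0.0/0 or ::/0 source. A {"Ref": ...} or other
    intrinsic is resolved at deploy time and is left to integration testing."""
    return any(isinstance(rule.get(k), str) and rule[k] in WORLD
               for k in ("CidrIp", "CidrIpv6"))


def covers_port(rule, port):
    """Does the rule's port range include `port`? Non-literal ports (parameters,
    intrinsics) cannot be evaluated statically and are treated as not covering."""
    if is_all_traffic(rule):
        return True
    try:
        lo, hi = int(rule.get("FromPort")), int(rule.get("ToPort"))
    except (TypeError, ValueError):
        return False
    return lo <= port <= hi


def find_violations(template_text, restricted_ports=RESTRICTED_PORTS):
    """Return [(logical_id, finding_code)] for every violating ingress rule."""
    findings = []
    resources = json.loads(template_text).get("Resources") or {}
    for logical_id, rule in ingress_rules(resources):
        if is_all_traffic(rule):
            findings.append((logical_id, "ALL_TRAFFIC"))  # SC-7(5): never allowed
        elif is_world_open(rule):
            for port in restricted_ports:
                if covers_port(rule, port):
                    findings.append((logical_id, "WORLD_OPEN_PORT_%d" % port))
    return findings


if __name__ == "__main__":
    # Usage: python check_template.py template.json  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    found = find_violations(text)
    for logical_id, code in found:
        print("FAIL %s: %s" % (logical_id, code))
    sys.exit(1 if found else 0)  # a non-zero exit fails the pipeline stage
```

Run it as a build step before the stack is created; the non-zero exit is what stops the pipeline. A CIDR or port supplied through a parameter is deliberately not judged here, because its value only exists at deploy time; that case belongs to the integration-test stage, where the deployed security group can be inspected with Config.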
Production
Authority to Operate (ATO)
− ...but compliance doesn't end with ATO
Continuous monitoring
− Security-relevant changes to configuration
Non-compliance
− Continuously monitor for changes that violate compliance
− Immediate notifications
− Event-driven, automated remediation
Automated Response to Noncompliant Changes with Config
Lifecycle of a Compliance Control: Example
Control: SC-7(5), Boundary Protection, Deny by Default / Allow by Exception. The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (that is, deny all, permit by exception).
Requirement: rules with "ALL TRAFFIC" are not permitted in security groups.
Pre-Development
− Enterprise Accelerator defines the required NIST 800-53 compliance control and maps it to a predefined implementation in a CloudFormation template
− Base templates deny all ports by default except those required to be open
Development
− Enterprise Accelerator as the starting point for CloudFormation template development
− Starting point in development with templates which …
Testing
− Automated unit testing with the cfn_nag tool validates that the control is not being violated in a template
− Integration testing with Config verifies …
− Testing for security groups where all ports are open
Production
− A Config rule continuously monitors for violations of this control and takes corrective action if a violation is detected
− If a security group changes, the Config rule immediately evaluates the change and determines whether it violates the control
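How the Production column of that lifecycle could be implemented, as an added example (not the demo code from the talk): a custom AWS Config rule backed by a Lambda function that evaluates each changed security group against the SC-7(5) requirement and, when a rule parameter named Remediate (an assumption of this example) is "true", revokes the offending ingress entries. The compliance decision is a pure function over the configuration item so it can be exercised offline; RESTRICTED_PORTS and SAMPLE_CI are constructed for this example.

```python
"""AWS Config custom rule (Lambda handler) for the deck's SC-7(5) requirement:
no ALL TRAFFIC ingress rule, and no restricted port open to the world.
Added example, not the talk's demo code. boto3 is used only inside
lambda_handler and revoke_offending; everything else runs offline."""
import json

WORLD = {"0.0.0.0/0", "::/0"}
RESTRICTED_PORTS = (22, 3389)  # assumption: SSH and RDP


def _cidrs(perm):
    """Source CIDRs of one ipPermission. Config has emitted ranges both as
    plain strings and as {"cidrIp": ...} objects, so accept either form."""
    out = []
    for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for r in perm.get(key) or []:
            out.append(r if isinstance(r, str) else r.get(field))
    return out


def offending_permissions(ip_permissions):
    """Return the ipPermissions entries (Config camelCase shape) that violate the control."""
    bad = []
    for perm in ip_permissions:
        if str(perm.get("ipProtocol")) == "-1":
            bad.append(perm)  # ALL TRAFFIC, whatever the source
            continue
        if not any(c in WORLD for c in _cidrs(perm)):
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is not None and hi is not None and any(lo <= p <= hi for p in RESTRICTED_PORTS):
            bad.append(perm)
    return bad


def evaluate_configuration_item(ci):
    """Return (compliance_type, annotation) for one configuration item."""
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule evaluates security groups only"
    if ci.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    bad = offending_permissions((ci.get("configuration") or {}).get("ipPermissions") or [])
    if bad:
        return "NON_COMPLIANT", "%d ingress rule(s) allow ALL TRAFFIC or expose a restricted port to the world" % len(bad)
    return "COMPLIANT", "ingress is deny-by-default with no world-open restricted port"


def to_ec2_permissions(perms):
    """Translate Config's camelCase ipPermissions into the EC2 API shape that
    revoke_security_group_ingress expects (the entry must match exactly)."""
    out = []
    for p in perms:
        cidrs = [c for c in _cidrs(p) if c]
        entry = {"IpProtocol": str(p["ipProtocol"])}
        if p.get("fromPort") is not None:
            entry["FromPort"], entry["ToPort"] = p["fromPort"], p["toPort"]
        v4 = [{"CidrIp": c} for c in cidrs if ":" not in c]
        v6 = [{"CidrIpv6": c} for c in cidrs if ":" in c]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        out.append(entry)
    return out


def revoke_offending(ec2, group_id, perms):
    """Corrective action: remove only the offending CIDR entries, nothing else."""
    to_revoke = to_ec2_permissions(perms)
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=to_revoke)
    return to_revoke


def lambda_handler(event, context):
    import boto3  # imported here so the evaluation logic stays testable offline
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_configuration_item(ci)
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": ci["resourceType"],
                      "ComplianceResourceId": ci["resourceId"],
                      "ComplianceType": compliance, "Annotation": annotation,
                      "OrderingTimestamp": ci["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    # Remediation is gated behind a rule parameter: revoking a rule can cut
    # legitimate access, so it is switched on deliberately per account/workload.
    if compliance == "NON_COMPLIANT" and params.get("Remediate", "false").lower() == "true":
        bad = offending_permissions(ci["configuration"]["ipPermissions"])
        revoke_offending(boto3.client("ec2"), ci["resourceId"], bad)
    return compliance


# Constructed configuration item: SSH from the world (violation), HTTPS from an
# assumed corporate CIDR (acceptable), ALL TRAFFIC from that CIDR (violation).
SAMPLE_CI = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK", "configurationItemCaptureTime": "2016-06-21T00:00:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
        {"ipProtocol": "-1", "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]}}
```

To deploy it, give the function's role config:PutEvaluations and ec2:RevokeSecurityGroupIngress, then create a custom Config rule pointing at the function with a configuration-change trigger scoped to AWS::EC2::SecurityGroup; every security group change is then evaluated within moments of being recorded. The ALL TRAFFIC case is revoked regardless of source because the deck's requirement forbids it outright; the restricted-port case is revoked only for the world-open CIDR entries, so a legitimate sg-to-sg reference in the same rule survives.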
Automating Compliance: Tools & Services
− AWS Compliance Enterprise Accelerator
− Telos Xacta (partner solution)
− AWS Config / Config rules
− Amazon Inspector
− AWS Trusted Advisor
AWS Compliance Enterprise Accelerator
− Addresses security/compliance requirements and AWS best practices
− Knowledge transfer on the AWS security model
− Standardized for specific use cases
− Ready to be pre-approved by customer assessment organizations
− Ready to deploy "out of the box"
− Customizable
AWS Compliance Packages include:
− Managed automation: CloudFormation templates, automation scripts
− Detailed documentation: user guide, setup, customization
− Security Controls Matrix: mapping of controls to implementation
AWS Enterprise Accelerator for Compliance: Quick Starts
Currently available: NIST High baseline (featuring Trend Micro Deep Security), NIST SP 800-53 (version 2.0), DoD SRG (GovCloud), PCI DSS
Late July preview: Trusted Internet Connection, NIST SP 800-171, Secure Commercial Cloud Architecture (SCCA)
http://aws.amazon.com/quickstart
Telos Xacta
Xacta IT Governance, Risk, Compliance (GRC) product suite
− Automatically maps inherited security controls
− Generates documentation
− Expedites approvals
− Automates risk assessment, remediation, and compliance reporting
Simplifying Security Controls with Telos Xacta
Additional Resources
AWS Risk & Compliance Whitepaper: https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
AWS Quick Start Reference Deployments: https://aws.amazon.com/quickstart/
AWS Compliance: https://aws.amazon.com/compliance/
Telos Corporation Expedites Secure and Compliant Cloud Deployments on AWS Cloud: http://bit.ly/1PoQA8O
Continuous Security: Security in the Continuous Delivery Pipeline (Stelligent): http://bit.ly/1sCaQPq