Top 5 Ways to Secure Your Business on the Cloud

Date posted: 16-Jul-2015

Uploaded by: amazon-web-services
Shaun Ray – Enterprise Solutions Architect

What we will cover today

1. Understanding shared responsibility for security
2. Building a secure virtual private cloud
3. Using AWS Identity and Access Management
4. Protecting your content on AWS
5. Building secure applications on AWS


Every Customer Gets the Same AWS Security Foundations

Shared responsibility model (diagram): AWS looks after the security OF the platform, which covers the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for their security IN the Cloud, which covers Customer Content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; and Encryption and Key Management, Client and Server Encryption, and Network Traffic Protection. Security is shared between AWS and Customers.

To summarise:

1. Security is our number one priority
2. Every customer receives the same security
3. We do not have access to your data or guest OS
4. Reduce the scope of your own compliance audits
5. You can focus on securing your own content

What we will cover next

1. Understanding shared responsibility for security
2. Building a secure virtual private cloud
3. Using AWS Identity and Access Management
4. Protecting your content on AWS
5. Building secure applications on AWS

Region

Customers can use any AWS region around the world: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), EU-CENTRAL (Frankfurt), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo).

Availability Zone

Each region offers resilience and high-availability.

Edge Locations

Use edge locations to serve content close to your customers. Edge locations shown: Ashburn (2), Dallas (2), Jacksonville, Los Angeles (2), Miami, New York (2), Newark, Palo Alto, San Jose, Seattle, South Bend, St. Louis, Sao Paulo, Rio de Janeiro, Amsterdam, Dublin, Frankfurt, London (2), Milan, Paris (2), Stockholm, Chennai, Hong Kong (2), Manila, Melbourne, Mumbai, Osaka, Singapore (2), Sydney, Taipei, Tokyo.

Build your own resilient, fault tolerant solutions

AWS delivers scalable, fault tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active operations

All AWS facilities are always on
• No need for a “Disaster Recovery Datacenter” when you can have resilience
• Every one managed to the same global standards

AWS has robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP Service Providers
• Resilient network infrastructure

Each AWS Region has multiple availability zones (diagram: Availability Zone A and Availability Zone B)

Your VPC spans every availability zone in the Region (diagram: the VPC across Availability Zone A and Availability Zone B)

Customers control their VPC IP address ranges (diagram: VPC A - 10.0.0.0/16 spanning Availability Zone A and Availability Zone B)

Choose your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space
• The maximum CIDR block you can allocate is /16
• For example 10.0.0.0/16 – this allows 256*256 = 65,536 IP addresses

Select IP addressing strategy
• You can’t change the VPC address space once it’s created
• Think about overlaps with other VPCs or existing corporate networks
• Don’t waste address space, but don’t constrain your growth either
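The address-planning steps above, as an added example (not from the deck): it checks a candidate VPC block against the /16 limit the slides give and against other networks, and carves it into /24 subnets. The existing networks are constructed sample values; the five reserved addresses per subnet are AWS behaviour, not something the slides mention.

```python
import ipaddress

# Constructed sample of networks the new VPC must not collide with.
EXISTING_NETWORKS = {
    "corporate LAN": "10.1.0.0/16",
    "VPC B": "10.2.0.0/16",
    "partner extranet": "192.168.50.0/24",
}


def vpc_address_count(cidr: str) -> int:
    """Total addresses in the block: 256*256 = 65,536 for a /16."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def usable_hosts(subnet_cidr: str) -> int:
    """AWS reserves the first four and the last address of every subnet
    (network, VPC router, DNS, future use, broadcast), so a /24 gives 251."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def check_vpc_range(candidate: str, existing: dict) -> list:
    """Names of existing networks that overlap the candidate VPC block.

    The slides say the largest block you can allocate is /16; the AWS
    minimum is /28, so anything outside that window is rejected.
    """
    net = ipaddress.ip_network(candidate, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{candidate}: VPC CIDR must be between /16 and /28")
    return [name for name, cidr in existing.items()
            if net.overlaps(ipaddress.ip_network(cidr))]


def plan_subnets(vpc_cidr: str, new_prefix: int = 24, count: int = 5) -> list:
    """Carve the first `count` subnets of size /new_prefix out of the VPC.
    The VPC range cannot be changed later, so the rest of the /16 is left
    unallocated as headroom for growth."""
    subnets = ipaddress.ip_network(vpc_cidr, strict=True).subnets(new_prefix=new_prefix)
    return [str(next(subnets)) for _ in range(count)]


if __name__ == "__main__":
    print(vpc_address_count("10.0.0.0/16"))
    print(check_vpc_range("10.0.0.0/16", EXISTING_NETWORKS))
    print(check_vpc_range("10.1.128.0/17", EXISTING_NETWORKS))
    print(plan_subnets("10.0.0.0/16"), usable_hosts("10.0.1.0/24"))
```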

We will concentrate on a single availability zone just now (diagram: VPC A - 10.0.0.0/16, Availability Zone A)

Segment your VPC address space into multiple subnets (diagram: VPC A - 10.0.0.0/16 in Availability Zone A divided into subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24, holding EC2, NAT and EC2 Web instances)

Place your EC2 instances in subnets according to your design (diagram: the same VPC A - 10.0.0.0/16 subnets in Availability Zone A, now holding EC2 Web, EC2 App, Log, NAT and Jump instances)

Use VPC security groups to firewall your instances (each of the following slides shows the same VPC A - 10.0.0.0/16 diagram: subnets in Availability Zone A holding EC2 Web, EC2 App, Log, NAT and Jump instances)
“Web servers can connect to app servers on port 8080”

Each instance can be in up to five security groups
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”

Use separate security groups for applications and management
“Web servers can connect to app servers on port 8080”
“Allow outbound connections to the log server”
“Allow SSH and ICMP from hosts in the Jump Hosts security group”

Security groups are stateful with both ingress and egress rules

Security groups
• Operate at the instance level
• Support ALLOW rules only
• Are stateful
• Max 50 rules per security group

The VPC router will allow any subnet to route to another in the VPC (diagram: the same VPC with a Router added between the subnets)

Use Network Access Control Lists to restrict internal VPC traffic
“Deny all traffic between the web server subnet and the database server subnet”

Use Network Access Control Lists for defence in depth

NACLs are optional
• Applied at subnet level, stateless and permit all by default
• ALLOW and DENY
• Applies to all instances in the subnet
• Use as a second line of defence
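The security-group and NACL behaviour described on these slides, as an added example that is not code from the deck: it models the quoted rules (web to app on 8080, SSH from the jump-host group, with ICMP omitted for brevity) as allow-only stateful security groups, and the “deny web subnet to database subnet” rule as an ordered, stateless NACL. The instances, addresses and rule numbers are a constructed configuration; the app-subnet NACL is deliberately written as if it were stateful so that the missing ephemeral-port reply rule shows up.

```python
import ipaddress
from typing import NamedTuple

EPHEMERAL = (1024, 65535)   # replies to a client arrive on these ports

class Rule(NamedTuple):
    direction: str          # "in" or "out"
    proto: str              # "tcp" or "all"
    ports: tuple            # (low, high), only checked for tcp
    peer: str               # CIDR, or "sg:<name>" in security groups
    action: str = "allow"   # NACL rules may also "deny"
    number: int = 0         # NACL evaluation order, lowest first

# Constructed config after the slides: web->app 8080, app->db 3306, SSH from jump.
SECURITY_GROUPS = {
    "web": [Rule("out", "tcp", (8080, 8080), "sg:app")],
    "app": [Rule("in", "tcp", (8080, 8080), "sg:web"),
            Rule("out", "tcp", (3306, 3306), "sg:db")],
    "db": [Rule("in", "tcp", (3306, 3306), "sg:app")],
    "jump": [Rule("out", "tcp", (22, 22), "10.0.0.0/16")],
    "mgmt": [Rule("in", "tcp", (22, 22), "sg:jump")],
}
INSTANCES = {  # name: (ip, subnet, security groups)
    "web1": ("10.0.1.10", "10.0.1.0/24", ("web", "mgmt")),
    "app1": ("10.0.4.10", "10.0.4.0/24", ("app", "mgmt")),
    "db1": ("10.0.3.10", "10.0.3.0/24", ("db", "mgmt")),
    "jump1": ("10.0.5.10", "10.0.5.0/24", ("jump",)),
}
DEFAULT_NACL = [Rule("in", "all", (0, 0), "0.0.0.0/0", "allow", 100),
                Rule("out", "all", (0, 0), "0.0.0.0/0", "allow", 100)]
NACLS = {
    # Second line of defence: web subnet <-> database subnet is denied
    # ahead of the catch-all allow, whatever the security groups say.
    "10.0.3.0/24": [Rule("in", "all", (0, 0), "10.0.1.0/24", "deny", 100),
                    Rule("out", "all", (0, 0), "10.0.1.0/24", "deny", 100)]
                   + [r._replace(number=200) for r in DEFAULT_NACL],
    # Tight app-subnet NACL written as if it were stateful: it lacks an
    # egress rule for replies to the web subnet on ephemeral ports.
    "10.0.4.0/24": [Rule("in", "tcp", (8080, 8080), "10.0.1.0/24", "allow", 100),
                    Rule("out", "tcp", (3306, 3306), "10.0.3.0/24", "allow", 100)],
}
REPLY_RULE = Rule("out", "tcp", EPHEMERAL, "10.0.1.0/24", "allow", 110)  # the fix

def _matches(rule, direction, proto, port, peer_ip, peer_sgs):
    if rule.direction != direction or rule.proto not in ("all", proto):
        return False
    if rule.proto == "tcp" and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    if rule.peer.startswith("sg:"):
        return rule.peer[3:] in peer_sgs
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)

def sg_allows(name, direction, proto, port, peer):
    """Allow-only: one matching rule in any of the instance's groups wins."""
    peer_ip, _, peer_sgs = INSTANCES[peer]
    return any(_matches(r, direction, proto, port, peer_ip, peer_sgs)
               for sg in INSTANCES[name][2] for r in SECURITY_GROUPS[sg])

def nacl_allows(subnet, direction, proto, port, peer_ip):
    """Stateless and ordered: lowest-numbered match decides, none means deny."""
    for r in sorted(NACLS.get(subnet, DEFAULT_NACL), key=lambda r: r.number):
        if _matches(r, direction, proto, port, peer_ip, ()):
            return r.action == "allow"
    return False

def flow_allowed(src, dst, proto, port):
    """Source SG out, source NACL out, dest NACL in and dest SG in must all allow."""
    (s_ip, s_net, _), (d_ip, d_net, _) = INSTANCES[src], INSTANCES[dst]
    return (sg_allows(src, "out", proto, port, dst)
            and nacl_allows(s_net, "out", proto, port, d_ip)
            and nacl_allows(d_net, "in", proto, port, s_ip)
            and sg_allows(dst, "in", proto, port, src))

def reply_allowed(src, dst, proto, port, reply_port=EPHEMERAL[0]):
    """Stateful SGs skip the reply; both stateless NACLs see it on an ephemeral port."""
    (s_ip, s_net, _), (d_ip, d_net, _) = INSTANCES[src], INSTANCES[dst]
    return (flow_allowed(src, dst, proto, port)
            and nacl_allows(d_net, "out", proto, reply_port, s_ip)
            and nacl_allows(s_net, "in", proto, reply_port, d_ip))
```

With the configuration as written, `flow_allowed("web1", "app1", "tcp", 8080)` is true but `reply_allowed(...)` is false until `REPLY_RULE` is appended to the 10.0.4.0/24 NACL, which is exactly the stateless pitfall the slides warn about.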

Use Elastic Load Balancers to distribute traffic between instances (diagram: an Elastic Load Balancer in front of the EC2 Web instances in the same VPC)

Elastic Load Balancers are also placed in security groups

Your security can scale up and down with your solution (diagram: Elastic Load Balancer with Auto scaling)

Elastic load balancers
• Instances can automatically be added and removed from the balancing pool using rules
• You can add instances into security groups at launch time

Connecting your VPC to the Internet

Add an Internet Gateway to route Internet traffic from your VPC (diagram: an Internet Gateway attached to the VPC Router)

You choose what subnets can route to the Internet

Internet routing
• Add route tables to subnets to control Internet traffic flows – these become Public subnets
• Internet Gateway routing allows you to allocate a static Elastic IP address or use AWS-managed public IP addresses to your instance

NAT instances allow outbound Internet traffic from private subnets (diagram: a NAT instance in a public subnet forwarding traffic from the private subnets to the Internet Gateway)

Internet routing
• Use a NAT instance to provide Internet connectivity for private subnets - required to access AWS update repositories
• This will also allow back-end servers to route to AWS APIs – for example storing logs on S3, or using Dynamo, SQS, SNS and SWS
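How route tables make a subnet public, private or isolated, as an added example that is not part of the deck: longest-prefix matching over constructed route tables for the VPC above, plus the placement check a reviewer would run on the NAT instance (it must itself sit in a public subnet). The gateway and instance ids are placeholders.

```python
import ipaddress

# Constructed route tables for the deck's VPC.  Every table carries the
# implicit "local" route for the VPC range; the targets are placeholder ids.
ROUTE_TABLES = {
    "public":   {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0example"},
    "private":  {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-instance-1"},
    "isolated": {"10.0.0.0/16": "local"},
}
SUBNET_TABLES = {
    "10.0.1.0/24": "public",     # web tier and load balancer
    "10.0.4.0/24": "private",    # app tier: outbound only, via NAT
    "10.0.3.0/24": "isolated",   # database: no Internet path at all
}
NAT_SUBNETS = {"nat-instance-1": "10.0.1.0/24"}   # where each NAT instance lives


def next_hop(subnet, dst_ip):
    """Longest-prefix match over the subnet's route table; None = no route."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[SUBNET_TABLES[subnet]].items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify(subnet):
    """'public' if a route targets an Internet Gateway (instances there can
    carry public or Elastic IPs), 'private' if Internet egress goes through
    a NAT instance, 'isolated' if there is no Internet route at all."""
    targets = ROUTE_TABLES[SUBNET_TABLES[subnet]].values()
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("nat-") for t in targets):
        return "private"
    return "isolated"


def design_findings():
    """A NAT instance only works from a public subnet, because its own
    default route has to point at the Internet Gateway."""
    findings = []
    for nat, subnet in NAT_SUBNETS.items():
        if classify(subnet) != "public":
            findings.append(f"{nat} sits in {subnet} ({classify(subnet)}): "
                            "it needs an Internet Gateway route")
    return findings
```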

Integrating your VPC with your existing infrastructure (diagram: your premises)

Add a Virtual Private Gateway to route traffic to your premises (diagram: the VPC Router connected to a Virtual Private Gateway, linked to your premises)

You can create multiple IPSEC tunnels to your own VPN endpoints (diagram adds a Customer Gateway on your premises)

You can also connect privately using AWS Direct Connect (diagram: Direct Connect between the Virtual Private Gateway and the Customer Gateway)

You can also create VPNs over Direct Connect if required

You can route VPC Internet connections through your own gateways

You can have both Internet and private connectivity to your VPC (diagram adds an Internet Gateway and NAT alongside Direct Connect, with Amazon S3 and DynamoDB reached from the VPC)

You have full control in designing robust hybrid solutions (diagram: a public subnet with an Elastic Load Balancer and auto-scaled Web instances; a private subnet with Master and Failover EC2 instances and NAT; Direct Connect, Virtual Private Gateway and Internet Gateway linking to your premises, Amazon S3 and DynamoDB)

To summarise:

1. Your VPC is private until you decide to make it public
2. Security groups block horizontal as well as vertical traffic
3. You can use your own internet in your DC
4. Protect your instances with NAT and ELB
5. Create hybrid architectures with Direct Connect

What we will cover next

1. Understanding shared responsibility for security
2. Building a secure virtual private cloud
3. Securing and auditing your account
4. Protecting your content on AWS
5. Building secure applications on AWS

Controlling your Root account

• Enable multi-factor authentication to secure your root account for login
• Manage risk by not putting services and instances in your root account
• Enable CloudTrail alerting and logging for auditing changes
• Create roles to assign temporary access to your resources
• Federate users with on-premise sign on solutions to reduce administration

Segregate duties between roles with IAM (diagram: a Region holding VPC A - 10.0.0.0/16 across two Availability Zones, with subnets 10.0.1.0/24 and 10.0.2.0/24, a Router, an Internet Gateway to the Internet and a Customer Gateway)

You get to choose who can do what in your AWS environment and from where:
• A web server can access S3 to read static images from your private subnet
• Simon can create snapshots for RDS. But cannot restore data from them.
• CloudTrail can log all interactions with AWS APIs for your account.
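The “Simon” and web-server examples above expressed as IAM policies, with a small evaluator that applies IAM’s decision order (explicit deny, then allow, else implicit deny). This is an added example and not AWS code: the action names are real IAM actions, the bucket name is a placeholder, and the evaluator supports only the Bool and BoolIfExists condition operators it needs for the MFA guard from the root-account slide.

```python
import fnmatch

# Constructed policies.  The action names are real IAM actions; the bucket
# name is a placeholder.
SIMON_POLICY = {            # "Simon can create RDS snapshots but not restore them"
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["rds:CreateDBSnapshot", "rds:DescribeDBSnapshots"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["rds:RestoreDBInstanceFromDBSnapshot",
                    "rds:RestoreDBInstanceToPointInTime"]},
    ],
}
WEB_SERVER_ROLE = {         # "a web server can read static images from S3"
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-static-images/*"}],
}
MFA_GUARD = {               # deny everything unless MFA was used for this session
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                   "Condition": {"BoolIfExists":
                                 {"aws:MultiFactorAuthPresent": "false"}}}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Supports the Bool and BoolIfExists operators.  With BoolIfExists an
    absent key counts as satisfied, which is what makes the MFA deny bite
    for long-term access keys, where the key is never set at all."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def evaluate(policies, action, resource="*", context=None):
    """IAM's decision order: an explicit Deny wins, then any Allow, and a
    request matched by nothing is implicitly denied."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
                continue
            if not _condition_met(st.get("Condition", {}), context):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```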

Federate AWS IAM with your existing directories

Federate with on-premise directories like Active Directory or another SAML 2.0 compliant identity provider

Use AWS CloudTrail to track access to APIs and IAM

Increase your visibility of what happened in your AWS environment – who did what and when, from where. CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made.

AWS CloudTrail logs can be used for many powerful use cases

CloudTrail can help you achieve many tasks
• Security analysis
• Record changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
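The security-analysis and “most recent changes” uses of CloudTrail above, as an added example run over a constructed log object (not the deck’s code): it flags root-account use without MFA and every security group or NACL change, rating an ingress rule opened to 0.0.0.0/0 as high. The records use the real CloudTrail field names but contain only the fields needed; the account id, resource ids and addresses are placeholders.

```python
from datetime import datetime

# Constructed CloudTrail log object (the S3-delivered JSON has a top-level
# "Records" array; only the fields used below are included, and the
# account id, resource ids and addresses are placeholders).
SAMPLE_LOG_OBJECT = {"Records": [
    {"eventTime": "2015-07-16T09:12:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "simon"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-07-16T09:15:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-07-16T09:20:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/NetAdmin/alice"},
     "sourceIPAddress": "10.0.5.10",
     "requestParameters": {"networkAclId": "acl-0example", "ruleNumber": 100,
                           "egress": False, "ruleAction": "deny",
                           "cidrBlock": "10.0.1.0/24"}},
    {"eventTime": "2015-07-16T09:21:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "simon"},
     "sourceIPAddress": "203.0.113.10"},
]}

NETWORK_CHANGES = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}


def actor(rec):
    ident = rec["userIdentity"]
    return ident.get("userName") or ident.get("arn") or ident["type"]


def opens_to_world(rec):
    """True if an ingress authorisation lists 0.0.0.0/0 as a source."""
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))


def findings(records):
    """(severity, message) per record of interest, in log order: any use of
    the root account (high without MFA) and every firewall-rule change
    (high when it opens a port to the whole Internet)."""
    out = []
    for rec in records:
        name, ip = rec["eventName"], rec.get("sourceIPAddress")
        if rec["userIdentity"]["type"] == "Root":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            out.append(("low" if mfa else "high",
                        f"root account used for {name} from {ip}, MFA used: {mfa}"))
        if name in NETWORK_CHANGES:
            sev = "high" if opens_to_world(rec) else "medium"
            out.append((sev, f"{actor(rec)} ran {name} from {ip}"))
    return out


def most_recent_changes(records, limit=3):
    """Newest firewall changes first: the first place to look when something
    that used to work has just stopped."""
    changes = [r for r in records if r["eventName"] in NETWORK_CHANGES]
    changes.sort(key=lambda r: datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
                 reverse=True)
    return [(r["eventTime"], r["eventName"], actor(r)) for r in changes[:limit]]
```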

   

Monitor everything with CloudWatch logs

Amazon CloudWatch Logs can monitor your system, application and custom log files. Monitor your web server HTTP log files and use CloudWatch Metrics filters to identify 404 errors and count the number of occurrences within a specified time period. Alarm when thresholds are reached and automatically generate a ticket for investigation.
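The metric-filter-and-alarm workflow just described, simulated offline as an added example (not CloudWatch code): a filter that counts 404 responses per five-minute period over constructed access-log lines, and an alarm that lists the periods in which the count reached the threshold.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed web server access log lines in the common log format.
SAMPLE_ACCESS_LOG = """\
10.0.1.10 - - [16/Jul/2015:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.1.10 - - [16/Jul/2015:09:00:07 +0000] "GET /old-page.html HTTP/1.1" 404 312
10.0.1.10 - - [16/Jul/2015:09:01:15 +0000] "GET /images/banner.png HTTP/1.1" 404 312
10.0.1.10 - - [16/Jul/2015:09:02:30 +0000] "GET /favicon.ico HTTP/1.1" 404 312
10.0.1.10 - - [16/Jul/2015:09:06:10 +0000] "GET /missing.css HTTP/1.1" 404 312
10.0.1.10 - - [16/Jul/2015:09:07:00 +0000] "GET /index.html HTTP/1.1" 200 5120
"""
LINE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def metric_filter_404(log_text, period_s=300):
    """Count 404 responses per fixed period, like a CloudWatch Logs metric
    filter feeding a Count metric; keys are period start times (ISO 8601)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and m["status"] == "404":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            start = int(ts.timestamp()) // period_s * period_s
            counts[datetime.fromtimestamp(start, timezone.utc).isoformat()] += 1
    return dict(counts)


def alarm_periods(counts, threshold=3):
    """Periods whose 404 count reached the threshold; each would move the
    alarm to ALARM and raise a ticket for investigation."""
    return sorted(period for period, n in counts.items() if n >= threshold)
```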

Use AWS Config to audit changes to your environment

AWS Config Integration


AWS has many different content storage services
• Simple Storage Service (S3) for static objects and web hosting
• Redshift for data warehousing of large datasets
• Relational Database Service (RDS) for hosting managed SQL databases
• Elastic Block Store (EBS) for storing workloads on EC2

AWS Key Management Service (diagram: AWS KMS holds the Customer Master Key(s); Data Key 1 protects an Amazon S3 Object, Data Key 2 an Amazon EBS Volume, Data Key 3 an Amazon Redshift Cluster and Data Key 4 a Custom Application)

Making use of available Amazon S3 security features

Configure S3 access controls at bucket and object level
• Restrict access and rights as tightly as possible and regularly review access logs
• Use versioning for important files, with MFA required for delete

Use S3 cryptographic features
• Use HTTPS to protect data in transit
• S3 server side encryption
  • AWS will transparently encrypt your objects using AES-256 and manage the keys on your behalf, or manage those keys using AWS Key Management Service (KMS)
• Use S3 client side encryption
  • Encrypt information before sending it to S3
  • Build yourself or use the AWS Java SDK

Use MD5 checksums to verify the integrity of objects loaded into S3 over long periods of time
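The MD5 integrity check from the last bullet, as an added example that is not part of the deck: the Content-MD5 header S3 validates on upload, the ETag S3 returns (which is only the plain MD5 for single-part, non-KMS objects, so the multipart form is handled too), and a checksum manifest for re-verifying objects long after upload. The ETag rules are AWS behaviour the slides do not spell out; the sample objects are constructed.

```python
import base64
import hashlib
from typing import Optional


def content_md5_header(data: bytes) -> str:
    """Value for the Content-MD5 request header: base64 of the raw digest.
    S3 rejects the PUT outright if the body it receives does not hash to it."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def expected_etag(data: bytes, part_size: Optional[int] = None) -> str:
    """The ETag S3 assigns to an object stored unencrypted or with SSE-S3.

    Single PUT: the hex MD5 of the body.  Multipart upload: the hex MD5 of the
    concatenated binary MD5s of each part, then '-' and the part count, so it
    is not the MD5 of the whole object and can only be recomputed if the part
    size used for the upload is known.  SSE-KMS and SSE-C objects get ETags
    that are not MD5s at all, so keep your own checksum for those."""
    if part_size is None:
        return hashlib.md5(data).hexdigest()
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)] or [b""]
    digests = b"".join(hashlib.md5(p).digest() for p in parts)
    return f"{hashlib.md5(digests).hexdigest()}-{len(parts)}"


def verify_object(data: bytes, etag: str, part_size: Optional[int] = None) -> bool:
    """Compare a downloaded body with the quoted ETag header S3 returned."""
    etag = etag.strip('"')
    if "-" in etag and part_size is None:
        raise ValueError("multipart ETag: the upload's part size is required")
    return expected_etag(data, part_size if "-" in etag else None) == etag


def checksum_manifest(objects: dict) -> dict:
    """Record the MD5 of every object at upload time; the long-term check
    re-downloads and compares against this, independent of the ETag."""
    return {key: hashlib.md5(body).hexdigest() for key, body in objects.items()}


def audit(manifest: dict, objects_now: dict) -> list:
    """Keys whose current content no longer matches the recorded MD5, or
    that have disappeared."""
    return sorted(key for key, md5 in manifest.items()
                  if key not in objects_now
                  or hashlib.md5(objects_now[key]).hexdigest() != md5)
```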

Understanding Amazon Redshift security features

Redshift has one-click full disk encryption as standard
• If chosen, backups to S3 are also encrypted
• You can use the AWS CloudHSM to store your keys or supply keys from AWS Key Management Service (KMS)

You can build end-to-end encryption for your data pipeline
• Use S3 client side encryption to load data into S3
• Pass Redshift the same key and it will decrypt when loading

Configure security groups and consider deploying within VPC
• Redshift loads data from S3 over SSL
• Limit access to those S3 buckets and consider the end-to-end data load process from source

Use SSL to protect data in transit if querying over the Internet

Making the most of Amazon RDS security features

RDS can reduce the security burden of running your databases
• Limit security group access to RDS instances
• Limit RDS management plane access with AWS IAM permissions

Encrypt data in flight
• Oracle Native Network Encryption, SSL for SQL Server, MySQL and PostgreSQL – especially if the database is accessible from the Internet

Encrypt data at rest in sensitive table space
• Native RDS via SQL Server and Oracle Transparent Data Encryption
• Encrypt sensitive information at application level or use a DB proxy

Configure automatic patching of minor updates – let AWS do the heavy lifting for you within a maintenance window you choose

Encrypting EBS volumes on Amazon EC2 instances

Use AWS native encryption, roll your own or use commercial solutions from AWS partners
• AWS EBS native encryption at the click of a mouse. Encryption keys are managed and visible using AWS Key Management Service
• Use Windows BitLocker or Linux LUKS for encrypted volumes
• SafeNet Protect-V, Trend Secure Cloud, Voltage – some vendors offer boot volume encryption, including hardware key storage options

Managing encryption keys is critical and difficult!
• How will you manage keys and make sure they are available when required, for example at instance start-up?
• How will you keep them available and prevent loss? How will you rotate keys on a regular basis and keep them private?

AWS CloudHSM can integrate with on-premise SafeNet HSMs (diagram: your HSM on your premises synchronised with an H/A pair of CloudHSMs, which serve volume, object and database encryption, and transaction signing / DRM / apps, for EC2, EBS, Amazon S3 and Amazon Glacier)

Block threats to your application

Traditional network intrusion detection and prevention is less relevant now
• Dude, where’s my SPAN port?
• Attackers have moved to layer 7 (HTTP) so we need to follow them there
• You can still build an effective DMZ within the VPC using a wide range of open source or AWS technology partner solutions

Drop bad traffic before it hits your application and databases
• Can be deployed in two-way configuration to implement simple DLP, for example scan outgoing traffic for Credit Card Numbers
• Design for scale and high-availability using ELBs
• Scale fast and wide to cope with huge traffic volumes
• Build a solution designed to cope with volumetric attacks

Let’s build an example in the next slides
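The “simple DLP” check from the slide, as an added example that is not the deck’s code: an egress filter that scans an outgoing HTTP response body for card-number-shaped digit strings, confirms them with the Luhn check so that order numbers of similar length are not flagged, and blocks the response while logging only masked values. The response body is a constructed sample using the standard 4111 test number.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes, not glued to
# other digits.  Candidates are then confirmed with the Luhn check so that
# order numbers and timestamps of similar length are not flagged.
CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit strings in `text` that pass the Luhn check, separators removed."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_response(body: str):
    """Egress DLP decision for one HTTP response body: ("allow", body) when
    clean, otherwise ("block", masked values) so the leak is logged but the
    numbers themselves never leave the VPC, not even in the alert."""
    hits = find_card_numbers(body)
    if not hits:
        return ("allow", body)
    return ("block", [mask(h) for h in hits])


# Constructed sample: an API response that accidentally echoes a full PAN
# next to an order id that happens to be 15 digits long.
SAMPLE_RESPONSE = ('{"order": "123456789012345", "status": "shipped", '
                   '"payment": {"card": "4111 1111 1111 1111", "exp": "12/19"}}')
```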

Building a scalable threat protection layer in your VPC (diagram: Internet Gateway, then an Elastic Load Balancer in a public subnet, then auto-scaled WAF instances in private subnets across Availability Zone A and Availability Zone B, then an internal Elastic Load Balancer, then auto-scaled Web Application EC2 instances in private subnets)

Use VPC peering to build common security gateways (diagram: Internet users / customers reach the Web Apps (HTTP/S) of the Apps and Operations Team only through the Security Team’s WAF Service (HTTP/S), connected by VPC Peering; a Proxy Service (HTTP/S) provides secure access to APIs and Amazon S3 from applications)

All customer access is routed through WAF web applications

You don’t have to be alone when facing volumetric attacks

You can build a solution that can scale and offload attacks (diagram: Player one: your VPC, with Auto scaling)

Vital statistics
You can scale your VPC up to your financial threshold
• You have AWS scale and bandwidth at your disposal
• Auto-scale your application
• Use queues and worker instances to process traffic
• Think how you can shard your databases

You can also bring AWS resources to assist you (diagram: Player two: AWS, with CloudFront, Route 53 and S3 alongside your auto-scaled VPC)

Vital statistics
AWS provides large-scale Global endpoints
• 52 CloudFront edge locations and growing all the time
• 100% Route53 availability SLA
• 24x7 dedicated teams responding
• Drop malformed requests
• Soaking up load and watching your back

Your VPC can use auto-scaling to serve dynamic content (diagram: customers reaching EC2 instances in the Region)

Serve your static content from S3 (diagram: Amazon S3 in the Region; S3 is processing more than a million requests/s)

Use CloudFront to cache your origin servers (diagram: a CloudFront Edge Location between customers and the Region; CloudFront has over 52 global edge locations)

CloudFront can also proxy your dynamic content

CloudFront will unload volume from your VPC and drop bad requests (diagram: distributed attackers hitting the CloudFront edge rather than the Region)

Route 53 is a global, resilient DNS to keep your traffic coming (diagram adds Route53 in front of the Region)

AWS is delivering and defending large-scale endpoints 24x7

You can out-scale your attacker until their resources diminish (diagram: customers again reaching the Region through Route53)

Route 53 can also load balance traffic across multiple AWS Regions (diagram: Route 53 in front of the SYDNEY and DUBLIN Regions, each with Availability Zone A and Availability Zone B holding NAT and EC2 instances)

You can use health-checks to failover Regions or even just VPCs

Amazon Route53 makes DNS easy and reliable

DNS is hard and complex from a security viewpoint
• Route 53 lets AWS take care of the heavy-lifting
• Customers just have to configure DNS entries
• Latency-based routing and app health-checking
• Fall back to static website if main site down
• Round-robin load balance across VPCs / Regions

Security best practices for Route 53
• DNS is a critical service – understand and limit who can access and change Route 53 configurations using AWS IAM
• Use two-factor authentication for those users
• Use new Private DNS features to limit internal domain visibility

Amazon CloudFront will deliver your content from the nearest edge

Use CloudFront to increase your solution’s performance and availability
• Cache more than static content – now with more supported HTTP verbs
• Highly reliable global network of edge locations
• Can help absorb volumetric attack and drop bad HTTP requests

Security best practices for CloudFront
• Use private content option to authorise only signed requests
• Use SSL when POSTing sensitive information
• Review logs for attack intelligence – are you being targeted?
• Lock CloudFront to specific S3 origin buckets when possible
• Configure HTTPS only for downloads

AWS partners can help you build and implement secure solutions (diagram: Facilities, Physical security, Compute infrastructure, Storage infrastructure, Network infrastructure, Virtualization layer (EC2), Hardened service endpoints and Fine-grained IAM capability + AWS partner solutions = Your secure AWS solutions)

These products and more are available on the AWS marketplace - WAF, VPN, IPS, AV, API gateways, data encryption, user management

Where you can go for help and further information

Browse and read AWS security whitepapers and good practices
• http://blogs.aws.amazon.com/security
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, including CSA questionnaire response
• Security best practices
• Audit and operational checklists to help you assess security before you go live
• Regularly check Trusted Advisor

Sign up for AWS support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment