Post on 23-Mar-2020
Kourosh Amin-Tehrani, AWS Certified Professional, ktehrani@encore-c.com
Pete Mauro, President, pmauro@encore-c.com
Encore Consulting Services, Inc
www.encore-c.com
About
Mr. Amin-Tehrani has over two decades of Network/Information Systems Design and Implementation experience. He has successfully developed architectures and implemented innovative cloud computing solutions. He is an experienced solutions architect for cloud initiatives and production environments in various markets, such as healthcare and government. You can expect a personalized service that is tailored to your organization's needs.
System Driven Approach
• Business and Technical requirements drive strategy and architecture.
• Capturing requirements is essential.
• Leverage known best practices in the industry.
• Define key principles/policies/critical success factors for IT.
• Security from the beginning (upfront).
• Agile is key (multiple phases / MVPs).
Approach
• Assist in designing, building, operating/monitoring, and auditing a cloud security architecture and secure platform.
• Assist in qualifying an outside AWS security / Big Data firm to execute against the above.
• Coach in detailed design and implementation, as well as helping with decision making around work products, scope changes, etc.
• Assist in FISMA Moderate certification of the environment by an outside firm, chosen by Security.
• Assist in any subsequent software assessment(s) to round out our toolset, e.g. Cloud Access Security Broker (CASB) software for on-going validation and monitoring, or if/as determined.
• Assurance and testing strategy and methods.
• Other duties as necessary, AKA all of the things we don't yet know we need.
• Build the framework for operating, monitoring and auditing, as well as setting up the training to make it possible for either outside firms or internal folks to perform the work.
V Lifecycle Approach (with an Agile / DevOps Framework)
Security Compliance on AWS
• Amazon API Gateway
• Amazon Aurora [MySQL, PostgreSQL]
• AWS Batch
• Amazon CloudFront [including Lambda@Edge]
• AWS CloudHSM
• Amazon CloudWatch Logs
• Amazon Cognito
• Amazon Connect
• AWS Database Migration Service
• AWS Direct Connect
• AWS Directory Services excluding Simple AD and AD Connector
• Amazon DynamoDB
• Amazon EC2 Container Service (ECS)
• Amazon EC2 Systems Manager
• Amazon ElastiCache
• Amazon Elastic Block Store (Amazon EBS)
• Amazon Elastic Compute Cloud (Amazon EC2)
• Elastic Load Balancing
• Amazon Elastic MapReduce (Amazon EMR)
• Amazon Glacier
• Amazon Inspector
• AWS Key Management Service
• Amazon Kinesis Streams
• AWS Lambda
• Amazon Redshift
• Amazon Relational Database Service
• Amazon Route 53
• AWS Shield [Standard and Advanced]
• Amazon Simple Notification Service (SNS)
• Amazon Simple Queue Service (SQS)
• Amazon Simple Storage Service (S3)
• AWS Snowball
• AWS Snowball Edge
• AWS Snowmobile
• AWS Storage Gateway
• Amazon Virtual Private Cloud (VPC)
• AWS Web Application Firewall (WAF)
• Amazon WorkDocs
• Amazon WorkSpaces
FedRAMP vs. FISMA
Evaluating alternative Architecture
- Assess current state
- Meet stakeholders to involve them in the project scope
- Evaluate current security controls
- Propose future-state architecture
AWS Secure Cloud Architecture
AWS Security Levels of Separation:
1. AWS Account
2. AWS VPC
3. AWS Subnets
Centralized vs Decentralized vs Security Needs vs Developer Needs
Note: AWS Architecture always changes
DevOps
DevSecOps
Cloud Governance