Page 1: AWS Security Best Practices Real-world examples and …files.meetup.com/19805711/stackArmor 07-19-2016 meetup.pdf · Supported the first AWS cloud migration in 2009 for ... 1 Web

AWS Security Best Practices Real-world examples and Common Mistakes

AWS Frederick Meetup, Tuesday, 19th July 2016

Gaurav Pal & Madhu Joshi

Page 2:

SaaS, Security and AWS

PROPRIETARY AND CONFIDENTIAL INFORMATION OF STACKARMOR

GP, CEO and Founder

Cloud Solutions Architect and Technology Strategist
• Focused on full-stack security and operations management
• Cloud automation and business process acceleration
• Cybersecurity Policies, Procedures and Tactics

Supported the first AWS cloud migration in 2009 for Recovery.gov and has successfully led multiple large enterprise cloud modernization programs in regulated industries, Financial Services and Healthcare.

www.stackArmor.com
@cloudpalgp
https://www.linkedin.com/in/
[email protected]

Page 3:

AWS Automation & Security


Madhu Joshi, CTO

Cloud Solutions Architect and Technology Strategist
• Focused on full-stack security and operations management
• Cloud automation and business process acceleration
• Educator, trainer and professor at JHU

[email protected]

Page 4:

What we do


Page 5:

Business Landscape

• Data breaches are “daily” news
• Regulators are starting to take notice
  ◦ FTC versus Henry Schein Practice Solutions, Inc. (Jan 5th, 2016)
  ◦ SEC versus R.T. Jones Capital Equities Management (Sep 22nd, 2015)
• NIST Cybersecurity Framework is the “standard of care”
  ◦ http://www.nist.gov/cyberframework/
  ◦ HIPAA, FISMA, FedRAMP, PCI-DSS, ISO 27001
• Cybersecurity is a Board level issue


Page 6:

Technology Landscape

• AWS/Cloud “takes care of everything”!!
  ◦ Shared Responsibility Model
• Managed Services and Processes required
  ◦ Patching and Vulnerability Management
  ◦ Boundary protection and monitoring
  ◦ Logging and Centralized log analysis
  ◦ Backups/Restore
• Most SaaS shops are strong on Dev but weak on Ops
• Network Engineering, Security Zoning, Boundary Protection and Enclave Hardening are not well understood


Page 7:

What??


“…while doing cloud hosting cost analysis for a venture funded start-up with $8 million of VC capital, we noticed heavy data egress charges. A simple analysis revealed that a hacker had penetrated the platform and downloaded the firm’s database and IP. The vulnerability was traced to an un-patched server.”

“The Technology team of a SaaS startup with Fortune 500 customers is operating their environment in a cloud environment without any intrusion detection and prevention systems such as web application firewalls, thereby creating third-party risk.”

“…a SaaS startup exposed their access secret key in their web application in plain view for anyone to access. This could have caused someone to wipe out the firm’s entire production and operational platform…”

Page 8:

Hmm…


Page 9:

Top Security “Boo boos”

Common poor security mistakes, each with a comment:

1. Creating unnecessary access and secret keys for IAM users
   Comment: Console users don’t need keys.

2. Using developer keys instead of instance roles for instance access
   Comment: Use IAM roles, which provide temporary credentials, to separate access to AWS resources.

3. Wide open inbound rules in security groups
   Comment: Restrict entry to specific ports and IP addresses as required.

4. Lack of restrictions on production instances
   Comment: Any user can perform actions on production instances. Provision IAM roles that allow for separation of duties.

5. Poor segmentation and zoning of application and data components using public and private subnets
   Comment: Proper zoning through subnets allows for segregating netflow and blackholing requests in the event of an attack.

6. Lack of boundary protection (IDS, IPS, VPN)
   Comment: Consider using WAF, IPS/IDS and VPN solutions.

7. Inconsistent patch management and vulnerability scanning
   Comment: Create an information security policy with a patching schedule that defines roles, responsibilities and reporting.
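A small audit for mistakes 1 and 3 in the table above, as an added example that is not part of the original deck: it reads a constructed, trimmed IAM credential report and constructed security-group JSON (group ids are made up) and flags console users holding access keys and inbound rules open to the world on anything but the web ports.

```python
import csv
import io

# Constructed, trimmed IAM credential report (a real GetCredentialReport CSV
# has more columns; only the ones this check reads are kept).
CREDENTIAL_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_2_active
alice,true,true,true,false
deploy-bot,false,false,true,false
bob,true,false,false,true
"""

# Constructed security groups in the shape of DescribeSecurityGroups output
# (group ids are made up).
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

ALLOWED_PUBLIC_PORTS = {80, 443}  # ports that may reasonably face the world


def console_users_with_keys(report_csv):
    """Mistake 1: console (password) users that also hold active access keys."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return sorted(r["user"] for r in rows if r["password_enabled"] == "true"
                  and "true" in (r["access_key_1_active"], r["access_key_2_active"]))


def wide_open_rules(groups):
    """Mistake 3: inbound rules open to the world (IPv4 or IPv6) on anything
    other than a single web port, or on all protocols (-1)."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            world = (any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
                     or any(r["CidrIpv6"] == "::/0" for r in perm.get("Ipv6Ranges", [])))
            if not world:
                continue
            proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
            if proto == "-1" or lo != hi or lo not in ALLOWED_PUBLIC_PORTS:
                findings.append((g["GroupId"], proto, lo, hi))
    return findings
```

Against live data, feed the same functions the output of `aws iam get-credential-report` and `aws ec2 describe-security-groups`.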


Page 10:

Vulnerability Scanning


• Good operational hygiene keeps the hacker away!?!

Page 11:

Logging and Monitoring…

• AWS VPC Flow Logs
  ◦ Most Talkers
  ◦ Rejected Traffic
• AWS CloudTrail
  ◦ Who deleted my instances?
  ◦ Who is asking for old or deleted keys?
• AWS Config
  ◦ Configuration Management
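The two VPC Flow Log questions above (most talkers, rejected traffic) worked over a handful of constructed records in the default version 2 format, as an added example that is not from the original deck; the account id, interface id and addresses are made up.

```python
from collections import Counter, defaultdict

# Default VPC Flow Log record format (version 2), space separated.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records (documentation address ranges, made-up ids).
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.10 10.0.1.20 45312 22 6 8 480 1468900000 1468900060 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.20 52001 443 6 120 98000 1468900000 1468900060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.20 198.51.100.7 443 52001 6 90 640000 1468900000 1468900060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 203.0.113.10 10.0.1.20 45313 3389 6 4 240 1468900060 1468900120 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.10 10.0.1.20 45314 22 6 6 360 1468900120 1468900180 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1468900120 1468900180 - NODATA
"""


def parse_flow_log(text):
    """One dict per record; windows with no data (NODATA/SKIPDATA) are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not the default format; ignore rather than misparse
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue  # no traffic counters to convert
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def top_talkers(records, n=3):
    """Source addresses ranked by bytes sent: the slide's "most talkers"."""
    by_src = Counter()
    for r in records:
        by_src[r["srcaddr"]] += r["bytes"]
    return by_src.most_common(n)


def rejected_ports_by_source(records):
    """Per source, the destination ports it was denied on; one source being
    rejected across many ports is the pattern worth alerting on."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items()}
```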


Page 12:

Full-stack Approach


Page 13:

Advanced VPC Connectivity Options

• VPC Refresher

• VPC Peering

• Transit VPC

• Shared Services VPC

• Partial-Mesh

• Direct Connect, Transitive VPC


Page 14:

VPC Refresher


Page 15:

VPC Refresher


Destination    Target
10.0.0.0/16    local

Page 16:

VPC Refresher


Destination    Target
10.0.0.0/16    local
0.0.0.0/0      igw

Destination    Target
10.0.0.0/16    local

Page 17:

VPC Refresher


Destination    Target
10.0.0.0/16    local
0.0.0.0/0      igw

Destination    Target
10.0.0.0/16    local
0.0.0.0/0      nat-instance-id
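Added example, not from the original slides: the three route tables shown across the VPC Refresher pages, classified as public, private or isolated by their default route, plus a zoning check that flags a subnet landing in a more exposed zone than intended (route table ids, subnet names and the expected-zone map are constructed).

```python
# Constructed route tables in the shape of DescribeRouteTables output, matching
# the three tables on the VPC Refresher slides (ids and subnet names made up).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1a2b3c4d"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat"}]},
    {"RouteTableId": "rtb-isolated", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

# Constructed expectation of which zone each tier belongs in.
EXPECTED_ZONE = {"subnet-web": "public", "subnet-app": "private", "subnet-db": "isolated"}


def classify(route_table):
    """Public if the default route points at an internet gateway, private if it
    points at a NAT instance/gateway, isolated if there is no default route."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        target = (route.get("GatewayId") or route.get("NatGatewayId")
                  or route.get("InstanceId") or route.get("NetworkInterfaceId") or "")
        return "public" if target.startswith("igw-") else "private"
    return "isolated"


def zoning_violations(route_tables, expected):
    """Subnets whose actual zone is more exposed than the zone expected for them."""
    exposure = {"isolated": 0, "private": 1, "public": 2}
    found = []
    for rt in route_tables:
        zone = classify(rt)
        for assoc in rt["Associations"]:
            subnet = assoc.get("SubnetId")  # the main-table association has none
            if subnet in expected and exposure[zone] > exposure[expected[subnet]]:
                found.append((subnet, expected[subnet], zone))
    return found
```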

Page 18:

VPC Refresher


Page 19:

VPC Peering


Page 20:

Shared-Services VPC


Page 21:

Transit VPC


Virtual Appliances such as Cisco 1000V, Fortigate, Palo Alto, Sophos

Page 22:

Partial-Mesh VPC


Page 23:

Direct-Connect, Transitive VPC


Page 24:

DoD STIG Process


• Defense Information Systems Agency (DISA) maintains security posture for DoD IT systems

• Security Technical Implementation Guides (STIGs) are guidelines for hardening
  ◦ OS
  ◦ Databases
  ◦ Applications
  ◦ Web Servers

• Recommendations change the configuration settings and parameters of these services

Page 25:

DoD STIG Process


• Potentially hundreds of settings / recommendations

• ID # and severity category (CAT 1 – CAT 3)

• Most of the changes need to be manual

• Verification of STIG compliance is daunting
  ◦ GoldDisk scan tool for automated verification
  ◦ NIST Security Content Automation Protocol (SCAP)

• Automated tools can provide remediation and/or fixes

• Contact us if you need help with the STIG process for AWS GovCloud deployments

Page 26:

Tools of our Trade

1. Web Application Firewalls: Fortiweb, Sophos, AWS WAF
2. IDS: Snort
3. Monitoring: Splunk, Elasticsearch, Sensui, Pallera
4. Vulnerability Scanning: Tenable Nessus, Retina, OpenVAS
5. Web Application Scanning: Acunetix
6. Compliance: openSCAP
7. QA/Code Quality: SonarQube
8. Static Code Scanning: CheckMarx


Page 27:

Compliance


Document: Description

Basic Security Policy: This document provides a basic set of high-level security policies that allows a client to state that they have a security policy in place, which can serve as an initial baseline.

Assessment Plan: This is a checklist security assessment, basically a self-assessment with questions asked by an experienced Information Assurance Analyst to demonstrate understanding and maturity of the cybersecurity posture.

High Level Security Assessment Report: A Security Assessment Report (SAR) that summarizes the scope, approach, and high-level findings.

Vulnerability and Penetration Testing: Automated scans with basic parameters and the auto-generated reports they provide. This includes working with the technology team to perform a test to ensure that any technical remediations that have been applied adequately address the vulnerabilities found.

Attestation Letter: Generally speaking, an external third party should be engaged to execute the assessment and asked to provide an attestation letter that describes the nature of the assessment, findings and remediation conducted.

Page 28:

Trusted Cloud Solutions


Many organizations are looking for trusted and secure cloud hosting solutions and need the agility to quickly consume cloud application services. stackArmor has developed https://stackbuilder.stackArmor.com as an easy-to-use deployment automation service that incorporates advanced security capabilities, a pre-configured VPC and management services, as well as support services.

Page 29:

Questions?

Gaurav “GP” Pal

Founder

www.stackArmor.com

Tel: (571) 271 4396

Email: [email protected]


Madhu Joshi

CTO

www.stackArmor.com

Tel: (703) 402-6105

Email: [email protected]