How Can I Plan for Security, Risk, & Compliance Before Migrating to AWS? | AWS Public Sector Summit 2017
Page 1
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
June 13, 2017
How can I plan for security, risk, and compliance before migrating to AWS?
Rob Barnes
Cloud Security Architect
Amazon Web Services
Tom Ognibene
Principal Software Engineer
Blackbaud
Page 2
Migration & Transformation Track
Tuesday, June 13th - Room 201

| Time | Session | Title |
|---|---|---|
| 8:45 - 9:35 AM | 119706 | My CIO Says That We are Going All-In and Migrating to AWS? Now What? |
| 9:40 - 10:30 AM | 125086 | Hybrid as a Stepping Stone: It’s Not All or Nothing for Your Cloud Transformation Journey |
| 2:00 - 2:50 PM | 119707 | Why do I need to plan for Security, Risk, & Compliance before migrating to AWS? |
| 3:30 - 4:20 PM | 119708 | How Can I Build a Landing Zone & Extend my Operations into AWS to Support my Migration? |
| 4:30 - 5:20 PM | 119709 | What Organizational & Governance Changes do I Need to Make Prior to Migrating to AWS? |
Page 3
Risk.
Page 4
Are you wondering about your compliance right now?
Page 5
Or do you just want to help?
Page 6
• Directive
• Preventive
• Detective
• Responsive
Page 7
• Identity & Access Management
• Logging & Monitoring
• Infrastructure Security
• Data Protection
• Incident Response
Page 8
But don’t take my word for it…
Page 9
Tom Ognibene
Principal Software Engineer
24 years at Blackbaud
10 years payment solutions
PCI SME
Page 10
Our Journey
Page 11
Blackbaud began with a vision to help one organization
Page 12
We now support the entire social good community
• Nonprofits
• Education Institutions
• Foundations
• Corporations
• Individual Change Agents
Page 13
Blackbaud Payment Service
Service dedicated to securely processing credit card transactions for our application
• Web servers
• Database servers
• Firewalls
• VLANs
• SIEM solutions
• Monitoring
Page 14
Blackbaud Payment Services
[Chart; y-axis ticks 0 to 12,000 in steps of 2,000]
Page 15
Blackbaud Payment Services
Page 16
Why AWS

Pages 17 to 20
Why AWS
We have a good DR story
AWS has a better one!
Our infrastructure can handle the current demand
AWS can do it more cheaply
We have a good SIEM solution
AWS can improve on it
We know how to build infrastructure
AWS can build it faster
Page 21
Remove Default VPC

```powershell
# …
# Find the default VPC in the region; there is at most one per region.
[Amazon.EC2.Model.Vpc[]] $vpcList = Get-EC2Vpc -Filter @{Name="isDefault"; Values="true"} -Region $Region
if ($vpcList -ne $null) {
    [Amazon.EC2.Model.Vpc] $vpc = $vpcList[0]
    [Amazon.EC2.Model.Filter] $vpcFilter = [Amazon.EC2.Model.Filter]::new("vpc-id", @($vpc.VpcId))

    # Subnets must go before the VPC can be deleted.
    [Amazon.EC2.Model.Subnet[]] $subList = Get-EC2Subnet -Filter @($vpcFilter) -Region $Region
    ForEach ($sub in $subList) {
        Remove-EC2Subnet -SubnetId $sub.SubnetId -Region $Region -Force
    }

    # Internet gateways must be detached from the VPC, then deleted.
    $vpcFilter.Name = "attachment.vpc-id"
    [Amazon.EC2.Model.InternetGateway[]] $igList = Get-EC2InternetGateway -Filter @($vpcFilter) -Region $Region
    ForEach ($ig in $igList) {
        ForEach ($igAttach in $ig.Attachments) {
            Dismount-EC2InternetGateway -VpcId $vpc.VpcId -InternetGatewayId $ig.InternetGatewayId -Region $Region -Force
        }
        Remove-EC2InternetGateway -InternetGatewayId $ig.InternetGatewayId -Region $Region -Force
    }

    Remove-EC2Vpc -VpcId $vpc.VpcId -Region $Region -Force
}
```
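The deletion above fails (DependencyViolation) if anything still lives in the default VPC, so a pre-check is worth running first. This is an added example, not code from the deck or from Blackbaud: it counts the elastic network interfaces in the default VPC, since every instance, RDS database, load balancer or Lambda VPC configuration shows up as one. It assumes the AWS Tools for PowerShell EC2 module is loaded and `$Region` is set as in the slide's script.

```powershell
# Added example (not from the slide deck): report whether the default VPC in a region is
# safe to remove, i.e. has no elastic network interfaces left in it.
# Assumes the AWS Tools for PowerShell EC2 cmdlets are available and credentials are configured.
function Test-DefaultVpcEmpty {
    param([Parameter(Mandatory)][string] $Region)

    [Amazon.EC2.Model.Vpc[]] $vpcList = Get-EC2Vpc -Filter @{Name="isDefault"; Values="true"} -Region $Region
    if (-not $vpcList) {
        Write-Verbose -Message "No default VPC in $Region; nothing to remove"
        return $true
    }
    $vpc = $vpcList[0]

    # ENIs are the single best "is this VPC in use" signal: EC2, RDS, ELB/ALB, Lambda, EFS,
    # VPC endpoints and NAT gateways all create one.
    [Amazon.EC2.Model.NetworkInterface[]] $enis = Get-EC2NetworkInterface `
        -Filter @{Name="vpc-id"; Values=$vpc.VpcId} -Region $Region

    if ($enis.Count -gt 0) {
        ForEach ($eni in $enis) {
            # Description tells you which service owns the interface (e.g. an ELB or RDS ENI).
            Write-Warning -Message ("{0} in subnet {1} is still in use: {2}" -f `
                $eni.NetworkInterfaceId, $eni.SubnetId, $eni.Description)
        }
        return $false
    }
    return $true
}

# Gate the slide's removal block on the check:
# if (Test-DefaultVpcEmpty -Region $Region) { <run the Remove Default VPC script> }
```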
Page 23
Right Choice
Is AWS the “right” one
Page 24
Performance
Is AWS performant
Page 25
Type of Migration
Lift and Shift
Product rewrite
Page 26
How Many Environments
Application
SIEM
Page 27
“Roles”
Who needs to use the environments
What do they need it for
Page 28
Software Defined Infrastructure
Write software => Test software
Page 29
Project Planning
Is AWS the best choice
Is it performant
How am I going to migrate
How many environments
How should I separate them
Who is going to access it
Other considerations
Page 30
AWS Tech
Yikes
Page 31
SSM deployment

```powershell
# Deploy every JSON file under ..\Data\SSMCmdDocs as an SSM Command document named "BB-<file name>",
# creating it if absent and publishing a new default version if the content changed.
[Object[]] $SSMDocumentFileList = Get-ChildItem -Path $((Get-Item $PSScriptRoot).Parent.FullName + "\Data\SSMCmdDocs") `
    -Filter "*.json"
ForEach ($SSMDocumentFile in $SSMDocumentFileList) {
    [String] $SSMDocumentName = "BB-" + $($SSMDocumentFile.BaseName)
    [String] $SSMDocumentFileContents = [System.IO.File]::ReadAllText($SSMDocumentFile.FullName)
    try {
        # Compare the local file against the current default version of the document.
        [Amazon.SimpleSystemsManagement.Model.GetDocumentResponse] $SSMDocument = Get-SSMDocument -DocumentVersion "`$DEFAULT" `
            -Name $SSMDocumentName
        if ($SSMDocumentFileContents -ne $SSMDocument.Content) {
            Write-Verbose -Message "Updating document $SSMDocumentName"
            [Amazon.SimpleSystemsManagement.Model.DocumentDescription] $SSMDocumentDescription = Update-SSMDocument `
                -Content $SSMDocumentFileContents -DocumentVersion "`$LATEST" -Name $SSMDocumentName
            [Amazon.SimpleSystemsManagement.Model.DocumentDefaultVersionDescription] $docVersion = Update-SSMDocumentDefaultVersion `
                -Name $SSMDocumentName -DocumentVersion $SSMDocumentDescription.LatestVersion
        }
    } catch [Amazon.SimpleSystemsManagement.Model.InvalidDocumentException] {
        # Get-SSMDocument throws InvalidDocumentException when the document does not exist yet.
        Write-Verbose -Message "Adding document $SSMDocumentName"
        [Amazon.SimpleSystemsManagement.Model.DocumentDescription] $SSMDocumentDescription = New-SSMDocument `
            -Content $SSMDocumentFileContents -DocumentType ([Amazon.SimpleSystemsManagement.DocumentType]::Command) `
            -Name $SSMDocumentName
        [Amazon.SimpleSystemsManagement.Model.DocumentDefaultVersionDescription] $docVersion = Update-SSMDocumentDefaultVersion `
            -Name $SSMDocumentName -DocumentVersion $SSMDocumentDescription.LatestVersion
    }
}
```
Page 32
Implementation
PowerShell/C# library
CIS AWS Foundations hardening standards
SSO/SAML integration
IAM Roles/Restrictive Policies
CloudTrail/AWS Config
Security Groups
ELB and Policies
VPC/VPC Peering
Page 33
Today
Multiple AWS environments
Completed PCI assessment
Completed Multiple External Pen Tests
Migrate additional payment applications
Page 34
Automation and Security

```powershell
# Script block pushed to Windows hosts (e.g. via SSM Run Command) to remove SMBv1 entirely.
[ScriptBlock] $RemoveSMBv1 = {
    # Remove the SMB1 optional feature without rebooting yet.
    Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null
    # Stop the server service from speaking SMB1 immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Uninstall the SMB1 server role feature and reboot to finish.
    Uninstall-WindowsFeature -Name FS-SMB1 -Restart | Out-Null
}
```
Page 35
WannaCry
Page 36
Thank you!