Cloudy with a Chance of Security

Cloud Security Alliance


April 13, 2015

"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Agenda

About GuidePoint Security
AWS Overview
AWS Security 101
AWS Security Best Practices
Common AWS Security Issues
Questions

"2013"GuidePoint"Security"

"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

About Me
Bryan Orme
Principal, Information Assurance Services for GuidePoint Security
Previously Director of Information Security at Capital One
Extensive background in Application Security, Mobile Security, PCI DSS compliance, Security Program and Strategy
Degrees and Certifications:
  Certified Information Systems Security Professional (CISSP)
  Certified Information Security Manager (CISM)
  Qualified Security Assessor (QSA)

"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

GuidePoint's AWS Experience
Cloud Architecture and Design
Cloud Migration
Roadmap & Standards Development
Security Assessments & Compliance Certification
Technology Selection & Integration
Cloud Governance & Visibility
vSOC MSSP with Splunk in AWS
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Cloud Computing Overview

"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Overview
Attractive to organizations because of...
Easier Administration
Lower Cost
Improved Collaboration
Improved data handling (...and security!?)

"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

CONFIDENTIAL"AND"PROPRIETARY"

AWS Overview
Unattractive to organizations because of...
Lack of Knowledge
Increased or New Costs
Data Security
Lack of Trust
Lack of Control

"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Overview

"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security 101

KPMG: "If you're out of the Cloud, you're out of the game."


"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security 101


Operating System Security
AWS guest (instance) operating system
  Customer controlled
  AWS console administrators cannot log in; access requires Amazon EC2 key pairs
  Customer is responsible for hardening & patching
Tools for automating hardening include:
  Puppet (www.puppetlabs.com)
  Chef (www.opscode.com/chef)
  Fabric/Cuisine (www.fabfile.org)
  CFEngine (www.cfengine.com)
  Microsoft Security Compliance Manager (SCM) (technet.microsoft.com/en-us/library/cc677002.aspx)
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security 101


OS Firewalls
Native OS solutions available
  iptables/netfilter - Linux/Unix
  Windows Firewall
  UFW - Ubuntu Linux
Look to automation tools for managing non-Windows OS firewalls
Windows OS firewalls are managed via GPOs or PowerShell scripts
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security 101


Applications
Running on AWS guests (instances)
  Customer controlled
  No interaction via AWS console
  Customer is responsible for security
Traditional application security safeguards apply
  Security Assessments, Source Code Reviews, etc.
Many traditional solutions work in AWS
  Imperva (www.imperva.com)
  ModSecurity (www.modsecurity.org)
  Fortinet (www.fortinet.com)
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security 101


Security Groups - virtual firewall to control traffic for one or more instances
Elastic Compute Cloud (EC2)
  EC2 Classic Security Groups (ingress only)
    Specified at launch; can't change the security group afterwards
  EC2 VPC Security Groups (ingress and egress)
    Specified at launch but can be changed
Relational Database Service (RDS)
  DB Security Groups only
  No VPC
Virtual Private Cloud (VPC)
  Security Groups (ingress and egress)
  Network Access Control Lists (ACLs)
    Subnet level
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security 101


Security Groups - Tiered Security Groups

"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security 101


Network Configuration
The only controls available to public instances are Security Groups (ingress) and OS firewalls
VPC instances are also subject to egress Security Groups & Network ACLs
These mirror the controls available on traditional on-prem devices that utilize Layer 3 ACLs
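The tiered security-group model from the slides above (web, app and database tiers that reference each other by group name, with egress enforced only inside a VPC), as an added example that is not part of the original deck: a small Python evaluator of stateful, allow-only security groups. Tier names, ports and addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Toy evaluator for tiered VPC security groups. Constructed example; tier
# names, ports and addresses are made up. Security groups are allow-only and
# stateful: a flow passes when the source group's egress rule AND the
# destination group's ingress rule both match; return traffic is implied.
SECURITY_GROUPS = {
    "web": {"ingress": [("tcp", 443, "0.0.0.0/0")],      # internet -> web tier
            "egress":  [("tcp", 8080, "sg:app")]},       # web -> app only
    "app": {"ingress": [("tcp", 8080, "sg:web")],
            "egress":  [("tcp", 3306, "sg:db")]},        # app -> db only
    "db":  {"ingress": [("tcp", 3306, "sg:app")],
            "egress":  []},                              # db initiates nothing
}

INSTANCES = {  # name -> (constructed private IP, security group)
    "web-1": ("10.0.1.10", "web"),
    "app-1": ("10.0.2.10", "app"),
    "db-1":  ("10.0.3.10", "db"),
}

def _rule_matches(rule, proto, port, peer_ip, peer_group):
    """One rule: peer is either a CIDR or a 'sg:<name>' reference to another group."""
    r_proto, r_port, r_peer = rule
    if r_proto != proto or r_port != port:
        return False
    if r_peer.startswith("sg:"):
        return r_peer[3:] == peer_group
    return ip_address(peer_ip) in ip_network(r_peer)

def flow_allowed(src, dst, proto, port):
    """src: instance name or external IP string; dst: instance name.

    Egress is only enforced for sources inside the VPC; an external client has
    no security group (the public-instance case on the slide is ingress-only).
    """
    src_ip, src_group = INSTANCES.get(src, (src, None))
    dst_ip, dst_group = INSTANCES[dst]
    if src_group is not None:
        egress = SECURITY_GROUPS[src_group]["egress"]
        if not any(_rule_matches(r, proto, port, dst_ip, dst_group) for r in egress):
            return False
    ingress = SECURITY_GROUPS[dst_group]["ingress"]
    return any(_rule_matches(r, proto, port, src_ip, src_group) for r in ingress)

if __name__ == "__main__":
    for flow in [("203.0.113.5", "web-1", "tcp", 443), ("203.0.113.5", "db-1", "tcp", 3306),
                 ("web-1", "app-1", "tcp", 8080), ("web-1", "db-1", "tcp", 3306)]:
        print(flow, "ALLOW" if flow_allowed(*flow) else "DENY")
```

Note that the web tier cannot reach the database directly even though the database group exists: both the web group's egress and the db group's ingress must name each other, which is what keeps a compromised front end from skipping a tier.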

"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security 101


Account Management
Multiple accounts can be created to isolate different AWS resources
You can isolate AWS resources based on:
  Environment (e.g. dev, test & prod)
  Major systems (ERP, Financial, etc.)
  Line of business/function (Accounting, HR, etc.)
  Customer (Client A, Client B)
  Risk level (DMZ)
  And more...
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security 101


Account Management
The Identity & Access Management console provides the ability to manage accounts
Accounts have unique security credentials
  Access keys (scripts, 3rd party tools, etc.)
  AWS Console logins (environment administrators)
  Multi-factor authentication (hardware/software tokens)
Policies are applied to accounts and can control access to AWS resources (RBAC)
  AWS Enterprise Admin
  Read-Only (e.g. an auditor's account)
Federation / identity brokering available
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security 101


Virtual Private Cloud (VPC)
Biggest bang... do this!
VPCs afford the following vs. public instances:
  Extension of your existing network
  Outbound (egress) control via Security Groups
  Network topology control (including ACLs)
  Network Address Translation (NAT)
  3rd party appliances & applications
  Multiple interfaces
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security 101


Virtual Private Cloud (VPC)
Organizations should use a VPC for the following:
  As an extension of their existing networks
  When a multi-tiered architecture is required
  For servers/solutions that require static IPs
  Increased security and compliance
Tested manufacturers supporting VPC VPNs
  Static: Cisco, Juniper, Yamaha, MSFT Server 2008 R2
  Dynamic (BGP): Cisco, Juniper, Yamaha, Astaro, PAN, Vyatta
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security Best Practices


Examples of existing security best practices that still apply to AWS resources include:
  Secure coding standards & developer training
  Network & application layer vulnerability assessments and penetration testing
  Anti-virus/Anti-malware (where appropriate)
  Event logging & correlation
VPC environments facilitate utilization of mature security best practices
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security Best Practices


Amazon discusses the following areas in their Security Best Practices white paper:
  Layered approach to network security
  Protecting data in transit (SSL/TLS & IPsec)
  Protecting data at rest (EFS, TrueCrypt, ZFS, dm-crypt, etc.)
  Protecting AWS credentials (key management)
  Managing multiple users (via IAM)
  Securing applications (via Security Groups)
  Patch management (manual/script process)
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

AWS Security Best Practices


Layered Approach to Network Security
Security Groups
  Inbound only with public instances
  Outbound available for VPC instances
Network ACLs (VPC only)
OS Firewalls*
Application Layer Firewalls
VPN Gateway
Network IDS/IPS*
Host IDS/IPS*
* requires non-AWS solution
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Common AWS Security Issues

Authentication & Authorization
Instance Sprawl
Improper or lack of instance hardening
Data Security
Asset Management / Configuration Management
Patching
Logging and Monitoring
Application & Network Security
Vulnerability Management
Compliance
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Common AWS Security Issues


Authentication and Authorization
Amazon Identity and Access Management (IAM)
  Password policies
  Identity Federation
    AWS <-> Corporate Directory
    Web ID Federation (Amazon, Google, Facebook)
  Temporary Security Credentials
  Multifactor Authentication
  AWS Request Authentication
  User directory AMI
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Common AWS Security Issues


Instance Hardening
Hardening can be accomplished within AWS using mature techniques and technologies:
  Gold master
  Puppet, Chef, CFEngine
  MSFT SCM for SCCM, GPO
  CloudPassage Halo
Launch scripts are an easy way to automate hardening for instances regardless of how the instance is launched
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Common AWS Security Issues


Data Security and Data Residency
  Ionic Security
  S3 Server Side Encryption
  Client-side Encryption (AWS SDKs for Java & Ruby)
  OS Level (e.g. TrueCrypt, BitLocker)
  Transparent Data Encryption (MSSQL & Oracle)
  SSL/TLS
Data Leakage Prevention
  CloudLock (SaaS)
  Elastica (SaaS)
  Verdasys (SaaS)
  Websense (SaaS)
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Common AWS Security Issues


Asset Management
Rapid deployment of instances via decentralized administration and limited documentation can make identifying assets within AWS a difficult task
The majority of clients utilize existing solutions for asset management, such as:
  Altiris
  CloudPassage
  Dome9
Other clients have utilized Vulnerability Management solutions for asset management in AWS
A formalized Change Management Program is a great way to herd AWS assets
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Common AWS Security Issues


Patch Management
Patching is just as challenging for AWS instances as it is for on-premises servers
SCCM is good for Windows-only environments (and can also be used for hardening & asset management)
Tivoli (BigFix) has been deployed to manage several clients' AWS environments
Integrating AWS patch management into existing Change Management Programs is essential
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Common AWS Security Issues


Logging
The trouble with logging AWS instances is the volume of log data that must traverse back to existing solutions
Several clients have implemented indexers/collectors within AWS to capture logs inside AWS and avoid costly data transfers
Successful integrations have been observed with Splunk (virtualized indexers)
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Common AWS Security Issues


Application & Network Security
Security Groups & Network ACLs are only part of a layered approach to network security and can quickly become unmanageable
Check Point offers a true Unified Threat Management (UTM) AWS virtual appliance that can perform Firewall, IDS, VPN, DLP, Application Control and Mobile Access functions
It integrates with existing on-premises Check Point management solutions for centralized management
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Common AWS Security Issues


Application & Network Security
Other point solutions exist, such as:
IDS
  Snort (VRT) / Sourcefire
  CloudPassage
  Alert Logic Threat Manager (w/ PCI ASV scanning)
OS Firewall Management
  CloudPassage
  Puppet
  MSFT PowerShell
Application Layer Firewalls
  Imperva
  F5 BIG-IP ASM (VE)
  FortiWeb
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Common AWS Security Issues


Vulnerability Management
Existing solutions can extend into the cloud provided VPCs are utilized
  Nessus and Nexpose implementations have been observed
  QualysGuard virtual appliance
  CloudPassage Halo
All currently require AWS authorization prior to testing (approvals average a 48-hour turnaround)
Core Security offers CloudInspect for penetration testing; it is a pre-authorized solution, but currently not a mature one
"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Questions?

Bryan Orme, Principal


bryan.orme@guidepointsecurity.com

"2013"GuidePoint"Security"

"2015"GuidePoint"Security,"LLC""""""
CONFIDENTIAL"AND"PROPRIETARY"""

Вам также может понравиться