A cloud adoption framework - a security perspective
Andrew Kiggins, Security Solutions Architect, Amazon Web Services
Agenda
• Understand the security benefits of the cloud
• Strategy and approach to cloud adoption
• Implementing and delivering cloud security
• Security best practices
Perspectives
• Business
• People
• Organization
• Security
• Maturity
• Process
• Platform
Benefits of cloud security
Cloud services can potentially offer many advantages, including the following:
• economies of scale
• cost savings
• access to quality system administration
• operations that adhere to uniform security standards and best practices
• flexible, fast and agile resource scaling for institutions as usage requirements change
• enhanced system resilience during location-specific disasters or disruptions
Benefits of cloud security
• designed for security
• leverage best practices from multiple industries
• pay for the security you need
• highly automated and flexible
• shared security
Shared responsibility model
• Of the cloud (cloud provider)
  • Compute resources
  • Storage
  • Physical security
• In the cloud (cloud user)
  • Encryption
  • Application security
  • Identity management
Define your strategy
• Review and assess current strategy
• Map responsibilities to your infrastructure
  • Control framework
  • RACI model
  • Risk register
• Define principles
Key Controls
1. Encryption & Tokenisation
2. Dedicated resources/Virtual Private Cloud
3. Change Management
4. Virtualized Environment Security
5. User Access Management
6. Collaborative DR
7. SIEM
8. Penetration Testing
9. Administrative Remote Access
10. SDLC
11. Securing Logs & Backups
Delivering a program
• Core components
  • Identity and access management
  • Logging and monitoring
  • Infrastructure security
  • Data protection
  • Incident response
Delivering a program
• Additional components
  • DevSecOps
  • Compliance validation
  • Resilience
  • Configuration and vulnerability analysis
  • Security big data and analytics
Approach
• Understand Security Best Practices
• Build Strong Compliance Foundations
• Integrate Identity & Access Management
• Enable Detective Controls
• Establish Network Security
• Implement Data Protection
• Optimize Change Management
• Automate Security Functions
Best Practices
• Understand the security responsibilities
• Manage accounts, users, groups and policies
• Manage access to resources
• Secure your data
• Secure your operating systems and environment
• Secure your infrastructure
• Manage security monitoring, alerting, audit trail and incident response
Security Certifications and Assurance Programs
Integrate identity management
• Policies, users, groups, roles
• Lightweight Directory Access Protocol (LDAP)
• Security Assertion Markup Language (SAML 2.0)
• OpenID Connect (OIDC)
• Active Directory
Enable detective controls
• Vulnerability assessment
• Access control monitoring
  • Network
  • User
  • Credentials use
• Audit logs
• Evaluation
• Data Loss Prevention
Establish network security
• Defense in depth
  • Firewalls
  • Intrusion Prevention/Detection System (IPS/IDS)
  • Proxies
• Scalable
  • Resource based
  • Performance based
• Flexible
  • Code based deployment
Implement data protection
• Encryption
• Access control
• Identity monitoring
• Segmentation
• Tokenization
Optimize change management
• Integrate with source control and Continuous Integration/Continuous Delivery (CI/CD)
• Reduce human interaction
• Smaller changes, lower security risk
• Update the control framework to continuous assessment
Automate security functions
• Security as code
• CI/CD pipeline
• Scales with production deployment
• Automated detection and response

Pipeline diagram (labels recovered from the slide, in the order they were extracted):
• Dev
• CloudFormation Templates for Environment
• Continuous Scan: Config Code, Config Tests
• Validate Git-Secrets
• Package Builder
• Checksum AMIs
• Audit/Validate Test Env
• Version Control
• Get / Pull Code
• CI Server
• Send Build Report to Security; stop everything if audit/validation failed
• Promote Process
• Staging Env
• Prod Env
• Log for audit
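The gated build flow in the diagram above, as an added Python example that is not code from the original deck: stand-in checks for the diagram's "Validate Git-Secrets", template validation and "Checksum AMIs" stages run in order, every result is logged for audit, and the pipeline stops at the first failure instead of promoting. The sample files, the artifact bytes, the minimal template check and the simplified access-key-ID pattern are all constructed assumptions.

```python
import hashlib
import json
import re

# Constructed sample inputs standing in for a checked-out repo and a built artifact.
SAMPLE_FILES = {
    "app/config.py": "DB_HOST = 'db.internal'\n",
    "deploy/template.json": json.dumps({"Resources": {"Bucket": {"Type": "AWS::S3::Bucket"}}}),
}
SAMPLE_ARTIFACT = b"constructed-ami-or-package-bytes"
SAMPLE_MANIFEST = {"artifact.bin": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}

# Simplified form of the access-key-ID pattern git-secrets flags (assumption: AKIA prefix only).
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")


def scan_for_secrets(files):
    """Fail if any committed file contains a string that looks like a static credential."""
    hits = [path for path, text in files.items() if ACCESS_KEY_RE.search(text)]
    return (not hits), (f"secret-like strings in {hits}" if hits else "no secrets found")


def validate_template(files):
    """Stand-in for a template validation step: the template must parse and declare Resources."""
    try:
        doc = json.loads(files["deploy/template.json"])
    except (KeyError, ValueError) as exc:
        return False, f"template unreadable: {exc}"
    ok = "Resources" in doc
    return ok, ("template declares Resources" if ok else "template lacks Resources")


def verify_checksum(artifact, manifest, name="artifact.bin"):
    """Compare the built artifact's SHA-256 with the value recorded in the manifest."""
    digest = hashlib.sha256(artifact).hexdigest()
    ok = manifest.get(name) == digest
    return ok, f"checksum {'matches' if ok else 'MISMATCH'} for {name}"


def run_pipeline(files=SAMPLE_FILES, artifact=SAMPLE_ARTIFACT, manifest=SAMPLE_MANIFEST):
    """Run the gates in order, log each result for audit, and stop at the first failure."""
    stages = [
        ("validate git-secrets", lambda: scan_for_secrets(files)),
        ("validate template", lambda: validate_template(files)),
        ("checksum artifact", lambda: verify_checksum(artifact, manifest)),
    ]
    audit_log = []
    for name, check in stages:
        ok, detail = check()
        audit_log.append({"stage": name, "result": "pass" if ok else "fail", "detail": detail})
        if not ok:  # stop everything; the log is the build report sent to security
            return {"promote": False, "log": audit_log}
    return {"promote": True, "log": audit_log}
```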
Security operations - tenets
• Use the cloud to protect the cloud
• Ensure cloud awareness
• Use APIs
• Automate
Security is job number 1
• It's everyone's job
• It's cultural
• It's implicit
• It's encouraged
• It's cooperative
Thank you!
Contributors:
• Andrew Kiggins - [email protected]
• Myles Hosforth - [email protected]