A cloud adoption framework - a security perspective. Andrew Kiggins Security Solutions Architect Amazon Web Services

Author: Damian Simon

Agenda
• Understand the security benefits of the cloud
• Strategy and approach to cloud adoption
• Implementing and delivering cloud security
• Security best practices

Perspectives
• Business
• People
• Organization
• Security
• Maturity
• Process
• Platform

Benefits of cloud security
Cloud Services can potentially offer many advantages including the following:
• economies of scale
• cost-savings
• access to quality system administration
• operations that adhere to uniform security standards and best practices
• flexible, fast and agile resource scaling for institutions as usage requirements change
• enhanced system resilience during location-specific disasters or disruptions

Benefits of cloud security
• designed for security
• leverage best practices from multiple industries
• pay for the security you need
• highly automated and flexible
• shared security

Shared responsibility model
• Of the cloud (Cloud provider)
  • Compute resources
  • Storage
  • Physical security
• In the cloud (Cloud user)
  • Encryption
  • Application security
  • Identity management

Define your strategy
• Review and assess current strategy
• Map responsibilities to your infrastructure
• Control framework
• RACI model
• Risk register
• Define principles

Key Controls
1. Encryption & Tokenisation
2. Dedicated resources/Virtual Private Cloud
3. Change Management
4. Virtualized Environment Security
5. User Access Management
6. Collaborative DR
7. SIEM
8. Penetration Testing
9. Administrative Remote Access
10. SDLC
11. Securing Logs & Backups

Delivering a program
Core components
• Identity and access management
• Logging and monitoring
• Infrastructure security
• Data protection
• Incident response

Delivering a program
Additional components
• DevSecOps
• Compliance validation
• Resilience
• Configuration and vulnerability analysis
• Security big data and analytics

Approach
• Understand Security Best Practices
• Build Strong Compliance Foundations
• Integrate Identity & Access Management
• Enable Detective Controls
• Establish Network Security
• Implement Data Protection
• Optimize Change Management
• Automate Security Functions

Best Practices
• Understand the security responsibilities
• Manage accounts, users, groups and policies
• Manage access to resources
• Secure your data
• Secure your operating systems and environment
• Secure your infrastructure
• Manage security monitoring, alerting, audit trail and incident response

Security Certifications and Assurance Programs

Integrate identity management
• Policies, users, groups, roles
• Lightweight Directory Access Protocol (LDAP)
• Security Assertion Markup Language (SAML 2.0)
• OpenID Connect (OIDC)
• Active Directory

Enable detective controls
• Vulnerability assessment
• Access control monitoring
• Network
• User
• Credentials use
• Audit logs
• Evaluation
• Data Loss Prevention

Establish network security
• Defense in depth
• Firewalls
• Intrusion Prevention/Detection System (IPS/IDS)
• Proxies
• Scalable
• Resource based
• Performance based
• Flexible
• Code based deployment

Implement data protection
• Encryption
• Access control
• Identity monitoring
• Segmentation
• Tokenization

Optimize change management
• Integrate with source control and Continuous Integration/Development (CI/CD)
• Reduce human interaction
• Smaller changes/lower security risk
• Update control framework to continuous assessment

Automate security functions
• Security as code
• CI/CD pipeline
• Scales with production deployment
• Automatic detection and response

[Diagram: CI/CD security pipeline. Labels: Dev; CloudFormation Templates for Environment; Continuous Scan Config Code Config Tests; Validate Git-Secrets; Package Builder; Checksum AMIs Audit/Validate Test Env; Version Control; Get / Pull Code; CI Server; Send Build Report to Security; Stop everything if audit/validation failed; Promote Process; Staging Env; Prod Env; Log for audit]
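
An added example, not part of the original slides: a minimal Python sketch of the fail-closed gate that the pipeline labels describe (Git-Secrets validation, checksum, "Stop everything if audit/validation failed", "Send Build Report to Security"). The key pattern, function names, sample files and artifact are constructed assumptions; a real pipeline would run git-secrets itself and checksum AMIs rather than a byte string.

```python
import hashlib
import re

# Assumption: a simplified AWS access key ID pattern, in the spirit of git-secrets.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

def scan_secrets(files):
    """Return (path, line_number) for each line that looks like it holds a key ID."""
    return [(path, n)
            for path, text in files.items()
            for n, line in enumerate(text.splitlines(), 1)
            if AWS_KEY_ID.search(line)]

def verify_checksum(artifact, expected_sha256):
    """Compare the built artifact against the digest recorded at package time."""
    return hashlib.sha256(artifact).hexdigest() == expected_sha256

def run_gate(files, artifact, expected_sha256):
    """Run the audit stages in order and fail closed on the first failure."""
    stages = [
        ("secret-scan", lambda: not scan_secrets(files)),
        ("artifact-checksum", lambda: verify_checksum(artifact, expected_sha256)),
    ]
    report = {"stages": [], "promote": False}  # the build report sent to security
    for name, check in stages:
        try:
            passed = bool(check())
        except Exception:
            passed = False  # a check that crashes is treated as a failed check
        report["stages"].append({"stage": name, "passed": passed})
        if not passed:
            return report  # stop everything: later stages and promotion never run
    report["promote"] = True
    return report

# Constructed sample inputs (not real credentials or artifacts).
FAKE_KEY = "AKIA" + "ABCDEFGHIJKLMNOP"
CLEAN_FILES = {"deploy/config.py": "region = 'eu-west-1'\nkey_id = None\n"}
LEAKY_FILES = {"deploy/config.py": "region = 'eu-west-1'\nkey_id = '%s'\n" % FAKE_KEY}
ARTIFACT = b"constructed package bytes"
GOOD_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

if __name__ == "__main__":
    for files in (CLEAN_FILES, LEAKY_FILES):
        print(run_gate(files, ARTIFACT, GOOD_SHA256))
```

The returned report doubles as the audit log entry: it records every stage that ran and whether promotion to staging or production was allowed.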

Security operations - tenets
• Use the cloud to protect the cloud
• Ensure cloud awareness
• Use APIs
• Automate

Security is job number 1
• It’s everyone’s job
• It’s cultural
• It’s implicit
• It’s encouraged
• It’s cooperative

Thank you!
Contributors: Andrew Kiggins, Myles Hosforth
