AWS Security Best Practices, SaaS and Compliance


Tuesday, 9th Feb 2016

AWS Security Best Practices, Real-world examples and Common Mistakes

GP, CEO and Founder

www.stackArmor.com  @cloudpalgp

https://www.linkedin.com/in/gppal  gpal@stackarmor.com

SaaS, Security and AWS

PROPRIETARY AND CONFIDENTIAL INFORMATION OF STACKARMOR 2

Cloud Solutions Architect and Technology Strategist
• Focused on full-stack security and operations management
• Cloud automation and business process acceleration
• Cybersecurity Policies, Procedures and Tactics

Supported the first AWS cloud migration in 2009 for Recovery.gov and have successfully led multiple large enterprise cloud modernization programs in regulated industries, Financial Services and Healthcare.


What we do


Business Landscape

• Data breaches are “daily” news
• Regulators are starting to take notice
  ◦ FTC versus Henry Schein Practice Solutions, Inc. - Jan 5th, 2016
  ◦ SEC versus R.T. Jones Capital Equities Management - Sep 22nd, 2015
• NIST Cybersecurity Framework is “standard of care”
  ◦ http://www.nist.gov/cyberframework/
  ◦ HIPAA, FISMA, FedRAMP, PCI-DSS, ISO 27001
• Cybersecurity is a Board level issue


Technology Landscape

• AWS/Cloud “takes care of everything”!!
  ◦ Shared Responsibility Model
• Managed Services and Processes required
  ◦ Patching and Vulnerability Management
  ◦ Boundary protection and monitoring
  ◦ Logging and Centralized log analysis
  ◦ Backups/Restore
• SaaS shops tend to be strong on the Dev but weak on Ops
• Network Engineering, Security Zoning, Boundary Protection and Enclave Hardening are not well understood


What??


“…while doing cloud hosting cost analysis for a venture funded start-up, we noticed heavy data egress charges. A simple analysis revealed that a hacker had penetrated the platform and downloaded the firm’s database and IP. The vulnerability was traced to an un-patched server.”

“The Technology team of a SaaS startup with Fortune 500 customers is operating their environment in a cloud environment without any intrusion detection and prevention systems such as web application firewalls, thereby creating third-party risk.”

“…a SaaS startup exposed their access secret key in their web application in plain view for anyone to access. This could have caused someone to wipe out the firm’s entire production and operational platform…”

Hmm…


Top Security “Booboos”: common poor security mistakes, with comments

1. Creating unnecessary access and secret keys for IAM Users
   Comment: Console users don’t need keys.

2. Using developer keys instead of instance roles for accessing instances
   Comment: Use instance roles, which provide temporary credentials, for accessing AWS resources.

3. Wide open inbound rules in security groups
   Comment: Restrict entry to specific ports and IP addresses as required.

4. Lack of restrictions on production instances
   Comment: Any user can perform actions on production instances. Provision IAM roles that allow for separation of duties.

5. Poor segmentation and zoning of application and data components through the use of public and private sub-nets
   Comment: Proper zoning through sub-nets allows for segregating netflow and blackholing requests in the event of an attack.

6. Lack of boundary protection (IDS, IPS, VPN)
   Comment: Consider using WAF, IPS/IDS and VPN solutions.

7. Inconsistent patch management and vulnerability scanning
   Comment: Create an information security policy with a patching schedule, roles, responsibilities and reporting.
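An added example, not from the deck, of checking for mistakes 1 and 3 offline. It assumes data in the shape returned by boto3's ec2.describe_security_groups() and in the column layout of the IAM credential report (iam.get_credential_report()), both constructed here, and treats 80 and 443 as the only ports acceptable to expose to the internet (an assumption).

```python
import csv
import io

# Constructed sample in the shape of boto3 ec2.describe_security_groups()
# output (subset of fields); the group ids and CIDRs are made up.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # all traffic, from anywhere
    {"GroupId": "sg-0ccc", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]

# Constructed sample using the column names of the IAM credential report
# (iam.get_credential_report()), trimmed to the columns this check needs.
CREDENTIAL_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_2_active
alice,true,true,true,false
bob,true,true,false,false
deploy-bot,false,false,true,false
"""

PUBLIC = "0.0.0.0/0"
OK_PUBLIC_PORTS = {80, 443}  # assumption: the only ports we accept open to the internet

def open_inbound_rules(groups):
    """Mistake 3: inbound rules admitting 0.0.0.0/0 on anything other than web ports."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            if not any(r["CidrIp"] == PUBLIC for r in perm.get("IpRanges", [])):
                continue
            if perm["IpProtocol"] == "-1":  # -1 means all protocols and all ports
                findings.append((sg["GroupId"], "all traffic"))
            elif not (perm["FromPort"] == perm["ToPort"] and perm["FromPort"] in OK_PUBLIC_PORTS):
                findings.append((sg["GroupId"], f"{perm['IpProtocol']}/{perm['FromPort']}-{perm['ToPort']}"))
    return findings

def console_users_with_keys(report_csv):
    """Mistake 1: console (password) users who also hold an active access key."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows if r["password_enabled"] == "true"
            and "true" in (r["access_key_1_active"], r["access_key_2_active"])]
```

On the sample data the bastion group passes (SSH restricted to one CIDR), the web group is flagged for SSH from anywhere, the db group for all traffic, and alice is the only console user who also carries an access key.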


Vulnerability Scanning


• Good operational hygiene keeps the hacker away!?!

Logging and Monitoring…

• AWS VPC Flow Logs
  ◦ Most Talkers
  ◦ Rejected Traffic
• AWS CloudTrail
  ◦ Who deleted my instances?
  ◦ Who is asking for old or deleted keys?
• AWS Config
  ◦ Configuration Management
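As an added example that is not part of the deck, the three questions above (most talkers, rejected traffic, who deleted my instances) answered from constructed sample data: VPC Flow Log records in the default field order and CloudTrail records in the shape of a delivered log file. The account id, addresses, interface id and instance id are made up.

```python
import json
from collections import Counter
# Constructed sample records in the default VPC Flow Log field order (see FIELDS below).
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b 10.0.1.10 10.0.2.20 49152 3306 6 100 840000 1454975000 1454975060 ACCEPT OK
2 123456789012 eni-0a1b 198.51.100.7 10.0.1.10 52000 22 6 6 360 1454975000 1454975060 REJECT OK
2 123456789012 eni-0a1b 198.51.100.7 10.0.1.10 52001 23 6 6 360 1454975001 1454975061 REJECT OK
2 123456789012 eni-0a1b 10.0.1.10 203.0.113.5 40000 443 6 9000 70000000 1454975000 1454975060 ACCEPT OK
2 123456789012 eni-0a1b - - - - - 0 0 1454975000 1454975060 - NODATA
"""
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_logs(text):
    """One dict per record; NODATA/SKIPDATA records carry no flow and are dropped."""
    recs = (dict(zip(FIELDS, line.split())) for line in text.splitlines())
    return [r for r in recs if r.get("log_status") == "OK"]

def top_talkers(text, n=3):
    """'Most talkers': sources ranked by bytes sent. An egress spike shows up here."""
    by_src = Counter()
    for r in parse_flow_logs(text):
        by_src[r["srcaddr"]] += int(r["bytes"])
    return by_src.most_common(n)

def rejected_by_source(text):
    """'Rejected traffic': the destination ports each source was refused on."""
    probes = {}
    for r in parse_flow_logs(text):
        if r["action"] == "REJECT":
            probes.setdefault(r["srcaddr"], set()).add(int(r["dstport"]))
    return probes
# Constructed CloudTrail events in the shape of a delivered log file's 'Records' array.
CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0deadbeef"}]}}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

def who_deleted_my_instances(cloudtrail_json):
    """'Who deleted my instances?': (principal, source IP, instance ids) per TerminateInstances."""
    hits = []
    for ev in json.loads(cloudtrail_json)["Records"]:
        if ev["eventName"] == "TerminateInstances":
            ids = [i["instanceId"] for i in ev["requestParameters"]["instancesSet"]["items"]]
            hits.append((ev["userIdentity"].get("userName", ev["userIdentity"]["type"]), ev["sourceIPAddress"], ids))
    return hits
```

The same source that was refused on ports 22 and 23 in the flow logs is the one that later terminated an instance under the deploy-bot user, which is the kind of correlation the two log sources give you together.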


Tools of our Trade

1. Web Application Firewalls: Fortiweb, Sophos, AWS WAF
2. IDS: Snort
3. Monitoring: Splunk, Elasticsearch, Sensu, Pallera, Sumo Logic
4. Vulnerability Scanning: Nessus, Retina, OpenVAS
5. Web Application Scanning: Acunetix, Nessus
6. Compliance: OpenSCAP
7. QA/Code Quality: SonarQube
8. Static Code Scanning: Checkmarx
9. Security Operations Center: OpenSOC


Compliance


Document / Description

Basic Security Policy
This document provides a basic set of high-level security policies that allow the client to state that they have a security policy in place, which can serve as an initial baseline.

Assessment Plan
This is a checklist security assessment, basically a self-assessment with questions asked by an experienced Information Assurance Analyst to demonstrate understanding and maturity of the cybersecurity posture.

High Level Security Assessment Report
Security Assessment Report (SAR) that summarizes the scope, approach, and high-level findings.

Vulnerability and Penetration Testing
Automated scans with basic parameters, with the auto-generated reports provided. This includes working with the technology team to perform a re-test to ensure that any technical remediations that have been applied adequately address the vulnerabilities found.

Attestation Letter
Generally speaking, an external third party should be engaged to execute the assessment and be asked to provide an attestation letter that describes the nature of the assessment, the findings and the remediation conducted.

A questionnaire coming soon…


Reference Links

- SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior To Breach
  https://www.sec.gov/news/pressrelease/2015-202.html

- Dental Practice Software Provider Settles FTC Charges It Misled Customers About Encryption of Patient Data
  https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled

- FTC has power to police cyber security: appeals court
  http://www.reuters.com/article/us-wyndham-ftc-cybersecurity-idUSKCN0QT1UP20150824

- Contractor breach gave hackers keys to OPM data
  http://www.federaltimes.com/story/government/omr/opm-cyber-report/2015/06/23/keypoint-usis-opm-breach/28977277/

- Great security blog
  http://krebsonsecurity.com/


Questions?

Gaurav “GP” Pal

Founder

www.stackArmor.com

Email: gpal@stackarmor.com
