CLOUD WORKFLOWS: ACHIEVING STUDIO-GRADE SECURITY

Posted on 24-Jun-2020

Page 1

Ted Harrington

@SecurityTed

ted.harrington@securityevaluators.com

Eli Mezei

@ISESecurity

[email protected]

Page 2

About ISE slide(s)

Page 3

Agenda

1) Context

2) Security Models

3) Applying Principles

Page 4

Agenda (repeated)

Page 5

WORKFLOWS DRIVE SECURITY!

• Security must support the workflow, not the other way around

• The workflow must be understood in depth before security controls can be defined

• The simplest solution is generally the most secure

Page 6

Example Workflow: Burst Rendering

[Architecture diagram. Labels recovered from the slide: Region, Amazon VPC; Private Compute and Storage Subnet 10.0.2.0/24; VPN Subnet 10.0.1.0/24; Compute Subnet; On-premises network 192.168.0.0/16; AWS Batch, Spot Fleet, Spot Instances, instances; Amazon EFS; AWS KMS; Amazon CloudWatch; Bastion Server; router, route table, VPN gateway, VPN connection, customer gateway; Render Farm Compute; Domain Controller, Active Directory, AD Connect Sync; flows labelled Content Ingress/Egress and Access Control.]

Page 7

Agenda (repeated)

Page 8

TRUST MODEL VS. THREAT MODEL

Page 9

KNOW YOUR ADVERSARY

Page 10

SECURE DESIGN PRINCIPLES

Page 11

Secure Design Principles

Principle: a universally accepted truth

Secure Design Principle: one of the principles upon which systems resilient against attack are built

ISE Proprietary

Page 12

Agenda (repeated)

Page 13

PRINCIPLE(S): LEAST PRIVILEGE & PRIVILEGE SEPARATION

Page 14

Privilege

[Diagram with two parts: LEAST PRIVILEGE and PRIVILEGE SEPARATION.]

ISE Confidential - not for distribution

Page 15

Privilege Control

Governance/Control | Identity Management | Key Mgmt/Custody | Networking
AWS                | IAM                 | KMS              | VPC
Azure              | Azure AD            | Key Vault        | VPN Gateway
GCP                | IAM                 | KMS              | Organizations

Page 16

Example Implementation

Page 17

PRINCIPLE: DEFENSE IN DEPTH

Page 18

Defense in Depth

Page 19

Defense in Depth

Governance/Control | Direct Connect | Account Segregation                                    | MFA
AWS                | DirectConnect  | AWS Organizations                                      | Multi-factor Auth.
Azure              | ExpressRoute   | Azure Subscription and Service Management + Azure RBAC | Multi-factor Auth.
GCP                | DirectConnect  |                                                        | Google Authenticator

Page 20

Example Implementation

[Azure architecture diagram. Labels recovered from the slide: Azure Vnet 10.0.0.0/16; Gateway subnet 10.0.255.224/27 with User Defined Routes; Private DMZ in 10.0.0.0/27 and Private DMZ out 10.0.0.32/27 holding Network Appliances with NICs and NSGs in an Availability set; VM Based Render Farm 10.0.1.0/24 (Render Farm Compute, NSG); AD DS subnet 10.0.4.0/27 (Domain Controllers, Azure AD Connect Sync, Availability set, NSG); Azure Batch 10.0.2.0/24 (NSG); Management subnet 10.0.10.128/25 (Bastion Hosts, NSG); Gateway to the On-premises network 192.168.0.0/16. Flows labelled: Rendering Data, Active Directory Sync Data, Authentication request (AD Request).]

Page 21

PRINCIPLE: TRUST RELUCTANCE (ASSUME HOSTILITY)

Page 22

Trust Reluctance

Page 23

Logging and Monitoring Services and Intelligence

Governance/Control | Log Aggregation & Monitoring | Policy Center
AWS                | CloudTrail                   | Inspector
Azure              | Log Analytics                | Security Center
GCP                | Cloud Audit Log              | StackDriver

Page 24

Example Implementation

[AWS logging architecture diagram. Labels recovered from the slide: Virtual private cloud / Amazon VPC with flow logs to Amazon CloudWatch; AWS CloudTrail (Monitor API); VPC Logs; Asset Subnet with route table; AWS KMS (Encryption keys, Key Logging); S3 Bucket (Logging data); instance with CloudWatch (Logging data); Amazon Elasticsearch Service (Event-driven analytics); Amazon Redshift (Data warehouse queries); AWS Lambda (Centralized Logging Proxy); Proxy Server; Administrator (Log Management, API Calls).]

Page 25

Secure Design Principles

• Defense in Depth

• Least Privilege

• Privilege Separation

• Trust Reluctance

• Open Design

• Economy of Mechanism

• Complete Mediation

• Least Common Mechanism

• Psychological Acceptability

• Fail Secure

Page 26

Takeaways

• Security must support the workflow

• Build security in

• Think like an attacker!

Page 27

[email protected] @ISESecurity

[email protected] @SecurityTed