Building a Scalable Security Blueprint for the AWS Cloud
Created by: Nick Holmes
6th September 2016
Just this week….
• Password harvesting (Dropbox)
• State-sponsored attacks
• $44 million lost (Leoni AG)
• OS X malware (BitTorrent client)
Nick Holmes – brief synopsis
Internet native “[email protected]” – 25 years ago
20 years in Systems, Software Development, largely from the Web side
AWS Architect in the KCOM Cloud Practice
Certified AWS Architect Professional
Working with a number of clients to deliver AWS environments &
solutions, several including Trend deployments
Structure
• The Threat
• Security in AWS
• KCOM, Trend and AWS
• Customer Challenges
• Security as a Service
• Autoscaling
• In Action
• KCOM
The Threat
There are numerous actors we need to consider
• Organised Crime
• Competitors
• State players
• ‘Script kiddies’
• Employees
• Developers not thinking “Security, Security, Security”
It’s hard to deal with a threat that remains intangible until you have been attacked.
The Criminal’s Opportunity
Our clients have several concerns
• Access into the business
• Jump-off points to other businesses
• Access to customer data – relationships with financial companies
• Competitor access to data or code
• Disruption of line of business activities – immediate effects
“Can *I* do that?”
Cloud Security at AWS
AWS provides several security components you can build on, and commits to its side of the shared
responsibility model, taking the layers it owns seriously. Everything above that line (OS, applications,
data, IAM) is still yours to secure.
• AWS WAF – filters malicious HTTP(S) requests (e.g. SQL injection and XSS patterns) before they reach your application
• CloudFront – absorbs and mitigates DDoS traffic at the edge
• Route 53 – resilient, globally distributed DNS that withstands attacks on name resolution
• Scalability – absorbs attack-driven load as well as legitimate load
• Security Groups – stateful, instance-level firewalling
• Network ACLs – stateless, subnet-level filtering
Defence in Depth
Defence in depth is necessary to ensure that a breach does not make your networks the
intruder’s playground
• AWS provides many components at the perimeter
• Breaches _will_ happen
• In AWS:
• The physical and virtual network sits in the AWS-managed layer and is not exposed for customer management
• A network-tap IDS (span port or passive tap) is therefore not possible
• Hypervisor-level (agentless) security is not available: protection has to run inside each instance
Trend Micro Deep Security brings the facets of
endpoint security to every instance & provides a set of
technologies that can be deployed to defeat and detect
attacks
KCOM in Context
• AWS Premier Partner for five years
• In the top 5% of AWS partners worldwide
• Trend DS users for the past three years
• Formal Trend Micro partners & resellers for the past two years
• Work very closely with Trend Micro UK
• KCOM is a “Key Integrator” & partner of choice for Trend Micro & AWS
• Business established in 1989
• Formerly Smart421 - part of the KCOM Group since 2006
• KCOM - 1500 people, 340 Million turnover
The Partnership
I have used the quote “You only know that your security controls are insufficient when
they fail” to describe the somewhat unusual sell we make to our customers when selling
security solutions and technical controls into their projects.
With Trend DS embedded in all our infrastructure projects, I can now say “You only know
that your traditional security controls are insufficient when Trend DS steps in and tells you
in real-time how it is managing an intrusion event.”
- Jonathan Jenkyn (Security Practice Lead, KCOM)
Customer Challenges
• Large numbers of servers
• Transient fleets
• High value resources
• Decentralised ownership of and responsibility for server fleets
• Happening more often with the introduction of Agile, DevOps & on-demand provisioning
• Security isn’t front and centre for application teams
• Updates & refreshes still need to be applied
KCOM – Security as a Service
• Bronze / Silver / Gold
• Bronze – reactive, Trend AV provision
• Silver - reactive, Trend full provision
• Gold – proactive, Trend full provision
Deployment
Marketplace instance
• Turnkey installation and instant licensing
• Great for getting up and running
• Limited licensing options
EC2 deployment
• Automated deployment
• More flexible licensing
• KCOM is a reseller, making this the deployment of choice for the more mature client.
Deployment Topology
Two models are used:
• A DSM installed into each environment – the separate purposes and transience of environments make this the easier approach
• A Common Environment model for a more distributed security topology – one DSM shared across application VPCs
[Diagram: per-environment model]
General VPC: Amazon RDS, Trend DSM, Application Instances, Elastic Load Balancing
[Diagram: common-environment model]
Common VPC: Amazon RDS, Trend DSM
Application VPC (one per application): Application Instances, connected to the Common VPC by VPC peering
Autoscaling in AWS
Driven by:
• Queue length
• CPU load
• Other CloudWatch metrics
Featuring:
• Lifecycle hooks
• Bootstrap from AMI, not an installed pool
• Standby state for troubleshooting
Scale Out and Scale Back
How we rise to the challenge of Autoscaling
• Agent baked into base AMIs for use within the organisation
• Applications deployed baked over the top
• Agent activated on instance build, with policy assigned from the DSM
• Frequent deactivation scans to remove records of terminated instances from the DSM
Puppet, Chef or Ansible used for DevOps deployment of agents
• Typically in master-less deployments using Masterless Puppet and Chef Zero
• Available as an installation mechanism where AMIs have not been generated
Management
• Support teams use a runbook for each service level
• Verification of agent coverage in the environment
• Proactive Support and Implementation processes using scan recommendations & experience of
the platform
• Implementation of patching recommendations, ideally through Configuration Management
• Virtual patching is being discussed more, but we don’t yet see much uptake.
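The deactivation scan for terminated instances (Scale Out and Scale Back) and the verification of agent coverage (Management) are one reconciliation seen from two sides: compare what EC2 says is running with what the DSM thinks it is managing. The following is an added example, not KCOM’s or Trend Micro’s code. It assumes DSM computer records can be keyed by EC2 instance id and carry an agent status (the record and field names here are assumptions, not the DSM API); the two listings would normally come from `describe_instances` and the DSM, but are constructed inline so it runs offline.

```python
"""Reconcile Deep Security Manager (DSM) computer records against EC2.

Added example. Assumptions: DSM records can be keyed by EC2 instance id and
carry an agent status; the field names below are not the DSM API. The two
listings are constructed here instead of fetched.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Ec2Instance:
    instance_id: str
    state: str            # "pending", "running", "terminated", ...
    launch_time: datetime


@dataclass(frozen=True)
class DsmComputer:
    instance_id: str      # assumption: DSM record keyed by EC2 instance id
    agent_status: str     # assumption: "managed", "offline", "unmanaged"
    last_heartbeat: datetime


def reconcile(instances, computers, now, grace=timedelta(minutes=10)):
    """Return (unprotected, stale) as sorted lists of instance ids.

    unprotected: running instances older than `grace` with no DSM record in
                 the "managed" state. Fresh instances are skipped because the
                 baked-in agent may still be activating; flagging them is noise.
    stale:       DSM records whose instance EC2 reports as terminated, or does
                 not report at all. These are the deactivation candidates, so
                 licence counts and the console reflect the real fleet.
    """
    live = {i.instance_id: i for i in instances if i.state != "terminated"}
    by_id = {c.instance_id: c for c in computers}

    unprotected = []
    for iid, inst in live.items():
        if inst.state != "running" or now - inst.launch_time <= grace:
            continue
        rec = by_id.get(iid)
        if rec is None or rec.agent_status != "managed":
            unprotected.append(iid)

    stale = [iid for iid in by_id if iid not in live]
    return sorted(unprotected), sorted(stale)


def sample_run():
    """Constructed fleet snapshot; returns reconcile() output for it."""
    now = datetime(2016, 9, 6, 12, 0, tzinfo=timezone.utc)
    h = timedelta(hours=1)
    m = timedelta(minutes=1)
    instances = [
        Ec2Instance("i-0000a", "running", now - 2 * h),    # managed: fine
        Ec2Instance("i-0000b", "running", now - 1 * h),    # no agent record
        Ec2Instance("i-0000c", "running", now - 2 * m),    # just launched, in grace
        Ec2Instance("i-0000d", "terminated", now - 3 * h), # scaled in by the ASG
        Ec2Instance("i-0000e", "running", now - 4 * h),    # agent stopped reporting
    ]
    computers = [
        DsmComputer("i-0000a", "managed", now - 1 * m),
        DsmComputer("i-0000d", "offline", now - 40 * m),
        DsmComputer("i-0000e", "offline", now - 3 * h),
        DsmComputer("i-0000f", "managed", now - 5 * h),    # instance gone from EC2
    ]
    return reconcile(instances, computers, now)


if __name__ == "__main__":
    unprotected, stale = sample_run()
    print("needs agent / not reporting:", unprotected)
    print("deactivate in DSM:", stale)
```

In a runbook this runs on a schedule against the live listings; the `grace` window should be a little longer than the slowest observed activation, otherwise every scale-out event pages the support team. An instance that is running but whose agent is offline (i-0000e above) is the case worth treating as an incident rather than a coverage gap, since a stopped agent is one of the first things an intruder with root will arrange.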
In Action
• Trend DS AV is our Baseline for security and it goes into every proposal
• Three major customers with current deployments
• Minimum of 100 instances under DS management for each of these customers
Airline industry – development environment for self service & fast to market
disruption support service
Rail Industry – Security to protect £2bn revenue in ticketing & train
information systems, further projects in the pipeline.
Insurance Industry – To protect migration into AWS Cloud from datacentre for
a broad selection of workloads, plus greenfields developments
When
What happens when Trend DS starts waving flags that an intrusion is in progress?
Using Autoscaling and a gold image (hardened base AMI with the agent baked in) we gain clean service recovery that is:
• Rapid
• Safe
• Reliable
• Tested
Using scripted deployment together with the rigours of Autoscaling we have options to
recover/manage in place, or move to a DR scenario, either partial or complete.
Take the opportunity to gather logs and other forensics from instances and AWS layers
(CloudTrail, VPC Flow Logs, EBS snapshots) before the suspect instance is replaced.
Instigate higher alert levels in other parts of the business.
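The “recover/manage in place” option and the Standby state mentioned under Autoscaling fit together as one sequence: cut the intruder off, let the group replace the box from the gold image, and preserve the evidence before anyone logs in. The following is an added example, not KCOM’s or Trend Micro’s code. It takes an EC2 client and an Auto Scaling client (real boto3 clients, or the offline stub included below) and uses only the standard boto3 calls `modify_instance_attribute`, `enter_standby`, `describe_instances`, `create_snapshot` and `create_tags`; the quarantine security group, group name and case id are assumed inputs.

```python
"""Quarantine a suspect autoscaled instance and preserve evidence.

Added example. `ec2` and `asg` are boto3 clients (or the StubAws below);
the quarantine security group, ASG name and case id are assumed inputs.
"""
QUARANTINE_TAG = {"Key": "SecurityState", "Value": "quarantined"}


def quarantine(ec2, asg, instance_id, asg_name, quarantine_sg_id, case_id):
    """Isolate `instance_id` without destroying what is on it.

    1. Replace every security group with the quarantine group (assumed to
       allow only the forensic bastion inbound and nothing outbound), which
       severs C2 and any pivot to other hosts.
    2. Standby: the group keeps its desired capacity, so a clean replacement
       is launched from the gold AMI and the suspect leaves the load balancer.
       Do NOT stop or terminate it: memory and the process list would be lost.
    3. Snapshot each attached EBS volume before anyone logs in.
    4. Tag instance and snapshots so they are not cleaned up by mistake.
    """
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    asg.enter_standby(
        InstanceIds=[instance_id],
        AutoScalingGroupName=asg_name,
        ShouldDecrementDesiredCapacity=False,
    )
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    inst = desc["Reservations"][0]["Instances"][0]
    volume_ids = [
        m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m
    ]
    snapshot_ids = []
    for vid in volume_ids:
        snap = ec2.create_snapshot(
            VolumeId=vid, Description=f"IR case {case_id}: {instance_id} {vid}"
        )
        snapshot_ids.append(snap["SnapshotId"])
    ec2.create_tags(
        Resources=[instance_id, *snapshot_ids],
        Tags=[QUARANTINE_TAG, {"Key": "IRCase", "Value": case_id}],
    )
    return {"instance_id": instance_id, "volumes": volume_ids, "snapshots": snapshot_ids}


class StubAws:
    """Offline stand-in for both clients: records calls and answers
    describe_instances with a constructed two-volume instance."""

    def __init__(self):
        self.calls = []
        self._n = 0

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        return {}

    def enter_standby(self, **kw):
        self.calls.append(("enter_standby", kw))
        return {}

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0],
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root0001"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data0002"}},
            ],
        }]}]}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        self._n += 1
        return {"SnapshotId": f"snap-{self._n:08d}"}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))
        return {}


def demo():
    """Run the sequence against the stub; returns (result, ordered call names)."""
    aws = StubAws()
    result = quarantine(aws, aws, "i-0badc0ffee", "web-asg", "sg-quarantine", "IR-2016-0906")
    return result, [name for name, _ in aws.calls]


if __name__ == "__main__":
    # Real run: ec2 = boto3.client("ec2"); asg = boto3.client("autoscaling")
    print(demo())
```

Two caveats worth keeping in the runbook. Established, tracked connections can survive a security-group change for a while, so if the box is actively exfiltrating, add a deny on the subnet’s network ACL as well. And the standby step needs headroom below the group’s maximum size for the replacement to launch; if the group is already at max, decide up front whether to decrement capacity or accept a brief dip in service.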
Summary
• Intrusion is a matter of when not if
• Defence in Depth is necessary to manage events effectively
• KCOM uses Trend Micro DS as its core Cloud Security offering
• We have several successful, large scale deployments, including production use
• Use in autoscaling environments is recommended & low overhead
• Inclusion of autoscaling & similar practices improves recovery capability