Application Security Best Practices. Matt Tavis Principal Solutions Architect



Transcription:


Application Security Best Practices is a Complex topic!
- Design scalable and fault tolerant applications (see "Architecting for the Cloud")
- Most traditional best practices still apply
- There are ways AWS can help

Built Around the Shared Responsibility Model
AWS:
- Facilities
- Physical Security
- Physical Infrastructure
- Network Infrastructure
- Virtualization Infrastructure
Customer:
- Operating System
- Application
- Security Groups
- OS Firewalls
- Network Configuration
- Account Management

AWS Certifications
AWS Environment:
- SAS70 Type II Audit
- ISO 27001 Certification
- Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
- FedRAMP (FISMA)
Customers have deployed various compliant applications:
- Sarbanes-Oxley (SOX)
- HIPAA (healthcare)
- FISMA (US Federal Government)
- DIACAP MAC III Sensitive IATO

Resources and data are in your control
- Specify what Region and AZ to launch in
- Customize your AMIs
- Create distinct Security Groups
  - groups of EC2 Instances
  - use rules for controlling access between layers
  - restrict external access to specific IP ranges
- Use AWS Identity & Access Management (IAM)
  - upload your own keys
  - use Multi-Factor Authentication (MFA)
- AWS personnel can't log in to your Instances

Protect your data with encryption
- Encrypt data in transit (SSL/TLS)
- Encrypt data at rest
  - Encrypt records before writing them to the database
  - Encrypt objects before storing them
- Consider encrypted file systems for sensitive data
  - Windows BitLocker, TrueCrypt, dm-crypt, SafeNet

Traditional Network Topologies in VPC
- Create multiple Subnets; specify IP Ranges
- Specify Instance private IP Address
- Manage Routing
- Inbound & Outbound filters
  - Security Groups: stateful
  - Network Access Control Lists (ACLs): stateless
- Use NAT Instances
- Enhance NAT Instances with software VPNs, IDS, logging, etc.
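The stateful/stateless distinction above is where VPC filtering is most often misconfigured: a Network ACL must explicitly permit the reply packets (ephemeral destination ports) that a Security Group allows automatically. The model below is an added illustration, not code from the slides or from AWS; it simplifies both filters to TCP destination-port matching and ignores the Security Group's own egress rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" (toward the instance) or "out" (leaving it)

def port_in(rule, port):
    lo, hi = rule
    return lo <= port <= hi

class SecurityGroup:
    """Stateful: an inbound match records the flow, and the reply to that flow
    is allowed without any outbound rule (connection tracking)."""
    def __init__(self, inbound_ports):
        self.inbound = inbound_ports  # list of (low, high) destination port ranges
        self.flows = set()
    def allow(self, p):
        if p.direction == "in":
            ok = any(port_in(r, p.dst_port) for r in self.inbound)
            if ok:
                self.flows.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return ok
        # Outbound: only reply traffic to a tracked flow is modelled here.
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows

class NetworkAcl:
    """Stateless: every packet, replies included, must match a rule in its
    own direction; nothing is remembered between packets."""
    def __init__(self, inbound_ports, outbound_ports):
        self.rules = {"in": inbound_ports, "out": outbound_ports}
    def allow(self, p):
        return any(port_in(r, p.dst_port) for r in self.rules[p.direction])

def https_round_trip(filt):
    """Constructed exchange: a client hits a web instance on 443 and the
    instance answers back to the client's ephemeral port 51000."""
    request = Packet("203.0.113.5", 51000, "10.0.1.10", 443, "in")
    reply = Packet("10.0.1.10", 443, "203.0.113.5", 51000, "out")
    return filt.allow(request), filt.allow(reply)

if __name__ == "__main__":
    print("SG  443 only        :", https_round_trip(SecurityGroup([(443, 443)])))
    print("ACL 443 in, no out  :", https_round_trip(NetworkAcl([(443, 443)], [])))
    print("ACL 443 in, 1024+ out:", https_round_trip(NetworkAcl([(443, 443)], [(1024, 65535)])))
```

The second case is the classic failure: the request is admitted but the reply is silently dropped until an outbound ephemeral-port rule (1024-65535) is added to the ACL.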

Security best practices still apply
- Secure coding standards
- Perform penetration testing: http://aws.amazon.com/security/penetration-testing/
- Antivirus where appropriate
- Intrusion Detection
  - Host-based Intrusion Detection (e.g., OSSEC)
- Log events
- Role-based access control
  - AWS Identity & Access Management
  - LDAP and/or Active Directory for Operating Systems & Applications

AWS Credential and Key Management Tips
- Create limited IAM Users for application needs
- Don't package a privileged key in the Instance
- Periodic key rotation
One way to pass the application key to an Instance:
- On the Instance:
  - Decryption key
  - IAM User with read-only access to a private S3 Bucket that contains the encrypted key
- Retrieve the full key and then decrypt it
- Use Bucket Logging to monitor attempts to access the key
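The last step, monitoring the bucket log for access to the encrypted key, can be automated. The script below is an added example (not from the slides or from AWS): it parses S3 server access log lines in the standard space-delimited format and flags any request for the key object that comes from an unexpected IAM principal, is not a plain read, or was denied. The log lines, bucket name, object name and IAM user ARN are constructed for the example.

```python
import re

# Leading fields of an S3 server access log record: owner, bucket, [time],
# remote IP, requester, request id, operation, key, "request URI", status, error.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+)'
)

# Constructed sample log: one legitimate read, one denied read by a different
# user, one overwrite by the application user, one unrelated object read.
LOGS = """\
79a59df9 my-key-bucket [06/Feb/2012:00:00:38 +0000] 10.0.1.20 arn:aws:iam::123456789012:user/app-reader 3E57427F3EXAMPLE REST.GET.OBJECT app-key.enc "GET /app-key.enc HTTP/1.1" 200 - 512 512 10 9 "-" "aws-sdk-python/1.0" -
79a59df9 my-key-bucket [06/Feb/2012:00:01:02 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/contractor 891CE47D2EXAMPLE REST.GET.OBJECT app-key.enc "GET /app-key.enc HTTP/1.1" 403 AccessDenied - 512 4 - "-" "curl/7.19" -
79a59df9 my-key-bucket [06/Feb/2012:00:02:11 +0000] 10.0.1.20 arn:aws:iam::123456789012:user/app-reader A1206F460EXAMPLE REST.PUT.OBJECT app-key.enc "PUT /app-key.enc HTTP/1.1" 200 - - 512 20 18 "-" "aws-cli/1.0" -
79a59df9 my-key-bucket [06/Feb/2012:00:03:45 +0000] 10.0.1.21 arn:aws:iam::123456789012:user/app-reader 7B4A0FABBEXAMPLE REST.GET.OBJECT other.txt "GET /other.txt HTTP/1.1" 200 - 40 40 5 4 "-" "aws-sdk-python/1.0" -
"""

def audit_key_access(log_text, key_name, allowed_requesters):
    """Return (requester, operation, reasons) for every suspicious touch of key_name."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            alerts.append(("?", "?", "unparsed record: " + line[:60]))
            continue
        if m["key"] != key_name:
            continue
        reasons = []
        if m["requester"] not in allowed_requesters:
            reasons.append("unexpected requester")
        if m["operation"] != "REST.GET.OBJECT":
            reasons.append("non-read operation")  # the reader should never write the key
        if m["status"] != "200":
            reasons.append(f"status {m['status']} {m['error']}")
        if reasons:
            alerts.append((m["requester"], m["operation"], "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in audit_key_access(LOGS, "app-key.enc", {"arn:aws:iam::123456789012:user/app-reader"}):
        print(alert)
```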

Extend Your Credentials into AWS
- Often done in VPC
  - easier with static IP for DCs
  - use egress control
- Use Read-only Domain Controllers to scale better
- Whitepaper: Using Windows ADFS for Single Sign-On to EC2: http://media.amazonwebservices.com/EC2_ADFS_howto_2.0.pdf

New Security Opportunities Arise on AWS
Issue -> Opportunity
- Spending too much time troubleshooting issues? -> Throw it away and just replace it.
- Found questionable log entries? -> Launch an EMR job and find correlating events.
- Tired of patching? -> Use a minimal OS and introduce puppet/chef/etc.; create new AMIs and launch replacements.
- High risk site in your datacenter? -> Move it to AWS and reduce threat vectors to other applications.

Security Belongs In Every Layer

Using AWS Account Isolation to Protect Resources
Ways to split accounts:
- Environment: development, test, integration, performance, production
- Major system
- Line of business / function
- Customer
- Risk level
Consolidated Billing lets you bring it all together under one bill!

Leverage Multiple Layers of Defense

Feature                    | Standard EC2                 | Virtual Private Cloud
---------------------------|------------------------------|------------------------------------------------
Security Groups            | Inbound                      | Inbound and Outbound
Network ACLs               | n/a                          | Inbound and Outbound
Operating System firewalls | Use as-is                    | Use as-is
Border firewall            | Manual configuration*        | NAT Instance
VPN                        | Manual configuration*        | VPN Gateway
Bastion Host               | Enforce via Security Groups  | Enforce via Security Groups or Network ACLs
IDS                        | HIDS*                        | HIDS* & NAT Instance

* Third-party tools / solutions

Public EC2 Multi-tier Security Group Approach (Amazon EC2 Security Group Firewall)
- Web Tier: ports 80 and 443 only open to the Internet; all other Internet ports blocked by default
- Application & Bastion Tier: engineering staff have ssh; ssh from this tier to the Web and Database Tiers
- Database Tier: sync with on-premises database
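Security group rules drift as people add "temporary" exceptions, so the tier approach above is worth checking mechanically. The script below is an added example (not from the slides or from AWS): it encodes the intended per-tier sources, then reports every rule that opens a port the tier should not expose or accepts a source the tier should not trust. The security group names, the app port 8080, and the corporate and on-premises CIDRs are assumptions for the example.

```python
from ipaddress import ip_network, IPv4Network

INTERNET = ip_network("0.0.0.0/0")
ON_PREM = ip_network("203.0.113.0/24")      # assumed on-premises database range
CORP_ADMIN = ip_network("198.51.100.0/24")  # assumed engineering office range

# Intended policy per tier: port -> set of allowed sources (a security group
# name or a network). Only the web tier faces the Internet, only on 80/443;
# ssh reaches every tier solely via the bastion group.
POLICY = {
    "web":     {80: {INTERNET}, 443: {INTERNET}, 22: {"sg-bastion"}},
    "app":     {8080: {"sg-web"}, 22: {"sg-bastion"}},
    "bastion": {22: {CORP_ADMIN}},
    "db":      {3306: {"sg-app", ON_PREM}, 22: {"sg-bastion"}},
}

def parse_source(src):
    return src if src.startswith("sg-") else ip_network(src)

def source_allowed(source, allowed):
    if isinstance(source, str):  # security-group reference
        return source in allowed
    # A CIDR source is fine if it lies inside an allowed network.
    return any(isinstance(a, IPv4Network) and source.subnet_of(a) for a in allowed)

def check_rules(rules):
    """rules: (group name, TCP port, source) inbound rules. Returns violations."""
    violations = []
    for sg, port, src in rules:
        tier_policy = POLICY.get(sg[len("sg-"):], {})
        if port not in tier_policy:
            violations.append(f"{sg}: port {port} is not part of the tier policy")
        elif not source_allowed(parse_source(src), tier_policy[port]):
            violations.append(f"{sg}: port {port} must not be open to {src}")
    return violations

# Constructed rule set: the intended layout plus two drift rules at the end.
RULES = [
    ("sg-web", 80, "0.0.0.0/0"), ("sg-web", 443, "0.0.0.0/0"), ("sg-web", 22, "sg-bastion"),
    ("sg-app", 8080, "sg-web"), ("sg-app", 22, "sg-bastion"),
    ("sg-bastion", 22, "198.51.100.0/24"),
    ("sg-db", 3306, "sg-app"), ("sg-db", 3306, "203.0.113.0/24"), ("sg-db", 22, "sg-bastion"),
    ("sg-web", 22, "0.0.0.0/0"),   # drift: ssh exposed to the Internet
    ("sg-db", 3306, "10.0.0.0/8"), # drift: whole private range can reach the database
]

if __name__ == "__main__":
    for v in check_rules(RULES):
        print("VIOLATION:", v)
```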

You may still need to patch!
- Most traditional tools will work
- Emerging options:
  - puppet (www.puppetlabs.com)
  - chef (www.opscode.com/chef/)
  - fabric/cuisine (www.fabfile.org)
  - capistrano (https://github.com/capistrano/capistrano/wiki)

Monitoring Tools
- CloudWatch (now with console!)
- Application Monitoring: Cacti, CloudWatch User Metrics
- Instance Monitoring: CloudWatch, Nagios
- Nagios CloudWatch plugin: https://github.com/j3tm0t0/check_cloudwatch

Approaches to Log Management
- Distributed Approach: highly scalable, but not always real-time
  - Instance-based (push to S3)
  - Facebook's Scribe
- Centralized Approach: real-time, but not highly scalable
  - syslog
  - Windows Event Logging Service
- Analytics
  - Custom EMR jobs
  - Splunk (www.splunk.com)

Example Application (architecture diagram): www.example.com -> DNS (Route 53) -> ELB -> Auto-scaling group: Web Tier (Web Servers) -> SLB -> Auto-scaling group: App Tier (App Servers running Tomcat) -> RDS Master in Availability Zone #1 with RDS Slave in Availability Zone #2; CloudFront and S3 (Availability Zone #n) serve static content. The Web and App Tier auto-scaling groups are duplicated across both Availability Zones.

Example: Build Security into Every Layer (same architecture as the Example Application diagram)
HA Architecture Security Characteristics:
- Route 53 (highly scalable DNS)
- Autoscaling Groups
- Security Groups
- ELB Security Group
- OS Firewalls (on Instances)
- RDS
  - DB Security Groups
  - backup window
  - snapshots
  - multi-AZ
- CloudFront
  - Private Distribution
  - pre-signed URLs
- S3 Bucket Policies
  - private bucket

Thank You!
More reading: Security Center: http://aws.amazon.com/security