How leading financial firms use AWS security...
TRANSCRIPT
![Page 1: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/1.jpg)
Re:Inventing Security Landscape
Eugene Yu, Global Security, Risk and Compliance, AWS Professional Services
Time: 02:20 – 03:00
![Page 2: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/2.jpg)
Cloud focuses on differentiation
![Page 3: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/3.jpg)
Reasons Cloud Computing is Gaining Traction in FinServ
• Lower the time spent on infrastructure
• Dedicate more resources to innovation
• Concentrate on new business initiatives
![Page 4: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/4.jpg)
Cloud Security: What's different & what's the same?
![Page 5: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/5.jpg)
Security is a shared responsibility
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
![Page 6: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/6.jpg)
Accreditation & Compliance, Old and New
Old world
• Functionally optional (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Must maintain talent and keep pace
• Check typically once a year
• Workload-specific compliance checks
New world
• Functionally necessary – high watermark of requirements
• Audits done by third-party experts
• Accountable to everyone
• Superior security drives broad compliance
• Continuous monitoring
• Compliance approach based on all workload scenarios
![Page 7: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/7.jpg)
Move Fast OR Stay Secure & Compliant
![Page 8: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/8.jpg)
Move Fast AND Stay Secure & Compliant
![Page 9: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/9.jpg)
Making life easier
Choosing security does not mean giving up convenience or introducing complexity
![Page 10: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/10.jpg)
Strengthen your security posture
• Get native functionality and tools at no additional charge
• Over 30 global compliance certifications and accreditations
• Leverage security enhancements gleaned from 1M+ customer experiences
• Benefit from AWS industry-leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
![Page 11: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/11.jpg)
Access a deep set of cloud security tools
• Encryption: Key Management Service, CloudHSM, Server-side Encryption
• Networking: Virtual Private Cloud, Web Application Firewall
• Compliance: Config, CloudTrail, Service Catalog
• Identity: IAM, Active Directory Integration, SAML Federation
![Page 12: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/12.jpg)
Evolving the Practice of Security Architecture
Current Security Architecture Practice
• Security architecture as a separate function can no longer exist
• Static position papers, architecture diagrams & documents
• UI-dependent consoles and "pane of glass" technologies
• Auditing, assurance, and compliance are decoupled, separate processes
![Page 13: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/13.jpg)
Evolving the Practice of Security Architecture
Evolved Security Architecture Practice
• Security architecture can now be part of the 'maker' team
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop
![Page 14: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/14.jpg)
Leveraged by FSI & Enterprises Worldwide
![Page 15: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/15.jpg)
Cloud Security Design Patterns
![Page 16: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/16.jpg)
Access rights just-in-time
Security Token Service + Identity and Access Management
![Page 17: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/17.jpg)
AWS IAM enables you to securely control access to AWS services and resources
• Control who can do what, when, and from where
• Fine-grained control of user permissions, resources and actions
• Add multi-factor authentication: hardware token or smartphone apps
• Test out new policies using the IAM policy simulator before attaching them
Fine-grained control of your AWS environment
![Page 18: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/18.jpg)
Segregate duties between roles with IAM
Choose who can do what in your AWS environment and from where
[Diagram: VPC A (10.0.0.0/16) in one Region, with subnets 10.0.1.0/24 and 10.0.2.0/24 in two Availability Zones, a Router, an Internet Gateway to the Internet, and a Customer Gateway]
Separate IAM roles manage and operate the environment:
• AWS account owner (master)
• Network management
• Security management
• Server management
• Storage management
![Page 19: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/19.jpg)
Consolidated Logging
AWS CloudTrail + Amazon S3 + Amazon Glacier + Amazon CloudWatch Events
![Page 20: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/20.jpg)
AWS CloudTrail logs for many powerful use cases
CloudTrail achieves many tasks:
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
![Page 21: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/21.jpg)
Consolidated Logging: Log flow
• Raw logs from AWS CloudTrail and Amazon EC2 instances: write to Amazon S3 (with permissions on the log bucket)
• Parse in Amazon EMR and upload to Amazon Redshift
• Analyze with standard BI tools
• Archive to Amazon Glacier
Encrypted end to end!
![Page 22: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/22.jpg)
Ubiquitous Encryption
AWS KMS + AWS CloudHSM + DIY, applied to S3, Glacier, EBS, RDS, Redshift and CloudTrail
![Page 23: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/23.jpg)
Ubiquitous Encryption
AWS KMS keys used by EBS, RDS and S3; AWS IAM restricts access to the keys; AWS CloudTrail records every key use
• Encrypted in transit
• Encrypted at rest
• Fully auditable
• Fully managed keys
• Restricted access
![Page 24: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/24.jpg)
Non-Persistent & Elastic
AWS Elastic Compute Cloud + Amazon Auto-scaling Groups
![Page 25: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/25.jpg)
Network Architecture Agility
Amazon VPC + Security Group + AWS Direct Connect
![Page 26: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/26.jpg)
You can also connect privately using AWS Direct Connect
[Diagram: Availability Zone A with EC2 web instances, a NAT instance and an EC2 jump host behind the VPC Router; a Virtual Private Gateway linked over Direct Connect to the Customer Gateway on your premises]
![Page 27: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/27.jpg)
Monitor and React
AWS CloudWatch + AWS Lambda
![Page 28: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/28.jpg)
Enforcing Encryption with CloudWatch Events
CloudWatch Event -> Lambda checks whether the new EC2 or RDS instance is encrypted -> Not Encrypted -> SNS notification plus enforcement / remediation actions
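Added example for the pattern on this slide (it is not code from the deck or from AWS): a Lambda-style handler in Python that takes a CloudWatch Event built from a CloudTrail API call, reads the encryption flag out of the creation request, and returns the remediation decision instead of calling the EC2, RDS or SNS APIs, so it runs offline. The sample events, account ID and resource identifiers are constructed; the field names requestParameters.encrypted (EC2 CreateVolume) and requestParameters.storageEncrypted (RDS CreateDBInstance) are assumed to be what CloudTrail records for those calls.

```python
"""Enforce encryption at creation time: CloudWatch Events -> Lambda -> SNS/remediation.

Added example, not from the original deck. Pure Python: no boto3 calls are
made; the handler returns the decision an operator would act on.
"""


def check_ec2_create_volume(detail):
    """EC2 CreateVolume: encryption flag assumed under requestParameters.encrypted,
    new volume id under responseElements.volumeId."""
    params = detail.get("requestParameters") or {}
    response = detail.get("responseElements") or {}
    return {
        "type": "ec2-volume",
        "resource": response.get("volumeId", "<unknown>"),
        "encrypted": bool(params.get("encrypted", False)),
    }


def check_rds_create_db_instance(detail):
    """RDS CreateDBInstance: StorageEncrypted assumed under
    requestParameters.storageEncrypted (treated as false when omitted)."""
    params = detail.get("requestParameters") or {}
    return {
        "type": "rds-instance",
        "resource": params.get("dBInstanceIdentifier", "<unknown>"),
        "encrypted": bool(params.get("storageEncrypted", False)),
    }


# (event source, eventName) -> check function
CHECKS = {
    ("aws.ec2", "CreateVolume"): check_ec2_create_volume,
    ("aws.rds", "CreateDBInstance"): check_rds_create_db_instance,
}

# Remediation API to call for a freshly created, unencrypted resource.
REMEDIATION = {
    "ec2-volume": "ec2:DeleteVolume",
    "rds-instance": "rds:DeleteDBInstance",
}


def evaluate(event):
    """Return None for events we do not check; otherwise a finding carrying
    the action to take ('none' when the resource was created encrypted)."""
    detail = event.get("detail") or {}
    check = CHECKS.get((event.get("source"), detail.get("eventName")))
    if check is None:
        return None
    finding = check(detail)
    finding["actor"] = (detail.get("userIdentity") or {}).get("arn", "<unknown>")
    if finding["encrypted"]:
        finding["action"] = "none"
        finding["notify"] = False
    else:
        finding["action"] = REMEDIATION[finding["type"]]
        finding["notify"] = True  # publish the finding to the SNS topic
    return finding


def lambda_handler(event, context):
    """Lambda entry point. In production, act on finding['action'] with the
    matching boto3 call and publish to SNS when finding['notify'] is set."""
    return evaluate(event)


# Constructed sample events in the 'AWS API Call via CloudTrail' shape.
UNENCRYPTED_VOLUME_EVENT = {
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "CreateVolume",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"size": "100", "availabilityZone": "ap-northeast-2a",
                              "encrypted": False},
        "responseElements": {"volumeId": "vol-0123456789abcdef0"},
    },
}

ENCRYPTED_RDS_EVENT = {
    "source": "aws.rds",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "CreateDBInstance",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/dba"},
        "requestParameters": {"dBInstanceIdentifier": "ledger-db",
                              "storageEncrypted": True, "kmsKeyId": "alias/ledger"},
    },
}

UNRELATED_EVENT = {"source": "aws.ec2", "detail": {"eventName": "DescribeVolumes"}}

if __name__ == "__main__":
    for ev in (UNENCRYPTED_VOLUME_EVENT, ENCRYPTED_RDS_EVENT, UNRELATED_EVENT):
        print(lambda_handler(ev, None))
```

The check runs on the creation call, so an unencrypted volume or database is caught before any data lands on it; deleting it is safe at that point, which is why the remediation table maps straight to the delete APIs rather than to a stop-and-snapshot workflow.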
![Page 29: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/29.jpg)
Log-in anomaly event – Detect
A CloudWatch Logs metric filter (CloudFormation resource) that counts console logins whose source IP is outside the expected range; 55.55.* stands in for the corporate egress range:

```json
"ConsoleSignInAnomalyMetricFilter": {
  "Type": "AWS::Logs::MetricFilter",
  "Properties": {
    "LogGroupName": { "Ref": "LogGroupName" },
    "FilterPattern": "{ ($.eventName = ConsoleLogin) && ($.sourceIPAddress != 55.55.*) }",
    "MetricTransformations": [
      {
        "MetricNamespace": "CloudTrailMetrics",
        "MetricName": "ConsoleSignInAnomalyCount",
        "MetricValue": "1"
      }
    ]
  }
}
```
![Page 30: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/30.jpg)
Log-in anomaly event – Recover
Add a null IAM policy to the user (Deny all permissions; an explicit Deny overrides every Allow the user already has):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["*"],
      "Resource": ["*"]
    }
  ]
}
```
![Page 31: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/31.jpg)
Log-in anomaly event – Investigate
Look in CloudTrail – determine what events happened after the ConsoleLogin.
![Page 32: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/32.jpg)
Log-in anomaly event – Protect
Add Condition statements to the IAM policy so it only applies to requests from the expected source range:

```json
"Condition": {
  "IpAddress": {
    "aws:SourceIp": ["55.55.0.0/16"]
  }
}
```

aws:SourceIp is the public IP address the request arrives from; it is not set when an AWS service such as CloudFormation makes the call on the principal's behalf, so a Deny built on this condition must allow for those calls.
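The four steps on slides 29 to 32 (detect, recover, investigate, protect), carried through in Python as an added example that is not part of the deck. It runs offline over constructed CloudTrail records: the detect step applies the same string-prefix test as the metric filter's `55.55.*`, the recover step produces the deny-all document ready for `iam.put_user_policy`, the investigate step lists what the principal did after the login, and the protect step evaluates the `aws:SourceIp` condition the way IAM does, as CIDR membership. The user names, IPs and event times are constructed sample data.

```python
"""Console sign-in anomaly: detect, recover, investigate, protect.

Added example, not from the original deck. Works offline over constructed
CloudTrail records; 55.55.0.0/16 is the placeholder corporate range the
slides use.
"""
import ipaddress
import json
from fnmatch import fnmatchcase

TRUSTED_PATTERN = "55.55.*"          # the metric filter's prefix test (slide 29)
TRUSTED_CIDRS = ["55.55.0.0/16"]     # the aws:SourceIp condition (slide 32)

# Constructed CloudTrail records (subset of fields), already in time order.
RECORDS = [
    {"eventTime": "2016-03-01T09:00:01Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "55.55.12.7", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2016-03-01T09:05:10Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.45", "userIdentity": {"userName": "bob"}},
    {"eventTime": "2016-03-01T09:06:02Z", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.45", "userIdentity": {"userName": "bob"}},
    {"eventTime": "2016-03-01T09:07:30Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "55.55.3.9", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2016-03-01T09:08:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.45", "userIdentity": {"userName": "bob"}},
]


# 1. Detect: the same test the metric filter applies, a string prefix match.
def is_anomalous_login(record):
    return (record["eventName"] == "ConsoleLogin"
            and not fnmatchcase(record["sourceIPAddress"], TRUSTED_PATTERN))


def detect(records):
    return [r for r in records if is_anomalous_login(r)]


# 2. Recover: the "null" (deny-all) policy, as a document ready for
#    iam.put_user_policy(UserName=..., PolicyName=..., PolicyDocument=...).
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["*"], "Resource": ["*"]}],
}


def quarantine_policy(user_name):
    return "Quarantine-" + user_name, json.dumps(DENY_ALL_POLICY)


# 3. Investigate: what did the principal do after the suspicious login?
#    eventTime is ISO 8601 UTC, so plain string comparison orders correctly.
def events_after_login(records, login):
    user = login["userIdentity"]["userName"]
    return [r["eventName"] for r in records
            if r["userIdentity"]["userName"] == user
            and r["eventTime"] > login["eventTime"]]


# 4. Protect: evaluate IpAddress/aws:SourceIp the way IAM does, as a CIDR
#    membership test rather than the filter's string prefix.
def source_ip_allowed(request_ip, cidrs=TRUSTED_CIDRS):
    ip = ipaddress.ip_address(request_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def respond(records):
    """Run the four steps and return one report per anomalous login."""
    reports = []
    for login in detect(records):
        user = login["userIdentity"]["userName"]
        name, doc = quarantine_policy(user)
        reports.append({
            "user": user,
            "sourceIPAddress": login["sourceIPAddress"],
            "attach_policy": name,
            "policy_document": doc,
            "later_events": events_after_login(records, login),
            "would_pass_condition": source_ip_allowed(login["sourceIPAddress"]),
        })
    return reports


if __name__ == "__main__":
    print(json.dumps(respond(RECORDS), indent=2))
```

The report's `later_events` list is the investigate step's answer: in the sample data the login from 203.0.113.45 is followed by CreateUser and AuthorizeSecurityGroupIngress, exactly the persistence and exposure changes you would want the quarantine policy to cut off and the IpAddress condition to have prevented.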
![Page 33: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/33.jpg)
Standardized Environments & Security as Code
AWS CloudFormation + AWS SDK
![Page 34: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/34.jpg)
Security Control Matrix
• Security Control Responsibility Matrix (CRM)
![Page 35: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/35.jpg)
Standardized Architecture
![Page 36: How leading financial firms use AWS security :: Eugene Yu :: AWS Finance Seminar](https://reader033.vdocuments.net/reader033/viewer/2022042611/5878c3de1a28ab26728b599d/html5/thumbnails/36.jpg)
What you do in any IT environment
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Golden OS images
• Encryption algorithms for data in transit and at rest
Security Translation to AWS: the same controls expressed as AWS JSON
• Golden OS
• Network ACLs, subnets, firewall rules
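Added example (not code from the deck or from AWS) for the "security as code" idea of slide 33 and the firewall-rule translation of slide 36: a Python script that takes the kind of rule table a network team keeps for a traditional firewall and emits AWS::EC2::SecurityGroup resources as a CloudFormation JSON fragment, refusing any rule that would open an admin port to the whole internet. The rule tuple format, the group names, the sample rules and the VpcId template parameter are assumptions.

```python
"""Security as code: translate a firewall rule table into CloudFormation.

Added example, not from the original deck. The validation step is where
the organisation's standard lives: a rule that fails it never reaches a
template, so it never reaches an account.
"""
import ipaddress
import json

ADMIN_PORTS = {22, 3389}        # SSH, RDP
PROTOCOLS = {"tcp", "udp"}      # ICMP uses type/code instead of ports; left out

# Constructed sample: (group, protocol, from_port, to_port, source CIDR)
FIREWALL_RULES = [
    ("WebTier", "tcp", 443, 443, "0.0.0.0/0"),
    ("WebTier", "tcp", 80, 80, "0.0.0.0/0"),
    ("AppTier", "tcp", 8080, 8080, "10.0.1.0/24"),
    ("Bastion", "tcp", 22, 22, "55.55.0.0/16"),
]


def validate_rule(rule):
    """Raise ValueError for a rule the standard forbids; return the parsed network."""
    group, proto, from_port, to_port, cidr = rule
    net = ipaddress.ip_network(cidr)          # ValueError on a malformed CIDR
    if proto not in PROTOCOLS:
        raise ValueError(f"{group}: unsupported protocol {proto!r}")
    if not 0 <= from_port <= to_port <= 65535:
        raise ValueError(f"{group}: bad port range {from_port}-{to_port}")
    if net.prefixlen == 0 and any(from_port <= p <= to_port for p in ADMIN_PORTS):
        raise ValueError(f"{group}: admin port exposed to {cidr}")
    return net


def is_valid_rule(rule):
    try:
        validate_rule(rule)
        return True
    except ValueError:
        return False


def to_ingress(rule):
    """One SecurityGroupIngress entry; IPv6 sources use CidrIpv6."""
    _, proto, from_port, to_port, cidr = rule
    net = validate_rule(rule)
    entry = {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port}
    entry["CidrIpv6" if net.version == 6 else "CidrIp"] = cidr
    return entry


def translate(rules):
    """Group rules by security group and emit a CloudFormation Resources map."""
    resources = {}
    for rule in rules:
        group = rule[0]
        res = resources.setdefault(group, {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": f"{group} (generated from firewall rules)",
                "VpcId": {"Ref": "VpcId"},
                "SecurityGroupIngress": [],
            },
        })
        res["Properties"]["SecurityGroupIngress"].append(to_ingress(rule))
    return {"Resources": resources}


def render(rules):
    return json.dumps(translate(rules), indent=2)


if __name__ == "__main__":
    print(render(FIREWALL_RULES))
```

Because the generated fragment is plain JSON, it can be committed next to the rule table and diffed in review, which is what turns the architecture artifact into the living audit evidence slide 13 describes.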