Page 1

Application Security Best Practices

Matt Tavis | Principal Solutions Architect

Page 2

Application Security Best Practices is a Complex topic!

• Design scalable and fault tolerant applications

– See Architecting for the Cloud

• Most traditional best practices still apply

• There are ways AWS can help

Page 3

Built Around the Shared Responsibility Model…

AWS

• Facilities

• Physical Security

• Physical Infrastructure

• Network Infrastructure

• Virtualization Infrastructure

Customer

• Operating System

• Application

• Security Groups

• OS Firewalls

• Network Configuration

• Account Management

Page 4

…and AWS Certifications

• AWS Environment

– SAS70 Type II Audit

– ISO 27001 Certification

– Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider

– FedRAMP (FISMA)

• Customers have deployed various compliant applications:

– Sarbanes-Oxley (SOX)

– HIPAA (healthcare)

– FISMA (US Federal Government)

– DIACAP MAC III Sensitive IATO

Page 5

Resources and data are in your control

• Specify what Region and AZ to launch in

• Customize your AMIs

• Create distinct Security Groups for groups of EC2 Instances

– use rules for controlling access between layers

– restrict external access to specific IP ranges

• Use AWS Identity & Access Management (IAM)

– upload your own keys

– use MultiFactor Authentication (MFA)

• AWS personnel can’t login to your Instances

Page 6

Protect your data with encryption

• Encrypt data “in-transit” (SSL/TLS)

• Encrypt data “at-rest”

– Encrypt records before writing in database

– Encrypt objects before storing them

– Consider encrypted file systems for sensitive data

• Windows Bitlocker

• Truecrypt

• dm-crypt

• SafeNet

Page 7

Traditional Network Topologies in VPC

• Create multiple Subnets

– specify IP Ranges

• Specify Instance private IP Address

• Manage Routing

• Inbound & Outbound filters

– Security Groups: stateful

– Network Access Control Lists (ACLs): stateless

• Use NAT Instances

– Enhance NAT Instances with software VPNs, IDS, logging, etc…
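The difference between the two filter types on this slide (Security Groups are stateful, Network ACLs are stateless) is the one that most often bites people who move a working Security Group ruleset into a NACL. The model below is an added illustration, not code from the slides or from AWS: it tracks connections for the stateful case and evaluates an ordered allow/deny list for the stateless case, using a constructed HTTPS exchange between an Internet client and a web instance. The addresses, ports and rule shapes are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    sport: int      # source port
    dst: str        # destination IP
    dport: int      # destination port
    direction: str  # "in" = arriving at the instance, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    cidr: str       # remote network the rule applies to
    port_from: int  # destination-port range the rule covers
    port_to: int
    action: str = "allow"  # Network ACLs can also "deny"; Security Groups only allow


def rule_matches(rule, pkt):
    """Does one rule cover this packet (remote side and destination port)?"""
    if rule.direction != pkt.direction:
        return False
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    return (ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= pkt.dport <= rule.port_to)


class SecurityGroup:
    """Stateful filter: once a connection is admitted, its reply packets are
    allowed without a rule in the opposite direction."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()  # (remote_ip, remote_port, local_ip, local_port)

    def allows(self, pkt):
        if pkt.direction == "in":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections:
            return True  # return traffic of a tracked connection
        if any(rule_matches(r, pkt) for r in self.rules):
            self.connections.add(key)
            return True
        return False  # no rule and no state: dropped


class NetworkAcl:
    """Stateless filter: every packet, replies included, is checked against the
    ordered rule list; first match wins and anything unmatched is denied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, pkt):
        for r in self.rules:
            if rule_matches(r, pkt):
                return r.action == "allow"
        return False


def demo():
    """Constructed HTTPS request/reply between an Internet client and a web instance."""
    request = Packet("203.0.113.5", 51000, "10.0.1.10", 443, "in")
    reply = Packet("10.0.1.10", 443, "203.0.113.5", 51000, "out")

    # Security Group: one inbound rule is enough, the reply rides on connection state.
    sg = SecurityGroup([Rule("in", "0.0.0.0/0", 443, 443)])
    sg_result = (sg.allows(request), sg.allows(reply))

    # NACL with only the inbound 443 rule: the reply to the client's ephemeral port is dropped.
    nacl_inbound_only = NetworkAcl([Rule("in", "0.0.0.0/0", 443, 443)])
    nacl_partial = (nacl_inbound_only.allows(request), nacl_inbound_only.allows(reply))

    # Corrected NACL: an explicit outbound rule for the ephemeral port range.
    nacl_fixed = NetworkAcl([Rule("in", "0.0.0.0/0", 443, 443),
                             Rule("out", "0.0.0.0/0", 1024, 65535)])
    nacl_full = (nacl_fixed.allows(request), nacl_fixed.allows(reply))

    return {"security_group": sg_result,
            "nacl_inbound_only": nacl_partial,
            "nacl_with_ephemeral_out": nacl_full}


if __name__ == "__main__":
    for name, (req_ok, reply_ok) in demo().items():
        print(f"{name:24s} request={req_ok} reply={reply_ok}")
```

The second NACL result is the practical lesson: a stateless list that only admits inbound 443 silently breaks the web server, so NACL changes need the outbound ephemeral range considered every time, while a Security Group does not.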

Page 8

Security best practices still apply

• Secure coding standards

• Perform penetration testing

– http://aws.amazon.com/security/penetration-testing/

• Antivirus where appropriate

• Intrusion Detection

– Host-based Intrusion Detection (e.g., OSSEC)

• Log events

• Role-based access control

– AWS Identity & Access Management

– LDAP and/or Active Directory for Operating Systems & Applications

Page 9

AWS Credential and Key Management Tips

• Create limited IAM Users for application needs

• Don’t package a privileged key in the Instance

• Periodic key rotation

• One way to pass the application key to an Instance

– On the Instance

• Decryption key

• IAM User with read-only access to a private S3 Bucket that contains the encrypted key

– Retrieve the full key and then decrypt it

– Use Bucket Logging to monitor attempts to access the key

Page 10

Extend Your Credentials into AWS

• Often done in VPC

– easier with static IPs for DCs (domain controllers)

– use egress control

• Use Read-only Domain Controllers to scale better

• Whitepaper: Using Windows ADFS for Single Sign-On to EC2 http://media.amazonwebservices.com/EC2_ADFS_howto_2.0.pdf

Page 11

New Security Opportunities Arise on AWS

Issue / Opportunity

• Spending too much time troubleshooting issues? Throw it away and just replace it.

• Found questionable log entries? Launch an EMR job and find correlating events.

• Tired of patching? Use minimal OS and introduce puppet/chef/etc... Create new AMIs and launch replacements.

• High risk site in your datacenter? Move it to AWS and reduce threat vectors to other applications.

Page 12

Security Belongs In Every Layer

Page 13

Using AWS Account Isolation to Protect Resources

• Environment

– development, test, integration, performance, production

• Major system

• Line of business / function

• Customer

• Risk level

Consolidated Billing lets you bring it all together under one bill!

Page 14

Leverage Multiple Layers of Defense

Feature                    | Standard EC2                | Virtual Private Cloud
Security Groups            | Inbound                     | Inbound and Outbound
Network ACLs               | n/a                         | Inbound and Outbound
Operating System firewalls | Use as-is                   | Use as-is
Border firewall            | Manual configuration*       | NAT Instance
VPN                        | Manual configuration*       | VPN Gateway
Bastion Host               | Enforce via Security Groups | Enforce via Security Groups or Network ACLs
IDS                        | HIDS*                       | HIDS* & NAT Instance

* Third-party tools / solutions

Page 15

Public EC2 Multi-tier Security Group Approach

[Diagram: three Security Groups on the Amazon EC2 Security Group Firewall: Web Tier, Application & Bastion Tier, Database Tier, with ssh paths drawn between the tiers]

• Ports 80 and 443 only open to the Internet

• Engineering staff have ssh

• All other Internet ports blocked by default

• Sync with on-premises database
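The multi-tier approach on this slide is only as good as the rules actually deployed, and Security Group rule sets drift. The checker below is an added example, not code from the slides or from AWS: it takes a constructed set of ingress rules (each naming its group, a source CIDR or source group, and a port range) and reports every rule that breaks the three invariants the slide describes: only the web tier is open to the Internet and only on 80 and 443, ssh reaches the bastion only from an engineering range and every other tier only from the bastion, and the database port is open only to the application tier. The group names, the engineering CIDR and the database port are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ingress:
    group: str      # security group the rule belongs to (web, app, bastion, db)
    source: str     # CIDR, or the name of another security group
    port_from: int
    port_to: int


INTERNET = "0.0.0.0/0"
ENGINEERING_CIDR = "198.51.100.0/24"  # constructed: where engineering ssh originates
SSH, HTTP, HTTPS, DB = 22, 80, 443, 3306  # DB port is an assumption for the example


def is_cidr(source):
    """True when the rule source is an IP range rather than a group name."""
    try:
        ipaddress.ip_network(source)
        return True
    except ValueError:
        return False


def covers(rule, port):
    return rule.port_from <= port <= rule.port_to


def check_policy(rules):
    """Return a list of human-readable violations of the three-tier model."""
    violations = []
    for r in rules:
        # 1. Only the web tier may be reachable from the Internet, and only on 80/443.
        if r.source == INTERNET:
            if r.group != "web":
                violations.append(f"{r.group}: Internet-wide ingress on {r.port_from}-{r.port_to}")
            elif not (r.port_from == r.port_to and r.port_from in (HTTP, HTTPS)):
                violations.append(f"web: Internet ingress must be 80 or 443 only, got {r.port_from}-{r.port_to}")

        # 2. ssh: the bastion accepts it from engineering, every other tier only from the bastion.
        # A wide port range that happens to include 22 is caught here as well.
        if covers(r, SSH):
            expected = ENGINEERING_CIDR if r.group == "bastion" else "bastion"
            if r.source != expected:
                violations.append(f"{r.group}: ssh allowed from {r.source}, expected {expected}")

        # 3. Non-ssh ingress to the database tier comes only from the app group on the DB port.
        elif r.group == "db":
            if not (r.source == "app" and r.port_from == r.port_to == DB):
                violations.append(f"db: ingress from {r.source} on {r.port_from}-{r.port_to}, "
                                  f"only the app group on port {DB} may reach the database")

        # Any source that is neither a CIDR nor a known group is a typo waiting to open a hole.
        if not is_cidr(r.source) and r.source not in ("web", "app", "bastion", "db"):
            violations.append(f"{r.group}: unknown source group {r.source!r}")
    return violations


# Constructed rule set that follows the slide's layout.
COMPLIANT_RULES = [
    Ingress("web", INTERNET, HTTP, HTTP),
    Ingress("web", INTERNET, HTTPS, HTTPS),
    Ingress("web", "bastion", SSH, SSH),
    Ingress("bastion", ENGINEERING_CIDR, SSH, SSH),
    Ingress("app", "web", 8080, 8080),
    Ingress("app", "bastion", SSH, SSH),
    Ingress("db", "app", DB, DB),
    Ingress("db", "bastion", SSH, SSH),
]

if __name__ == "__main__":
    print("compliant:", check_policy(COMPLIANT_RULES))
    drifted = COMPLIANT_RULES + [Ingress("db", INTERNET, DB, DB)]
    for v in check_policy(drifted):
        print("VIOLATION", v)
```

Run against a live account, the same function would be fed from the account's actual Security Group rules; the point of keeping the checks as plain predicates is that they can be run on every change rather than once at design time.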

Page 16

You may still need to patch!

• Most traditional tools will work

• Emerging options

– puppet (www.puppetlabs.com)

– chef (www.opscode.com/chef/)

– fabric/cuisine (www.fabfile.org)

– capistrano (https://github.com/capistrano/capistrano/wiki)

Page 17

Monitoring Tools

• CloudWatch (now with console!)

• Application Monitoring

– Cacti

– CloudWatch User Metrics

• Instance Monitoring

– CloudWatch

– Nagios

• Nagios CloudWatch plugin

https://github.com/j3tm0t0/check_cloudwatch

Page 18

Approaches to Log Management

• Distributed Approach

– Highly scalable, but not always real-time

– Instance-based (push to S3)

– Facebook’s Scribe

• Centralized Approach

– Real-time, but not highly scalable

– syslog

– Windows Event Logging Service

• Analytics

– Custom EMR jobs

– Splunk (www.splunk.com)
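Both the "Analytics" bullet here and the earlier "Found questionable log entries? Launch an EMR job and find correlating events" opportunity come down to the same job: group events by the attribute they share and look for patterns across them. The script below is an added example, not code from the slides, from AWS or from any of the tools named: it parses a constructed syslog-style sshd auth log, groups events by source address, and flags two patterns a defender wants surfaced, a burst of failed logins from one address and a successful login from an address that had just been failing. The log lines, addresses, thresholds and window are constructed for the example; the same per-key correlation is what an EMR or Splunk job would do at scale.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log from one web instance (not real data).
SAMPLE_LOG = """\
Mar 12 10:01:02 web-1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar 12 10:01:05 web-1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Mar 12 10:01:09 web-1 sshd[2233]: Failed password for root from 203.0.113.7 port 40124 ssh2
Mar 12 10:01:15 web-1 sshd[2235]: Failed password for root from 203.0.113.7 port 40125 ssh2
Mar 12 10:01:20 web-1 sshd[2237]: Accepted publickey for deploy from 198.51.100.12 port 50122 ssh2
Mar 12 10:02:30 web-1 sshd[2240]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar 12 10:02:41 web-1 sshd[2242]: Accepted password for root from 203.0.113.7 port 40131 ssh2
Mar 12 10:03:00 web-1 sshd[2250]: Failed password for invalid user test from 192.0.2.9 port 33010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port\s+(?P<port>\d+)"
)


def parse_line(line):
    """Turn one sshd auth line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; relative ordering is all the correlation needs
    ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    ev["port"] = int(ev["port"])
    return ev


def correlate(log_text, window_seconds=120, threshold=3):
    """Group auth events by source IP and return the suspicious patterns found."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        accepted = [e for e in evs if e["result"] == "Accepted"]

        # Pattern 1: repeated failures from one address, across any usernames.
        if len(failures) >= threshold:
            findings.append({"ip": ip, "type": "brute_force",
                             "failures": len(failures),
                             "users": sorted({e["user"] for e in failures})})

        # Pattern 2: a success preceded, within the window, by failures from the same address.
        for a in accepted:
            prior = [f for f in failures
                     if 0 <= (a["time"] - f["time"]).total_seconds() <= window_seconds]
            if prior:
                findings.append({"ip": ip, "type": "success_after_failures",
                                 "user": a["user"], "method": a["method"],
                                 "failures_in_window": len(prior),
                                 "at": a["ts"]})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
```

In the sample, 203.0.113.7 produces both findings while the single failure from 192.0.2.9 and the key-based login from 198.51.100.12 stay quiet; tuning `threshold` and `window_seconds` against real volume is where the per-environment work goes.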

Page 19

Example Application

[Diagram: www.example.com served through DNS (Route 53), CloudFront and S3, with an ELB in front of an Auto-scaling group of Web Servers (Web Tier); each Web Server sends traffic through an SLB to an Auto-scaling group of Tomcat App Servers (App Tier); the App Tier talks to an RDS Master with an RDS Slave; the Web and App tiers are repeated across Availability Zone #1, Availability Zone #2 ... Availability Zone #n]

Page 20

Example: Build Security into Every Layer

[Diagram: the same HA architecture as on Page 19 (Route 53, CloudFront, S3, ELB, Web and App Tier Auto-scaling groups across Availability Zones, RDS Master and Slave), annotated with the security characteristics listed below]

HA Architecture

Security Characteristics:

- Route 53 (highly scalable DNS)

- Autoscaling Groups

- Security Groups

  - ELB Security Group

- OS Firewalls (on Instances)

- RDS

  - DB Security Groups

  - backup window

  - snapshots

  - multi-AZ

- CloudFront

  - Private Distribution

  - pre-signed URLs

- S3 Bucket Policies

  - private bucket

Page 21

Thank You!

• More reading:

– Security Center: http://aws.amazon.com/security