bulletproof & xero presentation - aws summit auckland
TRANSCRIPT
How Xero Accelerated Security Innovation on AWS
Hello!
Jeremy Vincent, Solution Architect, Bulletproof
Aaron McKeown, Lead Security Architect, Xero
Neil Ramsay, Cloud Engineer, Bulletproof
What can you expect today?
An overview of:
• Xero
• AWS Migration Project
• AWS Security Principles
• Key Project Learnings
• Bulletproof
• Cloud Security Considerations
• Secure by Design Guidance
Who are we?
• Cloud House merged with Bulletproof in 2016
• First Premier Partner in A/NZ
• ASX listed (ASX:BPF)
• Only Premier Partner in NZ
• End-to-end Cloud services provider.
• 700+ customers
• 16+ years of experience
• We help you disrupt, transform and innovate
Aaron McKeown, Lead Security Architect
How Xero Accelerated Security on AWS
Beautiful cloud-based accounting software
Connecting people with the right numbers anytime, anywhere, on any device
1450+ staff globally
$474m raised in capital
$202m sub revenue FY16
23m+ businesses have interacted on the Xero platform
$1tr incoming and outgoing transactions in past 12 mths
450m incoming and outgoing transactions in past 12 mths
All figures shown are in NZD
Chart: paying subscribers, 2009 to 2016
700,000+ subscribers globally
Public cloud migration
Improving data protection
Eliminating scheduled downtime
Maintaining and improving security
Support the next wave of growth
Reducing our per customer cost
Security Considerations in the Cloud
Approach: AWS Cloud Security
Security is a Journey
High Pace of Innovation with Cloud
Automation is key
How?
AWS Cloud Security
Focus on API Security
Fast rate of change
Cloud native systems with consistent security capabilities
How?
AWS Cloud Security
Focus on API Security: AWS IAM
Fast rate of change: AWS CloudFormation
Cloud native systems with consistent security capabilities: AWS KMS, AWS CloudTrail, AWS Config, CloudWatch Logs, CloudWatch Alarms, AWS IAM
How?
Automation
Diagram: automation pipeline. Components: Version Control (Git repo), CI Server, Package Builder, Deploy Server; environments: Test Env, Staging Env, Prod Env. Labels on the diagram: Ops commit to Git/master; Get/Pull; Code, Config, Tests; Distributed Builds; Run Tests in parallel; Create; AMIs; Generate CloudFormation Templates for Environment; Push Config; Install.
Xero AWS Security Overview
Key principles
Repeatable and automated build and management of security systems
Accelerated pace of security innovation
On-demand security infrastructure that works at any scale
Security as a service
• VPN connectivity
• Host Based Security
• Web Application Security and Delivery
• Shared Key Management Services
• Security Operations and Consulting Services
• Secure Bastion Access Proxy Services
AWS Security Guidance
Recommendations
Secure by Design
AWS Cloud Security
• Account structure
• VPC structure
• Service mapping
• Key services
• Visibility
• Logging/Monitoring
• Secure Bastions
Secure by Design
Account Structure
Diagram: AWS account structure. Billing; Non-Production (Development, Shared Services, UAT); Production (Production, Staging, Shared Services); Identity; Security.
Secure by Design
Service Mapping
Diagram: the account structure (Non-Production: Development, Shared Services, UAT; Security; Production: Staging, Shared Services, Production; Identity; Billing) with services placed on it: AWS IAM, AWS KMS, IAM Roles, IAM Policy, IAM Users, IAM Groups, AWS CloudTrail, AWS Config, CloudTrail S3 Bucket, CloudTrail Glacier Vault, Config S3 Bucket, Config Glacier Vault, CloudWatch Logs, CloudWatch Alarms, SNS Email Notifications.
Secure by Design
VPC Structure
Diagram: Production and Shared Services VPCs connected by VPC Peering, each with a DMZ “Public” Zone and a Protected “Private” Zone behind a Router. Components shown: Internet Gateway, Amazon CloudFront, Amazon Route 53, WAF, NGFW, Secure Bastion, ADFS, PKI, AD, Outbound Proxy, NTP, DNS, Production EC2 Workloads, Staging EC2 Workloads, S3 VPC Endpoints, VPC Flow Logs, Static Assets S3 Bucket, Backup S3 Bucket, Internet Servers; an IPSec VPN Connection from a VPN Gateway to the Customer Gateway at the Corporate Data Center.
Secure by Design
VPC Peering
Diagram: the VPC Structure diagram above, highlighting the VPC Peering connections between the Production and Shared Services VPCs.
Secure by Design
VPC Endpoints
Diagram: the VPC Structure diagram above, highlighting the S3 VPC Endpoints.
Secure by Design
Key Services
Secure by Design
CloudTrail
CloudTrail Settings
• All Regions (Multi-Region setting)
• Log File Integrity Validation
• Log File Encryption with KMS
S3 Bucket Policy
• Restrict Authorised Users to have Read-Only access
• Allow Only the CloudTrail service to have Write access
Day One
Diagram: AWS KMS, AWS CloudTrail, CloudTrail S3 Bucket, S3 Lifecycle Rules, CloudTrail Glacier Vault.
Secure by Design
Config
Config Settings
• All Regions (No multi-region setting, so Automate)
• Enable All available Resource Types for tracking
S3 Bucket Policy
• Restrict Authorised Users to have Read-Only access
• Allow Only the Config service to have Write access
Day One
Diagram: AWS Config, Config S3 Bucket, S3 Lifecycle Rules, Config Glacier Vault.
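The two bucket-policy rules stated for the CloudTrail bucket and again for the Config bucket (authorised users read-only, write access only for the logging service) can be checked mechanically. The following is an added example, not code from the talk or from Xero or Bulletproof: a small Python linter that reads a bucket policy document and reports Allow statements that break either rule, and also checks for the bucket-owner-full-control condition that both services' documented bucket policies require on s3:PutObject. The policy documents, bucket name, account id and audit-role name are constructed placeholders, and the set of actions treated as read-only is an assumption.

```python
"""Lint an S3 bucket policy for a CloudTrail or Config log bucket against the two
rules on the slides: authorised users get read-only access, and only the logging
service may write.  Added example; not code from the talk or from Xero/Bulletproof."""
import json

# Assumption: these are the only actions an auditor needs on a log bucket.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket", "s3:GetBucketAcl"}


def _as_set(value):
    """Action/Principal fields may be a string or a list; normalise to a set."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def check_log_bucket_policy(policy, service):
    """Return a list of findings; an empty list means the policy meets both rules.

    service: the expected writer, 'cloudtrail.amazonaws.com' or 'config.amazonaws.com'.
    Only Allow statements matter: bucket policies are default-deny, so a stray
    Allow is what grants unintended access.
    """
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_set(st.get("Action"))
        principal = st.get("Principal")
        services = _as_set(principal.get("Service")) if isinstance(principal, dict) else set()
        aws_principals = _as_set(principal.get("AWS")) if isinstance(principal, dict) else set()
        if principal == "*" or "*" in aws_principals or actions & {"*", "s3:*"}:
            findings.append(f"{sid}: wildcard principal or action")
            continue
        if services and services != {service}:
            findings.append(f"{sid}: unexpected service principal {sorted(services - {service})}")
        if services == {service} and "s3:PutObject" in actions:
            # Both CloudTrail and Config document this condition on their PutObject grant.
            acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
            if acl != "bucket-owner-full-control":
                findings.append(f"{sid}: PutObject must require s3:x-amz-acl=bucket-owner-full-control")
        if aws_principals:  # a human or role principal: must stay read-only
            extra = actions - READ_ONLY_ACTIONS
            if extra:
                findings.append(f"{sid}: write actions granted to users: {sorted(extra)}")
    return findings


# Constructed policy for a CloudTrail bucket; account id and names are placeholders.
BUCKET = "arn:aws:s3:::example-cloudtrail-logs"
AUDIT_ROLE = "arn:aws:iam::111122223333:role/SecurityAudit"
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:GetBucketAcl", "Resource": BUCKET},
        {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": f"{BUCKET}/AWSLogs/111122223333/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        {"Sid": "AuditReadOnly", "Effect": "Allow",
         "Principal": {"AWS": AUDIT_ROLE},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, f"{BUCKET}/*"]},
    ],
}
# Same service grants, but the audit role was given s3:* and the objects made world-readable.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": GOOD_POLICY["Statement"][:2] + [
        {"Sid": "AuditFullAccess", "Effect": "Allow", "Principal": {"AWS": AUDIT_ROLE},
         "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"]},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, json.dumps(check_log_bucket_policy(policy, "cloudtrail.amazonaws.com"), indent=2))
```

Run as a script it prints no findings for the first policy and two for the second. It inspects the bucket policy alone; identity-based policies held by principals in the same account (an administrator with s3:*, say) can still grant write access, which is a reason to keep log buckets in an account with very few principals.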
Secure by Design
Identity and Access Management (IAM)
Diagram: AWS IAM in front of the services it controls access to: Amazon EC2, AWS Elastic Beanstalk, AWS Lambda, Amazon CloudFront, Amazon S3, Amazon DynamoDB, Amazon RDS, Amazon Redshift, Amazon VPC, Amazon Route 53.
Identity and Access Management
IAM for Identity Account: Authentication
IAM for Identity Account: AWS Console + API + MFA for Humans
IAM Roles
Diagram labels: Build, Repair, Audit, Identity.
IAM Cross Account Roles
Diagram labels: Non-Production, Production.
IAM Guard Rails
Diagram labels: customer gateway, VPN gateway, VPN connection; CloudTrail, Config, KMS, IAM.
IAM Roles: Limited Time Only
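As an added example (not the presenters' code), here is how a cross-account role, the MFA requirement for humans and a time bound fit together in a role trust policy, with a small evaluator that applies the trust policy to an AssumeRole request context the way IAM does for the handful of condition operators used. The account ids, role name and the 3600-second limit are constructed placeholders; reading "Limited Time Only" as a limit on MFA age is an assumption, and the evaluator models only the operators it names, not all of IAM policy evaluation.

```python
"""Cross-account role trust policy requiring recent MFA, with a minimal evaluator.
Added example, not from the talk; account ids and names are placeholders."""

IDENTITY_ACCOUNT = "111111111111"    # where the humans' IAM users live (placeholder)
PRODUCTION_ACCOUNT = "222222222222"  # where the role lives (placeholder)
MAX_MFA_AGE_SECONDS = 3600           # assumption for "Limited Time Only"
ROLE_ARN = f"arn:aws:iam::{PRODUCTION_ACCOUNT}:role/ProdOperator"

# Trust policy attached to the ProdOperator role in the Production account.  Trusting the
# Identity account's root ARN delegates to any principal in that account whose own IAM
# policy allows sts:AssumeRole on this role; the conditions then insist on a recent MFA.
PROD_OPERATOR_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowIdentityAccountHumansWithMFA",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{IDENTITY_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "NumericLessThan": {"aws:MultiFactorAuthAge": str(MAX_MFA_AGE_SECONDS)},
        },
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(principal, caller_arn):
    """Exact ARN match, or an account root ARN matching the caller's account."""
    caller_account = caller_arn.split(":")[4]
    for p in _as_list(principal.get("AWS", [])):
        if p == caller_arn or (p.endswith(":root") and p.split(":")[4] == caller_account):
            return True
    return False


def _conditions_hold(condition, ctx):
    """Evaluate the operators used above.  A key missing from the request context fails
    the condition, which is why a caller who did not use MFA (no aws:MultiFactorAuthPresent
    in the context) is refused rather than let through."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "NumericLessThan", "StringEquals"):
            raise ValueError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
            if operator == "NumericLessThan" and not float(actual) < float(expected):
                return False
            if operator == "StringEquals" and str(actual) != str(expected):
                return False
    return True


def can_assume_role(trust_policy, ctx):
    """Decide sts:AssumeRole for a request context {'caller_arn': ..., '<condition key>': ...}.
    An explicit Deny that matches wins; otherwise any matching Allow; otherwise default deny."""
    allowed = False
    for st in trust_policy["Statement"]:
        if "sts:AssumeRole" not in _as_list(st["Action"]):
            continue
        if not _principal_matches(st["Principal"], ctx["caller_arn"]):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    alice = f"arn:aws:iam::{IDENTITY_ACCOUNT}:user/alice"
    with_mfa = {"caller_arn": alice, "aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "300"}
    print(ROLE_ARN, "with recent MFA:", can_assume_role(PROD_OPERATOR_TRUST_POLICY, with_mfa))
    print(ROLE_ARN, "without MFA:", can_assume_role(PROD_OPERATOR_TRUST_POLICY, {"caller_arn": alice}))
```

The trust policy is only half of a cross-account role: the caller's own IAM policy in the Identity account must also allow sts:AssumeRole on the role ARN, and the temporary credentials the caller receives expire with the role session, so the time bound applies twice: once to how recently the human proved MFA, and once to how long the session lives.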
Secure by Design
Logging and Monitoring
Logging/Monitoring
Diagram: API calls are recorded by AWS CloudTrail, delivered to CloudWatch Logs and to the CloudTrail S3 Bucket (Lifecycle Rules to the CloudTrail Glacier Vault); AWS Config delivers to the Config S3 Bucket (Lifecycle Rules to the Config Glacier Vault). CloudWatch Logs feed CloudWatch Metric Filters and CloudWatch Alarms, which raise SNS Email Notifications; also shown: AWS Lambda, and Amazon Elasticsearch Service as an alternative (OR).
Logging/Monitoring…
Diagram: OS, Network and Storage layers. S3 Bucket access logs, Amazon CloudFront access logs and Elastic Load Balancing access logs each go to an Access Logs S3 Bucket (Lifecycle Rules to an Access Logs Glacier Vault). Amazon EC2 log events and VPC Flow Log packets go to CloudWatch Logs, then CloudWatch Metric Filters, CloudWatch Alarms and SNS Email Notifications.
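The CloudTrail to CloudWatch Logs to Metric Filter to Alarm path on the diagrams is easiest to follow with records in hand. Below is an added example, not from the talk: a few constructed CloudTrail records of the kind a trail delivers to a CloudWatch Logs stream, four illustrative detection rules written as Python predicates (each with the equivalent CloudWatch Logs filter pattern in a comment), and the threshold step an alarm performs. The rules are common CloudTrail alarms chosen here for illustration; the slides do not say which filters Xero used, and the account id, user names and IP addresses are constructed.

```python
"""CloudTrail records through a metric-filter-and-alarm step, in Python.
Added example, not from the talk; the records below are constructed."""
import json

# Constructed CloudTrail records, one JSON document per line, as a trail would deliver them
# to a CloudWatch Logs stream.  Account id, user names and IP addresses are placeholders.
SAMPLE_EVENTS = r"""
{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice","accountId":"111111111111"},"eventTime":"2016-09-01T09:12:01Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/bob","accountId":"111111111111"},"eventTime":"2016-09-01T09:13:44Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.11","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventVersion":"1.05","userIdentity":{"type":"Root","arn":"arn:aws:iam::111111111111:root","accountId":"111111111111"},"eventTime":"2016-09-01T10:02:10Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","eventType":"AwsApiCall","awsRegion":"ap-southeast-2","sourceIPAddress":"203.0.113.12"}
{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/bob","accountId":"111111111111"},"eventTime":"2016-09-01T10:05:33Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","eventType":"AwsApiCall","awsRegion":"ap-southeast-2","sourceIPAddress":"203.0.113.11","requestParameters":{"name":"org-trail"}}
{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/carol","accountId":"111111111111"},"eventTime":"2016-09-01T10:07:00Z","eventSource":"iam.amazonaws.com","eventName":"DeleteUser","eventType":"AwsApiCall","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.13","errorCode":"AccessDenied","errorMessage":"User is not authorized"}
"""

# Illustrative detection rules.  The comment above each gives the equivalent CloudWatch
# Logs metric filter pattern; the slides do not list the filters Xero used.
RULES = {
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    "console-login-without-mfa": lambda e: (
        e.get("eventName") == "ConsoleLogin"
        and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"),
    # { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #   && $.eventType != "AwsServiceEvent" }
    "root-account-usage": lambda e: (
        e.get("userIdentity", {}).get("type") == "Root"
        and "invokedBy" not in e.get("userIdentity", {})
        and e.get("eventType") != "AwsServiceEvent"),
    # { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail)
    #   || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
    "cloudtrail-config-change": lambda e: e.get("eventName") in {
        "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"},
    # { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    "unauthorized-api-call": lambda e: (
        str(e.get("errorCode", "")).startswith("AccessDenied")
        or str(e.get("errorCode", "")).endswith("UnauthorizedOperation")),
}


def parse_events(text):
    """One CloudTrail record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def apply_filters(events, rules=RULES):
    """Metric filter step: map each rule name to the records it matches."""
    return {name: [e for e in events if matches(e)] for name, matches in rules.items()}


def alarms(hits, threshold=1):
    """Alarm step: a rule alarms when its match count in the period reaches the threshold."""
    return sorted(name for name, matched in hits.items() if len(matched) >= threshold)


if __name__ == "__main__":
    hits = apply_filters(parse_events(SAMPLE_EVENTS))
    for name in alarms(hits):
        for e in hits[name]:
            print(f"ALARM {name}: {e['eventTime']} {e['userIdentity']['arn']} {e['eventName']}")
```

In the real pipeline the metric filter increments a CloudWatch metric and the alarm compares that metric with its threshold over a period, then notifies the SNS topic; the Python above performs the same two steps on a batch so the matching logic can be tested against known records before the filter patterns are deployed.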
Secure by Design
Visibility
• CloudTrail, Config and the AWS Console provide a lot of great information
• Can be hard to find the needle in the haystack...
• Enter Netflix OSS Security Monkey
“You can’t secure what you don’t know about…”
Secure by Design
Security Monkey
Screenshots: Overview; Overview - Search; Overview - Resources; Users with Admin (two screens); Users with Admin – What Changed?; VPCs with IGWs.
Secure by Design
Secure Bastions
Challenge
Diagram: RDP/SSH from the Internet to a Bastion, from which a Pivot reaches Your Data (SQL Server).
Solution
Secure Bastions: Multi-Factor Authentication
Diagram: RDP from the Internet to the Secure Bastion (replacing the plain Bastion); HTTPS also shown. Screenshots: Duo Login to Windows; Duo Login to Windows: MFA Prompt; Duo Login to Windows: Duo Mobile App; Duo Login to Linux.
Solution
Secure Bastions: Dedicated
Diagram: RDP to the Secure Bastion, RDP on to a dedicated SQL Tools Server, and SQL Mgmt from there to the SQL Server.
Solution
Secure Bastions: Restrict Network Egress
Diagram: RDP to the Secure Bastion, RDP to the SQL Tools Server, then the SQL Server; egress from these hosts to the Internet is restricted.
Solution
Secure Bastions: Restrict EC2 Instance Profiles
Diagram: a Logged-in User on the Secure Bastion receives Temporary AWS Creds from the “Secure Bastion” EC2 Instance Profile (IAM Role + IAM Policy); action shown: Delete RDS SQL DB.
Diagram (continued): the SQL Tools Server has its own “SQL Tools” EC2 Instance Profile (IAM Role + IAM Policy) issuing Temporary AWS Creds to its Logged-in User; actions shown: Delete RDS SQL DB, Create RDS SQL DB.
Solution
Secure Bastions: Disposable
Diagram: Secure Bastion deployed from a “Golden Image” AMI and replaced every 7 Days; an EBS Snapshot of the retired bastion is kept for Forensics.
Key learnings
Measure and Test, Monitor Everything
Welcome to the cloud - “Where's my span port?”
Security by Design - What's that?
Communication is Key - Who are your spokespeople?
Final takeaways
Repeatable and Automated build and management of Security Systems
Accelerated pace of security innovation
On-Demand security infrastructure that works at any scale
What can I do today?
Things you can do right now: User MFA Tokens, AWS Config, AWS CloudTrail
Things you should consider: Netflix Security Monkey, Duo MFA, Granular Roles
Only A/NZ AWS Premier Partner at the Summit
Over 700+ Happy Customers
What you can do today
• Visit us at stand: P2
• Contact us to discuss your requirements
[email protected] | 0800 258 773
• Enter our draw to win an Amazon Echo
Beautiful accounting software
www.xero.com
Thank you
Visit us at stand P2 to ask questions