Cloud computing offers many advantages, such as the ability to scale your web applications or website on demand. But how do you scale your security and compliance infrastructure along with the business? Join this session to understand best practices for scaling your security resources as you grow from zero to millions of users. Specifically, you learn the following: How to scale your security and compliance infrastructure to keep up with a rapidly expanding threat base. The security implications of scaling for numbers of users and numbers of applications, and how to satisfy both needs. How agile development with integrated security testing and validation leads to a secure environment. Best practices and design patterns of a continuous delivery pipeline and the appropriate security-focused testing for each. The necessity of treating your security as code, just as you would do with infrastructure. The services covered in this session include AWS IAM, Auto Scaling, Amazon Inspector, AWS WAF, and Amazon Cognito.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Eugene Yu – AWS Managing Consultant
Eric Gifford – Cambia Security Architect
Brad Davidson – Cambia Security Engineer
November 29, 2016
SEC305
Scaling Security Resources for
Your First 10 Million Customers

2. What to expect from the session
• Scale your security and compliance infrastructure
• Agile development with integrated security testing and
validation
• Treating your security as code

3. How do you scale
your security
resources?
workload
customers

4. No customer
One workload
workload
customers
security
resources

5. More customers
More workloads
workload
customers
Security appliances
Bigger boxes
security
resources

6. More customers
More workloads
workload
customers
More security appliances
Bigger boxes
Increased security staff

7. workload
customers
security
resources
Scaling is
hard…
More customers
More workloads

8. Security resources must scale to
keep pace with the business.
AWS
CLOUDTRAIL
AMAZON
INSPECTOR
AMAZON
VPC
AWS WAF AWS IAM
AWS KEY
MANAGEMENT
SERVICE
SERVER-SIDE
ENCRYPTION
ENCRYPTION
SDK

9. WhatsCat™
Connecting One Cat at a Time
WhatsCat™
LOL cats »

10. Application Development
Simple social media
application for Cats
WhatsCat™
LOL cats »

11. Let’s hope
this mobile app is
successful…
WhatsCat™
LOL cats »

12. WhatsCat TM
Launch Day (0 Cat)
 One AWS account
 One workload Workload
Amazon EC2 Instance
Amazon
Route 53
Time to establish
baseline security

13. Core Security Control
AWS IAM
Workload
Amazon EC2 Instance
Amazon
Route 53
AWS
IAM
MFA token
Developer
Network
User

14. Core Security Control
Amazon VPC
Workload
Amazon EC2 Instance
Amazon
Route 53

15. Core Security Control
Security Groups
Workload
Amazon EC2 Instance
Amazon
Route 53

16. Core Security Control
AWS CloudTrail
Workload
Amazon EC2 Instance
Amazon
Route 53
AWS
CloudTrail
Amazon S3

17. Core Security Control
Amazon CloudWatch
Workload
Amazon EC2 Instance
Amazon
Route 53
Amazon
CloudWatch

18. Cats > 1000
WhatsCat™

19. Adding a New Feature
Sharing photos with
other Cats
WhatsCat™
LOL cats »
Cat photos »

20. Resiliency
Multiple Availability Zones Web
instance
Amazon RDS DB
instance
active (Multi-AZ)
Availability Zone
Web
instance
Amazon RDS DB
instance standby
(Multi-AZ)
Elastic Load
Balancing
Amazon
Route 53
Availability Zone

21. Auto Scaling
Configure Auto Scaling to
scale to handle increased
traffic
Web
instance
Amazon RDS DB
instance
active (Multi-AZ)
Availability Zone
Web
instance
Amazon RDS DB
instance standby
(Multi-AZ)
Elastic Load
Balancing
Amazon
Route 53
Availability Zone

22. Data Protection
Web
instance
Amazon RDS DB
instance
active (Multi-AZ)
Availability Zone
Web
instance
Amazon RDS DB
instance standby
(Multi-AZ)
Elastic Load
Balancing
Amazon
Route 53
Availability Zone
AWS KMS
Amazon
S3

23. SEC305- Scaling Security Resources for Your
First 10 Million Customers
Presenters:
Eric Gifford – Security Architect
Brad Davidson – Security Engineer
© 2014 Cambia Health Solutions, Inc.
Our story

24. 2424
Our Cause
• Cambia - Born from an inspired idea
• Catalyst -> transform healthcare
• Person-focused & economically sustainable
• Embracing cloud innovation to provide personalized & intuitive experiences
• On AWS: Web applications, micro-services, data lake, data science capabilities
© 2016 Cambia Health Solutions, Inc.

25. 2525
Cloud Security & Automation Principles
• Embrace HIPAA-compliant Cloud & DevOps
• Automation: reduce deviations & risk
• Leverage the shared responsibility model by aligning to serverless
and managed services
• Build guardrails, not gates!
• Continuously monitor
© 2016 Cambia Health Solutions, Inc.

26. 2626 © 2016 Cambia Health Solutions, Inc.

27. 2727
Continuously monitor Cloud environments
λ functions to detect non-compliance:
1) MFA disabled
2) Unauthorized region
3) CloudTrail disabled
4) VPC flow logs disabled
And more…
© 2016 Cambia Health Solutions, Inc.

28. 2828
A good start?
Pros
• Simple
• Independent λ functions
Cons
• Customization in each λ
• Lack of context in CloudTrail
events
How to address this?
Keep building!
© 2016 Cambia Health Solutions, Inc.

29. 2929
Decouple & scale
• Move to a 3-tier Lambda
• Design for:
• Efficiency
• Context
• Flexibility
© 2016 Cambia Health Solutions, Inc.

30. 3030 © 2016 Cambia Health Solutions, Inc.

31. 3131
Good enough?
Pros
• Enrich event data for granularity
• Centralize policy/signature database
• Optimize λ for speed
Cons
• Complex to use, support, & maintain
• Need for regression testing
How to turn over to Ops and let them operate?
Keep building!
© 2016 Cambia Health Solutions, Inc.

32. 3232
What’s next for us?
• UI to manage policies, dashboard for reporting
• “Simulation mode” (aka Dry Run)
• Keep enrichment db current
• Integration with ticketing systems
• Apply secure configurations at creation
• VPC Flow Logs + Threat intel?
© 2016 Cambia Health Solutions, Inc.

33. 3333
Demo time!
© 2016 Cambia Health Solutions, Inc.

34. Cats > 100,000
WhatsCat™

35. Adding a New Feature
Simple social media
application for Cats
WhatsCat™
LOL cats »
Cat photos »
Cats near me (4) »

36. Security Infrastructure as Code
 Manage security infrastructure
just like your business
workloads
 Strong change management
processAWS
CodeCommit

37. Security Infrastructure as Code
AWS
CodeCommit
Security infrastructure code
• IAM, VPC, Logging,
Application
• Security architecture
document
• Threat modeling analysis
• Security controls document

38. Security Infrastructure as Code
IAM stack
Infrastructure
stack
Logging
stack
IAM configuration with custom policies, groups,
and roles
VPC, security groups, network ACL, NAT gateway
configuration
AWS CloudTrail, Amazon S3 buckets, and bucket
policies for logging and archive data, Amazon
CloudWatch alarms for security-related CloudTrail
events

39. Why Security Infrastructure as Code?
Assurance
and visibility
Traceability
and change
management
Knowledge
management
Version and
Source control

40. Security CI/CD
Pipeline
 Integrates and delivers your workloads
 Is your most sensitive security workload
Product Release
App Code
Infrastructure Code
Security Code

41. Security of the CI/CD pipeline
Securing the application starts with securing the pipeline
• Least privilege access
• Logging and monitoring of the pipeline
AWS
IAM
AWS
CloudTrail
Amazon
CloudWatch
Security CI/CD
Pipeline

42. Security in the CI/CD pipeline
Integrated security testing and validation
• Security unit test
• Vulnerability management
Amazon
Inspector
Security and Compliance
Unit Tests
Security CI/CD
Pipeline

43. AMI Lifecycle Management
InstancePublic
AMI
Golden
AMI
Launch
instance EC2
Configure
instance
Hardened
instance
Bake AMI
Hardening and
configuration
User administration
Operating system
Running
instances
Launch
AWS
Config
AWS
Lambda
Automate AMI
baking
Amazon
Inspector
Amazon
Inspector
Amazon
Inspector
Decommission

44. Cats > 1million
WhatsCat™
Cats > 1 million

45. Adding a New Feature
Buy Cat Food feature
WhatsCat™
LOL cats »
Cat photos »
Cats near me (4) »
Buy
Cat Food!

46. Encrypting
Customer Data Elastic Load
Balancing
Amazon
Route 53
AWS KMS
DynamoDB
Application
 Encrypt using client-
side library for
DynamoDB in Github
 Encrypt data in
applications using the
AWS encryption SDK
in your application

47. Multi-region Customers

48. Multi-region Deployments
Amazon
CloudFront
Amazon
CloudFront
Elastic Load
Balancer
DynamoDB
Application
Amazon RDS
Elastic Load
Balancer
DynamoDB
Application
Amazon RDS
Elastic Load
Balancer
DynamoDB
Application
Amazon RDS

49. AWS WAF
Good Cats
Bad Dogs AWS
WAF
Amazon
CloudFront
Elastic Load
Balancing
Amazon
Route 53
Amazon
DynamoDB
Application
Amazon RDS

50. Cats > 10 million
WhatsCat™

51. • Assess current incident
response processes and
procedures
• Test the cloud incident
response process via a
simulated exercise
Security Incident Response Simulation

52. A security practitioner's job is
to answer tough questions
Automate the way security
practitioners answer these
questions
WhatsCat™

53. Thank you!

54. Remember to complete
your evaluations!

55. Related sessions
• ARC201 - Scaling Up to Your First 10 Million Users
• SEC313 - Automating Security Event Response, from
Idea to Code to Execution
• SAC312 - Architecting for End-to-End Security in the
Enterprise
• DEV302 - Automated Governance of Your AWS
Resources