Cloud Security for Regulated Industries - MSC301 - re:Invent 2017
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cloud Security for Regulated Industries
MSC301
November 28, 2017
2. Building a secure, healthcare-compliant framework to accelerate the adoption of a cloud-first strategy on AWS
Agenda
• Introductions
• A brief history of our journey to the cloud
• Establishing a Cloud Center of Excellence
• Heuristics: cloud-first and security by design
• Automation in all things
• Building a gold base AMI
• Scanning for compliance
• Q&A
3. Introductions
Torsten Kablitz, VP of IT, Cloud Engineering, Change Healthcare, tkablitz@changehealthcare.com
Benjamin Andrew, Global Leader, Security & Network Infrastructure, AWS Marketplace, Amazon Web Services, benand@amazon.com
4. Change Healthcare
Championing improvement before, after, and in between care episodes, and helping to provide a visible measure of quality and value
• 5,500 Hospitals
• 130,000 Dentists
• 2,100 Payer Connections
• 12 billion Healthcare Transactions
• $2.0 trillion Healthcare Claims
• 1 in 5 US Patient Records
• 800,000 Physicians
• 600 Laboratories
5. What we hear from our customers
Challenges
• Software entitlement and deployment models
• Complex agreement management
• Constant renewal and replacement
• Out-of-date procurement mechanisms
• No single approved catalog of software in place
Customers want to
• Rapidly innovate by buying and deploying software solutions on-demand
• Simplify and streamline purchasing, license management, and invoicing
• Upgrade on demand
• Reduce cost while picking new standards
6. AWS Marketplace
Find, buy, deploy, and manage software in the cloud
• Deploy software on demand
• Curated software from trusted vendors
• 1280+ ISVs
• 4200+ product listings
• Simplified procurement and deployment
• Billed through AWS account
• Deployed in 15 regions around the world
• 160,000 active customers
7. A brief history of our journey to the cloud
8–10. A brief history of our journey to the cloud
2015: 2 Accounts, 20 VPCs (Production, Non-Prod)
2016: 29 Accounts, 62 VPCs
2017: 35 Accounts, 35 VPCs (Production, Non-Prod, Shared Services, Security, Data Center)
11. Where we are today
(Architecture diagram) Labels: AWS cloud; virtual private cloud; VPC subnet; Shared Services; Security; corporate data center; AWS IAM; AWS KMS; Amazon CloudWatch; AWS CloudTrail; AWS Config; DNS; AWS Direct Connect; AMI; SSO; Log Analysis; Logging; flow logs; VPC peering; Auto Scaling group; Amazon EC2; Elastic Load Balancing; Amazon RDS; Amazon S3; Amazon SES; Amazon SQS; security group; Non-Prod; Prod
12. Where we are today
(Diagram) Shared Services, Security, Data Center
13. Heuristics: cloud-first & security by design
Establishment of Engineering Heuristics—rules you won’t break
• Cloud-First—the cloud is not just another data center with virtual machines
  • Leverage managed services
  • For every problem, ask: how do we best solve this in the cloud using current best practices?
  • Let the modern tools solve the old hard problems
• Security by Design
  • Secure every part all the time
  • Apply the principle of Least Privilege
• Automate Everything
  • Build everything as Infrastructure as Code
  • Do not log in to the console and make changes
  • Never log in to a server
14. Heuristics: cloud-first & security by design
Secure, Managed, Standards, Documented, Infrastructure as Code
15. Security & compliance is a shared responsibility
Customer: responsible for security IN the cloud
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption/integrity/identity)
AWS: responsible for security OF the cloud
• Compute, storage, database, networking
• AWS global infrastructure: regions, availability zones, edge locations
16. Security solutions in AWS Marketplace
In addition to the already secure AWS Cloud, AWS Marketplace offers industry-leading security solutions to help you secure operating systems, platforms, applications, and data that can integrate with existing controls in your AWS cloud and hybrid environments
• Deploy when you need it, one-click launch in multiple regions around the world
• Ready-to-run on AWS—both preconfigured and customizable for your unique needs
• Metered pricing by the hour. Pay only for what you use. Volume licensing available
Infrastructure Security: keep your applications and data safe from threats
Logging & Monitoring: monitor all the activities in your application infrastructure
Configuration & Vulnerability Analysis: uncover vulnerabilities within your apps and get expert remediation advice
Data Protection: keep your data safe from unauthorized disclosure and modification
17. Security subcategories
Subcategories: Network Security; Security Intelligence; Identity & Access Management; Server / Endpoint; Data Security; Security Orchestration; Application Security
Vendor descriptions:
• Provides customers with uncompromised protection against all types of threats, reduces security complexity and lowers total cost of ownership.
• With Sumo Logic, you can collect, compress, and securely transfer all of your log data regardless of volume, type, or location
• Easy, fast and secure way to search, analyze and visualize massive data streams
• OneLogin, the innovator in Identity and Access Management-as-a-Service (IDaaS)
• Dome9 automates AWS security groups and adds an extra layer of protection against hackers
• Proactive security from a single agent designed for AWS
• Okta is an integrated identity and mobility management service
• Protection of data, digital identities, payments, and transactions from the edge to the core
• Quickly create a hybrid architecture that extends your existing data center into AWS via encrypted tunnels
• Get hourly proactive protection for your AWS workloads with Trend Micro Deep Security
• Cloud-native infrastructure security solution providing full coverage of all AWS accounts, services and regions
• Many AWS-hosted applications choose Barracuda, an AWS Preferred Security Competency Partner, due to its continuous monitoring and policy tuning by world-class security experts
• Imperva SecureSphere WAF for AWS extends all of the security and management capabilities of the world's most-trusted web application firewall to Amazon Web Services environments
Other popular solutions (per subcategory): Fortinet; Bitium, ClearLogin, Ping Identity; HyTrust, CTERA; Tenable, Qualys; Symantec, Unisys; Fortinet; Check Point, Fortinet, Alert Logic
19. Allgress regulatory product mapping tool
RPM Product Explorer identifies solutions in AWS Marketplace that can partially or fully implement the requirements of a security control. The screen below illustrates several AWS Marketplace solutions which can help remediate control requirements.
20. Product Explorer overview view; Product Explorer zoomed view (screenshots)
21. Product Explorer zoomed view
Vendor products are mapped directly to the associated compliance controls. A customer can select an individual vendor and quickly see all the compliance controls that the vendor fulfills.
The customer can then generate a report of their selected products or choose to go directly to the vendor’s marketplace listing or vendor website.
22. Automate Everything—Gold Base AMI
23. Building a private catalog
AWS Marketplace and AWS Service Catalog
Pipeline: Build, Validate, Approve, Distribute
Result: Approved AppStack
24. Building the gold base AMI
(Diagram) Labels: Instance, Base AMI, Instance, Candidate AMI, Scripts, Updates, Software, Scan, SSM Automation Document. The SSM Automation Document drives the build from the Base AMI to the Candidate AMI, applying scripts, updates and software to the instance and running a scan.
25. Building the gold base AMI
(Diagram) Labels: Instance, Base AMI, Gold AMI, Ansible AMI, Ansible Instance, ssh keys, Download Playbook, Execute Playbook, SSM Automation Document. The SSM Automation Document launches an Ansible Instance from the Ansible AMI; the Ansible Instance downloads the playbook and executes it over ssh (ssh keys) against the Instance launched from the Base AMI, which then becomes the Gold AMI.
26. Building the gold base AMI
(Diagram) Labels: Instance, Base AMI, SSM Automation Document, Validation Tool, Email Notification, SSM Parameter Store, Approve, Approver, AMI ID. A Validation Tool checks the candidate, an Email Notification goes to the Approver, and on Approve the AMI ID is written to SSM Parameter Store.
27. Building the gold base AMI
(Diagram) Labels: Instance, Base AMI, SSM Automation Document, Email Notification, SSM Parameter Store, Approve, Approver, AMI ID, Amazon Inspector. Same flow as the previous slide, with Amazon Inspector providing the scan before the Approver is notified and the approved AMI ID is written to SSM Parameter Store.
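The build and approval flow on slides 24 to 27, written as an SSM Automation document. This is an added example and not the deck's or Change Healthcare's own document: the step names, the parameter names, the Parameter Store path /cie/gold-ami/latest and the use of an SNS topic behind the approval e-mail are assumptions, and the Ansible playbook and Amazon Inspector scan steps shown on the slides are not included. The document is generated as a Python dict so that cross-step references can be checked before it is registered with ssm.create_document.

```python
import json
import re

# Matches {{ stepName.OutputName }}; plain {{ ParameterName }} and {{ global:DATE_TIME }} do not match.
STEP_REF = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\s*\}\}")


def build_gold_ami_document(parameter_path="/cie/gold-ami/latest"):
    """SSM Automation document (schemaVersion 0.3) following the slides' flow:
    launch from base AMI, patch via Run Command, image, human approval, publish.
    parameter_path and the parameter names are assumptions of this example."""
    instance_ref = "{{ launchInstance.InstanceIds }}"
    return {
        "description": "Build, approve and publish a gold base AMI (added example)",
        "schemaVersion": "0.3",
        "assumeRole": "{{ AutomationAssumeRole }}",
        "parameters": {
            "SourceAmiId": {"type": "String"},
            "InstanceType": {"type": "String", "default": "t3.micro"},
            "IamInstanceProfileName": {"type": "String"},
            "AutomationAssumeRole": {"type": "String"},
            "ApproverArn": {"type": "String"},      # IAM principal allowed to approve
            "NotificationArn": {"type": "String"},  # SNS topic behind the e-mail notification
        },
        "mainSteps": [
            {"name": "launchInstance", "action": "aws:runInstances", "onFailure": "Abort",
             "inputs": {"ImageId": "{{ SourceAmiId }}", "InstanceType": "{{ InstanceType }}",
                        "MinInstanceCount": 1, "MaxInstanceCount": 1,
                        "IamInstanceProfileName": "{{ IamInstanceProfileName }}"}},
            # "Scripts / Updates / Software": patch through Run Command, never by logging in.
            {"name": "applyUpdates", "action": "aws:runCommand",
             "inputs": {"DocumentName": "AWS-RunShellScript", "InstanceIds": [instance_ref],
                        "Parameters": {"commands": ["sudo yum update -y"]}}},
            {"name": "stopInstance", "action": "aws:changeInstanceState",
             "inputs": {"InstanceIds": [instance_ref], "DesiredState": "stopped"}},
            {"name": "createCandidateImage", "action": "aws:createImage",
             "inputs": {"InstanceId": instance_ref, "NoReboot": True,
                        "ImageName": "gold-base-{{ global:DATE_TIME }}"}},
            {"name": "terminateInstance", "action": "aws:changeInstanceState",
             "inputs": {"InstanceIds": [instance_ref], "DesiredState": "terminated"}},
            # "Email Notification / Approve / Approver": the run blocks until a human signs off.
            {"name": "waitForApproval", "action": "aws:approve", "timeoutSeconds": 86400,
             "onFailure": "Abort",
             "inputs": {"NotificationArn": "{{ NotificationArn }}",
                        "Message": "Candidate gold AMI {{ createCandidateImage.ImageId }} awaits review",
                        "MinRequiredApprovals": 1, "Approvers": ["{{ ApproverArn }}"]}},
            # "SSM Parameter Store / AMI ID": only an approved AMI reaches the parameter.
            {"name": "publishAmiId", "action": "aws:executeAwsApi",
             "inputs": {"Service": "ssm", "Api": "PutParameter", "Name": parameter_path,
                        "Value": "{{ createCandidateImage.ImageId }}", "Type": "String",
                        "Overwrite": True}},
        ],
        "outputs": ["createCandidateImage.ImageId"],
    }


def unresolved_step_references(doc):
    """(step, referenced_step) pairs where a step consumes the output of a step
    that does not run before it; an empty list means the wiring is sound."""
    seen, problems = set(), []
    for step in doc["mainSteps"]:
        for target, _output in STEP_REF.findall(json.dumps(step["inputs"])):
            if target not in seen:
                problems.append((step["name"], target))
        seen.add(step["name"])
    return problems


def document_content(doc):
    """JSON body for ssm.create_document(Content=..., DocumentType="Automation",
    DocumentFormat="JSON"); refuses to emit a document with unresolved references."""
    problems = unresolved_step_references(doc)
    if problems:
        raise ValueError(f"unresolved step references: {problems}")
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print(document_content(build_gold_ami_document()))
```

The approval step sits between image creation and publication on purpose: the Parameter Store value that consumers launch from can only ever hold an AMI a named approver has signed off, and the step-reference check fails the build before registration if someone reorders the steps so that publication no longer depends on the approved image.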
28. Distributing across regions and accounts
(Diagram) Regions: us-east-1, us-west-2, ca-central-1. Accounts: CIE Team, Dev Team A, Dev Team B. Actions: Copy, Share, SSM PS. The CIE Team copies the gold AMI into each region, shares it with the Dev Team A and Dev Team B accounts, and publishes the AMI ID through SSM Parameter Store (SSM PS).
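The copy, share and Parameter Store steps from the slide above, as an added example that is not Change Healthcare's code. It assumes boto3, a customer-managed KMS key alias alias/cie-gold-ami present in each region, the parameter path /cie/gold-ami/latest, and constructed account and AMI IDs; the client_factory argument lets the same logic run offline against the constructed FakeClient.

```python
import re

try:
    import boto3  # only needed for real AWS calls; the offline demo injects a fake client
except ImportError:
    boto3 = None

ACCOUNT_ID = re.compile(r"^\d{12}$")


def is_valid_account_id(account_id):
    """Only explicit 12-digit account IDs may receive launch permission; the
    'all' group (which would make the AMI public) is rejected before any API call."""
    return bool(ACCOUNT_ID.match(str(account_id)))


def distribute_gold_ami(source_region, source_ami_id, target_regions, account_ids,
                        kms_key_id="alias/cie-gold-ami", parameter_path="/cie/gold-ami/latest",
                        client_factory=None):
    """Copy the approved AMI into every target region, share it with the dev-team
    accounts, and publish the per-region AMI ID in Parameter Store.
    Returns {region: ami_id}. Key alias and parameter path are assumptions."""
    bad = [a for a in account_ids if not is_valid_account_id(a)]
    if bad:
        raise ValueError(f"refusing to share with non-account principals: {bad}")
    if client_factory is None:
        if boto3 is None:
            raise RuntimeError("boto3 not installed and no client_factory supplied")
        client_factory = boto3.client
    published = {}
    for region in target_regions:
        ec2 = client_factory("ec2", region_name=region)
        if region == source_region:
            ami_id = source_ami_id
        else:
            # Encrypted copy under a customer-managed key (assumed to exist in each
            # region): the default aws/ebs key cannot be shared with another account.
            copied = ec2.copy_image(Name=f"gold-base-{source_ami_id}",
                                    SourceImageId=source_ami_id, SourceRegion=source_region,
                                    Encrypted=True, KmsKeyId=kms_key_id)
            ami_id = copied["ImageId"]
            ec2.get_waiter("image_available").wait(ImageIds=[ami_id])
        # Share with the named accounts only (the "Share" arrow on the slide).
        ec2.modify_image_attribute(
            ImageId=ami_id,
            LaunchPermission={"Add": [{"UserId": a} for a in account_ids]})
        # Parameter Store is regional, so the same path is written in every region.
        ssm = client_factory("ssm", region_name=region)
        ssm.put_parameter(Name=parameter_path, Value=ami_id, Type="String", Overwrite=True)
        published[region] = ami_id
    return published


class FakeClient:
    """Constructed stand-in for boto3 clients so the flow can be exercised offline."""
    def __init__(self, service, region_name):
        self.service, self.region, self.calls = service, region_name, []

    def copy_image(self, **kw):
        self.calls.append(("copy_image", kw))
        return {"ImageId": f"ami-copy-{self.region}"}

    def get_waiter(self, name):
        return self

    def wait(self, **kw):
        pass

    def modify_image_attribute(self, **kw):
        self.calls.append(("modify_image_attribute", kw))

    def put_parameter(self, **kw):
        self.calls.append(("put_parameter", kw))


def demo():
    """Offline run with constructed IDs: the CIE account builds in us-east-1 and
    distributes to the three regions on the slide for two dev-team accounts."""
    return distribute_gold_ami(
        source_region="us-east-1", source_ami_id="ami-0123456789abcdef0",
        target_regions=["us-east-1", "us-west-2", "ca-central-1"],
        account_ids=["111111111111", "222222222222"],  # constructed placeholders
        client_factory=FakeClient)


if __name__ == "__main__":
    print(demo())
```

Dev teams then resolve the AMI from the Parameter Store path in their own region instead of hard-coding IDs, so a newly approved build reaches them without changing their templates; the account-ID check keeps a typo in the share list from ever turning the gold image into a public AMI.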
29. Scanning
30. Scanning for compliance
We use CloudHealth to scan for CIE security benchmarks and AWS best practices compliance
31. Tools Change Healthcare likes…
32. Q&A
33. Contacts
Torsten Kablitz, VP of IT, Cloud Engineering, Change Healthcare, tkablitz@changehealthcare.com
Benjamin Andrew, Global Leader, Security & Network Infrastructure, Amazon Web Services, benand@amazon.com