Arquitectura para seguridad punto a punto en la empresa

Arquitectando la seguridad de
punta a punta a nivel corporativo
Mayo, 2017

© 2017, Amazon Web Services
¿Qué esperar de esta sesión?

Management VPC
Users
Archive Logs
Bucket
S3 Lifecycle
Policies to
Glacier
CloudTrailAWS Config
Rules
CloudWatch
Alarms
NAT
us-east-1b
Bastion
us-east-1c
Potential use
for security
appliances for
monitoring,
logging, etc.
http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/overview.html

•Arquitectura de Seguridad
• Framework
• Puntos claves
•¿Qué significa ”punta a punta”?
• Definición
• Habilidades de traducción
•Ejemplos de controles de seguridad implementados
de ”punta a punta”

Tema recurrente: ”Todo es código”

Arquitectura de Seguridad como práctica

People
Perspective
Process
Perspective
Security
Perspective
Platform
Perspective
Operating
Perspective
Business
Perspective
Identity &
Access
Management
Detective
Controls
Infrastructure
Security
Data
Protection
Incident
Response
1
2
3
4
5
Perspectiva de
Seguridad
COMPONENTES:
• Establecer las directivas de
seguridad
• Identificar medidas
preventivas
• Inspeccionar y detectar
posibles infraccciones a las
políticas
• Crear playbooks para
responder a eventos de
seguridad
SecDevOps
CI/CD
Compliance /
Validation
Resilience
Config &
Vulnerability
Analysis
Cloud Adoption
Framework (CAF)
Security Big
Data &
Analytics
6
7
8
9
10
A U G M E N T E D
S E C U R I T Y
E P I C S

La seguridad como ”Epics” y flujo de
”Sprints”
Sprint
1
Sprint
2
Sprint
3
Sprint
4
Sprint
5
Sprint
6
Sprint
7
Sprint
8
Entradas / PreWork
Security &
Compliance
Workshop
Security IR
Simulation
Seguridad &
Cumplimiento
1. Share Resp. Model
2. Security Cartography
3. 3rd Party Oversight
Identity & Access Mgt.
Detective Controls
Infrastructure Security
Data Protection
Incident Response
Requerimientos

Modelo de Responsabilidad
Compartida
https://aws.amazon.com/compliance/shared-responsibility-model/

Puntos claves – Hitos
Entregables para no perder el rumbo

Puntos claves – Métricas
https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf

¿Qué significa ”Punta a Punta”?

Criterios de ”Punta a Punta”: Trazabilidad

Mapeo de Controles
http://docs.aws.amazon.com/quickstart/latest/accelerator-nist/welcome.html

Criterios de ”Punta a Punta”: Feedback
Ciclo de mejorías
- Ampliar alcance, mayor eficiencia
- Corregir deficiencias, remediar

Habilidades de traducción
•Leer el ”Código Fuente”
•Personas de compliance pueden
codificar/Desarrolladores pueden leer frameworks
de control
•Documentar, documentar, documentar…...

Ejemplos de controles de seguridad
(implementados de ”punta a punta”)

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Identity & Access Management

Habilidades de traducción – Gestión de
cuentas
NIST 800-53 Access Control Family (AC)
AC-2 Account Management
Control: The organization:
a. […];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and
other attributes (as required) for each account;
e. Requires approvals by for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts [...];
• [1] – NIST Special Publication 800-53 Revision 4; Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

cuentas (reducción de palabras)
NIST 800-53 Access Control Family (AC)
• AC-2 Account Management
• Control: The organization:
• a. […];
• b. Assigns account managers for information system accounts;
• c. Establishes conditions for group and role membership;
• d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e.,
privileges) and other attributes (as required) for each account;
• e. Requires approvals by for requests to create information system accounts;
• f. Creates, enables, modifies, disables, and removes information system accounts [...];
• [1] – NIST Special Publication 800-53 Revision 4; Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

cuentas (reducción de palabras)
Verbos Sustantivos
Asignar Gestores de cuentas
Establecer Grupos y roles
Especificar Privilegios y atributos
Requerir Aprobaciones
Crear, habilitar/deshabilitar,
modificar, eliminar
Cuentas

Gestión de cuentas: ”Punta a Punta”
Ciclo de mejorías
- Menor privilegio, NeedToKnow

Política de IAM - Ejemplo
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html

Portal
BD
Roles
Roles
Cuenta central
Seguridad
Cuenta de recursos
Cuenta de recursos
Federación de acceso Cross-Account

A6
Development Test Production
A8A1
A5
A4A3
A2
A9
A7
Security
AWS Organizations

Amazon Organizations:
Service Control Policies (SCP)
• Define los servicios que pueden ser accedidos
• SCPs pueden ser aplicadas a nivel de:
- Organización
- OUs
- Cuenta AWS
• SCPs son heredadas (Cuenta AWS, OU, Organización)

A6
Development Test Production
A8A1
A5
A4A3
A2
A9
A7
Security
AWS Organizations 32
Amazon Organizations

Controles de Detección

NIST 800-53 Audit & Accountability Family (AU)
AU-6 Audit Review, Analysis, and Reporting
• Control: The organization:
• a. Reviews and analyzes information system audit records for indications of organization-defined
inappropriate or unusual activity.
• b. Reports findings to organization-defined personnel or roles.
• [1] – NIST Special Publication 800-53 Revision 4; Security and Privacy Controls for Federal Information Systems and Organizations,
Habilidades de traducción – Controles de
detección

Controles de detección: ”Punta a Punta”
Ciclo de mejorías
- Nuevas reglas, Extensión de alcance

Análisis exploratorio – Usando VPC Flow Logs para
detectar comportamiento anormal (beaconing)
Histograma: Granularidad en segundos
Histograma: Granularidad de 20 minutos
• Analizando el flujo en una escala
de seg. o ms no muestra un
patrón.
• Consolidando los datos con
granularidad de 20 minutos
permite una visualización clara del
patrón.

2.AmazonKinesis
Firehose
6 Cluster History by Host
Communication
5a.SparkDataPrep
Applicationand
StoreinS3
5c–k-Means
7. Cluster
Changed Alarm
3.StorerawdatainS3
5.bStoreEnriched
datainS3
5.EMR
20MinBatch
8.EMR
RunDaily
9.SparkDataPrep
Applicationand
StoreinS3
10.DailyBatch
SparkStreamingK-
Means
4. Amazon Glacier
5d.–Identify
Changes
11.HiveMetastore
12.PrestoOnDemand
EMRandSparkCluster
13.
Zeppelin
Notebook
EC2
1-1Lambda
Runson
Schedule
1-2.Lambda–
CollectENIData
peracct
MVP 1 – Procesamiento en Batch: 20min y diario
Flow
Logs

Seguridad de Infraestructura

NIST 800-53 Configuration Management Family (CM)
CM-2 Baseline Configuration
Control: The organization develops, documents, and maintains under configuration control, a current
baseline configuration of the information system.
This control establishes baseline configurations for information systems and system components including communications and connectivity-related
aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or
configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems.
Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook
computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and
configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining
baseline configurations requires creating new baselines as organizational information systems change over time.[1]
Configuración

NIST 800-53 Configuration Management Family (CM)
CM-2 Baseline Configuration
Control: The organization develops, documents, and maintains under configuration control, a current
baseline configuration of the information system.
This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems.
Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration
items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include
information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network
components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration
settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline
configurations requires creating new baselines as organizational information systems change over time.[1]
Configuración

• Baseline configurations are documented, formally reviewed and agreed-upon
sets of specifications
• Palabras Clave (Sustantivos): “Documented […] sets of specifications”
Configuración
Componente Documentación
Red Tablas de enrutamiento
Reglas de FW
Políticas de balanceador
Subredes
Sistema Operativo Versión
Librerías
Nivel de patches
Aplicaciones Código
Parámetros de build
Dependencias
Archivos de configuración

• Baseline configurations are documented, formally reviewed and agreed-
upon sets of specifications
• Palabras Clave (Verbos): “ […] formally reviewed and agreed-upon […] ”
Configuración
Componente Revisión
Red Tickets
Requerimientos de servicios
Commit de código
Pull request
Sistema Operativo Master Image
Commit de código
Build
Aplicaciones Tickets
Commit de código
Build
Pull request

Gestión de Configuración: ”Punta a Punta”
Ciclo de mejorías
- Aumentar el alcance, Service Catalog

Gestión de Configuración: ”Punta a Punta”
Ejemplo de arquitectura
AWS
CloudFormation
AWS
CodeCommit
AWS
CodePipeline Template
Diseño del Control Implementación del Control
AWS
CloudTrail
AWS
Config
Validación
de
Efectividad
EC2
VPC
SecGroups
RDS
APIGW

Remember to complete
your evaluations!
¡No olvide llenar su
evaluación!

¡GRACIAS!

Arquitectura para seguridad punto a punto en la empresa

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Arquitectura para seguridad punto a punto en la empresa

Similar a Arquitectura para seguridad punto a punto en la empresa (20)

Más de Amazon Web Services LATAM

Más de Amazon Web Services LATAM (20)

Último

Último (20)

Arquitectura para seguridad punto a punto en la empresa