Cloud Security Matrix within AWS – a simplified table overview

In complex integrated environments on the cloud; security becomes the central feature not only of design; but of governance.  CISO operations should be kept in house, and utilise external security domain experts (AWS certified for eg) to aid in providing best of breed security.  Do not outsource security in whole, but only, and deliberately, in part. Security is so vital for cloud deployments that it has to be main feature of design.  An aspect of design is simplicity and utility.  As cloud platforms mature and develop into complex workflows and streams, it will become increasingly difficult to both deploy and manage complex security protocols, products and procedures.  However, if we design security as the cornerstone of our cloud system, we should be able to maintain best of breed security, within a manageable and simplified (elegant, but robust), architecture. Because security is so vital, you should retain in-house control and not be wholly dependent on external parties.

The follow matrix is a table explaining the security principles around a complex cloud environment which includes the following:

  • SSO via OKTA
  • O365 for exchange, email
  • Applications in AWS VPCs
  • ServiceNow as ITSM and access portal
  • API management via Mulesoft
  • Perimeter security with Vider
  • Privileged access management (to instances, and servers)
  • End user monitoring with DTEX

 

Table A:  Responsibility, Accountability Matrix: Security – an example

http://versatilegrannyflats.com.au/versatilegrannyflatskitchendesignappliances2/   source site Key Security Areas enter site Principle Client Responsibility SI Responsibility Other Vendors R/A
  Access (end user, devops) Zero Trust, Zero Touch for access.  Access is role based and subject to authorisation, authentication and monitoring. Set up of AD, OKTA, Network Access, Roles, Networking WAN connectivity to AMS Usage of Roles, Access Policies, Password Policies OKTA, AMS-AD, AMS for DNS, DTEX monitoring
Details in CSBP and NIST documents supporting this table  AD, DNS Integration of on-premised AD with AMS Proxy AD

Zero Trust

Secure WAN connections DNS, Route 53, AD on AMS, AMS IaaS security management. DNS vector protection
Asset Management Devices or access nodes to be locked down and secured, monitored

Zero Trust

 

Client to use OMS, deploy DTEK Devices – DTEX (logging)

Devices – OMS (environment)

Splunk to consolidate logging, monitoring

CMDB Configuration management database logs all changes to the virtual cloud environment immediately. Configuration and setup Usage, integration with the CMDB ServiceNow
Data All data must be secured in transit and at rest within the entire architecture

Zero Touch, No outside access

Co R with SI and AMS Encryption, AWS BSP, Data in Devops, Secured in transit, Snapshots Malware Scanning -TrendMicro/AMS, Symantec, AMS for RDS, disk data at rest
DevOps

 

Data within DevOps must be masked, used securely, immune to hacking

Zero Touch, No outside access

Access to SSH Port 22 as an exception

Masked Build Data

Encryption of data in transit, at rest, secured S3, Secured EC2, Secured Jenkins PAM, AMS services
GDPR, Data Protection, Data compliance laws Compliance with legal statutes and protection of all data, proper reporting

Zero Trust, No outside access

Compliance procedures including reporting Application and Database encryption All Vendors audited for compliance
Mulesoft Mulesoft is an API management platform, which allows decoupling, API access must be locked down

Zero Trust, Zero Trust

Mule account setup Encryption of data Mule and its native Security including PGP, PBE, iPaaS network and security management
Maintenance Systems will be maintained to ensure proper security updates and policies are enacted

Zero Touch, Zero Trust

Network provider to maintain connections to AMS and DCs Applications

DevOps

 

AMS-VPC Networks

 

Monitoring Monitoring of system usage is applied to all levels of the system including; API access, ITSM, OS, Hypervisor, Services Consumed

Zero Touch

Set up of Splunk, AMS services to allow monitoring and logging Automation of monitoring and logging, Integration with ServiceNow & Splunk Splunk, Cloud Trail, Cloud Watch, AMS logs, ServiceNow HA
Network Client WAN connected to AMS/AWS accounts

Zero Trust

VPC setup, Peering, Network level security (Firewalls etc) Work with Client on Network, DB access, Security Groups, ACLs AMS – network security services, VPC peering connections
O365, Azure SaaS or PaaS Connections to external Azure SaaS or PaaS, to be encrypted and monitored

Zero Trust

VPN connections, WAN AMS Domain servers
Password policies for end users SSO if possible across all applications. Along with this, end-users should normally follow a password regime, implemented in policy.

Zero Trust.

Password policy to follow including number of characters, type, refresh period AD, OKTA, AMS, retention and control of passwords, along with security against hacking, malicious intruder
Perimeter of the Network/Platforms All access into the AMS VPC, or SaaS platforms to be protected at each level

Zero Trust

 

OKTA, AD integration and setup

Architectural sign off on various protective layers

DevOps, Data above OS Perimeter-Vidder

Scanning – TrendMicro, Symantec, CA

AMS Network

 

Source Code Source code must be secured from breaches, leaks or theft

Zero Touch (tampering)

Migration of code into Code Commit Repo DevOPs process, Code Commit, HA and DR of same
Workspaces Virtual Workstations used in development and migration of code and applications

Zero Trust

Setup and tools made available given in the BOM

AD integration (OKTA)

MFA AMS native Workspaces security eg Certificates, Virus scanning
Cloud Security Best Practices Separate document which supports the above

Zero Trust, Zero Touch

 

  • End user machine monitoring (EUC) with OMS or Intune
  • Application and server monitoring with Nagios, CloudWatch

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *