Tcp security white paper

SECURITY SUMMARY

TurningPoint Cloud

Amazon Web Services (AWS)

Amazon Web Services (AWS) is a leading provider of cloud-based services and solutions. There are several important reasons that Turning Technologies chose AWS to be our cloud hosting provider for the TurningPoint Cloud system, including web-based response option ResponseWare:

• Secure: In order to provide end-to-end security and end-to-end privacy, AWS builds services in accordance with security best practices, provides the appropriate security features in those services, and documents how to use those features.
• Scalable and Elastic: Organizations can quickly add and subtract AWS resources to their applications in order to meet customer demand and manage costs.
• Experienced: When using AWS, organizations can leverage Amazon’s more than 15 years of experience delivering large-scale, global infrastructure in a reliable, secure fashion.

Security

Security is one of the fundamental design requirements of the TurningPoint Cloud application. This requirement is comprised of several key aspects that, when combined, create a secure system.

Data Privacy

The protection of customer data is a very important requirement of the TurningPoint Cloud system. TurningPoint Cloud contains Personal Identifying Information (PII) in the form of first and last name, email address and (potentially) student identification number. In order to secure this PII data at rest, these fields are encrypted within the AWS Relational Data Store (RDS) database using industry “best practice” encryption technologies.

Network Security

All communication between the end user and the TurningPoint Cloud application is performed over the HTTPS “Secure Socket Layer” (SSL) protocol. In the event that an end user makes a regular HTTP request, TurningPoint Cloud will automatically rewrite the non-secure HTTP request into an HTTPS request before allowing the end user to access the information. TurningPoint Cloud utilizes AWS firewalls and security groups to limit communication between service layers and between individual servers. TurningPoint Cloud is hosted by our own Virtual Private Cloud (VPC) within the AWS infrastructure. This VPC architecture provides additional isolation for the TurningPoint Cloud application.[4]

Service Security

Individual AWS services and hosted servers are secured using AWS Identity and Access Management (IAM). IAM provides a role-based system for controlling access to services and servers. The TurningPoint Cloud architecture utilizes IAM roles to limit the group of administrators that are authorized to sign in to the hosted services and servers. IAM roles are also utilized to control the actions that each type of hosted server is allowed to perform within the AWS service environment.[5]

Physical Security

Physical security encompasses limiting access to actual hardware computing infrastructure. This is one of the most important tenets of application security, as a failure at this level can render security controls at other levels useless. Law #3 of the “Microsoft 10 Immutable Laws of Security” article states: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”[2]

AWS takes many steps to ensure the physical security of their data centers. The first of these measures involves “limiting knowledge of the location of the data centers to those within Amazon who have a legitimate business reason for this information.”[1] For employees that are authorized to access the data center, “physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.”[3]

In addition to these access controls, AWS provides fire detection and suppression, uninterrupted power supplies, climate and temperature management and preventative building maintenance. These items are detailed in the “Amazon Web Services: Overview of Security Processes” white paper.[3]

Scalability

Due to the often large, but always varying size of the participant user base, it is important that the TurningPoint Cloud application is able to scale to meet user demand. AWS provides two mechanisms that help TurningPoint Cloud meet this requirement.

Auto Scaling Groups

The TurningPoint Cloud application is hosted on application servers. Each application server is able to provide service to a limited number of clients. AWS Auto Scaling Groups (ASG) allow the system to automatically increase or decrease the number of available application servers to meet user demand. ASGs utilize AWS performance metrics, such as average response time, CPU utilization and request counts in order to provide a high quality of service for the user while minimizing excess capacity.[6]

Elastic Load Balancing

The AWS Elastic Load Balancer (ELB) is an essential component of the auto scaling process. All requests that are destined for the TurningPoint Cloud application pass through the ELB. The ELB utilizes performance metrics to distribute the request workload amongst the available application server instances.[7]

Reliability

The TurningPoint Cloud application is designed to be a highly available and reliable system. TurningPoint Cloud utilizes multiple AWS availability zones to meet this requirement.

Availability Zones

Within each region, AWS offers multiple availability zones. Each availability zone is an isolated infrastructure segment that is connected via a low-latency link to the other availability zones in the region.[8] In the event of an infrastructure failure, it is unlikely that the failure would affect multiple availability zones. TurningPoint Cloud is designed to utilize services in many different availability zones to minimize application service disruption.

Data Segregation

We ensure that our software is coded correctly to properly handle multiple tenants and follow best practice coding standards as well as QA standards to ensure that the data remains separated by tenant. Controls we implement provide assurance that data integrity is maintained through all phases including transmission, storage and processing.

AWS has implemented security management processes, PCI controls and other security controls designed to isolate each customer from other customers. AWS systems are designed to prevent customers from accessing physical hosts or instances not assigned to them by filtering through the virtualization software. This architecture has been validated by an independent PCI Qualified Security Assessor (QSA) and was found to be in compliance with all requirements.

Data Breach

In the case that Turning Technologies becomes aware that a data breach has occurred on AWS, we will leverage email notifications as well as account dashboards to alert our customers. We will include all necessary instructions to our customers and continue to provide updated information until we believe the situation has been remedied.

References

1. Varia, J. & Mathew, S. (2014, January). Overview of Amazon Web Services. Retrieved from http://media.amazonwebservices.com/AWS_Overview.pdf

2. Microsoft 10 Immutable Laws of Security. (2014, January). Technet.Microsoft.com. Retrieved from http://technet.microsoft.com/library/cc722487.aspx#EIAA

3. Amazon, Inc. (2014, November). Amazon Web Services: Overview of Security Processes. Retrieved from http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf

4. Amazon VPC. (2014, January). AWS.Amazon.com. Retrieved from http://aws.amazon.com/vpc/

5. AWS Identity and Access Management (IAM). (2014, January). AWS.Amazon.com. Retrieved from http://aws.amazon.com/iam/

6. Auto Scaling. (2014, January). AWS.Amazon.com. Retrieved from http://aws.amazon.com/autoscaling/

7. Elastic Load Balancing. (2014, January). AWS.Amazon.com. Retrieved from http://aws.amazon.com/elasticloadbalancing/

8. Regions and Availability Zones. (2013, October). Docs.AWS.Amazon.com. Retrieved from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html