Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AWS re:Inforce 2019
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tax returns in the cloud: The journey of Intuit’s data platform
Amit Matety, Principal Software Engineer, Intuit
Ben Covi, Staff Software Engineer, Intuit
SDD330
Intuit data platform
• Multi-tenant platform for storing Intuit customers' data
• Supports key-value and document store use cases
• Managed service that provides out of the box:
• Access control
• Encryption
• Auditing
• Data lifecycle management
• Multi-modal integrations
• Analytics integrations
• High availability/disaster recovery
• Supports the TurboTax ecosystem and other critical experiences within Intuit
Intuit data platform - logical architecture
Principles
• Highly available and secure
• Never lose data
• Keep it simple
• Leverage existing patterns
• Refactor to accelerate
• Automate everything
Big boulders
• Technology evaluation
• Security strategy
• Porting the application
• Operations
• HA/DR strategy
• Data migration
Technology evaluation
Component | Corporate data center | AWS
Application server hosting | VM | Amazon EC2
Key-value store | Cassandra on bare metal | Cassandra on Amazon EC2 + EBS
Document store | IBM Cleversafe | Amazon S3
Encryption provider | Gemalto SafeNet | Intuit Data Protection Service (IDPS) + KMS
Security strategy
https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
Security strategy
• Infrastructure
• Data handling
• Partitioning
• Access
• Threat modelling
• Pen testing
Security strategy - infrastructure
• Intuit Cloud Operations
• Deploys accounts, Amazon VPCs, subnets
• Patterns are enforced during onboarding
• We deploy into this structure
• Application
• Datastore
Security strategy - data handling
• What data will you encrypt?
• Classify your data: Public, Restricted, Sensitive, Highly Sensitive, Secret
• Where will you encrypt the data?
• Application Level Encryption
• Encryption At Rest
• Application Level Encryption (ALE)
• Intuit Data Protection Service (IDPS)
• Symmetric-key encryption
• AES-256
• Probabilistic
• Key rotation
• Re-encrypting old data
• Encryption At Rest
• AWS KMS
Security strategy - what is Intuit data protection service?
• Intuit’s key management/HSM solution
• Features
• Generation and secure storage of high-quality cryptographic keys and application secrets
• Encryption and decryption with symmetric and asymmetric algorithms
• Key versioning
• Support for a large number of keys, rapid key rotation, and re-encryption
• Access control
• Policy-based authentication
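The two slides above describe application-level encryption with AES-256, probabilistic ciphertexts, key versioning, rotation and re-encryption of old data. The following is an added example, not code from the talk or from IDPS: a hypothetical in-memory key ring (standing in for a key service such as IDPS) that seals records with AES-256-GCM under a versioned key, keeps retired versions so old records stay readable, and re-encrypts stale records under the current version. The envelope layout (version, nonce, ciphertext), the `KeyRing` type and the tenant/record AAD string are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// KeyRing is a hypothetical stand-in for a key service such as IDPS: it keeps
// every version of a 256-bit data key so old records stay readable, and marks
// one version as current for new writes.
type KeyRing struct {
	keys    map[uint32][]byte
	current uint32
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[uint32][]byte{}} }

// Rotate creates a fresh random AES-256 key and makes it the current version.
// Older versions are retained for decryption only.
func (k *KeyRing) Rotate() (uint32, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return 0, err
	}
	k.current++
	k.keys[k.current] = key
	return k.current, nil
}

// aead builds an AES-GCM instance for a given key version.
func (k *KeyRing) aead(version uint32) (cipher.AEAD, error) {
	key, ok := k.keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the current key with a fresh random nonce, so
// the same plaintext never yields the same ciphertext (probabilistic encryption).
// Envelope layout (assumed for this example): version(4) || nonce(12) || ciphertext||tag.
// aad binds the record to its context (e.g. tenant and record id) without encrypting it.
func (k *KeyRing) Encrypt(plaintext, aad []byte) ([]byte, error) {
	if k.current == 0 {
		return nil, errors.New("no key yet; call Rotate first")
	}
	gcm, err := k.aead(k.current)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(nonce)+len(plaintext)+gcm.Overhead())
	binary.BigEndian.PutUint32(out, k.current)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// Decrypt selects the key named in the version prefix and verifies the GCM tag.
// It also returns the version used, so callers can detect records needing re-encryption.
func (k *KeyRing) Decrypt(envelope, aad []byte) ([]byte, uint32, error) {
	if len(envelope) < 4 {
		return nil, 0, errors.New("envelope too short")
	}
	version := binary.BigEndian.Uint32(envelope[:4])
	gcm, err := k.aead(version)
	if err != nil {
		return nil, 0, err
	}
	ns := gcm.NonceSize()
	if len(envelope) < 4+ns+gcm.Overhead() {
		return nil, version, errors.New("envelope too short")
	}
	pt, err := gcm.Open(nil, envelope[4:4+ns], envelope[4+ns:], aad)
	if err != nil {
		return nil, version, err
	}
	return pt, version, nil
}

// ReEncrypt brings a record forward to the current key version after a rotation;
// changed is false when the record was already current and is returned as-is.
func (k *KeyRing) ReEncrypt(envelope, aad []byte) (out []byte, changed bool, err error) {
	pt, version, err := k.Decrypt(envelope, aad)
	if err != nil {
		return nil, false, err
	}
	if version == k.current {
		return envelope, false, nil
	}
	out, err = k.Encrypt(pt, aad)
	return out, err == nil, err
}

func main() {
	ring := NewKeyRing()
	ring.Rotate()
	aad := []byte("tenant=example;record=42") // constructed context string
	rec, _ := ring.Encrypt([]byte("constructed tax record"), aad)
	ring.Rotate() // key rotation: new writes use v2, v1 is retained for reads
	rec2, changed, _ := ring.ReEncrypt(rec, aad)
	pt, ver, _ := ring.Decrypt(rec2, aad)
	fmt.Printf("re-encrypted=%v version=%d plaintext=%q\n", changed, ver, pt)
}
```

The re-encryption sweep is what makes rotation meaningful: until every stored envelope carries the current version, the retired key cannot be destroyed, so the version prefix doubles as the inventory of which records are still outstanding.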
Security strategy - partitioning
• Business unit
• Functional group
• Key-value store → Table
• Document store → Amazon S3 bucket
Security strategy - access
• Platform runtime
• Strict ‘NO’ on usage of static access keys and secret keys
• ONLY instance-profile-based access
• Policy rules to restrict access
• AWS region
• AWS service
• IAM Role
• Amazon VPC
• Resource operations
• Platform operations
• ‘Olympus’ for all human access
• What is ‘Olympus’?
• AWS access management tool for the Intuit workforce
• Integrated with IAM to provide predefined roles to workforce users
• Read only
• Application operations
• Power user
• SSH access
• Ability for teams to create custom role mappings on a need basis
• Provides out-of-the-box capabilities like security monitoring, audit, and compliance
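The access slide lists the policy rules the platform runtime is restricted by (AWS region, service, IAM role, VPC, resource operations) and bans static access keys in favour of instance profiles. As an added example that is not Intuit's code or tooling, here is a small linter for IAM policy documents attached to an instance-profile role: it flags wildcard actions or resources and any Allow statement that is not pinned with the `aws:RequestedRegion` and `aws:SourceVpc` condition keys. The weak and hardened policies, the bucket name and the VPC id are constructed for this example; the condition keys are real IAM global condition keys.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and Policy model the subset of IAM policy JSON this linter inspects.
// Action and Resource may be a string or a list in IAM, so they are decoded loosely.
type Statement struct {
	Effect    string                            `json:"Effect"`
	Action    interface{}                       `json:"Action"`
	Resource  interface{}                       `json:"Resource"`
	Condition map[string]map[string]interface{} `json:"Condition"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// DefaultRequiredConditionKeys: every Allow statement must be pinned to one
// region and one VPC, mirroring the region/VPC policy rules on the slide.
var DefaultRequiredConditionKeys = []string{"aws:RequestedRegion", "aws:SourceVpc"}

// WeakPolicy (constructed): service-wide wildcard on every resource, no conditions.
const WeakPolicy = `{"Version":"2012-10-17","Statement":[
  {"Effect":"Allow","Action":"s3:*","Resource":"*"}
]}`

// HardenedPolicy (constructed): specific operations on one bucket, pinned to a
// region and VPC, plus an explicit Deny for any request outside the region.
const HardenedPolicy = `{"Version":"2012-10-17","Statement":[
  {"Effect":"Allow","Action":["s3:GetObject","s3:PutObject"],
   "Resource":"arn:aws:s3:::example-tenant-bucket/*",
   "Condition":{"StringEquals":{"aws:RequestedRegion":"us-west-2",
                                "aws:SourceVpc":"vpc-0123456789abcdef0"}}},
  {"Effect":"Deny","Action":"*","Resource":"*",
   "Condition":{"StringNotEquals":{"aws:RequestedRegion":"us-west-2"}}}
]}`

// asStrings normalises a JSON string-or-list value into a slice of strings.
func asStrings(v interface{}) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []interface{}:
		out := make([]string, 0, len(t))
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// hasConditionKey reports whether any condition operator references key.
func hasConditionKey(cond map[string]map[string]interface{}, key string) bool {
	for _, keys := range cond {
		for k := range keys {
			if strings.EqualFold(k, key) {
				return true
			}
		}
	}
	return false
}

// LintPolicy returns one finding per rule violation in the Allow statements.
// Deny statements are skipped: a broad Deny tightens rather than loosens access.
func LintPolicy(doc string, requiredKeys []string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range asStrings(st.Action) {
			if a == "*" || strings.HasSuffix(a, ":*") {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard action %q", i, a))
			}
		}
		for _, r := range asStrings(st.Resource) {
			if r == "*" {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard resource", i))
			}
		}
		for _, key := range requiredKeys {
			if !hasConditionKey(st.Condition, key) {
				findings = append(findings, fmt.Sprintf("statement %d: missing condition on %s", i, key))
			}
		}
	}
	return findings, nil
}

func main() {
	for name, doc := range map[string]string{"weak": WeakPolicy, "hardened": HardenedPolicy} {
		findings, err := LintPolicy(doc, DefaultRequiredConditionKeys)
		fmt.Printf("%s: %d finding(s) %v err=%v\n", name, len(findings), findings, err)
	}
}
```

One caveat for the VPC rule: `aws:SourceVpc` is only present on requests that reach the service through a VPC endpoint, so a policy keyed on it has to be paired with endpoints for the services the platform calls, otherwise legitimate traffic over the public endpoint is denied.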
Security strategy - threat modelling
Attack vectors → Initial risk summary → Mitigation controls → Residual risk summary → Playbook (crawl/walk/run)
Security strategy - pen testing
• What?
• External testing
• Assets visible on the internet
• Internal testing
• Assets behind the firewall
• Who?
• Internal security team
• External vendor
• Collaboration
Operations - continuous deployment
• Secure SDLC tools in the CI/CD pipeline
• Threat modeling, static analysis, composition analysis, interactive application security testing
• Code, artifacts, dependencies all scanned
• Restricted orchestration
• Jenkins runs the pipeline from a separate account, deploys with Terraform
• Temporary AssumeRole credentials are used to silo access to other accounts
• The target role is limited in scope
• Mandatory restacking
• Intuit generates baseline AMIs, monitors their use
• AMIs deprecated every 30 days
• Cert and key rotation
Operations - monitoring
• Centralized logging and monitoring
• Bastion logs indexed by Splunk
• Named Olympus sessions authenticated by CA
• Security visibility
• Agent baked into the Baseline AMI, forwards events for analysis
• Policy engine
• Framework for Cloud Custodian, uses AWS Lambda and Amazon CloudWatch via cross-account roles
• Alerts account owners to rule violations
• Deprecated libraries
• The SSDLC tools in the pipeline all generate reports
• Deprecated AMIs
• Central database of baseline images, instance IDs
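The restacking and monitoring slides describe baseline AMIs that are deprecated every 30 days and a central database of baseline images and instance IDs used to find instances that drifted. The following is an added example, not Intuit's code: a check that runs the instance inventory against the baseline table and flags an instance when its AMI is not an approved baseline image or when that image is past the 30-day limit. The baseline rows, instance rows, AMI/instance IDs and the reference date are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// BaselineAMI is one row of the (hypothetical) central baseline-image database.
type BaselineAMI struct {
	ID      string
	Created time.Time
}

// Instance is one row of the running-instance inventory.
type Instance struct {
	ID  string
	AMI string
}

// Finding names an instance that must be restacked and why.
type Finding struct {
	InstanceID string
	Reason     string
}

// MaxAMIAge mirrors the slide's 30-day deprecation cycle.
const MaxAMIAge = 30 * 24 * time.Hour

// SampleNow is the constructed reference date the sample data is evaluated at.
var SampleNow = time.Date(2019, 6, 25, 0, 0, 0, 0, time.UTC)

// SampleBaselines: one fresh image (15 days old) and one past the limit (55 days old).
var SampleBaselines = []BaselineAMI{
	{ID: "ami-0baseline0001", Created: time.Date(2019, 6, 10, 0, 0, 0, 0, time.UTC)},
	{ID: "ami-0baseline0002", Created: time.Date(2019, 5, 1, 0, 0, 0, 0, time.UTC)},
}

// SampleInstances: compliant, stale baseline, and an image not in the baseline DB.
var SampleInstances = []Instance{
	{ID: "i-0aaa000000000001", AMI: "ami-0baseline0001"},
	{ID: "i-0bbb000000000002", AMI: "ami-0baseline0002"},
	{ID: "i-0ccc000000000003", AMI: "ami-0notbaseline9"},
}

// FindStaleInstances joins the inventory to the baseline table and returns
// findings sorted by instance ID so the output is stable for alerting.
func FindStaleInstances(baselines []BaselineAMI, instances []Instance, now time.Time, maxAge time.Duration) []Finding {
	byID := make(map[string]BaselineAMI, len(baselines))
	for _, b := range baselines {
		byID[b.ID] = b
	}
	var out []Finding
	for _, inst := range instances {
		b, ok := byID[inst.AMI]
		if !ok {
			out = append(out, Finding{inst.ID, fmt.Sprintf("AMI %s is not a baseline image", inst.AMI)})
			continue
		}
		if age := now.Sub(b.Created); age > maxAge {
			out = append(out, Finding{inst.ID, fmt.Sprintf("baseline AMI %s is %d days old (limit %d)",
				inst.AMI, int(age.Hours()/24), int(maxAge.Hours()/24))})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].InstanceID < out[j].InstanceID })
	return out
}

func main() {
	for _, f := range FindStaleInstances(SampleBaselines, SampleInstances, SampleNow, MaxAMIAge) {
		fmt.Printf("%s: %s\n", f.InstanceID, f.Reason)
	}
}
```

In a real deployment the two inputs would come from the baseline database and a cross-account inventory of EC2 instances; the join and the two rules stay the same.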
Lessons learnt
• Identify the biggest blockers to adoption and address them first
• Identify and plan for the long poles
• Security-related testing, monitoring and alerting should never be an afterthought
• Business continuity planning is a cornerstone to a successful migration
• Prepare your team
• Learn and optimize along the way
Three key takeaways
• Security strategy is ever evolving
• Automation should never be an afterthought
• Leverage your partnership with AWS