Jobvite: Keeping You One Step Ahead
Theodore Kim, VP Technical Operations & Security
April 28th, 2016
Engage, Hire, Video
About Us
© 2015-2016 Jobvite, Inc.
• Leading Recruiting Platform
• Founded in 2006
• 1900+ Customers
• 50 Million Job Seekers
• 160+ Countries
Better Candidates Faster At Lower Cost
Average Jobvite Customer ROI:
• 18% increase in referral hiring (1)
• 27% faster time-to-hire (2)
• 30% lower candidate acquisition cost (3)
1) Source: Jobvite database, 2011-2015
2) Source: Jobvite database, 2011-2015
3) Source: Independent third party study conducted in April, 2015
Industry Awards and Recognition
Jobvite was Named a Leader in the Forrester Wave™ Report
We received top scores for both current offering and strategy.
Jobvite Named a Leader in the Forrester Wave™
Key differentiators:
• Mobile recruiting
• Recruiting analytics
• Strong social recruiting tools
• Seamlessly integrated ATS and TRM
“…a cutting edge company leading the way in the talent acquisition space.”
Jobvite Customers
Security: A Holistic Approach

Presenters
• Theodore Kim, Vice President, DevOps & Security
• Brian Morehead, Director, DevOps
AWS Compliance & Certifications

So…My Application Is Certified, Right?
Nice try. No.
AWS Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS Foundation Services: Compute, Storage, Database, Networking
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
Overview of AWS Services
• Your Applications
• Enterprise Applications: Workspaces (Virtual Desktop), Zocalo (Document Collaboration)
• Application Services: Content Delivery (CloudFront); Applications (SES, SNS, SQS, Elastic Transcoder); Distributed Computing (CloudSearch, SWF, EMR); Libraries & SDK’s
• Deployment & Management: Monitoring (CloudWatch); Deployment & Automation (BeanStalk, OpsWorks, CloudFormation, DataPipe); Identity & Access Management (IAM, Federation); Web Interface (Console, Billing); Human Interaction (Mechanical Turk)
• Foundation Services: Compute (EC2); Storage (S3, EBS, Glacier, Storage Gateway); Networking (VPC, Direct Connect, ELB, Route53); Databases (RDS, ElastiCache, Dynamo, RedShift)
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
There Are Two Security Tracks
• Compliance Security
• Headline Security

There’s a Big Gap Between Compliance & Security
Security Lifecycle
• Increased velocity of change management: Agile Development, Continuous Integration / Continuous Delivery
• Huge security headache
• Security must be ongoing & continuous
• Point in time security is virtually useless
Top 10 AWS security best practices
(AWS Government, Education, and Nonprofit Symposium, Washington, DC | June 25-26, 2015)
1. Disable root API access key and secret key.
2. Enable MFA tokens everywhere.
3. Reduce number of IAM users with admin rights.
4. Use roles for EC2.
5. Least privilege: limit what IAM entities can do with strong/explicit policies.
6. Rotate all the keys regularly.
7. Enable CloudTrail wherever available.
8. Use Auto Scaling to handle traffic spikes.
9. Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it.
10. Watch world-readable/listable S3 bucket policies.
(Based on our experience with Incident Response, top 10 to implement ASAP.)
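Several of the items above (1, 2, 9 and 10) can be checked from the JSON and CSV the AWS CLI already returns. The script below is an added example, not code from the deck: it evaluates the describe-security-groups, get-bucket-policy and get-credential-report shapes offline on constructed sample inputs (the security group ids, bucket name, account id and user names are made up), so wiring it to live boto3 calls is left to the reader.

```python
"""Offline checks for several items of the top-10 list above.

Added example, not code from the Jobvite deck. Each function takes the
JSON/CSV shape the AWS CLI or boto3 returns (describe-security-groups,
get-bucket-policy, get-credential-report) so it can be wired to live
calls; the SAMPLE_* inputs below are constructed so the script runs offline.
"""
import csv
import io
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """IAM/S3 policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def open_ingress_rules(security_groups, allowed_ports=frozenset()):
    """Item 9: ingress rules open to the world, minus ports you mean to expose.

    Returns (group id, protocol, from port, to port, cidr) tuples.
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            low, high = perm.get("FromPort"), perm.get("ToPort")
            if low is not None and low == high and low in allowed_ports:
                continue  # single intended public port, e.g. 443 on a web tier
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD_CIDRS:
                    findings.append((sg["GroupId"], perm.get("IpProtocol"), low, high, cidr))
    return findings


def public_bucket_statements(policy_json):
    """Item 10: Allow statements whose principal is everyone ("*")."""
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone:
            hits.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return hits


def credential_report_findings(report_csv):
    """Items 1 and 2: root with an active access key, console users without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        key_active = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        if row["user"] == "<root_account>" and key_active:
            findings.append((row["user"], "root account has an active access key"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((row["user"], "console password without MFA"))
    return findings


# --- constructed sample inputs (not real Jobvite resources) -------------------
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CIAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Subset of the columns in a real IAM credential report; rows are constructed.
SAMPLE_CREDENTIAL_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,not_supported,true,true,false
alice,true,true,false,false
bob,true,false,true,false
deploy-bot,false,false,true,false
"""


if __name__ == "__main__":
    for finding in open_ingress_rules(SAMPLE_SECURITY_GROUPS, allowed_ports={443}):
        print("open to world:", finding)
    for finding in public_bucket_statements(SAMPLE_BUCKET_POLICY):
        print("public bucket statement:", finding)
    for finding in credential_report_findings(SAMPLE_CREDENTIAL_REPORT):
        print("credential report:", finding)
```

The allowed_ports argument is how "unless you mean it" is expressed: 443 on the web tier is intentional and is not reported, 3306 on the database group is. Running the same functions on real output is a matter of passing the dicts from boto3's describe_security_groups, the policy string from get_bucket_policy and the CSV from get_credential_report.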
But are you really secure?

Security Tool Chest
• Advanced Threat Analysis (AWS Inspector)
• Application Security
• Identity and Access Mgmt (AWS IAM)
• Encryption (AWS KMS)
• Network Security
• SIEM
• Vulnerability & Pen Testing
Advanced Threat Analysis
DevOps Continuous Integration (CI):
• Build via Jenkins
• Invoke Evident API
• Invoke Checkmarx
• Threat Report
• Block Deployment or Note for Next Build
• Deploy
• QA
• Repeat
Advanced Threat Analysis: AWS Inspector
• Near real-time security assessments
• Supports pre-defined Rules packages
• Requires installed agent
• Linux support only
• Mostly a compliance tool
Application Security: Web Application Firewalls
• Web Application Firewalls can protect against most OWASP Top-10 vulnerabilities.
• Most WAFs require in-line deployment, causing a single point of failure.
• When is AWS WAF going to support ELB?
“A well written web application should not require a WAF. Unfortunately, there are very few examples in the real world”
Identity Management
• Use IAM for central point of account management (IAM/AD/LDAP integration).
• Use roles for applications that run on Amazon EC2 instances.
• Assign IAM group policies.
• Enable Multi-Factor Authentication (MFA) instead of password aging.
• Restrict privileged access further with policy conditions.
Encryption
• Encrypt all EBS/S3 data stores to enforce data sovereignty.
• Enable encryption at rest for all supported database stores (RedShift, RDS).
• Manage encryption keys via KMS
  • Software defined encryption
  • API support
• Don’t hardcode keys!!!
Network Security
• Do I need a firewall in AWS? (Answer: maybe)
• Do I need separate IDS & IPS systems? (Answer: NO!)
• Do I need both a WAF and IDS/IPS systems? (Answer: maybe)
The dangers of inline & clustered network security systems!
Security Information & Event Management (SIEM)
• Quite possibly the least sexy & loved security tool.
• And yet absolutely necessary for compliance (PCI, SOC II, ISO 27001).
• Essential for security breach root cause analysis.
• No one wants to pay for Splunk!!!
• Can you mangle your ELK stack into a SIEM? (Answer: kinda)
(Diagram: Compliance, DevOps, Security, SIEM)
Vulnerability & Penetration Testing
• Point in time testing is virtually useless in today’s security landscape.
• Choose a continuous scanning solution.
• Don’t pay for expensive consulting companies. Crowdsource through bounty programs.
What problems did we face?
Floating Keys
• IAM Access Keys baked into your app configs and/or code.
• Keys needed to be rotated.
• Keys would end up in the log files.
• Keys could end up in config files.
• Keys could leak to unauthorized individuals.
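A detection for the first three bullets: before a line reaches a log file, or a config is checked in, scan it for AWS key material and mask it. This is an added example, not Jobvite's code; the key pair in the sample is the one AWS uses in its own documentation (so it is safe to embed), and the log lines are constructed. The logging filter at the end is the piece that stops keys from "ending up in the log files" in the first place.

```python
"""Find and redact AWS credentials before they reach logs or config.

Added example, not code from the Jobvite deck. The sample key pair below
is the pair AWS uses in its own documentation, so it is safe to embed;
the log lines are constructed.
"""
import io
import logging
import re

# Long-term user keys start with AKIA, temporary STS keys with ASIA; 20 chars total.
ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A bare 40-char secret matches too much ordinary text, so only flag one that
# follows a key-like label (aws_secret_access_key, secret_key, ...).
SECRET_KEY = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_credentials(text):
    """Return (line number, kind, value) for every credential-looking token."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID.finditer(line):
            hits.append((number, "access_key_id", match.group(1)))
        for match in SECRET_KEY.finditer(line):
            hits.append((number, "secret_access_key", match.group(2)))
    return hits


def redact(text):
    """Keep the first/last four characters of a key id (enough to identify it
    for rotation) and drop secrets entirely."""
    text = ACCESS_KEY_ID.sub(lambda m: m.group(1)[:4] + "*" * 12 + m.group(1)[-4:], text)
    text = SECRET_KEY.sub(lambda m: m.group(1) + "=[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Attach to a logger or handler so keys never reach the log file."""

    def filter(self, record):
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(a) if isinstance(a, str) else a for a in record.args)
        return True


# Constructed log lines; the key pair is AWS's documentation example.
SAMPLE_LOG = """\
2016-04-28 10:01:02 INFO  boot: starting hire-worker
2016-04-28 10:01:03 DEBUG s3: client config {'aws_access_key_id': 'AKIAIOSFODNN7EXAMPLE', 'region': 'us-east-1'}
2016-04-28 10:01:03 DEBUG s3: aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
2016-04-28 10:01:04 INFO  sqs: polling hire-resumes
"""


def capture_with_filter(message, *args):
    """Log one message through RedactingFilter and return what the handler wrote."""
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("redact-demo")
    logger.handlers = [handler]  # replace any handlers from earlier calls
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.debug(message, *args)
    handler.flush()
    return buffer.getvalue()


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_LOG):
        print("line %d: %s %s" % hit)
    print(redact(SAMPLE_LOG))
    print(capture_with_filter("client config key=%s", "AKIAIOSFODNN7EXAMPLE"), end="")
```

find_credentials() is the pre-commit or log-review scan; RedactingFilter is the runtime control. Any key the scan does find has to be treated as exposed and rotated, which is what the partial mask is for: it identifies the key to rotate without reproducing it.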
Need for a Web Application Firewall & Threat Manager
• How can we create security detection/prevention rules for certain types of web requests?
• How can we block unauthorized traffic (SQLi, HTTP Host header attacks, XSS, etc)?
• How can we easily filter and visualize detection and prevention data?
• How can we ensure safety from latest CVEs?
AWS WAF Challenges
• AWS WAF only ties to CloudFront distributions.
• CloudFront has a 60 second timeout limitation.
• No L1 team to analyze and re-rule to reduce false alarms.
(Diagram: Jobvite VPC)
A Sea of Logs
• Too many logs
• No central logging location
• No real plan of action
Rapid Infrastructure Changes
• Continuous rapid deployments introduce risk.
• Do you constantly invoke security scans?
• Who receives dangerous security events?
• Is there a plan when they’re received?
SOLUTIONS OVERVIEW
• Benefits of Instance profiles vs Access Keys
• Installed a 3rd Party WAF
• Detect and alert on events with a SIEM
• Introduce Infrastructure Security Scans into the build system
INSTANCE PROFILES
• Define roles and granular policies.
• Attach profiles to the EC2 and ASG.
• AWS SDKs and CLI support instance profiles.
• No more keys in the wild.
• Removed all API keys associated to IAM app users
• Enforced MFA on all remaining user accounts.
• Ensured IAM service was in scope of Evident.IO vulnerability scans.
IAM ROLES WITH POLICIES
• Default access denied
• Explicitly define which instances are allowed access to certain AWS resources.
• Explicit deny supersedes explicit allow.
• Roles
  • Multiple policies can be applied to roles.
• Instance Profiles
  • Assumes a role.
  • Access key and temporary token are stored in instance metadata.
(Diagram: Hire Auto-Scaling group using Role Prod-Hire with Policy prod-platform and Policy prod-hire; read access to s3://builds-bucket; write access to arn:aws:sqs:us-east-1::hire-resumes)
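The diagram above expressed as policy documents, plus a check of the three evaluation rules the slide states. This is an added example, not the deck's actual policies: which policy carries which grant, the account id 123456789012 and the statement ids are assumptions, and is_allowed() implements only default deny, explicit allow and deny-wins, none of IAM's other evaluation logic.

```python
"""The Prod-Hire role's policies and a minimal IAM decision check.

Added example, not the deck's own policies. The two policy documents are
constructed to match the diagram (read access to s3://builds-bucket,
write access to the hire-resumes queue); which policy carries which grant,
the 123456789012 account id and the Sids are assumptions. is_allowed()
implements only the three rules the slide states (default deny, explicit
allow, explicit deny wins).
"""
import fnmatch

PROD_PLATFORM = {  # platform-wide policy: every production instance may fetch builds
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBuilds", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::builds-bucket", "arn:aws:s3:::builds-bucket/*"]},
        {"Sid": "NeverWriteBuilds", "Effect": "Deny",
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::builds-bucket/*"},
    ],
}

PROD_HIRE = {  # app-specific policy: only the Hire tier may enqueue resumes
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WriteResumes", "Effect": "Allow", "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:hire-resumes"},
    ],
}

# Trust policy: lets EC2 (through the instance profile) assume the role; no user keys involved.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

ROLE_PROD_HIRE = {"RoleName": "Prod-Hire", "AssumeRolePolicyDocument": EC2_TRUST_POLICY,
                  "Policies": [PROD_PLATFORM, PROD_HIRE]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM actions compare case-insensitively; '*' and '?' wildcards apply to both fields.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Default deny; an explicit Deny in any policy beats any Allow."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def role_allows(role, action, resource):
    return is_allowed(role["Policies"], action, resource)


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::builds-bucket/hire-1.2.3.war"),
        ("s3:PutObject", "arn:aws:s3:::builds-bucket/hire-1.2.3.war"),
        ("sqs:SendMessage", "arn:aws:sqs:us-east-1:123456789012:hire-resumes"),
        ("sqs:ReceiveMessage", "arn:aws:sqs:us-east-1:123456789012:hire-resumes"),
    ]
    for action, resource in checks:
        print(f"{action:20s} {resource}: {role_allows(ROLE_PROD_HIRE, action, resource)}")
```

On an instance launched with this profile, the AWS SDKs and CLI fetch the role's temporary credentials from the instance metadata service (http://169.254.169.254/latest/meta-data/iam/security-credentials/Prod-Hire) on their own, so application code creates its S3 and SQS clients without being handed a key. The NeverWriteBuilds statement is what "explicit deny supersedes explicit allow" buys you: even if a later policy attached to the role grants s3:* broadly, the build bucket stays read-only.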
ALERT LOGIC WAF & THREAT MANAGER
• RPM based installation
• Dashboard View
• Managed L1 provider
(Diagram: Web request → Web/Proxy Servers → Safe; RPMs from S3://jobvite-repo/RPMS/ → Puppet Master → Web/Proxy Servers)
Centralized Logging & Notifications
• Centralized logging via Logstash.
• Organization of logs (app, system security, service security, etc.)
• Notification of security events via SIEM script on top of ElasticSearch.
SECURITY INFORMATION AND EVENT MANAGEMENT
• Tomcats and IIS apps use log4J and log4net to send JSON formatted logs to Logstash.
• CloudTrail, rsyslog for login events, Windows event logs via nxlog are sent to Logstash.
• Logstash sends the filtered results into the Logstash ElasticSearch cluster.
• Our home-grown check_siem script searches ElasticSearch for event counts hooked into Nagios.
• Conditional matches are sent to SNS where emails and Pager escalations are subscribed.
(Diagram: CloudTrail, Tomcat / IIS, Rsyslog/NXLOG, Proxy logs → Logstash → ES Cluster → Kibana; SNS Topic)
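What a check_siem-style plugin does, as an added example that is not Jobvite's script: build the Elasticsearch count query for one rule, map the resulting count onto Nagios exit codes, and produce the SNS payload for every non-OK rule. count_events() applies the same predicate to an in-memory list so the example runs offline; the events, rule names and thresholds are constructed.

```python
"""A check_siem-style Nagios check over Elasticsearch event counts.

Added example, not Jobvite's check_siem script. count_query() builds the
Elasticsearch count-query body a live check would POST to /<index>/_count;
count_events() applies the same predicate to an in-memory list so the
example runs offline. The events, rules and thresholds are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes


def count_query(event_type, window_minutes):
    """Query DSL for 'events of this type in the last N minutes'."""
    return {"query": {"bool": {
        "must": [{"term": {"event_type": event_type}}],
        "filter": [{"range": {"@timestamp": {"gte": f"now-{window_minutes}m", "lte": "now"}}}],
    }}}


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def count_events(events, event_type, window_minutes, now):
    """Offline stand-in for the _count call: same predicate, applied locally."""
    start = now - timedelta(minutes=window_minutes)
    return sum(1 for e in events
               if e.get("event_type") == event_type and start <= _parse_ts(e["@timestamp"]) <= now)


def nagios_status(count, warn, crit):
    if count >= crit:
        return CRITICAL
    if count >= warn:
        return WARNING
    return OK


def check_rule(events, rule, now):
    """Evaluate one rule; returns (exit code, plugin output line with perfdata)."""
    count = count_events(events, rule["event_type"], rule["window_minutes"], now)
    status = nagios_status(count, rule["warn"], rule["crit"])
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[status]
    output = (f"{label} - {count} {rule['event_type']} events in {rule['window_minutes']}m"
              f"|count={count};{rule['warn']};{rule['crit']}")
    return status, output


def sns_message(rule, status, output):
    """Payload for the SNS topic that the email and pager subscribers receive."""
    return {"Subject": f"[SIEM] {rule['name']}", "Message": json.dumps({
        "rule": rule["name"], "status": status, "output": output})}


# Constructed events in the JSON shape Logstash would index (subset of fields).
SAMPLE_EVENTS = [json.loads(line) for line in """\
{"@timestamp": "2016-04-28T09:40:00Z", "event_type": "ssh_login_failed", "host": "web-01", "user": "root"}
{"@timestamp": "2016-04-28T10:00:05Z", "event_type": "ssh_login_failed", "host": "web-01", "user": "root"}
{"@timestamp": "2016-04-28T10:02:10Z", "event_type": "ssh_login_failed", "host": "web-01", "user": "root"}
{"@timestamp": "2016-04-28T10:03:44Z", "event_type": "ssh_login_failed", "host": "web-02", "user": "admin"}
{"@timestamp": "2016-04-28T10:05:01Z", "event_type": "ssh_login_failed", "host": "web-02", "user": "admin"}
{"@timestamp": "2016-04-28T10:07:30Z", "event_type": "ssh_login_failed", "host": "web-01", "user": "root"}
{"@timestamp": "2016-04-28T10:09:12Z", "event_type": "ssh_login_failed", "host": "web-03", "user": "ubuntu"}
{"@timestamp": "2016-04-28T10:11:00Z", "event_type": "console_login_no_mfa", "source": "cloudtrail", "user": "bob"}
{"@timestamp": "2016-04-28T10:12:00Z", "event_type": "ssh_login_ok", "host": "web-01", "user": "deploy"}
""".splitlines()]

RULES = [  # constructed thresholds
    {"name": "ssh brute force", "event_type": "ssh_login_failed", "window_minutes": 15, "warn": 5, "crit": 20},
    {"name": "console login without MFA", "event_type": "console_login_no_mfa", "window_minutes": 15, "warn": 1, "crit": 1},
]

NOW = datetime(2016, 4, 28, 10, 15, tzinfo=timezone.utc)


def run_checks(events=SAMPLE_EVENTS, rules=RULES, now=NOW):
    """Worst status across rules is the plugin exit code; non-OK rules go to SNS."""
    worst, notifications = OK, []
    for rule in rules:
        status, output = check_rule(events, rule, now)
        worst = max(worst, status)
        if status != OK:
            notifications.append(sns_message(rule, status, output))
    return worst, notifications


if __name__ == "__main__":
    exit_code, notes = run_checks()
    for n in notes:
        print(n["Subject"], "->", json.loads(n["Message"])["output"])
    raise SystemExit(exit_code)
```

The point of the perfdata suffix (count=6;5;20) is that Nagios graphs the count over time, which is where a slow rise in failed logins shows up before any single window trips the threshold. With the constructed events the SSH rule lands on WARNING (six failures in the window, the 09:40 one falls outside) and the no-MFA console login is CRITICAL on its first occurrence.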
SECURITY DASHBOARDS
• CloudTrail Events
• Login Events
• HTTP / TLS info
• Application Errors
• Vulnerability scans
• Build/Deploy
Security Testing
• Introduce security API calls
• Alert on critical and high
• Fail build on high security issues

AWS RESOURCE SCANNING
(Pipeline diagram; step 1: Push)
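The gate that turns those three bullets, and the "Block Deployment or Note for Next Build" step of the CI slide, into a Jenkins step, as an added example that is not Jobvite's job. Scanner findings are assumed to have been normalised to the dicts shown, since the slides do not show the Evident or Checkmarx output formats; the findings and the risk-acceptance register are constructed. It goes one step beyond the slide: an accepted finding stops alerting and blocking only until its acceptance expires.

```python
"""Build gate for the security step in the CI pipeline above.

Added example, not Jobvite's Jenkins job. Findings from the resource scan
and the source scan are assumed to have been normalised to the dicts below
(the scanner output formats are not shown on the slides); the sample
findings and the accepted-risk register are constructed.
"""
import hashlib

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Stable id for 'the same finding seen again', so acceptances survive rebuilds."""
    key = "|".join(str(finding.get(k, "")) for k in ("source", "rule", "resource"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def gate(findings, accepted_until, today, fail_at="high", alert_at="high"):
    """Decide block / note / deploy.

    today and the accepted_until values are ISO dates (YYYY-MM-DD), which order
    correctly as strings. Returns decision ('block' stops the deploy, 'note'
    records items for the next build, 'deploy' means nothing was found), the
    exit code for Jenkins, the alerts that go out by mail, the notes, and the
    findings suppressed by a still-valid acceptance.
    """
    fail_rank, alert_rank = SEVERITY_RANK[fail_at], SEVERITY_RANK[alert_at]
    blocking, alerts, notes, suppressed = [], [], [], []
    for f in findings:
        rank = SEVERITY_RANK[f["severity"].lower()]
        expiry = accepted_until.get(fingerprint(f))
        if expiry is not None and expiry >= today:
            suppressed.append(f)
            continue
        if rank >= alert_rank:
            alerts.append(f)
        if rank >= fail_rank:
            blocking.append(f)
        else:
            notes.append(f)
    if blocking:
        decision, exit_code = "block", 1
    elif notes:
        decision, exit_code = "note", 0
    else:
        decision, exit_code = "deploy", 0
    return {"decision": decision, "exit_code": exit_code, "alerts": alerts,
            "notes": notes, "suppressed": suppressed}


# Constructed findings in the normalised shape this gate expects.
SAMPLE_FINDINGS = [
    {"source": "resource-scan", "rule": "sg-ssh-open-to-world", "severity": "High",
     "resource": "sg-0a1b2c3d", "title": "Port 22 open to 0.0.0.0/0"},
    {"source": "source-scan", "rule": "hardcoded-aws-credential", "severity": "Critical",
     "resource": "src/main/resources/s3.properties", "title": "AWS secret key in config"},
    {"source": "resource-scan", "rule": "s3-bucket-no-encryption", "severity": "Medium",
     "resource": "arn:aws:s3:::builds-bucket", "title": "Bucket not encrypted at rest"},
    {"source": "source-scan", "rule": "verbose-error-page", "severity": "Low",
     "resource": "src/main/webapp/error.jsp", "title": "Stack trace shown to user"},
]

# Risk register: fingerprint -> last day the acceptance is valid (constructed).
ACCEPTED = {fingerprint(SAMPLE_FINDINGS[1]): "2016-05-31"}


if __name__ == "__main__":
    result = gate(SAMPLE_FINDINGS, ACCEPTED, today="2016-04-28")
    print(result["decision"], "exit", result["exit_code"])
    for f in result["alerts"]:
        print("ALERT", f["severity"], f["title"])
    for f in result["notes"]:
        print("NOTE ", f["severity"], f["title"])
    raise SystemExit(result["exit_code"])
```

The exit code is what Jenkins acts on: 1 fails the build, so nothing with a high or critical finding reaches Deploy; mediums and lows are returned as notes for the next build rather than silently dropped. Keeping acceptances keyed by fingerprint with an expiry date is what stops a one-time "we know about this" from becoming permanent blindness.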
Q & A SESSION

Jobvite: A Holistic Approach to Security


Editor's Notes

  • #3: Here is more information about Jobvite. We deliver the leading and most comprehensive Recruiting Platform in the market. We have 10 years of experience in recruiting and a track record of success.
  • #4: Today, we are here to talk with you about how we can help you deliver tangible results to your organization. We are focused on helping companies hire better candidates, faster, and at a lower cost. These statistics highlight the average results we see across our customer base.
  • #5: Jobvite has been recognized in the industry and received numerous awards for our growth, the strength of our products and the level of service we deliver to our customers. In particular, we are very proud of the distinction awarded to us by Forrester, a highly regarded industry research firm.
  • #6: Jobvite was recognized as a leader in the Forrester Wave for Talent Acquisition. Forrester evaluated players in the Talent Acquisition market and narrowed down to 12 vendors based on inclusion criteria such as product fit, customer success and demand for the solution. These 12 vendors were evaluated against Forrester’s 45 criteria that assessed strength of current offering, strategy and market presence. The evaluation process included an in-depth product demonstration and interviews with Jobvite customers. Jobvite emerged as a leader among all vendors.
  • #7: Here is a small sample of Jobvite’s 1900+ customers many of whom are leaders in their space and count on Jobvite to help them stay one step ahead of their recruiting challenges.
  • #8: Add your name and title to this slide. Please do not change fonts or size. A lot of companies make HR platforms that keep track of employees, do training, things related to HR. Any such software has been lumped into HR systems. However, recruiting is an entirely different thing. And it is so important that it deserves its own system.
  • #12: We look after the security OF the cloud, and you look after your security IN the cloud.
  • #24: AWS WAF closer to VPC Infrastructure.
  • #25: Create and use IAM users instead of your root account Grant least privilege Manage permissions with groups Restrict privileged access further with policy conditions Enable AWS CloudTrail to get logs of API calls
  • #31: Keys leaking beyond authorized employees. Keys end up in application logging. Key rotation requirements. Keys in the log files.
  • #32: Keys leaking beyond authorized employees. Keys end up in application logging. Key rotation requirements. Keys in the log files.
  • #33: There are GB to TB of logs flowing through businesses. Who gets notified? What criteria triggers the notification? What grouping of technologies are required to interact with each other to identify and notify properly? How do you sort through all the log events to accurately notify?
  • #34: NOTE: NOT penetration testing. AWS Resource vulnerability scanning and Application vulnerability scanning. Migration to the cloud enabled more rapid deployments. Migration to the cloud enabled code as infrastructure / programmatic infrastructure. How do you ensure that the latest code which was just built and deployed into your CI/CD system doesn’t manipulate AWS resources in a way that opens a security hole?
  • #36: Roles: created by app that exists. Policies: Platform policy, app specific policy.
  • #37: Roles: created by app that exists. Policies: Platform policy, app specific policy.
  • #38: Roles: created by app that exists. Policies: Platform policy, app specific policy.
  • #39: There are GB to TB of logs flowing through businesses. Who gets notified? What criteria triggers the notification? What grouping of technologies are required to interact with each other to identify and notify properly? How do you sort through all the log events to accurately notify?
  • #43: Need to change this slide image…. - GIT to SVN (or we can leave it as GIT I guess) - Change unit tests to Junit tests - Build should point to Maven, not Ant. API call remains after deploy, but it should be an API call to Evident.IO. API call invokes an AWS resources scan on security groups, permissions, vulnerabilities in resource configs, etc. We would also want to introduce a source code based scan for vulnerabilities.... Like we saw last night. Something like CheckMarx.
  • #44: Roles: created by app that exists. Policies: Platform policy, app specific policy.