AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Work for You

The Amazon Web Services (AWS) cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. However, because you’re building systems on top of the AWS cloud infrastructure, the security responsibilities will be shared: AWS has secured the underlying infrastructure and you must secure anything you put on the infrastructure. Alert Logic has more than a decade of experience implementing cloud solutions that are secure, flexible and designed to work with hosting and cloud service providers.

In this webinar, you'll learn strategies from Alert Logic for making this shared security model work for your web applications. The webinar includes a live demo of Alert Logic Web Security Manager. You'll learn:
- How to access Alert Logic Web Security Manager via AWS Marketplace for the quickest and easiest path to web application protection
- How to integrate web application security in your AWS environment
- An attractive approach to auto scaling web security


  1. Web App Security on AWS: How to Make Shared Security Work for You
  2. Welcome: Ryan Holland, Solutions Architect, Amazon Web Services
  3. Webinar Overview
     - Submit your questions using the Q&A tool.
     - A copy of today's presentation will be made available on:
       AWS SlideShare channel: http://www.slideshare.net/AmazonWebServices/
       AWS webinar channel on YouTube: http://www.youtube.com/channel/UCT-nPlVzJI-ccQXlxjSvJmw
  4. Introducing: Ryan Holland, Solutions Architect, Amazon Web Services; Johnathan Norman, Solutions Architect, Alert Logic
  5. What We'll Cover
     - Amazon Web Services security overview
     - How to access Alert Logic Web Security Manager via AWS Marketplace
     - How to integrate web application security in your AWS environment
     - Q&A
  6. Ryan Holland, Sr Manager, Partner Solution Architects
  7. Security is a shared responsibility between AWS and our customers
     AWS:
     - Foundation Services: Compute, Storage, Database, Networking
     - AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
     - Culture of security and continual improvement
     - Ongoing audits and assurance
     - Protection of large-scale service endpoints
     Customers:
     - Client-side data encryption, server-side data encryption, network traffic protection
     - Platform, applications, identity & access management
     - Operating system, network & firewall configuration
     - Customer content
     - Customers configure AWS security features
     - Get access to a mature vendor marketplace
     - Can implement and manage their own controls
     - Gain additional assurance above AWS controls
  8. Every customer has access to the same security capabilities
     AWS maintains a formal control environment:
     - SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS 70)
     - SOC 2 Security
     - ISO 27001 certification
     - Certified PCI DSS Level 1 Service Provider
     - FedRAMP (FISMA), ITAR, FIPS 140-2
     - HIPAA and MPAA capable
     (Covers the Foundation Services: Compute, Storage, Database, Networking; and the AWS Global Infrastructure: Regions, Availability Zones, Edge Locations)
  9. Let AWS take care of the heavy lifting for you
     AWS: facilities, physical security, compute infrastructure, storage infrastructure, network infrastructure, virtualization layer (EC2), hardened service endpoints, rich IAM capabilities
     + Customer: network configuration, security groups, OS firewalls, operating systems, applications, proper service configuration, AuthN & account management, authorization policies
     = Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.
  10. AWS partners can help you build secure solutions
      AWS: facilities, physical security, compute infrastructure, storage infrastructure, network infrastructure, virtualization layer (EC2), hardened service endpoints, fine-grained IAM capability
      + AWS partner solutions: WAF, VPN, IPS, AV, API gateways, data encryption, user management (these products and more are available on the AWS Marketplace)
      = Your secure AWS solutions
  11. Public Cloud Security - AWS: Johnathan Norman, Cloud Solutions Architect
  12. The Web Application Attack Threat
      Web application attacks are prevalent and dangerous:
      - Half of all environments will be impacted by web application attacks 30 times in a year [1]
      - 83% of websites have at least one serious vulnerability [2]
      - Web-based attacks increased 30% in 2012 [3]
      - Web application security measures are required by PCI DSS
      Application vulnerabilities are common:
      - On average, 12.1 security issues affect every web application [4]
      - The average web site has 56 serious vulnerabilities [5]
      - The application layer is responsible for over 90% of all security vulnerabilities [6]
      Sources:
      [1] Alert Logic, State of Cloud Security, Spring 2013
      [2] Frost & Sullivan, The Growing Hacking Threat to Websites
      [3] Symantec Corporation, Internet Security Threat Report 2013
      [4] Context Information Security, Web Application Vulnerability Statistics 2013
      [5] WhiteHat, Website Security Report, May 2013
      [6] Ponemon Institute, The State of Application Security, August 2013
  13. Public Cloud Shared Security Model
      Cloud service provider responsibility (Foundation Services: Compute, Storage, DB, Network):
      - Logical network segmentation
      - Perimeter security services
      - External DDoS, spoofing, and scanning prevented
      - Hardened hypervisor
      - System image library
      - Root access for customer
      Customer responsibility:
      - Hosts: access management, patch management, configuration hardening, security monitoring, log analysis
      - Apps: secure coding and best practices, software and virtual patching, configuration management, access management, application-level attack monitoring
      - Networks: network threat detection, security monitoring
  14. Example: SQL Injection
      A customer makes selections in a shopping cart application (…/showitem.asp): Choose a category: Winter Coats (Group=10); Select an item: Fleece Jacket (Item=4534).
  15. Example: SQL Injection
      The user's choices are translated into application input: …/showitem.asp?group=10&item=4534
  16. Example: SQL Injection
      An attacker injects harmful code into the URL: …/showitem.asp?group=10&item=4534;drop table products
      Because the application concatenates the unvalidated item parameter into its SQL statement, a database driver that accepts stacked (semicolon-separated) statements runs the DROP TABLE after the intended SELECT.
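The attack on slides 14 to 16, carried through in code as an added example (this is not code from the webinar or from Alert Logic): the vulnerable showitem handler that formats the raw query-string values into its SQL, next to a hardened version that validates the ids and binds them as parameters. The products table, its rows and the function names are assumptions. Python's sqlite3 refuses more than one statement per execute(), so the vulnerable function splits on ';' to simulate a driver, such as classic ASP/ADO against SQL Server, that runs stacked statements in one call.

```python
"""Added example (not from the webinar): the showitem.asp SQL injection
from the slides, reproduced against an in-memory SQLite database.
The table layout, product rows and function names are assumptions."""
import sqlite3


def make_db():
    """Create a constructed products table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, grp INTEGER, name TEXT);
        INSERT INTO products VALUES (4534, 10, 'Fleece Jacket');
        INSERT INTO products VALUES (4535, 10, 'Winter Parka');
        """
    )
    return conn


def table_exists(conn, name="products"):
    """True if the named table is still present in the schema."""
    cur = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    )
    return cur.fetchone() is not None


def show_item_vulnerable(conn, group, item):
    """Deliberately vulnerable: statement text built from raw input.

    The loop simulates a driver that executes ';'-separated stacked
    statements; the caller sees the result of the last statement only."""
    sql = f"SELECT name FROM products WHERE grp = {group} AND id = {item}"
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            rows = conn.execute(stmt).fetchall()
    return [r[0] for r in rows]


def show_item_safe(conn, group, item):
    """Hardened: validate the shape of each input (ids are integers), then
    bind the values as parameters so the statement text never changes."""
    try:
        group_id, item_id = int(group), int(item)
    except (TypeError, ValueError):
        raise ValueError("group and item must be integer ids") from None
    cur = conn.execute(
        "SELECT name FROM products WHERE grp = ? AND id = ?", (group_id, item_id)
    )
    return [r[0] for r in cur.fetchall()]


if __name__ == "__main__":
    benign = ("10", "4534")
    attack = ("10", "4534;drop table products")  # the payload from slide 16

    db = make_db()
    print(show_item_vulnerable(db, *benign))  # ['Fleece Jacket']
    show_item_vulnerable(db, *attack)
    print("products table survives:", table_exists(db))  # False

    db = make_db()
    print(show_item_safe(db, *benign))  # ['Fleece Jacket']
    try:
        show_item_safe(db, *attack)
    except ValueError as exc:
        print("rejected:", exc)
    print("products table survives:", table_exists(db))  # True
```

Parameter binding alone would already stop the payload (a bound string never becomes part of the statement text); the integer check in front of it rejects the request outright, which is the same positive-security idea a WAF applies at the edge.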
  17. Result: Downtime, Data Loss (Source: Verizon Data Breach Investigations Report, 2013)
  18. Solutions Address Specific Compliance Mandates
      Alert Logic Web Security Manager
      - PCI DSS: 6.5.d Have processes in place to protect applications from common vulnerabilities such as injection flaws, buffer overflows and others; 6.6 Address new threats and vulnerabilities on an ongoing basis by installing a web application firewall in front of public-facing web applications.
      - SOX (COBIT control objectives): DS 5.10 Network Security; AI 3.2 Infrastructure Resource Protection and Availability
      - HIPAA & HITECH: 164.308(a)(1) Security Management Process; 164.308(a)(6) Security Incident Procedures
      Alert Logic Log Manager
      - PCI DSS: 10.2 Automated audit trails; 10.3 Capture audit trails; 10.5 Secure logs; 10.6 Review logs at least daily; 10.7 Maintain logs online for three months and retain audit trail for at least one year
      - SOX (COBIT control objectives): DS 5.5 Security Testing, Surveillance and Monitoring
      - HIPAA & HITECH: 164.308(a)(1)(ii)(D) Information System Activity Review; 164.308(a)(6)(i) Login Monitoring; 164.312(b) Audit Controls
      Alert Logic Threat Manager
      - PCI DSS: 5.1.1 Monitor zero-day attacks not covered by anti-virus; 6.2 Identify newly discovered security vulnerabilities; 11.2 Perform network vulnerability scans quarterly by an ASV or after any significant network change; 11.4 Maintain IDS/IPS to monitor and alert personnel; keep engines up to date
      - SOX (COBIT control objectives): DS 5.9 Malicious Software Prevention, Detection and Correction; DS 5.6 Security Incident Definition; DS 5.10 Network Security
      - HIPAA & HITECH: 164.308(a)(1)(ii)(A) Risk Analysis; 164.308(a)(1)(ii)(B) Risk Management; 164.308(a)(5)(ii)(B) Protection from Malicious Software; 164.308(a)(6)(iii) Response & Reporting
      All three are backed by the Alert Logic Security Operations Center, providing monitoring, protection, and reporting.
  19. Alert Logic Web Security Manager WAF: Active Protection for Web Applications, Management Included
      - Positive & negative security: active protection using signatures and a leading learning engine
      - Key compliance coverage: supports PCI DSS 6.6 and the OWASP Top 10 risks
      - Management included: 24x7 management by experienced security analysts
      - AWS Auto Scaling: protection scales dynamically with your web apps
      - Security where you need it: works wherever you have your datacenter
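The positive and negative security models named on this slide, as an added illustration that is not Alert Logic's code or rule set: a toy request filter run over the query strings from the SQL injection slides. The signature list, the per-path parameter profile (standing in for what a learning engine would derive from legitimate traffic) and the function names are all assumptions. A production WAF normalises and decodes the request before signature matching; this toy deliberately matches signatures on the raw query string to show why a learned profile catches what an incomplete signature set misses.

```python
"""Added example (not from the webinar or Alert Logic): positive versus
negative security on the showitem.asp requests from the slides.
Signatures, the parameter profile and function names are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Negative security: block requests that match known-bad patterns.
# Deliberately tiny; a real rule set has thousands of signatures.
SIGNATURES = [
    re.compile(r";\s*(drop|alter|truncate)\s+table\b", re.IGNORECASE),
    re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE),
    re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
]

# Positive security: per-path allow-list of parameter names and the shape
# each may take (hand-written here; a learning engine would derive it).
PROFILE = {
    "/showitem.asp": {"group": r"\d{1,6}", "item": r"\d{1,8}"},
}


def negative_check(url):
    """Signature matching on the raw query string. Returns (allowed, reason)."""
    query = urlsplit(url).query
    for sig in SIGNATURES:
        if sig.search(query):
            return False, f"signature matched: {sig.pattern}"
    return True, "no signature matched"


def positive_check(url):
    """Allow only requests whose path and every parameter fit the profile."""
    parts = urlsplit(url)
    profile = PROFILE.get(parts.path)
    if profile is None:
        return False, f"unknown path {parts.path}"
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for name, values in params.items():
        if name not in profile:
            return False, f"unexpected parameter {name!r}"
        for value in values:
            if not re.fullmatch(profile[name], value):
                return False, f"parameter {name!r} does not fit profile"
    return True, "request matches profile"


def waf_decision(url):
    """Combine both models: a request must pass the negative AND positive checks."""
    allowed_neg, why_neg = negative_check(url)
    allowed_pos, why_pos = positive_check(url)
    return allowed_neg and allowed_pos, f"negative: {why_neg}; positive: {why_pos}"


REQUESTS = [  # constructed sample requests
    "/showitem.asp?group=10&item=4534",                            # slide 15, legitimate
    "/showitem.asp?group=10&item=4534;drop table products",        # slide 16 payload
    "/showitem.asp?group=10&item=4534%3Bdrop%20table%20products",  # same payload, percent-encoded
]

if __name__ == "__main__":
    for url in REQUESTS:
        allowed, reason = waf_decision(url)
        print("ALLOW" if allowed else "BLOCK", url, "->", reason)
```

The percent-encoded variant slips past the raw-string signature (negative model) but still fails the profile, because parse_qs decodes the value before it is compared against the allowed shape. That asymmetry is why a WAF that only ships signatures needs constant rule updates, while a profile learned from real traffic rejects anything it has not seen as legitimate.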
  20. Engineered for AWS Environments
      Engineered for AWS:
      - Supports auto-scaling & role aware
      - Automatable with APIs and scripts
      - Available across multiple regions
      - Manageable at scale
      - IP address & topology independent
      Runs on AWS:
      - Usage-based utility pricing
      - Marketplace transactable
      - AMI and agent deployment options
      - Network and system visibility
      - Proven reference architectures
  21. Web Security Manager Demo
  22. AWS Infrastructure (reference diagram)
      Web traffic enters through Elastic Load Balancers and is spread across web servers inside a VPC spanning Availability Zones A and B; the web tier reads from database read replicas, which are kept in sync by replication from the database master.
  23. AWS Infrastructure + Web Security Manager (reference diagram)
      Diagram elements: Web Traffic -> Elastic Load Balancer -> Web Security Manager Workers -> Elastic Load Balancers -> Web Servers -> App Servers -> Databases (with replication), inside a VPC spanning Availability Zones A and B; a Configuration Master with Auto Recover that keeps its configuration in Amazon S3; Alert Logic Management.
  24. Web Security Manager Free Trial
  25. WAF Free Trial on AWS Marketplace: visit AWS Marketplace for the free trial, June 10th – July 10th
  26. Thank You: Johnathan Norman, Cloud Solutions Architect
  27. Contacts and Q&A. Alert Logic info: info@alertlogic.com. AWS contact: aws.amazon.com/contact-us
