AWS Chicago user group meetup on June 24, 2014


Published on

All presentation slides for the Chicago AWS user group meetup held at Mediafly on June 24, 2014. Thanks to speakers:
Ben Hagen, Senior Cloud Security Engineer at Netflix @benhagen
Bryan Murphy, Technical Architect at Mediafly @bryanmurphy
Aaron Botsis, Lead Product Manager at ThreatStack @aaronb
Mattew Long, Founder and CEO at roZoom, Inc @mlong168

Thanks to sponsors:
Hosts: Mediafly
Beers and drinks: ThreatStack
Pizza: el el see
Organizers: CohesiveFT

See you in July!
RSVP here:

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

AWS Chicago user group meetup on June 24, 2014

  1. 1. Organizer ! Margaret Walker
 CohesiveFT ! ! Tweet: @MargieWalker
 #AWSChicago Sponsored by Hosted by #AWSChicago
  2. 2. ! AWS Chicago Meetup ! July?
  3. 3. 6:00 pm Introductions 6:10 pm Lightning Talks ! Live from DC! - Ben Hagen, Senior Cloud Security Engineer at Netflix @benhagen "Securing your AWS installation" - Bryan Murphy,Technical Architect at Mediafly @bryanmurphy "Advanced Monitoring and Detection on Linux-based workloads in AWS" - Aaron Botsis, Lead Product Manager at ThreatStack @aaronb "AWS Security best practices" - Mattew Long, Founder and CEO at roZoom, Inc @mlong168 ! 6:30 pm Q & A 7:00 pm Networking, drinks and pizza Agenda Sponsored by Hosted by #AWSChicago
  4. 4. “Live from DC!” ! Ben Hagen Senior Cloud Security Engineer at Netflix ! Tweet: @benhagen
 #AWSChicago ! Sponsored by Hosted by #AWSChicago
  5. 5. “Securing your AWS installation” ! Bryan Murphy Technical Architect at Mediafly ! Tweet: @bryanmurphy
 #AWSChicago ! Sponsored by Hosted by #AWSChicago
  6. 6. Safe Harbor Statement: Our discussions may include predictions, estimates or other information that might be considered forward-looking. While these forward-looking statements represent our current judgment on what the future holds, they are subject to risks and uncertainties that could cause actual results to differ materially. You are cautioned not to place undue reliance on these forward-looking statements, which reflect our opinions only as of the date of this presentation. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forward- looking statements in light of new information or future events. Throughout today’s discussion, we will attempt to convey some important factors relating to our business that may affect our predictions. © 2006-2014 Mediafly, Inc. | Confidential Infrastructure Security Best Practices On Amazon Web Services Bryan Murphy
  7. 7. © 2006-2014 Mediafly, Inc. | Confidential Mediafly, Inc. Technical Architect Back-end services, video processing, scaling and architecture Mobitrac, Inc. Senior Developer Travelling salesman problem, routing algorithms, and mapping RBC/Centura Mortgage Lead Web Developer Online loan officer hosting platform and rate search engine Who am I?
  8. 8. © 2006-2014 Mediafly, Inc. | Confidential Who are we? “The Content Mobility Cloud” We process and store highly sensitive content for Fortune 500 customers, and deliver that content to white-labeled mobile apps and the web • Sales presentations and selling collateral • Pre-release/pre-air video Customers include: • Global banks • Leading consumer-packaged goods companies • TV and theatrical studios Small, passionate, growing team • We are hiring! Search mediafly careers
  9. 9. © 2006-2014 Mediafly, Inc. | Confidential Infrastructural Security Three major areas: Content Infrastructure Operations ● Keeping content encrypted from ingest through delivery ● E.g. key exchange, at-rest encryption, DRM, more ● Hardening server security while ensuring reliability, performance and low cost ● E.g. users and roles, VPC, server bootstrapping ● Ensuring procedures and personnel keep content secure ● E.g. managing account termination, principles of least privilege
  10. 10. © 2006-2014 Mediafly, Inc. | Confidential Secure All Communication The cloud is a hostile environment • Service limitations (no private load balancers, security group limits) • Network limitations (no multicast, no shared ip addresses, etc.) • Noisy neighbors • Malicious third parties What to do: • SSL/TLS everywhere • Encrypt: transports, configuration, data, binaries • Use standard tools (openssl/gnupg) • Implement authorization for internal services
  11. 11. © 2006-2014 Mediafly, Inc. | Confidential Authorization and Access Control Restricted Access • Many credentials, limited permissions • Restricted one-time-use accounts or accounts with expiration where possible Protecting Credentials • Use public key cryptography • Store encrypted credentials in source control IAM Accounts vs. Roles • Roles: good for isolated servers, boot • Accounts: good for services, users DENIED!
  12. 12. © 2006-2014 Mediafly, Inc. | Confidential Isolate Services and Customers Isolation • Isolate services and environments from each other using bulkheads • Examples: VPN, ssh proxy, REST API, message queues Stateless Servers • Deliver credentials as needed using public key cryptography • Execute in sandbox • Purge sandbox on completion
  13. 13. © 2006-2014 Mediafly, Inc. | Confidential Verification Automated Security Testing Regular Audits • Manual internal audits • Third party automated testing • Third party security audits Logging Monitoring
  14. 14. © 2006-2014 Mediafly, Inc. | Confidential Infrastructural Security is a Balancing Act Secure Flexible
  15. 15. © 2006-2014 Mediafly, Inc. | Confidential Thank you! Bryan Murphy
  16. 16. “Advanced Monitoring and Detection on Linux-based workloads in AWS” ! Aaron Botsis Lead Product Manager at ThreatStack ! Tweet: @aaronb
 #AWSChicago ! Sponsored by Hosted by #AWSChicago
  17. 17. ADVANCED SECURITY MONITORING FOR THE CLOUD Aaron Botsis @aaronb, @threatstack
  18. 18. who is logging into my (machines|applications|SaaS accounts) ! what are they are running ! of running apps, what are making network activity, and where ! every kernel module loaded every library every file created/modified/removed everything!!!! but why stop there?
  19. 19. but aaron, why?
  20. 20. ! prevention fails
  21. 21. thanks, aaron
  22. 22. step 1: audit all of the things logins processes network activity file access kernel modules shared libraries
  23. 23. // `curl` emits this: ! { id: 1018103008, start: 1399236274, end: 1399236275, duration: 1, protocol: 'tcp', byte_count: 1195, packet_count: 11, src_ip_numeric: 3232300674, dst_ip_numeric: 1127355157, src_ip: '', dst_ip: '', src_port: 37814, dst_port: 80 } by thinking inside the box
  24. 24. step 2: build behavior profiles does apache always spawn a shell? does that shell always switch privs to root? does root always make network connections to China?
  25. 25. thinking outside the box
  26. 26. step 3: anomalies help prevent devs know app best behavior deviations help identify attack new vectors create rules to looks for known misbehavior disable behavioral detection programmatically
  27. 27. Why DevOps.! (…a tangent)
  28. 28. bonus: detection
  29. 29. thank you.
  30. 30. “AWS Security best practices” ! Mattew Long Founder and CEO at roZoom, Inc ! Tweet: @mlong168
 #AWSChicago ! Sponsored by Hosted by #AWSChicago
  31. 31. About Me President & CEO @roZoom Twitter @mlong168 Linkedin:
  32. 32. AWS Security: Act One
  33. 33. To ensure a secure global infrastructure, AWS configures infrastructure components and provides services and features you can use to enhance security, such as the Identity and Access Management (IAM) service, which you can use to manage users and user permissions in a subset of AWS services. To ensure secure services, AWS offers shared responsibility models for each of the different type of service that we offer: ● Infrastructure services ● Container services ● Abstracted services
  34. 34. Infrastructure Services
  35. 35. Container Services
  36. 36. Abstracted Services
  37. 37. Security Best Practices AWS Management Console/IAM
  38. 38. Security Best Practices AWS Management Console: Enable Two Factor Authentication
  39. 39. Security Best Practices AWS OS-Level Access to EC2 ● Options for security of encryption keys: ○ Store of on encrypted media ○ CloudHSM ○ LDAP/IAM Bridge: ○ Gazzang: ● Options for Os-Level Authentication ○ LDAP/Active Directory/Kerbose, etc.. ○ Two-Factor auth: Google Authenticator (http: //,Wikid, RSA ○ LDAP/IAM Bridge:
  40. 40. Security Best Practices Protecting Data at Rest For regulatory or business requirement reasons, you might want to further protect your data at rest stored in Amazon S3, on Amazon EBS, Amazon RDS, or other services from AWS. ● Accidental information disclosure ● Data integrity compromise ● Accidental deletion ● System, infrastructure, hardware or software availability
  41. 41. Security Best Practices Protecting Data at Rest: S3
  42. 42. Security Best Practices Protecting Data at Rest: EBS
  43. 43. Security Best Practices Protecting Data at Rest: RDS/Databases/EMR,etc ● Ensure you encrypt any sensitive information on disk or at the database level ● Always segment out data layer from application layer ● If access if require from outside of AWS regions or network, make sure you use SSL or VPC to encrypt data
  44. 44. Security Best Practices Protecting Data in Transit
  45. 45. Security Best Practices Network Layering
  46. 46. Security Best Practices Other Topics ● DDoS Protection: Black Swan, Cloudflare, Cloudfront ● Monitoring and Alerting: Garylog2, Fluentd, Splunk, Cloudtrail ● Unified Threat Management : AlienVault ● Vulnerability Scanning: MetaSploit, Nessus ● IDS: Snort, OSSEC ● Web Application Firewalls: Imperva, Modsecurity ● Data Loss Prevention ● AWS VPC or Direct connect for on-premise network access ● AWS Trusted Advisor Scanning or Nessus
  47. 47. Credits Credits go to the following: AWS Security Best Practices: http://bit. ly/T97y3I
  48. 48. Q & A ! ! Pizza’s almost here! ! ! Sponsored by Hosted by #AWSChicago