Modern businesses recognize that one of the greatest challenges they face day to day is meeting the demand for security at speed without jeopardizing protection; this is especially true in high-growth environments. This session delivers IT and security professionals actionable, real-world insights aimed at improving AWS security strategies at minimal cost while delivering high value.
(Source: RSA Conference USA 2017)
3. Beautiful cloud-based accounting software
Connecting people with the right numbers anytime, anywhere, on any device
1,450+ staff globally
$474m raised in capital
$202m subscription revenue FY16
$1tr incoming and outgoing transactions in the past 12 months
450m incoming and outgoing transactions in the past 12 months
All figures shown are in NZD
5. Public Cloud Migration
Supporting the next wave of growth
Reducing our cost to serve
Improving data protection
Eliminating scheduled downtime
Maintaining and improving security
6. Key Challenges
Skills are scarce
Regional representation and recommendations
Application architecture has to change
Automation is key
Third-party commercial models need to change
Need to focus on visibility
7. Challenge #1: Skills are scarce
Make an initial investment in education
Join industry groups and forums
Selective engagement of contractors
Promotion of industry-wide cyber skills
8. Challenge #2: Regional representation and recommendations
Build a strong relationship with AWS
Reach out to your contacts
Look at alternatives
Build a communication path to remote organizations
9. Challenge #3: Application architecture has to change
Work in cross-functional teams
Deliver in short, frequent cycles
Communicate quickly and effectively
Build and deliver “security as a service”
10. Challenge #4: Automation is key
Make automation a core principle
Start with basic use of CloudFormation
Use a code repository
Build a Continuous Integration (CI) and Continuous Delivery (CD) system
11. Challenge #5: Need to focus on visibility
CloudTrail is enabled by default for all accounts
Track configuration drift
Get the development teams invested
Extended into a virtual team
12. Challenge #6: Third-party commercial models need to change
Do what we advise others to do: use the cloud
Work with our technology partners and vendors
Move from perpetual licenses to core-based licenses
Address commercial and legal issues first
15. Key Learnings: Security by design, what’s that?
Build security into every layer
Treat your infrastructure as code
Iterate, iterate, iterate
Build security into the product lifecycle
16. Key Learnings: Communication is key
Make everyone a spokesperson
Evangelize and sell your service
Communicate success (as well as failure)
Documentation is critical
17. Key Learnings: Measure & test, monitor everything
How do you know what normal looks like?
Continually track configuration drift
Do a gap analysis
Perform internal and external testing
18. Key Learnings: Welcome to the cloud, “Where’s my span port?”
Change your way of thinking
Expand your scope of responsibility
It is a shared journey for all
Use cross-functional teams
19. The New Paradigm of Shared Responsibility
Security OF the Cloud (AWS):
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS Foundation Services: Compute, Storage, Database, Networking
Security IN the Cloud (Xero + Partner Ecosystem):
Xero Applications & Content
Identity & Access Control
Network Security
Inventory & Config
Data Encryption
20. Security as a Service
VPN connectivity
Host Based Security
Web Application Security and Delivery
Shared Key Management Services
Secure Bastion Access
Proxy Services
Security Operations and Consulting Services
21. Multi-Factor Authentication
The decision to utilize MFA was a core component of security design
User awareness was initially an issue
Some users refused to utilize the system
Multiple MFA systems already in place
Enable the MFA enhanced features
22. Configuration Drift Management
Finding the needle in an automated, freedom-to-deploy haystack
Used Netflix Security Monkey to track, monitor, and action key AWS resource changes
Watchers configured across all AWS accounts
Started as an internal Cloud Security tool
Adoption was driven by the product teams
Risk and compliance utilization for best-practice review
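As an added illustration of the drift tracking this slide and Challenge #5 describe (not code from the talk, from Xero or from Security Monkey), the following Python check compares a constructed baseline snapshot of an account with a constructed current snapshot and reports CloudTrail, security-group and MFA deviations; the snapshot layout is an assumption made for the example.

```python
"""Constructed configuration-drift check: diff a baseline snapshot of an AWS
account against the current one and report deviations. Sample snapshots are
constructed inline; a real run would load them from the AWS API instead."""
from typing import Dict, List

# Constructed baseline: the approved state of the account.
BASELINE: Dict = {
    "cloudtrail": {"us-east-1": True, "us-west-2": True},
    "security_groups": {
        "sg-web": [("tcp", 443, "0.0.0.0/0")],
        "sg-bastion": [("tcp", 22, "10.0.0.0/8")],
    },
    "iam_users": {"alice": {"mfa": True}, "bob": {"mfa": True}},
}
# Constructed current state: a trail was switched off, SSH on the bastion
# was opened to the world, and a user was created without MFA.
CURRENT: Dict = {
    "cloudtrail": {"us-east-1": True, "us-west-2": False},
    "security_groups": {
        "sg-web": [("tcp", 443, "0.0.0.0/0")],
        "sg-bastion": [("tcp", 22, "10.0.0.0/8"), ("tcp", 22, "0.0.0.0/0")],
    },
    "iam_users": {"alice": {"mfa": True}, "bob": {"mfa": True}, "carol": {"mfa": False}},
}

def detect_drift(baseline: Dict, current: Dict) -> List[str]:
    """Return one finding per deviation from the baseline, in check order."""
    findings: List[str] = []
    # CloudTrail must stay enabled in every region where the baseline had it.
    for region, enabled in baseline["cloudtrail"].items():
        if enabled and not current["cloudtrail"].get(region, False):
            findings.append(f"cloudtrail disabled in {region}")
    # Any ingress rule absent from the baseline is drift; a rule open to
    # 0.0.0.0/0 is rated HIGH so it stands out in the report.
    for sg, rules in current["security_groups"].items():
        known = set(baseline["security_groups"].get(sg, []))
        for proto, port, cidr in rules:
            if (proto, port, cidr) not in known:
                sev = "HIGH" if cidr == "0.0.0.0/0" else "LOW"
                findings.append(f"{sev}: {sg} new ingress {proto}/{port} from {cidr}")
    # MFA on every IAM user was a core design decision, so its absence is drift.
    for user, attrs in current["iam_users"].items():
        if not attrs.get("mfa"):
            findings.append(f"iam user {user} has no MFA device")
    return findings

if __name__ == "__main__":
    for finding in detect_drift(BASELINE, CURRENT):
        print(finding)
```

Running the same check on a schedule and alerting on a non-empty result is the essence of what the Security Monkey watchers on this slide provide.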
23. Host Security Automation
Next layer of defense at the host level
Used to monitor, notify, and action instance-level configurations, vulnerabilities and integrity
Automated roll-out and integration with all hosts
Make use of the cloud
Adopt elasticity and automation
Accelerated pace of development
24. Apply What You Have Learned Today
Week 1:
• Activate multi-factor authentication
• Enable CloudTrail
• Start your first automation!
Month 3:
• Define your principles
• Develop a security architecture
• Start to track your configuration drift
Month 6:
• Measure, test & monitor everything
• Build a culture of communication
• Automate more!