
3 Secrets to Becoming a Cloud Security Superhero


While security is a top concern in every organization these days, it often gets a bad rap. In many minds, security has the reputation of the bothersome villain who attempts to hinder performance or restrain agility. In this session we will outline four strategies to protect your valuable workloads, without falling into traditional security traps. We will walk through three stories of EC2 security superheroes who saved the day by overcoming compliance and design challenges, using a (not so) secret arsenal of AWS and Trend Micro security tools.

Andrew Watts-Curnow, Solutions Architect, Amazon Web Services, ASEAN
Justin Foster, CISSP, Head of Cloud Workload Security, Trend Micro

Published in: Technology


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Paul Hidalgo, Solutions Architect, ASEAN, Trend Micro. 3 secrets to becoming a cloud security superhero
  2. This is you…
  3. Superpower #1: Shapeshift. Design a workload-centric security architecture
  4. Cloud
  5. Before (on-premises): Firewall, IPS, Load Balancer, Web Tier, App Tier, DB Tier
  6. After (AWS): Firewall, IPS, Elastic Load Balancer, Web Tier on EC2, App Tier on EC2, DB Tier, S3, DynamoDB, RDS …, VPC & Security Groups, IAM, CloudTrail
  7. Traditional Responsibility Model: You are responsible for Physical Infrastructure, Network, Virtualization, Operating System, Applications, Data, Service Configuration
  8. Shared Responsibility Model: AWS is responsible for Physical Infrastructure, Network, Virtualization; You are responsible for Operating System, Applications, Data, Service Configuration. More at aws.amazon.com/security
  9. Hybrid IT
  10. Crypt-o
  11. Crypt-o
  12. EC2
  13. Disclosure, then Attack Source IPs at 24h, 48h, 72h – CVE-2014-6271, 7169, 6277, 6278
  14. Disclosure, then Attack Source IPs at 24h, 48h, 72h – CVE-2014-6271, 7169, 6277, 6278
  15. Disclosure, then Attack Source IPs at 24h, 48h, 72h – CVE-2014-6271, 7169, 6277, 6278
  16. Don’t Replicate… Warning: Single Point of Failure, Limited Throughput
  17. Shapeshift. Mission Accomplished: No Single Point of Failure, UN-Limited Throughput
  18. AWS: VPC & Security Groups, S3, DynamoDB, RDS …, Web Tier on EC2, App Tier on EC2, Elastic Load Balancer, IAM, CloudTrail
  19. Shapeshift for Amazon Web Services • Security inside each workload • Protect instance-to-instance traffic • Make it context sensitive (fast and low false-positive) • No bottleneck • No single point of failure = CLOUD FRIENDLY IPS
  20. Superpower #2: Invisibility. Automate and blend in, don’t bolt on
  21. Creating an audit trail, before (on-premises): Servers, Storage Area Network, Firewall, IPS, Central logging, Change Records, Report
  22. Creating an audit trail, after: Payment and Client Data (on-premises); AWS: Amazon CloudTrail, EC2 instances, Central management, Amazon S3, Amazon CloudFront, Amazon RDS; Report
  23. Audit-o: CloudTrail & AWS Config, Security Tools
  24. Make Security Invisible for Amazon Web Services • Build it in, not bolt on • Fully automate security • Automate record keeping for auditors = SECURITY DESIGNED FOR AWS
  25. Superpower #3: X-Ray Vision. Improve visibility of AWS and hybrid environments
  26. Integrity Monitoring
  27. Use X-ray vision on Amazon Web Services • Use Integrity Monitoring and Log Monitoring to see inside instances • Detect suspicious changes that are indicators of compromise and unintended changes = Total visibility
  28. AWS is continuously independently audited (GxP, ISO 13485, AS9100, ISO/TS 16949). AWS Foundation Services: Compute, Storage, Database, Networking. AWS Global Infrastructure: Regions, Availability Zones, Edge Locations. AWS is responsible for the security OF the Cloud
  29. Security is shared between AWS and customers. AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers have their choice of security configurations IN the Cloud: Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection; Platform, Applications, Identity & Access Management; Operating System, Network, & Firewall Configuration; Customer applications & content. Customers and Partner solutions – including Trend Micro
  30. SANS/CIS TOP 20 CRITICAL SECURITY CONTROLS
      1. Inventory of Authorized & Unauthorized Devices
      2. Inventory of Authorized & Unauthorized Software
      3. Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers
      4. Continuous Vulnerability Assessment & Remediation
      5. Controlled Use of Administrative Privileges
      6. Maintenance, Monitoring, & Analysis of Audit Logs
      7. Email and Web Browser Protections
      8. Malware Defenses
      9. Limitation and Control of Network Ports, Protocols, and Services
      10. Data Recovery Capability
      11. Secure Configurations for Network Devices
      12. Boundary Defense
      13. Data Protection
      14. Controlled Access Based on the Need to Know
      15. Wireless Access Control
      16. Account Monitoring & Control
      17. Security Skills Assessment & Appropriate Training to Fill Gaps
      18. Application Software Security
      19. Incident Response Management
      20. Penetration Tests & Red Team Exercises
  31. Better Security
  32. Your new superpowers… Shapeshifting, Invisibility, X-ray Vision
  33. Inspired by real-life Security Superheroes
  34. Gartner Best Practices: Best Practices for Securing Workloads in Amazon Web Services http://bit.ly/1pxaFTL
  35. trendmicro.com/aws
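Slides 26 and 27 name integrity monitoring as the "X-ray vision" that sees inside an instance and flags suspicious changes. The following is an added example, not code from the deck, from AWS or from Trend Micro's products: it shows the core of what a file-integrity monitor does, by snapshotting a directory tree (content hash plus permission bits per file), then diffing a later snapshot to report added, removed, modified and re-permissioned files. The function names (`build_baseline`, `compare`, `demo`) and the miniature "/etc-like" tree built inside a temporary directory are constructed for the illustration.

```python
"""Minimal file-integrity monitor (hypothetical example code).

Baseline a directory tree, take a second snapshot later, and report every
difference. In a real deployment the baseline would be stored off-host and the
comparison run on a schedule; here a demo() builds a small constructed tree
in a temporary directory and simulates the kinds of change the slides call
indicators of compromise or unintended change.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (path relative to root) to its content hash and mode bits."""
    snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            snapshot[rel] = {
                "sha256": hash_file(full),
                "mode": full.stat().st_mode & 0o777,
            }
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; every entry returned is something to alert on."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common
                           if baseline[p]["sha256"] != current[p]["sha256"]),
        "permissions_changed": sorted(p for p in common
                                      if baseline[p]["mode"] != current[p]["mode"]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake config tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssh").mkdir()
        (root / "cron.daily").mkdir()
        files = {
            "ssh/sshd_config": "PermitRootLogin no\n",
            "passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "cron.daily/logrotate": "#!/bin/sh\nlogrotate /etc/logrotate.conf\n",
        }
        for rel, text in files.items():
            (root / rel).write_text(text)
            os.chmod(root / rel, 0o644)  # fixed mode so the demo is deterministic
        baseline = build_baseline(root)

        # Simulated changes after an incident or an unreviewed config push.
        (root / "ssh/sshd_config").write_text("PermitRootLogin yes\n")   # weakened setting
        (root / "cron.daily/zz-unexpected").write_text("#!/bin/sh\necho unexpected job\n")
        (root / "cron.daily/logrotate").unlink()                           # housekeeping job gone
        os.chmod(root / "passwd", 0o666)                                   # made world-writable

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:20s} {paths}")
```

Content hashing catches the weakened `sshd_config` even though its size barely changed, and tracking mode bits separately catches the `passwd` change that a hash-only monitor would miss; both are the "unintended changes" the slide says to surface alongside outright compromise indicators such as the new cron job.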
