
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Customers (SEC305)


Cloud computing offers many advantages, such as the ability to scale your web applications or website on demand. But how do you scale your security and compliance infrastructure along with the business? Join this session to understand best practices for scaling your security resources as you grow from zero to millions of users. Specifically, you learn the following:

How to scale your security and compliance infrastructure to keep up with a rapidly expanding threat base.
The security implications of scaling for numbers of users and numbers of applications, and how to satisfy both needs.
How agile development with integrated security testing and validation leads to a secure environment.
Best practices and design patterns of a continuous delivery pipeline and the appropriate security-focused testing for each.
The necessity of treating your security as code, just as you would do with infrastructure.

The services covered in this session include AWS IAM, Auto Scaling, Amazon Inspector, AWS WAF, and Amazon Cognito.

Published in: Technology


  1. SEC305: Scaling Security Resources for Your First 10 Million Customers. Eugene Yu (AWS Managing Consultant), Eric Gifford (Cambia Security Architect), Brad Davidson (Cambia Security Engineer). November 29, 2016. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. What to expect from the session • Scale your security and compliance infrastructure • Agile development with integrated security testing and validation • Treating your security as code
  3. How do you scale your security resources? (chart axes: workload, customers)
  4. No customers, one workload (chart: workload, customers, security resources)
  5. More customers, more workloads: security appliances, bigger boxes (chart: workload, customers, security resources)
  6. More customers, more workloads: more security appliances, bigger boxes, increased security staff (chart: workload, customers)
  7. Scaling is hard… more customers, more workloads (chart: workload, customers, security resources)
  8. Security resources must scale to keep pace with the business. Services shown: AWS CloudTrail, Amazon Inspector, Amazon VPC, AWS WAF, AWS IAM, AWS Key Management Service, server-side encryption, Encryption SDK
  9. WhatsCat™: Connecting One Cat at a Time (app mock-up: "LOL cats »")
  10. Application Development: simple social media application for cats (app mock-up: "LOL cats »")
  11. Let’s hope this mobile app is successful… (app mock-up: "LOL cats »")
  12. WhatsCat™ Launch Day (0 cats): one AWS account, one workload (Amazon EC2 instance, Amazon Route 53). Time to establish baseline security.
  13. Core Security Control: AWS IAM (diagram: workload with Amazon EC2 instance and Amazon Route 53; AWS IAM with MFA token; developer and network user)
  14. Core Security Control: Amazon VPC (diagram: workload with Amazon EC2 instance and Amazon Route 53)
  15. Core Security Control: Security Groups (same workload diagram)
  16. Core Security Control: AWS CloudTrail (diagram: workload; AWS CloudTrail delivering logs to Amazon S3)
  17. Core Security Control: Amazon CloudWatch (diagram: workload; Amazon CloudWatch)
  18. Cats > 1000 (WhatsCat™)
  19. Adding a New Feature: sharing photos with other cats (app mock-up: "LOL cats »", "Cat photos »")
  20. Resiliency: multiple Availability Zones (diagram: Amazon Route 53, Elastic Load Balancing, a web instance and an Amazon RDS DB instance active (Multi-AZ) in one Availability Zone, a web instance and an Amazon RDS DB instance standby (Multi-AZ) in a second Availability Zone)
  21. Auto Scaling: configure Auto Scaling to handle increased traffic (same Multi-AZ diagram)
  22. Data Protection (same Multi-AZ diagram, with AWS KMS and Amazon S3 added)
  23. SEC305 - Scaling Security Resources for Your First 10 Million Customers. Our story. Presenters: Eric Gifford (Security Architect), Brad Davidson (Security Engineer). © 2014 Cambia Health Solutions, Inc.
  24. Our Cause • Cambia: born from an inspired idea • Catalyst -> transform healthcare • Person-focused and economically sustainable • Embracing cloud innovation to provide personalized and intuitive experiences • On AWS: web applications, microservices, data lake, data science capabilities. © 2016 Cambia Health Solutions, Inc.
  25. Cloud Security & Automation Principles • Embrace HIPAA-compliant cloud and DevOps • Automation: reduce deviations and risk • Leverage the shared responsibility model by aligning to serverless and managed services • Build guardrails, not gates! • Continuously monitor
  26. (diagram slide, no text)
  27. Continuously monitor cloud environments: λ functions to detect non-compliance: 1) MFA disabled 2) Unauthorized region 3) CloudTrail disabled 4) VPC flow logs disabled. And more…
  28. A good start? Pros • Simple • Independent λ functions. Cons • Customization in each λ • Lack of context in CloudTrail events. How to address this? Keep building!
  29. Decouple & scale • Move to a 3-tier Lambda • Design for: efficiency, context, flexibility
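The three-tier detection function that slides 27 to 29 describe, as an added example written for this page; it is not code from the deck or from Cambia. Tier one normalises a raw CloudTrail record, tier two enriches it from a (constructed) account inventory so a finding carries context the raw event lacks, and tier three matches the enriched event against one central rule table instead of logic copied into each λ. The record field names (eventName, eventSource, awsRegion, recipientAccountId, userIdentity, readOnly) are the real CloudTrail ones; the API names chosen to represent each of the four conditions, the allowed-region list, the account inventory and the sample records are all assumptions constructed for the example, and `handler`'s dry-run flag is a sketch of the "simulation mode" mentioned on slide 32.

```python
"""Policy-driven CloudTrail compliance detector (added example, not the deck's code)."""
import json

# Tier 3 data: one central rule table. Each rule names the API calls taken here
# to indicate the slide-27 condition (constructed mapping, adjust to taste).
RULES = {
    "mfa_disabled": {
        "eventSource": "iam.amazonaws.com",
        "eventNames": {"DeactivateMFADevice", "DeleteVirtualMFADevice"},
        "severity": "high",
    },
    "cloudtrail_disabled": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventNames": {"StopLogging", "DeleteTrail"},
        "severity": "critical",
    },
    "vpc_flow_logs_disabled": {
        "eventSource": "ec2.amazonaws.com",
        "eventNames": {"DeleteFlowLogs"},
        "severity": "high",
    },
}

# Regions the organisation has approved (assumption); anything else is "unauthorized region".
ALLOWED_REGIONS = {"us-west-2", "us-east-1"}

# Tier 2 data: constructed enrichment inventory; in production a small database.
ACCOUNT_INVENTORY = {
    "111111111111": {"name": "whatscat-prod", "owner": "platform-team"},
}


def normalise(raw):
    """Tier 1: pull only the fields the rules need out of a raw CloudTrail record."""
    ident = raw.get("userIdentity", {})
    return {
        "eventName": raw.get("eventName"),
        "eventSource": raw.get("eventSource"),
        "region": raw.get("awsRegion"),
        "account": raw.get("recipientAccountId"),
        "principal": ident.get("arn") or ident.get("userName") or ident.get("type"),
        "time": raw.get("eventTime"),
        "readOnly": bool(raw.get("readOnly", False)),
    }


def enrich(event):
    """Tier 2: attach account name and owner so a finding is actionable on its own."""
    info = ACCOUNT_INVENTORY.get(event["account"], {"name": "unknown", "owner": "unknown"})
    return {**event, "accountName": info["name"], "owner": info["owner"]}


def evaluate(event):
    """Tier 3: return the ids of every rule the enriched event matches."""
    hits = []
    for rule_id, rule in RULES.items():
        if event["eventSource"] == rule["eventSource"] and event["eventName"] in rule["eventNames"]:
            hits.append(rule_id)
    # The region rule applies to any mutating call made outside the approved list.
    if not event["readOnly"] and event["region"] not in ALLOWED_REGIONS:
        hits.append("unauthorized_region")
    return hits


def handler(cloudtrail_record, dry_run=False):
    """Lambda-style entry point: findings for one record.
    dry_run mirrors the slides' "simulation mode": evaluate, but mark as not enforced."""
    event = enrich(normalise(cloudtrail_record))
    return [
        {"rule": rule_id,
         "severity": RULES.get(rule_id, {}).get("severity", "medium"),
         "account": event["accountName"], "owner": event["owner"],
         "principal": event["principal"], "region": event["region"],
         "enforced": not dry_run}
        for rule_id in evaluate(event)
    ]


# Constructed sample records shaped like CloudTrail events (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2016-11-29T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-west-2", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2016-11-29T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-south-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2016-11-29T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-west-2", "readOnly": True,
     "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

if __name__ == "__main__":
    for record in SAMPLE_EVENTS:
        print(json.dumps(handler(record), indent=2))
```

Because the rule table and the enrichment inventory are data rather than code, the slide-31 points follow naturally: rules are added centrally, the enrichment store can be refreshed on its own schedule, and regression testing is a matter of replaying stored records through `handler` and comparing the findings.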
  30. (diagram slide, no text)
  31. Good enough? Pros • Enrich event data for granularity • Centralize policy/signature database • Optimize λ for speed. Cons • Complex to use, support, and maintain • Need for regression testing. How to turn over to Ops and let them operate? Keep building!
  32. What’s next for us? • UI to manage policies, dashboard for reporting • “Simulation mode” (aka dry run) • Keep enrichment DB current • Integration with ticketing systems • Apply secure configurations at creation • VPC Flow Logs + threat intel?
  33. Demo time!
  34. Cats > 100,000 (WhatsCat™)
  35. Adding a New Feature: simple social media application for cats (app mock-up: "LOL cats »", "Cat photos »", "Cats near me (4) »")
  36. Security Infrastructure as Code • Manage security infrastructure just like your business workloads • Strong change management process (AWS CodeCommit)
  37. Security Infrastructure as Code: AWS CodeCommit holds the security infrastructure code • IAM, VPC, logging, application • Security architecture document • Threat modeling analysis • Security controls document
  38. Security Infrastructure as Code, three stacks: IAM stack (IAM configuration with custom policies, groups, and roles); Infrastructure stack (VPC, security groups, network ACLs, NAT gateway configuration); Logging stack (AWS CloudTrail, Amazon S3 buckets and bucket policies for logging and archive data, Amazon CloudWatch alarms for security-related CloudTrail events)
  39. Why Security Infrastructure as Code? • Assurance and visibility • Traceability and change management • Knowledge management • Version and source control
  40. Security CI/CD Pipeline • Integrates and delivers your workloads • Is your most sensitive security workload (pipeline inputs: app code, infrastructure code, security code; output: product release)
  41. Security of the CI/CD pipeline: securing the application starts with securing the pipeline • Least privilege access • Logging and monitoring of the pipeline (AWS IAM, AWS CloudTrail, Amazon CloudWatch)
  42. Security in the CI/CD pipeline: integrated security testing and validation • Security unit tests (security and compliance unit tests) • Vulnerability management (Amazon Inspector)
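What a "security and compliance unit test" stage (slide 42) can look like when the IAM, infrastructure and logging stacks of slide 38 are expressed as a template: an added example written for this page, not code from the deck. It walks a CloudFormation-style template and fails the stage on an IAM statement that grants everything, a security group that exposes an admin port to 0.0.0.0/0, or a trail that is off, not tamper-evident, or single-region. The resource types and property names (`AWS::IAM::ManagedPolicy`/`PolicyDocument`, `AWS::EC2::SecurityGroup`/`SecurityGroupIngress`, `AWS::CloudTrail::Trail`/`IsLogging`, `EnableLogFileValidation`, `IsMultiRegionTrail`) are the real CloudFormation ones; the template contents, the check ids and the port list are constructed for the example.

```python
"""Security unit tests over infrastructure code (added example, not the deck's code)."""
import json

ADMIN_PORTS = {22, 3389}  # ports treated as admin-only for the example


def _as_list(value):
    """CloudFormation allows a scalar or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def check_iam_policy(logical_id, policy_doc):
    """Flag Allow statements that grant every action, or a whole service, on every resource."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append((logical_id, "iam-admin-wildcard",
                             "Allow statement grants Action '*' on Resource '*'"))
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            wide = sorted(a for a in actions if a.endswith(":*"))
            findings.append((logical_id, "iam-service-wildcard",
                             f"service-wide actions {wide} on Resource '*'"))
    return findings


def check_security_group(logical_id, props):
    """Flag ingress rules that expose an admin port (or all traffic) to the whole internet."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") != "0.0.0.0/0":
            continue
        proto = rule.get("IpProtocol")
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if proto == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append((logical_id, "sg-open-admin-port",
                             f"0.0.0.0/0 may reach {proto} {lo}-{hi}"))
    return findings


def check_cloudtrail(logical_id, props):
    """Require the trail to be logging, tamper-evident and multi-region."""
    findings = []
    if not props.get("IsLogging", False):
        findings.append((logical_id, "trail-not-logging", "IsLogging is not true"))
    if not props.get("EnableLogFileValidation", False):
        findings.append((logical_id, "trail-no-validation", "EnableLogFileValidation is not true"))
    if not props.get("IsMultiRegionTrail", False):
        findings.append((logical_id, "trail-single-region", "IsMultiRegionTrail is not true"))
    return findings


# Resource type -> check; extend this table rather than the pipeline script.
CHECKS = {
    "AWS::IAM::ManagedPolicy": lambda lid, p: check_iam_policy(lid, p.get("PolicyDocument", {})),
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::CloudTrail::Trail": check_cloudtrail,
}


def run_security_unit_tests(template):
    """Return every finding over the template's Resources; an empty list means the stage passes."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(logical_id, res.get("Properties", {})))
    return findings


# Constructed template: one finding of each kind plus a clean resource.
TEMPLATE = {"Resources": {
    "DeployerPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    "PhotoReadPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::whatscat-photos/*"}]}}},
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AuditTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
        "IsLogging": True, "IsMultiRegionTrail": True, "S3BucketName": "whatscat-trail-logs"}},
}}

if __name__ == "__main__":
    results = run_security_unit_tests(TEMPLATE)
    for finding in results:
        print(json.dumps(finding))
    raise SystemExit(1 if results else 0)  # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the non-zero exit blocks the release before the stack is created, which is the "guardrails, not gates" point: the rule set lives beside the infrastructure code and is reviewed through the same change process.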
  43. AMI Lifecycle Management: public AMI → launch instance (EC2) → configure instance (hardening and configuration, user administration, operating system) → hardened instance → bake AMI → golden AMI → launch running instances → decommission. Amazon Inspector appears at three points in the flow; AWS Config and AWS Lambda automate AMI baking.
  44. Cats > 1 million (WhatsCat™)
  45. Adding a New Feature: Buy Cat Food (app mock-up: "LOL cats »", "Cat photos »", "Cats near me (4) »", "Buy Cat Food!")
  46. Encrypting Customer Data (diagram: Amazon Route 53, Elastic Load Balancing, application, DynamoDB, AWS KMS) • Encrypt using the client-side encryption library for DynamoDB on GitHub • Encrypt data in applications using the AWS Encryption SDK
  47. Multi-region Customers
  48. Multi-region Deployments (diagram: Amazon CloudFront in front of three regional stacks, each with an Elastic Load Balancer, application, DynamoDB, and Amazon RDS)
  49. AWS WAF: good cats, bad dogs (diagram: Amazon Route 53, Amazon CloudFront with AWS WAF, Elastic Load Balancing, application, Amazon DynamoDB, Amazon RDS)
  50. Cats > 10 million (WhatsCat™)
  51. Security Incident Response Simulation • Assess current incident response processes and procedures • Test the cloud incident response process via a simulated exercise
  52. A security practitioner's job is to answer tough questions. Automate the way security practitioners answer these questions. (WhatsCat™)
  53. Thank you!
  54. Remember to complete your evaluations!
  55. Related sessions • ARC201 - Scaling Up to Your First 10 Million Users • SEC313 - Automating Security Event Response, from Idea to Code to Execution • SAC312 - Architecting for End-to-End Security in the Enterprise • DEV302 - Automated Governance of Your AWS Resources
