AWS Security Best Practices in a Zero Trust Security Model - DEM06 - Atlanta AWS Summit
1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
David McNeely
VP of Product Strategy, Centrify
AWS Security Best Practices in a Zero Trust Security Model
DEM06
2. Agenda
• Security and your part of the Shared Responsibility Model
• Zero Trust Security overview
• Centrify best practices for AWS security
3. AWS Shared Responsibility Model
YOU: security in the cloud, i.e. your identities and access, guest OS and application configuration, network controls, and your data (including encryption)
AWS: security of the cloud, i.e. the facilities, hardware, network and virtualization layer that the services run on
4. Centrify Zero Trust Security
Verify the user
Validate their device
Limit access & privilege
Learn & adapt
5. Zero Trust Security Maturity Model
Stages from least to most mature (the model's axis runs from DANGER to MORE SECURE as MATURITY increases):
DANGER: Too Many Passwords, Too Much Privilege
ESTABLISH IDENTITY ASSURANCE: Consolidate Identities, MFA Everywhere, Risk-based Access, SSO Everywhere
LIMIT LATERAL MOVEMENT: Establish Access Zones, Trusted Endpoints, Conditional Access, Minimize VPN Access, No DevOps Passwords
ENFORCE LEAST PRIVILEGE: Just-in-Time Privilege, Just Enough Privilege, Don’t Break Glass, Lifecycle Management
AUDIT EVERYTHING: Analyze Risk, Monitor Sessions, Integrate with SIEM
6. Centrify Best Practices for Securing AWS workloads
Common Security Model
Eliminate Shared Amazon EC2 Key Pairs
Ensure Accountability
Least Privilege Access
MFA Everywhere
Audit Everything
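The "Eliminate Shared Amazon EC2 Key Pairs" and "Ensure Accountability" practices are easy to check from the EC2 API: a single key-pair name attached to many instances means one private key file is being passed around, and no SSH login on those hosts can be tied to a person. The script below is an added example, not Centrify's or AWS's code. It audits a constructed DescribeInstances-style response (the Reservations[].Instances[] shape returned by `aws ec2 describe-instances`); instance IDs, key names and tags are made up.

```python
"""Audit EC2 key-pair sharing from a DescribeInstances-style response.

Added example; not code from Centrify or AWS. SAMPLE_RESPONSE is constructed
to mirror `aws ec2 describe-instances` output with hypothetical values.
"""
from collections import defaultdict

SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "KeyName": "prod-shared",
             "Tags": [{"Key": "Environment", "Value": "prod"}]},
            {"InstanceId": "i-0bbb222", "KeyName": "prod-shared",
             "Tags": [{"Key": "Environment", "Value": "prod"}]},
            # the same private key also opens a dev box: one key, two trust zones
            {"InstanceId": "i-0ccc333", "KeyName": "prod-shared",
             "Tags": [{"Key": "Environment", "Value": "dev"}]},
            {"InstanceId": "i-0ddd444", "KeyName": "alice-laptop",
             "Tags": [{"Key": "Environment", "Value": "dev"}]},
            # launched without a key pair: logins go through AD/IAM identities instead
            {"InstanceId": "i-0eee555",
             "Tags": [{"Key": "Environment", "Value": "prod"}]},
        ]},
    ]
}


def tag_value(instance, key, default="untagged"):
    """Return the value of tag `key` on an instance, or `default` if absent."""
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == key), default)


def key_pair_usage(response):
    """Map each key-pair name (None for key-less instances) to the
    (instance_id, environment) pairs that use it."""
    usage = defaultdict(list)
    for reservation in response["Reservations"]:
        for inst in reservation["Instances"]:
            usage[inst.get("KeyName")].append((inst["InstanceId"], tag_value(inst, "Environment")))
    return usage


def audit_key_pairs(response):
    """Return (finding, key_name, detail) tuples.

    SHARED_KEY: one private key unlocks several instances, so the key file is
    almost certainly shared by a team and no login can be attributed to a person.
    CROSS_ENV_KEY: the same key spans environments, so a leak in dev reaches prod.
    Instances without a key pair are skipped: access there is expected to come
    through directory/IAM identities, which is the practice the slide recommends.
    """
    findings = []
    for key_name, users in key_pair_usage(response).items():
        if key_name is None:
            continue
        instance_ids = [inst_id for inst_id, _ in users]
        envs = sorted({env for _, env in users})
        if len(instance_ids) > 1:
            findings.append(("SHARED_KEY", key_name, instance_ids))
        if len(envs) > 1:
            findings.append(("CROSS_ENV_KEY", key_name, envs))
    return findings


if __name__ == "__main__":
    for kind, key_name, detail in audit_key_pairs(SAMPLE_RESPONSE):
        print(f"{kind}: {key_name} -> {detail}")
```

Against a real account, feed the script the JSON from `aws ec2 describe-instances` and treat every SHARED_KEY hit as an instance to move onto directory-based login; a key-less instance is the end state, not a finding.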
7. Additional security for AWS Management Console access
Lock down the “root” (billing) account: enable MFA, delete its access keys, and keep it out of day-to-day use
Establish federated login so console users authenticate with their enterprise identity instead of separate IAM user passwords
Enforce role-based temporary privileges instead of standing permissions
8. Enforce IAM Role-based Temporary Privileges
Delegate AWS privileges with AWS Role Mapping (enterprise directory groups mapped to IAM roles)
Enable request-based access so elevated rights are granted temporarily, on approval
Centrify User Portal provides SSO access to the AWS Console
The same federated roles cover AWS CLI and PowerShell access, so users work with temporary STS credentials instead of long-lived access keys
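The console-hardening steps on the previous two slides (root locked down, federated login, temporary role-based privileges) can be verified from three IAM API calls. The following is an added example, not Centrify's or AWS's code: it evaluates constructed inputs shaped like the output of `aws iam get-account-summary`, `aws iam get-credential-report` (after base64 decoding, with only a subset of the real columns) and `aws iam get-role`. The account ID, the `CorpIdP` SAML provider ARN and the role names are hypothetical; the SAML audience `https://signin.aws.amazon.com/saml` is the fixed value AWS expects for console federation.

```python
"""Audit root lock-down and federation-only console roles from IAM API output.

Added example; not code from Centrify or AWS. All inputs below are constructed
with hypothetical account IDs, ARNs and role names.
"""
import csv
import io

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"           # audience AWS requires for console SAML sign-in
IDP_ARN = "arn:aws:iam::123456789012:saml-provider/CorpIdP"   # hypothetical SAML provider

# Constructed subset of the SummaryMap returned by get-account-summary.
SUMMARY_MAP = {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 1}

# Constructed credential report (subset of columns); root still has a live access key.
CREDENTIAL_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,true,true,false
alice,arn:aws:iam::123456789012:user/alice,true,false,false
"""


def root_findings(summary_map, credential_report_csv):
    """Root should have MFA and no long-lived access keys; anything else is a finding."""
    findings = []
    if summary_map.get("AccountMFAEnabled") != 1:
        findings.append("root account has no MFA device")
    rows = csv.DictReader(io.StringIO(credential_report_csv))
    root = next(r for r in rows if r["user"] == "<root_account>")
    if root["mfa_active"] != "true":
        findings.append("credential report shows root MFA inactive")
    for slot in ("access_key_1_active", "access_key_2_active"):
        if root[slot] == "true":
            findings.append(f"root has an active access key ({slot}); delete it")
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_federation_only(trust_policy, saml_provider_arn):
    """True when every Allow statement lets only the named SAML provider call
    sts:AssumeRoleWithSAML for the console audience, and at least one does.
    Any other trust path (an IAM principal with sts:AssumeRole, a wildcard) bypasses the IdP."""
    allowed = 0
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        allowed += 1
        if _as_list(stmt.get("Action")) != ["sts:AssumeRoleWithSAML"]:
            return False
        principal = stmt.get("Principal", {})
        if set(principal) != {"Federated"} or _as_list(principal["Federated"]) != [saml_provider_arn]:
            return False
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            return False
    return allowed > 0


def role_findings(role, saml_provider_arn, max_session_seconds=3600):
    """Temporary-privilege checks on a get-role response: federation-only trust
    and a session lifetime no longer than `max_session_seconds`."""
    findings = []
    r = role["Role"]
    if not is_federation_only(r["AssumeRolePolicyDocument"], saml_provider_arn):
        findings.append(f"{r['RoleName']}: trust policy allows a path other than SAML federation via {saml_provider_arn}")
    if r.get("MaxSessionDuration", 3600) > max_session_seconds:
        findings.append(f"{r['RoleName']}: MaxSessionDuration {r['MaxSessionDuration']}s exceeds {max_session_seconds}s")
    return findings


FEDERATED_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"Federated": IDP_ARN},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
}

GOOD_ROLE = {"Role": {"RoleName": "ConsoleAdmin-JIT", "MaxSessionDuration": 3600,
                      "AssumeRolePolicyDocument": {"Version": "2012-10-17",
                                                   "Statement": [FEDERATED_STATEMENT]}}}

# Same role with a second trust path (any principal in the account may sts:AssumeRole
# without touching the IdP) and 12-hour sessions.
BAD_ROLE = {"Role": {"RoleName": "ConsoleAdmin-Legacy", "MaxSessionDuration": 43200,
                     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                         FEDERATED_STATEMENT,
                         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                          "Action": "sts:AssumeRole"}]}}}

if __name__ == "__main__":
    for finding in (root_findings(SUMMARY_MAP, CREDENTIAL_REPORT)
                    + role_findings(GOOD_ROLE, IDP_ARN) + role_findings(BAD_ROLE, IDP_ARN)):
        print("FINDING:", finding)
```

The trust-policy check is deliberately strict: a role that is meant to be reached only through the IdP should have no other Allow statement at all, because a stray `sts:AssumeRole` grant to an IAM principal is exactly the standing-privilege path that request-based, time-bound access is meant to remove.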
9. Control Access to Amazon EC2 Instances
Extend Enterprise IAM to Amazon EC2
Enforce Least Privilege
Require Multi-Factor Authentication
Diagram: enterprise Active Directory connected over a site-to-site VPN to an Active Directory domain inside the VPC, linked by a one-way AD trust
10. Centrify Privilege Service for Amazon EC2 Instances
Secure Remote Access
Access Request Workflow
Lock down root accounts
Application Password Management
Diagram: Centrify Privilege Service in front of the EC2 instances, integrated with Active Directory
11. Enterprise IAM and MFA for Hosted Applications
Extend Enterprise IAM for Apps
Require Multi-Factor Authentication
Single Sign-on for Users
12. Secure Docker Hosts
IAM and PAM for Linux Docker hosts or CoreOS Container Linux
Docker Group Management (membership in the docker group is effectively root on the host, so manage it like any other privileged group)
PAM for Docker
Diagram: IT Ops staff authenticate through AD to the container host, where Docker runs the containers
13. Secure Apps in Containers
IAM and PAM for DevOps login access to Containers
• Developers log in to a container via SSH independently of the host
• Ops will most likely need break-glass access
AAPM (application-to-application password management) and service accounts for app containers
Diagram: developers authenticate through AD to containers on the container host; Centrify Infrastructure Services provides the identity and privilege management
14. Secure Your Container Management Platforms
IAM Services for Container Management
Active Directory Integration for on-premises deployments
Diagram (two paths): DevOps staff authenticate to the container orchestration platform, which binds to AD through a Linux host running the Centrify LDAP Proxy; or DevOps staff authenticate through the Centrify Service
15. Additional Resources
Centrify Solutions for AWS
• www.centrify.com/aws
TechCenter for AWS
• community.centrify.com/aws
Script Repository
• github.com/centrify
White Papers:
• Centrify’s Six Best Practices for Securing AWS Environments
• http://www.centrify.com/resources/six-best-practices-for-securing-amazon-web-services/
• AWS IAM Best Practices and Use Cases
• http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
• Gartner “How to Make Cloud IaaS Workloads More Secure Than Your Own Data Center”
• https://www.gartner.com/doc/3352444/make-cloud-iaas-workloads-secure
17. Thank You!
Please stop by Centrify booth #201
David.McNeely@Centrify.com