
AWS Summit Auckland Sponsor Presentation - Dome9



Published in: Technology

  1. Taking IAM protection to the next level with Dome9
  2. Quick poll: Is it possible that one of your AWS users or team members will have their credentials compromised sometime in the future? What if that compromised account belongs to a privileged user?
  3. What is this session about? IAM best practices and core principles that let you prepare in advance for extreme scenarios.
  4. Why IAM? Why this session? Thirty years of isolated IT islands are now converging into a software-defined data center. The AWS IAM policy governs that converged IT and becomes the single most critical security policy in your organization.
  5. About me: Roy Feintuch, @royfein. 30 years fiddling with software, 15 professionally, 10 in security systems, 5 in cloud security. CTO / co-founder of Dome9 Security, an AWS Advanced Technology Partner with Security Competency, focusing on network security and IAM protection.
  6. To our user... In a software-defined world, a compromised privileged user account can mean:
     • Data theft: cloning databases, S3 buckets, files
     • DNS hijacking: redirecting traffic to rogue sites
     • Deleting or encrypting data, infrastructure, encryption keys, backups
     • Managing users: locking legitimate admins out of their environments, adding new accounts
  7. Our user is already fatally compromised, but you don't have to be. Let's take a trip back in our time machine to see what we could have done differently...
  8. Two main courses of action: 1. Preventative actions 2. Detection and containment measures. We need them both!
  9. Preventative Measures (1)
     • Create and use IAM users instead of your root account
     • Enable multi-factor authentication (MFA) for all users
     • Configure a strong password policy
     • Rotate security credentials regularly
     • Remove security credentials that are no longer needed
  10. Preventative Measures (2)
     • Use IAM roles to share access:
       • for EC2 instances (and other AWS services)
       • for multi-account and federated access scenarios
       • for third-party service providers
     • Manage permissions with groups
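The checks on slide 9 (no root access keys, MFA on every console user, rotated and actually-used credentials) can be scripted against the IAM credential report. The following is an added example written for this page, not code from the deck or from Dome9. It parses a CSV constructed to match the column layout of `aws iam get-credential-report`; the account id, user names and dates are invented, and the 90-day thresholds are assumptions.

```python
"""Audit an IAM credential report for the hygiene items on slide 9:
root access keys, missing MFA, stale keys and never-used credentials.

Added example, not from the Dome9 deck. SAMPLE_REPORT is constructed in the
column layout of `aws iam get-credential-report`; its rows are invented.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # rotation threshold (assumption; choose your own)
UNUSED_DAYS = 90        # a credential unused this long counts as stale

# Constructed sample report. "N/A" and "not_supported" appear in real reports.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2014-01-10T09:00:00+00:00,not_supported,2016-03-01T10:00:00+00:00,not_supported,not_supported,false,true,2014-01-10T09:00:00+00:00,2015-06-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2015-02-01T09:00:00+00:00,true,2016-03-20T08:00:00+00:00,2016-01-15T09:00:00+00:00,2016-04-14T09:00:00+00:00,true,true,2016-02-01T09:00:00+00:00,2016-03-21T08:00:00+00:00,ap-southeast-2,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2015-05-01T09:00:00+00:00,true,2015-06-01T08:00:00+00:00,2015-05-01T09:00:00+00:00,N/A,false,true,2015-05-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2015-09-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2015-09-01T09:00:00+00:00,2016-03-21T02:00:00+00:00,ap-southeast-2,cloudformation,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2016, 3, 22, tzinfo=timezone.utc)  # fixed "today" so the run is reproducible


def parse_ts(value):
    """Aware datetime, or None for the report's N/A / no_information / not_supported markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_row(row, now=NOW):
    """Findings for one report row. Root is treated separately: it should have
    no access keys at all, and MFA on it is non-negotiable."""
    findings = []
    if row["user"] == "<root_account>":
        if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
            findings.append("root account has active access keys; delete them and use IAM users")
        if row["mfa_active"] != "true":
            findings.append("root account has no MFA")
        return findings
    if row["password_enabled"] == "true":
        if row["mfa_active"] != "true":
            findings.append("console user without MFA")
        last_used = parse_ts(row["password_last_used"])
        if last_used is None or now - last_used > timedelta(days=UNUSED_DAYS):
            findings.append("password unused for >%d days; disable console access" % UNUSED_DAYS)
    for n in ("1", "2"):
        if row["access_key_%s_active" % n] != "true":
            continue
        rotated = parse_ts(row["access_key_%s_last_rotated" % n])
        if rotated is not None and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
            findings.append("access key %s older than %d days; rotate" % (n, MAX_KEY_AGE_DAYS))
        used = parse_ts(row["access_key_%s_last_used_date" % n])
        if used is None or now - used > timedelta(days=UNUSED_DAYS):
            findings.append("access key %s unused for >%d days; remove" % (n, UNUSED_DAYS))
    return findings


def audit_report(report_csv, now=NOW):
    """Map user -> findings, listing only users with at least one finding."""
    results = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        findings = audit_row(row, now)
        if findings:
            results[row["user"]] = findings
    return results


if __name__ == "__main__":
    for user, findings in audit_report(SAMPLE_REPORT).items():
        for finding in findings:
            print("%-14s %s" % (user, finding))
```

Against the constructed report, alice is clean, the root account is flagged for active access keys and no MFA, bob is flagged on all four counts, and the ci-deploy key is in use but overdue for rotation. Run it for real by feeding the decoded `Content` field of `get-credential-report` into `audit_report`.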
  11. Detection & Containment
     • Enable AWS CloudTrail to get logs of API calls
     • Grant least privilege
     • Restrict privileged access further with policy conditions
     • Use multiple AWS accounts to segregate dev/test/prod, and to separate sub-systems with different security requirements
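CloudTrail only helps if someone reads it for the actions slide 6 worries about. The following is an added example, not code from the deck or from Dome9: it scans CloudTrail records for the control-plane calls behind data theft, DNS hijacking, destruction and user management, and raises severity when the caller was root, had no MFA, or was refused (repeated denied risky calls are often probing). The records are constructed in the CloudTrail JSON layout with invented account, user names and addresses; the list of risky actions is an assumption to extend for your own environment.

```python
"""Scan CloudTrail records for the risky control-plane actions slide 6 lists
and report which ran without MFA, as root, or were denied.

Added example, not from the Dome9 deck. SAMPLE_RECORDS are constructed in
the CloudTrail JSON layout; account id, names and IP addresses are invented.
"""
import json

# Risky actions grouped by slide 6 impact category (assumption: extend as needed).
RISKY_ACTIONS = {
    "CreateDBSnapshot": "data theft", "ModifyDBSnapshotAttribute": "data theft",
    "ModifySnapshotAttribute": "data theft", "PutBucketPolicy": "data theft",
    "ChangeResourceRecordSets": "DNS hijacking",
    "ScheduleKeyDeletion": "destruction", "DeleteBucket": "destruction",
    "DeleteDBInstance": "destruction", "TerminateInstances": "destruction",
    "DeleteTrail": "destruction", "StopLogging": "destruction",
    "CreateUser": "user management", "CreateAccessKey": "user management",
    "AttachUserPolicy": "user management", "UpdateLoginProfile": "user management",
    "DeactivateMFADevice": "user management",
}

SAMPLE_RECORDS = [  # constructed sample; not a real trail
    {"eventTime": "2016-03-21T01:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2016-03-21T01:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2016-03-21T01:13:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "ChangeResourceRecordSets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2016-03-21T01:15:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2016-03-21T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2016-03-21T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
]


def mfa_authenticated(identity):
    """CloudTrail records mfaAuthenticated only for session-based (temporary
    credential) calls such as console sessions. A call made with a long-term
    access key has no sessionContext at all, so it is treated as no MFA."""
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def classify(record):
    """Return a finding for a risky record, or None for a benign one."""
    name = record["eventName"]
    if name not in RISKY_ACTIONS:
        return None
    identity = record["userIdentity"]
    reasons = []
    if identity.get("type") == "Root":
        reasons.append("root account used")
    if not mfa_authenticated(identity):
        reasons.append("no MFA")
    if record.get("errorCode"):
        reasons.append("denied (%s): possible probing" % record["errorCode"])
    return {
        "time": record["eventTime"],
        "who": identity.get("userName") or identity.get("type"),
        "action": name,
        "impact": RISKY_ACTIONS[name],
        "ip": record["sourceIPAddress"],
        "severity": "high" if reasons else "info",
        "reasons": reasons,
    }


def scan(records):
    """All findings for a list of CloudTrail records, in trail order."""
    return [f for f in map(classify, records) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

In the sample, carol's bucket deletion from an MFA-authenticated console session is logged at info level, while alice's key creation and DNS change from a long-term access key, her denied key-deletion attempt, and the root-driven instance termination are all high severity. To run it on a real trail, load the `Records` array from each CloudTrail log object and pass it to `scan`.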
  12. Still, something is missing... Adversaries constantly target our users. One of our users will eventually make a mistake. Someone will break in. A new breed of solution is needed.
  13. Meet Dome9 IAM Safe: Dome9 IAM Safe is an AWS IAM dynamic authorization solution, providing protection and detection against malicious cloud control-plane attacks and unintentional privileged-user errors.
  14. IAM Safe
     • Added layer of IAM protection
     • Prevents accidental or malicious invocation of risky actions
     • "Just in time" authorization
     • Out-of-band authorization via mobile application
     • Multiple AWS accounts and regions
     • SaaS delivered
  15. Containing the Blast Radius: Because IAM Safe users work with reduced privileges day to day, the consequences of stolen credentials and compromises are limited to non-catastrophic actions. IAM Safe ensures that the riskiest AWS operations (as deemed by you) cannot be executed without Dome9 IAM Safe multi-factor authorization. Not all workloads are equal! Leverage the power of the AWS IAM policy language to define specific actions and add conditions based on sensitivity, tags, etc.
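The policy-language side of slide 15 (and the "policy conditions" item on slide 11) can be demonstrated with plain IAM: a broad day-to-day Allow, plus explicit Deny statements that block the riskiest actions unless MFA is present, one of them scoped by an `env` tag so only production workloads are covered. The following is an added example written for this page; it is not Dome9's product and not the AWS policy engine. The evaluator models only the subset of IAM semantics the policy uses (explicit Deny beats Allow, wildcard actions, `Bool`, `BoolIfExists` and `StringEquals` conditions, no resource ARN matching). The action list, tag key and sample requests are assumptions. It also shows the caveat that bites most people here: a request signed with a long-term access key carries no `aws:MultiFactorAuthPresent` key at all, so a Deny written with `Bool` instead of `BoolIfExists` silently never applies.

```python
"""Gate the riskiest actions on MFA with IAM policy conditions, scoped by tag.

Added example, not Dome9 code and not the AWS policy engine: `evaluate` models
only the IAM semantics this policy needs (explicit Deny wins over Allow,
wildcard actions, Bool / BoolIfExists / StringEquals, no Resource matching).
Action list and tag key are assumptions.
"""
import copy
import fnmatch

GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Day-to-day work stays broad; the denies below carve out the risky parts.
        {"Sid": "AdminDayToDay", "Effect": "Allow", "Action": "*", "Resource": "*"},
        # Destroying production EC2 resources needs MFA. Dev/test is untouched.
        {"Sid": "ProdDestroyNeedsMfa", "Effect": "Deny",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume", "ec2:DeleteSnapshot"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"},
                       "StringEquals": {"ec2:ResourceTag/env": "prod"}}},
        # Account-wide risky actions (slide 6 categories) need MFA everywhere.
        {"Sid": "AccountWideRiskyNeedsMfa", "Effect": "Deny",
         "Action": ["iam:*", "kms:ScheduleKeyDeletion", "route53:ChangeResourceRecordSets",
                    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _values(v):
    return v if isinstance(v, list) else [v]


def condition_matches(operator, key, expected, context):
    """One condition key. Missing key: False for Bool/StringEquals, True for *IfExists."""
    actual = context.get(key)
    if_exists = operator.endswith("IfExists")
    base = operator[:-len("IfExists")] if if_exists else operator
    if actual is None:
        return if_exists
    if base == "Bool":
        return any(str(actual).lower() == str(e).lower() for e in _values(expected))
    if base == "StringEquals":
        return any(actual == e for e in _values(expected))
    raise NotImplementedError("operator %s not modelled" % operator)


def statement_matches(stmt, action, context):
    """Action matches a pattern (case-insensitive, as IAM does) and every condition holds."""
    patterns = [p.lower() for p in _values(stmt["Action"])]
    if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not condition_matches(operator, key, expected, context):
                return False
    return True


def evaluate(policy, action, context):
    """Simplified IAM evaluation: explicit Deny wins, otherwise Allow, otherwise implicit deny."""
    matched = [s for s in policy["Statement"] if statement_matches(s, action, context)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "ImplicitDeny"


def with_plain_bool(policy):
    """Same policy with the common mistake: Bool where BoolIfExists was needed."""
    p = copy.deepcopy(policy)
    for stmt in p["Statement"]:
        cond = stmt.get("Condition", {})
        if "BoolIfExists" in cond:
            cond["Bool"] = cond.pop("BoolIfExists")
    return p


if __name__ == "__main__":
    # A CLI call with a long-term access key: no aws:MultiFactorAuthPresent key at all.
    cli_prod = {"ec2:ResourceTag/env": "prod"}
    print("terminate prod, no MFA key :", evaluate(GUARDRAIL_POLICY, "ec2:TerminateInstances", cli_prod))
    print("terminate prod, MFA present:", evaluate(GUARDRAIL_POLICY, "ec2:TerminateInstances",
                                                   dict(cli_prod, **{"aws:MultiFactorAuthPresent": "true"})))
    print("terminate dev, no MFA key  :", evaluate(GUARDRAIL_POLICY, "ec2:TerminateInstances", {"ec2:ResourceTag/env": "dev"}))
    print("same deny written with Bool:", evaluate(with_plain_bool(GUARDRAIL_POLICY), "ec2:TerminateInstances", cli_prod))
```

The last line is the caveat in action: with `Bool` the stolen-access-key case evaluates to Allow, because the condition key is absent rather than false. The real control still needs to be tested against AWS itself (for example with the IAM policy simulator), since this model ignores resource ARNs, NotAction, permission boundaries and service-specific condition support.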
  16. Summary
     • IAM is critical for AWS security
     • Apply AWS best practices
     • Use the breadth of the AWS partner ecosystem to take your posture to the next level
     • The moment of the breach is too late: take ownership of your future and start preparing now!