
Best Practices for Public Sector AWS Security Posture

With recent data exposures at large Fortune 500 enterprises, IT security has become increasingly concerned with protecting infrastructure-as-a-service (IaaS) data. And with IaaS market growth reaching 42.8% last year — twice that of software as a service, according to Gartner — it's no surprise that public and private sector organizations are turning to the cloud. Join Slawomir Ligier, VP of Engineering at McAfee MVISION Cloud (formerly Skyhigh Networks), and AWS Public Sector Solutions Architect Tres Vance to explore best practices for securing your AWS environment. Plus, learn how McAfee can help bridge the gap with your on-premises solutions and provide the needed visibility and control customers should expect as they migrate to the cloud. This session is sponsored by McAfee.



  1. PUBLIC SECTOR SUMMIT, Washington, DC
  2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. New Rules for Cloud Security. Slawomir Ligier, VP Engineering, McAfee; Tres Vance, Senior Solution Architect, AWS
  3. Agenda
     • Shared Responsibility Model (AWS)
     • Preventative, Detective, Responsive Controls (AWS)
     • CASB Overview (McAfee)
     • Threat Vectors (McAfee)
     • Use Cases (McAfee)
  4. Shared Responsibility Model
  5. Security of the Cloud: Media Sanitization, Climate Management, Fire Suppression, Physical Security
  7. AWS Cloud Adoption Framework - Security Perspective
  9. Preventative - Identity and Access Management (AWS IAM)
     • MFA for privileged users (especially root)
     • IAM roles for programmatic access
     • AWS Secrets Manager or AWS Systems Manager to manage secrets
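As an added example (not from the deck, AWS or McAfee), the three IAM controls on slide 9 checked against an IAM credential report, the CSV that `aws iam get-credential-report` returns. The report below is a constructed sample containing only the columns the check reads, and the 90-day staleness threshold and fixed clock are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column format of an IAM credential report; values are made up.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2019-05-01T10:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2018-01-15T08:00:00+00:00,false,N/A
deploy-svc,arn:aws:iam::123456789012:user/deploy-svc,false,false,true,2019-06-01T12:00:00+00:00,false,N/A
"""

STALE_DAYS = 90                                          # assumption: keys idle longer than this are flagged
NOW = datetime(2019, 7, 1, tzinfo=timezone.utc)          # fixed clock so the sample is reproducible


def audit_credential_report(report_csv, now=None):
    """Return (user, finding) pairs for the slide's IAM controls: root MFA, MFA for
    console users, and long-lived or stale access keys where a role should be used."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":                     # how the report names the root user
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has active access keys"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console user without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            # Long-lived user keys are exactly what IAM roles for programmatic access replace.
            findings.append((user, f"long-lived access key {n} (prefer IAM role)"))
            last = row[f"access_key_{n}_last_used_date"]
            if last != "N/A" and now - datetime.fromisoformat(last) > timedelta(days=STALE_DAYS):
                findings.append((user, f"access key {n} unused for >{STALE_DAYS} days"))
    return findings


def sample_findings():
    return audit_credential_report(SAMPLE_REPORT, now=NOW)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```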
  10. Preventative - Infrastructure
     • Networking: Network Boundaries
     • System Security: Access Management, Patch Management
     • Monitoring: Log Management
  11. Preventative - Infrastructure
     • Data in Transit: Encryption, Integrity
     • Data at Rest: Fine Grained Policy, Least Privilege, Encryption, Integrity, Backup
  13. Preventative - Infrastructure: AWS CloudTrail
     • Enable CloudTrail (before you do anything else)
     • Capture Logs: Change Control, Log Monitoring, System Monitoring
     • Network, System Logs, Track State, Config
     • Monitor Applications
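An added example, not part of the deck: once CloudTrail is enabled, each delivered log file is a JSON document with a top-level "Records" array. This scans a constructed sample of such records and raises alerts for the log-monitoring cases the slide implies: root account use, console logins without MFA, and API calls that would stop or alter the trail itself. The field names are CloudTrail's; the sample values are made up.

```python
import json

# Constructed CloudTrail records, trimmed to the fields the checks read.
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "Root"}, "requestParameters": {"bucketName": "finance-data"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ops/alice"}},
]})

# CloudTrail API calls that disable or weaken the trail; each should be change-controlled.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def classify(record):
    """Return the alert strings raised by one CloudTrail record (empty list if benign)."""
    alerts = []
    ident = record.get("userIdentity", {})
    who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
    name = record.get("eventName", "")
    if ident.get("type") == "Root":
        alerts.append(f"root account used for {name}")
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        alerts.append(f"console login without MFA by {who} from {record.get('sourceIPAddress')}")
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
        trail = record.get("requestParameters", {}).get("name", "?")
        alerts.append(f"{name} on trail {trail} by {who}")
    return alerts


def scan_log_file(text):
    """Parse one CloudTrail log file (JSON with a Records array) and return all alerts."""
    return [alert for rec in json.loads(text)["Records"] for alert in classify(rec)]


if __name__ == "__main__":
    for alert in scan_log_file(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Log files fetched from the trail's S3 bucket are gzip-compressed; decompress before passing the text to `scan_log_file`.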
  15. Automating Response
     • AWS Lambda (really any compute)
     • Use Detective Sources: API Automation, Change Control, Log Monitoring, System Monitoring
     • Take Corrective Action
  16. AWS Resources
     • Well-Architected Framework: https://aws.amazon.com/architecture/well-architected/
     • AWS Security Best Practices Whitepaper: https://aws.amazon.com/whitepapers/aws-security-best-practices/
     • IAM Best Practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  18. Where Enterprise Sensitive Data is in the Cloud (this knowledge is driving our innovation). [Pie chart of sensitive data by service: Salesforce; Office 365, Google Suite; Google Docs; Slack, Teams; AWS, Azure, Google; Custom Apps; Box, Dropbox; ServiceNow; High-Risk Shadow; Med/Low-Risk Shadow]
  19. The same chart grouped by category: Collaboration SaaS 42%, IaaS/PaaS 24%, Business SaaS 24%, Shadow IT 10%
  20. Infrastructure as a Service (IaaS): Fastest Growing Segment of Cloud. IaaS 38.4% CAGR; Software as a Service (SaaS) 20.3% CAGR
  21. Custom Apps Rapidly Moving to Public IaaS. Percentage of custom apps hosted in each environment:
     • Datacenter: 60.9% today, 36.9% in 12 months (-24% YoY)
     • Public cloud: 22.6% today, 73.6% in 12 months (+51% YoY)
  22. The average enterprise has 526 custom apps today
  23. Shared Responsibility Model: the customer's responsibility in securing IaaS is much greater than in SaaS
  24. IT Security not Involved in 62% of Custom App Deployments. Why is IT Security not involved in custom app deployments? [Bar chart: not included in the process by development; by DevOps; by operations; by the line of business]
  25. Account Misconfiguration = Negative Results
     Attack Strategies
     • Identify publicly readable, writeable or AWS-user readable, writeable buckets
     • Identify publicly modifiable or AWS-user modifiable ACLs
     • Plant malware in the publicly accessible AWS buckets
     Threat Objectives
     • Extract data from Amazon Simple Storage Service (Amazon S3) buckets
     • Distribute malware using trusted IaaS instances
     • Use Amazon Virtual Private Cloud (Amazon VPC) for intensive resource use (e.g. crypto mining)
     • Exploit misconfigurations while the customer pays the bill
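An added example tying slide 15 (Lambda acting on a detective source) to the bucket misconfiguration on slide 25, not the presenters' code: a handler for an EventBridge rule matching CloudTrail PutBucketAcl events that detects grants to the AllUsers or AuthenticatedUsers groups and re-asserts S3 Block Public Access, which makes S3 ignore such ACLs. It assumes the CloudTrail record arrives under `event["detail"]` as EventBridge delivers it; `RecordingS3` and the sample event are constructed stand-ins so the example runs offline, and in a real function a `boto3.client("s3")` is passed as `s3`.

```python
# Grantee URIs that make an S3 ACL grant readable by the world or by any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "world",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS user",
}


def public_grants(access_control_policy):
    """Yield (audience, permission) for every public grant in a PutBucketAcl request."""
    grants = access_control_policy.get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):          # tolerate a single grant serialised as an object
        grants = [grants]
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            yield PUBLIC_GRANTEES[uri], grant.get("Permission")


def handler(event, context=None, s3=None):
    """Lambda entry point. With s3=None it only reports the decision (dry run);
    with a boto3 S3 client it takes the corrective action."""
    detail = event["detail"]
    result = {"bucket": None, "public": [], "remediated": False}
    if detail.get("eventName") != "PutBucketAcl":
        return result
    params = detail["requestParameters"]
    result["bucket"] = params["bucketName"]
    result["public"] = list(public_grants(params.get("AccessControlPolicy", {})))
    if result["public"] and s3 is not None:
        # Corrective action: Block Public Access overrides the ACL without rewriting it.
        s3.put_public_access_block(Bucket=result["bucket"], PublicAccessBlockConfiguration={
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
        result["remediated"] = True
    return result


class RecordingS3:
    """Constructed offline stand-in for boto3.client('s3'): records the call instead of making it."""
    def __init__(self):
        self.calls = []

    def put_public_access_block(self, **kwargs):
        self.calls.append(kwargs)


# Constructed EventBridge event carrying a CloudTrail PutBucketAcl record (fields trimmed).
SAMPLE_EVENT = {"detail": {"eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com",
    "requestParameters": {"bucketName": "research-data", "AccessControlPolicy": {"AccessControlList": {
        "Grant": [{"Grantee": {"xsi:type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
                  {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                   "Permission": "READ"}]}}}}}
```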
  26. Real World IaaS Security and Compliance Use Cases
     • Car Rental: credit card data posted in an unprotected notes field in a custom app on AWS, violating PCI (DLP; Activity Monitoring)
     • Insurance: security incidents occurred in custom apps on IaaS and proved impossible to investigate (Activity Monitoring; Threat Protection; Privileged User Audit)
     • Agriculture: discovered incredibly valuable IP in publicly accessible Amazon S3 buckets (AWS Configuration Audit; DLP)
  27. Shared Responsibility Model: Custom Apps & SaaS - Guard the Front Door; IaaS - Guard the Back Door, Too
  28. IaaS Use Case
     • Configuration Audit: identify IaaS resources with security settings that are non-compliant
     • Visibility of Confidential Data: visibility of regulated/high-value data stored in Amazon S3/Azure Blobs
     • Advanced Threat Protection: detect compromised accounts, privileged user threats, malware
     14 misconfigured IaaS services running at the average company; 5.5% of Amazon S3 buckets have "world read" access privileges; 100s of DLP incidents per month on IaaS/PaaS
  29. Data Exfiltration Vectors - IaaS Infrastructure and Apps: Compromised Accounts, Misconfiguration, Rogue User, Confidential Data Leaks, Rogue IaaS Accounts
  30. How It's Done: IaaS - integrate natively via API (CASB API); Custom Apps - no API, need AI to map apps (CASB Gateway)
  31. Gartner Recommended Best Practice: Extend CASB protection to IaaS and Platform as a Service (PaaS). "CASBs can gather and analyze risky configurations by assessing the security posture of the cloud infrastructure (for example, data stores exposed to the public internet) — ideally, this would replace the need for cloud infrastructure security posture assessment (CISPA) point products"
  32. Custom Apps Key CASB Use Cases
     1) Advanced Threat Protection: detect compromised accounts, insider/privileged user threats, malware
     2) Activity Monitoring and Forensics: capture and categorize an audit trail of activity for forensic investigations
     3) DLP: control what data is uploaded into a cloud service
     4) Access Control: define access to the application based on user device, location, or role
  33. IaaS Key CASB Use Cases
     1) Managing Rogue AWS Instances: discover shadow AWS usage and reclaim control of risky IaaS usage
     2) Security Configuration Monitoring of AWS Resources: identify AWS resources that are non-compliant with CIS Level 1 and 2 policies
     3) Advanced Threat Protection: detect compromised accounts, insider/privileged user threats, malware
     4) Activity Monitoring and Forensics: capture and categorize an audit trail of activity for forensic investigations
     5) Visibility of Confidential Data: gain visibility of regulated/high-value data stored in Amazon S3 and Azure Storage
     6) Amazon S3 Bucket and Azure Storage Analysis: discovery of third-party Amazon S3 buckets configured for world reads/world writes
  34. What's Next - Integrating Security into the DevOps Process
     • "Shift left"
     • Security scans for AWS CloudFormation templates
     • Resolve security issues at the source
     • Pre-emptive risk avoidance ensures compliance and mitigates data loss
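An added example of the CloudFormation template scanning slide 34 calls for, not a McAfee or AWS tool: a minimal check over a parsed template (the JSON sample is constructed inline) for S3 buckets that lack Block Public Access or default encryption or carry a public ACL, security groups open to the whole internet, and IAM statements allowing `*` on `*`. The rule set is an assumption chosen to match the deck's themes; production scanners cover far more.

```python
import json


def _as_list(value):
    """CloudFormation and IAM allow a scalar where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else ([] if value is None else [value])


PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_ACLS = ("PublicRead", "PublicReadWrite", "AuthenticatedRead")


def scan_template(template):
    """Return (logical_id, finding) pairs for a parsed CloudFormation template (a dict)."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::S3::Bucket":
            pab = props.get("PublicAccessBlockConfiguration", {})
            if not all(pab.get(k) is True for k in PAB_KEYS):
                findings.append((name, "S3 bucket without full Block Public Access"))
            if "BucketEncryption" not in props:
                findings.append((name, "S3 bucket without default encryption"))
            if props.get("AccessControl") in PUBLIC_ACLS:
                findings.append((name, f"S3 bucket ACL is {props['AccessControl']}"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in _as_list(props.get("SecurityGroupIngress")):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append((name, f"ingress open to the internet on ports {rule.get('FromPort')}-{rule.get('ToPort')}"))
        elif rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy", "AWS::IAM::Role"):
            docs = [props.get("PolicyDocument")] + [p.get("PolicyDocument") for p in _as_list(props.get("Policies"))]
            for doc in filter(None, docs):
                for st in _as_list(doc.get("Statement")):
                    if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action")) and "*" in _as_list(st.get("Resource")):
                        findings.append((name, "IAM statement allows Action * on Resource *"))
    return findings


# Constructed template: a public bucket, a hardened bucket, an open security group and an admin policy.
SAMPLE_TEMPLATE = json.loads("""{"Resources": {
  "PublicBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
  "SafeBucket": {"Type": "AWS::S3::Bucket", "Properties": {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": true, "IgnorePublicAcls": true,
                                       "BlockPublicPolicy": true, "RestrictPublicBuckets": true},
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
      {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
  "SshAnywhere": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "ssh",
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "AdminPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
    "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}}}}""")
```

For a YAML template, parse it with a loader that understands CloudFormation's intrinsic-function tags before calling `scan_template`.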
  35. Free AWS Security Resources: AWS Vulnerability Assessment; Definitive Guide to AWS Security eBook; Gartner CASB MQ
  36. Thank you! Slawomir Ligier, @Sligier (Twitter); Tres Vance, @TresVance (Twitter, LinkedIn)
