Humans and Data Don’t Mix
Best Practices to Secure Your Cloud
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential and Trademark
Stephen Schmidt
Vice President and Chief Information Security Officer
Amazon Web Services (AWS)
@AWSSecurityInfo
Get Humans Away from Your Data
Security Blind Spots
• Disparate sources
• Lack of rigor
• Can’t scale
Security in the CI/CD Pipeline (pipeline diagram; slides 8 to 10 build up the same figure)
Continuous integration
• Source control: commit changes (AWS CodeCommit, AWS CloudFormation)
• Build: build artifacts (AWS CodeBuild)
Continuous delivery
• Testing & staging: deploy to test environment; run integration, security, load and other tests (AWS Step Functions, AWS X-Ray)
• Production: deploy to production environment (AWS CodeDeploy, AWS Elastic Beanstalk)
• Maintain: manage runtime (AWS EC2 Systems Manager, Amazon GuardDuty)
Spanning the whole pipeline: AWS CodeStar, AWS CodePipeline
Source Control (commit changes): AWS CodeCommit, AWS CloudFormation
Source Control: Infrastructure as Code (shown on the slide as a “vs.” comparison)
Source Control: Seek Vendors Who Embrace APIs
Build (build artifacts): AWS CodeBuild
Build: Is Policy A more permissive than Policy B?

Policy A
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "NotAction": "sns:Delete*",
      "Resource": "*"
    }
  ]
}
```

Policy B
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "sns:Delete*",
      "Resource": "*"
    }
  ]
}
```
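To work the question above, here is an added example (not from the deck or from AWS): a small Python evaluator that applies the IAM statement rules, explicit Deny wins over Allow, and NotAction means “every action except these”, to both policies. It is a simplification that ignores Resource and Condition, which is safe here only because both policies use Resource "*".

```python
import fnmatch
import json

# Policy A and Policy B as shown on the slide, with the quotes normalised to valid JSON.
POLICY_A = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sns:*", "Resource": "*"},
    {"Effect": "Allow", "NotAction": "sns:Delete*", "Resource": "*"}
  ]
}""")

POLICY_B = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sns:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "sns:Delete*", "Resource": "*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action names are matched case-insensitively with '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(stmt, action):
    # "Action" applies when the action is listed; "NotAction" applies when it is NOT,
    # so an Allow with NotAction is "allow everything except these".
    if "Action" in stmt:
        return _matches(action, stmt["Action"])
    return not _matches(action, stmt["NotAction"])


def evaluate(policy, action):
    """Simplified identity-policy evaluation (Resource/Condition ignored): an explicit
    Deny always wins, an applicable Allow grants, nothing applicable is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

Running it shows the trap: Policy A's NotAction statement grants every non-SNS action, and nothing in it denies sns:Delete*, so a delete that Policy B explicitly blocks is allowed under A.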
Testing & Staging (deploy to test environment; run integration, security, load and other tests): AWS Step Functions, AWS X-Ray
Testing & Staging: Finding Weaknesses & Defects with Amazon Inspector
Deployment & Production (deploy to production environment): AWS CodeDeploy, AWS Elastic Beanstalk
Amazon EC2 host architecture (four diagrams, one per generation; each shows a server with management, security and monitoring; storage; network; hypervisor; and customer instances):
• Original Amazon EC2 host architecture: server only, no Nitro System
• Amazon EC2 C3 instances: server plus Nitro System
• Amazon EC2 C4 instances: server plus Nitro System
• Amazon EC2 C5 instances: server with Nitro Hypervisor plus Nitro System
No Shell Access!
Maintaining Runtime Environment (manage runtime): AWS EC2 Systems Manager, Amazon GuardDuty
Automate Answering the Tough Questions
• What data do I have in the cloud?
• Where is it located?
• Where does my sensitive data exist?
• What’s sensitive about the data?
• What PII/PHI is possibly exposed?
• How is data being shared and stored?
• How and where is my data accessed?
• How can I classify data in near-real time?
• How do I build workflow remediation for my security and compliance needs?
Automation: Log Data Inputs
• AWS CloudTrail: track user activity and API usage
• VPC Flow Logs: IP traffic to/from network interfaces in your VPC
• CloudWatch Logs: monitor apps using log data, store & access log files
• DNS Logs: log of DNS queries in a VPC when using the VPC DNS resolver
Automation: Machine Learning
• Amazon GuardDuty: intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
• Amazon Macie: machine learning-powered security service to discover, classify, & protect sensitive data
Using NLP and ML together
• Understand your data: Natural Language Processing (NLP)
• Understand data access: Predictive User Behavior Analytics (UBA)
Content Classification with NLP
• PII and personal data
• Source code
• SSL certificates, private keys
• iOS and Android app signing keys
• Database backups
• OAuth and Cloud SaaS API Keys
Use ML and Scaled Services
• Use behavioral analytics to baseline normal behavior patterns
• Contextualize by value of data being accessed
Remediating Threats on Amazon EC2 Instances
Amazon EC2 Systems Manager - Run Command
• Asynchronously execute commands
• No need to SSH/RDP
• Commands and output logged
(Diagram: Lambda function -> AWS Systems Manager -> Amazon EC2 instances)
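The Lambda-to-Run-Command flow sketched above, as an added example (not AWS code and not from the deck). It assumes a hypothetical allow-list of playbooks and a hypothetical event shape; the SSM calls (send_command with the AWS-RunShellScript document, get_command_invocation) are real boto3 APIs, and the client is passed in so the module can be exercised offline with a test double.

```python
import logging

log = logging.getLogger("remediate")

# Hypothetical allow-list of pre-approved remediation playbooks (an assumption, not
# from the deck). Each maps to the shell commands that Run Command executes via the
# AWS-RunShellScript document; the function never accepts free-text commands.
PLAYBOOKS = {
    "collect-listening-sockets": ["ss -tulpn"],
    "collect-logged-in-users": ["who", "last -n 20"],
}


def remediate_instance(ssm, instance_id, playbook, comment="automated remediation"):
    """Dispatch one pre-approved playbook to one instance through SSM Run Command.
    `ssm` is a boto3 SSM client (or a test double exposing the same two methods).
    Returns the CommandId, the key for correlating with the SSM and CloudTrail
    record of what ran and what it printed; no interactive shell is ever opened."""
    if playbook not in PLAYBOOKS:
        raise ValueError(f"unknown playbook: {playbook}")
    resp = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Parameters={"commands": PLAYBOOKS[playbook]},
        Comment=comment,
    )
    command_id = resp["Command"]["CommandId"]
    log.info("sent playbook %s to %s as command %s", playbook, instance_id, command_id)
    return command_id


def fetch_result(ssm, command_id, instance_id):
    """Asynchronous follow-up: the invocation status and the stdout SSM captured."""
    inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
    return inv["Status"], inv.get("StandardOutputContent", "")


def handler(event, context, ssm=None):
    """Lambda entry point. The event shape {"instance_id", "playbook"} is an
    assumption, e.g. produced by a rule that reacts to a GuardDuty finding."""
    if ssm is None:
        import boto3  # lazy import so the module also loads where boto3 is absent
        ssm = boto3.client("ssm")
    command_id = remediate_instance(ssm, event["instance_id"], event["playbook"])
    return {"command_id": command_id, "instance_id": event["instance_id"]}
```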
Tools we use: COEs
Call to Action – Do Try This at Home
• In your company, deeply understand how software is created and shipped. Sit security team members with a development team for as many days as you can (and not just the appsec team) (1-2 months).
• Catalog the controls and visibility into CI/CD pipelines. That’s where change management and control happens now. Set clear goals with owners to harden the pipeline (1-3 months).
• Begin to document every instance of human interaction with systems that process data. Let engineering & operations teams drive this goal (1-6 months).
• Set and achieve a goal to reduce human access to systems that process sensitive data by 80% (1-2 years).
• Set and achieve a goal to drive workload deployment from source code. Catalog the % of workloads that are built on automation vs. those built with manual steps (1 year).
More Information
Visit the AWS Booth: Exhibit Hall #805
AWS Security Twitter: @AWSSecurityInfo
AWS Security Blog: aws.amazon.com/blogs/security/