This document discusses keeping security scalable with application demand in the cloud. It discusses how AWS infrastructure is constantly monitored and highly available across multiple regions. AWS and customers share responsibility for security. The document recommends automating logging and monitoring, simplifying access controls, enabling encryption, and enforcing authentication. It also discusses how security needs to scale elastically with workloads in the cloud.
Keeping Security In-Step with your Application Demand Curve
1. Keeping Security In-Step with your Application Demand Curve
Nick Matthews, Solutions Architect, AWS
Rob Ayoub, Research Director, IDC
Dave Morrissey, Director – Cloud Service Providers, Fortinet
2. Your Data and IP Are Your Most Valuable Assets
$6.53M average cost of a data breach (https://www.csid.com/resources/stats/data-breaches/)
56% increase in theft of hard intellectual property (http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html)
70% of consumers indicated they’d avoid businesses following a security breach (https://www.csid.com/resources/stats/data-breaches/)
3. AWS Can Be More Secure than Your Existing Environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than their on-premises environment. How?
Automating logging and monitoring
Simplifying resource access
Making it easy to encrypt properly
Enforcing strong authentication
5. Constantly Monitored
The AWS infrastructure is protected by extensive network and security monitoring systems:
Network access is monitored by AWS security managers daily
AWS CloudTrail lets you monitor and record all API calls
Amazon Inspector automatically assesses applications for vulnerabilities
6. Highly Available
The AWS infrastructure footprint helps protect your data from costly downtime
43 Availability Zones in 16 regions for multi-synchronous geographic redundancy
Retain control of where your data resides for compliance with regulatory requirements
Mitigate the risk of DDoS attacks using services like Route 53
Dynamically grow to meet unforeseen demand using Auto Scaling
7. Integrated with Your Existing Resources
AWS enables you to improve your security using many of your existing tools and practices
Integrate your existing Active Directory
Use dedicated connections as a secure, low-latency extension of your data center
Provide and manage your own encryption keys if you choose
27. Cloud Security Adoption: Customer Preferences
Q: What are your customer preferences for on-premises and SaaS/cloud SECURITY solutions?
Prefer on-premise security solutions: 37%
Prefer cloud security solutions: 21%
Prefer adopting a hybrid security approach: 42%
Cloud, mobility, and Big Data adoption has increasingly impacted enterprises’ security strategies. They add complexity and drive investments in IT infrastructure and data protection.
The rising number of cyberattacks and increasing complexities have led to demand for managed security services and more sophisticated security solutions.
29. Dynamic Security for AWS Workloads
Dave Morrissey, Director – Cloud Service Providers, Fortinet
30. Fortinet Facts
Founded: 2000
Sunnyvale, CA
FY16 Revenue: $1.3B
Customers: >310K
Devices shipped: >3.1M
Unit share worldwide in Network Security (IDC): #1
Patents: 380
Patents pending: 298
Advanced AWS partner
31. Security Must Be Flexible in the Cloud
Environment Flexibility
Elastic Flexibility
Deployment Flexibility
32. Flexibility to Scale Security in any Environment
Global Security Scaling: Supported in all 16 AWS Regions. CloudFormation Templates accessible from GitHub.
New Deployments: CloudFormation Templates built specifically for new AWS VPC deployments.
Existing AWS Networks: CloudFormation Templates built specifically for existing AWS VPC augments.
33. Flexible Scaling Criteria
You select the scale-in/out trigger: CPU Utilization, Memory Utilization, Concurrent Sessions
Adds to Security Groups: Complements your use of Security Groups, Network Segmentation & NACLs.
Advanced Security Layers: Application Control, Antivirus, Antispam, IPS, Threat Research, DLP, WAF, VPN
34. Flexible Deployment Options
Multiple Auto Scaling CloudFormation Templates
Use the License you already Own
On Demand
Pay-as-you-Go
BYOL
New VPC – Two options
Existing VPC – Two options
Use your BYOL license as your primary instance in each Availability Zone
Create On Demand Auto Scale Groups that Build on your BYOL License
Create primary instances and Auto Scale Groups with Hourly or Annual usage rates
On Demand Hourly will ALWAYS be used as the Auto Scaling Group – true Elasticity
35. FortiGate Firewall Auto Scaling…Made Easy
Integrates with AWS Services
AWS CloudFormation Template: automates Auto Scaling deployment
Amazon CloudWatch: alarms trigger scale-up/down
AWS Elastic Load Balancing: distributes inbound traffic equally
Amazon Simple Queue Service: lifecycle hook posts scaling events
Amazon EC2: creates a worker node
AZs: launches (2) FortiGates in (2) AZs in a High Availability architecture
AWS Identity and Access Management (IAM): creates dynamic roles for EC2 launch and SQS for Auto Scaling lifecycle hook
Management Console: enables the CloudFormation Template deployment
36. Q & A
Moderators
Nick Matthews, nickmatt@amazon.com
John Jacobs, jjacobs@fortinet.com
Speakers
Rob Ayoub, rayoub@idc.com
Dave Morrissey, dmorrissey@fortinet.com
37. Resources
Learn More: www.Fortinet.com/aws
Contact Fortinet: awssales@fortinet.com
Auto Scaling Guide:
https://www.fortinet.com/content/dam/fortinet/assets/solutions/aws/dg-fortigate-autoscaling.pdf
Configuring your FortiGate Firewall:
http://cookbook.fortinet.com/creating-security-policies/
Admin Guide for your FortiGate Firewall:
http://docs.fortinet.com/fortigate/admin-guides
Editor's Notes
Rob (IDC) hand-off
Introduce Dave Morrissey
Dave intros self and takes over
Cloud, aerospace, NASA, Rocket
I’d like to start with a quick introduction to Fortinet.
Fortinet is a US based company that has been providing advanced network security solutions for over 15 years.
Fortinet surpasses $1 billion in revenue, is highly profitable with $1.4B in cash and zero debt and continues as the #1 Network Security vendor with over 3.1 million products shipped to over 310,000 global customers.
In fact, Fortinet has 2 TIMES more security products shipped than its closest competitor.
From a customer perspective:
Fortinet has a large footprint in enterprise, small to mid-sized companies, government, education and healthcare.
This is extended to a global customer base of Fortune Companies with 8 of the Top 10 in EMEA and 9 of the Top 10 in APAC.
50 of the 60 world's largest companies and ALL 10 of the top global Telecom Carriers have chosen Fortinet to protect their networks.
Rob and IDC hit upon three key areas that Fortinet addresses:
Security vendors should allow for environment flexibility – supporting new and existing VPC environments in global regions
Elasticity should be flexible – allowing the use of customer defined scale criteria that layers onto existing AWS security
Deployment should be flexible – leveraging CloudFormation Templates to AUTOMATE scaling and simplify the deployment set-up
Takes minutes
…add 1-2 items to call out
In summary: Fortinet has created a set of CloudFormation Templates that facilitate flexibility in:
Your new or existing environment
How you set up the scaling criteria
Auto Scaling automation and deployment
By creating Templates that enable the use of BYOL licenses in conjunction with On Demand instances – our customers get the best of both worlds with a fixed asset that is always on linked to a dynamic asset that only scales when needed for a true Pay-As-You-Go model and maximum operational and capital efficiency. We look forward to working with you on creating new or augmenting existing VPCs that include Scalable Security capabilities.
Thank you…