
Using Security to Build with Confidence in AWS

You don’t need to be a security expert to protect your organization’s data in the cloud. You don’t need to be a security expert to protect your workloads on AWS. You just need to be informed of the many security tools available in AWS, and learn how to use them.

Taking a highly automated approach to security, you can use key features of the AWS Cloud to transform security in your organization. Just as infrastructure as an API lets you build quickly, security as an API allows you to move rapidly and stay secure. From AWS security groups, to virtual private networks, to security tools, you need to learn how to automate and accelerate.

In this talk, you’ll see how various AWS features and cloud-aware security controls can work together to protect your deployments. Using real-world examples, you’ll come away with an understanding of steps you can take to ensure that you maximize the security of your deployment while minimizing the work it takes to keep it secure.

You will learn a logical approach to modern security that you can immediately apply to your own AWS deployments. You will learn how to use security tools and techniques to help you build with confidence.

Published in: Technology


  1. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved. Using Security to Build with Confidence in AWS. Mark Nunnikhoven for Trend Micro, @marknca
  2. Mark Nunnikhoven, @marknca, aws.trendmicro.com
  3. The Story (more at aws.trendmicro.com). 2012 re:Invent: SPR203, Cloud Security Is a Shared Responsibility, http://bit.ly/2012-spr203. 2013 re:Invent: SEC208, How to Meet Strict Security and Compliance Requirements in the Cloud, http://bit.ly/2013-sec208; SEC307, How Trend Micro Built Their Enterprise Security Offering on AWS, http://bit.ly/2013-sec307. 2014 re:Invent: SEC313, Updating Security Operations for the Cloud, http://bit.ly/2014-sec313; SEC314, Customer Perspectives on Implementing Security Controls with AWS, http://bit.ly/2014-sec314
  4. Shared Responsibility Model. AWS: physical infrastructure, network, virtualization. You: operating system, applications, data, service configuration. More at aws.amazon.com/security
  5. Shared Responsibility Model (same content as slide 4)
  6. Vulnerability. Respond. Repair.
  7. Vulnerability. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
  8. by Andreas Lindh (@addelindh)
  9. bash is a common command line interpreter
  10. a:() { b; } | attack 10 | 10 vulnerability. Widespread and easy to exploit
  11. Shellshock Impact
  12. 1989. Fantastic summary by David A. Wheeler at http://www.dwheeler.com/essays/shellshock.html#timeline
  13. "MicroTAC" by Redrum0486 at English Wikipedia, 12.3 oz
  14. Timeline (columns: Time Since Last Event, Event, Action, Timeline): 1989-08-05 8:32 Added to codebase; 27 days, 10:20:00 Released to public; 9141 days, 21:18:35 Initial report, React (clock starts); 1 day, 22:19:13 More details, React; 2 days, 7:30:12 Official patch :: CVE-2014-6271, Patch, 4 days, 5:49:25; 5 days, 9:16:35 Limited disclosure :: CVE-2014-6271, React; 2 days, 4:37:25 More details, React; 3:44:00 More details, React; 0:27:51 Public disclosure, React; 0:36:30 More details, React
  15. Important Shellshock Events (columns: Time Since Last Event, Event, Action, Timeline): 1989-08-05 8:32 Added to codebase; 27 days, 10:20:00 Released to public; 9141 days, 21:18:35 Initial report, React (clock starts); 2 days, 7:30:12 Official patch :: CVE-2014-6271, Patch, 4 days, 5:49:25; 3:29:09 Official patch :: CVE-2014-7169, Patch, 9 days, 19:17:00; 3:15:00 Official patch :: CVE-2014-7186, CVE-2014-7187, Patch, 4 days, 17:30:00; 1 day, 11:55:00 Official patch :: CVE-2014-6277, Patch, 1 day, 11:55:00
  16. Respond. Day 1. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
  17. aws.amazon.com/architecture: Web application hosting
  18. aws.amazon.com/architecture: Web application hosting
  19. TCP: 443, TCP: 4433. Primary workflow for our deployment
  20. AWS VPC Review
  21. AWS VPC Checklist. Review: AWS Identity and Access Management (IAM) roles; security groups; network segmentation; network access control lists (NACL). More in the Auditing Security Checklist for Use of AWS, media.amazonwebservices.com/AWS_Auditing_Security_Checklist.pdf
  22. TCP: 443, TCP: 4433. Primary workflow for our deployment
  23. HTTPS. Intrusion prevention can look at each packet and then take action depending on what it finds
  24. aws.amazon.com/architecture: Web application hosting
  25. Intrusion Prevention in Action
  26. Review: all instances covered; workload-appropriate rules; centrally managed. Security controls must scale out automatically with the deployment
  27. Repair. Day 2. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
  28. aws.amazon.com/architecture: Web application hosting
  29. All instances deployed from a task-specific AMI. TCP: 443, TCP: 4433
  30. AMI Creation Workflow: Instantiate, Configure, Bake, Instantiate, Test, Destroy. Workflow should be completely automated
  31. AMI Creation
  32. aws.amazon.com/architecture: Web application hosting
  33. Integrity Monitoring: AMI, Instance, Alert. Instances tend to drift from the known good state; monitoring key files and processes is important
  34. Integrity Monitoring
  35. Keys. Respond: review configuration; apply intrusion prevention. Repair: patch vulnerability in new AMI; leverage integrity monitoring
  36. Keys: Automation
  37. Build With Confidence
  38. SAN FRANCISCO
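The "Respond" half of the deck (slides 19 through 26) comes down to reviewing the VPC configuration against the deployment's primary workflow: only TCP 443 should be reachable from the internet on the web tier, and the app tier on TCP 4433 should only be reachable from inside the VPC. The following is an added example, not code from the talk or from AWS, showing that review as a script. It takes input in the shape of the EC2 DescribeSecurityGroups response (what boto3's `ec2.describe_security_groups()["SecurityGroups"]` returns); the two groups, their placeholder ids, and the expected-port table are constructed for the example.

```python
"""Review security-group ingress against the deployment's expected workflow.

Added example for the talk's "review configuration" step; not code from the
talk or from AWS. Input has the shape of the EC2 DescribeSecurityGroups
response; the groups below are constructed sample data with placeholder ids.
"""
from ipaddress import ip_network

# RFC 1918 space is treated as internal; any other source counts as public.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a web tier that should expose only 443 to the world and
# an app tier that should be reachable only from inside the VPC on 4433.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-web-placeholder",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {
        "GroupId": "sg-app-placeholder",
        "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 4433, "ToPort": 4433,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
            # "-1" means all protocols; such rules carry no FromPort/ToPort.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]

# Ports each group is expected to expose publicly, taken from the workflow diagram.
EXPECTED_PUBLIC_PORTS = {"web-tier": {443}, "app-tier": set()}


def is_internal(cidr):
    """True when the CIDR lies entirely inside RFC 1918 space."""
    net = ip_network(cidr, strict=False)
    return any(net.version == internal.version and net.subnet_of(internal)
               for internal in INTERNAL_NETS)


def review_security_groups(groups, expected_public_ports):
    """Return (group name, finding) pairs for public exposure beyond what is expected."""
    findings = []
    for group in groups:
        name = group["GroupName"]
        allowed = expected_public_ports.get(name, set())
        for rule in group.get("IpPermissions", []):
            public = [r["CidrIp"] for r in rule.get("IpRanges", []) if not is_internal(r["CidrIp"])]
            if not public:
                continue  # internal-only rule; not in scope for this review
            proto = rule["IpProtocol"]
            sources = ", ".join(public)
            if proto == "-1":
                findings.append((name, f"all protocols open to {sources}"))
                continue
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if proto not in ("tcp", "udp") or lo is None or hi is None:
                findings.append((name, f"{proto} open to {sources}"))
                continue
            exposed = sorted(set(range(lo, hi + 1)) - allowed)
            if exposed:
                shown = f"{exposed[0]}" if len(exposed) == 1 else f"{exposed[0]}-{exposed[-1]}"
                findings.append((name, f"{proto} port(s) {shown} open to {sources}; "
                                       f"expected only {sorted(allowed) or 'none'}"))
    return findings


if __name__ == "__main__":
    for group_name, finding in review_security_groups(SAMPLE_GROUPS, EXPECTED_PUBLIC_PORTS):
        print(f"{group_name}: {finding}")
```

Run against the constructed groups, the script flags the web tier's management port and the app tier's all-protocols rule, while the expected 443 and the internal 4433 rule pass. Because the expected-port table is data rather than code, the same review can be re-run every time the deployment scales out, which is the point slide 26 makes about controls scaling with the deployment.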
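Slide 33's "Repair" step relies on integrity monitoring: the AMI is the known good state, every instance is launched from it, and any drift in key files or processes on a running instance should raise an alert. The following is an added example, not code from the talk or from any product, showing the mechanism behind that slide. It assumes the baseline is taken when the AMI is baked and that the same watch list is re-hashed on the running instance; the watch list, the file contents and the process names are constructed in a temporary directory so the example runs offline.

```python
"""File and process integrity monitoring against a known-good baseline.

Added example for the talk's "leverage integrity monitoring" step; not code
from the talk or from any product. The baseline is assumed to be taken when
the AMI is baked; the running instance is re-hashed against the same watch
list and drift is reported so it can be alerted on. All inputs are constructed.
"""
import hashlib
import os
import tempfile

# Paths (relative to the filesystem root) worth watching on a web or app instance.
WATCH_LIST = [
    "etc/ssh/sshd_config",
    "etc/passwd",
    "usr/bin/bash",
    "etc/cron.d/nightly",
]


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root, watch_list):
    """Map each watched path that exists under root to its SHA-256."""
    return {rel: sha256_file(os.path.join(root, rel))
            for rel in watch_list if os.path.isfile(os.path.join(root, rel))}


def diff_snapshots(baseline, current):
    """Classify drift between two snapshots as added, removed or modified paths."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def process_drift(expected, running):
    """Processes that should be running but are not, and ones that should not be."""
    expected, running = set(expected), set(running)
    return {"missing": sorted(expected - running), "unexpected": sorted(running - expected)}


def _write(root, rel, content):
    """Create a constructed file under the temporary root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as handle:
        handle.write(content)


def demo():
    """Bake-time baseline, then constructed drift on the 'running instance'."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "usr/bin/bash", "#!/bin/sh\n")  # stand-in for the real binary
        baseline = snapshot(root, WATCH_LIST)

        # Simulated drift: an account added, a binary gone, a new cron job appeared.
        _write(root, "etc/passwd",
               "root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        os.remove(os.path.join(root, "usr/bin/bash"))
        _write(root, "etc/cron.d/nightly", "0 2 * * * root /opt/app/nightly.sh\n")
        files = diff_snapshots(baseline, snapshot(root, WATCH_LIST))

    # Constructed process lists: the AMI's expected set versus what is running now.
    processes = process_drift(expected=["sshd", "nginx", "app"],
                              running=["sshd", "nginx", "unknown"])
    return {"files": files, "processes": processes}


if __name__ == "__main__":
    report = demo()
    for category, paths in report["files"].items():
        print(f"files {category}: {paths}")
    for category, names in report["processes"].items():
        print(f"processes {category}: {names}")
```

Each category in the report maps to a different response: a modified or added file on an instance that was never meant to be configured by hand is the drift slide 33 warns about, and the fix is the one the deck prescribes, bake a corrected AMI and replace the instance rather than patch it in place. Watching a path that is absent at bake time (here `etc/cron.d/nightly`) is deliberate, since files appearing where none should exist are as telling as changed ones.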
