Find out how the Xero Cloud Security team deals with the accelerated pace of security brought about by cloud innovation occurring at Xero as they migrate “all-in” into the AWS cloud. Xero will share the Cloud Security team’s journey to the cloud, key success and learning points, as well as how they worked with Bulletproof to implement automated, repeatable and on-demand security with AWS that works at any scale. You will leave this session with actionable, real-world knowledge of how to achieve AWS security posture best practices at minimal cost while delivering high value.
4. What can you expect today?
An overview of:
• Xero
• AWS Migration Project
• AWS Security Principles
• Key Project Learnings
• Bulletproof
• Cloud Security Considerations
• Secure by Design Guidance
5. Who are we?
• Cloud House merged with Bulletproof in 2016
• First Premier Partner in A/NZ
• ASX listed (ASX:BPF)
• Only Premier Partner in NZ
• End-to-end Cloud services provider.
• 700+ customers
• 16+ years of experience
• We help you disrupt, transform and innovate
8. Xero in numbers
• 1450+ staff globally
• $474m raised in capital
• $202m sub revenue FY16
• 23m+ businesses have interacted on the Xero platform
• $1tr incoming and outgoing transactions in past 12 mths
• 450m incoming and outgoing transactions in past 12 mths
All figures shown are in NZD
10. Public cloud migration
• Improving data protection
• Eliminating scheduled downtime
• Maintaining and improving security
• Supporting the next wave of growth
• Reducing our per customer cost
12. Approach: AWS Cloud Security
• Security is a Journey
• High Pace of Innovation with Cloud
• Automation is key
13. How? AWS Cloud Security
• Focus on API Security
• Fast rate of change
• Cloud native systems with consistent security capabilities
14. How? AWS Cloud Security (mapped to AWS services)
• Focus on API Security: AWS IAM
• Fast rate of change: AWS CloudFormation
• Cloud native systems with consistent security capabilities: AWS KMS, AWS CloudTrail, AWS Config, CloudWatch Logs, CloudWatch Alarms, AWS IAM
17. Key principles
• Repeatable and automated build and management of security systems
• Accelerated pace of security innovation
• On-demand security infrastructure that works at any scale
18. Security as a service
• VPN connectivity
• Host Based Security
• Web Application Security and Delivery
• Shared Key Management Services
• Security Operations and Consulting Services
• Secure Bastion Access Proxy Services
22. Secure by Design: Account Structure
• Billing
• Non-Production: Development, Shared Services, UAT
• Production: Production, Staging, Shared Services
• Identity
• Security
24. Secure by Design: Service Mapping
Diagram (not recoverable as text): maps the accounts from the account structure (Non-Production: Development, Shared Services, UAT; Production: Production, Staging, Shared Services; Security; Identity; Billing) to the AWS services each hosts. Services shown: AWS IAM (IAM Users, IAM Groups, IAM Roles, IAM Policy), AWS KMS, AWS CloudTrail with a CloudTrail S3 Bucket and CloudTrail Glacier Vault, AWS Config with a Config S3 Bucket and Config Glacier Vault, CloudWatch Logs, CloudWatch Alarms and SNS Email Notifications.
30. Secure by Design: CloudTrail
CloudTrail Settings
• All Regions (Multi-Region setting)
• Log File Integrity Validation
• Log File Encryption with KMS
S3 Bucket Policy
• Restrict Authorised Users to have Read-Only access
• Allow Only the CloudTrail service to have Write access
Day One components: AWS KMS, AWS CloudTrail, CloudTrail S3 Bucket, CloudTrail Glacier Vault, S3 Lifecycle Rules
31. Secure by Design: Config
Config Settings
• All Regions (No multi-region setting, so Automate)
• Enable All available Resource Types for tracking
S3 Bucket Policy
• Restrict Authorised Users to have Read-Only access
• Allow Only the Config service to have Write access
Day One components: AWS Config, Config S3 Bucket, Config Glacier Vault, S3 Lifecycle Rules
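The CloudTrail and Config slides above amount to a short day-one checklist: a multi-region trail with log file validation and KMS encryption, a Config recorder in every region (there is no multi-region switch) tracking all resource types, and log buckets where only the logging service can write. The Python below is an added example, not Xero's or Bulletproof's code, that encodes that checklist as audit functions over the response shapes boto3 returns from describe_trails, describe_configuration_recorders and get_bucket_policy. The account id, ARNs, bucket name and region list are constructed placeholders so the script runs offline; in practice you would feed the functions live API output, calling the Config check once per region.

```python
"""Day-one audit of the CloudTrail and Config settings listed on the slides.

Added example (not Xero's or Bulletproof's code). Inputs follow the boto3
shapes: describe_trails -> trailList entries, describe_configuration_recorders
-> ConfigurationRecorders per region, get_bucket_policy -> Policy string.
All ids, ARNs, bucket names and regions below are constructed placeholders.
"""
import json

CLOUDTRAIL_SERVICE = "cloudtrail.amazonaws.com"
CONFIG_SERVICE = "config.amazonaws.com"


def audit_trail(trail):
    """Return the checklist items a trail fails (empty list == compliant)."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file integrity validation disabled")
    if not trail.get("KmsKeyId"):
        findings.append("log files not encrypted with KMS")
    return findings


def audit_config_recorders(recorders_by_region):
    """Config has no multi-region switch, so each region is checked on its own.
    recorders_by_region maps region -> that region's ConfigurationRecorders list."""
    findings = []
    for region, recorders in sorted(recorders_by_region.items()):
        if not recorders:
            findings.append(f"{region}: no configuration recorder")
            continue
        group = recorders[0].get("recordingGroup", {})
        if not (group.get("allSupported") and group.get("includeGlobalResourceTypes")):
            findings.append(f"{region}: recorder does not track all resource types")
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_write_action(action):
    # Wildcards and any s3:Put*/s3:Delete* verb count as write access.
    if action in ("*", "s3:*"):
        return True
    service, _, verb = action.partition(":")
    return service == "s3" and verb.lower().startswith(("put", "delete"))


def audit_log_bucket_policy(policy_json, service):
    """Flag Allow statements granting write actions to anyone but `service`.
    Read-only access for authorised users is fine; only the logging service may write."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_is_write_action(a) for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        only_service = (isinstance(principal, dict) and set(principal) == {"Service"}
                        and set(_as_list(principal["Service"])) == {service})
        if not only_service:
            findings.append(f"statement {stmt.get('Sid', '<no Sid>')}: "
                            f"write access granted to a principal other than {service}")
    return findings


# ---- constructed samples (placeholder account 111111111111) ----
ACCOUNT = "111111111111"
BUCKET = "example-cloudtrail-logs"
GOOD_TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True, "S3BucketName": BUCKET,
              "LogFileValidationEnabled": True,
              "KmsKeyId": f"arn:aws:kms:ap-southeast-2:{ACCOUNT}:key/PLACEHOLDER"}
BAD_TRAIL = {"Name": "legacy-trail", "IsMultiRegionTrail": False, "S3BucketName": BUCKET,
             "LogFileValidationEnabled": True}
SAMPLE_RECORDERS = {
    "ap-southeast-2": [{"name": "default", "recordingGroup":
                        {"allSupported": True, "includeGlobalResourceTypes": True}}],
    "us-east-1": [],  # region nobody enabled Config in
    "eu-west-1": [{"name": "default", "recordingGroup":
                   {"allSupported": False, "resourceTypes": ["AWS::EC2::Instance"]}}],
}
_READ_ONLY = {"Sid": "SecurityReadOnly", "Effect": "Allow",
              "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/SecurityAuditor"},
              "Action": ["s3:GetObject", "s3:ListBucket"],
              "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}
_TRAIL_WRITE = [
    {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Action": "s3:GetBucketAcl",
     "Principal": {"Service": CLOUDTRAIL_SERVICE}, "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Action": "s3:PutObject",
     "Principal": {"Service": CLOUDTRAIL_SERVICE},
     "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/{ACCOUNT}/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
]
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": _TRAIL_WRITE + [_READ_ONLY]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": _TRAIL_WRITE + [_READ_ONLY, {
    "Sid": "AccountWide", "Effect": "Allow", "Action": "s3:*",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

if __name__ == "__main__":
    for label, result in [("org trail", audit_trail(GOOD_TRAIL)),
                          ("legacy trail", audit_trail(BAD_TRAIL)),
                          ("config recorders", audit_config_recorders(SAMPLE_RECORDERS)),
                          ("good policy", audit_log_bucket_policy(GOOD_POLICY, CLOUDTRAIL_SERVICE)),
                          ("bad policy", audit_log_bucket_policy(BAD_POLICY, CLOUDTRAIL_SERVICE))]:
        print(f"{label}: {result or 'compliant'}")
```

The bucket policy check is deliberately strict about the principal: a statement that grants s3:PutObject to both the CloudTrail service and an IAM role is reported, because a writer other than the service could overwrite or delete the evidence that log file validation is meant to protect. For the Config bucket, call audit_log_bucket_policy with CONFIG_SERVICE instead.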
46. Secure by Design: Visibility
• CloudTrail, Config and the AWS Console provide a lot of great information
• Can be hard to find the needle in the haystack...
• Enter Netflix OSS Security Monkey
“You can’t secure what you don’t know about…”
68. Key learnings
• Measure and Test, Monitor Everything
• Welcome to the cloud - "Where's my span port?"
• Security by Design - What's that?
• Communication is Key - Who are your spokespeople?
69. Final takeaways
• Repeatable and automated build and management of security systems
• Accelerated pace of security innovation
• On-demand security infrastructure that works at any scale
75. What you can do today
• Visit us at stand: P2
• Contact us to discuss your requirements: salesnz@bulletproof.net | 0800 258 773
• Enter our draw to win an Amazon Echo