Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Operational Complexity:
The Biggest Security Threat to
Your AWS Environment
Security is kind of
a big deal…
We’ve all got them.
Are we doing the right thing to secure
them?
ON-PREMISESIN THE CLOUD H...
And it’s no
different in AWS
Managing tightly-
controlled user access
in AWS is too complex.
But it’s hard.
And complexity...
Why is it
so complex?
There are 6 main reasons
User access is IP-centric, and
their IP addresses change
Predicting where those users are
going to be when accessing your
...
Dynamic environments cause
extra administrative burdens2
As virtual machines and services
within AWS are spun up, expanded...
Complexity leads to shortcuts3
A lot of the time shortcuts are taken
that compromise the security
posture in the footprint...
Forced use of VPN connectivity
to manage access control4
And it can create performance issues
for your end users and force...
Logging correlation
complexities5
So when it comes to audit and
compliance, you have a
tremendously difficult task on your...
Shared AWS
responsibility model6
Do you know where AWS’s
responsibility for the cloud
ends – and yours begins?
Compute Storage Database Networking
AWS Global Infrastructure
Regions Availability Zones Edge Locations
https://aws.amazon...
Customer Data
Platform, Apps, Identity & Access Management
OS, Network & Firewall Configuration
Client-Side Data
Encryptio...
Anytime you take advantage of
the resources and build virtual
machines, deploy data into S3
buckets or use a feature like ...
Security
Groups
So we turn to
You can use
Security Groups,
but they introduce
operational complexity
with negative consequences.
We either give
wide-open access
and end up with this…
No
accountability/
visibility
Increased risk
of security
breaches
Ma...
Or
tightly controlled access
and end up with this…
Reduced
business agility
Friction for
DevOps
Inefficient
approval proce...
Consider
this scenario
Security
Groups
Four users access the
Amazon environment from
a known source.
1
73.68.25.22124
Their public IP address is
the known source. The
security groups are
configured appropriately.
2
Security
Groups
Four user...
The challenge is when
users try to access from
other locations.
73.68.25.22124
Security
Groups
Security
Groups
Do you:
Allow
wide open
access from
anywhere?
73.68.25.22124
Or tightly control
access – force
users to VP...
There’s a
better way
to do it.
It’s called a
Software-Defined
Perimeter
A Software-Defined Perimeter gives
every user on your network –
whether an internal employee or a third-party
working for ...
And it’s a
big deal
Industry experts
suggest using it
Legacy, perimeter-based
security models are ineffective
against attacks. Security and ri...
A Software-Defined Perimeter gives you:
Individualized perimeters for each user –
a Segment of One
A Software-Defined Perimeter gives you:
Fine-grained authorization to on-premises and cloud
A Software-Defined Perimeter gives you:
Context-aware driven authentication, then access
A Software-Defined Perimeter gives you:
Simpler firewall and security group rules
A Software-Defined Perimeter gives you:
Dynamic authorization adjusting to the user to access
new cloud server instances
A Software-Defined Perimeter gives you:
Consistent access policies across heterogeneous
environments
A Software-Defined Perimeter
puts the person back into the
security model.
… by taking the source IP
concept out of the eq...
The person, their identity,
the device they’re on,
the network they’re
connected to, and just about
anything else you coul...
Once a person is authorized to view
resources, everything else on the
network becomes invisible.
Cryptzone delivers a
Software-Defined
Perimeter Solution
for AWS
Digital
Identity
AppGate
Imagine a user wants to access the company’s ERP system
Managed Networks
Cloud, On-premises or Hy...
AppGate
Digital
Identity
First we look at both context and identity.
DEVICE TIME
CUSTOM
ATTRIBUTES
ANTI-VIRUS
LOCATION: OF...
AppGate
Digital
Identity
We confirm it matches your policies before granting access.
DEVICE TIME
CUSTOM
ATTRIBUTES
ANTI-VI...
Managed Networks
Cloud, On-premises or Hybrid
V
Secured
Email
ERP
CRM Group
File Share
Executive
Files
Enterpris
e Finance...
And make everything else (the
applications and the rest of the
network) invisible to the user.
Digital
Identity
DEVICE TIM...
Digital
Identity
And if the user goes home and wants to
continue working, AppGate automatically checks
“user-context” agai...
The result?
Locked-down secured access to
AWS resources that is operationally
simple to manage and maintain.
Let’s look at...
Current Model
AWS Security Groups
We all know about AWS Security
Groups. The current Security
Group model is complicated a...
AWS Security Groups & AppGate
Using AppGate, there are multiple gateways, protecting multiple
cloud providers with split f...
AWS Security Groups & AppGate
AppGate defines protected destinations, called Entitlements and protects
simple IP addresses...
AWS Security Groups & AppGate
AppGate offers a new Security Model inside AWS, redefining the Security Group so that
protec...
AWS Security Groups & AppGate
Authentication Policy
• If users are on corporate
network allow Single-
Factor Authenticatio...
Because there is just
one IP address,
managing security
just got easier.
AppGate Model
Access policies across
hybrid environments
are consistent
Access is tightly secured
with a Segment
of One
Compliance
repor...
Sally M
Developer
Project Eagle
Charlie S
DB Admin
Joe R
Developer
Project Hawk
Coffee Shop
Consultant
Enterprise Headquar...
Learn more about AppGate
AWS Security
Simplify, Scale, &
Secure User Access
WEBINAR
The Zero Trust Model of
Information Se...
FREE TRIAL | START NOW
Email: info@cryptzone.com
Twitter: @Cryptzone
LinkedIn:
linkedin.com/company/cryptzone
GET IN TOUCH...
Paul Campaniello
Chief Marketing Officer
Cryptzone
Upcoming SlideShare
Loading in …5
×

Operational Complexity: The Biggest Security Threat to Your AWS Environment

1,245 views

Published on

Managing tightly-controlled user access in AWS is complex. And complexity leads to errors and sloppiness. There are six main reasons why this operational complexity is the biggest security threat to your AWS Environment. Paul Campaniello at Cryptzone discusses in this eBook.


Published in: Software
  • Be the first to comment

Operational Complexity: The Biggest Security Threat to Your AWS Environment

  1. 1. Operational Complexity: The Biggest Security Threat to Your AWS Environment
  2. 2. Security is kind of a big deal… We’ve all got them. Are we doing the right thing to secure them? ON-PREMISESIN THE CLOUD HYBRID ENVIRONMENTS
  3. 3. And it’s no different in AWS Managing tightly- controlled user access in AWS is too complex. But it’s hard. And complexity leads to errors and sloppiness.
  4. 4. Why is it so complex? There are 6 main reasons
  5. 5. User access is IP-centric, and their IP addresses change Predicting where those users are going to be when accessing your network is a very big challenge; and almost impossible if you have a mobile workforce. 1 Think office to home, to mobile, to a coffee shop, to a plane…
  6. 6. Dynamic environments cause extra administrative burdens2 As virtual machines and services within AWS are spun up, expanded or contracted, being able to dynamically allocate security policies to these resources becomes a real challenge.
  7. 7. Complexity leads to shortcuts3 A lot of the time shortcuts are taken that compromise the security posture in the footprint of a particular environment.
  8. 8. Forced use of VPN connectivity to manage access control4 And it can create performance issues for your end users and force unnecessary hops from environment to environment just to ensure that people are coming at the environment from appropriate locations. If you’re at all into the networking space within your organization, you know that the use of VPNs is also not a trivial task. VPN
  9. 9. Logging correlation complexities5 So when it comes to audit and compliance, you have a tremendously difficult task on your hands to correlate these logs and figure out who is doing what, who is accessing which application, what time of day and under what context they are doing it. All of this hopping around and all of these different technologies lead to logging correlation issues.
  10. 10. Shared AWS responsibility model6 Do you know where AWS’s responsibility for the cloud ends – and yours begins?
  11. 11. Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations https://aws.amazon.com/compliance/shared-responsibility-model AWS Shared Responsibility Model AWS is responsible for this… Responsible for security ‘of’ the cloud
  12. 12. Customer Data Platform, Apps, Identity & Access Management OS, Network & Firewall Configuration Client-Side Data Encryption and Data Integrity Authentication Server-Side Encryption (File System and/or Data) Network Traffic Protection (Encryption/ Integrity/Integrity) Customer Responsible for security ‘in’ the cloud And you’re responsible for this…
  13. 13. Anytime you take advantage of the resources and build virtual machines, deploy data into S3 buckets or use a feature like AWS Snowball to push data into the environment, security becomes your responsibility. Anything in the cloud is your responsibility AWS gives you tools, but you have to implement them. AWS’s responsibility ends with the physical components of the cloud…the data center, the servers, the storage. You are responsible for everything that leverages those physical components – all the configured services, data, deployed applications. This includes network access security.
  14. 14. Security Groups So we turn to
  15. 15. You can use Security Groups, but they introduce operational complexity with negative consequences.
  16. 16. We either give wide-open access and end up with this… No accountability/ visibility Increased risk of security breaches Managing compliance is virtually impossible
  17. 17. Or tightly controlled access and end up with this… Reduced business agility Friction for DevOps Inefficient approval process
  18. 18. Consider this scenario
  19. 19. Security Groups Four users access the Amazon environment from a known source. 1 73.68.25.22124
  20. 20. Their public IP address is the known source. The security groups are configured appropriately. 2 Security Groups Four users access the Amazon environment from a known source. 1 73.68.25.22124
  21. 21. The challenge is when users try to access from other locations. 73.68.25.22124 Security Groups
  22. 22. Security Groups Do you: Allow wide open access from anywhere? 73.68.25.22124 Or tightly control access – force users to VPN into a known office and through a 73 dot IP address?
  23. 23. There’s a better way to do it.
  24. 24. It’s called a Software-Defined Perimeter
  25. 25. A Software-Defined Perimeter gives every user on your network – whether an internal employee or a third-party working for you – an individualized perimeter around themselves and the network resources that they’re allowed to access.
  26. 26. And it’s a big deal
  27. 27. Industry experts suggest using it Legacy, perimeter-based security models are ineffective against attacks. Security and risk pros must make security ubiquitous throughout the ecosystem.” “ It is easier and less costly to deploy than firewalls, VPN concentrators and other bolt-in technologies.” SDP enables organizations to provide people-centric, manageable, secure and agile access to networked systems. “ “
  28. 28. A Software-Defined Perimeter gives you: Individualized perimeters for each user – a Segment of One
  29. 29. A Software-Defined Perimeter gives you: Fine-grained authorization to on-premises and cloud
  30. 30. A Software-Defined Perimeter gives you: Context-aware driven authentication, then access
  31. 31. A Software-Defined Perimeter gives you: Simpler firewall and security group rules
  32. 32. A Software-Defined Perimeter gives you: Dynamic authorization adjusting to the user to access new cloud server instances
  33. 33. A Software-Defined Perimeter gives you: Consistent access policies across heterogeneous environments
  34. 34. A Software-Defined Perimeter puts the person back into the security model. … by taking the source IP concept out of the equation.
  35. 35. The person, their identity, the device they’re on, the network they’re connected to, and just about anything else you could think of to analyze before you allow access resources on your network, is checked. 73.68.25.22124
  36. 36. Once a person is authorized to view resources, everything else on the network becomes invisible.
  37. 37. Cryptzone delivers a Software-Defined Perimeter Solution for AWS
  38. 38. Digital Identity AppGate Imagine a user wants to access the company’s ERP system Managed Networks Cloud, On-premises or Hybrid V Secured Email ERP CRM Group File Share Executive Files Enterpris e Finance EXEC_S ERVER SharePoint
  39. 39. AppGate Digital Identity First we look at both context and identity. DEVICE TIME CUSTOM ATTRIBUTES ANTI-VIRUS LOCATION: OFFICEAPPLICATION PERMISSIONS
  40. 40. AppGate Digital Identity We confirm it matches your policies before granting access. DEVICE TIME CUSTOM ATTRIBUTES ANTI-VIRUS LOCATION: OFFICEAPPLICATION PERMISSIONS
  41. 41. Managed Networks Cloud, On-premises or Hybrid V Secured Email ERP CRM Group File Share Executive Files Enterpris e Finance EXEC_S ERVER SharePoint Digital Identity We then create a dynamic Segment of One (1:1 firewall rule). DEVICE TIME CUSTOM ATTRIBUTES ANTI-VIRUS LOCATION: OFFICEAPPLICATION PERMISSIONS ENCRYPTED & LOGGED AppGate
  42. 42. And make everything else (the applications and the rest of the network) invisible to the user. Digital Identity DEVICE TIME CUSTOM ATTRIBUTES ANTI-VIRUS APPLICATION PERMISSIONS ENCRYPTED & LOGGED AppGate Managed Networks Cloud, On-premises or Hybrid ERP LOCATION: OFFICE
  43. 43. Digital Identity And if the user goes home and wants to continue working, AppGate automatically checks “user-context” again, and applies the correct “home-based” policy. DEVICE TIME CUSTOM ATTRIBUTES ANTI-VIRUS LOCATION: HOMEAPPLICATION PERMISSIONS ENCRYPTED & LOGGED AppGate Managed Networks Cloud, On-premises or Hybrid ERP
  44. 44. The result? Locked-down secured access to AWS resources that is operationally simple to manage and maintain. Let’s look at this more closely…
  45. 45. Current Model AWS Security Groups We all know about AWS Security Groups. The current Security Group model is complicated and unpredictable.
  46. 46. AWS Security Groups & AppGate Using AppGate, there are multiple gateways, protecting multiple cloud providers with split functionality. Current Model
  47. 47. AWS Security Groups & AppGate AppGate defines protected destinations, called Entitlements and protects simple IP addresses and ports, but also ranges of IP addresses and Ports, AWS Tag and Values as well as AWS Security Group names. Current Model
  48. 48. AWS Security Groups & AppGate AppGate offers a new Security Model inside AWS, redefining the Security Group so that protected destinations allow traffic only from the AppGate Gateway, ensuring all users access those resources through the contextual controls provided by AppGate. AppGate Model
  49. 49. AWS Security Groups & AppGate Authentication Policy • If users are on corporate network allow Single- Factor Authentication • If users are not on corporate network require Multi-Factor Authentication POLICY Device Policy • Allow access if Anti- Virus is running • Allow access if Device Firewall is enabled • Allow access if OS patch level is current POLICYPOLICY Developer Access Policy • Allow TCP Access • On Port 22 • For all servers tagged Dev-Project • If users are in group Development Users are tied to the entitlements through Policies where we can enforce contextual awareness before allowing specific users access to specific entitlements. This combination allows us to get very granular on who can access what and under what circumstances.
  50. 50. Because there is just one IP address, managing security just got easier. AppGate Model
  51. 51. Access policies across hybrid environments are consistent Access is tightly secured with a Segment of One Compliance reporting is easier and faster Operational agility is boosted DevOps can work faster Infrastructure changes are dynamically protected AppGate from Cryptzone provides user control, operational agility and compliance
  52. 52. Sally M Developer Project Eagle Charlie S DB Admin Joe R Developer Project Hawk Coffee Shop Consultant Enterprise Headquarters AWS Security… Simplified! User-centric security policies…because people are not IP addresses
  53. 53. Learn more about AppGate AWS Security Simplify, Scale, & Secure User Access WEBINAR The Zero Trust Model of Information Security WHITEPAPER Forrest Report No More Chewy Centers: AppGate VIDEO
  54. 54. FREE TRIAL | START NOW Email: info@cryptzone.com Twitter: @Cryptzone LinkedIn: linkedin.com/company/cryptzone GET IN TOUCH Get access to a 15 day free trial on AWS marketplace. Would you like to know more?
  55. 55. Paul Campaniello Chief Marketing Officer Cryptzone

×