10. Design for Failure: Foundation
Let’s start from Day 1, User 1:
• Amazon Route 53 for DNS
• A single Elastic IP
• A single Amazon EC2 instance
With the full stack on this one host:
• Web app
• Database
• Management
• And so on…
[Diagram: User → Amazon Route 53 → Elastic IP → single Amazon EC2 instance]
11. Design for Failure: Foundation
• We could potentially get to a few hundred to a few thousand users, depending on application complexity and traffic, but…
• No failover
• No redundancy
• Too many eggs in one basket
[Diagram: same single-instance topology as slide 10: User → Amazon Route 53 → Elastic IP → Amazon EC2 instance]
12. Design for Failure: Foundation
First, let’s separate our single host into more than one:
• Web
  • Improve scaling capabilities
• Database
  • Make your life easier: use RDS
[Diagram: User → Amazon Route 53 → Elastic IP → Web instance → RDS DB instance]
13. Design for Failure: Foundation
Next, let’s address our lack of failover and redundancy:
• Add another web instance
• Put it in a different Availability Zone
• RDS Multi-AZ deployment (a synchronous standby in the second AZ, with automatic failover)
• Elastic Load Balancing (ELB) in front of both web instances
[Diagram: User → Amazon Route 53 → ELB → one Web instance in each of two Availability Zones; RDS DB instance Active (Multi-AZ) in one AZ and Standby (Multi-AZ) in the other]
14. Design for Failure: Foundation
Best Practices
• Use multiple Availability Zones
• Use Elastic Load Balancing
• Configure CloudWatch alarms for real-time monitoring
• Consider cross-region replication of crucial data using read replicas (Multi-AZ protects against an AZ failure, not a regional one)
[Diagram: same two-AZ topology as slide 13]
43. The Good:
• Customers benefit from an environment built for the most security-sensitive organizations
• AWS manages and validates testing against more than 3,000 security controls so you don’t have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
44. The Bad: Attackers Are Focused on Your Network, Hosts, and Apps
Your responsibility:
• Applications
  • Secure coding and best practices
  • Software and virtual patching
  • Configuration management
  • Access management
  • Application-level attack monitoring
• Hosts
  • Access management
  • Patch management
  • Configuration hardening
  • Security monitoring
  • Log analysis
• Network
  • Network threat detection
  • Security monitoring
  • Logical network segmentation
  • Perimeter security services
Service provider’s responsibility:
• External DDoS, spoofing, and scanning prevented
• Hardened hypervisor
• System image library
• Root access for customer
• Configuration best practices
45. Challenges of Security for Hybrid Cloud
- Legacy security tools don’t deploy or work well in the cloud
- Hard to find good security people that ‘get’ cloud
- Different threat surface
Breaches by incident type, cloud environment vs. on premise (Source: Alert Logic CSR 2016):
Incident type         Cloud Environment   On Premise
Application-Attack    42%                 18%
Brute-Force           25%                 51%
Suspicious Activity   19%                 22%
Recon                  8%                  3%
Trojan-Activity        4%                  5%
DOS                    2%                  1%
46. Security risk is shifting to unprotected web applications
Web app attacks are now the #1 source of data breaches, up 300% since 2014 (Source: Verizon DBIR 2017, n = 1,935).
Breaches by incident pattern (Verizon DBIR 2017):
Web App Attacks          571
Cyber-espionage          289
Privilege Misuse         277
Miscellaneous Errors     222
POS Intrusions           207
Everything Else          184
Payment Card Skimmers     89
Physical Theft / Loss     74
Crimeware                 47
Denial of Service          5
But less than 5% of data center security budgets are spent on app security: $23 to $1 (Source: Gartner).
47. Design for security from Day One
Design for security:
• Role-based IAM
• No root access (no day-to-day use of the root account; lock it down with MFA)
• MFA Everywhere (!)
• Encrypt Everywhere (!)
• Keys are like fruit – they go bad quickly, so rotate them
49. Trust No One / Automate
Trust No One
• Least Privilege Model
• Only what you need, nothing more.
• Strict EC2 Roles
Automate:
• Cattle not Pets
• Be Immutable
50. Use the Tools
AWS provides high-quality security controls:
• Amazon VPC
• AWS CodeDeploy
• AWS CloudFormation templates
• Amazon CloudFront
• Amazon Route 53
• AWS KMS
• Amazon Inspector
• AWS Config
• …. More
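The controls listed on slides 47, 49 and 50 (role-based IAM, strict EC2 roles, MFA everywhere, rotating keys) expressed as a CloudFormation template. This is an added example, not a template from the deck, from Alert Logic or from AWS. It assumes an existing S3 bucket whose name is passed in as the AppBucketName parameter; the resource names (DataKey, WebInstanceRole, OperatorGroup) and the config/ prefix are illustrative.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Least-privilege EC2 role, MFA-gated operator group, and an auto-rotating KMS key

Parameters:
  AppBucketName:
    Type: String        # existing bucket holding the web tier's config (assumed)

Resources:
  # Customer-managed data key with automatic rotation enabled. The only
  # principal in the key policy is the account (not the root user): that
  # statement delegates key permissions to IAM policies such as the one below.
  DataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Application data key
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: EnableIamPolicies
            Effect: Allow
            Principal: {AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'}
            Action: kms:*
            Resource: '*'

  # Strict EC2 role: read one prefix of one bucket, decrypt with one key, nothing else.
  WebInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {Service: ec2.amazonaws.com}
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadAppConfig
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub 'arn:aws:s3:::${AppBucketName}/config/*'
              - Effect: Allow
                Action: kms:Decrypt
                Resource: !GetAtt DataKey.Arn

  WebInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref WebInstanceRole]

  # Operators get read-only access, and even that is denied unless the session
  # carries MFA. BoolIfExists also denies calls made with long-term access keys,
  # where the MFA context key is absent entirely.
  OperatorGroup:
    Type: AWS::IAM::Group
    Properties:
      ManagedPolicyArns: [arn:aws:iam::aws:policy/ReadOnlyAccess]
      Policies:
        - PolicyName: DenyWithoutMfa
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Deny
                NotAction:          # self-service actions needed to enrol a device
                  - iam:ListMFADevices
                  - iam:CreateVirtualMFADevice
                  - iam:EnableMFADevice
                  - sts:GetSessionToken
                Resource: '*'
                Condition:
                  BoolIfExists:
                    aws:MultiFactorAuthPresent: 'false'
```

Deploy with `aws cloudformation deploy --template-file least-privilege.yaml --stack-name security-baseline --capabilities CAPABILITY_IAM --parameter-overrides AppBucketName=<bucket>`. Attach WebInstanceProfile to the web instances instead of putting access keys on them. The NotAction list is the minimum for a user to enrol an MFA device; extend it with the other IAM self-service actions (ChangePassword, ResyncMFADevice, and so on) your onboarding flow needs, and scope them to `${aws:username}` in production. Rotation on the KMS key is automatic and yearly; it does not rotate data keys already handed out, so application-level re-encryption is still your job.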
51. Leaders
A recognized security leader
“Alert Logic has a head start in the cloud, and it shows.”
PETER STEPHENSON, SC Magazine review
“…the depth and breadth of the offering’s analytics and threat management process goes beyond anything we’ve seen…”
[Survey charts: “Who is your primary in-use vendor for Cloud Infrastructure Security?” and “Who are the top vendors in consideration for Cloud Infrastructure Security?”; vendors listed: Alert Logic, Amazon, Check Point, Chronicle Data, Cisco, Fortinet, Intel Security, Okta, Symantec, Barricade, JumpCloud, Evident.io, Palerra, Microsoft, CloudPassage, CloudCheckr, FortyCloud, ThreatStack, Other]
52. Best Practices and Policies for Improving TCO
of Your AWS Environment
Presenter:
• Bob Kilbride, Director of Channel Sales, CloudHealth Technologies
June 2017
Infrastructure as code is the ability to maintain state and versioning and treat your infrastructure as an application: a state machine, versioned, and an essential part of the deployment process (every time you deploy code, deploying your infrastructure is a critical part of that), as opposed to scripted, one-off environments.
What is NOT infrastructure as code: just a way to quickly script an environment.
This is the most basic setup you would need to serve up a web application.
Any user would first hit Route 53 for DNS resolution.
Behind the DNS service is an EC2 instance running our web app and database on a single server.
We need to attach an Elastic IP so Route 53 can direct traffic to our web stack at that IP address with an A record.
To scale this infrastructure, the only real option we have is to get a bigger EC2 instance (vertical scaling)…
So while we could potentially reach a few hundred or a few thousand users on this single instance, it’s not a long-term play.
So for this scenario today, and based upon our discussion, we’re going to go with RDS and MySQL as our database engine.
Next up we need to address the lack of failover and redundancy in our infrastructure.
We’re going to do this by adding another web app instance and enabling the Multi-AZ feature of RDS, which gives us a standby instance in a different AZ from the primary, with synchronous replication and automatic failover (this is for availability; it is not a substitute for backups).
We’re also going to replace our EIP with an Elastic Load Balancer to share the load between our two web instances; Route 53 then points at the load balancer’s DNS name with an alias record instead of an A record to the EIP.
Now we have an app that is a bit more scalable and has some fault tolerance built in as well.
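The target topology of slides 12 to 14, restated in the notes above (two web instances in two Availability Zones behind ELB, RDS Multi-AZ, Route 53 pointing at the load balancer), written as the kind of CloudFormation template the infrastructure-as-code point calls for. This is an added example, not a template from the deck or from Alert Logic, CloudHealth or AWS. It assumes an existing VPC with two public subnets (one per AZ) and at least two private subnets, all passed in as parameters, and a hardened web-server AMI; the logical names (WebInstanceA, DbSecurityGroup, and so on) are illustrative.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Two web instances in two AZs behind ELB, with a Multi-AZ RDS MySQL instance reachable only from the web tier

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  WebSubnetA:
    Type: AWS::EC2::Subnet::Id          # public subnet, first AZ
  WebSubnetB:
    Type: AWS::EC2::Subnet::Id          # public subnet, second AZ
  DbSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>    # private subnets spanning both AZs
  AmiId:
    Type: AWS::EC2::Image::Id           # hardened web server image (assumed to exist)
  DbMasterPassword:
    Type: String
    NoEcho: true                        # not echoed back by describe-stacks

Resources:
  # Only the load balancer is reachable from the Internet.
  ElbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTP from the Internet to the load balancer
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 0.0.0.0/0}

  # Web instances accept traffic from the load balancer's group only.
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTP from the load balancer only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, SourceSecurityGroupId: !Ref ElbSecurityGroup}

  # The database accepts MySQL connections from the web tier only.
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: MySQL from the web tier only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 3306, ToPort: 3306, SourceSecurityGroupId: !Ref WebSecurityGroup}

  WebInstanceA:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      SubnetId: !Ref WebSubnetA
      SecurityGroupIds: [!Ref WebSecurityGroup]

  WebInstanceB:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      InstanceType: t3.micro
      SubnetId: !Ref WebSubnetB               # second Availability Zone
      SecurityGroupIds: [!Ref WebSecurityGroup]

  # Classic ELB, as on the slide; it replaces the Elastic IP as the entry point.
  LoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: [!Ref WebSubnetA, !Ref WebSubnetB]
      SecurityGroups: [!Ref ElbSecurityGroup]
      CrossZone: true
      Instances: [!Ref WebInstanceA, !Ref WebInstanceB]
      Listeners:
        - {LoadBalancerPort: '80', InstancePort: '80', Protocol: HTTP}
      HealthCheck: {Target: 'HTTP:80/', Interval: '30', Timeout: '5', HealthyThreshold: '2', UnhealthyThreshold: '3'}

  DbSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Private subnets for the Multi-AZ database
      SubnetIds: !Ref DbSubnetIds

  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot               # stack deletion keeps a final snapshot
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      MultiAZ: true                        # synchronous standby in the other AZ
      PubliclyAccessible: false
      StorageEncrypted: true
      DBSubnetGroupName: !Ref DbSubnetGroup
      VPCSecurityGroups: [!Ref DbSecurityGroup]
      MasterUsername: appadmin
      MasterUserPassword: !Ref DbMasterPassword
      BackupRetentionPeriod: 7

Outputs:
  SiteEndpoint:
    Description: Target for the Route 53 alias record (replaces the A record to the EIP)
    Value: !GetAtt LoadBalancer.DNSName
```

Point the Route 53 record at the SiteEndpoint output as an alias record; no Elastic IP remains in the design. Three things a practitioner would change before production: resolve the database password from Secrets Manager with a dynamic reference rather than a parameter, terminate TLS on the load balancer with an HTTPS listener and certificate, and replace the two fixed instances with an Auto Scaling group spanning both subnets so an unhealthy instance is replaced rather than merely drained. The template is still single-region; the cross-region read replicas of slide 14 are a separate stack.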
Talking points: examples for each layer.
Attackers are wising up to the fact that businesses are not aware of the extent of their responsibilities, some of which may be beyond their existing capabilities.
They are focusing their attention on the areas that fall to the customer to address, in particular the web application layer, where we have seen a large increase in the number of targeted attacks.
Web application attacks were the #1 attack vector causing data breaches, tripling as a proportion of all breaches from 9.4% to 30% from 2014 to 2017 (Verizon DBIR 2017). These stats are reflected at Alert Logic, where application attacks comprise the top 5 attacks seen in the SOC, averaging 72% of all attacks across our customer base.
Yet businesses today are spending less than 5% of their security budgets protecting these valuable assets (Gartner).
Discovery:
- About how many web applications do you run, whether on premises or in the cloud?
- Which web applications would most impact your business if they were breached?
- What other applications are you hosting in cloud environments that should be considered?
Industry analysts and influencers including Gartner, Forrester, 451 Group and SC Magazine have continually applauded and recognized our leadership position in protecting cloud application workloads.
451 is interesting – they just asked companies who they were using for cloud infrastructure security, and without prompting we topped the list.
Gartner Magic Quadrants and Forrester Waves are either about software vendors or managed services vendors so our unique combination doesn’t fit perfectly in either one. But Forrester believes strongly enough in our combined approach that they placed us into their MSSP Wave where they credit us with having the strongest offering due to our cloud expertise, customer satisfaction, and usability. While we aren’t the traditional MSSP, Forrester’s ranking us as the leading MSSP the first year we were evaluated is a strong testament to the value of our approach and innovation.
Discovery:
Have you considered any of these service or tool-only vendors for cloud application workload security?
To apply these pillars, you really need to look holistically at cost management:
Consider security, availability, performance and usage
Analyze cost by business group
Evaluate workloads for migration
Rightsize existing infrastructure
Invest in Reserved Instances
Implement good governance: tagging, and decommission what’s not needed (lights on / lights off)
Automate where possible
Pyramid – with 4 sections; add the content from each phase to the corresponding section. One slide with signs, the next with the prescription.

Gain visibility
Leverage basic cost optimizations

Align cost and usage to business
Remove obsolete infrastructure
Tighten security policies
Leverage elasticity
Standardize on tool
Raise stakeholder cloud IQ

Continuously monitor workloads
Continuously standardize workloads

Adopt continuous monitoring
Adopt continuous optimization process
Automate optimization
Assign people/roles