
Building security from scratch


This talk is about one of the most overhyped topics nowadays: building a security posture from scratch.
We will talk about the business needs behind building security, and look at examples of what security misunderstandings and misconfigurations lead to.
We will define your role in the shared responsibility model of cloud security and address such AWS services as Security Hub, Config, GuardDuty, Inspector and Macie.


  1. BUILDING SECURITY IN CLOUD FROM SCRATCH. Raman Zelenko, Lead Security System Engineer @Flo Health
  2. SELF-REPRESENTATION: Roman Zelenko, Lead Security System Engineer in Flo. 6 years of experience in the domain; focused mostly on AppSec aspects (SAST, DAST), cloud solutions for mitigating security breaches on the application side (WAF) and vulnerability management there.
  3. WHAT WE WILL TALK ABOUT: Cloud Security: where to begin… and how to improve; the ways of building; why it is important nowadays; value for you and your business.
  4. WHY IT IS IMPORTANT NOWADAYS: Regulations & Compliance Standards.
  5. PENALTIES, GDPR: up to €20 million or up to 4% of the entire global turnover of the preceding fiscal year, whichever is higher.
  6. PENALTIES: States vs Uber, $148M; British authority vs British Airways, $230M; CFPB & States vs US Equifax, $275M ($700M total); FTC vs Facebook, $5B.
  7. DEFINITION, Cloud Security: "also known as cloud computing security, is a set of policies, controls, procedures and technologies that work together to protect cloud-based systems, data and infrastructure" (wiki). Domains: DR/BC planning, governance, identity & access management, data security, availability, compliance.
  8. SECURITY IN CLOUD (shared responsibility model). Customer, responsibility for security 'in' the cloud: customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption, integrity, identity). AWS, responsibility for security 'of' the cloud: software (compute, storage, database, networking); hardware / AWS global infrastructure (regions, availability zones, edge locations).
  9. AWS MISCONFIGURATION BREACHES: Capital One: former AWS employee hacked AWS, 100 million people affected, $150M; RDS snapshot + public EC2 with an API key to RDS; password hashes, API keys, SSL certs. S3 bucket configured for public access: 12 GB MSSQL database file, 1.8 million Chicago voters.
  10. DEFINITION: Proper security is … a COMPROMISE.
  11. WHERE TO BEGIN: Security Assessment; Penetration Testing.
  12. WHERE TO BEGIN: The Cloud Security Assessment is part of a Cloud Cybersecurity Strategy to secure the critical assets and technologies that you own and use in the cloud. During a Cloud Security Assessment you evaluate your Cloud Security posture.
  13. WHAT SHOULD I AUDIT? The customer side of the shared responsibility model: customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption, integrity, identity).
  14. WAYS OF BUILDING: EXTERNAL AUDIT (one time or on a regular basis; nearest result: ~2 months). INFOSEC TEAM (build the team; build security controls; create bugs and report to stakeholders; nearest result: ~2 months).
  15. WAYS OF BUILDING: EXTERNAL AUDIT (one time or on a regular basis; nearest result: ~2 months). INFOSEC TEAM (build security controls; create bugs and report to stakeholders; nearest result: ~2 months). DEVOPS / DEVSECOPS (enable the existing security controls AWS provides; enable monitoring for configuration changes; nearest result: ~1 week).
  16. HOW TO MAKE IT: Services: GuardDuty, Security Hub, Macie, Inspector, Config. Services in GCP.
  17. WHAT SHOULD I AUDIT? (the customer-side list from slide 13 again).
  18. AWS MACIE (CUSTOMER DATA): the service uses machine learning to automatically discover, classify, and protect sensitive data in AWS such as: Personally Identifiable Information (PII); Protected Health Information (PHI); regulatory documents; API keys; secret keys; intellectual property.
  19. AWS MACIE (CUSTOMER DATA). Pros: GDPR security monitoring compliant; easy to enable; finished service out of the box. Cons: no IaC solution (Terraform is what we are interested in); it costs like a small jet… or a ship ($50/1GB). Flo data example, annual cost: $600 000.
  20. AWS INSPECTOR (OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION; PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT): automated security assessment service to help improve the security and compliance of applications deployed on AWS.
  21. AWS INSPECTOR. Network assessments: Network Reachability rules package. Host assessments: Common Vulnerabilities and Exposures; Center for Internet Security (CIS) Benchmarks; Security Best Practices for Amazon Inspector.
  22. AWS INSPECTOR (OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION; PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT).
  23. AWS INSPECTOR, PROS (OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION): finalized solution out of the box; certified service for vulnerability management; easy to implement; cost, but it is tricky.
  24. AWS INSPECTOR, CONS (OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION): requires the Inspector agent on EC2 for host assessment; usually you lock on some AMI, which creates a patch management challenge for you; can be replaced with AWS Config rules; can decrease the performance of the service.
  25. GUARD DUTY (OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION; PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT): IDS for AWS.
  26. GUARD DUTY (OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION; PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT): GuardDuty + Lambda = IPS.
  27. GUARD DUTY, PROS (OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION; PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT): finalized solution out of the box; easy to implement and support; cost, but it is also tricky =) it depends on the volume of logs.
  28. GUARD DUTY, CONS (OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION; PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT): I did not find any cons ¯\_(ツ)_/¯
  29. CONFIG: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
  30. CONFIG: SIEM for AWS services.
  31. CONFIG, MIN SET OF RULES (SIEM for AWS services): Network (restricted ssh, default SG usage, etc.); S3 rules (public-read prohibited, replication enabled, etc.); IAM (root access key check, MFA enabled for IAM console access); EC2 (ec2-instance-no-public-ip).
  32. SECURITY HUB: SIEM for AWS services.
  33. SECURITY HUB: SIEM for AWS services.
  34. SECURITY HUB.
  35. What if I say that you can enable all these features using just a couple of rows of code?
  36. AWS CONFIG
  37. GUARD DUTY
  38. SECURITY HUB
  39. WHAT'S NEXT? HOW TO IMPROVE?
  40. WHAT'S NEXT? HOW TO IMPROVE?
  41. WHAT'S NEXT? HOW TO IMPROVE?
  42. VALUE FOR YOU AND YOUR BUSINESS. LEGAL COMPLIANCE: it helps you avoid compliance penalties. COST EFFECTIVE: proactive steps are cost effective in the future; save your money and your business's money. IMPROVE SERVICE QUALITY: attack mitigation helps to improve service stability and availability and decreases reputational risks.
  43. Q&A
  44. THANK YOU! Join us and contribute to global health! https://flo.health/careers https://www.linkedin.com/in/roman-zelenko-1a755153/
