COSAC 2021 presentation - AWS Zero Trust
Application of zero trust security architecture on Amazon Web Services
Frans Sauermann & Ernest Ketcha
Agenda
• Introduction
• Problem Statement
• Zero Trust Architecture
• Analysis
• Results
• Conclusion and Outlook
Introduction & Motivation
• Perimeter is Disappearing
  • Enterprise users are no longer in office
  • Work from home is the norm for organizations post COVID
  • Cloud adoption is on the rise
  • Moving data to Edge through Edge computing is becoming crucial
  • Enterprises are now adopting a multi-cloud strategy to support their digital transformation strategy
  • On-premise data centers are also accessed by third parties
• Cloud Migration
  • Workload migration to the cloud to reduce operational cost
  • Requirement to ensure the same level of security pre and post migration should be maintained
The Problem
• Two main drivers motivate the application of zero trust security on Amazon Web Services: migration of traditional IT to cloud services; and the inversion of security architecture approaches towards zero-trust security architecture and Continuous Adaptive Risk and Trust Assessment (CARTA).
• An architecture in this space will assist solution architects and developers to realize zero trust on customer AWS tenants.
• This paper discusses the Zero Trust reference model and indicates how it can be achieved using AWS services.
Zero Trust Architecture
• Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
• Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies.
• A zero-trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero-trust architecture plan.
Figure: Untrusted zone → Policy Decision/Enforcement Point → Contextual trust zone (Target Resource/System/Data/Application)
Zero Trust Architecture – Principles
• All data sources and computing services are considered resources.
• All communication is secured regardless of network location.
• Access to individual enterprise resources is granted on a per-session basis.
• Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
• The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
• All resource authentication and authorization is dynamic and strictly enforced before access is allowed.
• The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
Figure: Untrusted zone → Policy Decision/Enforcement Point → Contextual trust zone (Target Resource/System/Data/Application)
Logical Components of a ZTA (NIST model)
Figure: Untrusted zone → Policy Enforcement Point → Contextual trust zone (Enterprise Resources). The Policy Decision Point (Policy Engine + Policy Administrator) sits in the control plane, fed by 3rd-party capabilities and internal capabilities and policies; the Policy Enforcement Point and Enterprise Resources sit in the data plane.
ZTA Variations:
• ZTA Using Enhanced Identity Governance
• ZTA Using Micro-Segmentation
• ZTA Using Network Infrastructure and Software Defined Perimeters
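The relationship between the three logical components above (Policy Engine decides, Policy Administrator establishes and tears down the session, Policy Enforcement Point gates each request) and the principles on the previous slide (per-session grants, dynamic policy built from identity and asset posture rather than network location, default deny) is shown below as an added illustration. This is example code written for this page, not code from the presentation or from NIST; the resource policies, trust scores, thresholds, role names and the three-use session budget are all constructed for the example.

```python
"""Toy NIST SP 800-207 control/data plane: PE decides, PA issues per-session
grants, PEP enforces them per request. Every name, score and threshold here is
a constructed example value, not a recommendation from the deck."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: frozenset
    mfa: bool
    device_managed: bool
    device_patched: bool
    network: str        # "corp_lan" | "vpn" | "internet": recorded, but never trusted by itself
    resource: str
    action: str


# resource -> (roles allowed, actions allowed, minimum trust score)  [constructed]
RESOURCE_POLICY = {
    "payroll-db": ({"finance"}, {"read"}, 80),
    "wiki": ({"staff", "finance"}, {"read", "write"}, 50),
}


def trust_score(req):
    """PE input: observable identity and asset posture. Network location is
    deliberately absent, so a corporate LAN address buys nothing."""
    score = 40 if req.mfa else 10
    score += 30 if req.device_managed else 0
    score += 30 if req.device_patched else 0
    return score


def policy_engine(req):
    """Policy Engine: default deny, least privilege per resource and action."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    roles, actions, min_score = policy
    if not (req.roles & roles):
        return False, "role not permitted"
    if req.action not in actions:
        return False, "action not permitted"
    score = trust_score(req)
    if score < min_score:
        return False, f"trust score {score} below {min_score}"
    return True, "ok"


class PolicyAdministrator:
    """Policy Administrator: turns a PE decision into a bounded session the PEP can check."""

    def __init__(self):
        self.sessions = {}  # token -> [subject, resource, action, remaining uses]

    def open_session(self, req):
        allow, reason = policy_engine(req)
        if not allow:
            return None, reason
        token = secrets.token_hex(8)
        # A session is scoped to one subject/resource/action and expires after
        # a small budget, forcing a fresh PE decision (constructed value: 3).
        self.sessions[token] = [req.subject, req.resource, req.action, 3]
        return token, reason

    def revoke(self, token):
        self.sessions.pop(token, None)


class EnforcementPoint:
    """Policy Enforcement Point in the data plane: checks the grant on every request."""

    def __init__(self, pa):
        self.pa = pa

    def access(self, token, subject, resource, action):
        s = self.pa.sessions.get(token)
        if s is None or s[0] != subject or s[1] != resource or s[2] != action:
            return False  # no grant, or grant for a different subject/resource/action
        s[3] -= 1
        if s[3] <= 0:
            self.pa.revoke(token)  # budget exhausted: next request must go back to the PE
        return True


if __name__ == "__main__":
    pa, pep = PolicyAdministrator(), EnforcementPoint(pa)
    alice = AccessRequest("alice", frozenset({"finance"}), True, True, True, "internet", "payroll-db", "read")
    bob = AccessRequest("bob", frozenset({"finance"}), False, True, True, "corp_lan", "payroll-db", "read")
    print("alice from internet:", policy_engine(alice))
    print("bob on corp LAN without MFA:", policy_engine(bob))
    token, _ = pa.open_session(alice)
    print("alice uses session:", [pep.access(token, "alice", "payroll-db", "read") for _ in range(4)])
```

The point to take from the run is that `bob`, sitting on the corporate LAN, is denied because his posture score (no MFA) is below the payroll threshold, while `alice` on the public internet is allowed; and that her grant is bound to one resource and one action and silently expires, so the PEP never becomes a standing trust zone of its own.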
Zero Trust: Network View
• The entire enterprise private network is not considered an implicit trust zone.
• Devices on the network may not be owned or configurable by the enterprise.
• No resource is inherently trusted.
• Not all enterprise resources are on enterprise-owned infrastructure.
• Remote enterprise subjects and assets cannot fully trust their local network connection.
• Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.
Analysis – Business & Application Layers
Analysis – Application and Network Layers
Results and Findings
AWS Model
AWS GuardDuty
AWS IAM
AWS Inspector
Logical Overview
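The results slides name AWS IAM as one of the services that realizes the ZTA overlay; in that mapping an IAM policy document is the enforcement point in front of a resource, so it should encode the principles above (least privilege, access tied to request context such as MFA and the originating VPC endpoint) rather than a broad allow. The checker below is an added example written for this page, not the authors' analysis or an AWS tool: the three policy documents are constructed samples, the `vpce-...EXAMPLE` id is a placeholder, and the list of "sensitive" action prefixes and the rule set are this example's assumptions. The condition keys `aws:MultiFactorAuthPresent` and `aws:SourceVpce` are real IAM global condition keys.

```python
"""Lint IAM policy documents against zero-trust expectations before they are
deployed as the enforcement point for an AWS resource. Sample policies and the
rule set are constructed for this example."""
import json

# Action prefixes this example treats as sensitive enough to require MFA context (assumption).
SENSITIVE_PREFIXES = ("iam:", "kms:", "s3:Delete", "s3:Put", "ec2:Terminate")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """Flatten {"Bool": {"aws:MultiFactorAuthPresent": "true"}, ...} into its key names."""
    keys = set()
    for _operator, kv in stmt.get("Condition", {}).items():
        keys.update(kv.keys())
    return keys


def audit_policy(policy):
    """Return (statement index, message) findings for every Allow statement
    that contradicts a zero-trust expectation. Deny statements are skipped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        keys = _condition_keys(stmt)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard Action violates least privilege"))
        if "*" in resources:
            findings.append((i, "wildcard Resource violates least privilege"))
        if any(a.startswith(SENSITIVE_PREFIXES) for a in actions) and "aws:MultiFactorAuthPresent" not in keys:
            findings.append((i, "sensitive action allowed without MFA condition"))
        if not keys:
            findings.append((i, "no Condition: access not tied to request context"))
    return findings


def audit_policy_text(text):
    """Same check for a policy document read as JSON text (e.g. from a file)."""
    return audit_policy(json.loads(text))


# Constructed sample: the kind of policy a lift-and-shift migration often carries over.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: scoped actions, a single resource, MFA and VPC-endpoint context.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "StringEquals": {"aws:SourceVpce": "vpce-0123456789EXAMPLE"},  # placeholder id
        },
    }],
}

# Constructed sample: context present, but a sensitive action without the MFA condition.
NO_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt"],
        "Resource": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID",  # placeholder arn
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789EXAMPLE"}},
    }],
}


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY), ("no-mfa", NO_MFA_POLICY)):
        print(name, audit_policy(doc))
```

Running this as a pre-deployment gate (for instance over the JSON emitted by infrastructure-as-code templates) is one concrete way to make the "services need to be aligned to the ZTA overlay" step testable instead of a review-meeting checklist.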
Conclusion and outlook
• NIST Zero Trust model outlines components to be considered for alignment in a ZTA.
• ZTA model and principles need to be mapped to its realization.
• Services need to be aligned to match overall ZTA overlay.
• AWS services can support the realization of ZTA.
The End
Thank You!