
How to Protect your AWS Environment

Emind's Public Best Practice for a Secure AWS Environment

Published in: Technology


  1. How to Protect Your AWS Environment. Lahav Savir, CEO & Architect, Emind Cloud Experts
  2. A Global Expert in Cloud Enablement for Products, SaaS ISV, and Online Solutions
  3. Top Level Partnership
  4. A “Cloud-native” MSP. Market Guide for Managed Service Providers on Amazon Web Services (Lydia Leong, Oct. 2015): “Amazon Web Services does not offer managed services, but many customers want to use AWS as a cloud IaaS and PaaS platform, while outsourcing IT operations or application management. AWS's ecosystem of MSP partners can fulfill this need.” https://www.gartner.com/doc/3157620/market-guide-managed-service-providers “Common Types of MSPs (on AWS) with Example References: ● Cloud-native MSPs. These MSPs were either founded specifically to provide services on cloud IaaS, or pivoted to entirely focus their business on these services. Many of these MSPs are AWS-specific. Examples include 2nd Watch, Cloudnexa, Cloudreach, Emind and Minjar”
  5. The future is all about cloud computing. A report shows that by 2018, over 78% of workloads will be managed by cloud data centers, against 22% still processed by traditional data centers.
  6. Where there is more data, there are bound to be more data breaches!
  7. Security in the Cloud / Security of the Cloud
  8. Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment (IDC, July 2015)
  9. Why is the Cloud More Secure?
     ● More segmentation (separation)
     ● More encryption
     ● Stronger authentication
     ● More logging and monitoring
  10. Top Topics
     ● Infrastructure Security
     ● Network Security
     ● Host Security
     ● Data Encryption
     ● Identity Management
     ● Monitoring & Auditing
  11. Identity Federation
  12. Why do you need a Single Identity?
     ● Multiple AWS Accounts
     ● Multiple Security Policies
     ● Multiple Entry Points
     ● Many Resources
     ● Multiple 3rd Party Services
  13. Single Identity Provider
     ● Single Password Policy
     ● Single Lock Policy
     ● Single OTP
     ● Single Login Audit
     ● Same username used across all resources
  14. Organization users accessing:
     AWS Resources
     ● AWS Console
     ● AWS API
     ● Network Access / VPN
     ● EC2 Instances
     Other Resources
     ● New Relic
     ● Datadog
     ● Pingdom
     ● Google Apps
     ● Office 365
     ● Jira
     ● Github
     ● Logz.io
     ● ...
  15. ● Don't mix Corporate and Cloud Resources
     ● Minimize Replication
     ● Maximize Federation
  16. Corporate
     ● Corporate Active Directory
     ● Mix of users and desktops / servers
     ● 3rd Party SSO / Federation Services
     Cloud
     ● Cloud Active Directory
     ● Cloud Resources Only
     Integration
     ● One Way Trust between Corp AD and Cloud AD
  17. Login Scenarios
     ● AWS Console
       ○ SAML Federation
     ● VPN
       ○ RADIUS
     ● Jumpbox on EC2
       ○ RADIUS / LDAP
     ● Windows instance on EC2
       ○ Kerberos / LDAP
     ● Linux instance on EC2
       ○ Kerberos / LDAP
     No need for IAM Users
  18. Network Access
  19. Networking
     ● Public Internet
     ● VPN / IPSec Tunnel
     ● DirectConnect
  20. Direct Connect Options
     ● Private Virtual Interface – Access to VPC
       ○ Note: Not VPC Endpoints or transitive via VPC Peering
     ● Public Virtual Interface – Access to non-VPC Services
  21. SSL VPN Options
     ● OpenVPN
     ● Fortinet Fortigate
     ● Sophos
     ● pfSense
     ● … Others
  22. Don’t assume your corporate network is secure and expose your production networks to all users
  23. Smart Separation
  24. Inbound / Application / Outbound
  25. ● Create a controlled environment that minimizes human mistakes
     ● Inspect inbound and outbound traffic
  26. Host Security
  27. What’s Host Security?
     ● OS Hardening
     ● Anti Virus
     ● Malware Protection
     ● Host Based IPS
     ● File Integrity Monitoring
     ● Vulnerability Scanning
  28. Data Encryption
  29. AWS Encryption Options
     Data at Rest
     ● EBS Encryption (inc. root device)
     ● S3 Client / Server Side Encryption
     ● RDS / Redshift Storage Encryption
     ● DynamoDB Client Side Encryption
     https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf
     Data in Transit
     ● APIs are TLS Encrypted
     ● Service Endpoints are TLS Encrypted
     ● Elastic Load Balancer supports TLS
     ● CloudFront supports TLS
     ● IPSec VPN
  30. Encrypt all your data; you never know who will request access to it, or when.
  31. Centrally Monitor and Audit
  32. Event Sources
     ● CloudTrail
     ● ELB / S3 / CloudFront Access Logs
     ● VPC Flow Logs
     ● AWS Inspector
     ● Host AV & IPS
     ● Network WAF & IPS
     ● Evident.io / Dome9
     ● Observable
  33. ● Create Clear Visibility
     ● Set Governance Rules
     ● Define Actions
  34. Join our Fastlane to a Successful Cloud Deployment. Thank you, lahavs@emind.co
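Slides 32 and 33 say to centralize event sources, set governance rules and define actions, and slides 13, 17, 22 and 30 state the rules themselves (single OTP, no IAM users, don't expose production networks to everyone, encrypt everything). The Python below is an added example, not part of Emind's deck, that turns those rules into detection logic run over CloudTrail records. The record field names follow the CloudTrail record format; the records themselves are constructed, and every account id, ARN, resource id and rule name is an assumption made for the demonstration.

```python
"""Governance rules evaluated over CloudTrail records (added example)."""
import json
from typing import Callable, Dict, List, Optional

# Constructed CloudTrail-style records: field layout follows the CloudTrail
# record format, but all values (account, ARNs, ids, times) are made up.
SAMPLE_TRAIL_FILE = json.dumps({"Records": [
    {"eventTime": "2015-10-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-10-01T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2015-10-01T08:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"userName": "deploy-bot"}},
    {"eventTime": "2015-10-01T08:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-10-01T08:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVolume",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"size": "100", "availabilityZone": "us-east-1a",
                           "volumeType": "gp2", "encrypted": False}},
    {"eventTime": "2015-10-01T08:25:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}},
    # Benign record: encrypted volume created by a federated role; no rule fires.
    {"eventTime": "2015-10-01T08:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateVolume",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Ops/carol"},
     "requestParameters": {"size": "50", "availabilityZone": "us-east-1a",
                           "volumeType": "gp2", "encrypted": True}},
]})

Rule = Callable[[dict], Optional[str]]  # returns a finding detail, or None


def console_login_without_mfa(e: dict) -> Optional[str]:
    """Slide 13 (single OTP): every successful console login should carry MFA."""
    if (e.get("eventName") == "ConsoleLogin"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "successful console login without MFA"
    return None


def root_account_activity(e: dict) -> Optional[str]:
    """Federated identities should do the work; root use is always worth a look."""
    return "root account activity" if e.get("userIdentity", {}).get("type") == "Root" else None


def iam_user_created(e: dict) -> Optional[str]:
    """Slide 17: 'No need for IAM Users' when everything is federated."""
    if e.get("eventSource") == "iam.amazonaws.com" and e.get("eventName") == "CreateUser":
        return f"IAM user '{e.get('requestParameters', {}).get('userName')}' created"
    return None


def ingress_open_to_world(e: dict) -> Optional[str]:
    """Slides 22/25: production must not be exposed to everyone; flag 0.0.0.0/0 ingress."""
    if e.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = e.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return (f"{params.get('groupId')} opened {perm.get('ipProtocol')}/"
                        f"{perm.get('fromPort')}-{perm.get('toPort')} to 0.0.0.0/0")
    return None


def unencrypted_volume(e: dict) -> Optional[str]:
    """Slide 30: encrypt all data; an EBS volume created with encrypted=false breaks that."""
    if e.get("eventName") == "CreateVolume" and e.get("requestParameters", {}).get("encrypted") is False:
        return "EBS volume created without encryption"
    return None


def trail_logging_disabled(e: dict) -> Optional[str]:
    """Slide 32: CloudTrail is the primary event source; losing it blinds the audit."""
    if e.get("eventSource") == "cloudtrail.amazonaws.com" and e.get("eventName") in ("StopLogging", "DeleteTrail"):
        return f"{e['eventName']} on {e.get('requestParameters', {}).get('name')}"
    return None


RULES: Dict[str, Rule] = {fn.__name__: fn for fn in (
    console_login_without_mfa, root_account_activity, iam_user_created,
    ingress_open_to_world, unencrypted_volume, trail_logging_disabled)}


def load_records(text: str) -> List[dict]:
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of records."""
    return json.loads(text)["Records"]


def evaluate(records: List[dict], rules: Dict[str, Rule] = RULES) -> List[dict]:
    """Run every governance rule over every record; findings are the input to 'Define Actions'."""
    findings = []
    for rec in records:
        for name, rule in rules.items():
            detail = rule(rec)
            if detail:
                findings.append({"rule": name, "time": rec.get("eventTime"),
                                 "actor": rec.get("userIdentity", {}).get("arn"), "detail": detail})
    return findings


if __name__ == "__main__":
    for f in evaluate(load_records(SAMPLE_TRAIL_FILE)):
        print(f"{f['time']} {f['rule']:<26} {f['actor']}: {f['detail']}")
```

Each rule is a pure function over one record, so new governance rules are added by writing one function and listing it in RULES; the same evaluate() can be pointed at records pulled from an S3 CloudTrail bucket instead of the constructed sample. In a real deployment the findings list would feed the "Define Actions" step (ticket, alert, or automatic revert), which is out of scope here.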
