How to Protect Your IoT data on AWS
Lahav Savir, Co-founder and CTO, AllCloud
Data and IoT are very exciting but also very dangerous; this presentation walks through AWS best practices for securing the cloud platform.

A Global Leader in Cloud Transformation and Adoption for SaaS, ISV and Enterprises

AWS Next-Gen (v3) Managed Service Partner (MSP)
“AWS Managed Service Partners are skilled at cloud infrastructure and application migration, and deliver value to customers by offering proactive monitoring, automation, and management of their customer’s environment.”
https://aws.amazon.com/partners/msp/
http://www.emind.co/msp

A “Cloud-native” MSP
Market Guide for Managed Service Providers on Amazon Web Services (Lydia Leong, Oct. 2015)
“Amazon Web Services does not offer managed services, but many customers want to use AWS as a cloud IaaS and PaaS platform, while outsourcing IT operations or application management. AWS's ecosystem of MSP partners can fulfill this need.”
https://www.gartner.com/doc/3157620/market-guide-managed-service-providers
“Common Types of MSPs (on AWS) with Example References
● Cloud-native MSPs. These MSPs were either founded specifically to provide services on cloud IaaS, or pivoted to entirely focus their business on these services. Many of these MSPs are AWS-specific. Examples include 2nd Watch, Cloudnexa, Cloudreach, Emind and Minjar”

360° Solution for vending business
● 100s of thousands connected devices around the world
● GPRS / 3G / Wifi
● Real-Time Data
● PCI-DSS Certified
http://www.emind.co/case-study/nayax-partners-with-emind-to-migrate-cashless-service-solutions-to-amazon-cloud/

More Than Just A Wireless Charging Solution.
● 1000s of locations worldwide
● Driving more traffic to businesses
● Big-data and real-time analytics
http://www.emind.co/case-study/powermat-partners-with-emind-to-fully-manage-their-wireless-charging-services-on-aws/

Where there is more data, there are bound to be more data breaches!

Security in the Cloud (the customer's responsibility) versus Security of the Cloud (AWS's responsibility)

Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment (IDC, July 2015)

Why is the Cloud More Secure?
● More segmentation
● More encryption
● Stronger authentication
● More logging and monitoring
● More managed platforms

Top Topics
● Infrastructure Security
● Network Security
● Host Security
● Data Encryption
● Identity Management
● Monitoring & Auditing

Identity Federation

Why do you need a Single Identity?
● Multiple AWS Accounts
● Multiple Security Policies
● Multiple Entry Points
● Many Resources
● Multiple 3rd Party Services

Single Identity Provider
● Single Password Policy
● Single Lockout Policy
● Single OTP
● Single Login Audit
● Same username used across all resources

Organization users accessing:
AWS Resources
● AWS Console
● AWS API
● Network Access / VPN
● EC2 Instances
Other Resources
● New Relic
● Datadog
● Pingdom
● Google Apps
● Office 365
● Jira
● Github
● Logz.io
● ...

● Don't mix Corporate and Cloud Resources
● Minimize Replication
● Maximize Federation

Corporate
● Corporate Active Directory
● Mix of users and desktops / servers
● 3rd Party SSO / Federation Services
Cloud
● Cloud Active Directory
● Cloud Resources Only Integration
● One-Way Trust between Corp AD and Cloud AD

Login Scenarios
● AWS Console
○ SAML Federation
● VPN
○ RADIUS
● Jumpbox on EC2
○ RADIUS / LDAP
● Windows instance on EC2
○ Kerberos / LDAP
● Linux instance on EC2
○ Kerberos / LDAP
With federation in place you can avoid IAM users entirely.
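The "AWS Console via SAML Federation" login above rests on one IAM artifact: the role's trust policy, which decides whose assertions may open the role. As an added example (not code from the deck or from AllCloud), the block below builds that trust policy and audits an existing one for the two mistakes that silently reintroduce a second identity: trusting a provider other than the corporate IdP, or leaving an sts:AssumeRole path open to plain IAM principals. The provider name CorpAD, the account id 123456789012 and the "bad" policy are assumed sample values.

```python
"""Trust policy for a SAML-federated role, with an audit of what it trusts.

Added example, not code from the deck or from AllCloud. The provider name
CorpAD, the account id 123456789012 and BAD_TRUST_POLICY_JSON are assumed
sample values.
"""
import json

# Assumed: the corporate IdP (e.g. ADFS in front of the corporate AD) registered in IAM.
CORP_SAML_PROVIDER = "arn:aws:iam::123456789012:saml-provider/CorpAD"
# Audience AWS expects in the assertion; an assertion issued for another SP must not open the role.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_trust_policy(provider_arn):
    """Trust policy: only assertions from provider_arn, addressed to AWS, assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


# Constructed counter-example: trusts a second IdP, drops the audience check,
# and leaves a classic sts:AssumeRole door open to any IAM principal in the account.
BAD_TRUST_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Federated": "arn:aws:iam::999999999999:saml-provider/Contractor"},
     "Action": "sts:AssumeRoleWithSAML"},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole"}
  ]
}"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, allowed_providers):
    """Return a list of findings; an empty list means the policy is acceptable."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal")
            continue
        if actions & {"sts:assumerolewithsaml", "sts:*", "*"}:
            feds = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
            if not feds:
                findings.append(f"statement {i}: AssumeRoleWithSAML without a Federated principal")
            for fed in feds:
                if fed not in allowed_providers:
                    findings.append(f"statement {i}: untrusted SAML provider {fed}")
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != AWS_SAML_AUDIENCE:
                findings.append(f"statement {i}: missing or wrong SAML:aud condition")
        if actions & {"sts:assumerole", "sts:*", "*"} and isinstance(principal, dict) and "AWS" in principal:
            # A second door for IAM users/roles defeats the single-identity goal.
            findings.append(f"statement {i}: also assumable by IAM principals {principal['AWS']}")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(saml_trust_policy(CORP_SAML_PROVIDER), {CORP_SAML_PROVIDER}))
    print(audit_trust_policy(json.loads(BAD_TRUST_POLICY_JSON), {CORP_SAML_PROVIDER}))
```

The audit looks only at who may assume the role; the permissions policy attached to the role still has to be scoped separately, and the same check should be run across every account listed under "Multiple AWS Accounts", since one forgotten account with an IAM-user trust path is enough to bypass the single login audit.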
Network Access

Networking
● Public Internet
● VPN / IPSec Tunnel
● Direct Connect

Direct Connect Options
● Private Virtual Interface – Access to VPC
○ Note: VPC Endpoints are not transitive via VPC Peering
● Public Virtual Interface – Access to the region's public IP address space (non-VPC services)

SSL VPN Options
● OpenVPN
● Fortinet FortiGate
● Check Point
● Sophos
● pfSense
● … Others

Don't assume your corporate network is secure and expose your production networks to every corporate user.

Smart Separation

Inbound Layer / Application Layer / Outbound Layer

● Create a controlled environment that minimizes human mistakes
● Inspect inbound and outbound traffic

Host Security

What's Host Security?
● OS Hardening
● Anti Virus
● Malware Protection
● Host Based IPS
● File Integrity Monitoring
● Vulnerability Scanning

Data Encryption

AWS Encryption Options
Data at Rest
● EBS Encryption (inc. root device)
● S3 Client / Server Side Encryption
● RDS / Redshift Storage Encryption
● DynamoDB Client Side Encryption
https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf
Data in Transit
● APIs are TLS Encrypted
● Service Endpoints are TLS Encrypted
● Elastic Load Balancer supports TLS
● CloudFront supports TLS
● IPSec VPN

Encrypt all your data: you never know who will request access to it, or when.
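"Encrypt all your data" is only as good as the check that it happened. As an added example (not code from the deck, AllCloud or AWS), the block below covers the two data-at-rest options most often left half done: it lists EBS volumes that are not encrypted from a DescribeVolumes response, and it builds an S3 bucket policy that refuses uploads without server-side encryption and any access without TLS, with a small evaluator showing why the policy needs both a StringNotEquals and a Null statement. The DescribeVolumes response, bucket name and KMS key ARN are constructed sample data; the evaluator models just the three condition operators the policy uses and is not the real IAM engine.

```python
"""Encryption-at-rest checks: unencrypted EBS volumes, and an S3 bucket policy
that enforces server-side encryption and TLS.

Added example, not code from the deck, AllCloud or AWS. SAMPLE_DESCRIBE_VOLUMES,
the bucket name and the KMS key ARN are constructed sample data, and
put_object_denied() is a simplified model of the Null, StringNotEquals and
Bool operators only, not the real IAM evaluator.
"""

# Constructed sample shaped like the output of `aws ec2 describe-volumes`.
SAMPLE_DESCRIBE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555",
         "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvda"}]},
        {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvdf"}]},
        {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": False, "Attachments": []},
    ]
}


def unencrypted_volumes(response):
    """Return [(volume_id, instance_id or None)] for every volume without EBS encryption."""
    found = []
    for vol in response.get("Volumes", []):
        if vol.get("Encrypted"):
            continue
        attachments = vol.get("Attachments") or []
        found.append((vol["VolumeId"], attachments[0]["InstanceId"] if attachments else None))
    return found


def sse_enforcing_bucket_policy(bucket):
    """Bucket policy that rejects unencrypted uploads and any non-TLS access."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # StringNotEquals does not match when the header is absent, so a
            # second statement with the Null operator is needed to catch that case.
            {"Sid": "DenyWrongSseHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]}}},
            {"Sid": "DenyMissingSseHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": objects,
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
            {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def _condition_matches(operator, key, expected, context):
    values = expected if isinstance(expected, list) else [expected]
    present = key in context
    if operator == "Null":                      # "true" matches when the key is absent
        return (not present) if values[0] == "true" else present
    if operator == "StringNotEquals":           # never matches an absent key
        return present and context[key] not in values
    if operator == "Bool":
        return present and context[key] == values[0]
    raise NotImplementedError(operator)


def put_object_denied(policy, context):
    """Simplified check: does any Deny statement for s3:PutObject match this request context?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("s3:PutObject", "s3:*") for a in actions):
            continue
        checks = [(op, k, v) for op, kv in stmt["Condition"].items() for k, v in kv.items()]
        if all(_condition_matches(op, k, v, context) for op, k, v in checks):
            return True
    return False


if __name__ == "__main__":
    print(unencrypted_volumes(SAMPLE_DESCRIBE_VOLUMES))
    policy = sse_enforcing_bucket_policy("iot-telemetry-raw")
    print(put_object_denied(policy, {"aws:SecureTransport": "true"}))  # upload with no SSE header
```

Feed the first function the JSON from `aws ec2 describe-volumes` per region and account; a volume that is attached and unencrypted is a live finding, a detached one is a snapshot source to deal with before it is cloned. Note that the bucket policy only governs new uploads; objects already stored without encryption stay that way until they are copied over themselves with the header set.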
Centrally Monitor and Audit

Event Sources
● CloudTrail
● ELB / S3 / CloudFront Access Logs
● VPC Flow Logs
● Amazon Inspector
● Host AV & IPS
● Network WAF & IPS
● Evident.io / Dome9
● Observable

● Create Clear Visibility
● Set Governance Rules
● Define Actions
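As an added example (not code from the deck or from AllCloud) of turning "Set Governance Rules" into something that runs, the block below applies the Inbound / Application / Outbound separation from the Smart Separation slides to one of the event sources listed above, VPC Flow Logs: every accepted flow that crosses layers on a path the model does not allow (for instance an application server talking to the Internet directly instead of through the outbound layer, or the Internet reaching an application server directly) becomes a finding. The subnet assigned to each layer, the allowed paths and ports, and the flow log records are constructed assumptions.

```python
"""Governance rules over VPC Flow Logs for a three-layer VPC.

Added example, not code from the deck or from AllCloud. LAYERS, ALLOWED_PATHS
and SAMPLE_FLOW_LOG are constructed assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

# Assumed subnet per layer.
LAYERS = {
    "inbound": ip_network("10.0.0.0/24"),      # ELB / WAF / SSL VPN
    "application": ip_network("10.0.1.0/24"),  # app servers, no public IPs
    "outbound": ip_network("10.0.2.0/24"),     # NAT / egress proxy
}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Allowed initiating flows: (source layer, destination layer) -> destination ports (assumed).
ALLOWED_PATHS = {
    ("internet", "inbound"): {443},
    ("inbound", "application"): {8443},
    ("application", "outbound"): {3128},
    ("outbound", "internet"): {443},
}

# VPC Flow Logs version 2 field order.
FIELDS = ("version account interface srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action status").split()

# Constructed sample records (the ENI ids are shortened placeholders).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1 203.0.113.7 10.0.0.10 51515 443 6 12 3000 1460000000 1460000060 ACCEPT OK
2 123456789012 eni-0a2 10.0.0.10 10.0.1.20 41000 8443 6 9 2100 1460000000 1460000060 ACCEPT OK
2 123456789012 eni-0a3 10.0.1.20 10.0.0.10 8443 41000 6 8 6400 1460000000 1460000060 ACCEPT OK
2 123456789012 eni-0a4 10.0.1.20 10.0.2.5 45000 3128 6 5 900 1460000000 1460000060 ACCEPT OK
2 123456789012 eni-0a5 10.0.1.20 198.51.100.9 44000 443 6 7 1300 1460000000 1460000060 ACCEPT OK
2 123456789012 eni-0a6 203.0.113.7 10.0.1.20 51516 22 6 3 180 1460000000 1460000060 ACCEPT OK
2 123456789012 eni-0a7 203.0.113.7 10.0.1.20 51517 22 6 1 60 1460000000 1460000060 REJECT OK
2 123456789012 eni-0a8 - - - - - - - 1460000000 1460000060 - NODATA
"""


def layer_of(addr):
    """Map an address to a layer name, 'other' for unassigned private space, else 'internet'."""
    ip = ip_address(addr)
    for name, net in LAYERS.items():
        if ip in net:
            return name
    return "other" if any(ip in net for net in RFC1918) else "internet"


def parse(line):
    """Return a field dict for a usable record, None for blank, NODATA or SKIPDATA lines."""
    rec = dict(zip(FIELDS, line.split()))
    return rec if rec.get("status") == "OK" else None


def evaluate(rec):
    """Return a finding for an accepted flow that violates the layer model, else None."""
    if rec["action"] != "ACCEPT":
        return None  # security groups / NACLs already stopped it
    src, dst = layer_of(rec["srcaddr"]), layer_of(rec["dstaddr"])
    if src == dst:
        return None  # intra-layer traffic is out of scope for this rule set
    sport, dport = int(rec["srcport"]), int(rec["dstport"])
    if dport in ALLOWED_PATHS.get((src, dst), ()):
        return None
    if sport in ALLOWED_PATHS.get((dst, src), ()):
        return None  # return half of an allowed flow; flow logs record both directions
    return (f"{rec['interface']}: {src} {rec['srcaddr']}:{sport} -> "
            f"{dst} {rec['dstaddr']}:{dport} accepted outside the layer model")


def findings(lines):
    """Run the rule over raw flow log lines and collect the findings."""
    out = []
    for line in lines:
        rec = parse(line)
        if rec:
            finding = evaluate(rec)
            if finding:
                out.append(finding)
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_FLOW_LOG.splitlines()):
        print(f)
```

The "Define Actions" step is what you hang on the return value: a finding for an application-layer instance reaching the Internet directly means either a security group drifted or a host is compromised, and the action (alert, quarantine the ENI's security group, open a ticket) should be decided before the rule goes live, not after the first hit. The reply-direction check matters in practice; without it every response packet from an allowed connection shows up as a violation and the rule is switched off within a day.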
© 2016 AllCloud. Join our Fastlane to a Successful Cloud Deployment. Contact me: lahav.savir@allcloud.io
