How to Secure Your AWS Powered Mobile App End-to-End
1. How to Secure Your Mobile App End-to-End | May 2017
How to Secure Your Mobile App End-to-End
Lahav Savir - lahav.savir@allcloud.io
Co-founder and CTO
AllCloud
AllCloud is a leading global Cloud Solutions Provider with expertise across the cloud stack: Infrastructure, Platform, and Software-as-a-Service
“AWS Managed Service Partners are skilled at cloud infrastructure and application migration, and deliver value to customers by offering proactive monitoring, automation, and management of their customer’s environment.”
https://aws.amazon.com/partners/msp/
http://www.emind.co/msp
AWS Next-Gen (v3) Managed Service Partner (MSP)
www.allcloud.io
Enabling Next Generation Businesses through SaaSification
End-to-End Security for Cloud Powered Mobile Apps
Where there is more data, there are bound to be more data breaches!
Part 1: Securing the Mobile to Cloud Integration
● Identifying the mobile app
● Identifying the user
● Providing secure communication to the backend
● Granting fine-grained permissions to cloud services and APIs
Over 60 million users worldwide, supporting 1,200+ cities in 77 countries and 43 languages.
Amazon Cognito
Cognito Authentication Flow
Mobile Integration to AWS Services
Mobile Integration to non-AWS Services
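The Cognito authentication flow ends with the app holding temporary AWS credentials for an IAM role, so the "fine-grained permission" bullet of Part 1 lives in that role's policies. The example below is added here and is not code from the deck: it builds the role's trust policy (only identities from one identity pool, only after they authenticated), shows a coarse bucket-wide permission next to a per-identity one that uses the `${cognito-identity.amazonaws.com:sub}` policy variable, and checks locally which objects each version would let one identity read. The pool id, bucket name and identity ids are made up, and `object_allowed` is a simplified resource match, not a full IAM evaluator.

```python
"""IAM policy documents for an Amazon Cognito identity pool's "authenticated" role.

Added example, not code from the slides. The pool id, bucket name and
identity ids are hypothetical; in a real deployment they come from your
Cognito identity pool and S3 bucket.
"""
import fnmatch
import json

# Hypothetical identifiers (assumptions, not from the deck).
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
BUCKET = "example-mobile-app-user-data"

# IAM policy variable that Cognito fills in with the caller's identity id
# at evaluation time; this is what makes the permission per-user.
COGNITO_SUB = "${cognito-identity.amazonaws.com:sub}"


def trust_policy(pool_id: str) -> dict:
    """Trust policy for the role: only identities from *this* pool, and only
    after they authenticated with a provider (amr contains "authenticated")."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": pool_id},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
            },
        }],
    }


def coarse_s3_policy(bucket: str) -> dict:
    """The weak version: every authenticated user can read/write the whole bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def scoped_s3_policy(bucket: str) -> dict:
    """The fine-grained version: each identity is confined to its own prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/users/{COGNITO_SUB}/*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"users/{COGNITO_SUB}/*"}},
            },
        ],
    }


def object_allowed(policy: dict, identity_id: str, bucket: str, key: str) -> bool:
    """Local check of what the object-level statements permit for one identity:
    substitute the policy variable, then wildcard-match the object ARN.
    Simplified on purpose (no Deny handling, no condition keys)."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "s3:GetObject" not in actions:
            continue
        pattern = stmt["Resource"].replace(COGNITO_SUB, identity_id)
        if fnmatch.fnmatchcase(arn, pattern):
            return stmt["Effect"] == "Allow"
    return False


if __name__ == "__main__":
    alice = "us-east-1:aaaaaaaa-0000-0000-0000-000000000001"
    bob_key = "users/us-east-1:bbbbbbbb-0000-0000-0000-000000000002/profile.json"
    print(json.dumps(scoped_s3_policy(BUCKET), indent=2))
    print("coarse policy lets Alice read Bob's object:",
          object_allowed(coarse_s3_policy(BUCKET), alice, BUCKET, bob_key))
    print("scoped policy lets Alice read Bob's object:",
          object_allowed(scoped_s3_policy(BUCKET), alice, BUCKET, bob_key))
```

Attach `scoped_s3_policy` (not the coarse one) to the identity pool's authenticated role; the unauthenticated role, if you enable one at all, should get a separate and much narrower policy.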
Part 2: Securing the Mobile Backend
● Securing the backend service endpoints
● Protecting users’ data
● Ensuring service resiliency
Gett has raised $640 million in funding and was selected by Forbes as one of the “top 15 explosively growing companies”.
Security in the Cloud
Security of the Cloud
Top Topics
● AWS Account Security
● Identity Management
● Network Security
● Host Security
● Data Encryption
● Monitoring & Auditing
AWS Account Security
Basic Account Configurations
● Services Enablement
○ CloudTrail (in all regions)
○ Config
● Provisioning
○ Identities / Federations
○ IAM Roles and Policies (Admin, DevOps, Developer, Support)
○ IAM Password Policies
○ CIS Benchmark tools
● Config Checks
○ S3 Bucket Policy (Private / Public)
○ Logging enabled: ELB access logs, S3 bucket logging, CloudFront access logs, VPC Flow Logs
○ Root Account MFA
○ Tag Strategy (Owner / Launcher, Stage, Env / AppName)
○ Resource Backups
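The "Config Checks" above are exactly what the CIS benchmark tools mentioned on the slide automate. As an added example (not code from the deck), the script below implements four of them over the response shapes the AWS APIs return: a multi-region CloudTrail that is logging with log file validation on, root MFA, the IAM password policy, and public S3 ACL grants plus bucket access logging. The sample responses are constructed by hand to look like boto3 output; the thresholds in `check_password_policy` are assumed values, not from the page.

```python
"""Account configuration checks from the "Basic Account Configurations" slide.

Added example, not from the deck. The responses below are constructed to
match the shapes returned by boto3 (cloudtrail.describe_trails /
get_trail_status, iam.get_account_summary, iam.get_account_password_policy,
s3.get_bucket_acl, s3.get_bucket_logging); wire the functions to the real
calls to audit a live account.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def check_cloudtrail(describe_trails: dict, trail_status: dict) -> list:
    """CloudTrail 'in all regions': at least one multi-region trail that is
    actually logging and has log file validation on."""
    findings = []
    multi = [t for t in describe_trails.get("trailList", []) if t.get("IsMultiRegionTrail")]
    if not multi:
        findings.append("no multi-region CloudTrail trail")
    for t in multi:
        if not trail_status.get(t["Name"], {}).get("IsLogging"):
            findings.append(f"trail {t['Name']} is not logging")
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"trail {t['Name']} has log file validation disabled")
    return findings


def check_root_mfa(account_summary: dict) -> list:
    """Root account MFA: SummaryMap.AccountMFAEnabled is 1 when a device is set."""
    if account_summary["SummaryMap"].get("AccountMFAEnabled") != 1:
        return ["root account has no MFA device"]
    return []


def check_password_policy(resp: dict, min_len: int = 14, max_age: int = 90, reuse: int = 24) -> list:
    """IAM password policy against CIS-style thresholds (assumed defaults)."""
    p = resp.get("PasswordPolicy")
    if p is None:
        return ["no IAM password policy set"]
    findings = []
    if p.get("MinimumPasswordLength", 0) < min_len:
        findings.append(f"minimum length {p.get('MinimumPasswordLength', 0)} < {min_len}")
    for flag in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                 "RequireNumbers", "RequireSymbols"):
        if not p.get(flag):
            findings.append(f"{flag} is off")
    if not p.get("ExpirePasswords") or p.get("MaxPasswordAge", 10**9) > max_age:
        findings.append(f"passwords not expired within {max_age} days")
    if p.get("PasswordReusePrevention", 0) < reuse:
        findings.append(f"reuse prevention below {reuse}")
    return findings


def check_bucket(name: str, acl: dict, logging: dict) -> list:
    """S3: ACL grants to the public groups, and access logging turned on."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            findings.append(f"bucket {name}: {grant['Permission']} granted to {uri.rsplit('/', 1)[-1]}")
    if "LoggingEnabled" not in logging:   # key is absent when logging is off
        findings.append(f"bucket {name}: access logging disabled")
    return findings


# --- constructed sample responses (invented account, not real data) ---------
SAMPLE_TRAILS = {"trailList": [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "S3BucketName": "example-trail-logs", "LogFileValidationEnabled": False}]}
SAMPLE_TRAIL_STATUS = {"org-trail": {"IsLogging": True}}
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 12}}
SAMPLE_PW_POLICY = {"PasswordPolicy": {
    "MinimumPasswordLength": 8, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": False,
    "AllowUsersToChangePassword": True, "ExpirePasswords": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24}}
SAMPLE_ACL = {"Owner": {"ID": "abc"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "abc"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_LOGGING = {}


def audit_sample() -> list:
    """Run every check over the constructed responses and return the findings."""
    return (check_cloudtrail(SAMPLE_TRAILS, SAMPLE_TRAIL_STATUS)
            + check_root_mfa(SAMPLE_SUMMARY)
            + check_password_policy(SAMPLE_PW_POLICY)
            + check_bucket("example-assets", SAMPLE_ACL, SAMPLE_LOGGING))


if __name__ == "__main__":
    for f in audit_sample():
        print("FINDING:", f)
```

Run it on a schedule (or from AWS Config rules) rather than once: these settings drift as people work in the account.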
Identity Management
Why do you want a Single Identity?
● Multiple AWS Accounts
● Multiple Security Policies
● Multiple Entry Points
● Many Resources
● Multiple 3rd Party Services
Single Identity Provider
● Single Password Policy
● Single Lock Policy
● Single OTP
● Single Login Audit
● Same username used across all resources
Organization users accessing:
AWS Resources
● AWS Console
● AWS API
● Network Access / VPN
● EC2 Instances
Other Resources
● New Relic
● Datadog
● Pingdom
● Google Apps
● Office 365
● Jira
● Github
● Logz.io
● ...
● Don't mix Corporate and Cloud Resources
● Minimize Replication
● Maximize Federation
Corporate
● Corporate Active Directory
● Mix of users and desktops / servers
● 3rd Party SSO / Federation Services
Cloud
● Cloud Active Directory
● Cloud Resources Only
Integration
● One Way Trust between Corp AD and Cloud AD
● Temporary credentials “Token Vending Machine”
Login Scenarios
● AWS Console
○ SAML Federation
● VPN
○ RADIUS
● Jumpbox on EC2
○ RADIUS / LDAP
● Windows instance on EC2
○ Kerberos / LDAP
● Linux instance on EC2
○ Kerberos / LDAP
Avoid multiple identities, including IAM Users
Network Access
Networking
● Public Internet
● VPN / IPSec Tunnel
● Direct Connect
Direct Connect Options
● Private Virtual Interface – Access to VPC
○ Note: VPC Endpoints are not transitive via VPC Peering
● Public Virtual Interface – Access to the region IP address space (non-VPC Services)
Access to your private resources over SSL VPN
● OpenVPN
● Fortinet FortiGate
● Check Point
● Sophos
● pfSense
● … Others
Don’t assume your corporate network is secure and expose your production networks to all users
Perimeter Security
Inbound Layer
Application Layer
Outbound Layer
AWS Shield - Managed DDoS protection service
● Basic / Advanced
● Seamless Integration and Deployment
● Customizable Protection
● Cost Efficient
AWS WAF - Web Application Firewall
● Increased Protection Against Web Attacks
● Security Integrated with Applications
● Web Traffic Visibility
● Cost Effective Web Application Protection
● Inspect inbound and outbound traffic
● Create a controlled environment that minimizes human mistakes
Host Security
What’s Host Security?
● OS Hardening
● Anti Virus
● Malware Protection
● Host Based IPS
● File Integrity Monitoring
● Vulnerability Scanning
Data Encryption
AWS Encryption Options
Data at Rest
● EC2 Systems Manager Parameter Store (SecureString parameters)
● EBS Encryption (incl. root device)
● S3 Client-Side / Server-Side Encryption
● RDS / Redshift Storage Encryption
● DynamoDB Client-Side Encryption
https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf
Data in Transit
● APIs are TLS encrypted
● Service endpoints are TLS encrypted
● Elastic Load Balancer supports TLS
● CloudFront supports TLS
● IPSec VPN
Encrypt all your data with fine-grained policy; you never know who will gain access to the data, or when
Centrally Monitor and Audit
Event Sources
● CloudTrail
● ELB / S3 / CloudFront Access Logs
● VPC Flow Logs
● Amazon Inspector
● Host AV & IPS
● Network WAF & IPS
● Evident.io / Dome9
● Observable
● Create Clear Visibility
● Set Governance Rules
● Define Actions
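"Set Governance Rules" and "Define Actions" only mean something once rules run over the event sources listed above. As an added example (not code from the deck), the block below applies three common rules to CloudTrail records: any use of the root account, a successful console login without MFA, and a security group ingress rule opened to 0.0.0.0/0 or ::/0. The records are constructed in the CloudTrail log format with invented account, role and address values; in practice the same functions would be fed from the trail's S3 objects or a CloudWatch Events target.

```python
"""Governance rules over CloudTrail records.

Added example, not from the deck. SAMPLE_LOG is constructed in the
CloudTrail JSON log format (Records array) with made-up identifiers.
"""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2017-05-01T10:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"}},
    {"eventVersion": "1.05", "eventTime": "2017-05-01T10:05:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:bob",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DevOps/bob",
                      "accountId": "123456789012"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventVersion": "1.05", "eventTime": "2017-05-01T10:06:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE2:app",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/app",
                      "accountId": "123456789012"}},
]})

WORLD = ("0.0.0.0/0", "::/0")


def rule_root_activity(ev):
    """Root credentials should never be used for day-to-day work."""
    if ev.get("userIdentity", {}).get("type") == "Root":
        return f"root account used: {ev['eventName']} from {ev.get('sourceIPAddress')}"
    return None


def rule_console_login_no_mfa(ev):
    """Successful console sign-in where additionalEventData.MFAUsed is not 'Yes'."""
    if (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return f"console login without MFA: {ev['userIdentity'].get('arn')}"
    return None


def rule_sg_open_to_world(ev):
    """Ingress rule added with a 0.0.0.0/0 or ::/0 source range."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = ev.get("requestParameters", {})
    for p in params.get("ipPermissions", {}).get("items", []):
        v4 = [r.get("cidrIp") for r in p.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in p.get("ipv6Ranges", {}).get("items", [])]
        if any(c in WORLD for c in v4 + v6):
            return (f"{params.get('groupId')} opened {p.get('ipProtocol')}/"
                    f"{p.get('fromPort')}-{p.get('toPort')} to the world by "
                    f"{ev['userIdentity'].get('arn')}")
    return None


RULES = [rule_root_activity, rule_console_login_no_mfa, rule_sg_open_to_world]


def evaluate(log_json: str) -> list:
    """Return (eventTime, rule name, message) for every rule that fires."""
    alerts = []
    for ev in json.loads(log_json)["Records"]:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((ev["eventTime"], rule.__name__, msg))
    return alerts


if __name__ == "__main__":
    for when, rule, msg in evaluate(SAMPLE_LOG):
        print(when, rule, msg)
```

The "Define Actions" step is whatever you hang off `evaluate`: page on root usage, revoke the session for the MFA-less login, and auto-revert the security group change.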
3-page AWS Security Checklist
https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Checklist.pdf
Join our Fastlane to a Successful Cloud Deployment
Contact me: lahav.savir@allcloud.io