Learn how to leverage AWS and security super friends like Trend Micro to create an impenetrable fortress for your AWS workloads, without hindering performance or agility. Join this session and learn three cloud security super powers that will help you thwart villains interested in your workloads. We will walk through three stories of Amazon EC2 security superheroes who saved the day by overcoming compliance and design challenges, using a (not so) secret arsenal of AWS and Trend Micro security tools. Join us to learn: • Design a workload-centric security architecture • Improve visibility of AWS-only or hybrid environments • Stop patching live instances but still prevent exploits

1. 3 Secrets to becoming a
cloud security superhero
Pat McDowell, Solutions Architect with AWS
Tuesday, May 10 2016
Dawn Smeaton, Director - Cloud Workload Security with Trend Micro

2. AWS and you share responsibility for security
AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure
Regions
Availability Zones
Edge Locations
Identity &
Access Control
Network
Security
Customer applications & content
You get to
define your
controls ON
the Cloud
AWS takes
care of the
security OF
the Cloud
You
Inventory
& Config
Data
Encryption

3. This is you…
This is you with Trend Micro + AWS

4. Your new superpowers…
Invisibility X-ray VisionShapeshifting

5. Shapeshift
Design a workload-centric
security architecture
Superpower #1

6. Web
Tier
App
Tier
DB
Tier
On-premises
Before
Load
Balancer
Firewall IPS

7. Amazon S3
DynamoDB
Amazon RDS
Web
Tier
on
Amazon
EC2
App
Tier
on
Amazon
EC2
Elastic
Load
Balancing
Load
Balancer
DB
Tier
Web
Tier
App
Tier
IAM CloudTrail
After
Amazon VPC
&
Security
Groups
AWS
Firewall IPS

9. Shapeshift superpower demo

10. Amazon
EC2

11. Don’t Replicate…
WARNING:
 Single Point of Failure
 Limited Throughput

12. Shapeshift
MISSION
ACCOMPLISHED:
 No Single Point of Failure
 Unlimited Throughput
Elastic Load Balancer

13. Confidential under NDA | Copyright 2016 Trend Micro Inc, http://cloudsecurity.trendmicro.com/us/technology-innovation/customers-partners/healthdirect-australia/index.html
Enable rapid innovation with host-based security
Reduced risk and adopted automated,
workload centric security
• Enabled DevOps with shift from unmanageable
open source solution to Deep Security
• Prevented over 5,000 attacks in 7 days with IPS
• Immediate vulnerability protection – met 2 day
patch pace, bought time for proper patch cycle
Deep Security helps
Healthdirect achieve
rapid innovation. It
takes us the least
amount of time to
manage in our
environment. We put
it in and it just works.”
“
CASE STUDY

14. Shapeshift for Amazon Web Services
• Security inside each workload
• Protect instance-to-instance traffic
• Make it context sensitive
(fast and low false-positive)
• No bottleneck
• No single point of failure
= Cloud friendly
IPS

15. Invisibility
Automate and blend in,
don’t bolt on
Superpower #2

17. Invisibility superpower demo

18. Servers
Storage Area Network
On-premises
Firewall
IPS
Central logging
Change
Records
Report
Creating an audit trail, before

19. Payment
Client Data
On-premises
AWS
CloudTrail
Amazon EC2 instances
Deep Security
Management console
Amazon S3
CloudFrontAmazon RDS
Report
Creating an audit trail, after

20. Audit-o
CloudTrail
& AWS Config
Deep Security

21. Top 10 global sports brand delivered high performance,
scalable applications, while meeting rigid security
requirements
• Security seamlessly scaled with Amazon EC2
• Provided audit evidence needed for internal and PCI
DSS compliance requirements
• Unified policies across hybrid architecture with IPS,
Integrity Monitoring and Anti-malware
Confidential under NDA | Copyright 2016 Trend Micro Inc,
Agile protection with audit evidence
CASE STUDY

22. Make Security Invisible for Amazon Web Services
• Build it in, not bolt on
• Fully automate security
• Automate record keeping for auditors
= Security designed for AWS

23. X-Ray Vision
Improve visibility of AWS
and hybrid environments
Superpower #3

25. Creating an invincible web site
Protects site against malicious changes with a
Deep Security driven auto-recovery mechanism
 Reduced risk of cyberattack for high profile
product launch (RoBoHoN)
 Immediately fixes unauthorized changes by
using FIM and CMS to restore original content
 Sped response to cyberattack from 2+ days to
seconds, without server shutdown
Deep Security
defends from the
communication layer
to the application
layer. There is no
other software
product on the market
that offers that depth
of protection”
http://cloudsecurity.trendmicro.com/us/technology-innovation/customers-partners/sharp/index.html
“
CASE STUDY

26. Use X-ray vision onAWS
• Use Integrity Monitoring and Log
monitoring to see inside instances
• Detect suspicious changes that are
indicators of compromise and
unintended changes
= Total visibility

27. Securing your data on AWS

28.  Better Security

29. $6.53M 56% 70%
Your data and IP are your most valuable assets
Increase in theft of hard
intellectual property
http://www.pwc.com/gx/en/issues/cyber-
security/information-security-survey.html
Of consumers indicated
they’d avoid businesses
following a security breach
https://www.csid.com/resources/stats/data-breaches/
Average cost of a
data breach
https://www.csid.com/resources/stats/data-breaches/

30. In June 2015, IDC released a report which found that most customers can be more secure
in AWS than their on-premises environment. How?
AWS can be more secure than your existing environment
Automating logging
and monitoring
Simplifying
resource access
Making it easy to
encrypt properly
Enforcing strong
authentication

31. The AWS infrastructure is protected by
extensive network and security monitoring
systems:
• Network access is monitored by AWS
security managers daily
• CloudTrail lets you monitor
and record all API calls
• Amazon Inspector automatically assesses
applications for vulnerabilities
Constantly monitored

32. The AWS infrastructure footprint protects
your data from costly downtime:
• 33 Availability Zones in 12 regions for
multi-synchronous geographic redundancy
• Retain control of where your data resides
for compliance with regulatory requirements
• Mitigate the risk of DDoS attacks using
services like AutoScaling, Route 53
Highly available

33. AWS enables you to improve your security
using many of your existing tools and
practices:
• Integrate your existing Active Directory
• Use dedicated connections as a secure,
low-latency extension of your data center
• Provide and manage your own encryption
keys if you choose
Integrated with your existing resources

34. Key AWS Certifications and Assurance Programs

35. Shapeshifting Invisibility X-ray Vision
Your new superpowers…

36. Gartner Best Practices for Securing AWS workloads
http://aws.amazon.com/featured-partners/trendmicro/
Get your copy at:

37. trendmicro.com/aws