Architecting secure cloud services
SACON International 2017
Moshe Ferber, CSA Israel (@Ferbermoshe)
India | Bangalore | November 10 – 11 | Hotel Lalit Ashok
SACON 2017
About myself
• Information security professional for over 20 years
• Founder, partner and investor at various cyber initiatives and startups
• Popular industry speaker & lecturer (DEFCON, BLACKHAT, RSA and more)
• Founding committee member for the ISC2 CCSP certification
• CCSK certification lecturer for the Cloud Security Alliance
• Member of the board at Macshava Tova – narrowing societal gaps
• Chairman of the board, Cloud Security Alliance, Israeli Chapter
So, what is cloud?
Service models: SaaS, PaaS, IaaS
Deployment models: Private, Hybrid, Public
Cloud services are very different in nature
The shared responsibility model
Layers of the stack, bottom to top:
• Physical security
• Network & data center security
• Hypervisor security
• Virtual machines & OS security
• Data layer & development platform
• Application
• Identity management
• Data
• Audit & monitoring
Provider responsibility covers the bottom of the stack and consumer responsibility the top; the dividing line moves up from IaaS (provider: physical security through the hypervisor) to PaaS (provider also runs the VMs/OS and the development platform) to SaaS (provider also runs the application). Identity management, data, and audit & monitoring remain the consumer's job in every model.
The CISO challenge
• IaaS/PaaS: how to build secure applications
• SaaS: how to correctly evaluate your provider
Our focus today: IaaS, PaaS, SaaS (the remainder of the deck concentrates on the IaaS/PaaS building blocks)
Terminology (AWS IaaS/PaaS)
• Instance, image, snapshot
• ELB (Elastic Load Balancer)
• Root account vs. IAM user
Architecting for availability: regions vs. availability zones
A region is a geographic location; each region contains several isolated availability zones (AZs). Example on the slide: US West region (AZ1–AZ4), Singapore region (AZ1–AZ3), Mumbai region (AZ1–AZ2).
Architecting for availability: redundancy in one region
Diagram: Internet → load balancer → web servers spread across Mumbai AZ-1, AZ-2 and AZ-3, with the database replicated across the same zones, so the loss of a single AZ takes out neither tier.
Architecting for availability: redundancy in multiple regions/clouds
Diagram: an external CDN in front of web and DB tiers deployed in US-EAST1 and US-EAST2, plus a copy at a second provider.
Architecting for availability
• CDN providers can add resiliency, flexibility & redundancy
• Look for vendors who can add functionality:
  • DDoS protection
  • Web application firewall
  • Load balancing
  • DNS management
Architecting for network separation: understanding VPC (Virtual Private Cloud) / virtual network
Diagram: two VPCs spanning Mumbai AZ-1, AZ-2 and AZ-3, each with its own web servers and databases: VPC A for production and VPC B for test, so test traffic never shares a network with production.
Architecting for network separation: understanding VPC (Virtual Private Cloud) / virtual network
Diagram: production VPC 192.168.0.0 split into a web subnet, a DB subnet and a management (MNGT) subnet (192.168.1.0, 192.168.2.0, 192.168.3.0), joined by a router; the management subnet hosts the message queue (MQ), monitoring and log systems, and 203.0.115.0 is the externally reachable range shown on the slide.
Understanding VPC (Virtual Private Cloud) / Virtual Network
A VPC is a logical grouping of subnets and instances that virtualizes the features of a physical data center (address space, routing, segmentation) inside the provider's network.
Architecting for network separation
Understanding security groups
Diagram: web servers and databases across Mumbai AZ-1, AZ-2 and AZ-3, with one security group per tier:
• Security group web-servers: allow 80/443
• Security group DB-servers: allow 3306 (MySQL)
A security group is a stateful, per-instance filter. The DB group's 3306 rule should name the web-servers group as its source rather than a CIDR, so that only members of the web tier can reach the database, whatever address they happen to get.
Architecting for network separation
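The two-group policy above can be checked mechanically. The following Python is an added example, not code from the slides or from any AWS tool: it audits security-group descriptions in the JSON shape that boto3's ec2.describe_security_groups() returns and reports anything that breaks the tiering on the slide (only 80/443 open to the Internet, and only on the web group; the DB group reachable only on 3306 and only with the web group as source). The group ids sg-web, sg-db and sg-test and both sets of rules are constructed sample data, so it runs without an AWS account.

```python
"""Audit security-group rules against the web/DB tiering on the slide.

Added example (not from the deck). Input is constructed below in the shape
returned by boto3's ec2.describe_security_groups(); no AWS access is needed.
"""
from __future__ import annotations

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_WEB_PORTS = {80, 443}
DB_PORT = 3306


def _rule_ports(rule: dict) -> set[int]:
    """Expand FromPort..ToPort to a set; an all-traffic rule has no ports and yields {-1}."""
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    return {-1} if lo == -1 or hi == -1 else set(range(lo, hi + 1))


def _fmt(ports: set[int]) -> str:
    return "all ports" if ports == {-1} else f"ports {sorted(ports)}"


def audit_security_groups(groups: list[dict], web_sg: str, db_sg: str) -> list[str]:
    """Return one finding per violation of the tiering policy.

    Policy (the slide's two groups):
      * the Internet may reach 80/443 on the web group and nothing else
      * the DB group accepts only 3306, and only with the web group as source
    """
    findings: list[str] = []
    for g in groups:
        gid = g["GroupId"]
        for rule in g.get("IpPermissions", []):
            ports = _rule_ports(rule)
            cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            src_groups = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}

            # Anything open to the world except 80/443 on the web tier.
            if cidrs & ANYWHERE:
                exposed = ports - PUBLIC_WEB_PORTS if gid == web_sg else ports
                if exposed:
                    findings.append(f"{gid}: {_fmt(exposed)} open to the Internet")

            # The DB tier: right port, and a security group (not a CIDR) as source.
            if gid == db_sg:
                if ports != {DB_PORT}:
                    findings.append(f"{gid}: DB group allows {_fmt(ports)}, expected only {DB_PORT}")
                if cidrs:
                    findings.append(f"{gid}: DB ingress from CIDR {sorted(cidrs)}; reference {web_sg} instead")
                if src_groups - {web_sg}:
                    findings.append(f"{gid}: DB ingress from unexpected groups {sorted(src_groups - {web_sg})}")
    return findings


# Constructed sample data (not from a real account).
WEB_SG, DB_SG = "sg-web", "sg-db"


def _tcp(port: int, **src) -> dict:
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, **src}


GOOD_GROUPS = [
    {"GroupId": WEB_SG, "IpPermissions": [_tcp(80, IpRanges=[{"CidrIp": "0.0.0.0/0"}]),
                                          _tcp(443, IpRanges=[{"CidrIp": "0.0.0.0/0"}])]},
    {"GroupId": DB_SG, "IpPermissions": [_tcp(3306, UserIdGroupPairs=[{"GroupId": WEB_SG}])]},
]

BAD_GROUPS = [
    {"GroupId": WEB_SG, "IpPermissions": [_tcp(80, IpRanges=[{"CidrIp": "0.0.0.0/0"}]),
                                          _tcp(22, IpRanges=[{"CidrIp": "0.0.0.0/0"}])]},   # SSH to the world
    {"GroupId": DB_SG, "IpPermissions": [
        _tcp(3306, IpRanges=[{"CidrIp": "192.168.0.0/16"}]),                 # whole VPC, not just the web tier
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-test"}]},  # everything from the test group
    ]},
]

if __name__ == "__main__":
    for label, groups in (("good", GOOD_GROUPS), ("bad", BAD_GROUPS)):
        print(label, audit_security_groups(groups, WEB_SG, DB_SG) or ["no findings"])
```

Against a live account the same function can be fed the `SecurityGroups` list from `describe_security_groups()` unchanged; the point of the CIDR check is that even a private range such as the whole VPC is wider than the slide's intent, because it lets the test or management tiers talk to the database.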
The advantages of micro segmentation
Architecting for network separation
Diagram: traditional segmentation vs. micro segmentation. Traditional segmentation filters only at the boundary between network zones; micro segmentation attaches a policy (a security group) to each instance or tier, so traffic between workloads inside the same network is filtered too.
Additional VPC tools
Architecting for network separation
• NAT gateway
• Direct Connect
• Bastion host
• VPN gateway
• Network ACLs
• Flow logs
Architecting for network separation
Diagram: a test VPC and a production VPC, each with WWW, application and DB tiers behind a router; outbound Internet access goes through a NAT gateway; the corporate network reaches an access VPC over VPN and from there a bastion host; an S3 endpoint keeps storage traffic inside the provider's network.
Web application firewall options
Architecting for application separation
• Third-party WAF as a service
• Provider's internal WAF service
• WAF proxy inside the cloud
• WAF client on the web instances
Build application separation
Architecting for application separation
• Utilize MQ services to separate application components
• Use API gateways & serverless functions
Architecting for application separation
Diagram: front end and back end decoupled by a queue service; the application services behind the queue include S3 storage and a serverless function. A second view shows only front end, queue service and back end.
Limiting blast radius
Root account → separate administrative roles, each with only the permissions its job needs:
• IAM admin
• Security auditor
• Billing admin
• Super admin
• Service 1 admin
• Service 2 admin
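What "limiting blast radius" buys is easiest to see by evaluating policies for a few of the roles above. The Python below is an added example, not from the deck and not AWS's evaluator: it implements only the core of IAM's decision logic (an explicit Deny always wins, otherwise a matching Allow is required, otherwise the request is denied by default) with the usual `*` wildcards, and leaves out conditions, resource policies and permission boundaries. The three policies, the account id 111122223333, the ARNs and the candidate requests are constructed for illustration.

```python
"""Toy IAM evaluator for the role split on the slide.

Added example, not from the deck. It models only the core of IAM evaluation
(explicit Deny wins, otherwise an Allow is required, otherwise implicit deny)
with '*' / '?' wildcards; conditions, resource policies and permission
boundaries are out of scope. All policies, ARNs and the account id are
constructed for illustration.
"""
from __future__ import annotations

from fnmatch import fnmatchcase


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str) -> bool:
    # IAM action names match case-insensitively; lower-casing both sides keeps the toy model simple.
    return fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one identity policy for a single (action, resource) request."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False          # an explicit Deny beats every Allow
        allowed = True
    return allowed                # no matching Allow: denied by default


def permitted(policy: dict, requests: list[tuple[str, str]]) -> set[tuple[str, str]]:
    """Which of the candidate (action, resource) requests the policy lets through."""
    return {req for req in requests if is_allowed(policy, *req)}


# Constructed policies, one per role on the slide; each is scoped to its job.
SECURITY_AUDITOR = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "iam:Get*", "iam:List*", "s3:List*", "cloudtrail:LookupEvents"]},
]}
SERVICE1_ADMIN = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::service1-*", "arn:aws:s3:::service1-*/*"]},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    # A service admin must never mint identities, whatever else is granted later.
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
]}
IAM_ADMIN = {"Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
]}

# Constructed requests an attacker holding each role's credentials might try.
INSTANCE = "arn:aws:ec2:ap-south-1:111122223333:instance/i-0123456789abcdef0"
REQUESTS = [
    ("ec2:DescribeInstances", INSTANCE),
    ("ec2:TerminateInstances", INSTANCE),
    ("s3:DeleteObject", "arn:aws:s3:::service1-backups/2017/db.sql"),
    ("s3:DeleteObject", "arn:aws:s3:::service2-data/customers.csv"),
    ("iam:CreateUser", "arn:aws:iam::111122223333:user/backdoor"),
]

if __name__ == "__main__":
    for name, policy in (("auditor", SECURITY_AUDITOR), ("service1", SERVICE1_ADMIN), ("iam", IAM_ADMIN)):
        print(name, sorted(permitted(policy, REQUESTS)))
```

The interesting line is the Deny in SERVICE1_ADMIN: a stolen Service 1 credential can damage Service 1's buckets but cannot create a persistent IAM user, and no later Allow attached to that role can change that. The auditor role can read everything and change nothing, which is what you want for the SIEM and compliance tooling.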
Limiting blast radius
Diagram: an organization with separate production, test and management (MNGT) accounts; each account has its own VPC with WWW, application and DB tiers and its own NAT gateway, so a compromise of one account is contained there.
Understanding storage options
Architecting for data security
Volume storage
• Attached to a single instance
• Not shared, accessible only from the instance
• Useful for storing the instance OS environment, application binaries, DB files and anything instances need to operate
Object storage
• Provider managed
• Files are placed in buckets
• Versioning & metadata kept for all objects
• Files are accessible by API or HTTP
• Independent from AZ or instance dependencies
• Useful for storing static application data, backups, source code and config files
Database service
• Provider managed
• Data is accessible through the DB API
• Varies between services (structured, unstructured and more)
• Usually the customer has no access to the underlying DB infrastructure
CDN
• Cloud provider proprietary service or external third-party service
• Provides flexibility and resiliency
• Useful for serving static content at low latency
• Usually accompanied by additional services: WAF, DDoS protection, load balancer...
Volume storage
Architecting for data security
Backups
• Usually snapshots
• It is the customer's responsibility to keep snapshots inaccessible (a snapshot contains everything that was on the disk)
• Don't keep application secrets on disk
Redundancy
• The volume itself is not redundant
• Access goes through a service on the instance OS (e.g. a web service)
• If that service or instance fails, there is no access to the data
Encryption
• Storage encryption with a provider service (e.g. AWS KMS, Azure Key Vault)
• Or OS-level encryption software (e.g. TrueCrypt, BitLocker; note that TrueCrypt is discontinued and unmaintained)
Object storage
Architecting for data security
Backups
• Keeps a versioning history of files
• External backups are recommended (explore provider services)
Redundancy
• Availability is the responsibility of the provider
• Increased availability can be achieved by replicating to other regions
Encryption
• Server side: storage encryption with a provider service (e.g. AWS KMS, Azure Key Vault)
• Or client side, using the provider SDK
Database storage (database as a service)
Architecting for data security
Backups
• Automated backups are made by the provider
• External exports and backups should be made periodically, just as for any other database
Redundancy
• Availability is the responsibility of the provider, but the topology is chosen by the customer
• Architect for multiple AZs
Encryption
• Server side: storage encryption with a provider service, usually at the database level
• TDE (transparent data encryption) can be used here as well; depending on the engine it encrypts whole tablespaces/database files or individual tables/columns
Encryption
Architecting for data security
Diagram: where encryption can be applied and where the keys live.
• Layers: OS, storage, DB, application
• Encryption options per layer: TDE (DB), storage encryption (provider storage), full disk encryption software (OS)
• Keys: held in a KMS, in an HSM, or on the virtual instance itself (the weakest option, since the key then sits next to the data it protects)
Architecting for CI/CD
Diagram slide. Source: Cloud Security Alliance Guidelines
Architecting for CI/CD
Diagram slide. Source: AWS Security best practices
Architecting for log management
• Portal logs: cover API & GUI access to the provider (AWS CloudTrail on the next slide)
• Traffic logs: network traffic inside the VPC (VPC flow logs)
• Instance logs: extracted just as from a traditional OS
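Traffic logs are only useful once something reads them. The Python below is an added example, not from the deck: it parses VPC Flow Log records in the default version-2 field order and applies two detection rules to the production VPC drawn earlier (an ACCEPT to the DB tier on 3306 from anything other than the web tier, and one outside address collecting REJECTs on several ports). The log lines, account id, interface ids and the mapping of 192.168.1.0/24 to the web subnet and 192.168.2.0/24 to the DB subnet are constructed assumptions.

```python
"""Detection over VPC Flow Logs (the 'traffic logs' of the slide).

Added example, not from the deck. Records are constructed below in the
default version-2 field order; the tier CIDRs are assumed from the
production VPC drawn earlier (192.168.0.0 with web, DB and management subnets).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPC_NET = ip_network("192.168.0.0/16")   # the production VPC
WEB_NET = ip_network("192.168.1.0/24")   # web subnet (assumed mapping)
DB_NET = ip_network("192.168.2.0/24")    # DB subnet (assumed mapping)
DB_PORT = 3306
SCAN_THRESHOLD = 3                       # distinct rejected ports from one outside source

# Default flow-log record layout (version 2): 14 space-separated fields.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dstport: int
    action: str   # ACCEPT or REJECT


def parse_flow_log(text: str) -> list[Flow]:
    """Parse records; NODATA/SKIPDATA lines carry '-' in the address fields and are dropped."""
    flows: list[Flow] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # custom format or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        flows.append(Flow(rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]), rec["action"]))
    return flows


def analyze(flows: list[Flow]) -> list[str]:
    """Apply the two rules and return human-readable findings."""
    findings: list[str] = []
    rejected_ports: dict[str, set[int]] = defaultdict(set)
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        # Rule 1: the DB tier is only ever reached on 3306, and only from the web tier.
        # An ACCEPT from anywhere else means a security group is wider than the slide's policy.
        if dst in DB_NET and f.dstport == DB_PORT and f.action == "ACCEPT" and src not in WEB_NET:
            findings.append(f"DB access from outside the web tier: {f.src} -> {f.dst}:{f.dstport}")
        # Rule 2: one outside address collecting REJECTs on many ports is probing the perimeter.
        if f.action == "REJECT" and src not in VPC_NET:
            rejected_ports[f.src].add(f.dstport)
    for src_ip, ports in rejected_ports.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.append(f"possible port scan from {src_ip}: rejected ports {sorted(ports)}")
    return findings


# Constructed sample (documentation address ranges; not real traffic).
SAMPLE_FLOW_LOG = """
2 111122223333 eni-0a1b2c3d 203.0.113.10 192.168.1.20 51234 443 6 20 4000 1510300000 1510300060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 203.0.113.10 192.168.1.20 51235 22 6 1 60 1510300000 1510300060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.10 192.168.1.20 51236 3389 6 1 60 1510300000 1510300060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.10 192.168.1.20 51237 8080 6 1 60 1510300000 1510300060 REJECT OK
2 111122223333 eni-0d9e8f7a 192.168.1.20 192.168.2.10 40000 3306 6 50 9000 1510300000 1510300060 ACCEPT OK
2 111122223333 eni-0d9e8f7a 192.168.3.5 192.168.2.10 40001 3306 6 10 800 1510300000 1510300060 ACCEPT OK
2 111122223333 eni-0d9e8f7a 198.51.100.7 192.168.2.10 40002 3306 6 3 180 1510300000 1510300060 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1510300000 1510300060 - NODATA
"""

if __name__ == "__main__":
    for finding in analyze(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(finding)
```

On the sample the management host 192.168.3.5 reaching the database is reported even though the connection succeeded, which is exactly the case a security-group audit alone would miss if the rule had been widened to the whole VPC; the single REJECT from 198.51.100.7 stays below the scan threshold and is not reported.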
Architecting for monitoring
Diagram: CloudTrail events are delivered to S3 and forwarded to a SIEM; CloudWatch rules & alerts raise SNS notifications; VPC flow logs and OS logs (collected by an agent) feed the same pipeline.
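The rules that the CloudWatch/SNS part of that pipeline would carry are small. The Python below is an added example, not from the deck and not an AWS feature: it evaluates four alert rules over CloudTrail records (root account activity, a successful console login without MFA, a security group opened to 0.0.0.0/0, and calls that switch the trail off). The records are constructed in CloudTrail's JSON layout; the account id, user names, group ids and IP addresses are made up.

```python
"""Alert rules over CloudTrail records (the 'portal logs' of the slides).

Added example, not from the deck. The records below are constructed in the
CloudTrail JSON layout (userIdentity, eventName, requestParameters, ...);
the account id, ARNs and IP addresses are made up. In the pipeline on the
slide these checks would be CloudWatch rules raising SNS notifications.
"""
from __future__ import annotations

ANYWHERE = {"0.0.0.0/0", "::/0"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _opened_ranges(params: dict):
    """Yield (cidr, from_port) for every range in an AuthorizeSecurityGroupIngress call."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        port = perm.get("fromPort", "all")
        for r in perm.get("ipRanges", {}).get("items", []):
            yield r.get("cidrIp"), port
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            yield r.get("cidrIpv6"), port


def evaluate(records: list[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs, one per alert, in record order."""
    alerts: list[tuple[str, str]] = []
    for r in records:
        who = r.get("userIdentity", {})
        event = r.get("eventName", "")
        src = r.get("sourceIPAddress", "?")
        # 1. The root account should never be used day to day.
        if who.get("type") == "Root":
            alerts.append(("root-activity", f"{event} by root from {src}"))
        # 2. Successful console login without MFA.
        if (event == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") == "No"):
            alerts.append(("login-without-mfa", f"{who.get('userName', who.get('arn'))} from {src}"))
        # 3. A security group opened to the whole Internet.
        if event == "AuthorizeSecurityGroupIngress":
            params = r.get("requestParameters", {})
            for cidr, port in _opened_ranges(params):
                if cidr in ANYWHERE:
                    alerts.append(("sg-open-to-world", f"{params.get('groupId')} port {port} from {cidr}"))
        # 4. Anyone switching the audit trail off or narrowing it.
        if event in TRAIL_TAMPERING:
            alerts.append(("cloudtrail-tampering", f"{event} by {who.get('arn')}"))
    return alerts


# Constructed records (made-up account, users and addresses).
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"}

SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "userIdentity": ROOT,
     "sourceIPAddress": "203.0.113.10", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.7", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"groupId": "sg-web", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"groupId": "sg-db", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306,
          "ipRanges": {"items": [{"cidrIp": "192.168.1.0/24"}]}}]}}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"name": "org-trail"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "userIdentity": ALICE,
     "sourceIPAddress": "198.51.100.7"},
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Rule 1 fires on the root login even though MFA was used, because the slide's whole point about the root account is that it should not appear in the logs at all; rule 4 matters because an attacker who has reached the portal will try to blind the SIEM before doing anything else, so that alert should go to a channel outside the affected account.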
Questions?
KEEP IN TOUCH
The cloud security course schedule can be found at:
http://www.onlinecloudsec.com/course-schedule

 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 

Architect secure cloud services.

  • 13. SACON 2017 Architecting for network separation: Understanding VPC (Virtual Private Cloud) / Virtual Network. (Diagram: two VPCs, "VPC A: Production" and "VPC B: Test", each spanning Mumbai AZ-1, AZ-2 and AZ-3 with its own web servers (WWW) and databases (DB).)
  • 14. SACON 2017 Architecting for network separation: Understanding VPC (Virtual Private Cloud) / Virtual Network. (Diagram: a Production VPC split into a Web subnet with web servers, a DB subnet with databases and a MNGT subnet with MQ, Monitoring and Logs, joined through a router; address labels on the diagram: 192.168.0.0, 192.168.1.0, 192.168.2.0, 192.168.3.0 and 203.0.115.0.)
  • 15. SACON 2017 Architecting for network separation: Understanding VPC (Virtual Private Cloud) / Virtual Network. A VPC is a logical grouping of subnets and instances that virtualizes the features of a physical data center.
  • 16. SACON 2017 Architecting for network separation: Understanding Security groups. (Diagram: web servers and databases spread over Mumbai AZ-1, AZ-2 and AZ-3.) Security Group: web-servers, Allow: 80/443. Security Group: DB-servers, Allow: 3306 (MySQL).
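The two security groups on slide 16 only segment the tiers if the DB group admits traffic from the web-servers group rather than from an address range. The following is an added example (not code from the deck or from AWS): a small offline model of those two groups, where a source of the form `sg:<name>` is a group reference, plus two checks a reviewer would run before deployment. The VPC range 192.168.0.0/16 is assumed from the address labels on slide 14.

```python
from ipaddress import ip_network

# Constructed security-group definitions modelled on slide 16 (added example).
# A rule source is either a CIDR string or "sg:<group-name>", a reference to
# another group, which is how one tier is allowed to reach another without
# listing instance addresses.
SECURITY_GROUPS = {
    "web-servers": [
        {"proto": "tcp", "port": 80, "source": "0.0.0.0/0"},
        {"proto": "tcp", "port": 443, "source": "0.0.0.0/0"},
    ],
    "DB-servers": [
        {"proto": "tcp", "port": 3306, "source": "sg:web-servers"},
    ],
}

# Assumed VPC address range, taken from the 192.168.x.0 labels on slide 14.
VPC_CIDR = ip_network("192.168.0.0/16")


def is_outside_vpc(source: str) -> bool:
    """True when a rule source admits addresses that are not inside the VPC.

    Group references never do; a CIDR does unless it is a subnet of the VPC."""
    if source.startswith("sg:"):
        return False
    return not ip_network(source, strict=False).subnet_of(VPC_CIDR)


def reachable_from_outside(groups) -> list:
    """Return sorted (group, port) pairs that hosts outside the VPC can reach."""
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            if is_outside_vpc(rule["source"]):
                findings.append((name, rule["port"]))
    return sorted(findings)


def db_tier_exposed(groups, db_group="DB-servers",
                    allowed_tiers=("web-servers",)) -> list:
    """Micro-segmentation check: the DB group may only admit traffic from the
    named tier groups; any CIDR or other group reference is a finding."""
    bad = []
    for rule in groups.get(db_group, []):
        src = rule["source"]
        if not (src.startswith("sg:") and src[3:] in allowed_tiers):
            bad.append((rule["port"], src))
    return bad
```

Running the same checks against a variant where DB-servers allows 3306 from 0.0.0.0/0 flags the database port as reachable from anywhere, which is the misconfiguration the group reference is meant to prevent.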
  • 17. SACON 2017 Architecting for network separation: The advantages of Micro Segmentation. (Diagram: Traditional vs. Micro segmentation.)
  • 18. SACON 2017 Architecting for network separation: Additional VPC tools: NAT Gateway, Direct Connect, Bastion Host, VPN Gateway, Network ACLs, Flow logs.
  • 19. SACON 2017 Architecting for network separation. (Diagram: a Test VPC and a Production VPC, each with WWW, Application and DB tiers, reach the Internet through a router and a NAT Gateway; the Corporate network connects over VPN to an Access VPC holding a Bastion Host; an S3 Endpoint serves the VPCs.)
  • 20. SACON 2017 Architecting for application separation: Web Application Firewall options: 3rd party as a service; Internal provider service; WAF proxy inside cloud; WAF client on web instances.
  • 21. SACON 2017 Architecting for application separation: Build application separation. Utilize MQ services to separate application components. Use API Gateways & Serverless functions.
  • 22. SACON 2017 Architecting for application separation. (Diagram: Front End, Back End, Queue Service, S3 Storage, Serverless Function, Application Services.)
  • 23. SACON 2017 Architecting for application separation. (Diagram: Front End, Back End, Queue Service.)
  • 24. SACON 2017 Limiting blast Radius. (Diagram: the Root Account delegates to an IAM Admin, a Security Auditor, a Billing Admin, a Super Admin, a Service 1 Admin and a Service 2 Admin.)
  • 25. SACON 2017 Limiting blast Radius. (Diagram: an Organization with a Production account, a Test Account and a MNGT Account, each holding its own VPC with WWW, Application, DB and NAT.)
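Slides 24 and 25 split the root account's authority into narrower roles and accounts so that one compromised credential does not reach everything. The following is an added example (not from the deck): constructed IAM policy documents for three of the roles on slide 24, using real IAM action patterns, and a checker that reports each role's blast radius. The bucket name is a placeholder.

```python
import fnmatch

# Constructed policy documents for three roles from slide 24 (added example).
# Action names are real IAM action patterns; the bucket name is a placeholder.
POLICIES = {
    "SecurityAuditor": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "iam:Get*", "iam:List*",
                    "cloudtrail:LookupEvents", "s3:ListAllMyBuckets"]}]},
    "Service1Admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::service1-bucket-PLACEHOLDER",
                      "arn:aws:s3:::service1-bucket-PLACEHOLDER/*"]}]},
    "SuperAdmin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
}

READ_ONLY_VERBS = ("Describe", "Get", "List", "Lookup")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def services_touched(policy) -> set:
    """Service prefixes the policy can act on; '*' means every service."""
    out = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st["Action"]):
            out.add("*" if action == "*" else action.split(":", 1)[0])
    return out


def is_unbounded_admin(policy) -> bool:
    """True when an Allow statement grants every action on every resource,
    i.e. the role's blast radius is the whole account (the root-like case)."""
    return any(st.get("Effect") == "Allow"
               and "*" in _as_list(st["Action"])
               and "*" in _as_list(st["Resource"])
               for st in policy["Statement"])


def is_read_only(policy) -> bool:
    """True when every allowed action starts with a read-only verb."""
    for st in policy["Statement"]:
        for action in _as_list(st["Action"]):
            verb = action.split(":", 1)[-1]
            if not any(fnmatch.fnmatch(verb, v + "*") for v in READ_ONLY_VERBS):
                return False
    return True


def blast_radius_report(policies) -> dict:
    """Per-role summary: services reachable, unbounded-admin and read-only flags."""
    return {name: {"services": sorted(services_touched(p)),
                   "unbounded_admin": is_unbounded_admin(p),
                   "read_only": is_read_only(p)} for name, p in policies.items()}
```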
  • 26. SACON 2017 Architecting for data security: Understanding storage options
    Volume Storage
    • Attached to a single instance
    • Not shared, accessible only from the instance
    • Useful for storing the instance OS environment, application binaries, DB files and anything instances need to operate
    Object Storage
    • Provider managed
    • Files are placed in buckets
    • Versioning & metadata kept for all objects
    • Files are accessible by API or HTTP
    • Independent of AZ and instance dependencies
    • Useful for storing static application data, backups, source code and config files
    Database service
    • Provider managed
    • Files are accessible by DB API
    • Varies between different services (structured, unstructured and more)
    • Usually the customer has no access to the underlying DB infrastructure
    CDN
    • Cloud provider proprietary service or external 3rd party services
    • Provides flexibility and resiliency
    • Useful for serving static content at low latency
    • Usually accompanied by additional services: WAF, DDOS protection, Load balancer…
  • 27. SACON 2017 Architecting for data security: Volume storage
    Backups
    • Usually snapshots
    • Customer responsibility to keep snapshots inaccessible
    • Don't keep application secrets on disk
    Redundancy
    • Not redundant
    • Access is made by a service on the instance OS (e.g. a web service)
    • If the service fails, no access
    Encryption
    • Storage encryption with a provider service (e.g. AWS KMS, Azure Key Vault)
    • Or OS-level encryption software (e.g. TrueCrypt, BitLocker)
  • 28. SACON 2017 Architecting for data security: Object storage
    Backups
    • Keeps a versioning system of files
    • External backups are recommended (explore provider services)
    Redundancy
    • Availability is the responsibility of the provider
    • Increased availability can be achieved by replicating to other regions
    Encryption
    • Service side: storage encryption with a provider service (e.g. AWS KMS, Azure Key Vault)
    • Or client side using the provider SDK
  • 29. SACON 2017 Architecting for data security: Database Storage (Database as a service)
    Backups
    • Automated backups are made by the provider
    • External exports and backups should be made periodically, just as for any other database
    Redundancy
    • Availability is the responsibility of the provider but managed by the customer
    • Architect for multiple AZs
    Encryption
    • Service side: storage encryption with a provider service, usually at the database level
    • TDE can be used here as well to encrypt at table/column level
  • 30. SACON 2017 Architecting for data security: Encryption. (Diagram: layers OS, Storage, DB and Application; encryption at each layer via TDE, Storage Encryption or Full Disk Encryption Software; keys held in a KMS, an HSM or on the virtual instance.)
  • 31. SACON 2017 Architecting for CI/CD. (Diagram. Source: Cloud Security Alliance Guidelines.)
  • 32. SACON 2017 Architecting for CI/CD. (Diagram. Source: AWS Security best practices.)
  • 33. SACON 2017 Architecting for Log Management. Portal Logs: cover API & GUI access. Traffic Logs: network traffic inside the VPC. Instance Logs: extracted just like a traditional OS.
  • 34. SACON 2017 Architecting for Monitoring. (Diagram: CloudTrail writes to S3, which a SIEM agent reads; CloudWatch (Rules & Alerts) notifies through SNS; VPC Flow Logs and OS Logs feed the same pipeline.)
  • 36. SACON 2017 KEEP IN TOUCH. The Cloud Security Course Schedule can be found at: http://www.onlinecloudsec.com/course-schedule
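Slides 33 and 34 list VPC Flow Logs as one of the feeds for CloudWatch rules or a SIEM. As an added example (not from the deck), here is the detection logic such a rule would carry: a parser for the default flow-log record format and a rule that flags flows to the MySQL port in the DB subnet whose source lies outside the VPC. The log lines are constructed, the account and interface ids are placeholders, and the VPC/DB subnet ranges are assumed from the 192.168.x.0 labels on slide 14.

```python
from ipaddress import ip_address, ip_network

# Constructed VPC Flow Log records in the default format (added example):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. Account and interface ids are
# placeholders; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-PLACEHOLDER1 192.168.1.10 192.168.2.20 49152 3306 6 12 2048 1510300000 1510300060 ACCEPT OK
2 123456789012 eni-PLACEHOLDER1 203.0.113.45 192.168.2.20 51000 3306 6 3 180 1510300000 1510300060 REJECT OK
2 123456789012 eni-PLACEHOLDER1 203.0.113.45 192.168.2.20 51001 3306 6 9 1400 1510300060 1510300120 ACCEPT OK
2 123456789012 eni-PLACEHOLDER2 198.51.100.7 192.168.1.10 44000 443 6 20 4200 1510300000 1510300060 ACCEPT OK
2 123456789012 eni-PLACEHOLDER2 - - - - - - - 1510300000 1510300060 - NODATA
"""

# Assumed from slide 14's subnet labels: whole VPC and the DB subnet.
VPC_CIDR = ip_network("192.168.0.0/16")
DB_SUBNET = ip_network("192.168.2.0/24")
DB_PORTS = {3306}  # MySQL, the port slide 16 opens on DB-servers

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text: str) -> list:
    """Parse default-format flow-log lines into dicts, dropping NODATA/SKIPDATA
    rows (their traffic fields are '-') and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def db_access_from_outside_vpc(records: list) -> list:
    """Alert rule: a flow to a DB port in the DB subnet from a non-VPC source.
    ACCEPT means a security group let it through (high: misconfiguration);
    REJECT still merits a low-severity alert as a probe against the tier."""
    alerts = []
    for r in records:
        src, dst = ip_address(r["srcaddr"]), ip_address(r["dstaddr"])
        if dst in DB_SUBNET and r["dstport"] in DB_PORTS and src not in VPC_CIDR:
            severity = "high" if r["action"] == "ACCEPT" else "low"
            alerts.append((severity, r["srcaddr"], r["dstport"], r["action"]))
    return alerts
```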