Moshe Ferber, profile picture
Uploaded byMoshe Ferber
882 views

Architect secure cloud services.

The document is a presentation by Moshe Ferber, an information security professional, focused on architecting secure cloud services and emphasizing the variations between IaaS, PaaS, and SaaS cloud services. It discusses strategic principles for security in cloud architecture, including availability, network separation, application separation, and data security, highlighting tools and practices like micro-segmentation and encryption. Additionally, it covers the importance of audit and monitoring for secure cloud environments and provides a resource for further cloud security course schedules.

Embed presentation

SACON SACON International 2017 Moshe Ferber CSA Israel @Ferbermoshe India | Bangalore | November 10 – 11 | Hotel Lalit Ashok Architecting secure cloud services
SACON 2017 About myself  Information security professional for over 20 years  Founder, partner and investor at various cyber initiatives and startups  Popular industry speaker & lecturer (DEFCON, BLACKHAT, RSA and more)  Founding committee member for ISC2 CCSP certification.  CCSK Certification lecturer for the Cloud Security Alliance.  Member of the board at Macshava Tova – Narrowing societal gaps  Chairman of the Board, Cloud Security Alliance, Israeli Chapter
SACON 2017 So, what is cloud?
SACON 2017 SaaS PaaS IaaS Private Hybrid Public Cloud Services are very different in nature Cloud Services are very different in nature
SACON 2017Physical Security Network & Data Center Security Hypervisors Security Virtual Machines & OS security Data layer & development platform Application Identity Management DATA Audit & Monitoring IaaS PaaS SaaS Consumer responsibility Provider responsibility The shared responsibility model
SACON 2017 The CISO Challenge How to build secure applications How to correctly evaluate your provider IaaS/PaaS SaaS
SACON 2017 Our focus today IaaS PaaS SaaS
SACON 2017 Terminology AWS IaaS PaaS Instance Image Snapshot ELB Root Account IAM user
SACON 2017 Architecting for availability US WEST Region AZ1 AZ2 AZ3 AZ4 Singapore Region AZ1 AZ2 AZ3 Mumbai Region AZ1 AZ2 Regions vs. Availability Zones
SACON 2017 Architecting for availability DB Mumbai AZ-1 DB DB Internet Load Balancer Redundancy in one region Mumbai AZ-2 WWWWWW WWW Mumbai AZ-3
SACON 2017 Architecting for availability DB US-EAST1 DB DB External CDN US-EAST2 2nd provider Redundancy in multiple regions/clouds WWWWWWWWW
SACON 2017 Architecting for availability • CDN providers can add resiliency, flexibility & redundancy • Look for vendors who can add functionality: DDOS protection Web application firewall Load Balancing DNS management
SACON 2017 Architecting for network separation Mumbai AZ-2 Mumbai AZ-3Mumbai AZ-1 DB WWW WWWWWW DBDB Understanding VPC (Virtual Private Cloud) / Virtual Network DB WWW WWWWWW DBDB VPC A: Production VPC B: Test
SACON 2017 DB Subnet MNGT subnetWeb SUBNET WWW WWW Understanding VPC (Virtual Private Cloud) / Virtual Network WWW Router DB DB DB MQ Monitoring Logs Production VPC 192.168.0.0 192.168.2.0192.168.1.0 203.0.115.0 192.168.3.0 Architecting for network separation
SACON 2017 Understanding VPC (Virtual Private Cloud) / Virtual Network VPC is logical grouping of subnets & instances, virtualizing physical data center features Architecting for network separation
SACON 2017 Understanding Security groups Mumbai AZ-2 Mumbai AZ-3Mumbai AZ-1 WWW WWWWWW DBDB DB Security Group: web-servers Allow: 80/443 Security Group: DB-servers Allow: 3306 (MYSQL) Architecting for network separation
SACON 2017 The advantages of Micro Segmentation Architecting for network separation Traditional Micro segmentation
SACON 2017 Additional VPC tools Architecting for network separation NAT Gateway Direct Connect Bastion Host VPN Gateway Network ACLs Flow logs
SACON 2017 Architecting for network separation Test VPC Router WWW Application DB Internet Production VPC WWW Application DB NAT Gateway Corporate network VPN Access VPC Bastion Host S3 EndPoint
SACON 2017 Web Application Firewall options Architecting for application separation 3rd party as a service Internal Provider service WAF Proxy inside cloud WAF client on web instances
SACON 2017 Build application separation Architecting for application separation Utilize MQ services to separate application components Use API Gateways & Serverless functions
SACON 2017 Architecting for application separation Front End Back End Queue Service S3 Storage Serverless Function ApplicationServices
SACON 2017 Architecting for application separation Front End Back End Queue Service
SACON 2017 Limiting blast Radius Root Account IAM Admin Security Auditor Billing Admin Super Admin Service 1 Admin Service 2 Admin
SACON 2017 Limiting blast Radius Organization Production account Test Account MNGT Account Production VPC WWW Application DB NAT Test VPC WWW Application DB NAT MNGT VPC WWW Application DB NAT
SACON 2017 Understanding storage options Architecting for data security Volume Storage • Attached to a single instance • Not shared, accessible only from the instance • Useful in storing instance OS environment , application binaries , DB files and anything instances need to operate Object Storage • Provider managed • Files are placed in buckets • Versioning & meta data kept for all objects • Files are accessible by API or HTTP • Independent from AZ or instances dependencies • Useful for storing static applications data, backups, source code and config files Database service • Provider managed • Files are accessible by DB API • Vary between different services: (structured, unstructured and more) • Usually customer has no access to underlying DB infrastructure CDN • Cloud provider proprietary service or external 3rd party services • Provide flexibility and resiliency • Useful in serving static content at late latency • Usually accompanied by additional services: WAF, DDOS protection, Load balancer…
SACON 2017 Volume storage Architecting for data security Backups • Usually snapshots • Customer responsibility to keep snapshots inaccessible • Don’t keep application secrets on disk Redundancy • Not redundant • Access is made by a service on the instance OS (web service I.e) • If service fails, no access Encryption • Storage encryption with provider service (i.e. AWS KMS, Azure keyvault) • Or OS Level encryption software (i.e. truecrypt, bitlocker)
SACON 2017 Object storage Architecting for data security Backups • Keeps versioning system of files • External backups are recommended (explore provider services) Redundancy • Availability is responsibility of the provider • Increased availability can be achieved by replicating to other regions Encryption • Service side: Storage encryption with provider service (i.e. AWS KMS, Azure key vault) • Or Client side using provider SDK
SACON 2017 Database Storage (Database as a service) Architecting for data security Backups • Automated backups are made by provider • External exports and backups should be made periodically, just as any other database Redundancy • Availability is responsibility of the provider but managed by customer • Architect multiple AZ Encryption • Service side: Storage encryption with provider service usually at the database level • TDE can be used here as well to encrypt at table/ column level
SACON 2017 Encryption Architecting for data security OS Storage DB Application Encryption Layer TDE Storage Encryption Full Disk Encryption Software KMS HSM Virtual instance KEYS
SACON 2017 A r c h i t e c t i n g f o r C I / C D Source: Cloud Security Alliance Guidelines
SACON 2017 A r c h i t e c t i n g f o r C I / C D Source : AWS Security best practices
SACON 2017 A r c h i t e c t i n g f o r L o g M a n a g e m e n t Portal Logs • Cover API & GUI access Traffic Logs • Network traffic inside VPC Instances Logs • Extracted just like traditional OS
SACON 2017 A r c h i t e c t i n g f o r M o n i t o r i n g Cloud Trail S3 SIEM Agent Cloud WATCH (Rules & Alerts) SNS (notifications) VPC Flow Logs OS Logs
SACON 2017 Questions?
SACON 2017 KEEP IN TOUCH Cloud Security Course Schedule can be find at: http://www.onlinecloudsec.com/course-schedule

More Related Content

PPTX
Cloud security for financial services
byMoshe Ferber
 
PPTX
Surviving the lions den - how to sell SaaS services to security oriented cust...
byMoshe Ferber
 
PPTX
What the auditor need to know about cloud computing
byMoshe Ferber
 
PPTX
Transforming cloud security into an advantage
byMoshe Ferber
 
PPTX
The Cloud & I, The CISO challenges with Cloud Computing
byMoshe Ferber
 
PPTX
Cloud security for banks - the central bank of Israel regulations for cloud s...
byMoshe Ferber
 
PPTX
Cloud security what to expect (introduction to cloud security)
byMoshe Ferber
 
PPTX
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
byMoshe Ferber
 
Cloud security for financial services
byMoshe Ferber
 
Surviving the lions den - how to sell SaaS services to security oriented cust...
byMoshe Ferber
 
What the auditor need to know about cloud computing
byMoshe Ferber
 
Transforming cloud security into an advantage
byMoshe Ferber
 
The Cloud & I, The CISO challenges with Cloud Computing
byMoshe Ferber
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
byMoshe Ferber
 
Cloud security what to expect (introduction to cloud security)
byMoshe Ferber
 
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
byMoshe Ferber
 

What's hot

PPTX
Aligning Risk with Growth - Cloud Security for startups
byMoshe Ferber
 
PPTX
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
byMoshe Ferber
 
PPTX
2012 10 cloud security architecture
byVladimir Jirasek
 
PPTX
CLOUDSEC LONDON 2016 - Puneet Kukreja - Enabling Cloud Security -
byPuneet Kukreja
 
PPTX
Cloud Access Security Brokers - CASB
bySamrat Das
 
PPTX
C-Level tools for Cloud security
byVladimir Jirasek
 
PPTX
Cloud risk and business continuity v21
byJorge Sebastiao
 
PPTX
Secure your cloud applications by building solid foundations with enterprise ...
byVladimir Jirasek
 
PDF
Cloud Security & Cloud Encryption Explained
byPorticor - The Cloud Security Experts
 
PPTX
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
byHimani Singh
 
PDF
Cloud Access Security Brokers
byAbhishek Tripathi
 
PDF
Cloud security
byBikashPokharel3
 
PPTX
Security As A Service
byGeorge Fares
 
PDF
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
byNetskope
 
PPTX
Cloud Security
byThe TNS Group
 
PPTX
Comprehensive Information on CASB
byHTS Hosting
 
PPTX
Securing virtual workload and cloud
byHimani Singh
 
PDF
Workshop: Threat Intelligence - Part 1
byPriyanka Aash
 
PDF
CASB — Your new best friend for safe cloud adoption?
byDigital Transformation EXPO Event Series
 
Aligning Risk with Growth - Cloud Security for startups
byMoshe Ferber
 
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
byMoshe Ferber
 
2012 10 cloud security architecture
byVladimir Jirasek
 
CLOUDSEC LONDON 2016 - Puneet Kukreja - Enabling Cloud Security -
byPuneet Kukreja
 
Cloud Access Security Brokers - CASB
bySamrat Das
 
C-Level tools for Cloud security
byVladimir Jirasek
 
Cloud risk and business continuity v21
byJorge Sebastiao
 
Secure your cloud applications by building solid foundations with enterprise ...
byVladimir Jirasek
 
Cloud Security & Cloud Encryption Explained
byPorticor - The Cloud Security Experts
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
byHimani Singh
 
Cloud Access Security Brokers
byAbhishek Tripathi
 
Cloud security
byBikashPokharel3
 
Security As A Service
byGeorge Fares
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
byNetskope
 
Cloud Security
byThe TNS Group
 
Comprehensive Information on CASB
byHTS Hosting
 
Securing virtual workload and cloud
byHimani Singh
 
Workshop: Threat Intelligence - Part 1
byPriyanka Aash
 
CASB — Your new best friend for safe cloud adoption?
byDigital Transformation EXPO Event Series
 

Similar to Architect secure cloud services.

PDF
SACON - Cloud Security Architecture (Moshe Ferber)
byPriyanka Aash
 
PDF
(SACON) Anant Shrivastava - cloud pentesting
byPriyanka Aash
 
PPTX
Cloud Security Architecture.pptx
byMoshe Ferber
 
PDF
SACON - Enterprise Security Architecture (Bikash Barai)
byPriyanka Aash
 
PPTX
talk6securingcloudamarprusty-191030091632.pptx
byTrongMinhHoang1
 
PPTX
Cloud Security
byAWS User Group Bengaluru
 
PPTX
Cloud Security
byAWS User Group Bengaluru
 
PDF
SACON - Security Architecture (Arnab Chattopadhayay)
byPriyanka Aash
 
PPT
Cloud Computing & Security Concerns
byUniversity of San Francisco
 
POT
Automation alley day in the cloud presentation - formatted
byMatthew Moldvan
 
PPTX
Infrastructure for SaaS Applications
byEjaz Siddiqui
 
PPTX
Security in the cloud Workshop HSTC 2014
byAkash Mahajan
 
PPTX
security and compliance in the cloud
byAjay Rathi
 
PPTX
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
PPT
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
byBill Annibell
 
PPT
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
byTT L
 
PPT
Effectively and Securely Using the Cloud Computing Paradigm
byfanc1985
 
PPTX
Securing your Cloud Deployment
byHrusostomos Vicatos
 
PPTX
cloud security management for security issue of cloud
byshivshankarprasad21
 
PDF
Cloud services and it security
byEast Midlands Cyber Security Forum
 
SACON - Cloud Security Architecture (Moshe Ferber)
byPriyanka Aash
 
(SACON) Anant Shrivastava - cloud pentesting
byPriyanka Aash
 
Cloud Security Architecture.pptx
byMoshe Ferber
 
SACON - Enterprise Security Architecture (Bikash Barai)
byPriyanka Aash
 
talk6securingcloudamarprusty-191030091632.pptx
byTrongMinhHoang1
 
Cloud Security
byAWS User Group Bengaluru
 
Cloud Security
byAWS User Group Bengaluru
 
SACON - Security Architecture (Arnab Chattopadhayay)
byPriyanka Aash
 
Cloud Computing & Security Concerns
byUniversity of San Francisco
 
Automation alley day in the cloud presentation - formatted
byMatthew Moldvan
 
Infrastructure for SaaS Applications
byEjaz Siddiqui
 
Security in the cloud Workshop HSTC 2014
byAkash Mahajan
 
security and compliance in the cloud
byAjay Rathi
 
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
Presentation on Effectively and Securely Using the Cloud Computing Paradigm v26
byBill Annibell
 
Presentation On Effectively And Securely Using The Cloud Computing Paradigm V26
byTT L
 
Effectively and Securely Using the Cloud Computing Paradigm
byfanc1985
 
Securing your Cloud Deployment
byHrusostomos Vicatos
 
cloud security management for security issue of cloud
byshivshankarprasad21
 
Cloud services and it security
byEast Midlands Cyber Security Forum
 

Recently uploaded

PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
apidays New York 2025 | AI in Application Security
byapidays
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 

Architect secure cloud services.

  • 1.
    SACON SACON International 2017 MosheFerber CSA Israel @Ferbermoshe India | Bangalore | November 10 – 11 | Hotel Lalit Ashok Architecting secure cloud services
  • 2.
    SACON 2017 About myself Information security professional for over 20 years  Founder, partner and investor at various cyber initiatives and startups  Popular industry speaker & lecturer (DEFCON, BLACKHAT, RSA and more)  Founding committee member for ISC2 CCSP certification.  CCSK Certification lecturer for the Cloud Security Alliance.  Member of the board at Macshava Tova – Narrowing societal gaps  Chairman of the Board, Cloud Security Alliance, Israeli Chapter
  • 3.
  • 4.
    SACON 2017 SaaS PaaS IaaS Private HybridPublic Cloud Services are very different in nature Cloud Services are very different in nature
  • 5.
    SACON 2017Physical Security Network& Data Center Security Hypervisors Security Virtual Machines & OS security Data layer & development platform Application Identity Management DATA Audit & Monitoring IaaS PaaS SaaS Consumer responsibility Provider responsibility The shared responsibility model
  • 6.
    SACON 2017 The CISOChallenge How to build secure applications How to correctly evaluate your provider IaaS/PaaS SaaS
  • 7.
    SACON 2017 Our focustoday IaaS PaaS SaaS
  • 8.
    SACON 2017 Terminology AWS IaaSPaaS Instance Image Snapshot ELB Root Account IAM user
  • 9.
    SACON 2017 Architecting foravailability US WEST Region AZ1 AZ2 AZ3 AZ4 Singapore Region AZ1 AZ2 AZ3 Mumbai Region AZ1 AZ2 Regions vs. Availability Zones
  • 10.
    SACON 2017 Architecting foravailability DB Mumbai AZ-1 DB DB Internet Load Balancer Redundancy in one region Mumbai AZ-2 WWWWWW WWW Mumbai AZ-3
  • 11.
    SACON 2017 Architecting foravailability DB US-EAST1 DB DB External CDN US-EAST2 2nd provider Redundancy in multiple regions/clouds WWWWWWWWW
  • 12.
    SACON 2017 Architecting foravailability • CDN providers can add resiliency, flexibility & redundancy • Look for vendors who can add functionality: DDOS protection Web application firewall Load Balancing DNS management
  • 13.
    SACON 2017 Architecting fornetwork separation Mumbai AZ-2 Mumbai AZ-3Mumbai AZ-1 DB WWW WWWWWW DBDB Understanding VPC (Virtual Private Cloud) / Virtual Network DB WWW WWWWWW DBDB VPC A: Production VPC B: Test
  • 14.
    SACON 2017 DB SubnetMNGT subnetWeb SUBNET WWW WWW Understanding VPC (Virtual Private Cloud) / Virtual Network WWW Router DB DB DB MQ Monitoring Logs Production VPC 192.168.0.0 192.168.2.0192.168.1.0 203.0.115.0 192.168.3.0 Architecting for network separation
  • 15.
    SACON 2017 Understanding VPC(Virtual Private Cloud) / Virtual Network VPC is logical grouping of subnets & instances, virtualizing physical data center features Architecting for network separation
  • 16.
    SACON 2017 Understanding Securitygroups Mumbai AZ-2 Mumbai AZ-3Mumbai AZ-1 WWW WWWWWW DBDB DB Security Group: web-servers Allow: 80/443 Security Group: DB-servers Allow: 3306 (MYSQL) Architecting for network separation
  • 17.
    SACON 2017 The advantagesof Micro Segmentation Architecting for network separation Traditional Micro segmentation
  • 18.
    SACON 2017 Additional VPCtools Architecting for network separation NAT Gateway Direct Connect Bastion Host VPN Gateway Network ACLs Flow logs
  • 19.
    SACON 2017 Architecting fornetwork separation Test VPC Router WWW Application DB Internet Production VPC WWW Application DB NAT Gateway Corporate network VPN Access VPC Bastion Host S3 EndPoint
  • 20.
    SACON 2017 Web ApplicationFirewall options Architecting for application separation 3rd party as a service Internal Provider service WAF Proxy inside cloud WAF client on web instances
  • 21.
    SACON 2017 Build applicationseparation Architecting for application separation Utilize MQ services to separate application components Use API Gateways & Serverless functions
  • 22.
    SACON 2017 Architecting forapplication separation Front End Back End Queue Service S3 Storage Serverless Function ApplicationServices
  • 23.
    SACON 2017 Architecting forapplication separation Front End Back End Queue Service
  • 24.
    SACON 2017 Limiting blastRadius Root Account IAM Admin Security Auditor Billing Admin Super Admin Service 1 Admin Service 2 Admin
  • 25.
    SACON 2017 Limiting blastRadius Organization Production account Test Account MNGT Account Production VPC WWW Application DB NAT Test VPC WWW Application DB NAT MNGT VPC WWW Application DB NAT
  • 26.
    SACON 2017 Understanding storageoptions Architecting for data security Volume Storage • Attached to a single instance • Not shared, accessible only from the instance • Useful in storing instance OS environment , application binaries , DB files and anything instances need to operate Object Storage • Provider managed • Files are placed in buckets • Versioning & meta data kept for all objects • Files are accessible by API or HTTP • Independent from AZ or instances dependencies • Useful for storing static applications data, backups, source code and config files Database service • Provider managed • Files are accessible by DB API • Vary between different services: (structured, unstructured and more) • Usually customer has no access to underlying DB infrastructure CDN • Cloud provider proprietary service or external 3rd party services • Provide flexibility and resiliency • Useful in serving static content at late latency • Usually accompanied by additional services: WAF, DDOS protection, Load balancer…
  • 27.
    SACON 2017 Volume storage Architectingfor data security Backups • Usually snapshots • Customer responsibility to keep snapshots inaccessible • Don’t keep application secrets on disk Redundancy • Not redundant • Access is made by a service on the instance OS (web service I.e) • If service fails, no access Encryption • Storage encryption with provider service (i.e. AWS KMS, Azure keyvault) • Or OS Level encryption software (i.e. truecrypt, bitlocker)
  • 28.
    SACON 2017 Object storage Architectingfor data security Backups • Keeps versioning system of files • External backups are recommended (explore provider services) Redundancy • Availability is responsibility of the provider • Increased availability can be achieved by replicating to other regions Encryption • Service side: Storage encryption with provider service (i.e. AWS KMS, Azure key vault) • Or Client side using provider SDK
  • 29.
    SACON 2017 Database Storage(Database as a service) Architecting for data security Backups • Automated backups are made by provider • External exports and backups should be made periodically, just as any other database Redundancy • Availability is responsibility of the provider but managed by customer • Architect multiple AZ Encryption • Service side: Storage encryption with provider service usually at the database level • TDE can be used here as well to encrypt at table/ column level
  • 30.
    SACON 2017 Encryption Architecting fordata security OS Storage DB Application Encryption Layer TDE Storage Encryption Full Disk Encryption Software KMS HSM Virtual instance KEYS
  • 31.
    SACON 2017 A rc h i t e c t i n g f o r C I / C D Source: Cloud Security Alliance Guidelines
  • 32.
    SACON 2017 A rc h i t e c t i n g f o r C I / C D Source : AWS Security best practices
  • 33.
    SACON 2017 A rc h i t e c t i n g f o r L o g M a n a g e m e n t Portal Logs • Cover API & GUI access Traffic Logs • Network traffic inside VPC Instances Logs • Extracted just like traditional OS
  • 34.
    SACON 2017 A rc h i t e c t i n g f o r M o n i t o r i n g Cloud Trail S3 SIEM Agent Cloud WATCH (Rules & Alerts) SNS (notifications) VPC Flow Logs OS Logs
  • 35.
  • 36.
    SACON 2017 KEEP INTOUCH Cloud Security Course Schedule can be find at: http://www.onlinecloudsec.com/course-schedule