Cloud Security
And some preferred practices
“Dance like nobody's watching… Encrypt like everyone is!”
Werner Vogels - CTO & VP, Amazon Web Services
Contents
1. Why Security Matters
2. Why Me?
3. Security vs Compliance
4. Encryption
5. Data Storage
6. Version Control
7. Environment Variables, Vaults, Encryption Utils
8. Vaults
9. Staying In The Network
10. Reducing Attack Vectors
11. Separating The Data
Costs of a breach
Including but not limited to...
Monetary
Legal / Regulatory
Reputation
Crisis Services
Shared Responsibility
AWS responsible for “Security of the Cloud”
Vs
Customer responsible for “Security in the Cloud”
Security vs Compliance
Compliance isn’t enough - it should be the
outcome, not the driver!
Compliance can’t cover everything, and often isn’t
enough. Threat Actors Don't Care if You're
Compliant.
Security
● Sum of processes and features safeguarding your data
● Threat identification through proactive risk assessment
● Threat intelligence
● Active monitoring
Cloud Security | peak.ai
Compliance
(Generic blueprint for the security of certain kinds of data - governmental, non-profit, industry groups etc.)
● Regulatory orgs provide standards that set a minimum bar
● Enforced with audits or assessments (only a snapshot!)
● Responsive as opposed to proactive, creating lag
● It should be the outcome, not the driver!
Security vs Compliance
Security is inherently risk-based.
Instead of measuring effectiveness based on adherence to prescribed controls, its success is defined by the ability to protect against and respond to threats.
Protection as a metric isn’t always easy to track, but can’t be underappreciated – especially when a single data breach can ruin an organisation.
Encryption
Basics
Converts the data into some unreadable form.
Helps protect privacy while sending the data from sender to receiver.
The Key
Encryption and decryption require some extra information, known as the key, for encrypting and decrypting the data.
Decryption
On the receiver side, the data can be decrypted and brought back to its original form. The reverse of encryption is called decryption.
Asymmetric Encryption
In some cases the same key can be used for both encryption and decryption (symmetric); in other cases encryption and decryption require different keys (asymmetric).
Data Storage & Encryption
Data (encryption) at Rest
Data (encryption) in Transit
“Don’t share them with your neighbours. Don’t use the same key for your house as every other house on the street!”
Version Control
Don’t put keys and tokens in git! (Even private repositories)
More common than you would think…
Always in the history
But if you do…
Revoke the key immediately
Check audit trails for any malicious activity
Create a new key and don’t make the same mistake!
The same goes for passwords and other secret values
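"Always in the history" is the point that catches people out: deleting a key in a later commit does not remove it from the repository, so the only fix is to revoke it. The scanner below is an added example for this page, not code from the deck or from Peak. It walks `git log -p` output and flags added lines that look like credentials, attributing each finding to the commit that introduced it. The regular expressions are simple shapes (the `AKIA…` form is AWS's documented access key ID format) and the sample log is constructed, using AWS's published example credentials rather than real ones; findings are reported redacted so the scanner's own output does not become a second copy of the secret.

```python
import re
from typing import List, Tuple

# Credential shapes to look for. These are deliberately simple; real scanners
# add entropy checks and many more provider-specific formats.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "generic_secret": re.compile(
        r"(?i)(password|passwd|token|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}

# Constructed `git log -p` excerpt: the first commit adds credentials, the
# second "removes" them. The values are AWS's documented example credentials.
SAMPLE_LOG = """\
commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
Author: dev <dev@example.com>

    add deploy config

diff --git a/config.py b/config.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_PASSWORD = "hunter2hunter2"
commit 9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6
Author: dev <dev@example.com>

    remove hardcoded creds

diff --git a/config.py b/config.py
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
"""


def redact(value: str) -> str:
    """Keep enough to recognise the finding without reproducing the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_git_history(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Return (commit, kind, line_no, redacted_match) for every added line in
    `git log -p` output that matches a credential pattern. Only '+' lines are
    checked, so each secret is attributed to the commit that introduced it; a
    later '-' line does not clear the finding, because the value remains in
    history until the key itself is revoked."""
    findings = []
    commit = "?"
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("commit "):
            commit = line.split()[1][:12]
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line[1:]):
                # Report the innermost captured group (the value), or the whole
                # match for patterns without groups.
                findings.append((commit, kind, line_no, redact(m.group(m.lastindex or 0))))
    return findings


if __name__ == "__main__":
    for commit, kind, line_no, match in scan_git_history(SAMPLE_LOG):
        print(f"{commit}  line {line_no:<4} {kind:<22} {match}")
```

Run it against a real repository with `git log -p --all | python scan.py` (reading stdin instead of `SAMPLE_LOG`); `--all` matters, because a secret can survive on a branch or tag that was never merged. Every finding is a key to revoke, not a line to delete.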
Environment Variables
“Env Var” = Key/Value pair usually set outside of the program
Used to decouple configuration from the application
Dynamic variables, instead of hard coding and/or storing in git
Not always secure (often stored in plain text), but a step forward
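Why "not always secure": an environment variable is plain text in the process, and every child process the program spawns inherits it unless you say otherwise. The block below is an added example for this page, not code from the deck or from Peak. It launches a child Python process twice, once with the parent's full environment and once with a scrubbed copy, and reports what the child could read. `SECRET_NAMES` and the `DB_PASSWORD` value are constructed for the demo.

```python
import os
import subprocess
import sys
from typing import Dict, Optional

# Constructed: names of variables that should never reach helper processes.
SECRET_NAMES = {"DB_PASSWORD", "AWS_SECRET_ACCESS_KEY", "API_TOKEN"}


def child_sees(var: str, env: Dict[str, str]) -> Optional[str]:
    """Spawn a child interpreter with `env` and return the value it reads for
    `var`, or None if the child cannot see it. This is exactly what any
    subprocess (shell, build tool, plugin) would see."""
    proc = subprocess.run(
        [sys.executable, "-c", f"import os; print(os.environ.get({var!r}, ''))"],
        env=env, capture_output=True, text=True, check=True)
    value = proc.stdout.strip()
    return value or None


def scrubbed_env(env: Dict[str, str], secret_names=SECRET_NAMES) -> Dict[str, str]:
    """Copy of `env` with secret-bearing variables removed; pass this to
    subprocess calls instead of inheriting the parent's environment."""
    return {k: v for k, v in env.items() if k not in secret_names}


def demo():
    """Return (what the child saw with inherited env, what it saw after scrubbing)."""
    env = dict(os.environ, DB_PASSWORD="constructed-example-password")
    leaked = child_sees("DB_PASSWORD", env)
    kept_out = child_sees("DB_PASSWORD", scrubbed_env(env))
    return leaked, kept_out


if __name__ == "__main__":
    leaked, kept_out = demo()
    print("inherited environment ->", leaked)
    print("scrubbed environment  ->", kept_out)
```

On Linux the same value is also readable from `/proc/<pid>/environ` by anything running as the same user, and it will appear in crash dumps and in any "print the environment" debug endpoint; scrubbing before `subprocess` closes the inheritance path, while a vault keeps the value out of the environment altogether.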
Vaults & Encryption Utilities
There are many ‘vault’ services that can be used to store secrets
● HashiCorp Vault
● AWS Secrets Manager
● AWS Parameter Store (Secret Text)
● Key Vault for Azure
Used for Infra As Code, Applications and more
Encryption Utilities also help manage credentials and other secrets
● Credstash
● Git-crypt
● Java Keystore
Virtual Private Cloud
Keep traffic in the boundaries, not out and back
Service endpoints
Specify as a target to route traffic directly to a service.
E.g. S3, DynamoDB etc.
Use Endpoint Policies to define access
Often quicker and cheaper!
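An endpoint policy is an IAM-style document attached to the VPC endpoint itself, so even a principal with broad S3 permissions can only reach the buckets the endpoint allows. The block below is an added example for this page, not code from the deck or from Peak: a constructed gateway-endpoint policy for S3 that allows object and listing access to two example tenant buckets and explicitly denies any delete action, plus a deliberately simplified evaluator that applies the core IAM rule (an explicit Deny wins, otherwise an Allow, otherwise implicit Deny). The evaluator ignores `Principal`, `Condition`, `NotAction` and `NotResource`, which is why the sample policy uses `"Principal": "*"`; it is a way to reason about and unit-test a policy offline, not a replacement for the IAM policy simulator. Bucket names are placeholders.

```python
import fnmatch
import json

# Constructed example endpoint policy. Through this endpoint, workloads may
# read, write and list only the two tenant buckets, and may never delete.
ENDPOINT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowTenantBuckets",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-tenant-a", "arn:aws:s3:::example-tenant-a/*",
        "arn:aws:s3:::example-tenant-b", "arn:aws:s3:::example-tenant-b/*"
      ]
    },
    {
      "Sid": "DenyDelete",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:Delete*",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?'). Action names compare
    case-insensitively; resource ARNs are case-sensitive."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Simplified IAM evaluation for one request against one policy.
    Returns 'ExplicitDeny', 'Allow' or 'ImplicitDeny'. Principal and
    Condition elements are not evaluated (assumption for this example)."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if (_matches(statement["Action"], action, fold_case=True)
                and _matches(statement["Resource"], resource)):
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny always wins
            decision = "Allow"
    return decision


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-tenant-a/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::some-other-bucket/x"),
                     ("s3:DeleteObject", "arn:aws:s3:::example-tenant-a/report.csv")]:
        print(f"{act:<16} {res:<45} {evaluate(ENDPOINT_POLICY, act, res)}")
```

Keeping the policy as a JSON document in the repository next to this kind of test means a change that accidentally widens the `Resource` list to `*` fails a unit test before it reaches the endpoint.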
Reducing the Attack Vectors
Network Security
● WAF
● Shield
● CloudFront
● Route 53
● NACL / Security Groups
Monitoring and Alerting
● GuardDuty
● CloudWatch
Scaling in and out fast
● Load Balancers
● Autoscaling
Separating the Data
Keeping people away from the data, and each tenant’s data away from other tenants’ data
AIS is a multi-tenant platform (shared access to an interface), but
● Separated data storage and processing
● Separate AWS accounts (federated access and MFA)
● Role Based Access Control (RBAC)
● Separated development environments
● Abstraction layers
Design Principles
(Review)
● Principle of least privilege (roles and not just users!)
● Enable traceability
● Security at all layers - firewalls, app security etc.
● Automate best practices - threat detection, response etc.
● Protect data in transit and at rest - confidentiality and
integrity of the data
● Keep people away from the data - No prod data for dev! Use
abstraction layers etc.
● Prepare for security events - priorities, who to contact, what
to do to remediate etc.
“Tools alone won’t transform an organisation, you need to change the mindset of the team.”
Question Time

Editor's Notes

  • #3 The Mantra
  • #4 There will be lots of cross overs!
  • #6 Why Me? AWS doesn’t do it for us. They give us the tools but we are still responsible for configuring things properly - shared responsibility model.
  • #7 We often refer to compliance as the “rules we should comply with”. But there is a difference between security and compliance. Compliance shouldn’t be the only thing - outcome, not driver! It can’t cover everything, and threat actors don’t care if you’re compliant. It can also be a bit subjective, e.g. changing passwords every 90 days.
  • #8 Security is the sum of processes and features safeguarding your data. Effective security requires threat identification through proactive risk assessment and threat intelligence as well as active monitoring and analysis of your network environment.
  • #9 Determined by governmental, non-profit or industry groups and serves as a generic blueprint for the security of certain kinds of data. The regulatory organizations that govern compliance standards issue them as a minimum bar for security. Enforcement is established through audits or assessments that are either self-administered or coordinated by a third party. Audits act as a snapshot of how your organization fared at one moment in time. And, as is common with regulatory standards, organizations that mandate compliance standards are often responsive as opposed to proactive – creating a lag time between when a threat emerges and when the prescribed solution is codified. For these reasons, organizations that let compliance drive their cloud security strategy (i.e. only focusing on passing their audits) ultimately limit their ability to remain secure long-term.
  • #11 In its simplest form, encryption converts the data into some unreadable form. This helps protect privacy while sending the data from sender to receiver. On the receiver side the data can be decrypted and brought back to its original form; the reverse of encryption is called decryption. Encryption and decryption require some extra information, and this information is known as the key. In some cases the same key can be used for both encryption and decryption, while in other cases encryption and decryption require different keys.
  • #12 Manage Confidentiality and integrity of the data
  • #13 Encryption Keys - just like passwords, tokens etc. Set a policy for who can access, who can use the key, and what the key can be used for.
  • #17 Internal endpoints instead of external dns names where possible
  • #18 We use a few different services for network security, mostly managed by AWS: WAF (web application firewall), Shield (DDoS protection) and CloudFront (for content delivery and caching, but also an extra layer of highly scalable protection such as field-level encryption, enforced HTTPS etc.). We also monitor and alert using GuardDuty, which provides intelligent threat detection by monitoring and alerting on issues and anomalies in audit logs, VPC flow logs and DNS logs.
  • #19 Keep people away from the data - no prod data for dev! And abstraction layers etc. Although AIS is a multi-tenant platform that gives tenants shared access to an interface, all data storage and processing is separated by tenant on separate resources with no direct access between them. PepsiCo have their own separate AWS account/environment for storing and processing data. Access to the resources is restricted to employees at Peak who are conducting work relating to the project, and access is via federated access with multi-factor authentication. Development environments are also separated from the production environment; only authorised administrators have any access to the underlying infrastructure of the production environment, for monitoring and debugging purposes where required.
  • #20 Strong identity foundation - least privilege (roles and not just users!). Enable traceability. Security at all layers - firewalls, app security etc. Automate best practices - threat detection, response etc. Protect data in transit and at rest - confidentiality and integrity of the data. Keep people away from the data - no prod data for dev! And abstraction layers etc. Prepare for security events - priorities, who to contact, what to do to remediate.
  • #21 A repeat.. But still true!