Cloud Security and some preferred practices
•Download as PPTX, PDF•
0 likes•61 views
Cloud Security and some preferred practices. Security isn't easy, but here is why it matters, the difference between security and compliance and what we can do to implement it and mitigate some of the risks. Michael Pearce, DevOps Engineer @ Peak AI.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Cloud Security and some preferred practices
Similar to Cloud Security and some preferred practices (20)
More from Michael Pearce
More from Michael Pearce (11)
Recently uploaded
Recently uploaded (20)
Cloud Security and some preferred practices
- 1. Cloud Security And some preferred practices
- 2. “”Werner Vogels - CTO & VP, Amazon Web Services Dance like nobody's watching… Encrypt like everyone is! 2
- 3. Contents 1. Why Security Matters 2. Why Me? 3. Security vs Compliance 4. Encryption 5. Data Storage 6. Version Control 7. Environment Variables, Vaults, Encryption Utils 8. Vaults 9. Staying In The Network 10. Reducing Attack Vectors 11. Separating The Data
- 4. Costs of a breach Including but not limited to... Monetary Legal / Regulatory Reputation Crisis Services
- 5. Shared Responsibility AWS responsible for “Security of the Cloud” Vs Customer responsible for “Security in the Cloud” 5
- 6. Security vs Compliance Compliance isn’t enough - it should be the outcome, not the driver! Compliance can’t cover everything, and often isn’t enough. Threat Actors Don't Care if You're Compliant.
- 7. ● Sum of processes and features safeguarding your data ● Threat identification through proactive risk assessment ● Threat intelligence ● Active monitoring Security Cloud Security | peak.ai
- 8. (Generic blueprint for the security of certain kinds of data - governmental, non-profit, industry groups etc. Compliance ● Regulatory Orgs. provide standards set a minimum standard ● Enforced with Audits or Assessments (Only a snapshot!) ● Responsive opposed to Proactive, creating lag ● It should be the outcome, not the driver! Cloud Security | peak.ai
- 9. Security is inherently risk-based. Instead of measuring effectiveness based on adherence to prescribed controls, its success is defined by the ability to protect against and respond to threats. Protection as a metric isn’t always easy to track, but can’t be underappreciated – especially when a single data breach can ruin an organisation. Security vs Compliance
- 10. Encryption Basics Convert the data in some unreadable form Helps in protecting the privacy while sending the data from sender to receiver The Key The concept of encryption and decryption requires some extra information for encrypting and decrypting the data. Decryption On the receiver side, the data can be decrypted and can be brought back to its original form. The reverse of encryption is called as decryption. Asymmetric Encryption There may be cases when same key can be used for both encryption and decryption while in certain cases, encryption and decryption may require different keys.
- 11. Data Storage & Encryption Data (encryption) at Rest Data (encryption) in Transit
- 12. “”Don’t share them with your neighbours Don’t use the same key for your house as every other house on the street! 12
- 13. Don’t but keys and tokens in git! (Even private repositories) More common than you would think.. Always in the history But if you do… Revoke the key immediately Check audit trails for any malicious activity Create a new key and don’t make the same mistake! The same goes for passwords and other secret values Version Control Cloud Security | peak.ai
- 14. Environment Variables “Env Var” = Key/Value pair usually set outside of the program Used to decouple configuration from the application Dynamic variables, instead of hard coding and/or storing in git Not always secure (often stored in plain text), but a step forward Cloud Security | peak.ai
- 15. Vaults & Encryption Utilities There are many ‘vault’ services that can be used to store secrets ● Hashicorp Vault ● AWS Secrets Manager ● AWS Parameter Store (Secret Text) ● Key Vault for Azure Used for Infra As Code, Applications and more Encryption Utilities also help manage credentials and other secrets ● Credstash ● Git-crypt ● Java Keystore Cloud Security | peak.ai
- 16. Virtual Private Cloud Keep traffic in the boundaries, not out and back Service endpoints Specify as a target to route traffic directly to a service. E.g. S3, DynamoDB etc. Use Endpoint Policies to define access Often quicker and cheaper! Cloud Security | peak.ai
- 17. Reducing the Attack Vectors Network Security ● WAF ● Shield ● CloudFront ● Route 53 ● NACL / Security Groups Monitoring and Alerting ● Guard Duty ● CloudWatch Scaling in and out fast ● Load Balancers ● Autoscaling Cloud Security | peak.ai
- 18. Separating the Data Keeping people away from the data, and the data from the data AIS is a multi tenant platform (shared access to an interface), but ● Separated Data Storage and Processing ● Separate AWS accounts (Federated access and MFA) ● Role Based Access Control (RBAC) ● Separated Development Environments ● Abstraction layers Cloud Security | peak.ai
- 19. Design Principles (Review) Cloud Security | peak.ai ● Principle of least privileges (roles and not just users!) ● Enable traceability ● Security at all layers - firewalls, app security etc. ● Automate best practices - threat detection, response etc. ● Protect data in transit and at rest - confidentiality and integrity of the data ● Keep people away from the data - No prod data for dev! Use abstraction layers etc. ● Prepare for security events - priorities, who to contact, what to do to remediate etc.
- 20. “” Tools alone won’t transform and organisation, you need to change the mindset of the team. 20
- 21. Question Time
Editor's Notes
- The Mantra
- There will be lots of cross overs!
- Why Me? AWS doesn’t do it for us. They give us the tools but we are still responsible for configuring things properly - shared responsibility model.
- We often refer to compliance, regarding the “rules we should comply with”. But there is a difference between Security and Compliance. But it shouldn’t be the only thing, outcome not driver! Can’t cover everything, threat actors don’t care if you’re compliant! But it can also be a bit subjective e.g. changing passwords every 90 days.
- Security is the sum of processes and features safeguarding your data. Effective security requires threat identification through proactive risk assessment and threat intelligence as well as active monitoring and analysis of your network environment.
- Determined by governmental, non-profit or industry groups and serves as a generic blueprint for the security of certain kinds of data. The regulatory organizations that govern compliance standards issue them as a minimum bar for security. Enforcement is established through audits or assessments that are either self-administered or coordinated by a third party. Audits act as a snapshot of how your organization fared at one moment in time. And, as is common with regulatory standards, organizations that mandate compliance standards are often responsive as opposed to proactive – creating a lag time between when a threat emerges and when the prescribed solution is codified. For these reasons, organizations that let compliance drive their cloud security strategy (i.e. only focusing on passing their audits) ultimately limit their ability to remain secure long-term.
- In a simplest form, encryption is to convert the data in some unreadable form. This helps in protecting the privacy while sending the data from sender to receiver. On the receiver side, the data can be decrypted and can be brought back to its original form. The reverse of encryption is called as decryption. This information is known as key. The concept of encryption and decryption requires some extra information for encrypting and decrypting the data. There may be cases when same key can be used for both encryption and decryption while in certain cases, encryption and decryption may require different keys.
- Manage Confidentiality and integrity of the data
- Encryption Keys - just like passwords, tokens etc. Set a policy for who can access, who can use the key, and what the key can be used for.
- Internal endpoints instead of external dns names where possible
- We use a few different services for network security, mostly managed by AWS. WAF (web application firewall) Shield (DDoS protection) CloudFront (for content delivery and caching, but also an extra layer of highly scalable protection such as field-level encryption, enforced https etc). We also monitor and alert using Guard Duty that provides intelligent threat detection by monitoring and alerting for issues and anomalies on audit logs, vpc flow logs and dns logs.
- Keep people away from the data - no prod data for dev! And abstraction layers etc. Although AIS is a multi tenant platform which provides the tenants which shared access to an interface, all data storage and processing is separated by tenant on separate resources with no direct access between each other. PepsiCo have their own separate AWS account/environment for storing and processing data. Access to the resources to the resources is restricted only to employees at Peak that are conducting work relating to the project and use access is done using Federated access using Multi Factor Authentication. Development environments are also separated from the production environment, only authorised administrators have any access to the underlying infrastructure of the production environment for monitoring and debugging purposes where required.
- Strong identity foundation - least privileged (roles and not just users!) Enable traceability Security at all layers - firewalls, app security etc. Automate best practices - threat detection, response etc. Protect data in transit and at rest - confidentiality and integrity of the data Keep people away from the data - no prod data for dev! And abstraction layers etc. Prepare for security events - priorities, who to contact, what to do to remediate
- A repeat.. But still true!