#RSAC
CLOUD SECURITY ESSENTIALS 2.0
CRAWL. WALK. RUN.
Javier Godinez, Principal DevSecOps Architect, Intuit
Shannon Lietz, Director, DevSecOps & Security Eng, Intuit
@devsecops

Uh… where do these go?
(Image: http://donsmaps.com/images22/mutta1200.jpg)

Let’s switch some things around…
Data Center
Network
Servers
Virtualization
Operations
Platforms
Buyer Identifier
Cloud Account(s)
Virtual IP Addresses
Containerization
Appliances
Storage
Security Features
Applications
Ephemeral Instances
Scale on Demand
IAAS, PAAS, SAAS
Resource Testing
Built-In Security
Long-Term Contracts
Partner Marketplaces
Slow-ish Decisions
Experiments

The Basic Cloud Model
(Diagram) Internet → Cloud Provider Network backbone → Cloud Platform (Orchestration) layered over Network, Compute and Storage → one or more Cloud Account(s).
Inside the account(s): Load Balancers, Compute Instances, VPCs, Block Storage, Object Storage, Relational Databases, NoSQL Databases, Containers, Content Acceleration, Messaging, Email, Utilities, Key Management, API/Templates, Certificate Management, Partner Platform.

Reality…
(Diagram) The Internet connecting several Cloud Provider Networks and several Data Centers at once, not the single provider of the basic model.

(Image: https://www.flickr.com/photos/comedynose)

Developers have lots of options…

And Attackers also have lots of options…

DevOps brings mega-change!
This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.
http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
… And maybe that’s a good thing!

Top 5 Cloud Security Principles 2.0
1. The Cloud is not a Datacenter.
2. Reduce blast radius; play the odds.
3. Encryption is inconvenient.
4. Speed & Ease is both Friend & Foe.
5. Protection is ideal; Detection is a must!

The Cloud is not a Datacenter.

VPNs that connect to Clouds are evil!
(Diagram) A Data Center (private 10.0.0.0/8, remote access, software VPN or managed VPN) joined by VPN to a Cloud Provider Network (public subnets carrying APP and DATABASE tiers, plus the Cloud Web Console and API Credentials).
“NEW” BOUNDARY HAS ALL THE WEAKNESSES OF BOTH AND MIXES TWO DIFFERENT SECURITY MODELS!
The questions that surface once the two are joined: Connected & routable? No IDS? What do you mean the IP could change? Tags? Security Groups? SDE?

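The first of those questions, "connected and routable?", can be answered from the account's own route tables and security groups. The script below is an added example, not code from the deck or from Intuit: it walks data in the shape of EC2 DescribeRouteTables / DescribeSecurityGroups (constructed inline, hypothetical IDs), reports every subnet reachable over a VPN-style gateway, and then reports ingress rules that admit those datacenter ranges or the whole Internet. It assumes the site-to-site VPN lands on a virtual private or transit gateway (the `vgw-`/`tgw-`/`vpn-` prefixes) and ignores IPv6 ranges.

```python
"""Find where a datacenter VPN makes cloud subnets routable, and which
security groups then let that flat network in. Constructed data in the
shape of EC2 DescribeRouteTables / DescribeSecurityGroups (hypothetical IDs)."""
from ipaddress import ip_network

# Assumption: the site-to-site VPN terminates on a virtual private or transit gateway.
VPN_GATEWAY_PREFIXES = ("vgw-", "tgw-", "vpn-")

ROUTE_TABLES = [  # constructed sample
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [
         {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "10.0.0.0/8", "GatewayId": "vgw-0abc", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def", "State": "active"},
     ]},
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [
         {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local", "State": "active"},
     ]},
]
SECURITY_GROUPS = [  # constructed sample
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.50.0.0/16"}]},
    ]},
]


def _target(route):
    # The route target lives under different keys depending on the gateway type.
    return route.get("GatewayId") or route.get("TransitGatewayId") or route.get("NatGatewayId") or ""


def vpn_routes(route_tables):
    """Active routes whose target is a VPN-style gateway: (rtb id, subnet ids, destination, gateway)."""
    found = []
    for rtb in route_tables:
        subnets = [a["SubnetId"] for a in rtb.get("Associations", []) if "SubnetId" in a]
        for route in rtb.get("Routes", []):
            gw = _target(route)
            if route.get("State") == "active" and gw.startswith(VPN_GATEWAY_PREFIXES):
                found.append((rtb["RouteTableId"], subnets, ip_network(route["DestinationCidrBlock"]), gw))
    return found


def local_cidrs(route_tables):
    """CIDRs the VPC itself owns (routes targeting 'local'); traffic from these is not the datacenter."""
    return {ip_network(r["DestinationCidrBlock"])
            for rtb in route_tables for r in rtb.get("Routes", []) if _target(r) == "local"}


def audit(route_tables, security_groups):
    """Return findings: VPN-routable subnets, and ingress rules open to the VPN ranges or the Internet."""
    findings = []
    vpn = vpn_routes(route_tables)
    local = local_cidrs(route_tables)
    for rtb_id, subnets, dest, gw in vpn:
        for subnet in subnets:
            findings.append(f"{subnet}: {rtb_id} routes {dest} via {gw}; datacenter hosts in that range can reach this subnet")
    vpn_dests = [dest for _, _, dest, _ in vpn]
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ports = f"{perm.get('IpProtocol')}/{perm.get('FromPort')}-{perm.get('ToPort')}"
            for rng in perm.get("IpRanges", []):   # IPv4 only; Ipv6Ranges are not examined here
                src = ip_network(rng["CidrIp"])
                if src.prefixlen == 0:
                    findings.append(f"{sg['GroupId']}: {ports} open to the Internet ({src})")
                elif any(cidr.version == src.version and src.subnet_of(cidr) for cidr in local):
                    continue  # source is inside the VPC itself, not the datacenter
                elif any(dest.version == src.version and src.overlaps(dest) for dest in vpn_dests):
                    findings.append(f"{sg['GroupId']}: {ports} allows {src}, which the VPN routes to the datacenter")
    return findings


if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, SECURITY_GROUPS):
        print(line)
```

On the sample, `sg-db` is silent because its only source is the VPC's own CIDR, while `sg-app` is flagged twice: SSH from the entire 10.0.0.0/8 that the VPN carries, and HTTPS from anywhere. Run the same logic against the real API output from every account, not just the one the VPN was "meant" for; the slide's point is that the datacenter's flat address space becomes a source range in every account the tunnel reaches.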
Host-Based Controls
Shared Responsibility and Cloud require host-based controls.
Instrumentation is everything!
Fine-grained controls require more scrutiny and bigger big data analysis.
(Diagram) Instances in the Cloud Provider Network emitting an event stream: Tested machine image… Tested instances... Tested roles... Tested passwords... New instance created… Instance 12345 changed… User ABC accessed Instance 12345...

Lights out…
Lights out datacenters have always been a desired nirvana.
Automation is required to stack and replace cloud workloads.
Cloud security benefits are derived from lights out:
Automation & Instrumentation
Ephemeral Bastions
Drift Management
Security Testing
(Diagram) A Bastion and instances in the Cloud Provider Network emitting the same event stream: Tested machine image… Tested instances... Tested roles... Tested passwords... New instance created… Instance 12345 changed… User ABC accessed Instance 12345...

Long live APIs…
Everything in the cloud should be an API, even Security…
Protocols that are not cloudy should not span across environments.
If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it:
Messaging
Databases
File Transfers
Logging
(Diagram) User Routing, Data Replication, Application Gateway, File Transfers, Log Sharing and Messaging all entering the Cloud Provider Network through “My API”, with the instance event stream alongside.

(Image: https://www.flickr.com/photos/mountainbread)

Blast Radius is a real thing…

Beware of Orchestrators…
Orchestration creates blast radius because it centralizes the deployment/security for cloud workloads.
Tools that act on your behalf usually require credentials and create blind spots.
Non-native tools require specialized skills and make it difficult to gain context on what the right behavior should be.
(Diagram) One Cloud Orchestration Platform holding secrets for Cloud Accounts A, B and C, and the question it leaves open: What’s normal?

Account Sharding is a new control!
Splitting cloud workloads into many accounts has a benefit.
Accounts should contain less than 100% of a cloud workload.
Works well with APIs; works dismally with forklifts.
What is your appetite for risk?
(Diagram) Cloud Workload Templates deployed 33% / 33% / 33% across three Cloud Accounts; an attacker who gets into one account only reaches that account’s share.

MFA is a MUST!
Passwords don’t work.
Passwords aren’t enough to protect infrastructure.
Use MFA to protect user accounts and API credentials used by humans.
On some cloud platforms it is possible to make roles work only when MFA is provided and for certain actions to require MFA.
(Diagram) Implement cloud template… API Credentials accepted... Please input your MFA token: XXXXXX (123456) Cloud stack 123 has been implemented.

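The two cases on this slide, a role that only works with MFA and individual actions that require it, map to a trust-policy condition and an explicit Deny. The block below is an added example, not part of the deck: it builds both policy documents (hypothetical account ID) and includes a minimal evaluator for the `Bool` and `BoolIfExists` operators only, modelling their documented behaviour on a missing key rather than reproducing the provider's policy engine. The point it demonstrates is the caveat practitioners trip over: long-term access keys carry no `aws:MultiFactorAuthPresent` key at all, so a Deny written with `Bool` never fires for them.

```python
"""MFA gating for roles and for sensitive actions, and why the Deny form
must use BoolIfExists. Minimal evaluator for the two condition operators
involved; it models the documented semantics, it is not the provider's
policy engine. Account ID and action list are hypothetical."""
import json

SENSITIVE_ACTIONS = ["iam:*", "ec2:TerminateInstances", "kms:ScheduleKeyDeletion"]

# Trust policy: the role can only be assumed from a session that already carries MFA.
# Allow + Bool true is safe: a missing key simply means the Allow does not match.
MFA_ONLY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # hypothetical account
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}


def deny_without_mfa(operator):
    """Identity policy denying sensitive actions unless MFA was used; operator is Bool or BoolIfExists."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySensitiveWithoutMFA",
            "Effect": "Deny",
            "Action": SENSITIVE_ACTIONS,
            "Resource": "*",
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


WEAK_POLICY = deny_without_mfa("Bool")             # looks right, but long-term access keys slip through
CORRECT_POLICY = deny_without_mfa("BoolIfExists")  # a missing key counts as "no MFA"

# Request contexts. Temporary credentials carry the key as "true" or "false";
# long-term access keys do not carry it at all.
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY = {}


def _action_matches(pattern, action):
    svc, _, name = pattern.partition(":")
    a_svc, _, a_name = action.partition(":")
    return svc == a_svc and (name == "*" or name == a_name)


def _condition_matches(condition, context):
    """Bool: a missing key never matches. BoolIfExists: a missing key matches."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, wanted in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def denied(policy, action, context):
    """True if any Deny statement applies to action under context; an explicit Deny always wins."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(_action_matches(p, action) for p in actions) and _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(CORRECT_POLICY, indent=2))
    for name, ctx in (("MFA session", MFA_SESSION), ("no-MFA session", NO_MFA_SESSION), ("access key", ACCESS_KEY)):
        print(f"{name:15} weak denies: {denied(WEAK_POLICY, 'ec2:TerminateInstances', ctx)!s:5} "
              f"corrected denies: {denied(CORRECT_POLICY, 'ec2:TerminateInstances', ctx)}")
```

The asymmetry is the thing to remember: a condition inside an Allow fails closed when the key is missing, a condition inside a Deny fails open. Automation principals (instance roles, CI) will never carry MFA, so scope the Deny to the actions and principals the slide names, API credentials used by humans, or the pipeline is the first thing it breaks.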
Cloud Disaster Recovery is a different animal…
Regional recovery is not enough to cover security woes.
Security events can quickly escalate to disasters.
Got a disaster recovery team?
Multi-Account strategies with separation of duties can help.
Don’t hard code if you can help it.
Encryption is inconvenient, but necessary…
(Diagram) Cloud Workload Templates split 50% / 50% across two Cloud Accounts, with separate Disaster Templates able to rebuild the workload into further Cloud Accounts.

(Image: https://www.flickr.com/photos/ideonexus)

Encryption is a necessary evil…
It helps with Safe Harbor.
It helps with SQL Injection (what an injection can read out of an encrypted column is ciphertext, not data).
It helps with Data Ownership.
It helps with Privacy.
It’s not a silver bullet…
(Diagram) Across Cloud Accounts: Secrets Management and Key Management & Encryption feeding an Instance, its App, DB and Disk, and a Managed Service.

So much inconvenience
It can limit scale and it may narrow design options.
Scalable Key Management is really hard in the cloud.
Inconvenience commonly comes from blue/green changes, dynamic environments & sharing secrets for auto-scale.
(Diagram) One Secrets Management service feeding a dozen Instances and their Disks across two Cloud Accounts, plus APP and DB pairs; caption: Phew, I’m exhausted.

Overcoming Inconvenience
Use built-in transparent encryption when possible.
Use native cloud key management and encryption when available.
Develop backup strategies for keys and secrets.
Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor.
Use APIs to exchange data and rotate encryption.
(Diagram) As before: Secrets Management and Key Management & Encryption feeding Instance, App, DB, Disk and a Managed Service across Cloud Accounts.

(Image: https://www.flickr.com/photos/sreybhtiek)

Speed & Ease can create problems…
Overloaded terms like “Policy” can cause confusion for DevOps and Security teams.
Applying broad controls to narrow problems can create gaps.
Security reviews are too slow…
Mistakes can and do happen!!
Security scanners and testing tools are not yet available for solving these speed & ease challenges.
(Diagram) A search for DEVOPS SECURITY, CLOUD SECURITY POLICIES, SECURITY AS CODE returning “Page 3 of 433” of How do I? / Did you mean? / What is? results; caption: Sigh… It’s like we aren’t speaking the same language…

Mixed modes don’t work
Forklifts are not a good idea because the original controls operate differently.
Systems designed for waterfall don’t have an easy path to achieve agile.
Fragile applications in the cloud are easy pickings for attackers!
(Image caption) MAN – THIS SHELL IS HEAVY!

Code can solve the divide
Paper-resident policies do not stand up to constant cloud evolution and lessons learned.
Translation from paper to code can lead to mistakes.
Traditional security policies do not translate 1:1 to Full Stack deployments.
(Diagram) DataCenter policy: LOCK YOUR DOORS, BADGE IN, AUTHORIZED PERSONNEL ONLY, BACKGROUND CHECKS. CloudProviderNetwork policy: CHOOSE STRONG PASSWORDS, USE MFA, ROTATE API CREDENTIALS, CROSS-ACCOUNT ACCESS. The cloud side is expressed as EVERYTHING AS CODE, set against the “Page 3 of 433” search results.

Speed & Ease can increase security!
Fast remediation can remove an attack path quickly.
Resolution can be achieved in minutes compared to months in a datacenter environment.
Continuous Delivery has the advantage of being able to publish over an attacker.
Built-in forensic snapshots and blue/green publishing can allow systems to be recovered while an investigation takes place.
(Diagram) APP/DB stacks in three states: ATTACKED, FORENSICS (the snapshot kept for investigation) and RECOVERED (the freshly published stack).

(Image: https://www.flickr.com/photos/waltstoneburner)

Shift controls & mindset
(Diagram) Security Monitoring

Cloud Security is a Big Data Challenge…
DevOps + Security is the biggest big data challenge ahead.
Use Attack Models and choose the right Data Sources to discover attacks in near real-time.
Develop a scientific approach to help DevOps teams get the security feedback loop they have been looking for.
Data sources:
• Web Access Logs
• Java Instrumentation
• Proxy Logs
• DNS Logs

Cloud Security Feedback Loop
(Diagram) Cloud accounts (S3, Glacier, EC2, CloudTrail) → ingestion, joined with threat intel → security tools & data → security science → insights, which feed back into the cloud accounts.

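What "attack models over the right data source" looks like in practice, for the CloudTrail feed in this loop and for the Host-Based Controls event stream earlier ("Instance 12345 changed…", "User ABC accessed Instance 12345…"): a handful of rules, each a small function, run over every record. This is an added example, not code from the deck or from Intuit. The records are constructed in CloudTrail's documented field layout (`userIdentity`, `sessionContext.attributes.mfaAuthenticated`, `additionalEventData.MFAUsed`, `requestParameters`); the account ID, instance IDs, the `deploy-role` name, the corporate egress address and the sensitive-action list are hypothetical and would be replaced with the real ones.

```python
"""Attack-model rules run over CloudTrail records: console login without
MFA, sensitive API call by a human without MFA, instance mutated outside
the deploy pipeline, call from an unexpected source address. Constructed
records in CloudTrail's documented shape; IDs and names are hypothetical."""
import json

DEPLOY_ROLE = "deploy-role"        # assumption: the CD pipeline's role name
CORP_EGRESS = {"203.0.113.10"}     # assumption: known office/VPN egress (documentation range)
SENSITIVE = {"TerminateInstances", "DeleteTrail", "StopLogging", "PutUserPolicy", "CreateAccessKey"}
INSTANCE_MUTATIONS = {"RunInstances", "ModifyInstanceAttribute", "TerminateInstances"}

SAMPLE_RECORDS = [  # constructed
    {"eventTime": "2016-03-01T09:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2016-03-01T09:05:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-03-01T09:10:00Z", "eventName": "ModifyInstanceAttribute", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/deploy-role/pipeline-42",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"instanceId": "i-12345", "attribute": "userData"}},
    {"eventTime": "2016-03-01T09:12:00Z", "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-12345"}]}}},
    {"eventTime": "2016-03-01T09:15:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "autoscaling.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/deploy-role/asg"}},
]
SAMPLE_TRAIL = json.dumps({"Records": SAMPLE_RECORDS})  # the shape of a delivered CloudTrail log file


def load_trail(text):
    """Accept a CloudTrail log file ({"Records": [...]}), a bare JSON list, or newline-delimited records."""
    try:
        doc = json.loads(text)
        return doc["Records"] if isinstance(doc, dict) else doc
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal(rec):
    ui = rec.get("userIdentity", {})
    return ui.get("arn") or ui.get("userName") or ui.get("type", "unknown")


def mfa_authenticated(rec):
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def instance_ids(rec):
    # EC2 calls name instances either as a single instanceId or as instancesSet.items[].
    params = rec.get("requestParameters") or {}
    ids = [params["instanceId"]] if "instanceId" in params else []
    ids += [i["instanceId"] for i in params.get("instancesSet", {}).get("items", []) if "instanceId" in i]
    return ids


def rule_console_login_without_mfa(rec):
    if rec.get("eventName") == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
        return "console login without MFA"


def rule_sensitive_call_without_mfa(rec):
    if rec.get("eventName") in SENSITIVE and rec.get("userIdentity", {}).get("type") == "IAMUser" \
            and not mfa_authenticated(rec):
        return f"{rec['eventName']} by a human principal without MFA"


def rule_instance_changed_outside_pipeline(rec):
    if rec.get("eventName") in INSTANCE_MUTATIONS and f":assumed-role/{DEPLOY_ROLE}/" not in principal(rec):
        return f"instances {instance_ids(rec)} changed outside the deploy pipeline"


def rule_unexpected_source_ip(rec):
    ip = rec.get("sourceIPAddress", "")
    if ip and not ip.endswith(".amazonaws.com") and ip not in CORP_EGRESS:  # service-originated calls carry a hostname
        return f"call from unexpected source {ip}"


RULES = [rule_console_login_without_mfa, rule_sensitive_call_without_mfa,
         rule_instance_changed_outside_pipeline, rule_unexpected_source_ip]


def detect(records):
    """Run every rule over every record; one alert per (record, rule) hit."""
    alerts = []
    for rec in records:
        for rule in RULES:
            detail = rule(rec)
            if detail:
                alerts.append({"rule": rule.__name__, "time": rec.get("eventTime"),
                               "principal": principal(rec), "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_trail(SAMPLE_TRAIL)):
        print(alert)
```

On the sample the pipeline's own `ModifyInstanceAttribute` is silent and every alert lands on `user/bob`: a console login without MFA from an unknown address, then a termination of the same instance by a human session that never presented MFA. That is the "what's normal?" baseline the Orchestrators slide asked for, written down as code: the deploy role is normal, a human touching instances directly is not.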
(Image: https://www.flickr.com/photos/atomicbartbeans)

Safe experimentation is critical…
Test possible solutions, arrive at Good Enough.
Crawl-Walk-Run plans can save your org from large-scale incidents.
Keep up with Lessons Learned!

Don’t Hug Your Instances… (10 DAYS)
Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.
Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.
Make sure to keep a snapshot for forensic and compliance purposes.
Use config management automation to make changes part of the stack.
Refresh routinely; refresh often!

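The 10-day rule is easy to check mechanically, with one refinement the slide's "baking in patching" implies: an instance launched yesterday from an image built two months ago is young by launch time but carries two-month-old packages, so the image's build date has to count too. The block below is an added example, not code from the deck; it runs over constructed DescribeInstances-shaped data (hypothetical IDs), takes image build dates as a dict in the shape of DescribeImages `CreationDate`, and pins the clock so the result is reproducible.

```python
"""Flag instances that have outlived the replacement window, and instances
that are young but were launched from an image that is itself stale.
Constructed DescribeInstances-shaped data with hypothetical IDs; fixed clock."""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=10)                       # the deck's "at least every 10 days"
NOW = datetime(2016, 3, 14, tzinfo=timezone.utc)   # fixed for the example; use datetime.now(timezone.utc) in practice

INSTANCES = [  # constructed
    {"InstanceId": "i-0a", "ImageId": "ami-jan", "LaunchTime": "2016-03-01T08:00:00Z"},
    {"InstanceId": "i-0b", "ImageId": "ami-jan", "LaunchTime": "2016-03-10T08:00:00Z"},
    {"InstanceId": "i-0c", "ImageId": "ami-mar", "LaunchTime": "2016-03-10T08:00:00Z"},
]
IMAGE_BUILT = {"ami-jan": "2016-01-15T00:00:00Z", "ami-mar": "2016-03-08T00:00:00Z"}  # DescribeImages CreationDate


def parse_ts(value):
    """Timestamps in the API output are ISO 8601 in UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_instances(instances, image_built, now=NOW, max_age=MAX_AGE):
    """Return [{InstanceId, ImageId, reasons}] for every instance that should be replaced."""
    out = []
    for inst in instances:
        reasons = []
        if now - parse_ts(inst["LaunchTime"]) > max_age:
            reasons.append("instance_age")
        built = image_built.get(inst["ImageId"])
        if built is None:
            reasons.append("image_unknown")     # freshness cannot be proven: treat as stale
        elif now - parse_ts(built) > max_age:
            reasons.append("image_age")         # a fresh launch of an old image carries old packages
        if reasons:
            out.append({"InstanceId": inst["InstanceId"], "ImageId": inst["ImageId"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for item in stale_instances(INSTANCES, IMAGE_BUILT):
        print(item)
```

Here `i-0a` is stale on both counts, `i-0b` only because its image is, and `i-0c` passes. Feed the list into the blue/green pipeline rather than a ticket queue: the slide's point is that replacement, not patching in place, is the remediation.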
Use Cloud Native Security Features...
Cloud native security features are designed to be cloudy.
Audit is a primary need!
Configuration and baseline checks baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.
Be deliberate about how to use built-in security controls and who has access.

Security as Code… gotta do it.

Apply what you learned today…
Next week you should:
Understand how your organization is using, or plans to use, cloud providers
Identify cloud workloads and the virtual blast radius within your organization
In the first 3 months following this presentation you should:
Begin to build Security as Code skills and run cloud security experiments to understand the issues
Develop Crawl-Walk-Run plans to help your organization build security into cloud workloads
Within 6 months you should have:
Cloud workloads instrumented for known security issues, flagged during the Continuous Delivery of software to the cloud
Your group testing with Red Team methods and automation to ensure end-to-end security for your cloud workloads
Remediation happening in hours to days as a result of automation

Get Involved & Join the Community
devsecops.org
@devsecops on Twitter
DevSecOps on LinkedIn
DevSecOps on Github
RuggedSoftware.org
Compliance at Velocity
Join Us !!!
Spread the word!!!
Cloud security : Automate or die
 
Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security Headaches
 
Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security Program
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloud
 
Whose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudWhose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the Cloud
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
RSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud SecurityRSA 2015 Realities of Private Cloud Security
RSA 2015 Realities of Private Cloud Security
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
 
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud SecurityGet Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
 
Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native Security
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersCommon Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
 
Cloud Computing and Virtualisation
Cloud Computing and VirtualisationCloud Computing and Virtualisation
Cloud Computing and Virtualisation
 
How to Kickstart Security and Compliance for Your AWS, Azure, and GCP Clouds
How to Kickstart Security and Compliance for Your AWS, Azure, and GCP CloudsHow to Kickstart Security and Compliance for Your AWS, Azure, and GCP Clouds
How to Kickstart Security and Compliance for Your AWS, Azure, and GCP Clouds
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
Why the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsWhy the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systems
 

Recently uploaded

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 

Cloud Security Essentials 2.0 at RSA

  • 15. The Cloud is not a Datacenter.
  • 16. VPNs that connect to Clouds are evil!
    The "new" boundary has all the weaknesses of both environments and mixes two different security models!
    (Diagram: a datacenter and a cloud provider network joined by a managed or private software VPN, each with a public subnet, app and database tiers, remote access, and cloud web console API credentials on the cloud side. Questions raised: 10.0.0.0/8 connected and routable? No IDS? What do you mean the IP could change? Tags? Security Groups? SDE?)
  • 17. Host-Based Controls
    Shared Responsibility and Cloud require host-based controls. Instrumentation is everything! Fine-grained controls require more scrutiny and bigger big data analysis.
    (Diagram: instances in the cloud provider network emitting instrumentation events such as "Tested machine image…", "Tested instances...", "Tested roles...", "Tested passwords...", "New instance created…", "Instance 12345 changed…", "User ABC accessed Instance 12345...")
  • 18. Lights out…
    Lights out datacenters have always been a desired nirvana. Automation is required to stack and replace cloud workloads. Cloud security benefits are derived from lights out: Automation & Instrumentation, Ephemeral Bastions, Drift Management, Security Testing.
    (Diagram: a bastion and instances in the cloud provider network emitting the same instrumentation events as on the previous slide.)
  • 19. Long live APIs…
    Everything in the cloud should be an API, even Security… Protocols that are not cloudy should not span across environments. If you wouldn't put it on the Internet, then you should put an API and Authentication in front of it: Messaging, Databases, File Transfers, Logging.
    (Diagram: user routing, data replication, an application gateway, file transfers, log sharing and messaging all reaching the cloud provider network through "My API", with the instrumentation events from slide 17.)
  • 21. Blast Radius is a real thing…
  • 22. Beware of Orchestrators…
    Orchestration creates blast radius because it centralizes the deployment and security of cloud workloads. Tools that act on your behalf usually require credentials and create blind spots. Non-native tools require specialized skills and make it difficult to gain context on what the right behavior should be.
    (Diagram: a Cloud Orchestration Platform holding secrets for Cloud Accounts A, B and C in the cloud provider network; caption "What's normal?")
  • 23. Account Sharding is a new control!
    Splitting cloud workloads into many accounts has a benefit. Accounts should contain less than 100% of a cloud workload. Works well with APIs; works dismally with forklifts. What is your appetite for risk?
    (Diagram: Cloud Workload Templates deploying 33% of a workload into each of three Cloud Accounts, with an attacker shown reaching only one of them.)
  • 24. MFA is a MUST!
    Passwords don't work. Passwords aren't enough to protect infrastructure. Use MFA to protect User accounts and API credentials used by Humans. On some cloud platforms it is possible to make roles work only when MFA is provided and for certain actions to require MFA.
    (Illustration: a console session reading "Implement cloud template… / API Credentials accepted... / Please input your MFA token: XXXXXX (123456) / Cloud stack 123 has been implemented.")
  • 25. Cloud Disaster Recovery is a different animal…
    Regional recovery is not enough to cover security woes. Security events can quickly escalate to disasters. Got a disaster recovery team? Multi-Account strategies with separation of duties can help. Don't hard code if you can help it. Encryption is inconvenient, but necessary…
    (Diagram: Cloud Workload Templates splitting a workload 50% / 50% across two Cloud Accounts, with Disaster Templates able to rebuild into further Cloud Accounts.)
  • 27. Encryption is a necessary evil…
    It helps with Safe Harbor. It helps with SQL Injection. It helps with Data Ownership. It helps with Privacy. It's not a silver bullet…
    (Diagram: Secrets Management and Key Management & Encryption serving an Instance, App, DB, Disk and a Managed Service across several Cloud Accounts in the cloud provider network.)
  • 28. So much inconvenience
    It can limit scale and it may narrow design options. Scalable Key Management is really hard in the cloud. Inconvenience commonly comes from blue/green changes, dynamic environments and sharing secrets for auto-scale.
    (Diagram: many Instances each with its own Disk, APP and DB tiers across two Cloud Accounts, all depending on Secrets Management; caption "Phew, I'm exhausted".)
  • 29. Overcoming Inconvenience
    Use built-in transparent encryption when possible. Use native cloud key management and encryption when available. Develop backup strategies for keys and secrets. Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor. Use APIs to exchange data and rotate encryption.
    (Diagram: the same Secrets Management and Key Management & Encryption layout as slide 27.)
  • 31. Speed & Ease can create problems…
    Overloaded terms like "Policy" can cause confusion for DevOps and Security teams. Applying broad controls to narrow problems can create gaps. Security reviews are too slow… Mistakes can and do happen!! Security scanners and testing tools are not yet available for solving these speed & ease challenges.
    (Diagram: DEVOPS, SECURITY, CLOUD SECURITY, SECURITY POLICIES and SECURITY AS CODE talking past each other over a policy document at "Page 3 of 433"; speech bubbles "How do I?", "Did you mean?", "What is?", "Sigh… It's like we aren't speaking the same language…")
  • 32. Mixed modes don't work
    Forklifts are not a good idea because the original controls operate differently. Systems designed for waterfall don't have an easy path to achieve agile. Fragile applications in the cloud are easy pickings for attackers!
    (Cartoon caption: "MAN – THIS SHELL IS HEAVY!")
  • 33. Code can solve the divide
    Paper-resident policies do not stand up to constant cloud evolution and lessons learned. Translation from paper to code can lead to mistakes. Traditional security policies do not translate 1:1 to Full Stack deployments.
    (Diagram: DataCenter policies "LOCK YOUR DOORS", "BADGE IN", "AUTHORIZED PERSONNEL ONLY", "BACKGROUND CHECKS" beside CloudProvider Network policies "CHOOSE STRONG PASSWORDS", "USE MFA", "ROTATE API CREDENTIALS", "CROSS-ACCOUNT ACCESS"; caption "EVERYTHING AS CODE", policy document at "Page 3 of 433".)
  • 34. Speed & Ease can increase security!
    Fast remediation can remove an attack path quickly. Resolution can be achieved in minutes compared to months in a datacenter environment. Continuous Delivery has the advantage of being able to publish over an attacker. Built-in forensic snapshots and blue/green publishing allow systems to be recovered while an investigation takes place.
    (Diagram: an ATTACKED APP/DB stack kept aside for FORENSICS while a RECOVERED APP/DB stack is published in its place.)
  • 36. Shift controls & mindset
    (Diagram: Security Monitoring.)
  • 37. Cloud Security is a Big Data Challenge…
    DevOps + Security is the biggest big data challenge ahead. Use Attack Models and choose the right Data Sources to discover attacks in near real-time. Develop a scientific approach to help DevOps teams get the security feedback loop they have been looking for.
    Data sources: Web Access Logs, Java Instrumentation, Proxy Logs, DNS Logs.
  • 38. Cloud Security Feedback Loop
    (Diagram: Cloud accounts (S3, Glacier, EC2, CloudTrail) and threat intel feed an ingestion stage; security tools & data feed security science, which produces insights that flow back to the cloud accounts.)
  • 40. Safe experimentation is critical…
    Test possible solutions, arrive at Good Enough. Crawl-Walk-Run plans can save your org from large-scale incidents. Keep up with Lessons Learned!
  • 41. Don't Hug Your Instances… (graphic: "10 DAYS")
    Research suggests that you should replace your instances at least every 10 days, and that may not be often enough. Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching. Make sure to keep a snapshot for forensic and compliance purposes. Use config management automation to make changes part of the stack. Refresh routinely; refresh often!
  • 42. Use Cloud Native Security Features...
    Cloud native security features are designed to be cloudy. Audit is a primary need! Configuration and baseline checks baked into a Cloud Provider's Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle. Be deliberate about how to use built-in security controls and who has access.
  • 43. Security as Code… gotta do it.
  • 44. Apply what you learned today…
    Next week you should:
      • Understand how your organization is or plans to use cloud providers
      • Identify cloud workloads and virtual blast radius within your organization
    In the first 3 months following this presentation you should:
      • Begin to build Security as Code skills and run cloud security experiments to understand the issues
      • Develop Crawl-Walk-Run plans to help your organization build security into cloud workloads
    Within 6 months you should:
      • Cloud workloads have been instrumented for known security issues and flagged during the Continuous Delivery of software to the cloud
      • Your group has begun to test using Red Team methods and automation to ensure end-to-end security for your cloud workloads
      • Remediation happens in hours to days as a result of automation
  • 45. Get Involved & Join the Community
    devsecops.org, @devsecops on Twitter, DevSecOps on LinkedIn, DevSecOps on Github, RuggedSoftware.org, Compliance at Velocity. Join Us!!! Spread the word!!!
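As an added example (not code from the deck, from Intuit, or from any cloud provider), here are two of the feedback-loop detections the deck describes, run over constructed telemetry: slide 24's "require MFA for certain actions" as a CloudTrail check for sensitive calls made by IAM users without MFA (CloudTrail being one of slide 38's data sources), and slide 41's 10-day refresh rule as a check on instance launch times. The sensitive-action list, user names, instance IDs, IP addresses and timestamps are all assumptions.

```python
# Added example: two detections over constructed cloud telemetry (see lead-in).
from datetime import datetime, timedelta, timezone

# Hypothetical list of actions that should require MFA; tune it per workload.
SENSITIVE_ACTIONS = {"iam:CreateAccessKey", "iam:AttachUserPolicy",
                     "ec2:AuthorizeSecurityGroupIngress", "s3:PutBucketPolicy"}
MAX_INSTANCE_AGE = timedelta(days=10)  # slide 41's refresh window


def mfa_used(event):
    """True if the session behind a CloudTrail event was MFA-authenticated.

    CloudTrail records this at userIdentity.sessionContext.attributes
    .mfaAuthenticated ("true"/"false").  A call made directly with a long-term
    access key has no sessionContext at all and is treated as non-MFA, which is
    exactly the human-held API credential the deck says MFA must protect.
    """
    attrs = (event.get("userIdentity", {})
                  .get("sessionContext", {})
                  .get("attributes", {}))
    return attrs.get("mfaAuthenticated", "false") == "true"


def find_non_mfa_sensitive_calls(events):
    """Rule 1: sensitive API calls made by IAM users without MFA."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "IAMUser":
            continue  # roles and service principals are out of scope for this rule
        service = ev["eventSource"].split(".")[0]  # "iam.amazonaws.com" -> "iam"
        action = f"{service}:{ev['eventName']}"
        if action in SENSITIVE_ACTIONS and not mfa_used(ev):
            findings.append({"user": ident.get("userName"), "action": action,
                             "time": ev["eventTime"],
                             "sourceIP": ev.get("sourceIPAddress")})
    return findings


def find_stale_instances(instances, now):
    """Rule 2: (InstanceId, age in days) for instances older than MAX_INSTANCE_AGE.

    An instance exactly at the limit is not yet stale.
    """
    stale = []
    for inst in instances:
        age = now - datetime.fromisoformat(inst["LaunchTime"])
        if age > MAX_INSTANCE_AGE:
            stale.append((inst["InstanceId"], age.days))
    return stale


# Constructed CloudTrail-style records (not real account data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-20T09:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},  # plain access key, no MFA
    {"eventTime": "2024-05-20T09:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2024-05-20T09:25:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},  # read-only, not sensitive
    {"eventTime": "2024-05-20T09:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole"}},  # pipeline role, skipped by Rule 1
]

NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)  # constructed "current" time

# Constructed describe-instances style records.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "LaunchTime": "2024-05-18T08:00:00+00:00"},  # 2 days old
    {"InstanceId": "i-0bbb222", "LaunchTime": "2024-04-25T08:00:00+00:00"},  # 25 days old
    {"InstanceId": "i-0ccc333", "LaunchTime": "2024-05-10T12:00:00+00:00"},  # exactly 10 days
]

if __name__ == "__main__":
    for f in find_non_mfa_sensitive_calls(SAMPLE_EVENTS):
        print(f"NON-MFA SENSITIVE CALL: {f['user']} {f['action']} "
              f"from {f['sourceIP']} at {f['time']}")
    for instance_id, days in find_stale_instances(SAMPLE_INSTANCES, NOW):
        print(f"STALE INSTANCE: {instance_id} is {days} days old; replace it")
```

Only alice's CreateAccessKey call and the 25-day-old instance are flagged; bob's MFA-backed change, the read-only call and the instance exactly at the 10-day limit pass.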