Why am I here?
} Background
} Application Security
} Platform Security
} Security Management
To help wish we
Ourselves
Security as you evolve
Intrusiveness
Type of data collected
Sector (Fin, Gov)
SU maturity
OS PII
Security by Design
• Spoofing identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
Authentication & Authorization
Application Security
Eitan Satmary, Security Architect @Wix
eitans@wix.com
✔ Secure hosting ✔ SEO ✔ 24/7 Support
Easy drag and drop; designer-made templates; beautiful galleries, mobile optimized, domains, huge image collection
Everything you need to create your FREE stunning website
People from every type of business & profession imaginable: Musicians, Online store owners, Designers, Dentists, Dog walkers, Bloggers, Photographers, Lawyers, and more…
Over 102 million users in 180 countries
Over 250 Apps
Over 550 Templates
Offices in 8 countries
Business Partner
1400 Employees
500 Developers
Over 2.5 PByte of users’ media files
Over 1000 servers in 3 datacenters
2 Clouds (Amazon & Google)
Security Challenges
★ More than 2 billion requests per day
★ Above 400 microservices
★ 1,300 deployments a month (totally Agile)
★ We’re always on
★ 5 main programming languages
★ Platform abuse - targeted for malicious activity
Security at Wix
FED, Server and Product Security: cross-engineering teams, 11 in the Security team
IT and Production Security
Security champion in every company
Security forum every 2 weeks: from legal, marketing, HR, BI and more
Security in all company’s departments
What I would do if I were starting from scratch
★ You’re a new startup
★ Security products cost money, maintenance and training
★ You want top value for your efforts
Follow this 3-step workflow
step 1: Implement security best practices in SDLC
★ Authentication
★ Authorization
★ Password policy
★ Session management
★ Error handling
★ Storing sensitive data
★ Input validation
★ Secured queries
★ Logs
★ More...
step 1: Implement security best practices in SDLC
For every new big feature: analyze threat models by STRIDE

Threat                    Mitigation
Spoofing                  Authentication
Tampering                 Integrity
Repudiation               Non-repudiation
Information disclosure    Confidentiality
Denial of Service         Availability
Elevation of Privileges   Authorization
step 2: How certificates can help you
1. They enforce order and procedures
2. You’ll have something to show your customers
PCI, ISO 27001, ISO 27018
step 2: Implement security best practices in SDLC
Internal and external penetration tests
Define vectors that disturb the flow:
★ Can I crash the site / data?
★ Can I steal information?
★ Can I access users’ PII?
★ Can I disconnect the data?
step 2: Implement security best practices in SDLC
Use your BI data! Configure alerts for abnormalities in user actions
Deliver dedicated security trainings:
★ For frontend developers
★ For server developers
★ For mobile developers
★ For QA
★ For Support
step 3: Now you can buy products
WAF
Bug bounty
DB FW
Static & dynamic code analysis
Eitan Satmary, Security Architect @Wix
eitans@wix.com
Shared responsibility
Management dashboard
Backend
• Network segregation
• Red/Black push
• Encryption
• Physical security
Platform Security
Marius Aharonovich
Cloud Security Architect
ClickSoftware
} Platform Security
} Management
} Secure API keys
} Increase Your Visibility
} Host Security
} Encryption and Key Management
Platform Security
Security Best Practices checklist:
CIS AWS AZURE GOOGLE
Cloud Platform
AWS Infrastructure
Management Services
EC2
Instance
3rd party
Management
Amazon Web Services root account: limited use (support plan, payment, close account, request PenTest)
Two-Factor Authentication: TOTP-enabled virtual TFA (Google Authenticator, Authy)
IAM Users: Two-Factor Authentication
User Groups: DevOps, NOC, R&D Lead, DBA, Security
IAM Policies (identity-based policy; example: allow listing one bucket)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::example_bucket"
        }
      ]
    }

Services – Resource Based Policies (example: bucket policy that denies every S3 action unless the request was made with MFA)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::example",
            "arn:aws:s3:::example/*"
          ],
          "Condition": {
            "BoolIfExists": {
              "aws:MultiFactorAuthPresent": "false"
            }
          }
        }
      ]
    }

Cross Account (example: role trust policy that lets AccountID assume the role only when it presents the agreed external ID)

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::AccountID:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "IAMUserID"
            }
          }
        }
      ]
    }
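The three policy shapes above each carry one security condition that is easy to lose in a copy-paste: the MFA deny on the bucket, the external ID on the cross-account trust, and the absence of open wildcard grants. The following is an added example, not code from the slides or from AWS: a small linter that checks parsed policy documents for those conditions. All policies in it are constructed samples; the account id 111122223333 and the bucket name "example" are placeholders.

```python
"""Added example (not from the slides): a small linter for the policy shapes shown
above, checking that the security conditions the deck relies on are present.
All policy documents here are constructed samples; 111122223333 and the bucket
name "example" are placeholders."""
import json


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement", []))


def has_mfa_deny(policy):
    """True if a Deny statement fires when aws:MultiFactorAuthPresent is false."""
    for st in _statements(policy):
        if st.get("Effect") != "Deny":
            continue
        cond = st.get("Condition", {})
        for operator in ("BoolIfExists", "Bool"):
            flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
            if str(flag).lower() == "false":
                return True
    return False


def is_bucket_policy(policy):
    """A resource-based policy (has Principal) whose statements name S3 resources."""
    stmts = _statements(policy)
    return any("Principal" in st for st in stmts) and any(
        r.startswith("arn:aws:s3:::")
        for st in stmts for r in _as_list(st.get("Resource", [])))


def lint(policy):
    """Return a list of finding strings; an empty list means the policy is clean."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, st in enumerate(_statements(policy)):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        # Anyone may call a wildcard action and no condition narrows it.
        if (st.get("Principal") in ("*", {"AWS": "*"}) and not st.get("Condition")
                and any(a == "*" or a.endswith(":*") for a in actions)):
            findings.append(f"statement {i}: wildcard action for any principal without a condition")
        # A cross-account trust must carry the external ID (confused-deputy guard).
        if "sts:AssumeRole" in actions:
            ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if not ext_id:
                findings.append(f"statement {i}: sts:AssumeRole trust without sts:ExternalId")
    if is_bucket_policy(policy) and not has_mfa_deny(policy):
        findings.append("bucket policy has no Deny for requests made without MFA")
    return findings


# Constructed samples: the two shapes from the slides, each beside a weak variant.
BUCKET_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example", "arn:aws:s3:::example/*"],
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}
BUCKET_POLICY_WEAK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example/*"}],
}
TRUST_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "partner-external-id"}},
    }],
}
TRUST_POLICY_WEAK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name in ("BUCKET_POLICY_OK", "BUCKET_POLICY_WEAK", "TRUST_POLICY_OK", "TRUST_POLICY_WEAK"):
        print(name, lint(globals()[name]) or "clean")
```

The checks are deliberately narrow: `BoolIfExists` is accepted as well as `Bool`, because a plain `Bool` deny also blocks callers whose requests carry no MFA key at all (service roles, for instance), which is usually not what a bucket policy author wants.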
Services – Secure API keys
Use temporary keys (STS)
Don’t embed API keys directly into code
Rotate API keys periodically
Delete unused API keys
Use unique API keys for applications
Increase Your Visibility
AWS: EC2, CloudTrail, Dashboard APIs
CASB: Access & Activities; Trusted Advisor; Credentials Report
IAM User “List Events”
Cloud Security Control: SG changes & risk & compliance; forensics on traffic layers 3/4; web traffic analysis
IAM Cross Account Role “List Configuration”
IAM Cross Account Role “IP Traffic”
Log sources (logC): VPC Flow-Log; S3; other Cloud Services; Service User “List Events”; Infrastructure: EC2 Instance, Load Balancer, Web Traffic (syslog)
Log Collector: security event alerting; security reports; forensics
Domain Auditor: domain changes reporting; forensics; Events, Domain, Config, Web Traffic (syslog)
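The “Secure API keys” rules (rotate periodically, delete unused keys) and the Credentials Report named in this visibility slide fit together: the report is the data source that tells you which keys break the rules. The block below is an added example, not code from the slides or from AWS: it audits a credential report for stale keys, unused keys, console users without MFA and an active root access key. The CSV is a constructed sample that uses a subset of the real report’s column names; 111122223333 is a placeholder account id, and the clock is fixed so the result is reproducible.

```python
"""Added example (not from the slides): audit an IAM credential report for the
key-hygiene rules listed under "Secure API keys". The CSV below is a constructed
sample using a subset of the real report's columns; 111122223333 is a placeholder
account id and the clock is fixed so the result is reproducible."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90     # rotate keys older than this
MAX_UNUSED_DAYS = 45      # delete active keys not used within this window

SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,true,2017-01-10T09:00:00+00:00,2017-05-01T08:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2017-04-20T10:00:00+00:00,2017-06-01T12:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2016-11-01T10:00:00+00:00,2017-05-30T12:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2017-03-15T10:00:00+00:00,N/A,true,2017-05-20T10:00:00+00:00,2017-05-21T10:00:00+00:00
"""

# Fixed "now" (constructed) so the day counts below do not drift.
NOW = datetime(2017, 6, 10, tzinfo=timezone.utc)


def _when(value):
    """Report timestamps are ISO 8601; N/A and no_information mean 'never'."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW):
    """Return (user, finding) pairs for every rule a report row violates."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root account should never carry programmatic keys.
        if user == "<root_account>" and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root account has an active access key"))
        # Console users must have MFA (the IAM Users slide).
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _when(row[f"access_key_{n}_last_rotated"])
            last_used = _when(row[f"access_key_{n}_last_used_date"])
            if rotated and (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE_DAYS} days: rotate"))
            if last_used is None or (now - last_used).days > MAX_UNUSED_DAYS:
                findings.append((user, f"access key {n} unused for {MAX_UNUSED_DAYS}+ days: delete"))
    return findings


def users_needing_action(report_csv, now=NOW):
    """Distinct users that have at least one finding, sorted for stable output."""
    return sorted({user for user, _ in audit(report_csv, now)})


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user:15s} {finding}")
```

On the sample, alice is clean, bob needs MFA and a key rotation, ci-deploy has a key that was never used, and the root account has a stale key that should not exist at all. In practice the report is fetched with the IAM credential-report API and the thresholds come from your own key policy.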
Host Security
VPN Gateway: Two-Factor Authentication; encrypted (TLS)
Patch Hosts: WSUS; Systems Manager; newly deployed AMI
DoS Protection: AWS Shield (Basic, Advanced); 3rd party solution
SIEM: Access & Activities; infra changes analysis
Firewall: inbound & outbound rules; Security Groups; 3rd party
Harden Hosts (CIS): user groups & permissions; antimalware & HIPS
Scan Hosts: 3rd party; vulnerabilities
Encryption and Key Management
Why to Encrypt? Contracts, Regulations, Standards
Data in Transit: TLSv1.2, AES-256bit GCM; ELB, ALB, CloudFront, 3rd party; Certificate Manager
Data at Rest:
Storage / Volume Encryption: EBS Encryption; RDS Storage Encryption (KMS)
Data Backup Encryption: SQL Backup Encryption; RDS Snapshot Encryption (KMS)
KMS: FIPS 140-2 Level 2; HSM: FIPS 140-2 Level 3
Security Management
Gilad Yaron, Head of Cybersecurity Strategy & Cloud Services, SECOZ
cybersecurity center, BDO
Our goal is to maintain the agile pace of development, while introducing security in ways that accommodate simple and efficient processes.
We find alternatives that are sufficient to get
Security Management
Shahar Maor, Information Security Manager,
Outbrain
Discovery:
• So many options, so many providers…
• Manual on/off-boarding
• Long tail apps, Chrome ext.
Control:
• Multiple passwords, app-specific password
• Collaboration is open by design
Active Directory
Corporate
Privacy and Compliance
Anti-Fraud
Platform
RnD and Products
Core
systems
SSO
Other
external
services
Production
Data centers
Awareness and Education
On-Boarding
Company Communications
Awareness Campaigns: Phishing & SE
Information Security
Beta: Phishing and Virus analyzer
Suspicious email → FWD to: xxx@outbrain.com
Analyzing the message: scan links & attachments (harness the power of 56 file scanners and 67 link scanners!)
Result: Malware Detected / No Malware Detected
Cloud Security
• So many options, so many providers…
• Manual on/off-boarding
• Long tail apps, Chrome ext.
• Multiple passwords, app-specific password
• Collaboration is open by design
Solutions
• Narrow down choices (Box, Google Drive)
• Education
• Formal tool selection
• Education
• SSO+2FA
• Education
• CASB
• Education
“TRYING IS THE FIRST STEP TOWARDS FAILURE”
H. Simpson
Cloud Security for Startups - From A to E(xit)

More Related Content

What's hot

Protect your business with identity and access management in the cloud
Protect your business with identity and access management in the cloudProtect your business with identity and access management in the cloud
Protect your business with identity and access management in the cloud
Microsoft
 
CSA SV Threat detection and prediction
CSA SV Threat detection and predictionCSA SV Threat detection and prediction
CSA SV Threat detection and prediction
Vishwas Manral
 
Azure security architecture
Azure security architectureAzure security architecture
Azure security architecture
Karl Ots
 
MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021
Matt Soseman
 
Introduction to Microsoft Enterprise Mobility + Security
Introduction to Microsoft Enterprise Mobility + SecurityIntroduction to Microsoft Enterprise Mobility + Security
Introduction to Microsoft Enterprise Mobility + Security
AntonioMaio2
 
2 Modern Security - Microsoft Information Protection
2   Modern Security - Microsoft Information Protection2   Modern Security - Microsoft Information Protection
2 Modern Security - Microsoft Information Protection
Andrew Bettany
 
Azure security basics
Azure security basicsAzure security basics
Azure security basics
Stas Lebedenko
 
2018 November - AZUGDK - Azure AD
2018 November - AZUGDK - Azure AD 2018 November - AZUGDK - Azure AD
2018 November - AZUGDK - Azure AD
Peter Selch Dahl
 
Mct summit 2021
Mct summit 2021Mct summit 2021
Mct summit 2021
Kushantha Gunawardana
 
Tour to Azure Security Center
Tour to Azure Security CenterTour to Azure Security Center
Tour to Azure Security Center
Lalit Rawat
 
Microsoft Cloud App Security CASB
Microsoft Cloud App Security CASBMicrosoft Cloud App Security CASB
Microsoft Cloud App Security CASB
Ammar Hasayen
 
Microsoft Cloud Application Security Overview
Microsoft Cloud Application Security Overview Microsoft Cloud Application Security Overview
Microsoft Cloud Application Security Overview
Syed Sabhi Haider
 
EMS Diagram Click Through Web
EMS Diagram Click Through WebEMS Diagram Click Through Web
EMS Diagram Click Through WebEric Inch
 
Azure AD Premium @ Windows 10 Partner Technical Bootcamp Microsoft Norway Oct...
Azure AD Premium @ Windows 10 Partner Technical Bootcamp Microsoft Norway Oct...Azure AD Premium @ Windows 10 Partner Technical Bootcamp Microsoft Norway Oct...
Azure AD Premium @ Windows 10 Partner Technical Bootcamp Microsoft Norway Oct...
Jan Ketil Skanke
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
Birendra Negi ☁️
 
Webinar Express: What is a CASB?
Webinar Express: What is a CASB?Webinar Express: What is a CASB?
Webinar Express: What is a CASB?
Bitglass
 
Getting Started with Azure Security Center
Getting Started with Azure Security CenterGetting Started with Azure Security Center
Getting Started with Azure Security Center
Cheah Eng Soon
 
Microsoft Cloud App Security
Microsoft Cloud App SecurityMicrosoft Cloud App Security
Microsoft Cloud App Security
Microsoft
 
Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)
Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)
Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)
Bitglass
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
Allen Brokken
 

What's hot (20)

Protect your business with identity and access management in the cloud
Protect your business with identity and access management in the cloudProtect your business with identity and access management in the cloud
Protect your business with identity and access management in the cloud
 
CSA SV Threat detection and prediction
CSA SV Threat detection and predictionCSA SV Threat detection and prediction
CSA SV Threat detection and prediction
 
Azure security architecture
Azure security architectureAzure security architecture
Azure security architecture
 
MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021MCAS High Level Architecture May 2021
MCAS High Level Architecture May 2021
 
Introduction to Microsoft Enterprise Mobility + Security
Introduction to Microsoft Enterprise Mobility + SecurityIntroduction to Microsoft Enterprise Mobility + Security
Introduction to Microsoft Enterprise Mobility + Security
 
2 Modern Security - Microsoft Information Protection
2   Modern Security - Microsoft Information Protection2   Modern Security - Microsoft Information Protection
2 Modern Security - Microsoft Information Protection
 
Azure security basics
Azure security basicsAzure security basics
Azure security basics
 
2018 November - AZUGDK - Azure AD
2018 November - AZUGDK - Azure AD 2018 November - AZUGDK - Azure AD
2018 November - AZUGDK - Azure AD
 
Mct summit 2021
Mct summit 2021Mct summit 2021
Mct summit 2021
 
Tour to Azure Security Center
Tour to Azure Security CenterTour to Azure Security Center
Tour to Azure Security Center
 
Microsoft Cloud App Security CASB
Microsoft Cloud App Security CASBMicrosoft Cloud App Security CASB
Microsoft Cloud App Security CASB
 
Microsoft Cloud Application Security Overview
Microsoft Cloud Application Security Overview Microsoft Cloud Application Security Overview
Microsoft Cloud Application Security Overview
 
EMS Diagram Click Through Web
EMS Diagram Click Through WebEMS Diagram Click Through Web
EMS Diagram Click Through Web
 
Azure AD Premium @ Windows 10 Partner Technical Bootcamp Microsoft Norway Oct...
Azure AD Premium @ Windows 10 Partner Technical Bootcamp Microsoft Norway Oct...Azure AD Premium @ Windows 10 Partner Technical Bootcamp Microsoft Norway Oct...
Azure AD Premium @ Windows 10 Partner Technical Bootcamp Microsoft Norway Oct...
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
 
Webinar Express: What is a CASB?
Webinar Express: What is a CASB?Webinar Express: What is a CASB?
Webinar Express: What is a CASB?
 
Getting Started with Azure Security Center
Getting Started with Azure Security CenterGetting Started with Azure Security Center
Getting Started with Azure Security Center
 
Microsoft Cloud App Security
Microsoft Cloud App SecurityMicrosoft Cloud App Security
Microsoft Cloud App Security
 
Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)
Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)
Beyond the Firewall: Securing the cloud with a CASB (in partnership with CSA)
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
 

Similar to Cloud Security for Startups - From A to E(xit)

microsoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxmicrosoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptx
GenericName6
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model Overview
Alert Logic
 
Subscribed 2015: Architecture, Security, Scalability
Subscribed 2015: Architecture, Security, ScalabilitySubscribed 2015: Architecture, Security, Scalability
Subscribed 2015: Architecture, Security, Scalability
Zuora, Inc.
 
Security: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud AdoptionSecurity: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud Adoption
Amazon Web Services
 
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
Amazon Web Services
 
Building Bulletproof Infrastructure on AWS
Building Bulletproof Infrastructure on AWSBuilding Bulletproof Infrastructure on AWS
Building Bulletproof Infrastructure on AWS
2nd Watch
 
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
ASMC 2017 - Martin Vliem -  Security < productivity < security: syntax ...ASMC 2017 - Martin Vliem -  Security < productivity < security: syntax ...
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
PlatformSecurityManagement
 
Fundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and ComplianceFundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and Compliance
Vignesh Ganesan I Microsoft MVP
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
Thuan Ng
 
Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?
AWS Germany
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
Amazon Web Services
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
Amazon Web Services
 
Securing Your Cloud Applications
Securing Your Cloud ApplicationsSecuring Your Cloud Applications
Securing Your Cloud Applications
IBM Security
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Amazon Web Services
 
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
Amazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
Amazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
Evident.io
 
AWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App Security
Amazon Web Services
 
Azure security and Compliance
Azure security and ComplianceAzure security and Compliance
Azure security and Compliance
Karina Matos
 
Kabelo Sekele- Government in Transformation: Cloud Powered Security, Identity...
Kabelo Sekele- Government in Transformation: Cloud Powered Security, Identity...Kabelo Sekele- Government in Transformation: Cloud Powered Security, Identity...
Kabelo Sekele- Government in Transformation: Cloud Powered Security, Identity...
itnewsafrica
 

Similar to Cloud Security for Startups - From A to E(xit) (20)

microsoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxmicrosoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptx
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model Overview
 
Subscribed 2015: Architecture, Security, Scalability
Subscribed 2015: Architecture, Security, ScalabilitySubscribed 2015: Architecture, Security, Scalability
Subscribed 2015: Architecture, Security, Scalability
 
Security: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud AdoptionSecurity: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud Adoption
 
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
 
Building Bulletproof Infrastructure on AWS
Building Bulletproof Infrastructure on AWSBuilding Bulletproof Infrastructure on AWS
Building Bulletproof Infrastructure on AWS
 
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
ASMC 2017 - Martin Vliem -  Security < productivity < security: syntax ...ASMC 2017 - Martin Vliem -  Security < productivity < security: syntax ...
ASMC 2017 - Martin Vliem - Security < productivity < security: syntax ...
 
Fundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and ComplianceFundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and Compliance
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?
 
Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
 
Securing Your Cloud Applications
Securing Your Cloud ApplicationsSecuring Your Cloud Applications
Securing Your Cloud Applications
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
 
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
AWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App Security
 
Azure security and Compliance
Azure security and ComplianceAzure security and Compliance
Azure security and Compliance
 
Kabelo Sekele- Government in Transformation: Cloud Powered Security, Identity...
Kabelo Sekele- Government in Transformation: Cloud Powered Security, Identity...Kabelo Sekele- Government in Transformation: Cloud Powered Security, Identity...
Kabelo Sekele- Government in Transformation: Cloud Powered Security, Identity...
 

Recently uploaded

History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
TristanJasperRamos
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
ShahulHameed54211
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
Himani415946
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 

Recently uploaded (16)

History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 

Cloud Security for Startups - From A to E(xit)

  • 2. Why am I here?
  • 3. Background; Application Security; Platform Security; Security Management
  • 4. To help wish we Ourselves
  • 5. Security as you evolve: Intrusiveness, Type of data collected, Sector (Fin, Gov), SU maturity, OS, PII
  • 7. Security by Design: Spoofing identity; Tampering with data; Repudiation; Information disclosure; Denial of service; Elevation of privilege
  • 9. Application Security. Eitan Satmary, Security Architect @Wix, eitans@wix.com
  • 10. Everything you need to create your FREE stunning website: easy drag and drop, designer-made templates, beautiful galleries, mobile optimized, domains, huge image collection. ✔ Secure hosting ✔ SEO ✔ 24/7 Support. People from every type of business & profession imaginable: musicians, online store owners, designers, dentists, dog walkers, bloggers, photographers, lawyers, and more…
  • 11. Over 102 million users in 180 countries; over 250 apps; over 550 templates; offices in 8 countries; Business Partner; 1400 employees; 500 developers; over 2.5 PByte of users’ media files; over 1000 servers in 3 datacenters; 2 clouds (Amazon & Google)
  • 12. Security Challenges: ★ More than 2 billion requests per day ★ Above 400 microservices ★ 1,300 deployments a month (totally Agile) ★ We’re always on ★ 5 main programming languages ★ Platform abuse: targeted for malicious activity
  • 13. Security at Wix: FED, Server and Product Security (cross-engineering teams, 11 in the Security team); IT and Production; Security champion in every company; Security forum every 2 weeks (from legal, marketing, HR, BI and more); Security in all company’s departments
  • 14. What I would do if I were starting from scratch: ★ You’re a new startup ★ Security products cost money, maintenance and training ★ You want top value for your efforts. Follow this 3-step workflow
  • 15. Step 1: Implement security best practices in SDLC ★ Authentication ★ Authorization ★ Password policy ★ Session management ★ Error handling ★ Storing sensitive data ★ Input validation ★ Secured queries ★ Logs ★ More...
  • 16. Step 1: Implement security best practices in SDLC. For every new big feature, analyze threat models by STRIDE (threat → mitigation): Spoofing → Authentication; Tampering → Integrity; Repudiation → Non-repudiation; Information disclosure → Confidentiality; Denial of Service → Availability; Elevation of Privileges → Authorization
  • 17. Step 2: How certifications can help you: 1. They enforce order and procedures 2. You’ll have something to show your customers (PCI, ISO 27001, ISO 27018)
  • 18. Step 2: Implement security best practices in SDLC. Internal and external penetration tests. Define vectors that disturb the flow: ★ Can I crash the site / data? ★ Can I steal information? ★ Can I access users’ PII? ★ Can I disconnect the data?
  • 19. Step 2: Implement security best practices in SDLC. Use your BI data! Configure alerts for abnormalities of user actions. Deliver dedicated security trainings ★ For frontend developers ★ For server developers ★ For mobile developers ★ For QA ★ For Support
  • 20. Step 3: Now you can buy products: WAF, Bug bounty, DB FW, Static & dynamic code analysis
  • 21. Eitan Satmary, Security Architect @Wix, eitans@wix.com
  • 25. Backend • Network segregation • Red/Black push • Encryption • Physical security
  • 26. Platform Security. Marius Aharonovich, Cloud Security Architect, ClickSoftware
  • 27. Platform Security: Management; Secure API keys; Increase Your Visibility; Host Security; Encryption and Key Management
  • 28. Platform Security. Security best practices checklists: CIS (AWS, Azure, Google Cloud Platform), AWS Infrastructure, Management Services, EC2 Instance, 3rd party
  • 29. Management (Amazon Web Services)
    Root: limited use only (support plan, payment, close account, request PenTest); Two-Factor Authentication with a TOTP-enabled virtual TFA device (Google Authenticator, Authy)
    IAM Users: Two-Factor Authentication; User Groups (DevOps, NOC, R&D Lead, DBA, Security)
    IAM Policies (identity-based), e.g. allow listing one bucket: {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket"}
    Services: Resource-Based Policies, e.g. deny every S3 action on the bucket to any principal whose request was not made with MFA (BoolIfExists also matches requests that carry no MFA key at all): {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
    Cross Account: role trust policy that lets another account assume the role only when it presents the agreed External ID: {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::AccountID"}, "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": "IAMUSerID"}}}
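As an added example (not code from the slides or from Wix/ClickSoftware), this models how the identity policy and the MFA-gated bucket policy on slide 29 combine: an explicit Deny wins over an Allow, and BoolIfExists treats a missing aws:MultiFactorAuthPresent key as a match, which is what makes access-key-only requests fail. The policy documents and bucket name are constructed; only the Bool / BoolIfExists operators are modelled, and the cross-account trust policy is not.

```python
import fnmatch

# Constructed sample policies following the fragments on slide 29 (not Wix/ClickSoftware code).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [  # identity-based, attached to a user/group
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket"}]}

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [  # resource-based, attached to the bucket
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example_bucket",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

# The same Deny written with plain "Bool": it stops applying when the key is absent.
WEAK_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example_bucket",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}


def _condition_holds(condition, context):
    """Evaluate Bool / BoolIfExists conditions against the request-context keys."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key not in context:
                # ...IfExists treats a missing key as a match. A request signed with a
                # long-term access key carries no MFA key at all, so only this form denies it.
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _applies(stmt, action, resource, context):
    as_list = lambda v: v if isinstance(v, list) else [v]
    return (any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policies, action, resource, context):
    """Simplified IAM decision: an explicit Deny beats any Allow; no match is an implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision
```

Running evaluate with the identity policy alone allows the request without MFA; adding BUCKET_POLICY turns the same request into a Deny, while WEAK_BUCKET_POLICY leaves it allowed.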
  • 30. Services – Secure API keys: Use temporary keys (STS); Don’t embed API keys directly into code; Rotate API keys periodically; Delete unused API keys; Use unique API keys for applications
  • 31. Increase Your Visibility (architecture diagram). AWS side: EC2, CloudTrail, Dashboard, APIs, Trusted Advisor, Credentials Report, IAM User “List Events”, IAM Cross Account Role “List Configuration” / “IP Traffic”, VPC Flow Log, S3, other cloud services, EC2 instance / load balancer / web traffic (syslog) log collectors. CASB: Access & Activities, Cloud Security Control, SG changes & risk & compliance, forensics, traffic layers 3/4, web traffic analysis. Log Collector: security event alerting, security reports, forensics. Domain Auditor: domain changes reporting, forensics, events, domain config.
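The key-hygiene rules of slide 30 (rotate periodically, delete unused keys) and the Credentials Report of slide 31 meet in this added example, which is not code from the slides or the speakers: it reads credential-report rows and flags users without MFA, active access keys older than a rotation threshold, and active keys that were never used. The CSV rows, account id, user names and the 90-day thresholds are constructed; the column names follow the IAM credential report, but only a subset of its columns is used.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # rotation threshold (assumed policy value)
MAX_IDLE_DAYS = 90      # "unused" threshold (assumed policy value)

# Constructed sample rows in the column layout of the IAM credential report (a subset of its
# columns); the account id and user names are made up.
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2018-01-10T08:00:00+00:00,2018-04-01T09:30:00+00:00,false,N/A,N/A
build-bot,arn:aws:iam::111122223333:user/build-bot,false,true,2017-06-01T00:00:00+00:00,2018-04-02T11:00:00+00:00,true,2018-03-20T00:00:00+00:00,N/A
carol,arn:aws:iam::111122223333:user/carol,false,true,2018-03-15T00:00:00+00:00,no_information,false,N/A,N/A
"""
NOW = datetime(2018, 4, 5, tzinfo=timezone.utc)  # fixed "today" so the run is reproducible


def _when(value):
    """Credential-report timestamps are ISO 8601; N/A / no_information mean 'none'."""
    return None if value in ("N/A", "no_information", "not_supported") else datetime.fromisoformat(value)


def audit(report_csv, now=NOW):
    """Return (user, item, problem) tuples for missing MFA, stale keys and unused keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["mfa_active"] != "true":
            findings.append((user, "mfa", "MFA not enabled"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue                       # inactive or absent key: nothing to rotate
            rotated = _when(row[f"access_key_{n}_last_rotated"])
            used = _when(row[f"access_key_{n}_last_used_date"])
            if rotated is not None and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"key{n}", f"not rotated for {(now - rotated).days} days"))
            if used is None:
                findings.append((user, f"key{n}", "active but never used"))
            elif now - used > timedelta(days=MAX_IDLE_DAYS):
                findings.append((user, f"key{n}", f"unused for {(now - used).days} days"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT):
        print(*finding, sep="\t")
```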
  • 32. Host Security: VPN Gateway (Two-Factor Authentication, encrypted TLS); Patch Hosts (WSUS, Systems Manager, newly deployed AMI); DoS Protection (AWS Shield Basic / Advanced, 3rd party solution); SIEM (access & activities, infra changes analysis); Firewall (inbound & outbound rules: Security Groups, 3rd party); Harden Hosts (CIS; user groups & permissions; antimalware & HIPS); Scan Hosts for vulnerabilities (3rd party)
  • 33. Encryption and Key Management. Why encrypt? Contracts, regulations, standards. Data in transit: TLSv1.2, AES-256bit GCM (ELB, ALB, CloudFront, 3rd party; Certificate Manager). Data at rest: storage / volume encryption (EBS encryption, RDS storage encryption, KMS); data backup encryption (SQL backup encryption, RDS snapshot encryption, KMS). HSM: FIPS 140-2 Level 2 / FIPS 140-2 Level 3
  • 35. Security Management. Gilad Yaron, Head of Cybersecurity Strategy & Cloud Services, SECOZ cybersecurity center, BDO
  • 36. Our goal is to maintain the agile pace of development, while introducing security in ways that accommodate simple and efficient processes. We find alternatives that are sufficient to get
  • 43. Security Management. Shahar Maor, Information Security Manager, Outbrain
  • 44. (infographic figures: 3, 6200, 120, 500M, 250B)
  • 47. Discovery: • So many options, so many providers… • Manual on/off-boarding • Long tail apps, Chrome ext. Control: • Multiple passwords, app-specific password • Collaboration is open by design
  • 54. Information Security Beta: Phishing and Virus analyzer. Suspicious email → FWD to: xxx@outbrain.com → Analyzing the message: scan links & attachments (harness the power of 56 file scanners and 67 link scanners!) → Malware Detected / No Malware Detected
  • 56. Cloud Security • So many options, so many providers… • Manual on/off-boarding • Long tail apps, Chrome ext. • Multiple passwords, app-specific password • Collaboration is open by design
  • 57. Solutions • Narrow down choices (Box, Google Drive) • Education • Formal tool selection • Education • SSO+2FA • Education • CASB • Education
  • 58. “TRYING IS THE FIRST STEP TOWARDS FAILURE” H. Simpson