This document discusses how to secure mobile apps end-to-end. It covers securing the mobile to cloud integration by identifying the mobile app and user and providing secure communication. It also covers securing the mobile backend by protecting user data and service endpoints. Specific techniques discussed include using AWS Cognito for authentication, securing AWS accounts and resources, implementing identity management, protecting network access, encrypting data, and central monitoring.

1. How to Secure Your Mobile App End-to End | May 2017
How to Secure Your
Mobile App End-to-End
Lahav Savir - lahav.savir@allcloud.io
Co-founder and CTO
AllCloud

2. How to Secure Your Mobile App End-to End | May 2017
AllCloud is a leading global Cloud Solutions Provider
with expertise across the cloud stack, Infrastructure,
Platform, and Software-as-a-Service

3. How to Secure Your Mobile App End-to End | May 2017
“AWS Managed Service Partners
are skilled at cloud infrastructure
and application migration, and
deliver value to customers by
offering proactive monitoring,
automation, and management of
their customer’s environment.”
https://aws.amazon.com/partners/msp/
http://www.emind.co/msp
AWS Next-Gen (v3) Managed Service Partner (MSP)

4. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
Enabling Next Generation
Businesses through SaaSification

5. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
End-to-End
Security for
Cloud
Powered
Mobile Apps

6. How to Secure Your Mobile App End-to End | May 2017
Where there is more data,
there are bound to be more
data breaches!

7. How to Secure Your Mobile App End-to End | May 2017
Part 1:
Securing the
Mobile to Cloud
Integration
● Identifying the mobile app
● Identifying the user
● Providing secure
communication to
backend
● Grant fine grained
permission to cloud
services and API’s

8. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.ioOver 60 million users worldwide, supporting +1,200 cities, in 77 countries,
and 43 languages.

9. How to Secure Your Mobile App End-to End | May 2017
AWS Cognito

10. How to Secure Your Mobile App End-to End | May 2017
Cognito Authentication Flow

11. How to Secure Your Mobile App End-to End | May 2017
Mobile Integration to AWS Services

12. How to Secure Your Mobile App End-to End | May 2017
Mobile Integration to non AWS Services

13. How to Secure Your Mobile App End-to End | May 2017
Part 2:
Securing the
Mobile Backend
● Securing the backend
service endpoints
● Protecting user’s data
● Ensuring service
resiliency

14. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
Gett has raised $640 million in funding and was selected by Forbes as one of
the “top 15 explosively growing companies”.

15. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
Security
in the
Cloud
Security
of the
Cloud

16. How to Secure Your Mobile App End-to End | May 2017
Top Topics
● AWS Account
Security
● Identity Management
● Network Security
● Host Security
● Data Encryption
● Monitoring &
Auditing

17. How to Secure Your Mobile App End-to End | May 2017
AWS Account Security

18. How to Secure Your Mobile App End-to End | May 2017
Basic Account Configurations
● Services Enablement
○ CloudTrail (in all regions)
○ Config
● Provisions
○ Identities / Federations
○ IAM Roles and Policies
(Admin, DevOps, Developer,
Support)
○ IAM Password Policies
○ CIS Benchmark tools
● Config Checks
○ S3 Bucket Policy (Private /
Public)
○ Logging enabled on
■ ELB, S3 Buckets, CloudFront,
VPC Flow logs
○ Root Account MFA
○ Tag Strategy
■ Owner / Launcher
■ Stage
■ Env / AppName
○ Resources Backups

19. How to Secure Your Mobile App End-to End | May 2017
Identity Management

20. How to Secure Your Mobile App End-to End | May 2017
Why do you
want a
Single Identity?
● Multiple AWS
Accounts
● Multiple Security
Policies
● Multiple Entry Points
● Many Resources
● Multiple 3rd Party
Services

21. How to Secure Your Mobile App End-to End | May 2017
Single Identity
Provider
● Single Password
Policy
● Single Lock Policy
● Single OTP
● Single Login Audit
● Same username used
across all resources

22. How to Secure Your Mobile App End-to End | May 2017
Organization users accessing:
AWS Resources
● AWS Console
● AWS API
● Network Access / VPN
● EC2 Instances
Other Resources
● New Relic
● Datadog
● Pingdom
● Google Apps
● Office 365
● Jira
● Github
● Logz.io
● ...

23. How to Secure Your Mobile App End-to End | May 2017
● Don't mix Corporate
and Cloud Resources
● Minimize Replication
● Maximize Federation

24. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
Corporate
● Corporate Active Directory
● Mix of users and desktops / servers
● 3rd Party SSO / Federation Services
Cloud
● Cloud Active Directory
● Cloud Resources Only
Integration
● One Way Trust between Corp AD and
Cloud AD
● Temporary credentials “Token
Vending Machine”

25. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
Login Scenarios
● AWS Console
○ SAML Federation
● VPN
○ Radius
● Jumpbox on EC2
○ Radius / LDAP
● Windows instance on EC2
○ Kerberos / LDAP
● Linux instance on EC2
○ Kerberos / LDAP
Avoid multiple identities
including IAM Users

26. How to Secure Your Mobile App End-to End | May 2017

27. How to Secure Your Mobile App End-to End | May 2017
Network Access

28. How to Secure Your Mobile App End-to End | May 2017
Networking
● Public Internet
● VPN / IPSec
Tunnel
● DirectConnect

29. How to Secure Your Mobile App End-to End | May 2017
Direct Connect
Options
● Private Virtual Interface –
Access to VPC
○ Note: VPC Endpoints are
not transitive via VPC
Peering
● Public Virtual Interface –
Access to the region IP
address space (non-VPC
Services)

30. How to Secure Your Mobile App End-to End | May 2017
Access to your
private
resources over
SSL VPN
● OpenVPN
● Fortinet Fortigate
● CheckPoint
● Sophos
● pfSense
● … Others

31. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
Don’t assume your corporate
network is secure and expose your
production networks to all users

32. How to Secure Your Mobile App End-to End | May 2017
Perimeter Security

33. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
Inbound Layer
Application Layer
Outbound Layer

34. How to Secure Your Mobile App End-to End | May 2017
AWS Shield -
Managed (DDoS)
protection service
● Basic / Advanced
● Seamless Integration and
Deployment
● Customizable Protection
● Cost Efficient
AWS WAF -
Web Application
Firewall
● Increased Protection
Against Web Attacks
● Security Integrated with
Applications
● Web Traffic Visibility
● Cost Effective Web
Application Protection

35. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
● Inspect inbound and outbound
traffic
● Create a controlled environment
that minimizes human mistakes

36. How to Secure Your Mobile App End-to End | May 2017
Host Security

37. How to Secure Your Mobile App End-to End | May 2017
What’s Host
Security ?
● OS Hardening
● Anti Virus
● Malware Protection
● Host Based IPS
● File Integrity Monitoring
● Vulnerability Scanning

38. How to Secure Your Mobile App End-to End | May 2017
Data Encryption

39. How to Secure Your Mobile App End-to End | May 2017
AWS Encryption Options
Data at Rest
● EC2 Parameter Store
● EBS Encryption (inc. root device)
● S3 Client / Server Side Encryption
● RDS / Redshift Storage
Encryption
● DynamoDB Client Side
Encryption
https://d0.awsstatic.com/whitepapers/aws-securing-data
-at-rest-with-encryption.pdf
Data in Transit
● API’s are TLS Encrypted
● Service Endpoints are TLS
Encrypted
● Elastic Load Balancer supports
TLS
● CloudFront supports TLS
● IPSec VPN

40. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
Encrypt all your data with fine
grained policy, you never know who
and when someone will gain access
to the data

41. How to Secure Your Mobile App End-to End | May 2017
Centrally Monitor and Audit

42. How to Secure Your Mobile App End-to End | May 2017
Events Sources
● CloudTrail
● ELB / S3 / CloudFront
Access Logs
● VPC Flow logs
● AWS Inspector
● Host AV & IPS
● Network WAF & IPS
● Evident.io / Dome9
● Observable

43. How to Secure Your Mobile App End-to End | May 2017

44. How to Secure Your Mobile App End-to End | May 2017

45. How to Secure Your Mobile App End-to End | May 2017

46. How to Secure Your Mobile App End-to End | May 2017

47. How to Secure Your Mobile App End-to End | May 2017

48. How to Secure Your Mobile App End-to End | May 2017

49. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
● Create Clear Visibility
● Set Governance Rules
● Define Actions

50. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
3 Pages AWS Secuirty Checklist
https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Checklist.pd
f

51. How to Secure Your Mobile App End-to End | May 2017
www.allcloud.io
Join our Fastlane to a
Successful Cloud Deployment
Contact me: lahav.savir@allcloud.io