How to Secure Your Mobile App End-to End | May 2017
How to Secure Your Mobile App End-to-End
Lahav Savir - lahav.savir@allcloud.io
Co-founder and CTO, AllCloud

AllCloud is a leading global Cloud Solutions Provider with expertise across the cloud stack: Infrastructure, Platform, and Software-as-a-Service.

“AWS Managed Service Partners are skilled at cloud infrastructure and application migration, and deliver value to customers by offering proactive monitoring, automation, and management of their customer’s environment.”
https://aws.amazon.com/partners/msp/
http://www.emind.co/msp
AWS Next-Gen (v3) Managed Service Partner (MSP)

Enabling Next Generation Businesses through SaaSification

End-to-End Security for Cloud-Powered Mobile Apps

Where there is more data, there are bound to be more data breaches!

Part 1: Securing the Mobile to Cloud Integration
● Identifying the mobile app
● Identifying the user
● Providing secure communication to the backend
● Granting fine-grained permissions to cloud services and APIs

Over 60 million users worldwide, supporting +1,200 cities, in 77 countries, and 43 languages.

AWS Cognito
Cognito Authentication Flow
Mobile Integration to AWS Services
Mobile Integration to non-AWS Services

Part 2: Securing the Mobile Backend
● Securing the backend service endpoints
● Protecting users’ data
● Ensuring service resiliency

Gett has raised $640 million in funding and was selected by Forbes as one of the “top 15 explosively growing companies”.

Security in the Cloud
Security of the Cloud

Top Topics
● AWS Account Security
● Identity Management
● Network Security
● Host Security
● Data Encryption
● Monitoring & Auditing

AWS Account Security
Basic Account Configurations
● Services Enablement
  ○ CloudTrail (in all regions)
  ○ Config
● Provisions
  ○ Identities / Federations
  ○ IAM Roles and Policies (Admin, DevOps, Developer, Support)
  ○ IAM Password Policies
  ○ CIS Benchmark tools
● Config Checks
  ○ S3 Bucket Policy (Private / Public)
  ○ Logging enabled on
    ■ ELB, S3 Buckets, CloudFront, VPC Flow logs
  ○ Root Account MFA
  ○ Tag Strategy
    ■ Owner / Launcher
    ■ Stage
    ■ Env / AppName
  ○ Resources Backups

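As an added example (not from the deck or AllCloud), a small offline audit helper for two of the config checks listed above: it flags S3 bucket policy statements that grant anonymous access, and compares an IAM password policy against the CIS AWS Foundations Benchmark v1.1 thresholds. The baseline values are assumed from that benchmark, and the sample policies are constructed; in a real audit they would be fetched with boto3 (s3:GetBucketPolicy, iam:GetAccountPasswordPolicy), which is not done here so the script runs offline.

```python
"""Offline checks for two 'Config Checks' items above: does an S3 bucket policy
grant public (anonymous) access, and does the IAM password policy meet the
CIS AWS Foundations Benchmark v1.1 thresholds (controls 1.5-1.11, assumed)."""
import json

# Baseline values as published in CIS v1.1 (assumption: not on the slides).
CIS_PASSWORD_POLICY = {
    "MinimumPasswordLength": 14, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireSymbols": True,
    "RequireNumbers": True, "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}


def _as_list(value):
    """IAM policy grammar allows a bare string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for the two spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def classify_bucket_policy(policy_document):
    """Return {"public": [...], "conditional": [...]}: the Sid (or index) of each
    Allow statement aimed at an anonymous principal. 'public' has no Condition;
    'conditional' has one a human must review (aws:SourceVpce narrows access,
    aws:SecureTransport does not). Deny statements only remove access: ignored."""
    policy = (json.loads(policy_document) if isinstance(policy_document, str)
              else policy_document)
    result = {"public": [], "conditional": []}
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        bucket = "conditional" if stmt.get("Condition") else "public"
        result[bucket].append(stmt.get("Sid", str(index)))
    return result


def is_bucket_policy_public(policy_document):
    return bool(classify_bucket_policy(policy_document)["public"])


def password_policy_findings(policy, baseline=CIS_PASSWORD_POLICY):
    """Compare a policy shaped like the iam:GetAccountPasswordPolicy response
    against the baseline; return the names of settings that fall short."""
    findings = []
    for key, required in baseline.items():
        actual = policy.get(key)
        if isinstance(required, bool):
            ok = actual is True
        elif key == "MaxPasswordAge":
            ok = actual is not None and 0 < actual <= required  # 0/absent: never expires
        else:
            ok = actual is not None and actual >= required
        if not ok:
            findings.append(key)
    return findings


# Constructed sample: a static-website style policy that is world-readable.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

# Constructed sample: anonymous principals only under conditions, plus a grant
# to one account; the Deny must not be reported as public access.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "AccountRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Constructed sample: a password policy that is weaker than the baseline.
WEAK_PASSWORD_POLICY = {
    "MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True, "RequireSymbols": False,
    "RequireNumbers": True, "ExpirePasswords": False,
}
```

Running `classify_bucket_policy(RESTRICTED_POLICY)` reports `VpcOnly` as conditional rather than public, which is exactly the case an automated check should hand to a reviewer instead of silently passing.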
Identity Management
Why do you want a Single Identity?
● Multiple AWS Accounts
● Multiple Security Policies
● Multiple Entry Points
● Many Resources
● Multiple 3rd Party Services

Single Identity Provider
● Single Password Policy
● Single Lock Policy
● Single OTP
● Single Login Audit
● Same username used across all resources

Organization users accessing:
AWS Resources
● AWS Console
● AWS API
● Network Access / VPN
● EC2 Instances
Other Resources
● New Relic
● Datadog
● Pingdom
● Google Apps
● Office 365
● Jira
● Github
● Logz.io
● ...

● Don't mix Corporate and Cloud Resources
● Minimize Replication
● Maximize Federation

Corporate
● Corporate Active Directory
● Mix of users and desktops / servers
● 3rd Party SSO / Federation Services
Cloud
● Cloud Active Directory
● Cloud Resources Only
Integration
● One Way Trust between Corp AD and Cloud AD
● Temporary credentials “Token Vending Machine”

Login Scenarios
● AWS Console
  ○ SAML Federation
● VPN
  ○ Radius
● Jumpbox on EC2
  ○ Radius / LDAP
● Windows instance on EC2
  ○ Kerberos / LDAP
● Linux instance on EC2
  ○ Kerberos / LDAP
Avoid multiple identities, including IAM Users

Network Access
Networking
● Public Internet
● VPN / IPSec Tunnel
● DirectConnect

Direct Connect Options
● Private Virtual Interface – Access to VPC
  ○ Note: VPC Endpoints are not transitive via VPC Peering
● Public Virtual Interface – Access to the region IP address space (non-VPC Services)

Access to your private resources over SSL VPN
● OpenVPN
● Fortinet Fortigate
● CheckPoint
● Sophos
● pfSense
● … Others

Don’t assume your corporate network is secure and expose your production networks to all users.

Perimeter Security
Inbound Layer / Application Layer / Outbound Layer

AWS Shield - Managed (DDoS) protection service
● Basic / Advanced
● Seamless Integration and Deployment
● Customizable Protection
● Cost Efficient
AWS WAF - Web Application Firewall
● Increased Protection Against Web Attacks
● Security Integrated with Applications
● Web Traffic Visibility
● Cost Effective Web Application Protection

● Inspect inbound and outbound traffic
● Create a controlled environment that minimizes human mistakes

Host Security
What’s Host Security?
● OS Hardening
● Anti Virus
● Malware Protection
● Host Based IPS
● File Integrity Monitoring
● Vulnerability Scanning

Data Encryption
AWS Encryption Options
Data at Rest
● EC2 Parameter Store
● EBS Encryption (inc. root device)
● S3 Client / Server Side Encryption
● RDS / Redshift Storage Encryption
● DynamoDB Client Side Encryption
https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf
Data in Transit
● APIs are TLS Encrypted
● Service Endpoints are TLS Encrypted
● Elastic Load Balancer supports TLS
● CloudFront supports TLS
● IPSec VPN

Encrypt all your data with a fine-grained policy; you never know who will gain access to the data, or when.

Centrally Monitor and Audit
Event Sources
● CloudTrail
● ELB / S3 / CloudFront Access Logs
● VPC Flow logs
● AWS Inspector
● Host AV & IPS
● Network WAF & IPS
● Evident.io / Dome9
● Observable

● Create Clear Visibility
● Set Governance Rules
● Define Actions
3-page AWS Security Checklist
https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Checklist.pdf

Join our Fastlane to a Successful Cloud Deployment
Contact me: lahav.savir@allcloud.io
