February 2019
Best Practices for Cloud Security:
Insights from the Front Lines
Copyright © 2019 Symantec Corporation SYMANTEC PROPRIETARY– Limited Use Only
Security in the Public Cloud
The Shared Responsibility Model
Security in the Public Cloud
Challenges
• Immature practice of security controls yields low-hanging fruit
for attackers
• Zero-day exploits against cloud workloads and containers
• Malware outbreak via cloud storage
• Attackers insert rogue processes into
authorized workloads
• Traditional endpoint protection does not work
in cloud environments
Lift & Shift Security Fails in the Cloud
Not a Long-term Solution
Traditional security tools
- Can’t integrate with modern DevOps workflows
- Break immutable workload requirements
- Break auto-deployment workflows
IaaS: CASB & CWP
[Diagram labels, in slide order: IaaS/PaaS + SaaS; IaaS/PaaS; InfoSec; DevSecOps; Infrastructure Management; User Management; OS Hardening; App Control; RT File Integrity Management; App Isolation; Malware Protection; Data Loss Prevention; User/Admin Monitoring and Control; UEBA Account Protection; Prevent Misconfiguration; Policy Enforcement; DLP for Storage; Malware Protection for Storage; Custom App Security; IaaS/PaaS; Compliance Assurance; Configuration Monitoring; Compute; Storage; Compliance; Threat Protection; Integrated Cyber Defense; Data Loss Prevention; Configuration Control Plane]
Symantec Cloud Workload Protection (CWP)
Automated Security for Public Cloud Infrastructure Management
• Cloud-native protection integrates with modern DevOps and CI/CD pipelines
• Cost savings result from automating deployment workflows
• Anti-malware for compute and storage
• OS and application hardening for continuous management without patching or intervention
• CWP security controls are baked into images, satisfying immutability requirements
Try Symantec Cloud Workload Protection for free*
* 20,000 hours of free usage, valid for 89 days.
Symantec Cloud Workload Assurance (CWA)
Cloud Security Posture Management for Configuration Control Plane
• Gain deep visibility of all risks and control of the cloud management plane across multi-cloud surfaces
• Monitor cloud resources for misconfigurations that can expose data
• Fix misconfigurations quickly and easily with guided remediation and alerts
• Assess and report compliance posture against regulations & benchmarks
Try Symantec Cloud Workload Assurance for free*
* 1 account and up to 500 resources, valid for 30 days.
Symantec CloudSOC
Cloud Access Security Broker for SaaS, PaaS, and IaaS
• Shadow IT: Detect, monitor, and control Shadow IT use of cloud
and mobile apps
• Data Security: Protect confidential data from loss or exposure
in the cloud with advanced DLP
• Threat Protection: Combat threats with malware analysis,
advanced threat protection, and the world’s largest civilian
threat intelligence network. Protect against compromised
accounts and careless or malicious users.
• Compliance: Perform risk analysis of cloud services, monitor
use of cloud, and protect regulated data types with automated
controls and at-a-glance dashboards
Request a Shadow Data Risk Assessment for AWS Today!
AWS Cloud Security
Best Practices
Decentralize security
responsibility
Educate application owners on how to
secure their services.
Engage risk and compliance team to establish
regulatory compliance requirements.
Involve InfoSec team to include AWS into cloud
app security and data loss protection strategy.
Democratize cloud
infrastructure
Adopt a shared responsibility model.
• AWS to secure the underlying
infrastructure
• Your teams to determine how to
configure and use your AWS
environment
“Organizations
can’t have
centralized security
and decentralized
operations.”
Hardeep Singh
Symantec Cloud Security Architect
Deploy DevSecOps
Reengineer software
development lifecycle (SDLC) and
morph it into a security practice.
Embed security within the
software development lifecycle
process when migrating to AWS.
Address attack vectors
Adopt a holistic cloud security
approach and secure the entire fabric.
• From where the information is
stored, to compute, to different
service components that you may
consume from AWS
“Security is not absolute,
but a gradient against the
lever of velocity.”
Raj Patel
Vice President of Cloud Platform Engineering,
Symantec
Automate Compliance
Enforce critical policies and
regulations by employing
governance, risk and compliance
tools that can help inventory your IT
assets, evaluate vulnerabilities,
govern information access, and
automate compliance reporting.
Enhance visibility
Monitor and audit the
configuration of your cloud
services and security-related
actions of your admins and
users by obtaining visibility and
control of their cloud
management plane.
Avoid configuration
mistakes
Configure your cloud in key areas
including identity and access
management, logging, monitoring
and networking.
“Companies with limited
resources and budget should
actually consider moving to
the cloud in order to benefit
from stronger security and
compliance.”
Curt Dukes
Executive Vice President
for Security Best Practices, CIS
(Center for Internet Security, Inc)
DevOps + InfoSec
5 Steps to Better Security
Embrace the shared responsibility model
Approach for the relationship between the
DevOps team and the security team—both teams
need to work collaboratively to secure public
cloud infrastructure.
Apply security at all layers
in CI/CD pipeline
Shift left for planning, shift right for runtime.
This moves security management to a continuous
validation mode. The cloud allows you to change
things or move things really rapidly and in a
software-driven way.
Implement a “least privilege” approach
Adopt a “least privilege” approach upfront, and if
your organization is just starting down the
DevSecOps path, focus on the users and apps that
have the most risk for their business.
Protect data in transit and at rest
Leverage the agile software development
processes to write cyber security-related use
cases with data protection foremost in mind.
Embed a security professional or
engineer within DevOps
Ensure security is a regular discipline in CI/CD
pipeline by having developers and InfoSec
professionals working elbow-to-elbow.
Resources
• A Guide to Amazon Web Services (AWS) Cloud Security Best Practices
• AWS & Symantec Webcast: Security that Scales: Automating Security and
Compliance for DevOps
• Infographic for DevOps: Work Less. Secure More.
• Infographic for InfoSec: DevOps + InfoSec − The New Dynamic Duo
• Shared Responsibility Quiz: Now Who Protects What?
• Try Symantec Cloud Workload Protection for free
• Try Symantec Cloud Workload Protection for Storage for free
• Try Symantec Cloud Workload Assurance for free
Thank You!
