Best Practices for Securing Your AWS Cloud Network

Transcription

1 Best Practices for Securing Your AWS Cloud Network Roy Feintuch CTO Harish Agastya CMO

2 Who Are We An advanced SaaS-based security solution designed to secure public and hybrid clouds Over 1000 Customers, 100,000 Cloud Servers Protected 2

3 Agenda On this webinar, you will learn about: Typical network security issues seen by Dome9 while working with organizations on AWS Best practices to address these issues (without Dome9) Leveraging Dome9 to address these best practices 3

4 What s Not Covered in this Webinar Things around general AWS security issues: Console security Identity and Access Mgmt Specific AWS services hardening (such as S3 security) Server / OS hardening User accounts management Encryption 4

5 The Challenges of being an AWS Security Admin Mission-critical enterprise applications are now being run on AWS De-facto platform leader with many built-in security controls Not a dedicated security operations console, challenging to operate at scale at the speed of cloud You still need to ensure ALL servers maintain adequate security ALWAYS - and you have to be able to prove it 3rd party security tools have limited visibility across AWS services & don t leverage the existing AWS security controls 5

6 9 Best Practice Recommendations from Dome Prevent firewall misconfiguration 2. Ensure correct AWS Security group assignments 3. Implement Network ACL correctly 4. Ensure SSH/RDP not open to the Internet 5. Plan for firewall change management and audit 6. Have firewall logs in place 7. Use human readable security policies 8. Manage your inventory of IP addresses 9. Deploy security in depth with host controls

7 #1: Prevent Firewall Misconfiguration Firewall misconfiguration (e.g. ports opened to the entire internet) is one of the main causes of breach Recommendations: Set and Review Alerts from AWS Trusted Advisor Periodic review of your Security groups The Dome9 Way: Alerts, Visualization of Security Group Policies 7

8 #2: Ensure correct AWS Security Group assignments Incorrect assignment of instances to SG. Especially with more complex deployments and where an instances is assigned to multiple SGs Recommendation: Assign security specialist to regularly monitor AWS console The Dome9 Way: Visualization of Instances Effective Policy 8

9 #3: Implement Network ACLs. Correctly Security teams often neglect to implement Network ACLs or to complement them with Security Groups Recommendations: Implement Network ACLs to segregate networks Make sure that Security Groups are implemented as a fine-grained network control Dome9 Tip: Look for Yellow colorcoded instances in Dome9 Clarity Visualization 9

10 #4: Ensure SSH/RDP not open to Internet SSH/RDP or other administrative services are frequently kept open for simplicity Recommendations: Limit the scope of these services to a few trusted IP addresses Use bastion hosts to reduce exposure of internal cloud servers The Dome9 Way: Dome9 dynamic access leases enable fine-grained on-demand access 10

11 #5:Plan for firewall change management & audit Many organizations overlook this in AWS environments compared to internal datacenters Recommendations: Implement AWS Cloudtrail and create alerts for security related changes Have strict IAM policy in place The Dome9 Way: Strong user permissions system Security groups Tamper Protection Auditing and notifications system 11

12 #6: Have firewall logs in place Firewall logging information is critical to improve your security, however AWS does not currently provide that functionality. Recommendations: Enable ELB, CloudFront and S3 access logs. Configure host-based logging via Linux IPtables and Windows FW logging capabilities. The Dome9 Way: Deploy Dome9 Agents and turn on logging policy 12

13 #7: Use human readable security policies Challenge: large scale firewall policies becomes very difficult to manage Recommendations: Utilize AWS tags for SG to add as much information as possible Maintain external documentation (Excel?) for all your security policies - with relevant context, ports and purpose of the service The Dome9 Way: Dome9 policies (even when defined in AWS) can be annotated with human descriptions and tags. 13

14 #8: Manage your inventory of IP addresses IP addresses are a source of rigidity in security operations. Eventually they will become a source of misconfiguration and security risk Recommendation: Make sure to documents all IP addresses that are used in AWS policies (Excel?) The Dome9 Way: Dome9 provides an IP address center to manage IP Lists & DNS objects 14

15 #9: Deploy security in depth with host controls For mission critical servers, it is important to include additional host based security controls beyond what s available in AWS Recommendation: Implement proper server hardening techniques and deploy host-based security controls like OSSEC The Dome9 Way: Dome9 agents can provide managed FIM as a second line of defence (based on OSSEC) 15

16 9 Best Practice Recommendations Recap Prevent firewall misconfiguration 2. Ensure correct AWS Security group assignments 3. Implement Network ACL correctly 4. Ensure SSH/RDP not open to the Internet 5. Plan for firewall change management and audit 6. Have firewall logs in place 7. Use human readable security policies 8. Manage your inventory of IP addresses 9. Deploy security in depth with host controls

17 Take Dome9 Out for a Spin Sign up for a 30-day free www. dome9.com 5 minute setup REGISTER NOW 17

18 Q&A

19 The Dome9 Solution 1 19 Large Scale Network Firewall Management 2 3 Host Firewall and File Integrity Continuous Monitoring and Auditing 4 Server Access Control