Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

Best Practices for Cloud Security at Scale. Phil Rodrigues, Security Solutions Architect, Amazon Web Services, ANZ. www.cloudsec.com #CLOUDSEC

Best Practices for Security at Scale: Best of the Best tips for Security in the Cloud. Phil Rodrigues, Security Solutions Architect, Amazon Web Services. Level 200. 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Agenda
- Sources of Best Practices
- A Bad Day
- Best of the Best Practices: Infrastructure Security; Data Protection; Identity and Access Management; Logging and Monitoring
- Tools and Automation
- Click, Script, Commit

Sources of Best Practices
- AWS Cloud Adoption Framework (CAF): how to move to the cloud securely, including the Core Five Epics: Identity and Access Management; Logging and Monitoring; Infrastructure Security; Data Protection; Incident Response.
- AWS Security Best Practices: whitepaper with 44 best practices, including Identity and Access Management (10 best practices), Logging and Monitoring (4), Infrastructure Security (15) and Data Protection (15).
- Centre for Internet Security (CIS) Benchmarks: 148 detailed recommendations for configuration and auditing, covering AWS Foundations (52 checks aligned to AWS Best Practices) and AWS Three-Tier Web Architecture (96 checks for web applications).

CIS Benchmarks: each recommendation states What, Why, Check, Fix.

A is for Andy and B is for Bill. Andy follows best practices :-) Bill does NOT follow best practices :-(

Bill's Bad Day (diagram): Bill's single AWS account holds a Gateway, a Web Server Instance, an Internal Data Service, the Website Images and the Data Backup.

Bill's Bad Day: what the Bad Person does
1 Access the vulnerable web application (via the Gateway and Web Server Instance)
2 Pivot to the Internal Data Service
3 Delete the Website Images files
4 Change permissions on the Data Backup
5 Download the Data Backup

Bill's Bad Day: what went wrong
1 No web application protection
2 No segmentation
3 One account
4 All permissions granted
5 Sensitive data not encrypted
6 No logging, monitoring, alerting
Now let's help Andy have a great day! :-)

Best of the Best Practices: Infrastructure Security
1) Create a Threat Prevention Layer using AWS Edge Services (CloudFront, AWS Shield, AWS WAF). Use the 70 worldwide points of presence in the AWS Edge Network to provide scalability, protect from denial of service attacks, and protect from web application attacks.
2) Create network zones with Virtual Private Clouds (VPCs) and Security Groups. Implement security controls at the boundaries of hosts and virtual networks within the cloud environment to enforce access policy.
3) Manage vulnerabilities through patching and scanning (Inspector). Test virtual machine images and snapshots for operating system and application vulnerabilities throughout the build pipeline and into the operational environment.
Sources for each practice: AWS Best Practices Paper, CIS Foundations, CIS Web-Tier.

Infrastructure Security (diagram, step 1): Andy's AWS account, with CloudFront, AWS Shield and AWS WAF in front of the Gateway, Security Groups around the Web Server Instance and the Internal Data Service, Inspector scanning the instance, and the Website Images and Data Backup behind them.

Best of the Best Practices: Data Protection
4) Encrypt data at rest (with the occasional exception). Enabling encryption at rest helps ensure the confidentiality and integrity of data. Consider encrypting everything that is not public.
5) Use server-side encryption with provider managed keys (AWS KMS encryption key for S3 data). AWS Key Management Service (KMS) is seamlessly integrated with 18 other AWS services. You can use a default master key or select a custom master key, both managed by AWS.
6) Encrypt data in transit (with no exceptions): SSL / TLS / HTTPS from CloudFront to the Gateway. Encryption of data in transit provides protection from accidental disclosure, verifies the integrity of the data, and can be used to validate the remote connection.
Sources for each practice: AWS Best Practices Paper, CIS Foundations, CIS Web-Tier.

Data Protection (diagram, step 2): the same account, now with the Website Images and Data Backup encrypted under AWS KMS data encryption keys.

Best of the Best Practices: Identity and Access Management
7) Use multiple AWS accounts to reduce blast radius (for example Production and Staging). AWS accounts provide administrative isolation between workloads across different lines of business, regions, stages of production and types of data classification.
8) Use limited roles and grant temporary security credentials (IAM, IAM Roles, Temporary Security Credentials). IAM roles and temporary security credentials mean you don't always have to manage long-term credentials and IAM users for each entity that requires access to a resource.
9) Federate to an existing identity service (IAM, MFA token, AWS Directory Service). Control access to AWS resources, and manage the authentication and authorisation process without needing to re-create all your corporate users as IAM users.
Sources for each practice: AWS Best Practices Paper, CIS Foundations, CIS Web-Tier.
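As an added illustration that is not part of the deck, a small Python check for the "All permissions granted" failure from Bill's bad day: it flags IAM policy statements that are too broad for the limited roles of practice 8. Both policy documents are constructed samples and the bucket name is a placeholder.

```python
# Constructed samples: Bill's everything-allowed policy, and a scoped read-only
# policy for Andy's web tier (the bucket name is a placeholder).
BILL_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ANDY_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                              "Resource": "arn:aws:s3:::example-website-images/*"}]}


def _as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """Flag Allow statements too broad for a limited role (practice 8).

    Returns [(statement_index, finding), ...]. A statement is flagged when it
    allows "*" (every action) or "<service>:*" (every action of one service)
    on Resource "*", or when it uses NotAction, which allows everything not
    listed and so needs a manual review.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        resources = _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            findings.append((i, "NotAction allows every action not listed"))
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" and "*" in resources:
                findings.append((i, "all actions on all resources"))
            elif action.endswith(":*") and "*" in resources:
                findings.append((i, "all %s actions on all resources" % action[:-2]))
    return findings


def is_limited(policy):
    """True when nothing was flagged, i.e. the policy is scoped enough for practice 8."""
    return not find_wildcard_grants(policy)
```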

Identity and Access Management (diagram, step 3): Andy's workload is now split across two AWS accounts; IAM issues Temporary Security Credentials, and corporate users sign in through AWS Directory Service with an MFA token.

Best of the Best Practices: Logging and Monitoring
10) Turn on logging in all accounts, for all services, in all regions (AWS CloudTrail, CloudWatch). The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. CloudWatch collects and tracks metrics and monitors log files.
11) Use the AWS platform's built-in monitoring and alerting features (CloudWatch Alarms, AWS Config). Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity.
12) Use a separate AWS account to fetch and store copies of all logs (a Security account alongside Production). Configuring a security account to copy logs to a separate bucket ensures access to information which can be useful in security incident response workflows.
Sources for each practice: AWS Best Practices Paper, CIS Foundations, CIS Web-Tier.

Logging and Monitoring (diagram, step 4): AWS CloudTrail, CloudWatch and AWS Config added across both of Andy's accounts.

Best Practices (diagram): the complete picture for Andy: two AWS accounts; Inspector, AWS CloudTrail, CloudWatch and AWS Config; AWS Directory Service with an MFA token; Security Groups around the Web Server Instance and the Internal Data Service; AWS WAF, CloudFront and AWS Shield in front of the Gateway; IAM with Temporary Security Credentials; and the Website Images and Data Backup encrypted with AWS KMS data encryption keys.

Tools and Automation
- Inspector: an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
- CloudWatch Events: a monitoring service for AWS cloud resources and the applications you run on AWS. You can easily build workflows that automatically take actions you define, such as invoking an AWS Lambda function, when an event of interest occurs.
- AWS Config Rules: a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config.
See also: AWS re:Invent 2016, "5 Security Automation Improvements You Can Make by Using CloudWatch Events and AWS Config Rules" (SAC401).
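An added example, not code from the deck, tying the Config Rules of this slide to practice 10 (logging in all regions) and practice 12 (verifiable log copies in the security account): a custom AWS Config rule written as a Python Lambda handler that evaluates a CloudTrail trail. The invocation event is a constructed sample; the configuration item key names (isMultiRegionTrail, includeGlobalServiceEvents, logFileValidationEnabled) and the injectable config_client parameter are assumptions made here.

```python
import json


def evaluate_trail(configuration):
    """Return (compliance_type, annotation) for one CloudTrail trail configuration.
    COMPLIANT needs all regions (practice 10), global service events (IAM, STS) and
    log file validation, so the copies held by the security account can be verified."""
    problems = []
    if not configuration.get("isMultiRegionTrail", False):
        problems.append("trail is single-region")
    if not configuration.get("includeGlobalServiceEvents", False):
        problems.append("global service events are not recorded")
    if not configuration.get("logFileValidationEnabled", False):
        problems.append("log file validation is off")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "multi-region trail with log file validation"


def build_evaluation(event):
    """Turn a Config invocation into the Evaluation dict that put_evaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::CloudTrail::Trail":
        return None  # the rule is scoped to trails; ignore anything else
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        compliance, annotation = "NOT_APPLICABLE", "trail no longer exists"
    else:
        compliance, annotation = evaluate_trail(item.get("configuration") or {})
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}


def lambda_handler(event, context, config_client=None):
    """Lambda entry point; in Lambda pass boto3.client("config"), offline pass nothing."""
    evaluation = build_evaluation(event)
    if evaluation is not None and config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation


# Constructed sample invocation for Bill's single-region trail; key names follow
# the AWS::CloudTrail::Trail configuration item as assumed here.
SAMPLE_EVENT = {"resultToken": "placeholder-token", "invokingEvent": json.dumps({
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {"resourceType": "AWS::CloudTrail::Trail", "resourceId": "bill-trail",
                          "configurationItemStatus": "OK",
                          "configurationItemCaptureTime": "2017-01-01T00:00:00.000Z",
                          "configuration": {"isMultiRegionTrail": False,
                                            "includeGlobalServiceEvents": True,
                                            "logFileValidationEnabled": False}}})}
```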

Three Speeds: Crawl, Walk, Run
Three Levels: 8-bit Mario, 16-bit Mario, 64-bit Mario
Three Stages: Zero, Pro, Hero
Three Stages: Click, Script, Commit

Three Stages of Cloud Security Maturity
Stage One, Click: manual best practices; static workloads; release 1x per month
Stage Two, Script: automated controls; evolving workloads; release 1-10x per month
Stage Three, Commit: continuous security; agile workloads; release 10-100x per month (DevSecOps?)

Prepare your Umbrella Before it Rains: turn it on.

Resources
AWS Security Best Practices White Paper: http://bit.ly/awsbest
CIS AWS Security Foundations: http://bit.ly/awscis
CIS AWS Three-Tier Web Architecture: http://bit.ly/awscis3t
https://aws.amazon.com/summits/sydney/on-demand-17/security-cloud/

Thank you!