CLOUD SECURITY CRASH COURSE
ADDRESSING REAL WORLD CONCERNS
Joel Friedman, CTSO
ABOUT ME
Name: Joel Friedman
Title: Chief Technology & Security Officer of Datapipe
Certifications: CISSP, CISA, CISM, CRISC, CEH, CCISO, AWS SSA, PCI ISA
Quick facts about Joel:
  16 years of information security experience
  NJ Tech Council Chief Technology Officer of the Year
  Inventor of Datapipe Audit and Access Control (DAAC)
Quick facts about Datapipe:
  Cloud agnostic managed services company, including traditional IT & hybrid
  First managed services partner for AWS
  Magic Quadrant for Public Cloud Infrastructure Managed Service Providers, Worldwide: Leader
  Asia/Pacific Magic Quadrant Cloud-Enabled Managed Hosting: Visionary
PREAMBLE
SECURITY IS NOT A BARRIER, RATHER AN ENABLER
ROOT CAUSE OF SECURITY BREACHES:
  People: Phishing, key usage
  Services: Web applications
  Configuration: Platform, systems
ACADEMIC   PRAGMATIC
Platform Risks
VENDOR MANAGEMENT
Inherited compliance and certifications
  o Scope matters
Indemnification and Liability Limits
  o Differ amongst hyper-scalers
Privacy (NDA, privacy policies)
Data storage & data sovereignty (DPA, Privacy Shield)
Compliance Restrictions
  o Dedicated tenancy hosts
SHARED RESPONSIBILITY MODEL
CUSTOMERS are responsible for their security and compliance IN the Cloud:
  CUSTOMER CONTENT
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Client-side Data Encryption / Server-side Data Encryption / Network Traffic Protection
AWS is responsible for the security OF the Cloud:
  FOUNDATION SERVICES: Compute, Storage, Database, Networking
  GLOBAL INFRASTRUCTURE: Availability Zones, Regions, Edge Locations
PLATFORM SECURITY SETTINGS
Numerous user-controllable options govern cloud security. Define a corporate policy around appropriate settings, and ideally leverage tools which automatically check and report against that policy on a continual basis.
USER SECURITY SETTINGS
  Root account
  Root API
  Password Policy
  MFA
  VPC
  Encryption
  Insecure SGs / NACLs
  IAM Policies
  Object Storage Permissions
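The continual-check tooling the slide recommends, as an added example that is not part of the deck: a Python policy check run over a constructed account snapshot covering the root account, password policy, security groups and object storage settings listed above. The snapshot shape, the 14-character minimum and the web-port allowlist are assumptions; a real tool would populate the snapshot from the provider's APIs.

```python
SNAPSHOT = {  # constructed sample account, not real data
    "root": {"mfa_enabled": False, "access_keys": 1},
    "password_policy": {"min_length": 8, "max_age_days": 0},
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-app", "ingress": [{"port": 8080, "source_sg": "sg-web"}]},
    ],
    "buckets": [{"name": "logs", "public": False, "encrypted": True},
                {"name": "assets", "public": True, "encrypted": False}],
}
PUBLIC_OK_PORTS = {80, 443}  # assumed policy: only web ports may face the internet

def check_root(snap):
    root, findings = snap["root"], []
    if not root["mfa_enabled"]:
        findings.append("root: MFA not enabled")
    if root["access_keys"]:
        findings.append("root: API access keys exist")
    return findings

def check_password_policy(snap):
    policy, findings = snap["password_policy"], []
    if policy["min_length"] < 14:
        findings.append("password policy: minimum length below 14")
    if policy["max_age_days"] == 0:
        findings.append("password policy: no rotation enforced")
    return findings

def check_security_groups(snap):
    findings = []
    for sg in snap["security_groups"]:
        for rule in sg["ingress"]:
            # world-open rules tolerated only on web ports; SG-sourced rules pass
            if rule.get("cidr") == "0.0.0.0/0" and rule["port"] not in PUBLIC_OK_PORTS:
                findings.append(f"{sg['id']}: port {rule['port']} open to 0.0.0.0/0")
    return findings

def check_buckets(snap):
    findings = []
    for bucket in snap["buckets"]:
        if bucket["public"]:
            findings.append(f"bucket {bucket['name']}: publicly readable")
        if not bucket["encrypted"]:
            findings.append(f"bucket {bucket['name']}: default encryption off")
    return findings

def audit(snap):
    """Run every check; an empty list means the snapshot meets policy."""
    return check_root(snap) + check_password_policy(snap) + check_security_groups(snap) + check_buckets(snap)
```

Scheduling audit() against a fresh snapshot and diffing the findings list over time gives the continual report the slide asks for.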
IDENTITY AND FEDERATION
External identity management provides:
  Unified identity for cloud and on-premise users
  Integration into existing starters/leavers process
  Integration into corporate RBAC process (map to Roles)
  Single Sign-On (MFA, UBA, etc.)
PaaS & SaaS
WISHFUL THINKING
In a perfect world there would be a SaaS for every business function you need, customized precisely how you need it, that you trusted and that complied with all regulations. Life would be easy.
AS-A-SERVICE DIFFERENTIATION
SAAS (RFP / CONTRACT IT IN): Presentation Modality, Data, Meta data, Content, Integration & middleware, APIs, Core connectivity & delivery, Abstraction, Hardware, Facilities
PAAS: Integration & middleware, APIs, Core connectivity & delivery, Abstraction, Hardware, Facilities
IAAS (BUILD IT IN): APIs, Core connectivity & delivery, Abstraction, Hardware, Facilities
The lower down the stack the Cloud provider stops, the more security the consumer is tactically responsible for implementing & managing.
PLATFORM-AS-A-SERVICE
SAAS + PLATFORM + DEVELOPERS
  Training
  Contract
  Platform specific security settings
SSDLC: Secure Software Development Life Cycle (Define, Design, Develop, Test)
  Security Training
  Documented Security Requirements
  Integrated Security in Cloud Architecture Design
  Code review with emphasis on critical components
  SAST / DAST
  Automated & Manual Testing
  CI/CD push from Dev to Prod
Instance Security (IaaS)
CHANGE INFRASTRUCTURE MATURITY
STEADY STATE DATACENTER
  Generally labeled as Mode 1
  Slowly changing applications with larger sets of changes per deployment
  Less time-critical, business-focused need to change
  Often seen in back-office applications
HIGH-VELOCITY CLOUD DEPLOYMENTS
  Generally labeled as Mode 2
  Also labeled as DevOps in popular press
  Key feature is smaller, more rapid deployments driven by need to provide direct business value
  Often necessary due to competitive landscape in a line of business
GOVERNANCE axis (+ to -): MODE 1 Systems of Record, Systems of Differentiation, MODE 2 Systems of Innovation
MODE 1: SECURITY
  Manual Deployments
  Manual Patch Management & App Updates
  Governed Under Change Control
  System Hardening
  Agent Based Security
  Virtual Network Appliances
MODE 2: SECURITY
  Immutable workloads
  AMI builds / image factory / container registry
  User-data bootstrapping
  Auto-inheritance of security policies
  Auto-discovery via API and network
  No network chokepoints
  Identifiers should not be IP address based
Best Practices
ACCESS CONTROL
API KEY MANAGEMENT
  Source code
  Servers
  Temporary Keys
USER BASED
  Active Directory
  SSH Keys
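One concrete control for the "Source code" and "Temporary Keys" items above, as an added example that is not from the deck: a Python scanner that flags long-term AWS access keys (AKIA prefix) and secret keys in a constructed source file, while reporting but not blocking on temporary STS keys (ASIA prefix) because those expire on their own. The file contents and every key value are constructed and fake.

```python
import re

# Long-term IAM user keys start with AKIA; temporary STS keys start with ASIA.
LONG_TERM_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
TEMP_KEY = re.compile(r"\bASIA[0-9A-Z]{16}\b")
# a 40-character secret assigned to the well-known variable name, any quoting
SECRET_ASSIGN = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")

SAMPLE_SOURCE = """\
# constructed sample file, the key values below are fake
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# temporary credentials from an assumed role expire by themselves
session_key = "ASIAEXAMPLE000000002"
"""

def scan(text):
    """Return (line_no, kind) for each credential-like token in the text.
    The kind tells a reviewer whether the token is long-term material that
    must be removed and rotated, or a temporary key of lower risk."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if LONG_TERM_KEY.search(line):
            hits.append((number, "long-term access key"))
        if SECRET_ASSIGN.search(line):
            hits.append((number, "secret access key"))
        if TEMP_KEY.search(line):
            hits.append((number, "temporary access key"))
    return hits

def blocking_findings(text):
    """What a pre-commit or CI gate would fail the build on: only long-term material."""
    return [hit for hit in scan(text) if hit[1] != "temporary access key"]

if __name__ == "__main__":
    for number, kind in scan(SAMPLE_SOURCE):
        print(f"line {number}: {kind}")
```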
GOVERNANCE
  Tagging
  Account & VPC segregation
  Continuous Integration / Continuous Deployment
  Cloud Access Security Broker (CASB): SaaS encryption, User Behavior Analytics / Compromised Credentials, Data Leak Protection
ARCHITECTURAL PATTERNS
  Management VPC
  Bastion Hosts
  NACLs & Security Groups
  VPN
NATIVE OR BRING YOUR OWN
Key / Encryption Management
  o Platform / Customer Managed Keys
  o HSM
IAM Integration vs. Separate Identities
Network Management
  o Scale or visibility?
  o Centralized vs. distributed control
FURTHER READING
CLOUD SECURITY ALLIANCE
  Security Guidance for Critical Areas of Focus in Cloud Computing
ALIBABA
  Cloud Security Whitepaper
AWS
  Introduction to AWS Security
  Introduction to AWS Security Processes
  Security Best Practices
  AWS Security Checklist
  Many more
AZURE
  Network Security Best Practices
  Data security and encryption best practices
  Identity management and access control security best practices
  IaaS Security Best Practices
  Many more
THANK YOU FOR LISTENING
ANY QUESTIONS?
COME & SEE US AT OUR STAND!
W: DATAPIPE.COM
E: apac@datapipe.com
T: (HK) +852 3521 0215