SlideShare a Scribd company logo

Automating your AWS Security Operations

Download as PPTX, PDF
Evident.io
Evident.io

This document discusses automating security operations on AWS. It begins by noting the large costs of data breaches and intellectual property theft for businesses. It then discusses how AWS can provide more security than an on-premises environment through features like automated logging and monitoring, simplified access controls, and encryption. The document emphasizes that security is a shared responsibility between AWS and the customer, with AWS securing the underlying cloud infrastructure and customers securing their applications and data. It provides examples of AWS security certifications and programs. Finally, it discusses how security automation is key to keeping up with the scale of cloud infrastructure and software delivery.

1 of 51
Downloaded 34 times
Automating Security Operations on AWS Pat McDowell Solutions Architect at AWS Tim Prendergast CEO and Co-Founder at Evident.io Shannon Lietz DevSecOps Leader at Intuit
$6.53M 56% 70% Increase in theft of hard intellectual property Of consumers indicated they’d avoid businesses following a security breach Average cost of a data breach Your data and IP are your most valuable assets https://www.csid.com/resources/stats/data-breaches/ http://www.pwc.com/gx/en/issues/cyber- security/information-security-survey.html https://www.csid.com/resources/stats/data-breaches/
In June 2015, IDC released a report which found that most customers can be more secure in AWS than their on-premises environment. How? Automating logging and monitoring Simplifying resource access Making it easy to encrypt properly Enforcing strong authentication AWS can be more secure than your existing environment
AWS and you share responsibility for security AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Identity & Access Control Network Security Customer applications & content You get to define your controls ON the Cloud AWS takes care of the security OF the Cloud You Inventory & Config Data Encryption
Constantly monitored The AWS infrastructure is protected by extensive network and security monitoring systems: • Network access is monitored by AWS security managers daily • AWS CloudTrail lets you monitor and record all API calls • Use VPC Flow Logs to monitor and analyze network traffic to your instances
Highly available The AWS infrastructure footprint protects your data from costly downtime: • 33 Availability Zones in 12 regions for multi-synchronous geographic redundancy • Retain control of where your data resides for compliance with regulatory requirements • Mitigate the risk of DDoS attacks using services like AutoScaling, Route 53
Integrated with your existing resources AWS enables you to improve your security using many of your existing tools and practices: • Integrate your existing Active Directory • Use dedicated connections as a secure, low-latency extension of your data center • Provide and manage your own encryption keys if you choose
Key AWS Certifications and Assurance Programs
+
Security Automation is a key differentiator for cloud companies
You are responsible for protecting your data/assets Customer Data Applications Identity Access Management OS Network Firewall Client-side Encryption Server-side Encryption Network Traffic Protection Compute Storage Networking AWS Global Infrastructure (Regions, Azs, Edge Locations) AWS: Security of the Cloud Customer: Security on the Cloud
You have a huge quantity of intelligence to process This is just a SUBSET of an average company’s data flows Amazon Elasticsearch
The Human Challenge Humans have finite scale…
…Then we turn to automation.
Security breach
Why automate Security? We’re less than one million security professionals short of “equilibrium” and lagging…
No matter how good your process is, Alert Fatigue will trump it… Why automate Security? Alert Psychology proves that fatigue destroys process
As infrastructure and software delivery accelerate, there is no alternative. The fallacy of choice…
Security DevOps Security Automation is good for everyone  DevOps builds Value  Security builds Trust  Customers / businesses need  Trust and Value
Evident Security Platform (ESP)  Built by cloud pioneers from Adobe, AWS, and Netflix  Agentless deployment (<5 mins)  Continuous security scanning & alerting across several AWS Services  Aligns your Security and DevOps teams on protecting cloud assets  Tracks security state to support audit, compliance, and incident response needs
Leader in Cloud Security Automation & Innovation Leader in DevSecOps + Evident & Intuit
Cloud Security Operations “boldly go where no human has gone before…” Shannon Lietz DevSecOps Leader at Intuit @devsecops
The Context… Cloud Security Operations Imagine:  Software defined security  Thousands of changes a day  The biggest “big data” problem MeanTimetoResolution(MTTR) 6 months Fast MTTR… the final frontier
So what hinders “secure” innovation @ speed & scale? 1. Manual processes & meeting culture 2. Point in time assessments 3. Friction for friction’s sake 4. Contextual misunderstandings 5. Decisions being made outside of value creation 6. Late constraints and requirements 7. Big commitments, big teams, and big failures 8. Fear of failure, lack of learning 9. Lack of inspiration 10. Management and political interference (approvals, exceptions)
In the Cloud, Everything is Code
Let’s switch some things around… Data Center Network Servers Virtualization Operations Platforms Buyer Identifier Cloud Account(s) Virtual IP Addresses Containerization Appliances Storage Security Features Applications Ephemeral Instances Scale on Demand IAAS, PAAS, SAAS Resource Testing Built-In Security Long-Term Contracts Partner Marketplaces Slow-ish Decisions Experiments
Software Defined Security  Requires significant intimate knowledge, context & understanding  Critical Cloud Security Operations Elements: – Zoning & Blast Radius Containment – Instrumentation & Monitoring to create the feedback loop – Security as Code Platform (Whitelisting, Encryption, Authorization) – API Catalog & Testing for the Full Stack – Asset Inventory & Hardened Baselines [Software, Services, Components, etc.]
The Basic Cloud Model Cloud Provider Network Backbone Cloud Platform (Orchestration) Network Compute Storage Cloud Account(s) Load Balancers Compute Instances VPCs Block Storage Object Storage Relational Databases NoSQL Databases Containers Content Acceleration Messaging Email Utilities Key Management API/Templates Certificate Management Partner PlatformInternet Backbone
Developers have lots of options…
Reality… Data Center Cloud Provider Network Internet Cloud Provider Network Data Center Cloud Provider Network Cloud Provider Network Cloud Provider Network
And Attackers also have lots of options… Victims Attackers
Shift controls & mindset Security Monitoring
Cloud Security Operations in the Cloud… Monitor & Inspect Everything insightssecurity science security tools & data Cloud accounts S3 Glacier EC2 CloudTrail ingestion threat intel continuous response security feedback loop (speed matters)
What’s this look like in practice? Etc…Etc…Etc…
Account Sharding is a new control!  Splitting cloud workloads into many accounts has a benefit.  Accounts should contain less than 100% of a cloud workload.  Works well with APIs; works dismal with forklifts.  What is your appetite for risk? Cloud Workload Templates Cloud Provider Network 33 % 33 % 33 % Attacker Cloud Account Cloud Account Cloud Account
Long live APIs…  Everything in the cloud should be an API, even Security…  Protocols that are not cloudy should not span across environments.  If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it: – Messaging – Databases – File Transfers – Logging Cloud Provider Network Tested machine image… Tested instances... Tested roles... Tested passwords... New instance created… Instance 12345 changed… User ABC accessed Instance 12345... B User Routing Data Replication Application Gateway File Transfers Log Sharing Messaging My API
Host-Based Controls  Shared Responsibility and Cloud require host-based controls.  Instrumentation is everything!  Fine-grained controls require more scrutiny and bigger big data analysis.  Agents & Outbound Reporting to an API are critical Tested machine image… Tested instances... Tested roles... Tested passwords... New instance created… Instance 12345 changed… User ABC accessed Instance 12345... B Instance Cloud Provider Network Instance
Don’t Hug Your Instances…  Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.  Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.  Make sure to keep a snapshot for forensic and compliance purposes.  Use config management automation to make changes part of the stack.  Refresh routinely; refresh often! 10DAYS
Overcoming Inconvenience  Use built-in transparent encryption when possible.  Use native cloud key management and encryption when available.  Develop back up strategies for keys and secrets.  Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor.  Use APIs to exchange data and rotate encryption.
Migrating Security to the Left where it can get built-in design build deploy operate How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits Most costly mistakes Happen during design Security is a Design Constraint faster security feedback loop
Use Cloud Native Security Features...  Cloud native security features are designed to be cloudy.  Audit is a primary need!  Configuration and baseline checks baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.  Be deliberate about how to use built-in security controls and who has access.
Secure Baselines & Patterns help a lot! AMI Amazon Elastic MapReduce AWS Import/ Export Security Monitoring Egress Proxy CFn Template Bastion CFn Template Secure VPC CFn Template CloudTrail CFn Template Secrets Bundle MarketPlace templates resourcespatterns services
Fanatical Security Testing static UX & Interfaces Micro Services Web Services Code CFn Templates dynamic Build Artifacts Deployment Packages Resources Patterns & Baselines run-time Security Groups Account Configuration Real-Time Updates Patterns & Baselines
Red Team, Security Operations & Science  API Key Exposure -> 8 hrs  Default Configs -> 24 Hrs  Security Groups -> 24 Hrs  Escalation of Privs -> 5 D  Known Vuln -> 8 Hrs
Cloud Security Disaster Recovery & Forensics is a different animal…  Regional recovery is not enough to cover security woes.  Security events can quickly escalate to disasters.  Got a disaster recovery team?  Multi-Account strategies with separation of duties can help.  Don’t hard code if you can help it.  Encryption is inconvenient, but necessary… Cloud Workload Templates Disaster Templates Cloud Provider Network 50 % 50 % Cloud Account Cloud Account Cloud Account 50 % Cloud Account 50 %
Compliance Operations as Continuous Improvement https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf
Code can solve the great divide  Paper-resident policies do not stand up to constant cloud evolution and lessons learned.  Translation from paper to code can lead to mistakes.  Traditional security policies do not 1:1 translate to Full Stack deployments. Data Center • Choose strong passwords • Use MFA • Rotate API credentials • Cross-account access Page 3 of 433 Cloud Provider Network • Lock your doors • Badge in • Authorized personnel only • Background checks EVERYTHING AS CODE
Security Decision Support
Speed & Ease can increase security!  Fast remediation can remove attack path quickly.  Resolution can be achieved in minutes compared to months in a datacenter environment.  Continuous Delivery has an advantage of being able to publish over an attacker.  Built-in forensic snapshots and blue/green publishing can allow for systems to be recovered while an investigation takes place. APP APP DB DB APP DB ATTACKED FORENSICSRECOVERED
This could be your MTTR…MeanTimetoResolution(MTTR) 6 months
Get Involved and Join the Community  devsecops.org  @devsecops on Twitter  DevSecOps on LinkedIn  DevSecOps on Github  RuggedSoftware.org  Compliance at Velocity
Ad

Recommended

Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Evident.io
 
Velocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-wayVelocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-way
Evident.io
 
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
PCI Compliance on AWS - Evident.io @ AWS Pop-up Loft 2/26/2015
Evident.io
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
Teri Radichel
 
Meeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageMeeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassage
CloudPassage
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
Teri Radichel
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
James Strong
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018Lacework Kubernetes Meetup | August 28, 2018
Lacework Kubernetes Meetup | August 28, 2018
Lacework
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no try
James Strong
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application security
John Varghese
 
Security Spotlight: The Coca Cola Company - CSS ATX 2017
Security Spotlight: The Coca Cola Company - CSS ATX 2017Security Spotlight: The Coca Cola Company - CSS ATX 2017
Security Spotlight: The Coca Cola Company - CSS ATX 2017
Alert Logic
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
OWASP Delhi
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
Lacework
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud Scale
Lacework
 
DevSecOps in 10 minutes
DevSecOps in 10 minutesDevSecOps in 10 minutes
DevSecOps in 10 minutes
kieranjacobsen
 
Security Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsSecurity Observability for Cloud Based Applications
Security Observability for Cloud Based Applications
John Varghese
 
DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017
kieranjacobsen
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
Teri Radichel
 
AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016
Gaurav "GP" Pal
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
Puma Security, LLC
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
Lacework
 
Making the Best Marketing Campaigns Even Better- UK- 2014
Making the Best Marketing Campaigns Even Better- UK- 2014Making the Best Marketing Campaigns Even Better- UK- 2014
Making the Best Marketing Campaigns Even Better- UK- 2014
Nielsen Market Research
 
mHealth Apps: Supporting a Healthier Future
mHealth Apps: Supporting a Healthier Future mHealth Apps: Supporting a Healthier Future
mHealth Apps: Supporting a Healthier Future
Research Now
 
Metrix lab wat kan en moet je weten
Metrix lab wat kan en moet je wetenMetrix lab wat kan en moet je weten
Metrix lab wat kan en moet je weten
MetrixLab - Global Online Consumer Research
 
Ramco Global Payroll on a Single Unified Platform
Ramco Global Payroll on a Single Unified PlatformRamco Global Payroll on a Single Unified Platform
Ramco Global Payroll on a Single Unified Platform
Ramco Systems
 
The Correlation between Patient Reported Outcomes and Clinician Reported Outc...
The Correlation between Patient Reported Outcomes and Clinician Reported Outc...The Correlation between Patient Reported Outcomes and Clinician Reported Outc...
The Correlation between Patient Reported Outcomes and Clinician Reported Outc...
TransPerfect Trial Interactive
 
Questions to Ask Before Selecting a Global Payroll Provider
Questions to Ask Before Selecting a Global Payroll ProviderQuestions to Ask Before Selecting a Global Payroll Provider
Questions to Ask Before Selecting a Global Payroll Provider
SafeGuard World International
 
Ad

More Related Content

What's hot (16)

Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no try
James Strong
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application security
John Varghese
 
Security Spotlight: The Coca Cola Company - CSS ATX 2017
Security Spotlight: The Coca Cola Company - CSS ATX 2017Security Spotlight: The Coca Cola Company - CSS ATX 2017
Security Spotlight: The Coca Cola Company - CSS ATX 2017
Alert Logic
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
OWASP Delhi
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
Lacework
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud Scale
Lacework
 
DevSecOps in 10 minutes
DevSecOps in 10 minutesDevSecOps in 10 minutes
DevSecOps in 10 minutes
kieranjacobsen
 
Security Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsSecurity Observability for Cloud Based Applications
Security Observability for Cloud Based Applications
John Varghese
 
DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017
kieranjacobsen
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
Teri Radichel
 
AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016
Gaurav "GP" Pal
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
Puma Security, LLC
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
Lacework
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no try
James Strong
 
Securing aws workloads with embedded application security
Securing aws workloads with embedded application securitySecuring aws workloads with embedded application security
Securing aws workloads with embedded application security
John Varghese
 
Security Spotlight: The Coca Cola Company - CSS ATX 2017
Security Spotlight: The Coca Cola Company - CSS ATX 2017Security Spotlight: The Coca Cola Company - CSS ATX 2017
Security Spotlight: The Coca Cola Company - CSS ATX 2017
Alert Logic
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
OWASP Delhi
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
Lacework
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud Scale
Lacework
 
DevSecOps in 10 minutes
DevSecOps in 10 minutesDevSecOps in 10 minutes
DevSecOps in 10 minutes
kieranjacobsen
 
Security Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsSecurity Observability for Cloud Based Applications
Security Observability for Cloud Based Applications
John Varghese
 
DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017DevSecOps - CrikeyCon 2017
DevSecOps - CrikeyCon 2017
kieranjacobsen
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
Teri Radichel
 
AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016AWS Frederick Meetup 07192016
AWS Frederick Meetup 07192016
Gaurav "GP" Pal
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
Puma Security, LLC
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
 
Lacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security ThreatsLacework | Top 10 Cloud Security Threats
Lacework | Top 10 Cloud Security Threats
Lacework
 

Viewers also liked (7)

Making the Best Marketing Campaigns Even Better- UK- 2014
Making the Best Marketing Campaigns Even Better- UK- 2014Making the Best Marketing Campaigns Even Better- UK- 2014
Making the Best Marketing Campaigns Even Better- UK- 2014
Nielsen Market Research
 
mHealth Apps: Supporting a Healthier Future
mHealth Apps: Supporting a Healthier Future mHealth Apps: Supporting a Healthier Future
mHealth Apps: Supporting a Healthier Future
Research Now
 
Metrix lab wat kan en moet je weten
Metrix lab wat kan en moet je wetenMetrix lab wat kan en moet je weten
Metrix lab wat kan en moet je weten
MetrixLab - Global Online Consumer Research
 
Ramco Global Payroll on a Single Unified Platform
Ramco Global Payroll on a Single Unified PlatformRamco Global Payroll on a Single Unified Platform
Ramco Global Payroll on a Single Unified Platform
Ramco Systems
 
The Correlation between Patient Reported Outcomes and Clinician Reported Outc...
The Correlation between Patient Reported Outcomes and Clinician Reported Outc...The Correlation between Patient Reported Outcomes and Clinician Reported Outc...
The Correlation between Patient Reported Outcomes and Clinician Reported Outc...
TransPerfect Trial Interactive
 
Questions to Ask Before Selecting a Global Payroll Provider
Questions to Ask Before Selecting a Global Payroll ProviderQuestions to Ask Before Selecting a Global Payroll Provider
Questions to Ask Before Selecting a Global Payroll Provider
SafeGuard World International
 
How localization can double your revenues
How localization can double your revenuesHow localization can double your revenues
How localization can double your revenues
RWS Moravia
 
Making the Best Marketing Campaigns Even Better- UK- 2014
Making the Best Marketing Campaigns Even Better- UK- 2014Making the Best Marketing Campaigns Even Better- UK- 2014
Making the Best Marketing Campaigns Even Better- UK- 2014
Nielsen Market Research
 
mHealth Apps: Supporting a Healthier Future
mHealth Apps: Supporting a Healthier Future mHealth Apps: Supporting a Healthier Future
mHealth Apps: Supporting a Healthier Future
Research Now
 
Metrix lab wat kan en moet je weten
Metrix lab wat kan en moet je wetenMetrix lab wat kan en moet je weten
Metrix lab wat kan en moet je weten
MetrixLab - Global Online Consumer Research
 
Ramco Global Payroll on a Single Unified Platform
Ramco Global Payroll on a Single Unified PlatformRamco Global Payroll on a Single Unified Platform
Ramco Global Payroll on a Single Unified Platform
Ramco Systems
 
The Correlation between Patient Reported Outcomes and Clinician Reported Outc...
The Correlation between Patient Reported Outcomes and Clinician Reported Outc...The Correlation between Patient Reported Outcomes and Clinician Reported Outc...
The Correlation between Patient Reported Outcomes and Clinician Reported Outc...
TransPerfect Trial Interactive
 
Questions to Ask Before Selecting a Global Payroll Provider
Questions to Ask Before Selecting a Global Payroll ProviderQuestions to Ask Before Selecting a Global Payroll Provider
Questions to Ask Before Selecting a Global Payroll Provider
SafeGuard World International
 
How localization can double your revenues
How localization can double your revenuesHow localization can double your revenues
How localization can double your revenues
RWS Moravia
 
Ad

Similar to Automating your AWS Security Operations (11)

Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?
AWS Germany
 
1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry
Amazon Web Services LATAM
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
David J Rosenthal
 
A Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig BaldingA Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig Balding
craigbalding
 
Top 10 cloud security tools to adopt in 2024.pdf
Top 10 cloud security tools to adopt in 2024.pdfTop 10 cloud security tools to adopt in 2024.pdf
Top 10 cloud security tools to adopt in 2024.pdf
Sparity1
 
AWSome Day Philippines Keynote 2015
AWSome Day Philippines Keynote 2015AWSome Day Philippines Keynote 2015
AWSome Day Philippines Keynote 2015
Hwee Bee Tan
 
Lacework slides from AWS Meetups
Lacework slides from AWS MeetupsLacework slides from AWS Meetups
Lacework slides from AWS Meetups
John Varghese
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
Cisco Canada
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
AWS Security and SecOps
AWS Security and SecOpsAWS Security and SecOps
AWS Security and SecOps
Shiva Narayanaswamy
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
Ashnikbiz
 
Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?Warum ist Cloud-Sicherheit und Compliance wichtig?
Warum ist Cloud-Sicherheit und Compliance wichtig?
AWS Germany
 
1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry1. aws security and compliance wwps pre-day sao paolo - markry
1. aws security and compliance wwps pre-day sao paolo - markry
Amazon Web Services LATAM
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
David J Rosenthal
 
A Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig BaldingA Cloud Security Ghost Story Craig Balding
A Cloud Security Ghost Story Craig Balding
craigbalding
 
Top 10 cloud security tools to adopt in 2024.pdf
Top 10 cloud security tools to adopt in 2024.pdfTop 10 cloud security tools to adopt in 2024.pdf
Top 10 cloud security tools to adopt in 2024.pdf
Sparity1
 
AWSome Day Philippines Keynote 2015
AWSome Day Philippines Keynote 2015AWSome Day Philippines Keynote 2015
AWSome Day Philippines Keynote 2015
Hwee Bee Tan
 
Lacework slides from AWS Meetups
Lacework slides from AWS MeetupsLacework slides from AWS Meetups
Lacework slides from AWS Meetups
John Varghese
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
Cisco Canada
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
AWS Security and SecOps
AWS Security and SecOpsAWS Security and SecOps
AWS Security and SecOps
Shiva Narayanaswamy
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
Ashnikbiz
 
Ad

Recently uploaded (20)

What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
TrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business ConsultingTrsLabs - Fintech Product & Business Consulting
TrsLabs - Fintech Product & Business Consulting
Trs Labs
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganQuantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur Morgan
Arthur Morgan
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 

Automating your AWS Security Operations

  • 1. Automating Security Operations on AWS Pat McDowell Solutions Architect at AWS Tim Prendergast CEO and Co-Founder at Evident.io Shannon Lietz DevSecOps Leader at Intuit
  • 2. $6.53M 56% 70% Increase in theft of hard intellectual property Of consumers indicated they’d avoid businesses following a security breach Average cost of a data breach Your data and IP are your most valuable assets https://www.csid.com/resources/stats/data-breaches/ http://www.pwc.com/gx/en/issues/cyber- security/information-security-survey.html https://www.csid.com/resources/stats/data-breaches/
  • 3. In June 2015, IDC released a report which found that most customers can be more secure in AWS than their on-premises environment. How? Automating logging and monitoring Simplifying resource access Making it easy to encrypt properly Enforcing strong authentication AWS can be more secure than your existing environment
  • 4. AWS and you share responsibility for security AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Identity & Access Control Network Security Customer applications & content You get to define your controls ON the Cloud AWS takes care of the security OF the Cloud You Inventory & Config Data Encryption
  • 5. Constantly monitored The AWS infrastructure is protected by extensive network and security monitoring systems: • Network access is monitored by AWS security managers daily • AWS CloudTrail lets you monitor and record all API calls • Use VPC Flow Logs to monitor and analyze network traffic to your instances
  • 6. Highly available The AWS infrastructure footprint protects your data from costly downtime: • 33 Availability Zones in 12 regions for multi-synchronous geographic redundancy • Retain control of where your data resides for compliance with regulatory requirements • Mitigate the risk of DDoS attacks using services like AutoScaling, Route 53
  • 7. Integrated with your existing resources AWS enables you to improve your security using many of your existing tools and practices: • Integrate your existing Active Directory • Use dedicated connections as a secure, low-latency extension of your data center • Provide and manage your own encryption keys if you choose
  • 8. Key AWS Certifications and Assurance Programs
  • 9. +
  • 10. Security Automation is a key differentiator for cloud companies
  • 11. You are responsible for protecting your data/assets Customer Data Applications Identity Access Management OS Network Firewall Client-side Encryption Server-side Encryption Network Traffic Protection Compute Storage Networking AWS Global Infrastructure (Regions, Azs, Edge Locations) AWS: Security of the Cloud Customer: Security on the Cloud
  • 12. You have a huge quantity of intelligence to process This is just a SUBSET of an average company’s data flows Amazon Elasticsearch
  • 13. The Human Challenge Humans have finite scale…
  • 14. …Then we turn to automation.
  • 16. Why automate Security? We’re less than one million security professionals short of “equilibrium” and lagging…
  • 17. No matter how good your process is, Alert Fatigue will trump it… Why automate Security? Alert Psychology proves that fatigue destroys process
  • 18. As infrastructure and software delivery accelerate, there is no alternative. The fallacy of choice…
  • 19. Security DevOps Security Automation is good for everyone  DevOps builds Value  Security builds Trust  Customers / businesses need  Trust and Value
  • 20. Evident Security Platform (ESP)  Built by cloud pioneers from Adobe, AWS, and Netflix  Agentless deployment (<5 mins)  Continuous security scanning & alerting across several AWS Services  Aligns your Security and DevOps teams on protecting cloud assets  Tracks security state to support audit, compliance, and incident response needs
  • 21. Leader in Cloud Security Automation & Innovation Leader in DevSecOps + Evident & Intuit
  • 22. Cloud Security Operations “boldly go where no human has gone before…” Shannon Lietz DevSecOps Leader at Intuit @devsecops
  • 23. The Context… Cloud Security Operations Imagine:  Software defined security  Thousands of changes a day  The biggest “big data” problem MeanTimetoResolution(MTTR) 6 months Fast MTTR… the final frontier
  • 24. So what hinders “secure” innovation @ speed & scale? 1. Manual processes & meeting culture 2. Point in time assessments 3. Friction for friction’s sake 4. Contextual misunderstandings 5. Decisions being made outside of value creation 6. Late constraints and requirements 7. Big commitments, big teams, and big failures 8. Fear of failure, lack of learning 9. Lack of inspiration 10. Management and political interference (approvals, exceptions)
  • 26. Let’s switch some things around… Data Center Network Servers Virtualization Operations Platforms Buyer Identifier Cloud Account(s) Virtual IP Addresses Containerization Appliances Storage Security Features Applications Ephemeral Instances Scale on Demand IAAS, PAAS, SAAS Resource Testing Built-In Security Long-Term Contracts Partner Marketplaces Slow-ish Decisions Experiments
  • 27. Software Defined Security  Requires significant intimate knowledge, context & understanding  Critical Cloud Security Operations Elements: – Zoning & Blast Radius Containment – Instrumentation & Monitoring to create the feedback loop – Security as Code Platform (Whitelisting, Encryption, Authorization) – API Catalog & Testing for the Full Stack – Asset Inventory & Hardened Baselines [Software, Services, Components, etc.]
  • 28. The Basic Cloud Model Cloud Provider Network Backbone Cloud Platform (Orchestration) Network Compute Storage Cloud Account(s) Load Balancers Compute Instances VPCs Block Storage Object Storage Relational Databases NoSQL Databases Containers Content Acceleration Messaging Email Utilities Key Management API/Templates Certificate Management Partner PlatformInternet Backbone
  • 29. Developers have lots of options…
  • 30. Reality… Data Center Cloud Provider Network Internet Cloud Provider Network Data Center Cloud Provider Network Cloud Provider Network Cloud Provider Network
  • 31. And Attackers also have lots of options… Victims Attackers
  • 32. Shift controls & mindset Security Monitoring
  • 33. Cloud Security Operations in the Cloud… Monitor & Inspect Everything insightssecurity science security tools & data Cloud accounts S3 Glacier EC2 CloudTrail ingestion threat intel continuous response security feedback loop (speed matters)
  • 34. What’s this look like in practice? Etc…Etc…Etc…
  • 35. Account Sharding is a new control!  Splitting cloud workloads into many accounts has a benefit.  Accounts should contain less than 100% of a cloud workload.  Works well with APIs; works dismal with forklifts.  What is your appetite for risk? Cloud Workload Templates Cloud Provider Network 33 % 33 % 33 % Attacker Cloud Account Cloud Account Cloud Account
  • 36. Long live APIs…  Everything in the cloud should be an API, even Security…  Protocols that are not cloudy should not span across environments.  If you wouldn’t put it on the Internet then you should put an API and Authentication in front of it: – Messaging – Databases – File Transfers – Logging Cloud Provider Network Tested machine image… Tested instances... Tested roles... Tested passwords... New instance created… Instance 12345 changed… User ABC accessed Instance 12345... B User Routing Data Replication Application Gateway File Transfers Log Sharing Messaging My API
  • 37. Host-Based Controls  Shared Responsibility and Cloud require host-based controls.  Instrumentation is everything!  Fine-grained controls require more scrutiny and bigger big data analysis.  Agents & Outbound Reporting to an API are critical Tested machine image… Tested instances... Tested roles... Tested passwords... New instance created… Instance 12345 changed… User ABC accessed Instance 12345... B Instance Cloud Provider Network Instance
  • 38. Don’t Hug Your Instances…  Research suggests that you should replace your instances at least every 10 days, and that may not be often enough.  Use Blue/Green or Red/Black deployments to reduce security issues by baking in patching.  Make sure to keep a snapshot for forensic and compliance purposes.  Use config management automation to make changes part of the stack.  Refresh routinely; refresh often! 10DAYS
  • 39. Overcoming Inconvenience  Use built-in transparent encryption when possible.  Use native cloud key management and encryption when available.  Develop back up strategies for keys and secrets.  Apply App Level Encryption to help with SQL Injection and preserving Safe Harbor.  Use APIs to exchange data and rotate encryption.
  • 40. Migrating Security to the Left where it can get built-in design build deploy operate How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Typical gates for security checks & balances Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits Most costly mistakes Happen during design Security is a Design Constraint faster security feedback loop
  • 41. Use Cloud Native Security Features...  Cloud native security features are designed to be cloudy.  Audit is a primary need!  Configuration and baseline checks baked into a Cloud Provider’s Platform help with making decisions and uncovering risks early in the Continuous Delivery cycle.  Be deliberate about how to use built-in security controls and who has access.
  • 42. Secure Baselines & Patterns help a lot! AMI Amazon Elastic MapReduce AWS Import/ Export Security Monitoring Egress Proxy CFn Template Bastion CFn Template Secure VPC CFn Template CloudTrail CFn Template Secrets Bundle MarketPlace templates resourcespatterns services
  • 43. Fanatical Security Testing static UX & Interfaces Micro Services Web Services Code CFn Templates dynamic Build Artifacts Deployment Packages Resources Patterns & Baselines run-time Security Groups Account Configuration Real-Time Updates Patterns & Baselines
  • 44. Red Team, Security Operations & Science  API Key Exposure -> 8 hrs  Default Configs -> 24 Hrs  Security Groups -> 24 Hrs  Escalation of Privs -> 5 D  Known Vuln -> 8 Hrs
  • 45. Cloud Security Disaster Recovery & Forensics is a different animal…  Regional recovery is not enough to cover security woes.  Security events can quickly escalate to disasters.  Got a disaster recovery team?  Multi-Account strategies with separation of duties can help.  Don’t hard code if you can help it.  Encryption is inconvenient, but necessary… Cloud Workload Templates Disaster Templates Cloud Provider Network 50 % 50 % Cloud Account Cloud Account Cloud Account 50 % Cloud Account 50 %
  • 46. Compliance Operations as Continuous Improvement https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf
  • 47. Code can solve the great divide  Paper-resident policies do not stand up to constant cloud evolution and lessons learned.  Translation from paper to code can lead to mistakes.  Traditional security policies do not 1:1 translate to Full Stack deployments. Data Center • Choose strong passwords • Use MFA • Rotate API credentials • Cross-account access Page 3 of 433 Cloud Provider Network • Lock your doors • Badge in • Authorized personnel only • Background checks EVERYTHING AS CODE
  • 49. Speed & Ease can increase security!  Fast remediation can remove attack path quickly.  Resolution can be achieved in minutes compared to months in a datacenter environment.  Continuous Delivery has an advantage of being able to publish over an attacker.  Built-in forensic snapshots and blue/green publishing can allow for systems to be recovered while an investigation takes place. APP APP DB DB APP DB ATTACKED FORENSICSRECOVERED
  • 50. This could be your MTTR…MeanTimetoResolution(MTTR) 6 months
  • 51. Get Involved and Join the Community  devsecops.org  @devsecops on Twitter  DevSecOps on LinkedIn  DevSecOps on Github  RuggedSoftware.org  Compliance at Velocity

Editor's Notes

  • #5: At AWS we have a shared security model, where we are responsible for some aspects of security, whereas you get to choose other security measures you put in place. As AWS we are responsible for the security of the underlying infrastructure . That of course include physical security across our regions, our data centers, our availability zones, our edge locations. We are also responsible for the security of the foundation services that underpin the AWS environment. This includes the infrastructure that supports our compute, storage, database and networking services. As a customer, then, you have a choice of what security controls you choose to deploy to protect your virtual networks, servers, your data and what access control policies you wish to put in place. For highly sensitive content and applications you may want to put very stringent controls in place. For less sensitive applications, you may want to dial security back – you get to choose.
  • #9: We are also certified and accredited by a wide range of regulators and industry bodies. Here is a list of key bodies that have either certified us, or we have a workbook of guidance showing you how to validate an AWS environment against these standards. Top Row (left to right) ISO 27001 Information Security Management ISO 9001 Quality Management Systems Requirements American Institute of Certified Professional Accounts (SOC 1, SOC 2, SOC 3 reports) Payment Card Industry Data Security Standard (PCI-DSS) Federal Information Security Management Cloud Security Alliance Middle Row: TUV Trust IT – independent certification body for the German Federal Office for Information Security (BSI) IT Baseline protection methodology (IT Grundschutz) UK G-Cloud Digital Marketplace HIPAA (Health Information Portability and Accountability Act) Federal Information Processing Standards 140-2 Americans with Disabilities Act Section 508 Motion Pictures of America Association Bottom Row: US International Traffic in Arms Regulations Department of Defense Cloud Security Model Criminal Justice Information Systems (CJIS) Security Policy Federal Risk Authorization Management Program (FedRAMP) Australian Information Risk Assurance Program US Department of Education (FERPA) <FOR MORE IN DEPTH QUESTIONS REFER THE CUSTOMER TO http://aws.amazon.com/compliance FOR MORE DETAILS>
  • #12: Customer data Platform, applications, identity, and access management Operating system, network, & firewall config Client-side data encryption & integrity authentication, server-side encryption (FS/data), Network Traffic Protection (encryption, integrity, identity) ----------------- customer above, aws below ------------------- Compute | storage | database | networking AWS Global Infrastructure >> [regions | availability zones] | edge locations
  • #13: Clean up the logos to be good on white
  • #27: w