Source: pittsburgh.issa.org/Archives/CloudSec-Preso-2019-V1.pdf

Page 1

CLOUD SECURITY PLATFORMS

IMPORTANT ASPECTS TO CONSIDER

Ken Dickey

VP – Business Development

Proudly Celebrating 18 Years of Protecting Your Networks 2001-2019

Page 2

TRADITIONAL SECURITY PERIMETER

[Diagram: Headquarters, Data Center, Regional Office(s), Security Stack, Roaming Users, Internet, SaaS Applications]

Function/Capability                             Control Type
Prevent Unacceptable Application Communication  Next Generation Firewall
Prevent Exploits From Entering The Network      Intrusion Prevention Systems
Cleanse Web Traffic From Malware and Exploits   Secure Web Gateways
Protect Email & Prevent SPAM                    Email Gateways
Inspect Communications For Advanced Malware     Malware Sandbox
Prevent Corporate Data From Exfiltration        Data Loss Prevention

[Diagram: Cloud-based controls (CASB) visibility stack between users and SaaS applications: Log/SIEM, TAP, API Connector, Reverse Proxy, Forward Proxy, Identity Gateway]

Page 3

IAAS COMES INTO THE PICTURE

[Diagram: Headquarters, Data Center, Regional Office, two Security Stacks, Internet, Roaming Users]

Pages 4-7

PUBLIC CLOUD ARCHITECTURES EVOLVE

[Diagram, built up across four slides: Client, Internet, Amazon CloudFront, Amazon API Gateway, Amazon S3, Amazon Cognito, IAM, Amazon Lambda (Lambda Functions), Amazon CloudWatch, Amazon ECS (Container Instances), Amazon Kinesis, Amazon ElastiCache, Amazon DynamoDB Accelerator, Amazon MQ Broker]

Page 8

NEW CLOUD PERIMETERS – DATA PERIMETERS

Data Perimeter

Amazon Simple Storage Service (S3)
  • Public object storage service
  • Governed by Bucket & Object Policies
  • Filtering by ACL / Resource Policies as well as IAM Policies
  • Can expose data to be read/manipulated

Amazon Elastic Block Store (EBS)
  • Allows for creation of backup snapshots
  • Misused as a means to share data
  • Can be public and leak creds, PII and IP

Amazon Relational Database Service (RDS) Snapshots
  • Distributed relational database service by Amazon Web Services
  • Snapshots are governed by RDS console/IAM/KMS
  • Can be public and leak customer data and IP

Amazon Machine Image (AMI)
  • Full Virtual Machine Image
  • Can be shared with specific accounts
  • Can be public and leak creds, PII and IP

CloudWatch
  • Managed Log Aggregation Service
  • Often contains private data
  • Access to third parties and AWS accounts

Elasticsearch
  • Log Search Engine
  • Can provide access to private data
  • Filtering by Resource Policy

Amazon Key Management Service (KMS)
  • Fully managed Key Service (Encryption)
  • Every Key can have a policy to control access
  • Misconfigured policy combined w/ access risks data leakage

Allowing unauthorized users to read, modify or delete private data

Page 9

NEW CLOUD PERIMETERS – COMPUTE PERIMETERS

Compute Perimeter

AWS Lambda
  • Lambda can be run inside a VPC and access private data and resources
  • Invoked via event subscriptions or manually
  • Resource Policy could allow non-authenticated users or external AWS accounts
  • IAM Policies: policies are not displayed in the UI console

Amazon API Gateway
  • By design is a perimeter
  • Calls Lambda Functions & EC2 instances
  • APIG to EC2 is governed by netsec infra*
  • APIG to Lambda path is not governed

Amazon ECR
  • Docker Container Registry Service
  • Resource Policies allow access to Docker Images
  • Images could be pulled, exposing IP and code
  • Images could be replaced with new code

Allowing External Entities to run code in your environment

Page 10

NEW CLOUD PERIMETERS – MESSAGING PERIMETERS

Messaging Perimeter

Amazon Simple Notification Service (SNS)
  • Mass delivery of messages, predominantly to mobile users
  • Can expose resource-based policies
  • Can allow third parties to send/receive/delete messages
  • Misconfigured service could allow an unauth’ed entity to access/modify private system messages

Amazon Simple Queue Service (SQS)
  • Can send, store, and receive messages between software components
  • Can expose resource-based policies
  • Can allow third parties to send/receive/delete messages
  • Misconfigured service could allow an unauth’ed entity to access/modify private system messages

Amazon Kinesis
  • Collect, process, and analyze real-time, streaming data
  • Can expose resource-based policies
  • Can allow third parties to send/receive/delete messages
  • Misconfigured service could allow an unauth’ed entity to access/modify private system messages

Allowing External Entities to receive/send messages to private systems

Page 11

NEW CLOUD PERIMETERS – CLOUD CONTROL-PLANE PERIMETER

Identity Perimeter

IAM Users
  • Create/manage AWS users/groups, and use permissions to allow and deny their access to AWS resources
  • Credential storage best practices, least privilege, PAM, operational hygiene
  • High risk if credentials compromised or API keys pilfered
  • GitHub is monitored by Amazon and by nefarious actors

IAM Roles
  • IAM identity that has specific permissions for AWS resources; it provides you with temporary security credentials for your role session
  • Malicious actors target developer workstations, test/dev environments
  • Can query AWS metadata using info from compromised machines/applications
  • Accessible to third parties through cross-account roles

Allowing External Entities Full Control Over Your Virtualized Data Center
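The data, compute, messaging and identity perimeters above share one failure mode: a resource-based policy (S3 bucket, KMS key, Lambda function, ECR repository, SNS topic, SQS queue) or an IAM role trust policy whose Allow statement names Principal "*" or an account outside your own. The following is an added example, not code from the presentation or any vendor platform: a small offline checker that reads policy documents in the standard JSON form and flags such statements, treating a statement as "scoped" only when it carries a condition key that ties the grant back to something you control (aws:SourceAccount, aws:PrincipalOrgID, sts:ExternalId, MFA, and so on). The sample policies, the trusted account list and all account IDs are constructed placeholders.

```python
"""Flag resource-based policies and IAM role trust policies whose Allow statements
reach outside your accounts. Added example; sample policies and account IDs are
constructed placeholders, not real accounts."""

# Constructed placeholder: account IDs you consider inside your perimeter.
TRUSTED_ACCOUNTS = {"111111111111"}

# Condition keys that tie a wildcard or foreign principal back to something you control.
SCOPING_CONDITION_KEYS = {
    "aws:sourceaccount", "aws:sourceowner", "aws:sourcearn", "aws:sourcevpc",
    "aws:sourcevpce", "aws:principalorgid", "aws:principalaccount",
    "sts:externalid", "aws:multifactorauthpresent",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Yield the AWS/Federated principals of a statement; service principals
    (e.g. apigateway.amazonaws.com) are not external accounts and are skipped."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        yield "*"
        return
    for kind, values in principal.items():
        if kind != "Service":
            yield from _as_list(values)


def _account_of(principal):
    """Return the 12-digit account ID behind an ARN or bare account string, else None."""
    if principal == "*":
        return None
    parts = principal.split(":")
    if len(parts) >= 6 and parts[4].isdigit():
        return parts[4]
    return principal if principal.isdigit() else None


def _condition_keys(stmt):
    return {key.lower() for block in stmt.get("Condition", {}).values() for key in block}


def analyze_policy(name, policy):
    """Findings for every Allow statement granting access to '*' or to an untrusted account."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        scoped = bool(_condition_keys(stmt) & SCOPING_CONDITION_KEYS)
        for principal in _aws_principals(stmt):
            account = _account_of(principal)
            if account in TRUSTED_ACCOUNTS or (principal == "*" and scoped):
                continue
            if principal == "*":
                severity, reason = "HIGH", "public: Principal '*' with no scoping condition"
            elif not scoped:
                severity, reason = "HIGH", "cross-account: untrusted account, no scoping condition"
            else:
                severity, reason = "MEDIUM", "cross-account: untrusted account, scoped by a condition (verify ExternalId/MFA/org)"
            findings.append({"policy": name, "statement": index, "principal": principal,
                             "account": account, "severity": severity, "reason": reason})
    return findings


# Constructed sample policies, one per perimeter discussed on the slides.
SAMPLE_POLICIES = {
    "s3-bucket-policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "sns-topic-policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": ["sns:Publish", "sns:Subscribe"],
        "Resource": "arn:aws:sns:us-east-1:111111111111:alerts",
        "Condition": {"StringEquals": {"AWS:SourceOwner": "111111111111"}}}]},
    "lambda-resource-policy": {"Statement": [{"Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"}, "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111111111111:function:orders",
        "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:execute-api:us-east-1:111111111111:*/*/*"}}}]},
    "ecr-repository-policy": {"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": ["ecr:BatchGetImage", "ecr:PutImage"]}]},
    "role-trust-policy": {"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::333333333333:root"}, "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]},
}


def run_samples():
    return {name: analyze_policy(name, policy) for name, policy in SAMPLE_POLICIES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        for f in findings:
            print(f"{f['severity']:6} {name} stmt {f['statement']}: {f['principal']} -> {f['reason']}")
```

Run against the samples, the public S3 grant and the unscoped ECR grant to a foreign account come back HIGH, the trust policy to a foreign account with an ExternalId comes back MEDIUM for a human to confirm, and the SNS topic scoped to the trusted owner and the Lambda policy restricted to an API Gateway service principal produce no finding. In a real deployment the policy documents come from the corresponding Get*Policy API calls and the trusted set from your organization's account list.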

Page 12

CLOUD SECURITY PLATFORM FEATURE SETS

• Security Operations: Visualize assets, assess security posture, fix misconfigurations and threats, manage the cloud firewall and enforce security from a single source of network authority.

• Advanced IAM Protection: Protect against compromised credentials and identity theft using a cloud’s native IAM capabilities to safeguard access to actions that can have a big impact.

• Compliance and Governance: Manage the compliance lifecycle for standards such as PCI DSS, from automated data aggregation and assessment to remediation and reporting.

• Cloud Security Intelligence: Cloud-native security intelligence technology that delivers cloud intrusion detection, network traffic visualization and user activity analytics.

Page 13

CLOUD SECURITY PLATFORM DIFFERENTIATORS

Apply State of the Art Threat Intelligence

Sample VPC Flow Log record:

2 270870580655 eni-6d25f24c 172.31.100.49 178.137.87.242 80 57379 6 15 1843 1496697675 1496697715 ACCEPT OK

Field                       Value
VPC Flow Log version        2
AWS Account                 270870580655
Elastic Network Interface   eni-6d25f24c
Source IP                   172.31.100.49
Destination IP              178.137.87.242
Source Port                 80
Destination Port            57379
IP Protocol                 6
Number of Packets           15
Bytes                       1843
Timeframe (in seconds)      1496697675 1496697715
SG or NACL action           ACCEPT
Log Status                  OK

Lambda Function is talking to a known malicious destination: the Lambda function is sending outbound traffic over port 80 to a malicious IP address, 178.137.87.242.
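The detection the slide describes, matching VPC Flow Log records against threat intelligence, is shown below as an added example that is not part of the presentation. It parses default (version 2) flow records in the field order listed above, treats the private address as the local side, and reports any record whose external peer is on a watchlist. The first log line is the record from the slide; the other lines, including a NODATA record with "-" placeholders, are constructed, and the watchlist holds only the slide's IP address where a deployment would load a real feed.

```python
"""Parse VPC Flow Log (version 2) records and flag flows whose peer address is on a
threat-intelligence watchlist. Added example; the first log line is the record shown
on the slide, the rest are constructed, and the watchlist holds only the slide's IP."""
import ipaddress

# Field order of a default (version 2) VPC Flow Log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow_record(line):
    """Split one record into a dict; '-' placeholders (NODATA/SKIPDATA records) become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    for key in ("srcaddr", "dstaddr"):
        rec[key] = None if rec[key] == "-" else ipaddress.ip_address(rec[key])
    return rec


def classify_peer(rec):
    """Return (peer, local, local_port, direction), treating the private address as local."""
    src, dst = rec["srcaddr"], rec["dstaddr"]
    if src is None or dst is None:
        return None
    if src.is_private and not dst.is_private:
        return dst, src, rec["srcport"], "outbound"
    if dst.is_private and not src.is_private:
        return src, dst, rec["dstport"], "inbound"
    return None  # internal-to-internal or external-to-external: out of scope here


def match_watchlist(lines, watchlist):
    """Return one hit dict per record whose external peer is on the watchlist."""
    hits = []
    for line in lines:
        rec = parse_flow_record(line)
        side = classify_peer(rec)
        if side is None:
            continue
        peer, local, local_port, direction = side
        if peer in watchlist:
            hits.append({"interface": rec["interface_id"], "peer": str(peer), "local": str(local),
                         "local_port": local_port, "direction": direction,
                         "protocol": PROTOCOL_NAMES.get(rec["protocol"], str(rec["protocol"])),
                         "bytes": rec["bytes"], "action": rec["action"]})
    return hits


# The slide's IP as the only watchlist entry; a real deployment loads a threat-intel feed.
WATCHLIST = {ipaddress.ip_address("178.137.87.242")}

SAMPLE_LOG = [
    # record from the slide
    "2 270870580655 eni-6d25f24c 172.31.100.49 178.137.87.242 80 57379 6 15 1843 1496697675 1496697715 ACCEPT OK",
    # constructed: traffic to an address that is not on the watchlist
    "2 270870580655 eni-6d25f24c 172.31.100.49 203.0.113.10 443 40112 6 20 4000 1496697700 1496697760 ACCEPT OK",
    # constructed: the watchlisted address connecting inbound to port 22, rejected by SG/NACL
    "2 270870580655 eni-6d25f24c 178.137.87.242 172.31.100.49 51234 22 6 3 180 1496697800 1496697860 REJECT OK",
    # constructed: NODATA record with no addresses or ports
    "2 270870580655 eni-6d25f24c - - - - - - - 1496697900 1496697960 - NODATA",
]


def analyze_sample():
    return match_watchlist(SAMPLE_LOG, WATCHLIST)


if __name__ == "__main__":
    for hit in analyze_sample():
        print(f"{hit['interface']}: {hit['direction']} {hit['protocol']} flow with {hit['peer']} "
              f"(local port {hit['local_port']}, {hit['bytes']} bytes, {hit['action']})")
```

Both records involving the watchlisted address are reported, the accepted outbound flow from the slide and the rejected inbound one, while the NODATA record is parsed without error and ignored. Keeping REJECT hits is deliberate: a blocked connection attempt from a known-bad address is still worth an alert, and the action field tells the analyst which case they are looking at.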

Page 14

CLOUD SECURITY PLATFORM DIFFERENTIATORS

Make All API Data Accessible and Easily Searched

RDS should have isStorageEncrypted = true
  RDS storage should be encrypted

Instance should not have inboundRules with [port = 22 and protocol in ('TCP','All') and scope numberOfHosts() > 32]
  Instance with an open SSH port (22) should not be exposed to a wide network scope

Instance where (tags contain [key='env' and value='prod'] and not name='test') should ...
  Search based on tag values

Instance should have inboundRules.length < 10
Instance where image='ami-1234' should...
Instance where name like '%db%' should...
  Uses standard operators
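The queries above are posture rules evaluated over an inventory built from API data. As an added example that is not part of the presentation and not the platform's query engine, the code below implements those same rules as plain predicates over a constructed inventory: numberOfHosts() as the address count of a CIDR scope, the SSH rule with its 32-host threshold, the inboundRules.length check, and the tag, image and SQL-style name-like selectors. Asset names, AMI ids and CIDR blocks are all constructed sample values.

```python
"""Evaluate the slide's posture rules ("RDS should have isStorageEncrypted = true",
"Instance should not have inboundRules with [port = 22 and protocol in ('TCP','All')
and scope numberOfHosts() > 32]", tag/image/name selectors) over a constructed
inventory. Added example; a small stand-in for the platform's query language."""
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class InboundRule:
    port_from: int
    port_to: int
    protocol: str   # 'TCP', 'UDP' or 'All'
    scope: str      # CIDR block

    def covers(self, port):
        return self.port_from <= port <= self.port_to


@dataclass
class Instance:
    name: str
    image: str
    tags: dict = field(default_factory=dict)
    inbound_rules: list = field(default_factory=list)


@dataclass
class RdsInstance:
    name: str
    is_storage_encrypted: bool


def number_of_hosts(scope):
    """numberOfHosts(): addresses covered by a CIDR scope (/27 -> 32, 0.0.0.0/0 -> 2**32)."""
    return ipaddress.ip_network(scope, strict=False).num_addresses


def rds_storage_encrypted(rds):
    """RDS should have isStorageEncrypted = true"""
    return rds.is_storage_encrypted


def ssh_not_wide_open(inst):
    """Instance should not have inboundRules with
    [port = 22 and protocol in ('TCP','All') and scope numberOfHosts() > 32]"""
    return not any(r.covers(22) and r.protocol in ("TCP", "All") and number_of_hosts(r.scope) > 32
                   for r in inst.inbound_rules)


def few_inbound_rules(inst):
    """Instance should have inboundRules.length < 10"""
    return len(inst.inbound_rules) < 10


def where(instances, tag=None, not_name=None, image=None, name_like=None):
    """'Instance where (...)' selector: tag=(key, value); name_like uses SQL '%' wildcards."""
    pattern = name_like.replace("%", "*") if name_like else None
    return [i for i in instances
            if (tag is None or i.tags.get(tag[0]) == tag[1])
            and (not_name is None or i.name != not_name)
            and (image is None or i.image == image)
            and (pattern is None or fnmatch.fnmatchcase(i.name, pattern))]


def failing(assets, rule):
    """Names of the assets for which the rule predicate is False."""
    return [a.name for a in assets if not rule(a)]


# Constructed inventory: names, AMI ids and CIDR blocks are sample values.
INSTANCES = [
    Instance("web-1", "ami-1234", {"env": "prod"},
             [InboundRule(22, 22, "TCP", "0.0.0.0/0"), InboundRule(80, 80, "TCP", "0.0.0.0/0")]),
    Instance("db-prod", "ami-5678", {"env": "prod"},
             [InboundRule(22, 22, "TCP", "10.0.0.0/27"), InboundRule(3306, 3306, "TCP", "10.0.0.0/16")]),
    Instance("test", "ami-5678", {"env": "prod"},
             [InboundRule(0, 65535, "All", "10.0.0.0/8")]),
]
RDS = [RdsInstance("prod-db", True), RdsInstance("analytics-db", False)]


def evaluate_all():
    """Run each rule over its selected assets; returns {rule_name: [failing asset names]}."""
    prod = where(INSTANCES, tag=("env", "prod"), not_name="test")
    return {
        "rds_storage_encrypted": failing(RDS, rds_storage_encrypted),
        "ssh_not_wide_open(prod)": failing(prod, ssh_not_wide_open),
        "ssh_not_wide_open(all)": failing(INSTANCES, ssh_not_wide_open),
        "few_inbound_rules": failing(INSTANCES, few_inbound_rules),
    }


if __name__ == "__main__":
    for rule, names in evaluate_all().items():
        print(f"{rule}: {'PASS' if not names else 'FAIL ' + ', '.join(names)}")
```

The /27 on db-prod is the edge case worth noticing: it covers exactly 32 addresses, so it passes the "> 32" test, while web-1 with SSH open to 0.0.0.0/0 fails. The tag selector with "not name='test'" drops the test instance from the prod evaluation even though its env tag says prod, which is why the same rule run over all instances also reports it.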

Page 15

STRONG CLOUD SECURITY GUARDRAILS WITH MODERN SIEM FUNCTIONS

• Agentless, Cloud-native Architecture
• Fast Time to Value
• Remediate in Place - Find It, Fix It, Stay Fixed
• Audit log retention, even after instances have been removed