3 Secrets to Becoming a Cloud Security Superhero

Sasha Pavlovic | Director, Hybrid Cloud Security, APAC

AWS Summit Auckland Platinum Sponsor presentation - Trend Micro

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

This is you…

Superpower #1: Shapeshift

Design a workload-centric security architecture

[Diagram: Cloud, before and after]

Before (on-premises): Firewall, IPS, Load Balancer; Web Tier, App Tier, DB Tier; S3, DynamoDB, RDS.

After (AWS): Firewall, IPS; Web Tier on EC2, App Tier on EC2; Elastic Load Balancer; VPC & Security Groups; Load Balancer; DB Tier; IAM, CloudTrail.

Traditional Responsibility Model

You: Physical, Infrastructure, Network, Virtualization, Operating System, Applications, Data, Service Configuration

Shared Responsibility Model

AWS: Physical, Infrastructure, Network, Virtualization

You: Operating System, Applications, Data, Service Configuration

More at aws.amazon.com/security

Hybrid IT

Crypt-o

[Diagram: encryption across hybrid IT and EC2]

[Chart: Attack Source IP – CVE-2014-6271, 7169, 6277, 6278; time axis: Disclosure, 24h, 48h, 72h]

Don’t Replicate…

Warning: Single Point of Failure; Limited Throughput

Shapeshift

Mission Accomplished: No Single Point of Failure; UN-Limited Throughput

[Diagram: AWS architecture with VPC & Security Groups; S3, DynamoDB, RDS; Web Tier on EC2, App Tier on EC2; Elastic Load Balancer; IAM, CloudTrail]

Shapeshift for Amazon Web Services

• Security inside each workload

• Protect instance-to-instance traffic

• Make it context sensitive (fast and low false-positive)

• No bottleneck

• No single point of failure

= CLOUD FRIENDLY

[Diagram: IPS]

Superpower #2: Invisibility

Automate and blend in, don’t bolt on

Creating an audit trail, before

[Diagram: on-premises Servers, Storage Area Network, Firewall, IPS, Central logging, Change Records, Report, Payment, Client Data]

Creating an audit trail, after

[Diagram: On-premises and AWS; Amazon CloudTrail, EC2 instances, Central management, Amazon S3, Amazon CloudFront, Amazon RDS, Report]

Audit-o

CloudTrail & AWS Config

Security Tools

Make Security Invisible for Amazon Web Services

• Build it in, not bolt on

• Fully automate security

• Automate record keeping for auditors

= SECURITY DESIGNED FOR AWS

Superpower #3: X-Ray Vision

Improve visibility of AWS and hybrid environments

Integrity Monitoring

Use X-ray vision on Amazon Web Services

• Use Integrity Monitoring and Log monitoring to see inside instances

• Detect suspicious changes that are indicators of compromise and unintended changes

= Total visibility
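An added example, not from the presentation and not Trend Micro's product code: a minimal host integrity monitor (hash baseline plus drift report) and a threshold-based log inspector of the kind these bullets describe. File contents, the temporary file tree and the syslog lines are constructed for the demo.

```python
# Added example (not from the presentation): integrity baseline + drift diff,
# and a small rule-based log inspector. All inputs below are constructed.
import hashlib
import re
import tempfile
from pathlib import Path

def baseline(root):
    """Map each file under root (POSIX relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_baseline(before, after):
    """Classify drift between two snapshots as added / removed / modified."""
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p])}

LOG_RULES = [  # (name, pattern, hits needed before it counts as an indicator)
    ("ssh_auth_failure", re.compile(r"sshd\[\d+\]: Failed password for"), 3),
    ("new_user_created", re.compile(r"useradd\[\d+\]: new user: name="), 1),
    ("sudo_to_root", re.compile(r"sudo: .*USER=root COMMAND="), 1),
]

def inspect_log(lines):
    """Return the names of rules whose hit count reaches their threshold."""
    counts = {}
    for line in lines:
        for name, rx, _ in LOG_RULES:
            if rx.search(line):
                counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, _, thr in LOG_RULES if counts.get(name, 0) >= thr)

SAMPLE_LOG = [  # constructed syslog lines; 203.0.113.0/24 is a documentation range
    "Mar 1 10:00:01 ip-10-0-1-5 sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Mar 1 10:00:02 ip-10-0-1-5 sshd[812]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "Mar 1 10:00:03 ip-10-0-1-5 sshd[812]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "Mar 1 10:01:00 ip-10-0-1-5 useradd[900]: new user: name=svc, UID=1001, GID=1001, home=/home/svc",
]

def demo():
    """Baseline a constructed file tree, tamper with it, and report the drift."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
    before = baseline(root)
    (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n")  # edit
    (root / "etc" / "extra.conf").write_bytes(b"# not in the baseline\n")  # new file
    return diff_baseline(before, baseline(root))
```

A single failed login is noise and two are below the rule's threshold, so only the burst plus the account creation surface as indicators; the drift report names exactly which files changed.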

AWS is continuously independently audited: GxP, ISO 13485, AS9100, ISO/TS 16949

Security is shared between AWS and customers

AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).

Customers have their choice of security configurations IN the Cloud: Customer applications & content; Platform, Applications, Identity & Access Management; Operating System, Network, & Firewall Configuration; Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection.

Partner solutions – including Trend Micro

SANS/CIS TOP 20 CRITICAL SECURITY CONTROLS

1. Inventory of Authorized & Unauthorized Devices
2. Inventory of Authorized & Unauthorized Software
3. Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers
4. Continuous Vulnerability Assessment & Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, & Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring & Control
17. Security Skills Assessment & Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response Management
20. Penetration Tests & Red Team Exercises

Your new superpowers…

Shapeshifting, Invisibility, X-ray Vision

Inspired by real-life Security Superheroes

Gartner Best Practices: Best Practices for Securing Workloads in Amazon Web Services

http://bit.ly/1pxaFTL

Now to Introduce a Real World Superhero!

Chris Harwood, Healthdirect Australia

A little bit about Healthdirect

No matter where people live, or what time of the day or night it is, they can talk to a professional, find trusted advice online about how to manage their issue, and locate the closest appropriate and open service that meets their needs.

Services: mindhealthconnect; after hours GP helpline; My Aged Care; Carer Gateway; healthdirect; Pregnancy, Birth and Baby; National Health Services Directory

Healthdirect Australia Timeline

2006/2007: Established as the National Health Call Centre Network

2008: healthdirect 24/7 nurse triage helpline

2010: Pregnancy, Birth and Baby service

2011: after hours GP helpline

2012: mindhealthconnect (mental health website)

2012: National Health Services Directory

2013/2014: My Aged Care Gateway

2015: Carer Gateway

Risks of Healthdirect’s Traditional Environment

Risk | Description | Rating

Insufficient capacity | Scalability is limited by physical hardware | High

Limited environments | Sufficient environments too expensive | High

Ageing servers | Existing servers will need replacement within two years | Moderate

Lack of agility | New work is continually changing what is required of our infrastructure | Moderate

Difficult to manage | No consistency of management and service quality in the previously fragmented solution | Moderate

Inability to respond timeously | Procurement lead times too long and inability to try new things | Extreme

Cost inefficiency | Over investment is required in order to manage peak loads | Moderate

Drivers for Amazon Web Services

• Improved security

• The world is software

• Easily Scale Up and Down

• Improve Agility & Time to Market

• Pay only for what you use

• Ability to optimise Performance

• Increased Availability

• Reduced skills requirements

Security is critical for Healthdirect Australia

Together, Government and Healthcare made up over 40% of all data breaches in 2015 (Trend Micro Follow The Data Report).

Security Challenges

• Information Security Manual Compliance

• HIDS/HIPS mandatory

• Patching controls

• Small security staff complement for large diverse platform

• Privacy Act and sensitive data protection

• Perimeter is NOT good enough any more

Security Challenges (cont…)

• Understanding the shared responsibility model

• Moving security staff from gatekeepers to participants

• Effective management of log and monitoring data

Trend Micro Deep Security to the Rescue

• DISA certified

• Host based firewalling and intrusion prevention

• Antivirus and anti-malware

• File integrity monitoring

• Log inspection

Trend Micro Deep Security to the Rescue (cont…)

• Server and desktop/laptop protection

• Single management ‘pane of glass’

• Trusted SSL certificate issuing

Why Deep Security Works for Us

• Healthdirect ISM accredited on AWS in 2015

• Virtual patching provides a compensating control

• Agent based fits with continuous delivery practices and secures AMIs above the hypervisor

Why Deep Security Works for Us (cont…)

• Usage based licensing fits with AWS autoscaling and instance scheduling

• Minimised security impact on each node

• Great support and easy to configure

For an opportunity to:

• Learn more about Trend Micro;

• Q&A with the experts; and

• Get started with a Deep Security trial

Come and speak to us at the Trend Micro booth (Booth# P3).

trendmicro.com/aws