![Page 1: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bill Murray AWS Security Programs
June 2016
How We Should Think About Security
![Page 2: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/2.jpg)
1) Why is security such a hot topic?
Because it’s important, and it’s hard
![Page 3: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/3.jpg)
2) Why is enterprise security traditionally so hard?
Because so much planning is needed
![Page 4: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/4.jpg)
3) Why does planning take so long?
Because it requires so many processes
![Page 5: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/5.jpg)
4) Why so many processes?
Because mistakes are easy to make and hard to correct
![Page 6: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/6.jpg)
5) Why are mistakes so hard to correct?
• Lack of visibility
• Low degree of automation
![Page 7: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/7.jpg)
So where does AWS come in?
AWS makes security more agile
Lets you move fast while staying safe
![Page 8: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/8.jpg)
Security is Job Zero
Network Security
Physical Security
Platform Security
People & Procedures
![Page 9: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/9.jpg)
Security is Shared
![Page 10: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/10.jpg)
Build everything on a constantly improving security baseline
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Compliance programs shown: GxP, ISO 13485, AS9100, ISO/TS 16949
![Page 11: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/11.jpg)
Security & compliance is a shared responsibility
Customers have their choice of security configurations IN the Cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
![Page 12: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/12.jpg)
Security is Familiar
We strive to make security at AWS as familiar as what you are doing right now:
• Visibility
• Auditability
• Controllability
• Agility
![Page 13: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/13.jpg)
AWS Marketplace: One-stop shop for familiar tools
Advanced Threat Analytics
Application Security
Identity and Access Mgmt
Encryption & Key Mgmt
Server & Endpoint Protection
Network Security
Vulnerability & Pen Testing
![Page 14: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/14.jpg)
VISIBILITY
HOW OFTEN DO YOU MAP YOUR NETWORK?
WHAT’S IN YOUR ENVIRONMENT RIGHT NOW?
![Page 15: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/15.jpg)
![Page 16: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/16.jpg)
![Page 17: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/17.jpg)
Security is Visible
Who is accessing the resources? Who took what action?
• When?
• From where?
• What did they do?
• Logs, logs, logs
![Page 18: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/18.jpg)
Tools to move fast and stay safe
Amazon Inspector, AWS WAF, AWS Config Rules
![Page 19: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/19.jpg)
Amazon Inspector
Security assessment tool analyzing end-to-end application configuration and activity
![Page 20: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/20.jpg)
Why Amazon Inspector?
• Application security testing is key to moving fast but staying safe
• Security assessment is highly manual, resulting in delays or missed security checks
• Valuable security subject matter experts spend too much time on routine security assessment
![Page 21: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/21.jpg)
Amazon Inspector Features
Configuration Scanning Engine
Activity Monitoring
Built-in Content Library
Automatable via API
Fully Auditable
![Page 22: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/22.jpg)
Amazon Inspector Rule Sets
CVE
Network Security Best Practices
Authentication Best Practices
CIS Operating System Benchmarks
Application Security Best Practices
Runtime Behavior Analysis
![Page 23: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/23.jpg)
Amazon Inspector Benefits
Increased Agility
Embedded Expertise
Improved Security Posture
Streamlined Compliance
![Page 24: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/24.jpg)
Getting started
![Page 25: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/25.jpg)
Prioritized Findings
![Page 26: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/26.jpg)
Detailed Remediation Recommendations
![Page 27: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/27.jpg)
AWS WAF (Web Application Firewall)
![Page 28: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/28.jpg)
AWS WAF Features
Web Filtering
CloudFront Integration
Centralized Rule Management
Real-Time Visibility
API Automation
![Page 29: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/29.jpg)
AWS WAF Benefits
Increased Protection Against Web Attacks
Ease of Deployment and Maintenance
Security Embedded in Development Process
![Page 30: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/30.jpg)
AWS WAF in Action
(Diagram: admins work through the AWS Management Console, developers through the AWS API; both define rules and deploy protection to AWS WAF in front of the web app in CloudFront.)
![Page 31: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/31.jpg)
AWS WAF Partner integrations
• Alert Logic, Trend Micro & Imperva integrating with AWS WAF
• Offer additional detection and threat intelligence
• Dynamically modify rulesets of AWS WAF for increased protection
![Page 32: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/32.jpg)
AWS Config Rules
![Page 33: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/33.jpg)
AWS Config Rules Features
Flexible Rules evaluated continuously and retroactively
Dashboard and Reports for Common Goals
Customizable Remediation
API Automation
![Page 34: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/34.jpg)
AWS Config Rules Benefits
Continuous monitoring for unexpected changes
Shared Compliance across your organization
Simplified management of configuration changes
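The "flexible rules" and "customizable remediation" features above rest on the fact that a Config rule is just code that receives a resource's configuration item and reports COMPLIANT or NON_COMPLIANT. The block below is an added example, not code from the deck or from AWS: a custom rule that flags any security group whose inbound rules expose a restricted port (constructed default: SSH, port 22) to 0.0.0.0/0 or ::/0. The invocation event shape (`invokingEvent`, `ruleParameters`, `resultToken`) and the `PutEvaluations` body are assumed to match the documented custom-rule contract; the sample security group, the rule parameter name `restrictedPort`, and the result token are constructed. The only step left out is the final `put_evaluations` call, so the block runs offline.

```python
import json

# Hypothetical rule parameter: an inbound port that must never be reachable from
# the whole Internet. SSH is the constructed default.
DEFAULT_RESTRICTED_PORT = 22


def _world_reachable(permission):
    """True if one ipPermissions entry admits 0.0.0.0/0 or ::/0.

    Both the older configuration-item shape (ipRanges as a list of CIDR strings)
    and the newer one (ipv4Ranges/ipv6Ranges as lists of dicts) are accepted.
    """
    cidrs = [r for r in permission.get("ipRanges", []) if isinstance(r, str)]
    cidrs += [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return any(c in ("0.0.0.0/0", "::/0") for c in cidrs if c)


def _covers_port(permission, port):
    """True if the entry's protocol/port range includes the given TCP/UDP port."""
    if permission.get("ipProtocol") == "-1":      # "all traffic" rule
        return True
    low, high = permission.get("fromPort"), permission.get("toPort")
    if low is None or high is None:               # e.g. ICMP entries carry type/code instead
        return False
    return low <= port <= high


def evaluate_security_group(configuration_item, restricted_port=DEFAULT_RESTRICTED_PORT):
    """Return (ComplianceType, Annotation) for one AWS::EC2::SecurityGroup configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule evaluates security groups only"
    if configuration_item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "security group was deleted"
    configuration = configuration_item.get("configuration") or {}
    for permission in configuration.get("ipPermissions", []):
        if _world_reachable(permission) and _covers_port(permission, restricted_port):
            return "NON_COMPLIANT", f"inbound port {restricted_port} is open to 0.0.0.0/0 or ::/0"
    return "COMPLIANT", f"inbound port {restricted_port} is not exposed to the Internet"


def build_put_evaluations(event):
    """Turn a Config custom-rule invocation into the PutEvaluations request body.

    Sending it is the only step left out: a Lambda handler would hand this body to
    boto3's config.put_evaluations(**body) (assumed call, not exercised here).
    """
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    parameters = json.loads(event.get("ruleParameters") or "{}")
    port = int(parameters.get("restrictedPort", DEFAULT_RESTRICTED_PORT))
    compliance, annotation = evaluate_security_group(item, port)
    return {
        "Evaluations": [{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        "ResultToken": event["resultToken"],
    }


# Constructed configuration item (not captured from a real account): HTTPS open to
# the world is expected for a web tier, SSH open to the world is the finding.
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2016-06-01T12:00:00.000Z",
    "configuration": {
        "groupName": "web-tier",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
            {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432, "ipRanges": ["10.0.0.0/8"]},
        ],
    },
}

# Constructed invocation event in the shape Config hands a custom-rule Lambda function.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEM,
                                 "messageType": "ConfigurationItemChangeNotification"}),
    "ruleParameters": json.dumps({"restrictedPort": "22"}),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(json.dumps(build_put_evaluations(SAMPLE_EVENT), indent=2))
```

Because the rule is evaluated on every configuration change and can be re-run against recorded history, the same function covers both the "continuous" and the "retroactive" evaluation the slide promises; the annotation string is what an operator sees in the Config dashboard, so it names the port and the offending range rather than just saying "failed".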
![Page 35: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/35.jpg)
AWS Config Rules
Broad Ecosystem of solutions
![Page 36: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/36.jpg)
AWS Config Rules
![Page 37: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/37.jpg)
Making Life Easier
![Page 38: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/38.jpg)
Making Life Easier
Choosing security does not mean giving up on convenience or introducing complexity
![Page 39: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/39.jpg)
The AWS Journey
Phase 1: How do I move to AWS?
(Chart: experience over time)
![Page 40: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/40.jpg)
The journey we’re seeing with AWS customers
1. Dev & Test: development and test environments
2. True Production: build production apps, migrate production apps
3. Mission Critical: build mission-critical apps, migrate mission-critical apps
4. All-in: corporate standard
(Diagram label: Marketing)
![Page 41: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/41.jpg)
The AWS Journey
Phase 2: How do I use AWS to improve?
(Chart: experience over time)
![Page 42: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/42.jpg)
Example: Hardened Instances
Question to answer
• How many of my instances came from the correct “approved” server image?
• How many “approved” instances?
Traditional IT
• Manual IT process to prevent
• Even more manual process to audit
AWS
• CloudTrail identifies instance launches with unapproved AMIs
• Continuously auditable
• Push notification rather than regular pull
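CloudTrail does not know which images are "approved"; it records every `RunInstances` call with the caller, time, source address and the `imageId` of each instance created, and the comparison against the approved list is yours to write. The block below is an added example, not code from the deck or an AWS tool, and it also answers the who / when / from where questions of the "Security is Visible" slide. The approved AMI IDs, account number, ARNs and every log record are constructed; the record layout (`eventSource`, `eventName`, `userIdentity`, `responseElements.instancesSet.items`) follows the CloudTrail log format, trimmed to the fields the checks read.

```python
import json

# Hypothetical allowlist of hardened "approved" AMI IDs. In practice this would be
# published by the image build pipeline; the IDs here are constructed.
APPROVED_AMIS = {"ami-0a1b2c3d", "ami-4e5f6a7b"}


def instance_launches(records):
    """Yield one dict per instance created by a successful RunInstances call.

    Each dict answers the visibility questions from the deck: who (caller ARN),
    when (eventTime), from where (sourceIPAddress), and what (instance, AMI).
    """
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "RunInstances":
            continue
        if rec.get("errorCode"):
            # A denied or failed call is still logged, but no instance was created.
            continue
        identity = rec.get("userIdentity", {})
        items = rec.get("responseElements", {}).get("instancesSet", {}).get("items", [])
        for item in items:
            yield {
                "instance_id": item.get("instanceId"),
                "image_id": item.get("imageId"),
                "who": identity.get("arn", "unknown"),
                "identity_type": identity.get("type"),
                "when": rec.get("eventTime"),
                "source_ip": rec.get("sourceIPAddress"),
                "region": rec.get("awsRegion"),
            }


def unapproved_launches(records, approved=APPROVED_AMIS):
    """Return the launches whose AMI is not on the approved list."""
    return [launch for launch in instance_launches(records) if launch["image_id"] not in approved]


def load_records(trail_json):
    """CloudTrail log files are JSON objects with a top-level "Records" array."""
    return json.loads(trail_json).get("Records", [])


# Constructed sample CloudTrail log (not captured from a real account), trimmed to
# the fields the checks above read.
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # approved image, launched by an IAM user from the corporate range
        "eventVersion": "1.04", "eventTime": "2016-06-01T09:15:02Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0a1b2c3d"}]}},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0aaa111", "imageId": "ami-0a1b2c3d"}]}},
    },
    {   # unapproved image, two instances, launched via an assumed role from an unexpected address
        "eventVersion": "1.04", "eventTime": "2016-06-01T09:20:44Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/deployer/ci-job-42"},
        "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-deadbeef"}]}},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0bbb222", "imageId": "ami-deadbeef"},
            {"instanceId": "i-0bbb333", "imageId": "ami-deadbeef"}]}},
    },
    {   # denied launch: logged, but nothing was created
        "eventVersion": "1.04", "eventTime": "2016-06-01T09:21:10Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
        "errorCode": "Client.UnauthorizedOperation",
        "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-deadbeef"}]}},
    },
    {   # unrelated read-only call
        "eventVersion": "1.04", "eventTime": "2016-06-01T09:22:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    },
]})


if __name__ == "__main__":
    for launch in unapproved_launches(load_records(SAMPLE_TRAIL)):
        print(f"UNAPPROVED AMI {launch['image_id']} on {launch['instance_id']} "
              f"by {launch['who']} at {launch['when']} from {launch['source_ip']}")
```

To get the "push rather than pull" behaviour from the slide, run this over each log file as CloudTrail delivers it (CloudTrail can notify an SNS topic on delivery) instead of scanning the bucket on a schedule; the denied call is deliberately skipped by the allowlist check, but it is exactly the kind of record a separate alert on `errorCode` should pick up.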
![Page 43: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/43.jpg)
Example: Entitlements Reporting
Question to answer
• What accesses do your people have?
Traditional IT
• Inventory your assets and privileges
• Reconcile with user accounts
• All manual
AWS
• IAM auditing via native API calls
• GetAccountAuthorizationDetails
• ListUserPolicies
• ListGroupPolicies
• ListRolePolicies
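The single `GetAccountAuthorizationDetails` call named above returns every user, group, role, inline policy document and managed policy version in the account in one response, so the whole entitlements report can be built by walking that one structure rather than reconciling spreadsheets. The block below is an added example, not code from the deck or from AWS: it resolves each user's effective policy set (inline, attached, and inherited through groups, using only the default version of each managed policy) and flags the grants that amount to full administrator rights, which is the "reduce privileged accounts" item from the Operate & Improve slide. The account, user, group and policy names are constructed, the policy documents are abridged, and documents are assumed to be already decoded to dicts, as boto3 returns them (the raw API URL-encodes inline documents).

```python
def _as_list(value):
    """IAM accepts a bare string wherever it accepts a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_admin_document(document):
    """True if any Allow statement grants Action "*" on Resource "*" (hypothetical admin test)."""
    statements = document.get("Statement", [])
    for statement in ([statements] if isinstance(statements, dict) else statements):
        if statement.get("Effect") != "Allow":
            continue
        if "*" in _as_list(statement.get("Action")) and "*" in _as_list(statement.get("Resource")):
            return True
    return False


def _default_managed_documents(details):
    """Map managed policy ARN -> document of its default version (the one in force)."""
    documents = {}
    for policy in details.get("Policies", []):
        for version in policy.get("PolicyVersionList", []):
            if version.get("IsDefaultVersion"):
                documents[policy["Arn"]] = version.get("Document", {})
    return documents


def entitlements_report(details):
    """Per user: every policy that reaches the user and which of them are admin-equivalent."""
    managed = _default_managed_documents(details)
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    report = {}
    for user in details.get("UserDetailList", []):
        grants = []  # (policy name, how it reaches the user, document)
        for policy in user.get("UserPolicyList", []):
            grants.append((policy["PolicyName"], "inline", policy["PolicyDocument"]))
        for policy in user.get("AttachedManagedPolicies", []):
            grants.append((policy["PolicyName"], "attached", managed.get(policy["PolicyArn"], {})))
        for group_name in user.get("GroupList", []):
            group = groups.get(group_name, {})
            for policy in group.get("GroupPolicyList", []):
                grants.append((policy["PolicyName"], f"group:{group_name}", policy["PolicyDocument"]))
            for policy in group.get("AttachedManagedPolicies", []):
                grants.append((policy["PolicyName"], f"group:{group_name}",
                               managed.get(policy["PolicyArn"], {})))
        report[user["UserName"]] = {
            "groups": list(user.get("GroupList", [])),
            "policies": [f"{name} ({via})" for name, via, _ in grants],
            "admin_via": [f"{name} ({via})" for name, via, doc in grants if is_admin_document(doc)],
        }
    return report


# Constructed sample in the shape of a decoded GetAccountAuthorizationDetails response.
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SAMPLE_DETAILS = {
    "UserDetailList": [
        {"UserName": "alice", "Arn": "arn:aws:iam::123456789012:user/alice", "GroupList": ["admins"],
         "AttachedManagedPolicies": [], "UserPolicyList": []},
        {"UserName": "bob", "Arn": "arn:aws:iam::123456789012:user/bob", "GroupList": ["developers"],
         "AttachedManagedPolicies": [
             {"PolicyName": "ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
         "UserPolicyList": [
             {"PolicyName": "bob-s3-reports", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-reports/*"}]}}]},
    ],
    "GroupDetailList": [
        {"GroupName": "admins", "AttachedManagedPolicies": [],
         "GroupPolicyList": [{"PolicyName": "admin-inline", "PolicyDocument": ALLOW_ALL}]},
        {"GroupName": "developers", "GroupPolicyList": [],
         "AttachedManagedPolicies": [
             {"PolicyName": "deploy-ec2", "PolicyArn": "arn:aws:iam::123456789012:policy/deploy-ec2"}]},
    ],
    "RoleDetailList": [],
    "Policies": [
        {"PolicyName": "ReadOnlyAccess", "Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess",
         "PolicyVersionList": [{"VersionId": "v1", "IsDefaultVersion": True, "Document": {
             "Version": "2012-10-17", "Statement": [
                 {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:List*"], "Resource": "*"}]}}]},
        {"PolicyName": "deploy-ec2", "Arn": "arn:aws:iam::123456789012:policy/deploy-ec2",
         "PolicyVersionList": [
             {"VersionId": "v1", "IsDefaultVersion": False, "Document": ALLOW_ALL},  # superseded
             {"VersionId": "v2", "IsDefaultVersion": True, "Document": {
                 "Version": "2012-10-17", "Statement": [
                     {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
                      "Resource": "*"}]}}]},
    ],
}

if __name__ == "__main__":
    for user_name, entry in entitlements_report(SAMPLE_DETAILS).items():
        flag = " ADMIN via " + ", ".join(entry["admin_via"]) if entry["admin_via"] else ""
        print(f"{user_name}: {', '.join(entry['policies'])}{flag}")
```

Two things the sample is built to show: alice never has a policy of her own, so a report that only reads `UserPolicyList` would miss that she is an administrator through the `admins` group; and `deploy-ec2` still carries an old allow-everything version, which does not count because only the default version is in force, but which is worth cleaning up before someone calls `SetDefaultPolicyVersion` on it. The check here is the narrowest possible definition of "admin" (literal `*` on `*`); `iam:*` or `NotAction` tricks need a fuller evaluator.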
![Page 44: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/44.jpg)
The AWS Journey
Phase 3: How do I design for tomorrow?
(Chart: experience over time)
![Page 45: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/45.jpg)
Security by Design (SbD)
![Page 46: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/46.jpg)
Security by Design - SbD
• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing
• Provides control insights throughout the IT management process
Services shown: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
![Page 47: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/47.jpg)
SbD - Scripting your governance policy
Set of CloudFormation templates that accelerate compliance with PCI, HIPAA, FFIEC, FISMA, CJIS.
Result: reliable technical implementation of administrative controls.
![Page 48: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/48.jpg)
How we build our organization
![Page 49: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/49.jpg)
AWS Security Team
Operations
Application Security
Engineering
Compliance
Aligned for agility
![Page 50: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/50.jpg)
Security Ownership as part of DNA
Promotes a culture of “everyone is an owner” for security
Makes security a stakeholder in business success
Enables easier and smoother communication
Distributed Embedded
![Page 51: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/51.jpg)
Operating Principles
Separation of duties
Different personnel across service lines
Least privilege
![Page 52: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/52.jpg)
Technology to automate operational principles
Visibility through automation
Shrinking the protection boundaries
Ubiquitous encryption
![Page 53: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/53.jpg)
The Bottom Line…
![Page 54: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/54.jpg)
Design & Deploy
Define sensible defaults
Inherit compliance controls
Use available security features
Manage templates - not instances
![Page 55: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/55.jpg)
Operate & Improve
Constantly reduce the role of people
Reduce Privileged accounts
Concentrate on what matters
![Page 56: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/56.jpg)
Conclusions
Security is critical
We’re creating tools to make it easier
We’re creating ways to help you build a world-class team
You can move fast and stay safe
![Page 57: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/57.jpg)
Don’t take my word for it…..
“CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly and reliably leverage the benefits of this increasingly ubiquitous computing model.”
-- Jay Heiser, “Clouds Are Secure: Are You Using Them Securely?”, published 22 September 2015
![Page 58: How We Should Think About Security](https://reader034.vdocuments.us/reader034/viewer/2022051709/586fb3f31a28abe57d8b6ecf/html5/thumbnails/58.jpg)