Master your security in the cloud
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
MKT201-R
Benjamin Andrew
Worldwide Leader: Security, Networking, Open Source Sellers
AWS Marketplace
Amazon Web Services
Andy Smith
Cybersecurity Operations Manager
Sallie Mae Bank
AWS Marketplace is a curated digital software catalog that helps customers find, test, buy, deploy, and manage the software and services they need to build products and run their businesses
A growing digital software catalog
• Deploy software on demand
• 1,500+ ISVs
• Over 7,000 product listings
• 260,000 active customers
• 100,000+ active security subscriptions
• Over 850 million hours of EC2 deployed monthly
• Deployed in 20 regions
• Offers 39 categories
• Flexible consumption and contract models
• Easy and secure deployment, almost instantly
• One consolidated bill
• Always evolving
Flexible software build and delivery
Amazon Machine Images
• Ideal for single instance solutions deployed directly into customer’s VPC
AWS CloudFormation Template
• Third-party software combined with AWS services
• You can offer complete solution implementation, including multi-instance, tie-ins to AWS Services, and high-availability cluster architectures
SaaS
• Your SaaS solution with subscription and tiered contract options, including annual and multi-year contracts
• Enables you to integrate AWS Marketplace discovery and procurement directly to your SaaS solution
API
• Designed to integrate directly to an application
• You can offer customers high-consumption API products with simple pay-as-you-go pricing
AWS Marketplace deployment options
• You can offer customers maximum flexibility with BYOL, pay-for-what-you-use, free trials and curated Open Source options
Shared responsibility model
AWS: Security OF the Cloud
AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud
Customer: Security IN the Cloud
Customer responsibility will be determined by the AWS Cloud services that a customer selects
Compute, Storage, Database, Networking
AWS / Customer shared responsibility
Availability Zones, Regions, Edge Locations
Voice of the customer – Sallie Mae Bank Cloud Migration Journey
2014–2017 – Adoption of SaaS platforms, Office 365, Microsoft Azure
2018 – Complete “Lift and Shift” into Amazon AWS
2019 – App Modernization – Serverless, Containers, Infrastructure as code
Software Defined Perimeter
Micro-segmentation
Encrypt everything in transit and at rest
CIS Benchmarks
Leverage AWS Security Partners to fill gaps
Voice of the customer – Sallie Mae Bank Cloud Security Strategy
Struggles we faced as we were migrating from On-Premises to Cloud: regulator buy-in, internal risk acceptance, security visibility.
Voice of the customer – Sallie Mae Bank
Voice of the customer – Sallie Mae Bank FireEye HELIX
Challenge:
Demonstrate to regulators that we have the ability to perform Cloud log retention and integration into our SIEM, and to demonstrate relevant event correlation to detect and respond to incidents.
FireEye HELIX—Log Retention, Integration, and Correlation
Challenge:
Internal controls require logging retention and event correlation along with incident response
Log Retention
Cloud Integration
Correlation/SOAR
Voice of the customer – Sallie Mae Bank Checkpoint CloudGuard Dome9
Challenge:
Prove to regulators that we could independently evaluate Cloud infrastructure deployments and could quickly scale and automate the enforcement of our internal controls.
Checkpoint CloudGuard Dome9—Cloud Configuration and Compliance
Immutable Audit Trail
Security Group Tamper Protection, Region Lock, and IAM Safety
Automated Compliance Checking and Remediation
Challenge:
Must prove to regulators independent evaluation of cloud deployments and the ability to quickly scale and automate enforcement
Voice of the customer – Sallie Mae Bank Imperva Application Security
Demonstrate to regulators that we have sufficiently protected our public facing websites against DDoS and OWASP threats.
Imperva Application Security—Ingress Internet Protection
Mitigate Security Risk
Reduce Cost of Noncompliance
Enable Transformation
Challenge:
Protect web applications: scan at the front door, block DDoS and OWASP attacks
Scenario: Spinning up a new web app
Customer wants to build their first web application and deploy a WAF in front of it
Deploy a WAF using an AMI
Deploy a WAF as SaaS
Integrate with AWS WAF using Managed Rules
AWS Lambda
Voice of the customer – Sallie Mae Zscaler Secure Web Gateway
Prevent the loss of company IP and customer data
Reduce the risk of legal liability pertaining to egress web traffic
Voice of the customer – Sallie Mae Bank Firewalls in AWS Marketplace – Barracuda / Palo Alto
Demonstrate the use of advanced firewall features such as IPS
Leverage Next Gen Firewalls to complement Like for Like, “Lift and Shift” into AWS
Barracuda and Palo Alto Nextgen Firewalls—Intrusion Prevention
Advanced Load Balancing and Routing
Integration Intrusion Prevention
Scalability
Challenge:
Security of applications in addition to AWS Security Groups
Key take-aways
• Remove friction by using the platforms you already have approved to use on-premise
• Keep using your current licenses where it makes sense
• Embrace new ways to deploy your software such as SaaS
• Take advantage of partners who integrate with AWS to automate
• Leverage AWS Marketplace for future software transactions