![Page 1: Operational Complexity: The Biggest Security Threat to Your AWS Environment](https://reader035.vdocuments.us/reader035/viewer/2022062523/58ed30661a28ab42678b4687/html5/thumbnails/1.jpg)
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Security is kind of a big deal… We’ve all got them: on-premises, in the cloud, hybrid environments. Are we doing the right thing to secure them?
And it’s no different in AWS
Managing tightly-controlled user access in AWS is too complex.
But it’s hard.
And complexity leads to errors and sloppiness.
Why is it so complex?
There are 6 main reasons.
1. User access is IP-centric, and their IP addresses change
Predicting where those users are going to be when accessing your network is a very big challenge; and almost impossible if you have a mobile workforce.
Think office to home, to mobile, to a coffee shop, to a plane…
2. Dynamic environments cause extra administrative burdens
As virtual machines and services within AWS are spun up, expanded or contracted, being able to dynamically allocate security policies to these resources becomes a real challenge.
3. Complexity leads to shortcuts
A lot of the time shortcuts are taken that compromise the security posture in the footprint of a particular environment.
4. Forced use of VPN connectivity to manage access control
If you’re at all into the networking space within your organization, you know that the use of VPNs is also not a trivial task.
And it can create performance issues for your end users and force unnecessary hops from environment to environment just to ensure that people are coming at the environment from appropriate locations.
5. Logging correlation complexities
All of this hopping around and all of these different technologies lead to logging correlation issues.
So when it comes to audit and compliance, you have a tremendously difficult task on your hands to correlate these logs and figure out who is doing what, who is accessing which application, what time of day and under what context they are doing it.
6. Shared AWS responsibility model
Do you know where AWS’s responsibility for the cloud ends – and yours begins?
AWS Shared Responsibility Model (https://aws.amazon.com/compliance/shared-responsibility-model)
AWS is responsible for this… security ‘of’ the cloud:
Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
And you’re responsible for this… security ‘in’ the cloud:
Customer Data
Platform, Apps, Identity & Access Management
OS, Network & Firewall Configuration
Client-Side Data Encryption and Data Integrity Authentication
Server-Side Encryption (File System and/or Data)
Network Traffic Protection (Encryption/Integrity/Identity)
Anything in the cloud is your responsibility.
Anytime you take advantage of the resources and build virtual machines, deploy data into S3 buckets or use a feature like AWS Snowball to push data into the environment, security becomes your responsibility.
AWS gives you tools, but you have to implement them.
AWS’s responsibility ends with the physical components of the cloud… the data center, the servers, the storage.
You are responsible for everything that leverages those physical components – all the configured services, data, deployed applications. This includes network access security.
So we turn to Security Groups.
You can use Security Groups, but they introduce operational complexity with negative consequences.
We either give wide-open access and end up with this…
No accountability/visibility
Increased risk of security breaches
Managing compliance is virtually impossible
Or tightly controlled access and end up with this…
Reduced business agility
Friction for DevOps
Inefficient approval process
Consider this scenario
Security Groups
1. Four users access the Amazon environment from a known source (73.68.25.221/24).
2. Their public IP address is the known source. The security groups are configured appropriately.
3. The challenge is when users try to access from other locations.
Do you:
Allow wide open access from anywhere?
Or tightly control access – force users to VPN into a known office and through a 73 dot IP address?
There’s a better way to do it.
It’s called a Software-Defined Perimeter.
A Software-Defined Perimeter gives every user on your network – whether an internal employee or a third-party working for you – an individualized perimeter around themselves and the network resources that they’re allowed to access.
And it’s a big deal
Industry experts suggest using it
“Legacy, perimeter-based security models are ineffective against attacks. Security and risk pros must make security ubiquitous throughout the ecosystem.”
“It is easier and less costly to deploy than firewalls, VPN concentrators and other bolt-in technologies.”
“SDP enables organizations to provide people-centric, manageable, secure and agile access to networked systems.”
A Software-Defined Perimeter gives you:
Individualized perimeters for each user – a Segment of One
Fine-grained authorization to on-premises and cloud
Context-aware driven authentication, then access
Simpler firewall and security group rules
Dynamic authorization adjusting to the user to access new cloud server instances
Consistent access policies across heterogeneous environments
A Software-Defined Perimeter puts the person back into the security model… by taking the source IP concept out of the equation.
The person, their identity, the device they’re on, the network they’re connected to, and just about anything else you could think of to analyze before you allow access to resources on your network, is checked.
Once a person is authorized to view resources, everything else on the network becomes invisible.
Cryptzone delivers a Software-Defined Perimeter Solution for AWS
Imagine a user wants to access the company’s ERP system.
[Diagram: Digital Identity, through AppGate, to Managed Networks (Cloud, On-premises or Hybrid) containing Secured Email, ERP, CRM, Group File Share, Executive Files, Enterprise Finance, \\EXEC_SERVER and SharePoint]
First we look at both context and identity.
[Diagram: Digital Identity and AppGate; context checked: Device, Time, Custom Attributes, Anti-Virus, Location: Office, Application Permissions]
We confirm it matches your policies before granting access.
We then create a dynamic Segment of One (1:1 firewall rule).
[Diagram: the same context checks; the user’s connection through AppGate into the Managed Networks is Encrypted & Logged]
And make everything else (the applications and the rest of the network) invisible to the user.
[Diagram: only the ERP system remains visible; the connection stays Encrypted & Logged]
And if the user goes home and wants to continue working, AppGate automatically checks “user-context” again, and applies the correct “home-based” policy.
[Diagram: Location is now Home; the connection to ERP remains Encrypted & Logged]
The result?
Locked-down secured access to AWS resources that is operationally simple to manage and maintain.
Let’s look at this more closely…
Current Model: AWS Security Groups
We all know about AWS Security Groups. The current Security Group model is complicated and unpredictable.
AWS Security Groups & AppGate (current model): Using AppGate, there are multiple gateways, protecting multiple cloud providers with split functionality.
AWS Security Groups & AppGate (current model): AppGate defines protected destinations, called Entitlements. An Entitlement can protect a single IP address and port, but also ranges of IP addresses and ports, AWS tags and values, as well as AWS Security Group names.
AppGate Model: AppGate offers a new Security Model inside AWS, redefining the Security Group so that protected destinations allow traffic only from the AppGate Gateway, ensuring all users access those resources through the contextual controls provided by AppGate.
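One way to check that security groups actually follow this model, as an added example that is not from the deck or from Cryptzone: a small audit over the dict shape that `aws ec2 describe-security-groups` (and boto3) returns, flagging every ingress source other than the gateway’s own security group. The group ids, the three sample groups and the gateway id are constructed here.

```python
"""Audit security-group ingress against the "only from the gateway" model.

Input is the dict shape returned by `aws ec2 describe-security-groups`
(and by boto3's describe_security_groups). Everything below is constructed
for illustration; GATEWAY_SG is an assumed id for the gateway's group.
"""
from __future__ import annotations

GATEWAY_SG = "sg-0gateway0000000001"  # assumed: the AppGate Gateway's group

# Constructed sample: three groups protecting SSH on Dev-Project servers.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaaaaaaaaaaaaaaa", "GroupName": "dev-project-open",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbbbbbbbbbbbbbbb", "GroupName": "dev-project-office",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "73.68.25.221/32"}],
                        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0cccccccccccccccc", "GroupName": "dev-project-gateway",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": GATEWAY_SG}]}]},
]}


def port_label(rule: dict) -> str:
    """Human-readable port range; protocol "-1" means all traffic."""
    if rule["IpProtocol"] == "-1":
        return "all traffic"
    lo, hi = rule["FromPort"], rule["ToPort"]
    return f"{rule['IpProtocol']}/{lo}" if lo == hi else f"{rule['IpProtocol']}/{lo}-{hi}"


def audit_ingress(payload: dict, gateway_sg: str) -> list[dict]:
    """One finding per ingress source that is not the gateway's group.

    "high": open to the whole internet (0.0.0.0/0 or ::/0).
    "medium": any other direct source (an office CIDR, another group),
    which under the gateway model bypasses the contextual checks.
    """
    findings = []
    for sg in payload["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
            for src in sources:
                if src == gateway_sg:
                    continue  # the one source the model permits
                findings.append({
                    "group": sg["GroupId"], "name": sg["GroupName"],
                    "port": port_label(rule), "source": src,
                    "severity": "high" if src in ("0.0.0.0/0", "::/0") else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in audit_ingress(SAMPLE, GATEWAY_SG):
        print(f"[{f['severity']}] {f['name']} allows {f['port']} from {f['source']}")
```

Pointing the script at a real account means feeding it the output of `aws ec2 describe-security-groups` and the id of the gateway’s group; any finding is a destination still reachable without passing through the gateway.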
AWS Security Groups & AppGate
Authentication Policy
• If users are on corporate network, allow Single-Factor Authentication
• If users are not on corporate network, require Multi-Factor Authentication
Device Policy
• Allow access if Anti-Virus is running
• Allow access if Device Firewall is enabled
• Allow access if OS patch level is current
Developer Access Policy
• Allow TCP Access
• On Port 22
• For all servers tagged Dev-Project
• If users are in group Development
Users are tied to the entitlements through Policies where we can enforce contextual awareness before allowing specific users access to specific entitlements. This combination allows us to get very granular on who can access what and under what circumstances.
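The three policies above, evaluated together for one user and one destination, as an added example that is not Cryptzone’s code: the dataclasses, the rule functions, the tag layout (a plain set of tag strings) and the sample user and server are all assumptions made here so the decision logic can run on constructed input.

```python
"""The three example policies from the slide, modelled as code.

An added illustration, not Cryptzone's implementation: the dataclasses,
rule functions and the tag layout (a set of tag strings) are assumptions
made here so the decision logic can be run on sample input.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Device:
    antivirus_running: bool
    firewall_enabled: bool
    patch_level_current: bool

@dataclass
class Context:
    user: str
    groups: set[str]
    on_corporate_network: bool
    mfa_completed: bool
    device: Device

@dataclass
class Destination:
    ip: str
    protocol: str
    port: int
    tags: set[str] = field(default_factory=set)


def authentication_policy(ctx: Context) -> str:
    """Single-factor on the corporate network, multi-factor anywhere else."""
    return "sfa" if ctx.on_corporate_network else "mfa"

def device_policy_ok(ctx: Context) -> bool:
    """All three device conditions on the slide must hold."""
    d = ctx.device
    return d.antivirus_running and d.firewall_enabled and d.patch_level_current

def developer_entitlement(ctx: Context, dest: Destination) -> bool:
    """TCP/22 to servers tagged Dev-Project, for members of Development."""
    return ("Development" in ctx.groups and dest.protocol == "tcp"
            and dest.port == 22 and "Dev-Project" in dest.tags)

def decide(ctx: Context, dest: Destination) -> tuple[bool, str]:
    """Return (allowed, reason). On allow, reason is the 1:1 rule to emit."""
    if not device_policy_ok(ctx):
        return False, "denied: device policy failed"
    if authentication_policy(ctx) == "mfa" and not ctx.mfa_completed:
        return False, "denied: MFA required off the corporate network"
    if not developer_entitlement(ctx, dest):
        return False, "denied: no entitlement matches this destination"
    return True, f"allow {ctx.user} -> {dest.ip} {dest.protocol}/{dest.port}"


# Constructed sample: a developer reaching a Dev-Project box from a coffee shop.
HEALTHY = Device(antivirus_running=True, firewall_enabled=True, patch_level_current=True)
DEV_BOX = Destination(ip="10.0.1.15", protocol="tcp", port=22, tags={"Dev-Project"})
SALLY_AT_CAFE = Context(user="sally", groups={"Development"}, on_corporate_network=False,
                        mfa_completed=False, device=HEALTHY)

if __name__ == "__main__":
    print(decide(SALLY_AT_CAFE, DEV_BOX))  # denied until MFA is completed
```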
AppGate Model: Because there is just one IP address, managing security just got easier.
AppGate from Cryptzone provides user control, operational agility and compliance:
Access policies across hybrid environments are consistent
Access is tightly secured with a Segment of One
Compliance reporting is easier and faster
Operational agility is boosted
DevOps can work faster
Infrastructure changes are dynamically protected
AWS Security… Simplified!
User-centric security policies… because people are not IP addresses
[Diagram: Sally M (Developer, Project Eagle), Charlie S (DB Admin), Joe R (Developer, Project Hawk), a Consultant, a Coffee Shop and Enterprise Headquarters]
Learn more about AppGate
Webinar: AWS Security: Simplify, Scale, & Secure User Access
Whitepaper: Forrester Report, No More Chewy Centers: The Zero Trust Model of Information Security
Video: AppGate
Would you like to know more?
GET IN TOUCH
Email: [email protected]
Twitter: @Cryptzone
LinkedIn: linkedin.com/company/cryptzone
FREE TRIAL | START NOW: Get access to a 15 day free trial on AWS marketplace.
Paul Campaniello, Chief Marketing Officer, Cryptzone