1) Willbros Group is a global contractor that provides engineering, construction, and other services to the oil, gas, and power industries.
2) Willbros uses AWS to build secure and flexible solutions like pipeline routing and collaboration tools to improve productivity in the field.
3) Trend Micro's security solutions help Willbros defend workloads running on AWS against network attacks and malware while simplifying security management across accounts and environments.
2. AWS Global Infrastructure
Diagram: Application Services, Deployment & Administration, Networking, Database, Storage, Compute
Amazon Web Services (AWS) provides flexible, scalable, and cost-effective IT infrastructure for businesses of all sizes around the world.
3. What sets AWS apart?
Experience: Building and managing cloud since 2006
Service Breadth & Depth: 40+ services to support any cloud workload
Pace of Innovation: History of rapid, customer-driven releases
Global Footprint: 11 regions, 28 availability zones, 53 edge locations
Pricing Philosophy: 47 proactive price reductions to date
Ecosystem: Thousands of partners; 1,900+ Marketplace products
5. Security is Job Zero at AWS
Facilities; Physical security; Physical infrastructure; Network infrastructure; Virtualization infrastructure
• SOC 1, SOC 2 & SOC 3
• ISO 27001
• PCI Level 1
• FedRAMP
• AWS GovCloud (US)
• MPAA best practices alignment
Customers are running SOX, HIPAA, FISMA, DIACAP MAC III sensitive ATO, ITAR, …
6. The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
7. Security with AWS
Auditability, Visibility, Control
Compliance reports
Amazon CloudWatch
AWS CloudTrail
AWS Config
“Describe” APIs
AWS IAM
AWS CloudHSM
AWS CloudFormation
AWS KMS
8. Defense-in-depth
Network: Security groups; VPC configuration; Web application firewalls; Bastion hosts; Encryption in-transit
System security: Hardened AMIs; OS and app patch mgmt.; IAM roles for EC2; IAM credentials
Data security: Logical access controls; User authentication; Encryption at-rest
Physical: AWS compliance program; Third-party attestations
9. Encryption: data at rest in AWS
EBS volume encryption: EBS encryption; OS tools; AWS Marketplace/partner
S3 object encryption: S3 server-side encryption (SSE); S3 SSE with customer-provided keys; Client-side encryption
Database encryption: Amazon Redshift encryption; RDS PostgreSQL (KMS); RDS MySQL (KMS); RDS Oracle (TDE/HSM); RDS MSSQL (TDE)
10. AWS Identity and Access Management (IAM)
AWS Identity and Access Management
Multi-factor authentication (hardware and software devices)
Temporary credentials
Users, Groups, Roles
IAM administrative users; Root account; Policies
Enforce the principle of least privilege
11. Security Groups and NACLs
Security Groups
• Instance level, stateful
• ALLOW rules only
• Default deny inbound, allow outbound
• Use as “whitelist” – least privilege
NACLs
• Subnet level, stateless
• ALLOW and DENY
• Default allow all
• Use as “blacklist”/“guardrails” (ports 135, 21, 23…)
Separation of duties. Changes audited via AWS CloudTrail
Diagram: Physical interfaces, Hypervisor, Virtual interfaces, Firewall; each customer (Customer 1, Customer 2 … Customer n) has its own Security Groups
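As an added illustration (not from the deck), the two controls side by side as a CloudFormation fragment: an allow-only security group beside a guardrail NACL that denies one of the ports named above, plus the egress entry a stateless NACL needs so return traffic is not dropped. The VpcId parameter is assumed to be supplied at deploy time, and the association of the ACL with a subnet is left out.

```yaml
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }   # assumed: real VPC id supplied at deploy time
Resources:
  # Security group: instance level, stateful, ALLOW rules only, inbound default-deny.
  WebServerSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Whitelist - HTTPS only; replies are permitted automatically
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  # NACL: subnet level, stateless, ALLOW and DENY. Entries are evaluated in RuleNumber
  # order, first match wins, so the DENY guardrails get low numbers and the catch-all ALLOW a high one.
  GuardrailAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VpcId
  DenyTelnetIn:   # port 23 from the slide; 135 and 21 get entries of the same shape
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref GuardrailAcl
      RuleNumber: 100
      Protocol: 6          # TCP
      RuleAction: deny
      Egress: false
      CidrBlock: 0.0.0.0/0
      PortRange: { From: 23, To: 23 }
  AllowAllIn:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref GuardrailAcl
      RuleNumber: 32000
      Protocol: -1         # all traffic; the security group does the fine-grained filtering
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
  # Stateless: without this egress ALLOW, replies to the HTTPS sessions admitted above are dropped.
  AllowAllOut:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref GuardrailAcl
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0
```

Changes to either resource show up in AWS CloudTrail as AuthorizeSecurityGroupIngress and CreateNetworkAclEntry events, which is the audit trail the slide refers to.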
12. Configure and harden EC2 instances based on security and compliance needs. Enforce consistent security on your hosts
Diagram: Launch instance from the EC2 AMI catalog, Running instance, Configure instance, Your instance
Operating system: Hardening; Audit and logging; Vulnerability management; Malware and HIPS; Whitelisting and integrity; User administration
Host-based protection software; Restrict access where possible; Connect to existing services
14. Agenda
• Who is Willbros
• Willbros Integrity use-cases
• Security architecture and design considerations
15. Willbros
Willbros Group, Inc. is a global contractor specializing in energy infrastructure serving the oil, gas and power industries. Our offerings include engineering, procurement and construction, refinery turnarounds, pipeline construction, pipeline integrity management, GIS consulting and other specialty services to industry and government entities worldwide.
18. Pipeline Routing
Analytical routing solution
• Land owners vs. corridors
• Wetlands or other crossings
• Populated areas
• Slope or ground rock
• Federal or conserved lands
Old time vs. new time
• 10x improvement!!
19. Integra Link
• Assets are bought and sold
• Who made it? Where is it? When was it maintained?
• Assets are replaced (or need to be)
• Asset classifications change in the world
• Lag time back to office
20. Integra Link
Collaboration
• Field, Office, and Partners
• Visualization
• Risk
• Location
Requirements
• Fast and familiar (secure)
• One version of the truth
23. Information Security
Confidentiality
Only those that should have access, do.
Integrity
Only those that should modify it, can.
Availability
The service and information is there when you need it.
25. Security: In the old world
• Minimize egress/ingress
• Protections at the perimeter – impossible math
• Once the bad dude is in, he is in
• IDS definitions are BROAD!
• Lots to manage
• Endpoint, physical perimeter, network, server…etc…
• Scale vs. cost vs. security
• Scary patch cycles
• Could just implement this in the cloud
• Agility and scale, price
26. Security: In the old world
Brown fields:
• Bolt-on, forklift or remove (or $$$$)
• Incident response
• Keep service up vs. drop service to mitigate vulnerability
• Lessons learned are road-mapped
• Resources to manage the old and the new
• Rigorous change control processes
• Disaster recovery expense
• Manual testing not representative of actual failure
27. Security: New world
No physical, just logical
Multiple ingress/egress
Containerization
Protection closer to the information
Only necessary protections
Shared security analytics
29. Security: New world
Always Green fields:
• Lessons learned enacted now
• DR testing and implemented as code
• IR failover or rebuild but retain old for investigation
• Manage scope
• One environment doesn’t impact another
• No cookie-cutters
• One new problem…
30. Trend Micro
Security with Trend
• Detect and enforce at the account level
• Auto load policy
• Alert on new or unsecured environments
• Reduce attack vectors by narrowing scope
• Improved 0-day hole
• Parallel IDS/IPS at each host
• File Integrity Management
• Log Inspection
32. Trend Micro Deep Security Protection
Defend against network attacks
Virtually patch software
Keep malware off workloads
Uncover suspicious changes
Copyright 2015 Trend Micro Inc.
Simplify your life with a single security solution, built for AWS
33. Fits How You Want to Buy and Deploy
AWS Marketplace: on your AWS bill for simplified procurement & billing
Software: annual license for hybrid environments or maximum control
Software as a Service: usage-based pricing for small instances or variable workloads