© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Best Practices for Public Sector AWS Security Posture
198244
Sekhar Sarukkai, V.P. Engineering, McAfee
Nathan McGuirt, Manager, Solutions Architecture, AWS
Shared Responsibility Model
Preventative, Detective, Responsive Controls
CASB Overview
Threat Vectors
Use Cases
Shared Responsibility Model
Security of the Cloud
Physical Security
Media Sanitization
Climate management
Fire Suppression
Software
Automation
Security in the Cloud
AWS Cloud Adoption Framework - Security Perspective
Preventative
Preventative - Identity and Access Management
• MFA for privileged users (especially the root account)
• IAM roles, rather than long-lived access keys, for programmatic access
• AWS Secrets Manager or AWS Systems Manager Parameter Store to manage secrets, with access to them governed by AWS Identity and Access Management
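The three IAM controls above can be checked from the account's IAM credential report. The following Python is an added example, not code from this deck or from AWS: it parses a constructed report in the CSV layout that `aws iam get-credential-report` returns and flags a root account without MFA or with access keys, console users without MFA, and long-lived access keys that should be rotated or replaced with IAM roles. The account ID, user names, dates and the 90-day threshold are assumptions made for the sample.

```python
"""Audit an IAM credential report for: MFA on root and on every console user,
no access keys on root, and no long-lived access keys (prefer IAM roles)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (not a real account). The header follows the CSV
# produced by `aws iam get-credential-report`; timestamps are ISO-8601 as emitted.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2017-01-10T12:00:00+00:00,not_supported,2018-05-01T09:12:44+00:00,not_supported,not_supported,false,true,2017-01-10T12:00:00+00:00,2018-04-30T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2017-06-01T08:00:00+00:00,true,2018-05-02T10:00:00+00:00,2018-03-01T08:00:00+00:00,2018-06-01T08:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2017-06-01T08:00:00+00:00,true,2018-05-02T10:00:00+00:00,2018-03-01T08:00:00+00:00,2018-06-01T08:00:00+00:00,false,true,2017-06-01T08:00:00+00:00,2018-05-01T10:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2017-06-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2018-04-15T08:00:00+00:00,2018-05-02T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the sample is reproducible; a real run uses datetime.now(timezone.utc).
NOW = datetime(2018, 5, 3, tzinfo=timezone.utc)


def _timestamp(value):
    """Parse a report timestamp; the report uses N/A, no_information and not_supported as nulls."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90):
    """Return a list of (user, finding) tuples for the controls described above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"
        active_keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]

        if user == "<root_account>":
            # Root should have MFA and must never carry access keys.
            if not mfa:
                findings.append((user, "root account has no MFA"))
            for n in active_keys:
                findings.append((user, f"root account has active access key {n}; delete it"))
            continue

        if console and not mfa:
            findings.append((user, "console password enabled without MFA"))
        for n in active_keys:
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} is older than {max_key_age_days} days; "
                                       "rotate it or replace it with an IAM role"))
    return findings


def run_sample():
    return audit_credential_report(SAMPLE_REPORT)


if __name__ == "__main__":
    for user, message in run_sample():
        print(f"{user}: {message}")
```

In a real account, feed the output of `aws iam get-credential-report --query Content --output text | base64 -d` to `audit_credential_report`; the report is generated account-wide, so a single run covers every IAM user and the root account.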
Preventative - Infrastructure
Three layers: Networking, System Security, Service-Level Protection
• Network Boundaries
• Patch Management
• Monitoring
• Log Management
• Access Management
Preventative - Data
• Data in Transit: Encryption, Integrity
• Least Privilege, Fine-Grained Policy
• Data at Rest: Encryption, Integrity, Backup
Detective
Detective – Logging and Monitoring
Enable AWS CloudTrail (before you do anything else).
• Capture logs: network and system logs, AWS CloudTrail
• Track state and configuration: change control
• Monitor applications: log monitoring, system monitoring
Responsive
Automating Response
• Use detective sources (CloudTrail, Config, logs) as the trigger
• AWS Lambda (really, any compute) evaluates the event
• Take corrective action through API automation
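The detective and responsive slides above describe one loop: CloudTrail records are the detective source, Lambda (or any compute) evaluates them, and the fix is an API call. The following Python is an added example, not code from this deck or from AWS, of such a handler run over constructed CloudTrail records. It alerts on root credential use, restarts a trail that was stopped, and revokes a security group rule opened to 0.0.0.0/0. The account ID, trail name, group ID and IP addresses are made up; the action tuples carry boto3 client method names, and the executor that would actually call boto3 is a pluggable argument so the example runs offline.

```python
"""Detect risky CloudTrail events and plan (or execute) the corrective API call."""
import json

# Constructed CloudTrail records. Field names follow the CloudTrail record format;
# the account, trail, security group and addresses are made up.
SAMPLE_EVENTS = [
    {"eventVersion": "1.05", "eventTime": "2018-05-03T10:01:00Z",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root", "accountId": "111122223333"},
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "requestParameters": None},
    {"eventVersion": "1.05", "eventTime": "2018-05-03T10:02:00Z",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob", "userName": "bob"},
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"name": "org-trail"}},
    {"eventVersion": "1.05", "eventTime": "2018-05-03T10:03:00Z",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob", "userName": "bob"},
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventVersion": "1.05", "eventTime": "2018-05-03T10:04:00Z",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
]


def detect(record):
    """Return (finding, action) for one CloudTrail record, or None if benign.
    An action is (boto3 service name, boto3 client method, kwargs); None means alert only."""
    identity = record.get("userIdentity") or {}
    source, name = record.get("eventSource"), record.get("eventName")
    params = record.get("requestParameters") or {}

    if identity.get("type") == "Root":
        # Root use is never routine. Alert, but do not automate a change against root.
        return (f"root credentials used for {name}", None)

    if source == "cloudtrail.amazonaws.com" and name in ("StopLogging", "DeleteTrail"):
        trail = params.get("name")
        # A stopped trail can be restarted; a deleted one needs a human to recreate it.
        action = ("cloudtrail", "start_logging", {"Name": trail}) if name == "StopLogging" else None
        return (f"CloudTrail {name} on trail {trail}", action)

    if source == "ec2.amazonaws.com" and name == "AuthorizeSecurityGroupIngress":
        opened = []
        for perm in params.get("ipPermissions", {}).get("items", []):
            ranges = perm.get("ipRanges", {}).get("items", [])
            if any(r.get("cidrIp") == "0.0.0.0/0" for r in ranges):
                # Revoke exactly the world-open range, leaving any other ranges in the rule alone.
                revoke = {"IpProtocol": perm["ipProtocol"], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
                if "fromPort" in perm:  # absent when ipProtocol is -1 (all traffic)
                    revoke["FromPort"], revoke["ToPort"] = perm["fromPort"], perm["toPort"]
                opened.append(revoke)
        if opened:
            group = params.get("groupId")
            return (f"security group {group} opened to 0.0.0.0/0",
                    ("ec2", "revoke_security_group_ingress", {"GroupId": group, "IpPermissions": opened}))
    return None


def scan(records, execute=None):
    """Run detect() over records; call execute(service, method, kwargs) for each planned action."""
    findings, actions = [], []
    for record in records:
        hit = detect(record)
        if hit is None:
            continue
        finding, action = hit
        findings.append(finding)
        if action is not None:
            actions.append(action)
            if execute is not None:
                execute(*action)
    return {"findings": findings, "actions": actions}


def lambda_handler(event, context=None):
    """Entry point for a CloudWatch Events rule on CloudTrail API calls: the record is event['detail'].
    A real deployment passes an executor such as
    lambda svc, method, kw: getattr(boto3.client(svc), method)(**kw)."""
    return scan([event["detail"]])


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

Keeping the decision (`detect`) separate from the side effect (`execute`) is what makes the handler testable without an account, and it is also where to add an allow-list, a dry-run flag, or a notification before the function is trusted to act on production resources.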
IaaS Fastest Growing Segment of Cloud
IaaS: 38.4% CAGR
SaaS: 20.3% CAGR
Custom Apps Rapidly Moving to Public IaaS
Percentage of custom apps hosted in each environment:
Environment    Today    In 12 months    Change
Datacenter     60.9%    36.9%           -24% YoY
Public cloud   22.6%    73.6%           +51% YoY
The average enterprise has 464 custom apps today.
Shared Responsibility Model
The customer's responsibility for securing IaaS is much greater than in SaaS.
Why is IT Security not Involved in Custom Apps Deployments?
IT Security is not involved in 62% of custom app deployments.
AWS Misconfiguration = Negative Results
Attack Strategies
• Identify buckets that are readable or writable by anyone (the AllUsers group) or by any authenticated AWS account (the AuthenticatedUsers group)
• Identify bucket ACLs that are modifiable by anyone or by any AWS account
• Plant malware in publicly writable buckets
Threat Objectives
• Extract data from S3 buckets
• Distribute malware from trusted IaaS infrastructure
• Use EC2 for resource-intensive workloads (e.g. crypto mining)
• Exploit misconfigurations while the customer pays the bill
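The attack strategies above, and the data-protection controls on the Preventative - Data slide, can both be checked from two pieces of stored state per bucket: its ACL grants and its bucket policy. The following Python is an added example, not code from this deck, McAfee or AWS. It assesses constructed bucket configurations for exposure to anyone (the AllUsers group, or an unconditional Principal "*" in the policy) and to any AWS account (the AuthenticatedUsers group), for whether the ACL or policy itself can be changed by outsiders, and for whether the policy denies non-TLS requests and unencrypted uploads. Bucket names, the owner ID and the policy documents are constructed sample data; in a real account the same inputs come from the get_bucket_acl and get_bucket_policy API calls.

```python
"""Assess S3 bucket exposure and data-protection posture from its ACL and bucket policy."""
import fnmatch
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # anyone on the internet
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account

# Constructed sample: ACLs in the shape returned by get_bucket_acl, policies as bucket
# policy documents. Names and the owner ID are made up.
SAMPLE_BUCKETS = [
    {"name": "corp-reports-public",
     "acl": {"Grants": [
         {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
         {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
         {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"}]},
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::corp-reports-public/*"}]}},
    {"name": "hardened-data",
     "acl": {"Grants": [
         {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
     "policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
          "Resource": ["arn:aws:s3:::hardened-data", "arn:aws:s3:::hardened-data/*"],
          "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
         {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
          "Resource": "arn:aws:s3:::hardened-data/*",
          "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _anyone(principal):
    """True for Principal "*" or {"AWS": "*"}: anonymous callers and every AWS account."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _allows(statement, action):
    """Does the statement's Action (string, list, or a wildcard such as s3:*) cover action?"""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(statement.get("Action", [])))


def _condition_keys(statement):
    return {k.lower() for op in statement.get("Condition", {}).values() for k in op}


def assess_bucket(name, acl, policy):
    r = {"bucket": name, "public_read": False, "public_write": False,
         "aws_user_read": False, "aws_user_write": False, "acl_modifiable": False,
         "tls_enforced": False, "sse_enforced": False}
    # 1. ACL grants to the two predefined groups: "publicly" vs "any AWS user" readable/writable.
    for grant in acl.get("Grants", []):
        uri, perm = grant.get("Grantee", {}).get("URI"), grant.get("Permission")
        if uri not in (ALL_USERS, AUTH_USERS):
            continue
        who = "public" if uri == ALL_USERS else "aws_user"
        if perm in ("READ", "FULL_CONTROL"):
            r[who + "_read"] = True
        if perm in ("WRITE", "FULL_CONTROL"):
            r[who + "_write"] = True
        if perm in ("WRITE_ACP", "FULL_CONTROL"):
            r["acl_modifiable"] = True
    # 2. Bucket policy: unconditional Allow to everyone, and the two Deny guards for data protection.
    for st in (policy or {}).get("Statement", []):
        if not _anyone(st.get("Principal")):
            continue
        if st.get("Effect") == "Allow" and not st.get("Condition"):
            r["public_read"] |= _allows(st, "s3:GetObject")
            r["public_write"] |= _allows(st, "s3:PutObject")
            r["acl_modifiable"] |= _allows(st, "s3:PutBucketAcl") or _allows(st, "s3:PutBucketPolicy")
        elif st.get("Effect") == "Deny":
            keys = _condition_keys(st)
            r["tls_enforced"] |= "aws:securetransport" in keys
            r["sse_enforced"] |= "s3:x-amz-server-side-encryption" in keys and _allows(st, "s3:PutObject")
    return r


def findings(r):
    """Human-readable issues for one assessment, most severe first."""
    out = []
    if r["acl_modifiable"]:
        out.append("ACL or policy modifiable by outsiders: an attacker can open the bucket further")
    if r["public_write"] or r["aws_user_write"]:
        out.append("writable by " + ("anyone" if r["public_write"] else "any AWS account") + ": malware can be planted")
    if r["public_read"] or r["aws_user_read"]:
        out.append("readable by " + ("anyone" if r["public_read"] else "any AWS account") + ": data can be extracted")
    if not r["tls_enforced"]:
        out.append("no Deny on aws:SecureTransport=false: encryption in transit not enforced")
    if not r["sse_enforced"]:
        out.append("no Deny on unencrypted PutObject: encryption at rest not enforced")
    return out


def assess_all(buckets=SAMPLE_BUCKETS):
    return [assess_bucket(b["name"], b["acl"], b["policy"]) for b in buckets]


if __name__ == "__main__":
    for r in assess_all():
        print(r["bucket"], json.dumps(findings(r), indent=2))
```

The two Deny statements on the hardened bucket are the usual way to make the Preventative - Data controls non-optional: the first refuses any request that did not arrive over TLS, the second refuses uploads that do not ask for server-side encryption, regardless of what an Allow elsewhere permits.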
Real World IaaS Security and Compliance Use Cases
Car Rental: credit card data posted in an unprotected notes field of a custom app on AWS, violating PCI DSS. Controls: DLP, Activity Monitoring.
Agriculture: discovered highly valuable IP in publicly accessible Amazon S3 buckets. Controls: AWS Configuration Audit, DLP.
Insurance: newly migrated application to the cloud requiring logging and monitoring for incident response. Controls: Activity Monitoring, Threat Protection, Privileged User Audit.
Shared Responsibility Model
Custom Apps & SaaS: Guard the Front Door
IaaS: Guard the Back Door Too
McAfee Products Supporting Shared Responsibility Model
CASB (includes CSPM) and CWPP:
• Shadow IaaS governance
• Insider threat detection
• DLP
• Configuration audit
• Flow analysis
Data Exfiltration Vectors—IaaS Apps
• Compromised Accounts
• Malware
• Misconfiguration
• Provisioning Sprawl
• Rogue Use
• Containers and Workloads
• Workload to Workload Communication
Data Exfiltration Vectors—IaaS Apps, and the controls that address them
Vectors: Compromised Accounts, Malware, Misconfiguration, Provisioning Sprawl, Rogue Use, Containers and Workloads, Workload to Workload Communication
Controls: Security Configuration Control, User Behavior Analytics, Workload and Container Security, Quarantine / Scan / Remediate, Network Segmentation and Security
How It’s Done
IaaS: integrate natively via API (CASB API)
Custom Apps: no API, so AI is needed to map the apps (CASB Gateway)
Extend CASB protection to IaaS and PaaS
Gartner Recommended Best Practice: “CASBs can gather and analyze risky configurations by assessing the security posture of the cloud infrastructure (for example, data stores exposed to the public internet) — ideally, this would replace the need for cloud infrastructure security posture assessment (CISPA) point products”
Custom Apps Key CASB Use-cases
1. Advanced Threat Protection: detect compromised accounts, insider/privileged user threats, malware
2. Activity Monitoring and Forensics: capture and categorize an audit trail of activity for forensic investigations
3. DLP: control what data is uploaded into a cloud service
4. Access Control: define access to the application based on user device, location, or role
IaaS Key CASB Use-cases
1. Managing Rogue AWS Instances: discover shadow AWS usage and reclaim control of risky IaaS usage
2. Security Configuration Monitoring of AWS Resources: identify AWS resources that are non-compliant with CIS Level 1 and Level 2 policies
3. Advanced Threat Protection: detect compromised accounts, insider/privileged user threats, malware
4. Activity Monitoring and Forensics: capture and categorize an audit trail of activity for forensic investigations
5. Visibility of Confidential Data: gain visibility of regulated/high-value data stored in AWS S3 and Azure Storage
6. S3 Bucket Storage Analysis: discovery of third-party S3 buckets configured for world reads/world writes
Free AWS Security Resources
• AWS Vulnerability Assessment
• Definitive Guide to AWS Security eBook
• Gartner CASB MQ (Magic Quadrant)
Resources
Well Architected Framework
• https://aws.amazon.com/architecture/well-architected/
AWS Security Best Practices Whitepaper
• https://aws.amazon.com/whitepapers/aws-security-best-practices/
IAM Best Practices
• https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Please complete the session survey in the summit mobile app.