Slide 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sekhar Sarukkai, V.P. Engineering, McAfee
Nathan McGuirt, Manager, Solutions Architecture, AWS
Best Practices for Public Sector AWS Security Posture
Slide 2
Shared Responsibility Model
Preventative, Detective, Responsive Controls
CASB Overview
Threat Vectors
Use Cases
Slide 3
Shared Responsibility Model
Slide 4
Security of the Cloud
Physical Security
Media Sanitization
Climate management
Fire Suppression
Software
Automation
Slide 5
Security in the Cloud
Slide 6
AWS Cloud Adoption Framework - Security Perspective
Slide 7
Preventative
Slide 8
Preventative - Identity and Access Management
• MFA for Privileged Users (Especially Root)
• IAM Roles for programmatic access
• AWS Secrets Manager or AWS Systems Manager to manage secrets (and AWS Identity and Access Management)
Slide 9
Preventative - Infrastructure
Areas: Networking, System Security, Service-Level Protection
• Network Boundaries
• Patch Management
• Monitoring
• Log Management
• Access Management
Slide 10
Preventative - Data
Data in Transit: Encryption, Integrity
Least Privilege: Fine Grained Policy
Data at Rest: Encryption, Integrity, Backup
Slide 11
Detective
Slide 12
Detective – Logging and Monitoring
Enable CloudTrail (before you do anything else)
Network, System Logs
Track State, Config
Monitor Applications
Capture Logs
Log Monitoring
System Monitoring
Change Control
AWS CloudTrail
Slide 13
Responsive
Slide 14
Automating Response
Use Detective Sources → AWS Lambda (really any compute) → Take Corrective Action (API Automation)
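As an added example (not from the deck), here is the detect, Lambda, corrective-action loop in Python: it reads CloudTrail records, applies three rules drawn from the preceding slides (root usage, console login without MFA, and tampering with CloudTrail itself) and dispatches a corrective action through an injected table of callables. The `actions` stub, the rule names and the sample records are constructed assumptions; in a real deployment the table entries would wrap boto3 calls such as `cloudtrail.start_logging()` or `sns.publish()`.

```python
"""Event-driven response for CloudTrail findings (added example, not from the deck).

Assumes CloudTrail records reach a Lambda function (for example via an EventBridge
rule) and that the function is handed an `actions` table of corrective-action
callables. The stub table below is hypothetical and only records calls, so the
code runs offline; in AWS the entries would wrap boto3 calls such as
cloudtrail.start_logging() or sns.publish().
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Finding:
    rule: str
    severity: str
    event_name: str
    principal: str
    action: str  # corrective action that was invoked


def _mfa_used(record: dict) -> bool:
    # ConsoleLogin records carry additionalEventData.MFAUsed ("Yes"/"No");
    # API-call records carry userIdentity.sessionContext.attributes.mfaAuthenticated.
    extra = record.get("additionalEventData", {})
    if "MFAUsed" in extra:
        return extra["MFAUsed"] == "Yes"
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def _principal(record: dict) -> str:
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def evaluate(record: dict) -> List[Tuple[str, str, str]]:
    """Return (rule, severity, action) for every rule a single CloudTrail record trips."""
    hits = []
    name = record.get("eventName", "")
    ident = record.get("userIdentity", {})
    login_ok = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
    # Rule 1: root should not be used day to day; a root console login without MFA is critical.
    if ident.get("type") == "Root":
        sev = "critical" if (name == "ConsoleLogin" and not _mfa_used(record)) else "high"
        hits.append(("root-activity", sev, "notify"))
    # Rule 2: successful console login by an IAM user without MFA.
    elif name == "ConsoleLogin" and login_ok and not _mfa_used(record):
        hits.append(("console-login-without-mfa", "high", "notify"))
    # Rule 3: tampering with the detective source itself.
    if name in ("StopLogging", "DeleteTrail", "UpdateTrail"):
        hits.append(("cloudtrail-tampering", "critical", "restore-trail"))
    return hits


def handler(event: dict, actions: Dict[str, Callable[[dict], None]]) -> List[Finding]:
    """Lambda-style entry point: evaluate each record and run the mapped corrective action."""
    findings = []
    for record in event.get("Records", []):
        for rule, severity, action in evaluate(record):
            actions.get(action, lambda _r: None)(record)
            findings.append(Finding(rule, severity, record.get("eventName", ""),
                                    _principal(record), action))
    return findings


def make_stub_actions(log: list) -> Dict[str, Callable[[dict], None]]:
    """Hypothetical corrective actions that only record what they would have done."""
    return {
        "notify": lambda r: log.append(("notify", r["eventName"])),
        "restore-trail": lambda r: log.append(
            ("start-logging", r.get("requestParameters", {}).get("name"))),
    }


# Constructed sample records (the account ID is the AWS documentation placeholder).
SAMPLE_EVENT = {"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"name": "org-trail"}},
]}

if __name__ == "__main__":
    calls = []
    for finding in handler(SAMPLE_EVENT, make_stub_actions(calls)):
        print(finding)
    print(calls)
```

Injecting the action table keeps the decision logic testable without AWS credentials and turns a dry-run mode into a one-line change (swap the table). The function's execution role should be scoped to exactly the actions it is mapped to, nothing broader.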
Slide 15
IaaS Fastest Growing Segment of Cloud
IaaS 38.4% CAGR
SaaS 20.3% CAGR
Slide 16
Custom Apps Rapidly Moving to Public IaaS
Percentage of custom apps hosted in each environment (today vs. in 12 months):
Datacenter: 60.9% today, 36.9% in 12 months (-24% YoY)
Public cloud: 22.6% today, 73.6% in 12 months (+51% YoY)
Slide 17
The average enterprise has 464 custom apps today
Slide 18
Shared Responsibility Model
Customer’s responsibility in securing IaaS is much greater than in SaaS
Slide 19
Why is IT Security not Involved in Custom Apps Deployments?
IT Security not Involved in 62% of Custom App Deployments
Slide 20
AWS Misconfiguration = Negative Results
Attack Strategies
• Identify publicly readable, writeable or AWS user readable,
writeable buckets
• Identify publicly modifiable or AWS user modifiable ACLs
• Plant malware in the publicly accessible AWS buckets
Threat Objectives
• Extract data from S3 Buckets
• Distribute malware using trusted-IaaS instances
• Use EC2 for intense resourcing (ex. crypto mining)
• Exploit misconfigurations while customer pays the bill
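The attack strategies listed above all start from the same three bucket settings, so the defender's counterpart is an audit of those settings. The following is an added example in Python, not McAfee's or AWS's code, that classifies a bucket as world-readable, world-writable or ACL-modifiable from its ACL, its bucket policy and its Block Public Access configuration; it also covers the "S3 Bucket Storage Analysis" use case that appears on a later slide. It assumes the dict shapes returned by the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs; the bucket names, policies and the `group_grant` helper are constructed.

```python
"""Offline S3 exposure audit (added example, not the deck's or McAfee's code).
Inputs per bucket are the ACL, bucket policy and Block Public Access settings, in
the dict shapes returned by GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock.
The sample inventory at the bottom is constructed.
"""
import fnmatch
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # anyone
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # any AWS account
# ACL permission -> exposure classes it implies on a bucket.
ACL_EXPOSURE = {"READ": {"read"}, "WRITE": {"write"}, "WRITE_ACP": {"acl-modifiable"},
                "FULL_CONTROL": {"read", "write", "acl-modifiable"}}
# Concrete actions standing for each exposure class; a policy's Action entries are
# matched against them with fnmatch so wildcards like s3:* or s3:Get* are covered.
POLICY_EXPOSURE = [("s3:GetObject", "read"), ("s3:ListBucket", "read"),
                   ("s3:PutObject", "write"), ("s3:DeleteObject", "write"),
                   ("s3:PutBucketAcl", "acl-modifiable"), ("s3:PutBucketPolicy", "acl-modifiable")]


@dataclass
class Finding:
    bucket: str
    source: str      # "acl" or "policy"
    audience: str    # "public" or "any-aws-user"
    exposure: str    # "read", "write" or "acl-modifiable"
    effective: bool  # False when Block Public Access neutralises the grant


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _anonymous_principal(principal) -> bool:
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))


def acl_findings(bucket: str, acl: dict, pab: dict) -> List[Finding]:
    out, ignored = [], bool(pab.get("IgnorePublicAcls"))  # existing public ACLs are ignored
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            audience = "public" if uri == ALL_USERS else "any-aws-user"
            for exposure in sorted(ACL_EXPOSURE.get(grant.get("Permission"), set())):
                out.append(Finding(bucket, "acl", audience, exposure, not ignored))
    return out


def policy_findings(bucket: str, policy_json: Optional[str], pab: dict) -> List[Finding]:
    out, restricted = [], bool(pab.get("RestrictPublicBuckets"))
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])) if policy_json else []:
        # Only an unconditional Allow to an anonymous principal counts as public here; a
        # Condition (e.g. aws:SourceVpce) is assumed to scope it and is left for manual review.
        if stmt.get("Effect") != "Allow" or "Condition" in stmt \
                or not _anonymous_principal(stmt.get("Principal")):
            continue
        seen: Set[str] = set()
        for granted in _as_list(stmt.get("Action", [])):
            for concrete, exposure in POLICY_EXPOSURE:
                if exposure not in seen and fnmatch.fnmatchcase(concrete.lower(), granted.lower()):
                    seen.add(exposure)
                    out.append(Finding(bucket, "policy", "public", exposure, not restricted))
    return out


def audit_bucket(bucket, acl, policy_json, pab) -> List[Finding]:
    pab = pab or {}
    return acl_findings(bucket, acl, pab) + policy_findings(bucket, policy_json, pab)


def summarize(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Bucket -> exposure classes still reachable once Block Public Access is applied."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.bucket, set())
        if f.effective:
            out[f.bucket].add(f.exposure)
    return out


def group_grant(uri, perm):  # constructed helper for building ACL grants
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm}


OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
    "Resource": ["arn:aws:s3:::policy-wide-open", "arn:aws:s3:::policy-wide-open/*"]}]})
VPCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::locked-down/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]})
# Constructed inventory: (bucket, ACL, policy JSON, public access block configuration).
SAMPLE_BUCKETS = [
    ("public-site-assets", {"Grants": [group_grant(ALL_USERS, "READ")]}, None, None),
    ("shared-uploads", {"Grants": [group_grant(AUTH_USERS, "WRITE"),
                                   group_grant(ALL_USERS, "WRITE_ACP")]}, None, None),
    ("locked-down", {"Grants": [group_grant(ALL_USERS, "READ")]}, VPCE_POLICY,
     {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}),
    ("policy-wide-open", {"Grants": []}, OPEN_POLICY, None),
]


def audit_all(inventory=SAMPLE_BUCKETS) -> Dict[str, Set[str]]:
    return summarize([f for args in inventory for f in audit_bucket(*args)])


if __name__ == "__main__":
    for bucket, exposures in audit_all().items():
        print(f"{bucket}: {sorted(exposures) or 'no effective public exposure'}")
```

Two details matter in practice: an `AuthenticatedUsers` grant is not "internal", it admits every AWS account, so it is reported as `any-aws-user` exposure; and a public grant that Block Public Access neutralises is still recorded with `effective=False`, because it becomes live the moment someone relaxes that setting.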
Slide 21
Real World IaaS Security and Compliance Use Cases
• Car Rental: Credit card data posted in unprotected notes field in custom app on AWS, violating PCI (DLP, Activity Monitoring)
• Agriculture: Discovered incredibly valuable IP in publicly accessible Amazon S3 buckets (AWS Configuration Audit, DLP)
• Insurance: Newly migrated application to cloud requiring logging and monitoring for incident response (Activity Monitoring, Threat Protection, Privileged User Audit)
Slide 22
Shared Responsibility Model
Custom Apps & SaaS: Guard the Front Door
IaaS: Guard the Back Door Too
Slide 23
McAfee Products Supporting Shared Responsibility Model
• Shadow IaaS governance
• Insider threat detection
• DLP
• Configuration audit
• Flow analysis
CWPP
CASB (includes CSPM)
Slide 24
Data Exfiltration Vectors—IaaS Apps
• Compromised Accounts
• Malware
• Misconfiguration
• Provisioning Sprawl
• Containers and Workloads
• Rogue Use
• Workload to Workload Communication
Slide 25
Data Exfiltration Vectors—IaaS Apps (with controls)
Vectors: Compromised Accounts, Malware, Misconfiguration, Provisioning Sprawl, Rogue Use, Workload to Workload Communication
Controls: Security Configuration Control, User Behavior Analytics, Workload and Container Security, Quarantine / Scan / Remediate, Network Segmentation and Security
Slide 26
How It’s Done
IaaS: Integrate natively via API (CASB API)
Custom Apps: No API – need AI to map apps (CASB Gateway)
Slide 27
Gartner Recommended Best Practice: Extend CASB protection to IaaS and PaaS
“CASBs can gather and analyze risky configurations by assessing the security posture of the cloud infrastructure (for example, data stores exposed to the public internet) — ideally, this would replace the need for cloud infrastructure security posture assessment (CISPA) point products”
Slide 28
Custom Apps Key CASB Use-cases
1. Advanced Threat Protection: Detect compromised accounts, insider/privileged user threats, malware
2. Activity Monitoring and Forensics: Capture and categorize an audit trail of activity for forensic investigations
3. DLP: Control what data is uploaded into a cloud service
4. Access Control: Define access to the application based on user device, location, or role
Slide 29
IaaS Key CASB Use-cases
1. Managing Rogue AWS Instances: Discover shadow AWS usage and reclaim control of risky IaaS usage
2. Security Configuration Monitoring of AWS Resources: Identify AWS resources that are non-compliant with CIS Level 1 and Level 2 policies
3. Advanced Threat Protection: Detect compromised accounts, insider/privileged user threats, malware
4. Activity Monitoring and Forensics: Capture and categorize an audit trail of activity for forensic investigations
5. Visibility of Confidential Data: Gain visibility of regulated/high-value data stored in AWS S3 and Azure Storage
6. S3 Bucket Storage Analysis: Discovery of third-party S3 buckets configured for world reads/world writes
Slide 30
Free AWS Security Resources
• AWS Vulnerability Assessment
• Definitive Guide to AWS Security eBook
• Gartner CASB MQ
Slide 31
Resources
Well Architected Framework
• https://aws.amazon.com/architecture/well-architected/
AWS Security Best Practices Whitepaper
• https://aws.amazon.com/whitepapers/aws-security-best-practices/
IAM Best Practices
• https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Slide 32
Please complete the session survey in the summit mobile app.
Slide 33