Shared Responsibility In Action

Technology

Traditional Responsibility Model
!
Operating System
Application
Account Management
You
Facilities
Physical Security
Physical Infrastructure
Network Infrastructure
Virtualization Layer

Shared Responsibility Model
You
Operating System
Application
Account Management
Security Groups
Network Configuration
AWS
Facilities
Physical Security
Physical Infrastructure
Network Infrastructure
Virtualization Layer
More info on the model is available at http://aws.amazon.com/security

Common View
More information on the model at http://aws.amazon.com/security

Abstract
Container
Infrastructure
Better View
From AWS’ Mark Ryland, more info at http://4mn.ca/ZZeDbA

Service Examples
Service Type *aaS
SQS, S3, Route53 Abstract SaaS
RDS, EMR, OpsWorks Container PaaS
EC2, EBS, VPC Infrastructure IaaS
From AWS’ Mark Ryland, more info at http://4mn.ca/ZZeDbA

Less responsibilities
More responsibilities
Distribution of Security

Options : Responsibilities
Distribution of Security
Rough correlation between # of options & level of responsibilities

Critical embargoed bug discovered in Xen, details at http://4mn.ca/1rcXTTN

Protecting Instances
A small percentage of instances on EC2 are scheduled for a reboot

Actions to Take
For EC2
Nothing for cloud-native architectures
Manage availability for traditional architectures
For RDS
Nothing for Multi-AZ instances
Standard maintenance window for single instances

CVE-2014-3566 : Padding Oracle On Downgraded Legacy Encryption

Attack forces an older cipher choice, details at http://4mn.ca/1EYfBEA

For ELB
Select a non-affected cipher suite (e.g., ELBSecurityPolicy-2014-10)
For Web Servers
Enable TLS_FALLBACK_SCSV
Disable support for SSL 3.0*
Disabling SSL 3.0 may cause compatibility issues
Actions to Take

More info on bash at http://www.gnu.org/software/bash

(){}; attack
10/10 vulnerability : widespread & easy to exploit

Actions to Take
Steps to protection
Update bash
Use an intrusion prevention system

Applied at the boundary
Majority of traditional controls are applied at the boundary
Shifting Controls

Applied to each instance
Same controls required in AWS, now applied to the instance
Shifting Controls

Watch the demo in action at http://4mn.ca/1sY3YK4

Return contents of /etc/passwd with a simple custom header

Add intrusion prevention controls to the instance

Intrusion prevention resets connection when attack is detected

Options : Responsibilities
Where does you deployment fall on the scale?

Thank you!
Learn more at
testdrive.trendmicro.com
Follow me on Twitter @marknca

What's hot

Introduction to AWS Security

LalitMohanSharma8

The AWS Shared Security Responsibility Model in Practice

AWS provides a range of security services and features that AWS customers can use to secure their content and applications and meet their own specific business requirements for security. This presentation focuses on how you can make use of AWS security features to meet your own organization's security and compliance objectives. View a recording of the webinar based on this presentation on YouTube here: http://youtu.be/rXPyGDWKHIo

Journey Through The Cloud - Security Best Practices

CSS17: Atlanta - The AWS Shared Responsibility Model in Practice

How Public Sector Entities are Advancing Their Security and Governance Capabi...

The AWS Shared Responsibility Model in Practice

Shared Security in AWS

PolarSeven Pty Ltd

AWS Security Week: Security, Identity, & Compliance

Amazon Web Services LATAM

Cloud Security, Risk and Compliance on AWS

Karim Hopper

1. aws security and compliance wwps pre-day sao paolo - markry

From the Trenches: Building Comprehensive and Secure Solutions in AWS

Security in the Cloud | Amazon Web Services

Vortrag "Einführung - Compliance mit AWS" von Bertram Dorn beim AWS Security Web Day 2016. Alle Videos und Präsentationen finden Sie hier: http://amzn.to/1NFtR5P Das AWS Compliance-Programm ist der Schlüssel für Kunden, um die von AWS getroffenen technischen und organisatorischen Maßnahmen zu verstehen, welche getroffen werden, um Kundendaten zu sichern. Der Vortrag wird einen Einblick in die Grundlagen der Verfahren von ISO270xx, SOC1/2/3 und PCI DSS geben. Auch werden wir uns dem Lesen dieser Zertifikate und Berichte widmen, um deren Inhalt mit den typischen Fragen und Voraussetzungen von Datenverarbeitung, Verfügbarkeit und Risikoabsicherung zu verbinden.

Einführung „Compliance mit AWS" - AWS Security Web Day

AWS Germany

Navigating the AWS Compliance Framework | AWS Security Roadshow Dublin

Does meeting stringent compliance requirements keep you up at night? Do you worry about having the right audit trails in place as proof? In this session, you will learn why building security in from the beginning saves you time (and painful retrofits) later, how to gather and retain audit evidence for instances that are only up for minutes or hours, and how to meet many compliance requirements and ensured that Amazon EC2 instances are immediately protected as they come online.

Cloudten: SIEM in the AWS Cloud

Richard Tomkinson

Compliance with AWS

Aws cloud adoption_framework

IBM India Pvt Ltd

AWS Security Best Practices

Security on AWS, 2021 Edition Meetup

CloudHesive

Security & Compliance in AWS

What's hot (20)

Introduction to AWS Security

The AWS Shared Security Responsibility Model in Practice

Journey Through The Cloud - Security Best Practices

CSS17: Atlanta - The AWS Shared Responsibility Model in Practice

How Public Sector Entities are Advancing Their Security and Governance Capabi...

The AWS Shared Responsibility Model in Practice

Shared Security in AWS

AWS Security Week: Security, Identity, & Compliance

Cloud Security, Risk and Compliance on AWS

1. aws security and compliance wwps pre-day sao paolo - markry

From the Trenches: Building Comprehensive and Secure Solutions in AWS

Security in the Cloud | Amazon Web Services

Einführung „Compliance mit AWS" - AWS Security Web Day

Navigating the AWS Compliance Framework | AWS Security Roadshow Dublin

Cloudten: SIEM in the AWS Cloud

Compliance with AWS

Aws cloud adoption_framework

AWS Security Best Practices

Security on AWS, 2021 Edition Meetup

Security & Compliance in AWS

Similar to Shared Responsibility In Action

Defending your workloads with aws waf and deep security

AWS provides tools to improve your security posture, by providing ways of implementing detective and reactive controls that will detect and remediate security threats. We’ll look at the various services and the features that you can employee, such as AWS Inspector, AWS Trusted Advisor, AWS Config and Config Rules and CloudTrail. We’ll explore how they work and how they should be deployed as part of an overall security strategy.

Europe Cloud Summit - Security hardening of public cloud services

Runcy Oommen

Toward Full Stack Security

During the “Architecting for the Cloud” breakfast seminar where we discussed the requirements of modern cloud-based applications and how to overcome the confinement of traditional on-premises infrastructure. We heard from data management practitioners and cloud strategists from Amazon Web Services and NuoDB about how organizations are meeting the challenges associated with building new or migrating existing applications to the cloud. Finally, we discussed how the right cloud-based architecture can: - Handle rapid user growth by adding new servers on demand - Provide high performance even in the face of heavy application usage - Offer around-the-clock resiliency and uptime - Provide easy and fast access across multiple geographies - Deliver cloud-enabled apps in public, private, or hybrid cloud environments

Dallas Breakfast Seminar

NuoDB

9 Security Best Practices

As attackers become more sophisticated, web application developers need to constantly update their security configurations. Static firewall rules are no longer good enough. Developers need a way to deploy automated security that can learn from the application behavior and identify bad traffic patterns to detect bad bots or bad actors on the Internet. This session showcases some of the real-world customer use cases that use machine learning and AWS WAF (a web application firewall) with automated incident response and machine learning to automatically identify bad actors. We also present tutorials and code samples that show how customers can analyze traffic patterns and deploy new AWS WAF rules on the fly.

Delivering High-Availability Web Services with NGINX Plus on AWS

NGINX, Inc.

Web Security Automation: Spend Less Time Securing your Applications

RightScale Webinar: Security and compliance remain major challenges to adoption of public cloud infrastructure hosting. Technical differences in public cloud environments render many established security models and controls inoperable. Understanding these differences and the options available to you are key to running a secure cloud environment. Join Carson Sweet, co-founder and CEO of CloudPassage and Uri Budnik, Director, ISV Partner Program of RightScale for a free webinar where industry experts discuss why security and compliance are different in the cloud, outline a model for securing cloud-based hosting environments, and explain best practices for implementing a secure cloud infrastructure. We will discuss: - What's different about security in the cloud - Shared responsibility - Architectural challenges - Key features to secure your cloud servers - Secure deployment via RightScripts Don't miss out on this opportunity to find out about all you need to secure your cloud servers!

Securing Servers in Public and Hybrid Clouds

RightScale

AWS Security Best Practices and Design Patterns

While security and compliance outside the cloud can be an endless struggle against long checklists, the cloud makes it possible to both have a perfect inventory of resources and their state at any given point in time, and the APIs to make the changes needed to ensure a good posture on security. Moving to the cloud can simplify and improve your security posture by shifting a large portion of security management burden to an infrastructure environment that’s designed and managed to the specifications of some of the world’s most security-sensitive organizations. AWS also provides you the tools to automate many common security tasks. We look at effective implementations of security automation that demonstrate why more and more organisations believe and have demonstrated that " you can be more secure in the AWS Cloud than in your own data center. Speaker: Myles Hosford, Security Solution Architect, AWS APAC

Security Automation: Spend Less Time Securing Your Applications.

We will walk you through a hypothetical incident response managed on AWS. Learn how to apply existing best practices as well as how to leverage the unique security visibility, control, and automation that AWS provides. We will cover how to setup your AWS environment to prevent a security event and how to build a cloud-specific incident response plan so that your organization is prepared before a security event occurs. This session also covers specific environment recovery steps available on AWS. Learn More: https://aws.amazon.com/government-education/

Incident Response in the Cloud | AWS Public Sector Summit 2017

Because the entire AWS cloud platform is programmable, it turns out that you can program security and compliance in advance of actually instantiating any actual workloads. In this session, we show how you can design a secure and compliant workload and even have it audited by a third-party auditor before creating it for the first time! Once it's created, other facilities provide mechanisms for detecting and alerting a drift from your baseline, and even automatically remediating the drift. Learn how the comprehensive automation available in AWS provides security and compliance professionals an entire new, more efficient, and more effective way to work. Speaker: John Hildebrand, Solutions Architect, Amazon Web Services

Modern Security and Compliance Through Automation

AWS and its partners offer a wide range of tools and features to help you to meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools to can provide full visibility into what is happening in your environment. In this session, you will get introduced to the range of security tools and features that AWS offers, and the latest security innovations coming from AWS.

Getting Started with AWS Security

AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017

The AWS Cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that "Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?" That's the level of granularity you can choose to implement if you wish. In this session, we'll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture. Presenter: Stephen Quigg, Principal APAC Security Solutions Architect, Amazon Web Services

Understanding AWS Security

The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.

AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving...

Learning Objectives: - Learn how to secure your web applications - Learn how to configure AWS Shield and AWS WAF - Learn how to defend the most common Layer 7 attacks Distributed denial of service (DDoS) and other web attacks can affect your applicationâ€™s availability, compromise its security, and consume excessive resources. AWS Shield and AWS Web Application Firewall (WAF) help secure your applications from these types of attacks. AWS Shield is a managed DDoS protection service that offers always-on detection and automatic inline mitigation to minimize application downtime and latency. AWS WAF is a web application firewall that helps protect your applications from common web exploits such as SQLi, XSS, and botnets. This introductory tech talk will provide you an overview and demonstration of these services.

Secure your Web Applications with AWS Web Application Firewall (WAF) and AWS ...

AWS Summit 2014 Brisbane - Breakout 1 The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources. Presenter: Stephen Quigg, Solutions Architect, APAC, Amazon Web Services

Understanding AWS Security

Attendees will learn how to leverage the identity and authorisation, network security and secrets management features of the wider AWS platform for their containers, including Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Container Service for Kubernetes (Amazon EKS). We also discuss best practices for the security of your container images such as scanning them for known vulnerabilities.

淺談WAF在AWS的架構_20171027

4ndersonLin

Advanced Container Security

Security is often misunderstood and addressed in the last stages of a build. Operationally, it’s ignored until there is an emergency. In this talk, we review several advanced security processes and discuss how too easily automate them using common tools in the AWS Cloud. This approach helps you and your team increase the security of your build while reducing the overall operational requirement of security in your stack. Leave this dev chat with everything you need to get started with automating security.

Similar to Shared Responsibility In Action (20)

Defending your workloads with aws waf and deep security

Europe Cloud Summit - Security hardening of public cloud services

Toward Full Stack Security

Dallas Breakfast Seminar

9 Security Best Practices

Delivering High-Availability Web Services with NGINX Plus on AWS

Web Security Automation: Spend Less Time Securing your Applications

Securing Servers in Public and Hybrid Clouds

AWS Security Best Practices and Design Patterns

Security Automation: Spend Less Time Securing Your Applications.

Incident Response in the Cloud | AWS Public Sector Summit 2017

Modern Security and Compliance Through Automation

Getting Started with AWS Security

AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017

Understanding AWS Security

AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving...

Secure your Web Applications with AWS Web Application Firewall (WAF) and AWS ...

Understanding AWS Security

淺談WAF在AWS的架構_20171027

Advanced Container Security

More from Mark Nunnikhoven

Advanced Security Automation Made Simple

AWS re:Invent 2017 re:View

Security in the cloud is fundamentally different. Not so much due to the technology--though there's plenty of differences there--but more with respect to the way that security is applied and how it's run. Over the past few years, we've seen a radical shift in how development and operational teams work together. Security teams have been left out in the cold and are still viewed as the "No" team. It doesn't have to be that way. Cloud technologies have enabled new work flows and models for businesses and other teams...security is no different. We just have to wake up and take advantage of the new ecosystem. When security teams embrace change, the boundaries start to dissolve and security can finally be built in instead of bolted on. In this session, we'll look at some of the challenges involved in this shift, how it impacts your teams, your skill set, and how a modern approach to defence will improve your security posture. Presented at BC Aware Day, 31-Jan-2017

Security Teams & Tech In A Cloud World

AWS re:Invent 2015 re:Cap

When it hits the fan, one of the first questions that you get asked is "Who did this?". And like any good mystery, trying to find the attacker takes many twists and turns. There's a trail of evidence, a red herring or two, and the inevitable plot twist before the final reveal. Unfortunately, despite what you see on TV, in the movies, or even in the press, attack attribution is hard. In face, it's one of the hardest problems in information security today. In this talk, we use real world examples to work through what it takes to properly make the connection between attack and attacker. Looking at real world techniques used to gather and validate evidence, we'll examine what it takes for that evidence to hold up to cross examination. We'll look at the role each of your security controls play in the attribution process and the steps you can take to immediately make attribution easier. Come learn what it takes to actually prove who the attacker is and where attribution fits into your daily security practice.

Whodunit, The Mechanics of Attack Attribution

Power Struggle: Balancing Relationships & Responsibility in the Cloud

Security OF The Cloud

Software-defined networking is the latest technology in a move to abstract a variety of data center resources. As more and more of the data center is defined in code, some unique security challenges come to the fore. In this session, we'll explore both sides of the security challenge. What types of controls and implementations are required to define security as part of your infrastructure code? What challenges does maintaining an infrastructure codebase present? You'll learn not only how to integrate security into your infrastructure code but also how to properly and securely manage that codebase.

Infrastructure as (Secure) Code

Updating Security Operations For The Cloud

This talk looks at the challenges we face as a defender today by examining several recent, prominent breaches and one of their common causes. The first 2/3 of this talk are the same as "Is That Normal?" (http://www.slideshare.net/marknca/is-that-normal-behaviour-modelling-on-the-cheap) but in the last 3rd, instead of diving in the the mechanics of behavioural analysis, this talk looks at what we should be doing with the results. Originally presented at the Gartner Security & Risk Management Summit in London, 08-Sep-2014

The Most Common Failure With Today's Defences

Originally presented at BSides Ottawa on 06-Sep-2014, this talk lays out the challenges faced by todays defender (for context), the gap in our current defensive strategies (what we'll address), and explains how to start a basic behavioural analysis practice with minimal investment. Remember this is a BSides presentation so there may be some language which causes a double-take ;-) Open with caution.

Is That Normal? Behaviour Modelling On The Cheap