Tuesday, 9th Feb 2016
AWS Security Best Practices, Real-world examples
and Common Mistakes
GP
CEO and Founder
www.stackArmor.com
@cloudpalgp
https://www.linkedin.com/in/gppal
gpal@stackarmor.com
SaaS, Security and AWS
PROPRIETARY AND CONFIDENTIAL INFORMATION OF STACKARMOR
Cloud Solutions Architect and Technology Strategist
• Focused on full-stack security and operations management
• Cloud automation and business process acceleration
• Cybersecurity Policies, Procedures and Tactics
Supported the first AWS cloud migration in 2009 for
Recovery.gov and have successfully led multiple large
enterprise cloud modernization programs in regulated
industries, Financial Services and Healthcare.
What we do
Business Landscape
• Data breaches are “daily” news
• Regulators are starting to take notice
◦ FTC versus Henry Schein Practice Solutions, Inc., Jan 5th, 2016
◦ SEC versus R.T. Jones Capital Equities Management, Sep 22nd, 2015
• NIST Cybersecurity Framework is “standard of care”
◦ http://www.nist.gov/cyberframework/
◦ HIPAA, FISMA, FedRAMP, PCI-DSS, ISO 27001
• Cybersecurity is a Board level issue
Technology Landscape
• AWS/Cloud “takes care of everything”!!
◦ Shared Responsibility Model
• Managed Services and Processes required
◦ Patching and Vulnerability Management
◦ Boundary protection and monitoring
◦ Logging and Centralized log analysis
◦ Backups/Restore
• SaaS shops tend to be strong on the Dev but weak on Ops
• Network Engineering, Security Zoning, Boundary Protection
and Enclave Hardening are not well understood
What??
“…while doing cloud hosting cost analysis for a venture funded start-up, we
noticed heavy data egress charges. A simple analysis revealed that a hacker had
penetrated the platform and downloaded the firm’s database and IP. The
vulnerability was traced to an un-patched server.”
“The Technology team of a SaaS startup with Fortune 500 customers is operating
their environment in a cloud environment without any intrusion detection and
prevention systems such as web application firewalls, thereby creating third-party
risk.”
“…a SaaS startup exposed their access secret key in their web application in plain
view for anyone to access. This could have caused someone to wipe out the firm’s
entire production and operational platform…”
Hmm…
Top Security “Booboos”
Common poor security mistakes, with comments:
1. Creating unnecessary access and secret keys for IAM users. Comment: Console users don’t need keys.
2. Using developer keys instead of instance roles for accessing instances. Comment: Use IAM instance roles, which supply temporary credentials for accessing AWS resources.
3. Wide open inbound rules in security groups. Comment: Restrict entry to specific ports and IP addresses as required.
4. Lack of restrictions on production instances. Comment: Any user can perform actions on production instances. Provision IAM roles that allow for separation of duties.
5. Poor segmentation and zoning of application and data components through the use of public and private subnets. Comment: Proper zoning through subnets allows for segregating netflow and blackholing requests in the event of an attack.
6. Lack of boundary protection (IDS, IPS, VPN). Comment: Consider using WAF, IPS/IDS and VPN solutions.
7. Inconsistent patch management and vulnerability scanning. Comment: Create an information security policy with a patching schedule with roles, responsibilities and reporting.
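Two of the mistakes above (unnecessary keys for console users, and world-open security group rules) can be caught by a simple account audit. The following is an added example, not code from the deck or from stackArmor; it reads constructed dicts in the shape boto3's IAM and `ec2.describe_security_groups` calls return, so it runs offline, and the set of ports considered acceptable to expose publicly is an assumption.

```python
"""Audit checks for two of the slide's 'booboos': IAM users who have both
console access and long-lived access keys (mistake 1), and security groups
whose inbound rules are open to the world (mistake 3). The input dicts use
the shape that boto3's iam.list_users / iam.list_access_keys /
iam.get_login_profile and ec2.describe_security_groups return, but the data
here is constructed so the check runs offline."""

# Constructed: users, whether each has a console login profile, and their keys.
IAM_SNAPSHOT = {
    "alice": {"console": True, "access_keys": [{"AccessKeyId": "AKIAEXAMPLEALICE1", "Status": "Active"}]},
    "bob": {"console": True, "access_keys": []},
    "ci-deploy": {"console": False, "access_keys": [{"AccessKeyId": "AKIAEXAMPLECI0001", "Status": "Active"}]},
    "carol": {"console": True, "access_keys": [{"AccessKeyId": "AKIAEXAMPLECAROL2", "Status": "Inactive"}]},
}

# Constructed: the "SecurityGroups" list from ec2.describe_security_groups().
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     ]},
    {"GroupId": "sg-0bbb", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
     ]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
]

# Assumption: ports that are reasonable to expose to the Internet from a
# public subnet. Anything else open to 0.0.0.0/0 or ::/0 gets flagged.
PUBLIC_SERVICE_PORTS = {80, 443}


def console_users_with_keys(snapshot):
    """Mistake 1: console users don't need keys. Returns (user, key id) for
    every ACTIVE key belonging to a user who also has a console login."""
    findings = []
    for user, info in snapshot.items():
        if not info["console"]:
            continue
        for key in info["access_keys"]:
            if key["Status"] == "Active":
                findings.append((user, key["AccessKeyId"]))
    return findings


def _is_world(rule):
    """True if the rule's source includes every IPv4 or IPv6 address."""
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])) or \
        any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))


def wide_open_ingress(groups, allowed_ports=PUBLIC_SERVICE_PORTS):
    """Mistake 3: flag inbound rules reachable from any address unless they
    expose exactly one allowed public service port. Returns (group id, port spec)."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not _is_world(rule):
                continue
            # Protocol "-1" is AWS's "all traffic"; it carries no port fields.
            if rule["IpProtocol"] == "-1":
                findings.append((sg["GroupId"], "all traffic"))
                continue
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if lo == hi and lo in allowed_ports:
                continue
            findings.append((sg["GroupId"], f"{rule['IpProtocol']}/{lo}-{hi}"))
    return findings
```

Swap the constructed dicts for live boto3 responses and the two functions become a pre-deployment gate; a port range such as 80-443 is flagged even though it contains allowed ports, which is intentional.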
Vulnerability Scanning
• Good operational hygiene keeps the hacker away!?!
Logging and Monitoring…
• AWS VPC Flow Logs
◦ Most Talkers
◦ Rejected Traffic
• AWS CloudTrail
◦ Who deleted my instances?
◦ Who is asking for old or deleted keys?
• AWS Config
◦ Configuration Management
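The three questions on this slide (most talkers and rejected traffic from VPC Flow Logs; who deleted instances and who is presenting old keys from CloudTrail) reduce to a few counters over the raw records. The following is an added example, not code from the deck or from stackArmor; the flow log lines use the default version-2 field order, the CloudTrail records are constructed, and the set of auth-failure error codes is an assumption that varies by service.

```python
"""Offline triage of the two AWS log sources the slide names: VPC Flow Logs
(most talkers, rejected traffic) and CloudTrail (who deleted instances, who
is using old or deleted access keys). All input below is constructed."""
import json
from collections import Counter

# Constructed VPC Flow Log records in the default version-2 format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51234 22 6 8 640 1454975000 1454975060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51235 22 6 8 640 1454975000 1454975060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 43210 443 6 120 96000 1454975000 1454975060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 10.0.1.10 443 43210 6 150 3500000 1454975000 1454975060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40000 3389 6 4 320 1454975000 1454975060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1454975000 1454975060 - NODATA
"""

FLOW_FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status"]


def parse_flow_logs(text):
    """Parse version-2 flow log lines; NODATA/SKIPDATA records carry no
    addresses or byte counts and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def top_talkers(records, n=3):
    """Source addresses ranked by bytes sent (the 'Most Talkers' view)."""
    by_src = Counter()
    for rec in records:
        by_src[rec["srcaddr"]] += rec["bytes"]
    return by_src.most_common(n)


def rejected_traffic(records):
    """Count REJECTed flows per (srcaddr, dstport). Repeated rejects on
    22 or 3389 from one address are the security-group probes worth a look."""
    rejects = Counter()
    for rec in records:
        if rec["action"] == "REJECT":
            rejects[(rec["srcaddr"], rec["dstport"])] += 1
    return rejects


# Constructed CloudTrail records (the "Records" array of one log file).
CLOUDTRAIL_RECORDS = json.loads("""{"Records": [
 {"eventTime": "2016-02-09T10:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAEXAMPLEALICE1"},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
 {"eventTime": "2016-02-09T10:05:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "errorCode": "AuthFailure",
  "errorMessage": "AWS was not able to validate the provided access credentials",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAOLDKEY000"}},
 {"eventTime": "2016-02-09T10:06:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/web/i-0aa"}}
]}""")["Records"]

# Assumption: error codes CloudTrail records when a request's credentials
# fail validation. The exact code depends on the service that was called.
AUTH_FAILURE_CODES = {"AuthFailure", "InvalidClientTokenId", "UnrecognizedClientException"}


def who_deleted_instances(records):
    """Answer 'who deleted my instances?': (time, principal, instance ids)."""
    hits = []
    for ev in records:
        if ev.get("eventName") != "TerminateInstances":
            continue
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn") or ident.get("type")
        items = ev.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        hits.append((ev["eventTime"], who, [i["instanceId"] for i in items]))
    return hits


def stale_key_attempts(records):
    """Answer 'who is asking for old or deleted keys?': access key ids whose
    requests failed credential validation, with attempt counts."""
    keys = Counter()
    for ev in records:
        if ev.get("errorCode") in AUTH_FAILURE_CODES:
            keys[ev.get("userIdentity", {}).get("accessKeyId", "<none>")] += 1
    return keys
```

Point `parse_flow_logs` at lines pulled from CloudWatch Logs and the CloudTrail functions at the decompressed `Records` array from S3 and the same code answers the slide's questions on real data.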
Tools of our Trade
1. Web Application Firewalls: Fortiweb, Sophos, AWS WAF
2. IDS: Snort
3. Monitoring: Splunk, Elasticsearch, Sensu, Palerra, Sumo Logic
4. Vulnerability Scanning: Nessus, Retina, OpenVAS
5. Web Application Scanning: Acunetix, Nessus
6. Compliance: OpenSCAP
7. QA/Code Quality: SonarQube
8. Static Code Scanning: Checkmarx
9. Security Operations Center: OpenSOC
Compliance
Documents and their descriptions:
• Basic Security Policy: This document provides a basic set of high-level security policies that allow a client to state that they have a security policy in place, which can serve as an initial baseline.
• Assessment Plan: This is a checklist security assessment, basically a self-assessment with questions asked by an experienced Information Assurance Analyst to demonstrate understanding and maturity of cybersecurity posture.
• High Level Security Assessment Report: A Security Assessment Report (SAR) that summarizes the scope, approach, and high-level findings.
• Vulnerability and Penetration Testing: Automated scans with basic parameters, with auto-generated reports provided. This includes working with the technology team to perform a test to ensure that any technical remediations that have been applied adequately addressed the vulnerabilities found.
• Attestation Letter: Generally speaking, an external third party should be engaged to execute the assessment and asked to provide an attestation letter that describes the nature of the assessment, findings and remediation conducted.
A questionnaire coming soon…
Reference Links
- SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior To Breach: https://www.sec.gov/news/pressrelease/2015-202.html
- Dental Practice Software Provider Settles FTC Charges It Misled Customers About Encryption of Patient Data: https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-software-provider-settles-ftc-charges-it-misled
- FTC has power to police cyber security: appeals court: http://www.reuters.com/article/us-wyndham-ftc-cybersecurity-idUSKCN0QT1UP20150824
- Contractor breach gave hackers keys to OPM data: http://www.federaltimes.com/story/government/omr/opm-cyber-report/2015/06/23/keypoint-usis-opm-breach/28977277/
- Great security blog: http://krebsonsecurity.com/
Questions?
Gaurav “GP” Pal
Founder
www.stackArmor.com
Email: gpal@stackarmor.com