BUILDING SECURE SOLUTIONS IN AWS
Stephanie Tayengco, CIO
Logicworks | www.logicworks.com
About Logicworks
We are a global leader in cloud consulting and managed
services with 20+ years of experience in enterprise IT.
- Alert Logic Premier Partner
- AWS Premier Partner, Audited Managed Service Partner
- Leader in 2017 Gartner Magic Quadrant for Public Cloud MSPs
Cloud Strategy | Private Cloud | Cloud Security | Public Cloud
AWS Shared Responsibility Model (Recap)

CUSTOMER: responsible for security “in” the cloud
- Customer Data
- Platform, Applications, Access Management
- Operating System, Network, and Firewall Configuration
- Encryption, Network Traffic Protection

AWS: responsible for security “of” the cloud
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones
AWS Security by Design Approach
- Phase 1: Identify Requirements
- Phase 2: Build a “Secure Environment”
- Phase 3: Enforce Use of Templates
- Phase 4: Perform Validation Activities
Phase 1: Identify Requirements
• Document requirements
• Map AWS’ and your controls
• Decide what security rules you want to enforce in the environment
• Get GRC/security team involved at the beginning
• Plan how you will perform security-related operational tasks
AWS Shared Responsibility Model (Recap), with the CUSTOMER layers highlighted: Customer Data; Platform, Applications, Access Management; Operating System, Network, and Firewall Configuration; Encryption, Network Traffic Protection.
Phase 2: Build a “Secure Environment”
• Reference Architectures
  o Understand patterns/anti-patterns & security templates
• Things to keep in mind:
  o Access Management
  o Network Segmentation
  o Resource Constraints & Monitoring
  o Encryption
• Enforce requirements with automation
• Take advantage of security built into AWS services
Phase 2: AWS CloudFormation Fundamentals
• Build network foundation
• Configure gateways and access points
• Install management services, like Puppet
• Allocate Amazon S3 buckets
• Attach encrypted volumes
• Control and manage access through IAM
• Register DNS names with Amazon Route 53
• Configure log shipping and retention
Phase 2: AWS CloudFormation Fundamentals
Layered Architecture (figure): separate QA, Stage and Production stacks, each built from various substacks (Security Groups, ASGs, Instances, ELBs).
Phase 2: AWS CloudFormation Fundamentals
Service Oriented Architecture (figure): stacks split by concern, with IAM as a global resource; Networks (VPCs, routes, subnets, etc.); Security Groups; Instances, ASGs, ELBs, etc.
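The CloudFormation fundamentals above list the controls a template has to carry but not how to verify that a given template actually carries them before it is launched. The following is an added example, not code from the slides, from Logicworks or from AWS: a stdlib-only Python checker that walks a CloudFormation template in JSON form and reports resources violating the Phase 2 fundamentals (unencrypted EBS volumes, S3 buckets without default encryption or public-access blocking, log groups with no retention, security groups exposing management ports to the whole internet, and IAM policies allowing every action on every resource). The embedded template, its logical ids and its values are constructed for this demonstration.

```python
"""Static security checks over a CloudFormation template (JSON form).

Added example, not Logicworks' or AWS' code. The rules mirror the Phase 2
fundamentals on the slide: encrypted volumes, S3 buckets, IAM access and
log retention, plus the security-group hygiene a network foundation needs.
The template below is constructed for this demo.
"""
from typing import Dict, List

# Constructed sample: each resource type appears once compliant and once
# non-compliant so that every rule is exercised.
SAMPLE_TEMPLATE: Dict = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": True}},
        "ScratchVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "Size": 20, "AvailabilityZone": "us-east-1a"}},
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "BlockPublicPolicy": True,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
        "AssetBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "AppLogs": {"Type": "AWS::Logs::LogGroup",
                    "Properties": {"RetentionInDays": 365}},
        "DebugLogs": {"Type": "AWS::Logs::LogGroup", "Properties": {}},
        "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "AdminPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
            "PolicyName": "admin", "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    },
}

MGMT_PORTS = {22, 3389}              # must never be reachable from the whole internet
ANYWHERE = {"0.0.0.0/0", "::/0"}
PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")


def _as_list(value) -> List:
    """IAM documents allow a bare string wherever a list is legal."""
    return value if isinstance(value, list) else [value]


def check_template(template: Dict) -> List[str]:
    """Return one finding per violated rule, each tagged with the logical id."""
    findings: List[str] = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if rtype == "AWS::EC2::Volume" and props.get("Encrypted") is not True:
            findings.append(f"{name}: EBS volume is not encrypted")
        elif rtype == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append(f"{name}: S3 bucket has no default encryption")
            pab = props.get("PublicAccessBlockConfiguration") or {}
            if not all(pab.get(k) is True for k in PAB_KEYS):
                findings.append(f"{name}: S3 bucket does not block public access")
        elif rtype == "AWS::Logs::LogGroup" and "RetentionInDays" not in props:
            findings.append(f"{name}: log group has no retention period")
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr not in ANYWHERE:
                    continue  # rule is scoped to a specific network
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
                exposed = sorted(p for p in MGMT_PORTS if lo <= p <= hi)
                if exposed or rule.get("IpProtocol") == "-1":
                    findings.append(f"{name}: ingress from {cidr} reaches "
                                    f"management port(s) {exposed or 'all'}")
        elif rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            doc = props.get("PolicyDocument") or {}
            for stmt in _as_list(doc.get("Statement", [])):
                if (stmt.get("Effect") == "Allow"
                        and "*" in _as_list(stmt.get("Action", []))
                        and "*" in _as_list(stmt.get("Resource", []))):
                    findings.append(f"{name}: IAM policy allows every action on every resource")
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print("FAIL", finding)
```

Run this in the pipeline that publishes templates, so a violation blocks the template before it reaches the Service Catalog; each finding names the logical resource id, so the fix lands in the template rather than on a live instance.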
Phase 2: Configuration Management
The goal of configuration management is to create and maintain system configurations.
• “One-Two Punch” to configure the environment
• Every instance gets configured in the same way
• Encourages the adoption of evolving security standards
• Ability to enforce state
• New tools from AWS SSM
Phase 2: Build Process
Every instance follows the same process.
No “snowflake” systems.
Phase 3: Enforce the Use of Templates
• Enable agility but decrease risk
• Use AWS Service Catalog
• Appropriate access controls to make sure only approved IT assets are launched
Phase 3: AWS Service Catalog
Phase 4: Perform Validation Activities
• Enable the right monitoring
  o AWS CloudTrail
  o AWS Config
• Analyze your security data at scale
• Automation-enabled audit evidence
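Phase 4 names CloudTrail as a monitoring source and asks for analysis of security data at scale with automation producing the audit evidence. As an added example that is not from the slides, from Logicworks or from AWS, the Python below applies four detection rules to CloudTrail records in the shape of a CloudTrail log file (`{"Records": [...]}`) and rolls the hits up into per-control counts. The records, account id, ARNs and resource ids are constructed; the rule set (direct root use, console login without MFA, security-group ingress opened to 0.0.0.0/0, changes to the trail itself) is a starting point, not a complete baseline.

```python
"""Detection rules over CloudTrail records, as Phase 4 validation.

Added example (not from the slides, Logicworks or AWS). Records are
constructed in the CloudTrail log-file shape with hypothetical account
ids, ARNs and resource ids.
"""
import json
from collections import Counter
from typing import Callable, Dict, List, Optional

# Constructed log file: a benign MFA login, a root login without MFA, a
# world-open security-group change, a stopped trail, and a normal RunInstances.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2017-06-01T12:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "Yes"},
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2017-06-01T12:05:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"},
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2017-06-01T12:10:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
   {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2017-06-01T12:15:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
  "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}},
 {"eventTime": "2017-06-01T12:20:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "userIdentity": {"type": "AssumedRole",
  "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"}}
]}"""
SAMPLE_RECORDS: List[Dict] = json.loads(SAMPLE_LOG)["Records"]

Rule = Callable[[Dict], Optional[str]]  # returns a reason, or None when clean

def root_activity(ev: Dict) -> Optional[str]:
    # Root should be locked away; any direct use deserves a ticket.
    ident = ev.get("userIdentity", {})
    if ident.get("type") == "Root" and not ident.get("invokedBy"):
        return "root account used directly"
    return None

def console_login_without_mfa(ev: Dict) -> Optional[str]:
    if (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "successful console login without MFA"
    return None

def world_open_ingress(ev: Dict) -> Optional[str]:
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = ev.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return (f"{params.get('groupId')} opened {perm.get('ipProtocol')} "
                        f"{perm.get('fromPort')}-{perm.get('toPort')} to 0.0.0.0/0")
    return None

def trail_tampering(ev: Dict) -> Optional[str]:
    # Changes to the trail itself undermine every other piece of evidence.
    if (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"}):
        return f"{ev['eventName']} on {ev.get('requestParameters', {}).get('name')}"
    return None

RULES: List[Rule] = [root_activity, console_login_without_mfa,
                     world_open_ingress, trail_tampering]

def analyze(records: List[Dict]) -> List[Dict]:
    """Apply every rule to every record; one finding per (record, rule) hit."""
    findings = []
    for ev in records:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                findings.append({"time": ev.get("eventTime"), "event": ev.get("eventName"),
                                 "actor": ev.get("userIdentity", {}).get("arn"),
                                 "rule": rule.__name__, "detail": reason})
    return findings

def evidence_summary(findings: List[Dict]) -> Dict[str, int]:
    """Hits per control: the number an auditor wants next to each rule."""
    return dict(Counter(f["rule"] for f in findings))

if __name__ == "__main__":
    hits = analyze(SAMPLE_RECORDS)
    for h in hits:
        print(h["time"], h["rule"], h["actor"], h["detail"])
    print(evidence_summary(hits))
```

Each rule is a plain function from one record to a reason string, so new controls are added by appending to `RULES`; the summary gives the per-control counts that a compliance review asks for, while the individual findings carry the time, actor and event needed to follow up.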
3 Key Takeaways
1) Better planning, no ad hoc environments that lead to an unknown risk profile.
2) Get from heavyweight manpower & repeated tasks to software orchestrating security.
3) Overwhelmed? Start with configuration management.

OLD WORLD: Throw people and money at security.
• More hardware
• More engineers
• More complex processes

AWS CLOUD: Develop software to orchestrate security.
• Automated controls
• Repeatable templates
• Less manual work
References
• AWS Security by Design Whitepaper
- https://d0.awsstatic.com/whitepapers/compliance/Intro_to_Security_by_Design.pdf
• AWS Security Whitepaper
- https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
• AWS Quick Start Guides
- https://aws.amazon.com/quickstart/
• Continuous Compliance on AWS eBook
- http://go.logicworks.net/aws-continuous-compliance
• DevOps on AWS eBook
- http://go.logicworks.net/devops-on-aws-cloud-ebook
• Security on AWS Case Studies
- http://www.logicworks.com/about-us/#our-customers
• Log Management Best Practices
- https://www.alertlogic.com/resources/whitepapers/log-management-best-practices/
Thank you.
CSS 17: NYC - Building Secure Solutions in AWS

  • 1. BUILDING SECURE SOLUTIONS IN AWS Stephanie Tayengco, CIO Logicworks | www.logicworks.com
  • 2. About Logicworks We are a global leader in cloud consulting and managed services with 20+ years of experience in enterprise IT. - Alert Logic Premier Partner - AWS Premier Partner, Audited Managed Service Partner - Leader in 2017 Gartner Magic Quadrant for Public Cloud MSPs Cloud Strategy Private Cloud Cloud SecurityPublic Cloud
  • 3. NetworkingStorageCompute Customer Data Platform Management Access Management Applications Operating System, Network, and Firewall Configuration Encryption, Network Traffic Protection Database AWS Global Infrastructure Regions, Availability Zones AWS Foundation Services AWS Shared Responsibility Model (Recap) CUSTOMERAWS Responsible for security “in” the cloud Responsible for security “of” the cloud
  • 4. AWS Security by Design Approach Identify Requirements Build a “Secure Environment” Enforce Use of Templates Perform Validation Activities PHASE 1 PHASE 2 PHASE 3 PHASE 4
  • 5. Phase 1: Identify Requirements • Document requirements • Map AWS’ and your controls • Decide what security rules you want to enforce in the environment • Get GRC/security team involved at the beginning • Plan how you will perform security-related operational tasks
  • 6. NetworkingStorageCompute Customer Data Platform Management Access Management Applications Operating System, Network, and Firewall Configuration Encryption, Network Traffic Protection Database AWS Global Infrastructure Regions, Availability Zones AWS Foundation Services AWS Shared Responsibility Model (Recap) CUSTOMER
  • 7. Phase 2: Build a “Secure Environment” • Reference Architectures o Understand pattern/anti-patterns & security templates • Things to keep in mind: o Access Management o Network Segmentation o Resource Constraints & Monitoring o Encryption • Enforce requirements with automation • Take advantage of security built into AWS services
  • 8. Phase 2: AWS CloudFormation Fundamentals • Build network foundation • Configure gateways and access points • Install management services, like Puppet • Allocate Amazon S3 buckets • Attach encrypted volumes • Control and manage access though IAM • Register DNS names with Amazon Route 53 • Configure log shipping and retention
  • 9. Phase 2: AWS CloudFormation Fundamentals QA Stage Production ASGs Security Groups Layered Architecture Instances ELBs Various Substacks
  • 10. Phase 2: AWS CloudFormation Fundamentals Instances, ASGs, ELBs, etc. Service Oriented Architecture Networks (VPCs, routes, subnets, etc.) Security Groups IAM (Global Resource)
  • 11. Phase 2: Configuration Management The goal of configuration management is to create and maintain system configurations. • “One-Two Punch” to configure environment • Every instance gets configured in same way • Encourages the adoption of evolving security standards • Ability to enforce state • New tools from AWS SSM
  • 12. Phase 2: Build Process Every instance follows the same process. No “snowflake” systems.
  • 13. Phase 3: Enforce the Use of Templates • Enable agility but decrease risk • Use AWS Service Catalog • Appropriate access controls to make sure only approved IT assets are launched
  • 14. Phase 3: AWS Service Catalog
  • 15. Phase 4: Perform Validation Activities • Enable the right monitoring o AWS CloudTrail o AWS Config • Analyze your security data at scale • Automation enabled audit evidence AWS CloudTrail AWS Config
  • 16. 3 Key Takeaways 1) Better planning, no ad hoc environments that lead to an unknown risk profile. 2) Get from heavyweight manpower & repeated tasks to software orchestrating security. 3) Overwhelmed? Start with configuration management. Throw people and money at security. • More hardware • More engineers • More complex processes Develop software to orchestrate security. • Automated controls • Repeatable templates • Less manual work OLD WORLD AWS CLOUD
  • 17. References • AWS Security by Design Whitepaper - https://d0.awsstatic.com/whitepapers/compliance/Intro_to_Security_by_Design.pdf • AWS Security Whitepaper - https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf • AWS Quick Start Guides - https://aws.amazon.com/quickstart/ • Continuous Compliance on AWS eBook - http://go.logicworks.net/aws-continuous-compliance • DevOps on AWS eBook - http://go.logicworks.net/devops-on-aws-cloud-ebook • Security on AWS Case Studies - http://www.logicworks.com/about-us/#our-customers • Log Management Best Practices - https://www.alertlogic.com/resources/whitepapers/log-management-best-practices/