5. Security and Business Value
Security as a “Feature”:
• Qualitative measure: either secure or
insecure
• No added end user value
Objective Reality:
• Small or shrinking budgets
• Threat vectors and agents rising in
number and sophistication
Challenge:
How do we justify the cost of security?
6. Cost of Security in the Cloud
                                                   CapEx   OpEx
Technology (Physical Security, Infrastructure,
  Power, Networking)                                 -       -
Processes (standards, procedures, guidelines,
  assurance, compliance)                             -       -
People (hire, upskill, compensate, train, manage)    -       -
Infrastructure secure & compliant at no extra cost
7. Cloud Security Principles Compliance
o Issued 1 Apr 2014 by the CESG
o They replace the Business Impact Levels model (BIL: IL1-IL5+)
o Distributed certification model
o Risk-based approach: suitability for purpose
o New protective marking mechanisms
o AWS Whitepaper Available
8. Cyber Essentials Plus Compliance in Dublin
Cyber Essentials Plus is a UK Government-
backed, industry-supported certification
scheme that helps organisations demonstrate
security against common cyber attacks.
The ‘Plus’ scheme benefits from independent
testing and validation compared to the
baseline ‘Cyber Essentials’ scheme that is
self-attested.
10. AWS Security Tools
AWS Trusted Advisor: Periodic evaluation of alignment with AWS Best Practices. Not just security-related.
AWS Config Rules: Create rules that govern configuration of your AWS resources. Continuous evaluation.
Amazon Inspector: Security insights into your applications. Runs on EC2 instances; on-demand scans.
AWS Compliance: AWS is responsible for security of the cloud; the customer for security in the cloud.
13. Security by Design - SbD
• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing
• Provides control insights throughout the IT management process
Services shown: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
14. GoldBase - Scripting your governance policy
Set of CloudFormation Templates & Reference Architectures that accelerate
compliance with PCI, EU Personal Data Protection, HIPAA, FFIEC, FISMA, CJIS
Result: Reliable technical implementation of administrative controls
15. What is Inspector?
• Application security assessment
• Selectable built-in rules
• Security findings
• Guidance and management
• Automatable via APIs
16. Rule packages
• CVE (common vulnerabilities and exposures)
• Network security best practices
• Authentication best practices
• Operating system security best practices
• Application security best practices
• PCI DSS 3.0 readiness
18. What is AWS WAF?
[Diagram: Application DDoS. Good users and bad guys send requests to a web server and database, with AWS WAF in front.]
AWS WAF rules:
1: BLOCK requests from bad guys.
2: ALLOW requests from good guys.
Types of conditions in rules:
1: Source IP/range
2: String Match
3: SQL Injection
19. s2n – AWS Implementation of TLS
• Small:
  • ~6,000 lines of code, all audited
  • ~80% less memory consumed
• Fast:
  • 12% faster
• Simple:
  • Avoid rarely used options/extensions
21. Certification & Education
• Security Fundamentals on AWS
  • free, online course for security auditors and analysts
• Security Operations on AWS
  • 3-day class for security engineers, architects, analysts, and auditors
• AWS Certification
  • Security is part of all AWS exams
23. Prepare
o AWS Security Solutions Architects
o AWS Professional Services
o AWS Secure by Design & Gold Base
o AWS Security Best Practices
o Partner Professional Services
o AWS Training and Certification
o Understand Compliance Requirements
24. Prevent
o Use IAM – consider MFA, roles, federation, SSO
o Implement Amazon WAF
o Leverage s2n for secure TLS connections
o Implement Config Rules to enforce compliance
o Implement Amazon Inspector to identify vulnerabilities early on
25. Detect
o CloudTrail enabled across all accounts and services
o Consider Config & Config Rules logs
o Inspector can be used as a detective tool
o Trusted Advisor goes beyond just security
o Use CloudWatch Logs
o VPC Flow Logs give insight into intended and unintended communication taking place in your VPC
o Do look at partner log management and security monitoring solutions
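As an added illustration of the VPC Flow Logs point (example code, not part of the slides), the script below triages constructed flow-log lines in the default version 2 format, flagging REJECTed flows and ACCEPTed egress to ports the workload is not expected to use. The port allowlist and the 10.0.0.0/8 "internal" prefix are assumptions for the example.

```python
from collections import Counter

# Constructed sample lines in the default VPC Flow Log (version 2) format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.20 49152 443 6 12 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.9 40000 9001 6 8 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.21 40001 3306 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumptions for this example: the workload is expected to talk only to these
# destination ports, and 10.0.0.0/8 is the VPC's internal address space.
EXPECTED_DST_PORTS = {443, 3306}
INTERNAL_PREFIX = "10."

def parse_flow_log(text):
    """Parse version-2 flow log lines into dicts, skipping NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom format we do not handle
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no flow fields to inspect
        rec["dstport"] = int(rec["dstport"])
        records.append(rec)
    return records

def triage(records):
    """Flag REJECTed flows and ACCEPTed egress to unexpected external ports."""
    findings = []
    for r in records:
        if r["action"] == "REJECT":
            findings.append(("rejected", r["srcaddr"], r["dstaddr"], r["dstport"]))
        elif (not r["dstaddr"].startswith(INTERNAL_PREFIX)
              and r["dstport"] not in EXPECTED_DST_PORTS):
            findings.append(("unexpected_egress", r["srcaddr"], r["dstaddr"], r["dstport"]))
    return findings

def summarize(findings):
    """Count findings by kind, e.g. to feed a CloudWatch metric or a daily report."""
    return Counter(kind for kind, *_ in findings)
```

On the sample above, the SSH attempt from 203.0.113.7 shows up as a rejected flow and the accepted connection to 198.51.100.9 on port 9001 as unexpected egress; the two internal flows on 443 and 3306 are left alone.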
26. Respond
o Be Prepared:
  o Develop, acquire or hire Security Incident Response capabilities
  o Test preparedness via game days
o Automated response and containment is always better than manual response
o AWS supports forensic investigations
o Leverage AWS Support for best results
o Talk to our security partners