Ready to innovate on AWS, but want security that’s just as agile? In this webinar AWS, Barracuda Networks, and Securosis will show you leading-edge application security techniques for creating secure application environments, embedding security into continuous deployment, and scaling security to perfectly fit your operations. You will see the power of automating security on AWS with practical, hands-on examples. Harness the power of cloud and DevOps for security that leaves traditional infrastructures behind.
Barracuda, AWS & Securosis: Application Security for the Cloud
1. Barracuda, AWS & Securosis: Application Security for the Cloud
2. Today’s Presenters
Nick Matthews, Solutions Architect, AWS
Rich Mogull, Analyst & CEO, Securosis
Tushar Richabadas, Product Manager, Barracuda
3. Today’s Agenda
• Security on AWS
• Web Application Security for the Cloud Age
• Barracuda WAF on AWS product overview & demo
• Q&A/Discussion
4. Learning Objectives
• Challenges of app security when moving to the cloud
• Methods for securing web, mobile, and API-based applications
• Live demo of the Barracuda WAF securing an AWS app
6. Familiar Security Model
Security is Job Zero
• Validated and driven by customers’ security experts
• Benefits all customers
Layers: People & Process, System, Network, Physical
7. AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS Foundation Services: Compute, Storage, Database, Networking
You get to define your controls ON the Cloud:
• Customer applications & content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption
8. Moving from DevOps to DevSecOps
The challenge: How to integrate security into DevOps workloads so that developers can focus on application development without worrying about online attacks.
DevOps + Security = DevSecOps
10. Little. Cloudy. Different.
• Cloud can be more secure than traditional datacenters.
• The economics are in your favor.
• Cloud architectures can wipe out some traditional security headaches.
• This isn’t theory, it’s being done today.
• But only if you understand how to leverage the cloud.
• We can use this to dramatically improve web application security.
11. You get one chance
• For clients to use a cloud provider, they must trust the provider.
• This is especially true for anything with sensitive data or processes.
• Thus security has to be a top priority for a provider or you won’t use them.
• A major breach for a provider that affects multiple customers is an existential event.
12. Automating Security
• Security tools and testing are typically added after the fact
• And, often, manually
• Dev and Ops just hate it when security tool changes or updates break “functionality”
• Even when said functionality is a security issue
• DevOps + Cloud = Immutable = Security Automation and Integration
14. Segregation is critical but hard
• Segregating networks in a data center is hard, expensive, and often unwieldy.
• It’s hard to isolate application services on physical machines.
• Even using virtual machines has a lot of management overhead.
• Attackers drop in and move North/South in application stacks, and East/West on networks (or both).
16. To a host or network…
[Diagram: the segregation stack, Account > Virtual Network > Subnet > Security Group, with “Boom” marking a compromised host inside one security group.]
18. Or an entire “data center”
[Diagram: three separate accounts, each with its own virtual networks, subnets and security groups.]
19. Or an entire “data center”
[Diagram: the same three accounts, with “Boom” marking a compromise confined to one account.]
21. The Power of Immutable
• Instead of updating, you completely replace infrastructure through automation.
• Can apply to a single server, up to an entire application stack.
• Incredibly resilient and secure. Think “servers without logins.”
Image from: http://tourismplacesworld.blogspot.com/2012/07/uluru.html
37. How immutable works: Auto scaling
[Diagram: a Load Balancer in front of an Auto Scale Group of instances a, b and c; vulnerable instances are replaced by instances launched from a patched image rather than patched in place.]
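The replacement the diagram shows is a scheduling problem: terminate the instances still running the old image without ever dropping below the group’s minimum capacity. The following is an added example, not code from the deck or from AWS. It works on the `Instances` list in the shape boto3’s `describe_auto_scaling_groups()` returns and plans the terminations; the instance IDs, launch configuration names and capacities are constructed sample data, and the batching rule (headroom above `min_size`) is an assumption of the example.

```python
"""Plan an immutable replacement of the instances in an Auto Scaling group.

Added example; not code from the Barracuda/AWS/Securosis deck. Instances not
launched from the current launch configuration (the patched AMI) are
terminated in batches so that healthy capacity never drops below min_size
while Auto Scaling launches replacements from the current configuration.
"""

CURRENT_LC = "lc-app-v2"   # launch configuration built from the patched AMI (assumed name)

# Constructed sample, same shape as
# describe_auto_scaling_groups()["AutoScalingGroups"][0]["Instances"]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0a", "LaunchConfigurationName": "lc-app-v1",
     "HealthStatus": "Healthy", "LifecycleState": "InService"},
    {"InstanceId": "i-0b", "LaunchConfigurationName": "lc-app-v1",
     "HealthStatus": "Healthy", "LifecycleState": "InService"},
    {"InstanceId": "i-0c", "LaunchConfigurationName": "lc-app-v2",
     "HealthStatus": "Healthy", "LifecycleState": "InService"},
    {"InstanceId": "i-0d", "LaunchConfigurationName": "lc-app-v1",
     "HealthStatus": "Unhealthy", "LifecycleState": "InService"},
]


def stale_instances(instances, current_lc):
    """IDs of instances not launched from the current launch configuration."""
    return [i["InstanceId"] for i in instances
            if i.get("LaunchConfigurationName") != current_lc]


def healthy_in_service(instances):
    """IDs of instances that currently count towards serving capacity."""
    return [i["InstanceId"] for i in instances
            if i["HealthStatus"] == "Healthy" and i["LifecycleState"] == "InService"]


def plan_replacement(instances, current_lc, min_size):
    """Return (scale_out, batches).

    scale_out: extra capacity to add first when there is no headroom above
               min_size (the new instances come up on current_lc).
    batches:   lists of instance IDs to terminate, one batch at a time,
               waiting for replacements to pass health checks in between.
    Unhealthy stale instances go first because they add no capacity;
    healthy stale ones are batched so the group never dips below min_size.
    """
    healthy = set(healthy_in_service(instances))
    stale = stale_instances(instances, current_lc)
    unhealthy_stale = [i for i in stale if i not in healthy]
    healthy_stale = [i for i in stale if i in healthy]

    scale_out = max(0, min_size + 1 - len(healthy))
    headroom = len(healthy) + scale_out - min_size   # always >= 1 by construction
    batches = [unhealthy_stale] if unhealthy_stale else []
    for start in range(0, len(healthy_stale), headroom):
        batches.append(healthy_stale[start:start + headroom])
    return scale_out, batches


if __name__ == "__main__":
    scale_out, batches = plan_replacement(SAMPLE_INSTANCES, CURRENT_LC, min_size=2)
    print("scale out by", scale_out)
    for n, batch in enumerate(batches, 1):
        print(f"batch {n}: terminate {batch}")
```

In a real run each batch would be followed by `terminate_instance_in_auto_scaling_group(ShouldDecrementDesiredCapacity=False)` and a wait for the replacements to become `InService` and `Healthy` before the next batch; nobody logs in to patch anything.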
38. Application Hardening Through Architecture and Automation
• Easier to deploy smaller services since you can right-fit both networks and hosts/containers
• Easier to isolate
• Can integrate PaaS for “network air gaps”
42. Web Application Security for the Cloud
• Cloud providers have massive economic incentives to be better at security than anyone else.
• In reality, we see this mostly in IaaS…SaaS can still be pretty messy.
• Cloud is not merely “virtual machines.”
• To get the security benefits you need to rethink how you do things and retool operations to be specific for not only cloud, but your cloud providers of preference.
• Architecture and automation are the keys!
• There are incredible opportunities to leverage the inherent characteristics of cloud platforms to improve security.
• From managing blast radius to eliminating unapproved infrastructure changes.
50. Architecture
Dev/QA/Prod Promotion:
• Scrub kickstart config for env
• Pull latest AMI into CFT
• Add to the App’s AWS Acct
• Grab configuration
• Audit vs. Central
• Validate exceptions
[Diagram, Promotion Process: the Developer works from an Amazon S3 Dev Bucket (Dev Config, Dev CFT); QA works from an Amazon S3 QA Bucket (QA Config, QA CFT); the Central Security Team owns an Amazon S3 Central Bucket holding central config backups. Flow labels: “Ready for QA, modified config” and “Rest API Call sends config”.]
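The “Audit vs. Central” and “Validate exceptions” steps are the ones that decide whether a config can be promoted, so here is an added example of that check; it is not code from the deck or from Barracuda, and the setting names, values, environment keys and exception records are assumptions made for the example. It scrubs the environment-specific parts of a pushed config, compares the rest with the central baseline, and accepts only differences covered by an approved exception valid for that environment.

```python
"""Audit a promoted WAF configuration against the central security baseline.

Added example; not code from the deck or from Barracuda. Setting names,
values and the exception record format are assumptions for the example.
"""
import copy

# Settings that legitimately differ per environment and are not audited (assumed)
ENV_SPECIFIC_KEYS = {"service_name", "vip", "backend_servers", "certificate"}

# Constructed sample: baseline owned by the central security team
CENTRAL_BASELINE = {
    "mode": "active",   # block attacks rather than only log them
    "request_limits": {"max_request_length": 1048576, "max_url_length": 4096},
    "attack_types": {"sqli": True, "xss": True, "os_command_injection": True},
    "cookie_security": {"tamper_proof": True, "http_only": True},
    "logging": {"access_log": True, "syslog_server": "10.0.0.10"},
}

# Constructed sample: what a developer pushed to the Dev bucket
DEV_CONFIG = {
    "service_name": "dev-shop-web",
    "vip": "10.1.2.3",
    "mode": "passive",  # blocking switched off "to stop breaking the app"
    "request_limits": {"max_request_length": 1048576, "max_url_length": 8192},
    "attack_types": {"sqli": True, "xss": True, "os_command_injection": True},
    "cookie_security": {"tamper_proof": True, "http_only": True},
    "logging": {"access_log": True, "syslog_server": "10.0.0.10"},
}

# Constructed sample: exceptions the security team has signed off on,
# keyed by dotted setting path and limited to named environments
APPROVED_EXCEPTIONS = [
    {"path": "request_limits.max_url_length", "value": 8192,
     "environments": ["dev", "qa"], "ticket": "SEC-123"},
]


def scrub(config, env_keys=ENV_SPECIFIC_KEYS):
    """Drop environment-specific keys so only security settings are compared."""
    return {k: copy.deepcopy(v) for k, v in config.items() if k not in env_keys}


def flatten(settings, prefix=""):
    """Turn nested dicts into {'dotted.path': value} for easy comparison."""
    flat = {}
    for key, value in settings.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def drift(baseline, candidate):
    """{path: (baseline_value, candidate_value)} for every setting that differs.

    A setting missing on either side shows up as None, so a dropped
    protection is reported rather than silently ignored.
    """
    base, cand = flatten(baseline), flatten(candidate)
    return {p: (base.get(p), cand.get(p))
            for p in sorted(set(base) | set(cand)) if base.get(p) != cand.get(p)}


def audit(candidate, env, baseline=CENTRAL_BASELINE, exceptions=APPROVED_EXCEPTIONS):
    """Split drift into exception-covered changes and violations.

    Returns {"approved": {...}, "violations": {...}, "promotable": bool};
    a config is promotable only when every difference has an approved
    exception valid for this environment and this exact value.
    """
    approved, violations = {}, {}
    for path, (expected, actual) in drift(baseline, scrub(candidate)).items():
        covered = any(e["path"] == path and e["value"] == actual
                      and env in e["environments"] for e in exceptions)
        (approved if covered else violations)[path] = (expected, actual)
    return {"approved": approved, "violations": violations,
            "promotable": not violations}


if __name__ == "__main__":
    for env in ("dev", "prod"):
        result = audit(DEV_CONFIG, env)
        print(env, "promotable:", result["promotable"])
        for path, (expected, actual) in result["violations"].items():
            print(f"  VIOLATION {path}: expected {expected!r}, got {actual!r}")
        for path, (expected, actual) in result["approved"].items():
            print(f"  approved  {path}: {expected!r} -> {actual!r}")
```

Exceptions are matched on the exact value and environment, so an exception granted for a larger URL limit in Dev and QA does not carry into Prod, and a developer flipping the WAF to passive mode is always a violation until someone approves it.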
51. Engineered for AWS deployments
[Diagram: inside a Virtual Private Cloud, an Elastic Load Balancer in front of an Auto-Scaling Group of Barracuda WAF instances (WAF Cluster), which forwards to a second Elastic Load Balancer in front of the application servers (Server 1 … Server N).]
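The ELB sandwich only contains a compromise if the security groups between the tiers actually enforce it, which is the segregation point of slides 14 to 19 as well as this reference architecture. The following added example (not code from the deck, AWS or Barracuda) checks a set of security groups, in the shape returned by boto3’s `describe_security_groups()`, against a tier policy: the internet may reach the external ELB, the external ELB the WAF group, the WAF group the internal ELB, and only the internal ELB the application servers. The group IDs, ports and sample rules are constructed for the example; the tier policy itself is an assumption about how such a deployment would be laid out.

```python
"""Check that security groups enforce the tiered ELB-sandwich design.

Added example; not code from the deck, AWS or Barracuda. Group IDs, ports
and the tier policy are assumptions made for the example.
"""

# Assumed tier policy: for each group, which source CIDRs and source groups
# may reach it, and on which TCP ports. Anything else is a finding.
TIER_POLICY = {
    "sg-ext-elb": {"cidrs": {"0.0.0.0/0"}, "groups": set(),          "ports": {443}},
    "sg-waf":     {"cidrs": set(),         "groups": {"sg-ext-elb"}, "ports": {80, 443}},
    "sg-int-elb": {"cidrs": set(),         "groups": {"sg-waf"},     "ports": {80}},
    "sg-app":     {"cidrs": set(),         "groups": {"sg-int-elb"}, "ports": {8080}},
}

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"]
SAMPLE_GROUPS = [
    {"GroupId": "sg-ext-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-waf", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-ext-elb"}]},
        # East/West hole: app servers can reach the WAF tier on every port
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-int-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-waf"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-int-elb"}]},
        # "Servers without logins" should not have SSH open to the internet
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]


def rule_ports(rule):
    """Set of ports a rule opens, or None when it opens every protocol and port."""
    if rule.get("IpProtocol") == "-1":
        return None
    return set(range(rule["FromPort"], rule["ToPort"] + 1))


def rule_sources(rule):
    """Every source a rule grants: ('cidr', '1.2.3.0/24') or ('group', 'sg-...')."""
    return ([("cidr", r["CidrIp"]) for r in rule.get("IpRanges", [])]
            + [("group", p["GroupId"]) for p in rule.get("UserIdGroupPairs", [])])


def check_tiers(groups, policy=TIER_POLICY):
    """Return one finding per (rule, source) that the tier policy does not allow."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        if gid not in policy:
            findings.append({"group": gid, "source": None,
                             "reasons": ["group not in tier policy"]})
            continue
        allowed = policy[gid]
        for rule in sg.get("IpPermissions", []):
            ports = rule_ports(rule)
            for kind, src in rule_sources(rule):
                reasons = []
                permitted = allowed["cidrs"] if kind == "cidr" else allowed["groups"]
                if src not in permitted:
                    reasons.append(f"{kind} {src} is not an allowed source")
                if ports is None:
                    reasons.append("rule opens all protocols and ports")
                elif not ports <= allowed["ports"]:
                    reasons.append(f"ports {sorted(ports - allowed['ports'])} not allowed")
                if reasons:
                    findings.append({"group": gid, "source": f"{kind}:{src}",
                                     "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_tiers(SAMPLE_GROUPS):
        print(f["group"], f["source"], "; ".join(f["reasons"]))
```

Run against the real account, the same check fed from `describe_security_groups()` is the “Inventory & Config” control from the shared-responsibility slide: every rule that is not an explicit tier-to-tier allowance is reported, including port ranges and `-1` (all traffic) rules from an otherwise legitimate source.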
52. All-in-One Application Security Platform
• Security & DDoS Protection
• Authentication & Access Control
• Load Balancing & Server Health Monitoring
• Session Persistence
• SSL & Performance Acceleration
• Logging & Reporting
At AWS security is a top priority.
We build our security program on many of the same tenets as you do. Our data centers are designed with the highest physical security requirements in mind, and access to those data centers is restricted to a very small number of individuals. In our data centers we have very strict segregation of duties to ensure that our data center technicians have only the most minimal access they need to do their jobs. In the same way you do, we lock down our network and systems, and have well-defined processes and people controls to make sure our data centers operate in an efficient and secure manner.
Our security measures have been driven by security experts from across our largest, most advanced customers, including Shell, NASDAQ, and GE, and have been validated by a wide range of security experts and accreditation bodies.
These organizations with very high security standards set the bar for AWS security, but the great thing about security in AWS is that everyone gets to benefit from the security controls that we have put in place. Whether you are a small startup, a mid sized enterprise, or the largest company you get to take advantage of the security controls that we have put in place to satisfy
<IF THE CUSTOMER ASKS ABOUT SPECIFIC CONTROLS WE HAVE IN PLACE, DIRECT THEM TOWARDS OUR SECURITY WHITEPAPER, RISK AND COMPLIANCE WHITEPAPER AND SOC 2 REPORTS THAT WE CAN MAKE AVAILABLE>
At AWS we have a shared security model, where we are responsible for some aspects of security, whereas you get to choose other security measures you put in place.
As AWS, we are responsible for the security of the underlying infrastructure. That of course includes physical security across our regions, our data centers, our availability zones and our edge locations. We are also responsible for the security of the foundation services that underpin the AWS environment. This includes the infrastructure that supports our compute, storage, database and networking services.
As a customer, then, you have a choice of what security controls you choose to deploy to protect your virtual networks, servers, your data and what access control policies you wish to put in place. For highly sensitive content and applications you may want to put very stringent controls in place. For less sensitive applications, you may want to dial security back – you get to choose.
Show the segregation stack- accounts, virtual network, subnets, instances (security groups)
Thank you Rich!
Good Morning folks! My name is Tushar and I’m the Product Manager for the Barracuda WAF and ADC for the public cloud.
Enabling DevSecOps
Security for web, mobile and API applications
Fits closely into the Continuous Deployment model:
Removes manual config in the deployment phase
CloudFormation and other deployment automation tools
Blue/green deployments, canary rollouts and dark launches
Build and push base config across deployments
Automate config audits for compliance
Support changes due to exception approvals
Different toolchains used in different departments
Three key things were crucial to helping this customer
Covers 98% of high-level risks for the organization, including OWASP Top 10
Cloud & Automation Ready, with Metered Billing
Quick overview – reference architecture
This shows you how the Barracuda WAF is deployed in your AWS environment – it’s placed using an ELB sandwich in your VPC in an autoscaling group.
Also, the Barracuda WAF holds the AWS Security Competency – this just means that our solution is prequalified by AWS as having been well architected to leverage AWS features.
The Barracuda WAF is a fully functional WAF, with OWASP Top 10 and lots of other powerful features. One to highlight is logging, since visibility is huge for the DevOps community.
Another thing to highlight is the remediation service – it closely aligns with our theme of helping to automate security.
BVRS enables application security testing at every stage
Automatically reconfigure the Barracuda WAF from the BVRS tool
Mitigate vulnerabilities & false positives well before UAT
Integrate with testing tools with upcoming BVRS API set
Find earlier, fix faster and deploy automatically!
We are laser focused on solving cloud problems – and we know that DevOps wants to move fast. So when innovating, we thought not just about product innovations, but also licensing.
Takes away the friction of BYOL and per-instance costs of PAYG
Allows you to deploy as many instances as you want
Easy billing: Pay per GB of data transfer across all the instances
This takes PAYG to the next level
You’re really only paying for what you use, and allows companies to go to the security everywhere approach.
Do away with the services VPC concept