This document discusses LifeLock's migration of workloads to AWS and their use of Symantec Cloud Workload Protection (CWP) for security. It provides an overview of CWP and how it provides visibility and protection for AWS and hybrid cloud workloads from a single console. It also summarizes LifeLock's experience using CWP for real-time file integrity monitoring during their migration, which provided seamless transition and improved compliance monitoring. Finally, it outlines additional CWP capabilities for container protection and how CWP can provide continuous improvement for cloud and container security.
2. Protect your Cloud Environment with AWS
Patrick McDowell, Solutions Architect, AWS
3. What is Driving AWS Adoption?
Urgent Need to Respond to Business Needs for:
Increased
Agility
Flexibility
Lower Costs and Transparency
More Capabilities
Go Global in Minutes
Remove Infrastructure Dependencies
Remove IT as a “Blocker” to Innovation
4. Compelling Events on the Journey
Figure axes: Value; Time
Stages: Discovery and Testing; Application-Based Projects; Cloud-First / Standardization; Business Transformation
Labels: Build applications to run in AWS cloud; Dev & Test / Startups; Production App Migration; “Cloud-First” Standardization / Mass Migration; Automation / Business Innovation Projects
Marker: Current State
5. Your Data and IP Are Your Most Valuable Assets
$6.53M: Average cost of a data breach (source: https://www.csid.com/resources/stats/data-breaches/)
56%: Increase in theft of hard intellectual property (source: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html)
70%: Of consumers indicated they’d avoid businesses following a security breach (source: https://www.csid.com/resources/stats/data-breaches/)
6. AWS Can Be More Secure than Your Existing Environment
A recent IDC report found that most customers can be more secure in AWS than in their on-premises environment. How?
Automating logging and monitoring
Simplifying resource access
Making it easy to encrypt properly
Enforcing strong authentication
8. Constantly Monitored
The AWS infrastructure is protected by extensive network and security monitoring systems:
Network access is monitored by AWS security managers daily
AWS CloudTrail lets you monitor and record all API calls
Amazon Inspector automatically assesses applications for vulnerabilities
9. Highly Available
The AWS infrastructure footprint helps protect your data from costly downtime:
44 Availability Zones in 16 regions for multi-synchronous geographic redundancy
Retain control of where your data resides for compliance with regulatory requirements
Mitigate the risk of DDoS attacks using services like Route 53
Dynamically grow to meet unforeseen demand using Auto Scaling
10. Integrated with Your Existing Resources
AWS enables you to improve your security using many of your existing tools and practices:
Integrate your existing Active Directory
Use dedicated connections as a secure, low-latency extension of your data center
Provide and manage your own encryption keys if you choose
13. Hybrid Cloud Data Center Evolution
Modern (Off-Premises); Traditional (On-Premises)
Physical; Private Cloud (SDDC); Managed Private Cloud; AWS Cloud
More Agility - Lower Cost - More Workloads per Server
14. Symantec Cloud Workload Protection
Protect AWS and Hybrid Cloud Workloads From a Single Console
Benefits:
Protect all workloads from a single cloud-based console
Automatic discovery and visibility of public cloud workloads
Elastic, cloud-native protection scales easily
Diagram labels: Symantec Cloud Workload Protection; DevOps / Security Admin; Physical Data Center; Private Cloud
15. How do I Know if Our Workloads Are Secure?
CISO, Cloud Security Architect
I need to know what workloads are running across my hybrid cloud, where they are, and if they’re protected.
Diagram labels: Mobile & Remote; HQ; Branch; DevOps/Test; AWS Regions; Unauthorized User; Private Cloud
16. Symantec CWP Provides: Visibility and Security for AWS and Hybrid Cloud Workloads from a Single Console
Continuous visibility of AWS and hybrid cloud workloads from a single console
Automatic discovery of software services on AWS workloads
Automatic identification of workload security postures
Real-time visibility into AWS infrastructure changes
Status labels: Agent Not Installed; Policy Not Applied; Protected
Discover and view security postures of workloads wherever they are
Shut down rogue instances to reduce attack surface
17. Shared Responsibility for Security
Security Analyst/Admin
I need to ensure security of our assets “IN” the cloud.
18. Symantec CWP Provides: Comprehensive Protection for All Types of AWS Workloads
Single Agent, Single Console
Traditional Workloads: General Purpose Computing; Long Lifespan; IT Managed
Cloud Workloads: Scalable Business Apps; Short Lifespan; Developer Managed
Controls: Anti-Malware; RT-FIM; App Control; OS Hardening; App Isolation
19. Symantec CWP Provides: Virtual Patching, Real-time Monitoring and Vulnerability Protection for AWS Workloads
Identify potential threats and apply security policies in the same view
Benefits:
Block advanced threats that target vulnerabilities (virtual patching)
Stop zero-day attacks
Prevent unauthorized changes
Identify suspicious behaviors
Block application-centric malware
20. Why “Lift and Shift” Approach to Security Fails
Traditional security solutions can’t keep up.
Disruptive Increase in Velocity and Scale of Workload Deployments
Chart axes: Velocity of Deployment; Scale of Deployment
Chart labels: Physical and Private Cloud Data Centers; AWS Cloud
Public cloud infrastructure is built and deployed as code
DevOps practitioners use continuous deployment workflows, increasing velocity – especially in container environments
Security controls must integrate into DevOps processes to support cloud elasticity
DevOps, SecDevOps
I need security that integrates with our DevOps workflows and scales automatically.
21. Symantec CWP Provides: Cloud-native Security that Integrates with AWS Infrastructure and DevOps Service Workflows for Rapid Deployment and Scalability
Security scales automatically with dynamic AWS infrastructure
Integration with AWS enables DevOps to build security directly into service deployment workflows
Flexible pay-for-use and annual subscription pricing models support agile business planning
Instances in auto-scaling group with policies applied
Complete instance mapping with real-time protection status
Automatic policy recommendations
22. Need to Secure Containers
Why are containers vulnerable?
High rate of change in container environments makes standard security best practices impossible
Varied images provide more points of entry
Direct access to the OS kernel creates a larger attack surface area
How are they attacked?
Real-world attacks use containers to get to the management framework or container host
Source: https://www.rsaconference.com/videos/orchestration-ownage-exploiting-container-centric-data-center-platforms
Diagram labels: Frameworks; Supporting Apps; Attack RCE; Kernel
23. Symantec CWP Provides: Security for Amazon EC2 Container Services
Visibility
Know security posture and suspicious activity
What container was online and what it was doing
Full monitoring of container activity including file integrity
Frictionless Security
Complete protection with no footprint in container
Enforce security controls without impacting agility
Containers and their applications cannot be used to take control of the infrastructure
Built for DevOps
Fully Instrumented for DevOps
ALL UI features have corresponding REST API
Full control of security controls applied
24. Symantec CWP Provides: CWP for Storage - Anti-malware for AWS S3 Storage (Coming Soon)
Superior Protection
Stop unknown threats with multi-layered protection
Advanced machine learning
Memory exploit mitigation
Intelligent threat cloud
and more
Seamless Scalability
Autoscaling security infrastructure of scanners required to protect storage based on load
Clean Pipes for Applications
Enable clean S3 storage
Near real-time S3 anti-malware scanning
Container adoption
Serverless solutions (AWS Lambda)
25. Symantec Cloud Workload Protection
Protect AWS and Hybrid Cloud Workloads From a Single Console
Benefits:
Protect all workloads from a single cloud-based console
Automatic discovery and visibility of public cloud workloads
Elastic, cloud-native protection scales easily
Diagram labels: Symantec Cloud Workload Protection; DevOps / Security Admin; Physical Data Center; Private Cloud
27. Usage of CWP: Real-Time File Integrity Monitoring (FIM)
Background
Datacenter move to AWS – Full Workload that included LOB services, internal workloads, consumer facing, and enterprise security solutions
Required no gaps of visibility and compliance controls – PCI compliance top priority
Support for Amazon Linux, RHEL, and Windows
28. Usage of CWP: Real-Time File Integrity Monitoring (FIM), Cont.
Solution
Symantec CWP offering with CWP Agents on AWS workloads & on-premises legacy infrastructure
Single CWP console to monitor and control hybrid workloads during the migration
Conduct Proof of Value (PoV) with CWP File Integrity Monitoring (FIM) capabilities and reporting
Results
Seamless transition from PoV to production environment with no downtime
Improved monitoring and compliance efficiency and performance of FIM in CWP
29. CWP Usage: Real-Time File Integrity Monitoring (RT-FIM)
LifeLock Hybrid Architecture Provides Visibility and Control
Seamless migration from Data Center to AWS
FIM Policy Enforcement - Provide visibility and compliance reporting of FIM activities
Agent support for Amazon Linux, RHEL, Windows, and CentOS
Protect against application vulnerabilities that could be exploited to attack infrastructure
Alerting and Notifications
Diagram labels: Symantec Cloud Workload Protection; CloudOps / Security Admin; Physical Data Center
30. Summary - Results and Benefits
Proof of Value Results
Automated installation and easy-to-deploy CWP Agents across the enterprise – required to support Amazon Linux workloads
No loss of coverage when migrating hosts to AWS
CWP provides pre-built policies to build on or customize based on requirements
Automated protection profiling based on workload – CWP recommends profiles to apply
Continuous visibility, discovery, and monitoring
Continuous visibility into threat and vulnerability scores for public cloud deployments
31. Summary - Results and Benefits
Continuous Improvement for Cloud & Container Protection
Container protection and discovery with Docker workloads
Enhanced policy enforcement and prevention through Real-time File Integrity Monitoring (FIM) to ensure compliance and auditing
AV included to scan Linux hosts in CWP
Micro-segmentation capabilities to enforce security policies and protect workloads
33. Find Out More
Cloud Workload Protection on AWS: go.Symantec.com/aws-cwp
Learn more about CWP: go.Symantec.com/cwp
More Symantec on AWS: aws.amazon.com/featured-partners/Symantec
Additional Resources:
Buy CWP on Marketplace
Free Trial through Symantec
CWP Help and Resources
What’s New in CWP
CWP Security Competency on AWS
Find out more on LifeLock: www.lifelock.com