Managing tightly-controlled user access in AWS is complex, and complexity leads to errors and sloppiness. There are six main reasons why this operational complexity is the biggest security threat to your AWS environment; Paul Campaniello of Cryptzone discusses them in this eBook.
2. Security is kind of a big deal…
We’ve all got them. Are we doing the right thing to secure them?
ON-PREMISES | IN THE CLOUD | HYBRID ENVIRONMENTS
3. And it’s no different in AWS
Managing tightly-controlled user access in AWS is too complex. It’s hard, and complexity leads to errors and sloppiness.
5. User access is IP-centric, and their IP addresses change
Predicting where those users are going to be when accessing your network is a very big challenge, and almost impossible if you have a mobile workforce. Think office to home, to mobile, to a coffee shop, to a plane…
6. Dynamic environments cause extra administrative burdens
As virtual machines and services within AWS are spun up, expanded or contracted, being able to dynamically allocate security policies to these resources becomes a real challenge.
7. Complexity leads to shortcuts
A lot of the time shortcuts are taken that compromise the security posture in the footprint of a particular environment.
8. Forced use of VPN connectivity to manage access control
And it can create performance issues for your end users and force unnecessary hops from environment to environment just to ensure that people are coming at the environment from appropriate locations.
If you’re at all into the networking space within your organization, you know that the use of VPNs is also not a trivial task.
9. Logging correlation complexities
All of this hopping around and all of these different technologies lead to logging correlation issues.
So when it comes to audit and compliance, you have a tremendously difficult task on your hands to correlate these logs and figure out who is doing what, who is accessing which application, what time of day and under what context they are doing it.
11. AWS Shared Responsibility Model
https://aws.amazon.com/compliance/shared-responsibility-model
AWS is responsible for this… AWS is responsible for security ‘of’ the cloud:
Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
12. And you’re responsible for this… The customer is responsible for security ‘in’ the cloud:
Customer Data
Platform, Apps, Identity & Access Management
OS, Network & Firewall Configuration
Client-Side Data Encryption & Data Integrity Authentication
Server-Side Encryption (File System and/or Data)
Network Traffic Protection (Encryption/Integrity/Identity)
13. Anything in the cloud is your responsibility
Anytime you take advantage of the resources and build virtual machines, deploy data into S3 buckets or use a feature like AWS Snowball to push data into the environment, security becomes your responsibility.
AWS gives you tools, but you have to implement them.
AWS’s responsibility ends with the physical components of the cloud…the data center, the servers, the storage.
You are responsible for everything that leverages those physical components – all the configured services, data, deployed applications. This includes network access security.
15. You can use Security Groups, but they introduce operational complexity with negative consequences.
16. We either give wide-open access and end up with this…
• No accountability/visibility
• Increased risk of security breaches
• Managing compliance is virtually impossible
20. Four users access the Amazon environment from a known source. Their public IP address is the known source, and the security groups are configured appropriately.
(figure: four users behind the known public IP 73.68.25.22124, allowed through the Security Groups)
21. The challenge is when users try to access from other locations.
(figure: users connecting from somewhere other than 73.68.25.22124 are no longer matched by the Security Groups)
25. A Software-Defined Perimeter gives every user on your network – whether an internal employee or a third-party working for you – an individualized perimeter around themselves and the network resources that they’re allowed to access.
27. Industry experts suggest using it
“Legacy, perimeter-based security models are ineffective against attacks. Security and risk pros must make security ubiquitous throughout the ecosystem.”
“It is easier and less costly to deploy than firewalls, VPN concentrators and other bolt-in technologies.”
“SDP enables organizations to provide people-centric, manageable, secure and agile access to networked systems.”
35. The person, their identity, the device they’re on, the network they’re connected to, and just about anything else you could think of to analyze before you allow access to resources on your network, is checked.
36. Once a person is authorized to view resources, everything else on the network becomes invisible.
38. Imagine a user wants to access the company’s ERP system
(figure: the user’s Digital Identity → AppGate → Managed Networks (Cloud, On-premises or Hybrid): Secured Email, ERP, CRM Group, File Share, Executive Files, Enterprise Finance, EXEC_SERVER, SharePoint)
40. We confirm it matches your policies before granting access.
(figure: Digital Identity → AppGate checks DEVICE, TIME, CUSTOM ATTRIBUTES, ANTI-VIRUS, LOCATION: OFFICE, APPLICATION PERMISSIONS)
41. We then create a dynamic Segment of One (1:1 firewall rule).
(figure: Digital Identity [DEVICE, TIME, CUSTOM ATTRIBUTES, ANTI-VIRUS, LOCATION: OFFICE, APPLICATION PERMISSIONS] → AppGate → ENCRYPTED & LOGGED → Managed Networks (Cloud, On-premises or Hybrid): Secured Email, ERP, CRM Group, File Share, Executive Files, Enterprise Finance, EXEC_SERVER, SharePoint)
42. And make everything else (the applications and the rest of the network) invisible to the user.
(figure: Digital Identity [DEVICE, TIME, CUSTOM ATTRIBUTES, ANTI-VIRUS, LOCATION: OFFICE, APPLICATION PERMISSIONS] → AppGate → ENCRYPTED & LOGGED → Managed Networks (Cloud, On-premises or Hybrid): only ERP is visible)
43. And if the user goes home and wants to continue working, AppGate automatically checks “user-context” again, and applies the correct “home-based” policy.
(figure: Digital Identity [DEVICE, TIME, CUSTOM ATTRIBUTES, ANTI-VIRUS, LOCATION: HOME, APPLICATION PERMISSIONS] → AppGate → ENCRYPTED & LOGGED → Managed Networks (Cloud, On-premises or Hybrid): ERP)
44. The result?
Locked-down secured access to AWS resources that is operationally simple to manage and maintain.
Let’s look at this more closely…
45. Current Model: AWS Security Groups
We all know about AWS Security Groups. The current Security Group model is complicated and unpredictable.
46. AWS Security Groups & AppGate (Current Model)
Using AppGate, there are multiple gateways, protecting multiple cloud providers with split functionality.
47. AWS Security Groups & AppGate (Current Model)
AppGate defines protected destinations, called Entitlements. An Entitlement protects simple IP addresses and ports, but also ranges of IP addresses and ports, AWS Tags and Values, as well as AWS Security Group names.
48. AWS Security Groups & AppGate (AppGate Model)
AppGate offers a new Security Model inside AWS, redefining the Security Group so that protected destinations allow traffic only from the AppGate Gateway, ensuring all users access those resources through the contextual controls provided by AppGate.
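A check for the redefined Security Group described above, as an added example that is not Cryptzone's code: it walks security group definitions in the shape `aws ec2 describe-security-groups` returns and flags every ingress source other than the gateway's own security group. The group IDs and CIDRs are constructed sample values.

```python
"""Audit of AWS security groups against the model above: a protected
destination should accept ingress only from the AppGate gateway's group.
Added example, not AppGate's code; the input mimics the shape of
`aws ec2 describe-security-groups` and all IDs and CIDRs are constructed."""
from ipaddress import ip_network

GATEWAY_SG = "sg-0fffffffffffffff9"  # constructed: the gateway's security group

SAMPLE_GROUPS = [  # constructed: one group still wide open, one locked down
    {"GroupId": "sg-0aaaaaaaaaaaaaaa1", "GroupName": "dev-project-servers",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbbbbbbbbbbbbbb2", "GroupName": "erp-servers",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": GATEWAY_SG}]}]},
]

def audit_group(group, gateway_sg=GATEWAY_SG):
    """Return (severity, group id, ports, source) for each non-gateway source."""
    findings = []
    for perm in group["IpPermissions"]:
        ports = f'{perm.get("FromPort", "all")}-{perm.get("ToPort", "all")}/{perm["IpProtocol"]}'
        for rng in perm.get("IpRanges", []):
            # A single host is a stale IP-centric rule; anything wider is worse.
            wide = ip_network(rng["CidrIp"]).num_addresses > 1
            findings.append(("HIGH" if wide else "MEDIUM", group["GroupId"], ports, rng["CidrIp"]))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != gateway_sg:
                findings.append(("MEDIUM", group["GroupId"], ports, pair["GroupId"]))
    return findings

def audit_all(groups, gateway_sg=GATEWAY_SG):
    return [f for g in groups for f in audit_group(g, gateway_sg)]

if __name__ == "__main__":
    for sev, sg, ports, src in audit_all(SAMPLE_GROUPS):
        print(f"{sev:6} {sg} {ports:12} open to {src}; expected only {GATEWAY_SG}")
```

Against real output, feed the `SecurityGroups` list from the CLI response in place of `SAMPLE_GROUPS`; the locked-down ERP group produces no findings, while the dev group is reported twice.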
49. AWS Security Groups & AppGate
Authentication Policy
• If users are on the corporate network, allow Single-Factor Authentication
• If users are not on the corporate network, require Multi-Factor Authentication
Device Policy
• Allow access if Anti-Virus is running
• Allow access if Device Firewall is enabled
• Allow access if OS patch level is current
Developer Access Policy
• Allow TCP access on port 22
• For all servers tagged Dev-Project
• If users are in group Development
Users are tied to the entitlements through Policies, where we can enforce contextual awareness before allowing specific users access to specific entitlements. This combination allows us to get very granular on who can access what and under what circumstances.
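The three policies above combined into one default-deny evaluation, as an added example written for this page rather than AppGate's own policy engine; the Context fields, the sample user and the tag values are assumptions.

```python
"""Default-deny evaluator for the three policies above (added example, not
AppGate's code): the Segment of One opens only when every policy passes.
The user contexts and server tags used here are constructed samples."""
from dataclasses import dataclass

@dataclass
class Context:
    user: str
    groups: frozenset
    on_corporate_network: bool
    mfa_completed: bool
    antivirus_running: bool
    firewall_enabled: bool
    os_patch_current: bool

def authentication_policy(ctx):
    # Single factor is enough on the corporate network; MFA everywhere else.
    if ctx.on_corporate_network or ctx.mfa_completed:
        return None
    return "MFA required off the corporate network"

def device_policy(ctx):
    checks = (("anti-virus running", ctx.antivirus_running),
              ("device firewall enabled", ctx.firewall_enabled),
              ("OS patch level current", ctx.os_patch_current))
    missing = [name for name, ok in checks if not ok]
    return "device posture: " + ", ".join(missing) if missing else None

def developer_entitlement(ctx, server_tags, proto, port):
    # TCP/22 to servers tagged Dev-Project, only for members of group Development.
    if "Development" not in ctx.groups:
        return "user not in group Development"
    if "Dev-Project" not in server_tags:
        return "server not tagged Dev-Project"
    if (proto, port) != ("tcp", 22):
        return f"{proto}/{port} is not an entitled service"
    return None

def evaluate(ctx, server_tags, proto="tcp", port=22):
    """Return (allowed, reasons); reasons names every policy that denied."""
    results = (authentication_policy(ctx), device_policy(ctx),
               developer_entitlement(ctx, server_tags, proto, port))
    reasons = [r for r in results if r]
    return (not reasons, reasons)

# Constructed sample: a developer working from a coffee shop who completed MFA.
SALLY = Context("sally.m", frozenset({"Development"}), on_corporate_network=False,
                mfa_completed=True, antivirus_running=True, firewall_enabled=True,
                os_patch_current=True)
```

`evaluate(SALLY, {"Dev-Project"})` grants SSH to a Dev-Project server, while the same user asking for port 3389, or a user whose device firewall is off, is denied with every failing policy listed.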
50. Because there is just one IP address, managing security just got easier. (AppGate Model)
51. AppGate from Cryptzone provides user control, operational agility and compliance
• Access policies across hybrid environments are consistent
• Access is tightly secured with a Segment of One
• Compliance reporting is easier and faster
• Operational agility is boosted
• DevOps can work faster
• Infrastructure changes are dynamically protected
52. AWS Security… Simplified!
User-centric security policies…because people are not IP addresses
(figure: Sally M, Developer, Project Eagle; Charlie S, DB Admin; Joe R, Developer, Project Hawk; a Consultant at a Coffee Shop; Enterprise Headquarters)
53. Learn more about AppGate
WEBINAR: AWS Security: Simplify, Scale, & Secure User Access
WHITEPAPER: The Zero Trust Model of Information Security (Forrester Report: No More Chewy Centers)
VIDEO: AppGate
54. FREE TRIAL | START NOW
Get access to a 15 day free trial on AWS marketplace.
Would you like to know more? GET IN TOUCH
Email: info@cryptzone.com
Twitter: @Cryptzone
LinkedIn: linkedin.com/company/cryptzone
Individual perimeters
Fine grained control
Contextual awareness
Simplified security group rules
Dynamic Adjustments based on Tags or Security Group names
Consistent access, logging and control across heterogeneous environments
On clicks:
We all know about AWS Security Groups <click>
Security Group before AppGate: complicated, can’t predict all sources. A mess. <click>
Introduce AppGate. <click>
Notice multiple gateways, protecting multiple cloud providers, split functionality <click>
Next, we define protected destinations, called Entitlements. <click>
Notice, we can protect simple IP addresses and ports, but also ranges of IP addresses and ports, AWS Tags and Values as well as AWS Security Group names <click>
That allows us to introduce a whole new Security Model inside AWS, redefining the Security Group so that protected destinations allow traffic only from the AppGate gateway, ensuring all users access those resources through the contextual controls provided by AppGate. <click>
And finally, we tie the users to the entitlements through Policies where we can enforce contextual awareness before allowing specific users access to specific entitlements. <click>
This combination allows us to get very granular on who can access what and under what circumstances.