
Barracuda, AWS & Securosis: Application Security for the Cloud





Ready to innovate on AWS, but want security that’s just as agile? In this webinar AWS, Barracuda Networks, and Securosis will show you leading-edge application security techniques for creating secure application environments, embedding security into continuous deployment, and scaling security to perfectly fit your operations. You will see the power of automating security on AWS with practical, hands-on examples. Harness the power of cloud and DevOps for security that leaves traditional infrastructures behind.




  1. Barracuda, AWS & Securosis: Application Security for the Cloud
     Nick Matthews, Solutions Architect, AWS
     Rich Mogull, Securosis, Analyst & CEO
     Tushar Richabadas, Product Manager, Barracuda
  2. Today’s Presenters
     Nick Matthews, Solutions Architect, AWS
     Rich Mogull, Securosis, Analyst & CEO
     Tushar Richabadas, Product Manager, Barracuda
  3. Today’s Agenda
     • Security on AWS
     • Web Application Security for the Cloud Age
     • Barracuda WAF on AWS product overview & demo
     • Q&A/Discussion
  4. Learning Objectives
     • Challenges of app security when moving to the cloud
     • Methods for securing web, mobile, and API-based applications
     • Live demo of the Barracuda WAF securing an AWS app
  5. Security on AWS
  6. Familiar Security Model: Security is Job Zero
     Validated and driven by customers’ security experts; benefits all customers.
     Layers: People & Process, System, Network, Physical
  7. AWS and you share responsibility for security
     AWS takes care of the security OF the Cloud: AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) and AWS Foundation Services (Compute, Storage, Database, Networking).
     You get to define your controls ON the Cloud: Customer applications & content, Identity & Access Control, Network Security, Inventory & Config, Data Encryption.
  8. Moving from DevOps to DevSecOps
     The challenge: how to integrate security into DevOps workloads so that developers can focus on application development without worrying about online attacks.
     DevOps + Security = DevSecOps
  9. Web Application Security for the Cloud Age
     Rich Mogull, @rmogull
  10. Little. Cloudy. Different.
     • Cloud can be more secure than traditional datacenters.
     • The economics are in your favor.
     • Cloud architectures can wipe out some traditional security headaches.
     • This isn’t theory, it’s being done today.
     • But only if you understand how to leverage the cloud.
     • We can use this to dramatically improve web application security.
  11. You get one chance
     • For clients to use a cloud provider, they must trust the provider.
     • This is especially true for anything involving sensitive data or processes.
     • Thus security has to be a top priority for a provider or you won’t use them.
     • A major breach for a provider that affects multiple customers is an existential event.
  12. Automating Security
     • Security tools and testing are typically added after the fact
     • And, often, manually
     • Dev and Ops just hate it when security tool changes or updates break “functionality”
     • Even when said functionality is a security issue
     • DevOps + Cloud = Immutable = Security Automation and Integration
  13. Controlling Blast Radius
  14. Segregation is critical but hard
     • Segregating networks in a data center is hard, expensive, and often unwieldy.
     • It’s hard to isolate application services on physical machines.
     • Even using virtual machines has a lot of management overhead.
     • Attackers drop in and move North/South in application stacks, and East/West on networks (or both).
  15. Limiting blast radius (diagram: Account, containing a Virtual Network, containing Subnets, each containing a Security Group)
  16. To a host or network… (diagram: the same stack, with a “Boom” contained within one Security Group)
  17. To a host or network… (same diagram)
  18. Or an entire “data center” (diagram: three Accounts, each with its own Virtual Network, Subnets and Security Groups)
  19. Or an entire “data center” (same diagram, with a “Boom” contained within one Account)
  20. But This Works Best with Infrastructure as Code
  21. The Power of Immutable
     • Instead of updating, you completely replace infrastructure through automation.
     • Can apply to a single server, up to an entire application stack.
     • Incredibly resilient and secure. Think “servers without logins.”
     Image from: http://tourismplacesworld.blogspot.com/2012/07/uluru.html
  22. CI for Web Application Security Automation (pipeline diagram: Source Code in Git, CloudFormation Templates, Jenkins, Functional Tests, Chef Recipes, Chef Server, Non-Functional Tests, Security Tests, Test, Prod)
  23. Immutable Infrastructure (diagram: Internet, Template A)
  24. Immutable Infrastructure (diagram: Internet, Template A, Template B)
  25. Immutable Infrastructure (same diagram)
  26. Immutable Infrastructure (same diagram)
  27. Immutable Infrastructure (diagram: Internet, Template B)
  28. Immutable Infrastructure (same diagram)
  29. Embedding and Automating Security with Immutable
  30. How immutable servers work: Auto scaling (diagram: Load Balancer in front of an Auto Scale Group with instances a, b, c)
  31. How immutable works: Auto scaling (same diagram)
  32. How immutable works: Auto scaling (same diagram)
  33. How immutable works: Auto scaling (diagram: Load Balancer, Auto Scale Group with instances a, b, c, each marked Vulnerable or Patched)
  34. How immutable works: Auto scaling (same diagram)
  35. How immutable works: Auto scaling (same diagram)
  36. How immutable works: Auto scaling (same diagram)
  37. Application Hardening Through Architecture and Automation
     • Easier to deploy smaller services since you can right-fit both networks and hosts/containers
     • Easier to isolate
     • Can integrate PaaS for “network air gaps”
  38. DEMO!!!
  39. Our Deployment Pipeline +
  40. Web Application Security for the Cloud
     • Cloud providers have massive economic incentives to be better at security than anyone else.
     • In reality, we see this mostly in IaaS…SaaS can still be pretty messy.
     • Cloud is not merely “virtual machines.”
     • To get the security benefits you need to rethink how you do things and retool operations to be specific for not only cloud, but your cloud providers of preference.
     • Architecture and automation are the keys!
     • There are incredible opportunities to leverage the inherent characteristics of cloud platforms to improve security.
     • From managing blast radius to eliminating unapproved infrastructure changes.
  41. Web Application Security for the Cloud Age
     Rich Mogull, @rmogull
  42. Tushar Richabadas, Product Manager, Barracuda
  43. Bridge app security and delivery gaps
  44. Barracuda WAF Demo: Barracuda Web Application Firewall for AWS
  45. Real-World Use Case: Large Financial Institution
  46. Challenges
     • Central InfoSec Team
     • LOB-Specific Toolchains
     • Need Fully Automated Deployments
  47. Solving Customer Challenges
     • Automation and Ease of Deployment
     • Security
     • Cost Control
  48. Architecture: Dev/QA/Prod Promotion
     Promotion process:
     • Scrub kickstart config for env
     • Pull latest AMI into CFT
     • Add to the App’s AWS Acct
     • Grab configuration
     • Audit vs. Central
     • Validate exceptions
     Diagram elements: Developer, QA, Central Security Team; Amazon S3 Dev Bucket (Dev Config, Dev CFT); Amazon S3 QA Bucket (QA Config, QA CFT); Amazon S3 Central Bucket (Central Config Backups); “Ready for QA, modified config”; “REST API call sends config”.
  49. Engineered for AWS deployments (diagram: Virtual Private Cloud with an Elastic Load Balancer in front of an auto-scaling Barracuda WAF Cluster in an Auto-Scaling Group, a second Elastic Load Balancer, and Server 1 through Server N)
  50. All-in-One Application Security Platform
     • Security & DDoS Protection
     • Authentication & Access Control
     • Load Balancing & Server Health Monitoring
     • Session Persistence
     • SSL & Performance Acceleration
     • Logging & Reporting
  51. Licensing
  52. Cloud Ready, Set, Go!
     • Get tutorials and videos: https://www.barracuda.com/programs/aws
     • Hands-on lab of the Barracuda WAF on AWS: https://campus.barracuda.com/product/webapplicationfirewall/article/display/BWAFv76/70586316/
     • Launch a 90-day free trial of Barracuda WAF: https://aws.amazon.com/marketplace/pp/B014GEC526
  53. Q&A
     Nick Matthews, Solutions Architect, AWS
     Rich Mogull, Securosis, Analyst & CEO
     Tushar Richabadas, Product Manager, Barracuda
  54. Thank you! Recording & Slides Will Be Available in 2 to 3 Business Days
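The segregation stack of slides 14 through 19 (accounts, virtual networks, subnets, security groups), the "Security Tests" stage of the CI pipeline on slide 22 and the "servers without logins" idea of slide 21 come together when the CloudFormation template itself is tested before a stack is promoted. The following Python is an added example written for this page; it is not code from the webinar or from AWS, Barracuda or Securosis. The template, its logical resource names (Vpc, EdgeSg, AppSg, AppLaunch, AppAsg) and the rule that exactly one "edge tier" security group may accept internet traffic are constructed assumptions for the illustration.

```python
"""Security tests for an infrastructure-as-code template, of the kind a CI stage
runs before a stack is promoted. Standard library only; the template is a
constructed CloudFormation document in its JSON form."""
import json
import sys

# Constructed sample template. Logical names (Vpc, EdgeSg, AppSg, AppLaunch,
# AppAsg) are assumptions for this example. AppSg deliberately carries an
# SSH-from-anywhere rule and AppLaunch a KeyName so the checks have work to do.
TEMPLATE = json.loads(r'''
{
  "Resources": {
    "Vpc": {"Type": "AWS::EC2::VPC",
            "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "EdgeSubnet": {"Type": "AWS::EC2::Subnet",
                   "Properties": {"VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.0.1.0/24"}},
    "AppSubnet": {"Type": "AWS::EC2::Subnet",
                  "Properties": {"VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.0.2.0/24"}},
    "EdgeSg": {"Type": "AWS::EC2::SecurityGroup",
               "Properties": {"GroupDescription": "WAF tier", "VpcId": {"Ref": "Vpc"},
                              "SecurityGroupIngress": [
                                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                 "CidrIp": "0.0.0.0/0"}]}},
    "AppSg": {"Type": "AWS::EC2::SecurityGroup",
              "Properties": {"GroupDescription": "app tier", "VpcId": {"Ref": "Vpc"},
                             "SecurityGroupIngress": [
                               {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                                "SourceSecurityGroupId": {"Ref": "EdgeSg"}},
                               {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                "CidrIp": "0.0.0.0/0"}]}},
    "AppLaunch": {"Type": "AWS::AutoScaling::LaunchConfiguration",
                  "Properties": {"ImageId": "ami-EXAMPLE", "InstanceType": "t3.micro",
                                 "KeyName": "ops-key", "SecurityGroups": [{"Ref": "AppSg"}]}},
    "AppAsg": {"Type": "AWS::AutoScaling::AutoScalingGroup",
               "Properties": {"LaunchConfigurationName": {"Ref": "AppLaunch"},
                              "MinSize": "2", "MaxSize": "4",
                              "VPCZoneIdentifier": [{"Ref": "AppSubnet"}]}}
  }
}
''')

# Only these security groups may accept traffic from the internet (assumption).
EDGE_TIER = {"EdgeSg"}


def resources_of(template, rtype):
    """Logical name -> resource, for every resource of the given CloudFormation type."""
    return {n: r for n, r in template["Resources"].items() if r["Type"] == rtype}


def is_world_open(rule):
    """True if the ingress rule's source is the whole IPv4 or IPv6 internet."""
    return rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"


def covers_port(rule, port):
    """True if the ingress rule admits the given port (or all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    try:
        return int(rule["FromPort"]) <= port <= int(rule["ToPort"])
    except (KeyError, TypeError, ValueError):
        return False


def audit_template(template, edge_tier=EDGE_TIER):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    for name, sg in resources_of(template, "AWS::EC2::SecurityGroup").items():
        for rule in sg["Properties"].get("SecurityGroupIngress", []):
            if covers_port(rule, 22):
                findings.append(f"{name}: SSH ingress contradicts 'servers without logins'")
            if name in edge_tier:
                continue  # the edge tier is the one place internet ingress is expected
            if is_world_open(rule):
                findings.append(f"{name}: internet-wide ingress outside the edge tier")
            elif "SourceSecurityGroupId" not in rule:
                # Inner tiers should trust a security group, not an address range,
                # so the blast radius is bounded by group membership.
                findings.append(f"{name}: ingress source is a CIDR, not a security group")
    for rtype in ("AWS::AutoScaling::LaunchConfiguration", "AWS::EC2::Instance"):
        for name, res in resources_of(template, rtype).items():
            if "KeyName" in res["Properties"]:
                findings.append(f"{name}: KeyName enables interactive login on an immutable host")
    return findings


def hardened_copy(template):
    """The constructed template with its two deliberate defects removed."""
    fixed = json.loads(json.dumps(template))
    app = fixed["Resources"]["AppSg"]["Properties"]
    app["SecurityGroupIngress"] = [r for r in app["SecurityGroupIngress"] if not covers_port(r, 22)]
    fixed["Resources"]["AppLaunch"]["Properties"].pop("KeyName", None)
    return fixed


if __name__ == "__main__":
    # Acts as a CI gate: a non-zero exit status blocks promotion of the stack.
    results = audit_template(TEMPLATE)
    for line in results:
        print("FAIL", line)
    sys.exit(1 if results else 0)
```

Run against the constructed template the gate reports three findings (the SSH rule twice, once as a login path and once as internet-wide ingress outside the edge tier, plus the key pair on the launch configuration) and exits non-zero; the hardened copy passes cleanly. Because the checks read the template rather than the running account, they run on every commit, which is the point of putting security tests beside the functional and non-functional tests in the pipeline.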

Editor's Notes

  • At AWS security is a top priority.

    We build our security program on many of the same tenets as you do. Our data centers are designed with the highest physical security requirements in mind, and access to those data centers is restricted to a very small number of individuals. In our data centers we have very strict segregation of duties to ensure that our data center technicians have only the most minimal access they need to do their jobs. In the same way you do, we lock down our network and systems, and have well-defined processes and people controls to make sure our data centers operate in an efficient and secure manner.

    Our security measures have been driven by security experts from across our largest, most advanced customers, including Shell, NASDAQ, and GE, and have been validated by a wide range of security experts and accreditation bodies.

    These organizations with very high security standards set the bar for AWS security, but the great thing about security in AWS is that everyone gets to benefit from the security controls that we have put in place. Whether you are a small startup, a mid-sized enterprise, or the largest company, you get to take advantage of the security controls that we have put in place to satisfy

    <IF THE CUSTOMER ASKS ABOUT SPECIFIC CONTROLS WE HAVE IN PLACE, DIRECT THEM TOWARDS OUR SECURITY WHITEPAPER, RISK AND COMPLIANCE WHITEPAPER AND SOC 2 REPORTS THAT WE CAN MAKE AVAILABLE>
  • At AWS we have a shared security model, where we are responsible for some aspects of security, whereas you get to choose other security measures you put in place.

    As AWS we are responsible for the security of the underlying infrastructure. That of course includes physical security across our regions, our data centers, our availability zones, our edge locations. We are also responsible for the security of the foundation services that underpin the AWS environment. This includes the infrastructure that supports our compute, storage, database and networking services.

    As a customer, then, you have a choice of what security controls you choose to deploy to protect your virtual networks, servers, your data and what access control policies you wish to put in place. For highly sensitive content and applications you may want to put very stringent controls in place. For less sensitive applications, you may want to dial security back – you get to choose.
  • BP to check font size
  • Show the segregation stack- accounts, virtual network, subnets, instances (security groups)
  • Show the segregation stack- accounts, virtual network, subnets, instances (security groups)
  • Show the segregation stack- accounts, virtual network, subnets, instances (security groups)
  • Show the segregation stack- accounts, virtual network, subnets, instances (security groups)
  • Show the segregation stack- accounts, virtual network, subnets, instances (security groups)
  • BP to check this slide – should “deployment” be visible?
  • Should the header include the word “servers”? It’s inconsistent with the rest of these slides (slide 32-37)
  • BP to check font size
  • BP to check font size
  • BP to check font size
  • BP to check font size
  • BP to check font size
  • Thank you Rich!
    Good Morning folks! My name is Tushar and I’m the Product Manager for the Barracuda WAF and ADC for the public cloud.


    Enabling DevSecOps
    Security for web, mobile and API applications

    Fits closely into the Continuous Deployment model:
    Removes manual config in the deployment phase
    CloudFormation and other deployment automation tools
    Blue/green deployments, canary rollouts and dark launches
  • Build and push base config across deployments
    Automate config audits for compliance
    Support changes due to exception approvals
    Build and push base config across deployments
    Automate config audits for compliance
    Support changes due to exception approvals
    Different toolchains used in different departments
  • Three key things were crucial to helping this customer

    Covers 98% of high-level risks for the organization, including OWASP Top 10
    Cloud & Automation Ready, with Metered Billing


  • Quick overview – reference architecture
  • This shows you how the Barracuda WAF is deployed in your AWS environment – it’s placed using an ELB sandwich in your VPC in an autoscaling group.

    Also, the Barracuda WAF holds the AWS Security Competency certification – this just means that AWS has prequalified our solution as well architected to leverage AWS features.
  • The Barracuda WAF is a fully functional WAF, with OWASP Top 10 and lots of other powerful features. One to highlight is logging, since visibility is huge for the DevOps community.

    Another thing to highlight is the remediation service – it closely aligns with our theme of helping to automate security.

    BVRS enables application security testing at every stage
    Automatically reconfigure the Barracuda WAF from the BVRS tool
    Mitigate vulnerabilities & false positives well before UAT
    Integrate with testing tools with upcoming BVRS API set
    Find earlier, fix faster and deploy automatically!
  • We are laser-focused on solving cloud problems – and we know that DevOps wants to move fast. So when innovating, we thought not just about product innovations, but also licensing.

    Takes away the friction of BYOL and per-instance costs of PAYG
    Allows you to deploy as many instances as you want
    Easy billing: Pay per GB of data transfer across all the instances

    This takes PAYG to the next level
    You really only pay for what you use, and it allows companies to adopt the security-everywhere approach.
    Do away with the services VPC concept
