Barracuda, AWS & Securosis: Application Security for the Cloud

1. Barracuda, AWS & Securosis: Application Security for the Cloud Nick Matthews, Solutions Architect, AWS Rich Mogull, Securosis, Analyst & CEO Tushar Richabadas, Product Manager, Barracuda
2. Nick Matthews, Solutions Architect, AWS Rich Mogull, Securosis, Analyst & CEO Tushar Richabadas, Product Manager, Barracuda Today’s Presenters
3. Today’s Agenda • Security on AWS • Web Application Security for the Cloud Age • Barracuda WAF on AWS product overview & demo • Q&A/Discussion
4. Learning Objectives • Challenges of app security when moving to the cloud • Methods for securing web, mobile, and API-based applications • Live demo of the Barracuda WAF securing an AWS app
5. Security on AWS
6. Familiar Security Model Validated and driven by customers’ security experts Benefits all customers PEOPLE & PROCESS SYSTEM NETWORK PHYSICAL Security is Job Zero
7. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Identity & Access Control Network Security Customer applications & content You get to define your controls ON the Cloud AWS takes care of the security OF the Cloud You Inventory & Config Data Encryption AWS and you share responsibility for security
8. The challenge: How to integrate security into DevOps workloads so that developers can focus on application development without worrying about online attacks. Moving from DevOps to DevSecOps DevOps + Security = DevSecOps
9. Web Application Security for the Cloud Age Rich Mogull @rmogull
10. • Cloud can be more secure than traditional datacenters. • The economics are in your favor. • Cloud architectures can wipe out some traditional security headaches. • This isn’t theory, it’s being done today. • But only if you understand how to leverage the cloud. • We can use this to dramatically improve web application security. Little. Cloudy. Different.
11. • For clients to use a cloud provider, they must trust the provider. • This is especially true for anything with a sensitive data or process. • Thus security has to be a top priority for a provider or you won’t use them. • A major breach for a provider that affects multiple customers is an existential event. You get one chance
12. • Security tools and testing are typically added after the fact • And, often, manually • Dev and Ops just hate it when security tool changes or updates break “functionality” • Even when said functionality is a security issue • DevOps + Cloud = Immutable = Security Automation and Integration Automating Security
13. Controlling Blast Radius
14. • Segregating networks in a data center is hard, expensive, and often unwieldy. • It’s hard to isolate application services on physical machines. • Even using virtual machines has a lot of management overhead. • Attackers drop in and move North/South in application stacks, and East/West on networks (or both). Segregation is critical but hard
15. Limiting blast radius Account Security Group Virtual Network Subnet Virtual Network Subnet Security Group
16. To a host or network… Account Virtual Network Subnet Virtual Network Subnet Security Group Boom Security Group
17. To a host or network… Account Virtual Network Subnet Virtual Network Subnet Security Group Boom Security Group
18. Or an entire “data center” Account Virtual Network Subnet Virtual Network Subnet Security Group Account Virtual Network Subnet Virtual Network Subnet Security Group Account Virtual Network Subnet Virtual Network Subnet Security Group Security Group Security Group Security Group
19. Or an entire “data center” Account Virtual Network Subnet Virtual Network Subnet Security Group Account Virtual Network Subnet Virtual Network Subnet Security Group Account Virtual Network Subnet Virtual Network Subnet Security Group Boom Security Group Security Group Security Group
20. But This Works Best with Infrastructure as Code
21. • Instead of updating, you completely replace infrastructure through automation. • Can apply to a single server, up to an entire application stack. • Incredibly resilient and secure. Think “servers without logins.” The Power of Immutable Image from: http://tourismplacesworld.blogspot.com/2012/07/uluru.html
22. Source Code GitCloudformation Templates Jenkins Functional Tests Chef Recipes Chef Server NonFunctional Tests Security Tests Test Prod CI for Web Application Security Automation
23. Immutable Infrastructure Internet Template A:
24. Immutable Infrastructure Template A: Template B: Internet
27. Immutable Infrastructure Template B: Internet
28. Immutable Infrastructure Template B: Internet
29. Embedding and Automating Security with Immutable
30. How immutable servers work: Auto scaling Load Balancer a b c Auto Scale Group
31. Load Balancer a b c Auto Scale Group How immutable works: Auto scaling
32. Load Balancer a b c Auto Scale Group How immutable works: Auto scaling
33. Load Balancer Auto Scale Group a b c Vulnerable Patched How immutable works: Auto scaling
36. How immutable works: Auto scaling Load Balancer Auto Scale Group a b c Vulnerable Patched
37. • Easier to deploy smaller services since you can right-fit both networks and hosts/containers • Easier to isolate • Can integrate PaaS for “network air gaps” Application Hardening Through Architecture and Automation
38. DEMO!!!
39. Our Deployment Pipeline +
40. • Cloud providers have massive economic incentives to be better at security than anyone else. • In reality, we see this mostly in IaaS…SaaS can still be pretty messy. • Cloud is not merely “virtual machines.” • To get the security benefits you need to rethink how you do things and retool operations to be specific for not only cloud, but your cloud providers of preference. • Architecture and automation are the keys! • There are incredible opportunities to leverage the inherent characteristics of cloud platforms to improve security. • From managing blast radius to eliminating unapproved infrastructure changes. Web Application Security for the Cloud
41. Web Application Security for the Cloud Age Rich Mogull @rmogull
42. Tushar Richabadas Product Manager, Barracuda
43. Bridge app security and delivery gaps
44. Barracuda WAF Demo Barracuda Web Application Firewall for AWS
45. Real-World Use Case Large Financial Institution
46. Challenges • Central InfoSec Team • LOB-Specific Toolchains • Need Fully Automated Deployments
47. Solving Customer Challenges • Automation and Ease of Deployment • Security • Cost Control
48. Architecture Dev/QA/Prod Promotion: • Scrub kickstart config for env • Pull latest AMI into CFT • Add to the App’s AWS Acct • Grab configuration • Audit vs. Central • Validate exceptions Promotion Process Amazon S3 Central Bucket Ready for QA, modified config Rest API Call sends config Amazon S3 Dev Bucket Amazon S3 QA Bucket Central Config Backups Dev Config Dev CFT QA Config QA CFT Developer QA Central Security Team
49. Engineered for AWS deployments Elastic Load Balancer Auto-Scaling Group Barracuda WAF Cluster AUTO-SCALING Virtual Private Cloud Server 1 Server NElastic Load Balancer
50. All-in-One Application Security Platform Session Persistence Security & DDoS Protection Logging & Reporting Authentication & Access Control Load Balancing & Server Health Monitoring SSL & Performance Acceleration
51. Licensing
52. Cloud Ready, Set, Go! • Get tutorials and videos: • https://www.barracuda.com/programs/aws • Hands-on lab of the Barracuda WAF on AWS: • https://campus.barracuda.com/product/webapplic ationfirewall/article/display/BWAFv76/70586316/ • Launch a 90-day free trial of Barracuda WAF: • https://aws.amazon.com/marketplace/pp/B014G EC526
53. Q&A Nick Matthews, Solutions Architect, AWS Rich Mogull, Securosis, Analyst & CEO Tushar Richabadas, Product Manager, Barracuda
54. Thank you! Recording & Slides Will Be Available in 2 to 3 Business Days

Notas do Editor

At AWS security is a top priority.

We build our security program on many of the same tenets as you do. Our data centers are designed with the highest physical security requirements in mind, and access to those data centers is restricted to a very small number of individuals. In our data center we have very strict segregation of duties to ensure that out data center technicians have on the most minimal accesses they need to do their jobs. In the same way you do, we lock down our network and systems, and have well defined processes and people controls to make sure our data centers operate in an efficient and secure manner.

Our security measures have been driven by security experts from across our largest, most advanced customers, including Shell, NASDAQ, and GE, and have been validated by a wide range of security experts and accreditation bodies.

These organizations with very high security standards set the bar for AWS security, but the great thing about security in AWS is that everyone gets to benefit from the security controls that we have put in place. Whether you are a small startup, a mid sized enterprise, or the largest company you get to take advantage of the security controls that we have put in place to satisfy

<IF THE CUSTOMER ASKS ABOUT SPECIFIC CONTROLS WE HAVE IN PLACE, DIRECT THEM TOWARDS OUR SECURITY WHITEPAPER, RISK AND COMPLIANCE WHITEPAPER AND SOC 2 REPORTS THAT WE CAN MAKE AVAIALABLE>
At AWS we have a shared security model, where we are responsible for some aspects of security, whereas you get to choose other security measures you put in place.

As AWS we are responsible for the security of the underlying infrastructure . That of course include physical security across our regions, our data centers, our availability zones, our edge locations. We are also responsible for the security of the foundation services that underpin the AWS environment. This includes the infrastructure that supports our compute, storage, database and networking services.

As a customer, then, you have a choice of what security controls you choose to deploy to protect your virtual networks, servers, your data and what access control policies you wish to put in place. For highly sensitive content and applications you may want to put very stringent controls in place. For less sensitive applications, you may want to dial security back – you get to choose.
BP to check font size
Show the segregation stack- accounts, virtual network, subnets, instances (security groups)
BP to check this slide – should “deployment” be visible?
Should the header include the word “servers”? It’s inconsistent with the rest of these slides (slide 32-37)
Thank you Rich!
Good Morning folks! My name is Tushar and I’m the Product Manager for the Barracuda WAF and ADC for the public cloud.

Enabling DevSevOps
Security for web, mobile and API applications

Fits closely into the Continuous Deployment model:
Removes manual config in the deployment phase
CloudFormation and other deployment automation tools
Blue/green deployments, canary rollouts and dark launches
Build and push base config across deployments
Automate config audits for compliance
Support changes due to exception approvals
Build and push base config across deployments
Automate config audits for compliance
Support changes due to exception approvals
Different toolchains used in different departments
Three key things were crucial to helping this customer

Covers 98% of high-level risks for the organization, including OWASP Top 10
Cloud & Automation Ready, with Metered Billing
Quick overview – reference architecture
This shows you how the Barracuda WAF is deployed in your AWS environment – it’s placed using an ELB sandwich in your VPC in an autoscaling group.

Also the Barracuda WAF has the AWS Security competency certified – this just means that our solution is prequalified by AWS that it’s been well architected to leverage AWS features.
The Barracuda WAF is a fully functional WAF, with OWASP Top 10 and lots of other powerful features. One to highlight is logging, since visibility is huge for the DevOps community.

Another thing to highlight is the remediation service – it closely aligns with our theme our helping to automate security.

BVRS enables application security testing at every stage
Automatically reconfigure the Barracuda WAF from the BVRS tool
Mitigate vulnerabilities & false positives much before UAT
Integrate with testing tools with upcoming BVRS API set
Find earlier, fix faster and deploy automatically!
We are laser focused on solving cloud problems – and we know that DevOps wants to move fast. So when innovating, we thought not just about product innovations, but also licensing.

Takes away the friction of BYOL and per-instance costs of PAYG
Allows you to deploy as many instances as you want
Easy billing: Pay per GB of data transfer across all the instances

This takes PAYG to the next level
You’re really only paying for what you use, and allows companies to go to the security everywhere approach.
Do away with the services vpc concept

Barracuda, AWS & Securosis: Application Security for the Cloud

Esté a ler uma amostra.

Confira estes a seguir

Barracuda, AWS & Securosis: Application Security for the Cloud

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Barracuda, AWS & Securosis: Application Security for the Cloud (20)

Mais de Amazon Web Services (20)

Mais recentes (20)

Barracuda, AWS & Securosis: Application Security for the Cloud

Notas do Editor

Barracuda, AWS & Securosis: Application Security for the Cloud

Esté a ler uma amostra.

Barracuda, AWS & Securosis: Application Security for the Cloud

Recomendadas

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Barracuda, AWS & Securosis: Application Security for the Cloud (20)

Mais de Amazon Web Services (20)

Mais recentes (20)

Barracuda, AWS & Securosis: Application Security for the Cloud

Notas do Editor