© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Secure and Automate AWS Deployments with Next Generation Security
Michael South, Americas Regional Leader, AWS Public Sector Security & Compliance Business Acceleration
Matthew Mclimans, Palo Alto Public Cloud Consultant Engineer
Why is security traditionally so hard?
• Lack of Visibility
• Low degree of Automation
• Lack of Resiliency
• Defense in Depth
Four Security Benefits of the Cloud
• Increased visibility
• Increased availability and resiliency
• True Defense-in-Depth
• Ability to automate Security and Compliance
Visibility
AWS Services that provide Operational Visibility
• AWS CloudTrail: Track user activity and API usage
• Amazon CloudWatch: Monitor resources and applications
• Amazon Inspector: Analyze OS and application security
• AWS Artifact: Self-service for AWS’ compliance reports
• Amazon VPC Flow Logs: Track network activity in/out of VPC
• Amazon GuardDuty: Intelligent Threat Detection
• Amazon Macie: Discover, classify, and protect sensitive data
• AWS Trusted Advisor: Guidance to reduce cost, increase performance, and improve security
• AWS WAF Logs: Track application access/denials
Resiliency
AWS Global Infrastructure: Regions & Number of Availability Zones
• AWS GovCloud (US): Oregon (3); Ohio (3) *Coming Soon
• US West: Oregon (3); Northern California (3)
• US East: N. Virginia (6); Ohio (3)
• Canada: Central (2)
• South America: São Paulo (3)
• EU: Ireland (3); Frankfurt (3); London (3); Paris (3)
• Asia Pacific: Singapore (3); Sydney (3); Tokyo (4); Seoul (2); Mumbai (2)
• China: Beijing (2); Ningxia (3)
• Announced Regions: Bahrain, Hong Kong, Sweden, AWS GovCloud East
Totals: 18 Regions, 55 Availability Zones, 121 Edge Locations
- Regions: metropolitan area with independent “cloud”
- Fully isolated from other Regions (security boundary)
- Customer chooses Region; data stays within Region
- Regions comprised of multiple Availability Zones (AZ = 1 or more “data centers”)
- AZs connected through redundant low-latency links
- Physically separated; separate low-risk flood plains
- Discrete UPS & onsite backup
- Redundant connections to multiple tier-1 ISPs
- Built for continuous availability
Diagram: AWS Region and Availability Zone view (legend: Availability Zone, Physical Datacenter, Fiber, Region)
Achieving High Availability in AWS
Diagram: a customer datacenter (WEB, APP and DB tiers behind a load balancer and firewall) alongside an AWS Virtual Private Cloud (VPC) in one AWS Region spanning Availability Zone A and Availability Zone B. Each AZ has a DMZ Subnet (Web Server), an App Subnet (App Server) and a Database Subnet (DB Server); the web and app tiers run in auto scaling groups bounded by security groups, and the primary DB Server in Availability Zone A uses synchronous replication to the secondary DB Server in Availability Zone B.
Defense in Depth
Reality of Many On-Prem Network Defenses
• Hard Outer Shell (Perimeter)
• Soft and Gooey Middle (Datacenter/Network)
Diagram labels: WAF, Firewall, IDS/IPS, DLP, VLANs, ACLs
Defense-in-Depth in AWS at the Perimeter
Diagram: Web Server (DMZ Subnet), App Server (App Subnet) and primary DB Server (DB Subnet) behind the following perimeter controls:
• AWS Shield: DDoS Protection
• AWS WAF: Web Application Firewall
• VPN Gateway: Secure DevOps Comms
• VPC w/ ACLs: Stateless Firewall
• Internet Gateway: Path to Public Internet (Not present by default)
• Amazon GuardDuty: Signature & Behavioral-based Intrusion Detection System using Machine Learning
• AWS Direct Connect: Private Fiber Comms
• Partner Solutions: Firewall, IDS/IPS, WAF
Defense-in-Depth in AWS between Workloads
Diagram: two VPCs, each with a DMZ Subnet (Web Server, DMZ Security Group), an App Subnet (App Server, App Security Group) and a DB Subnet (primary DB Server, Database Security Group).
• VPCs w/ ACLs: Stateless Firewall
• Default: No Communications Between VPCs
• Internet Gateway: Path to Public Internet
• VPN Connection: Secure Communications over Internet
• VPC Peering: Private network connection between VPCs
Defense-in-Depth in AWS inside the Workload
Diagram: DMZ Subnet (Web Servers, DMZ Security Group), App Subnet (App Servers, App Security Group) and DB Subnet (primary and secondary DB Server, Database Security Group).
• Security Group: Stateful firewall between each application tier
• Security Group: Does NOT allow peer-to-peer communications by default
• Amazon GuardDuty: Signature & Behavioral-based Intrusion Detection System using Machine Learning
• Amazon CloudWatch: Event Management and Alerting
• AWS CloudTrail: API Logging
• Amazon Inspector: Security & Compliance assessment
• 3rd Party EPS: OS Anti-virus, Firewall, Host Intrusion Protection System
Automation
Get the humans away from the data
Amazon GuardDuty Threat Detection
Amazon GuardDuty IDS
• Reconnaissance
  • Instance recon:
    • Port probe / accepted comm
    • Port scan (intra-VPC)
    • Brute force attack (IP)
    • Drop point (IP)
    • Tor communications
  • Account recon:
    • Tor API call (failed)
• Instance compromise
  • C&C activity
  • Malicious domain request
  • Amazon EC2 on threat list
  • Drop point IP
  • Malicious comms (ASIS)
  • Bitcoin mining
  • Outbound DDoS
  • Spambot activity
  • Outbound SSH brute force
  • Unusual network port
  • Unusual traffic volume/direction
  • Unusual DNS requests
• Account compromise
  • Malicious API call (bad IP)
  • Tor API call (accepted)
  • CloudTrail disabled
  • Password policy change
  • Instance launch unusual
  • Region activity unusual
  • Suspicious console login
  • Unusual ISP caller
  • Mutating API calls (create, update, delete)
  • High volume of describe calls
  • Unusual IAM user added
• Detections in gray are signature based, state-less findings
• Detections in blue are behavioral, state-full findings / anomaly detections
Automate with integrated services
Flow: Amazon GuardDuty → CloudWatch Events (Amazon CloudWatch Event) → Lambda Function (AWS Lambda) → Automated threat remediation, either as a WAF Rule in AWS WAF (Web Application Firewall) or on a Palo Alto NGFW.
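An added example of the Lambda step in this flow (not code from the deck, AWS or Palo Alto Networks): it validates that the CloudWatch Events payload is a GuardDuty finding, pulls the remote peer address out of the finding's network-connection or port-probe action, and inserts it into an AWS WAF (classic) IP set once the finding's severity crosses a threshold. The severity threshold, the `WAF_IP_SET_ID` environment variable, the `FakeWaf` stand-in and the sample event are all assumptions constructed for the example.

```python
"""GuardDuty finding -> CloudWatch Events -> Lambda -> WAF IP set (added example)."""
import ipaddress
import json
import os

# Assumption: only findings at or above this severity trigger a block.
SEVERITY_THRESHOLD = float(os.environ.get("SEVERITY_THRESHOLD", "7"))

# Peers in these ranges are never pushed to a public WAF IP set: a parse bug or a
# misrouted intra-VPC finding must not end up blocking internal addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample event in the shape CloudWatch Events uses for GuardDuty
# findings (source "aws.guardduty", detail-type "GuardDuty Finding"); the
# finding id, instance id and peer address are made up.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "constructed-finding-id",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "INBOUND",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
    },
}


def remote_ips(finding):
    """Return the remote IPv4 addresses named in the finding's action.

    NETWORK_CONNECTION carries one remote peer; PORT_PROBE carries one per probe.
    """
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    if kind == "NETWORK_CONNECTION":
        ip = action.get("networkConnectionAction", {}).get("remoteIpDetails", {}).get("ipAddressV4")
        return [ip] if ip else []
    if kind == "PORT_PROBE":
        details = action.get("portProbeAction", {}).get("portProbeDetails", [])
        return [d["remoteIpDetails"]["ipAddressV4"] for d in details
                if d.get("remoteIpDetails", {}).get("ipAddressV4")]
    return []


def blockable_ips(finding, threshold=SEVERITY_THRESHOLD):
    """Return /32 CIDRs to block: severity >= threshold, valid IPv4, not internal."""
    if float(finding.get("severity", 0)) < threshold:
        return []
    cidrs = []
    for ip in remote_ips(finding):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address in the event: skip, never block blindly
        if addr.version == 4 and not any(addr in net for net in INTERNAL_NETS):
            cidrs.append(f"{ip}/32")
    return cidrs


def remediate(event, waf_client, ip_set_id):
    """Validate the event, choose IPs, and INSERT them into the WAF IP set.

    waf_client needs get_change_token() and update_ip_set(IPSetId, ChangeToken,
    Updates), the WAF classic calls; in Lambda that is boto3.client("waf").
    """
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignored", "reason": "not a GuardDuty finding"}
    finding = event["detail"]
    cidrs = blockable_ips(finding)
    if not cidrs:
        return {"action": "none", "finding": finding.get("id"), "type": finding.get("type")}
    token = waf_client.get_change_token()["ChangeToken"]
    updates = [{"Action": "INSERT", "IPSetDescriptor": {"Type": "IPV4", "Value": c}} for c in cidrs]
    waf_client.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates)
    return {"action": "blocked", "finding": finding.get("id"), "type": finding.get("type"), "cidrs": cidrs}


def lambda_handler(event, context):
    """Lambda entry point; the IP set id comes from the environment (assumption)."""
    import boto3  # imported lazily so the decision logic above runs without the SDK
    return remediate(event, boto3.client("waf"), os.environ["WAF_IP_SET_ID"])


class FakeWaf:
    """In-memory stand-in for the WAF client so the flow can be run offline."""
    def __init__(self):
        self.inserted = []

    def get_change_token(self):
        return {"ChangeToken": "constructed-token"}

    def update_ip_set(self, IPSetId, ChangeToken, Updates):
        self.inserted.extend(u["IPSetDescriptor"]["Value"] for u in Updates if u["Action"] == "INSERT")
        return {"ChangeToken": ChangeToken}


if __name__ == "__main__":
    waf = FakeWaf()
    print(json.dumps(remediate(SAMPLE_EVENT, waf, "constructed-ipset-id")))
    print("IP set now contains:", waf.inserted)
```

The same decision function would feed a Palo Alto NGFW instead by swapping the WAF client for a call that updates an external dynamic list or address group, which is outside this example.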
Workloads appropriate for AWS
• Web applications and websites
• Backup, recovery and archiving
• Disaster recovery
• Development and test
• Big data
• High-performance computing
• Enterprise IT
• Mobile
• Mission critical applications
• Data center migration and hybrid
• IoT
• Security Operations
Improving security with the cloud
For more details, see the AWS re:Invent 2013 presentations by NASA JPL cyber security engineer Matt Derenski (http://awsps.com/videos/SEC205E-640px.mp4)
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters.”
- Tom Soderstrom, CTO, NASA JPL
RaEd Abudayyeh, Cloud Security Lead, Emerging Markets
Secure and Automate AWS Deployments with Next Generation Security.
Diagram: SECURITY OPERATING PLATFORM: Palo Alto Networks apps, 3rd party apps and customer apps on top of the Application Framework, Logging Service and Threat Intel Data, spanning Network, Endpoint and Cloud.
LEADERSHIP IN CYBERSECURITY
• 63% of the Global 2K are Palo Alto Networks customers
• 29% year over year revenue growth*
• 85 of Fortune 100 rely on Palo Alto Networks
• #1 in Enterprise Security
• 54,000+ customers in 150+ countries
• Revenue trend: 40% CAGR FY14 - FY18 (chart: FY14, FY15, FY16, FY17, FY18)
* Q4FY2018. Fiscal year ends July 31.
Gartner, Market Share: Enterprise Network Equipment by Market Segment, Worldwide, 1Q18, 14 June 2018
CONSISTENT PREVENTION EVERYWHERE
Diagram: SaaS, Physical Network, Private Cloud, IaaS, PaaS, Mobile
© 2018 Palo Alto Networks. All Rights Reserved.
SHARED RESPONSIBILITY
AWS SECURITY = A SHARED RESPONSIBILITY
AWS looks after the security OF the platform:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client & Server Encryption; Encryption Key Management; Network Traffic Protection
CLOUD USAGE TYPES
Diagram: SaaS, Private, Physical, IaaS, PaaS
SECURING THE CLOUD IS HARD
• Fragmented Security
• Human Error
• Manual Security
“A Public Cloud Risk Model: Accepting Cloud Risk Is OK, Ignoring Cloud Risk Is Tragic,” Gartner, November 2, 2016
TRIVIA QUESTION!
Through 2020, 95% of cloud security failures will be the customer's fault
SECURING THE PUBLIC CLOUD (IaaS, PaaS)
• INLINE: Protect and segment cloud workloads
• HOST: Secure OS & app within workloads
• API-BASED: Continuous security & compliance
OUR VISION FOR CLOUD SECURITY
THREE KEY SECURITY ELEMENTS
• INLINE: Protect and Segment Cloud Workloads (VM-Series NGFW)
• HOST: Secure OS & App Within Workloads (Traps)
• API: Continuous Security & Compliance (Evident)
Diagram: On-Premises connected to a Virtual Private Cloud (VPC) hosting a WEB tier (Web Server) and an APP tier (App Server) on IaaS, with Object Storage, Caching and Database on PaaS.
PROTECT AND SEGMENT CLOUD WORKLOADS: VM-SERIES
• Application visibility and workload segmentation
• Auto-scale based on triggers
• Prevent outbound and inbound attacks
Diagram: VM-Series deployed between On-Premises and the Virtual Private Cloud (VPC)
CONTINUOUS MONITORING AND COMPLIANCE: EVIDENT
Questions answered over the API: Is MFA Enabled? Is any sensitive data exposed? What services are running? Who has access to this resource?
• Discover and Monitor Resources
• Compliance Reporting
• Secure Storage Services
WORKLOAD PROTECTION: TRAPS
• Lightweight Agent
• Real-time Exploit and Malware Protection
• Protects Unpatched Workloads
• Multi-method Attack Prevention
• Traps Advanced Endpoint Protections
PLATFORM AUTOMATION
Diagram: CLOUD-DELIVERED SECURITY SERVICES (URL Filtering, Threat Prevention, Malware Analysis) alongside a Virtual Private Cloud hosting a WEB tier (Web Server) and an APP tier (App Server) on IaaS, with Object Storage, Caching and Database on PaaS; threat indicators from 3rd party feeds, customer data and Amazon GuardDuty flow through MineMeld over the API, with Evident, Traps and the VM-Series NGFW covering the IaaS and PaaS layers.
LET’S TALK SAAS SECURITY
SAAS SECURITY APPROACHES
• SaaS Native Security: Limited Scope
• CASB Vendors: Limited Security
• Legacy Content Security: Limited Context
OUR APPROACH TO SAAS SECURITY
Diagram: Remote Users, Branch and Headquarters (Managed and Unmanaged Devices) reach Sanctioned, Tolerated and Unsanctioned SaaS applications through GlobalProtect Cloud Service and the NGFW, with Aperture connected to the SaaS applications via API.
• SaaS application visibility and granular enforcement delivered inline
• Monitor in-cloud activity and protect data with Aperture
CONSISTENT & FRICTIONLESS PREVENTION EVERYWHERE
Diagram: Physical Network, Mobile, Private Cloud, IaaS, SaaS, PaaS
Thank you
Rate my session.
https://amzn.to/ottawa-sessions
Track: Management
Session: 9:00 AM - Secure and Automate AWS Deployments
with Next-Generation Security
How did we do?
https://amzn.to/ottawa-summit

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Automating DDos and WAF responses - AWS Summit Cape Town 2018
Automating DDos and WAF responses - AWS Summit Cape Town 2018Automating DDos and WAF responses - AWS Summit Cape Town 2018
Automating DDos and WAF responses - AWS Summit Cape Town 2018
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
 
Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019
Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019 Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019
Integrating AppSec into Your DevSecOps on AWS - DEM14 - AWS re:Inforce 2019
 
Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020
 
Incident Response: Eyes Everywhere
Incident Response: Eyes EverywhereIncident Response: Eyes Everywhere
Incident Response: Eyes Everywhere
 
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
Lean and clean SecOps using AWS native services cloud - SDD301 - AWS re:Infor...
 
Build anywhere; Secure everywhere - DEM01-R - AWS re:Inforce 2019
Build anywhere; Secure everywhere - DEM01-R - AWS re:Inforce 2019 Build anywhere; Secure everywhere - DEM01-R - AWS re:Inforce 2019
Build anywhere; Secure everywhere - DEM01-R - AWS re:Inforce 2019
 
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
Build a PCI SAQ A-EP-compliant serverless service to manage credit card payme...
 
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
 
The economics of incidents, and creative ways to thwart future threats - SEP3...
The economics of incidents, and creative ways to thwart future threats - SEP3...The economics of incidents, and creative ways to thwart future threats - SEP3...
The economics of incidents, and creative ways to thwart future threats - SEP3...
 
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
Architect proper segmentation for PCI DSS workloads on AWS - GRC306 - AWS re:...
 
Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...
Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...
Presenting Radar: Validation and remediation of AWS cloud resources - GRC343 ...
 
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019 Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
Using analytics to set access controls in AWS - SDD204 - AWS re:Inforce 2019
 
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019 Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
Scaling threat detection and response in AWS - SDD312-R - AWS re:Inforce 2019
 
Leverage the security & resiliency of the cloud & IoT for industry use cases ...
Leverage the security & resiliency of the cloud & IoT for industry use cases ...Leverage the security & resiliency of the cloud & IoT for industry use cases ...
Leverage the security & resiliency of the cloud & IoT for industry use cases ...
 
How policymakers can fulfill promises of security for cloud services - SEP205...
How policymakers can fulfill promises of security for cloud services - SEP205...How policymakers can fulfill promises of security for cloud services - SEP205...
How policymakers can fulfill promises of security for cloud services - SEP205...
 
How FINRA achieves DevOps agility while securing its AWS environments - GRC33...
How FINRA achieves DevOps agility while securing its AWS environments - GRC33...How FINRA achieves DevOps agility while securing its AWS environments - GRC33...
How FINRA achieves DevOps agility while securing its AWS environments - GRC33...
 
Integrating network and API security into your application lifecycle - DEM07 ...
Integrating network and API security into your application lifecycle - DEM07 ...Integrating network and API security into your application lifecycle - DEM07 ...
Integrating network and API security into your application lifecycle - DEM07 ...
 
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
 

Semelhante a Secure & Automate AWS Deployments with Next-Generation on Security

Semelhante a Secure & Automate AWS Deployments with Next-Generation on Security (20)

The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
The AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in PracticeThe AWS Shared Responsibility Model in Practice
The AWS Shared Responsibility Model in Practice
 
Cybersecurity: A Drive Force Behind Cloud Adoption
Cybersecurity: A Drive Force Behind Cloud AdoptionCybersecurity: A Drive Force Behind Cloud Adoption
Cybersecurity: A Drive Force Behind Cloud Adoption
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Accelerating Your Cloud Innovation
Accelerating Your Cloud InnovationAccelerating Your Cloud Innovation
Accelerating Your Cloud Innovation
 
Edge immersion days module 2 - protect your application at the edge using a...
Edge immersion days   module 2 - protect your application at the edge using a...Edge immersion days   module 2 - protect your application at the edge using a...
Edge immersion days module 2 - protect your application at the edge using a...
 
Automating DDoS and WAF Response
Automating DDoS and WAF ResponseAutomating DDoS and WAF Response
Automating DDoS and WAF Response
 
Strengthen Your Organizations Security and Privacy.pdf
Strengthen Your Organizations Security and Privacy.pdfStrengthen Your Organizations Security and Privacy.pdf
Strengthen Your Organizations Security and Privacy.pdf
 
Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
Mission (Not) Impossible: Applying NIST 800-53 High Impact-Controls on AWS fo...
 
Elevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloudElevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloud
 
AWS - Security & Compliance
AWS - Security & ComplianceAWS - Security & Compliance
AWS - Security & Compliance
 
Introduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF LoftIntroduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF Loft
 
Lock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountLock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS Account
 
Innovate - Cybersecurity: A Drive Force Behind Cloud Adoption
Innovate - Cybersecurity: A Drive Force Behind Cloud AdoptionInnovate - Cybersecurity: A Drive Force Behind Cloud Adoption
Innovate - Cybersecurity: A Drive Force Behind Cloud Adoption
 
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...Meeting Enterprise Security Requirements with AWS Native Security Services (S...
Meeting Enterprise Security Requirements with AWS Native Security Services (S...
 
雲端原生 (Cloud-Native) 的 DDoS Attack 防禦方案 (Level: 200)
雲端原生 (Cloud-Native) 的 DDoS Attack 防禦方案 (Level: 200)雲端原生 (Cloud-Native) 的 DDoS Attack 防禦方案 (Level: 200)
雲端原生 (Cloud-Native) 的 DDoS Attack 防禦方案 (Level: 200)
 
Hybrid Cloud on AWS
Hybrid Cloud on AWSHybrid Cloud on AWS
Hybrid Cloud on AWS
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...
Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...
Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...
 

Mais de Amazon Web Services

Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

Mais de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Secure & Automate AWS Deployments with Next-Generation on Security

  • 1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Michael South, Americas Regional Leader, AWS Public Sector Security & Compliance Business Acceleration Secure and Automate AWS Deployments with Next Generation Security Matthew Mclimans Palo Alto Public Cloud Consultant Engineer
  • 2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Why is security traditionally so hard? Lack of Visibility Low degree of Automation Lack of Resiliency Defense in Depth
  • 3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Four Security Benefits of the Cloud • Increased visibility • Increased availability and resiliency • True Defense-in-Depth • Ability to automate Security and Compliance
  • 4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Visibility
  • 5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Services that provide Operational Visibility AWS CloudTrail Track user activity and API usage Amazon CloudWatch Monitor resources and applications Amazon Inspector Analyze OS and application security AWS Artifact Self-service for AWS’ compliance reports Amazon VPC Flow Logs Track network activity in/out of VPC Amazon GuardDuty Intelligent Threat Detection Amazon Macie Discover, classify, and protect sensitive data AWS Trusted Advisor Guidance to reduce cost, increase performance, and improve security AWS WAF Logs Track application access/denials
  • 6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Resiliency
  • 7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Global Infrastructure Region & Number of Availability Zones AWS GovCloud EU Oregon (3) Ireland (3) Ohio (3) *Coming Soon Frankfurt (3) London (3) US West Paris (3) Oregon (3) Northern California (3) Asia Pacific Singapore (3) US East Sydney (3) N. Virginia (6) Tokyo (4) Ohio (3) Seoul (2) Mumbai (2) Canada Central (2) China Beijing (2) South America Ningxia (3) São Paulo (3) Announced Regions Bahrain, Hong Kong, Sweden, AWS GovCloud East 18Regions 55 Availability Zones 121 Edge Locations AWS GovCloud (US)
  • 8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. - Regions: metropolitan area with independent “cloud” - Fully Isolated from other Regions (security boundary) - Customer chooses Region - Data stays within Region - Regions comprised of multiple Availability Zones AZ = 1 or more “data centers” - AZ’s connected through redundant low-latency links - Physically separated; Separate Low Risk Flood Plains - Discrete UPS & Onsite backup - Redundant connections to multiple tier-1 ISP’s - Built for Continuous Availability AWS Region and Availability Zone View Availability Zone Physical Datacenter Fiber Region
  • 9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Achieving High Availability in AWS Customer data center WEB APP DB WEB LB FW Customer Datacenter AWS Virtual Private Cloud (VPC) AWS Region App Subnet Availability Zone A Database Subnet DMZ Subnet Web Server App Server DB Server primary Availability Zone B Database Subnet DB Server secondary Web Server App Server App Subnet DMZ Subnet auto scaling group auto scaling group security groupsecurity group synchronous replication
  • 10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Defense in Depth
  • 11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Reality of Many On-Prem Network Defenses Hard Outer Shell (Perimeter) Soft and Gooey Middle (Datacenter/Network)WAF Firewall IDS/IPS DLP VLANs ACLs
  • 12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Defense-in-Depth in AWS at the Perimeter Web Server App Server DB Server primary DMZ Subnet App Subnet DB Subnet AWS Shield DDoS Protection AWS WAF Web Application Firewall VPN Gateway Secure DevOps Comms VPC w/ ACLs Stateless Firewall Internet Gateway Path to Public Internet (Not present by default) Amazon GuardDuty Signature & Behavioral-based Intrusion Detection System using Machine Learning AWS Direct Connect Private Fiber Comms Partner Solutions Firewall, IDS/IPS, WAF
  • 13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Defense-in-Depth in AWS between Workloads App Security Group DMZ Security Group Database Security Group Web Server App Server DB Server primary DMZ Subnet App Subnet DB Subnet App Security Group DMZ Security Group Database Security Group Web Server App Server DB Server primary DMZ Subnet App Subnet DB Subnet VPCs w/ ACLs Stateless Firewall Default No Communications Between VPCs VPCs w/ ACLs Stateless Firewall Internet Gateway Path to Public Internet VPN Connection Secure Communications over Internet VPN Peering Private network connection between VPCs
  • 14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Defense-in-Depth in AWS inside the Workload App Security Group DMZ Security Group Database Security Group Web Server App Server DB Server secondary DMZ Subnet App Subnet DB Subnet Security Group Stateful Firewall between each application tier Amazon GuardDuty Signature & Behavioral-based Intrusion Detection System using Machine Learning Web Server Web Server App Server App Server DB Server primary Security Group Does NOT allow peer-to-peer communications by default Amazon CloudWatch Event Management and Alerting AWS CloudTrail API Logging Amazon Inspector Security & Compliance assessment 3rd Party EPS OS Anti-virus, Firewall, Host Intrusion Protection System
  • 15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automation
  • 16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Get the humans away from the data
  • 17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon GuardDuty Threat Detection
  • 18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon GuardDuty IDS • Reconnaissance • Instance recon: • Port probe / accepted comm • Port scan (intra-VPC) • Brute force attack (IP) • Drop point (IP) • Tor communications • Account recon • Tor API call (failed) Instance compromise • C&C activity • Malicious domain request • Amazon EC2 on threat list • Drop point IP • Malicious comms (ASIS) • Bitcoin mining • Outbound DDoS • Spambot activity • Outbound SSH brute force • Unusual network port • Unusual traffic volume/direction • Unusual DNS requests Account compromise • Malicious API call (bad IP) • Tor API call (accepted) • CloudTrail disabled • Password policy change • Instance launch unusual • Region activity unusual • Suspicious console login • Unusual ISP caller • Mutating API calls (create, update, delete) • High volume of describe calls • Unusual IAM user added • Detections in gray are signature-based, stateless findings • Detections in blue are behavioral, stateful findings / anomaly detections
  • 19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate with integrated services Amazon CloudWatch Event CloudWatch Events Amazon CloudWatch Lambda Lambda Function AWS Lambda GuardDuty Amazon GuardDuty Automated threat remediation Web Application Firewall AWS WAF WAF Rule Palo Alto NGFW
  • 20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Workloads appropriate for AWS Web applications and websites Backup, recovery and archiving Disaster recovery Development and test Big data High-performance computing Enterprise IT Mobile Mission critical applications Data center migration and hybrid IoT Security Operations
  • 21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Improving security with the cloud For more details, see Re:Invent 2013 presentations by NASA JPL cyber security engineer Matt Derenski (http://awsps.com/videos/SEC205E-640px.mp4) “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters.” -Tom Soderstrom, CTO, NASA JPL
  • 22. RaEd Abudayyeh Cloud Security Lead, Emerging Markets Secure and Automate AWS Deployments with Next Generation Security.
  • 23. PALO ALTO NETWORKS APPS 3rd PARTY APPS CUSTOMER APPS SECURITY OPERATING PLATFORM LOGGING SERVICE THREAT INTEL DATA NETWORK ENDPOINT CLOUD APPLICATION FRAMEWORK
  • 24. LEADERSHIP IN CYBERSECURITY 63% of the Global 2K are Palo Alto Networks customers 29% year over year revenue growth* 85 of Fortune 100 rely on Palo Alto Networks #1 in Enterprise Security 54,000+ customers in 150+ countries Revenue trend 40% CAGR FY14 - FY18 FY14 FY15 FY16 FY17 FY18 • Q4FY2018. Fiscal year ends July 31. • Gartner, Market Share: Enterprise Network Equipment by Market Segment, Worldwide, 1Q18, 14 June 2018
  • 25. CONSISTENT PREVENTION EVERYWHERE SaaS PHYSICAL NETWORK PRIVATE CLOUD IaaS PaaS MOBILE 25 | © 2018 Palo Alto Networks. All Rights Reserved.
  • 27. AWS SECURITY = A SHARED RESPONSIBILITY AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Encryption Key Management Client & Server Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content Customers are responsible for their security IN the Cloud AWS looks after the security OF the platform
  • 29. SECURING THE CLOUD IS HARD Fragmented Security Human Error Manual Security
  • 30. “A Public Cloud Risk Model: Accepting Cloud Risk Is OK, Ignoring Cloud Risk Is Tragic,” Gartner, November 2, 2016 TRIVIA QUESTION! 95% Through 2020 Of cloud security failures will be the customer fault
  • 32. HOST Continuous security & compliance INLINE Protect and segment cloud workloads API-BASED Secure OS & app within workloads OUR VISION FOR CLOUD SECURITY
  • 33. EV WEB Object Storage Caching Database IaaS PaaS Web Server APP App Server THREE KEY SECURITY ELEMENTS INLINE Protect and Segment Cloud Workloads API HOST Secure OS & App Within Workloads API Continuous Security & Compliance On-Premises Virtual Private Cloud (VPC) Evident Traps VM-Series NGFW
  • 34. WEB Object Storage Caching Database IaaS PaaS Web Server APP App Server WEB Object Storage Caching Database IaaS PaaS Web Server APP App Server WEB Object Storage Caching Database IaaS PaaS Web Server APP App Server PROTECT AND SEGMENT CLOUD WORKLOADS VM-SERIES On-Premises Application visibility and workload segmentation Auto-scale based on triggers Prevent outbound and inbound attacks Virtual Private Cloud (VPC)
  • 35. CONTINUOUS MONITORING AND COMPLIANCE EVIDENT API Is MFA Enabled? Is any sensitive data exposed? What services are running? Who has access to this resource? Evident Discover and Monitor Resources Compliance Reporting Secure Storage Services EV
  • 36. APP WORKLOAD Lightweight Agent Real-time Exploit and Malware Protection Protects Unpatched Workloads WORKLOAD PROTECTION TRAPS Multi-method Attack Prevention Traps Advanced Endpoint Protections
  • 37. PLATFORM AUTOMATION URL Filtering CLOUD- DELIVERED SECURITY SERVICES WEB Object Storage Caching Database IaaS PaaS Web Server APP App Server API 3rd party feeds Customer data Amazon GuardDuty MineMeld Threat Prevention Malware Analysis EV Evident Traps VM-Series NGFW
  • 38. IAAS PAAS LET’S TALK SAAS SECURITY PRIVATE PHYSICAL SAAS
  • 39. SAAS SECURITY APPROACHES SaaS Native Security Limited Scope CASB Vendors Limited Security Legacy Content Security Limited Context
  • 40. OUR APPROACH TO SAAS SECURITY Remote Users Branch Headquarters Unmanaged Devices Managed Devices GlobalProtect Cloud Service NGFW Aperture API Sanctioned Tolerated Unsanctioned SaaS application visibility and granular enforcement delivered inline Monitor in-cloud activity and protect data with Aperture
  • 42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank you Rate my session. https://amzn.to/ottawa-sessions Track: Management Session: 9:00 AM - Secure and Automate AWS Deployments with Next-Generation Security How did we do? https://amzn.to/ottawa-summit

Editor's Notes

  1. AWS serves hundreds of thousands of customers in more than 190 countries. Amazon CloudFront and Amazon Route 53 services are offered at AWS Edge Locations
  2. This slide builds -
  3. Automate and Reduce Risk with Deeply Integrated Services. Automating security tasks on AWS enables you to be more secure by reducing human configuration errors and giving your team more time to focus on other work critical to your business. Select from a wide variety of deeply integrated solutions that can be combined to automate tasks in novel ways, making it easier for your security team to work closely with developer and operations teams to create and deploy code faster and more securely. For example, by employing technologies like machine learning, AWS enables you to automatically and continuously discover, classify, and protect sensitive data in AWS with just a few clicks in the AWS console. You can also automate infrastructure and application security checks to continually enforce your security and compliance controls and help ensure confidentiality, integrity, and availability at all times. Automate in a hybrid environment with our information management and security tools to easily integrate AWS as a seamless and secure extension of your on-premises and legacy environments. Automation helps reduce the amount of noise and manual work your security engineers have to pay attention to so they can focus their expertise where it really matters for your business. In this example:
     - Findings point to a compromised instance (e.g. Backdoor:EC2/XORDDOS, Backdoor:EC2/C&CActivity.B!DNS)
     - CloudWatch Event alarm triggers Lambda
     - Instance tag can be checked to see if automatic action can be taken or if manual intervention is needed (e.g. critical production services)
     - Lambda function: removes instance from current Security Group(s) and adds it to one with all ingress and egress blocked; snapshots EBS volume(s); alerts Security Team
  4. Now, let’s see how we can apply these three principles of cloud security to the public cloud – IaaS and PaaS services.
  5. And of course, to keep this in perspective, our goal is to secure the entire organization, with cloud included. Enterprise security, consistent and automated protections for all your locations, clouds and users.
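The remediation flow described in editor's note 3 above (GuardDuty finding delivered by a CloudWatch Events rule, Lambda checks an instance tag, moves the instance to a deny-all security group, snapshots its EBS volumes and alerts the team), as an added Python/boto3 sketch that is not part of this deck or of AWS's or Palo Alto Networks' code. The quarantine security group id, SNS topic ARN and RequiresManualResponse tag are placeholders, and the fake clients and sample finding are constructed so the logic runs offline.

```python
QUARANTINE_SG = "sg-0quarantine0placeholder"  # placeholder: group with no ingress/egress rules
ALERT_TOPIC = "arn:aws:sns:us-east-1:111122223333:security-alerts"  # placeholder topic
MANUAL_TAG = "RequiresManualResponse"  # hypothetical tag on critical production instances

def plan_response(event):
    """Classify a GuardDuty finding as delivered by CloudWatch Events. Returns (action, instance_id,
    finding_type): 'quarantine', 'alert-only' (tag says a human must act) or 'ignore' (no instance)."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return "ignore", None, detail.get("type")
    inst = resource["instanceDetails"]
    tags = {t["key"]: t["value"] for t in inst.get("tags", [])}
    action = "alert-only" if tags.get(MANUAL_TAG, "").lower() == "true" else "quarantine"
    return action, inst["instanceId"], detail["type"]

def quarantine(ec2, sns, instance_id, finding_type):
    """Isolate the instance, preserve evidence, then notify. Returns the snapshot ids."""
    # 1. Replace every security group on the instance with the deny-all group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    # 2. Snapshot each attached EBS volume before anyone touches the host.
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    vols = [m["Ebs"]["VolumeId"] for r in desc["Reservations"]
            for i in r["Instances"] for m in i.get("BlockDeviceMappings", [])]
    snaps = [ec2.create_snapshot(VolumeId=v, Description=f"{finding_type} {instance_id}")["SnapshotId"] for v in vols]
    sns.publish(TopicArn=ALERT_TOPIC, Subject=f"Quarantined {instance_id}",
                Message=f"{finding_type}; snapshots: {snaps}")
    return snaps

def handler(event, context=None, ec2=None, sns=None):
    """Lambda entry point; clients are injected so the logic can run offline."""
    if ec2 is None:
        import boto3  # real clients only when running inside Lambda
        ec2, sns = boto3.client("ec2"), boto3.client("sns")
    action, instance_id, finding_type = plan_response(event)
    result = {"action": action, "instance": instance_id}
    if action == "quarantine":
        result["snapshots"] = quarantine(ec2, sns, instance_id, finding_type)
    elif action == "alert-only":
        sns.publish(TopicArn=ALERT_TOPIC, Subject=f"Manual response needed: {instance_id}", Message=finding_type)
    return result

class FakeEC2:  # constructed stand-in for boto3's EC2 client
    def modify_instance_attribute(self, **kw): assert kw["Groups"] == [QUARANTINE_SG]
    def describe_instances(self, **kw):
        return {"Reservations": [{"Instances": [{"BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa"}}]}]}]}
    def create_snapshot(self, **kw): return {"SnapshotId": "snap-" + kw["VolumeId"][4:]}
class FakeSNS:  # constructed stand-in for boto3's SNS client
    def publish(self, **kw): pass
def sample_finding(tags):  # constructed event shaped like a GuardDuty finding from CloudWatch Events
    return {"detail": {"type": "Backdoor:EC2/C&CActivity.B!DNS", "resource": {"resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0", "tags": tags}}}}
```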