While security is a top concern in every organization these days, it often gets a bad rap. In many minds, security has the reputation of the bothersome villain who attempts to hinder performance or restrain agility. In this session we will outline three strategies to protect your valuable workloads, without falling into traditional security traps. We will walk through three stories of EC2 security superheroes who saved the day by overcoming compliance and design challenges, using a (not so) secret arsenal of AWS and Trend Micro security tools.
Key takeaways from this session include how to:
- Design a workload-centric security architecture
- Improve visibility of AWS-only or hybrid environments
- Stop patching live instances but still prevent exploits
Speaker: Sasha Pavlovic, Director, Cloud & Datacentre Security, Asia Pacific, Trend Micro
22. Shapeshift for Amazon Web Services
• Security inside each workload
• Protect instance-to-instance traffic
• Make it context sensitive (fast and low false-positive)
• No bottleneck
• No single point of failure
= CLOUD FRIENDLY IPS
29. Make Security Invisible for Amazon Web Services
• Build it in, not bolt on
• Fully automate security
• Automate record keeping for auditors
= SECURITY DESIGNED FOR AWS
33. Use X-ray vision on Amazon Web Services
• Use Integrity Monitoring and Log monitoring to see inside instances
• Detect suspicious changes that are indicators of compromise and unintended changes
= Total visibility
34. AWS is continuously independently audited
• GxP, ISO 13485, AS9100, ISO/TS 16949
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS is responsible for the security OF the Cloud
35. Security is shared between AWS and customers
• Customers have their choice of security configurations IN the Cloud: Customer applications & content; Platform, Applications, Identity & Access Management; Operating System, Network, & Firewall Configuration; Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
• AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
• Customers / Partner solutions – including Trend Micro
36. SANS/CIS TOP 20 CRITICAL SECURITY CONTROLS
1. Inventory of Authorized & Unauthorized Devices
2. Inventory of Authorized & Unauthorized Software
3. Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers
4. Continuous Vulnerability Assessment & Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, & Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring & Control
17. Security Skills Assessment & Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response Management
20. Penetration Tests & Red Team Exercises
41. Now to Introduce a Real World Superhero!
Chris Harwood
Healthdirect Australia
42. A little bit about Healthdirect
No matter where people live, or what time of the day or night it is, they can talk to a professional, find trusted advice online about how to manage their issue, and locate the closest appropriate and open service that meets their needs.
• mindhealthconnect
• after hours GP helpline
• My Aged Care
• Carer Gateway
• healthdirect
• Pregnancy, Birth and Baby
• National Health Services Directory
43. Healthdirect Australia Timeline
• 2006/2007: Established as the National Health Call Centre Network
• 2008: healthdirect 24/7 nurse triage helpline
• 2010: Pregnancy, Birth and Baby service
• 2011: after hours GP helpline
• 2012: mindhealthconnect (mental health website)
• 2012: National Health Services Directory
• 2013/2014: My Aged Care Gateway
• 2015: Carer Gateway
44. Risks of Healthdirect’s Traditional Environment
| Risk | Description | Rating |
| --- | --- | --- |
| Insufficient capacity | Scalability is limited by physical hardware | High |
| Limited environments | Sufficient environments too expensive | High |
| Ageing servers | Existing servers will need replacement within two years | Moderate |
| Lack of agility | New work is continually changing what is required of our infrastructure | Moderate |
| Difficult to manage | No consistency of management and service quality in the previously fragmented solution | Moderate |
| Inability to respond timeously | Procurement lead times too long and inability to try new things | Extreme |
| Cost inefficiency | Over investment is required in order to manage peak loads | Moderate |
45. Drivers for Amazon Web Services
• Improved security
• The world is software
• Easily Scale Up and Down
• Improve Agility & Time to Market
• Pay only for what you use
• Ability to optimise Performance
• Increased Availability
• Reduced skills requirements
46. Security is critical for Healthdirect Australia
Together Government and Healthcare made up over 40% of all data breaches in 2015
Trend Micro Follow The Data Report
47. Security Challenges
• Information Security Manual Compliance
• HIDS/HIPS mandatory
• Patching controls
• Small security staff complement for large diverse platform
• Privacy Act and sensitive data protection
• Perimeter is NOT good enough any more
48. Security Challenges
• Understanding the shared responsibility model
• Moving security staff from gatekeepers to participants
• Effective management of log and monitoring data
49. Trend Micro Deep Security to the Rescue
• DISA certified
• Host based firewalling and intrusion prevention
• Antivirus and anti-malware
• File integrity monitoring
• Log inspection
50. Trend Micro Deep Security to the Rescue (cont…)
• Server and desktop/laptop protection
• Single management ‘pane of glass’
• Trusted SSL certificate issuing
51. Why Deep Security Works for Us
• Healthdirect ISM accredited on AWS in 2015
• Virtual patching provides a compensating control
• Agent based fits with continuous delivery practices and secures AMIs above the hypervisor
52. Why Deep Security Works for Us (cont…)
• Usage based licensing fits with AWS autoscaling and instance scheduling
• Minimised security impact on each node
• Great support and easy to configure
53. For an opportunity to:
• Learn more about Trend Micro;
• Q&A with the experts, and;
• Get started with a Deep Security trial
Come and speak to us at the Trend Micro booth.
Booth# P1