From data that analyzed millions of resources across hundreds of customers, we’ve learned that human configuration errors that might expose your AWS resources have become increasingly common. The potential impact to security can be significant, and it’s critical for everyone to play their part in managing the risks. However, it’s important to first understand what risks need managing. In this session, we describe the five most common errors that we have distilled from our experience with customers, and we share how to best avoid these errors and their potential impact.

1. Top 5 Security Errors and
How to Avoid Them
Tim Prendergast
Chief Cloud Officer

2. Key findings based on customer
research and breach analysis

3. 49%
Of organizations leave their
databases unencrypted
• Encrypt, encrypt, encrypt!
• Encryption of Amazon S3 buckets
allows for that data to remain
untampered with and valid for said
audits down the road
• Encryption of RDS protect information
even if databases are compromised or
copied in a malicious manner

4. 41%Of account access keys
have not been rotated in
more than 90 days
• Rotate Keys Regularly
• Rotate ALL credentials, passwords,
and API Access Keys on a regular
basis

5. 32%Of organizations
publicly exposed at
least 1 Amazon S3
bucket
• Don’t let your Amazon S3 bucket policies
atrophy
• Strengthen Amazon S3 buckets with
either IAM Policies, Amazon S3 Bucket
Policies, or Amazon S3 Access Control
Lists

6. 29%
Of organizations enable
root user activities
• Disable Root Account API Access Key
• Create IAM admin users. At least 2, no
more than 3 per IAM group
• Grant access to billing information and
tools
• Disable/Remove the default AWS root
user API access keys

7. 27%
Of organizations leave
default network settings
for at least 1 account
• Always lock down the IP and port of
which you will gain access to your
AWS environment
• Only turn on access when it is needed
and off again once administrative work
has been accomplished

8. Why So Many Security Errors? Disparate Point Product Offerings
CSP NATIVE
TOOLS
CONTAINER
SECURITY TOOLS
8 | © 2019 Palo Alto Networks, Inc. Confidential and Proprietary.
OPSDEV
SIEM
NETWORK
MONITORING TOOLS
• Silo'd tools
• Can’t correlate across
network, user and
config
• Not multi-cloud
• Limited Compliance
• DIY security - too
much data, too much
noise
• Very expensive
• Only provides part of
the story
CASB
• IP addresses are
elastic in cloud
• Lacks cloud-native
context
GRC TOOLS
• Not built for cloud
• Great user & data context,
lacks infrastructure context
(network traffic, vuln, etc.)
• Lacks threat hunting and
incident response
• Higher TCO, requires
constant upkeep with
CSPs
• Limited coverage
OPEN SOURCE TOOLS

9. Effective Cloud Security: Series of Integrated Security Requirements
9 | © 2016, Palo Alto Networks. Confidential and Proprietary.
What’s actually happening?
Who is making changes and why?
What do I have in the cloud?
Are my hosts and containers secure?
Is my app & data secure?
Network Security / Flow Logs / Threat Intel
Credentials / Actions / Identity
Asset Inventory
Runtime Security / Image & Vuln Scanning
DLP / Serverless / AppSec
Am I compliant? Configurations / Compliance Reporting

10. The Problems We Can Help You Solve
10 | © 2016, Palo Alto Networks. Confidential and Proprietary.
Network Security / Flow Logs / Threat Intel
Credentials / Actions / Identity
Visibility / Configurations / Compliance
Runtime Security / Image & Vuln Scanning
DLP / Serverless / AppSec
• Real-time network visibility and incident investigations
• Suspicious/malicious traffic detection
• Virtual firewall for in-line protection (VM-series)
• Account & access key compromise detection
• Anomalous insider activity detection
• Privileged activity monitoring
• Asset inventory tracking and cloud “time machine”
• Compliance scanning (CIS, PCI, GDPR, etc.)
• Configuration best practices
• Runtime security*
• Static image analysis (vulnerabilities and compliance)*
• Configuration monitoring (for cloud native)
• Serverless*
• DLP & malware scanning
* Potential future roadmap

11. The Most Complete Cloud Security Offering
11 | © 2018, Palo Alto Networks. All Rights Reserved.
Detective
control
Infrastructure
security
Incident
response
Data
protection
Visit Our Booth to Learn More

12. THANK YOU