SlideShare uma empresa Scribd logo

Architect secure cloud services.

Moshe Ferber
Moshe Ferber

My SACON.IO conference presentation about how to architect secure IaaS/PaaS services. Presentation mostly uses AWS examples, but relevant also to Azure / GCE and similar services.

Tecnologia
1 de 36
SACON SACON International 2017 Moshe Ferber CSA Israel @Ferbermoshe India | Bangalore | November 10 – 11 | Hotel Lalit Ashok Architecting secure cloud services
SACON 2017 About myself  Information security professional for over 20 years  Founder, partner and investor at various cyber initiatives and startups  Popular industry speaker & lecturer (DEFCON, BLACKHAT, RSA and more)  Founding committee member for ISC2 CCSP certification.  CCSK Certification lecturer for the Cloud Security Alliance.  Member of the board at Macshava Tova – Narrowing societal gaps  Chairman of the Board, Cloud Security Alliance, Israeli Chapter
SACON 2017 So, what is cloud?
SACON 2017 SaaS PaaS IaaS Private Hybrid Public Cloud Services are very different in nature Cloud Services are very different in nature
SACON 2017Physical Security Network & Data Center Security Hypervisors Security Virtual Machines & OS security Data layer & development platform Application Identity Management DATA Audit & Monitoring IaaS PaaS SaaS Consumer responsibility Provider responsibility The shared responsibility model
SACON 2017 The CISO Challenge How to build secure applications How to correctly evaluate your provider IaaS/PaaS SaaS
SACON 2017 Our focus today IaaS PaaS SaaS
SACON 2017 Terminology AWS IaaS PaaS Instance Image Snapshot ELB Root Account IAM user
SACON 2017 Architecting for availability US WEST Region AZ1 AZ2 AZ3 AZ4 Singapore Region AZ1 AZ2 AZ3 Mumbai Region AZ1 AZ2 Regions vs. Availability Zones
SACON 2017 Architecting for availability DB Mumbai AZ-1 DB DB Internet Load Balancer Redundancy in one region Mumbai AZ-2 WWWWWW WWW Mumbai AZ-3
SACON 2017 Architecting for availability DB US-EAST1 DB DB External CDN US-EAST2 2nd provider Redundancy in multiple regions/clouds WWWWWWWWW
SACON 2017 Architecting for availability • CDN providers can add resiliency, flexibility & redundancy • Look for vendors who can add functionality: DDOS protection Web application firewall Load Balancing DNS management
SACON 2017 Architecting for network separation Mumbai AZ-2 Mumbai AZ-3Mumbai AZ-1 DB WWW WWWWWW DBDB Understanding VPC (Virtual Private Cloud) / Virtual Network DB WWW WWWWWW DBDB VPC A: Production VPC B: Test
SACON 2017 DB Subnet MNGT subnetWeb SUBNET WWW WWW Understanding VPC (Virtual Private Cloud) / Virtual Network WWW Router DB DB DB MQ Monitoring Logs Production VPC 192.168.0.0 192.168.2.0192.168.1.0 203.0.115.0 192.168.3.0 Architecting for network separation
SACON 2017 Understanding VPC (Virtual Private Cloud) / Virtual Network VPC is logical grouping of subnets & instances, virtualizing physical data center features Architecting for network separation
SACON 2017 Understanding Security groups Mumbai AZ-2 Mumbai AZ-3Mumbai AZ-1 WWW WWWWWW DBDB DB Security Group: web-servers Allow: 80/443 Security Group: DB-servers Allow: 3306 (MYSQL) Architecting for network separation
SACON 2017 The advantages of Micro Segmentation Architecting for network separation Traditional Micro segmentation
SACON 2017 Additional VPC tools Architecting for network separation NAT Gateway Direct Connect Bastion Host VPN Gateway Network ACLs Flow logs
SACON 2017 Architecting for network separation Test VPC Router WWW Application DB Internet Production VPC WWW Application DB NAT Gateway Corporate network VPN Access VPC Bastion Host S3 EndPoint
SACON 2017 Web Application Firewall options Architecting for application separation 3rd party as a service Internal Provider service WAF Proxy inside cloud WAF client on web instances
SACON 2017 Build application separation Architecting for application separation Utilize MQ services to separate application components Use API Gateways & Serverless functions
SACON 2017 Architecting for application separation Front End Back End Queue Service S3 Storage Serverless Function ApplicationServices
SACON 2017 Architecting for application separation Front End Back End Queue Service
SACON 2017 Limiting blast Radius Root Account IAM Admin Security Auditor Billing Admin Super Admin Service 1 Admin Service 2 Admin
SACON 2017 Limiting blast Radius Organization Production account Test Account MNGT Account Production VPC WWW Application DB NAT Test VPC WWW Application DB NAT MNGT VPC WWW Application DB NAT
SACON 2017 Understanding storage options Architecting for data security Volume Storage • Attached to a single instance • Not shared, accessible only from the instance • Useful in storing instance OS environment , application binaries , DB files and anything instances need to operate Object Storage • Provider managed • Files are placed in buckets • Versioning & meta data kept for all objects • Files are accessible by API or HTTP • Independent from AZ or instances dependencies • Useful for storing static applications data, backups, source code and config files Database service • Provider managed • Files are accessible by DB API • Vary between different services: (structured, unstructured and more) • Usually customer has no access to underlying DB infrastructure CDN • Cloud provider proprietary service or external 3rd party services • Provide flexibility and resiliency • Useful in serving static content at late latency • Usually accompanied by additional services: WAF, DDOS protection, Load balancer…
SACON 2017 Volume storage Architecting for data security Backups • Usually snapshots • Customer responsibility to keep snapshots inaccessible • Don’t keep application secrets on disk Redundancy • Not redundant • Access is made by a service on the instance OS (web service I.e) • If service fails, no access Encryption • Storage encryption with provider service (i.e. AWS KMS, Azure keyvault) • Or OS Level encryption software (i.e. truecrypt, bitlocker)
SACON 2017 Object storage Architecting for data security Backups • Keeps versioning system of files • External backups are recommended (explore provider services) Redundancy • Availability is responsibility of the provider • Increased availability can be achieved by replicating to other regions Encryption • Service side: Storage encryption with provider service (i.e. AWS KMS, Azure key vault) • Or Client side using provider SDK
SACON 2017 Database Storage (Database as a service) Architecting for data security Backups • Automated backups are made by provider • External exports and backups should be made periodically, just as any other database Redundancy • Availability is responsibility of the provider but managed by customer • Architect multiple AZ Encryption • Service side: Storage encryption with provider service usually at the database level • TDE can be used here as well to encrypt at table/ column level
SACON 2017 Encryption Architecting for data security OS Storage DB Application Encryption Layer TDE Storage Encryption Full Disk Encryption Software KMS HSM Virtual instance KEYS
SACON 2017 A r c h i t e c t i n g f o r C I / C D Source: Cloud Security Alliance Guidelines
SACON 2017 A r c h i t e c t i n g f o r C I / C D Source : AWS Security best practices
SACON 2017 A r c h i t e c t i n g f o r L o g M a n a g e m e n t Portal Logs • Cover API & GUI access Traffic Logs • Network traffic inside VPC Instances Logs • Extracted just like traditional OS
SACON 2017 A r c h i t e c t i n g f o r M o n i t o r i n g Cloud Trail S3 SIEM Agent Cloud WATCH (Rules & Alerts) SNS (notifications) VPC Flow Logs OS Logs
SACON 2017 Questions?
SACON 2017 KEEP IN TOUCH Cloud Security Course Schedule can be find at: http://www.onlinecloudsec.com/course-schedule

Recomendados

Cloud security for financial services
Cloud security for financial servicesCloud security for financial services
Cloud security for financial services
Moshe Ferber
 
Surviving the lions den - how to sell SaaS services to security oriented cust...
Surviving the lions den - how to sell SaaS services to security oriented cust...Surviving the lions den - how to sell SaaS services to security oriented cust...
Surviving the lions den - how to sell SaaS services to security oriented cust...
Moshe Ferber
 
What the auditor need to know about cloud computing
What the auditor need to know about cloud computingWhat the auditor need to know about cloud computing
What the auditor need to know about cloud computing
Moshe Ferber
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
Moshe Ferber
 
The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing
Moshe Ferber
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...
Moshe Ferber
 
Cloud security what to expect (introduction to cloud security)
Cloud security what to expect (introduction to cloud security)Cloud security what to expect (introduction to cloud security)
Cloud security what to expect (introduction to cloud security)
Moshe Ferber
 
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
Moshe Ferber
 

Recomendados

Cloud security for financial services
Cloud security for financial servicesCloud security for financial services
Cloud security for financial services
Moshe Ferber
 
Surviving the lions den - how to sell SaaS services to security oriented cust...
Surviving the lions den - how to sell SaaS services to security oriented cust...Surviving the lions den - how to sell SaaS services to security oriented cust...
Surviving the lions den - how to sell SaaS services to security oriented cust...
Moshe Ferber
 
What the auditor need to know about cloud computing
What the auditor need to know about cloud computingWhat the auditor need to know about cloud computing
What the auditor need to know about cloud computing
Moshe Ferber
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
Moshe Ferber
 
The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing
Moshe Ferber
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...
Moshe Ferber
 
Cloud security what to expect (introduction to cloud security)
Cloud security what to expect (introduction to cloud security)Cloud security what to expect (introduction to cloud security)
Cloud security what to expect (introduction to cloud security)
Moshe Ferber
 
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
Moshe Ferber
 
Aligning Risk with Growth - Cloud Security for startups
Aligning Risk with Growth - Cloud Security for startupsAligning Risk with Growth - Cloud Security for startups
Aligning Risk with Growth - Cloud Security for startups
Moshe Ferber
 
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San JoseThe Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
Moshe Ferber
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
Vladimir Jirasek
 
CLOUDSEC LONDON 2016 - Puneet Kukreja - Enabling Cloud Security -
CLOUDSEC LONDON 2016 - Puneet Kukreja - Enabling Cloud Security - CLOUDSEC LONDON 2016 - Puneet Kukreja - Enabling Cloud Security -
CLOUDSEC LONDON 2016 - Puneet Kukreja - Enabling Cloud Security -
Puneet Kukreja
 
Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB
Samrat Das
 
C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud security
Vladimir Jirasek
 
Cloud risk and business continuity v21
Cloud risk and business continuity v21Cloud risk and business continuity v21
Cloud risk and business continuity v21
Jorge Sebastiao
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
Vladimir Jirasek
 
Cloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption ExplainedCloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption Explained
Porticor - The Cloud Security Experts
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
Amazon Web Services
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Himani Singh
 
Cloud Access Security Brokers
Cloud Access Security BrokersCloud Access Security Brokers
Cloud Access Security Brokers
Abhishek Tripathi
 
Cloud security
Cloud securityCloud security
Cloud security
BikashPokharel3
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Service
George Fares
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Netskope
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
The TNS Group
 
Comprehensive Information on CASB
Comprehensive Information on CASBComprehensive Information on CASB
Comprehensive Information on CASB
HTS Hosting
 
Securing virtual workload and cloud
Securing virtual workload and cloudSecuring virtual workload and cloud
Securing virtual workload and cloud
Himani Singh
 
Workshop: Threat Intelligence - Part 1
Workshop: Threat Intelligence - Part 1Workshop: Threat Intelligence - Part 1
Workshop: Threat Intelligence - Part 1
Priyanka Aash
 
CASB — Your new best friend for safe cloud adoption?
CASB — Your new best friend for safe cloud adoption? CASB — Your new best friend for safe cloud adoption?
CASB — Your new best friend for safe cloud adoption?
Digital Transformation EXPO Event Series
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
Moshe Ferber
 
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Amazon Web Services
 

Mais conteúdo relacionado

Mais procurados

2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
Vladimir Jirasek
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
Amazon Web Services
 

Mais procurados (20)

Aligning Risk with Growth - Cloud Security for startups
Aligning Risk with Growth - Cloud Security for startupsAligning Risk with Growth - Cloud Security for startups
Aligning Risk with Growth - Cloud Security for startups
 
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San JoseThe Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
 
CLOUDSEC LONDON 2016 - Puneet Kukreja - Enabling Cloud Security -
CLOUDSEC LONDON 2016 - Puneet Kukreja - Enabling Cloud Security - CLOUDSEC LONDON 2016 - Puneet Kukreja - Enabling Cloud Security -
CLOUDSEC LONDON 2016 - Puneet Kukreja - Enabling Cloud Security -
 
Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB
 
C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud security
 
Cloud risk and business continuity v21
Cloud risk and business continuity v21Cloud risk and business continuity v21
Cloud risk and business continuity v21
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
 
Cloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption ExplainedCloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption Explained
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
 
Cloud Access Security Brokers
Cloud Access Security BrokersCloud Access Security Brokers
Cloud Access Security Brokers
 
Cloud security
Cloud securityCloud security
Cloud security
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Service
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Comprehensive Information on CASB
Comprehensive Information on CASBComprehensive Information on CASB
Comprehensive Information on CASB
 
Securing virtual workload and cloud
Securing virtual workload and cloudSecuring virtual workload and cloud
Securing virtual workload and cloud
 
Workshop: Threat Intelligence - Part 1
Workshop: Threat Intelligence - Part 1Workshop: Threat Intelligence - Part 1
Workshop: Threat Intelligence - Part 1
 
CASB — Your new best friend for safe cloud adoption?
CASB — Your new best friend for safe cloud adoption? CASB — Your new best friend for safe cloud adoption?
CASB — Your new best friend for safe cloud adoption?
 

Semelhante a Architect secure cloud services.

Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Amazon Web Services
 
Verizon: Modernizing Enterprise Infrastructure with AWS - WIN307 - re:Invent ...
Verizon: Modernizing Enterprise Infrastructure with AWS - WIN307 - re:Invent ...Verizon: Modernizing Enterprise Infrastructure with AWS - WIN307 - re:Invent ...
Verizon: Modernizing Enterprise Infrastructure with AWS - WIN307 - re:Invent ...
Amazon Web Services
 
Cisco’s Cloud Strategy, including our acquisition of CliQr
Cisco’s Cloud Strategy, including our acquisition of CliQr Cisco’s Cloud Strategy, including our acquisition of CliQr
Cisco’s Cloud Strategy, including our acquisition of CliQr
Cisco Canada
 
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS
Deploy a DoD Secure Cloud Computing Architecture Environment in AWSDeploy a DoD Secure Cloud Computing Architecture Environment in AWS
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS
Amazon Web Services
 
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Amazon Web Services
 
Deep Dive - Hybrid Architectures
Deep Dive - Hybrid ArchitecturesDeep Dive - Hybrid Architectures
Deep Dive - Hybrid Architectures
Amazon Web Services
 

Semelhante a Architect secure cloud services. (20)

Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
 
Azure Storage
Azure StorageAzure Storage
Azure Storage
 
Bulletproof & Xero Presentation - AWS Summit Auckland
Bulletproof & Xero Presentation - AWS Summit AucklandBulletproof & Xero Presentation - AWS Summit Auckland
Bulletproof & Xero Presentation - AWS Summit Auckland
 
Verizon: Modernizing Enterprise Infrastructure with AWS - WIN307 - re:Invent ...
Verizon: Modernizing Enterprise Infrastructure with AWS - WIN307 - re:Invent ...Verizon: Modernizing Enterprise Infrastructure with AWS - WIN307 - re:Invent ...
Verizon: Modernizing Enterprise Infrastructure with AWS - WIN307 - re:Invent ...
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Cisco’s Cloud Strategy, including our acquisition of CliQr
Cisco’s Cloud Strategy, including our acquisition of CliQr Cisco’s Cloud Strategy, including our acquisition of CliQr
Cisco’s Cloud Strategy, including our acquisition of CliQr
 
Transitioning to the Next Generation Hybrid Cloud Operating Model- AWS Summit...
Transitioning to the Next Generation Hybrid Cloud Operating Model- AWS Summit...Transitioning to the Next Generation Hybrid Cloud Operating Model- AWS Summit...
Transitioning to the Next Generation Hybrid Cloud Operating Model- AWS Summit...
 
IaaS Cloud Providers: A comparative analysis
IaaS Cloud Providers: A comparative analysisIaaS Cloud Providers: A comparative analysis
IaaS Cloud Providers: A comparative analysis
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
 
Cloud Reference Architecture - Part 1 Foundation
Cloud Reference Architecture - Part 1 FoundationCloud Reference Architecture - Part 1 Foundation
Cloud Reference Architecture - Part 1 Foundation
 
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS
Deploy a DoD Secure Cloud Computing Architecture Environment in AWSDeploy a DoD Secure Cloud Computing Architecture Environment in AWS
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS
 
AWS Summit Auckland Sponsor presentation - Bulletproof
AWS Summit Auckland Sponsor presentation - BulletproofAWS Summit Auckland Sponsor presentation - Bulletproof
AWS Summit Auckland Sponsor presentation - Bulletproof
 
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
 
The Evolution of Cloud Architectures: Focusing More on the Business Logic
The Evolution of Cloud Architectures: Focusing More on the Business LogicThe Evolution of Cloud Architectures: Focusing More on the Business Logic
The Evolution of Cloud Architectures: Focusing More on the Business Logic
 
Azure Community Tour 2019 - AZUGDK
Azure Community Tour 2019 - AZUGDKAzure Community Tour 2019 - AZUGDK
Azure Community Tour 2019 - AZUGDK
 
Systems Operations for Windows Workloads
Systems Operations for Windows WorkloadsSystems Operations for Windows Workloads
Systems Operations for Windows Workloads
 
Deep Dive - Hybrid Architectures
Deep Dive - Hybrid ArchitecturesDeep Dive - Hybrid Architectures
Deep Dive - Hybrid Architectures
 
Hybrid Infrastructure Integration
Hybrid Infrastructure IntegrationHybrid Infrastructure Integration
Hybrid Infrastructure Integration
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Último (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

Architect secure cloud services.

  • 1. SACON SACON International 2017 Moshe Ferber CSA Israel @Ferbermoshe India | Bangalore | November 10 – 11 | Hotel Lalit Ashok Architecting secure cloud services
  • 2. SACON 2017 About myself  Information security professional for over 20 years  Founder, partner and investor at various cyber initiatives and startups  Popular industry speaker & lecturer (DEFCON, BLACKHAT, RSA and more)  Founding committee member for ISC2 CCSP certification.  CCSK Certification lecturer for the Cloud Security Alliance.  Member of the board at Macshava Tova – Narrowing societal gaps  Chairman of the Board, Cloud Security Alliance, Israeli Chapter
  • 4. SACON 2017 SaaS PaaS IaaS Private Hybrid Public Cloud Services are very different in nature Cloud Services are very different in nature
  • 5. SACON 2017Physical Security Network & Data Center Security Hypervisors Security Virtual Machines & OS security Data layer & development platform Application Identity Management DATA Audit & Monitoring IaaS PaaS SaaS Consumer responsibility Provider responsibility The shared responsibility model
  • 6. SACON 2017 The CISO Challenge How to build secure applications How to correctly evaluate your provider IaaS/PaaS SaaS
  • 7. SACON 2017 Our focus today IaaS PaaS SaaS
  • 8. SACON 2017 Terminology AWS IaaS PaaS Instance Image Snapshot ELB Root Account IAM user
  • 9. SACON 2017 Architecting for availability US WEST Region AZ1 AZ2 AZ3 AZ4 Singapore Region AZ1 AZ2 AZ3 Mumbai Region AZ1 AZ2 Regions vs. Availability Zones
  • 10. SACON 2017 Architecting for availability DB Mumbai AZ-1 DB DB Internet Load Balancer Redundancy in one region Mumbai AZ-2 WWWWWW WWW Mumbai AZ-3
  • 11. SACON 2017 Architecting for availability DB US-EAST1 DB DB External CDN US-EAST2 2nd provider Redundancy in multiple regions/clouds WWWWWWWWW
  • 12. SACON 2017 Architecting for availability • CDN providers can add resiliency, flexibility & redundancy • Look for vendors who can add functionality: DDOS protection Web application firewall Load Balancing DNS management
  • 13. SACON 2017 Architecting for network separation Mumbai AZ-2 Mumbai AZ-3Mumbai AZ-1 DB WWW WWWWWW DBDB Understanding VPC (Virtual Private Cloud) / Virtual Network DB WWW WWWWWW DBDB VPC A: Production VPC B: Test
  • 14. SACON 2017 DB Subnet MNGT subnetWeb SUBNET WWW WWW Understanding VPC (Virtual Private Cloud) / Virtual Network WWW Router DB DB DB MQ Monitoring Logs Production VPC 192.168.0.0 192.168.2.0192.168.1.0 203.0.115.0 192.168.3.0 Architecting for network separation
  • 15. SACON 2017 Understanding VPC (Virtual Private Cloud) / Virtual Network VPC is logical grouping of subnets & instances, virtualizing physical data center features Architecting for network separation
  • 16. SACON 2017 Understanding Security groups Mumbai AZ-2 Mumbai AZ-3Mumbai AZ-1 WWW WWWWWW DBDB DB Security Group: web-servers Allow: 80/443 Security Group: DB-servers Allow: 3306 (MYSQL) Architecting for network separation
  • 17. SACON 2017 The advantages of Micro Segmentation Architecting for network separation Traditional Micro segmentation
  • 18. SACON 2017 Additional VPC tools Architecting for network separation NAT Gateway Direct Connect Bastion Host VPN Gateway Network ACLs Flow logs
  • 19. SACON 2017 Architecting for network separation Test VPC Router WWW Application DB Internet Production VPC WWW Application DB NAT Gateway Corporate network VPN Access VPC Bastion Host S3 EndPoint
  • 20. SACON 2017 Web Application Firewall options Architecting for application separation 3rd party as a service Internal Provider service WAF Proxy inside cloud WAF client on web instances
  • 21. SACON 2017 Build application separation Architecting for application separation Utilize MQ services to separate application components Use API Gateways & Serverless functions
  • 22. SACON 2017 Architecting for application separation Front End Back End Queue Service S3 Storage Serverless Function ApplicationServices
  • 23. SACON 2017 Architecting for application separation Front End Back End Queue Service
  • 24. SACON 2017 Limiting blast Radius Root Account IAM Admin Security Auditor Billing Admin Super Admin Service 1 Admin Service 2 Admin
  • 25. SACON 2017 Limiting blast Radius Organization Production account Test Account MNGT Account Production VPC WWW Application DB NAT Test VPC WWW Application DB NAT MNGT VPC WWW Application DB NAT
  • 26. SACON 2017 Understanding storage options Architecting for data security Volume Storage • Attached to a single instance • Not shared, accessible only from the instance • Useful in storing instance OS environment , application binaries , DB files and anything instances need to operate Object Storage • Provider managed • Files are placed in buckets • Versioning & meta data kept for all objects • Files are accessible by API or HTTP • Independent from AZ or instances dependencies • Useful for storing static applications data, backups, source code and config files Database service • Provider managed • Files are accessible by DB API • Vary between different services: (structured, unstructured and more) • Usually customer has no access to underlying DB infrastructure CDN • Cloud provider proprietary service or external 3rd party services • Provide flexibility and resiliency • Useful in serving static content at late latency • Usually accompanied by additional services: WAF, DDOS protection, Load balancer…
  • 27. SACON 2017 Volume storage Architecting for data security Backups • Usually snapshots • Customer responsibility to keep snapshots inaccessible • Don’t keep application secrets on disk Redundancy • Not redundant • Access is made by a service on the instance OS (web service I.e) • If service fails, no access Encryption • Storage encryption with provider service (i.e. AWS KMS, Azure keyvault) • Or OS Level encryption software (i.e. truecrypt, bitlocker)
  • 28. SACON 2017 Object storage Architecting for data security Backups • Keeps versioning system of files • External backups are recommended (explore provider services) Redundancy • Availability is responsibility of the provider • Increased availability can be achieved by replicating to other regions Encryption • Service side: Storage encryption with provider service (i.e. AWS KMS, Azure key vault) • Or Client side using provider SDK
  • 29. SACON 2017 Database Storage (Database as a service) Architecting for data security Backups • Automated backups are made by provider • External exports and backups should be made periodically, just as any other database Redundancy • Availability is responsibility of the provider but managed by customer • Architect multiple AZ Encryption • Service side: Storage encryption with provider service usually at the database level • TDE can be used here as well to encrypt at table/ column level
  • 30. SACON 2017 Encryption Architecting for data security OS Storage DB Application Encryption Layer TDE Storage Encryption Full Disk Encryption Software KMS HSM Virtual instance KEYS
  • 31. SACON 2017 A r c h i t e c t i n g f o r C I / C D Source: Cloud Security Alliance Guidelines
  • 32. SACON 2017 A r c h i t e c t i n g f o r C I / C D Source : AWS Security best practices
  • 33. SACON 2017 A r c h i t e c t i n g f o r L o g M a n a g e m e n t Portal Logs • Cover API & GUI access Traffic Logs • Network traffic inside VPC Instances Logs • Extracted just like traditional OS
  • 34. SACON 2017 A r c h i t e c t i n g f o r M o n i t o r i n g Cloud Trail S3 SIEM Agent Cloud WATCH (Rules & Alerts) SNS (notifications) VPC Flow Logs OS Logs
  • 36. SACON 2017 KEEP IN TOUCH Cloud Security Course Schedule can be find at: http://www.onlinecloudsec.com/course-schedule