SlideShare a Scribd company logo

DevSecOps-Teams das Security-Steuer überlassen

BATbern
BATbern

Public-Cloud Kunden, haben Multi-Account Architekturen (z.B. Landing Zone), um den DevOps-Teams Autonomie und Geschwindigkeit zu geben. In diesem Umfeld zentrale Security Anforderungen im Bezug Governance und Compliance zu erfüllen, ist eine Herausforderung. Nuvibit Semper unterstützt die Reise vom DevOps- zum DevSecOps-Team, indem es erlaubt, Security Anforderungen durch das Applikations-Team zu spezifizieren und direkt zu applizieren. Unterschiedliche Anforderungen für z.B. Dev, Test, Prod können mit Policies spezifiziert werden. Die Lösung zeigt, was mit AWS nativen Security Services erreicht werden kann.

Presentations & Public Speaking
1 of 53
Download to read offline
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. DevSecOps-Teams das Security-Steuer überlassen B A T B E R N 4 7 Z U " S H I F T L E F T E V E R Y T H I N G "
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Introduction
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS global infrastructure 26 geographical regions, 84 availability zones, 310+ POPs Region & number of Availability Zones (AZs) GovCloud (U.S.) Europe U.S.-East (3), US-West (3) Frankfurt (3), Paris (3), Ireland (3), Stockholm (3), U.S. West London (3), Milan (3) Oregon (4) Northern California (3) U.S. East N. Virginia (6), Ohio (3) Middle East Bahrain (3) Canada Asia Pacific Central (3) Singapore (3), Sydney (3), Jakarta (3), Tokyo (4), Osaka (3) South America São Paulo (3) Seoul (4), Mumbai (3), Hong Kong (3) Africa China Cape Town (3) Beijing (2), Ningxia (3) Announced Regions 8 Regions and 24 AZs in Australia, Canada, India, Israel, Australia, Switzerland, Spain, and United Arab Emirates (UAE)
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS region design AWS Regions are comprised of multiple AZs for high availability, high scalability, and high fault tolerance. Applications and data are replicated in real time and consistent in the different AZs. AWS Availability Zone (AZ) A Region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. AZ AZ AZ AZ Transit Transit Datacenter Datacenter Datacenter AWS Region
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is an AWS account? Each AWS account: • Is a resource container/isolation boundary for AWS services • Is an explicit security boundary • Is a container for cost tracking and billing Security tooling Templates & Images Workload AWS account AWS account AWS account
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. With one account… Workload Workload Workload Workload Workload Workload VPC 1 VPC 2 Private subnet Public subnet VPC 3 AWS account
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Benefits of a multi-account environment Centrally provision accounts and resources Share resources and control access Optimize costs Secure and audit your environment for compliance Benefits Many teams Business process Billing Simplify billing Isolation & security Tight security boundaries Innovate with exclusive resources for each team Organize AWS accounts Use cases
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. With multiple accounts… Workload Sec tooling Templates & images Workload Workload Workload Dev VPC Management account AWS account AWS account AWS account AWS account AWS account AWS account
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. A Is for “Alice” and B Is for “Bob” Alice follows best practices Bob does NOT follow best practices
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Bill’s Bad Day AWS Account Internal Data Service S3 Bucket “Data Backup” S3 Bucket “Website Images” Web Server Instance AWS Cloud VPC Internet Internet Gateway Bob
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Account Internal Data Service S3 Bucket “Data Backup” Intruder S3 Bucket “Website Images” Web Server Instance 1 2 3 4 5 Bill’s Bad Day 1 Access the vulnerable web application 2 Pivot to the data service 3 Delete the website image files 4 Change permissions to the data backup 5 Download the data backup AWS Cloud VPC Internet Internet Gateway Bob
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Bill’s Bad Day No web application protection 2 No segmentation 3 One account 4 All permissions granted 5 Sensitive data not encrypted 1 6 No logging, monitoring, alerting … now let’s help Alice have a great day! Alice AWS Account Internal Data Service S3 Bucket “Data Backup” S3 Bucket “Website Images” Web Server Instance AWS Cloud VPC Internet Internet Gateway Bob
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved. Best-of-the-Best Practices: Logging and Monitoring 1) Turn on logging in all accounts, for all services, in all regions The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. GuardDuty provides managed threat intelligence and findings. 2) Use the AWS platform’s built-in monitoring and alerting features Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity. Amazon GuardDuty AWS CloudTrail AWS Config AWS Security Hub
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is AWS Config? AWS Config = Continuous configuration auditor Changing resources AWS Config Normalized AWS Config rules Notifications API access History, snapshot
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. CloudTrail provides audit logs for AWS An audit log of an AWS account’s authenticated request to perform an action with an AWS service and its resources
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. How Amazon GuardDuty works? VPC flow logs DNS Logs CloudTrail Events Findings Data Sources Threat intelligence Anomaly Detection (ML) AWS Security Hub • Alert • Remediate • Partner Solutions • Send to SIEM CloudWatch Event Finding Types Examples Bitcoin Mining C&C Activity Unusual User behavior Example: • Launch instance • Change Network Permissions Amazon GuardDuty Threat Detection Types HIGH MEDIUM LOW Unusual traffic patterns Example: • Unusual ports and volume Amazon Detective S3 Data Plane Events EKS control plane logs
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security Hub overview AWS Identity and Access Management Access Analyzer
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Many AWS accounts and many Security Finding Workload Dev VPC AWS account Workload Dev VPC AWS account Workload Dev VPC AWS account Workload Dev VPC AWS account Workload Dev VPC AWS account
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank you!
Shift Left AWS Security 17.06.2022, Michael Ullrich
Who is Nuvibit? • Nuvibit AG • Founded in 2021 in Switzerland • 100% Focus on AWS • Focus large AWS Multi-Account Environments and Security • Addicted to Everything as Code
Discover your Security Findings
AWS has cool native Services Fully integrated Security Standards: • AWS Foundational Security Best Practices v1.0.0: 143 controls per account • CIS AWS Foundations Benchmark v1.2.0: 43 controls per account • PCI DSS v3.2.1: 45 controls per account More than 100 threat-detections for: • EC2 • IAM • S3 • Kubernetes AWS Security Hub Amazon GuardDuty Amazon CloudWatch Logs Insights
• 3.1 Monitor for unauthorized API calls • 3.2 Monitor for AWS Management Console sign-in without MFA • 3.3 Monitor for usage of root account • 3.5 Monitor for CloudTrail configuration changes • 3.6 Monitor for AWS Management Console authentication failures • 3.7 Monitor for disabling or scheduled deletion of customer created CMKs • 3.8 Monitor for S3 bucket policy changes • 3.9 Monitor for AWS Config configuration changes • 3.10 Monitor for security group changes • 3.11 Monitor for changes to Network Access Control Lists (NACL) • 3.12 Monitor for changes to network gateways • 3.13 Monitor for route table changes • 3.14 Monitor for VPC changes Control Details Nuvibit Blog Post How do you monitor the CIS AWS 3.x controls?
Customer Challenges we faced • General Security Controls are not applicable for all workloads (i.e. sandbox accounts) • Some workloads require custom Security Controls • Large amounts of false positives / accepted findings clutter our monitoring • Transparent Security Control and -Finding customization • Fast rollout of new Security Controls (in a large set of accounts) • From Paper Policies to reproducible Results (Security as Code)
Your AWS Accounts are heterogeneous! You need good Tailoring! 1. AWS Foundational Security Best Practices standard 2. CIS AWS Foundations Benchmark controls 3. PCI DSS controls
Cluster your AWS Accounts AWS Account comes with: • Account ID • OU-ID • Account Tags Security / Foundation Team Workload A Team
Use Case - Root Login In Production & Core • CIS AWS 3.3 Benchmark: Monitor for usage of root account • Security Team: In Production- & Core Accounts the security control must generate an alarm Security / Compliance Team
Use Case - Security Group Security / Compliance Team Workload A Team Workload X Team • CIS AWS 3.10: Monitor for Security Group changes • Security Team: Only in Production accounts monitor for Security Group changes • Workload A Team: For Production Workload A filter out inbound TCP port 80 / 443 rules • Workload X Team: For Production Workload X alarm on inbound TCP port 22 (SSH) rules
Examples of raw Security Finding Messages
Use Case - Security Group Security / Compliance Team Detect Condition • Only in Production accounts monitor for Security Group changes
Use Case - Security Group Workload A Team Drop Condition • For Production Workload A filter out inbound TCP port 80 / 443 rules
Use Case - Security Group Workload X Team Response Instruction Condition Response-Examples: • Notification • Alarming • Ticket • Auto-Remediation • For Production Workload X alarm on inbound TCP port 22 (SSH) rules
Let’s dive slightly deeper
Use Case - Security Group - Demo Security / Compliance Team Workload A Team Workload X Team • CIS AWS 3.10: Monitor for Security Group changes • Security Team: Only in Production accounts monitor for Security Group changes • Workload A Team: For Production Workload A filter out inbound TCP port 80 / 443 rules • Workload X Team: For Production Workload X alarm on inbound TCP port 22 (SSH) rules
SEMPER in a nutshell 1. Detect YOUR findings 2. Enrich YOUR findings with context 3. Filter out unnecessary findings 4. Manage YOUR Response to findings Shift Left AWS Security with Security as Code
Thank You!
Nuvibit AG Nuvibit AG Loonstrasse 36 5452 Oberrohrdorf Switzerland +41 56 511 24 20 hello@nuvibit.com https://nuvibit.com https://ch.linkedin.com/company/nuvibit
Appendix
Cloud Security Frameworks CIS Critical Security Controls v8 BSI C5:2020 NIST CYBERSECURITY FRAMEWORK v1.1
A solid AWS Foundation helps – a lot Foundation Team Workload Team Workload Team • Nuvibit Cloud Foundation Map • Nuvibvit Reference architecture for AWS Multi-Account Customers • AWS Landing Zone Security Team
Discover your Security Findings
Sample of Processed Finding Normalization Response Instruction Original Message
Nuvibit SEMPER AWS Native Security Finding Management Link to Product-Page
SEMPER Deployment
Our Paradigm: Security as Code • McKinsey - Security as code: The best (and maybe only) path to securing cloud applications and systems Because it is the most effective approach to secure cloud workloads with speed and agility! Context-Driven Configuration and Processing • Gartner - Using Cloud-Native ‘Policy as Code’ to Secure Deployments at Scale
SEMPER Policy Types Demo SEMPER – Policy-Scope Account-Clusters via Policy-Scope Configure Policies Filtering-Exclude Policies Response Policies
SEMPER Demo – Use Case IAM Use Case – Observe IAM Roles • Security Team: In the whole AWS Organization monitor for IAM Role changes • Workload A Team: In Production Workload A account IAM Roles must have a Boundary Policy attached Security / Compliance Team Workload A Team
SEMPER Demo – Use Case IAM Security / Compliance Team Workload A Team

Recommended

Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Amazon Web Services
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Amazon Web Services
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at ScaleAmazon Web Services
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtHelen Rogers
 
AWS Security Checklist
AWS Security ChecklistAWS Security Checklist
AWS Security ChecklistAmazon Web Services
 
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxTrack 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxAmazon Web Services
 
Proteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSProteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSAmazon Web Services
 
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Amazon Web Services
 

Recommended

Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Amazon Web Services
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Amazon Web Services
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at ScaleAmazon Web Services
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtHelen Rogers
 
AWS Security Checklist
AWS Security ChecklistAWS Security Checklist
AWS Security ChecklistAmazon Web Services
 
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxTrack 5 Session 2_SEC01 多重帳戶安全策略與方針.pptx
Track 5 Session 2_SEC01 多重帳戶安全策略與方針.pptxAmazon Web Services
 
Proteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSProteggere applicazioni e dati nel cloud AWS
Proteggere applicazioni e dati nel cloud AWSAmazon Web Services
 
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...
Automated Solution for Deploying AWS Landing Zone (GPSWS407) - AWS re:Invent ...Amazon Web Services
 
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneAmazon Web Services
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneAmazon Web Services
 
AWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityAWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityCobus Bernard
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS Amazon Web Services
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSAmazon Web Services
 
Getting started with AWS Security
Getting started with AWS SecurityGetting started with AWS Security
Getting started with AWS SecurityAmazon Web Services
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerAmazon Web Services
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWSAmazon Web Services
 
Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech TalksLaunch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech TalksAmazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS Security Getting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial ServicesAmazon Web Services
 
DevopsDays Geneva 2020 - Compliance & Governance as Code
DevopsDays Geneva 2020 - Compliance & Governance as CodeDevopsDays Geneva 2020 - Compliance & Governance as Code
DevopsDays Geneva 2020 - Compliance & Governance as Codejeromevdl
 
Monitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSMonitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSjavier ramirez
 
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Amazon Web Services
 
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...Amazon Web Services
 
Segurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWSSegurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWSAlexandre Santos
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & LoggingJason Poley
 
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice Alert Logic
 
The Automation of Supervision Governance in the Cloud
The Automation of Supervision Governance in the CloudThe Automation of Supervision Governance in the Cloud
The Automation of Supervision Governance in the CloudAmazon Web Services
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management ToolsAmazon Web Services
 
BATbern52 Moderation Berner Architekten Treffen zu Data Mesh
BATbern52 Moderation Berner Architekten Treffen zu Data MeshBATbern52 Moderation Berner Architekten Treffen zu Data Mesh
BATbern52 Moderation Berner Architekten Treffen zu Data MeshBATbern
 
BATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern
 

More Related Content

Similar to DevSecOps-Teams das Security-Steuer überlassen

Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneAmazon Web Services
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneAmazon Web Services
 
AWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityAWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityCobus Bernard
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS Amazon Web Services
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSAmazon Web Services
 
Getting started with AWS Security
Getting started with AWS SecurityGetting started with AWS Security
Getting started with AWS SecurityAmazon Web Services
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerAmazon Web Services
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWSAmazon Web Services
 
Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech TalksLaunch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech TalksAmazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS Security Getting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial ServicesAmazon Web Services
 
DevopsDays Geneva 2020 - Compliance & Governance as Code
DevopsDays Geneva 2020 - Compliance & Governance as CodeDevopsDays Geneva 2020 - Compliance & Governance as Code
DevopsDays Geneva 2020 - Compliance & Governance as Codejeromevdl
 
Monitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSMonitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSjavier ramirez
 
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Amazon Web Services
 
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...Amazon Web Services
 
Segurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWSSegurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWSAlexandre Santos
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & LoggingJason Poley
 
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice Alert Logic
 
The Automation of Supervision Governance in the Cloud
The Automation of Supervision Governance in the CloudThe Automation of Supervision Governance in the Cloud
The Automation of Supervision Governance in the CloudAmazon Web Services
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management ToolsAmazon Web Services
 

Similar to DevSecOps-Teams das Security-Steuer überlassen (20)

Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing ZoneSimplify & Standardise Your Migration to AWS with a Migration Landing Zone
Simplify & Standardise Your Migration to AWS with a Migration Landing Zone
 
Simplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing ZoneSimplify & Standardise your migration to AWS with a Migration Landing Zone
Simplify & Standardise your migration to AWS with a Migration Landing Zone
 
AWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityAWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: Security
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 
Introduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWSIntroduction to Threat Detection and Remediation on AWS
Introduction to Threat Detection and Remediation on AWS
 
Getting started with AWS Security
Getting started with AWS SecurityGetting started with AWS Security
Getting started with AWS Security
 
Deploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control TowerDeploy and Govern at Scale with AWS Control Tower
Deploy and Govern at Scale with AWS Control Tower
 
Network Security and Access Control in AWS
Network Security and Access Control in AWSNetwork Security and Access Control in AWS
Network Security and Access Control in AWS
 
Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech TalksLaunch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
Launch AWS Faster using Automated Landing Zones - AWS Online Tech Talks
 
Getting Started with AWS Security
Getting Started with AWS Security Getting Started with AWS Security
Getting Started with AWS Security
 
AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial Services
 
DevopsDays Geneva 2020 - Compliance & Governance as Code
DevopsDays Geneva 2020 - Compliance & Governance as CodeDevopsDays Geneva 2020 - Compliance & Governance as Code
DevopsDays Geneva 2020 - Compliance & Governance as Code
 
Monitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSMonitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWS
 
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
 
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
Enterprise Governance and Security Build Your AWS Landing Zone (SEC315) - AWS...
 
Segurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWSSegurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWS
 
AWS Monitoring & Logging
AWS Monitoring & LoggingAWS Monitoring & Logging
AWS Monitoring & Logging
 
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
CSS17: Atlanta - The AWS Shared Responsibility Model in Practice
 
The Automation of Supervision Governance in the Cloud
The Automation of Supervision Governance in the CloudThe Automation of Supervision Governance in the Cloud
The Automation of Supervision Governance in the Cloud
 
Security Automation using AWS Management Tools
Security Automation using AWS Management ToolsSecurity Automation using AWS Management Tools
Security Automation using AWS Management Tools
 

More from BATbern

BATbern52 Moderation Berner Architekten Treffen zu Data Mesh
BATbern52 Moderation Berner Architekten Treffen zu Data MeshBATbern52 Moderation Berner Architekten Treffen zu Data Mesh
BATbern52 Moderation Berner Architekten Treffen zu Data MeshBATbern
 
BATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern
 
BATbern52 SBB zu Data Products und Knacknüsse
BATbern52 SBB zu Data Products und KnacknüsseBATbern52 SBB zu Data Products und Knacknüsse
BATbern52 SBB zu Data Products und KnacknüsseBATbern
 
BATbern52 Mobiliar zu Skalierte Datenprodukte mit Data Mesh
BATbern52 Mobiliar zu Skalierte Datenprodukte mit Data MeshBATbern52 Mobiliar zu Skalierte Datenprodukte mit Data Mesh
BATbern52 Mobiliar zu Skalierte Datenprodukte mit Data MeshBATbern
 
BATbern52 InnoQ on Data Mesh 2019 2023 2024++
BATbern52 InnoQ on Data Mesh 2019 2023 2024++BATbern52 InnoQ on Data Mesh 2019 2023 2024++
BATbern52 InnoQ on Data Mesh 2019 2023 2024++BATbern
 
Embracing Serverless: reengineering a real-estate digital marketplace
Embracing Serverless: reengineering a real-estate digital marketplaceEmbracing Serverless: reengineering a real-estate digital marketplace
Embracing Serverless: reengineering a real-estate digital marketplaceBATbern
 
Serverless und Event-Driven Architecture
Serverless und Event-Driven ArchitectureServerless und Event-Driven Architecture
Serverless und Event-Driven ArchitectureBATbern
 
Serverless Dev(Ops) in der Praxis
Serverless Dev(Ops) in der PraxisServerless Dev(Ops) in der Praxis
Serverless Dev(Ops) in der PraxisBATbern
 
Serverless at Lifestage
Serverless at LifestageServerless at Lifestage
Serverless at LifestageBATbern
 
Keynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesKeynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesBATbern
 
BATbern51 Serverless?!
BATbern51 Serverless?!BATbern51 Serverless?!
BATbern51 Serverless?!BATbern
 
Ein Rückblick anlässlich des 50. BAT aus Sicht eines treuen Partners
Ein Rückblick anlässlich des 50. BAT aus Sicht eines treuen PartnersEin Rückblick anlässlich des 50. BAT aus Sicht eines treuen Partners
Ein Rückblick anlässlich des 50. BAT aus Sicht eines treuen PartnersBATbern
 
MLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future VisionMLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future VisionBATbern
 
From Ideation to Production in 7 days: The Scoring Factory at Raiffeisen
From Ideation to Production in 7 days: The Scoring Factory at RaiffeisenFrom Ideation to Production in 7 days: The Scoring Factory at Raiffeisen
From Ideation to Production in 7 days: The Scoring Factory at RaiffeisenBATbern
 
The Future of Coaching in Sport with AI/ML
The Future of Coaching in Sport with AI/MLThe Future of Coaching in Sport with AI/ML
The Future of Coaching in Sport with AI/MLBATbern
 
Klassifizierung von Versicherungsschäden – AI und MLOps bei der Mobiliar
Klassifizierung von Versicherungsschäden – AI und MLOps bei der MobiliarKlassifizierung von Versicherungsschäden – AI und MLOps bei der Mobiliar
Klassifizierung von Versicherungsschäden – AI und MLOps bei der MobiliarBATbern
 
BATbern48_ZeroTrust-Konzept und Realität.pdf
BATbern48_ZeroTrust-Konzept und Realität.pdfBATbern48_ZeroTrust-Konzept und Realität.pdf
BATbern48_ZeroTrust-Konzept und Realität.pdfBATbern
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern
 
BATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdfBATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdfBATbern
 
Why did the shift-left end up in the cloud for Bank Julius Baer?
Why did the shift-left end up in the cloud for Bank Julius Baer?Why did the shift-left end up in the cloud for Bank Julius Baer?
Why did the shift-left end up in the cloud for Bank Julius Baer?BATbern
 

More from BATbern (20)

BATbern52 Moderation Berner Architekten Treffen zu Data Mesh
BATbern52 Moderation Berner Architekten Treffen zu Data MeshBATbern52 Moderation Berner Architekten Treffen zu Data Mesh
BATbern52 Moderation Berner Architekten Treffen zu Data Mesh
 
BATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data MeshBATbern52 Swisscom's Journey into Data Mesh
BATbern52 Swisscom's Journey into Data Mesh
 
BATbern52 SBB zu Data Products und Knacknüsse
BATbern52 SBB zu Data Products und KnacknüsseBATbern52 SBB zu Data Products und Knacknüsse
BATbern52 SBB zu Data Products und Knacknüsse
 
BATbern52 Mobiliar zu Skalierte Datenprodukte mit Data Mesh
BATbern52 Mobiliar zu Skalierte Datenprodukte mit Data MeshBATbern52 Mobiliar zu Skalierte Datenprodukte mit Data Mesh
BATbern52 Mobiliar zu Skalierte Datenprodukte mit Data Mesh
 
BATbern52 InnoQ on Data Mesh 2019 2023 2024++
BATbern52 InnoQ on Data Mesh 2019 2023 2024++BATbern52 InnoQ on Data Mesh 2019 2023 2024++
BATbern52 InnoQ on Data Mesh 2019 2023 2024++
 
Embracing Serverless: reengineering a real-estate digital marketplace
Embracing Serverless: reengineering a real-estate digital marketplaceEmbracing Serverless: reengineering a real-estate digital marketplace
Embracing Serverless: reengineering a real-estate digital marketplace
 
Serverless und Event-Driven Architecture
Serverless und Event-Driven ArchitectureServerless und Event-Driven Architecture
Serverless und Event-Driven Architecture
 
Serverless Dev(Ops) in der Praxis
Serverless Dev(Ops) in der PraxisServerless Dev(Ops) in der Praxis
Serverless Dev(Ops) in der Praxis
 
Serverless at Lifestage
Serverless at LifestageServerless at Lifestage
Serverless at Lifestage
 
Keynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless ArchitecturesKeynote Gregor Hohpe - Serverless Architectures
Keynote Gregor Hohpe - Serverless Architectures
 
BATbern51 Serverless?!
BATbern51 Serverless?!BATbern51 Serverless?!
BATbern51 Serverless?!
 
Ein Rückblick anlässlich des 50. BAT aus Sicht eines treuen Partners
Ein Rückblick anlässlich des 50. BAT aus Sicht eines treuen PartnersEin Rückblick anlässlich des 50. BAT aus Sicht eines treuen Partners
Ein Rückblick anlässlich des 50. BAT aus Sicht eines treuen Partners
 
MLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future VisionMLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
MLOps journey at Swisscom: AI Use Cases, Architecture and Future Vision
 
From Ideation to Production in 7 days: The Scoring Factory at Raiffeisen
From Ideation to Production in 7 days: The Scoring Factory at RaiffeisenFrom Ideation to Production in 7 days: The Scoring Factory at Raiffeisen
From Ideation to Production in 7 days: The Scoring Factory at Raiffeisen
 
The Future of Coaching in Sport with AI/ML
The Future of Coaching in Sport with AI/MLThe Future of Coaching in Sport with AI/ML
The Future of Coaching in Sport with AI/ML
 
Klassifizierung von Versicherungsschäden – AI und MLOps bei der Mobiliar
Klassifizierung von Versicherungsschäden – AI und MLOps bei der MobiliarKlassifizierung von Versicherungsschäden – AI und MLOps bei der Mobiliar
Klassifizierung von Versicherungsschäden – AI und MLOps bei der Mobiliar
 
BATbern48_ZeroTrust-Konzept und Realität.pdf
BATbern48_ZeroTrust-Konzept und Realität.pdfBATbern48_ZeroTrust-Konzept und Realität.pdf
BATbern48_ZeroTrust-Konzept und Realität.pdf
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdf
 
BATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdfBATbern48_Zero Trust Architektur des ISC-EJPD.pdf
BATbern48_Zero Trust Architektur des ISC-EJPD.pdf
 
Why did the shift-left end up in the cloud for Bank Julius Baer?
Why did the shift-left end up in the cloud for Bank Julius Baer?Why did the shift-left end up in the cloud for Bank Julius Baer?
Why did the shift-left end up in the cloud for Bank Julius Baer?
 

Recently uploaded

Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Escort Service
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxnoorehahmad
 
James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !risocarla2016
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comsaastr
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxaryanv1753
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSebastiano Panichella
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationNathan Young
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸mathanramanathan2005
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.KathleenAnnCordero2
 
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...marjmae69
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...漢銘 謝
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYPHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYpruthirajnayak525
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxCarrieButtitta
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSebastiano Panichella
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxmavinoikein
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxJohnree4
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxFamilyWorshipCenterD
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Krijn Poppe
 

Recently uploaded (20)

Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170Call Girls In Aerocity 🤳 Call Us +919599264170
Call Girls In Aerocity 🤳 Call Us +919599264170
 
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptxAnne Frank A Beacon of Hope amidst darkness ppt.pptx
Anne Frank A Beacon of Hope amidst darkness ppt.pptx
 
James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !James Joyce, Dubliners and Ulysses.ppt !
James Joyce, Dubliners and Ulysses.ppt !
 
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.comSaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
SaaStr Workshop Wednesday w/ Kyle Norton, Owner.com
 
Event 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptxEvent 4 Introduction to Open Source.pptx
Event 4 Introduction to Open Source.pptx
 
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with AerialistSimulation-based Testing of Unmanned Aerial Vehicles with Aerialist
Simulation-based Testing of Unmanned Aerial Vehicles with Aerialist
 
The Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism PresentationThe Ten Facts About People With Autism Presentation
The Ten Facts About People With Autism Presentation
 
Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸Mathan flower ppt.pptx slide orchids ✨🌸
Mathan flower ppt.pptx slide orchids ✨🌸
 
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Rohini Delhi 💯Call Us 🔝8264348440🔝
 
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
PAG-UNLAD NG EKONOMIYA na dapat isaalang alang sa pag-aaral.
 
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
Gaps, Issues and Challenges in the Implementation of Mother Tongue Based-Mult...
 
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
THE COUNTRY WHO SOLVED THE WORLD_HOW CHINA LAUNCHED THE CIVILIZATION REVOLUTI...
 
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGYPHYSICS PROJECT BY MSC - NANOTECHNOLOGY
PHYSICS PROJECT BY MSC - NANOTECHNOLOGY
 
miladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptxmiladyskindiseases-200705210221 2.!!pptx
miladyskindiseases-200705210221 2.!!pptx
 
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular PlasticsDutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
Dutch Power - 26 maart 2024 - Henk Kras - Circular Plastics
 
SBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation TrackSBFT Tool Competition 2024 -- Python Test Case Generation Track
SBFT Tool Competition 2024 -- Python Test Case Generation Track
 
Work Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptxWork Remotely with Confluence ACE 2.pptx
Work Remotely with Confluence ACE 2.pptx
 
Genshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptxGenshin Impact PPT Template by EaTemp.pptx
Genshin Impact PPT Template by EaTemp.pptx
 
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptxGenesis part 2 Isaiah Scudder 04-24-2024.pptx
Genesis part 2 Isaiah Scudder 04-24-2024.pptx
 
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
Presentation for the Strategic Dialogue on the Future of Agriculture, Brussel...
 

DevSecOps-Teams das Security-Steuer überlassen

  • 1. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. DevSecOps-Teams das Security-Steuer überlassen B A T B E R N 4 7 Z U " S H I F T L E F T E V E R Y T H I N G "
  • 2. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Introduction
  • 3. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS global infrastructure 26 geographical regions, 84 availability zones, 310+ POPs Region & number of Availability Zones (AZs) GovCloud (U.S.) Europe U.S.-East (3), US-West (3) Frankfurt (3), Paris (3), Ireland (3), Stockholm (3), U.S. West London (3), Milan (3) Oregon (4) Northern California (3) U.S. East N. Virginia (6), Ohio (3) Middle East Bahrain (3) Canada Asia Pacific Central (3) Singapore (3), Sydney (3), Jakarta (3), Tokyo (4), Osaka (3) South America São Paulo (3) Seoul (4), Mumbai (3), Hong Kong (3) Africa China Cape Town (3) Beijing (2), Ningxia (3) Announced Regions 8 Regions and 24 AZs in Australia, Canada, India, Israel, Australia, Switzerland, Spain, and United Arab Emirates (UAE)
  • 4. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS region design AWS Regions are comprised of multiple AZs for high availability, high scalability, and high fault tolerance. Applications and data are replicated in real time and consistent in the different AZs. AWS Availability Zone (AZ) A Region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. AZ AZ AZ AZ Transit Transit Datacenter Datacenter Datacenter AWS Region
  • 5. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is an AWS account? Each AWS account: • Is a resource container/isolation boundary for AWS services • Is an explicit security boundary • Is a container for cost tracking and billing Security tooling Templates & Images Workload AWS account AWS account AWS account
  • 6. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. With one account… Workload Workload Workload Workload Workload Workload VPC 1 VPC 2 Private subnet Public subnet VPC 3 AWS account
  • 7. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Benefits of a multi-account environment Centrally provision accounts and resources Share resources and control access Optimize costs Secure and audit your environment for compliance Benefits Many teams Business process Billing Simplify billing Isolation & security Tight security boundaries Innovate with exclusive resources for each team Organize AWS accounts Use cases
  • 8. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. With multiple accounts… Workload Sec tooling Templates & images Workload Workload Workload Dev VPC Management account AWS account AWS account AWS account AWS account AWS account AWS account
  • 9. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. A Is for “Alice” and B Is for “Bob” Alice follows best practices Bob does NOT follow best practices
  • 10. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Bill’s Bad Day AWS Account Internal Data Service S3 Bucket “Data Backup” S3 Bucket “Website Images” Web Server Instance AWS Cloud VPC Internet Internet Gateway Bob
  • 11. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Account Internal Data Service S3 Bucket “Data Backup” Intruder S3 Bucket “Website Images” Web Server Instance 1 2 3 4 5 Bill’s Bad Day 1 Access the vulnerable web application 2 Pivot to the data service 3 Delete the website image files 4 Change permissions to the data backup 5 Download the data backup AWS Cloud VPC Internet Internet Gateway Bob
  • 12. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Bill’s Bad Day No web application protection 2 No segmentation 3 One account 4 All permissions granted 5 Sensitive data not encrypted 1 6 No logging, monitoring, alerting … now let’s help Alice have a great day! Alice AWS Account Internal Data Service S3 Bucket “Data Backup” S3 Bucket “Website Images” Web Server Instance AWS Cloud VPC Internet Internet Gateway Bob
  • 13. © 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved. Best-of-the-Best Practices: Logging and Monitoring 1) Turn on logging in all accounts, for all services, in all regions The AWS API history in CloudTrail enables security analysis, resource change tracking, and compliance auditing. GuardDuty provides managed threat intelligence and findings. 2) Use the AWS platform’s built-in monitoring and alerting features Monitoring a broad range of sources will ensure that unexpected occurrences are detected. Establish alarms and notifications for anomalous or sensitive account activity. Amazon GuardDuty AWS CloudTrail AWS Config AWS Security Hub
  • 14. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. What is AWS Config? AWS Config = Continuous configuration auditor Changing resources AWS Config Normalized AWS Config rules Notifications API access History, snapshot
  • 15. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. CloudTrail provides audit logs for AWS An audit log of an AWS account’s authenticated request to perform an action with an AWS service and its resources
  • 16. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. How Amazon GuardDuty works? VPC flow logs DNS Logs CloudTrail Events Findings Data Sources Threat intelligence Anomaly Detection (ML) AWS Security Hub • Alert • Remediate • Partner Solutions • Send to SIEM CloudWatch Event Finding Types Examples Bitcoin Mining C&C Activity Unusual User behavior Example: • Launch instance • Change Network Permissions Amazon GuardDuty Threat Detection Types HIGH MEDIUM LOW Unusual traffic patterns Example: • Unusual ports and volume Amazon Detective S3 Data Plane Events EKS control plane logs
  • 17. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security Hub overview AWS Identity and Access Management Access Analyzer
  • 18. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Many AWS accounts and many Security Finding Workload Dev VPC AWS account Workload Dev VPC AWS account Workload Dev VPC AWS account Workload Dev VPC AWS account Workload Dev VPC AWS account
  • 19. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 20. © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. Thank you!
  • 21. Shift Left AWS Security 17.06.2022, Michael Ullrich
  • 22. Who is Nuvibit? • Nuvibit AG • Founded in 2021 in Switzerland • 100% Focus on AWS • Focus large AWS Multi-Account Environments and Security • Addicted to Everything as Code
  • 24. AWS has cool native Services Fully integrated Security Standards: • AWS Foundational Security Best Practices v1.0.0: 143 controls per account • CIS AWS Foundations Benchmark v1.2.0: 43 controls per account • PCI DSS v3.2.1: 45 controls per account More than 100 threat-detections for: • EC2 • IAM • S3 • Kubernetes AWS Security Hub Amazon GuardDuty Amazon CloudWatch Logs Insights
  • 25. • 3.1 Monitor for unauthorized API calls • 3.2 Monitor for AWS Management Console sign-in without MFA • 3.3 Monitor for usage of root account • 3.5 Monitor for CloudTrail configuration changes • 3.6 Monitor for AWS Management Console authentication failures • 3.7 Monitor for disabling or scheduled deletion of customer created CMKs • 3.8 Monitor for S3 bucket policy changes • 3.9 Monitor for AWS Config configuration changes • 3.10 Monitor for security group changes • 3.11 Monitor for changes to Network Access Control Lists (NACL) • 3.12 Monitor for changes to network gateways • 3.13 Monitor for route table changes • 3.14 Monitor for VPC changes Control Details Nuvibit Blog Post How do you monitor the CIS AWS 3.x controls?
  • 26. Customer Challenges we faced • General Security Controls are not applicable for all workloads (i.e. sandbox accounts) • Some workloads require custom Security Controls • Large amounts of false positives / accepted findings clutter our monitoring • Transparent Security Control and -Finding customization • Fast rollout of new Security Controls (in a large set of accounts) • From Paper Policies to reproducible Results (Security as Code)
  • 27. Your AWS Accounts are heterogeneous! You need good Tailoring! 1. AWS Foundational Security Best Practices standard 2. CIS AWS Foundations Benchmark controls 3. PCI DSS controls
  • 28. Cluster your AWS Accounts AWS Account comes with: • Account ID • OU-ID • Account Tags Security / Foundation Team Workload A Team
  • 29. Use Case - Root Login In Production & Core • CIS AWS 3.3 Benchmark: Monitor for usage of root account • Security Team: In Production- & Core Accounts the security control must generate an alarm Security / Compliance Team
  • 30. Use Case - Security Group Security / Compliance Team Workload A Team Workload X Team • CIS AWS 3.10: Monitor for Security Group changes • Security Team: Only in Production accounts monitor for Security Group changes • Workload A Team: For Production Workload A filter out inbound TCP port 80 / 443 rules • Workload X Team: For Production Workload X alarm on inbound TCP port 22 (SSH) rules
  • 31. Examples of raw Security Finding Messages
  • 32. Use Case - Security Group Security / Compliance Team Detect Condition • Only in Production accounts monitor for Security Group changes
  • 33. Use Case - Security Group Workload A Team Drop Condition • For Production Workload A filter out inbound TCP port 80 / 443 rules
  • 34. Use Case - Security Group Workload X Team Response Instruction Condition Response-Examples: • Notification • Alarming • Ticket • Auto-Remediation • For Production Workload X alarm on inbound TCP port 22 (SSH) rules
  • 36. Use Case - Security Group - Demo Security / Compliance Team Workload A Team Workload X Team • CIS AWS 3.10: Monitor for Security Group changes • Security Team: Only in Production accounts monitor for Security Group changes • Workload A Team: For Production Workload A filter out inbound TCP port 80 / 443 rules • Workload X Team: For Production Workload X alarm on inbound TCP port 22 (SSH) rules
  • 37. SEMPER in a nutshell 1. Detect YOUR findings 2. Enrich YOUR findings with context 3. Filter out unnecessary findings 4. Manage YOUR Response to findings Shift Left AWS Security with Security as Code
  • 39. Nuvibit AG Nuvibit AG Loonstrasse 36 5452 Oberrohrdorf Switzerland +41 56 511 24 20 hello@nuvibit.com https://nuvibit.com https://ch.linkedin.com/company/nuvibit
  • 41. Cloud Security Frameworks CIS Critical Security Controls v8 BSI C5:2020 NIST CYBERSECURITY FRAMEWORK v1.1
  • 42. A solid AWS Foundation helps – a lot Foundation Team Workload Team Workload Team • Nuvibit Cloud Foundation Map • Nuvibvit Reference architecture for AWS Multi-Account Customers • AWS Landing Zone Security Team
  • 43.
  • 45.
  • 46. Sample of Processed Finding Normalization Response Instruction Original Message
  • 47. Nuvibit SEMPER AWS Native Security Finding Management Link to Product-Page
  • 49. Our Paradigm: Security as Code • McKinsey - Security as code: The best (and maybe only) path to securing cloud applications and systems Because it is the most effective approach to secure cloud workloads with speed and agility! Context-Driven Configuration and Processing • Gartner - Using Cloud-Native ‘Policy as Code’ to Secure Deployments at Scale
  • 50. SEMPER Policy Types Demo SEMPER – Policy-Scope Account-Clusters via Policy-Scope Configure Policies Filtering-Exclude Policies Response Policies
  • 51.
  • 52. SEMPER Demo – Use Case IAM Use Case – Observe IAM Roles • Security Team: In the whole AWS Organization monitor for IAM Role changes • Workload A Team: In Production Workload A account IAM Roles must have a Boundary Policy attached Security / Compliance Team Workload A Team
  • 53. SEMPER Demo – Use Case IAM Security / Compliance Team Workload A Team