SlideShare uma empresa Scribd logo

AWS Security Architecture - Overview

Sai Kesavamatham
Sai Kesavamatham

AWS Security Framework and Architecture to consider for new implementations

Tecnologia
1 de 27
AWS Security Architecture An Overview October 2014 Sai Kesavamatham
Overview • Cloud - Responsibilities • AWS Reference Model • Architecture • Two Sides of the Cloud • Securing the Cloud Fabric • Securing the Assets in the Cloud • Some Use Cases
Reference Documents: Cloud Security Alliance (CSA) – Security Guidance for Cloud Computing V3.0 Amazon Web Services – AWS Security Best Practices Amazon Web Services – Risk and Compliance Amazon Web Services – Operational Checklists for AWS Amazon Web Services – Auditing Security Checklist for Use of AWS PCI DSS – Cloud Computing Guidelines Netflix Open Source Simian Army for AWS
Responsibilities – Provider vs. Customer CUSTOMER Reference: PCI Security Standards Council PROVIDER LESS C U S T O M E R MORE MORE P R O V I D E R LESS
AWS Reference Model - High Level Overview Customer Virtual Private Cloud (VPC) AWS Cloud Customer Network
Amazon VPC (Virtual Private Cloud) Concept virtual private cloud Security Group 1 EC2 VM Instances VPC subnet 1 Security Group 2 EC2 VM Instances VPC subnet 2 Availability Zone Availability Zone Security Group 4 VPC subnet 4 Availability Zone Security Group 3 VPC subnet 3 Availability Zone AWS Region 1 EC2 VM Instances EC2 VM Instances Cloud Provider is Responsible For providing Infrastructure And Security Multiple Availability Zones are Available in each region Customer is Responsible for Creating Assets and Security
Architecture using VPN Tunnels AWS Region 1 (Oregon) Availability Zone Availability Zone Availability Zone Customer DMZ 1 (City 1) Customer DMZ 2 (City 2) Redundant VPN Connections With BGP for Network Routing Desired regional redundancy AWS Region 1 (Virginia) Availability Zone Availability Zone Availability Zone AWS Internet Gateway Firewall Rules For IN and OutBound Firewall Rules For IN and OutBound This design is different from Direct Connect
Two Sides of AWS Management • Managing the Cloud Fabric (SDN and Data Center Layer) VPCs, Subnets, Security Groups (Firewalls) S3 Buckets (Storage) Managing and Monitoring Access to the SDN Layer API Keys Network Encryption Route 53 (DNS) etc. • Managing the Assets built in the Cloud EC2 instances (Operating System) Applications, Databases and Related Resources User and Service Accounts Client and Server side Encryption Operations/Monitoring
Securing the Cloud Fabric Network Segmentation Security Auditing and Monitoring
Securing the Cloud Fabric – Access Controls • Users • Put away AWS “ROOT” Account of AWS Console and use AWS IAM • Create Unique AWS Credentials with password policies using AWS IAM • Create appropriate Groups, Roles (Read Only, Admins etc.) • Enable MF authentication using Soft Token (using Google Authenticator) • Restrict access to S3 buckets and CloudTrail • API Keys (Access Keys) Access Keys are needed for automation to make programmatic calls. • Secret Key from the Access Key pair must be secured by the assigned user • Restrict Access Keys to IP address (e.g. Ansible Tower or Bastion Host) • Enable Multi Factor for API calls with high risk • Identify high risk API calls • e.g. creating or deleting Subnets, ELBs etc. • Develop Access Key Rotation Policies and Procedures • Develop a ‘Central Server with Access Keys’ approach
Securing the Cloud Fabric Access Control Security Auditing and Monitoring
Securing the Cloud Fabric – Network Segmentation • Isolate all Cloud Assets from direct Internet access • Restrict Public facing subnets to ELBs and instances with need for fixed IPs • Create Private subnets for EC2 instances • All customer application access communication happens through ELBs • Restrict all EC2 asset management access to Customer Network • Route all traffic initiated from EC2 instances through Customer Network OR • Use NATed instances to route internet traffic • Use Virtual Firewalls (Security Groups) for individual Business Apps • Create Security Groups for individual Apps • Create a standard for future Apps • Use Network ACLs to provide high level network security • Control traffic between AWS Cloud and Customer Network • Create firewall policies on the VPN tunnel terminating point • Enable IDS on VPN End Points
Current Architecture – Network Segmentation Public Zones ONLY Elastic Load Balancers (ELB) Private Zones with VM instances Customer DMZ 1 (City 1) Customer DMZ 2 (City 2) AWS Internet Gateway Redundant VPN Connections With BGP for Network Routing Current Setup Public Zones ONLY Elastic Load Balancers (ELB) Private Zones with VM instances AWS Region 1 (Oregon) AWS Region 2 (Virginia)
Securing the Cloud Fabric Access Control Network Segmentation
Securing the Cloud Fabric – Security Auditing • Tag assets - Tag metadata consisting of up to 10 key/value pairs • Create Tags to identify asset functionality • Required Tags • Business Owner • Application • Public or Internal App • Data Classification • Use Tags to identify usage cost structure $2,000.00 $1,800.00 $1,600.00 $1,400.00 $1,200.00 $1,000.00 $800.00 $600.00 $400.00 $200.00 $0.00 3/1/14 4/1/14 5/1/14 6/1/14 7/1/14 8/1/14 Series1
Securing the Cloud Fabric – Security Auditing • Enable Cloud Logs • CloudTrail (Logs all API calls made to AWS to create high level services using AWS Console, API keys etc) • Create Procedures for Logs on New Objects • Restrict Access to CloudTrail • Monitor Logs for suspicious activity at Cloud Layer • Create Alerts on High Severity Activities • Enable AWS Trusted Advisor Alerts • Monitor Billing for Suspicious Activity • Audit Scan reports to monitor changes (e.g. Nessus has a best practices plugin) • Implement Monitoring Tools • Open Source • Commercial • Create Procedures • Operationalize
Securing the Cloud Fabric – Monitoring Challenges • Mapping traditional Security Stack to Cloud Architecture • Need Data Analytics • In-House efforts on using BigData for Analytics (not much progress) • Commercial options (Dome9, Splunk and Others) • No single point solution for monitoring changes to Cloud • Netflix Open Sources (Edda and Security Monkey) • Trusted Advisor • Monitor API Keys • Develop an automated process
Securing assets in the Cloud
Securing the Assets – The Traditional Controls • System Hardening (Build Secure Base AMI) • Application Hardening • System & Application Access Control • Network Segmentation • Data Protection at Rest and In Transit • Data Classification • Vulnerability Scanning • Patch Management • Software Licensing • Asset Tracking • Change Control • DR • Security Monitoring & IR • System Decommissioning How do these map into Cloud? What is covered under Traditional Processes? What is covered under Automation? What else is needed?
Securing Assets – Mapping Traditional Security • System Hardening (Build Secure Base AMI) • Application Hardening • System & Application Access Control • Network Segmentation • Data Protection at Rest and In Transit • Data Classification • Vulnerability Scanning • Patch Management • Software Licensing • Asset Tracking • Change Control • DR • Security Monitoring & IR • System Decommissioning • Packet inspection at all egress points • Security Event and Incidents (SIEM) • Firewalls • Network and Host based IDS/IDP • Encryption • Proxies • Forensics & Malware Analysis • Vulnerability Scanning • Other in-line protection (e.g. FireEye) • Monitoring
Securing Assets – Mapping Traditional Security • Packet inspection means either routing all the traffic back to customer location or building another stack in the cloud • Network scans require pre-authorization from the cloud provider • Not easy to map current day in-line solutions to cloud • Packet inspection at all egress points • Security Event and Incidents (SIEM) • Firewalls • Network and Host based IDS/IDP • Encryption • Proxies • Forensics & Malware Analysis • Vulnerability Scanning • Other in-line protection (e.g. FireEye) • Monitoring
Example Use Cases Enterprise Logging
Encryption – Use Case • Encryption – Rentable CloudHSM for Single Tenant • Centralized Key Management Solution – NIST 800-57 and Oasis Key Management Interoperability • Pre-Boot authentication for EC2/EBS • Client-side object encryption for S3 • File encryption for EC2 and S3 – available but need to be investigated • Proxy based encryption • Any future workloads with sensitive data should evaluate this first • Key Management (ssh and API)
Hybrid model for Encryption - BYOK
Example Use Cases Encryption Incident Response
Enterprise Logging Architecture - Kafka • Enterprise Log Management (Beyond Security Logging) • Create logging strategy (e.g. KAFKA, ELK etc.) • Log Analysis Tools (Analytics) • Kafka - Developed by LinkedIn and now part of Apache project • Distributed system, easy to scale • Multiple Producers and Consumers • Producer • Publishes messages to a Topic • Topic • Message of a particular type • Consumer • Can subscribe to one or more Topics
Enterprise Logging Architecture – ELK • Integrated Stack - Elastic Search, LogStash & Kibana (ELK) • Supports • Many Log Structures • Fast Searching • Scalability • Customizable Visualization • Commercial Support Available

Recomendados

Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
Amazon Web Services
 
Journey Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWSJourney Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWS
Amazon Web Services
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”
Amazon Web Services
 
In Depth: AWS Shared Security Model
In Depth: AWS Shared Security ModelIn Depth: AWS Shared Security Model
In Depth: AWS Shared Security Model
Amazon Web Services
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWS
Amazon Web Services
 
AWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's PerspectiveAWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's Perspective
Jason Chan
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
Amazon Web Services
 
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
😸 Richard Spindler
 

Recomendados

Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
Amazon Web Services
 
Journey Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWSJourney Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWS
Amazon Web Services
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”
Amazon Web Services
 
In Depth: AWS Shared Security Model
In Depth: AWS Shared Security ModelIn Depth: AWS Shared Security Model
In Depth: AWS Shared Security Model
Amazon Web Services
 
Practical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWSPractical Steps to Hack-Proofing AWS
Practical Steps to Hack-Proofing AWS
Amazon Web Services
 
AWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's PerspectiveAWS Security: A Practitioner's Perspective
AWS Security: A Practitioner's Perspective
Jason Chan
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
Amazon Web Services
 
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
😸 Richard Spindler
 
Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWS
Amazon Web Services
 
Information Security in AWS - Dave Walker
Information Security in AWS - Dave WalkerInformation Security in AWS - Dave Walker
Information Security in AWS - Dave Walker
East Midlands Cyber Security Forum
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWS
Amazon Web Services
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
Amazon Web Services
 
Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices
Amazon Web Services
 
Putting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScalePutting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud Scale
Amazon Web Services
 
Security & Compliance in AWS
Security & Compliance in AWSSecurity & Compliance in AWS
Security & Compliance in AWS
Amazon Web Services
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
Amazon Web Services
 
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWSSecurity and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Amazon Web Services
 
Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: Security
Amazon Web Services
 
Security best practices on AWS cloud
Security best practices on AWS cloudSecurity best practices on AWS cloud
Security best practices on AWS cloud
Martin Yan
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
Amazon Web Services
 
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYCAWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
Amazon Web Services
 
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Amazon Web Services
 
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
Amazon Web Services
 
(SEC303) Architecting for End-To-End Security in the Enterprise
(SEC303) Architecting for End-To-End Security in the Enterprise(SEC303) Architecting for End-To-End Security in the Enterprise
(SEC303) Architecting for End-To-End Security in the Enterprise
Amazon Web Services
 
The 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS SecurityThe 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS Security
Amazon Web Services
 
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
Amazon Web Services
 
AWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & Compliance
Amazon Web Services
 
Intro to AWS Security
Intro to AWS SecurityIntro to AWS Security
Intro to AWS Security
Amazon Web Services
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
Jim Barlow
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 

Mais conteúdo relacionado

Mais procurados

Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
Amazon Web Services
 
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWSSecurity and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Amazon Web Services
 
Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: Security
Amazon Web Services
 
Security best practices on AWS cloud
Security best practices on AWS cloudSecurity best practices on AWS cloud
Security best practices on AWS cloud
Martin Yan
 
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYCAWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
Amazon Web Services
 
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Amazon Web Services
 
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
Amazon Web Services
 
(SEC303) Architecting for End-To-End Security in the Enterprise
(SEC303) Architecting for End-To-End Security in the Enterprise(SEC303) Architecting for End-To-End Security in the Enterprise
(SEC303) Architecting for End-To-End Security in the Enterprise
Amazon Web Services
 
The 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS SecurityThe 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS Security
Amazon Web Services
 
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
Amazon Web Services
 

Mais procurados (20)

Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWS
 
Information Security in AWS - Dave Walker
Information Security in AWS - Dave WalkerInformation Security in AWS - Dave Walker
Information Security in AWS - Dave Walker
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWS
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 
Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices
 
Putting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScalePutting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud Scale
 
Security & Compliance in AWS
Security & Compliance in AWSSecurity & Compliance in AWS
Security & Compliance in AWS
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWSSecurity and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
Security and Privacy in the AWS Cloud, Steve Schmidt, CIS Officer, AWS
 
Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: Security
 
Security best practices on AWS cloud
Security best practices on AWS cloudSecurity best practices on AWS cloud
Security best practices on AWS cloud
 
AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYCAWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
 
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
Deploy a DoD Secure Cloud Computing Architecture Environment in AWS | AWS Pub...
 
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
CJIS Evidence Management in the Cloud using AWS GovCloud (US) | AWS Public Se...
 
(SEC303) Architecting for End-To-End Security in the Enterprise
(SEC303) Architecting for End-To-End Security in the Enterprise(SEC303) Architecting for End-To-End Security in the Enterprise
(SEC303) Architecting for End-To-End Security in the Enterprise
 
The 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS SecurityThe 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS Security
 
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
How to Meet Strict Security & Compliance Requirements in the Cloud (SEC208) |...
 
AWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & ComplianceAWS Security Week: Security, Identity, & Compliance
AWS Security Week: Security, Identity, & Compliance
 
Intro to AWS Security
Intro to AWS SecurityIntro to AWS Security
Intro to AWS Security
 

Destaque

Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Nathen Harvey
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
Michael Boelen
 

Destaque (20)

Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Atomic CLI scan
Atomic CLI scanAtomic CLI scan
Atomic CLI scan
 
Why You Need to Rethink Container Security
Why You Need to Rethink Container SecurityWhy You Need to Rethink Container Security
Why You Need to Rethink Container Security
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 
Introduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to ChefIntroduction to Infrastructure as Code & Automation / Introduction to Chef
Introduction to Infrastructure as Code & Automation / Introduction to Chef
 
Monetising Your Skill
Monetising Your SkillMonetising Your Skill
Monetising Your Skill
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
Practical Approaches to Container Security
Practical Approaches to Container SecurityPractical Approaches to Container Security
Practical Approaches to Container Security
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Security best practices for kubernetes deployment
Security best practices for kubernetes deploymentSecurity best practices for kubernetes deployment
Security best practices for kubernetes deployment
 
Monitoring, Logging and Tracing on Kubernetes
Monitoring, Logging and Tracing on KubernetesMonitoring, Logging and Tracing on Kubernetes
Monitoring, Logging and Tracing on Kubernetes
 
London HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vaultLondon HUG 19/5 - Kubernetes and vault
London HUG 19/5 - Kubernetes and vault
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on Linux
 
Container Orchestration Wars
Container Orchestration WarsContainer Orchestration Wars
Container Orchestration Wars
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 

Semelhante a AWS Security Architecture - Overview

Datensicherheit mit AWS - AWS Security Web Day
Datensicherheit mit AWS - AWS Security Web DayDatensicherheit mit AWS - AWS Security Web Day
Datensicherheit mit AWS - AWS Security Web Day
AWS Germany
 
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
MohammadEnnab4
 
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
Amazon Web Services Korea
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsHackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats
Amazon Web Services
 

Semelhante a AWS Security Architecture - Overview (20)

APN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA PartnersAPN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA Partners
 
AWS Security for Financial Services
AWS Security for Financial ServicesAWS Security for Financial Services
AWS Security for Financial Services
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
Getting Started With AWS Security
Getting Started With AWS SecurityGetting Started With AWS Security
Getting Started With AWS Security
 
366864108 azure-security
366864108 azure-security366864108 azure-security
366864108 azure-security
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
 
Datensicherheit mit AWS - AWS Security Web Day
Datensicherheit mit AWS - AWS Security Web DayDatensicherheit mit AWS - AWS Security Web Day
Datensicherheit mit AWS - AWS Security Web Day
 
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
4-G.Fitzaptrick AWS-ENISA-RIX-.pptx
 
Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
CSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWSCSS 17: NYC - Building Secure Solutions in AWS
CSS 17: NYC - Building Secure Solutions in AWS
 
Compliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignCompliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By Design
 
Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...
Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...
Hack-Proof Your Cloud: Responding to 2016 Threats | AWS Public Sector Summit ...
 
Hack proof your aws cloud cloudcheckr_040416
Hack proof your aws cloud cloudcheckr_040416Hack proof your aws cloud cloudcheckr_040416
Hack proof your aws cloud cloudcheckr_040416
 
AWS Security and SecOps
AWS Security and SecOpsAWS Security and SecOps
AWS Security and SecOps
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
 
Intro & Security Update
Intro & Security UpdateIntro & Security Update
Intro & Security Update
 
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
엔터프라이즈를 위한 하이브리드 클라우드 및 보안 관리
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsHackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats
 

Último

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Último (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

AWS Security Architecture - Overview

  • 1. AWS Security Architecture An Overview October 2014 Sai Kesavamatham
  • 2. Overview • Cloud - Responsibilities • AWS Reference Model • Architecture • Two Sides of the Cloud • Securing the Cloud Fabric • Securing the Assets in the Cloud • Some Use Cases
  • 3. Reference Documents: Cloud Security Alliance (CSA) – Security Guidance for Cloud Computing V3.0 Amazon Web Services – AWS Security Best Practices Amazon Web Services – Risk and Compliance Amazon Web Services – Operational Checklists for AWS Amazon Web Services – Auditing Security Checklist for Use of AWS PCI DSS – Cloud Computing Guidelines Netflix Open Source Simian Army for AWS
  • 4. Responsibilities – Provider vs. Customer CUSTOMER Reference: PCI Security Standards Council PROVIDER LESS C U S T O M E R MORE MORE P R O V I D E R LESS
  • 5. AWS Reference Model - High Level Overview Customer Virtual Private Cloud (VPC) AWS Cloud Customer Network
  • 6. Amazon VPC (Virtual Private Cloud) Concept virtual private cloud Security Group 1 EC2 VM Instances VPC subnet 1 Security Group 2 EC2 VM Instances VPC subnet 2 Availability Zone Availability Zone Security Group 4 VPC subnet 4 Availability Zone Security Group 3 VPC subnet 3 Availability Zone AWS Region 1 EC2 VM Instances EC2 VM Instances Cloud Provider is Responsible For providing Infrastructure And Security Multiple Availability Zones are Available in each region Customer is Responsible for Creating Assets and Security
  • 7. Architecture using VPN Tunnels AWS Region 1 (Oregon) Availability Zone Availability Zone Availability Zone Customer DMZ 1 (City 1) Customer DMZ 2 (City 2) Redundant VPN Connections With BGP for Network Routing Desired regional redundancy AWS Region 1 (Virginia) Availability Zone Availability Zone Availability Zone AWS Internet Gateway Firewall Rules For IN and OutBound Firewall Rules For IN and OutBound This design is different from Direct Connect
  • 8. Two Sides of AWS Management • Managing the Cloud Fabric (SDN and Data Center Layer) VPCs, Subnets, Security Groups (Firewalls) S3 Buckets (Storage) Managing and Monitoring Access to the SDN Layer API Keys Network Encryption Route 53 (DNS) etc. • Managing the Assets built in the Cloud EC2 instances (Operating System) Applications, Databases and Related Resources User and Service Accounts Client and Server side Encryption Operations/Monitoring
  • 9. Securing the Cloud Fabric Network Segmentation Security Auditing and Monitoring
  • 10. Securing the Cloud Fabric – Access Controls • Users • Put away AWS “ROOT” Account of AWS Console and use AWS IAM • Create Unique AWS Credentials with password policies using AWS IAM • Create appropriate Groups, Roles (Read Only, Admins etc.) • Enable MF authentication using Soft Token (using Google Authenticator) • Restrict access to S3 buckets and CloudTrail • API Keys (Access Keys) Access Keys are needed for automation to make programmatic calls. • Secret Key from the Access Key pair must be secured by the assigned user • Restrict Access Keys to IP address (e.g. Ansible Tower or Bastion Host) • Enable Multi Factor for API calls with high risk • Identify high risk API calls • e.g. creating or deleting Subnets, ELBs etc. • Develop Access Key Rotation Policies and Procedures • Develop a ‘Central Server with Access Keys’ approach
  • 11. Securing the Cloud Fabric Access Control Security Auditing and Monitoring
  • 12. Securing the Cloud Fabric – Network Segmentation • Isolate all Cloud Assets from direct Internet access • Restrict Public facing subnets to ELBs and instances with need for fixed IPs • Create Private subnets for EC2 instances • All customer application access communication happens through ELBs • Restrict all EC2 asset management access to Customer Network • Route all traffic initiated from EC2 instances through Customer Network OR • Use NATed instances to route internet traffic • Use Virtual Firewalls (Security Groups) for individual Business Apps • Create Security Groups for individual Apps • Create a standard for future Apps • Use Network ACLs to provide high level network security • Control traffic between AWS Cloud and Customer Network • Create firewall policies on the VPN tunnel terminating point • Enable IDS on VPN End Points
  • 13. Current Architecture – Network Segmentation Public Zones ONLY Elastic Load Balancers (ELB) Private Zones with VM instances Customer DMZ 1 (City 1) Customer DMZ 2 (City 2) AWS Internet Gateway Redundant VPN Connections With BGP for Network Routing Current Setup Public Zones ONLY Elastic Load Balancers (ELB) Private Zones with VM instances AWS Region 1 (Oregon) AWS Region 2 (Virginia)
  • 14. Securing the Cloud Fabric Access Control Network Segmentation
  • 15. Securing the Cloud Fabric – Security Auditing • Tag assets - Tag metadata consisting of up to 10 key/value pairs • Create Tags to identify asset functionality • Required Tags • Business Owner • Application • Public or Internal App • Data Classification • Use Tags to identify usage cost structure $2,000.00 $1,800.00 $1,600.00 $1,400.00 $1,200.00 $1,000.00 $800.00 $600.00 $400.00 $200.00 $0.00 3/1/14 4/1/14 5/1/14 6/1/14 7/1/14 8/1/14 Series1
  • 16. Securing the Cloud Fabric – Security Auditing • Enable Cloud Logs • CloudTrail (Logs all API calls made to AWS to create high level services using AWS Console, API keys etc) • Create Procedures for Logs on New Objects • Restrict Access to CloudTrail • Monitor Logs for suspicious activity at Cloud Layer • Create Alerts on High Severity Activities • Enable AWS Trusted Advisor Alerts • Monitor Billing for Suspicious Activity • Audit Scan reports to monitor changes (e.g. Nessus has a best practices plugin) • Implement Monitoring Tools • Open Source • Commercial • Create Procedures • Operationalize
  • 17. Securing the Cloud Fabric – Monitoring Challenges • Mapping traditional Security Stack to Cloud Architecture • Need Data Analytics • In-House efforts on using BigData for Analytics (not much progress) • Commercial options (Dome9, Splunk and Others) • No single point solution for monitoring changes to Cloud • Netflix Open Sources (Edda and Security Monkey) • Trusted Advisor • Monitor API Keys • Develop an automated process
  • 18. Securing assets in the Cloud
  • 19. Securing the Assets – The Traditional Controls • System Hardening (Build Secure Base AMI) • Application Hardening • System & Application Access Control • Network Segmentation • Data Protection at Rest and In Transit • Data Classification • Vulnerability Scanning • Patch Management • Software Licensing • Asset Tracking • Change Control • DR • Security Monitoring & IR • System Decommissioning How do these map into Cloud? What is covered under Traditional Processes? What is covered under Automation? What else is needed?
  • 20. Securing Assets – Mapping Traditional Security • System Hardening (Build Secure Base AMI) • Application Hardening • System & Application Access Control • Network Segmentation • Data Protection at Rest and In Transit • Data Classification • Vulnerability Scanning • Patch Management • Software Licensing • Asset Tracking • Change Control • DR • Security Monitoring & IR • System Decommissioning • Packet inspection at all egress points • Security Event and Incidents (SIEM) • Firewalls • Network and Host based IDS/IDP • Encryption • Proxies • Forensics & Malware Analysis • Vulnerability Scanning • Other in-line protection (e.g. FireEye) • Monitoring
  • 21. Securing Assets – Mapping Traditional Security • Packet inspection means either routing all the traffic back to customer location or building another stack in the cloud • Network scans require pre-authorization from the cloud provider • Not easy to map current day in-line solutions to cloud • Packet inspection at all egress points • Security Event and Incidents (SIEM) • Firewalls • Network and Host based IDS/IDP • Encryption • Proxies • Forensics & Malware Analysis • Vulnerability Scanning • Other in-line protection (e.g. FireEye) • Monitoring
  • 22. Example Use Cases Enterprise Logging
  • 23. Encryption – Use Case • Encryption – Rentable CloudHSM for Single Tenant • Centralized Key Management Solution – NIST 800-57 and Oasis Key Management Interoperability • Pre-Boot authentication for EC2/EBS • Client-side object encryption for S3 • File encryption for EC2 and S3 – available but need to be investigated • Proxy based encryption • Any future workloads with sensitive data should evaluate this first • Key Management (ssh and API)
  • 24. Hybrid model for Encryption - BYOK
  • 25. Example Use Cases Encryption Incident Response
  • 26. Enterprise Logging Architecture - Kafka • Enterprise Log Management (Beyond Security Logging) • Create logging strategy (e.g. KAFKA, ELK etc.) • Log Analysis Tools (Analytics) • Kafka - Developed by LinkedIn and now part of Apache project • Distributed system, easy to scale • Multiple Producers and Consumers • Producer • Publishes messages to a Topic • Topic • Message of a particular type • Consumer • Can subscribe to one or more Topics
  • 27. Enterprise Logging Architecture – ELK • Integrated Stack - Elastic Search, LogStash & Kibana (ELK) • Supports • Many Log Structures • Fast Searching • Scalability • Customizable Visualization • Commercial Support Available

Notas do Editor

  1. We live in a connected world and the foundation for these connections is the network. Broadband Internet traffic is doubling each and every year (according to IDC) [or] Internet traffic worldwide will grow three-fold by the year 2017. (Internet Trends, Mary Meeker (KCPB) Today we have 2.5 billion Internet users in the world – roughly one-third of the Earth’s population. In the next decade, the number of Internet users will double to 5 billion (Mary Meeker, KPCB) That means that two-thirds of the world will be connected by 2023. When you add in the big trends of cloud, mobility, video and security, the combined rate of acceleration is placing unprecedented demands on the network. [Optional stats/factoids] 100 hours of video uploaded every single minute to YouTube (YouTube)   Mobile video traffic exceeded 50 percent for the first time in 2012. (Cisco VNI)   Mobile network connection speeds more than doubled in 2012. (Cisco VNI)   In 2012, a fourth-generation (4G) connection generated 19 times more traffic on average than a non-4G connection. Although 4G connections represent only 0.9 percent of mobile connections today, they already account for 14 percent of mobile data traffic. (Cisco VNI)   [NOTE: Consider finding alternate source for above stats to avoid siting Cisco] As you just described (refer to pain points from previous slide), you are living in this world and feeling the pressure every day. Pradeep Sindhu founded Customer 17 years ago on the belief that we should solve technology problems that matter most to our customers and that make a difference in the world. He recognized the importance of the network and the impact it would have on our world. Our mission is simple, but powerful; to connect everything and empower everyone. In today’s connected world, this mission is more relevant than ever. Here at Customer we are focused on helping alleviate those pain points through our portfolio of high performance networking products. [T] And we do this by listening to our customers and helping them address their challenges and capitalize on their opportunities.