3 secrets to becoming a cloud security superhero
TRANSCRIPT
Pat McDowell, Solutions Architect with AWS
Dawn Smeaton, Director - Cloud Workload Security with Trend Micro
Tuesday, May 10 2016
AWS and you share responsibility for security
AWS takes care of the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls ON the Cloud:
• Customer applications & content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption
This is you…
This is you with Trend Micro + AWS
Your new superpowers… Invisibility, X-ray Vision, Shapeshifting
Superpower #1: Shapeshift
Design a workload-centric security architecture
[Architecture diagram] Before (on-premises): Load Balancer and Firewall/IPS in front of the Web Tier, App Tier and DB Tier.
[Architecture diagram] After (AWS): Elastic Load Balancing; Web Tier and App Tier on Amazon EC2; DB Tier on Amazon RDS, DynamoDB and Amazon S3; Amazon VPC & Security Groups; IAM and CloudTrail; Firewall/IPS.
Shapeshift superpower demo
Don’t replicate the on-premises design on Amazon EC2… WARNING: single point of failure, limited throughput
Shapeshift with an Elastic Load Balancer… MISSION ACCOMPLISHED: no single point of failure, unlimited throughput
CASE STUDY: Enable rapid innovation with host-based security
Reduced risk and adopted automated, workload-centric security
• Enabled DevOps with shift from unmanageable open source solution to Deep Security
• Prevented over 5,000 attacks in 7 days with IPS
• Immediate vulnerability protection – met 2 day patch pace, bought time for proper patch cycle
“Deep Security helps Healthdirect achieve rapid innovation. It takes us the least amount of time to manage in our environment. We put it in and it just works.”
http://cloudsecurity.trendmicro.com/us/technology-innovation/customers-partners/healthdirect-australia/index.html
Confidential under NDA | Copyright 2016 Trend Micro Inc
Shapeshift for Amazon Web Services
• Security inside each workload
• Protect instance-to-instance traffic
• Make it context sensitive (fast and low false-positive)
• No bottleneck
• No single point of failure
= Cloud friendly IPS
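One way to make the "protect instance-to-instance traffic" point checkable, as an added example that is not from the slides or from any AWS or Trend Micro tool: a per-tier policy for the three-tier design above, evaluated against security-group ingress rules. The group ids, ports and the flattened rule shape are assumptions constructed for the demo.

```python
# Added example (not from the slides or any AWS/Trend Micro tool): enforce the
# "protect instance-to-instance traffic" point by checking security-group ingress
# rules against a per-tier policy. Group ids, ports and the flattened rule shape
# are constructed for the demo.

# Policy for the three-tier design on the slides: tier group -> {port: allowed source groups}.
TIER_POLICY = {
    "sg-web": {443: {"sg-elb"}},     # only the load balancer reaches the web tier
    "sg-app": {8080: {"sg-web"}},    # only the web tier reaches the app tier
    "sg-db": {3306: {"sg-app"}},     # only the app tier reaches the database tier
}

# Constructed ingress rules, one dict each, as a describe call might be flattened.
SAMPLE_RULES = [
    {"group": "sg-web", "port": 443, "source_sg": "sg-elb"},
    {"group": "sg-app", "port": 8080, "source_sg": "sg-web"},
    {"group": "sg-app", "port": 8080, "source_sg": "sg-elb"},   # bypasses the web tier
    {"group": "sg-db", "port": 3306, "source_sg": "sg-app"},
    {"group": "sg-db", "port": 3306, "cidr": "0.0.0.0/0"},      # database open to the internet
    {"group": "sg-db", "port": 22, "cidr": "10.0.0.0/16"},      # port the policy never allows
]

def find_violations(rules, policy=TIER_POLICY):
    """Return (group, port, source) for each rule the tier policy does not allow.

    A rule passes only when its group and port are in the policy and its source is
    one of the allowed security groups. CIDR sources never pass: traffic between
    tiers should be expressed as security-group references, not address ranges.
    """
    violations = []
    for rule in rules:
        allowed = policy.get(rule["group"], {}).get(rule["port"], set())
        source = rule.get("source_sg") or rule.get("cidr")
        if "cidr" in rule or source not in allowed:
            violations.append((rule["group"], rule["port"], source))
    return violations

if __name__ == "__main__":
    for group, port, source in find_violations(SAMPLE_RULES):
        print(f"VIOLATION: {group} accepts {source} on port {port}")
```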
Superpower #2: Invisibility
Automate and blend in, don’t bolt on
Invisibility superpower demo
[Diagram] Creating an audit trail, before (on-premises): servers, storage area network, firewall, IPS, central logging, change records, report.
[Diagram] Creating an audit trail, after (hybrid on-premises and AWS): CloudTrail & AWS Config, Deep Security Management console, Amazon EC2 instances, Amazon S3, CloudFront, Amazon RDS, payment and client data, report.
CASE STUDY: Agile protection with audit evidence
Top 10 global sports brand delivered high performance, scalable applications, while meeting rigid security requirements
• Security seamlessly scaled with Amazon EC2
• Provided audit evidence needed for internal and PCI DSS compliance requirements
• Unified policies across hybrid architecture with IPS, Integrity Monitoring and Anti-malware
Make Security Invisible for Amazon Web Services
• Build it in, not bolt on
• Fully automate security
• Automate record keeping for auditors
= Security designed for AWS
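What "automate record keeping for auditors" looks like on the CloudTrail side, as an added example that is not from the slides or from Deep Security: raw CloudTrail events reduced to a change record of who made which write call, from where, with calls that weaken the trail itself flagged. The records are constructed to follow CloudTrail's JSON layout; the user names, addresses and trail name are assumptions.

```python
import json

# Added example (not from the slides): turn raw CloudTrail events into the change
# record an auditor asks for. The records are constructed to follow CloudTrail's
# JSON layout (eventTime, eventName, eventSource, userIdentity, ...); none are real.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-05-10T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-web", "fromPort": 443, "cidrIp": "0.0.0.0/0"}},
    {"eventTime": "2016-05-10T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "requestParameters": None},
    {"eventTime": "2016-05-10T11:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "main-trail"}},
]})

READ_PREFIXES = ("Describe", "List", "Get")   # read-only calls, not changes
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}  # weaken the audit trail

def change_records(trail_json):
    """Return one row per non-read-only event, oldest first: who, from where,
    which service, which call, and a flag when the call touches CloudTrail itself."""
    rows = []
    for rec in json.loads(trail_json)["Records"]:
        name = rec["eventName"]
        if name.startswith(READ_PREFIXES):
            continue
        ident = rec["userIdentity"]
        rows.append({
            "time": rec["eventTime"],
            "user": ident.get("userName", ident.get("arn", ident["type"])),
            "ip": rec["sourceIPAddress"],
            "source": rec["eventSource"].split(".")[0],
            "event": name,
            "params": rec.get("requestParameters") or {},
            "flag": "TRAIL-TAMPERING" if name in TRAIL_TAMPER else "",
        })
    return sorted(rows, key=lambda r: r["time"])

if __name__ == "__main__":
    for r in change_records(SAMPLE_TRAIL):
        print(r["time"], r["user"], f'{r["source"]}:{r["event"]}', r["params"], r["flag"])
```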
Superpower #3: X-ray Vision
Improve visibility of AWS and hybrid environments
CASE STUDY: Creating an invincible web site
• Protects site against malicious changes with a Deep Security driven auto-recovery mechanism
• Reduced risk of cyberattack for high profile product launch (RoBoHoN)
• Immediately fixes unauthorized changes by using FIM and CMS to restore original content
• Sped response to cyberattack from 2+ days to seconds, without server shutdown
“Deep Security defends from the communication layer to the application layer. There is no other software product on the market that offers that depth of protection”
http://cloudsecurity.trendmicro.com/us/technology-innovation/customers-partners/sharp/index.html
Use X-ray vision on AWS
• Use Integrity Monitoring and Log monitoring to see inside instances
• Detect suspicious changes that are indicators of compromise and unintended changes
= Total visibility
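The integrity-monitoring and auto-recovery idea from the case study above, as an added example that is not from the slides or from Deep Security: hash a web root, diff it against a baseline to classify modified, added and deleted files, and restore the changed files from a known-good copy standing in for the CMS. The directory layout and file contents are constructed for the demo.

```python
import hashlib, shutil, tempfile
from pathlib import Path

# Added example (not from the slides or Deep Security): a minimal file-integrity
# monitor with the auto-recovery idea from the case study above: hash the web root,
# diff against a baseline, and restore changes from a known-good copy (the "CMS").

def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Classify differences between two snapshots: modified, added, deleted files."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }

def restore(root, golden, changes):
    """Return root to the golden copy: re-copy modified and deleted files, remove added ones."""
    root, golden = Path(root), Path(golden)
    for f in changes["modified"] + changes["deleted"]:
        (root / f).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(golden / f, root / f)
    for f in changes["added"]:
        (root / f).unlink()

def demo():
    """Simulate a defacement; return (changes detected, changes remaining after restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        golden, live = Path(tmp, "golden"), Path(tmp, "live")
        (golden / "js").mkdir(parents=True)
        (golden / "index.html").write_text("<h1>RoBoHoN launch</h1>")
        (golden / "js" / "app.js").write_text("console.log('ok');")
        shutil.copytree(golden, live)
        baseline = snapshot(live)
        # constructed tampering: defaced page, injected script, deleted asset
        (live / "index.html").write_text("<h1>defaced</h1>")
        (live / "js" / "injected.js").write_text("/* unauthorized */")
        (live / "js" / "app.js").unlink()
        detected = compare(baseline, snapshot(live))
        restore(live, golden, detected)
        return detected, compare(baseline, snapshot(live))

if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be taken from the CMS publish step and the monitor would run on a schedule or on file-change events, so that restoration happens within seconds rather than after a manual investigation.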
Securing your data on AWS
Better Security
Your data and IP are your most valuable assets
• $6.53M: Average cost of a data breach (https://www.csid.com/resources/stats/data-breaches/)
• 56%: Increase in theft of hard intellectual property (http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html)
• 70%: Of consumers indicated they’d avoid businesses following a security breach (https://www.csid.com/resources/stats/data-breaches/)
AWS can be more secure than your existing environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than their on-premises environment. How?
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
Constantly monitored: The AWS infrastructure is protected by extensive network and security monitoring systems:
• Network access is monitored by AWS security managers daily
• CloudTrail lets you monitor and record all API calls
• Amazon Inspector automatically assesses applications for vulnerabilities
Highly available: The AWS infrastructure footprint protects your data from costly downtime:
• 33 Availability Zones in 12 regions for multi-synchronous geographic redundancy
• Retain control of where your data resides for compliance with regulatory requirements
• Mitigate the risk of DDoS attacks using services like Auto Scaling and Route 53
Integrated with your existing resources: AWS enables you to improve your security using many of your existing tools and practices:
• Integrate your existing Active Directory
• Use dedicated connections as a secure, low-latency extension of your data center
• Provide and manage your own encryption keys if you choose
Key AWS Certifications and Assurance Programs
Your new superpowers… Shapeshifting, Invisibility, X-ray Vision
Gartner Best Practices for Securing AWS workloads
Get your copy at: trendmicro.com/aws
http://aws.amazon.com/featured-partners/trendmicro/