AWS April Webinar Series - How Willbros Builds Securely in AWS with Trend Micro
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jason Cradit, VP of Information Services, Willbros Group
Matt Yanchyshyn, Solutions Architect, AWS
Dawn Smeaton, Director, AWS Security, Trend Micro
April 21, 2015
How Willbros Builds Securely in AWS with Trend Micro
AWS Global Infrastructure (diagram): Application Services; Deployment & Administration; Networking; Database, Storage, Compute
Amazon Web Services (AWS) provides flexible, scalable, and cost-effective IT infrastructure for businesses of all sizes around the world.
What sets AWS apart?
• Experience: Building and managing cloud since 2006
• Service Breadth & Depth: 40+ services to support any cloud workload
• Pace of Innovation: History of rapid, customer-driven releases
• Global Footprint: 11 regions, 28 availability zones, 53 edge locations
• Pricing Philosophy: 47 proactive price reductions to date
• Ecosystem: Thousands of partners; 1,900+ Marketplace products
Security is Job Zero at AWS
Facilities
Physical security
Physical infrastructure
Network infrastructure
Virtualization infrastructure
• SOC 1, SOC 2 & SOC 3
• ISO 27001
• PCI Level 1
• FedRAMP
• AWS GovCloud (US)
• MPAA best practices alignment
Customers are running SOX, HIPAA, FISMA, DIACAP MAC III sensitive ATO, ITAR, …
The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Security with AWS
Auditability, Visibility, Control: Compliance reports, Amazon CloudWatch, AWS CloudTrail, AWS Config, “Describe” APIs, AWS IAM, AWS CloudHSM, AWS CloudFormation, AWS KMS
Defense-in-depth
• Network: Security groups, VPC configuration, Web application firewalls, Bastion hosts, Encryption in-transit
• System security: Hardened AMIs, OS and app patch mgmt., IAM roles for EC2, IAM credentials
• Data security: Logical access controls, User authentication, Encryption at-rest
• Physical: AWS compliance program, Third-party attestations
Encryption: data at rest in AWS
• EBS volume encryption: EBS encryption, OS tools, AWS Marketplace/partner solutions
• Object encryption: S3 server-side encryption (SSE), S3 SSE with customer-provided keys, client-side encryption
• Database encryption: Amazon Redshift encryption; RDS PostgreSQL (KMS); RDS MySQL (KMS); RDS Oracle (TDE/HSM); RDS MSSQL (TDE)
AWS Identity and Access Management (IAM)
• Users, Groups, Roles, Policies
• Multi-factor authentication for users (hardware or software token)
• Temporary credentials
• Root account and IAM administrative users
Enforce the principle of least privilege
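As an added example (not part of the webinar or of any AWS code), the evaluator below models the three IAM rules behind "least privilege" on this slide: a request starts as an implicit deny, an explicit Deny beats any Allow, and a Condition on aws:MultiFactorAuthPresent gates a sensitive action behind MFA. The policy document, bucket name and account id are constructed for the demo.

```python
# Added example, not from the webinar: a miniature evaluator for the IAM rules
# the slide relies on. Every request starts as an implicit deny, an explicit
# Deny beats any Allow, and a Condition (here aws:MultiFactorAuthPresent) can
# gate a sensitive action. The policy document below is constructed for the
# demo; real IAM evaluation has more inputs (SCPs, resource policies, ...).
from fnmatch import fnmatchcase
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str) -> bool:
    # IAM wildcards: "*" and "?" inside Action and Resource strings
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition: Dict[str, Any], ctx: Dict[str, Any]) -> bool:
    # Only the Bool operator is modelled; a key missing from the request
    # context does not match, exactly as a missing MFA claim should not.
    for key, expected in condition.get("Bool", {}).items():
        if str(ctx.get(key, "false")).lower() != str(expected).lower():
            return False
    return True


def is_allowed(policy: Dict[str, Any], action: str, resource: str,
               ctx: Dict[str, Any]) -> bool:
    allowed = False
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False            # explicit deny always wins
        allowed = True
    return allowed                  # nothing matched: implicit deny


# Constructed least-privilege policy for a read-only archive consumer who may
# stop instances only when the session was authenticated with MFA.
ARCHIVE_READER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-archive", "arn:aws:s3:::example-archive/*"]},
        {"Effect": "Allow", "Action": "ec2:StopInstances", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}
```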
Security Groups and NACLs
Security Groups:
• Instance level, stateful
• ALLOW rules only
• Default deny inbound, allow outbound
• Use as “whitelist” – least privilege
NACLs:
• Subnet level, stateless
• ALLOW and DENY
• Default allow all
• Use as “blacklist”/“guardrails” (ports 135, 21, 23…)
Separation of duties. Changes audited via AWS CloudTrail.
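The whitelist-versus-guardrail split above, as an added example that is not from the webinar or from AWS: a small model that evaluates an inbound packet against a NACL (stateless, numbered ALLOW/DENY rules, lowest number first) and then against a security group (stateful, ALLOW only, default deny inbound). It also shows two things the bullets imply but do not spell out: a reply packet needs its own outbound NACL rule, and a guardrail deny numbered above the default NACL's allow-all rule 100 never fires. All addresses, ports and rule numbers are constructed.

```python
# Added example, not from the webinar: a small model of how an inbound packet
# is judged first by the subnet's network ACL (stateless, numbered ALLOW/DENY
# rules, lowest number wins) and then by the instance's security group
# (stateful, ALLOW rules only, default deny inbound). All values constructed.
import ipaddress
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class NaclRule:
    number: int            # evaluated in ascending order; first match decides
    action: str            # "allow" or "deny"
    ports: range           # destination port range
    cidr: str = "0.0.0.0/0"

@dataclass(frozen=True)
class SgRule:
    ports: range           # a security group can only express ALLOW
    cidr: str = "0.0.0.0/0"

def _match(cidr: str, ip: str, ports: range, port: int) -> bool:
    return port in ports and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def nacl_allows(rules: List[NaclRule], ip: str, port: int) -> bool:
    for r in sorted(rules, key=lambda r: r.number):
        if _match(r.cidr, ip, r.ports, port):
            return r.action == "allow"
    return False           # every NACL ends with an unnumbered "*" deny

def sg_allows(rules: List[SgRule], ip: str, port: int) -> bool:
    return any(_match(r.cidr, ip, r.ports, port) for r in rules)  # no match: deny

def inbound_allowed(nacl_in: List[NaclRule], sg: List[SgRule], ip: str, port: int) -> bool:
    """Subnet guardrail first, then the instance whitelist."""
    return nacl_allows(nacl_in, ip, port) and sg_allows(sg, ip, port)

def reply_allowed(nacl_out: List[NaclRule], sg_accepted: bool, ip: str, port: int) -> bool:
    """The SG is stateful (a reply of an accepted flow passes automatically);
    the NACL is not, so the reply must match an outbound rule on its own."""
    return sg_accepted and nacl_allows(nacl_out, ip, port)

# Constructed sample: guardrail denies for 135/21/23 numbered BELOW the allow-all
# rule 100 that the default NACL ships with; numbered above it they never fire.
NACL_IN = [NaclRule(10, "deny", range(135, 136)), NaclRule(20, "deny", range(21, 22)),
           NaclRule(30, "deny", range(23, 24)), NaclRule(100, "allow", range(0, 65536))]
NACL_OUT = [NaclRule(100, "allow", range(1024, 65536))]   # ephemeral ports for replies
SG = [SgRule(range(443, 444)), SgRule(range(22, 23), "10.0.0.0/8"),
      SgRule(range(23, 24), "10.0.0.0/8")]   # SG would allow telnet; the NACL still stops it
```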
Diagram: traffic from Customer 1, Customer 2 … Customer n passes through the physical interfaces, the hypervisor, the virtual interfaces and a firewall; each customer has its own Security Groups.
Configure and harden EC2 instances based on security and compliance needs. Enforce consistent security on your hosts.
Diagram: launch an instance from the EC2 AMI catalog, then configure the running instance.
Your instance: Operating system; Hardening; Audit and logging; Vulnerability management; Malware and HIPS; Whitelisting and integrity; User administration
• Host-based protection software
• Restrict access where possible
• Connect to existing services
Jason Cradit
April 21st 2015
Oil and Gas Asset Security: Learn How Willbros Created Secure & Flexible Solutions with Trend Micro
Agenda
• Who is Willbros
• Willbros Integrity use-cases
• Security architecture and design considerations
Willbros
Willbros Group, Inc. is a global contractor specializing in energy infrastructure serving the oil, gas and power industries. Our offerings include engineering, procurement and construction, refinery turnarounds, pipeline construction, pipeline integrity management, GIS consulting and other specialty services to industry and government entities worldwide.
Pipeline Routing
Analytical routing solution
• Land owners vs. corridors
• Wetlands or other crossings
• Populated areas
• Slope or ground rock
• Federal or conserved lands
Old time vs. new time
• 10x improvement!!
Integra Link
• Assets are bought and sold
• Who made it? Where is it? When was it maintained?
• Assets are replaced (or need to be)
• Asset classifications change in the world
• Lag time back to office
Integra Link
Collaboration
• Field, Office, and Partners
• Visualization
• Risk
• Location
Requirements
• Fast and familiar (secure)
• One version of the truth
Basic Infrastructure
Infrastructure
• VDI
• Web
• Dev
• Archive
Build and deploy promptly
• Project based IT costs
• Agile elasticity
Information Security
• Confidentiality: Only those that should have access, do.
• Integrity: Only those that should modify it, can.
• Availability: The service and information is there when you need it.
Security: In the old world
• Minimize egress/ingress
• Protections at the perimeter – impossible math
• Once the bad dude is in, he is in
• IDS definitions are BROAD!
• Lots to manage
• Endpoint, physical perimeter, network, server, etc.
• Scale vs. cost vs. security
• Scary patch cycles
• Could just implement this in the cloud
• Agility and scale, price
Security: In the old world
Brown fields:
• Bolt-on, forklift or remove (or $$$$)
• Incident response
• Keep service up vs. drop service to mitigate vulnerability
• Lessons learned are road-mapped
• Resources to manage the old and the new
• Rigorous change control processes
• Disaster recovery expense
• Manual testing not representative of actual failure
Security: New world
• No physical, just logical
• Multiple ingress/egress
• Containerization
• Protection closer to the information
• Only necessary protections
• Shared security analytics
Security: New world
Always Green fields:
• Lessons learned enacted now
• DR testing and implementation as code
• IR failover or rebuild but retain old for investigation
• Manage scope
• One environment doesn’t impact another
• No cookie-cutters
• One new problem…
Trend Micro
Security with Trend
• Detect and enforce at the account level
• Auto load policy
• Alert on new or unsecured environments
• Reduce attack vectors by narrowing scope
• Improved 0-day hole
• Parallel IDS/IPS at each host
• File Integrity Management
• Log Inspection
Trend Micro Deep Security Protection
Defend against network attacks
Virtually patch software
Keep malware off workloads
Uncover suspicious changes
Copyright 2015 Trend Micro Inc.
Simplify your life with a single security solution, built for AWS
Fits How You Want to Buy and Deploy
• AWS Marketplace: on your AWS bill for simplified procurement & billing
• Software: annual license for hybrid environments or maximum control
• Software as a Service: usage-based pricing for small instances or variable workloads