ultra secure cloud data center on aws
DESCRIPTION
This presentation is an introduction to Emind Systems' in-house best practice for an ultra-secure application deployment on the AWS cloud. This best practice is based on Emind's experience in performing dozens of infrastructure projects based on the Amazon Web Services’ platform.
TRANSCRIPT
Ultra Secure Data Center on Amazon Cloud
Lahav Savir, Architect & CEO, Emind Systems, [email protected]
About
Lahav Savir
• 15+ years in on-line industry
• Architect and CEO @ Emind Systems
Emind Systems (est. 2006)
• Boutique system integrator
• AWS solution provider
• 100+ AWS customers
Amazon (AWS) Certification
Amazon Solution Provider & Consulting Partner
https://aws.amazon.com/solution-providers/si/emind-systems-ltd
What is a secure data center?
• Isolated and controlled
• Firewalled
• Secure access
– VPN
– SSL
• Audited
• Intrusion detection & prevention
• Configuration analysis
• Data encryption
• Antivirus
• Frequent updates
• User management
– One-time password
• One spot for monitoring
– Centralized alerts and notifications
• Regulatory compliance
Emind’s best practice
Access Management
• Control the data flow
– AWS VPC
– ACL
– Routing
– Handle all in/out traffic
• Access control
– Security groups
• Identity access management
– One-time password
– AWS IAM with MFA
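The "configuration analysis" the deck calls for can be applied to the two access-management controls above. The following is an added example, not code from Emind's deck: an offline check over constructed security-group and IAM policy documents (shaped like describe-security-groups output and a standard policy document) that flags Internet-exposed ports other than the SSL/VPN entry points and Allow statements that do not require MFA. The allowed public ports are an assumption for the example.

```python
import json

# Assumption (constructed): only HTTPS and the VPN listener may face the Internet.
ALLOWED_PUBLIC = {("tcp", 443), ("udp", 1194)}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def open_to_world(sg):
    """Ingress rules reachable from any address on a port outside ALLOWED_PUBLIC."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if not cidrs & ANYWHERE:
            continue  # restricted to known sources, e.g. the VPN subnet
        proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1":  # "all traffic" rule
            findings.append((sg["GroupId"], "all", None, None))
        elif any((proto, p) not in ALLOWED_PUBLIC for p in range(lo, hi + 1)):
            findings.append((sg["GroupId"], proto, lo, hi))
    return findings

def allows_without_mfa(policy):
    """Sids of Allow statements lacking an aws:MultiFactorAuthPresent == true condition."""
    doc = policy if isinstance(policy, dict) else json.loads(policy)
    stmts = doc["Statement"]
    stmts = stmts if isinstance(stmts, list) else [stmts]
    weak = []
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() != "true":
            weak.append(s.get("Sid", "<no Sid>"))
    return weak

# Constructed samples shaped like describe-security-groups / IAM policy output.
SAMPLE_SGS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306,
        "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminNoMfa", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Sid": "AdminMfa", "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
]}
```

Run the two functions over the real output of `aws ec2 describe-security-groups` and `aws iam get-policy-version` to turn the slide's "configuration analysis" into a repeatable check.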
ACL & Routing in the VPC
Emind’s best practice
[Diagram of the best-practice stack: VPC, IAM, Traffic]
Traffic Control
• Log in / out traffic
• Terminate encrypted connection
• Sanitize in / out packets
– Real-time decisions
– Accept / reject connections
– Rate limiting
Emind’s best practice
[Diagram of the best-practice stack: VPC, IAM, Traffic, Encryption, Sanitize]
Anomaly detection
• Host-based IDS
– Detect configuration changes
– Track running processes
– Track file access
– Resource access
– Detect abnormal behavior!
• OS hardening
• App cleanup
Emind’s best practice
[Diagram of the best-practice stack: VPC, IAM, Traffic, Encryption, Sanitize, Host IDS, Hardening]
Data Protection
• In flight
– SSL encryption
– IPSec
• At rest
– Storage-level encryption
– Database encryption
Emind’s best practice
[Diagram of the best-practice stack: VPC, IAM, Traffic, Encryption, Sanitize, Host IDS, Hardening, Data Enc. (in flight), Data Enc. (at rest)]
Data aggregation
• Need to aggregate
– VPN access logs
– Traffic audit logs
– Network IDS logs
– Host IDS logs
– Antivirus logs
• Detect patterns
Emind’s best practice
[Diagram of the best-practice stack: VPC, IAM, Traffic, Encryption, Sanitize, Host IDS, Hardening, Data Enc. (in flight), Data Enc. (at rest), Aggregate]
Security lifecycle management
• Ongoing log discovery & analysis
– Access
– Traffic
– IDS
– Antivirus
– Encryption keys
• Act on analysis results
• Reveal and solve cloud infrastructure settings
• Make them all orchestrate together!
• goCloud – Emind’s optimal road to the cloud
– Secure cloud architecture
– Scalable & high-availability design
– Customized system deployment
– Orchestrating cloud and software
– Cloud operation team
– Monitoring and alerting
– 24x7 SLA