#RSAC
Session ID: CSV-F01
Hardening the Cloud: Assuring Agile Security in High-Growth Environments (Moving from span ports to virtual appliances)
Aaron McKeown, Lead Security Architect, Xero
Beautiful cloud-based accounting software. Connecting people with the right numbers anytime, anywhere, on any device.
1,450+ staff globally
$474m raised in capital
$202m subscription revenue FY16
$1tr in incoming and outgoing transactions in the past 12 months
450m incoming and outgoing transactions in the past 12 months
All figures shown are in NZD
Public Cloud Migration
Supporting the next wave of growth
Reducing our cost to serve
Improving data protection
Eliminating scheduled downtime
Maintaining and improving security
Key Challenges
Skills are scarce
Regional representation and recommendations
Application architecture has to change
Automation is key
Third-party commercial models need to change
Need to focus on visibility
Challenge #1: Skills are scarce
Make an initial investment in education
Join industry groups and forums
Selective engagement of contractors
Promotion of industry wide cyber skills
Challenge #2: Regional representation and recommendations
Build a strong relationship with AWS
Reach out to your contacts
Look at alternatives
Build a communication path to remote organizations
Challenge #3: Application architecture has to change
Work in cross-functional teams
Deliver in short, frequent cycles
Communicate quickly and effectively
Build and deliver “security as a service”
Challenge #4: Automation is key
Make automation a core principle
Start with basic use of CloudFormation
Use a code repository
Build a Continuous Integration (CI) and Continuous Delivery (CD) system
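The four steps above (CloudFormation, a code repository, CI/CD) only pay off for security if the pipeline can refuse a bad template before it is deployed. The following is an added example of such a gate, not Xero's tooling or an AWS product: it takes a CloudFormation template already loaded into a dict by the CI job (YAML/JSON parsing is assumed to happen upstream), applies two starting rules (no SSH/RDP or all-traffic ingress open to the world, no public S3 canned ACLs), and exits non-zero on any finding. The sample template is constructed for the example, and the rule set is a first baseline rather than a complete policy.

```python
"""Pre-deploy security gate for a CloudFormation template, meant to run in CI.

Added example for this page; it is not Xero's tooling and not an AWS product.
Assumptions: the template has already been loaded into a dict by the CI job,
and the two rules below (no admin ports open to the world, no public S3 ACLs)
are a first baseline, not a complete policy.
"""
import sys

# Constructed template with one acceptable and two failing resources.
TEMPLATE = {
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "public HTTPS only",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "ssh from anywhere (should fail)",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
    }
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}


def _resources(template, rtype):
    """Yield (logical_name, properties) for every resource of the given type."""
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == rtype:
            yield name, res.get("Properties", {})


def check_world_admin_ingress(template):
    """Flag security group rules that expose SSH/RDP (or all traffic) to the world."""
    findings = []
    for name, props in _resources(template, "AWS::EC2::SecurityGroup"):
        for rule in props.get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in WORLD_CIDRS:
                continue
            if rule.get("IpProtocol") == "-1":
                # Protocol -1 means all traffic; ports are absent in that case.
                findings.append(f"{name}: all traffic open to {cidr}")
                continue
            lo = int(rule.get("FromPort", 0))
            hi = int(rule.get("ToPort", 65535))
            if any(lo <= port <= hi for port in ADMIN_PORTS):
                findings.append(f"{name}: ports {lo}-{hi} open to {cidr}")
    return findings


def check_public_buckets(template):
    """Flag S3 buckets created with a public or authenticated-users canned ACL."""
    return [f"{name}: bucket ACL {props['AccessControl']}"
            for name, props in _resources(template, "AWS::S3::Bucket")
            if props.get("AccessControl") in PUBLIC_ACLS]


def run_gate(template):
    """Run all checks; an empty list means the template may be deployed."""
    return check_world_admin_ingress(template) + check_public_buckets(template)


if __name__ == "__main__":
    problems = run_gate(TEMPLATE)
    for p in problems:
        print("FAIL", p)
    sys.exit(1 if problems else 0)
```

Wire `run_gate` into the CI job that validates the template, before `aws cloudformation deploy`; the exit code is what fails the build. New rules are just more functions added to `run_gate`, which is what "iterate, iterate, iterate" looks like in practice.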
Challenge #5: Need to focus on visibility
Enable CloudTrail by default in every AWS account
Track configuration drift
Get the development teams invested
Extend the security team into a virtual team
Challenge #6: Third-party commercial models need to change
Do what we advise others to do: use the cloud
Work with our technology partners and vendors
Move from perpetual licenses to core-based licenses
Address commercial and legal issues first
Key Principles
Repeatable, automated build and management of security systems
Accelerated pace of security innovation
On-demand security infrastructure that works at any scale
Key Learnings
Security by design - what's that?
Communication is key
Welcome to the cloud - “Where’s my span port?”
Measure & Test, monitor everything
Key Learnings: Security by design - what's that?
Build security into every layer
Treat your infrastructure as code
Iterate, iterate, iterate
Build security into the product lifecycle
Key Learnings: Communication is key
Make everyone a spokesperson
Evangelize and sell your service
Communicate success (as well as failure)
Documentation is critical
Key Learnings: Measure & test, monitor everything
How do you know what normal looks like?
Continually track configuration drift
Do a gap analysis
Perform internal and external testing
Key Learnings: Welcome to the cloud - "Where's my span port?"
Change your way of thinking
Expand your scope of responsibility
It is a shared journey for all
Use cross-functional teams
The New Paradigm of Shared Responsibility
Security OF the Cloud (AWS):
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Security IN the Cloud (Xero + Partner Ecosystem):
Xero Applications & Content
Identity & Access Control
Network Security
Inventory & Config
Data Encryption
Security as a Service
VPN connectivity
Host Based Security
Web Application Security and Delivery
Shared Key Management Services
Secure Bastion Access
Proxy Services
Security Operations and Consulting Services
Multi-Factor Authentication
The decision to use MFA was a core component of the security design
User awareness was initially an issue
Some users refused to use the system
Multiple MFA systems were already in place
Enable the enhanced MFA features
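Deciding on MFA and then meeting users who refuse it means the control needs a detective side as well: the CloudTrail records that the visibility challenge above says to enable in every account are where non-compliance shows up. The following is an added example of that detection, not Xero's or AWS's code. The records are constructed to follow the CloudTrail event shape (`userIdentity`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`), the rule names are my own, and a real job would read the gzipped JSON objects CloudTrail delivers to S3 and pass each file's `Records` array to `detect()`.

```python
"""Detective control for the MFA decision: find console logins without MFA,
any root console login, and removal of MFA devices, from CloudTrail records.

Added example for this page, not Xero's or AWS's code. The records below are
constructed to follow the CloudTrail event shape; the rule names are my own.
"""
import json

# Constructed CloudTrail records (not from a real account).
RAW_LOG = r'''{"Records": [
 {"eventTime": "2017-02-14T01:02:03Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2017-02-14T01:05:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2017-02-14T02:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
  "sourceIPAddress": "198.51.100.9", "additionalEventData": {"MFAUsed": "Yes"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2017-02-14T02:01:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"},
  "sourceIPAddress": "198.51.100.9", "additionalEventData": {"MFAUsed": "No"},
  "responseElements": {"ConsoleLogin": "Failure"}},
 {"eventTime": "2017-02-14T02:02:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "DeactivateMFADevice", "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "sourceIPAddress": "198.51.100.7",
  "requestParameters": {"userName": "bob", "serialNumber": "arn:aws:iam::123456789012:mfa/bob"}}
]}'''

# IAM API calls that take an MFA device away from a user.
MFA_REMOVAL_EVENTS = {"DeactivateMFADevice", "DeleteVirtualMFADevice"}


def load_records(raw):
    """Parse one CloudTrail log file body into its list of events."""
    return json.loads(raw)["Records"]


def principal(event):
    """Best-effort name of who acted: the IAM user name, else the identity type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def detect(records):
    """Return (rule, principal, eventTime, sourceIPAddress) for each hit, in log order."""
    hits = []
    for ev in records:
        name = ev.get("eventName")
        who, when, ip = principal(ev), ev.get("eventTime"), ev.get("sourceIPAddress")
        if name == "ConsoleLogin":
            # Failed logins are noise for this rule; only successful sessions matter.
            if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
                continue
            if ev.get("userIdentity", {}).get("type") == "Root":
                # Root should not be used for daily work even with MFA.
                hits.append(("root_console_login", who, when, ip))
            elif ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                # Missing MFAUsed is treated the same as "No".
                hits.append(("console_login_without_mfa", who, when, ip))
        elif name in MFA_REMOVAL_EVENTS:
            # Report the user who lost the device, not only the caller.
            target = ev.get("requestParameters", {}).get("userName", who)
            hits.append(("mfa_device_removed", target, when, ip))
    return hits


if __name__ == "__main__":
    for hit in detect(load_records(RAW_LOG)):
        print(*hit)
```

The preventive half of the same control is an IAM policy that denies actions when the `aws:MultiFactorAuthPresent` condition key is false; the script above is what tells you who is still getting around it, which is the list needed for the user-awareness work the slide describes.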
Configuration Drift Management
Finding the needle in an automated and freedom-to-deploy haystack
Used Netflix Security Monkey to track, monitor, and action key AWS resource changes
Watchers configured across all AWS accounts
Started as an internal Cloud Security tool
Adoption was driven by the product teams
Risk and compliance utilization for best practice review
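"Track configuration drift" appears under the visibility challenge, again under "Measure & test", and is the whole of this slide. The following is an added example of the mechanism behind a watcher like the one described, written for this page; it is not Xero's code and not Security Monkey itself. It diffs a baseline snapshot of account resources against the current one (dicts keyed by resource id, constructed here; a real watcher builds them from describe-* API calls and persists the baseline between runs) and then triages the changes so the dangerous ones are not buried in renames. The severity rules are my own starting point.

```python
"""Security-Monkey-style drift detection: diff a baseline snapshot of
account resources against the current one and triage what changed.

Added example for this page, not Xero's code and not Security Monkey itself.
Snapshots are constructed dicts keyed by resource id; the triage rules and
severities are my own starting point.
"""
import copy
import json

# Constructed baseline snapshot (not a real account).
BASELINE = {
    "sg-0a1b2c": {"name": "web",
                  "ingress": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
    "sg-0d3e4f": {"name": "db",
                  "ingress": [{"proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.0.0.0/16"}]},
    "user/alice": {"mfa": True, "policies": ["ReadOnlyAccess"]},
}

# Constructed "current" snapshot: someone renamed a group (harmless), opened SSH
# on the database group to the world, turned off alice's MFA and made her an admin.
DRIFTED = copy.deepcopy(BASELINE)
DRIFTED["sg-0a1b2c"]["name"] = "web-frontend"
DRIFTED["sg-0d3e4f"]["ingress"].append({"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"})
DRIFTED["user/alice"]["mfa"] = False
DRIFTED["user/alice"]["policies"].append("AdministratorAccess")

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _walk(path, old, new, out):
    """Recursive diff. Dicts by key, lists as unordered sets of JSON-encoded items."""
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else key
            if key not in old:
                out.append(("added", sub, new[key]))
            elif key not in new:
                out.append(("removed", sub, old[key]))
            else:
                _walk(sub, old[key], new[key], out)
    elif isinstance(old, list) and isinstance(new, list):
        before = {json.dumps(x, sort_keys=True) for x in old}
        after = {json.dumps(x, sort_keys=True) for x in new}
        for item in sorted(after - before):
            out.append(("added", path + "[]", json.loads(item)))
        for item in sorted(before - after):
            out.append(("removed", path + "[]", json.loads(item)))
    elif old != new:
        out.append(("changed", path, (old, new)))


def diff_snapshots(baseline, current):
    """Return (kind, path, value) tuples describing every difference."""
    changes = []
    _walk("", baseline, current, changes)
    return changes


def triage(changes):
    """Attach a severity to each change so the noisy ones don't bury the dangerous ones."""
    out = []
    for kind, path, value in changes:
        sev = "low"
        if kind == "added" and path.endswith("ingress[]") and isinstance(value, dict) \
                and value.get("cidr") in WORLD_CIDRS:
            sev = "high"  # new ingress from the whole internet
        elif kind == "added" and path.endswith("policies[]") and "Administrator" in str(value):
            sev = "high"  # privilege escalation via attached policy
        elif kind == "changed" and path.endswith(".mfa") and value == (True, False):
            sev = "high"  # MFA switched off
        out.append((sev, kind, path, value))
    return out


if __name__ == "__main__":
    for sev, kind, path, value in triage(diff_snapshots(BASELINE, DRIFTED)):
        print(f"{sev:4} {kind:7} {path}: {value}")
```

Running the watcher on a schedule across every account, as the slide describes, is a matter of producing the snapshot per account and keeping yesterday's as the baseline; the "action" step is whatever the team decides to do with a "high" finding (notify, open a ticket, or revert automatically).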
Host Security Automation
Next layer of defense at the host level
Used to monitor, notify, and action instance-level configurations, vulnerabilities and integrity
Automated roll-out and integration with all hosts
Make use of the cloud
Adopt elasticity and automation
Accelerated pace of development
Apply What You Have Learned Today
Week 1:
• Activate multi-factor authentication
• Enable CloudTrail
• Start your first automation!
Month 3:
• Define your principles
• Develop a security architecture
• Start to track your configuration drift
Month 6:
• Measure, test & monitor everything
• Build a culture of communication
• Automate more!