Top 5 Security Errors and How to Avoid Them James Brown Head of Public Cloud Palo Alto Networks


Key findings based on customer research and breach analysis, July – October 2018

49% of organizations leave their databases unencrypted

• Encrypt, encrypt, encrypt!
• Encryption of S3 buckets allows that data to remain untampered with and valid for audits down the road
• Encryption of RDS protects information even if databases are compromised or copied in a malicious manner

41% of account access keys have not been rotated in more than 90 days

• Rotate Keys Regularly
• Rotate ALL credentials, passwords, and API Access Keys on a regular basis

32% of organizations publicly exposed at least 1 S3 bucket

• Don’t let your S3 bucket policies atrophy
• Strengthen S3 buckets with either IAM Policies, S3 Bucket Policies, or S3 Access Control Lists

29% of organizations enable root user activities

• Disable Root Account API Access Key
• Create IAM admin users. At least 2, no more than 3 per IAM group
• Grant access to billing information and tools
• Disable/Remove the default AWS root user API access keys

27% of organizations leave default network settings for at least 1 account

• Always lock down the IP and port through which you will access your AWS environment
• Only turn on access when it is needed, and turn it off again once administrative work has been accomplished
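One way to check the "lock down the IP and port" advice is to scan security group rules for administrative ports reachable from any address. This is an added example, not part of the original slides: the group IDs and rules are constructed sample data in the shape of `aws ec2 describe-security-groups` output, and the choice of SSH and RDP as the administrative ports is an assumption.

```python
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # assumed set of administrative ports
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "wide-open",
   "IpPermissions": [{"IpProtocol": "-1",
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "bastion",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc", "GroupName": "web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}
""")


def open_admin_ingress(groups):
    """Return sorted (group_id, port_label) pairs reachable from any address."""
    findings = set()
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & ANYWHERE:
                continue  # source is restricted to specific addresses
            proto = perm["IpProtocol"]
            if proto == "-1":
                # "-1" means all protocols and ports; FromPort/ToPort are absent
                findings.add((sg["GroupId"], "ALL"))
                continue
            if proto != "tcp":
                continue
            for port, label in ADMIN_PORTS.items():
                if perm["FromPort"] <= port <= perm["ToPort"]:
                    findings.add((sg["GroupId"], label))
    return sorted(findings)


if __name__ == "__main__":
    for group_id, label in open_admin_ingress(SAMPLE):
        print(f"{group_id}: {label} open to any address")
```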

Why So Many Security Errors? Disparate Point Product Offerings

Diagram: point products across Dev and Ops: CSP native tools, container security tools, SIEM, network monitoring tools, CASB, GRC tools, open source tools.

• Siloed tools
• Can’t correlate across network, user and config
• Not multi-cloud
• Limited Compliance
• AWS Well Architected framework
• DIY security - too much data, too much noise
• Very expensive
• Only provides part of the story
• IP addresses are elastic in cloud
• Lacks cloud-native context
• Not built for cloud
• Great user & data context, lacks infrastructure context (network traffic, vuln, etc.)
• Lacks threat hunting and incident response
• Higher TCO, requires constant upkeep with CSPs
• Limited coverage

© 2019 Palo Alto Networks, Inc. Confidential and Proprietary.

Effective Cloud Security: Series of Integrated Security Requirements

• What’s actually happening? Network Security / Flow Logs / Threat Intel
• Who is making changes and why? Credentials / Actions / Identity
• What do I have in the cloud? Asset Inventory
• Are my hosts and containers secure? Runtime Security / Image & Vuln Scanning
• Is my app & data secure? DLP / Serverless / AppSec
• Am I compliant? Configurations / Compliance Reporting

The Problems We Can Help You Solve

Network Security / Flow Logs / Threat Intel
• Real-time network visibility and incident investigations
• Suspicious/malicious traffic detection
• Virtual firewall for in-line protection (VM-series)

Credentials / Actions / Identity
• Account & access key compromise detection
• Anomalous insider activity detection
• Privileged activity monitoring

Visibility / Configurations / Compliance
• Asset inventory tracking and cloud “time machine”
• Compliance scanning (CIS, PCI, GDPR, etc.)
• Configuration best practices

Runtime Security / Image & Vuln Scanning
• Runtime security*
• Static image analysis (vulnerabilities and compliance)*
• Configuration monitoring (for cloud native)

DLP / Serverless / AppSec
• Serverless*
• DLP & malware scanning

* Potential future roadmap

The Most Complete Cloud Security Offering

• Detective control
• Infrastructure security
• Incident response
• Data protection

Visit Our Booth to Learn More

THANK YOU