
Adaptive Cloud Security: Game-Changing Cloud Security and Compliance Automation Strategies | AWS Public Sector Summit 2016


Page 1: Adaptive Cloud Security: Game-Changing Cloud Security and Compliance Automation Strategies | AWS Public Sector Summit 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Robert Groat, EVP Technology and Strategy, Smartronix

June 21, 2016

Adaptive Cloud Security

Game Changing Cloud Security and Compliance Automation Strategies

Page 2

Smartronix intro

- Premier Partner for all 4 years
- Inaugural Managed Services Partner
- Inaugural DevOps competency
- 1st to bring federal government into AWS
- 1st to implement FISMA Moderate/FedRAMP solutions (NIST 800-53 Rev. 4)
- One of the largest channel resellers

Successfully completed FedRAMP 3PAO Assessment for our CloudAssured Managed Services

Page 3

History lesson—2009

CISO quotes:

- “Cloud is too new.”
- “Unproven technologies.”
- “Not secure?”

Cloud is used for web, DR, R&D, storage, email.

Main drivers for use are cost and agility.

Page 4

Cloud 2016

CIO quotes:

- “I want to move everything to the cloud.”
- “Why aren’t we doing more in the cloud?”

Cloud is used for all workloads.

Main drivers for use are security, agility, then cost.

Page 5

Cloud 2016

If security isn’t the number one reason for you to move to the cloud, it probably should be.

Fundamental Theorem of Cloud Transformation

“The area of success is exponentially related to the ability to automate security and compliance at scale.”

Page 6

Adaptive cloud security

What is it?

Why is it important?

Let’s look at some troubling reasons why it is necessary…

Page 7

Your data center infrastructure is $#%@!

- Your network has been breached
- Your physical security is weak
- Your environment is wildly heterogeneous
- You lack organizational standardization

You don’t know what is in there and you have lost control

Page 8

Your application security is even more $#%@!

- Applications built 10–20 years ago are still running and still exposing the same weaknesses
- Your supply chain of application partners is ever changing
- Your application security standardization is virtually nonexistent
- Your security tools do not cover all security aspects/threats

You don’t know what applications and processes you have running and the environment is in constant flux

Page 9

The hard truth

One bad firewall rule from a junior administrator can enable a breach

One bad web application service written by a lazy programmer can enable a breach

One smart, well-positioned, overly credentialed admin can leave your data center with a lot of information

Page 10

Wait, so the cloud fixes this?

What is easier to protect?

a) A physical infrastructure that has evolved out of control for 20+ years, where you don’t even fully know what’s in it?

b) A modern architecture where everything is accessed via software API endpoints?

Look at what you have tried to put in place over the last 5 years at a macro level.

Page 11

How to make a CISO happy

- Know everything running at all times
- Be alerted when any configuration change happens
- Build immutable environments
- Enable policy-based access for all privileged components
- Log everything
- Enforce compliance
- Enforce backups
- Ensure everything is encrypted

Page 12

Major security automation enablers

- AWS CloudTrail
- AWS Config/Config Rules
- Amazon CloudWatch/CloudWatch Logs
- Amazon Inspector
- AWS WAF for CloudFront
- AWS Lambda
- Amazon VPC endpoints
- AWS Identity and Access Management (IAM)
- AWS Trusted Advisor
- AWS KMS
- AWS CloudHSM
- AWS Certificate Manager (ACM)
- AWS STS
- Amazon Machine Learning
- Amazon Elasticsearch Service
- Amazon VPC Flow Logs
- AWS CloudFormation
- AWS reference architectures

Page 13

Foundational security & compliance automation

Pre-approved list of launchable Amazon Machine Images (AMIs) and services

- Locked down by policy
- Managed by AWS Service Catalog
- Version controlled with CloudFormation
- Governed by Config Rules and CloudWatch and automatically revoked by Lambda

Page 14

Foundational security & compliance automation

Privileged User Access Management

- Locked down by IAM policy, device, location
- Governed by CloudTrail, CloudWatch Logs
- Automated notifications and potentially revoked
- Forensics using CloudTrail logs
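The "governed by CloudTrail" and "forensics using CloudTrail logs" points above amount to scanning CloudTrail records for privileged activity that violates the access policy. The following is an added example, not code from the deck or from Smartronix: it walks a handful of constructed CloudTrail records and emits findings for root-account use, console logins without MFA, calls from outside an approved source CIDR, and a small set of privileged IAM/EC2 changes. The approved CIDR, the privileged-event list and all sample records are assumptions made up for the example; the field names (`userIdentity.type`, `eventSource`, `eventName`, `sourceIPAddress`, `additionalEventData.MFAUsed`) are the real CloudTrail record fields.

```python
"""Scan CloudTrail records for privileged-access policy violations (added example)."""
import ipaddress

# Assumption: the only network privileged users may operate from (constructed, TEST-NET-3).
APPROVED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: API calls that change privilege or boundary posture and deserve a notification.
PRIVILEGED_EVENTS = {
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress"},
}


def findings_for(record):
    """Return the list of finding codes that apply to one CloudTrail record."""
    findings = []
    identity = record.get("userIdentity", {})
    if identity.get("type") == "Root":
        findings.append("root-account-activity")
    if record.get("eventName") == "ConsoleLogin":
        mfa = record.get("additionalEventData", {}).get("MFAUsed")
        if mfa != "Yes":
            findings.append("console-login-without-mfa")
    try:
        source = ipaddress.ip_address(record.get("sourceIPAddress", ""))
        if not any(source in net for net in APPROVED_CIDRS):
            findings.append("source-outside-approved-cidr")
    except ValueError:
        # Calls made by AWS services on your behalf carry a DNS name (e.g. config.amazonaws.com)
        # or "AWS Internal" instead of an IP address; the location check does not apply to them.
        pass
    if record.get("eventName") in PRIVILEGED_EVENTS.get(record.get("eventSource"), ()):
        findings.append("privileged-change")
    return findings


def scan(records):
    """Flatten records into (eventTime, actor ARN, finding) rows, oldest first, for a timeline."""
    rows = []
    for record in sorted(records, key=lambda r: r.get("eventTime", "")):
        actor = record.get("userIdentity", {}).get("arn")
        for finding in findings_for(record):
            rows.append((record["eventTime"], actor, finding))
    return rows


# Constructed sample records; none of these came from a real account.
SAMPLE_RECORDS = [
    {"eventTime": "2016-06-21T02:14:07Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-06-21T09:00:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-06-21T09:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops-admin/alice"}},
    {"eventTime": "2016-06-21T09:06:00Z", "eventSource": "config.amazonaws.com",
     "eventName": "DescribeConfigurationRecorders", "sourceIPAddress": "config.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"}},
]

if __name__ == "__main__":
    for when, actor, finding in scan(SAMPLE_RECORDS):
        print(when, actor, finding)
```

In a deployment this logic sits in a Lambda subscribed to the CloudTrail delivery bucket or CloudWatch Logs group; the `scan` output is what you would push to a notification topic, and the sorted timeline is the starting point for the forensics step the slide mentions.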

Page 15

Foundational security & compliance automation

Data and encryption management

- Monitor and enforce encryption on creation
- Monitor and enforce compliance with Config
- Utilize Amazon Inspector for automated assessment
- Use ACM for data in transit management
- Automate data backup services
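Two of the foundational controls in this deck, the pre-approved AMI list "governed by Config Rules ... and automatically revoked by Lambda" (Page 13) and "monitor and enforce encryption on creation" (Page 15), are both naturally expressed as an AWS Config custom rule backed by Lambda. The block below is an added example written for this page, not the deck's or Smartronix's code. It implements the evaluation logic of such a rule for two resource types: an EC2 instance is compliant only if its `imageId` is on the approved list passed in as a rule parameter, and an EBS volume is compliant only if it was created encrypted. The event shape (`invokingEvent`, `ruleParameters`, `configurationItem`, `resultToken`) and the `put_evaluations` call mentioned in the comment are the real Config custom-rule interface; the parameter name `approvedAmis`, the `remediate` hook and every sample resource are assumptions constructed for the example.

```python
"""Evaluation logic for an AWS Config custom rule (added example, not the deck's code)."""
import json

APPROVED_AMIS_PARAM = "approvedAmis"  # assumption: comma-separated AMI ids in the rule parameters


def evaluate_instance(configuration, params):
    """Pre-approved AMI control: the instance must have been launched from an approved image."""
    approved = {a.strip() for a in params.get(APPROVED_AMIS_PARAM, "").split(",") if a.strip()}
    return "COMPLIANT" if configuration.get("imageId") in approved else "NON_COMPLIANT"


def evaluate_volume(configuration, params):
    """Encryption-on-creation control: an EBS volume cannot be encrypted after the fact."""
    return "COMPLIANT" if configuration.get("encrypted") is True else "NON_COMPLIANT"


EVALUATORS = {
    "AWS::EC2::Instance": evaluate_instance,
    "AWS::EC2::Volume": evaluate_volume,
}


def evaluate(item, params):
    """Map one configuration item to COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE."""
    # A deleted resource still produces a change notification; it must not be scored.
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE"
    evaluator = EVALUATORS.get(item.get("resourceType"))
    if evaluator is None:
        return "NOT_APPLICABLE"
    return evaluator(item.get("configuration") or {}, params)


def lambda_handler(event, context, remediate=None):
    """Lambda entry point. `remediate` is an assumed hook (e.g. stop the instance) used for
    the 'automatically revoked by Lambda' step; Config itself only passes (event, context)."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance = evaluate(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if compliance == "NON_COMPLIANT" and remediate is not None:
        remediate(item)
    # In the deployed rule, report the result back to Config:
    # boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(item, params):
    """Build a Config custom-rule invocation event around a constructed configuration item."""
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps(params),
        "resultToken": "constructed-result-token",
    }


def _item(resource_type, resource_id, configuration, status="OK"):
    return {"resourceType": resource_type, "resourceId": resource_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2016-06-21T12:00:00.000Z",
            "configuration": configuration}


# Constructed sample resources and rule parameters (not real AMI or resource ids).
SAMPLE_PARAMS = {APPROVED_AMIS_PARAM: "ami-0approved01, ami-0approved02"}
SAMPLE_ITEMS = [
    _item("AWS::EC2::Instance", "i-0good0001", {"imageId": "ami-0approved02"}),
    _item("AWS::EC2::Instance", "i-0rogue001", {"imageId": "ami-0unknown99"}),
    _item("AWS::EC2::Volume", "vol-0clear01", {"encrypted": False}),
    _item("AWS::EC2::Volume", "vol-0crypt01", {"encrypted": True, "kmsKeyId": "arn:aws:kms:placeholder"}),
    _item("AWS::EC2::Instance", "i-0gone0001", {"imageId": "ami-0unknown99"}, status="ResourceDeleted"),
]


def run_samples(remediate=None):
    """Evaluate every sample item; returns {resourceId: ComplianceType}."""
    return {item["resourceId"]: lambda_handler(make_event(item, SAMPLE_PARAMS), None, remediate)["ComplianceType"]
            for item in SAMPLE_ITEMS}


if __name__ == "__main__":
    for resource_id, result in run_samples(remediate=lambda i: print("would revoke", i["resourceId"])).items():
        print(resource_id, result)
```

The same skeleton extends to any resource type Config records: add an entry to `EVALUATORS` and the handler, status handling and reporting stay unchanged, which is what makes "monitor and enforce compliance with Config" scale across controls.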

Page 16

Foundational security & compliance automation

Boundary management

- React immediately to compliance drift
- Use VPC Flow Logs to understand traffic
- Automate VPC creation
- Use reference architectures and CloudFormation templates (NIST compliance etc.)
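"Use VPC Flow Logs to understand traffic" is only useful once the records are parsed and compared against what the boundary is supposed to allow. The block below is an added example for this page, not the deck's or Smartronix's code. It parses the 14-field default flow log record format (the real field order for version 2 records), skips the `NODATA`/`SKIPDATA` records that carry no addresses, and flags accepted connections to administrative ports that did not originate inside the VPC or an approved management network; rejected connections are tallied per source as a cheap view of probing. The VPC CIDR, approved CIDR, port list and all sample lines are assumptions constructed for the example.

```python
"""Parse VPC Flow Log records and flag boundary violations (added example, not the deck's code)."""
import ipaddress
from collections import Counter

# Default (version 2) flow log record fields, in order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Assumptions for the example: the VPC's own range, an approved management network, admin ports.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
APPROVED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN_PORTS = {22, 3389}


def parse_record(line):
    """Return a dict for a usable record, or None for malformed, NODATA or SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA records have '-' in place of the address and port fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def is_trusted_source(addr_text):
    addr = ipaddress.ip_address(addr_text)
    return addr in VPC_CIDR or any(addr in net for net in APPROVED_CIDRS)


def is_boundary_violation(rec):
    """Accepted traffic to an admin port from an address that is neither in-VPC nor approved."""
    return (rec["action"] == "ACCEPT"
            and rec["dstport"] in ADMIN_PORTS
            and not is_trusted_source(rec["srcaddr"]))


def summarize(lines):
    """Run the checks over raw flow log lines; returns flagged records, reject counts, skips."""
    flagged, rejects, skipped = [], Counter(), 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            skipped += 1
            continue
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
        if is_boundary_violation(rec):
            flagged.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"], rec["interface_id"]))
    return {"flagged": flagged, "rejects_by_source": dict(rejects), "skipped": skipped}


# Constructed sample lines (documentation-style account id and RFC 5737 addresses).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 43210 22 6 12 2000 1466500000 1466500060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51000 22 6 8 1200 1466500000 1466500060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.40 10.0.1.25 39000 443 6 20 9000 1466500000 1466500060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 43211 3389 6 3 180 1466500000 1466500060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1466500000 1466500060 - NODATA",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

The "react immediately to compliance drift" bullet pairs with this: the flagged tuples identify the interface whose security group or NACL admitted the connection, which is the object a Lambda would re-check against the approved CloudFormation template.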

Page 17

Foundational security & compliance automation

Security best practices

- Utilize Amazon Inspector for automated assessment
- Create custom triggers from CloudTrail/Config events
- Use pre-approved (STIG) AMIs
- Use pre-approved CloudFormation templates
- Use Lambda to programmatically react to events
- Use the scale and power of AWS to analyze all events and logs within your environment

Page 18

Unlearn everything you have heard

Build your foundational cloud services so you can put your most critical workloads in the cloud

Use a Managed Security Service Partner to help your transformation

Embrace security and compliance automation

Page 19

Thank You!

Contact Info:

[email protected]@smartronix.com

@groatr