
(SEC202) Best Practices for Securely Leveraging the Cloud


© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Joan Pepin, VP of Security/CISO

October 2015

SEC202

If You Build It, They Will Come

Best Practices for Building Secure Services in the Cloud

Who Am I?

• VP of Security/CISO for Sumo Logic

• More than 17 years of experience establishing policy management, security metrics, and incident response initiatives

• Inventor of SecureWorks’ Anomaly Detection Engine

• Experience in healthcare, manufacturing, defense, ISPs, and MSPs

What to Expect from This Session

• Drivers for leveraging cloud architectures

• Foundational principles to guide design strategy

• The Defense in Depth approach

• Best practices

• Q&A

Consider This…

20% of applications are built on cloud-friendly architectures and are ready for cloud.

Source: RightScale

By 2018, 59% of the total cloud workloads will be SaaS workloads, up from 41% in 2013.

Source: Cisco

Cloud IT infrastructure spending will reach $54.6 billion by 2019, accounting for 46.5% of the total spending on IT infrastructure.

Source: IDC

Securing Your Future

You’re Not Ready

A Giant Server

Security in Two Dimensions

The World is Not Flat…

Design Principles for Cloud Architectures

Less Is More

• Simplicity of design, APIs, interfaces, and data flow all help lead to a secure and scalable system.

Automate

• Treat your infrastructure as code; it’s a game changer.

• Test, do rapid prototyping, and implement fully automated, API-driven deployment methods.

Do the Right Thing

• Design for code reuse and centralize configuration information to keep the attack surface to a minimum.

• Sanitize and encrypt your data.

• Don’t trust client-side verification; enforce everything at every layer.

The Defense in Depth Approach

[Diagram, slide 1: service architecture overview. Labels: Elastic Load Balancing, Internet of Things, API, UI, Rec, Admin, Amazon DynamoDB, Amazon S3, POD, HOP BOX, VPN, SSH, VAULT, 1,500 Instances]

The Defense in Depth Approach

[Diagram, slide 2: the same architecture with the security stack overlaid. Labels: Servers, API, UI, Admin, DynamoDB, S3, POD, HOP BOX, SSH, VAULT, APM, SIEM, AWS Security Group, IDS, FIM, FW, App Logs, ELB, VPN, 1,500 Instances]

The Defense in Depth Approach

[Diagram, slide 3: the same architecture with the encryption key hierarchy overlaid. Labels: Servers, API, UI, Admin, DynamoDB, S3, POD, HOP BOX, SSH, VAULT, RAW, META, KEK, KEKEK (OPS), KEKEK (MGMT), Rec, ELB, VPN, 1,500 Instances]

Defense in Depth Key Takeaways

• Defense in Depth. Everything. All the time.

• Achieve scale by running the POD model.

• Use a best-of-breed security stack (IDS, FIM, Log Mgt., Host Firewall).

• Automate a complete security stack.

Best Practices

Three-Card Monte

Is a Lovely Game

Casino

The House Always Wins

Final Takeaways

The world is no longer flat…

Centralize your security design in your code base

All things are possible with automation

Simplicity leads to better security

Come visit Sumo Logic at booth #200 to learn how to master your data and see live demos.

Twitter: @sumologic

Thank you!

[email protected]

@CloudCISO_Joan

Remember to complete your evaluations!