Strong security made simple: Putting all the pieces together Mark - - PowerPoint PPT Presentation

strong security made simple putting all the pieces
SMART_READER_LITE
LIVE PREVIEW

Strong security made simple: Putting all the pieces together Mark - - PowerPoint PPT Presentation

Feb 21, 2023 114 likes •1.76k views

SEC204-S Strong security made simple: Putting all the pieces together Mark Nunnikhoven Vice President, Cloud Research at Trend Micro @marknca The cloud simplifies security. The cloud simplifies security. * When you understand how it works

slide-1
SLIDE 1
slide-2
SLIDE 2

SEC204-S

Strong security made simple: Putting all the pieces together

Mark Nunnikhoven

Vice President, Cloud Research at Trend Micro @marknca

slide-3
SLIDE 3

The cloud simplifies security.

slide-4
SLIDE 4

The cloud simplifies security.

* When you understand how it works

slide-5
SLIDE 5

The cloud simplifies security.

* When you understand how it works ** Compared to traditional environments

slide-6
SLIDE 6

The cloud simplifies security.

* When you understand how it works ** Compared to traditional environments

*** Depending on how much you pay attention for the next 60m

slide-7
SLIDE 7

Make sure that systems work as intended

The goal of cybersecurity

slide-8
SLIDE 8
  • nly as intended

…and only as intended Make sure that systems work as intended

The goal of cybersecurity

slide-9
SLIDE 9

Data Application OS Virtualization Infrastructure Physical

On-premises

(Traditional)

The Shared Responsibility Model

slide-10
SLIDE 10

Data Application OS Virtualization Infrastructure Physical

On-premises

(Traditional)

Data Application OS Virtualization Infrastructure Physical

Infrastructure

(IaaS)

The Shared Responsibility Model

AWS’ responsibility Your responsibility

slide-11
SLIDE 11

Data Application OS Virtualization Infrastructure Physical

On-premises

(Traditional)

Data Application OS Virtualization Infrastructure Physical

Infrastructure

(IaaS)

Data Application OS Virtualization Infrastructure Physical

Container

(PaaS)

The Shared Responsibility Model

AWS’ responsibility Your responsibility

slide-12
SLIDE 12

Data Application OS Virtualization Infrastructure Physical

On-premises

(Traditional)

Data Application OS Virtualization Infrastructure Physical

Infrastructure

(IaaS)

Data Application OS Virtualization Infrastructure Physical

Container

(PaaS)

Data Application OS Virtualization Infrastructure Physical

Abstract

(SaaS)

The Shared Responsibility Model

AWS’ responsibility Your responsibility

slide-13
SLIDE 13

Data Application OS Virtualization Infrastructure Physical

On-premises

(Traditional)

Data Application OS Virtualization Infrastructure Physical

Infrastructure

(IaaS)

Data Application OS Virtualization Infrastructure Physical

Container

(PaaS)

Data Application OS Virtualization Infrastructure Physical

Abstract

(SaaS)

The Shared Responsibility Model

AWS’ responsibility Your responsibility

Service configuration

slide-14
SLIDE 14
slide-15
SLIDE 15
slide-16
SLIDE 16

aws.amazon.com/compliance

slide-17
SLIDE 17

Data Application OS Virtualization Infrastructure Physical

On-premises

(Traditional)

Data Application OS Virtualization Infrastructure Physical

Infrastructure

(IaaS)

Data Application OS Virtualization Infrastructure Physical

Container

(PaaS)

Data Application OS Virtualization Infrastructure Physical

Abstract

(SaaS)

The Shared Responsibility Model

AWS’ responsibility Your responsibility

Service configuration

slide-18
SLIDE 18

Data Application OS Virtualization Infrastructure Physical

On-premises

(Traditional)

Data Application OS Virtualization Infrastructure Physical

Infrastructure

(IaaS)

Data Application OS Virtualization Infrastructure Physical

Container

(PaaS)

Data Application OS Virtualization Infrastructure Physical

Abstract

(SaaS)

The Shared Responsibility Model

AWS’ responsibility Your responsibility

Service configuration

slide-19
SLIDE 19

Data Application OS Virtualization Infrastructure Physical

Infrastructure

(IaaS)

Data Application OS Virtualization Infrastructure Physical

Container

(PaaS)

Data Application OS Virtualization Infrastructure Physical

Abstract

(SaaS)

The Shared Responsibility Model

AWS’ responsibility Your responsibility

Service configuration

slide-20
SLIDE 20

Data Application OS Virtualization Infrastructure Physical

Infrastructure

(IaaS)

Data Application OS Virtualization Infrastructure Physical

Container

(PaaS)

Data Application OS Virtualization Infrastructure Physical

Abstract

(SaaS)

The Shared Responsibility Model

AWS’ responsibility Your responsibility

Service configuration AWS does more You do less

slide-21
SLIDE 21

What’s stopping us?

slide-22
SLIDE 22

Hackers

slide-23
SLIDE 23

Nation State

slide-24
SLIDE 24

Insider Threats

Courtesy of the fantastic @quinnypig

slide-25
SLIDE 25
slide-26
SLIDE 26

Mistakes & misconfigurations

slide-27
SLIDE 27

Make sure that systems work as intended and

  • nly as intended

Our goal

Mistakes & misconfigurations

Largest risk

slide-28
SLIDE 28

Can I learn from others?

slide-29
SLIDE 29

Cloud Adoption Framework

slide-30
SLIDE 30

Cloud Adoption Framework

Governance Business People

slide-31
SLIDE 31

Cloud Adoption Framework

Governance Business People Platform Security Operations

slide-32
SLIDE 32

Cloud Adoption Framework

Governance Business People Platform Security Operations

Builds an action plan

slide-33
SLIDE 33

AWS Well-Architected Framework

slide-34
SLIDE 34

AWS Well-Architected Framework

Operational Excellence

slide-35
SLIDE 35

AWS Well-Architected Framework

Operational Excellence Security

slide-36
SLIDE 36

AWS Well-Architected Framework

Operational Excellence Security Reliability

slide-37
SLIDE 37

AWS Well-Architected Framework

Operational Excellence Security Reliability Performance Efficiency

slide-38
SLIDE 38

AWS Well-Architected Framework

Operational Excellence Security Reliability Performance Efficiency Cost Optimization

slide-39
SLIDE 39

AWS Well-Architected Framework

Operational Excellence Security Reliability Performance Efficiency Cost Optimization

Helps you make smart trade-offs

slide-40
SLIDE 40

Modern Application Design

slide-41
SLIDE 41

Modern Application Design

Secure Resilient Elastic Modular Automated Interoperable

slide-42
SLIDE 42

Modern Application Design

Secure Resilient Elastic Modular Automated Interoperable

Re-host

slide-43
SLIDE 43

Modern Application Design

Secure Resilient Elastic Modular Automated Interoperable

Re-host Re-platform

slide-44
SLIDE 44

Modern Application Design

Secure Resilient Elastic Modular Automated Interoperable

Re-host Re-platform Re-factor

slide-45
SLIDE 45

Modern Application Design

Secure Resilient Elastic Modular Automated Interoperable

Re-host Re-platform Re-factor Re-invent

slide-46
SLIDE 46

CIS AWS Foundations

slide-47
SLIDE 47

CIS AWS Foundations

slide-48
SLIDE 48

CIS AWS Foundations

Prescriptive guidance

slide-49
SLIDE 49

CIS AWS Foundations

Prescriptive guidance Checklist of @TODOs

slide-50
SLIDE 50

What happened?

slide-51
SLIDE 51

Auditing

slide-52
SLIDE 52

AWS CloudTrail

slide-53
SLIDE 53

AWS CloudTrail

What happened in your account + Who/what made it happen

slide-54
SLIDE 54

What happened in your account + Who/what made it happen

slide-55
SLIDE 55

What happened in your account + Who/what made it happen

  • Signed audit trail of API calls
slide-56
SLIDE 56

What happened in your account + Who/what made it happen

  • Signed audit trail of API calls
  • Data source for other key services
slide-57
SLIDE 57

What happened in your account + Who/what made it happen

  • Signed audit trail of API calls
  • Data source for other key services
  • On by default
slide-58
SLIDE 58

What happened in your account + Who/what made it happen

  • Signed audit trail of API calls
  • Data source for other key services
  • On by default
  • Log delivery in ~2–4m but no guarantee
slide-59
SLIDE 59

Who’s there?

slide-60
SLIDE 60

Identity

slide-61
SLIDE 61

The Principle of Least Privilege

slide-62
SLIDE 62

The Principle of Least Privilege

Grant only those privileges which are essential to perform the intended function

slide-63
SLIDE 63

AWS IAM

slide-64
SLIDE 64

AWS IAM

Who are you? + What are you allowed to do?

slide-65
SLIDE 65

Who are you? + What are you allowed to do?

slide-66
SLIDE 66

Who are you? + What are you allowed to do?

  • Managed users and roles
slide-67
SLIDE 67

Who are you? + What are you allowed to do?

  • Managed users and roles
  • Assign permissions to policies, users, or roles
slide-68
SLIDE 68

Who are you? + What are you allowed to do?

  • Managed users and roles
  • Assign permissions to policies, users, or roles
  • Granular permissions for each service
slide-69
SLIDE 69

Who are you? + What are you allowed to do?

  • Managed users and roles
  • Assign permissions to policies, users, or roles
  • Granular permissions for each service
  • Federation with existing directories available
slide-70
SLIDE 70

User Permission S3 Bucket

slide-71
SLIDE 71

User Permission S3 Bucket Works fine Unmanageable a scale Not granular enough

slide-72
SLIDE 72

User Role S3 Bucket Permission

slide-73
SLIDE 73

AWS Identity and Access Management (IAM)

slide-74
SLIDE 74

AWS Identity and Access Management (IAM)

SEC209

Getting started with AWS Identity

slide-75
SLIDE 75

AWS Identity and Access Management (IAM)

SEC209

Getting started with AWS Identity

SEC316

Access control confidence: Grant the right access to the right things

Website

IAM Best Practices

slide-76
SLIDE 76

How can I protect my network?

slide-77
SLIDE 77

Amazon VPC

slide-78
SLIDE 78

Amazon VPC

Your own slice of the AWS Cloud

slide-79
SLIDE 79

Your own slice of the AWS Cloud

slide-80
SLIDE 80

Your own slice of the AWS Cloud

  • Controllable routing, IP space, subnetting,

and access control

slide-81
SLIDE 81

Your own slice of the AWS Cloud

  • Controllable routing, IP space, subnetting,

and access control

  • VPC Endpoints allows access to AWS services
slide-82
SLIDE 82

Your own slice of the AWS Cloud

  • Controllable routing, IP space, subnetting,

and access control

  • VPC Endpoints allows access to AWS services
  • AWS PrivateLink connects to 3rd party SaaS’
slide-83
SLIDE 83

Your own slice of the AWS Cloud

  • Controllable routing, IP space, subnetting,

and access control

  • VPC Endpoints allows access to AWS services
  • AWS PrivateLink connects to 3rd party SaaS’
  • AWS Direct Connect connects to on-premises
slide-84
SLIDE 84

AWS Transit Gateway

slide-85
SLIDE 85

AWS Transit Gateway

Make connecting everything easier

slide-86
SLIDE 86

Make connecting everything easier

Gateway

slide-87
SLIDE 87

Make connecting everything easier

  • If you have multiple VPCs or will soon,

Transit Gateway is a simpler way to connect

Gateway

slide-88
SLIDE 88

Make connecting everything easier

  • If you have multiple VPCs or will soon,

Transit Gateway is a simpler way to connect

  • Simplified advanced network design

Gateway

slide-89
SLIDE 89

Make connecting everything easier

  • If you have multiple VPCs or will soon,

Transit Gateway is a simpler way to connect

  • Simplified advanced network design
  • Use VPC Peering at small scale

Gateway

slide-90
SLIDE 90

EC2 Instance EC2 Instance VPCs Routing table NACLs Security Groups AWS Transit Gateway

A B

slide-91
SLIDE 91

EC2 Instance EC2 Instance VPCs Routing table NACLs Security Groups AWS Transit Gateway

A B Is A allowed to talk to B?

slide-92
SLIDE 92

EC2 Instance EC2 Instance VPCs Routing table NACLs Security Groups AWS Transit Gateway

A B What are they saying? IPS

slide-93
SLIDE 93

Compute

slide-94
SLIDE 94

Compute

slide-95
SLIDE 95

Compute

Running code in the cloud

slide-96
SLIDE 96

Amazon EC2

Instances Data Application OS Virtualization Infrastructure Physical

Infrastructure (IaaS)

slide-97
SLIDE 97

Amazon EC2

Instances Data Application OS Virtualization Infrastructure Physical

Infrastructure (IaaS)

Amazon ECS

Containers + Host Data Application OS Virtualization Infrastructure Physical

Infrastructure (IaaS)

slide-98
SLIDE 98

Amazon EC2

Instances Data Application OS Virtualization Infrastructure Physical

Infrastructure (IaaS)

Amazon ECS

Containers + Host Data Application OS Virtualization Infrastructure Physical

Infrastructure (IaaS)

AWS Fargate

Managed Containers Data Application OS Virtualization Infrastructure Physical

Container (PaaS)

slide-99
SLIDE 99

Amazon EC2

Instances Data Application OS Virtualization Infrastructure Physical

Infrastructure (IaaS)

Amazon ECS

Containers + Host Data Application OS Virtualization Infrastructure Physical

Infrastructure (IaaS)

AWS Fargate

Managed Containers Data Application OS Virtualization Infrastructure Physical

Container (PaaS)

AWS Lambda

Functions Data Application OS Virtualization Infrastructure Physical

Abstract (SaaS)

slide-100
SLIDE 100

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

slide-101
SLIDE 101

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

  • Harden the OS configuration
slide-102
SLIDE 102

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

  • Harden the OS configuration
  • Controls like integrity monitoring,

intrusion prevention, anti-malware

slide-103
SLIDE 103

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

  • Harden the OS configuration
  • Controls like integrity monitoring,

intrusion prevention, anti-malware

  • Don’t patch or login to production
slide-104
SLIDE 104

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

  • Harden the OS configuration
  • Controls like integrity monitoring,

intrusion prevention, anti-malware

  • Don’t patch or login to production
  • Code quality is a priority
slide-105
SLIDE 105

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

  • Harden the OS configuration
  • Controls like integrity monitoring,

intrusion prevention, anti-malware

  • Don’t patch or login to production
  • Code quality is a priority
  • Controls like real-time application

protection are key

slide-106
SLIDE 106

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

  • Harden the OS configuration
  • Controls like integrity monitoring,

intrusion prevention, anti-malware

  • Don’t patch or login to production
  • Code quality is a priority
  • Controls like real-time application

protection are key

  • Dependency verification and

validation is critical

slide-107
SLIDE 107

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

slide-108
SLIDE 108

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

  • Fix issues in the build pipeline and redeploy (blue/green)
slide-109
SLIDE 109

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

  • Fix issues in the build pipeline and redeploy (blue/green)
  • Automated controls and verification with security testing
slide-110
SLIDE 110

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

  • Fix issues in the build pipeline and redeploy (blue/green)
  • Automated controls and verification with security testing
  • Builder’s workstations are a weak point (opsec is critical!)
slide-111
SLIDE 111

Amazon EC2

Instances

Amazon ECS

Containers + Host

AWS Fargate

Managed Containers

AWS Lambda

Functions

  • Fix issues in the build pipeline and redeploy (blue/green)
  • Automated controls and verification with security testing
  • Builder’s workstations are a weak point (opsec is critical!)
  • Systems over people
slide-112
SLIDE 112

Data

slide-113
SLIDE 113

Databases

slide-114
SLIDE 114

Databases

Structured, accessible data

slide-115
SLIDE 115

Structured, accessible data

Amazon DynamoDB, Amazon DocumentDB, Amazon RDS, Amazon Timestream, Amazon Neptune, etc.

slide-116
SLIDE 116

Structured, accessible data

  • Encrypt the data at rest

Amazon DynamoDB, Amazon DocumentDB, Amazon RDS, Amazon Timestream, Amazon Neptune, etc.

slide-117
SLIDE 117

Structured, accessible data

  • Encrypt the data at rest
  • Use IAM permissions to restrict access

Amazon DynamoDB, Amazon DocumentDB, Amazon RDS, Amazon Timestream, Amazon Neptune, etc.

slide-118
SLIDE 118

Structured, accessible data

  • Encrypt the data at rest
  • Use IAM permissions to restrict access
  • Backup everything, all the time, test that

backup regularly

Amazon DynamoDB, Amazon DocumentDB, Amazon RDS, Amazon Timestream, Amazon Neptune, etc.

slide-119
SLIDE 119

Storage

slide-120
SLIDE 120

Storage

Structured, accessible data but in files

slide-121
SLIDE 121

Structured, accessible data but in files

Amazon Elastic Block Store, Amazon FSx, Amazon S3, Amazon Glacier, Amazon File System, etc.

slide-122
SLIDE 122

Structured, accessible data but in files

Amazon Elastic Block Store, Amazon FSx, Amazon S3, Amazon Glacier, Amazon File System, etc.

  • Encrypt the data at rest
slide-123
SLIDE 123

Structured, accessible data but in files

Amazon Elastic Block Store, Amazon FSx, Amazon S3, Amazon Glacier, Amazon File System, etc.

  • Encrypt the data at rest
  • Use IAM permissions to restrict access
slide-124
SLIDE 124

Structured, accessible data but in files

Amazon Elastic Block Store, Amazon FSx, Amazon S3, Amazon Glacier, Amazon File System, etc.

  • Encrypt the data at rest
  • Use IAM permissions to restrict access
  • Use lifecycle strategies to reduce costs and
  • ptimize usage
slide-125
SLIDE 125

Is this working?

slide-126
SLIDE 126

Observability

slide-127
SLIDE 127

Traceability

slide-128
SLIDE 128

Verify the history, location, and application of a specific data point or action

Traceability

slide-129
SLIDE 129

Traceability

slide-130
SLIDE 130

Where did this come from? Who can access it? When?

Traceability

slide-131
SLIDE 131

Observability

slide-132
SLIDE 132

The ability to infer internal states from external outputs

Observability

slide-133
SLIDE 133

Observability

slide-134
SLIDE 134

What’s going on?

Observability

slide-135
SLIDE 135

AWS X-Ray

slide-136
SLIDE 136

AWS X-Ray

Understand the behaviour of distributed applications

slide-137
SLIDE 137

Understand the behaviour of distributed applications

slide-138
SLIDE 138

Understand the behaviour of distributed applications

  • Provides a cross-service view of your

application

slide-139
SLIDE 139

Understand the behaviour of distributed applications

  • Provides a cross-service view of your

application

  • Helps map out the service usage
slide-140
SLIDE 140

Understand the behaviour of distributed applications

  • Provides a cross-service view of your

application

  • Helps map out the service usage
  • Limited language support but getting better

quickly

slide-141
SLIDE 141

Amazon CloudWatch

slide-142
SLIDE 142

Amazon CloudWatch

Metrics, events, and logs

slide-143
SLIDE 143

Metrics, events, and logs

CloudWatch

slide-144
SLIDE 144

Metrics, events, and logs

  • 3 services disguised as one

CloudWatch

slide-145
SLIDE 145

Metrics, events, and logs

  • 3 services disguised as one
  • Metrics for basic operational health

CloudWatch

slide-146
SLIDE 146

Metrics, events, and logs

  • 3 services disguised as one
  • Metrics for basic operational health
  • Logs for system and application events

CloudWatch

slide-147
SLIDE 147

Metrics, events, and logs

  • 3 services disguised as one
  • Metrics for basic operational health
  • Logs for system and application events
  • Events for AWS account events is an excellent

trigger for automation via AWS Lambda

CloudWatch

slide-148
SLIDE 148

Automation

Trigger Result

slide-149
SLIDE 149

Automation

Trigger Result CloudWatch Event Lambda

slide-150
SLIDE 150

Automation

Trigger Result CloudWatch Event Lambda CloudTrail Lambda

slide-151
SLIDE 151

Automation

Trigger Result Slow lane Fast lane CloudWatch Event Lambda CloudTrail Lambda

slide-152
SLIDE 152

Keys to success

slide-153
SLIDE 153

The cloud simplifies security.

* When you understand how it works ** Compared to traditional environments

*** Depending on how much you pay attention for the next 60m

slide-154
SLIDE 154

Data Application OS Virtualization Infrastructure Physical

On-premises

(Traditional)

Data Application OS Virtualization Infrastructure Physical

Infrastructure

(IaaS)

Data Application OS Virtualization Infrastructure Physical

Container

(PaaS)

Data Application OS Virtualization Infrastructure Physical

Abstract

(SaaS)

The Shared Responsibility Model

AWS’ responsibility Your responsibility

Service configuration

slide-155
SLIDE 155

Make sure that systems work as intended and

  • nly as intended

Our goal

Mistakes & misconfigurations

Largest risk

slide-156
SLIDE 156

Keys To Success

slide-157
SLIDE 157

Have a plan Cloud Adoption Framework Keys To Success

slide-158
SLIDE 158

Have a plan Cloud Adoption Framework Build well Well-Architected Framework Keys To Success

slide-159
SLIDE 159

Have a plan Cloud Adoption Framework Build well Well-Architected Framework Systems over people The right controls & tools Keys To Success

slide-160
SLIDE 160

Have a plan Cloud Adoption Framework Build well Well-Architected Framework Systems over people The right controls & tools Observe & react Be vigilant & practice Keys To Success

slide-161
SLIDE 161

Cloud security simplified

Visit Trend Micro in booth #2820

slide-162
SLIDE 162

Mark Nunnikhoven

Vice President, Cloud Research at Trend Micro @marknca

slide-163
SLIDE 163