
Protecting applications and data in the AWS cloud

For AWS, security in the cloud is a priority. Customers who choose to use AWS services benefit from a data center and network architecture designed to meet the requirements of the most security-demanding organizations. In this session we will look at the tools AWS makes available to its customers to keep their applications and their data secure.



  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     Strengthen Cybersecurity with AWS
  2. What Security Challenges are We Facing?
     1. Compliance: ensure your AWS infrastructure meets compliance requirements
     2. Multiple formats: dozens of security tools with different data formats
     3. Prioritizing: large volume of alerts and the need to prioritize
     4. Visibility: lack of a single pane of glass across security and compliance tools
  3. AWS Shared Responsibility Model
     AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
     Customers are responsible for their security and compliance IN the Cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption; server-side data encryption; network traffic protection.
  4. Security 101
     Layers: Data, Application, OS, Virtualization, Infrastructure, Physical. The same stack is shown for four deployment models (On-premises, Infrastructure, Container, Abstract), with each layer marked as either your responsibility or AWS responsibility.
  5. Improve your security posture with AWS
     On-premises                   | On AWS
     Big Perimeter                 | Micro-Perimeters
     End-to-End Ownership          | Own just enough
     Build it all yourself         | Focus on your core values
     Server-centric approach       | Service-Centric approach
     De-centralised Administration | Central control plane (API)
     Focus on physical assets      | Focus on protecting data
     Multiple (manual) processes   | Everything is automated
  6. Security Assurance
     On-premises                                        | On AWS
     Start with bare concrete                           | Start on accredited services
     Periodic checks                                    | Continuous monitoring
     Workload-specific compliance checks                | Compliance approach based on all workload scenarios
     Must keep pace and invest in security innovation   | Security innovation drives broad compliance
     Heterogeneous governance processes and tools       | Integrated governance processes and tools
     Typically reactive                                 | Focus on prevention
  7. Attacker Tactics for Initial Compromise
     Tactics: unpatched vulnerabilities, security misconfigurations, weak/leaked/stolen passwords, social engineering, insider threat.
     AWS services shown alongside these tactics: AWS Systems Manager, Amazon Inspector, AWS Marketplace, guidance, Amazon GuardDuty, AWS CloudTrail, AWS Secrets Manager.
  8. Attacker Tactics for Initial Compromise
     https://aws.amazon.com/blogs/publicsector/the-five-ways-organizations-initially-get-compromised-and-tools-to-protect-yourself/
  9. Advantages of the API
     • Authoritative: the interface to, and between, AWS services
     • Auditable: always know what, and who, is doing what
     • Secure: verified integrity, authenticated, no covert channels
     • Fast: can be read and manipulated in sub-second time
     • Precise: defines the state of all infrastructure and services
     • Evolving: continuously improving
     • Uniform: provides consistency across disparate components
     • Automatable: enables some really cool capabilities
  10. AWS Logical Separation
     • Virtual Private Cloud (VPC): not possible for information to pass between multiple tenants without specifically being authorized by both the transmitting and the receiving customer
     • Virtualization: Nitro hypervisor, Firecracker
     • Encryption & key management, encrypting data at rest and in transit: built-in encryption (examples: Amazon S3, Amazon EBS), Key Management Service (KMS), CloudHSM
     • Dedicated Instances, Dedicated Hosts, and bare metal
     https://d1.awsstatic.com/whitepapers/compliance/AWS_Logical_Separation_Handbook.pdf
  11. AWS Security Services Overview
     Categories: Identify, Protect, Detect, Respond, Automate, Investigate, Recover.
     Services: AWS Config, AWS Systems Manager, Amazon Inspector, Amazon Macie, Amazon GuardDuty, AWS Security Hub, AWS Lambda, Amazon CloudWatch, AWS CloudTrail, AWS IoT Device Defender, AWS Key Management Service, AWS Identity and Access Management (IAM), AWS Single Sign-On, AWS Firewall Manager, AWS Secrets Manager, AWS Shield, AWS WAF, Amazon VPC, Snapshot, Archive.
  12. AWS ML-powered Security Services
  13. AWS ML-powered Security Services
     Amazon Macie, content classification:
     • PII and personal data
     • Source code
     • SSL certificates, private keys
     • iOS and Android app signing keys
     • Database backups
     • OAuth and cloud SaaS API keys
     Amazon GuardDuty, threat detection:
     • VPC Flow Log analysis
     • Unusual API calls
     • Potentially unauthorized deployments that indicate a possible account compromise
     • Potentially compromised instances or reconnaissance by attackers
  14. VPC Flow Logs
     • Agentless
     • Enable per ENI, per subnet, or per VPC
     • Logged to Amazon CloudWatch Logs
     • Create CloudWatch metrics from log data
     • Alarm on those metrics
     Fields in a flow log record: AWS account, source IP, destination IP, source port, destination port, interface, protocol, packets, bytes, start/end time, accept or reject.
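The slide lists the fields of a flow log record and the pattern of building CloudWatch metrics and alarms from them. The following is an added example, not code from the presentation or from AWS: it parses version-2 flow log records (the field order the slide enumerates), counts ACCEPT/REJECT the way a metric filter would, and flags sources whose rejected flows hit several distinct destination ports in the window, which is the signal an alarm would be set on. The log lines are constructed sample data; the account id, ENI id and addresses are placeholders. NODATA/SKIPDATA rows, which carry "-" in most fields, are handled rather than crashing the parser.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: five flows plus one NODATA row, as a flow log delivered
# to CloudWatch Logs would contain. Account id and ENI id are placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.1.20 44512 443 6 12 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.55 10.0.1.20 50001 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.55 10.0.1.20 50002 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.55 10.0.1.20 50003 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.30 10.0.1.20 40123 80 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

# Field order of the default (version 2) flow log record format.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "byte_count",
    "start", "end", "action", "log_status",
]


@dataclass(frozen=True)
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    byte_count: Optional[int]
    start: int
    end: int
    action: Optional[str]   # "ACCEPT", "REJECT", or None for NODATA/SKIPDATA rows
    log_status: str         # "OK", "NODATA" or "SKIPDATA"


def _opt_int(s: str) -> Optional[int]:
    return None if s == "-" else int(s)


def _opt_str(s: str) -> Optional[str]:
    return None if s == "-" else s


def parse_flow_log_line(line: str) -> FlowRecord:
    """Parse one space-separated record; reject malformed or unexpected versions."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(FIELDS, parts))
    if f["version"] != "2":
        raise ValueError(f"unsupported flow log version {f['version']!r}")
    return FlowRecord(
        account_id=f["account_id"], interface_id=f["interface_id"],
        srcaddr=_opt_str(f["srcaddr"]), dstaddr=_opt_str(f["dstaddr"]),
        srcport=_opt_int(f["srcport"]), dstport=_opt_int(f["dstport"]),
        protocol=_opt_int(f["protocol"]), packets=_opt_int(f["packets"]),
        byte_count=_opt_int(f["byte_count"]),
        start=int(f["start"]), end=int(f["end"]),
        action=_opt_str(f["action"]), log_status=f["log_status"],
    )


def parse_flow_log(text: str) -> list:
    return [parse_flow_log_line(line) for line in text.splitlines() if line.strip()]


def count_by_action(records) -> Counter:
    """What a metric filter on the action field would emit; NODATA rows are excluded."""
    return Counter(r.action for r in records if r.action is not None)


def scanning_sources(records, min_ports: int = 3) -> dict:
    """Sources whose REJECTed flows reached at least `min_ports` distinct
    destination ports in the window: the port-sweep pattern worth alarming on.
    Returns {source_ip: sorted list of rejected destination ports}."""
    ports_by_src = {}
    for r in records:
        if r.action == "REJECT" and r.srcaddr is not None:
            ports_by_src.setdefault(r.srcaddr, set()).add(r.dstport)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(dict(count_by_action(recs)))
    print(scanning_sources(recs))
```

In CloudWatch Logs the same two signals are a metric filter such as `[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]` feeding a metric, and an alarm on that metric; the per-source port count is what you would compute in Logs Insights or in the Elasticsearch analysis the later slides mention.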
  15. Logging and Audit
  16. Amazon CloudWatch and AWS CloudTrail: core logging services
     Full visibility of your AWS environment:
     • CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made: who did what, when, and from where (IP address)
     • CloudTrail/Config support for many AWS services and growing; includes EC2, EBS, VPC, RDS, IAM and Redshift
     • Edge/CDN, WAF, ELB, VPC/Network Flow Logs
     • Easily aggregate all log information
     • CloudWatch Alarms
  17. Logs, logs, and more logs ...
     Additional logs from external systems and locations: gaming, IoT sensors, devices, external systems and applications, web content.
     Internal systems and applications: databases, servers, networking, storage.
  18. Log data analytics
  19. Cyber Data Lake
     Inputs: real-time, application and user activities, on-premises activities. These feed the Cyber Data Lake, which serves AWS Security Services, analytics, and machine/deep learning.
  20. Cyber Data Lake
     The same flow, with the services used: Amazon EMR, Amazon Athena, Amazon Elasticsearch Service, AWS Glue.
  21. Amazon Elasticsearch: Analyzing Log Data
     • Application monitoring & root-cause analysis
     • Security Information and Event Management (SIEM)
     • IoT & mobile
     • Business & clickstream analytics
  22. Elasticsearch VPC flow logs analysis
  23. AWS Security Hub Overview
  24. AWS Security Hub Benefits
     • Managed regional AWS service, enabled in minutes, that aggregates findings across AWS accounts
     • Manage security and compliance findings in a single location, increasing the efficiency of locating relevant data
     • Create custom insights to track issues unique to your environment
  25. AWS Security Hub workflow
     1. Enable AWS Security Hub for all your accounts (Account 1, Account 2, Account 3).
     2. Conduct automated compliance scans and checks.
     3. Continuously aggregate and prioritize findings.
     4. Take action based on findings.
  26. Compliance Standards (AWS Security Hub)
     • Based on the CIS AWS Foundations Benchmark
     • Findings are displayed on the main dashboard for quick access
     • Best-practice information is provided to help mitigate issues
  27. AWS Security Hub insights
     Security findings that are correlated and grouped for prioritization:
     • More than 20 pre-built insights provided by AWS and AWS partners
     • Ability to create your own insights
     • Dashboard provides visibility into the top security findings
     • Additional details for each finding are available for review
     Examples: EC2 instances that have missing security patches; S3 buckets with stored credentials; S3 buckets with public read and write permissions.
  28. AWS Security Finding Format
     ~100 JSON-formatted fields. Finding types:
     • Sensitive Data Identifications
     • Software and Configuration Checks
     • Unusual Behaviors
     • Tactics, Techniques, and Procedures (TTPs)
     • Effects
  29. Automated compliance checks
     43 fully automated, nearly continuous checks
  30. Insights help identify resources that require attention
  31. Use Case: Alert Triage
     AWS Security Hub emits security findings as custom events to an Amazon CloudWatch Events rule, which invokes AWS Lambda. Lambda Function 1 handles findings with status Yellow; Lambda Function 2 handles status Red and notifies the SecOps team with Amazon Simple Notification Service (SNS). Response and remediation actions are customizable.
  32. Use Case: Compliance Scans
     1. An ACL configuration change is discovered by Security Hub: an Amazon S3 bucket has been set to public.
     2. Security Hub invokes a Lambda function.
     3. The Lambda function sets the bucket ACL back to private.
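Slides 31 and 32 describe the same pattern from two sides: Security Hub findings arrive at a Lambda function through a CloudWatch Events rule, get routed by severity (Yellow or Red, with Red paged to SecOps via SNS), and a public-bucket finding is remediated by resetting the ACL to private. The following is an added example that is not the presenter's or AWS's code. It assumes the event shape Security Hub delivers through CloudWatch Events (a `detail.findings` list of ASFF findings, using the `Severity`, `Types`, `Compliance` and `Resources` fields the deck names), a placeholder account id and SNS topic ARN, and that the S3 and SNS clients are injected so the logic runs offline; the in-memory `FakeS3`/`FakeSNS` stand-ins expose the same keyword arguments as the boto3 calls, and `lambda_handler` is the assumed deployment entry point.

```python
import json
import os
from dataclasses import dataclass, field

# Constructed event shaped like a Security Hub "Findings - Imported" event delivered
# by a CloudWatch Events rule. Finding ids, ARNs and the account id are placeholders.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {
            "Id": "example-finding-1",
            "Title": "S3 bucket allows public read and write access",
            "Severity": {"Label": "CRITICAL"},
            "Types": ["Software and Configuration Checks/AWS Security Best Practices"],
            "Compliance": {"Status": "FAILED"},
            "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-bucket"}],
        },
        {
            "Id": "example-finding-2",
            "Title": "EC2 instance has missing security patches",
            "Severity": {"Label": "MEDIUM"},
            "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"}],
        },
    ]},
}

RED = {"CRITICAL", "HIGH"}    # notify SecOps immediately
YELLOW = {"MEDIUM", "LOW"}    # queue for the next triage pass


def triage_status(finding: dict) -> str:
    """Map the ASFF severity label to the Red/Yellow status used on the slide."""
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    if label in RED:
        return "Red"
    if label in YELLOW:
        return "Yellow"
    return "Green"


def bucket_name_from_arn(arn: str) -> str:
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        raise ValueError(f"not an S3 bucket ARN: {arn}")
    return arn[len(prefix):].split("/", 1)[0]


def public_buckets(finding: dict) -> list:
    """Bucket names from a FAILED configuration check about public access.
    Matching on the title is a simplification for this example; a production
    rule would key on the specific control id instead."""
    if finding.get("Compliance", {}).get("Status") != "FAILED":
        return []
    if "public" not in finding.get("Title", "").lower():
        return []
    return [bucket_name_from_arn(r["Id"])
            for r in finding.get("Resources", []) if r.get("Type") == "AwsS3Bucket"]


@dataclass
class FakeS3:
    """Offline stand-in for boto3.client("s3"); records put_bucket_acl calls."""
    calls: list = field(default_factory=list)

    def put_bucket_acl(self, Bucket: str, ACL: str) -> dict:
        self.calls.append((Bucket, ACL))
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


@dataclass
class FakeSNS:
    """Offline stand-in for boto3.client("sns"); records publish calls."""
    published: list = field(default_factory=list)

    def publish(self, TopicArn: str, Subject: str, Message: str) -> dict:
        self.published.append((TopicArn, Subject, Message))
        return {"MessageId": "constructed"}


def handle_event(event: dict, s3, sns, topic_arn: str) -> dict:
    """Triage each finding, reset public bucket ACLs to private, notify on Red."""
    summary = {"status": {}, "remediated": [], "notified": []}
    for finding in event["detail"]["findings"]:
        status = triage_status(finding)
        summary["status"][finding["Id"]] = status
        for bucket in public_buckets(finding):
            s3.put_bucket_acl(Bucket=bucket, ACL="private")   # slide 32, step 3
            summary["remediated"].append(bucket)
        if status == "Red":                                     # slide 31, Red path
            sns.publish(TopicArn=topic_arn,
                        Subject=f"[{status}] {finding['Title']}",
                        Message=json.dumps(finding))
            summary["notified"].append(finding["Id"])
    return summary


def lambda_handler(event, context):
    """Assumed Lambda entry point: real clients, topic ARN from the environment."""
    import boto3  # present in the Lambda Python runtime
    return handle_event(event, boto3.client("s3"), boto3.client("sns"),
                        os.environ["SECOPS_TOPIC_ARN"])


if __name__ == "__main__":
    topic = "arn:aws:sns:eu-west-1:123456789012:secops"   # placeholder
    print(json.dumps(handle_event(SAMPLE_EVENT, FakeS3(), FakeSNS(), topic), indent=2))
```

Two points a practitioner will want to keep in mind when wiring this up: the remediation only touches the bucket ACL, which is exactly what the slide describes, so a bucket policy or disabled account-level Block Public Access setting still needs its own check; and the Lambda role should be scoped to `s3:PutBucketAcl` and `sns:Publish` on the specific resources, since an auto-remediation function with broad rights is itself a finding waiting to happen.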
  33. Key takeaways
     • Collect and process security findings from multiple accounts within a region
     • Evaluate your compliance against regulatory and best-practice frameworks
     • Identify and prioritize the most important issues by grouping and correlating security findings with Insights
     • Understand and manage your overall AWS security and compliance posture
