Roman Zelenko discusses building security for cloud services from scratch. He outlines key areas to focus on like customer data, platforms, applications, identity and access management. Some best practices are to begin with security assessments and penetration testing. Services like GuardDuty, Inspector, Config and Security Hub can help automate security monitoring across accounts. Compliance with regulations is also important to avoid penalties. With the right approach, security can improve service quality while being cost effective.
2. SELF-REPRESENTATION
Roman Zelenko, Lead Security System Engineer at Flo
• 6 years of experience in the domain
• Focused mostly on AppSec aspects (SAST, DAST), cloud solutions for mitigating security breaches on the application side (WAF), and vulnerability management there
3. WHAT WE WILL TALK ABOUT: Cloud Security
✔ Where to begin… and how to improve
✔ The ways of building
✔ Why it is important nowadays
✔ Value for You and your Business
7. DEFINITION
Cloud security, also known as cloud computing security, is a set of policies, controls, procedures and technologies that work together to protect cloud-based systems, data and infrastructure. (wiki)
Cloud security domains (from the slide diagram): Governance, Identity & Access Management, Data Security, Availability, Compliance, DR/BC Planning.
8. SECURITY IN CLOUD (shared responsibility model)
CUSTOMER: responsibility for security ‘in’ the cloud
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity; authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption, integrity, identity)
AWS: responsibility for security ‘of’ the cloud
• Software: compute, storage, database, networking
• Hardware / AWS global infrastructure: regions, availability zones, edge locations
9. AWS MISCONFIGURATION BREACHES
• Capital One: 100 million people, $150M. A former AWS employee hacked the Capital One DB: RDS snapshot + public EC2 with an API key to RDS.
• Password hashes, API keys, SSL certs
• S3 bucket configured for public access: 12 GB MSSQL database file, 1.8 million Chicago voters
12. WHERE TO BEGIN
The Cloud Security Assessment is part of a Cloud Cybersecurity Strategy to secure the critical assets and technologies that you own and use in the cloud. During a Cloud Security Assessment, you evaluate your Cloud Security posture.
13. WHAT SHOULD I AUDIT? (the customer side of the shared responsibility model)
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity; authentication
• Server-side encryption (file system and/or data)
• Network traffic protection (encryption, integrity, identity)
14–16. WAYS OF BUILDING
• EXTERNAL AUDIT: one time or on a regular basis. Nearest result: ~2 months.
• INFOSEC TEAM: build the team, build security controls, create bugs and report to stakeholders. Nearest result: ~2 months.
• DEVOPS (DevSecOps): enable the existing security controls AWS provides; enable monitoring for configuration changes. Nearest result: ~1 week.
19. CUSTOMER DATA: AWS MACIE
Service uses machine learning to automatically discover, classify, and protect sensitive data in AWS such as:
● Personally Identifiable Information (PII)
● Protected Health Information (PHI)
● Regulatory documents
● API keys
● Secret keys
● Intellectual property
20. CUSTOMER DATA: AWS MACIE
Pros:
● GDPR security monitoring compliant
● Easy to enable
● Finished service out of the box
Cons:
● No IaC solution (we are interested in Terraform)
● It costs like a small jet… or a ship ($50/1GB). FLO data example, annual cost: $600 000
21. PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT / OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION: AWS INSPECTOR
Automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
22. AWS INSPECTOR: RULES PACKAGES
Network assessments:
• Network Reachability
Host assessments:
• Common Vulnerabilities and Exposures
• Center for Internet Security (CIS) Benchmarks
• Security Best Practices for Amazon Inspector
24. AWS INSPECTOR: PROS
• Finalized solution out of the box
• Certified service for vulnerability management
• Easy to implement
• Cost, but it is tricky
25. AWS INSPECTOR: CONS
• Requires the Inspector agent on EC2 for host assessment
• Usually you lock on some AMI, which creates a patch management challenge for you
• Can be replaced with AWS Config rules
• Can decrease performance of the service
29. GUARD DUTY: PROS
• Finalized solution out of the box
• Easy to implement and support
• Cost, but it is also tricky =) It depends on the volume of logs
30. GUARD DUTY: CONS
I did not find any cons ¯\_(ツ)_/¯
31. CONFIG
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
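As an added example (not code from the talk or from AWS), this is the evaluation logic an AWS Config custom rule would run to flag the "S3 bucket configured for public access" misconfiguration from the breaches slide. It assumes the configuration-item layout named in the comments and uses a constructed bucket name and policies; a real rule would also report the verdict with put_evaluations.

```python
import json

# Hypothetical example for this page (not code from the talk or from AWS): the check an
# AWS Config custom rule's Lambda would run on an AWS::S3::Bucket configuration item to
# flag a bucket policy that grants access to everyone.  A real rule reports the verdict
# via config.put_evaluations(); here it is returned so the logic runs offline.  Assumed
# item layout: supplementaryConfiguration.BucketPolicy.policyText (JSON string) and
# supplementaryConfiguration.PublicAccessBlockConfiguration.restrictPublicBuckets.

def _principals(principal):
    """Normalise a policy Principal ("*", {"AWS": "..."} or lists) to a set of strings."""
    if isinstance(principal, str):
        return {principal}
    out = set()
    for value in (principal or {}).values():
        out.update([value] if isinstance(value, str) else value)
    return out

def policy_grants_public_access(policy):
    """True if an Allow statement names principal "*" with no Condition (simplification:
    any Condition, e.g. aws:SourceVpce, is treated as restricting)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return any(st.get("Effect") == "Allow" and not st.get("Condition")
               and "*" in _principals(st.get("Principal")) for st in statements)

def evaluate_bucket(config_item):
    """Config compliance type for one bucket; bucket policy only, ACL grants not examined."""
    supp = config_item.get("supplementaryConfiguration", {})
    if (supp.get("PublicAccessBlockConfiguration") or {}).get("restrictPublicBuckets"):
        return "COMPLIANT"   # Block Public Access neutralises an open policy
    text = (supp.get("BucketPolicy") or {}).get("policyText")
    if not text or not policy_grants_public_access(json.loads(text)):
        return "COMPLIANT"
    return "NON_COMPLIANT"

def _item(policy, restrict=False):
    """Constructed configuration item (sample data, not a real bucket)."""
    return {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
            "supplementaryConfiguration": {
                "BucketPolicy": {"policyText": json.dumps(policy) if policy else None},
                "PublicAccessBlockConfiguration": {"restrictPublicBuckets": restrict}}}

OPEN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
PRIVATE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal":
           {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:*", "Resource": "*"}]}

PUBLIC_ITEM = _item(OPEN)          # world-readable objects -> NON_COMPLIANT
PRIVATE_ITEM = _item(PRIVATE)      # single account principal -> COMPLIANT
BLOCKED_ITEM = _item(OPEN, True)   # open policy, but Block Public Access is on -> COMPLIANT
```

The same evaluator can be scheduled over every bucket in the account, which is the "monitoring for configuration changes" the DevOps slide recommends enabling.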
44. VALUE FOR YOU AND YOUR BUSINESS
• LEGAL COMPLIANCE: it helps you to avoid compliance penalties.
• COST EFFECTIVE: proactive steps are cost effective in the future; they save your and your business's money.
• IMPROVE SERVICE QUALITY: attack mitigation helps to improve service stability and availability and to decrease reputational risks.