BUILDING SECURITY IN CLOUD FROM SCRATCH
Raman Zelenko,
Lead Security System Engineer @Flo Health
SELF-REPRESENTATION
Roman Zelenko, Lead Security System Engineer in Flo
• 6 years of experience in the domain
• Focused mostly on AppSec aspects (SAST, DAST), cloud solutions for mitigating security breaches on the application side (WAF), and vulnerability management there.
WHAT WE WILL TALK ABOUT
Cloud Security
✔ Where to begin… and how to improve
✔ The ways of building
✔ Why it is important nowadays
✔ Value for You and your Business
WHY IT IS IMPORTANT NOWADAYS
Regulations & Compliance
Standard
PENALTIES: GDPR
Up to €20 million or up to 4% of its entire global turnover of the preceding fiscal year, whichever is higher.
PENALTIES
States
vs
Uber
$148M
British authority
vs
British Airways
$230M
CFPB & States
vs
US Equifax
$275M
$5B
FTC
vs
Facebook
$700M
DEFINITION
CLOUD SECURITY, also known as cloud computing security, is a set of policies, controls, procedures and technologies that work together to protect cloud-based systems, data and infrastructure. (wiki)
Cloud Security domains: DR/BC Planning, Governance, Identity & Access Management, Data Security, Availability, Compliance
SECURITY IN CLOUD
CUSTOMER: Responsibility for security ‘in’ the cloud
• CUSTOMER DATA
• PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT
• OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
• CLIENT-SIDE DATA ENCRYPTION & DATA INTEGRITY; AUTHENTICATION
• SERVER-SIDE ENCRYPTION (FILE SYSTEM AND/OR DATA)
• NETWORK TRAFFIC PROTECTION (ENCRYPTION, INTEGRITY, IDENTITY)
AWS: Responsibility for security ‘of’ the cloud
• SOFTWARE: COMPUTE, STORAGE, DATABASE, NETWORKING
• HARDWARE/AWS GLOBAL INFRASTRUCTURE: REGIONS, AVAILABILITY ZONES, EDGE LOCATIONS
AWS MISCONFIGURATION BREACHES
• Capital One: 100 million people, $150M. A former AWS employee hacked the Capital One AWS DB (RDS snapshot + public EC2 with API key to RDS).
• Password hashes, API keys, SSL certs
• S3 bucket configured for public access
• 12 GB MSSQL database file, 1.8 million Chicago voters
DEFINITION
Proper Security is … COMPROMISE
WHERE TO BEGIN
Security Assessment
Penetration Testing
WHERE TO BEGIN
The Cloud Security Assessment is part of a Cloud Cybersecurity Strategy to secure the critical assets and technologies that you own and use in the cloud. During a Cloud Security Assessment, you evaluate your Cloud Security posture.
WHAT SHOULD I AUDIT?
• CUSTOMER DATA
• PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT
• OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
• CLIENT-SIDE DATA ENCRYPTION & DATA INTEGRITY; AUTHENTICATION
• SERVER-SIDE ENCRYPTION (FILE SYSTEM AND/OR DATA)
• NETWORK TRAFFIC PROTECTION (ENCRYPTION, INTEGRITY, IDENTITY)
WAYS OF BUILDING
EXTERNAL AUDIT: one time or on a regular basis. Nearest result: ~2 months
INFOSEC TEAM: build the team, build security controls, create bugs and report to stakeholders. Nearest result: ~2 months
Building security from scratch
WAYS OF BUILDING
EXTERNAL AUDIT: one time or on a regular basis. Nearest result: ~2 months
INFOSEC TEAM: build security controls, create bugs and report to stakeholders. Nearest result: ~2 months
DEVOPS: enable the existing security controls AWS provides, enable monitoring for configuration changes. Nearest result: ~1 week
DEVSECOPS
HOW TO MAKE IT
GuardDuty, Security Hub, Macie, Inspector, Config
Services In GCP
WHAT SHOULD I AUDIT?
• CUSTOMER DATA
• PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT
• OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
• CLIENT-SIDE DATA ENCRYPTION & DATA INTEGRITY; AUTHENTICATION
• SERVER-SIDE ENCRYPTION (FILE SYSTEM AND/OR DATA)
• NETWORK TRAFFIC PROTECTION (ENCRYPTION, INTEGRITY, IDENTITY)
AWS MACIE
Service uses machine learning to automatically discover, classify, and protect sensitive data in AWS such as:
● Personally Identifiable Information (PII)
● Protected Health Information (PHI)
● Regulatory documents
● API keys
● Secret keys
● Intellectual property
AWS MACIE
CUSTOMER DATA
Pros:
● GDPR Security Monitoring Compliant
● Easy to enable
● Finished service out of the box
Cons:
● No IaC solution (Terraform is what we are interested in)
● It costs like a small jet… or a ship ($50/1GB). FLO data example, annual cost: $600 000
AWS INSPECTOR
Automated Security Assessment Service to help improve the security and compliance of applications deployed on AWS
OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT
AWS INSPECTOR
Rules Packages
Network assessments:
• Network Reachability
Host assessments:
• Common Vulnerabilities and Exposures
• Center for Internet Security (CIS) Benchmarks
• Security Best Practices for Amazon Inspector
AWS INSPECTOR
OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT
AWS INSPECTOR
OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
PROS
• Finalized solution out of the box
• Certified service for vulnerability management
• Easy to implement
• Cost, but it is tricky
AWS INSPECTOR
OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
CONS
• Requires the Inspector agent on EC2 for host assessment
• Usually you lock on some AMI. It creates a challenge in patch management for you.
• Can be replaced with AWS Config rules
• Can decrease the performance of the service
PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT
IDS for AWS
GUARD DUTY
Building security from scratch
GUARD DUTY
GuardDuty, LAMBDA, IPS
OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT
GUARD DUTY
OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT
PROS
• Finalized solution out of the box
• Easy to implement and support
• Cost, but it is also tricky =) It depends on the volume of logs
GUARD DUTY
OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION
PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT
CONS
I did not find any cons ¯\_(ツ)_/¯
CONFIG
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
CONFIG
SIEM for AWS services
CONFIG: MIN SET OF RULES
● Network (restricted SSH, default security group usage, etc.)
● S3 rules (public-read prohibited, replication enabled, etc.)
● IAM (root access key check, MFA enabled for IAM console access)
● EC2 (ec2-instance-no-public-ip)
SECURITY HUB
SIEM for AWS services
What if I told you that you can enable all these features using just a couple of rows of code?
AWS CONFIG
GUARD DUTY
SECURITY HUB
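The deck names the three services and a minimal Config rule set but does not show the code itself. The Terraform below is an added example written for this page, not the speaker's or Flo's configuration: it enables GuardDuty, Security Hub (with the CIS benchmark standard) and AWS Config, and registers the rules from the MIN SET OF RULES slide as AWS managed Config rules. It assumes an AWS provider that is already configured for the target account and an existing S3 bucket, passed in as `config_bucket`, whose bucket policy allows `config.amazonaws.com` to write to it; the role name and the rule names are chosen for this example, while the managed rule identifiers and the policy/standard ARNs are AWS's own.

```hcl
# Added example (not from the slides): GuardDuty + Security Hub + AWS Config
# with the deck's minimal rule set, as infrastructure as code.

variable "config_bucket" {
  description = "Existing S3 bucket that receives AWS Config snapshots (assumed to exist)"
  type        = string
}

# --- GuardDuty: the deck's "IDS for AWS" ---
resource "aws_guardduty_detector" "main" {
  enable                       = true
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}

# --- Security Hub: aggregates findings from GuardDuty, Config, Inspector, Macie ---
resource "aws_securityhub_account" "main" {}

resource "aws_securityhub_standards_subscription" "cis" {
  depends_on    = [aws_securityhub_account.main]
  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}

# --- AWS Config: service role, recorder, delivery channel ---
data "aws_iam_policy_document" "config_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["config.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "config" {
  name               = "aws-config-recorder" # example name
  assume_role_policy = data.aws_iam_policy_document.config_assume.json
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

resource "aws_config_configuration_recorder" "main" {
  name     = "default"
  role_arn = aws_iam_role.config.arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true # needed so IAM rules see global resources
  }
}

resource "aws_config_delivery_channel" "main" {
  name           = "default"
  s3_bucket_name = var.config_bucket
  depends_on     = [aws_config_configuration_recorder.main]
}

resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.main.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.main]
}

# --- The MIN SET OF RULES slide, mapped to AWS managed rule identifiers ---
locals {
  min_rules = {
    "restricted-ssh"              = "INCOMING_SSH_DISABLED"
    "default-sg-closed"           = "VPC_DEFAULT_SECURITY_GROUP_CLOSED"
    "s3-public-read-prohibited"   = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
    "s3-replication-enabled"      = "S3_BUCKET_REPLICATION_ENABLED"
    "root-access-key-check"       = "IAM_ROOT_ACCESS_KEY_CHECK"
    "mfa-for-iam-console-access"  = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
    "ec2-instance-no-public-ip"   = "EC2_INSTANCE_NO_PUBLIC_IP"
  }
}

resource "aws_config_config_rule" "min_set" {
  for_each = local.min_rules
  name     = each.key
  source {
    owner             = "AWS"
    source_identifier = each.value
  }
  # Rules can only be created once a recorder exists in the account.
  depends_on = [aws_config_configuration_recorder.main]
}
```

Apply it with `terraform init` and `terraform plan` under credentials for the account being onboarded. The `depends_on` chain matters: Security Hub must be enabled before a standard can be subscribed, and Config rules are rejected until the recorder exists, so removing those edges produces ordering errors on a fresh account. Findings from the rules surface in Security Hub once the recorder is started, which is the "monitoring for configuration changes" the DEVOPS slide refers to.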
WHAT’S NEXT? HOW TO IMPROVE?
VALUE FOR YOU AND YOUR BUSINESS
LEGAL COMPLIANCE: it helps you to avoid compliance penalties
COST EFFECTIVE: proactive steps are cost effective in the future; they save your money and your business's money
IMPROVE SERVICE QUALITY: attack mitigation helps to improve service stability and availability and decreases reputational risks
Q&A
THANK YOU!
Join us and contribute to the global health!
https://flo.health/careers
https://www.linkedin.com/in/roman-zelenko-1a755153/

Contenu connexe

Tendances

Cisco Security Architecture
Cisco Security ArchitectureCisco Security Architecture
Cisco Security ArchitectureCisco Canada
 
Cisco ASA con fire power services
Cisco ASA con fire power services Cisco ASA con fire power services
Cisco ASA con fire power services Felipe Lamus
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosCisco Canada
 
Secure Data Center Solution with FP 9300 - BDM
Secure Data Center Solution with FP 9300 - BDMSecure Data Center Solution with FP 9300 - BDM
Secure Data Center Solution with FP 9300 - BDMBill McGee
 
TechWiseTV Workshop: APIC-EM
TechWiseTV Workshop: APIC-EMTechWiseTV Workshop: APIC-EM
TechWiseTV Workshop: APIC-EMRobb Boyd
 
Cisco amp for meraki
Cisco amp for merakiCisco amp for meraki
Cisco amp for merakiCisco Canada
 
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...Erin Sweeney
 
DevSecOps: Putting the Sec into the DevOps
DevSecOps: Putting the Sec into the DevOpsDevSecOps: Putting the Sec into the DevOps
DevSecOps: Putting the Sec into the DevOpsshira koper
 
Building Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireBuilding Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireGlobal Knowledge Training
 
PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...
PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...
PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...SWITCHPOINT NV/SA
 
Enterprise Network Security & Compliance - A Vendor's Perspective
Enterprise Network Security & Compliance - A Vendor's PerspectiveEnterprise Network Security & Compliance - A Vendor's Perspective
Enterprise Network Security & Compliance - A Vendor's PerspectiveAnusha Vaidyanathan
 
Cisco Firepower Migration | Cisco and AlgoSec Joint Webinar
Cisco Firepower Migration | Cisco and AlgoSec Joint WebinarCisco Firepower Migration | Cisco and AlgoSec Joint Webinar
Cisco Firepower Migration | Cisco and AlgoSec Joint WebinarAlgoSec
 
Presentation cisco cloud security strategy
Presentation   cisco cloud security strategyPresentation   cisco cloud security strategy
Presentation cisco cloud security strategyxKinAnx
 
Cisco connect winnipeg 2018 we make it simple
Cisco connect winnipeg 2018   we make it simpleCisco connect winnipeg 2018   we make it simple
Cisco connect winnipeg 2018 we make it simpleCisco Canada
 
Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramPriyanka Aash
 
Advanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldAdvanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldCisco Canada
 
Accelerate Application Deployment Across Cisco ACI Fabric, On-Premise Firewal...
Accelerate Application Deployment Across Cisco ACI Fabric, On-Premise Firewal...Accelerate Application Deployment Across Cisco ACI Fabric, On-Premise Firewal...
Accelerate Application Deployment Across Cisco ACI Fabric, On-Premise Firewal...AlgoSec
 
Cisco asa fire power services
Cisco asa fire power servicesCisco asa fire power services
Cisco asa fire power servicesTapan Doshi
 
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...Cisco Canada
 
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...Amazon Web Services
 

Tendances (20)

Cisco Security Architecture
Cisco Security ArchitectureCisco Security Architecture
Cisco Security Architecture
 
Cisco ASA con fire power services
Cisco ASA con fire power services Cisco ASA con fire power services
Cisco ASA con fire power services
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
 
Secure Data Center Solution with FP 9300 - BDM
Secure Data Center Solution with FP 9300 - BDMSecure Data Center Solution with FP 9300 - BDM
Secure Data Center Solution with FP 9300 - BDM
 
TechWiseTV Workshop: APIC-EM
TechWiseTV Workshop: APIC-EMTechWiseTV Workshop: APIC-EM
TechWiseTV Workshop: APIC-EM
 
Cisco amp for meraki
Cisco amp for merakiCisco amp for meraki
Cisco amp for meraki
 
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
Mission Possible: Detect and Prevent CyberAttacks with Splunk and Palo Alto N...
 
DevSecOps: Putting the Sec into the DevOps
DevSecOps: Putting the Sec into the DevOpsDevSecOps: Putting the Sec into the DevOps
DevSecOps: Putting the Sec into the DevOps
 
Building Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and SourcefireBuilding Up Network Security: Intrusion Prevention and Sourcefire
Building Up Network Security: Intrusion Prevention and Sourcefire
 
PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...
PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...
PALO ALTO presentation used during the SWITCHPOINT NV/SA Quarterly Experience...
 
Enterprise Network Security & Compliance - A Vendor's Perspective
Enterprise Network Security & Compliance - A Vendor's PerspectiveEnterprise Network Security & Compliance - A Vendor's Perspective
Enterprise Network Security & Compliance - A Vendor's Perspective
 
Cisco Firepower Migration | Cisco and AlgoSec Joint Webinar
Cisco Firepower Migration | Cisco and AlgoSec Joint WebinarCisco Firepower Migration | Cisco and AlgoSec Joint Webinar
Cisco Firepower Migration | Cisco and AlgoSec Joint Webinar
 
Presentation cisco cloud security strategy
Presentation   cisco cloud security strategyPresentation   cisco cloud security strategy
Presentation cisco cloud security strategy
 
Cisco connect winnipeg 2018 we make it simple
Cisco connect winnipeg 2018   we make it simpleCisco connect winnipeg 2018   we make it simple
Cisco connect winnipeg 2018 we make it simple
 
Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security Program
 
Advanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real WorldAdvanced threat security - Cyber Security For The Real World
Advanced threat security - Cyber Security For The Real World
 
Accelerate Application Deployment Across Cisco ACI Fabric, On-Premise Firewal...
Accelerate Application Deployment Across Cisco ACI Fabric, On-Premise Firewal...Accelerate Application Deployment Across Cisco ACI Fabric, On-Premise Firewal...
Accelerate Application Deployment Across Cisco ACI Fabric, On-Premise Firewal...
 
Cisco asa fire power services
Cisco asa fire power servicesCisco asa fire power services
Cisco asa fire power services
 
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...Cisco Connect Toronto  2017 - Accelerating Incident Response in Organizations...
Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations...
 
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
Palo Alto Networks and AWS: Streamline Your Accreditation with Superior Secur...
 

Similaire à Building security from scratch

Compliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignCompliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignAmazon Web Services
 
Automate the Provisioning of Secure Developer Environments on AWS PPT
 Automate the Provisioning of Secure Developer Environments on AWS PPT Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPTAmazon Web Services
 
AWS Summit Singapore - Next Generation Security
AWS Summit Singapore - Next Generation SecurityAWS Summit Singapore - Next Generation Security
AWS Summit Singapore - Next Generation SecurityAmazon Web Services
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWSAmazon Web Services
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Amazon Web Services
 
Security: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud AdoptionSecurity: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud AdoptionAmazon Web Services
 
AWS re:Invent 2016: State of the Union: Containers (CON316)
AWS re:Invent 2016: State of the Union:  Containers (CON316)AWS re:Invent 2016: State of the Union:  Containers (CON316)
AWS re:Invent 2016: State of the Union: Containers (CON316)Amazon Web Services
 
AWS Summit Singapore Webinar Edition | Building Tomorrow’s Financial Services...
AWS Summit Singapore Webinar Edition | Building Tomorrow’s Financial Services...AWS Summit Singapore Webinar Edition | Building Tomorrow’s Financial Services...
AWS Summit Singapore Webinar Edition | Building Tomorrow’s Financial Services...Amazon Web Services
 
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...Amazon Web Services
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Amazon Web Services
 
Automating nist 800 171 compliance in AWS Govcloud (US)
Automating nist 800 171 compliance in AWS Govcloud (US)Automating nist 800 171 compliance in AWS Govcloud (US)
Automating nist 800 171 compliance in AWS Govcloud (US)Amazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsEvident.io
 
Getting Started With AWS Security
Getting Started With AWS SecurityGetting Started With AWS Security
Getting Started With AWS SecurityAmazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
5 Years Of Building SaaS On AWS
5 Years Of Building SaaS On AWS5 Years Of Building SaaS On AWS
5 Years Of Building SaaS On AWSChristian Beedgen
 
Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Cynthia Hsieh
 
Elevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloudElevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloudAmazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsAmazon Web Services
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Amazon Web Services
 
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Amazon Web Services
 

Similaire à Building security from scratch (20)

Compliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By DesignCompliance In The Cloud Using Security By Design
Compliance In The Cloud Using Security By Design
 
Automate the Provisioning of Secure Developer Environments on AWS PPT
 Automate the Provisioning of Secure Developer Environments on AWS PPT Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPT
 
AWS Summit Singapore - Next Generation Security
AWS Summit Singapore - Next Generation SecurityAWS Summit Singapore - Next Generation Security
AWS Summit Singapore - Next Generation Security
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWS
 
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
Secure & Automate AWS Deployments with Next-Generation Security from Palo Alt...
 
Security: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud AdoptionSecurity: A Driving Force Behind Cloud Adoption
Security: A Driving Force Behind Cloud Adoption
 
AWS re:Invent 2016: State of the Union: Containers (CON316)
AWS re:Invent 2016: State of the Union:  Containers (CON316)AWS re:Invent 2016: State of the Union:  Containers (CON316)
AWS re:Invent 2016: State of the Union: Containers (CON316)
 
AWS Summit Singapore Webinar Edition | Building Tomorrow’s Financial Services...
AWS Summit Singapore Webinar Edition | Building Tomorrow’s Financial Services...AWS Summit Singapore Webinar Edition | Building Tomorrow’s Financial Services...
AWS Summit Singapore Webinar Edition | Building Tomorrow’s Financial Services...
 
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
AWS re:Invent 2016: Chalk Talk: Applying Security-by-Design to Drive Complian...
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts
 
Automating nist 800 171 compliance in AWS Govcloud (US)
Automating nist 800 171 compliance in AWS Govcloud (US)Automating nist 800 171 compliance in AWS Govcloud (US)
Automating nist 800 171 compliance in AWS Govcloud (US)
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Getting Started With AWS Security
Getting Started With AWS SecurityGetting Started With AWS Security
Getting Started With AWS Security
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
5 Years Of Building SaaS On AWS
5 Years Of Building SaaS On AWS5 Years Of Building SaaS On AWS
5 Years Of Building SaaS On AWS
 
Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020
 
Elevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloudElevate_your_security_with_the_cloud
Elevate_your_security_with_the_cloud
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro
 
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
 

Dernier

LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSlesteraporado16
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilitiesalihassaah1994
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024Jan Löffler
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSedrianrheine
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfmchristianalwyn
 
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxA_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxjayshuklatrainer
 
world Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxworld Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxnaveenithkrishnan
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Shubham Pant
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxnaveenithkrishnan
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdfShreedeep Rayamajhi
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsRoxana Stingu
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteMavein
 
Niche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusNiche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusSkylark Nobin
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpressssuser166378
 

Dernier (15)

LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASSLESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
LESSON 10/ GROUP 10/ ST. THOMAS AQUINASS
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilities
 
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
WordPress by the numbers - Jan Loeffler, CTO WebPros, CloudFest 2024
 
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDSTYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
TYPES AND DEFINITION OF ONLINE CRIMES AND HAZARDS
 
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdfLESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
LESSON 5 GROUP 10 ST. THOMAS AQUINAS.pdf
 
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptxA_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
A_Z-1_0_4T_00A-EN_U-Po_w_erPoint_06.pptx
 
world Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptxworld Tuberculosis day ppt 25-3-2024.pptx
world Tuberculosis day ppt 25-3-2024.pptx
 
Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024Check out the Free Landing Page Hosting in 2024
Check out the Free Landing Page Hosting in 2024
 
Bio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptxBio Medical Waste Management Guideliness 2023 ppt.pptx
Bio Medical Waste Management Guideliness 2023 ppt.pptx
 
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdfIntroduction to ICANN and Fellowship program  by Shreedeep Rayamajhi.pdf
Introduction to ICANN and Fellowship program by Shreedeep Rayamajhi.pdf
 
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced HorizonsVision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
Vision Forward: Tracing Image Search SEO From Its Roots To AI-Enhanced Horizons
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
Computer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a WebsiteComputer 10 Lesson 8: Building a Website
Computer 10 Lesson 8: Building a Website
 
Niche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus BonusNiche Domination Prodigy Review Plus Bonus
Niche Domination Prodigy Review Plus Bonus
 
Presentation2.pptx - JoyPress Wordpress
Presentation2.pptx -  JoyPress WordpressPresentation2.pptx -  JoyPress Wordpress
Presentation2.pptx - JoyPress Wordpress
 

Building security from scratch

  • 1. BUILDING SECURITY IN CLOUD FROM SCRATCH. Raman Zelenko, Lead Security System Engineer @Flo Health
  • 2. SELF-REPRESENTATION: Roman Zelenko, Lead Security System Engineer in Flo. 6 years of experience in the domain; focused mostly on AppSec aspects (SAST, DAST), cloud solutions for mitigating security breaches on the application side (WAF) and vulnerability management there.
  • 3. WHAT WE WILL TALK ABOUT: Cloud Security ✔ Where to begin… and how to improve ✔ The ways of building ✔ Why it is important nowadays ✔ Value for You and your Business
  • 4. WHY IT IS IMPORTANT NOWADAYS: Regulations & Compliance; Standards
  • 5. GDPR PENALTIES: up to €20 million or up to 4% of the entire global turnover of the preceding fiscal year, whichever is higher.
  • 6. PENALTIES: States vs Uber $148M; British authority vs British Airways $230M; CFPB & States vs US Equifax $275M; $5B; FTC vs Facebook $700M
  • 7. CLOUD SECURITY DEFINITION: Cloud security, also known as cloud computing security, is a set of policies, controls, procedures and technologies that work together to protect cloud-based systems, data and infrastructure (wiki). Domains: DR/BC Planning; Governance; Identity & Access Management; Data Security; Availability; Compliance
  • 8. SECURITY IN CLOUD. CUSTOMER, responsibility for security 'in' the cloud: customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption, integrity, identity). AWS, responsibility for security 'of' the cloud: software (compute, storage, database, networking); hardware/AWS global infrastructure (regions, availability zones, edge locations)
  • 9. AWS MISCONFIGURATION BREACHES: 100 million people, $150M: a former AWS employee hacked the AWS Capital One DB (RDS snapshot + public EC2 with API key to RDS). Password hashes, API keys, SSL certs. S3 bucket configured for public access. 12 GB MSSQL database file, 1.8 million Chicago voters
  • 10. DEFINITION: Proper Security is … COMPROMISE
  • 12. WHERE TO BEGIN: The Cloud Security Assessment is part of a Cloud Cybersecurity Strategy to secure the critical assets and technologies that you own and use in the cloud. During a Cloud Security Assessment you evaluate your Cloud Security posture.
  • 13. WHAT SHOULD I AUDIT? Customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption, integrity, identity)
  • 14. WAYS OF BUILDING. EXTERNAL AUDIT: one time or on a regular basis; nearest result: ~2 months. INFOSEC TEAM: build the team, build security controls, create bugs and report to stakeholders; nearest result: ~2 months.
  • 16. WAYS OF BUILDING. EXTERNAL AUDIT: one time or on a regular basis; nearest result: ~2 months. INFOSEC TEAM: build security controls, create bugs and report to stakeholders; nearest result: ~2 months. DEVOPS / DEVSECOPS: enable the existing security controls AWS provides, enable monitoring for configuration changes; nearest result: ~1 week.
  • 18. WHAT SHOULD I AUDIT? Customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption, integrity, identity)
  • 19. CUSTOMER DATA: AWS MACIE. A service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS such as: ● Personally Identifiable Information (PII) ● Protected Health Information (PHI) ● Regulatory documents ● API keys ● Secret keys ● Intellectual property
  • 20. CUSTOMER DATA: AWS MACIE. Pros: ● GDPR Security Monitoring compliant ● Easy to enable ● Finished service out of the box. Cons: ● No IaC solution (Terraform is what we are interested in) ● It costs like a small jet… or ship ($50/1GB); Flo data example, annual cost: $600 000
  • 21. OPERATING SYSTEM, NETWORK & FIREWALL CONFIGURATION / PLATFORM, APPLICATIONS, IDENTITY & ACCESS MANAGEMENT: AWS INSPECTOR. Automated Security Assessment Service to help improve the security and compliance of applications deployed on AWS.
  • 22. AWS INSPECTOR rules packages. Network assessments: • Network Reachability. Host assessments: • Common Vulnerabilities and Exposures • Center for Internet Security (CIS) Benchmarks • Security Best Practices for Amazon Inspector
  • 23. AWS INSPECTOR (operating system, network & firewall configuration; platform, applications, identity & access management)
  • 24. AWS INSPECTOR PROS (operating system, network & firewall configuration): • Finalized solution out of the box • Certified service for vulnerability management • Easy to implement • Cost, but it is tricky
  • 25. AWS INSPECTOR CONS (operating system, network & firewall configuration): • Requires the Inspector agent on EC2 for host assessment • Usually you lock on to some AMI, which creates a patch management challenge for you • Can be replaced with AWS Config rules • Can decrease the performance of the service
  • 26. GUARD DUTY: IDS for AWS (operating system, network & firewall configuration; platform, applications, identity & access management)
  • 28. GUARD DUTY: GuardDuty + LAMBDA = IPS (operating system, network & firewall configuration; platform, applications, identity & access management)
  • 29. GUARD DUTY PROS: • Finalized solution out of the box • Easy to implement and support • Cost, but it is also tricky =) It depends on the volume of logs
  • 30. GUARD DUTY CONS: I did not find any cons ¯\_(ツ)_/¯
  • 31. CONFIG: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
  • 32. CONFIG: SIEM for AWS services
  • 33. CONFIG: SIEM for AWS services. MIN SET OF RULES: ● Network (restricted ssh, default SG usage, etc) ● S3 rules (public-read prohibited, replication enabled, etc) ● IAM (root access key check, MFA enabled for IAM console access) ● EC2 (ec2-instance-no-public-ip)
  • 34. SECURITY HUB: SIEM for AWS services
  • 35. SECURITY HUB: SIEM for AWS services
  • 37. What if I say that you can enable all these features using just a couple of rows of code?
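As an added example (not code from the talk or from Flo), here is the Terraform that turns on the controls slides 28, 33 and 37 describe: GuardDuty as the IDS, Security Hub, the minimum set of AWS Config managed rules, and an EventBridge rule handing GuardDuty findings to a Lambda responder. It assumes an AWS Config recorder and delivery channel are already enabled in the account and region, and that the responder Lambda already exists; `responder_lambda_arn` is a placeholder for its ARN.

```hcl
# Assumed: an AWS Config recorder already runs here and the responder Lambda exists.
variable "responder_lambda_arn" { type = string } # placeholder ARN of that Lambda
# IDS for AWS: one GuardDuty detector per region.
resource "aws_guardduty_detector" "this" {
  enable = true
}
# Security Hub collects GuardDuty, Inspector and Config findings in one place.
resource "aws_securityhub_account" "this" {}

# Minimum set of AWS Config managed rules from the deck (name => AWS source id).
locals {
  min_config_rules = {
    restricted-ssh                     = "INCOMING_SSH_DISABLED"
    default-security-group-closed      = "VPC_DEFAULT_SECURITY_GROUP_CLOSED"
    s3-bucket-public-read-prohibited   = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
    s3-bucket-replication-enabled      = "S3_BUCKET_REPLICATION_ENABLED"
    iam-root-access-key-check          = "IAM_ROOT_ACCESS_KEY_CHECK"
    mfa-enabled-for-iam-console-access = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
    ec2-instance-no-public-ip          = "EC2_INSTANCE_NO_PUBLIC_IP"
  }
}
resource "aws_config_config_rule" "min_set" {
  for_each = local.min_config_rules
  name     = each.key
  source {
    owner             = "AWS"
    source_identifier = each.value
  }
}

# GuardDuty + Lambda = "IPS": send medium/high findings (severity >= 4) to the responder.
resource "aws_cloudwatch_event_rule" "guardduty" {
  name = "guardduty-findings-to-responder"
  event_pattern = jsonencode({
    source        = ["aws.guardduty"]
    "detail-type" = ["GuardDuty Finding"]
    detail        = { severity = [{ numeric = [">=", 4] }] }
  })
}
resource "aws_cloudwatch_event_target" "responder" {
  rule = aws_cloudwatch_event_rule.guardduty.name
  arn  = var.responder_lambda_arn
}
# Lets EventBridge invoke the responder function.
resource "aws_lambda_permission" "eventbridge" {
  action        = "lambda:InvokeFunction"
  function_name = var.responder_lambda_arn
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.guardduty.arn
}
```

The Config rules start evaluating as soon as they are created, so a `terraform apply` followed by a look at the Config dashboard gives the first picture of the account's posture; the responder only receives findings above the severity threshold in the event pattern.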
  • 41. WHAT’S NEXT? HOW TO IMPROVE?
  • 42. WHAT’S NEXT? HOW TO IMPROVE?
  • 43. WHAT’S NEXT? HOW TO IMPROVE?
  • 44. VALUE FOR YOU AND YOUR BUSINESS. LEGAL COMPLIANCE: it helps you avoid compliance penalties. COST EFFECTIVE: proactive steps are cost effective in the future; they save your money and your business's money. IMPROVE SERVICE QUALITY: attack mitigation helps to improve service stability and availability and decreases reputational risks.
  • 45. Q&A
  • 46. THANK YOU! Join us and contribute to global health! https://flo.health/careers https://www.linkedin.com/in/roman-zelenko-1a755153/