How to Protect Your AWS Environment
Lahav Savir, CEO & Architect
Emind Cloud Experts
A Global Expert in Cloud Enablement for Products, SaaS ISV, and Online Solutions
Top Level Partnership
A “Cloud-native” MSP
Market Guide for Managed Service Providers on Amazon Web Services (Lydia Leong, Oct. 2015)
“Amazon Web Services does not offer managed services, but many customers want to use AWS as a cloud IaaS and PaaS platform, while outsourcing IT operations or application management. AWS's ecosystem of MSP partners can fulfill this need.”
https://www.gartner.com/doc/3157620/market-guide-managed-service-providers
“Common Types of MSPs (on AWS) with Example References
● Cloud-native MSPs. These MSPs were either founded specifically to provide services on cloud IaaS, or pivoted to entirely focus their business on these services. Many of these MSPs are AWS-specific. Examples include 2nd Watch, Cloudnexa, Cloudreach, Emind and Minjar”
The future is all about cloud computing. A report shows that by 2018 over 78% of workloads will be managed by cloud data centers, against the remaining 22% processed by traditional data centers.
Where there is more data, there are bound to be more data breaches!
Security in the Cloud
Security of the Cloud
Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment (IDC, July 2015)
Why is the Cloud more Secure?
● More segmentation (separation)
● More encryption
● Stronger authentication
● More logging and monitoring
Top Topics
● Infrastructure Security
● Network Security
● Host Security
● Data Encryption
● Identity Management
● Monitoring & Auditing
Identity Federation
Why do you need a Single Identity?
● Multiple AWS Accounts
● Multiple Security Policies
● Multiple Entry Points
● Many Resources
● Multiple 3rd Party Services
Single Identity Provider
● Single Password Policy
● Single Lock Policy
● Single OTP
● Single Login Audit
● Same username used across all resources
Organization users accessing:
AWS Resources
● AWS Console
● AWS API
● Network Access / VPN
● EC2 Instances
Other Resources
● New Relic
● Datadog
● Pingdom
● Google Apps
● Office 365
● Jira
● Github
● Logz.io
● ...
● Don't mix Corporate and Cloud Resources
● Minimize Replication
● Maximize Federation
Corporate
● Corporate Active Directory
● Mix of users and desktops / servers
● 3rd Party SSO / Federation Services
Cloud
● Cloud Active Directory
● Cloud Resources Only
Integration
● One Way Trust between Corp AD and Cloud AD
Login Scenarios
● AWS Console
○ SAML Federation
● VPN
○ RADIUS
● Jumpbox on EC2
○ RADIUS / LDAP
● Windows instance on EC2
○ Kerberos / LDAP
● Linux instance on EC2
○ Kerberos / LDAP
No need for IAM Users
Network Access
Networking
● Public Internet
● VPN / IPSec Tunnel
● Direct Connect
Direct Connect Options
● Private Virtual Interface – Access to VPC
○ Note: does not reach VPC Endpoints, and is not transitive across VPC Peering
● Public Virtual Interface – Access to non-VPC Services
SSL VPN Options
● OpenVPN
● Fortinet Fortigate
● Sophos
● pfSense
● … Others
Don’t assume your corporate network is secure and expose your production networks to all of its users
Smart Separation (diagram: Inbound / Application / Outbound)
● Create a controlled environment that minimizes human mistakes
● Inspect inbound and outbound traffic
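As an added example, not part of the original deck, here is a small Python inspector for the "inspect inbound and outbound traffic" point, run over VPC Flow Logs in their default version-2 record format. The production CIDR, the allow-listed egress port and the sample records are constructed for the example; the "internal" test uses explicit RFC 1918 ranges rather than `ipaddress.is_private`, because that property also treats the documentation ranges used in the sample as private.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed assumptions for this example: the production subnet, the RFC 1918
# ranges treated as internal, and the only egress port production should need.
PROD_CIDR = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EGRESS_PORTS = {443}

# Constructed sample records; account ID, ENI IDs and addresses are made up.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.10 10.20.1.15 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.10 10.20.1.15 51235 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.20.1.15 40001 22 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.20.1.15 52.94.0.10 44123 443 6 20 4100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.20.1.15 198.51.100.9 44124 4444 6 15 2200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60003 10.20.1.15 10.20.2.20 44125 5432 6 50 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60003 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_records(text):
    """Parse flow log lines; NODATA/SKIPDATA records carry '-' fields and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom record format
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue  # no address/port fields to parse
        records.append(FlowRecord(
            interface_id=row["interface_id"],
            src=ipaddress.ip_address(row["srcaddr"]),
            dst=ipaddress.ip_address(row["dstaddr"]),
            srcport=int(row["srcport"]),
            dstport=int(row["dstport"]),
            protocol=int(row["protocol"]),
            action=row["action"],
        ))
    return records


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def rejected_inbound_by_port(records):
    """Inbound: flows from outside production that security groups / NACLs rejected, by destination port."""
    counts = Counter(r.dstport for r in records
                     if r.action == "REJECT" and r.dst in PROD_CIDR and r.src not in PROD_CIDR)
    return dict(counts)


def suspicious_egress(records):
    """Outbound: accepted flows from production to non-internal addresses on ports not on the allow-list."""
    return [r for r in records
            if r.action == "ACCEPT" and r.src in PROD_CIDR
            and not is_internal(r.dst) and r.dstport not in ALLOWED_EGRESS_PORTS]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("rejected inbound by port:", rejected_inbound_by_port(recs))
    for r in suspicious_egress(recs):
        print(f"egress {r.src}:{r.srcport} -> {r.dst}:{r.dstport} via {r.interface_id}")
```

The two summaries are the minimum a controlled environment needs: the rejected-inbound counts show what the perimeter is already stopping (and which ports are being probed), while the egress list surfaces accepted outbound connections that the production tier has no business making. In a real account the records come from the CloudWatch Logs group or S3 prefix the flow log is delivered to, not from a string.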
Host Security
What’s Host Security?
● OS Hardening
● Anti Virus
● Malware Protection
● Host Based IPS
● File Integrity Monitoring
● Vulnerability Scanning
Data Encryption
AWS Encryption Options
Data at Rest
● EBS Encryption (inc. root device)
● S3 Client / Server Side Encryption
● RDS / Redshift Storage Encryption
● DynamoDB Client Side Encryption
https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf
Data in Transit
● APIs are TLS encrypted
● Service Endpoints are TLS Encrypted
● Elastic Load Balancer supports TLS
● CloudFront supports TLS
● IPSec VPN
Encrypt all your data: you never know who will request access to it, or when.
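Added example, not the deck's own material: a Python audit that turns the data-at-rest options above into a governance check. It works on the response shapes of EC2 `DescribeVolumes` (`Encrypted` per volume, root devices included) and RDS `DescribeDBInstances` (`StorageEncrypted`); the sample responses and their IDs are constructed, and `audit_live_account` is the only part that needs boto3 and credentials.

```python
def unencrypted_volumes(describe_volumes_response):
    """IDs of EBS volumes whose data at rest is not encrypted.

    `Encrypted` is the per-volume flag in the DescribeVolumes response; an
    attached root device appears here like any other volume, so this check
    covers the "inc. root device" case as well.
    """
    return sorted(
        v["VolumeId"]
        for v in describe_volumes_response.get("Volumes", [])
        if not v.get("Encrypted", False)
    )


def unencrypted_db_instances(describe_db_instances_response):
    """Identifiers of RDS instances created without storage encryption."""
    return sorted(
        db["DBInstanceIdentifier"]
        for db in describe_db_instances_response.get("DBInstances", [])
        if not db.get("StorageEncrypted", False)
    )


def encryption_findings(volumes_resp, rds_resp):
    """Combine both checks into one (resource type, resource id) finding per gap."""
    findings = [("ebs-volume", vid) for vid in unencrypted_volumes(volumes_resp)]
    findings += [("rds-instance", dbid) for dbid in unencrypted_db_instances(rds_resp)]
    return findings


# Constructed sample responses (volume, instance and DB identifiers are made up).
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0aaa000000000001", "Encrypted": True, "State": "in-use",
     "Attachments": [{"InstanceId": "i-0bbb000000000001", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0aaa000000000002", "Encrypted": False, "State": "in-use",
     "Attachments": [{"InstanceId": "i-0bbb000000000001", "Device": "/dev/xvdf"}]},
    {"VolumeId": "vol-0aaa000000000003", "Encrypted": False, "State": "available",
     "Attachments": []},
]}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-orders", "StorageEncrypted": True, "Engine": "postgres"},
    {"DBInstanceIdentifier": "legacy-reports", "StorageEncrypted": False, "Engine": "mysql"},
]}


def audit_live_account(region="us-east-1"):
    """Run the same checks against a real account (needs boto3 and credentials).

    Both APIs paginate, so the paginators are used to gather every page
    before the pure checks above are applied.
    """
    import boto3  # imported here so the pure checks stay runnable offline
    ec2 = boto3.client("ec2", region_name=region)
    rds = boto3.client("rds", region_name=region)
    volumes = {"Volumes": [v for page in ec2.get_paginator("describe_volumes").paginate()
                           for v in page["Volumes"]]}
    dbs = {"DBInstances": [d for page in rds.get_paginator("describe_db_instances").paginate()
                           for d in page["DBInstances"]]}
    return encryption_findings(volumes, dbs)


if __name__ == "__main__":
    for kind, rid in encryption_findings(SAMPLE_VOLUMES, SAMPLE_RDS):
        print(f"UNENCRYPTED {kind}: {rid}")
```

Keeping the checks as pure functions over the API response shape means they can be unit-tested with constructed data and then scheduled (for example from a Lambda function) against each account and region; an unattached `available` volume still counts, since a snapshot of it would be unencrypted too.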
Centrally Monitor and Audit
Events Sources
● CloudTrail
● ELB / S3 / CloudFront Access Logs
● VPC Flow logs
● AWS Inspector
● Host AV & IPS
● Network WAF & IPS
● Evident.io / Dome9
● Observable
● Create Clear Visibility
● Set Governance Rules
● Define Actions
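Added example, not from the original deck, tying the "No need for IAM Users" login model in the identity section to the visibility, governance rules and actions listed above: Python rules applied to CloudTrail records. It assumes CloudTrail's JSON record layout (a federated console login shows a `userIdentity.type` of `AssumedRole`; IAM user creation is a `CreateUser` event from `iam.amazonaws.com`); the sample records, account ID, ARNs and addresses are constructed, and the action names are this example's own labels.

```python
import json

# Constructed sample CloudTrail records (account ID, ARNs and IPs are made up).
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # Federated console login: SAML federation yields an assumed-role identity.
        "eventTime": "2016-03-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admins/alice@example.com"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"}},
    {   # Login with a plain IAM user and no MFA: bypasses the single identity provider.
        "eventTime": "2016-03-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.20",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                         "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"}},
    {   # A new IAM user is created, which the federation model says should not happen.
        "eventTime": "2016-03-01T08:10:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "sourceIPAddress": "198.51.100.20",
        "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                         "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
        "requestParameters": {"userName": "temp-admin"}},
    {   # Routine read-only API call: no finding expected.
        "eventTime": "2016-03-01T08:11:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admins/alice@example.com"},
        "requestParameters": None},
]})


def _is_console_login(rec):
    return rec.get("eventSource") == "signin.amazonaws.com" and rec.get("eventName") == "ConsoleLogin"


# Governance rules: each takes one record and returns a finding string or None.
def rule_console_login_not_federated(rec):
    """Console logins should arrive through SAML federation, i.e. as an assumed role."""
    if _is_console_login(rec):
        ident = rec.get("userIdentity") or {}
        if ident.get("type") != "AssumedRole":
            return f"console login by non-federated identity {ident.get('arn')}"
    return None


def rule_console_login_without_mfa(rec):
    """Every console login should carry the identity provider's OTP / MFA."""
    if _is_console_login(rec):
        extra = rec.get("additionalEventData") or {}  # CloudTrail may emit null here
        if extra.get("MFAUsed") != "Yes":
            return f"console login without MFA from {rec.get('sourceIPAddress')}"
    return None


def rule_iam_user_created(rec):
    """With federation in place, no new IAM users should appear."""
    if rec.get("eventSource") == "iam.amazonaws.com" and rec.get("eventName") == "CreateUser":
        params = rec.get("requestParameters") or {}  # null when the call had no parameters
        actor = (rec.get("userIdentity") or {}).get("arn")
        return f"IAM user '{params.get('userName')}' created by {actor}"
    return None


RULES = [rule_console_login_not_federated, rule_console_login_without_mfa, rule_iam_user_created]

# Define Actions: which response each rule triggers (labels are this example's own).
ACTIONS = {
    "rule_console_login_not_federated": "page-oncall",
    "rule_iam_user_created": "page-oncall",
    "rule_console_login_without_mfa": "open-ticket",
}


def evaluate_trail(trail_json, rules=RULES):
    """Visibility -> rules -> findings: one (eventTime, rule name, detail) per hit."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        for rule in rules:
            detail = rule(rec)
            if detail:
                findings.append((rec.get("eventTime"), rule.__name__, detail))
    return findings


def plan_actions(findings):
    """Map each finding to the action an operator takes; unknown rules default to a ticket."""
    return [(ACTIONS.get(rule, "open-ticket"), detail) for _, rule, detail in findings]


if __name__ == "__main__":
    for action, detail in plan_actions(evaluate_trail(SAMPLE_TRAIL)):
        print(f"{action}: {detail}")
```

The same three-step shape (collect the source, apply a named rule, map the rule to an action) extends to the other event sources in the list; what changes is the record layout each rule reads. Treating `requestParameters` and `additionalEventData` as possibly null matters in practice, since CloudTrail does emit null for events that carry no parameters.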
Join our Fastlane to a Successful Cloud Deployment
Thank you,
lahavs@emind.co
