AWS Security Ideas - re:Invent 2016
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Teri Radichel | @teriradichel
11/28/2016
AWS Security Ideas
Leverage The Platform - Enhance Security
Many companies have gotten past the belief that the cloud is not secure...
But you still have to secure it.
Here are some ideas for a more secure cloud.
Architect Systems For Security First
If the system is designed by security professionals,
security is built in from the ground up.
Centralize and Automate Security Functions
Manage security via trained professionals.
Limit mistakes due to lack of knowledge.
Build System as Gatekeeper
If changes have to go through gatekeeper…
Every change can be monitored.
Build System as Security Training System
Automate security checks at deployment…
Train developers at the point of action.
Leverage Event Driven Security Automation
Monitor for unwanted behavior…
Automatically respond.
Separation of Duties by Design
If it takes multiple people to make a mistake…
Chances are someone will catch the problem.
Immutable Infrastructure
If it cannot change once it has been deployed…
Malware cannot be installed after deployment.
Eliminate Published CVEs
According to the 2016 Verizon Data Breach Report:
Known CVEs cause the majority of breaches.
A Key is a Password
Keys: brute forced, lost, shared, stolen.
RBAC may be more easily managed.
Use Key Hierarchies
Limit use of each key to subset of data.
If one key is stolen, the damage is limited.
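
An added example, not part of the original slides: a key hierarchy in Python in which a root key derives one child key per subset of data, so a stolen child key opens only its own subset. The subset names, the sample records and the HMAC-based stream used in place of a real cipher such as AES-GCM are assumptions made so the code runs on the standard library alone.

```python
import hashlib, hmac, os

def hkdf(key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) with the default all-zero salt."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()  # extract
    okm, block, i = b"", b"", 1
    while len(okm) < length:                                      # expand
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def data_key(root: bytes, subset: str) -> bytes:
    """Child key for one subset of data; the root key never encrypts data."""
    return hkdf(root, b"data-key:" + subset.encode())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 in counter mode stands in for a real cipher.
    blocks = (hmac.new(key, nonce + n.to_bytes(4, "big"), hashlib.sha256).digest()
              for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC, with separate enc and mac sub-keys derived from key."""
    nonce = os.urandom(16)
    body = nonce + _xor_stream(hkdf(key, b"enc"), nonce, plaintext)
    return body + hmac.new(hkdf(key, b"mac"), body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(hkdf(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    return _xor_stream(hkdf(key, b"enc"), body[:16], body[16:])

def blast_radius(stolen_key: bytes, store: dict) -> list:
    """Names of the subsets that a stolen key can decrypt."""
    readable = []
    for subset, blob in store.items():
        try:
            unseal(stolen_key, blob)
            readable.append(subset)
        except ValueError:
            pass
    return readable

# Constructed sample data: three subsets, each sealed under its own child key.
ROOT = os.urandom(32)
STORE = {name: seal(data_key(ROOT, name), f"records for {name}".encode())
         for name in ("billing", "hr", "telemetry")}
```

The root key can re-derive every child key, so it is the one key that needs the strongest protection.
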
Make It Easy For Developers
Automate common security related functions.
Simplify: authenticate, log, encrypt, deploy.
Consider Process vs. Technical Controls
Think encrypting data in memory.
May be more feasible to secure via process.
Think About Who Can Change Controls
If the control can be changed by lots of people…
It is not an effective control.
Understand Reconnaissance
Network scans look for vulnerabilities to attack.
Secure all endpoints.
The Benefit of Network Security
A kernel-mode rootkit makes machines lie.
The network doesn’t lie.
Most Developers != Network Professionals
Implementing is not the same as securing.
One hole in the fence enables intrusion.
Secure Your Logs
Write once, read only, replicated.
Ensure logs are not missing or deceiving.