Cloud Security Strategy - Adapt to Changes with Security Automation -
Session ID: CMI-F03
#RSAC
Hayato Kiriyama
Security Solutions Architect, Amazon Web Services Japan K.K.
@hkiriyam1
Agenda
New Normal of Security Architecture
Security Best-Mix to Adapt to Changes
Security Automation as a New Solution
Cloud has become the New Normal.
Companies of every size are deploying new applications to the cloud by default.
Andy Jassy, Chief Executive Officer, Amazon Web Services, AWS re:Invent 2015
https://www.youtube.com/watch?v=D5-ifl7KJ00
The only rational response to risk is to be proactive in how we engage with changes.
If you are not disrupting your own markets, someone else will disrupt them for you.
Eric Tucker, IT Chief Technology Officer, GE Global Research, AWS Summit Tokyo 2016
http://www.youtube.com/watch?v=nsStpwFYcPc&t=28m40s
IT in the Cloud Era
Ownership -> Utilization
Electric Power: Private Electric Generator -> Electric Utility Provider
Computing: On-premise Servers -> Cloud Service Provider
IT Capacity (On-premise)
Chart: installed capacity versus demand under Rapid Growth or M&A and Unpredictable Peak
Lack of Capacity = Opportunity Loss
Surplus Capacity
IT Capacity (Cloud)
Chart: capacity following demand under Rapid Growth or M&A and Unpredictable Peak
Freedom from Surplus and Lack of Capacity
Freedom from Surplus Capacity
Freedom from Capacity Sizing
The Value of Cloud
Improvement: Easier, Faster, Cheaper
Innovation: Can do what we couldn’t do
Disruption: Bring the old value to naught (“Normal” to “New Normal”)
“Normal” Security Issues
Are current security measures effective?
How much should we invest in security?
Is ROI optimized?
Can We Calculate Security ROI?
Return: protected amount of money applied by security measures
Investment: pure cost of security measures

Can We Calculate Security ROI? NO!
Return:
Direct cost (measurable): incident response expenses, existing customers lost
Indirect cost (unmeasurable): business opportunity lost, prospective customers lost
Investment: IT investment, facility investment, training. What is the percentage of security?
Security is becoming a fabric item. It’s woven through every major technical decision.
Security Investment Can Not Be Unraveled
Mark McLaughlin, President & CEO, Palo Alto Networks, Ignite 2015
https://www.youtube.com/watch?v=zUVCNitSlmA
Start with Risk (Risk-based Approach)
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
“Select the appropriate security controls in accordance with the required security levels.”
“Tailor security control baselines to achieve the needed level of protection in accordance with organizational assessments of risk.”
Security Risk Formula
Threats: Malware, Targeted Attack, DDoS Attack
Vulnerabilities: Security Hole, Misconfiguration, Psychological
Informational Assets: Corporate Confidential, Personal Information, Intellectual Property
Risks keep changing
Threats change with: Social Event, Corporate News, Corporate Reputation
Vulnerabilities change with: Asset Investment, Organization Growth, Hiring & Deployment
Informational Assets change with: Business Growth, M&A/IPO, Company Split-up
Adapt Security Level to Risk Changes
Chart: Changing Security Risk over time, with the Optimal Security Level tracking it
From ROI to Adaptiveness
“Normal”: what we look at is Return On Investment (ROI); what it looks like is an Increased Security Level
“New Normal”: what we look at is Adaptiveness to changes; what it looks like is an Adapted Security Level that follows the Changing Security Risk over time
Agenda
New Normal of Security Architecture
Security Best-Mix to Adapt to Changes (this section)
Security Automation as a New Solution
Categories by Adaptiveness
Category / Adaptiveness / Use cases
Fixed Security / Low / Data Center, Facility, Server, Storage, Network, Hypervisor
Corporate Security / Middle / Encryption, Vulnerability Mngt., Access Control, Log Management, Data Protection, FW/IPS/IDS
Situational Security / High / Threat Intelligence, Incident response, Correlation, Forensics, EDR, UEBA
[REF] Electric Power Best Mix
Chart: electric power demand over 24 hours (0, 6, 12, 18, 24 H), served by a mix of nuclear electric power, thermal electric power and pumped-storage hydroelectric power
Security Best Mix
Chart: Security Level built up from three layers, each with its adaptiveness and cost
Fixed Security: adaptiveness Low, cost Low
Corporate Security: adaptiveness Middle, cost Middle
Situational Security: adaptiveness High, cost High
Security Best Mix in the Cloud Era
Each layer of the Security Level has a power source (driver):
Fixed Security (Security of the cloud): Economies of Scale by Cloud Service Provider (Cost)
Corporate Security (Security in the cloud): Compliance as Code / DevSecOps, based on regulatory compliance (Reusability/Repeatability)
Situational Security (Security by the cloud): Security Automation (Adaptability). What and How?
Minimize the Gap to Adapt
Chart: Security Level over time; the gap between the Changing Security Risk and the Adapted Security Level is minimized by two means:
1. Granular Response: Microservices Architecture (Many Small Services, Independently Deployable, Loosely Coupled)
2. Early Detection: Data Management Infrastructure (Massive Security Logs, Threat Intelligence, Event Driven / API Call)
Cloud Makes It Easier and Possible
Agenda
New Normal of Security Architecture
Security Best-Mix to Adapt to Changes
Security Automation as a New Solution (this section)
Gartner’s Adaptive Security Architecture
Four quadrants around Continuous Monitoring and Analytics:
Predict: Proactive Exposure Assessment, Predict Attacks, Baseline Systems
Prevent: Harden and Isolate Systems, Divert Attackers, Prevent Incidents
Detect: Detect Incidents, Confirm and Prioritize, Contain Incidents
Respond: Investigate / Forensics, Design / Model Changes, Remediate / Make Changes
AWS Service Mapping
Diagram mapping AWS and third-party services onto the four quadrants (Predict, Prevent, Detect, Respond): AWS Config, Amazon Inspector, 3rd Party Data Feed, AWS Lambda, Amazon EBS, Amazon SNS, AWS CloudFormation, Amazon VPC flow logs, 3rd Party SIEM, NACL / SG, AWS WAF, 3rd Party IDS, Amazon CloudFront, AWS CloudTrail, Amazon CloudWatch, Auto Scaling
Use Case: Mitigate External Attacks
Service mapping for this use case (Predict, Prevent, Detect, Respond). Services shown: Auto Scaling, AWS Config, Amazon Inspector, Amazon EBS, AWS CloudFormation, Amazon VPC flow logs, 3rd Party SIEM, NACL / SG, 3rd Party IDS, AWS CloudTrail, Amazon CloudWatch, 3rd Party Data Feed, AWS WAF, Amazon CloudFront, AWS Lambda, Amazon SNS
Automatic Update on WAF Rule with IP Black List
AWS WAF Security Automations: https://aws.amazon.com/jp/answers/security/aws-waf-security-automations/
Architecture: User and Attacker traffic -> AWS WAF (Web Application Firewall) -> Amazon CloudFront (Content Delivery Network) -> Elastic Load Balancing (Load Balancer) -> Amazon EC2 (Web servers) -> Amazon RDS (Database). Amazon CloudWatch (Resource Monitoring) drives AWS Lambda (Function as a Service).
① Execute hourly (CloudWatch triggers the Lambda function)
② Check for malicious IP addresses against a 3rd party Reputation List
③ Add to an AWS WAF block list
④ Block the traffic from malicious IP addresses
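The hourly reputation-list check in steps ① to ③, as an added example that is not code from this deck or from the AWS WAF Security Automations solution: it parses a third-party feed into the IPv4 CIDRs a classic AWS WAF IPSet accepts, diffs them against the IPSet's current contents, and produces the Updates list for update_ip_set. The feed contents are constructed, and the feed URL and IPSet id in lambda_handler are placeholders.

```python
import ipaddress
# Constructed sample of a 3rd-party reputation feed (not a real list): one
# entry per line, '#' comments, bare IPs or CIDRs, and some noise to skip.
SAMPLE_FEED = """# constructed sample reputation feed
203.0.113.7
198.51.100.0/24
192.0.2.0/24   # duplicated below on purpose
192.0.2.0/24
not-an-ip
2001:db8::/32
"""

def parse_feed(text):
    """Return the IPv4 CIDRs in the feed that a classic AWS WAF IPSet accepts
    (bare IPs become /32; /8 and /16 through /32 prefixes are kept)."""
    cidrs = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # skip malformed lines instead of failing the hourly run
        if net.version == 4 and (net.prefixlen == 8 or 16 <= net.prefixlen <= 32):
            cidrs.add(str(net))
    return cidrs

def build_ipset_updates(current, desired):
    """Diff the block list so only changes are sent; the result has the shape
    the classic WAF update_ip_set call expects in its Updates parameter."""
    def descriptor(action, value):
        return {"Action": action, "IPSetDescriptor": {"Type": "IPV4", "Value": value}}
    current, desired = set(current), set(desired)
    return ([descriptor("DELETE", v) for v in sorted(current - desired)] +
            [descriptor("INSERT", v) for v in sorted(desired - current)])

def lambda_handler(event, context):
    # Step ①: run hourly by a CloudWatch schedule. URL and IPSet id are placeholders.
    import boto3, urllib.request  # imported here so the functions above run offline
    waf = boto3.client("waf")  # global (CloudFront-facing) classic WAF
    feed = urllib.request.urlopen("https://FEED-URL-PLACEHOLDER/list.txt").read().decode()
    ipset_id = "IPSET-ID-PLACEHOLDER"
    current = [d["Value"] for d in waf.get_ip_set(IPSetId=ipset_id)["IPSet"]["IPSetDescriptors"]
               if d["Type"] == "IPV4"]
    updates = build_ipset_updates(current, parse_feed(feed))  # step ②
    if updates:  # step ③: add new entries to (and retire stale ones from) the block list
        waf.update_ip_set(IPSetId=ipset_id, Updates=updates,
                          ChangeToken=waf.get_change_token()["ChangeToken"])
    return {"changes": len(updates)}
```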
Contain and Notify an Incident by Scale-out
Architecture: Amazon CloudFront (Content Delivery Network) -> Elastic Load Balancing (Load Balancer) -> Auto Scaling Group of EC2 Instances spread across Availability Zone 1a and Availability Zone 1b
① Massive traffic
② Automatic traffic distribution by scale-out
③ Notify the scaling event (Amazon SNS, Notification Service)
④ Call an arbitrary function (AWS Lambda, Function as a Service)
Use Case: Assess Risks to Manage Internal Endpoints
56
AWSConfig
Auto Scaling
AWS WAFAmazon
CloudFront
3rd PartyData Feed
AWSCloudFormation 3rd Party SIEM
3rd Party IDS
Predict Prevent
DetectRespond
Amazon CloudWatch
Amazon Inspector
NACL SG
Amazon VPC flow logs
Amazon EBS
AWSCloudTrail
AWSLambda
AmazonSNS
Automate Quarantine and Backup
Components: EC2 Instance (Endpoint), Amazon Inspector (Security Assessment), Amazon EBS (Block Storage), Security Group (Stateful Firewall), Network ACL (Stateless Firewall), AWS CloudTrail (Operation Log Service), Amazon SNS (Notification Service), AWS Lambda (Function as a Service)
① Run a security assessment (Lambda starts Amazon Inspector)
② Vulnerability scan to endpoint
③ Notify the scan results (Amazon SNS)
④ Quarantine the endpoint by firewalls (Lambda updates the Security Group and Network ACL)
⑤ Copy a disk image for backup (EBS snapshot)
⑥ Record the backup log (AWS CloudTrail)
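Steps ③ to ⑤ as a Lambda handler, an added example that is not code from this deck or from AWS: the SNS-delivered scan result is parsed, a High finding gets the instance's security groups swapped for a deny-all quarantine group and its EBS volumes snapshotted. The quarantine group id is a placeholder, the SNS message fields are a constructed stand-in for the real Amazon Inspector notification, and FakeEC2 is an offline test double for the boto3 client.

```python
import json

# Hypothetical id of a deny-all "quarantine" security group; the deck names
# the step (④) but no identifier, so this is a placeholder.
QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"

def quarantine_and_backup(ec2, instance_id, reason):
    """Step ④: swap the instance's security groups for the quarantine group,
    then step ⑤: snapshot every attached EBS volume. `ec2` is a boto3 EC2
    client or any object exposing the same four methods."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    # Tag the instance first so the original groups can be restored after triage.
    original = ",".join(g["GroupId"] for g in inst.get("SecurityGroups", []))
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "QuarantineReason", "Value": reason},
        {"Key": "OriginalSecurityGroups", "Value": original}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    snapshots = []
    for mapping in inst.get("BlockDeviceMappings", []):
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=vol, Description=f"quarantine {instance_id}: {reason}")
        snapshots.append(snap["SnapshotId"])
    return {"instance": instance_id, "groups": [QUARANTINE_SG], "snapshots": snapshots}

def lambda_handler(event, context, ec2=None):
    """Step ③ delivers scan results through SNS; only High findings are
    quarantined. Message fields are constructed, not the real Inspector format."""
    if ec2 is None:
        import boto3  # real client inside Lambda; tests inject FakeEC2 instead
        ec2 = boto3.client("ec2")
    results = []
    for record in event["Records"]:
        finding = json.loads(record["Sns"]["Message"])
        if finding.get("severity") == "High":
            results.append(quarantine_and_backup(ec2, finding["instanceId"], finding["title"]))
    return results

class FakeEC2:
    """Offline stand-in that records the calls the handler would make to EC2."""
    def __init__(self): self.calls = []
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0],
                "SecurityGroups": [{"GroupId": "sg-web"}], "BlockDeviceMappings": [
                {"Ebs": {"VolumeId": "vol-root"}}, {"Ebs": {"VolumeId": "vol-data"}}]}]}]}
    def create_tags(self, **kw): self.calls.append(("create_tags", kw))
    def modify_instance_attribute(self, **kw): self.calls.append(("modify_instance_attribute", kw))
    def create_snapshot(self, VolumeId, Description):
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": "snap-" + VolumeId}
```

Step ⑥ needs no code: every call the handler makes is an EC2 API call, so CloudTrail records the quarantine and snapshot operations as a matter of course.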
The Value of Cloud Security
Improvement: Easier, Faster, Cheaper
Innovation: Can do what we couldn’t do
Disruption: Bring the old value to naught (“ROI” to “Adaptiveness to changes”)
Granular response through the microservices
Earlier detection on data management infrastructure
Summary
Be adaptive to the changes of security risks
Best-mix security by its adaptiveness
Cloud makes it easy and possible with Security Automation
“Apply”
Apply cloud technology to improve readiness and responsiveness (e.g. AWS provides automated security).
Mix different types of security in adaptiveness to attain the necessary security level. Recommended mix:
security of the cloud for fixed security
security in the cloud for corporate security
security by the cloud for situational security
Thank you!