How to Secure your Hybrid Environment - Pop-up Loft Tel Aviv

How to Secure your Hybrid Environment Lahav Savir, CEO & Architect Emind Cloud Experts

Transcript of How to Secure your Hybrid Environment - Pop-up Loft Tel Aviv

Page 1:

How to Secure your Hybrid Environment

Lahav Savir, CEO & Architect, Emind Cloud Experts

Page 2:

A Global Expert in Cloud Enablement for Products, SaaS ISV, and Online Solutions

Page 3:

Top Level Partnership

Page 4:

A “Cloud-native” MSP

Market Guide for Managed Service Providers on Amazon Web Services (Lydia Leong, Oct. 2015)

“Amazon Web Services does not offer managed services, but many customers want to use AWS as a cloud IaaS and PaaS platform, while outsourcing IT operations or application management. AWS's ecosystem of MSP partners can fulfill this need.”

https://www.gartner.com/doc/3157620/market-guide-managed-service-providers

“Common Types of MSPs (on AWS) with Example References

● Cloud-native MSPs. These MSPs were either founded specifically to provide services on cloud IaaS, or pivoted to entirely focus their business on these services. Many of these MSPs are AWS-specific. Examples include 2nd Watch, Cloudnexa, Cloudreach, Emind and Minjar”

Page 5:

The future is all about cloud computing. A report shows that by 2018 over 78% of workloads will be handled by cloud data centers, against the remaining 22% processed by traditional data centers.

Page 6:

A recent Gartner report predicts that 2016 will be a defining year for cloud, as private cloud begins to yield to hybrid cloud, with no less than 50% of large enterprises deploying hybrid cloud by 2017.

Page 7:

Where there is more data, there are bound to be more data breaches!

Page 8:

Page 9:

Security in the Cloud (the customer's responsibility: operating systems, network configuration, identity and access, data)

Security of the Cloud (the provider's responsibility: facilities, hardware, physical network, hypervisor)

Page 10:

Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment

IDC, July 2015

Page 11:

Why is the Cloud more Secure?

● More segmentation (separation)
● More encryption
● Stronger authentication
● More logging and monitoring

Page 12:

Top Topics

● Infrastructure Security
● Network Security
● Application Security
● Data Encryption
● Identity Management
● Monitoring & Auditing

Page 13:

Identity Federation

Page 14:

Why do you need a Single Identity?

● Multiple AWS Accounts
● Multiple Security Policies
● Multiple Entry Points
● Many Resources
● Multiple 3rd Party Services

Page 15:

Single Identity Provider

● Single Password Policy
● Single Lock Policy
● Single OTP
● Single Login Audit
● Same username used across all resources

Page 16:

Organization users accessing:

AWS Resources

● AWS Console
● Network Access / VPN
● EC2 Instances

Other Resources

● New Relic
● Datadog
● Pingdom
● Google Apps
● Office 365
● Jira
● Github
● Logz.io
● ...

Page 17:

● Don't mix Corporate and Cloud Resources
● Minimize Replication
● Maximize Federation

Page 18:

Corporate

● Corporate Active Directory
● Mix of users and desktops / servers
● 3rd Party SSO / Federation Services

Cloud

● Cloud Active Directory
● Cloud Resources Only

Integration

● One-way trust between Corp AD and Cloud AD (the cloud domain trusts the corporate domain, so corporate users authenticate to cloud resources without their accounts being replicated into the cloud directory)

Page 19:

Login Scenarios

● AWS Console
  ○ SAML Federation
● VPN
  ○ RADIUS
● Jumpbox on EC2
  ○ RADIUS / LDAP
● Windows instance on EC2
  ○ Kerberos / LDAP
● Linux instance on EC2
  ○ Kerberos / LDAP

No need for IAM users (and so no long-lived IAM passwords or access keys to rotate and audit)
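The "AWS Console via SAML Federation" scenario above, worked through on the client side as an added example (this is not code from the talk or from Emind): the client pulls the role and session-name attributes out of the IdP's assertion, refuses any role outside the accounts it is allowed to federate into, and hands the signed SAMLResponse to STS, which is where the IdP signature is actually verified. The account IDs, the provider name `CorpAD`, the role names and the sample assertion are all constructed for the example; the trust policy shows the `SAML:aud` condition that keeps an assertion issued for some other service provider from being replayed against the role.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Trust policy attached to each federated role (account id and provider name
# are assumptions). SAML:aud ties the role to assertions minted for the AWS
# sign-in endpoint, so a token issued for another SP cannot assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/CorpAD"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }],
}

# Constructed, unsigned sample assertion (for parsing only). The second role
# value lists the provider ARN first: AWS accepts the two ARNs in either order.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Conditions><saml2:AudienceRestriction>
    <saml2:Audience>https://signin.aws.amazon.com/saml</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
      <saml2:AttributeValue>alice@corp.example</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml2:AttributeValue>arn:aws:iam::123456789012:role/CorpAdmins,arn:aws:iam::123456789012:saml-provider/CorpAD</saml2:AttributeValue>
      <saml2:AttributeValue>arn:aws:iam::210987654321:saml-provider/CorpAD,arn:aws:iam::210987654321:role/ReadOnly</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def account_of(arn: str) -> str:
    """The account id is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def parse_assertion(assertion_xml: str):
    """Return (audiences, session_name, [(role_arn, provider_arn), ...]).

    A role value is 'arn,arn' in either order, so the two ARNs are told apart
    by type rather than by position. Malformed values are rejected, not skipped.
    """
    root = ET.fromstring(assertion_xml)
    audiences = [a.text.strip() for a in root.iterfind(".//saml2:Audience", SAML_NS)]
    session_name, roles = None, []
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml2:AttributeValue", SAML_NS)]
        if attr.get("Name") == SESSION_ATTR and values:
            session_name = values[0]
        elif attr.get("Name") == ROLE_ATTR:
            for value in values:
                parts = [p.strip() for p in value.split(",")]
                role = next((p for p in parts if ":role/" in p), None)
                provider = next((p for p in parts if ":saml-provider/" in p), None)
                if len(parts) != 2 or role is None or provider is None:
                    raise ValueError(f"malformed role attribute: {value!r}")
                roles.append((role, provider))
    return audiences, session_name, roles


def choose_role(roles, allowed_accounts, wanted=None):
    """Pick a (role, provider) pair; refuse roles outside the accounts we
    federate into, and pairs whose provider lives in a different account."""
    candidates = [(r, p) for r, p in roles
                  if account_of(r) in allowed_accounts and account_of(p) == account_of(r)
                  and (wanted is None or r == wanted)]
    if not candidates:
        raise PermissionError("no federated role in an allowed account")
    return candidates[0]


def assume_role(saml_response_b64: str, role_arn: str, provider_arn: str, duration=3600):
    """Trade the base64 SAMLResponse (exactly as posted by the IdP) for temporary
    credentials. STS validates the IdP signature; nothing here trusts the
    assertion on its own. boto3 is imported lazily so the parsing above runs
    without it; this call needs network access and a real IdP response."""
    import boto3
    sts = boto3.client("sts")
    resp = sts.assume_role_with_saml(RoleArn=role_arn, PrincipalArn=provider_arn,
                                     SAMLAssertion=saml_response_b64,
                                     DurationSeconds=duration)
    return resp["Credentials"]


if __name__ == "__main__":
    audiences, session, roles = parse_assertion(SAMPLE_ASSERTION)
    if AWS_SAML_AUDIENCE not in audiences:
        raise SystemExit("assertion was not issued for AWS sign-in")
    print("session:", session, "role:", choose_role(roles, {"123456789012"}))
```

The same parsing is what a CLI helper does before calling `assume_role_with_saml`; the console login path is the browser POSTing the SAMLResponse to the sign-in endpoint, with AWS doing the role selection from the same attribute.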

Page 20:

Page 21:

Network Access

Page 22:

Networking

● Public Internet
● VPN / IPSec Tunnel
● Direct Connect

Page 23:

Page 24:

Direct Connect Options

● Private Virtual Interface – Access to VPC
  ○ Note: does not reach VPC Endpoints, and is not transitive across VPC Peering
● Public Virtual Interface – Access to non-VPC Services

Page 25:

SSL VPN Options

● OpenVPN
● Fortinet FortiGate
● Sophos
● pfSense
● … Others

Page 26:

Don't assume your corporate network is secure, and don't expose your production networks to all corporate users.

Page 27:

Smart Separation

Page 28:

Inbound VPC

Application VPC

Outbound VPC

Page 29:

● Create a controlled environment that minimizes human mistakes

● Inspect inbound and outbound traffic
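One concrete form of "inspect inbound and outbound traffic" against the Inbound / Application / Outbound VPC split, written as an added example (not code from the talk): VPC Flow Log records are checked for accepted flows that bypass the design, i.e. something reaching the application tier without coming through the inbound VPC, an admin port reached from anywhere but the jumpbox subnet, or the application tier talking to the Internet directly instead of through the outbound VPC. The CIDRs, the jumpbox subnet, the proxy address and the log lines are all constructed for the example; the record layout is the default version-2 flow log format.

```python
import ipaddress

# Address plan for the three-VPC layout (constructed for the example).
INBOUND_VPC = ipaddress.ip_network("10.10.0.0/16")     # ELB / WAF / reverse proxies
APP_VPC = ipaddress.ip_network("10.20.0.0/16")         # application and data tiers
OUTBOUND_VPC = ipaddress.ip_network("10.30.0.0/16")    # egress proxies and NAT
JUMPBOX_SUBNET = ipaddress.ip_network("10.10.250.0/24")  # inside the inbound VPC
CORP_VPN = ipaddress.ip_network("192.168.0.0/16")      # corporate users over VPN
ADMIN_PORTS = {22, 3389}

# Default (version 2) flow log record layout.
FIELDS = ("version account interface src dst srcport dstport protocol "
          "packets bytes start end action status").split()

# Constructed sample: one ENI in the application VPC, both directions logged.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.10.1.15 10.20.3.7 51234 443 6 12 3456 1450000000 1450000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.20.3.7 40000 443 6 5 800 1450000000 1450000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.1.15 10.20.3.7 51235 22 6 9 1200 1450000000 1450000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.250.4 10.20.3.7 51236 22 6 9 1200 1450000000 1450000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.3.7 93.184.216.34 44321 443 6 7 900 1450000000 1450000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.3.7 10.30.0.10 44322 3128 6 7 900 1450000000 1450000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.20.3.7 40001 22 6 1 60 1450000000 1450000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1450000000 1450000060 - NODATA
"""


def parse_flow(line: str):
    """Parse one v2 flow record; returns None for NODATA / SKIPDATA rows."""
    fields = line.split()
    if len(fields) != len(FIELDS) or fields[0] != "2":
        raise ValueError(f"not a v2 flow record: {line!r}")
    rec = dict(zip(FIELDS, fields))
    if rec["status"] != "OK":            # no addresses to reason about
        return None
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dstport"] = int(rec["dstport"])
    return rec


def check_flow(rec):
    """Return a finding for an accepted flow that violates the separation, else None."""
    if rec is None or rec["action"] != "ACCEPT":
        return None                      # a REJECT is the design doing its job
    src, dst, port = rec["src"], rec["dst"], rec["dstport"]
    if dst in APP_VPC:
        if port in ADMIN_PORTS and src not in JUMPBOX_SUBNET:
            return f"admin port {port} on {dst} reached from {src}, not the jumpbox"
        if src not in APP_VPC and src not in INBOUND_VPC and src not in CORP_VPN:
            return f"app tier {dst}:{port} reached directly from {src}, bypassing the inbound VPC"
    if src in APP_VPC and dst.is_global:
        return f"egress from {src} straight to {dst}:{port}, bypassing the outbound VPC"
    return None


def audit(log_text: str) -> list:
    """Run every record through the checks and collect the findings."""
    return [f for f in (check_flow(parse_flow(line))
                        for line in log_text.splitlines() if line.strip()) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Because flow logs are per-ENI and record both directions, the same rules can be fed from the inbound and outbound VPCs' interfaces as well; the rejected line and the NODATA line show the two kinds of record that must be ignored rather than alerted on.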

Page 30:

Data Encryption

Page 31:

AWS Encryption Options

Data at Rest

● EBS Encryption (inc. root device)
● S3 Client / Server Side Encryption
● RDS / Redshift Storage Encryption
● DynamoDB Client Side Encryption

https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf

Data in Transit

● APIs are TLS encrypted
● Service Endpoints are TLS encrypted
● Elastic Load Balancer supports TLS
● CloudFront supports TLS
● IPSec VPN

Page 32:

Encrypt all your data: you never know who will request access to it, or when.
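"Encrypt all your data" is only a policy until something enforces it. For the S3 server-side encryption option listed above, the enforcement point is a bucket policy that denies any `PutObject` not asking for SSE-KMS. The block below is an added example (not from the talk): it holds that policy and a deliberately small model of how S3 evaluates the two condition operators it uses (`Null` and `StringNotEquals`), so the deny behaviour can be checked offline for a request with no encryption header, the wrong algorithm, and the right one. The bucket name and requests are constructed; the evaluator covers only these operators and Deny statements, not the full IAM evaluation logic.

```python
import fnmatch
import json

BUCKET = "corp-hybrid-data"   # assumption

# Two Deny statements: one for a request with no SSE header at all, one for a
# header naming anything but KMS. Keeping the absent-header case in its own
# Null statement makes the intent explicit instead of relying on how a
# negated operator treats a missing key.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyNonKmsPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}

# The request header S3 exposes as a policy condition key.
HEADER_TO_KEY = {"x-amz-server-side-encryption": "s3:x-amz-server-side-encryption"}


def _aslist(v):
    return v if isinstance(v, list) else [v]


def request_context(headers: dict) -> dict:
    """Map the request's HTTP headers onto the condition keys the policy tests."""
    return {key: headers[h] for h, key in HEADER_TO_KEY.items() if h in headers}


def condition_matches(operator: str, key: str, expected: str, ctx: dict) -> bool:
    """Simplified semantics of the operators this policy uses."""
    present = key in ctx
    if operator == "Null":                       # "true" means "the key is absent"
        return present == (expected == "false")
    if operator == "StringEquals":
        return present and ctx[key] == expected
    if operator == "StringNotEquals":            # absent key is handled by the Null statement
        return present and ctx[key] != expected
    raise NotImplementedError(operator)


def put_object_denied(policy: dict, bucket: str, key: str, headers: dict):
    """Return the Sid of the first Deny statement that applies to this PutObject, else None."""
    ctx = request_context(headers)
    resource = f"arn:aws:s3:::{bucket}/{key}"
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or "s3:PutObject" not in _aslist(st["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _aslist(st["Resource"])):
            continue
        conds = st.get("Condition", {})
        if all(condition_matches(op, k, v, ctx)
               for op, kv in conds.items() for k, v in kv.items()):
            return st["Sid"]
    return None


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs, "->", put_object_denied(BUCKET_POLICY, BUCKET, "reports/q1.csv", hdrs))
```

Clients then have to ask for KMS on every upload (for the AWS CLI that is `aws s3 cp ... --sse aws:kms`); a client that forgets gets a 403 from the policy rather than silently writing plaintext, which is exactly the failure mode the slide is warning about.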

Page 33:

Centrally Monitor and Audit

Page 34:

Event Sources

● CloudTrail
● ELB / S3 / CloudFront Access Logs
● VPC Flow Logs
● Amazon Inspector
● Host AV & IPS
● Network WAF & IPS
● Evident.io / Dome9
● Observable

Page 35:

Page 36:

Page 37:

Page 38:

Page 39:

● Create Clear Visibility
● Set Governance Rules
● Define Actions
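The three bullets above, and the CloudTrail entry in the event sources list, turned into code as an added example (not from the talk): governance rules drawn from the deck's own principles (no IAM users, no root usage, MFA on direct console logins, no admin ports open to the world) are run over constructed CloudTrail records in the `{"Records": [...]}` shape the service delivers, and each finding is tagged with a severity and the action it maps to. Account ID, ARNs, IPs and security group ID are made up. One caveat the example builds in: a SAML-federated console login appears in CloudTrail as an `AssumedRole` session with `MFAUsed` "No", because the OTP was checked at the identity provider, so the MFA rule is scoped to IAM users and root and must not fire on federated sessions.

```python
import json

ADMIN_PORTS = {22, 3389}

# Constructed CloudTrail records (shape as delivered by the service).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.7", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",   # federated: MFA at the IdP
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CorpAdmins/alice@corp.example"},
     "sourceIPAddress": "192.168.4.2", "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CorpAdmins/alice@corp.example"},
     "sourceIPAddress": "192.168.4.2", "requestParameters": {"userName": "deploy-bot"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.30",
     "requestParameters": {"groupId": "sg-0abc1234", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]})


def _get(d, *path, default=None):
    """Walk nested dicts without KeyErrors; CloudTrail fields are optional."""
    for p in path:
        if not isinstance(d, dict) or p not in d:
            return default
        d = d[p]
    return d


def console_login_without_mfa(ev):
    if ev.get("eventName") != "ConsoleLogin" or \
            _get(ev, "userIdentity", "type") not in {"IAMUser", "Root"}:
        return None
    if _get(ev, "responseElements", "ConsoleLogin") == "Success" and \
            _get(ev, "additionalEventData", "MFAUsed") != "Yes":
        return "console login without MFA"
    return None


def root_activity(ev):
    if _get(ev, "userIdentity", "type") == "Root":
        return f"root account used for {ev.get('eventName')}"
    return None


def iam_user_lifecycle(ev):
    if ev.get("eventName") in {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}:
        who = _get(ev, "requestParameters", "userName", default="?")
        return f"{ev['eventName']} for {who}: federation should make IAM users unnecessary"
    return None


def world_open_admin_port(ev):
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    for perm in _get(ev, "requestParameters", "ipPermissions", "items", default=[]):
        ranges = _get(perm, "ipRanges", "items", default=[]) + _get(perm, "ipv6Ranges", "items", default=[])
        if not any((r.get("cidrIp") or r.get("cidrIpv6")) in ("0.0.0.0/0", "::/0") for r in ranges):
            continue
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if perm.get("ipProtocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
            return f"{_get(ev, 'requestParameters', 'groupId')} opened {lo}-{hi} to the world"
    return None


# Governance rules with their severity, and the action each severity triggers.
RULES = [(console_login_without_mfa, "HIGH"), (root_activity, "HIGH"),
         (world_open_admin_port, "HIGH"), (iam_user_lifecycle, "MEDIUM")]
ACTIONS = {"HIGH": "page on-call", "MEDIUM": "open ticket"}


def evaluate_trail(trail_json: str) -> list:
    """Apply every rule to every record; one finding per (record, rule) hit."""
    findings = []
    for ev in json.loads(trail_json)["Records"]:
        for rule, severity in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"rule": rule.__name__, "severity": severity,
                                 "action": ACTIONS[severity],
                                 "actor": _get(ev, "userIdentity", "arn"),
                                 "source_ip": ev.get("sourceIPAddress"), "detail": detail})
    return findings


if __name__ == "__main__":
    for f in evaluate_trail(SAMPLE_TRAIL):
        print(f"[{f['severity']}] {f['rule']}: {f['detail']} ({f['actor']} from {f['source_ip']}) -> {f['action']}")
```

In practice the records arrive from the S3 bucket CloudTrail delivers to (or from a CloudWatch Logs subscription) rather than from an inline string, and the action map points at a real pager or ticketing integration; the rule bodies are the part that encodes the governance decisions.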

Page 40:

Join our Fastlane to a Successful Cloud Deployment

Thank you, [email protected]