How to Secure your Hybrid Environment - Pop-up Loft Tel Aviv
How to Secure your Hybrid Environment
Lahav Savir, CEO & Architect, Emind Cloud Experts
A Global Expert in Cloud Enablement for Products, SaaS ISV, and Online Solutions
Top Level Partnership
A “Cloud-native” MSP
Market Guide for Managed Service Providers on Amazon Web Services (Lydia Leong, Oct. 2015)
“Amazon Web Services does not offer managed services, but many customers want to use AWS as a cloud IaaS and PaaS platform, while outsourcing IT operations or application management. AWS's ecosystem of MSP partners can fulfill this need.”
https://www.gartner.com/doc/3157620/market-guide-managed-service-providers
“Common Types of MSPs (on AWS) with Example References
● Cloud-native MSPs. These MSPs were either founded specifically to provide services on cloud IaaS, or pivoted to entirely focus their business on these services. Many of these MSPs are AWS-specific. Examples include 2nd Watch, Cloudnexa, Cloudreach, Emind and Minjar”
The future is all about cloud computing. A report shows how, by 2018, over 78% of workloads will be managed by cloud data centers, against the remaining 22% processed by traditional data centers.
A recent Gartner report predicts that 2016 looks to be a defining year for cloud, as private cloud begins to yield to hybrid cloud, with no less than 50% of large enterprises deploying hybrid cloud by 2017.
Where there is more data, there are bound to be more data breaches!
Security in the Cloud
Security of the Cloud
Assessing the Risk: Yes, the Cloud Can Be More Secure Than Your On-Premises Environment
IDC, July 2015
Why is the Cloud more Secure?
● More segmentation (separation)
● More encryption
● Stronger authentication
● More logging and monitoring
Top Topics
● Infrastructure Security
● Network Security
● Application Security
● Data Encryption
● Identity Management
● Monitoring & Auditing
Identity Federation
Why do you need a Single Identity?
● Multiple AWS Accounts
● Multiple Security Policies
● Multiple Entry Points
● Many Resources
● Multiple 3rd Party Services
Single Identity Provider
● Single Password Policy
● Single Lock Policy
● Single OTP
● Single Login Audit
● Same username used across all resources
Organization users accessing:
AWS Resources
● AWS Console
● Network Access / VPN
● EC2 Instances
Other Resources
● New Relic
● Datadog
● Pingdom
● Google Apps
● Office 365
● Jira
● Github
● Logz.io
● ...
● Don't mix Corporate and Cloud Resources
● Minimize Replication
● Maximize Federation
Corporate
● Corporate Active Directory
● Mix of users and desktops / servers
● 3rd Party SSO / Federation Services
Cloud
● Cloud Active Directory
● Cloud Resources Only
Integration
● One Way Trust between Corp AD and Cloud AD
Login Scenarios
● AWS Console
○ SAML Federation
● VPN
○ Radius
● Jumpbox on EC2
○ Radius / LDAP
● Windows instance on EC2
○ Kerberos / LDAP
● Linux instance on EC2
○ Kerberos / LDAP
No need for IAM Users
Network Access
Networking
● Public Internet
● VPN / IPSec Tunnel
● DirectConnect
Direct Connect Options
● Private Virtual Interface – Access to VPC
○ Note: Not VPC Endpoints or transitive via VPC Peering
● Public Virtual Interface – Access to non-VPC Services
SSL VPN Options
● OpenVPN
● Fortinet Fortigate
● Sophos
● pfSense
● … Others
Don’t assume your corporate network is secure and expose your production networks to all users
Smart Separation
Inbound VPC
Application VPC
Outbound VPC
● Create a controlled environment that minimizes human mistakes
● Inspect inbound and outbound traffic
Data Encryption
AWS Encryption Options
Data at Rest
● EBS Encryption (inc. root device)
● S3 Client / Server Side Encryption
● RDS / Redshift Storage Encryption
● DynamoDB Client Side Encryption
https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf
Data in Transit
● APIs are TLS Encrypted
● Service Endpoints are TLS Encrypted
● Elastic Load Balancer supports TLS
● CloudFront supports TLS
● IPSec VPN
Encrypt all your data; you never know who will request access to the data, or when
Centrally Monitor and Audit
Event Sources
● CloudTrail
● ELB / S3 / CloudFront Access Logs
● VPC Flow logs
● AWS Inspector
● Host AV & IPS
● Network WAF & IPS
● Evident.io / Dome9
● Observable
● Create Clear Visibility
● Set Governance Rules
● Define Actions
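One concrete governance rule that ties the identity section ("No need for IAM Users", everyone comes in through SAML federation) to the monitoring section is to audit CloudTrail ConsoleLogin events for logins that bypass the federated IdP. The script below is an added example, not code from the talk or from Emind; it assumes the standard CloudTrail log-file layout ({"Records": [...]}), and the sample records, account id and ARNs are constructed placeholders.

```python
import json

# Constructed CloudTrail ConsoleLogin records (account id and ARNs are placeholders).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventTime": "2016-03-01T08:00:00Z",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CorpAdmins/alice"},
     "additionalEventData": {"MFAUsed": "No",
                             "SamlProviderArn": "arn:aws:iam::123456789012:saml-provider/CorpAD"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2016-03-01T08:05:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "legacy-ops"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2016-03-01T08:10:00Z",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "DescribeInstances", "eventTime": "2016-03-01T08:11:00Z",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Ops/bob"}},
]})


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of events."""
    return json.loads(text).get("Records", [])


def audit_console_logins(events):
    """Return (eventTime, principal, reason) findings for ConsoleLogin events that break
    the rule 'humans log in via the federated IdP': no IAM users, no root, MFA enforced."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        ident = ev.get("userIdentity", {})
        extra = ev.get("additionalEventData", {})
        principal = ident.get("userName") or ident.get("arn") or ident.get("type")
        reasons = []
        if ident.get("type") == "Root":
            reasons.append("root-login")
        elif ident.get("type") == "IAMUser":
            reasons.append("iam-user-login")  # should not exist in a federated setup
        # Federated logins report MFAUsed "No" because the IdP did the MFA; only
        # non-federated logins are expected to carry AWS-side MFA.
        if "SamlProviderArn" not in extra and extra.get("MFAUsed") != "Yes":
            reasons.append("no-mfa")
        if ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            reasons.append("login-failure")
        findings.extend((ev.get("eventTime"), principal, r) for r in reasons)
    return findings
```

Run `audit_console_logins(load_records(SAMPLE_LOG))` to get the findings; on the sample data the SAML-federated login passes clean while the IAM user and the failed root login are flagged.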
Join our Fastlane to a Successful Cloud Deployment
Thank you, [email protected]