Shared Security Responsibility Model of AWS
Transcript of Shared Security Responsibility Model of AWS
AWS Shared Responsibility Model for Security
Akshay Mathur
@akshaymathu of @appcito
Let’s Know Each Other
• Do you work with AWS?
• Do you manage applications?
• What are your goals while managing applications?
  • Happy Users, Happy You (DevOps), Happy Servers
2@akshaymathu
Akshay Mathur
• 16+ years in the IT industry
• Currently Product Manager at Appcito
• Mostly worked with startups
  • From conceptualization to stabilization
  • In different functions, i.e. development, testing, release, marketing, DevOps
  • With multiple technologies
• Founding team member of
  • ShopSocially (enabling “social” for retailers)
  • AirTight Networks (global leader in WIPS)
Ground Rules
• Tweet now: #AWS @akshaymathu @appcito @AWSStartups
• Disturb everyone later
  • Not by phone rings
  • Not by local talks
  • By more information
When an Application is Secure
• Controlled access to the application
  • Legitimate users are able to use the application
  • Illegitimate users are not able to use the application
• No disruption of the service
  • Resilient infrastructure
  • Prevention of attacks
• Secure data
  • Secure communication
  • Secure storage
Cloud Computing Landscape
Shared Responsibility of Security in Cloud
• Security of the cloud: Don’t worry! AWS is there
• Security in the cloud: We need to take care of this
• Not to worry! AWS is providing tools
Shared Responsibility of Security in Cloud
• Don’t worry! AWS is there
• Understand the worries and manage them with the help of partners
• Not to worry! AWS is providing tools
Don’t Worry!
AWS is There
Security ‘of’ Cloud
Don’t worry! AWS is there
AWS Global Infrastructure
What AWS takes care of
• AWS manages the security of the following assets:
  • Global facilities (regions, availability zones, edge locations)
  • Access to data centres
  • Physical security of hardware (compute and storage)
  • Network infrastructure
  • Attacks at layer 2 (the hypervisor isolates tenants, so one instance cannot sniff or spoof another’s traffic)
  • Virtualization infrastructure
AWS Certifications
Not to Worry!
AWS is Providing Tools
Security ‘in’ Cloud with AWS Help
Use the tools provided by AWS to take care of this
What AWS provides
• Tools
  • IP firewall (security groups)
  • Subnet management (Virtual Private Cloud)
  • Access control for virtual resources (Identity and Access Management)
  • Elastic infrastructure (Auto Scaling groups)
• Resources
  • Extensive published best practices
  • AWS Partner Network
VPC
Security Groups
• Security groups act as a stateful IP firewall around each instance (strictly, around its network interface)
• Filter at every level: network ACLs on subnets, security groups on instances, and a VPC layout that keeps each tier in its own subnet
• Create both inbound and outbound rules (a new security group allows all outbound traffic by default; restrict it)
• Open only the ports that are actually in use and close everything else
• Use a bastion host for managing infrastructure: allow SSH only from the bastion’s security group, never from 0.0.0.0/0
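The checks above (world-open ports, admin ports not restricted to a bastion, default allow-all egress) are easy to run across an account from `describe-security-groups` output. The script below is an added example, not code from the talk or from AWS; it consumes the `SecurityGroups` list in the shape the AWS CLI returns, and the two groups it ships with are constructed (sg-web, sg-legacy, sg-bastion and sg-db are hypothetical IDs).

```python
"""Audit security groups for world-open ports, admin ports reachable from
CIDRs instead of the bastion's security group, and default allow-all egress.

Added example, not from the talk or from AWS. Input is the SecurityGroups
list returned by `aws ec2 describe-security-groups --output json`.
"""

ALLOWED_PUBLIC_PORTS = {80, 443}   # what a public web/ELB tier legitimately exposes
ADMIN_PORTS = {22, 3389}           # SSH / RDP: reachable from the bastion only
WORLD = {"0.0.0.0/0", "::/0"}


def _ports(perm):
    """Ports covered by one IpPermission. Protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return set(range(0, 65536))
    return set(range(perm.get("FromPort", 0), perm.get("ToPort", 65535) + 1))


def _world_open(perm):
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def audit_security_groups(groups):
    """Return (group_id, port, finding) tuples; port -1 marks an egress finding."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            ports = _ports(perm)
            admin = ports & ADMIN_PORTS
            if _world_open(perm):
                for p in sorted(admin):
                    findings.append((gid, p, "admin port open to the world; allow it from the bastion SG only"))
                bad = ports - ALLOWED_PUBLIC_PORTS - ADMIN_PORTS
                if bad:
                    findings.append((gid, min(bad), f"{len(bad)} non-web port(s) open to 0.0.0.0/0"))
            elif admin and not perm.get("UserIdGroupPairs"):
                # reachable from a CIDR rather than from the bastion's security group
                findings.append((gid, min(admin), "admin port allowed from a CIDR; use source = bastion SG"))
        for perm in g.get("IpPermissionsEgress", []):
            if perm.get("IpProtocol") == "-1" and _world_open(perm):
                findings.append((gid, -1, "egress allows everything to 0.0.0.0/0 (AWS default); write explicit outbound rules"))
    return findings


SAMPLE_GROUPS = [  # constructed sample, not real describe-security-groups output
    {"GroupId": "sg-web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-db"}]}]},
    {"GroupId": "sg-legacy",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, port, msg in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}\tport {port}\t{msg}")
```

sg-web passes: 443 is the only world-open port, SSH is sourced from the bastion group, and egress is pinned to the database group. sg-legacy produces four findings, which is what an "allow all from anywhere" group looks like once the default egress rule is counted too. Pipe real output in with `aws ec2 describe-security-groups --query SecurityGroups --output json` and `json.load`.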
IAM
Top 10 AWS Security Best Practices
• Delete the root account’s API access key and secret key (use IAM users and roles instead)
• Enable MFA tokens everywhere
• Reduce the number of IAM users with admin rights
• Use IAM roles for EC2 instances instead of keys on disk
• Least privilege: limit what IAM entities can do with strong, explicit policies
• Rotate all keys regularly
• Use AWS Key Management Service (KMS), or CloudHSM when keys must stay in dedicated hardware
• Use IAM roles with STS AssumeRole where possible
• Use Auto Scaling to dampen DDoS effects (it absorbs load; it does not stop the attack)
• Do not allow 0.0.0.0/0 in any EC2/ELB security group unless you mean it
• Watch for world-readable or world-listable S3 bucket policies
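Two of the items above, "least privilege" and "watch world-readable S3 bucket policies", can be checked mechanically against policy documents pulled with `aws iam get-policy-version` or `aws s3api get-bucket-policy`. The linter below is an added example, not code from the talk or from AWS. The three policies it carries are constructed: an admin-everything grant, the least-privilege version of the same need, and a bucket policy that makes a bucket public; `app-uploads` is a hypothetical bucket name.

```python
"""Lint IAM identity policies for wildcard admin grants and S3 bucket
policies for anonymous read access.

Added example, not from the talk or from AWS. Policies are plain dicts
in IAM JSON form; the samples are constructed.
"""


def _listify(x):
    return x if isinstance(x, list) else [x]


def _statements(policy):
    return _listify(policy.get("Statement", []))


def find_admin_grants(policy):
    """Indexes of Allow statements that grant every action on every resource."""
    hits = []
    for i, st in enumerate(_statements(policy)):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _listify(st.get("Action", []))}
        resources = set(_listify(st.get("Resource", [])))
        if "*" in actions and "*" in resources:
            hits.append(i)
    return hits


def find_wildcard_actions(policy):
    """(index, action) for service-wide wildcards such as s3:* or iam:*, or bare *."""
    hits = []
    for i, st in enumerate(_statements(policy)):
        if st.get("Effect") != "Allow":
            continue
        for a in _listify(st.get("Action", [])):
            if a == "*" or a.endswith(":*"):
                hits.append((i, a))
    return hits


def is_principal_public(principal):
    """Bucket-policy Principal forms that mean 'anyone, including anonymous'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _listify(principal.get("AWS", []))
    return False


def find_public_read(bucket_policy):
    """Indexes of statements that let anonymous callers read or list objects.
    A Condition on such a statement still needs manual review; it is reported."""
    read_actions = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
    hits = []
    for i, st in enumerate(_statements(bucket_policy)):
        if st.get("Effect") != "Allow" or not is_principal_public(st.get("Principal")):
            continue
        actions = {a.lower() for a in _listify(st.get("Action", []))}
        if actions & read_actions:
            hits.append(i)
    return hits


# Constructed samples
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::app-uploads"}]}

PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-uploads", "arn:aws:s3:::app-uploads/*"]}]}

if __name__ == "__main__":
    print("admin grants in ADMIN_POLICY:", find_admin_grants(ADMIN_POLICY))
    print("wildcards in LEAST_PRIVILEGE_POLICY:", find_wildcard_actions(LEAST_PRIVILEGE_POLICY))
    print("public read in PUBLIC_BUCKET_POLICY:", find_public_read(PUBLIC_BUCKET_POLICY))
```

The least-privilege policy names the exact actions and the exact bucket ARN (note that `s3:ListBucket` applies to the bucket ARN, the object actions to `bucket/*`), which is the shape the "strong/explicit policies" bullet is asking for. NotAction and NotResource are not handled here; a statement using them deserves a manual read anyway.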
Think before you Do
• Do not share access keys and secret keys with anyone
• Check whether access credentials are part of the code you are sharing
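The second point is worth automating as a pre-commit hook, because a key pushed to a public repository is harvested within minutes. The scanner below is an added example, not code from the talk or from AWS. It relies on two stable facts: AWS access key IDs are 20 characters starting with `AKIA` (long-term) or `ASIA` (temporary STS), and secret keys are 40 characters of base64-like text, which is too noisy to match alone, so they are only reported next to a `secret_access_key`-style assignment. The settings file it scans is constructed, and the key pair in it is the placeholder pair AWS uses in its own documentation.

```python
"""Scan source text for AWS credentials before it is committed or shared.

Added example, not from the talk or from AWS. SAMPLE_SETTINGS is a
constructed file; its key values are AWS's documented placeholder pair.
"""

import re
import sys

ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key|aws_secret)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def scan_text(text, name="<input>"):
    """Return (name, line_no, kind, value) for every credential-looking token."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((name, n, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((name, n, "secret_access_key", m.group(1)))
    return hits


def scan_files(paths):
    hits = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as f:
            hits.extend(scan_text(f.read(), p))
    return hits


SAMPLE_SETTINGS = """\
# constructed sample of a settings file someone is about to commit
AWS_REGION = "us-east-1"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# the fix: drop both lines and let the SDK pick up an instance role
s3 = boto3.client("s3")
"""

if __name__ == "__main__":
    # Usage as a hook: python scan_keys.py $(git diff --cached --name-only)
    found = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_SETTINGS, "settings.py")
    for name, line_no, kind, value in found:
        print(f"{name}:{line_no}: {kind}: {value[:4]}...")
    sys.exit(1 if found else 0)
```

The hook exits non-zero when anything is found, which is what blocks the commit. The right replacement for a key in code is no key at all: on EC2 the SDK reads temporary credentials from the instance role, which is the "Use Roles for EC2" item from the previous slide.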
AWS Shared Responsibility Model
Understand & Offload the Worries!
AWS has Great Partners
Shared Responsibility of Security in Cloud
Understand the worries and manage them with the help of partners
Our Responsibility in AWS
• Customers are responsible for the security of the following assets:
• Software
  • Operating systems
  • Applications (servers, frameworks, tools)
• Data and access
  • Data (in transit as well as at rest)
  • Credentials
  • Policies and configuration
• Application-layer attacks
  • OWASP Top 10 (XSS, SQL injection, etc.)
  • DoS and DDoS
  • Malware
  • Bots and botnets
Securing Software
• Start with a known-good base AMI
  • Pick LTS OS versions
  • Select a reliable provider
• Pay attention to the software you install
  • Web/app servers
  • Runtime environments
  • Libraries
  • Avoid installing development environments on production images
• Apply patches regularly
• Write good code
  • Do not introduce vulnerabilities
  • Scan and fix regularly
Securing Data and Policies
• Data in transit
  • Use TLS (SSL) for all communication
    • Over the internet
    • Within the AWS network
• Implement access policies
  • For users
  • For applications
  • For resources
• Data at rest
  • Store encrypted data everywhere
    • S3
    • EBS
Avoiding BOT Traffic
• Traffic from bad bots is about 30%
• That amounts to 30% of server resources wasted
• Various fingerprinting techniques exist for identifying bots:
  • IP reputation
  • User-Agent analysis
  • Pattern analysis
  • JavaScript insertion
  • Advanced algorithms
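The first three signals on that list (IP reputation, User-Agent analysis, request-pattern analysis) can be scored straight from web-server access logs, which is a reasonable first filter before paying for a bot-mitigation service. The scorer below is an added example, not code from the talk or from Appcito. The log lines, the reputation list and the scoring weights are all constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```python
"""Score clients in combined-format access logs for bot-likeness using
IP reputation, User-Agent analysis and request-pattern analysis.

Added example, not from the talk or from Appcito. SAMPLE_LOG,
BAD_REPUTATION and the weights are constructed.
"""

import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

BAD_REPUTATION = {"203.0.113.7"}   # constructed blocklist (would be a threat feed in practice)
TOOL_UA = re.compile(r"python-requests|curl/|wget/|scrapy|go-http-client|java/", re.I)
STATIC_RE = re.compile(r"\.(css|js|png|jpg|gif|ico|woff2?)(\?|$)", re.I)


def parse(lines):
    """Parse combined-log lines; unparseable lines are skipped."""
    recs = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            recs.append(m.groupdict())
    return recs


def score_clients(recs):
    """Return {ip: (score, reasons)}; higher means more bot-like."""
    by_ip = defaultdict(list)
    for r in recs:
        by_ip[r["ip"]].append(r)
    out = {}
    for ip, rs in by_ip.items():
        score, reasons = 0, []
        if ip in BAD_REPUTATION:                       # IP reputation
            score += 50
            reasons.append("ip reputation")
        uas = {r["ua"] for r in rs}                    # User-Agent analysis
        if "" in uas or "-" in uas:
            score += 30
            reasons.append("empty user-agent")
        if any(TOOL_UA.search(u) for u in uas):
            score += 20
            reasons.append("tool user-agent")
        if len(uas) > 2:
            score += 20
            reasons.append("rotating user-agents")
        paths = [r["path"] for r in rs]                # pattern analysis
        if len(rs) >= 5 and not any(STATIC_RE.search(p) for p in paths):
            score += 20
            reasons.append("pages fetched without any static assets")
        errors = sum(1 for r in rs if r["status"].startswith("4"))
        if errors and errors / len(rs) >= 0.5:
            score += 20
            reasons.append("high 4xx ratio")
        out[ip] = (score, reasons)
    return out


def classify(recs, threshold=50):
    return {ip: ("bot" if s >= threshold else "human") for ip, (s, _) in score_clients(recs).items()}


SAMPLE_LOG = [  # constructed: a browser, a scraper, and a credential-stuffing client
    '198.51.100.10 - - [10/Oct/2015:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/45.0"',
    '198.51.100.10 - - [10/Oct/2015:13:55:36 +0000] "GET /static/app.css HTTP/1.1" 200 4321 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1) Chrome/45.0"',
    '198.51.100.10 - - [10/Oct/2015:13:55:37 +0000] "GET /static/app.js HTTP/1.1" 200 9876 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1) Chrome/45.0"',
    '203.0.113.7 - - [10/Oct/2015:13:55:40 +0000] "GET /products?page=1 HTTP/1.1" 200 7000 "-" "python-requests/2.7.0"',
    '203.0.113.7 - - [10/Oct/2015:13:55:40 +0000] "GET /products?page=2 HTTP/1.1" 200 7000 "-" "python-requests/2.7.0"',
    '203.0.113.7 - - [10/Oct/2015:13:55:41 +0000] "GET /products?page=3 HTTP/1.1" 200 7000 "-" "python-requests/2.7.0"',
    '203.0.113.7 - - [10/Oct/2015:13:55:41 +0000] "GET /products?page=4 HTTP/1.1" 200 7000 "-" "python-requests/2.7.0"',
    '203.0.113.7 - - [10/Oct/2015:13:55:42 +0000] "GET /products?page=5 HTTP/1.1" 200 7000 "-" "python-requests/2.7.0"',
    '192.0.2.55 - - [10/Oct/2015:13:56:01 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.55 - - [10/Oct/2015:13:56:01 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.55 - - [10/Oct/2015:13:56:02 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.55 - - [10/Oct/2015:13:56:02 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.55 - - [10/Oct/2015:13:56:03 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, (score, reasons) in score_clients(parse(SAMPLE_LOG)).items():
        print(ip, score, reasons)
```

Each signal alone is weak (a developer with curl is not a bot, a misconfigured proxy blanks User-Agents), which is why the score adds them up and why the slide's "advanced algorithms" and JavaScript challenges sit above this layer. The output of `classify` is what you would feed into a rate limiter or blocklist, never directly into a hard block.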
Preventing Data Theft
• Typical ways are:
  • SQL/object injection
  • Cross-Site Scripting (XSS)
  • File include
  • Malware inclusion
  • Exploiting vulnerabilities in the code, framework, language, or platform
• Scan the deployment regularly
• Fix any vulnerability by applying patches
• Use an elastic Web Application Firewall (WAF)
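A WAF is the safety net; the first two vectors on that list are fixed in the code itself, and the fix is small. Below, as an added example that is not from the talk, the same two operations are written the vulnerable way and the correct way, against an in-memory SQLite table constructed for the example. The injection string is the classic tautology and the XSS string a harmless `alert`; they are here so the difference in behaviour is visible, not as exploit recipes.

```python
"""SQL injection and XSS: the vulnerable form beside the hardened form.

Added example, not from the talk. The users table is constructed in memory.
"""

import html
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)",
                     [("alice@example.com", "admin"), ("bob@example.com", "user")])
    return conn


def find_user_vulnerable(conn, email):
    # BAD: attacker-controlled text is spliced into the statement, so it can
    # change the statement's shape (the WHERE clause below becomes always-true).
    sql = "SELECT email, role FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    # GOOD: the value travels as a bound parameter; the database never parses it as SQL.
    return conn.execute("SELECT email, role FROM users WHERE email = ?", (email,)).fetchall()


def render_greeting_vulnerable(name):
    # BAD: raw user input lands inside HTML, so a <script> tag runs in every viewer's browser.
    return "<p>Hello, %s</p>" % name


def render_greeting_safe(name):
    # GOOD: escape at the point of output; the browser shows the tag as text.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable lookup with payload:", find_user_vulnerable(conn, SQLI_PAYLOAD))
    print("safe lookup with payload:      ", find_user_safe(conn, SQLI_PAYLOAD))
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_safe(XSS_PAYLOAD))
```

With the payload, the vulnerable query returns every row (the whole user table, which is exactly the data theft the slide describes), while the parameterised query returns nothing because no e-mail equals that literal string. The same rule generalises: never build a query, a shell command or an HTML page by concatenating untrusted text; pass it through the channel that keeps data and code apart (parameters, argument arrays, an escaping template engine).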
Preventing DDoS Attacks
• Volumetric attacks
  • Many clients make connections to the server
  • Clients send huge traffic to the server
  • Traffic is typically bogus
  • Prevention
    • Rapidly increase scale to absorb connections/traffic
    • Rate limit connections/requests
    • Delay/deny bogus traffic
    • Blacklist bad clients
• Protocol exploits
  • Attacker crafts traffic knowing the timeouts and limits of the protocol
  • Slow-moving bogus traffic hogs server resources
  • Prevention
    • Set up a policy to apply aggressive limits and timeouts under heavy load
    • Terminate connections when unusual behavior is observed
    • Blacklist bad clients
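The two prevention lists above share a structure: a per-client limit, a limit that tightens under load, and a strike count that ends in a blacklist. The class below is an added example, not code from the talk or from Appcito, showing that policy for both attack shapes: a sliding-window request limit for floods and a header timeout for slow-connection (slowloris-style) exploits. All timings, thresholds and client addresses are constructed; in production this logic belongs in the proxy or load balancer in front of the application, not in the application.

```python
"""Connection policy for volumetric floods and slow protocol exploits:
per-client rate limit and header timeout, both tightened under heavy load,
with repeat offenders blacklisted.

Added example, not from the talk or from Appcito. Numbers are illustrative.
"""

from collections import defaultdict, deque


class ConnectionGuard:
    def __init__(self, window=1.0, normal_rps=20, heavy_rps=5,
                 normal_header_timeout=30.0, heavy_header_timeout=5.0,
                 heavy_load_connections=1000, strikes_to_ban=3):
        self.window = window                           # seconds of sliding window
        self.normal_rps, self.heavy_rps = normal_rps, heavy_rps
        self.normal_hto, self.heavy_hto = normal_header_timeout, heavy_header_timeout
        self.heavy_load = heavy_load_connections       # active connections that count as "heavy load"
        self.strikes_to_ban = strikes_to_ban
        self.active_connections = 0
        self.requests = defaultdict(deque)             # ip -> request timestamps inside the window
        self.strikes = defaultdict(int)
        self.banned = set()

    def under_heavy_load(self):
        return self.active_connections >= self.heavy_load

    def _strike(self, ip):
        self.strikes[ip] += 1
        if self.strikes[ip] >= self.strikes_to_ban:
            self.banned.add(ip)

    def admit_request(self, ip, now):
        """Volumetric control: sliding-window rate limit per client."""
        if ip in self.banned:
            return "banned"
        q = self.requests[ip]
        while q and now - q[0] > self.window:          # drop timestamps that left the window
            q.popleft()
        limit = self.heavy_rps if self.under_heavy_load() else self.normal_rps
        if len(q) >= limit:
            self._strike(ip)
            return "rate_limited"
        q.append(now)
        return "ok"

    def check_connection(self, ip, opened_at, header_complete, now):
        """Protocol-exploit control: terminate connections that trickle their headers."""
        if ip in self.banned:
            return "banned"
        timeout = self.heavy_hto if self.under_heavy_load() else self.normal_hto
        if not header_complete and now - opened_at > timeout:
            self._strike(ip)
            return "terminate"
        return "keep"


def simulate():
    """Constructed scenario: one flooding client, one slow client, one normal client."""
    g = ConnectionGuard(normal_rps=5, heavy_rps=2, heavy_load_connections=100, strikes_to_ban=5)
    results = {}
    # flood: 8 requests inside one second from the same address under normal load
    results["flood"] = [g.admit_request("203.0.113.9", 0.1 * i) for i in range(8)]
    # a second later the window has slid, but the client keeps hammering and crosses the ban threshold
    results["flood_later"] = [g.admit_request("203.0.113.9", 2.0 + 0.01 * i) for i in range(8)]
    # heavy load: header timeout drops from 30 s to 5 s
    g.active_connections = 100
    results["slow"] = g.check_connection("198.51.100.7", opened_at=0.0, header_complete=False, now=10.0)
    results["normal"] = g.check_connection("198.51.100.8", opened_at=8.0, header_complete=False, now=10.0)
    results["banned"] = sorted(g.banned)
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
```

The load-dependent limits are the point of the protocol-exploit bullet: a 30 s header timeout is fine when idle but is exactly what a slow-header attack leans on, so the guard shortens it as connections pile up. Keying everything on source IP is the simplest choice and the one a distributed attack defeats; the bot-scoring signals from the previous slide are what lets the same guard key on a client fingerprint instead.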
Application Compliance in AWS
Application Front-End Architecture
(Diagram: CDN; custom scripts, rules, alert management; aggregation across instances)
• Spaghetti of point solutions
• Multiple points of failure; redundancy is difficult to set up
• Not elastic and not cloud native
Application Front-End Architecture with CAFE
(Diagram: CDN in front of the Appcito Cloud Application Front-End (CAFE), covering Availability, Security, Performance and Continuous Deployment)
• All services for the application under one consolidated product
• Easy activation of capabilities closer to the application
• Application policy is coordinated across services and enforced
Cloud Application Front End (CAFE)
Taking Cloud Applications from Good to Great
Appcito CAFE Service
(Diagram: unified functionality covering Insights & Analytics, Content Optimization, Application Security & DDoS Prevention, Availability & Elasticity, and Continuous Delivery; available as SaaS delivery with simple activation and no code change; for Dev/Ops and the app owner; cloud-agnostic and elastic)
Typical Deployment
(Diagram: the customer’s end users reach, via DNS, a load balancer and app servers in a network subnet within an availability zone of the customer’s cloud)
Deployment with CAFE
(Diagram: the same customer cloud, DNS, load balancer and app servers, with a CAFE PEP deployed in the customer’s cloud; management, control and analytics are provided by CAFE Barista running in the Appcito cloud)
Purpose-Built Cloud Native Architecture
• Scalable architecture decouples the control plane (BARISTA) and the data plane (PEP)
• BARISTA provides centralized policy control, visibility and analytics
• PEP (Policy Execution Proxy) provides full proxy services for applications
  • Traffic management / load balancing
  • Application visibility & analytics
  • Application security
• System is DevOps friendly
  • API driven & programmable
  • Integrates with DevOps tools & processes
CAFE Configuration Model
• Think out of the box (literally)
• Think in terms of
  • Applications
  • Traffic flow
  • Request patterns
• Forget about
  • Box provisioning
  • Box configuration
  • Networking flow
  • L2/L3 access control
Application-Level Security
Web Application Firewall (WAF)
• Protects against common attack vectors
  • SQL injection
  • Cross-Site Scripting (XSS)
  • Local and remote file includes
• One-click protection for popular web applications
  • WordPress
  • Joomla
  • Drupal
  • osCommerce
  • vBulletin
  • Microsoft SharePoint
DDoS & BOT Mitigation
• Maximize availability, even during attacks
• Minimize impact on cloud computing resources
• Analyze attack events with comprehensive metrics
Appcito CAFE Service Capabilities
Availability
• Advanced load balancing
• Content switching
• Application fluency
• Elastic & self-scaling
DevOps
• Continuous deployment
• Request mirroring
• Request replay
• Programmable policies
• Per-application control
Performance
• Front-end optimization
• Optimization for client
• Caching & compression
• Predictive caching
• Application & server offloading
Security
• Application firewall
• Elastic SSL
• Anomaly detection
• DDoS
• BOT protection
App & Traffic Metrics
• Trends & correlations
• Anomaly detection
• Policy recommendation
• Analytics & insights