Top 5 Security Errors and How to Avoid Them
James Brown, Head of Public Cloud, Palo Alto Networks
Key findings based on customer research and breach analysis, July – October 2018
49% of organizations leave their databases unencrypted
• Encrypt, encrypt, encrypt!
• Encryption of S3 buckets allows that data to remain untampered with and valid for audits down the road
• Encryption of RDS protects information even if databases are compromised or copied in a malicious manner
41% of account access keys have not been rotated in more than 90 days
• Rotate keys regularly
• Rotate ALL credentials, passwords, and API access keys on a regular basis
32% of organizations publicly exposed at least 1 S3 bucket
• Don’t let your S3 bucket policies atrophy
• Strengthen S3 buckets with either IAM Policies, S3 Bucket Policies, or S3 Access Control Lists
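One way to test a bucket for the exposure this slide describes, given here as an added example that is not part of the original deck or of any Palo Alto Networks product: the code evaluates a bucket policy and an ACL in the shape that S3's GetBucketPolicy and GetBucketAcl calls return, flagging Allow statements open to any principal and ACL grants to the AllUsers / AuthenticatedUsers groups. The bucket names, policies, ACLs and the placeholder VPC endpoint and owner IDs are constructed sample data, so it runs offline with no AWS credentials.

```python
"""Flag S3 buckets exposed to the public via bucket policy or ACL (added example)."""
import json

# Canned-ACL group URIs that mean "everyone" / "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_wildcard(principal):
    """True if a policy statement's Principal matches anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy_json):
    """Return the Sid (or index) of each Allow statement open to any principal
    that carries no Condition; conditioned statements are left for manual review."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be an object
        statements = [statements]
    hits = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue                       # e.g. aws:SourceVpce / aws:SourceIp narrowing
        hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def acl_public_grants(acl):
    """Return (permission, grantee URI) for grants to AllUsers/AuthenticatedUsers."""
    return [
        (g.get("Permission"), g["Grantee"]["URI"])
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def audit_bucket(name, policy_json, acl):
    """Human-readable findings for one bucket; an empty list means not public."""
    findings = [f"{name}: bucket policy statement {sid} allows any principal"
                for sid in policy_public_statements(policy_json)]
    findings += [f"{name}: ACL grants {perm} to {uri.rsplit('/', 1)[-1]}"
                 for perm, uri in acl_public_grants(acl)]
    return findings


# Constructed sample: one bucket exposed by policy, one by ACL, one locked down.
SAMPLE_BUCKETS = {
    "public-by-policy": (
        json.dumps({"Version": "2012-10-17", "Statement": [{
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-by-policy/*"}]}),
        {"Grants": []},
    ),
    "public-by-acl": (
        json.dumps({"Version": "2012-10-17", "Statement": []}),
        {"Grants": [{"Grantee": {"Type": "Group",
                                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                     "Permission": "READ"}]},
    ),
    "locked-down": (
        json.dumps({"Version": "2012-10-17", "Statement": [{
            "Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::locked-down/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]}),
        {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-PLACEHOLDER"},
                     "Permission": "FULL_CONTROL"}]},
    ),
}


def audit_all(buckets=SAMPLE_BUCKETS):
    return [f for name, (pol, acl) in buckets.items() for f in audit_bucket(name, pol, acl)]


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

The locked-down sample shows the caveat: a wildcard principal behind a Condition is skipped rather than flagged, but a weak condition key still leaves the bucket public, so such statements deserve a manual look. Running a check like this on a schedule is what keeps a policy from atrophying unnoticed.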
29% of organizations enable root user activities
• Disable root account API access keys
• Create IAM admin users. At least 2, no more than 3 per IAM group
• Grant access to billing information and tools
• Disable/remove the default AWS root user API access keys
27% of organizations leave default network settings for at least 1 account
• Always lock down the IP addresses and ports from which you will access your AWS environment
• Only turn on access when it is needed, and turn it off again once administrative work has been accomplished
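As an added example of checking the network setting this slide describes (not code from the deck or from any Palo Alto Networks product), the block below walks a list of security groups in the shape returned by EC2 DescribeSecurityGroups and flags ingress rules reachable from 0.0.0.0/0 or ::/0 on anything other than a single public web port, plus any rule at all on a VPC's default security group. The group IDs, names and CIDRs are constructed sample values; the set of ports treated as acceptable for world access is an assumption you would tune to your environment.

```python
"""Flag security-group ingress open to the whole Internet (added example)."""

ANY_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumption: only the public web tier is meant to be reachable from anywhere.
PUBLIC_OK_PORTS = {80, 443}


def _rule_ports(perm):
    """(from_port, to_port) for a rule; IpProtocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def _world_open_cidrs(perm):
    """CIDRs in the rule that match any address, IPv4 or IPv6."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in ANY_CIDRS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in ANY_CIDRS]
    return v4 + v6


def world_open_ingress(groups, allowed_ports=PUBLIC_OK_PORTS):
    """Return (group_id, cidr, from_port, to_port) for each world-reachable ingress
    rule, except single-port rules on allowed_ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = _rule_ports(perm)
            if lo == hi and lo in allowed_ports:
                continue
            for cidr in _world_open_cidrs(perm):
                findings.append((sg["GroupId"], cidr, lo, hi))
    return findings


def default_groups_with_ingress(groups):
    """The default group of a VPC should carry no rules; any ingress on it is a finding."""
    return [sg["GroupId"] for sg in groups
            if sg.get("GroupName") == "default" and sg.get("IpPermissions")]


# Constructed sample: a web group that also exposes SSH, a bastion restricted to
# one office range (203.0.113.0/24 is a documentation prefix), and an untouched default group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0PLACEHOLDER1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0PLACEHOLDER2", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0PLACEHOLDER3", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


if __name__ == "__main__":
    for gid, cidr, lo, hi in world_open_ingress(SAMPLE_GROUPS):
        print(f"OPEN    {gid}: {cidr} -> ports {lo}-{hi}")
    for gid in default_groups_with_ingress(SAMPLE_GROUPS):
        print(f"DEFAULT {gid}: default security group carries ingress rules")
```

The bastion group passes because its SSH rule is pinned to one source range, which is the "lock down the IP and port" advice in practice; the slide's second point, enabling access only for the duration of administrative work, is a process around that rule rather than something a static check can see, so a run of this check before and after each maintenance window is the matching control.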
Why So Many Security Errors? Disparate Point Product Offerings
Point products in the picture: CSP native tools, container security tools, OpsDev, SIEM, network monitoring tools, CASB, GRC tools, open source tools
Limitations noted for these products:
• Silo'd tools
• Can’t correlate across network, user and config
• Not multi-cloud
• Limited compliance
• AWS Well-Architected framework
• DIY security - too much data, too much noise
• Very expensive
• Only provides part of the story
• IP addresses are elastic in cloud
• Lacks cloud-native context
• Not built for cloud
• Great user & data context, lacks infrastructure context (network traffic, vuln, etc.)
• Lacks threat hunting and incident response
• Higher TCO, requires constant upkeep with CSPs
• Limited coverage
8 | © 2019 Palo Alto Networks, Inc. Confidential and Proprietary.
Effective Cloud Security: Series of Integrated Security Requirements
What’s actually happening? Network Security / Flow Logs / Threat Intel
Who is making changes and why? Credentials / Actions / Identity
What do I have in the cloud? Asset Inventory
Are my hosts and containers secure? Runtime Security / Image & Vuln Scanning
Is my app & data secure? DLP / Serverless / AppSec
Am I compliant? Configurations / Compliance Reporting
The Problems We Can Help You Solve
Network Security / Flow Logs / Threat Intel
• Real-time network visibility and incident investigations
• Suspicious/malicious traffic detection
• Virtual firewall for in-line protection (VM-series)
Credentials / Actions / Identity
• Account & access key compromise detection
• Anomalous insider activity detection
• Privileged activity monitoring
Visibility / Configurations / Compliance
• Asset inventory tracking and cloud “time machine”
• Compliance scanning (CIS, PCI, GDPR, etc.)
• Configuration best practices
Runtime Security / Image & Vuln Scanning
• Runtime security*
• Static image analysis (vulnerabilities and compliance)*
• Configuration monitoring (for cloud native)
DLP / Serverless / AppSec
• Serverless*
• DLP & malware scanning
* Potential future roadmap
The Most Complete Cloud Security Offering
• Detective control
• Infrastructure security
• Incident response
• Data protection
Visit Our Booth to Learn More
THANK YOU