Aws Security Model - Best Slides1
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Today’s speakers
Sounil Yu
Creator of the Cyber Defense Matrix
Josh Thurston
Sr. Category Lead, Security at AWS
Sagar Khasnis
Partner Solutions Architect at AWS
Today’s Agenda
Managing the Security of Your Pets and Cattle in the Cloud
SOUNIL YU
AWS provides a fundamentally different model for how we can build and operate IT infrastructure and applications, but we need to be mindful of new security considerations
Opportunities: Everything is highly configurable
Considerations: More room for configuration errors
Approach: Prevent misconfigurations at scale
Sponsored by:
SOUNIL YU
*The views and opinions of Sounil Yu are their own and do not necessarily reflect the positions of AWS or AWS Marketplace.
@sounilyu
These risks can be addressed through native AWS capabilities and through AWS Marketplace vendors
(Cyber Defense Matrix figure; recoverable labels only.) Rows, the asset classes: Devices (compute, hosts); Applications (containers, serverless); Networks (VPC, VPN, CDN, DNS); Data (storage, databases); Users (IAM roles). Columns: Pre-Event (Structural Awareness) and Post-Event (Situational Awareness). CSPM covers the control plane and PaaS configuration: Network Configuration, Storage Configuration, PaaS Configuration, Control Plane.
Source: Gartner Market Guide for Cloud Workload Protection Platforms, 2020
The Cyber Defense Matrix can show how cloud security can be addressed with CWPP and CSPM capabilities
(Figure; recoverable labels only.) Cloud Workload Protection Platform (CWPP) covers Devices (compute, hosts) and Applications (containers, serverless), labelled Cloud-Native Security. Cloud Security Posture Management (CSPM) covers Networks (VPC, VPN, CDN, DNS: Network Configuration, with ADC, LB, WAF, DoS, FW, etc.), Data (storage, databases: Storage Configuration), PaaS Configuration Services and the Control Plane.
Source: Gartner Market Guide for Cloud Workload Protection Platforms, 2020 (slightly modified)
Mapping products, such as Trend Micro’s Cloud One, to the Cyber Defense Matrix can help understand coverage
(Figure; recoverable labels only.) Columns: Identify and Protect. Cloud One™ Workload Security maps to the Cloud Workload Protection Platform row for Devices (compute, hosts); Cloud One™ maps to Cloud Security Posture Management for Users (IAM roles).
A more detailed breakdown of underlying capabilities provides further insights on areas of need
(Capability table; columns are Devices (compute, hosts), Applications (containers, serverless), Networks (VPC, VPN, CDN, DNS), Data (storage, databases), Users (IAM Roles).)
Classification: Unsupported O/S (Devices); classification of viruses, malware, PII, PHI, PCI (Data); Admin Accounts (Users)
Access Mgt (Protect): EC2 Connect (Devices); Firewall Manager (Networks); S3 Bucket ACLs (Data); IAM Role Management (Users)
Logging, Monitoring: System Logs (Devices); Application Logs (Applications); Flow Logs (Networks); Access Logs (Data); Account Activity History (Users)
Another fundamental benefit of cloud-native security capabilities is that they help us adhere to design patterns that look more like “cattle” and less like “pets”
We can leverage AWS native capabilities to secure our “pets” and address all three elements of the CIA Triad
AWS KMS, AWS CloudHSM, AWS WAF, Amazon Detective, AWS Config, AWS CloudTrail, AWS Security Hub, Amazon GuardDuty, AWS Firewall Manager, AWS Shield
Adhering to the DIE Triad helps us build “cattle”
There are many AWS native capabilities that align to the DIE Triad to help us build “cattle”
(Figure; recoverable labels only: Distributed; AWS Service Catalog.)
The distribution of “Pets” and “Cattle” changes across the Shared Responsibility Model and with cloud native maturity
(Figure; recoverable labels only: CWPP, PETs, CSPM.)
Organizations desiring high cloud native maturity should exercise stringent pet control
(Figure; recoverable labels only: Discourage / Disincentivize, Encourage / Incentivize.)
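The DIE Triad slides (Distributed, Immutable, Ephemeral) describe the "cattle" pattern but give no concrete check for spotting "pets". The following is an added example, not code from the deck or from AWS: a small Python classifier that scores a constructed workload inventory against the three DIE properties and reports which ones each workload violates, so that pet control can be measured rather than argued. The field names, the 30-day ephemerality threshold and the sample inventory are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption of this example: anything alive longer than this is not "ephemeral".
MAX_AGE = timedelta(days=30)

@dataclass
class Workload:
    """Constructed inventory record; the fields are this example's own, not an AWS schema."""
    name: str
    azs: int            # availability zones the workload is spread across
    autoscaled: bool    # can a scaling policy replace it unattended?
    from_image: bool    # deployed from an image/template rather than hand-built
    drift_events: int   # in-place configuration changes recorded since launch
    launched: datetime

def die_findings(w: Workload, now: datetime) -> list:
    """Return the DIE properties a workload violates; an empty list means cattle."""
    findings = []
    if not (w.autoscaled and w.azs >= 2):           # Distributed: replaceable, multi-AZ
        findings.append("not distributed")
    if not (w.from_image and w.drift_events == 0):  # Immutable: rebuilt, never patched in place
        findings.append("not immutable")
    if now - w.launched > MAX_AGE:                  # Ephemeral: short-lived by design
        findings.append("not ephemeral")
    return findings

def classify(inventory, now):
    """Map each workload name to the list of DIE properties it fails."""
    return {w.name: die_findings(w, now) for w in inventory}

def pets(inventory, now):
    """Sorted names of workloads that fail at least one DIE property."""
    return sorted(n for n, f in classify(inventory, now).items() if f)

# Constructed sample inventory (not real AWS resources).
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    Workload("web-asg", 3, True, True, 0, NOW - timedelta(days=3)),
    Workload("legacy-db", 1, False, False, 14, NOW - timedelta(days=400)),
    Workload("batch-worker", 2, True, True, 2, NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for name, f in classify(INVENTORY, NOW).items():
        print(f"{name}: {'cattle' if not f else 'PET: ' + ', '.join(f)}")
```

Feeding the same checks real inventory (for example, instance age and drift data exported from a CSPM tool) turns the "discourage pets" policy into a list of named resources to migrate or retire.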
Mapping security coverage from day one in AWS
Migration to AWS
Development in AWS
Identify Assets at launch
Protect Assets at launch
Protecting sensitive assets in AWS
AWS services that enable sensitive asset protection
(Figure; recoverable labels only.) AWS Key Management Service; AWS CloudHSM; AWS Well-Architected Tool; Amazon Detective (Investigate); Snapshot Archive.
Discover your sensitive data with machine learning
Increase visibility and secure sensitive assets
(Figure; recoverable labels only.) AWS Security Hub, with surrounding labels Vulnerability, SOAR, Endpoint, Compliance, CWPP, CSPM and Other; Amazon Detective; Amazon Macie.
How are AWS customers leveraging Trend Micro?
• Manage misconfigurations of cloud resources
• Complete visibility with a single dashboard
• Continuous assurance
Change Healthcare protects sensitive data
Using Trend Micro Cloud One™ Conformity
Benefits:
• Supports automation of compliance
• Simplifies the configuration and deployment of rules
Example dashboard
Xero gains advanced security for sensitive assets
With Check Point CloudGuard IaaS
transactions to AWS
• Automated security without slowing development
(Architecture diagram; recoverable labels only: Public Subnet 1 and Public Subnet 2, each with Check Point Gateways and Instances; Check Point Management Server.)
Jabil enhances sensitive data visibility and control
Leveraging Digital Guardian’s Enterprise DLP Platform
Benefits:
• Gained visibility into all data access and usage across 52,000 workstations
Why AWS Marketplace?
How can you get started?
Find / Buy / Deploy
Webinar summary
Leverage AWS Services that integrate with your AWS environment and can enhance your network segmentation capabilities.
Current tools? Bring your own license to leverage benefits of AWS Marketplace.
New tools? Select solutions in AWS Marketplace for a curated list proven on AWS.
Thank you!
Sounil Yu
Creator of the Cyber Defense Matrix
Josh Thurston
Sr. Category Lead, Security at AWS
Sagar Khasnis
Partner Solutions Architect at AWS