
How to prioritize security controls for sensitive AWS assets

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Today’s speakers

Sounil Yu
Creator of the Cyber Defense Matrix

Josh Thurston
Sr. Category Lead, Security at AWS

Sagar Khasnis
Partner Solutions Architect at AWS

Today’s Agenda

• Cloud opportunities and considerations
• Tools that can help protect your sensitive assets
• How to apply these tools to manage “pets” and to design for “cattle”
• Mapping capabilities to requirements
• Relevant AWS services and solutions in AWS Marketplace
• Customer success stories
Managing the Security of Your Pets and Cattle in the Cloud

SOUNIL YU

AWS provides a fundamentally different model for how we can build and operate IT infrastructure and applications, but we need to be mindful of new security considerations

Opportunities → Considerations
• Everything is highly configurable → More room for configuration errors
• Wide array of discrete services can be mixed and matched → Cloud sprawl with many more individual resources that need to be tracked
• Consolidated environments provide a unified API, enabling easier management and economies of scale → Erosion of network perimeter and network-centric boundaries
Sponsored by:
SOUNIL YU
*The views and opinions of Sounil Yu are their own and do not necessarily
reflect the positions of AWS or AWS Marketplace.
@sounilyu
These considerations require approaches that adapt to this new operating model and can scale

Considerations → Approach
• More room for configuration errors → Prevent misconfigurations at scale
• Cloud sprawl with many more individual resources that need to be tracked → Automatically discover cloud misconfigurations and exploits against them
• Erosion of network perimeter and network-centric boundaries → Enable rapid remediation of any discovered misconfiguration
These risks can be addressed through native AWS capabilities and through AWS Marketplace vendors

AWS Native (non-exhaustive): Amazon GuardDuty, Amazon Macie, AWS WAF, AWS Shield, AWS IAM, AWS Secrets Manager, AWS CloudTrail, AWS Systems Manager, Amazon Inspector, AWS CloudHSM, Amazon CloudWatch, AWS Config, AWS KMS, AWS Security Hub, Amazon Detective, AWS Trusted Advisor

AWS Marketplace (non-exhaustive): vendor logos shown on the slide
The Cyber Defense Matrix is an adaptation of the CSF
https://cyberdefensematrix.com

Columns (CSF functions): Identify | Protect | Detect | Respond | Recover
Rows (asset classes): Devices, Applications, Networks, Data, Users
Degree of Dependency (bottom axis): Technology, People, Process
This webinar will focus on cloud security on the left of boom

Columns: Identify | Protect | Detect | Respond | Recover
Rows:
• Devices (compute, hosts)
• Applications (containers, serverless)
• Networks (VPC, VPN, CDN, DNS)
• Data (storage, databases)
• Users (IAM roles)
Pre-Event (left of boom): Structural Awareness. Post-Event (right of boom): Situational Awareness.
Degree of Dependency (bottom axis): Technology, People, Process
Cloud Workload Protection Platforms (CWPP) and Cloud Security Posture Management (CSPM) capabilities are adjacent and complement each other

Control Plane: CSPM covers control plane and PaaS configuration
• IAM Configuration
• Network Configuration
• Storage Configuration
• PaaS Configuration

Data Plane: workload protection
• Cloud-Native Security Services (ADC, LB, WAF, DoS, FW, etc.)
• Cloud Workload Protection Platform (CWPP), shown on each workload
Source: Gartner Market Guide for Cloud Workload Protection Platforms, 2020
The Cyber Defense Matrix can show how cloud security can be addressed with CWPP and CSPM capabilities

Identify and Protect columns:
• Devices (compute, hosts): Cloud Workload Protection Platform (CWPP), data plane
• Applications (containers): CWPP, data plane
• Applications (serverless): PaaS Configuration (CSPM)
• Networks (VPC, VPN, CDN, DNS): Cloud-Native Security Services (ADC, LB, WAF, DoS, FW, etc.) and Network Configuration (CSPM)
• Data (storage, databases): Storage Configuration (CSPM)
• Users (IAM roles): IAM Configuration (CSPM)
Cloud Security Posture Management (CSPM) covers the control plane.

Source: Gartner Market Guide for Cloud Workload Protection Platforms, 2020 (slightly modified)

Mapping products, such as Trend Micro’s Cloud One, to the Cyber Defense Matrix can help understand coverage

Identify and Protect columns:
• Devices (compute, hosts): Cloud One™ Workload Security (Cloud Workload Protection Platform)
• Applications (containers): Cloud One™ Container Security
• Applications (serverless): Cloud One™ Application Security
• Networks (VPC, VPN, CDN, DNS): Cloud One™ Network Security
• Data (storage, databases): Cloud One™ File Storage Security
• Users (IAM roles) and the other control-plane rows: Cloud One™ Conformity (Cloud Security Posture Management)
A more detailed breakdown of underlying capabilities provides further insights on areas of need

Columns: Devices (compute, hosts) | Applications (containers, serverless) | Networks (VPC, VPN, CDN, DNS) | Data (storage, databases) | Users (IAM Roles)

Identify
• Inventory: EC2 Instances, Stopped Machines | Software Bill of Materials, Installed Applications | IP Addresses, VPCs, FWs | S3 Buckets, Databases | Accounts
• Classification: Unsupported O/S (Devices); Classification of viruses, malware, PII, PHI, PCI; Admin Accounts (Users)
• Vuln Assessment: O/S Vulnerabilities, Weak PWs, Insecure SSH Keys | OSS Library Vulnerabilities | Unintentionally Open Ports, Improper Routing | Unintentionally Open S3 Buckets, Exposed Keys | Weak Passwords, No MFA

Protect
• Identity Mgt: SSH Key Management | Secrets Management | DNS, DHCP, IP Address Management | Key Management | IAM Role Management
• Access Mgt: EC2 Connect | – | Firewall Manager | S3 Bucket ACLs | IAM Role Management
• Patching / Fixing: O/S Patch | Code Fix, Component Update | Network Segmentation | Encryption | Password Reset, Access Revocation
• Exploit Mitigation: Memory Protection | Web Application Firewall | Network Intrusion Prevention System | – | MFA Enablement
• Logging, Monitoring: System Logs | Application Logs | Flow Logs | Access Logs | Account Activity History
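As an added example (not from the webinar, and not code from AWS or any vendor shown), the following Python runs three of the Identify-row checks from the table above (unintentionally open S3 buckets, unintentionally open ports, users without MFA) over a constructed inventory, tags each finding with the Cyber Defense Matrix cell it belongs to, and shapes it like an AWS Security Finding Format record so it could be handed to an aggregator such as Security Hub. The inventory records, the account id, the product ARN, the generator id and the administrative-port list are all assumptions made for this example.

```python
"""CSPM-style configuration checks over a constructed AWS-style inventory.

Each check is labelled with the Cyber Defense Matrix cell it covers
(asset class x CSF function) so that coverage gaps stay visible.
The INVENTORY below is constructed sample data, not the output of any AWS API.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed inventory: field names only loosely follow what AWS Config / IAM
# would report; every record here is made up for the example.
INVENTORY = {
    "s3_buckets": [
        {"name": "public-assets", "public_access_block": False, "acl": "public-read"},
        {"name": "customer-records", "public_access_block": True, "acl": "private"},
    ],
    "security_groups": [
        {"id": "sg-0a1b2c", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                       {"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-0d3e4f", "ingress": [{"port": 5432, "cidr": "10.0.0.0/16"}]},
    ],
    "iam_users": [
        {"name": "alice", "mfa_enabled": True, "console_access": True},
        {"name": "build-bot", "mfa_enabled": False, "console_access": True},
    ],
}

# Assumed policy: administrative/database ports must never be open to 0.0.0.0/0.
ADMIN_PORTS = {22, 3389, 3306, 5432}


@dataclass
class Finding:
    asset_class: str   # Devices / Applications / Networks / Data / Users
    function: str      # Identify / Protect / Detect / Respond / Recover
    severity: str      # LOW / MEDIUM / HIGH / CRITICAL
    resource_id: str
    title: str


def check_open_buckets(buckets):
    """Data x Identify: 'Unintentionally Open S3 Buckets'."""
    return [Finding("Data", "Identify", "HIGH", b["name"], "S3 bucket allows public access")
            for b in buckets
            if not b["public_access_block"] or b["acl"].startswith("public")]


def check_open_ports(groups):
    """Networks x Identify: 'Unintentionally Open Ports'."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                findings.append(Finding("Networks", "Identify", "HIGH", sg["id"],
                                        f"Port {rule['port']} open to the internet"))
    return findings


def check_mfa(users):
    """Users x Identify: 'No MFA'."""
    return [Finding("Users", "Identify", "MEDIUM", u["name"], "Console user without MFA")
            for u in users if u["console_access"] and not u["mfa_enabled"]]


def run_checks(inventory):
    """Run every check and return the combined finding list."""
    findings = []
    findings += check_open_buckets(inventory["s3_buckets"])
    findings += check_open_ports(inventory["security_groups"])
    findings += check_mfa(inventory["iam_users"])
    return findings


def to_asff(finding, account_id="123456789012", region="us-east-1"):
    """Shape a finding like an ASFF record so a Security Hub-style aggregator
    could ingest it. Account id and ARN are placeholders for the example."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{finding.asset_class}/{finding.resource_id}/{finding.title}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": "example-cspm-checks",
        "AwsAccountId": account_id,
        "Types": [f"Software and Configuration Checks/{finding.asset_class}"],
        "CreatedAt": now,
        "UpdatedAt": now,
        "Severity": {"Label": finding.severity},
        "Title": finding.title,
        "Description": f"Cyber Defense Matrix cell: {finding.asset_class} x {finding.function}",
        "Resources": [{"Type": "Other", "Id": finding.resource_id}],
    }


def coverage_matrix(findings):
    """Count findings per CDM cell; cells that never appear have no check yet."""
    cells = {}
    for f in findings:
        key = (f.asset_class, f.function)
        cells[key] = cells.get(key, 0) + 1
    return cells


if __name__ == "__main__":
    for f in run_checks(INVENTORY):
        print(f.asset_class, f.function, f.severity, f.resource_id, f.title)
```

Each check function is pinned to one cell of the matrix, so the coverage count makes it obvious that this script says nothing about Devices or Applications and nothing right of Identify; that is the kind of gap the slide's breakdown is meant to expose.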
Another fundamental benefit of cloud-native security capabilities is that it helps us adhere to design patterns that look more like “cattle” and less like “pets”

Pets
• Given a familiar name
• Taken to the vet when sick
• Hugged

Cattle
• Branded with an obscure, unpronounceable name
• Culled from herd
We can leverage AWS native capabilities to secure our “pets” and address all three elements of the CIA Triad

Confidentiality | Integrity | Availability
Services shown, left to right across the three columns: AWS KMS, AWS CloudHSM, AWS WAF, Amazon Detective, AWS Config, AWS CloudTrail, AWS Security Hub, Amazon GuardDuty, AWS Firewall Manager, AWS Shield
Adhering to the DIE Triad helps us build “cattle”

• Distributed (Amazon CloudFront): DDoS Resistant. The best solution against a distributed attack is a distributed service. → Availability
• Immutable (AWS CloudFormation): Changes Easier to Detect and Reverse. Unauthorized changes stand out and can be reverted to known good. → Integrity
• Ephemeral (AWS Lambda): Drives Value of Assets Closer to Zero. Makes attacker persistence hard and reduces concern for assets at risk. → Confidentiality
There are many AWS native capabilities that align to the DIE Triad to help us build “cattle”

Services placed across the overlapping Distributed, Immutable and Ephemeral regions of the diagram: Elastic Load Balancing, AWS Elastic Beanstalk, Amazon CloudFront, Amazon Elastic Container Service, Amazon Elastic Kubernetes Service, AWS IAM (AWS STS), AWS Systems Manager, AWS CloudFormation, Amazon Managed Blockchain, AWS Fargate, AWS Lambda, AWS Service Catalog, Amazon S3 Glacier, Amazon EC2, Amazon EC2 Instance Store
The distribution of “Pets” and “Cattle” changes across the Shared Responsibility Model and with cloud native maturity

Diagram labels: CWPP, PETs, CSPM
Organizations desiring high cloud native maturity should exercise stringent pet control

Discourage / Disincentivize
• ssh’ing into a container
• letting an asset live longer than needed
• patching in place

Encourage / Incentivize
• decommissioning
• creative destruction
• rebooting/reimaging
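As an added example (not from the webinar), the following Python turns the pet-control guidance above into a check: each constructed asset record is scored against the three DIE properties, so that the discouraged practices (interactive logins, living longer than needed, patching in place, running as a lone instance) surface as concrete “pet” flags with the encouraged action (reimage and retire, or move behind a scaled group). The record fields, the 14-day age limit and the fixed clock value are assumptions made for this example, not an AWS API shape.

```python
"""Pet-control checks: score constructed asset records against the DIE triad.

An asset that is long-lived, modified in place or run as a lone instance behaves
like a 'pet'; the policy flags it so it can be rebuilt or decommissioned rather
than patched. All records, thresholds and field names are constructed here.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 10, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
MAX_AGE = timedelta(days=14)                        # assumed policy: rebuild, don't keep

# Constructed asset records (not real instance ids or API output).
ASSETS = [
    {"id": "i-web-01", "launched": NOW - timedelta(days=2), "from_template": True,
     "interactive_logins": 0, "in_place_patches": 0, "in_group": "web-asg"},
    {"id": "i-legacy-db", "launched": NOW - timedelta(days=400), "from_template": False,
     "interactive_logins": 17, "in_place_patches": 9, "in_group": None},
    {"id": "i-batch-07", "launched": NOW - timedelta(days=20), "from_template": True,
     "interactive_logins": 1, "in_place_patches": 0, "in_group": "batch-asg"},
]


def die_violations(asset, now=NOW, max_age=MAX_AGE):
    """Return the DIE properties this asset violates, each with the practice behind it."""
    violations = {}
    if asset["in_group"] is None:
        # Distributed: a single instance is a single point of failure.
        violations["Distributed"] = "lone instance, not part of a scaled group"
    if (not asset["from_template"] or asset["in_place_patches"] > 0
            or asset["interactive_logins"] > 0):
        # Immutable: anything touched by hand drifts from its template.
        violations["Immutable"] = "built or changed by hand (login / patch in place) instead of rebuilt"
    if now - asset["launched"] > max_age:
        # Ephemeral: the longer it lives, the more it is worth to an attacker.
        violations["Ephemeral"] = "lives longer than policy allows"
    return violations


def classify(asset, **kw):
    """'cattle' when all three properties hold, otherwise 'pet'."""
    return "pet" if die_violations(asset, **kw) else "cattle"


def recommended_action(asset, **kw):
    """Map violations to the encouraged practice (reimage/retire or redistribute)."""
    v = die_violations(asset, **kw)
    if not v:
        return "none"
    if "Ephemeral" in v or "Immutable" in v:
        return "reimage from template and retire the current instance"
    return "place behind a load-balanced / autoscaled group"


def herd_report(assets, **kw):
    """Summarise the fleet: id -> (classification, sorted violated properties)."""
    return {a["id"]: (classify(a, **kw), sorted(die_violations(a, **kw))) for a in assets}


if __name__ == "__main__":
    for asset in ASSETS:
        print(asset["id"], classify(asset), recommended_action(asset))
```

The point of scoring rather than just counting old instances is that the three properties fail independently: a freshly launched instance someone has already logged into is as much a pet as a year-old one, and the report shows which habit to discourage.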
Mapping security coverage from day one in AWS

Migration to AWS

Security Requirements
• Visibility
• Authority
• Capability
• Compliance

Organization Requirements
• Confidentiality
• Integrity
• Availability
• Distributed
• Immutable
• Ephemeral

CSPM and CWPP Facilitate
• Inventory of cloud assets
• Authority to access via IAM
• Capability to protect, monitor, measure compliance and risk
Development in AWS

Security Requirements
• Visibility
• Authority
• Capability
• Compliance

DevOps Requirements
• Easy Access
• Speed / Agility
• Frictionless CI/CD pipeline

CSPM and CWPP Facilitate
• Inventory of cloud assets
• Authority to access via IAM
• Capability to protect, monitor, measure compliance and risk
Identify Assets at launch

Protect Assets at launch

Protecting sensitive assets in AWS

AWS services that enable sensitive asset protection

Identify | Protect | Detect | Respond | Recover
Services shown across the columns: AWS Security Hub, AWS Organizations, AWS Transit Gateway, Amazon Cloud Directory, Amazon GuardDuty, Amazon Macie, AWS Control Tower, Amazon VPC, AWS PrivateLink, AWS Resource Access Manager, AWS Key Management Service, AWS Well-Architected Tool, AWS CloudHSM, Amazon Detective
Respond: Automate (AWS Security Hub), Investigate (Amazon Detective)
Recover: Snapshot, Archive
Discover your sensitive data with machine learning

Increase visibility and secure sensitive assets

Solutions forwarding findings into AWS Security Hub: Firewalls, Vulnerability, Endpoint, Compliance, CWPP, CSPM, Other
AWS Security Services forwarding findings into AWS Security Hub: Amazon Detective, Amazon Macie
“Taking Action” on AWS Security Hub findings: SIEM, SOAR
How are AWS customers leveraging Trend Micro?

• Manage misconfigurations of cloud resources
• Complete visibility with a single dashboard
• Continuous assurance
Change Healthcare protects sensitive data
Using Trend Micro Cloud One™ Conformity

Benefits:
• Supports automation of compliance
• Simplifies the configuration and deployment of rules
• Able to quickly adopt new AWS services while maintaining compliance

(Example dashboard shown on the slide)
Xero gains advanced security for sensitive assets
With Check Point CloudGuard IaaS

Benefits:
• Securely moved 700,000 customers, 59 billion records, and $1 trillion in transactions to AWS
• Automated security without slowing development

Architecture diagram: Internet → AWS Cloud → VPC spanning Availability Zone 1 and Availability Zone 2; each zone contains Public Subnet 1 and Public Subnet 2 with Check Point Gateways and Instances; a Check Point Management Server is also shown in the VPC.
Jabil enhances sensitive data visibility and control
Leveraging Digital Guardian’s Enterprise DLP Platform

Benefits:
• Gained visibility into all data access and usage across 52,000 workstations
• Identified and located critical IP as defined by each business unit and its customers
• Implemented more secure data workflows
Why AWS Marketplace?

• Flexible consumption and contract models
• Quick and easy deployment
• Helpful humans to support you
How can you get started?

Find: A breadth of security solutions

Buy: Through flexible pricing options
• Free trial
• Pay-as-you-go
• Hourly | Monthly | Annual | Multi-Year
• Bring Your Own License (BYOL)
• Seller Private Offers
• Channel Partner Private Offers

Deploy: With multiple deployment options
• Software as a Service (SaaS)
• Amazon Machine Image (AMI)
• AWS CloudFormation (Infrastructure as Code)
• Amazon Elastic Container Service (ECS)
• Amazon Elastic Kubernetes Service (EKS)
Webinar summary

Cloud Workload Protection Platforms and Cloud Security Posture Management solutions can help protect your most sensitive assets.

Leverage AWS Services that integrate with your AWS environment and can enhance your network segmentation capabilities.

Current tools? Bring your own license to leverage benefits of AWS Marketplace.

New tools? Select solutions in AWS Marketplace for a curated list proven on AWS.
Thank you!

Sounil Yu, Creator of the Cyber Defense Matrix
Josh Thurston, Sr. Category Lead, Security at AWS
Sagar Khasnis, Partner Solutions Architect at AWS
