Cloud Security.

Presentation on theme: "Cloud Security."— Presentation transcript:

1 Cloud Security

2 Agenda
Amazon Web Services (AWS)
Shared Responsibility Model
Azure ….
Network Security
Access Controls
Audit Controls

3 AWS Shared Responsibility Model
-- hardening

4 Azure Security
Design and operational security -- a security development lifecycle for their own software.
Identity and access -- MFA, AD.
Encryption and key management -- Azure Key Vault, IPsec for data in transit, encryption for data at rest.
Penetration testing -- Microsoft tests its own platform and has a policy under which you can test your deployment.
Network security -- Azure Virtual Network (like your own datacenter: private IP space, subnets and access control policies).
Threat management -- Microsoft Antimalware.
Monitoring, logging and reporting -- Azure lets you collect security events from Azure IaaS and PaaS. You can then use HDInsight to aggregate and analyze these events, and export them to on-premises security information and event management (SIEM) systems for ongoing monitoring. For applications deployed in Azure, and for virtual machines created from the Azure Virtual Machines Gallery, Azure enables a set of operating system security events by default.

5 AWS Management Console
[Diagram: admin and end users reach a corporate data center and, through a WAF, a VPC subnet protected by a security group. Inside the virtual private cloud: the AWS Management Console, a Web/App tier on EC2 with EBS volumes and AMIs, S3, and a database on RDS.]
Ways to secure?
Limit attack vectors. Same: application, OS, DB (access, audit). Differ: 'homogeneous' environment (network).
Secure backups. Same: encryption. Differ: volumes and snapshots vs. physical security.
Internal vs. external. Same: insider threat, external hackers, bots. Differ: automation.

6 Network controls
Capabilities: VPC, Direct Connect, subnets, route tables, NACLs, security groups, monitoring, IPS/IDS.
Constraints: human error, e.g. security groups wide open, enabling public IPs on 'private' services.
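The two human errors named on this slide can both be caught from the account's own configuration before anyone exploits them. The script below is an added example, not part of the deck: it audits a `describe-security-groups` document for rules open to the whole internet on ports that are not meant to be public, and lists RDS instances that were created with a public endpoint. The sample JSON, the group and instance IDs, and the "only 80 and 443 may be public" policy are constructed assumptions for the example; the field names are those of the EC2 and RDS describe APIs.

```python
import ipaddress
import json

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`
# and `aws rds describe-db-instances`; only the fields this script reads are
# reproduced, and the group and instance IDs are made up.
SAMPLE_SECURITY_GROUPS = json.loads(r'''
{"SecurityGroups": [
  {"GroupId": "sg-0aaa111", "GroupName": "web-tier", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb222", "GroupName": "db-tier", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ccc333", "GroupName": "admin-jump", "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
]}''')

SAMPLE_DB_INSTANCES = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": True,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb222"}]},
    {"DBInstanceIdentifier": "reports-db", "PubliclyAccessible": False,
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb222"}]},
]}

# Policy for this example (an assumption, not an AWS default): only the web
# ports may be reachable from any address; everything else must be scoped.
PUBLIC_ALLOWED_PORTS = {80, 443}


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. 'anywhere on the internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_sources(perm):
    """All CIDR sources of one IpPermissions entry (IPv4 and IPv6)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def exposed_ports(perm):
    """Describe what a rule opens beyond PUBLIC_ALLOWED_PORTS, or None."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "all protocols and ports"
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    if lo < 0:  # ICMP rules carry type/code here, not ports
        return f"{proto} (all types)"
    extra = [p for p in range(lo, hi + 1) if p not in PUBLIC_ALLOWED_PORTS]
    return f"{proto}/{lo}-{hi}" if extra else None


def audit_security_groups(doc):
    """Return (GroupId, source CIDR, exposure) for every rule that is open to
    the world on something outside PUBLIC_ALLOWED_PORTS."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            exposure = exposed_ports(perm)
            if exposure is None:
                continue
            for src in rule_sources(perm):
                if is_world(src):
                    findings.append((sg["GroupId"], src, exposure))
    return findings


def public_databases(doc):
    """RDS instances with a public endpoint: the 'public IP on a private
    service' mistake, which a world-open group then turns into real exposure."""
    return [d["DBInstanceIdentifier"] for d in doc["DBInstances"]
            if d.get("PubliclyAccessible")]


if __name__ == "__main__":
    for group_id, src, exposure in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: {exposure} open to {src}")
    for name in public_databases(SAMPLE_DB_INSTANCES):
        print(f"{name}: RDS instance is publicly accessible")
```

Run against live output by piping `aws ec2 describe-security-groups` and `aws rds describe-db-instances` into the two loaders; the web tier passes, the database group fails on 3306, and the jump group fails on "all traffic from ::/0", which is exactly the wide-open case the slide warns about.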

7 Access controls
Capabilities: IAM (users, roles, groups, instance profiles), STS, encryption (KMS, HSM; SSL; server-side vs. client-side).
Constraints: IAM is account-specific; KMS is region-specific; human error, e.g. sharing keys, publishing access keys on GitHub.
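Two of the constraints on this slide are mechanical enough to check in a pre-commit hook or CI job. The script below is an added example, not from the deck: it scans file contents for AWS access key IDs and secret keys of the kind that end up published on GitHub, and flags KMS key ARNs whose region does not match the deployment, since a KMS key only exists in the region it was created in. The sample file uses the example credentials from AWS's own documentation (not live secrets); the KMS ARNs, account number and key IDs are constructed, and the secret-key pattern is a heuristic (a 40-character token assigned to a name containing "secret"), not an AWS-defined format.

```python
import re

# Constructed config file of the kind that gets committed by mistake. The
# credentials are the AWS documentation examples, not live keys.
SAMPLE_FILE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# export AWS_SESSION_TOKEN=...
bucket = my-app-assets
"""

# AKIA = long-term IAM key, ASIA = temporary STS key; both are 20 characters.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Heuristic: a 40-char base64-ish token assigned to a name that says 'secret'.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret_?(?:access_?)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")


def redact(value):
    """Keep just enough of a match to locate it without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def scan_text(text):
    """Return (line number, kind, redacted value) for each credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


# KMS keys are regional: a key ARN from another region cannot serve a
# deployment here. Sample ARNs are constructed (fake account and key IDs).
KMS_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/[0-9a-f-]{36}$")
SAMPLE_KEY_ARNS = [
    "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "arn:aws:kms:eu-west-1:111122223333:key/abcd1234-12ab-34cd-56ef-1234567890ab",
]


def cross_region_keys(key_arns, deploy_region):
    """KMS key ARNs that do not live in deploy_region (or are malformed)."""
    bad = []
    for arn in key_arns:
        m = KMS_ARN_RE.match(arn)
        if not m or m.group(1) != deploy_region:
            bad.append(arn)
    return bad


if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {kind} {value}")
    for arn in cross_region_keys(SAMPLE_KEY_ARNS, "us-east-1"):
        print(f"wrong region for this deployment: {arn}")
```

A hit from `scan_text` should fail the commit and trigger key rotation, because a key that has reached a public repository is compromised the moment it lands there, whether or not the commit is later rewritten.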

8 Audit Controls
Capabilities: CloudTrail, Config, Inspector, CloudWatch + CloudTrail + Lambda.
Constraints: covers AWS API calls only; human error, e.g. sharing keys, publishing access keys on GitHub.
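The "CloudWatch + CloudTrail + Lambda" combination on this slide is a detection pipeline: CloudTrail records API calls, a CloudWatch Logs subscription hands each record to a Lambda function, and the function applies rules. The code below is an added example, not from the deck. It runs four such rules (root account use, console login without MFA, a security group opened to 0.0.0.0/0, and changes to the trail itself) over constructed CloudTrail records, and shows the Lambda entry point unpacking the base64+gzip payload a Logs subscription delivers. The records, times, IPs and account number are made up; the field names follow the CloudTrail record format. The slide's "AWS API only" caveat applies here too: nothing that happens inside a guest OS appears in these records.

```python
import base64
import gzip
import json

# Constructed CloudTrail records, trimmed to the fields the rules read.
# Account, user names and IPs are made up.
SAMPLE_RECORDS = json.loads(r'''[
 {"eventTime": "2016-03-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2016-03-01T08:05:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
  "requestParameters": {"groupId": "sg-0bbb222", "ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2016-03-01T09:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "accountId": "111122223333"},
  "requestParameters": {"userName": "backup-svc"}},
 {"eventTime": "2016-03-01T09:01:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "accountId": "111122223333"},
  "requestParameters": {"name": "main-trail"}},
 {"eventTime": "2016-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.4",
  "userIdentity": {"type": "AssumedRole", "accountId": "111122223333"}}
]''')


# Each rule returns an alert message for a matching record, else None.
def rule_root_activity(r):
    if r["userIdentity"].get("type") == "Root":
        return "root account used: " + r["eventName"]


def rule_console_login_without_mfa(r):
    if (r["eventName"] == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "console login without MFA: " + r["userIdentity"].get("userName", "?")


def rule_security_group_opened_to_world(r):
    if r["eventName"] != "AuthorizeSecurityGroupIngress":
        return None
    params = r.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return (f"{params.get('groupId')} opened {perm.get('ipProtocol')}/"
                        f"{perm.get('fromPort')}-{perm.get('toPort')} to 0.0.0.0/0")


def rule_audit_trail_tampering(r):
    if (r["eventSource"] == "cloudtrail.amazonaws.com"
            and r["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail"}):
        return "trail changed: " + r["eventName"]


RULES = [rule_root_activity, rule_console_login_without_mfa,
         rule_security_group_opened_to_world, rule_audit_trail_tampering]


def detect(records):
    """Return (eventTime, rule name, message) for every rule hit."""
    alerts = []
    for r in records:
        for rule in RULES:
            msg = rule(r)
            if msg:
                alerts.append((r["eventTime"], rule.__name__, msg))
    return alerts


def lambda_handler(event, context):
    """Lambda entry point for a CloudWatch Logs subscription: the payload is
    base64-encoded gzip JSON with one CloudTrail record per logEvents[].message."""
    payload = json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))
    return detect([json.loads(e["message"]) for e in payload["logEvents"]])


def make_subscription_event(records):
    """Build the payload shape the handler receives, for local testing."""
    body = {"logEvents": [{"message": json.dumps(r)} for r in records]}
    data = base64.b64encode(gzip.compress(json.dumps(body).encode())).decode()
    return {"awslogs": {"data": data}}


if __name__ == "__main__":
    for when, rule, msg in lambda_handler(make_subscription_event(SAMPLE_RECORDS), None):
        print(f"{when} [{rule}] {msg}")
```

In production the handler would forward `alerts` to SNS or a ticketing system rather than return them; the `StopLogging` rule matters most, because an attacker who can stop the trail removes every other rule's input.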

9 Takeaways – checklist from system perspective
Define use cases
Role-based access control
Authentication mechanism?
Authorization mechanism?
Audit mechanism?
Encryption at rest
Encryption in transit
Domain boundary controls
What can be automated? How can that automation be protected and audited?

10 Takeaways – checklist for evaluating a service
Access controls?
Audit controls?
Encryption of data at rest (including backups)?
Encryption of data in transit?
Network controls?
Limits? Examples of limits: S3 logging cannot be encrypted; S3 bucket name obfuscation; Route 53 DNS name hashing; SNS spam protection.

