AWS Security Ideas - re:Invent 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Teri Radichel | @teriradichel

11/28/2016

AWS Security IdeasLeverage The Platform - Enhance Security

Many companies have gotten past the belief that the cloud is not secure...

But you still have to secure it.

Here are some ideas for a more secure cloud.

@teriradichel

Architect Systems For Security First

If system is designed by security professionals,

Security is built in from the ground up.

@teriradichel

Centralize and Automate Security Functions

Manage security via trained professionals.

Limit mistakes due to lack of knowledge.

@teriradichel

Build System as Gatekeeper

If changes have to go through gatekeeper…

Every change can be monitored.

@teriradichel

Build System as Security Training System

Automate security checks at deployment…

Train developers at the point of action.

@teriradichel

Leverage Event Driven Security Automation

Monitor for unwanted behavior…

Automatically respond.

@teriradichel

Separation of Duties by Design

If it takes multiple people to make a mistake…

Chances are someone will catch the problem.

@teriradichel

Immutable Infrastructure

If it cannot change once it has been deployed…

Malware cannot be installed after deployment.

@teriradichel

Eliminate Published CVEs

According to 2016 Verizon Data Breach Report:

Known CVEs cause majority of breaches.

@teriradichel

A Key is a Password

Keys: brute forced, lost, shared, stolen.

RBAC may be more easily managed.

@teriradichel

Use Key Hierarchies

Limit use of each key to subset of data.

If one key is stolen, limits the damage.

@teriradichel

Make It Easy For Developers

Automate common security related functions.

Simplify: authenticate, log, encrypt, deploy.

@teriradichel

Consider Process vs. Technical Controls

Think encrypting data in memory.

May be more feasible to secure via process.

@teriradichel

Think About Who Can Change Controls

If the control can be changed by lots of people…

It is not an effective control.

@teriradichel

Understand Reconnaissance

Network scans look for vulnerabilities to attack.

Secure all endpoints.

@teriradichel

The Benefit of Network Security

A kernel mode root kit makes machines lie.

The network doesn’t lie.

@teriradichel

Most Developers != Network Professionals

Implementing is not the same as securing.

One hole in the fence enables intrusion.

@teriradichel

Secure Your Logs

Write once, read only, replicated.

Ensure logs are not missing or deceiving.

@teriradichel

Thank you!

Teri Radichel | WatchGuard Technologies | @teriradichel