© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andy Chow, Symantec
Building a Secured Cloud Architecture with Symantec and AWS
(Chinese title: Symantec and AWS join hands to build a secure cloud architecture)
THE AWS-SYMANTEC PARTNERSHIP TO SECURE THE CLOUD
SYMANTEC IS AN AWS Advanced Technology Partner
We Combine Our Market and Technical Leadership to secure the cloud
• #1 Cyber Security market share
– Endpoint Protection
– Data Loss Prevention
– Managed Security Services
– Email Security.Cloud
• Largest civilian cyber intelligence network
• Leading protection for advanced threats (APTs)
• 75+ AWS accredited SEs
• 36 engineers in an AWS Center of Excellence
Shared Security: AWS and Symantec work together and share cloud security
Who is responsible? What needs to be protected? Where?
Customer: secures assets in the cloud (customer workloads: infrastructure, OS, applications, firewalls, network configuration)
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client Side Data Encryption & Data Integrity Authentication
• Server Side Encryption (File system and/or Data)
• Network Traffic Protection (Encryption, Integrity, Identity)
AWS: secures the cloud (infrastructure)
• Compute, Storage, Database, Networking
• Regions, Availability Zones, Edge Locations (AWS Global Infrastructure)
The Cloud Generation Security Challenge: A Shifting Expanse of Blind Spots
Diagram labels: Headquarters Data Center, Regional Office, Traditional Security Stack, Users, Mobile/BYOD/IoT Endpoints, Cloud Applications and Services, SSL.
• Expanding use of encryption creates blind spots
• The traditional security stack has lost significant visibility as resources go direct-to-net
• Cloud applications are causing organizations to lose control over their resources
• Rapidly growing landscape of unprotected devices
Innovation for the Cloud Generation: Securing a New World of Devices, Networks and Applications
• Protection from Advanced Threats
• Securing the Mobile Workforce
• Ensuring Safe Cloud Usage
• Information Protection
Diagram labels: Advanced Threat Protection across Email, Web and Endpoint; Headquarters Data Center, Regional Office, Users.
Innovation for the Cloud Generation: Protection from Advanced Threats
PROTECT AND MANAGE ENDPOINTS AND DEVICES
• Proactively block known and unknown threats with machine learning
SECURE DATACENTER ENVIRONMENTS
• Protect servers and data repositories, and ensure compliance across physical, virtual and cloud-based workloads
PROTECT WEB & EMAIL
• Inbound and outbound web and email security, with protection against targeted attacks, spear phishing, advanced malware, spam and bulk mail
MANAGING ENCRYPTION RESPONSIBLY
• Leverage policy to responsibly decrypt and feed security controls for visibility
DISCOVER AND REMEDIATE
• Leverage combined intelligence to automatically remediate impacted assets
THE MOST COMPREHENSIVE SECURITY PORTFOLIO: THREAT PROTECTION
Threat Protection
• File Upload/Download Scanning: Protection Engine Cloud
• Endpoint Protection, Data Center Security, Advanced Endpoint: Endpoint Protection Cloud, Data Center Security Advanced, Workload Protection
• Advanced Persistent Threat: Advanced Threat Protection
• Compliance: Control Compliance Suite
Symantec Endpoint Security in AWS
Diagram labels (shared by the three scenarios): SEPM (Symantec Endpoint Protection Manager), SEP Clients, AWS Cloud, On-Prem Network; SEPM/client traffic on TCP 8014; cloud-side Symantec LiveUpdate and Symantec Insight/SONAR services over TCP 80 and TCP 443; VPC = one big network (via VPN or AWS Direct Connect).
Scenario 1: Born in the Cloud
• Spins up a few hundred servers for only 8 weeks of the year (peak need)
• Deletes the environment at the end
• Wants to only pay for the 8 weeks
Scenario 2: Expand to the Cloud
• Use VPC to make the AWS network a logical extension of the corporate network
• AWS Cloud workloads show up as they would anywhere else on the network
Scenario 3: Large Partner Managing from the Cloud
• SEPM installed in AWS acting as a cloud-based manager
• 190k clients managed from 14 SEPMs running in AWS (groups of 4, 4 and 6 SEPMs, each serving regional endpoints, across the Americas, Europe and Asia)
Secure File Sharing (Large Telco)
Components: Mobile Device; File Sharing Systems and Symantec Protection Engine for Cloud Services on Amazon EC2; User Information in RDS; Amazon S3; two Amazon SQS queues.
1. Upload
2. Save contents to S3
3. Update meta information (no check)
4. Subscriber verification
5. Asynchronous queuing
6. Complete upload
7. Asynchronous processing
8. Get content
9. Threat detection & content control
10. Input asynchronous processing result
11. Get processing result
12. Update meta information (checked)
• 42 AWS instances of SPE CS on average running
• AWS auto scaling as needed
• 80 million messages/day processed
• 28 million subscribers
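The twelve steps above describe a quarantine-until-scanned pipeline: the object lands in S3 and is recorded as unchecked, a scan request is queued through SQS, Protection Engine instances scan it asynchronously, and only then does the metadata flip to checked. The Python script below is an added illustration of that flow, not code from the telco or from Symantec. Everything in it is a constructed stand-in: dicts for the S3 bucket and the RDS metadata table, deques for the two SQS queues, a byte marker in place of the engine's real detection content, and a small subscriber table. The download gate at the end is this example's own design choice; it makes explicit what the "no check" / "checked" metadata states are for.

```python
"""Quarantine-until-scanned upload pipeline modelled on the 12-step flow.

Added example with constructed in-memory stand-ins; not production code.
"""
from collections import deque
import hashlib
import secrets

OBJECT_STORE: dict[str, bytes] = {}   # stand-in for the S3 bucket
META_DB: dict[str, dict] = {}         # stand-in for the RDS metadata table
SCAN_REQUESTS: deque = deque()        # SQS queue written at step 5, read at step 7
SCAN_RESULTS: deque = deque()         # SQS queue written at step 10, read at step 11

# Constructed stand-in for the engine's detection content and a size policy.
BLOCKED_MARKERS = [b"DEMO-MALWARE-MARKER"]
MAX_BYTES = 10 * 1024 * 1024

VALID_SUBSCRIBERS = {"sub-1001", "sub-1002"}   # constructed subscriber table

def upload(subscriber_id: str, content: bytes) -> str:
    """Steps 1-6: store the object, record it as unchecked, verify the
    subscriber, enqueue a scan request and acknowledge the upload."""
    file_id = secrets.token_hex(8)
    OBJECT_STORE[file_id] = content                                   # step 2
    META_DB[file_id] = {"owner": subscriber_id,
                        "status": "unchecked",                        # step 3
                        "verdict": None}
    if subscriber_id not in VALID_SUBSCRIBERS:                         # step 4
        META_DB[file_id]["status"] = "rejected"
        OBJECT_STORE.pop(file_id)
        raise PermissionError("unknown subscriber")
    SCAN_REQUESTS.append({"file_id": file_id,                          # step 5
                          "sha256": hashlib.sha256(content).hexdigest()})
    return file_id                                                     # step 6

def scan_worker() -> int:
    """Steps 7-10: the scanning tier drains the request queue, fetches each
    object, scans it and posts a verdict. Returns the number of jobs handled."""
    processed = 0
    while SCAN_REQUESTS:
        job = SCAN_REQUESTS.popleft()                                  # step 7
        content = OBJECT_STORE.get(job["file_id"], b"")                # step 8
        # step 9: integrity check first, then threat detection and content control
        if hashlib.sha256(content).hexdigest() != job["sha256"]:
            verdict = "integrity-failure"
        elif any(marker in content for marker in BLOCKED_MARKERS):
            verdict = "malicious"
        elif len(content) > MAX_BYTES:
            verdict = "policy-violation"
        else:
            verdict = "clean"
        SCAN_RESULTS.append({"file_id": job["file_id"], "verdict": verdict})  # step 10
        processed += 1
    return processed

def result_collector() -> int:
    """Steps 11-12: the file-sharing tier reads verdicts and marks the
    metadata as checked; anything not clean is quarantined (object dropped)."""
    updated = 0
    while SCAN_RESULTS:
        res = SCAN_RESULTS.popleft()                                   # step 11
        meta = META_DB[res["file_id"]]
        meta["verdict"] = res["verdict"]
        meta["status"] = "checked"                                     # step 12
        if res["verdict"] != "clean":
            OBJECT_STORE.pop(res["file_id"], None)
        updated += 1
    return updated

def download(file_id: str) -> bytes:
    """Sharing gate: serve only objects that are checked and clean. An
    unchecked object is refused rather than served optimistically."""
    meta = META_DB.get(file_id)
    if meta is None or meta["status"] != "checked" or meta["verdict"] != "clean":
        state = (meta["status"], meta["verdict"]) if meta else ("missing", None)
        raise PermissionError(f"{file_id}: not available, state={state}")
    return OBJECT_STORE[file_id]

if __name__ == "__main__":
    good = upload("sub-1001", b"quarterly report")
    bad = upload("sub-1002", b"invoice DEMO-MALWARE-MARKER")
    try:
        download(good)
    except PermissionError as err:
        print("before scan:", err)
    scan_worker()
    result_collector()
    print("after scan:", download(good))
    print("quarantined:", META_DB[bad])
```

The integrity check at step 9 is worth keeping in a real deployment: the worker hashes what it fetched from the store and compares it with the digest recorded when the job was queued, so an object swapped between upload and scan cannot ride a clean verdict.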
Innovation for the Cloud Generation: Ensuring Safe Cloud Usage
Diagram labels: Headquarters Data Center, Regional Office, Users, Mobile/BYOD/IoT Endpoints.
PROTECT INFORMATION
• Inspect and classify sensitive content
• Protect content before it leaves organizational control
• Encrypt and tokenize content as it interacts with cloud applications and devices
MANAGE CLOUD APPLICATION USAGE
• Consolidate security control and visibility over sanctioned cloud applications
• Gain visibility into shadow IT computing usage
THE MOST COMPREHENSIVE SECURITY PORTFOLIO: INFORMATION PROTECTION
Information Protection
• Data Protection: Data Loss Prevention
• Multi-factor Authentication: Validation and ID Protection
• Asset encryption: Encryption
• Secure communications: SSL & mPKI
Blue Coat Tokenization Process
Diagram: User Web Browser -> Blue Coat Web Gateway (Cloud Data Protection, backed by a Token Map Repository) -> Cloud Application.
Blue Coat Cloud Data Protection User Experience
Diagram: Authorized Users -> Blue Coat Cloud Data Protection Platform(s) -> Info Stored & Processed in the Cloud; Non-authorized Users -> Direct Connection to Salesforce.com. FUNCTIONALITY PRESERVED.
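The diagram shows the gateway pattern but not what the token map actually does. The Python below is an added example of a tokenizing gateway, not Blue Coat's or Symantec's code: sensitive fields of an outbound record are swapped for random tokens, the token map stays on the gateway side, the cloud application stores only tokens, and a reader who comes back through the gateway (authorized) gets the clear values restored while a direct connection sees only tokens. The field names, records and the dict that stands in for the cloud application are all constructed.

```python
"""Tokenizing gateway modelled on the Cloud Data Protection diagram.

Added example with constructed stand-ins; not the product's code or format.
"""
import secrets

# Policy: fields that must never leave in clear text (constructed names).
SENSITIVE_FIELDS = {"customer_name", "national_id", "contract_value"}

TOKEN_MAP: dict[str, str] = {}     # token -> clear value (the token map repository)
REVERSE_MAP: dict[str, str] = {}   # clear value -> token, so equal values share a token
CLOUD_APP: dict[str, dict] = {}    # stand-in for the SaaS record store
TOKEN_PREFIX = "tok_"

def tokenize_value(clear: str) -> str:
    """Replace a clear value with a random token. The token is not derived from
    the value, so reversing it requires access to the token map repository."""
    if clear in REVERSE_MAP:
        return REVERSE_MAP[clear]
    token = TOKEN_PREFIX + secrets.token_urlsafe(12)
    TOKEN_MAP[token] = clear
    REVERSE_MAP[clear] = token
    return token

def outbound(record: dict) -> dict:
    """Gateway path browser -> cloud: tokenize sensitive fields, pass the rest.
    Non-string sensitive values are stringified before tokenization."""
    return {k: (tokenize_value(str(v)) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}

def inbound(record: dict, authorized: bool) -> dict:
    """Gateway path cloud -> browser: an authorized user (via the gateway) gets
    values restored; anyone else receives exactly what the cloud stored."""
    if not authorized:
        return dict(record)
    return {k: (TOKEN_MAP.get(v, v) if isinstance(v, str) else v)
            for k, v in record.items()}

def save_to_cloud(record_id: str, record: dict) -> dict:
    stored = outbound(record)
    CLOUD_APP[record_id] = stored
    return stored

def read_from_cloud(record_id: str, authorized: bool) -> dict:
    return inbound(CLOUD_APP[record_id], authorized)

def search_cloud_by_name(name: str) -> list:
    """Functionality preserved: equal clear values map to equal tokens, so the
    gateway tokenizes the search term and the cloud matches on tokens."""
    needle = REVERSE_MAP.get(name)
    if needle is None:
        return []
    return [rid for rid, rec in CLOUD_APP.items() if rec.get("customer_name") == needle]

if __name__ == "__main__":
    print(save_to_cloud("r1", {"customer_name": "Li Wei", "national_id": "ID-DEMO-0001",
                               "contract_value": 2500000, "region": "CN"}))
    print("direct:", read_from_cloud("r1", authorized=False))
    print("via gateway:", read_from_cloud("r1", authorized=True))
    print("search:", search_cloud_by_name("Li Wei"))
```

The deterministic mapping (same clear value, same token) is what keeps exact-match search working in the cloud application, and it is also the trade-off to be aware of: the cloud can tell that two records share a value even though it cannot tell what the value is. Where that equality leak matters more than search, issue a fresh token per occurrence and accept that cloud-side search on that field stops working.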
CASE STUDY: Global 100 Manufacturing Company
Cloud Inhibitors:
• Chinese data residency and state secrecy laws blocking the ability to adopt cloud solutions with data centers outside of China
• Primary concerns with the Financial Services arm, which arranges financing of large equipment and other financing services offerings
The Business Requirement:
• Needed to consolidate all global operations/divisions on a single platform
The Solution:
• Blue Coat Cloud Data Protection deployed to satisfy extremely strict data sovereignty/state secrecy guidelines
DLP Endpoint Prevent/Discover in AWS
Diagram labels: Corporate Network with Enforce Platform (Policies, Incidents Created); AWS Cloud with DLP Endpoint Server (Policies, Incidents Created) and Roaming Endpoints; registered TCP port (1024-49151) between Corporate Network and AWS Cloud.
Control usage of confidential data
• Monitor and control the use of data on endpoints connected to the Internet
Seamlessly integrate AWS and Symantec
• Integrate Data Loss Prevention with native AWS services like EC2, VPC and Route 53
• Rapidly spin up detection servers in AWS
• Extend data loss policies from your existing Data Loss Prevention system to AWS
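The DLP slides all reduce to the same loop: policies are pushed to a detection server, content is inspected against them, and incidents are created. The following Python is an added example of that loop, not Symantec DLP's engine or policy format: three constructed policies (payment card numbers validated with a Luhn checksum, an internal codename, and a threshold on the number of e-mail addresses in one document) are run over a constructed sample document from a constructed endpoint name, and each policy that fires produces an incident whose sample matches are masked so the incident record is not itself a second copy of the sensitive data.

```python
"""Policy-driven content inspection emitting incidents, in the style of the
"Policies -> Incidents Created" DLP flow. Added example; policies, document
and endpoint name are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to drop 16-digit numbers that are not card numbers."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
        double = not double
    return total % 10 == 0

@dataclass
class Policy:
    name: str
    pattern: re.Pattern
    min_matches: int = 1                                  # threshold before an incident
    validator: Optional[Callable[[str], bool]] = None     # optional per-match check
    severity: str = "medium"

@dataclass
class Incident:
    policy: str
    severity: str
    source: str
    match_count: int
    samples: list = field(default_factory=list)           # masked, never raw values

POLICIES = [
    Policy("Payment card numbers", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
           validator=lambda m: luhn_ok(re.sub(r"[ -]", "", m)), severity="high"),
    Policy("Internal project codename", re.compile(r"\bPROJECT-(?:ORCHID|BASALT)\b")),
    Policy("Bulk e-mail addresses", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
           min_matches=5, severity="low"),
]

def mask(value: str) -> str:
    """Keep only the last four characters of a match in the incident record."""
    return "*" * max(0, len(value) - 4) + value[-4:]

def inspect(source: str, text: str, policies=POLICIES) -> list:
    """Run every policy over the text and return one Incident per policy that
    reaches its threshold after validation."""
    incidents = []
    for pol in policies:
        hits = [m.group(0) for m in pol.pattern.finditer(text)]
        if pol.validator is not None:
            hits = [h for h in hits if pol.validator(h)]
        if len(hits) >= pol.min_matches:
            incidents.append(Incident(pol.name, pol.severity, source, len(hits),
                                      [mask(h) for h in hits[:3]]))
    return incidents

# Constructed sample document. 4111 1111 1111 1111 is a Luhn-valid test number;
# 1234 5678 9012 3456 is 16 digits but fails Luhn and must not raise an incident.
SAMPLE_DOC = """
Forwarding the PROJECT-ORCHID pricing sheet as discussed.
Card on file: 4111 1111 1111 1111 (test card), reference 1234 5678 9012 3456 is not a card.
Contacts: a@example.com, b@example.com, c@example.com, d@example.com, e@example.com, f@example.com
"""

if __name__ == "__main__":
    for inc in inspect("endpoint-laptop-042", SAMPLE_DOC):
        print(inc)
```

The validator and the threshold are the two knobs that keep an endpoint agent from drowning the Enforce side in noise: a bare 16-digit regex fires on order numbers and reference IDs, and a single e-mail address in a document is normal, while dozens usually is not.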
DLP Network Discover/Prevent in AWS
Diagram labels: Corporate Network with Enforce Platform (Policies, Incidents Created); AWS Cloud with DLP Network Discover scanning Exchange, CIFS/SMB and SharePoint; registered TCP port (1024-49151) between Corporate Network and AWS Cloud.
Discover and protect data stored in AWS with Symantec Data Loss Prevention
• Files stored in AWS-hosted instances of Microsoft SharePoint, Exchange, and CIFS/SMB
Seamlessly integrate AWS and Symantec
• Integrate Data Loss Prevention with native AWS services like EC2, VPC and Route 53
• Rapidly spin up detection servers in AWS
• Extend data loss policies from your existing Data Loss Prevention system to AWS
NOTE: CONFIGURATION NEEDED ON BOX ACCOUNT TO POINT TO DLP IN AWS CLOUD
DLP Network Prevent for O365 Email in AWS, with Symantec .Cloud for final mail delivery
Diagram labels: Corporate Network with Enforce Platform (Policies, Incidents Created); AWS Cloud with DLP Network Prevent for O365 Email; Symantec .Cloud MTA; End User Mailbox; registered TCP port (1024-49151) between Corporate Network and AWS Cloud.
Monitor and protect Email in AWS with Symantec Data Loss Prevention
• Email sent from AWS-hosted instances of Microsoft Exchange
Seamlessly integrate AWS and Symantec
• Integrate Data Loss Prevention with native AWS services like EC2, VPC and Route 53
• Rapidly spin up detection servers in AWS
• Extend data loss policies from your existing Data Loss Prevention system to AWS
DLP Completely in AWS
Diagram labels: Corporate Network; AWS Cloud with Enforce Platform (Policies, Incidents Created), DLP Network Discover scanning Exchange, CIFS/SMB and SharePoint, and DLP Endpoint Server (Policies, Incidents Created) serving Roaming Endpoints.
Discover, monitor and protect data stored in AWS with Symantec Data Loss Prevention
• Email sent from AWS-hosted instances of Microsoft Exchange
• Files stored in AWS-hosted instances of Microsoft SharePoint, Exchange, and CIFS/SMB
Control usage of confidential data
• Monitor and control the use of data on endpoints connected to the Internet
Seamlessly integrate AWS and Symantec
• Integrate Data Loss Prevention with native AWS services like EC2, VPC and Route 53
• Rapidly spin up detection servers in AWS
Innovation for the Cloud Generation: Industry Has Created Cloud Security Chaos
Complications of Cloud Adoption
• Who owns the comprehensive Service Level Agreements?
• Single pane of glass?
• Redundancy & high availability?
• Vendor compatibility?
Diagram: a separate provider for each function: Cloud Web Gateway, Cloud DLP, Cloud Data Encryption, Cloud Access Control, Cloud Sandbox, Cloud Breach Analysis, Cloud Forensic / Recording, Cloud Email Scanning, Cloud DDoS, UBA.
Innovation for the Cloud Generation: Delivering a Consolidated and Consumable Cloud Security Model
Advantages of a Consolidated Cloud
• Clear SLA and RCA
• Single Pane of Glass
• Unified Reporting and Management
• Inherent Performance Benefits
• Redundancy & High Availability
• Global Scale
• Same level of visibility, protection, and forensic capabilities for remote traffic
Simplicity Delivered: SYMANTEC CLOUD SECURITY SERVICES with 3rd PARTY INTEGRATION
For the growing % of traffic not transiting through HQ, how can we help our customers have the same level of visibility, protection, detection and forensic capabilities, without the complexity of managing many security clouds?
THE MOST COMPREHENSIVE SECURITY PORTFOLIO: CYBER SECURITY SERVICES
Cyber Security Services
• Threat Monitoring and Analysis: Managed Security Services
• Visibility to Global Threats: DeepSight
• Incident Response: Incident Response
• Threat Simulation Training: Simulation
A Portfolio to Deliver Cloud Generation Security, Positioned for a Continued Future of Industry Leadership
Products: Endpoint Security, Data Loss Prevention, Server Security, User Authentication, Email Security, ATP, Network Forensics, Web Security, Cloud Security, Encrypted Traffic Management
Cloud Generation Security themes: Protection from Advanced Threats, Securing a Mobile Workforce, Ensuring Safe Cloud Usage
CURRENT SYMANTEC PRODUCTS OFFERED THROUGH AWS
Marketplace AWS Instance
• Symantec Endpoint Protection Manager (BYOL & Paid)
• Control Compliance Suite (BYOL & Paid)
• Symantec Protection Engine (BYOL & Paid)
• Complete Symantec Enterprise Security Portfolio
Payment Options
• Hourly/yearly billing
• BYOL
• Hourly billing (IaaS/PaaS)
• BYOL (ISV)
Test Drive (Free)
• Control Compliance Suite
• Symantec Protection Engine
• Symantec Endpoint Protection
• Data Center Security – Server Advanced
NEXT STEPS
• Workshop
• POC/Test Drive