Security Innovations in the Cloud
Securing Your Data on AWS
Your Data and IP are Your Most Valuable Assets
• $6.53M: average cost of a data breach
• 56%: increase in theft of hard intellectual property
• 70%: of consumers indicated they’d avoid businesses following a security breach
Sources: https://www.csid.com/resources/stats/data-breaches/ and http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
AWS Can Be More Secure Than Your Existing Environment
In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?
• Automating logging and monitoring
• Simplifying resource access
• Making it easy to encrypt properly
• Enforcing strong authentication
AWS and You Share Responsibility for Security
AWS takes care of the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls ON the Cloud:
• Customer applications & content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption
Constantly Monitored: the AWS infrastructure is protected by extensive network and security monitoring systems:
• Network access is monitored by AWS security managers daily
• AWS CloudTrail lets you monitor and record all API calls
• Amazon Inspector automatically assesses applications for vulnerabilities
Highly Available: the AWS infrastructure footprint protects your data from costly downtime
• 38 Availability Zones in 14 regions for multi-synchronous geographic redundancy
• Retain control of where your data resides for compliance with regulatory requirements
• Mitigate the risk of DDoS attacks using services like Auto Scaling and Amazon Route 53
Integrated With Your Existing Resources: AWS enables you to improve your security using many of your existing tools and practices
• Integrate your existing Active Directory
• Use dedicated connections as a secure, low-latency extension of your data center
• Provide and manage your own encryption keys if you choose
Key AWS Certifications and Assurance Programs
Sophos Security for AWS
Bryan Nairn, CISSP, Director of Product Marketing – Sophos
Introduction to Sophos
• Recognized leader in Endpoint Protection, Mobile Data Protection, and Unified Threat Management.
• Long history of helping customers secure their applications, data, endpoints, and networks—both on-premises and more recently in the cloud.
• Our solutions help secure more than 200,000 customers in over 150 countries.
• Customers like Xerox, Under Armour, Pixar, Northrop Grumman, Ford, Avis, and Amazon.
AWS Security Competency Partner
AWS and You Share Responsibility for Security (where Sophos fits)
AWS takes care of the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls ON the Cloud:
• Customer Applications & Content
• Identity & Access Control
• Network Security
• Inventory & Config
• Data Encryption
Sophos: Host Security, IPS, NGFW, OGW, VPN, WAF
Sophos UTM: Next Generation Firewall
Unified Threat Management (UTM) Next Generation Firewall – combines multiple security tools into a single solution:
• All-in-one solution that helps reduce complexity and save you money
• Infrastructure Protection
• Web Application Firewall (WAF)
• Intrusion Prevention System (IPS)
• Sandstorm Protection (ATP and Cloud Sandboxing)
• High Availability (HA) and redundancy supporting multiple Availability Zones (AZ)
• Auto Scaling WAF that automatically scales to inspect all web traffic
• Built-in load balancer support for ELB and site-to-site VPN configuration for VPC
• CloudFormation templates that automatically deploy and configure Sophos UTM
Sophos UTM on AWS
Sophos UTM is integrated with AWS services to make deployment and management easy:
• Amazon Elastic Load Balancing
• AWS CloudFormation
• Amazon S3
• Auto Scaling
Sophos UTM Deployment and Pricing
• Deploy directly from AWS Marketplace
• Evaluate under free trial
• Easy pay-as-you-go pricing
• Leverage an existing investment with the bring-your-own-license (BYOL) option
Sophos UTM Security: Inbound & Outbound Traffic
• Elasticity for inbound WAF traffic & outbound VDI traffic
• Supports VPC peering and solves the transitive peering problem
• Supports shared services architecture between multiple VPCs
• Provides redundancy and automatic failover of routes across AZs
• Same solution used by Amazon for “Office in a Box” (Steve Mueller’s presentation at re:Invent, ISM403: https://www.youtube.com/watch?v=kawZBGCLBJU)
Sophos UTM Deployment Options – Single Instance HA
(Diagram: a Sophos UTM in Availability Zone #1 and a Sophos UTM standby (HA) in Availability Zone #2, each with instances behind it, with an ELB.)
Sophos UTM WAF with Auto Scaling
(Diagram: a Sophos UTM controller and Auto Scaling Sophos UTM workers placed between two Amazon ELBs, fronting instances; orchestrated with Amazon SNS, Amazon S3, AWS CloudFormation, Amazon CloudWatch and Auto Scaling.)
Sophos UTM OGW with Auto Scaling
(Diagram: a Sophos UTM controller and Auto Scaling Sophos UTM workers acting as WorkSpaces Outbound Gateway (OGW); orchestrated with Amazon SNS, Amazon S3, AWS CloudFormation, Amazon CloudWatch, Auto Scaling and Amazon ELB.)
Amazon Office in a Box
(Diagram: users on Amazon-provided hardware, accessing from Corp (wired, wireless, VPN) or from the Internet; Amazon Corp Net (10.x.x.x/8) with Amazon Corp servers, Active Directory and MFA; Kerberos/TGT ticket; streaming gateway IP; US East Amazonians; secure protocols, analogous to VPN (SSL and PCoIP w/ IPSec AES-256).)
Amazon Office in a Box: How client traffic flows
1) Client authenticates (AD and MFA) via Authentication Gateway (SSL)
2) Client brokers desktop session with Session Gateway (SSL)
3) Client accesses desktop through Streaming Gateway (PCoIP w/ IPSec AES-256)
KEY POINT: all corporate network access is untrusted prior to filtering; VGW source filtering by IP.
(Diagram: Amazon.com VPC in US East-1, 10.44.208.0/20; Transit; WorkSpaces; InfoSec Logging; Zero Client Gateway; Authentication Gateway, Session Gateway and Streaming Gateway; Sophos; Internet.)
WorkSpaces Service Broker: A) AWS-managed (public); B) Customer-managed (public or private) – regional proximity, tie into corp via DX, use existing IP space, restrict corp network access.
Securing AWS Workloads with Sophos UTM
Sri Vasireddy, Managing Partner – REĀN Cloud
REĀN Organization Profile
Established: 2013
Presence: USA and India
Number of Employees: 200+
AWS Certifications: 100+ (including 10+ Professional Certifications)
• Management team consisting of executives formerly from Fortune 500 enterprises (AWS, Amdocs, Merck, and Cognizant) with deep AWS cloud computing experience
• Recognized by TechTarget as the top AWS Partner providing innovative DevSecOps services
• 24x7 follow-the-sun model with offices around the world and continuous operations in multiple time zones: EST, PST, and IST
• Premier Partner with DevOps Competency
REĀN Service Offering: REĀN Enterprise Cloud Management (ECM) Portfolio
REĀN services span business consulting and infra services:
• ROI & Business Case Justification
• Cloud Adoption Strategy
• Security & Risk Assessment
• DR & Business Continuity Planning (BCP)
• Cloud Architecture
• DevOps Strategy
• Account Management
• Governance & Compliance
• Cloud Operations Strategy
• Migration
• Native AWS Application Development
• DevOps (CD | CI) Implementation
• Billing as a Service
• Secure Infrastructure Setup
• Managed Cloud Services: AWS Infrastructure, Hybrid On-prem Infrastructure
Roles and Responsibilities
• AWS: provides compute, network, storage infrastructure
• Sophos: provides UTM appliance
• REĀN: provides design and integration services to secure infrastructure using the UTM appliance
REĀN Secure VPC Framework
(Diagram: users on browser and mobile clients reach the VPC from the Internet over an HTML5 VPN connection; the corporate data center and its administrators connect over an IPSec VPN connection; a DMZ with continuous monitoring and access policy; disk encryption key; an Auto Scaling group app tier across availability zones with web servers and app servers; an ElastiCache tier and Amazon RDS.)
Multi-account Management
(Diagram: Customer VPC (172.16.0.0/16) with an AWS container, a DMZ subnet with Internet Gateway and file server subnets; VPN connections from a Sophos UTM to Customer Datacenter 01 (172.16.0.0/16), Customer Datacenter 02 (10.0.0.0/16) and Customer Datacenter 03 (0.30.0.0/16), each running traditional servers.)
Multi-VPN Overlay
(Diagram: Internet of Things and comm servers in Customer VPC 1 (Cust-1) and Customer VPC 2 (Cust-2), each with Amazon RDS MySQL and a VPC VGW site-to-site VPN; a Control VPC with an Elastic IP in a public subnet, Sophos UTM site-to-site VPN and VPN endpoints to each VPC VGW; a site-to-site VPN to the corporate datacenter.)
DevOps Automation
Migrate
• Discover
• Move Image
Deploy
• Provisioning
• Update
Test
• Functional
• Performance
• Security
Document
• Architecture
• Assessment
• Compliance
(Diagram: Web Server (Apache, WP), App Server (Tomcat, Java), DB Server (MySQL, InnoDB).)
Next Steps
• Try out the REAN Cloud UTM Test Drive powered by Sophos – http://www.reancloud.com/test-drive/rean-utm/
• Promotion for Webinar Attendees – Purchase Sophos UTM through REAN Cloud and we will configure it for Auto-Scaling for you for free.
Questions & Answers
Thank you