(SPOT303) Security Operations at Massive Scale
Transcript of (SPOT303) Security Operations at Massive Scale
![Page 1: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/1.jpg)
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
George Stathakopoulos, VP Amazon.com, Information Security
Stephen Schmidt, VP AWS Security Engineering & CISO
October 2015
SPOT303
Security Operations
at a Massive Scale
![Page 2: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/2.jpg)
Brothers raised in the same household
With different viewpoints:
• George – responsible for security of Amazon.com
• Steve – responsible for security of AWS
![Page 3: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/3.jpg)
Two guys moving toward the same goal
What we share
• Amazon wants and needs speed and flexibility
• For flexibility, Amazon needs massive capacity
  – Wasted when business is slow
• AWS provides speed, capacity, and flexibility
  – What you need when you need it
![Page 4: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/4.jpg)
Why Move Amazon to AWS?
![Page 5: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/5.jpg)
So Why the Cloud?
AWS makes security more agile
Lets you move fast while staying safe
![Page 6: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/6.jpg)
AWS Security Team
Operations
Application Security
Engineering
Compliance
Aligned for agility
![Page 7: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/7.jpg)
Security Ownership as Part of DNA
Promotes culture of “everyone is an owner” for security
Makes security stakeholder in business success
Enables easier and smoother communication
Distributed Embedded
![Page 8: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/8.jpg)
Operating Principles
Separation of duties
Different personnel across service lines
Least privilege
![Page 9: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/9.jpg)
Technology to Automate Operational Principles
Visibility through log analytics
Shrinking the protection boundaries
Ubiquitous encryption
![Page 10: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/10.jpg)
Pack your bags. We’re moving!
![Page 11: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/11.jpg)
Enterprise Challenges
Fear of losing control
• Logs
• Data centers
• ACLs
• and and and
![Page 12: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/12.jpg)
AWS Advantages
AWS provides more: control, visibility, auditability, agility
• Logging
  – CloudWatch Logs
  – AWS Config
  – VPC Flow Logs
• Data centers
  – AWS Management Console
• ACLs
  – AWS Identity and Access Management (IAM)
![Page 13: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/13.jpg)
Enterprise Challenges
Shared responsibility does not absolve you of your security role, but lessens the load.
You still need to maintain control of the application layer.
![Page 14: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/14.jpg)
Shared Workload
Hosted services
• Amazon WorkMail
• Amazon WorkSpaces
• Amazon WorkDocs
• Don’t need a team of people managing a fleet of Exchange servers
• Instead need to manage subscriptions to APIs
• Maintaining two infrastructures until the tipping point where all new apps are developed and launched in the cloud
![Page 15: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/15.jpg)
Shared Workload
Iteratively migrate workloads until you reach that tipping point
![Page 16: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/16.jpg)
Looking Back
• Ensure the move is coordinated well
• Move different sections of the business at different times
• Make sure you consider:
  – Identity federation: IAM
  – Access control: AWS Directory Service
  – Logging: CloudWatch
![Page 17: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/17.jpg)
Lessons Learned
• People move applications without considering all options
• “Gold Rush” mentality
  – Snapping up instances that aren't needed: too big, too many, etc.
![Page 18: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/18.jpg)
Look Forward
There is a tipping point where you leave your traditional mentality behind and embrace a new way of thinking
![Page 19: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/19.jpg)
Benefits of the Cloud
What are the advantages?
• Uptime
• Recoverability
• Lessons learned from others
• Tiny bubbles
  – Small moves into the cloud
  – Small blast radius should something go amiss
![Page 20: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/20.jpg)
Looking Forward
• The future is now!
• Improvements
  – Logging
  – Visibility
  – Instantaneous firewall changes
• Coming challenges
  – Collecting vast amounts of data
  – Analyzing this data
  – Acting on this data
![Page 21: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/21.jpg)
Structure your staff appropriately
![Page 22: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/22.jpg)
Design & Deploy
Define sensible defaults
Inherit compliance controls
Use available security features
Manage templates - not instances
![Page 23: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/23.jpg)
Operate & Improve
Constantly reduce the role of people
Reduce privileged accounts
Concentrate on what matters
![Page 24: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/24.jpg)
Remember to complete your evaluations!
![Page 25: (SPOT303) Security Operations at Massive Scale](https://reader031.fdocuments.us/reader031/viewer/2022030309/58f2d3cd1a28abf7338b459d/html5/thumbnails/25.jpg)
Thank you!