Date post: | 20-Aug-2015 |
Category: |
Technology |
Upload: | cloudcamp-chicago |
View: | 355 times |
Download: | 1 times |
Organizer !Margaret WalkerCohesiveFT !!Tweet: @MargieWalker #AWSChicago
Sponsored by
Hosted by
#AWSChicago
!
AWS Chicago Meetup !
July?
6:00 pm Introductions 6:10 pm Lightning Talks !
Live from DC! - Ben Hagen, Senior Cloud Security Engineer at Netflix @benhagen "Securing your AWS installation" - Bryan Murphy, Technical Architect at Mediafly @bryanmurphy "Advanced Monitoring and Detection on Linux-based workloads in AWS" - Aaron Botsis, Lead Product Manager at ThreatStack @aaronb "AWS Security best practices" - Mattew Long, Founder and CEO at roZoom, Inc @mlong168 !
6:30 pm Q & A 7:00 pm Networking, drinks and pizza
Agenda Sponsored by
Hosted by
#AWSChicago
“Live from DC!” !Ben Hagen Senior Cloud Security Engineer at Netflix !Tweet: @benhagen#AWSChicago !
Sponsored by
Hosted by
#AWSChicago
“Securing your AWS installation” !Bryan Murphy Technical Architect at Mediafly !Tweet: @bryanmurphy#AWSChicago !
Sponsored by
Hosted by
#AWSChicago
Safe Harbor Statement: Our discussions may include predictions, estimates or other information that might be considered forward-looking. While these forward-looking statements represent our current judgment on what the future holds, they are subject to risks and uncertainties that could cause actual results to differ materially. You are cautioned not to place undue reliance on these forward-looking statements, which reflect our opinions only as of the date of this presentation. Please keep in mind that we are not obligating ourselves to revise or publicly release the results of any revision to these forward- looking statements in light of new information or future events. Throughout today’s discussion, we will attempt to convey some important factors relating to our business that may affect our predictions. © 2006-2014 Mediafly, Inc. | Confidential
Infrastructure Security Best PracticesOn Amazon Web Services
Bryan Murphy
© 2006-2014 Mediafly, Inc. | Confidential
Mediafly, Inc.Technical ArchitectBack-end services, video processing, scaling and architecture
Mobitrac, Inc.Senior DeveloperTravelling salesman problem, routing algorithms, and mapping
RBC/Centura MortgageLead Web DeveloperOnline loan officer hosting platform and rate search engine
Who am I?
© 2006-2014 Mediafly, Inc. | Confidential
Who are we?
“The Content Mobility Cloud”
We process and store highly sensitive content for Fortune 500 customers, and deliver that content to white-labeled mobile apps and the web
• Sales presentations and selling collateral• Pre-release/pre-air video
Customers include:• Global banks• Leading consumer-packaged goods companies• TV and theatrical studios
Small, passionate, growing team• We are hiring! Search mediafly careers
© 2006-2014 Mediafly, Inc. | Confidential
Infrastructural Security
Three major areas:
Content Infrastructure Operations
● Keeping content encrypted from ingest through delivery
● E.g. key exchange, at-rest encryption, DRM, more
● Hardening server security while ensuring reliability, performance and low cost
● E.g. users and roles, VPC, server bootstrapping
● Ensuring procedures and personnel keep content secure
● E.g. managing account termination, principles of least privilege
© 2006-2014 Mediafly, Inc. | Confidential
Secure All Communication
The cloud is a hostile environment• Service limitations (no private load balancers,
security group limits)• Network limitations (no multicast, no shared ip
addresses, etc.)• Noisy neighbors• Malicious third parties
What to do:• SSL/TLS everywhere• Encrypt: transports, configuration, data, binaries• Use standard tools (openssl/gnupg) • Implement authorization for internal services
© 2006-2014 Mediafly, Inc. | Confidential
Authorization and Access Control
Restricted Access• Many credentials, limited permissions• Restricted one-time-use accounts or accounts
with expiration where possible
Protecting Credentials• Use public key cryptography• Store encrypted credentials in source control
IAM Accounts vs. Roles• Roles: good for isolated servers, boot• Accounts: good for services, users
DENIED!
© 2006-2014 Mediafly, Inc. | Confidential
Isolate Services and CustomersIsolation
• Isolate services and environments from each other using bulkheads
• Examples: VPN, ssh proxy, REST API, message queues
Stateless Servers• Deliver credentials as needed using public key
cryptography• Execute in sandbox• Purge sandbox on completion
© 2006-2014 Mediafly, Inc. | Confidential
Verification
Automated Security Testing
Regular Audits• Manual internal audits• Third party automated testing• Third party security audits
Logging
Monitoring
© 2006-2014 Mediafly, Inc. | Confidential
Infrastructural Security is a Balancing Act
Secure Flexible
© 2006-2014 Mediafly, Inc. | Confidential
Thank you!
Bryan Murphy
twitter.com/bryanmurphy
twitter.com/mediafly
“Advanced Monitoring and Detection on Linux-based workloads in AWS” !Aaron Botsis Lead Product Manager at ThreatStack !Tweet: @aaronb#AWSChicago !
Sponsored by
Hosted by
#AWSChicago
ADVANCED SECURITY MONITORING FOR
THE CLOUD
Aaron Botsis @aaronb, @threatstack
who is logging into my (machines|applications|SaaS accounts) !
what are they are running !
of running apps, what are making network activity, and where !
every kernel module loaded every library
every file created/modified/removed everything!!!!
but why stop there?
but aaron, why?
!
prevention fails
thanks, aaron
step 1: audit all of the things
logins processes
network activity file access
kernel modules shared libraries
// `curl google.com` emits this: !{ id: 1018103008, start: 1399236274, end: 1399236275, duration: 1, protocol: 'tcp', byte_count: 1195, packet_count: 11, src_ip_numeric: 3232300674, dst_ip_numeric: 1127355157, src_ip: '192.168.254.130', dst_ip: '67.50.19.21', src_port: 37814, dst_port: 80 }
by thinking inside the box
step 2: build behavior
profilesdoes apache always spawn a shell?
does that shell always switch privs to root? does root always make network connections to China?
..by thinking outside the box
step 3: anomalies help
prevent devs know app best
behavior deviations help identify attack new vectors create rules to looks for known misbehavior
disable behavioral detection programmatically
Why DevOps.!(…a tangent)
bonus: detection
thank you.
“AWS Security best practices” !Mattew Long Founder and CEO at roZoom, Inc !Tweet: @mlong168#AWSChicago !
Sponsored by
Hosted by
#AWSChicago
About Me
President & CEO @roZoomTwitter @mlong168Linkedin: http://linkd.in/T90u7l
AWS Security: Act One
To ensure a secure global infrastructure, AWS configures infrastructure components and provides services and features you can use to enhance security, such as the Identity and Access Management (IAM) service, which you can use to manage users and user permissions in a subset of AWS services. To ensure secure services, AWS offers shared responsibility models for each of the different type of service that we offer:
● Infrastructure services ● Container services ● Abstracted services
Infrastructure Services
Container Services
Abstracted Services
Security Best PracticesAWS Management Console/IAM
Security Best PracticesAWS Management Console: Enable Two Factor Authentication
Security Best PracticesAWS OS-Level Access to EC2
● Options for security of encryption keys:○ Store of on encrypted media○ CloudHSM○ LDAP/IAM Bridge: http://bit.ly/1lNlgV8○ Gazzang: http://bit.ly/1lNkO9m
● Options for Os-Level Authentication○ LDAP/Active Directory/Kerbose, etc..○ Two-Factor auth: Google Authenticator (http:
//bit.ly/1lNtwo5),Wikid, RSA○ LDAP/IAM Bridge: http://bit.ly/1lNlgV8
Security Best PracticesProtecting Data at Rest
For regulatory or business requirement reasons, you might want to further protect your data at rest stored in Amazon S3, on Amazon EBS, Amazon RDS, or other services from AWS.
● Accidental information disclosure ● Data integrity compromise ● Accidental deletion ● System, infrastructure, hardware or software
availability
Security Best PracticesProtecting Data at Rest: S3
Security Best PracticesProtecting Data at Rest: EBS
Security Best PracticesProtecting Data at Rest: RDS/Databases/EMR,etc
● Ensure you encrypt any sensitive information on disk or at the database level
● Always segment out data layer from application layer● If access if require from outside of AWS regions or
network, make sure you use SSL or VPC to encrypt data
Security Best PracticesProtecting Data in Transit
Security Best PracticesNetwork Layering
Security Best PracticesOther Topics
● DDoS Protection: Black Swan, Cloudflare, Cloudfront ● Monitoring and Alerting: Garylog2, Fluentd, Splunk,
Cloudtrail● Unified Threat Management : AlienVault● Vulnerability Scanning: MetaSploit, Nessus● IDS: Snort, OSSEC● Web Application Firewalls: Imperva, Modsecurity● Data Loss Prevention● AWS VPC or Direct connect for on-premise network
access● AWS Trusted Advisor Scanning or Nessus
Credits
Credits go to the following:AWS Security Best Practices: http://bit.ly/T97y3I
Q & A !!Pizza’s almost here! !
!
Sponsored by
Hosted by
#AWSChicago