
Security Innovations in the Cloud

Posted: 06-Apr-2017

Uploaded by: amazon-web-services
Securing Your Data on AWS
Transcript
Page 1: Security Innovations in the Cloud

Securing Your Data on AWS

Page 2: Security Innovations in the Cloud

Your Data and IP are Your Most Valuable Assets

$6.53M: Average cost of a data breach

56%: Increase in theft of hard intellectual property

70%: Of consumers indicated they’d avoid businesses following a security breach

Sources: https://www.csid.com/resources/stats/data-breaches/ and http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html

Page 3: Security Innovations in the Cloud

AWS Can Be More Secure Than Your Existing Environment

In June 2015, IDC released a report which found that most customers can be more secure in AWS than in their on-premises environment. How?

Automating logging and monitoring

Simplifying resource access

Making it easy to encrypt properly

Enforcing strong authentication

Page 4: Security Innovations in the Cloud

AWS and You Share Responsibility for Security

AWS takes care of the security OF the Cloud:

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

You get to define your controls ON the Cloud:

Customer applications & content

Identity & Access Control

Network Security

Inventory & Config

Data Encryption

Page 5: Security Innovations in the Cloud

Constantly Monitored

The AWS infrastructure is protected by extensive network and security monitoring systems:

Network access is monitored by AWS security managers daily

AWS CloudTrail lets you monitor and record all API calls

Amazon Inspector automatically assesses applications for vulnerabilities

Page 6: Security Innovations in the Cloud

Highly Available

The AWS infrastructure footprint protects your data from costly downtime:

38 Availability Zones in 14 regions for multi-synchronous geographic redundancy

Retain control of where your data resides for compliance with regulatory requirements

Mitigate the risk of DDoS attacks using services like AutoScaling, Amazon Route 53

Page 7: Security Innovations in the Cloud

Integrated With Your Existing Resources

AWS enables you to improve your security using many of your existing tools and practices:

Integrate your existing Active Directory

Use dedicated connections as a secure, low-latency extension of your data center

Provide and manage your own encryption keys if you choose

Page 8: Security Innovations in the Cloud

Key AWS Certifications and Assurance Programs

Page 9: Security Innovations in the Cloud

Sophos Security for AWS

Bryan Nairn, CISSP, Director of Product Marketing – Sophos

Page 10: Security Innovations in the Cloud

Introduction to Sophos

Recognized leader in Endpoint Protection, Mobile Data Protection, and Unified Threat Management.

Long history of helping customers secure their applications, data, endpoints, and networks—both on-premises and more recently in the cloud.

Our solutions help secure more than 200,000 customers in over 150 countries.

Customers like Xerox, Under Armour, Pixar, Northrop Grumman, Ford, Avis, and Amazon.

AWS Security Competency Partner

Page 11: Security Innovations in the Cloud

AWS and You Share Responsibility for Security

AWS takes care of the security OF the Cloud:

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

You get to define your controls ON the Cloud:

Customer Applications & Content

Identity & Access Control

Network Security

Inventory & Config

Data Encryption

Sophos covers the customer side with: Host Security, IPS, NGFW, OGW, VPN, WAF

Page 12: Security Innovations in the Cloud

Sophos UTM: Next Generation Firewall

Unified Threat Management (UTM) Next Generation Firewall – combines multiple security tools into a single solution:

All-in-one solution that helps reduce complexity and save you money.

Infrastructure Protection

Web Application Firewall (WAF)

Intrusion Prevention System (IPS)

Sandstorm Protection (ATP and Cloud Sandboxing)

Page 13: Security Innovations in the Cloud

Sophos UTM on AWS

Sophos UTM is integrated with AWS services to make deployment and management easy:

High Availability (HA) and redundancy supporting multiple Availability Zones (AZ)

Auto Scaling WAF that automatically scales to inspect all web traffic

Built-in load balancer support for ELB and site-to-site VPN configuration for VPC

CloudFormation templates that automatically deploy and configure Sophos UTM

Integrated AWS services: Amazon Elastic Load Balancing, AWS CloudFormation, Amazon S3, Auto Scaling

Page 14: Security Innovations in the Cloud

Sophos UTM Deployment and Pricing

Deploy directly from AWS Marketplace

Evaluate under free trial

Easy pay-as-you-go pricing

Leverage an existing investment with the bring-your-own-license (BYOL) option

Page 15: Security Innovations in the Cloud

Sophos UTM Security: Inbound & Outbound Traffic

Elasticity for inbound WAF traffic & outbound VDI traffic.

Supports VPC peering and solves Transitive Peering problem.

Supports shared services architecture between multiple VPCs.

Provides redundancy and automatic failover of routes across AZs.

Same solution used by Amazon for “Office in a Box.” Steve Mueller’s presentation at re:Invent ISM403

https://www.youtube.com/watch?v=kawZBGCLBJU

Page 16: Security Innovations in the Cloud

Sophos UTM Deployment Options – Single Instance HA

Diagram components: ELB; Availability Zone #1 with a Sophos UTM and Instances; Availability Zone #2 with a Sophos UTM Standby (HA) and Instances.

Page 17: Security Innovations in the Cloud

Sophos UTM WAF with Auto Scaling

Diagram components: Sophos UTM Controller; two groups of Sophos UTM Workers; two groups of Instances; two Amazon ELBs; Auto Scaling; Amazon CloudWatch; Amazon SNS; Amazon S3; AWS CloudFormation.

Page 18: Security Innovations in the Cloud

Sophos UTM OGW with Auto Scaling

Diagram components: Sophos UTM Controller; two groups of Sophos UTM Workers; two WorkSpaces Outbound Gateways (OGW); Amazon ELB; Auto Scaling; Amazon CloudWatch; Amazon SNS; Amazon S3; AWS CloudFormation.

Page 19: Security Innovations in the Cloud

Amazon Office in a Box

Secure protocols, analogous to VPN (SSL and PCoIP w/ IPSec AES-256)

Diagram components: Amazon Corp Net; Amazon Corp servers; Active Directory; MFA; 10.x.x.x/8; Amazon-provided hardware; Access from Corp (wired, wireless, VPN); US East Amazonians; Kerberos/TGT ticket; Streaming gateway IP; Internet; Users.

Page 20: Security Innovations in the Cloud

Amazon Office in a Box

How client traffic flows:

1) Client authenticates (AD and MFA) via Authentication Gateway (SSL)

2) Client brokers desktop session with Session Gateway (SSL)

3) Client accesses desktop through Streaming Gateway (PCoIP w/ IPSec AES-256)

KEY POINT: All corporate network access is untrusted prior to filtering (VGW source filtering by IP).

WorkSpaces Service Broker: A) AWS-managed (public); B) Customer-managed (public or private)

Regional proximity; tie into corp via DX; use existing IP space; restrict corp network access

Diagram components: 10.44.208.0/20 in US East-1; Transit; WorkSpaces; Amazon.com VPC; InfoSec Logging; Zero Client Gateway; Authentication Gateway; Session Gateway; Streaming Gateway; Sophos; Internet.

Page 21: Security Innovations in the Cloud

Securing AWS Workloads with Sophos UTM

Sri Vasireddy, Managing Partner – REĀN Cloud

Page 22: Security Innovations in the Cloud

Established: 2013

Presence: USA and India

Number of Employees: 200+

AWS Certifications: 100+ (including 10+ Professional Certifications)

Management team consisting of executives formerly from Fortune 500 Enterprises - AWS, Amdocs, Merck, and Cognizant with deep AWS cloud computing experience

Recognized by TechTarget as the top AWS Partner providing innovative DevSecOps services

24x7 follow-the-sun model, with offices around the world and continuous operations in multiple time zones - EST, PST, and IST

REĀN Organization Profile

Page 23: Security Innovations in the Cloud

Premier Partner w/ DevOps Competency

Page 24: Security Innovations in the Cloud

REĀN Service Offering: REĀN Enterprise Cloud Management (ECM) Portfolio

REĀN services – Business consulting:

ROI & Business Case Justification

Cloud Adoption Strategy

Security & Risk Assessment

DR & Business Continuity Planning (BCP)

Cloud Architecture

DevOps Strategy

Account Management

Governance & Compliance

Cloud Operations Strategy

REĀN services – Infra services:

Migration

Native AWS Application Development

DevOps (CD | CI) Implementation

Billing as a Service

Secure Infrastructure Setup

Managed Cloud Services

Covers AWS Infrastructure and Hybrid On-prem Infrastructure

Page 25: Security Innovations in the Cloud

Roles and Responsibilities

Provides compute, network, storage infrastructure

Provides UTM appliance

Provides design and integration services to secure infrastructure using UTM appliance

Page 26: Security Innovations in the Cloud

REĀN Secure VPC Framework

Diagram components: Users (Browser, Mobile client) and Administrators reaching the VPC over the Internet; HTML5 VPN connection; IPSec VPN connection to the Corporate Data Center; Disk encryption key; DMZ; Continuous monitoring; Access policy; Auto scaling group; App tier; Web server and App server pairs (AZ-1, AZ-1 as labelled); ElastiCache tier; Amazon RDS.

Page 27: Security Innovations in the Cloud

Multi-account Management

Page 28: Security Innovations in the Cloud

Multi-VPN Overlay

Diagram components: Customer VPC (172.16.0.0/16) containing a DMZ Subnet with an Internet Gateway, a File Server Subnet, an AWS Container, Instances, and a Sophos UTM with three VPN Connections; Customer Datacenter 01 (172.16.0.0/16), Customer Datacenter 02 (10.0.0.0/16) and Customer Datacenter 03 (0.30.0.0/16), each with a Traditional server.

Page 29: Security Innovations in the Cloud

Internet of Things

Diagram components: Control VPC with an Elastic IP, a Public Subnet and a Sophos UTM terminating site-to-site VPNs; Customer VPC 1 and Customer VPC 2, each with Amazon RDS (MySQL), Comm servers, a VPC VGW and a Site-to-site VPN; Corporate Datacenter with VPN Endpoints and VPC VGWs; Cust-1; Cust-2; Manage links.

Page 30: Security Innovations in the Cloud

DevOps Automation

Migrate

• Discover

• Move Image

Deploy

• Provisioning

• Update

Test

• Functional

• Performance

• Security

Document

• Architecture

• Assessment

• Compliance

Tiers shown: Web Server (Apache, WP); App Server (Tomcat, Java); DB Server (MySQL, InnoDB)

Page 31: Security Innovations in the Cloud

Next Steps

Try out the REAN Cloud UTM Test Drive powered by Sophos – http://www.reancloud.com/test-drive/rean-utm/

Promotion for Webinar Attendees – Purchase Sophos UTM through REAN Cloud and we will configure it for Auto-Scaling for you for free.

Page 32: Security Innovations in the Cloud

Questions & Answers

Page 33: Security Innovations in the Cloud

Thank you

