
Shared Responsibility In Action

Date post: 14-Jul-2015
Upload: mark-nunnikhoven

Shared Responsibility in Action

@marknca

Mark Nunnikhoven, Vice President, Cloud & Emerging Technologies, Trend Micro, @marknca

Modelling security on AWS

Traditional Responsibility

Physical, Infrastructure, Network, Virtualization, Operating System, Application, Data

Shared Responsibility

Physical, Infrastructure, Network, Virtualization, Operating System, Application, Data, Security Groups, Network Config

More info on the model is available at http://aws.amazon.com/security

Shared Responsibility

Physical, Infrastructure, Network, Virtualization, Operating System, Application, Data, Security Groups, Network Config

Verify

Compliance information available at http://aws.amazon.com/compliance

Layers: Physical, Network, Virtualization, Operating System, Application, Data

Service models: DIY, IaaS, PaaS, SaaS

* you

Better Service Types

From AWS’ Mark Ryland talk at http://4mn.ca/ZZeDbA

Infrastructure, Abstract, Container

Service Examples

Fantastic reference by AWS’ Mark Ryland at http://4mn.ca/ZZeDbA

Service | Type | *aaS
SQS, S3, Route53 | Abstract | SaaS
RDS, EMR, OpsWorks | Container | PaaS
EC2, EBS, VPC | Infrastructure | IaaS

Less responsibilities

More responsibilities

Less responsibilities

Options : Responsibilities

Re:Boot

Critical embargoed bug discovered in Xen, details at http://4mn.ca/1rcXTTN

A small percentage of instances scheduled for a reboot

Actions to Take

From AWS’ Mark Ryland talk at http://4mn.ca/ZZeDbA

For EC2: Nothing for cloud-native architectures; manage availability

For RDS: Nothing for Multi-AZ instances; standard maintenance window for single instances

POODLE

CVE-2014-3566 : Padding Oracle On Downgraded Legacy Encryption

Attack forces an older cipher choice. Details at http://4mn.ca/1EYfBEA

Actions to Take

From AWS’ Mark Ryland talk at http://4mn.ca/ZZeDbA

For ELB: Select a non-affected cipher suite

For Web Servers: Enable TLS_FALLBACK_SCSV; disable support for SSL 3.0*

Shellshock

More info on bash is available at http://www.gnu.org/software/bash/

10/10 vulnerability. Widespread & easy to exploit

(){}; attack
a:() { b; } | attack;

Actions to Take

For EC2: Update bash; use an intrusion prevention system

Applied at the boundary

Majority of security controls are traditionally applied at the boundary

Same controls applied in the AWS Cloud, now to each instance

Applied to each instance

Options : Responsibilities

@marknca

Thank you. Learn more at testdrive.trendmicro.com
