
DEM01-S

Armor cloud security: Continuous security & compliance in the public cloud
Paul Sroufe
Director of Engineering, Armor Cloud Security
Armor Defense

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• The transformative force of the cloud
• The challenges facing the modern cloud CISO
• Using the cloud to your security advantage
• Secure cloud infrastructure as code
• CWPP + CSPM + CASB – The cloud security trinity
• 3 major takeaways
Digital disruption scale

[Figure: a staircase of five digital-disruption stages, DD1 Enhance, DD2 Appearance / Extend, DD3 Expansion / Transform, DD4 Reinvent and DD5 Dominance / Revolutionize, plotted along a timeline of 2007, 2012, 2017 and 2022. Elements affected: Technology, Industry, Business, Society.]


Industry progression
Public cloud adoption will challenge traditional managed services based on on-premises models

[Figure: performance over time, showing the progression MSSP → MDRs → SECaaS → CWPP; the later models are characterized by speed to value, simplicity, flexibility and lower cost.]

In the future, everything becomes a “workload”
How we’re evolving

[Figure: shared-responsibility comparison across On premises, IaaS, PaaS and SaaS. Each column shows the same stack, top to bottom: Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking. Legend: “You manage” vs. “CSP manages”; the boundary between the two moves further up the stack as you move from on premises to SaaS.]


3 major challenges for today’s cloud CISO
• Talent shortages in DevOps and security
• Vendor, tool, and alert overload
• How do I keep pace with the rate of innovation?
Vendors should solve problems and stop
pitching technologies
Top problems for CISOs in today’s cloud era
• Identity and access management
• Ever-evolving “network perimeter” in a mobile, SaaS-ified world
• Compliance
• Hybrid cloud visibility and security policy management
Infrastructure as code (Terraform, AWS CloudFormation)

CloudFormation resource shown on the slide (YAML): an S3 bucket with default server-side encryption, access logging and versioning declared alongside the bucket itself.

  Type: "AWS::S3::Bucket"
  Properties:
    BucketName: my-secret-phi
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: "AES256"
    LoggingConfiguration:
      DestinationBucketName: "my-secret-phi-logs"
      LogFilePrefix: "phi"
    VersioningConfiguration:
      Status: "Enabled"
    Tags:
      - Key: "environment"
        Value: "production"
      - Key: "managed-by"
        Value: "cloudformation"
      - Key: "owner"
        Value: "privo"
Collaborating and expanding
• Embrace DevOps with a cloud-native strategy
• Work with a solutions provider for hands-on training and growth
• Start with ready to scale
• Don’t be afraid to try something new!

[Tooling shown: Amazon EMR, AWS CodePipeline, Terraform, GitHub, AWS Batch, AWS Lambda, Amazon Elastic Container Service, AWS CloudFormation]
Secure, cloud-native infrastructure

[Architecture diagram: an AWS Cloud deployment fronted by Amazon CloudFront, AWS WAF and Amazon Route 53, spanning Availability Zone 1 and Availability Zone 2 behind AWS Transit Gateway. Public subnet: NAT gateways and an ELB. Private subnet: an AWS Auto Scaling group of app servers. Data subnet: Amazon Aurora Multi-AZ. Amazon VPC with AWS PrivateLink, VPC Flow Logs and DNS query logging. Security and audit services: AWS KMS, AWS Config, Amazon GuardDuty, AWS CloudTrail. The stack is provisioned from GitHub via Terraform and AWS CloudFormation.]
Benefits of infrastructure as code and security as code for clients
• Simplification & repeatability of deployment – limits complex deployment tasks
• Distribution of confirmed golden image deployments – ease of sharing and collaboration
• Standardization with benefits of customizability – start simple, and build over time
• Disaster recovery – customize resources
• Out-of-the-box compliance – validated compliance controls
The accidental: Misconfiguration

[Timeline of publicly reported cloud storage misconfiguration incidents, 2017–2018: Dow Jones & Company; Deep Root Analytics – RNC; Nice Systems – Verizon; Recruiting vendor – TigerSwan; Patient Home Monitoring Corp; Accenture; Alteryx – Experian; MBM Company – Walmart; Bongo International – FedEx; Local Box; GoDaddy – scraped content.]

The accidental
• 386M – # of records exposed
• 6 out of 11 – # of incidents that involved data exposed via an affiliate, partner, or “customer”
• 100% of incidents involved an unsecured Amazon S3 bucket on AWS
• 57% of survey respondents were either “concerned or very concerned that in the next 12 months, misconfigured systems, such as server workloads and cloud services, could lead to a successful attack that threatened their infrastructure, data assets, and business operations.”*

*Source: Oracle & KPMG


The accidental: Drift

Cloud security posture management (CSPM) tools act as checks and balances on overall adherence to security policy.

[Figure: deployed configuration oscillating between “Adhere to policy” and “Drift/risk” over time; CSPM checks pull it back toward policy.]
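The two preceding slides describe the same control applied at two points in time: a policy check on the infrastructure-as-code template before deployment, and a drift check of the live account against that template afterwards. The following is an added example (not code from the deck or from Armor) that implements both for the S3 bucket the template slide shows; the logical ID "PhiBucket", the second "scratch-data" bucket, and the observed-state dict are constructed for illustration.

```python
SECURITY_KEYS = ("BucketEncryption", "LoggingConfiguration", "VersioningConfiguration")

# Constructed input: the slide's AWS::S3::Bucket as a Python dict (logical ID
# "PhiBucket" is assumed), plus a second bucket declared with no controls at all.
TEMPLATE = {"Resources": {
    "PhiBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": "my-secret-phi",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "LoggingConfiguration": {"DestinationBucketName": "my-secret-phi-logs",
                                 "LogFilePrefix": "phi"},
        "VersioningConfiguration": {"Status": "Enabled"}}},
    "ScratchBucket": {"Type": "AWS::S3::Bucket",
                      "Properties": {"BucketName": "scratch-data"}}}}

def check_bucket(props):
    """Return policy findings for one bucket's Properties (empty list = compliant)."""
    findings = []
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    if not any("ServerSideEncryptionByDefault" in r for r in rules):
        findings.append("no default server-side encryption")
    if not props.get("LoggingConfiguration", {}).get("DestinationBucketName"):
        findings.append("access logging not configured")
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        findings.append("versioning not enabled")
    return findings

def s3_buckets(template):
    """Yield (logical_id, Properties) for every AWS::S3::Bucket in the template."""
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::S3::Bucket":
            yield name, res.get("Properties", {})

def scan_template(template):
    """Pre-deployment check: policy findings keyed by bucket logical ID."""
    return {name: check_bucket(props) for name, props in s3_buckets(template)}

def detect_drift(template, observed):
    """Post-deployment check: buckets whose live security settings differ from the
    template. `observed` maps BucketName -> Properties-shaped dict built from the
    live account (constructed here; in practice from the S3 GetBucket* APIs)."""
    drifted = {}
    for _, declared in s3_buckets(template):
        live = observed.get(declared.get("BucketName"), {})
        changed = [k for k in SECURITY_KEYS if declared.get(k) != live.get(k)]
        if changed:
            drifted[declared["BucketName"]] = changed
    return drifted
```

Running `scan_template` in the pipeline blocks the uncontrolled bucket before it exists; running `detect_drift` on a schedule catches the case where a compliant template was deployed and someone later suspended versioning or removed logging by hand.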
Strengths: Posture management

Any workload (public and private cloud, virtualized, servers, containers)
• Out-of-the-box compliance checks
• Cloud-native integrations
• Continuous security and compliance monitoring
• Unified visibility

Capabilities
• Workload discovery and visibility
• Automated remediation
• Policy management
• 24/7 management and monitoring

SECaaS delivery model: simple to turn up, fast turn up, easily scalable, pay as you go
Address IT, IT security, and DevOps needs
The intentional

Managing an increasing attack surface that is fundamentally unfamiliar to many IT and IT security professionals

681M attacks, 1,200 organizations

[Figure: attack categories observed – brute force, web application attacks, IoT attacks, vulnerability exploits.]
Strengths: Workload protection

Any workload (public and private cloud, virtualized, servers, containers)
• Host-based security protections
• Compliance
• Unified visibility

Capabilities
• Native tools integration
• Application control and whitelist
• Containers
• 24/7 management and monitoring

SECaaS delivery model: simple to turn up, fast turn up, easily scalable, pay as you go
Address IT, IT security, and DevOps needs
Understanding use cases: CASB
• 1,427 – # of distinct cloud services that an average enterprise uses
• 36 – # of distinct cloud services that an average employee uses at work
• 18.1% – file uploads into cloud-based services that contained sensitive data

Source: https://www.skyhighnetworks.com/cloud-security-blog/12-must-know-statistics-on-cloud-usage-in-the-enterprise/
Strengths: Access brokerage

Any workload (public and private cloud, virtualized, servers, containers)
• Data security
• DLP
• Secure shadow IT
• Unified visibility

Capabilities
• Insider threat detection
• Native tools integration
• IAM and integrations
• 24/7 management and monitoring

SECaaS delivery model: simple to turn up, fast turn up, easily scalable, pay as you go
Address IT, IT security, and DevOps needs
3 major takeaways
1. Cloud has changed everything – we must secure our workloads against accidental and intentional threats
2. The hard part of security is not a technology problem; it’s a culture problem
3. You can use the cloud to deliver continuous security and compliance
Thank you!
Paul Sroufe
Armor Cloud Security
Booth #2325
