Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
- 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security and DevOps:
Agility and Teamwork
- 4. What Drives Cloud Adoption?
• Developers are the driving force behind cloud adoption
• Main reason developers are using cloud services?
Innovation
ability to move
fast
deploy
infrastructure
without IT
overhead
ship code
without delays
- 9. Aligning DevOps with Security
Critical questions to answer:
1. What are we protecting?
2. What controls must be in place?
3. How do you integrate security into your daily workflow?
- 11. Rules of the Road
No Yes
1 Random opinions
Everyone works from same
security blueprint
2 General set of controls
Controls specific
to your cloud blueprint
3 Security gateways and overlays
Security is part of
immutable infrastructure
4 Periodic audits
Security testing part of
regression framework
5
Vulnerabilities are escalated
and negotiated for resolution
Vulnerabilities are bugs
Critical vulnerabilities are critical bugs
- 12. Perception versus Reality
Our ability to accurately estimate
attack surface is compromised by
our weak sense of perception
More reliable approach:
1. Identify your cloud assets
2. Measure your exposure
3. Implement controls
- 13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Blueprint Model for
Security
- 14. Enumerate Your Cloud Footprint
Generalize common workloads into infrastructure—“blueprints”
Blueprint-Driven Approach
Key target assets
Across the Full Stack
1. Magento application and plugins
2. PHP
3. Apache
4. Nginx
5. Redis
6. Maria DB, Elasticsearch
7. Linux OS and system tools
8. AWS services
EC2 instances
EC2 instances
VPC
Route 53
Users
Internet
gateway
ELB
MariaDB
MariaDB
AvailabilityzoneAAvailabilityzoneB
Auto scaling
group
Apache PHP
Auto scaling
group
EC2 instances
EC2 instances
FPM
S3
- 16. Cloud Attack Surface
Attacks
Web App
Attacks
OWASP
top 10
Platform/
library
attacks
App/
System
misconfig
attacks
Web Apps
Server-Side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Infrastructure
The Application Stack
Databases
Attackersaremovingupthestack
1. Wide range of attacks
at every layer of the
stack
2. Rapidly changing
codebase can
introduces unknown
vulnerabilities
3. Long tail of exposures
inherited from third-
party development
tools
4. Extreme shortage of
cloud and application
security expertise
- 17. Attack Surface Factors
Factor Impact Technology Triggers
Custom-built complex web
code
Broad attack surface and numerous opportunities
for hidden vulnerabilities
Open or commercial
development frameworks
Vulnerabilities inherited from open source
community or software vendors
Three-tier architecture with
relational databases
Increased risk of SQL injection—number one web
attack method in volume and impact
Open and interconnected Easily accessible from outside world by valid users
and attackers alike
Legacy code Technical debt means increases risk of compromise
Hybrid environments Risk of a breach is compounded when cloud and on-
premises datacenters are linked
- 18. Integrated Alert Logic Controls for Broad Coverage
Build Coverage Model Blueprint
Three-Tier
Classic Web
Micro-
service
E-Com
Blueprint
CMS
Blueprint
Magento
Blueprint
WordPress
Blueprint
Drupal
Blueprint
OWASP Top 10
SQL-injection attacks
LAMP target coverage
Critical application coverage
Deep HTTP inspection with anomaly detection
Supervised machine learning
Data-driven intrusion defense
Coverage for key app components
- 19. Full Stack Security Coverage
Pre-compromise Compromise Lateral Movement
Incident
Investigation
System
Visual | Context | Hunt
Collect
web, host,
network
data
Automatic
Detection
Block | Alert | Log
ML Algorithms
Rules & Analytics
SECURITY
EXPERTS
Assess
Exposure
Block
Critical
Attacks
- 20. Cloud Security Maturity Model
Basic Cloud
Security Tooling
2
2. Basic Cloud Security
• Agile development team,
coupled to immature security
program
• Minimal use of cloud provider
and OSS security tools
Traditional Security
1. Non-Cloud Native
• Lift & Ship infrastructure
migration
• Traditional on-premises
security tools and processes
• Limited agility
1
DevOps
Integration
3
3. Cloud Native Security
• Security infrastructure part of
deployment pipeline
• Full stack protection across
networks, systems, and
applications
• Security does not slow down
innovation
SecDevOps
Integration
D
4. Cloud Security Lifecycle
• Security process part of
continuous integration pipeline
• Mature security assessment
and testing program part of
code deployment process
• Maximum agility and security
- 21. Announcing Cloud Insight Essentials
$49 per account/month
Configuration Exposure ManagementIncident Response Support for Amazon GuardDuty
• Explains threats
• Shows context
• Recommends action
• Manages incidents
• Tracks progress
RES
TAPI
Simple. Affordable. Essential.
RES
TAPI
- 22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Citrix Security
DevOps Journey
- 23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
misha@alertlogic.com
joey.peloquin@citrix.com