Web App Security on AWS: How to Make Shared Security Work for You

Upload: amazon-web-services

Post on 09-Jun-2015

DESCRIPTION

The Amazon Web Services (AWS) cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. However, because you're building systems on top of the AWS cloud infrastructure, the security responsibilities will be shared: AWS has secured the underlying infrastructure and you must secure anything you put on the infrastructure. Alert Logic has more than a decade of experience implementing cloud solutions that are secure, flexible and designed to work with hosting and cloud service providers. In this webinar, you'll learn from Alert Logic strategies for making this shared security model work for your web applications. The webinar includes a live demo of Alert Logic Web Security Manager. In this webinar, you'll learn:

• How to access Alert Logic Web Security Manager via AWS Marketplace for the quickest and easiest path to web application protection
• How to integrate web application security in your AWS environment
• An attractive approach to auto scaling web security

TRANSCRIPT

Page 1: AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Work for You

Web App Security on AWS: How to Make Shared Security Work for You

Page 2

Welcome

Ryan Holland

Solutions Architect

Amazon Web Services

Page 3

Webinar Overview

Submit Your Questions using the Q&A tool.

A copy of today's presentation will be made available on:

AWS SlideShare Channel @ http://www.slideshare.net/AmazonWebServices/

AWS Webinar Channel on YouTube @ http://www.youtube.com/channel/UCT-nPlVzJI-ccQXlxjSvJmw

Page 4

Introducing

Ryan Holland, Solutions Architect, Amazon Web Services

Johnathan Norman, Solutions Architect, Alert Logic

Page 5

What We'll Cover

• Amazon Web Services security overview
• How to access Alert Logic Web Security Manager via AWS Marketplace
• How to integrate web application security in your AWS environment
• Q&A

Page 6

Ryan Holland

Sr Manager, Partner Solution Architects

Page 7

Security is a shared responsibility between AWS and our customers

AWS:

Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints

Customers:

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Customer content

• Customers configure AWS security features
• Get access to a mature vendor marketplace
• Can implement and manage their own controls
• Gain additional assurance above AWS controls

Page 8

Every customer has access to the same security capabilities

AWS maintains a formal control environment:

• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Security
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• HIPAA and MPAA capable

Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 9

Let AWS take care of the heavy lifting for you

AWS:

• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities

Customer:

• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Applications
• Proper service configuration
• AuthN & acct management
• Authorization policies

Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.

Page 10

AWS partners can help you build secure solutions

AWS:

• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Fine-grained IAM capability

AWS + AWS partner solutions = Your secure AWS solutions

These products and more are available on the AWS Marketplace: WAF, VPN, IPS, AV, API gateways, data encryption, user management.

Page 11

Public Cloud Security - AWS

Johnathan Norman

Cloud Solutions Architect

Page 12

The Web Application Attack Threat

Web Application Attacks are Prevalent and Dangerous

• Half of all environments will be impacted by web application attacks 30 times in a year [1]
• 83% of websites have at least one serious vulnerability [2]
• Web-based attacks increased 30% in 2012 [3]
• Web application security measures required by PCI DSS

Application Vulnerabilities are Common

• On average, 12.1 security issues affect every web application [4]
• The average web site has 56 serious vulnerabilities [5]
• The application layer is responsible for over 90% of all security vulnerabilities [6]

Sources:

1. Alert Logic State of Cloud Security – Spring 2013
2. Frost & Sullivan: The Growing Hacking Threat to Websites
3. Symantec Corporation: Internet Security Threat Report 2013
4. Context Information Security: Web Application Vulnerability Statistics 2013
5. WhiteHat Website Security Report, May 2013
6. Ponemon Institute: The State of Application Security, August 2013

Page 13

Public Cloud Shared Security Model

Cloud Service Provider Responsibility

Foundation Services (Compute, Storage, DB, Network):

• Logical network segmentation
• Perimeter security services
• External DDoS, spoofing, and scanning prevented
• Hardened hypervisor
• System image library
• Root access for customer

Customer Responsibility

Hosts:

• Access management
• Patch management
• Configuration hardening
• Security monitoring
• Log analysis

Apps:

• Secure coding and best practices
• Software and virtual patching
• Configuration management
• Access management
• Application level attack monitoring

Networks:

• Network threat detection
• Security monitoring

Page 14

Example: SQL Injection

A customer makes selections in a shopping cart application:

… /showitem.asp

Choose a category: Winter Coats (Group=10)

Select an item: Fleece Jacket (Item=4534)

Page 15

Example: SQL Injection

User choices translated into application input:

… /showitem.asp?group=10&item=4534

Choose a category: Winter Coats (Group=10)

Select an item: Fleece Jacket (Item=4534)

Page 16

Example: SQL Injection

An attacker injects harmful code into the URL:

… /showitem.asp?group=10&item=4534;drop table products

Choose a category: Winter Coats

Select an item: Fleece Jacket
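The request on this slide, handled the way a defender wants it handled: an added example in Python with sqlite3 (not code from the webinar or from Alert Logic) in which the showitem handler validates group and item as integers and binds them as query parameters instead of concatenating them into the SQL text. The products table, its rows and the handler names are constructed for the example.

```python
import sqlite3

def build_catalogue():
    """Constructed in-memory stand-in for the shop's products table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (item INTEGER PRIMARY KEY, grp INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(4534, 10, "Fleece Jacket"), (4535, 10, "Parka"), (9001, 11, "Wool Hat")])
    conn.commit()
    return conn

def parse_query(query_string):
    """Split 'group=10&item=4534' into a dict. Only '&' separates fields, so the ';' in
    'item=4534;drop table products' stays inside the item value instead of starting a new field."""
    fields = {}
    for field in query_string.split("&"):
        key, sep, value = field.partition("=")
        if sep:
            fields[key] = value
    return fields

def show_item(conn, query_string):
    """Hardened showitem handler: both parameters must be integers and are bound by the driver.
    The vulnerable form it replaces concatenates the raw value into the statement text, e.g.
    "... WHERE item = " + item, which is how ';drop table products' reaches the database."""
    fields = parse_query(query_string)
    try:
        group = int(fields["group"])
        item = int(fields["item"])
    except (KeyError, ValueError):
        # '4534;drop table products' is not an integer: refuse the request before any SQL is built.
        raise ValueError("group and item must be integers") from None
    row = conn.execute("SELECT name FROM products WHERE grp = ? AND item = ?",
                       (group, item)).fetchone()
    return row[0] if row else None

def table_exists(conn, name):
    """Used to confirm that a refused request left the catalogue untouched."""
    count = conn.execute("SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
                         (name,)).fetchone()[0]
    return count == 1
```

With the slide's legitimate URL the handler returns "Fleece Jacket"; with the injected URL it raises ValueError and the products table is still present afterwards.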

Page 17

Result: Downtime, Data Loss

Source: Verizon Data Breach Investigation Report, 2013

Page 18

Solutions Address Specific Compliance Mandates

Alert Logic Solution: Alert Logic Web Security Manager

PCI DSS:
• 6.5.d Have processes in place to protect applications from common vulnerabilities such as injection flaws, buffer overflows and others
• 6.6 Address new threats and vulnerabilities on an ongoing basis by installing a web application firewall in front of public-facing web applications

SOX:
• DS 5.10 Network Security
• AI 3.2 Infrastructure resource protection and availability

HIPAA & HITECH:
• 164.308(a)(1) Security Management Process
• 164.308(a)(6) Security Incident Procedures

Alert Logic Solution: Alert Logic Log Manager

PCI DSS:
• 10.2 Automated audit trails
• 10.3 Capture audit trails
• 10.5 Secure logs
• 10.6 Review logs at least daily
• 10.7 Maintain logs online for three months
• 10.7 Retain audit trail for at least one year

SOX:
• DS 5.5 Security Testing, Surveillance and Monitoring

HIPAA & HITECH:
• 164.308(a)(1)(ii)(D) Information System Activity Review
• 164.308(a)(6)(i) Login Monitoring
• 164.312(b) Audit Controls

Alert Logic Solution: Alert Logic Threat Manager

PCI DSS:
• 5.1.1 Monitor zero day attacks not covered by anti-virus
• 6.2 Identify newly discovered security vulnerabilities
• 11.2 Perform network vulnerability scans quarterly by an ASV or after any significant network change
• 11.4 Maintain IDS/IPS to monitor and alert personnel; keep engines up to date

SOX:
• DS 5.9 Malicious Software Prevention, Detection and Correction
• DS 5.6 Security Incident Definition
• DS 5.10 Network Security

HIPAA & HITECH:
• 164.308(a)(1)(ii)(A) Risk Analysis
• 164.308(a)(1)(ii)(B) Risk Management
• 164.308(a)(5)(ii)(B) Protection from Malicious Software
• 164.308(a)(6)(iii) Response & Reporting

Alert Logic Security Operations Center providing Monitoring, Protection, and Reporting

Page 19

Alert Logic Web Security Manager WAF

Active Protection for Web Applications, Management Included

• Positive & Negative Security: active protection using signatures and leading learning engine
• Key Compliance Coverage: supports PCI 6.6 and OWASP Top 10 risks
• Management Included: 24x7 management by experienced security analysts
• AWS Auto Scaling: protection scales dynamically with your web apps
• Security Where You Need It: works wherever you have your datacenter

Page 20

Engineered for AWS Environments

Engineered for AWS

Supports auto-scaling & role aware

Automatable with APIs and scripts

Available across multiple regions

Manageable at scale

IP address & topology independent

Usage based utility pricing

Marketplace transactable

AMI and agent deployment options

Network and system visibility

Proven reference architectures

Runs on AWS

Page 21

Web Security Manager Demo

Page 22

Diagram: AWS Infrastructure. Web Traffic enters through Elastic Load Balancers into a VPC spanning availability zones A and B; behind them sit the Web Servers, a Database Master and two Database Read Replicas kept in sync by replication.

Page 23

Diagram: AWS Infrastructure + Web Security Manager. Components shown: Web Traffic, Elastic Load Balancers, Alert Logic Management, Amazon S3 Configuration Master with Auto Recover, Web Servers, App Servers, Workers, and Databases with replication, inside a VPC spanning availability zones A and B.

Page 24

Web Security Manager Free Trial

Page 25

WAF Free Trial on AWS Marketplace

VISIT AWS MARKETPLACE FOR FREE TRIAL: JUNE 10TH – JULY 10TH

Page 26

Thank You

Johnathan Norman

Cloud Solutions Architect

Page 27

Contacts and Q&A

Contacts: Alert Logic Info: [email protected]

AWS Contact: aws.amazon.com/contact-us