Secure Your New Public Cloud
21st Century IT Security
Cloud Security
Shared Responsibility Model
Managed by AWS Customers:
CUSTOMER DATA
PLATFORM & APPLICATION MANAGEMENT
OPERATING SYSTEM, NETWORK, & FIREWALL CONFIGURATION
CLIENT-SIDE DATA ENCRYPTION & DATA INTEGRITY AUTHENTICATION
SERVER-SIDE ENCRYPTION (FILE SYSTEM AND/OR DATA)
NETWORK TRAFFIC PROTECTION (ENCRYPTION/INTEGRITY/IDENTITY)
OPTIONAL – OPAQUE DATA: 0S & 1S (IN TRANSIT/AT REST)
CUSTOMER IAM
Managed by Amazon Web Services:
FOUNDATION SERVICES: COMPUTE, STORAGE, DATABASES, NETWORKING
AWS GLOBAL INFRASTRUCTURE: REGIONS, AVAILABILITY ZONES, EDGE LOCATIONS
AWS ENDPOINTS
AWS IAM
Security IN the Cloud
Security OF the Cloud
MORE VISIBILITY
MORE CONTROL
MORE AUDITABILITY
MORE AGILITY
Security is Visible
Who is accessing the resources?
Who took what action?
§ When?
§ From where?
§ What did they do?
§ Logs Logs Logs
EVERYTHING IS AN API CALL.
EVERYTHING GENERATES LOGS.
TERABYTES OF LOGS A DAY…
21st Century IT Security
Intelligent Security
Protect Sensitive Data: Macie
AWS Shield: Managed DDoS Protection
Automated Incident Response: DDoS Attack
CloudWatch Alert: More than 1,000 Open Connections to ELB from a single IP
Log an incident
WAF Rule: block source
Wait 1 hour
Remove WAF Rule
Forensics: Save Logs
Components: AWS WAF, AWS ELB, CloudWatch, S3 Evidence Repository
Intelligent Threat Detection: GuardDuty
Cloud is Simply Better: Personal Data Protection & GDPR
Automated Incident Response: Infected Instance
GuardDuty Report: Instance ID i-1234567890abcdef0
Log an incident
Isolate the Instance from the network
Shut down instance
Forensics: Memory Dump, Disk Dump
S3 Evidence Repository
Establishing Secure Cloud Services
ISO 27001
PCI/DSS
Personal Data Protection
CSP
Compliance, Threat and Gap Analysis
Security Strategy Design
Security Programme Design
Security Playbook
Implementation & Testing
Secure & Compliant Cloud
Systems & Applications
Risk Management
Security Operations & Management
Legacy Cloud Systems & Applications
Cloud Security Considerations
PREPARE
PREVENT
DETECT
RESPOND
HeleCloud Company Overview
Maidenhead, UK
1 Bell Street, Maidenhead, Berkshire, SL6 1BU, UK,
+44 20 3286 [email protected]
Thank you!