20. VM-SERIES: PROTECT & SEGMENT CLOUD WORKLOADS
[Diagram labels: Cloud application; Web app; Web server; App server; Infrastructure-as-a-Service (IaaS); Object storage, caching, database; Platform-as-a-Service (PaaS)]
• Application visibility and workload segmentation
• Centrally manage and automate deployments
• Prevent outbound and inbound attacks
21. VALUE WHICH WE GET ON CLOUD
Identify applications
Control traffic based on application, not only port
Prevent known and unknown threats
Grant access based on user identity
NGFW Visibility and Control
Automated Scale up and Scale out
Provisioning/Hybrid
Lambda, Elastic/Application Load Balancing, CloudWatch, Cloud Templates, Application Insight Manager, ASC
MULTI-CLOUD
CLOUD SCALE
ENTERPRISE CLASS SECURITY
POLICY MANAGEMENT
CLOUD INTEGRATION
22. VALUE WHICH WE GET ON CLOUD
§ Manage traffic with a single line
§ Determine the matching criteria of traffic by using:
  § Network Zones, IP Addresses
  § User ID or Groups
  § Machine State
  § Applications (Layer 7)
  § Ports / Services
§ Define Content Scanning Profiles:
  Anti-Spyware Profile: All traffic scanned
  URL Filtering Profile: Filter unwanted URL categories
  AV Profile: All files scanned
  IPS Profile: All exploits scanned
  File Blocking Profile: Control file attachments
26. TOOLS TO AUTOMATE SECURITY IN THE CLOUD
Fully documented XML API
XML API
Dynamic Policy Updates
External Dynamic Lists
HTTP Log Forwarding
• Quarantine
• Service ticketing
• Other…
HTTP logs
Bootstrapping
27. FRICTIONLESS SECURE CLOUD OPERATIONS
Automation Tools: AWS CloudFormation, AWS Lambda
Build
• Template-based deployment
• Bootstrapped Configuration
• Embed Agent into Workloads
Operate
• Segment Based on Apps & Attributes
• Orchestrate Policy via XML API
• Continuously Monitor Resources & Storage
Scale
• Auto-scale Based on Triggers
• Policies Updated Automatically
• Integration into Native Services
34. Deployment Use Cases
Protect your AWS deployment just as you would in your data center
• Hybrid: Securely deploy applications & extend your data center into AWS
• Segmentation: Separate data and applications for compliance and security
• Internet Gateway: Protect Internet-facing applications
• Remote Access: Security consistency for your network, your cloud, and your devices
35. > DCD Summit | Interpol World
AUTO SCALING OF INSTANCES
[Chart labels: Cyber Monday; Start of work day; Tax season; Snow day; Provisioned capacity; On-demand scaling; Predictable; Less predictable]
36. AUTO SCALING OF SECURITY SERVICES
[Chart labels: Cyber Monday; Start of work day; Tax season; Snow day; Provisioned capacity; On-demand scaling; Predictable; Less predictable]
40. § Identity Access Management: Do passwords match policy? Is MFA used? Do only entitled users have access?
§ Key Rotation & Management: Are keys being rotated adequately?
§ Security Monitoring & Logs: Is logging turned on?
§ Firewall / Security Group / ACL Configuration: What systems/people have access?
§ Load Balancer Configuration: Is it configured correctly? Are you using VPC security groups on ELBs?
§ VPC / Subnet Management: Do you have any empty VPCs? Are you nearing the EC2 Security Group limit for your VPC?
§ Snapshot Management: Do we have a recent snapshot stored?
§ User & Access Management: Who has access to what resources/accounts? What actions did they take?
§ Data Encryption: Is encryption turned on for data at rest? In motion?
HOW ON MULTI-CLOUD?
43. THE SOLUTION: EVIDENT.IO
[Diagram labels]
CUSTOMER DATA
OS/PATCH MGMT, IMAGE/SNAPSHOTS, USER ACCESS MGMT
CLOUD INFRASTRUCTURE
SECURITY MONITORING & LOGGING, ENCRYPTION / KEY ROTATION, VPC / SUBNET, SERVICE CONFIGURATION, SECURITY GROUPS, ACCESS MANAGEMENT
COMPUTE, STORAGE, DATABASE, NETWORKING
YOUR RESPONSIBILITY
THE CSP’s RESPONSIBILITY
API CONTROL PLANE
WHERE EVIDENT HELPS
CLOUD SERVICES
44. EVIDENT.IO ADDRESSES ALL REQUIREMENTS
Continuous discovery and monitoring
• Deep integration and extensibility
• Full understanding of configuration and user behavior
• Automated policy enforcement
Complete and continuous compliance reporting
• Full regulatory coverage: HIPAA, PCI, NIST, GDPR…
• Full industry coverage: CIS, ISO, SOC2…
• Customizable compliance reports and controls
Comprehensive storage security
• Risk exposure
• Malware analysis and prevention
• Sensitive data discovery
• Content data discovery