It’s intentionally hard because you want to know when things change – if stuff changes and you don’t know about it, a control might fail.
And … because if you screw something up, you can’t easily change it once things are underway – part of this is circular reasoning and infinitely regressive. “We have a process so that we don’t screw it up, because if we screw it up, we have to repeat a bunch of other processes we don’t own.” /…./ Madness.
Change detection is actually hard:
Relies on near perfect asset control
Relies on mapping assets to business risk or data classification
Requires that systems react to stimulus and inform you when they are changed. You get sick, you vomit, if you break an arm, it hurts. If your infrastructure changes it should tell you.
Also, in traditional infrastructure security doing the actual changes is hard:
Most of the security processes are manual
Not conducive to automation
Vendor selection tends to be a long tail based purely on feature and functionality, not just the finance and RFP stuff we discussed. You have to roll out vendor products (appliances, software, etc.)
It’s actually physical stuff in many cases
It’s hard to break security projects down into smaller batches of iterative, low-risk changes – these are big projects, such as expanding a data center, reconfiguring trust zones, redeploying applications, redeploying servers.
So enterprise security comes first …
… because enterprise security is hard and
… because it requires so much planning which takes so long and
… because there are so many processes and
… because it’s hard to detect change and ensure low-impact changes and failures …
Because change is not automated and the size or complexity of change is too large.
Yes! I think by focusing on how we can improve the visibility of changes and the ability to make course corrections quickly or automatically /…./ and with low risk, we can greatly improve security.
The underlying reason enterprise security is top of mind in cloud adoption is because you want to know when controls change /…./
and because it’s currently very hard to repair a control /…./ or course correct a project if a control will be impacted.
You could say “it comes first because I don’t want to get hacked” – riiiiiight… that’s supposed to be the reason we have all this planning and process in place in the first place – but that’s not working, otherwise we’d all say it was easy. It’s certainly not as fun as it should be…
For a long time, most organizations have had to make a choice between moving fast or maintaining a high degree of security
However, one of the fundamental benefits of the cloud is that it lets you do both.
We look after the security OF the cloud, and you look after your security IN the cloud.
TALKING POINTS:
We’ve released a new security curriculum with two new classes.
· Security Fundamentals on AWS – free, online course for security auditors and analysts. This self-paced course is designed to introduce you to fundamental cloud computing and AWS security concepts including AWS access control and management, governance, logging, and encryption methods. It also covers security-related compliance protocols and risk management strategies, as well as procedures related to auditing your AWS security infrastructure.
· Security Operations on AWS – 3-day class for Security engineers, architects, analysts, and auditors
This course teaches you how to stay secure and compliant in the AWS cloud. It covers AWS best practices for securing data and systems in the cloud, and addresses security features of key AWS services. This course also teaches you about regulatory compliance standards and use cases for running regulated workloads on AWS. You also get practice using tools for automation and continuous monitoring—taking your security operations to the next level.
Map your internal framework to our certifications – inheritance!
ISO 27017 – cloud specific control
ISO 27018 – protections on personal data
Just cover the basics, we aren’t going into a lot of depth on IAM today.
Workforce Lifecycle integration
AssumeRole APIs baked into the heart of developer behavior, federation, cross-account governance
Use SAML 2.0
Just-in-time access. Use APIs to open up the network for management only when necessary. Change and break/fix ticketing executes scripts to build bastions or open up Security Groups upon approval or stage.
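The just-in-time pattern above, written out as an added example (this is illustrative code, not part of the presentation or any AWS tooling): an approved ticket turns into a temporary SSH ingress rule on a bastion security group, scoped to the requester’s single address and carrying its expiry in the rule description, and a scheduled pass revokes every rule whose window has passed. The four-hour ceiling, the ticket id format and the `sg-…`/address values are assumptions; the boto3 calls are the real EC2 `authorize_security_group_ingress`, `describe_security_groups` and `revoke_security_group_ingress` operations, but they are only reached inside `grant` and `revoke_expired`, so the validation and parsing logic runs without AWS credentials.

```python
# Added example: just-in-time management access driven by change tickets.
# Pure logic (build/parse/select) is separated from the AWS calls so the
# policy checks can be unit-tested offline.
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(hours=4)          # policy assumption: no JIT window longer than 4 hours
STAMP = "%Y-%m-%dT%H:%M:%SZ"             # expiry format embedded in the rule description


def build_jit_rule(ticket_id, requester_ip, port=22, minutes=60, now=None):
    """Validate a JIT request and return (IpPermissions entry, expiry datetime in UTC)."""
    now = now or datetime.now(timezone.utc)
    window = timedelta(minutes=minutes)
    if window <= timedelta(0) or window > MAX_WINDOW:
        raise ValueError(f"window must be between 1 minute and {MAX_WINDOW}")
    net = ipaddress.ip_network(requester_ip, strict=False)   # raises on garbage input
    if net.num_addresses != 1:                                # refuse 0.0.0.0/0, /24s, etc.
        raise ValueError("JIT rules are limited to a single host address")
    host = net.network_address
    expires = now + window
    description = f"JIT {ticket_id} expires {expires.strftime(STAMP)}"
    range_key, cidr_key = ("IpRanges", "CidrIp") if host.version == 4 else ("Ipv6Ranges", "CidrIpv6")
    permission = {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        range_key: [{cidr_key: f"{host}/{host.max_prefixlen}", "Description": description}],
    }
    return permission, expires


def parse_expiry(description):
    """Return the expiry written by build_jit_rule, or None for rules that are not JIT rules."""
    if not description or not description.startswith("JIT "):
        return None
    stamp = description.rsplit("expires ", 1)[-1]
    return datetime.strptime(stamp, STAMP).replace(tzinfo=timezone.utc)


def expired_permissions(security_group, now):
    """Given one entry from describe_security_groups(), return the IpPermissions to revoke."""
    to_revoke = []
    for perm in security_group.get("IpPermissions", []):
        for range_key, cidr_key in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
            for rng in perm.get(range_key, []):
                expires = parse_expiry(rng.get("Description"))
                if expires is not None and expires <= now:
                    to_revoke.append({
                        "IpProtocol": perm.get("IpProtocol"),
                        "FromPort": perm.get("FromPort"), "ToPort": perm.get("ToPort"),
                        range_key: [{cidr_key: rng[cidr_key]}],
                    })
    return to_revoke


def grant(group_id, ticket_id, requester_ip, port=22, minutes=60):
    """Called by the ticketing workflow once the change is approved."""
    import boto3  # imported here so the offline logic above needs no SDK
    permission, expires = build_jit_rule(ticket_id, requester_ip, port, minutes)
    boto3.client("ec2").authorize_security_group_ingress(GroupId=group_id, IpPermissions=[permission])
    return expires


def revoke_expired(group_id, now=None):
    """Scheduled sweep: remove every JIT rule whose window has closed."""
    import boto3
    ec2 = boto3.client("ec2")
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    perms = expired_permissions(group, now or datetime.now(timezone.utc))
    if perms:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return perms


if __name__ == "__main__":
    # Constructed values, not a real ticket or address.
    rule, until = build_jit_rule("CHG-0001", "198.51.100.7", now=datetime(2024, 1, 1, tzinfo=timezone.utc))
    print(rule, until)
```

Because the expiry lives in the rule itself, the revoke sweep needs no separate state store: anything the ticketing workflow created is self-describing, and a rule someone adds by hand without the `JIT` prefix is left alone for a human to review.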
Demo - console
Customers retain control and ownership of their data. Wherever customers put their data, the data doesn’t move.
Each region is completely independent and is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability.
Security Groups serve as a layer-4 firewall and are logically defined within a VPC.
Security groups provide stateful inspection
Security groups span a VPC at the regional level, meaning they go across subnets and AZs, providing a natural, logical way to group the assets in an application.
Author custom rules using AWS Lambda
Invoked automatically for continuous assessment
Use dashboard for visualizing compliance and identifying offending changes
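What a Lambda-backed custom rule looks like, as an added example (illustrative code written for this page, not an AWS-published rule): AWS Config invokes the handler whenever a scoped security group changes, the handler decides whether the group exposes SSH (TCP/22) to the whole internet, and it reports the verdict back with the Config `PutEvaluations` API so the offending change shows up on the compliance dashboard. The rule parameter name `port`, the sample resource ids and the capture times are constructed; the event shape (`invokingEvent`, `ruleParameters`, `resultToken`) and the configuration item fields are those Config delivers to custom rules, and `boto3` is imported only inside the handler so the evaluation logic can be tested without AWS access.

```python
# Added example: AWS Config custom rule (Lambda) flagging security groups that
# allow TCP/22 from 0.0.0.0/0 or ::/0. Evaluation is pure; only lambda_handler
# talks to AWS.
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _cidrs(permission):
    """Collect every CIDR in one ipPermissions entry. Depending on the
    configuration item version the ranges appear under ipRanges (plain
    strings or {'cidrIp': ...}), ipv4Ranges or ipv6Ranges."""
    found = set()
    for key, field in (("ipRanges", "cidrIp"), ("ipv4Ranges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
        for entry in permission.get(key) or []:
            found.add(entry if isinstance(entry, str) else entry.get(field))
    return found


def _covers_port(permission, port):
    """True if the entry's protocol/port range includes TCP on the given port."""
    proto = permission.get("ipProtocol")
    if proto == "-1":                       # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    low, high = permission.get("fromPort"), permission.get("toPort")
    if low is None or high is None:         # no range recorded: treat as all ports
        return True
    return low <= port <= high


def evaluate_compliance(configuration_item, port=22):
    """Return (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only evaluates security groups"
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource deleted"
    config = configuration_item.get("configuration") or {}
    for perm in config.get("ipPermissions") or []:
        exposed = _cidrs(perm) & WORLD_CIDRS
        if exposed and _covers_port(perm, port):
            return "NON_COMPLIANT", f"Ingress to TCP/{port} open to {sorted(exposed)}"
    return "COMPLIANT", f"No world-open ingress on TCP/{port}"


def build_evaluation(configuration_item, port=22):
    """Shape one evaluation the way PutEvaluations expects it."""
    compliance, annotation = evaluate_compliance(configuration_item, port)
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Entry point Config invokes. invokingEvent and ruleParameters arrive as JSON strings."""
    import boto3  # imported here so the pure logic above runs without the SDK
    invoking_event = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("port", 22))          # 'port' is this example's own parameter name
    evaluation = build_evaluation(invoking_event["configurationItem"], port)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed configuration items for offline testing; not real resources.
SAMPLE_OPEN_SG = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0000example0000",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"groupName": "example-open", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]},
}
SAMPLE_RESTRICTED_SG = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0000example0001",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {"groupName": "example-restricted", "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]},
}
```

The handler returns NOT_APPLICABLE for deleted resources rather than skipping them, so Config clears stale findings; a rule that stays silent on deletion leaves a NON_COMPLIANT entry on the dashboard for a group that no longer exists.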
View of a simple VPC
Can tie to CM system with name and/or tags as options passed into change set.
AWS Security Partners offer hundreds of industry-leading products that are equivalent, identical to, or integrate with existing controls in your on-premises environments. These products complement the existing AWS services to enable you to deploy a comprehensive security architecture and a more seamless experience across your cloud and on-premises environments.
Infrastructure Security
Designed to identify and protect your applications and data from cyber-attacks and other advanced threat vectors.
Logging & Monitoring
Maintain visibility and auditability of activity in your application infrastructure, while providing policy-driven alerting, and reporting.
Identity & Access Control
Help define and manage access policies to enforce business governance, including user authentication, SSO, and enforcement.
Configuration & Vulnerability Analysis
Help inspect your application deployments for security risks and vulnerabilities, while providing priorities and advice to assist with remediation.
Data Protection
Assist with safeguarding your data from unauthorized disclosure and modification, through encryption, key management, and policy-driven controls.