
Shared Responsibility In Action

An examination of how the shared responsibility model for cloud security works in the real world.

Using practical examples, you'll see how security responsibilities are balanced between the consumer (you the user) and the provider.


  1. Shared Responsibility in Action. @marknca
  2. Mark Nunnikhoven, Vice President, Cloud & Emerging Technologies, Trend Micro. @marknca
  3. Modelling security on AWS
  4. Traditional responsibility: Physical, Infrastructure, Network, Virtualization; Operating System, Application, Data.
  5. Shared responsibility: Physical, Infrastructure, Network, Virtualization; Operating System, Application, Data; Security Groups, Network Config. More info on the model is available at http://aws.amazon.com/security
  6. Shared responsibility: Physical, Infrastructure, Network, Virtualization; Operating System, Application, Data; Security Groups, Network Config; Verify. Compliance information available at http://aws.amazon.com/compliance
  7. Physical, Network, Virtualization, Operating System, Application, Data. DIY, IaaS, PaaS, SaaS. *you
  8. Better service types: Infrastructure, Container, Abstract. From AWS’ Mark Ryland talk at http://4mn.ca/ZZeDbA
  9. Service examples (Service / Type / *aaS): SQS, S3, Route53 (Abstract, SaaS); RDS, EMR, OpsWorks (Container, PaaS); EC2, EBS, VPC (Infrastructure, IaaS). Fantastic reference by AWS’ Mark Ryland at http://4mn.ca/ZZeDbA
  10. Less responsibilities
  11. More responsibilities. Less responsibilities
  12. Options : Responsibilities
  13. Re:Boot
  14. Critical embargoed bug discovered in Xen, details at http://4mn.ca/1rcXTTN
  15. A small percentage of instances scheduled for a reboot
  16. Actions to take. For EC2: nothing for cloud-native architectures; manage availability. For RDS: nothing for Multi-AZ instances; standard maintenance window for single instances. From AWS’ Mark Ryland talk at http://4mn.ca/ZZeDbA
  17. POODLE
  18. CVE-2014-3566 : Padding Oracle On Downgraded Legacy Encryption
  19. Attack forces an older cipher choice. Details at http://4mn.ca/1EYfBEA
  20. Actions to take. For ELB: select a non-affected cipher suite. For web servers: enable TLS_FALLBACK_SCSV; disable support for SSL 3.0*. From AWS’ Mark Ryland talk at http://4mn.ca/ZZeDbA
  21. Shellshock
  22. More info on bash is available at http://www.gnu.org/software/bash/
  23. 10/10 vulnerability. Widespread & easy to exploit. (){}; attacka:() { b; } | attack;
  24. Actions to take. For EC2: update bash; use an intrusion prevention system.
  25. Applied at the boundary. Majority of security controls are traditionally applied at the boundary
  26. Applied to each instance. Same controls applied in the AWS Cloud, now to each instance
  27. Options : Responsibilities
  28. @marknca Thank you. Learn more at testdrive.trendmicro.com
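
An added example (not from the talk, AWS or Trend Micro): a small Python audit for the "disable support for SSL 3.0" action on slide 20, flagging nginx `ssl_protocols` and Apache `SSLProtocol` lines that still leave SSLv3 enabled. The sample configs are constructed, and the expansion of Apache's `all` keyword is an assumption matching 2014-era builds.

```python
import re

# Constructed sample configs for this example (not taken from the talk).
NGINX_WEAK = "server {\n  listen 443 ssl;\n  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_FIXED = "server {\n  listen 443 ssl;\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
APACHE_WEAK = "SSLEngine on\nSSLProtocol all -SSLv2\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"

# Assumption: what "all" expands to on a 2014-era Apache/OpenSSL build.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
# Matches only active (uncommented) protocol directives.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#\n]+)", re.I)

def apache_protocols(tokens):
    """Apply mod_ssl SSLProtocol tokens left to right; return the enabled set."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        name = name.lower()
        names = APACHE_ALL if name == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = set(names)  # a bare token replaces what came before
    return enabled

def sslv3_findings(config_text):
    """Return (line number, directive) for every line that leaves SSLv3 on."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        tokens = m.group(2).split()
        if m.group(1).lower() == "ssl_protocols":  # nginx: list of enabled protocols
            enabled = {t.lower() for t in tokens}
        else:                                      # Apache mod_ssl: +/- token syntax
            enabled = apache_protocols(tokens)
        if "sslv3" in enabled:
            findings.append((lineno, line.strip()))
    return findings

if __name__ == "__main__":
    samples = {"nginx weak": NGINX_WEAK, "nginx fixed": NGINX_FIXED,
               "apache weak": APACHE_WEAK, "apache fixed": APACHE_FIXED}
    for name, cfg in samples.items():
        # An empty result means no directive explicitly enables SSLv3.
        print(name, sslv3_findings(cfg) or "no SSLv3-enabling directive")
```

An empty result only means no directive in the file turns SSLv3 on; a server with no protocol directive at all falls back to its build defaults, which need checking separately.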
