AWS Security Best Practices for Cloud Adoption

© 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Driven by security: Legendary
Entertainment’s high-velocity cloud
transformation
Dan Meacham
VP, Global Security, CSO/CISO
Legendary Entertainment
S D D 3 2 5 - S
Slawomir Ligier
VP, Engineering, MVISION Cloud
McAfee

2
Today’s Agenda and Key Takeaways
Agenda
▪ Enterprise Customer Cloud Journey Challenges
▪ Legendary Entertainment’s Cloud Transformation
▪ How MVISION Cloud helped Legendary Entertainment
Key Takeaways
▪ IaaS cloud workloads on AWS must be carefully designed and continuously
audited to help reduce risk and potential data loss
▪ Monitoring cloud activity and users for anomalous behavior can help to
identify insider threats and compromised accounts
▪ Storing business data in Amazon S3 introduces different considerations that
didn’t exist in the traditional datacenter model

3
IaaS Fastest Growing Segment of Cloud
Source: Gartner Forecasts Worldwide Public Cloud Revenue press release, April 12, 2018
IaaS 35.9% CAGR
SaaS 22.2% CAGR

4
31%
13%
11%
16%
8%
5%
5%
7%
2%
2%
IaaS,
24%
Misc,
10%
Enterprise
SaaS, 66%
Where is Your Sensitive Data in the Cloud?
Enterprise SaaS and IaaS Top Concerns:
▪ Data Visibility
▪ User Behavior / Threat Detection
▪ Security Compliance / Configuration
Zero-to-60 for IaaS
▪ More than 3x growth
▪ Continued enterprise push for cloud
transformation

5
Shared Responsibility Model
Customer’s responsibility in
securing IaaS is much greater
than in SaaS

6
Average organization has
14 misconfigured IaaS services
running at a given time

7
Average organization experiences
1,527 DLP incidents in IaaS/PaaS
per month

8
How do I detect malicious or
insider activity in clouds I do not
control?

9
3.8 PB
On-Prem Data
(2 Shows)
15 TB
One Character Model
2 PB
Data in AWS
58
Films
Box Office
$16 Billion
325
Employees
Single Show
2,000

10
2013—Cloud First
Architecture
2014—95% IaaS / SaaS
2015 —User Centric
Security Architecture
2016—SSO and
Device Management
2017—CASB
2018—CASB
Insider Threat
Business Requirements
▪ Cloud First
▪ Secure Collaboration
▪ User Trust Model that supports
Cloud, SSO, and BYOD
Security Requirements
▪ Secure sensitive data
▪ Secure the device
▪ Enable employees and partners to
work from anywhere

11
IaaS Key CASB Use Cases
2. Managing Rogue IaaS Accounts
Discover shadow IT usage and reclaim control of risky IaaS usage.
1. Security Configuration Monitoring of IaaS Resources
Identify IaaS resources with security settings that are non-compliant to CIS Level 1, 2 policies.
3. Visibility of Confidential Data
Gain visibility of regulated/high-value data stored in Amazon S3 Storage.
4. Activity Monitoring, Advanced Threat Protection
Capture an audit trail of activity for forensic investigations. Detect compromised accounts.

12
Data Exfiltration Vectors—IaaS Infrastructure and Apps
Compromised
AccountsMisconfiguration
Rogue User
Confidential Data
Leaks
Rogue IaaS
Accounts
IaaS

13
Compromised
Rogue User
Confidential Data
Leaks
Rogue IaaS
Accounts
IaaS

14
Security Configuration Audit
Manage regulated/high-value data being stored in the cloud.
▪ 102 Unique Configuration
Checks and Policies
▪ Continuously monitor IaaS
security settings for
misconfiguration

15
Security Configuration Audit
Manage regulated/high-value data being stored in the cloud.
▪ As IaaS admins correct
misconfigured settings,
McAfee automatically resolves
the incident

16
Introducing MVISION Cloud “Shift Left”
What is CloudFormation?
▪ Agile Organizations use AWS CloudFormation Templates
▪ Allows for rapid rollout, preconfigured systems
MVISION Cloud “Shift Left” provides audit of AWS
CloudFormation
▪ Head off security and compliance issues BEFORE rollout
▪ Reduce risk for systems pushed into production
▪ Streamline DevSecOps
AWS
CloudFormation

17
Compromised
Rogue User
Confidential Data
Leaks
Rogue IaaS
Accounts
IaaS

18
Managing Rogue IaaS Instances
Discover shadow AWS usage and reclaim control of risky IaaS usage.
▪ Enforce governance policies
and coach users to approved
IaaS platform

19
Managing Rogue IaaS Instances
Discover shadow AWS usage and reclaim control of risky IaaS usage.
▪ Identify risky or unsanctioned
IaaS platforms in use
▪ Identify AWS Accounts not
under management

20
Compromised
Rogue User
Confidential Data
Leaks
Rogue IaaS
Accounts
IaaS

21
Visibility of Confidential Data
Gain visibility of regulated/high-value data stored in Amazon S3 Storage
▪ Perform on-demand scans to
identify sensitive or protected
data stored in IaaS storage
services
▪ Remediate with Amazon S3
Encryption, Stronger Policies, or
Network Boundaries

22
Compromised
Rogue User
Confidential Data
Leaks
Rogue IaaS
Accounts
IaaS
Activity Monitoring
& Forensics

23
Activity Monitoring and Forensics
Capture and categorize an audit trail of activity for forensic investigations.
▪ Categorizes 100s of activities
into 13 categories for easy
filtering/navigation

24
Capture and categorize an audit trail of activity for forensic investigations.
▪ Expand the scope of an
investigation and browse a
geo-location map

25
Capture and categorize an audit trail of activity for forensic investigations
▪ Investigate activities for a
specific user centered around
an incident

26
Capture and categorize an audit trail of activity for forensic investigations
▪ IP reputation to identify access
by a malicious IP such as a TOR
network

27
Compromised
Rogue User
Confidential Data
Leaks
Rogue IaaS
Accounts
IaaS
Advanced Threat
Detection

28
Advanced Threat Protection
Detect compromised accounts, insider threats, and malware
▪ Threat funnel correlates multiple
anomalies, minimizing false
positives

29
Advanced Threat Protection
Detect compromised accounts, insider threats, and malware
▪ No pre-defined policies or
thresholds, automatic models
based on activity

31
McAfee MVISION Cloud Integration—AWS Security Hub
MVISION Cloud
AWS Security Hub

32
▪ Achieved in 2019
▪ Long standing APN Partner
▪ Referenceable Customers
▪ Vetted solution by AWS
Only CASB with AWS Security Competency
MVISION Cloud

Enterprise Security
Platform Strategy

34
Security Platform for Cloud Adoption
Device Network
Network-centric controls
(Web protection, DLP, threat
protection, etc.)
Cloud-native controls
(DLP, configuration management, threat
protection, etc.)
Device-centric controls
(DLP, device control, encryption,
threat protection, etc.)
Cloud
End-to-end Policy Unified Incident Management

35
As You Progress on Your Cloud Journey…
Storing and identifying regulated business data in Amazon S3 storage
introduces different considerations that didn’t exist in a
traditional datacenter model
Rapid Cloud Adoption planning
must be carefully designed and
continuously audited to help
reduce risk and potential data loss
Monitor cloud activity and users
for anomalous behavior can help to
identify insider threats and
compromised accounts

36
AWS Vulnerability
Assessment
Definitive Guide to
AWS Security eBook
Gartner CASB MQ
Free AWS Security Resources

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the U.S. and/or other countries.
Other names and brands may be claimed as the property of others.
Copyright © 2019 McAfee, LLC.

Thank you!
© 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Dan Meacham
VP, Global Security, CSO/CISO
Legendary Entertainment
Slawomir Ligier
VP, Engineering, MVISION Cloud McAfee
@sligier

AWS Security Best Practices for Cloud Adoption

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to AWS Security Best Practices for Cloud Adoption

Similar to AWS Security Best Practices for Cloud Adoption (20)

More from Amazon Web Services

More from Amazon Web Services (20)

AWS Security Best Practices for Cloud Adoption