#RSAC
SESSION ID: CSV-F02
Democratizing Cloud Security
Our Journey To Secure The Public Cloud
Hardeep Singh
Sr Principal Security Engineer
Symantec Corporation/Cloud Platform Engineering
Yunchao Liu
Sr Software Engineer
Symantec Corporation/Cloud Platform Engineering
Why The Need To Democratize Security?
On premise vs. public cloud:
• Centralized, static bureaucracy vs. decentralized, agile adhocracy
• On premise: private, limited resources, defined vectors vs. public cloud: unlimited resources, unrestricted vectors
• Strict separation of duties vs. DevOps wearing many hats
• Centralized SOC with antiquated policies to secure them all
Journey To Secure The AWS Environment
• Establish a cloud-based security maturity framework
• Identify security controls for the environment
• Implement processes & services for operators
• Extend the framework to cover forensics & SDLC
• Implement processes & services for developers & responders
• Integrate compliance & audits into the framework
• Automate enforcement & remediation
Security Maturity Framework
• Established a working group of security leads from all BUs
  o Identified ownership at all levels
  o Built consensus
  o Identified the account onboarding process
  o Identified timelines for compliance
• Defined security maturity policies
  o Observable, actionable & enforceable policies only
  o Started with the baseline CIS AWS Foundations Benchmark recommendations
  o Extended to identify insecure resources
  o Enhanced to cover internal policies, SDLC, forensics & compliance
• Enforced compliance
  o Established an exception process
  o Created detailed reports on non-compliance
  o Automated enforcement
  o Created services to help operators, developers & responders implement the security policies
Security Maturity Policies
AWS Environment:
• Optimize IAM users & policies
• Centralize all audit logs
• Restrict public access to resources
• Encrypt all storage resources
• Define a mandatory tagging policy
• Facilitate incident responders (reactive)
SDLC:
• Golden image: scans in the build cycle
• TVM (threat & vulnerability management): response to new CVEs
• Threat modeling of all services
• Secret & credential management
• Pen testing, game days, bug bounties
• Auditable processes
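The slide lists the policies but not how "observable, actionable & enforceable" is made concrete. The following is an added example, not code from the talk or from Symantec: it encodes four of the AWS environment policies (public access, storage encryption, mandatory tags, IAM user hygiene) as checks over an account snapshot whose records mirror the shape of boto3's GetBucketAcl, GetBucketPolicy, GetBucketEncryption, GetPublicAccessBlock, GetBucketTagging and IAM credential-report responses. The snapshot itself is hand-constructed so the script runs offline; the REQUIRED_TAGS set, the 90-day key-age limit, the policy names and the remediation strings are assumptions, not the authors' settings.

```python
# Added example: maturity-policy checks over a constructed AWS account snapshot.
# Data shapes mirror boto3 responses but every record below is hand-built.
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List

REQUIRED_TAGS = ("Owner", "CostCenter", "DataClassification")  # assumed tagging policy
MAX_KEY_AGE_DAYS = 90                                          # assumed rotation limit (CIS-style)
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass(frozen=True)
class Finding:
    policy: str       # which maturity policy the resource violates
    resource: str     # bucket name or IAM user name
    remediation: str  # the actionable step an operator should take


def wildcard_principal(stmt: Dict[str, Any]) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    p = stmt.get("Principal")
    if p == "*":
        return True
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def bucket_is_public(b: Dict[str, Any]) -> bool:
    """Public if an ACL grant or an unconditional Allow-to-everyone policy statement
    exists and Public Access Block does not override it."""
    pab = b.get("PublicAccessBlock", {})
    if all(pab.get(f) for f in PAB_FLAGS):
        return False  # all four PAB flags set: ACLs and policies cannot expose the bucket
    for grant in b.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri.endswith(("/global/AllUsers", "/global/AuthenticatedUsers")):
            return True
    policy = json.loads(b["Policy"]) if b.get("Policy") else {}
    return any(s.get("Effect") == "Allow" and wildcard_principal(s) and not s.get("Condition")
               for s in policy.get("Statement", []))


def bucket_is_encrypted(b: Dict[str, Any]) -> bool:
    """True when a default server-side encryption rule (SSE-S3 or SSE-KMS) is configured."""
    rules = b.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ("AES256", "aws:kms")
               for r in rules)


def missing_tags(b: Dict[str, Any]) -> List[str]:
    present = {t["Key"] for t in b.get("TagSet", [])}
    return [t for t in REQUIRED_TAGS if t not in present]


def evaluate(snapshot: Dict[str, Any], now: datetime) -> List[Finding]:
    """Run every policy over every resource; each Finding names the fix, not just the failure."""
    findings: List[Finding] = []
    for b in snapshot["buckets"]:
        name = b["Name"]
        if bucket_is_public(b):
            findings.append(Finding("restrict-public-access", name,
                                    "enable all four PublicAccessBlock flags and remove the public grant"))
        if not bucket_is_encrypted(b):
            findings.append(Finding("encrypt-storage", name,
                                    "set a default SSE rule (AES256 or aws:kms) on the bucket"))
        missing = missing_tags(b)
        if missing:
            findings.append(Finding("mandatory-tags", name, "add tags: " + ", ".join(missing)))
    for u in snapshot["iam_users"]:
        if u["PasswordEnabled"] and not u["MfaActive"]:
            findings.append(Finding("iam-hygiene", u["User"], "enable MFA or remove the console password"))
        for key in u.get("AccessKeys", []):
            age = (now - datetime.fromisoformat(key["CreateDate"])).days
            if key["Status"] == "Active" and age > MAX_KEY_AGE_DAYS:
                findings.append(Finding("iam-hygiene", u["User"],
                                        f"rotate access key {key['AccessKeyId']} ({age} days old)"))
    return findings


# Constructed snapshot: one compliant bucket, one bucket failing three policies,
# one compliant user and one user with no MFA and a stale key.  The key id is
# AWS's documentation placeholder, not a real credential.
SNAPSHOT = {
    "buckets": [
        {"Name": "logs-central",
         "TagSet": [{"Key": k, "Value": "x"} for k in REQUIRED_TAGS],
         "PublicAccessBlock": {f: True for f in PAB_FLAGS},
         "ServerSideEncryptionConfiguration": {"Rules": [
             {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        {"Name": "marketing-assets",
         "TagSet": [{"Key": "Owner", "Value": "mkt"}],
         "PublicAccessBlock": {f: False for f in PAB_FLAGS},
         "Policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                              "Action": "s3:GetObject",
                                              "Resource": "arn:aws:s3:::marketing-assets/*"}]})},
    ],
    "iam_users": [
        {"User": "alice", "PasswordEnabled": True, "MfaActive": True, "AccessKeys": []},
        {"User": "build-bot", "PasswordEnabled": True, "MfaActive": False,
         "AccessKeys": [{"AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
                         "CreateDate": "2017-01-01T00:00:00+00:00"}]},
    ],
}


def run() -> List[Finding]:
    """Evaluate the constructed snapshot at a fixed date so key ages are reproducible."""
    return evaluate(SNAPSHOT, now=datetime(2017, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for f in run():
        print(f"{f.policy:24} {f.resource:18} {f.remediation}")
```

Two caveats for anyone adapting this: the public-access check treats a bucket whose four Public Access Block flags are all set as non-public regardless of its ACL or policy, which is what S3 enforces, but an account-level block is not represented here and would have to be merged in; and since January 2023 S3 applies SSE-S3 to every new bucket, so an "encrypt all storage" policy written today usually means "SSE-KMS with a customer-managed key", which tightens the `bucket_is_encrypted` test to `aws:kms` plus a check of `KMSMasterKeyID`.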