Securing Your DevOps Pipeline On AWS

2017 CANADIAN EXECUTIVE CLOUD & DEVOPS SUMMIT

Link to the Conference Website: devopscloudsummit.com

Security Panel Discussion

The security panel tackled the following questions in a free form discussion (I've included some notes from the discussion below):

  1. Recently there has been a breach of security, known as the "WannaCry" ransomware. It's considered kind of a big incident - let's talk about that and what your perspective is on this incident.
    • Vulnerability was disclosed / discovered on April 14th, 2017.
    • Exploit was released on May 12th, 2017.
    • Microsoft released a critical security patch, March 14th, 2017. This was two months prior to the ransomware being released!
    • Affected old or out-of-date versions of Windows.
    • Ransomware is an increasingly popular strategy for attackers, and cryptocurrencies like Bitcoin help that.
    • These attacks are very destructive to the target and lucrative for the attacker.
    • These criminals are responsible for a growing percentage of financial fraud, malware, and other cyber threats. They either make money directly from the attack, from the sale of the data, or from money laundering after cyber-attacks.
    • They will continually find new ways to penetrate accounts and corporate networks, and evade detection by tools deployed to counter such threats.
    • Compliance does not secure make.
  2. There is a growing impact from IoT devices and cloud technologies. Can you comment on how that reduces, or changes, security for large-scale attacks like the Mirai-based attack on DynDNS in October?
    • We need to consider security of every device we build – if it can be exploited it will be. And if it's internet connected, then it can be.
    • Technology has promised convenience, and end users now expect that promise to be kept. Companies are releasing refrigerators that can order groceries, a symbol of how far convenience has advanced.
    • Everything is becoming more digitally driven and digitally connected. Protocol changes like IPv6 are enabling an explosion of internet-connected devices.
    • It is critically important to keep all transactions secure, whether financial or otherwise. I don’t want some stranger messing with my Netflix recommendations. PII data should generally be considered compromised, since the data is likely duplicated between organizations.
    • With the number of data breaches making headlines, fraud at scale is synonymous with automation.
    • Automated attacks are cheap, easy, and scale.
    • We need to focus on reducing customer friction while increasing our ability to identify good users and flag high-risk anomalies.
    • This is where solutions like NuDetect come to the forefront – using a mix of active and passive biometrics to retain the frictionless user experience while making it more difficult for attackers.
  3. What trends are you seeing in your industry? Particularly in regards to the Financial Services or Financial Technology adoption rate of the cloud in Canada?
    • At NuData Security, we have a SaaS offering that runs on AWS, a single-tenant option (also on AWS), and an on-premises option for those who want to run our software in their own data center or on a competing cloud provider.
    • Our SaaS product is our most popular offering.
  4. The new common tagline is “You're more secure on the cloud”. How are you more secure in the Cloud?
    • Compared to an on-premises environment, several concerns are taken care of automatically for you: strong perimeters and surveillance, controlled access, cybersecurity expertise plus huge teams monitoring for threats, thorough and frequent auditing...
    • Looking at AWS specifically, they supply a plethora of strong tools for our consumption: CloudTrail, Config, Config Rules, S3 Logs, ELB Logs, CloudWatch Metrics, CloudWatch Logs, CloudWatch Alerts, VPC Flow Logs, CloudFront Logs...
    • These are easy to analyze, build triggers around, and consume.
    • There are other tools as well that incorporate strong security, all built on user permissions, i.e. IAM (Identity and Access Management).
  5. What is the shared responsibility model on AWS?
    • Companies are responsible for their security in the cloud: customer data, platform, applications, user management / permissions, data encryption and integrity, and network traffic protection.
    • AWS is responsible for the security of the cloud: compute, storage, database, networking, global infrastructure, regions, availability zones, edge locations...
  6. What’s going on with Machine Learning and AI within security? Obviously, it brings a whole new level of capabilities. How do you see that evolving?
    • On one side, you have fraudsters and hackers, and they test various systems for weaknesses. Once a weakness is found, it's exploited until someone writes a rule to address the weakness.
    • Imagine you're running a business: eventually you're just writing rules to try and stay ahead of attacks, while wishing you could focus on running a successful business. It's inherently reactive. You can end up with whole teams and even departments just managing rules.
    • Machine learning algorithms learn which data points from a collection of hundreds or thousands are significant when detecting fraud. Instead of humans telling the system what it should look for, the algorithm automates the investigation of more data than is possible for a human to screen, correlating hundreds of data points like typing speeds, scrolling speed, preferred times of day to visit, top cities, countries, devices, credit card numbers, credit card types.
    • The program learns the telltale signs of fraud that are unique to each website, creating a customized solution that is always adapting. Beyond just learning what fraud looks like, the program also learns the signifiers of good users, removing the risk of false-positive fraud results.
    • Part of the layered approach to security.
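The point in question 4 that CloudTrail and the other AWS log sources are "easy to analyze, build triggers around, and consume" can be made concrete with a small offline detector. What follows is an added example written for this write-up; it is not code from the presentation, the panel, or the linked repositories. The records are constructed to follow the CloudTrail record layout (account id, ARNs, IPs and trail name are made up), and the three checks (root console login without MFA, a security group rule opened to the whole internet, and a call that stops or alters the trail) are my choice of high-value triggers, not a list the panel gave. The same `evaluate` function could be run from a Lambda on each log file delivered to S3; here it reads an inline JSON string so it runs with nothing but the standard library.

```python
"""Offline evaluation of CloudTrail records against a handful of detections.

Added example, not code from the presentation or the linked repositories.
The records below are constructed to follow the CloudTrail record layout;
they are not events from any real account.
"""
import json
from typing import Dict, List

# CloudTrail delivers gzipped JSON objects shaped {"Records": [...]} to S3.
# This constructed payload mimics that shape (sample data, not real logs).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2017-05-15T13:02:11Z",
     "userIdentity": {"type": "Root", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:root"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.05", "eventTime": "2017-05-15T13:05:40Z",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/deployer",
                      "userName": "deployer"},
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instancesSet": {}, "filterSet": {}}},
    {"eventVersion": "1.05", "eventTime": "2017-05-15T13:06:12Z",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/deployer",
                      "userName": "deployer"},
     "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {
         "items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventVersion": "1.05", "eventTime": "2017-05-15T13:09:02Z",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/deployer",
                      "userName": "deployer"},
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {
         "name": "arn:aws:cloudtrail:us-east-1:111111111111:trail/main"}},
]})


def root_login_without_mfa(r: dict) -> bool:
    """Root account console login where MFA was not used."""
    return (r.get("userIdentity", {}).get("type") == "Root"
            and r.get("eventName") == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def world_open_ingress(r: dict) -> bool:
    """AuthorizeSecurityGroupIngress that admits 0.0.0.0/0 or ::/0."""
    if r.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = r.get("requestParameters", {}).get("ipPermissions", {})
    for perm in perms.get("items", []):
        v4 = [x.get("cidrIp") for x in perm.get("ipRanges", {}).get("items", [])]
        v6 = [x.get("cidrIpv6") for x in perm.get("ipv6Ranges", {}).get("items", [])]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return True
    return False


def trail_tampering(r: dict) -> bool:
    """Calls that stop, delete or alter the trail feeding this detection."""
    return (r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"})


# Each rule is a plain predicate over one record; new rules go here, not in evaluate().
RULES = [
    ("root console login without MFA", root_login_without_mfa),
    ("security group ingress opened to the whole internet", world_open_ingress),
    ("CloudTrail logging stopped or altered", trail_tampering),
]


def evaluate(trail_json: str) -> List[Dict[str, str]]:
    """Run every rule over every record and return one finding per match."""
    findings = []
    for record in json.loads(trail_json)["Records"]:
        for title, matches in RULES:
            if matches(record):
                findings.append({
                    "rule": title,
                    "eventName": record.get("eventName", ""),
                    "actor": record.get("userIdentity", {}).get("arn", ""),
                    "sourceIPAddress": record.get("sourceIPAddress", ""),
                    "eventTime": record.get("eventTime", ""),
                    # Non-empty errorCode means IAM denied the call; the attempt still matters.
                    "errorCode": record.get("errorCode", ""),
                })
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_TRAIL):
        print(f"{f['eventTime']} {f['rule']}: {f['eventName']} by {f['actor']} "
              f"from {f['sourceIPAddress']}")
```

Denied calls are deliberately kept rather than filtered out: a `StopLogging` that IAM rejected did not change anything, but it still tells you which principal tried, which is exactly the kind of high-risk anomaly the panel's question 2 asked about.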

Panel video: (Coming Soon!)

Securing the DevOps Pipeline with AWS

Here are the resources from my presentation:

Here are the related source articles:

  • Securing Your Development Pipeline with AWS: /articles/aws-developer-tools-for-cicd
  • Advanced Auditing with AWS Config: /articles/aws-config-rules

Here are the links to related GitHub repositories:

  • aws-codepipeline-example: https://github.com/666jfox777/aws-codepipeline-example
  • aws-config-rules-template: https://github.com/666jfox777/aws-config-rules-template

Presentation video: (Coming Soon!)