Ultra Secure Cloud Data Center on AWS
DESCRIPTION
This presentation is an introduction to Emind Systems' in-house best practice for an ultra-secure application deployment on the AWS cloud. This best practice is based on Emind's experience in performing dozens of infrastructure projects based on the Amazon Web Services' platform.
TRANSCRIPT
About
Lahav Savir
• 15+ years in the on-line industry
• Architect and CEO @ Emind Systems
Emind Systems (est. 2006)
• Boutique system integrator
• AWS solution provider
• 100+ AWS customers
Amazon (AWS) Certification
Amazon Solution Provider & Consulting Partner
https://aws.amazon.com/solution-providers/si/emind-systems-ltd
What is a secure data center?
• Isolated and controlled
• Firewalled
• Secure access
  – VPN
  – SSL
• Audited
• Intrusion detection & prevention
• Configuration analysis
• Data encryption
• Antivirus
• Frequent updates
• User management
  – One-time password
• One spot for monitoring
  – Centralized alerts and notifications
• Regulatory compliance
Emind’s best practice
Access Management
• Control the data flow
  – AWS VPC
  – ACL
  – Routing
  – Handle all in/out traffic
• Access control
  – Security groups
• Identity access management
  – One-time password
  – AWS IAM with MFA
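One way to put the "Access control – Security groups" and "Configuration analysis" points into practice, as an added Python example (not Emind's code): it audits a constructed security-group ruleset laid out like the EC2 DescribeSecurityGroups response and reports every rule that admits the whole internet on a port other than HTTPS. The group ids and the 443-only public policy are assumptions.

```python
# Added example: audit a security-group ruleset for world-open ports.
# The rule layout mirrors the EC2 describe-security-groups response
# (IpPermissions / IpRanges / CidrIp); the groups below are constructed
# sample data, not a real account.
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {443}  # assumption: only HTTPS may face the internet

SAMPLE_GROUPS = [  # constructed sample data
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]


def world_open_findings(groups):
    """Return (group_id, protocol, port_range, cidr) for every rule that
    lets any internet source in on a port outside PUBLIC_OK."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD:
                    continue  # internal source, not a public exposure
                proto = perm["IpProtocol"]
                if proto == "-1":  # "-1" means all protocols and all ports
                    findings.append((g["GroupId"], "all", "all", cidr))
                    continue
                lo, hi = perm["FromPort"], perm["ToPort"]
                if any(p not in PUBLIC_OK for p in range(lo, hi + 1)):
                    findings.append((g["GroupId"], proto, f"{lo}-{hi}", cidr))
    return findings


if __name__ == "__main__":
    for finding in world_open_findings(SAMPLE_GROUPS):
        print("world-open:", finding)
```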
ACL & Routing in the VPC
Emind’s best practice (layered diagram): VPC, IAM, Traffic
Traffic Control
• Log in / out traffic
• Terminate encrypted connection
• Sanitize in / out packets
  – Real-time decisions
  – Accept / reject connections
  – Rate limiting
Emind’s best practice (layered diagram): VPC, IAM, Traffic, Encryption, Sanitize
Anomaly detection
• Host-based IDS
  – Detect configuration changes
  – Track running processes
  – Track file access
  – Resource access
  – Detect abnormal behavior!
• OS hardening
• App cleanup
Emind’s best practice (layered diagram): VPC, IAM, Traffic, Encryption, Sanitize, Host IDS, Hardening
Data Protection
• In flight
  – SSL encryption
  – IPsec
• At rest
  – Storage-level encryption
  – Database encryption
Emind’s best practice (layered diagram): VPC, IAM, Traffic, Encryption, Sanitize, Host IDS, Hardening, Data Enc.
Data aggregation
• Need to aggregate
  – VPN access logs
  – Traffic audit logs
  – Network IDS logs
  – Host IDS logs
  – Antivirus logs
• Detect patterns
Emind’s best practice (layered diagram): VPC, IAM, Traffic, Encryption, Sanitize, Host IDS, Hardening, Data Enc., Aggregate
Security lifecycle management
• Ongoing log discovery & analysis
  – Access
  – Traffic
  – IDS
  – Antivirus
  – Encryption keys
• Act on analysis results
• Reveal and fix cloud infrastructure settings
• Make them all orchestrate together!
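The data aggregation slide and this lifecycle slide describe the same pipeline: pull logs from several sources into one stream and act on patterns. An added Python example (not Emind's code) normalises constructed VPC flow log lines and constructed VPN gateway lines into one event list, then flags a source that both failed VPN authentication and was rejected on several distinct ports, a pattern neither log shows on its own. The flow-log field order is the VPC flow log version 2 layout; the VPN line format, the account id and the port threshold are assumptions.

```python
# Added example: aggregate two log sources and detect a cross-source pattern.
from collections import defaultdict

# Constructed sample lines. Flow logs use the VPC flow log v2 field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0a 198.51.100.7 10.0.1.20 40001 22 6 1 44 1700000000 1700000010 REJECT OK
2 123456789012 eni-0a 198.51.100.7 10.0.1.20 40002 23 6 1 44 1700000001 1700000011 REJECT OK
2 123456789012 eni-0a 198.51.100.7 10.0.1.20 40003 3306 6 1 44 1700000002 1700000012 REJECT OK
2 123456789012 eni-0a 203.0.113.9 10.0.1.20 51000 443 6 12 3400 1700000003 1700000013 ACCEPT OK
""".splitlines()

# Constructed VPN gateway format (assumption): "<epoch> <host> <event> user=<u> src=<ip>"
VPN_LOGS = """\
1700000005 vpn-gw auth-fail user=alice src=198.51.100.7
1700000020 vpn-gw auth-ok user=bob src=203.0.113.9
""".splitlines()


def parse_flow(line):
    f = line.split()
    return {"ts": int(f[10]), "src": f[3], "dst": f[4], "dport": int(f[6]),
            "kind": "flow", "action": f[12]}


def parse_vpn(line):
    ts, _host, event, user, src = line.split()
    return {"ts": int(ts), "src": src.split("=", 1)[1],
            "user": user.split("=", 1)[1], "kind": "vpn", "action": event}


def aggregate(flow_lines, vpn_lines):
    """Normalise both sources into one time-ordered event list."""
    events = [parse_flow(l) for l in flow_lines] + [parse_vpn(l) for l in vpn_lines]
    return sorted(events, key=lambda e: e["ts"])


def suspicious_sources(events, min_ports=3):
    """Sources rejected on >= min_ports distinct ports that also failed VPN auth."""
    rejected_ports = defaultdict(set)
    vpn_fail = set()
    for e in events:
        if e["kind"] == "flow" and e["action"] == "REJECT":
            rejected_ports[e["src"]].add(e["dport"])
        elif e["kind"] == "vpn" and e["action"] == "auth-fail":
            vpn_fail.add(e["src"])
    return sorted(s for s, ports in rejected_ports.items()
                  if len(ports) >= min_ports and s in vpn_fail)


if __name__ == "__main__":
    print("alert:", suspicious_sources(aggregate(FLOW_LOGS, VPN_LOGS)))
```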
• goCloud – Emind’s optimal road to the cloud
  – Secure cloud architecture
  – Scalable & high-availability design
  – Customized system deployment
  – Orchestrating cloud and software
  – Cloud operation team
  – Monitoring and alerting
  – 24x7 SLA