Aptible Update Webinar Series - April 2017

Transcript

1. Ap#ble'Update'Webinar April&2017

2. Agenda • Enclave)features)and)updates • Gridiron)updates)and)availability • Open)Q&A

3. Logis&cs • Use%Zoom%Q&A%for%ques0ons • Recording%will%be%posted%at%www.ap0ble.com/resources

4. What's'new'on'Enclave? April&18,&2017

5. Before&we&start... The$Enclave$team$is$looking$for$feedback! We'd%like%to%schedule%301minute%customer%interviews%to%talk% through%how%you're%using%Enclave,%and%discuss%how%we%can%make%it% be=er. If#you're#interested,#please&send&a&direct&message&to&Frank.

6. Overview Our$vision$is$unchanged:$we$want$Enclave$to$be$the$best$place$to$ deploy$regulated$and$sensi8ve$projects. To#that#end,#this#quarter#we#invested#in: • Security*and*Compliance • Database*Self7Service • Usability*Improvements

7. >"Security"and"Compliance"< Database'Self+Service Usability)Improvements

8. Security)and)Compliance 3"main"direc+ons"here: • We're&making&it&easier&for&you&to&secure&your&apps. • We're&helping&you&meet&your&compliance&goals. • We're&improving&the&security&of&Enclave&itself.

9. App#Security 3"new"features"make"it"easier"to"secure"your"apps"on"Enclave: • IP$Filtering • Managed$HTTPS$for$Internal$Endpoints • Docker$Image$Security$Scanning$(Private$Beta)

10. App#Security IP#Filtering

11. IP#Filtering IP#Filtering#lets#you#firewall#app#Endpoints;#i.e.#restrict#traffic#to#a# set#of#allowed#IP#sources. Typical(use(cases(include: • Internal)apps)(e.g.)Kibana,)admin)dashboards). • Private)External)APIs)(e.g.)restricted)to)a)set)of)high?value) customers). •

    Pre?release)apps.
12. None

13. App#Security Managed'HTTPS'for'Internal' Endpoints

14. Internal(Endpoints Internal(Endpoints(are(great(for(isola1ng(apps(that(should(only(be( accessed(from(within(your(dedicated(Ap1ble(VPC. Typical(use(cases(include: • Microservices*consumed*by*other*apps*deployed*on*Ap7ble. • Internal*apps*/*dashboards*(e.g.*Kibana),*if*you*have*a*VPN* connec7on*set*up*to*tunnel*into*your*Ap7ble*VPC.

15. Managed'HTTPS Managed'HTTPS'makes'it'easier'to'create'Endpoints'on'Ap7ble'by' provisioning'and'renewing'SSL'/'TLS'cer7ficates'on'your'behalf. Using&Managed&HTTPS,&all&you&need&to&deploy&your&app&with& HTTPS&support&on&Ap:ble&is&a&domain&name. Under&the&hood,&Managed&HTTPS&relies&on&Let's&Encrypt.

16. Managed'HTTPS To#provision#a#cer-ficate#with#Let's#Encrypt,#Enclave#needs#to#verify# control#of#said#domain#first. Let's&Encrypt&offers&mul2ple&op2ons&to&do&so: • HTTP:#Let's#Encrypt#needs#to#make#a#HTTP#request#to#the#Endpoint • DNS:#Let's#Encrypt#needs#to#read#a#TXT#record#via#DNS. • TLS(SNI:#Let's#Encrypt#needs#to#complete#a#TLS#handshake#with#

    the#Endpoint.

17. Managed'HTTPS'for'Internal'Endpoints Enclave(historically(used(HTTP(verifica6on,(but(that(method(does( not(work(for(Internal(Endpoints:(Let's(Encrypt(can't(connect(to( them!(So,(Enclave(now(uses(DNS$verifica,on(as(well. Verifica(on+Method External+Endpoints Internal+Endpoints HTTP Supported Not-Supported

    DNS-(new!) Supported Supported!

18. App#Security IP#Filtering#vs.#Internal#Endpoints

19. IP#Filtering#vs.#Internal#Endpoints IP#Filtering#(new!) Internal#Endpoints Accessible(from A(set(of(IPs(you(allow All(clients(in(your( Ap6ble(VPC Managed(HTTPS Supported Supported((new!)

    Recommended(for Private(External(APIs,( Internal(tools Microservices, Internal(tools((if(VPN)

20. App#Security Docker'Image'Security'Scanning

21. Docker'Image'Security'Scanning We're%running%a%private(beta%of%Docker%Image%Security%Scanning. This%is%an%integra,on%of%Appcanary%(appcanary.com)%with%Ap,ble.%It% can%help%you%meet%compliance%requirements%for%security%scanning.

22. Docker'Image'Security'Scanning Here's&how&this&works: • You%sign%up%for%Appcanary • You%provide%your%Appcanary%API%key,%and%apps%to%monitor • We%no;fy%Appcanary%whenever%you%deploy • Appcanary(no*fies(you(of(security(vulnerabili*es

23. Docker'Image'Security'Scanning This%security%scanning%is%for%system&packages%installed%in%your% Docker%image.%It%supports%images%based%on: • Ubuntu • Debian • CentOS To#request#access#to#the#private#beta,#contact&Ap)ble&support,&or&

    send&a&message&to&Frank&if&you're&watching&this&live.

24. Compliance

25. Compliance We#introduced#2#changes#to#make#it#easier#for#you#to#meet# compliance#requirements: • ALB%Endpoints%now%let%you%customize%their%HTTPS%protocol%list • Databases%now%use%AES?256%encrypCon%by%default

26. Compliance Customizable-HTTPS-Protocols-on- ALB-Endpoints

27. Customizable-HTTPS-Protocols-on-ALB- Endpoints ALB$Endpoints$default$to$accep3ng$traffic$on$TLSv1.0,$TLSv1.1,$and$TLSv1.2. Unlike'SSLv3'(TLSv1.0's'predecessor),'these'protocols'are'all'secure,'but'your' auditors'may'restrict'you'to'a'subset'of'them:'oCen'TLSv1.1'or'greater1. You$can$now$easily$meet$their$requirements$using$the$SSL_PROTOCOLS_OVERRIDE$ variable$(note:$this$variable$was$already$supported$on$legacy$ELB$Endpoints). 1"A"number"of"implementa)ons"of"TLSv1.0"are"vulnerable"to"e.g."POODLE"(unlike"SSLv3,"where"the"protocol"itself"is" vulnerable),"so"while"the"protocol"itself"isn't"vulnerable,"it's"a"good"idea"to"disable"it"if"you"don't"need"it.

28. Using&SSL_PROTOCOLS_OVERRIDE $ curl --tlsv1.0 https://high-compliance.example.com Hello from high-compliance! $ aptible

    config:set "SSL_PROTOCOLS_OVERRIDE=TLSv1.1 TLSv1.2" INFO -- : App configure successful. $ curl --tlsv1.0 https://high-compliance.example.com curl: (35) Server aborted the SSL handshake $ curl --tlsv1.1 https://high-compliance.example.com Hello from high-compliance!

29. Compliance AES$256(Database(Disk(Encryp6on

30. AES$256(disk(encryp3on(for(databases New$Databases$on$Ap.ble$now$use$AES$256$for$disk$encryp.on$(it$ used$to$be$AES;192). There%is%no%security%concern%surrounding%AES3192,%but%if%you%have% a%compliance%requirement%to%use%AES3256,%Enclave%has%your%back!

31. Exis%ng(databases Older&databases&are&not&upgraded:&that&would&require&re5 encryp8ng&all&data&and&cause&significant&down8me.&You$can$dump$ and$restore$to$upgrade. You$can$find$out$which$encryp2on$algorithm$is$used$by$a$database$ through$the$Dashboard.

32. None

33. Enclave(Security

34. Enclave(Security 2"direc(ons"to"improve"the"security"of"Enclave"itself: • U2F%Authen,ca,on • Internal%Architectural%Changes

35. Enclave(Security U2F$Authen+ca+on

36. U2F$Authen+ca+on You$can$now$use$FIDO$U2F$Security$Keys$as$a$second$factor$to$log$ in$to$your$Ap=ble$account! U2F$Security$Keys$take$the$form$of$a$USB$key;$they... • ...#are#more#convenient#than#token0based#2FA • ...#protect#you#against#phishing We're%using%them%to%protect%the%accounts%of%Ap4ble%team% members,%but$they're$also$available$to$you!

37. U2F$Authen+ca+on To#get#started#with#U2F#authen3ca3on,#you'll#need#to: • Procure(a(U2F(Security(Key(from(a(trusted(vendor2 • Use(a(browser(that(supports(U2F(Security(Keys((Chrome) • Navigate(to(your(account(seAngs(in(the(Dashboard • Follow(the(instrucDons

    2"The"Ap(ble"team"uses"Yubikeys,"but"any"key"conforming"to"the"FIDO"U2F"specifica(on"is"usable"with"Ap(ble.

38. Enclave(Security Internal(Architectural(Changes

39. Internal(Architectural(Changes We're%con)nuously%working%to%improve%the%security%of%Enclave.% This%quarter,%we%focused%on%locking%down%access%to%AWS%APIs: • We're&now&using&short&term,*per&opera-on*AWS*creden-als3& for&~85%&of&AWS&API&calls&made&by&Enclave. • Long>term&creden@als&used&by&remaining&API&calls&have&very& narrow&permissions. 3"These"creden+als"are"valid"for"3"hours,"and"provide"a"strong"audit"trail:"AWS"API"Calls"made"by"Enclave"can"be"

    traced"back"to"the"specific"opera+on"that"required"them.

40. Creden&al)Comparison)(examples) Long%Term*Creden-als Short%Term*Creden-als Write&only+S3+access+for+ telemetry+and+logs Full+S3+access+to+a+per&customer+ bucket+for+Docker+images+ Configure+specific+internal+DNS+ records Provision,+aAach,+detach,+backup,+

    modify,+delete+database+volumes+ Provision,+configure,+and+delete+ load+balancers+ Configure+customer+app+and+ database+DNS+records

41. Security)and)Compliance Q&A

42. Security)and)Compliance >"Database"Self,Service Usability)Improvements

43. Database'Self+Service Feature'wise,,we,focused,our,efforts,this,quarter,towards,enabling, self'service,modifica;ons,for,databases. We're%ge'ng%very%close: • The%Ap(ble%CLI%now%supports%aptible db:reload. • Disk%resizes%are%now%predictably%fast. •

    Self@service%database%scaling%is%coming%very%soon.

44. Database'Self+Service aptible db:reload

45. aptible db:reload You$can$now$reload$your$database$on0demand.$This$restarts$your$ database$container$in0place. Use$cases: • Apply&changes&that&require&a&restart&(e.g.&a5er&using&ALTER SYSTEM SET&with&Postgres). •

    Restart&a&database&that&appears&to&be&misbehaving. This%opera+on%is%fast:%expect%~10%seconds%of%down+me.

46. Database'Self+Service Faster'disk'resizes

47. Faster'disk'resizes Un#l%recently,%resizing%your%database's%disk%meant%snapsho:ng%the% underlying%EBS%volume,%then%recrea#ng%it.%This%implied: • Occasionally+long+and+o.en+unpredictable+down%me:+it+could+ take+hours+to+resize+a+very+large+disk,+during+which+the+database+ must+be+offline. • A+nega@ve+performance-impact:+a.er+a+snapshot+restore,+EBS+ volumes+are+temporarily+slower.

48. Faster'disk'resizes Fortunately,,AWS,now,lets,us,resize&EBS&volumes&without& recrea4ng&them,,and,we,updated,Enclave,accordingly. • Resizing)consistently)takes)a"few"seconds. • Resizing)no)longer)impacts)the)performance)of)the)volume.

49. None
50. None

51. Database'Self+Service Coming'soon

52. Coming'soon:'self-service'database'scaling Probably(one(of(the(longest(standing(feature(requests(for(Enclave( (currently,(these(requests(must(go(through(support). It's%almost%here.!You'll!soon!be!able!to: • Resize'your'database'disks'(and'as'men4oned:'this'will'be'fast) • Resize'your'database'containers'(i.e.'memory'footprint)

53. Database'Self+Service Q&A

54. Security)and)Compliance Database'Self+Service >"Usability"Improvements"<

55. Usability)Improvements A"diverse"set"of"small"improvements"to"make"your"life"using"Enclave" be8er: • SSH$sessions$now$terminate$quickly$if$you$get$disconnected. • Memory$Management$no$longer$requires$coopera;ve$apps. • Log$Drains$now$offer$firstAclass$support$for$Sumo$Logic$and$ Logentries.

56. SSH#Sessions#terminate#quickly If#your#SSH#client#gets#disconnected#(e.g.#you#changed#networks,#or# lost#internet#connec:vity),#your#Ap:ble#SSH#sessions#now# terminate#within#2#minutes4. This%ensures%you're%never%le/%with%runaway%SSH%sessions%you% don't%have%access%to! 4"This"hasn't"shipped"just"yet"as"of"this"webinar;"it"will"be"live"this"week.

57. Memory'Management'no'longer'requires' coopera3ve'apps When%we%introduced%Memory%Management5%(6%months%ago!),%it%restarted%Docker% containers%in<place. Some%apps%were%incompa.ble%with%it:%they%would%fail%to%restart%because%they%e.g.%le:%a% stale%PID%file%behind! Memory'Management'now'restarts'your'app'in'a'pris1ne'container,'so'all#apps#are#now# compa-ble. 5"Memory"Management"automa.cally"restarts"your"apps"when"they"exceed"their"memory"limits;"this"ensures"your" apps"don't"go"down"due"to"e.g."a"memory"leak.

58. First&class*support*for*Sumo*Logic*and* Logentries Enclave(Log(Drains(now(support(Sumo(Logic(and(Logentries(with( minimal(set(up(required:(just(copy(paste(a(few(values! Both%these%providers%sign%BAAs.%If%your%logs%contain%PHI,%they%are%a% good%alterna;ve%to%a%self<hosted%ELK%stack%on%Ap;ble.

59. Usability)Improvements Q&A

60. Gridiron'Update April&2017

61. What%is%Gridiron? Gridiron'is'a'suite'of'tools'to'help'so1ware'engineers'build'and' maintain'industrial6strength'security'management'programs.

62. Why$Use$Gridiron? • Makes'the'administra/ve'side'of'protec/ng'data'easy • Helps'prep'for'regulatory'audits • Helps'prep'for'customer'security'reviews Quickbooks)helps)with)accoun2ng,)Gridiron)helps)with)security) management

63. None
64. None

65. Gridiron'Implementa/on • Ap$ble(guided-setup-process-with-hands(on-support-and-training • Decide-on-baseline-set-of-controls • Generate-all-repor$ng-and-documenta$on

66. None
67. None
68. None
69. None
70. None
71. None
72. None

73. How$is$This$Be+er? • Focused)on)so+ware)developers • It's)fast.)We)ask)smart)ques;ons)to)get)results)fast.)Onboarding) complete)in)<)10)hours. • It's)easy.)Gridiron)speaks)your)language.)No)obscure) ques;onnaires.

74. New$This$Quarter • Infrastructure,&,SaaS,Services • HIPAA,Security,Rule,Report • Security,Reviews,Tool • Incident,Response,Training

75. Pricing Gridiron'Baseline'-'First'Protocol • $2,499/month-paid-annually • Addi6onal-protocols-star6ng-at-$499/protocol/mo • Addi6onal-training-star6ng-at-$49/cer6fica6on/year

76. AWS$Private$Beta$Program • Customers*deployed*directly*on*AWS • Pricing:*early*access*+*50%*permanent*discount Interested(in(a(demo(or(learning(more?( Contact(Shah(Kader:([email protected]

77. Gridiron Q&A

78. Wrap%up • Recording+will+be+posted+at+www.ap4ble.com/resources • Next+webinar:+July+25,+11am+PDT/2pm+EDT