
Taking IAM Protection To The Next Level


Presentation from AWS Summit NZ (June 2016).
It covers AWS IAM security best practices and how to take them to the next level with Dome9's IAM Safe.


Roy Feintuch

July 07, 2016


Transcript

  1. Quick poll
    Is it possible that one of your AWS users or team members will have their credentials compromised sometime in the future? What if this compromised account belongs to a privileged user?
  2. What is this session about?
    IAM best practices and core principles that will allow you to prepare in advance for extreme scenarios.
  3. Why IAM? Why this session?
    30 years of isolated IT islands are now converging into a software-defined data center. AWS IAM policy governs that converged IT and becomes the single most critical security policy in your organization.
  4. About me
    Roy Feintuch (@royfein). 30 years fiddling with software, 15 professionally, 10 in security systems, 5 in cloud security. CTO / co-founder of Dome9 Security, an AWS Advanced Technology Partner with Security Competency, focusing on network security and IAM protection.
  5. To our user...
    In a software-defined world a compromised privileged user account can mean:
    • Data theft: cloning databases, S3 buckets, files
    • DNS hijacking: redirecting traffic to rogue sites
    • Deleting / encrypting data, infrastructure, encryption keys, backups
    • Managing users: preventing legitimate admins from accessing their environments, adding new accounts
  6. Our user is already fatally compromised, but you don't have to be.
    Let's take a trip back in our time machine to see what we could have done differently...
  7. 2 main courses of action
    1. Preventative actions
    2. Detection and containment measures
    We need them both!
  8. Preventative Measures (1)
    • Create and use IAM users instead of your root account
    • Enable multi-factor authentication (MFA) for all users
    • Configure a strong password policy
    • Rotate security credentials regularly
    • Remove unused security credentials that are no longer needed
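The checklist above can be checked mechanically against the IAM credential report. The script below is an added example, not part of the deck or of any Dome9 product: it parses a CSV in the column layout of `aws iam get-credential-report` (base64-decoded; only a subset of the real columns is used) and flags root-account usage, active root access keys, missing MFA, unrotated keys and idle credentials. The rows, the account ID 111122223333 and the 90-day thresholds are constructed assumptions.

```python
"""Audit an IAM credential report against the preventative checklist.

Added example, not from the deck or any Dome9 product. The CSV mirrors the
column layout of `aws iam get-credential-report` (subset of columns); the
rows, account ID and 90-day thresholds are constructed/assumed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (real column names, fake users and dates).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2014-01-10T09:00:00+00:00,not_supported,2016-06-01T08:00:00+00:00,not_supported,not_supported,false,true,2014-01-10T09:00:00+00:00,2016-05-30T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2015-03-01T09:00:00+00:00,true,2016-06-20T08:00:00+00:00,2016-05-01T08:00:00+00:00,2016-07-30T08:00:00+00:00,true,true,2016-05-01T08:00:00+00:00,2016-06-20T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2014-06-01T09:00:00+00:00,true,2015-11-02T08:00:00+00:00,2014-06-01T09:00:00+00:00,2014-08-30T09:00:00+00:00,false,true,2014-06-01T09:00:00+00:00,2015-11-02T08:00:00+00:00,true,2015-01-05T09:00:00+00:00,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2016-01-15T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2016-01-15T09:00:00+00:00,2016-06-21T08:00:00+00:00,false,N/A,N/A
"""

NOW = datetime(2016, 6, 22, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MAX_KEY_AGE = timedelta(days=90)                          # assumed rotation policy
MAX_IDLE = timedelta(days=90)                             # assumed "unused" threshold


def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv, now=NOW):
    """Return a list of (user, finding) tuples for rows that violate the checklist."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should not be used day-to-day, must have MFA, and should carry no access keys.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root account has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            last = parse_ts(row["password_last_used"])
            if last and now - last <= MAX_IDLE:
                findings.append((user, "root account used recently; use IAM users instead"))
            continue
        # MFA for every user that can log in to the console.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Rotate keys regularly and remove keys nobody uses.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} not rotated for {(now - rotated).days} days"))
            if used is None or now - used > MAX_IDLE:
                findings.append((user, f"access key {n} unused for >{MAX_IDLE.days} days; remove it"))
        # Idle console passwords are unused credentials too.
        if row["password_enabled"] == "true":
            last = parse_ts(row["password_last_used"])
            if last is None or now - last > MAX_IDLE:
                findings.append((user, "console password unused; disable it"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user:<16} {finding}")
```

On a real account, fetch the report with `aws iam get-credential-report --query Content --output text | base64 -d` and feed the result to `audit()`; the thresholds should follow whatever your password policy and rotation schedule actually mandate.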
  9. Preventative Measures (2)
    • Use IAM roles to share access:
      • For EC2 instances (and other AWS services)
      • For multi-account / federated access scenarios
      • For 3rd-party service providers
    • Manage permissions with groups
  10. Detection & Containment
    • Enable AWS CloudTrail to get logs of API calls
    • Grant least privilege
    • Restrict privileged access further with policy conditions
    • Use multiple AWS accounts to segregate dev/test/prod and sub-systems with different security requirements
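Enabling CloudTrail only helps if somebody reads it. As an added example, not from the deck or from Dome9, the detector below runs over CloudTrail-shaped records and raises alerts for the situations the deck warns about: root-account activity, console logins without MFA, tampering with the trail itself, the kind of control-plane calls slide 5 lists (creating users and keys, deleting keys and buckets, rewriting DNS), and calls from outside an expected network. The records, account ID, IP addresses, the "high-risk" call list and the allowed CIDR are constructed assumptions.

```python
"""Flag high-risk control-plane activity in CloudTrail records.

Added example, not from the deck or Dome9. Record fields follow the
CloudTrail JSON format; the events, account ID, IPs, allowed network and
the high-risk call list are constructed/assumed for illustration.
"""
import ipaddress
import json

# Assumed corporate egress range (RFC 5737 documentation prefix).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Calls that blind the trail itself.
TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}

# (eventSource, eventName) pairs matching the damage catalogue on slide 5; extend to taste.
HIGH_RISK = {
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("kms.amazonaws.com", "ScheduleKeyDeletion"),
    ("s3.amazonaws.com", "DeleteBucket"),
    ("route53.amazonaws.com", "ChangeResourceRecordSets"),
    ("rds.amazonaws.com", "DeleteDBInstance"),
}


def event(event_id, user_type, name, source, action, ip, extra=None):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    rec = {
        "eventVersion": "1.04",
        "userIdentity": {"type": user_type, "userName": name, "accountId": "111122223333"},
        "eventTime": "2016-06-22T10:00:00Z",
        "eventSource": source,
        "eventName": action,
        "awsRegion": "ap-southeast-2",
        "sourceIPAddress": ip,
        "eventID": event_id,
    }
    if extra:
        rec["additionalEventData"] = extra
    return rec


SAMPLE_RECORDS = [
    event("e1", "IAMUser", "alice", "signin.amazonaws.com", "ConsoleLogin", "203.0.113.10", {"MFAUsed": "Yes"}),
    event("e2", "Root", "root", "signin.amazonaws.com", "ConsoleLogin", "198.51.100.7", {"MFAUsed": "No"}),
    event("e3", "IAMUser", "bob", "iam.amazonaws.com", "CreateAccessKey", "198.51.100.7"),
    event("e4", "IAMUser", "bob", "cloudtrail.amazonaws.com", "StopLogging", "198.51.100.7"),
    event("e5", "IAMUser", "deploy-bot", "ec2.amazonaws.com", "RunInstances", "203.0.113.20"),
    event("e6", "IAMUser", "alice", "route53.amazonaws.com", "ChangeResourceRecordSets", "203.0.113.10"),
    event("e7", "AWSService", "", "ec2.amazonaws.com", "DescribeInstances", "autoscaling.amazonaws.com"),
]
# Same data in the {"Records": [...]} envelope CloudTrail writes to S3.
SAMPLE_JSON = json.dumps({"Records": SAMPLE_RECORDS})


def load_records(text):
    """Parse one CloudTrail log file (the S3 object format) into its record list."""
    return json.loads(text)["Records"]


def from_allowed_network(ip):
    """Non-IP sources such as 'autoscaling.amazonaws.com' are AWS service calls; treat as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in ALLOWED_NETWORKS)


def analyze(records):
    """Return a list of (eventID, user, reason) alerts; one record can raise several."""
    alerts = []
    for r in records:
        ident = r["userIdentity"]
        user = ident.get("userName") or ident.get("type", "?")
        source, name, ip = r["eventSource"], r["eventName"], r.get("sourceIPAddress", "")
        if ident.get("type") == "Root":
            alerts.append((r["eventID"], user, f"root account activity: {name}"))
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append((r["eventID"], user, "console login without MFA"))
        if source == "cloudtrail.amazonaws.com" and name in TAMPERING:
            alerts.append((r["eventID"], user, f"CloudTrail tampering: {name}"))
        if (source, name) in HIGH_RISK:
            alerts.append((r["eventID"], user, f"high-risk call: {source.split('.')[0]}:{name}"))
        if not from_allowed_network(ip):
            alerts.append((r["eventID"], user, f"call from outside allowed networks: {ip}"))
    return alerts


if __name__ == "__main__":
    for event_id, user, reason in analyze(load_records(SAMPLE_JSON)):
        print(f"{event_id} {user:<10} {reason}")
```

In production the same logic sits behind a CloudTrail-to-S3 or CloudWatch Logs subscription; the point of the example is that each rule maps to one line of the deck's threat list, and that a single event (root console login without MFA from an unknown address) can and should trip several of them at once.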
  11. Still, something is missing...
    Adversaries constantly target our users. One of our users will eventually make a mistake. Someone will break in. A new breed of solution is needed.
  12. Meet Dome9 IAM Safe
    Dome9 IAM Safe is an AWS IAM dynamic authorization solution, providing protection and detection against malicious cloud control-plane attacks and unintentional privileged-user errors.
  13. IAM Safe
    • Added layer of IAM protection
    • Prevents accidental or malicious invocation of risky actions
    • "Just-in-time" authorization
    • Out-of-band authorization via mobile application
    • Multiple AWS accounts & regions
    • SaaS delivered
  14. Containing the Blast Radius
    Because IAM Safe users work at lower privilege day-to-day, the results of stolen credentials and compromises are limited to non-catastrophic actions. IAM Safe ensures that the riskiest AWS operations (as deemed by you) cannot be executed without Dome9 IAM Safe multi-factor authorization.
    Not all workloads are equal! Leverage the power of the AWS IAM policy language to define specific actions and add conditions based on sensitivity, tags, etc.
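Slide 10 ("restrict privileged access further with policy conditions") and slide 14 (conditions based on sensitivity and tags) both come down to writing IAM statements whose conditions you have actually tested. The following is an added example, not from the deck, from Dome9 or from AWS: a toy evaluator that models a subset of IAM's logic (explicit Deny beats Allow, no matching statement is an implicit deny; the String*, Bool, *IfExists, IpAddress/NotIpAddress and Null operators) so that a policy's conditions can be exercised offline against constructed request contexts. The policy, the office CIDR, the account ID and the `Environment` tag key are assumptions; a real deployment is verified with the IAM policy simulator, not with this model.

```python
"""Toy IAM policy evaluator for checking the effect of policy conditions.

Added example, not from the deck, Dome9 or AWS. It models a subset of IAM
evaluation (explicit Deny > Allow > implicit Deny; String*, Bool, *IfExists,
IpAddress/NotIpAddress and Null operators). Policy, CIDR and tag key are assumed.
"""
import ipaddress
import re

OFFICE_CIDR = "203.0.113.0/24"   # assumed office egress range (documentation prefix)


def build_policy(mfa_operator="BoolIfExists"):
    """Day-to-day rights, with destructive and production actions fenced by conditions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DayToDay", "Effect": "Allow", "Resource": "*",
             "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances",
                        "ec2:TerminateInstances", "s3:*"]},
            # Destructive calls need MFA. BoolIfExists also fires when the key is absent,
            # as it is for requests signed with long-term access keys; plain Bool would not.
            {"Sid": "DestructiveNeedsMfa", "Effect": "Deny", "Resource": "*",
             "Action": ["ec2:TerminateInstances", "s3:DeleteBucket", "s3:DeleteObject"],
             "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}}},
            # Instances tagged Environment=prod may only be touched from the office range.
            {"Sid": "ProdOnlyFromOffice", "Effect": "Deny", "Resource": "*",
             "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
             "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "prod"},
                           "NotIpAddress": {"aws:SourceIp": OFFICE_CIDR}}},
        ],
    }


def glob_match(pattern, value, ci=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.IGNORECASE if ci else 0) is not None


def as_list(x):
    return x if isinstance(x, list) else [x]


def check_operator(op, key, values, ctx):
    """Evaluate one condition operator against one request-context key."""
    if op == "Null":                                   # "true" means the key must be absent
        return (key not in ctx) == (str(values[0]).lower() == "true")
    if op.endswith("IfExists"):
        if key not in ctx:
            return True
        op = op[: -len("IfExists")]
    negated = op.startswith("Not") or op.startswith("StringNot")
    if key not in ctx:
        return negated                                 # absent key: plain operators fail, negated ones pass
    actual = ctx[key]

    def one(v):
        if op == "Bool":
            return actual.lower() == str(v).lower()
        if op in ("StringEquals", "StringNotEquals"):
            return actual == v
        if op in ("StringLike", "StringNotLike"):
            return glob_match(v, actual)
        if op in ("IpAddress", "NotIpAddress"):
            return ipaddress.ip_address(actual) in ipaddress.ip_network(v)
        raise ValueError(f"unsupported operator {op}")

    hits = [one(v) for v in values]                    # several values: OR for plain, NOR for negated
    return not any(hits) if negated else any(hits)


def statement_matches(stmt, action, resource, ctx):
    if not any(glob_match(a, action, ci=True) for a in as_list(stmt["Action"])):
        return False
    if not any(glob_match(r, resource) for r in as_list(stmt.get("Resource", "*"))):
        return False
    return all(check_operator(op, key, as_list(vals), ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, vals in pairs.items())


def evaluate(policy, action, resource, ctx):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    policy = build_policy()
    inst = "arn:aws:ec2:ap-southeast-2:111122223333:instance/i-0123456789abcdef0"
    for ctx in ({"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "false"},
                {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "true"},
                {"aws:SourceIp": "198.51.100.7", "aws:MultiFactorAuthPresent": "true",
                 "ec2:ResourceTag/Environment": "prod"}):
        print(evaluate(policy, "ec2:TerminateInstances", inst, ctx), ctx)
```

Two caveats the model makes visible: a `Bool` test on `aws:MultiFactorAuthPresent` silently misses requests where the key is absent (long-term access keys), which is why the Deny uses `BoolIfExists`; and a `NotIpAddress` Deny also catches requests in which `aws:SourceIp` is absent altogether, so check how calls made on your behalf by AWS services behave before shipping such a statement.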
  15. Summary
    • IAM is critical for AWS security
    • Apply AWS best practices
    • Utilize the breadth of the AWS partner ecosystem to take your posture to the next level
    • The moment of the breach is too late: take ownership of your future and start preparing now!
  16. You are invited to the Dome9 booth to continue this discussion and for more AWS security solutions, or visit www.dome9.com and start a free trial.