Dealing with an �Adolescent Cloud

Ross Young

CISO

CAT Financial

CYBERSECURITY

Caterpillar: Non-Confidential

Cloud Journey is Inevitable

• Europe and China require data to remain in their countries
• You already use 10+ SaaS solutions (GitHub, Salesforce, …)
• Your Executives believe it is cheaper 
• Your Fortran Developers and Mainframes are no longer supported

CYBERSECURITY

Caterpillar: Non-Confidential

And Then There Were Two

• AWS probably won your initial contract
• You still run Applications On-Premises for 3-5 years while you transition
• Another part of the organization decides they want a different cloud
• Azure - Enterprise Desktop Organization wants Office 365, OneDrive, & SharePoint
• Google Cloud - Data Scientists want Google's Machine Learning or Google Firebase/K8s

CYBERSECURITY

Caterpillar: Non-Confidential

Multi-Cloud Wasn't Enough 

• You are on a Digital Transformation
• Agile
• AI/ML
• Blockchain
• Containers
• DevOps
• DevSecOps
• IoT
• Kubernetes
• Serverless

CYBERSECURITY

Caterpillar: Non-Confidential

AWS Best Practices

Overwhelmed yet?

CYBERSECURITY

Caterpillar: Non-Confidential

7 Design Principles For Securing The Cloud

CYBERSECURITY

Caterpillar: Non-Confidential

1) Implement a strong identity foundation

Access Control, Authorization, Least Privilege, & Separation of Duties

Fundamental

• SAML 
• MFA

Advanced - Limit the AWS resources for each Application 

• Action Hero- Tells developers which API calls are being made
• Policy Sentry- Simple CRUD style YAML List to Create IAM JSON

CYBERSECURITY

Caterpillar: Non-Confidential

Action Hero By Anthony Barbieri

CYBERSECURITY

Caterpillar: Non-Confidential

Automated Tests with Helium 

CYBERSECURITY

Caterpillar: Non-Confidential

Policy Sentry by Kinnaird McQuade

CYBERSECURITY

Caterpillar: Non-Confidential

2) Enable Traceability

Monitor, alert, and audit actions and changes to your environment

Fundamental

• Cloudwatch – log everything
• Cloudtrail – record every AWS action

Advanced

• Cloud Custodian – Automate Security Monitoring & Response
• Scout Suite – Multi Cloud Security Auditing Tool
• Fargate + Prowler -> AWS Security Hub – Automate Cloud Findings

CYBERSECURITY

Caterpillar: Non-Confidential

Things to Monitor on AWS

CYBERSECURITY

Caterpillar: Non-Confidential

Cloud Custodian

CYBERSECURITY

Caterpillar: Non-Confidential

Scout Suite - Multi-cloud security-auditing tool

CYBERSECURITY

Caterpillar: Non-Confidential

3) Apply Security at All Layers

Defense in Depth approach with multiple security controls

Fundamental

• Basic patching a Web Server - OS, Runtimes, App Server, Web Frameworks, App Libraries
• Network Controls to limit access - VPC, Security Groups, & WAFs

Advanced

• Automated AMIs Vulnerability Assessments - AWS Inspector
• Realtime System Inventory - Vuln Management + RASP solution

CYBERSECURITY

Caterpillar: Non-Confidential

AWS Inspector – Automated AMI scanning

CYBERSECURITY

Caterpillar: Non-Confidential

Real Time Asset Inventory (Qualys Asset Inventory + Contrast Security)

CYBERSECURITY

Caterpillar: Non-Confidential

4) Automate security best practices

Make Security Policy Code

Fundamental

• Lock down S3 buckets

Advanced

• Automated Security Guidance
• Credentials/SAST/SCA/Licenses - ShiftLeft
• Cloud Environments - Checkov / Scout Suite / Cloudsploit
• Containers - Dockle / Docker-Bench / Trivy
• Kubernetes - Kube-Bench

CYBERSECURITY

Caterpillar: Non-Confidential

Shift Left

CYBERSECURITY

Caterpillar: Non-Confidential

Checkov GitHub Actions for Terraform and CloudFormation

CYBERSECURITY

Caterpillar: Non-Confidential

5) Protect data in transit and at rest

Encrypt, Tokenize, and Limit Access to Your Data

Fundamental

• TLS 1.2
• Encryption at Rest

Advanced

• Required WAF, VPC Flow Logs, Guard Duty, … – AWS Config
• API security scanning- OWASP Top 10
• Tokenization & Test Data (PCI, HIPAA, …)

CYBERSECURITY

Caterpillar: Non-Confidential

AWS Config

One Stop Shop for AWS Compliance

• Managed Rules
• Encryption
• Guard Duty
• Rotating Secrets
• Shield
• VPC Flow logs
• WAF

CYBERSECURITY

Caterpillar: Non-Confidential

6) Keep people away from data

Reduce or Eliminate Direct Access to Data

Fundamental

• Public Databases / S3 buckets

Advanced

• Remove unused accesses – IAM Access Analyzer
• Block all RDP/VNC/SSH access to Production
• We don’t remote into into production
• We write better logs & we generate better backups

CYBERSECURITY

Caterpillar: Non-Confidential

IAM Access Analyzer

Analyze Access Continuously and Remediate Broad Accesses

• Developers initially granted * access
• Use IAM access analyzer to monitor:
• IAM Roles, S3 Buckets, Lambda functions, KMS Keys, SMS Queues
• Identify when services were used by the development team
• aws iam get-service-last-accessed-details --job-id 98a765b4-3cde-2101-2345-example678f9
• If access isn’t used in X days, then remove

CYBERSECURITY

Caterpillar: Non-Confidential

7) Prepare for security events

Events happen! Have an incident response plan that’s tested

Fundamental

• Having Incident Response Teams

Advanced

• AWS Incident Response Guide
• Automated Incident Response in MultiCloud

CYBERSECURITY

Caterpillar: Non-Confidential

THANK YOU!

Questions

Ross Young

LinkedIn- https://www.linkedin.com/in/mrrossyoung/

SANS- https://www.sans.org/instructors/ross-young

CYBERSECURITY

Caterpillar: Non-Confidential