Duration 40:01
Serverless Architecture Security Patterns for Securing the Unseen

Jabez Abraham
Senior Cyber Security Cloud Architect at Paige
RSAC 2021
May 20, 2021, Online, USA
About speaker


As a Cloud Security Architect working in the Enterprise Architecture team at Asurion, Jabez Abraham is passionate about cloud computing. He thrives on solving problems when leveraging native cloud services for building secure and supportable solutions. At Asurion, he helps in defining the strategies, roadmaps, and solutions to embrace the value of the public cloud as well as ensure the protection of Asurion infrastructure, applications, and data for cloud native, hybrid, and inter-cloud deployments. He has spent an extensive amount of time working through the various aspects of adoption while embracing a #Cloudbydefault approach. Abraham also leads organizational transformation in cloud and security domains specifically in AWS.


About the talk

Jabez Abraham, Cloud Security Architect, Asurion

Serverless architectures bring the ability to independently scale, deploy, and heal based on workloads while moving away from monolithic designs. Serverless workloads also have a larger security risk surface due to many moving pieces. This talk will focus on key areas to consider for securing end-to-end, with patterns for enabling DevOps while being able to protect against and mitigate threats.


Hey, thanks for joining my session on serverless architecture patterns for securing the unseen. I'm really excited to speak about this topic today at this conference. It's such a crucial topic, I believe, in this day and time where serverless is really taking off from a cloud perspective. And I'm really excited to share about some of the patterns and things that we can do to fix. My name is Jabez Abraham and I work as a cloud security architect at Asurion. I would like to start off with this one picture. A lot of times when they look at a picture, you know, you kind of

think about what does it represent. When you think about this, you think about a house. You think about dreams, visions, goals, maybe aspirations for someone who wants to build something or plan for something for their future. But most importantly, when we think about this picture, we see the importance of it is in that person. And of course, you know, as much as we would like to look at this picture and say, man, that's a beautiful house, that's not the ultimate thing that we look at from a security perspective; it is the person that we're trying to protect. And when we think about

serverless, a lot of times people jump right into it and say I want to start securing it. Watauga, Texas Dua Lipa man, how do I protect, what are some controls I need to have? What are some areas that I need to look at? But a lot of times they miss: what are they really trying to protect? What are we really trying to do? So, this question, I believe, is very central to this topic of securing the unseen. Because a lot of times what happens is we get caught up in our day-to-day and doing the operational aspects of securing something, but forget about the plumbing work, the deep dive, the

understanding of what am I really trying to protect? So this picture just serves as an image of what we want to think about. When you're thinking about securing serverless, ask: what is the crucial nature of what we're trying to protect? The data. The data is what is crucial that we're trying to protect in this scenario. Jumping quickly on some of these topics that are going to be covered here: the life cycle of data. Obviously, we've talked about the importance of what we're trying to protect, and accessing the data. You know, how does somebody get into the gym

today. And we're going to talk about certain threat vectors when you're talking about serverless. Again, serverless changes the dynamics of security, where the traditional security mindset gets really hard to justify when applying the same mindset to a serverless architecture. And so what I like to talk about is how do you change your mindset when you're dealing with serverless technology, and then we'll talk about some design principles. What are some things to be concerned about when you are starting to architect serverless architectures? And then some applications and some

practical real-world applications, and we'll use certain specific areas that we'll be talking about. So, jumping right into it. When you think about the life cycle, you know, anything about data, you think about the aspects of creation. You know, somebody creates data; it could be time-sensitive. It could be a cast or a tweet or whatever it may be; it's very time-sensitive information. And then you also think about the data types. The data types could be, again, something that's publicly available or something that's private, like maybe there is in the stock market.

Then again, things are happening in millisecond time frames. And then of course the damage, its time for you, and that is crucial as well. Think about data: not only could it be time-sensitive, it could also be classified as a certain type of data classification, but also what type of damage can it produce? So you have the creation of the data by various entities, and then you have the storage of the data: it could be in a cloud environment, it could be in your data center, it could be anywhere for that matter. And then there are the users of the data, whether it is some artifact or

archival, whatever it may be. How do you consume that data and make it available? And when we follow along from the perspective of the life cycle, we have to switch gears a little bit and talk about: so how do I access data? Not only does my life cycle matter, meaning how does the data flow through my system, but how do I make it available? You know, that consumption that we talked about, how these various different people that we're talking about, boundaries. You've got consumers and then you've got, of course, arbitrators. And when you think about it in that perspective,

the producers could be anyone from the internet of things where the data is accessible to the end user. And of course, what are some protection boundaries that we can think about? Privileges and authentication, authorization, logging. You know, what about technical debt? A lot of times people think about technical debt as something that's behind the scenes, but it's real, a challenge sometimes if you don't think about it ahead of time. And then the consumers: people who rely on it, people who want to share it, people that I want to share the data with. And of course the perpetrators, and

that's always there. If you saw the slide when it came up, it was already there, because the perpetrators are always, always there, whether you have data or not. They're going to constantly be looking to infiltrate and try to access data that is not allowed for them. And when we think about that perspective, we think about the context of serverless: how do you think about serverless and the threat it produces? This picture, if you look at it, is an interesting representation; many of you may have seen it. The picture talks about an iceberg. You know, you think

about an iceberg, you've got something that's visible, something from the Titanic or something, you know, that exists. But a lot of things, what people don't realize, is that there's a massive amount of ice underneath that's invisible. What I'm talking about with serverless and the data is that a lot of times the threat is invisible to the user when you take data and pass it on to a public cloud provider. A lot of times they are accountable for how they manage the protection of your data and how they store it, but ultimately it's invisible to you. But a lot of the aspects, you know, how does

the data get transferred in, how does the data get stored, how does it, specifically, how did the data get moved from one region to another? A lot of these different constructs that we talked about from a public cloud provider's perspective are invisible to the user. In a data center I can walk in and look at it and think you are. My heart does Jeremih EMT drive, but in a cloud system you don't have a guarantee of which data resides where from a regional perspective. You know, so you could be Monday, Arizona versus the other Sunni. Think about that type of thing. We've seen really the

revolution of cloud from infrastructure-as-a-service to function-as-a-service, from monolithic applications to microservices, and now again to serverless. I mean, we've really seen the evolution of cloud technologies in that level of evolution. You may think, why do people really go into serverless protection? But why is there a real demand for serverless? There are obviously many reasons we can talk about; today it's just a few. There's no infrastructure to manage. You don't even have to patch. You don't have to worry about maintaining your infrastructure, making sure that your networking and cabling and

all of those things. There's nothing to manage and you don't have to do a lot of the work that is done to get the server ready for you. And then of course, I'll be able to quickly spin up a function to be able to do a certain type of work, a small volume of work, and be able to execute based on some of the requirements that you give it. Again, serverless gives a lot of benefits for a lot of users going to cost. You know, you use, you pay for what you use in a very, very small millisecond way, and so cost is a big driver for serverless, and the ease of deployment, you know, where you

can deploy in multiple decentralized methods and you're not having these massive monolithic applications, has definitely been a big driver in that sense. But then you think about the security aspects of it. The threat landscape really has changed with serverless. Thinking about an application, when you think about an application to somebody, right, and somebody puts it in the cloud, they can have the illusion that since I put it in the cloud it is secure, or because it's SS and it's just very small, ephemeral time instances, that it could be secure. A demo

briefly on serverless: it is not inherently secure; how you secure it is what matters. And then of course, IoT, bringing the data to the end user. Again, there are different types of threat factors that we can talk about. And then when we think about serverless and security, just because it's an ephemeral system, it only lives for milliseconds or a minute or 5 minutes, doesn't mean that it is inherently secure. An example, in this example, if you see there's a Lambda shell; it is just an open website

that anybody can go into and it gives you a shell into a Lambda function. It's a real Lambda function in Amazon; as you're watching, there's a choice, a regular Unix kernel. If you see that, it's got a shell. It's got the body of, mine of scary. It's got different values, it's got the index. Today is Father's Day in any Unix machine. Now, in this example, this person has given shell access into a Lambda function. Now when I do an environment variable in that server, I see a bunch of different environment variables, but it was

just as you would expect in any system. In this case, I'm interested in certain things. I mean, which region I'm running in: I'm running in us-west-1 in California. What is the access key that I'm going to be interested in? And there's the secret access key and multiple other things, and here all I'm doing is constructing basically a method to access this infrastructure, or this cloud environment, from my laptop, from my personal laptop. So all I'm doing here is capturing the access key, the secret key, and the token. And so basically what I'm going to be doing here is

constructing these three elements that Amazon requires for me to be able to connect to my cloud environment from my laptop that's outside of a console, or on the company's cloud account, and the token that is required for the time. And once I do these three different entities, at this point I have access to that person's cloud environment. So you can run a simple get-caller-identity, and it tells me that I'm in the Lambda basic execution role.

Roles are super important in the cloud. And depending on the size of the role, I can get lateral movement. I'll be able to do that at the moment. In this case, the amount of things: log stream, again, a very, very minimal role, which is good. But even with this, there are certain things I can do. So I can try to mistral's, of course that's denied, because it's a very restrictive type of role. And then also I'm going to try to do, I start another function, like creating a log group, and now someone might say that while

those are very restricted functions, or controls, or all roles that are given permission to. But only what I can potentially do with just this minimalistic permission is, I can still create a log group. I can create a log stream, and then I can start publishing events to the stream. And think about it, even in the sense, in this example where they're supposed to show that I've had, I have access from the sweat. From this website, I'm able to get into that person's account. I'm able to generate log events and then I'm able to potentially kind

of spike up their bill, you know, in a sense where I can start sending multiple log events like an automated, again, I get the token for an hour, which means that I can do around their system with logs that are meaningless, you know, which are just going to spike up their bill. Again, this is a very simple example, like this person has given access for people to be able to do that, in the sense that he's opened it up for the world so that people can get a feel for how secure it stands and different. He even has a bug bounty program on the left side, but the important

aspect is that serverless, by the term, just because it's ephemeral, doesn't mean that you cannot, you know, that it doesn't need to be secured. That is the important aspect of this demo. And jumping into the next slide with some design principles, you know, anything about threat modeling: you want to think about some from Newark Ohio State at what is my data movement in my architecture and how does that movement affect how I need to secure it? And we're going to look at a couple of these. Hopefully tie all this together

is that they say, hey, I've secured the entry point, I've secured the back-end storage, but then the data can move inside because it's inside my network, and they don't account for things like insider attacks or data leakage or accidental data exposure, things like that. So there are some very core principles that we have to think about when you're dealing with serverless, that you have to think about in the same way. So, making sure that you don't have much broader access than what is needed. In the previous example, we saw it was

just a Lambda basic execution role, because of a very minimalistic access, and if somebody gives an admin role, now that is a real risk. Why? Because somebody can get in, they can get access to that environment, and they'll be admin from their laptop, and now they can pretty much do what they want to do in the other person's account, including take. So that is a very challenging thing that can happen. And so as you look into some of these areas, you think about things like anomaly detection in the sense of what is normal. You know, what is a normal flow of my data? The data, the security, what we

looked at earlier, the sensitivity of the data, and what is normal from that perspective. I can protect it and I can understand what is normal, then I can, on top of it, apply principles to say, if this changes, if this is special, then start alerting or start blocking or put that in quarantine, and let's figure out what they're trying to do. And so zero trust, that's a term that's used quite often, but it's more like a freeway, where you trust the people who are on the freeway to follow the rules and you could do spot checks once in a while here and there from an insider perspective. But ultimately

you would say if you're on the freeway, we trust you: you're following the speed limit, you're going the right direction and you're not having erratic behavior. But if you're outside the freeway and you're not supposed to be outside, then obviously that trust boundary has been broken, right? So zero trust really comes from the perspective of being able to isolate actors that are not following the norm. And so is it possible? Yes, it is definitely possible from the perspective of being able to control what you can see, or you can argue that guardrails, you know, the view of a

thing is a very fluid topic and different people have different perspectives of it, but just from the perspective of being able to control what you allow somebody to do, zero trust is possible. And then thinking about visualizing data; I guess we talked about how do you look at your data structure, different aspects of it, and how do you visualize it. The next one is going to be a busy slide, but I want you to take a few of your items from this slide. You think about in the cloud computing business, you have the edges. They are, you've got the cloud

front, you've got the CDNs from different providers. You've got the different areas on the edge that the data comes in. Then you have the compute, you know, where you're having a lot of processing that is happening. And of course the data itself, the data integrity, the confidentiality, the CIA that we commonly talk about. And of course message streaming is a very, very hot topic right now with the amount of data that can be passed to an environment, and access controls, monitoring, developments. But here, there are a few key areas that you want to break your,

you're basically your infrastructure into. You think about how does my edge layer look like? Am I using a CDN? Do I have APIs? Do I have authentication? Do I need geolocation blocking because I have certain authority rules that I have to manage? And then in the summary where you can map out your entire data flow based on this view, you can say, for messaging, what is the velocity of the message? How much of a message do I take into my back-end systems? Do I filter some out? Session management and access, that's a big topic, or, you know, finding actionable events in monitoring,

and it's like finding a needle in a haystack if you just log all the events. But if I'm smart about what type of events I really want to monitor and take action on top of, or how many Everest. And also, like, some of them are outside the scope of just the technology, where the open source: how do I handle open source? How do I do a security awareness program? You know, how do I let people know how they need to do serverless, not to give them a gift about Actors Access into our environment? A busy slide, but just to think about the data and server-

less broken down by layers. That is crucial when you are being able to map out your infrastructure and how you want to manage serverless security in securing the unseen, and just to group a couple of key design principles. I want to switch gears a little bit because we're going to be talking about starting the application of designs in this context, right, to think about the IAM context: identity and access management. And how do you manage identity? How do you manage access, least privilege? How do you manage defense-in-depth, allowing multiple layers of control before people

can get into your network. And what are we talking about in this context, in the 4th of the slides? You won't be staying after that. So I just wanted to kind of call it out, and we're going to jump into a sample architecture and talk about how that applies. This is a very typical architecture that we're looking at in Amazon. You've got the content delivery, you've got messaging and some sense about authentication and authorization, APIs, again, event-based modeling in your events that are going to the data store, and you potentially could have a separate account that

manages your DevSecOps pipeline, and another for forensics: if there's a breach, be able to take the data and move it into this other account so that you can do forensics on it, and external logging in a place that is not tampered with. And then if there's your security and governance account, your keys: how do you know what keys do you use to manage? And what is the RAF strategy, logging, accident, and then the next slides talk about how does it apply from the groupings that we saw in the previous

slide. So, sure, this is the front-end layer, when you talk about data coming into my inbox, right, where I have users hitting my endpoint and trying to access some service that I'm providing. Maybe it's a lookup service. Maybe it's something to do some planes. Are you certain that sensitive information or entering their social security number? So you have different defense-in-depth types of applications that you can do, with protections that you can do, like IP restrictions, or are you using your web application firewall, or using

a single sign-on, if it's an internal user. Again, these are all different defense-in-depth measures that can be applied when you're looking at a front-end layer of serverless, right, and we're still seeing a lot of things, we're still doing a lot of things. The things that we don't see, that's how, maybe in this case, Amazon manages their infrastructure, but what we can do is that we can have these types of patterns that will allow our developers, allow our security professionals, to be able to take them in and apply them in their company so that they can be secure in

that sense. Now you think about a sample S3 bucket policy, to be very, very specific from a least privilege principle's perspective, of saying only allow GetObject or only allow these source IPs to reach my bucket. I guess the reason why is you want to be thinking about, even though it's serverless, even though there are things that you don't see, you don't know how Amazon manages it, or Azure or Google, you're still being able to do your part and making sure that you're following this least privilege principle, you're doing these kinds of protections in the front-end layer, and

similarly, from a content distribution perspective you can have things like security headers and forcing TLS. You know, how stupid is TBS, a r e Drive? And there are just many, many areas; these are just some examples that are there. Rate-based rules are very important in a lost person. Being able to take the logs and applying, maybe enriching the logs with certain other information that you want to add on to it, and then sending it to a centralized search engine, and that can be very, very important when people are trying to search for things that they feel like are an issue.

And jumping into the next area, the middle, where in the middle layer you think about areas such as talking about ization, sanitizing input. You know, we've got the Struts vulnerability and many other areas, again, where the application has to be able to sanitize input. But now, we saw earlier where the user allowed somebody to be able to get into a shell, and a shell that they were hosting. Now obviously, in that case, they were just doing it right, exec into that shell, but if you think about it, that really would be something like input validation, to say, what is someone trying to pass into my API

Gateway, or however that is being bow, and do I need to take that data, sanitize the input, make sure that the input is what I expect it to be, and then pass it on to the next step in the flow of the application? To do that is very, very crucial. A lot of times people don't think about it, but that is very true, from a protecting, from an access and management perspective. A JWT token, it's as simple as a web application where you've got specific group names that I belong to, or what is the audience, who's the issuer, what is the

expiry, again, validating those things. And kind of along those lines, some of the best practices when dealing with the tokens: they are used across the board for making sure that when somebody signs in, like your Facebook or you're signing in with Google, JWT is just the way that they make sure that the user is who they say they are, and then they pass it on to the back-end systems so they can validate it. Like, you're making sure that they are using a stronger algorithm, and validating, making sure it's not expired, and making

sure it's still the right issuer and the right audience, and also seeing the scope of the tokens: don't allow more than you're supposed to have. Just a simple example of how a JWT could potentially look. And jumping back into the architecture, going back into the layer perspective, being able to look at it on a daily base level, being able to keep it isolated in a VPC. In this example from Amazon, obviously different cloud providers will have their own way of securing it, but the general principle applies to any cloud vendor: encryption at rest, which

is very common, and more than that, dinner will encryption. I know a lot of times traditionally people have done that when they were thinking about someone having access to the data center, to be able to protect the data, or your laptop getting stolen, but really there is much more important to think about from a cloud provider perspective. It's because the data centers are pretty well guarded; nothing but, it is Google or Amazon, to be able to get in, somebody trying to steal a disk and knowing which customer that is, that is super extremely hard for them to be able to do

that. But the other protection, you know, where, even if they get into your system and they try to exfiltrate your data, how do you protect that data from leaving your system? Being able to do something like strict least privilege, meaning that somebody cannot log in as one user and try to do a lot of movement and see how much access that user has in the cloud space from an IAM perspective, and then be able to laterally move into another application that they're not allowed to. So, being able to lock that down using least privilege roles, the minimum roles that you even want

me. So in the demo, it was a very, very least-privileged access to that Lambda function. And then again, it's something that you may want to think about: something in an instance that is acting in a way that I don't expect it to. What is a quick way of being able to isolate that out of the pool of other instances? Maybe It's Italia. Apply to it has an event-based Lambda that goes in, an isolated instance, takes a snapshot, moves it into the external account and then takes it out of the pool. And then another server is

added to the pool so that the business can continue to run, but now you automatically contain that one instance that you're not sure what's going on with, and then you can quarantine it at that point in time. You can take it and then you can apply it to the point where you can start doing some forensics on top of that. There are many ways to do these kinds of things, but you should have a plan of action. How do I secure my back-end layer, you know, where really my data is protected? More than passing, at some point it's going to rest in my back-end layer. A database policy, and I was very

specific about it, in DynamoDB: I can GetItem and it is going to come from this VPC. Maybe it's two accounts, you have two APIs, if you have, and you're sharing data from this DynamoDB instance to the other Lambda that wants to query it; again, you're isolating it in a very, very specific way. And, you know, don't boil the ocean, right? I mean, this is a massive field. I mean, it's a massive field because it's got so many entry points. You think about DNS or streams? You think about CDNs? You think about the event-based processing? Or you

think about the layers that are already being built on top of serverless technologies or managed services. If you think about that, offend you or around me and I'll give you all around me to look at the Gammage off servers or the server for the opportunities that stopped by to give us and say, man, how do I secure this? Because it's such a big footprint. So I would say don't boil the ocean, in the sense that make sure you understand there are some immediate things that you can fix in your environment, there are some short-term, and there are some long-term, right? How is your strategy around your security

planned when you're looking at serverless and securing the unseen? One more, from a time-based perspective: bus back to email, say it's going to be 6 to 8 months and that may be a long-term plan. Again, in perspective, that is too long of a time because they keep changing their features and advances in months or weeks, and even Amazon has many, many iterations per month, and so do other providers for that matter. But you want to have a plan of saying my short-term is going to be 2 weeks or 3 weeks, and then my immediate maybe, and then the short that maybe 3 to 4

months, and the long-term maybe four to six months. Again, you may have a plan based on your company. And then the hybrid deployments can also have their own understanding: how do I secure the integration point between my cloud and my data center, things like Direct Connect or other areas that you can think about from the protection of the data as it moves from one environment to the other? Can my production cloud account talk to my development machine in my data center? Again, all of those things have to be taken into consideration. I want to come back to this

slide that we looked at prior, where we talked about data and how that applies in all of these layers. Now I want to think about how does security apply in all of these layers. You think about it again: we looked at edge computing, and data, and all of these different layers in the busy slide, but we looked more from the lens of data, and now we're looking at it from the lens of security. And so I guess we talked about immediate, short-term, long-term, and taking things like the edge, you know, it's like rate limiting or managing your cache, doing

something like WAF, or what is a key part of the oven apply for API Gateway. And then some concerns with the compute, making sure that there's key management, but I'm dealing with moving out there that I sent it or processing of data that is sensitive, and similarly areas such as the data itself, about how do I, do I sanitize, then make sure this is something that I expect and Order started, right? Or or a beautiful forensics or or try to capture this. An IP is sending me a lot of bad data, I'm going to put that IP in quarantine. I'm going

to talk to my edge layer and tell CloudFront departing that IP for Gina for 15 minutes, and then I'm going to log it. If it happens again, I'm going to put it away for, you know, 6 hours, a little bit. Maybe you want to have that kind of strategy planned out for your environment. Things like token management or bad in a robot that has controls that are so crucial when you're dealing with serverless, because what access you give that one small entity is going to carry on to calls by that entity. We have a Lambda function that fires in the back end and you may have a thousand Lambda

functions that fired because their spouse coming in all the time. And that one Lambda or the permission that's assigned to the Atlanta function is going to inherit for any other land. That gets fired as well. And then, of course, he got a global context, meaning that any time I declare variable in the Lambda to grobo, the next time. Can pick up on the variable and use it as well. So I guess there's a lot of things that goes into the ER and in those areas or even death from a dolphin perspective, being able to do cic Automation and and some of the tools are available for a securing this

type of or applying Security in several areas as well. But I am hoping it'll be, it'll be a help so that we can look at it more from applying Security in a sense of different layers. Rather than thinking of security has this one solution or one-stop-shop for anywhere. You want to put it in the clouds saying What I really want to think of security as breaking it down by these different hours. And each tower has a different way. I approach Security in the savannah space and that is crucial mindset that a Security Professionals that we have to have. Or even

if we have to have to say, while I'm a dollar per, I'm going to be writing code for processing data. Well, you have to think about how do I sanitize my house? My data coming in, you know, who's picking it at the door, and you should ask those questions as well. Again, we definitely have to see this as a joint effort, that ties me into some of these final thoughts. When you think about a service or what are you really trying to solve? You know, we saw the first picture of that house with the, with the most important entity in that picture was a person. That was a

person you're trying to protect. That's what we're trying to salt and serving as the great, you know, great Paradigm that the cloud has brought for us. I am guilty of so much opportunity to be able to secure data to be able to do a lot of interesting things. From an architecture perspective, being able to bring in a streaming data bring in the mashups. Then again, there's the potential this massive but you really want to take a step back as a security professional or try to understand from a security perspective or a mindset to say. What am I really trying to solve? You

know, I'm I really trying to stall when I'm trying to protect the data and it comes to the door, or I'm trying to stall when I protected and I do understand no business wants to do something very different than, what a person who is, developing or personal security wants to do the business. May say that, hey, I want them to have the most easy experience from a user experience perspective to get in. They click it. They got a magic, they go and do their stuff, but the second apartment would be like, well. That is risky and that's not something. What do you want to do? You want to have a

little ground? Are you say, what compensating controls do I have? If the business wants to go this route and again, I'm here to support the business, but also making sure that I can give them an inline them to certain controls that will protect them as a company. And that's what that is. Very crucial. What are you trying to solve? And I can't hear. This is a very familiar topic about the sheriff security model by the public provider. Say, hey, we will manage the infrastructure that your stuff's. It's on that your data sets on or you possibly happen. That is our responsibility to protect

the data center, will make sure their schooling. There's backup systems. There's ups and making sure that it's secure your data is not going to bleed into another customer's data. We're going to make sure that all of their bottom lines protected but everything is secured. And on top of that everything is on us, right. So if you put them data on, somebody puts an S3 bucket on the public and there's a breach, you know, what is not going to come and say, well, I'm sorry, we shouldn't have done that. But that's really a customer engagement. That's really how the customers engaged by using

that account. Lighter, I made it publicly exposed and that that really comes under our responsibility. Right? That's not responsible to the provider. It's the responsibility of the user or the other company, that's using that service and they'll often gave me this crucial. You know, it's not a matter of like, okay, where a gate at the security professional unless dollar bills come after they're done. No, we have to get from the ground. We have to look at the data in those layers. You have to look at it from the perspective of, how do I help developers educate them and help them to be

security aware and be part of their spin cycle. I mean, that something. It's a rare thing that evolution of the security mindset that into death. Cops, and multiple other initiatives, where we really need to plug ourselves into a spin cycle to say. Hey, what are you working on? What are some things that can have an application on security and what are some things that I can do to help you be successful so that you're not trying to go out the door and then security comes and says, oh you shouldn't have done this. Night, so that is a very bad taste people. Get when they got kind of an

engagement. Is there a lot of friction, lot of challenges? But really need to have the box engagement that is very very crucial. In this scenario for securing it. But also education I'm making people aware of those type of layers in different ways of addressing it again, we looked at their security in several is based on a track. What is the threat? I'm on the edge layer. That's right. Is higher. Am I in the back end? The threat is there, but it's a different type of bread, right? It's not necessarily lower because you're protecting data and there's no, it's going to be very sensitive data.

The threat is there. But the different type of threat may be more of an Insider threat, more of an accidental exfiltration or other methods, but if somebody gets into the door, if they get there then obviously too much more pretty good rest at that point of time. So it's based on a threat Factor. I'm finally, you know, I just want to leave you all with this quote, in a sort of security, is about anticipating the journey more than reaching a goal in a, we're not trying to get you a goal right away. I'm secure. Well, Amazon. Just released a new product or Google. Just released a new feature

or as a release the new serviced. And we're back to square one. Do you? Do you have to really think about some of the security is anticipating the journey and saying, hey, here's where I am, and here's where I can improve. And I'm constantly iterating on that thought process right here, anticipating to Germany, more than trying to reach his goal. Right? It's a process. And it's a strategy that you want to have in all of the stuff that we felt about that can help you get to that and stay off being able to have a plan of us, all being secure insecure and guns are in the in the

Cerberus world. I know. I would really love to again how accommodation to really thank you for listening in this topic about some of the security and looking forward to hearing some questions. If you have any questions, be glad to answer that. I spell thank you.
