AWS April Webinar Series - How Willbros Builds Securely in AWS with Trend Micro

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Jason Cradit, VP of Information Services, Willbros Group
Matt Yanchyshyn, Solutions Architect, AWS
Dawn Smeaton, Director, AWS Security, Trend Micro

April 21, 2015

How Willbros Builds Securely in AWS with Trend Micro

AWS Global Infrastructure

Compute, Storage, Database, Networking, Application Services, Deployment & Administration

Amazon Web Services (AWS) provides flexible, scalable, and cost-effective IT infrastructure for businesses of all sizes around the world.

What sets AWS apart?

• Experience: Building and managing cloud since 2006
• Service Breadth & Depth: 40+ services to support any cloud workload
• Pace of Innovation: History of rapid, customer-driven releases
• Global Footprint: 11 regions, 28 availability zones, 53 edge locations
• Pricing Philosophy: 47 proactive price reductions to date
• Ecosystem: Thousands of partners; 1,900+ Marketplace products

“Increasingly, organizations are asking what can’t go to the cloud, rather than what can…”

Security is Job Zero at AWS

AWS is responsible for the facilities, physical security, physical infrastructure, network infrastructure and virtualization infrastructure.

• SOC 1, SOC 2 & SOC 3
• ISO 27001
• PCI Level 1
• FedRAMP
• AWS GovCloud (US)
• MPAA best practices alignment

Customers are running SOX, HIPAA, FISMA, DIACAP MAC III sensitive ATO, ITAR, …

The Forrester Wave™: Public Cloud Platform Service Providers' Security, Q4 2014

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Security with AWS

Auditability: Compliance reports, AWS CloudTrail, AWS Config
Visibility: Amazon CloudWatch, “Describe” APIs
Control: AWS IAM, AWS CloudHSM, AWS CloudFormation, AWS KMS

Defense-in-depth

Network security: Security groups, VPC configuration, Web application firewalls, Bastion hosts, Encryption in-transit
System security: Hardened AMIs, OS and app patch mgmt., IAM roles for EC2, IAM credentials
Data security: Logical access controls, User authentication, Encryption at-rest
Physical: AWS compliance program, Third-party attestations

Encryption: data at rest in AWS

EBS volume encryption: EBS encryption, OS tools, AWS Marketplace/partner solutions
S3 object encryption: S3 server-side encryption (SSE), S3 SSE with customer-provided keys, client-side encryption
Database encryption: Amazon Redshift encryption; RDS PostgreSQL (KMS); RDS MySQL (KMS); RDS Oracle (TDE/HSM); RDS MSSQL (TDE)

AWS Identity and Access Management (IAM)

• Users, Groups, Roles, Policies
• Multi-factor authentication for users (hardware or software token)
• Temporary credentials
• IAM administrative users for AWS, rather than the root account
• Enforce the principle of least privilege

Security Groups and NACLs

Security Groups
• Instance level, stateful
• ALLOW rules only
• Default deny inbound, allow outbound
• Use as “whitelist” – least privilege

NACLs
• Subnet level, stateless
• ALLOW and DENY
• Default allow all
• Use as “blacklist”/“guardrails” (port 135, 21, 23…)

Separation of duties. Changes audited via AWS CloudTrail
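As an added example (not part of the deck), a small Python model of the two filter layers this slide contrasts: a stateful, allow-only security group and a stateless, ordered allow/deny NACL. The rule format, the addresses and the packets are constructed, and the NACL is applied in both directions for brevity.

```python
# Added example: toy model of security-group vs. NACL semantics.
# Rules, addresses and packets below are constructed, not real AWS data.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = toward the instance, "out" = leaving it
    proto: str          # "tcp" or "udp"
    port: int           # destination port
    peer: str           # remote IP address
    reply: bool = False # True when this packet answers an established flow

def sg_allows(rules, pkt):
    """Security group: instance level, stateful, ALLOW rules only,
    default deny inbound / allow outbound. rules = [(proto, port, cidr)]."""
    if pkt.reply or pkt.direction == "out":
        return True     # stateful: replies and outbound need no explicit rule
    ip = ipaddress.ip_address(pkt.peer)
    return any(proto == pkt.proto and port == pkt.port
               and ip in ipaddress.ip_network(cidr)
               for proto, port, cidr in rules)

def nacl_allows(rules, pkt):
    """Network ACL: subnet level, stateless, ALLOW and DENY; the lowest
    matching rule number wins; the default NACL allows everything.
    rules = [(number, action, proto, port_range)], same list both ways here."""
    for _, action, proto, ports in sorted(rules):
        if proto in (pkt.proto, "all") and pkt.port in ports:
            return action == "allow"
    return True

def reaches_instance(sg_rules, nacl_rules, pkt):
    return nacl_allows(nacl_rules, pkt) and sg_allows(sg_rules, pkt)

# Constructed policy: the group whitelists HTTPS from one corporate range;
# the NACL "guardrails" deny the legacy ports named on the slide (135, 21, 23).
SG = [("tcp", 443, "203.0.113.0/24")]
GUARDRAILS = [(100, "deny", "tcp", range(135, 136)),
              (110, "deny", "tcp", range(21, 22)),
              (120, "deny", "tcp", range(23, 24))]
# Stricter NACL that forgets the ephemeral return-port range (1024-65535):
STRICT = GUARDRAILS + [(200, "allow", "tcp", range(443, 444)),
                       (32767, "deny", "all", range(0, 65536))]
if __name__ == "__main__":
    https = Packet("in", "tcp", 443, "203.0.113.7")
    reply = Packet("out", "tcp", 51234, "203.0.113.7", reply=True)
    print(reaches_instance(SG, GUARDRAILS, https))   # True
    print(reaches_instance(SG, STRICT, reply))       # False: stateless NACL drops the reply
```

The second case is the practical difference between the two layers: the stateful group passes return traffic automatically, while a NACL that only allows port 443 silently breaks the connection unless the ephemeral port range is also allowed.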

Figure: physical interfaces → hypervisor → firewall → per-customer virtual interfaces (Customer 1, Customer 2 … Customer n), each with its own security groups

Configure and harden EC2 instances based on security and compliance needs. Enforce consistent security on your hosts.

Launch instance (EC2 AMI catalog) → Running instance → Configure instance → Your instance

Hardening, audit and logging, vulnerability management, malware and HIPS, whitelisting and integrity, user administration, operating system

• Host-based protection software
• Restrict access where possible
• Connect to existing services

Jason Cradit, April 21st 2015

Oil and Gas Asset Security: Learn How Willbros Created Secure & Flexible Solutions with Trend Micro

Agenda

• Who is Willbros

• Willbros Integrity use-cases

• Security architecture and design considerations

Willbros

Willbros Group, Inc. is a global contractor specializing in energy infrastructure serving the oil, gas and power industries. Our offerings include engineering, procurement and construction, refinery turnarounds, pipeline construction, pipeline integrity management, GIS consulting and other specialty services to industry and government entities worldwide.

Willbros Integrity Use-Cases

Pipeline Routing

Analytical routing solution

• Land owners vs. corridors

• Wetlands or other crossings

• Populated areas

• Slope or ground rock

• Federal or conserved lands

Old time vs. new time

• 10x improvement!!

Integra Link

• Assets are bought and sold

• Who made it? Where is it? When was it maintained?

• Assets are replaced (or need to be)

• Asset classifications change in the world

• Lag time back to office

Integra Link

Collaboration

• Field, Office, and Partners

• Visualization

• Risk

• Location

Requirements

• Fast and familiar (secure)

• One version of the truth

Basic Infrastructure

Infrastructure

• VDI

• Web

• Dev

• Archive

Build and deploy promptly

• Project based IT costs

• Agile elasticity

Architecting for Security

Information Security

Confidentiality: Only those that should have access, do.
Integrity: Only those that should modify it, can.
Availability: The service and information is there when you need it.

Security Reference Architecture

Figure: Internet → FW → IDS/IPS → FW → Web server, with logs feeding a monitor; the “bad dude” attacks from the Internet

Security: In the old world

• Minimize egress/ingress

• Protections at the perimeter – impossible math

• Once the bad dude is in, he is in

• IDS definitions are BROAD!

• Lots to manage

• Endpoint, physical perimeter, network, server…etc…

• Scale vs. cost vs. security

• Scary patch cycles

• Could just implement this in the cloud

• Agility and scale, price

Security: In the old world

Brown fields:

• Bolt-on, forklift or remove (or $$$$)

• Incident response

• Keep service up vs. drop service to mitigate vulnerability

• Lessons learned are road-mapped

• Resources to manage the old and the new

• Rigorous change control processes

• Disaster recovery expense

• Manual testing not representative of actual failure

Security: New world

No physical, just logical

Multiple ingress/egress

Containerization

Protection closer to the information

Only necessary protections

Shared security analytics

Security: New world

Figure: new-world reference architecture (Internet, bad dude, logs, monitor)

Security: New world

Always Green fields:

• Lessons learned enacted now

• DR testing and implemented as code

• IR failover or rebuild but retain old for investigation

• Manage scope

• One environment doesn’t impact another

• No cookie-cutters

• One new problem…

Trend Micro

Security with Trend

• Detect and enforce at the account level

• Auto load policy

• Alert on new or unsecured environments

• Reduce attack vectors by narrowing scope

• Improved 0-day hole

• Parallel IDS/IPS at each host

• File Integrity Management

• Log Inspection

Green or brown (brown fields and green fields)

Trend Micro Deep Security Protection

Defend against network attacks

Virtually patch software

Keep malware off workloads

Uncover suspicious changes

Copyright 2015 Trend Micro Inc.

Simplify your life with a single security solution, built for AWS

Fits How You Want to Buy and Deploy

• AWS Marketplace: On your AWS bill for simplified procurement & billing
• Software: Annual license for hybrid environments or maximum control
• Software as a Service: Usage based pricing for small instances or variable workloads

aws.trendmicro.com