Embed Size (px)
DESCRIPTION
"In this session, learn how Trend Micro built Deep Security as a service on AWS. This service offers enterprise-grade security controls for AWS deployments in the form of intrusion detection and prevention, anti-malware, a firewall, web reputation, and integrity monitoring. With over 400 internal requirements set by their in-house Information Security and IT Operations teams, the Service team was challenged with building the case to deploy Deep Security as a service on AWS instead of in-house. This session walks through the reasons why the team chose AWS, the design decisions they made, and how they were able to meet or exceed their in-house requirements while deploying on AWS."
Citation preview
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Mark Nunnikhoven, Principal Engineer at Trend Micro
November 14, 2013
Learn How Trend Micro Used AWS to Build their Enterprise Security Offering (Deep Security as a Service)
Friday, November 15, 13
"The following story is fictional and does not depict any actual person or event"
Friday, November 15, 13
"The following story is completely real and depicts actual people & events"* Only the names have been changes to protect the innocent ;-)
Friday, November 15, 13
The stage
Friday, November 15, 13
What is Deep Security?
Centralized security control management
Friday, November 15, 13
What is Deep Security?
Centralized security control management
Manager
Friday, November 15, 13
What is Deep Security?
Centralized security control management
Manager Agent
Friday, November 15, 13
What could be...
Friday, November 15, 13
What could be...
• For the cloud
Friday, November 15, 13
What could be...
• For the cloud• In the cloud
Friday, November 15, 13
What was
Determine what an appropriate visual here would be (old style for contrast?)
Friday, November 15, 13
What was
• For the data center
Determine what an appropriate visual here would be (old style for contrast?)
Friday, November 15, 13
What was
• For the data center• In the data center
Determine what an appropriate visual here would be (old style for contrast?)
Friday, November 15, 13
The story so far...
Friday, November 15, 13
Deep Security—The Early Years
Security for servers and virtual machines
Friday, November 15, 13
Deep Security—The Early Years
Security for servers and virtual machines Product focus
• Enterprise only• Tight integration with virtualization platform• Focused on Windows platforms
Friday, November 15, 13
Deep Security—The Middle Years
Security for servers and virtual machines
Friday, November 15, 13
Deep Security—The Middle Years
Security for servers and virtual machines Big changes
• Acquired by Trend Micro in 2009• Provided more protection• Agentless protection is key• Expanded platform support
Friday, November 15, 13
Deep Security—Now
Friday, November 15, 13
Deep Security—Now
Product changes
• Protection regardless of location• “Single pane of glass”• Smart, simple, security that fits taken to heart
Friday, November 15, 13
Deep Security—Now
Security for servers, virtual machines
Product changes
• Protection regardless of location• “Single pane of glass”• Smart, simple, security that fits taken to heart
Friday, November 15, 13
Deep Security—Now
Security for servers, virtual machines
Product changes
• Protection regardless of location• “Single pane of glass”• Smart, simple, security that fits taken to heart
, & the cloud
Friday, November 15, 13
The Decision
Time to offer Deep Security as a service
Friday, November 15, 13
Why a Service?
Security for servers, virtual machines
Friday, November 15, 13
Why a Service?
Security for servers, virtual machines
Drivers
• Face the same challenges as our clients
Friday, November 15, 13
Why a Service?
Security for servers, virtual machines
Drivers
• Face the same challenges as our clients• Work directly with clients
Friday, November 15, 13
Why a Service?
Security for servers, virtual machines
Drivers
• Face the same challenges as our clients• Work directly with clients• Smaller feedback loop for new features
Friday, November 15, 13
The players
Friday, November 15, 13
Internal Teams
Friday, November 15, 13
Internal Teams
The Service TeamExecutive sponsorKey R&D product team membersDevOps*
Friday, November 15, 13
Internal Teams
The Service TeamExecutive sponsorKey R&D product team membersDevOps*
Friday, November 15, 13
Internal Teams
The Service TeamExecutive sponsorKey R&D product team membersDevOps*
People to win overExecutivesInformation SecurityOperationsR&D Product Team
Friday, November 15, 13
Internal Teams
The Service TeamExecutive sponsorKey R&D product team membersDevOps*
People to win overExecutivesInformation SecurityOperationsR&D Product Team
vsFriday, November 15, 13
Internal Teams
The Service TeamExecutive sponsorKey R&D product team membersDevOps*
People to win overExecutivesInformation SecurityOperationsR&D Product Team
vsFriday, November 15, 13
+Internal Teams
The Service TeamExecutive sponsorKey R&D product team membersDevOps*
People who helpedExecutivesInformation SecurityOperationsR&D Product Team
Friday, November 15, 13
+Internal Teams
The Service TeamExecutive sponsorKey R&D product team membersDevOps*
People who helpedExecutivesInformation SecurityOperationsR&D Product Team
Friday, November 15, 13
Team Profile
Information Security• Own existing security policy
Friday, November 15, 13
Friday, November 15, 13
Team Profile
Information Security• Own existing security policy
Friday, November 15, 13
Team Profile
Information Security• Own existing security policy• 400+ requirements for operational services
Friday, November 15, 13
Team Profile
Information Security• Own existing security policy• 400+ requirements for operational services• Wants development of cloud best practices
Friday, November 15, 13
Team Profile
Operations• Run several data centers worldwide
Friday, November 15, 13
Team Profile
Operations• Run several data centers worldwide• Rigid change management with complex schedules
Friday, November 15, 13
Team Profile
Operations• Run several data centers worldwide• Rigid change management with complex schedules• Wants development of DevOps runbook
Friday, November 15, 13
Team Profile
R&D Product Team• Develop & maintain the product
Friday, November 15, 13
Team Profile
R&D Product Team• Develop & maintain the product• Only operational work is emergency support
Friday, November 15, 13
Team Profile
R&D Product Team• Develop & maintain the product• Only operational work is emergency support• Wants tighter feedback loop
Friday, November 15, 13
The details
Friday, November 15, 13
High Level Architecture
Friday, November 15, 13
High Level Architecture
Agent
Friday, November 15, 13
High Level Architecture
Agent
Friday, November 15, 13
High Level Architecture
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
Manager+ Relay
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Bi-direction communications
Friday, November 15, 13
Load balancers
Friday, November 15, 13
High Level Architecture
Friday, November 15, 13
High Level Architecture
Agent
Friday, November 15, 13
High Level Architecture
Agent
Friday, November 15, 13
High Level Architecture
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
Manager+ Relay
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Bi-direction communications
Friday, November 15, 13
Load Balancers
Friday, November 15, 13
Load Balancers
Requirements
• 3 flows, all incoming on :443
Friday, November 15, 13
Load Balancers
Requirements
• 3 flows, all incoming on :443• SSL off loading
Friday, November 15, 13
Load Balancers
Requirements
• 3 flows, all incoming on :443• SSL off loading• High number of concurrent connections
Friday, November 15, 13
Load Balancers
HAProxyMet requirements2+ instances required (for HA)EC2 instance costsMore boxes to maintain
Friday, November 15, 13
Load Balancers
HAProxyMet requirements2+ instances required (for HA)EC2 instance costsMore boxes to maintain
Elastic Load BalancingCan meet requirements3 load balancers required (1x flow)CheapMinimal maintenance
Friday, November 15, 13
Load Balancer Architecture
LoadBalancer
Fix
Friday, November 15, 13
Load Balancer Architecture
LoadBalancer
Agent
Fix
Friday, November 15, 13
Load Balancer Architecture
LoadBalancer
Agent
Fix
Friday, November 15, 13
Load Balancer Architecture
Manager+ Relay
LoadBalancer
Agent
Fix
Friday, November 15, 13
Load Balancer Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Fix
Friday, November 15, 13
Load Balancer Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Bi-direction communications
Fix
Friday, November 15, 13
Manager + Relay
Friday, November 15, 13
High Level Architecture
LoadBalancer
Friday, November 15, 13
High Level Architecture
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
Manager+ Relay
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Bi-direction communications
Friday, November 15, 13
Manager + Relay
Friday, November 15, 13
Manager + Relay
Requirements
• Hosts JVM-based application
Friday, November 15, 13
Manager + Relay
Requirements
• Hosts JVM-based application• Memory, CPU, and network are constraints
Friday, November 15, 13
Manager + Relay
AWS Windows BaseMet requirementsHarder to scriptMore expensive
Friday, November 15, 13
Manager + Relay
AWS Windows BaseMet requirementsHarder to scriptMore expensive
AWS Linux BaseMet requirementsSimple scriptingCheaper
Friday, November 15, 13
Manager + Relay Architecture
LoadBalancer
Fix
Friday, November 15, 13
Manager + Relay Architecture
LoadBalancer
Agent
Fix
Friday, November 15, 13
Manager + Relay Architecture
LoadBalancer
Agent
Fix
Friday, November 15, 13
Manager + Relay Architecture
Manager+ Relay
LoadBalancer
Agent
Fix
Friday, November 15, 13
Manager + Relay Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Fix
Friday, November 15, 13
Manager + Relay Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Bi-direction communications
Fix
Friday, November 15, 13
Manager + Relay—Tips & Tricks
Friday, November 15, 13
Manager + Relay—Tips & Tricks
Tips & tricks
• We don’t use AMIs
Friday, November 15, 13
Manager + Relay—Tips & Tricks
Tips & tricks
• We don’t use AMIs• Auto-scale only for failover
Friday, November 15, 13
Database
Friday, November 15, 13
High Level Architecture
Manager+ Relay
LoadBalancer
Friday, November 15, 13
High Level Architecture
Manager+ Relay
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
Manager+ Relay
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Bi-direction communications
Friday, November 15, 13
Database
Friday, November 15, 13
Database
Requirements
• MS SQL or Oracle
Friday, November 15, 13
Database
Requirements
• MS SQL or Oracle• Low latency path to Manager + Relay nodes
Friday, November 15, 13
Manager + Relay
on Amazon EC2Met requirements2x cost for clustered pairsMore maintenance
Friday, November 15, 13
Manager + Relay
on Amazon EC2Met requirements2x cost for clustered pairsMore maintenance
on Amazon RDSCan meet requirements1.3x cost for clustered pairsLess effort
Friday, November 15, 13
Manager + Relay
MS SQLTeams are more familiarBetter tools available*30 DB limit per Amazon RDS instance
Friday, November 15, 13
Manager + Relay
MS SQLTeams are more familiarBetter tools available*30 DB limit per Amazon RDS instance
OracleForces product improvements“Encourages” learningNo tablespace limits
Friday, November 15, 13
Database Architecture
Manager+ Relay
LoadBalancer
Fix
Friday, November 15, 13
Database Architecture
Manager+ Relay
LoadBalancer
Agent
Fix
Friday, November 15, 13
Database Architecture
Manager+ Relay
LoadBalancer
Agent
Fix
Friday, November 15, 13
Database Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Fix
Friday, November 15, 13
Database Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Bi-direction communications
Fix
Friday, November 15, 13
Final(ish) Design
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Bi-direction communications
Agent
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Add highly detailed graphic here
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Agent
Add highly detailed graphic here
Friday, November 15, 13
High Level Architecture
DatabaseManager+ Relay
LoadBalancer
Bi-direction communications
Agent
Add highly detailed graphic here
Friday, November 15, 13
Supporting Services
Friday, November 15, 13
Supporting Services
Amazon Route 53 for all DNS
Friday, November 15, 13
Supporting Services
Amazon S3 for deployment storage
Friday, November 15, 13
Supporting Services
AWS Trusted Advisor for sanity checks
Change graphic
Friday, November 15, 13
Supporting Services
Premium Support for CYA
Change graphic
Friday, November 15, 13
“Soft” (not easy) changes
Friday, November 15, 13
Team Profile
Information Security• Own existing security policy
Validating lessons for the team
Friday, November 15, 13
Team Profile
Information Security• Own existing security policy• 400+ requirements for operational services
Validating lessons for the team
Friday, November 15, 13
Team Profile
Information Security• Own existing security policy• 400+ requirements for operational services• Wants development of cloud best practices
Validating lessons for the team
Friday, November 15, 13
Team Profile
Operations• Run several data centers worldwide
Validating lessons for the team
Friday, November 15, 13
Team Profile
Operations• Run several data centers worldwide• Rigid change management with complex schedules
Validating lessons for the team
Friday, November 15, 13
Team Profile
Operations• Run several data centers worldwide• Rigid change management with complex schedules• Wants development of DevOps runbook
Validating lessons for the team
Friday, November 15, 13
Chart Example
2007
2008
2009
2010
0 25 50 75 100
Region 1 Region 2
Add stats for Service
Add goals for other Trend services
Friday, November 15, 13
Team Profile
R&D Product Team• Develop & maintain the product
Validating lessons for the team
Friday, November 15, 13
Team Profile
R&D Product Team• Develop & maintain the product• Only operational work is emergency support
Validating lessons for the team
Friday, November 15, 13
Team Profile
R&D Product Team• Develop & maintain the product• Only operational work is emergency support• Wants tighter feedback loop
Validating lessons for the team
Friday, November 15, 13
Chart Example
2007
2008
2009
2010
0 25 50 75 100
Region 1 Region 2
Add bug/feature stats
Friday, November 15, 13
Team Profile
Service Team• Own existing security policy
Validating lessons for the team
Friday, November 15, 13
Team Profile
Service Team• Own existing security policy• 400+ requirements for operational services
Validating lessons for the team
Friday, November 15, 13
Team Profile
Service Team• Own existing security policy• 400+ requirements for operational services• Wants development of cloud best practices
Validating lessons for the team
Friday, November 15, 13
Chart Example
2007
2008
2009
2010
0 25 50 75 100
Region 1 Region 2
Add stats for support?
Friday, November 15, 13
Well?
Friday, November 15, 13
Why a Service?
Security for servers, virtual machines
Friday, November 15, 13
Why a Service?
Security for servers, virtual machines
Drivers
• Face the same challenges as our clients
Friday, November 15, 13
Why a Service?
Security for servers, virtual machines
Drivers
• Face the same challenges as our clients• Work directly with clients
Friday, November 15, 13
Why a Service?
Security for servers, virtual machines
Drivers
• Face the same challenges as our clients• Work directly with clients• Smaller feedback loop for new features
Friday, November 15, 13
Please give us your feedback on this presentation
As a thank you, we will select prize winners daily for completed surveys!
Thank YouSEC307
Friday, November 15, 13
