Started out as a security researcher and developer at a Security SaaS company. Then was an Operations and Security architect for the web presence of a Fortune 10 company and for the past years have been leading operations and security at Coupa.
Everyone has to spend money – whether they like it or not. People with kids might relate. I wish there was a month where I did not have to spend money and could watch my bank account grow. Companies need to spend money too. However, most companies don't have any idea who is spending the money… on what… does it need to be spent?… can it be spent on something better? The founders of Coupa saw that people love to file expense reports and create requisitions… They saw that companies were using green terminal software at work and cool sites like… Amazon.com to shop at home. That's how Coupa was born to… mission statement… so that companies can save money and use it towards their core business.
When we see new challenges with customers, I ask AWS – how are other companies solving this problem? So our AWS account manager said… Sanket, you guys have solved some problems that other AWS customers would like to hear about. That's why I am here today: to share some of our experiences, network with peers and get feedback, to see if there is something that you could use, or something that we could do better.

What is the core thing that enterprise security really addresses?
There are different kinds of data that your company may need to store based on its business needs. This data might be regulated by various government laws and regulations. Enterprises have policies and procedures to protect this data and comply with the regulations, and they need assurance that this extends to the IaaS.
This slide shows some of the things that enterprise IT security traditionally looks for in a secure solution. An IaaS like AWS does not completely fit the traditional enterprise security model, so we look at AWS through the lens of enterprise security. AWS provides physical security like building security, personnel access controls, etc., which would be really demanding and expensive for a company whose core business is not IT. AWS also provides firewalls and IDS at its own perimeter, even though these are not exposed to customers.
This slide shows the various security facets that might come into play when creating an enterprise security architecture based on the data protection needs of your business or your customers. We are still responsible for the other mechanisms for protecting data. Here are some possible ways to implement those mechanisms.

Host IDS: you can use commercial solutions or open source solutions like OSSEC.

Web application firewall: you can use commercial solutions or open source solutions like ModSecurity.

Like an anti-virus, these solutions are only as good as the signatures they run. So in addition to installing and configuring these systems, you need to think about operationalizing them and having procedures to keep the rulesets and signatures up to date.

The next aspect of operationalization is to have incident response for any alerts generated by these systems. A simple incident response policy could be to send low-level alerts to logs, medium alerts to email, and high alerts to your NOC or 24x7 on-call.

Running in an enterprise also requires stricter change management. One way to achieve this is to have completely separate AWS accounts for Dev & QA and for Production, giving separation of privileges and duties between developers and operations. You can use IAM to further restrict access to specific assets. For example, your support team might need write access to certain S3 buckets and not others, and you can use IAM to enforce that policy. You can further use MFA, with say Google Authenticator or SecurID tokens, to raise the bar for someone getting access to your systems.

There is a high cost to protecting data, so your data protection mechanisms need to be appropriate for the class of data you are protecting. For PCI compliance, shared EC2 instances might be sufficient as long as the data is encrypted. For HIPAA compliance, you might need additional protection with dedicated instances.
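As an added example of the IAM point above (not from the original deck or from Coupa), here is an IAM policy for a support team that may write to one S3 bucket and no other, and only when the caller authenticated with MFA; the bucket name "example-support-uploads" and the statement IDs are placeholders I chose for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleSupportTeamWriteToOneBucketOnlyWithMFA",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-support-uploads",
        "arn:aws:s3:::example-support-uploads/*"
      ],
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    },
    {
      "Sid": "ExampleDenyWritesToEveryOtherBucket",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "NotResource": [
        "arn:aws:s3:::example-support-uploads",
        "arn:aws:s3:::example-support-uploads/*"
      ]
    }
  ]
}
```

The explicit Deny with NotResource overrides any other Allow the support group might pick up from a second policy, and because aws:MultiFactorAuthPresent is absent (not "false") on plain access-key calls, the Bool condition fails closed for requests made without MFA.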
For government data, you need to host the data in GovCloud and restrict access to US persons. So build your configuration and infrastructure management to be reusable across multiple clouds, so that you could have separate clouds for each data type and be compliant without breaking the bank.

Vulnerability management