Monday, 14. August 2017

Amazon Macie and Deep Security

Amazon S3 stores trillions of objects and regularly peaks at millions of requests per second. By any metric, it’s massive. With unparalleled durability and availability, it’s the backbone of AWS’ data services.

This morning at the AWS Summit in New York City, AWS launched a new service: Amazon Macie. Trend Micro is proud to support this exciting new service at launch.

Amazon Macie provides automated insights into the usage of your Amazon S3 data.

Amazon S3 is secure by default and has always provided a strong set of security controls, but it has been challenging to monitor the usage of the service effectively. AWS CloudTrail and AWS Config let you examine how your data is being used, while AWS Config Rules (another service Trend Micro supported at launch) lets you react to configuration changes. All of these solutions have required some legwork to pull the signal from the noise.

Now, Amazon Macie presents that signal to you automatically, providing much-needed insight into how your business uses its data as well as into your security.

What is Amazon S3?

As a quick recap, Amazon S3 works with two simple constructs: buckets and objects. A bucket is the top-level container where your data is stored; its namespace is flat, and "folders" are only a naming convention. An object is a piece of data plus its metadata, identified within its bucket by a unique key.

These basic structures let you store your data in whatever way makes sense for your application. From a security perspective, the service provides a number of tools to help you control access to your data:

•  Bucket policies
•  IAM policies
•  Access Control Lists (ACLs)
•  Query string authentication (pre-signed, URL-based access)

An Amazon S3 bucket is private by default (only the AWS account that created it has access), and these methods give you the tools you need to grant access to the users or roles that require it.
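Because every one of those mechanisms can also be used to open a bucket to everyone, the check a practitioner most wants is the reverse one: does a bucket policy or a bucket ACL grant access to the world? Here is an added Python example of that check (not from the post and not Trend Micro's or AWS's code). The two policy documents, the ACL, the bucket name customer-data and the role ARN are constructed for illustration; the JSON shapes are the ones the S3 API returns for a bucket policy and a bucket ACL.

```python
import json

# Well-known S3 grantee groups; a grant to either makes an ACL public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    """Policy documents allow a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy):
    """Return Allow statements in a bucket policy that grant access to everyone.

    A Condition (e.g. a source-IP restriction) narrows such a statement but
    it still deserves review, so it is reported with conditional=True.
    """
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid"),
            "actions": _as_list(st.get("Action")),
            "resources": _as_list(st.get("Resource")),
            "conditional": "Condition" in st,
        })
    return findings


def acl_findings(acl):
    """Return ACL grants to the AllUsers or AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            findings.append({
                "group": grantee["URI"].rsplit("/", 1)[1],
                "permission": grant.get("Permission"),
            })
    return findings


# --- constructed sample documents; none of these resources are real ---
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::customer-data/*"
  }]
}""")

# Same bucket, restricted to one role and forcing TLS. The Deny statement
# uses Principal "*" too, but a Deny is never a grant, so it is not reported.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppServerRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::customer-data/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::customer-data", "arn:aws:s3:::customer-data/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}""")

PUBLIC_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("public policy:  ", policy_findings(PUBLIC_POLICY))
    print("hardened policy:", policy_findings(HARDENED_POLICY))
    print("public ACL:     ", acl_findings(PUBLIC_ACL))
```

To run it against a real bucket, feed it the output of `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` and `aws s3api get-bucket-acl --bucket NAME`. Note what it does not cover: ACLs set on individual objects, and pre-signed URLs, which are not recorded in either document and only show up in the access logs.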

Up until now, you had to comb through Amazon S3 server access logs or AWS CloudTrail events to determine who was accessing your data and what the normal patterns of that access were.

What is Amazon Macie?

Amazon Macie uses machine learning to automatically profile your Amazon S3 data and its usage, drawing on a number of indicators such as content types, file extensions, managed regex patterns, and managed data themes.
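To make that indicator list concrete, here is an added Python example (not from the post, and not Macie's own classifiers, whose managed patterns are not published): it tags an object by file extension, content type and a handful of regex patterns, then rolls the findings up into illustrative "data themes" with a severity. The pattern set, the theme names, the extension list and the sample objects are all constructed for the example; AKIAIOSFODNN7EXAMPLE is the example access key ID from the AWS documentation, not a live credential.

```python
import os
import re

# Illustrative patterns standing in for a managed regex set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # 13-19 digits, optionally separated by spaces or dashes; validated with Luhn below.
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

# File extensions that are sensitive regardless of what the body looks like.
SENSITIVE_EXTENSIONS = {
    ".pem": "private_key_file",
    ".key": "private_key_file",
    ".env": "environment_file",
    ".sql": "database_dump",
    ".bak": "backup_file",
}

# Non-text/* content types whose body is still worth scanning as text.
TEXT_CONTENT_TYPES = {"application/json", "application/xml", "application/x-pem-file", "application/x-sh"}

# Illustrative data themes: groups of findings that share a risk profile.
THEMES = {
    "credentials": {"aws_access_key_id", "private_key", "private_key_file", "environment_file"},
    "financial": {"credit_card"},
    "pii": {"email"},
    "data_store": {"database_dump", "backup_file"},
}
THEME_SEVERITY = {"credentials": 3, "financial": 3, "pii": 2, "data_store": 2}


def luhn_ok(digits):
    """Luhn checksum; filters out most random digit runs the card regex matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_object(key, content_type, body):
    """Return the set of finding names for one object (key, Content-Type, bytes)."""
    findings = set()
    ext = os.path.splitext(key)[1].lower()
    if ext in SENSITIVE_EXTENSIONS:
        findings.add(SENSITIVE_EXTENSIONS[ext])
    if content_type.startswith("text/") or content_type in TEXT_CONTENT_TYPES:
        text = body.decode("utf-8", errors="replace")
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                if name == "credit_card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                    continue
                findings.add(name)
    return findings


def assess(key, content_type, body):
    """Map findings to themes and a 0-3 severity, the shape an alert would carry."""
    findings = classify_object(key, content_type, body)
    themes = {t for t, members in THEMES.items() if findings & members}
    severity = max((THEME_SEVERITY[t] for t in themes), default=0)
    return {"key": key, "findings": sorted(findings), "themes": sorted(themes), "severity": severity}


# Constructed sample objects as (key, Content-Type, body) triples; none of the data is real.
SAMPLE_OBJECTS = [
    ("reports/q2-customers.csv", "text/csv",
     b"name,email,card\nAda,ada@example.com,4111 1111 1111 1111\nBob,bob@example.com,1234 5678 1234 5678\n"),
    ("config/app.env", "text/plain",
     b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_HOST=db.internal\n"),
    ("deploy/server.pem", "application/x-pem-file",
     b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n"),
    ("images/logo.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
]

if __name__ == "__main__":
    for key, ctype, body in SAMPLE_OBJECTS:
        print(assess(key, ctype, body))
```

The CSV row for "Bob" shows why a regex alone is not a classifier: "1234 5678 1234 5678" matches the card pattern but fails the Luhn check and is dropped, while Ada's number passes and the object is tagged financial. The PNG is skipped entirely because its content type says there is no text to scan, which is the cheap first filter any bucket-wide scan needs.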

Once Amazon Macie establishes a baseline, it then continuously monitors the usage of your data and provides actionable alerts based on the risk posed to your data.

You might think of Amazon Macie as your own personal data security assistant. It tirelessly monitors every access to your Amazon S3 data, learning the patterns and profiles that define what is "typical" for your application. Any time something out of the ordinary happens, it raises an alert.

You can then react to these alerts by changing your Amazon S3 settings, adjusting the configuration of your application, or changing other security controls in your deployment.
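The baseline-then-alert loop described in the last few paragraphs, as an added Python example (not part of the post, and not Macie's implementation, which is not public): it learns a per-principal profile from S3 server access log lines, then flags requests from principals it has never seen, operations a known principal has never performed, successful anonymous object reads, and per-hour request bursts. The log lines, the bucket customer-data and the IAM principals are constructed; the burst thresholds (burst_factor, burst_floor) are assumptions, and a real profile would be built over far more than a few hours of history.

```python
import re
from collections import Counter, defaultdict

# First ten fields of an S3 server access log line: bucket owner, bucket,
# [time], remote IP, requester, request ID, operation, key, "request-URI", status.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hour_of(record):
    # "14/Aug/2017:09:12:03 +0000" -> "14/Aug/2017:09"
    return record["time"][:14]


def build_baseline(lines):
    """Learn, per requester, the (bucket, operation) pairs that are normal and
    the busiest hour observed. Later requests are judged against this profile."""
    seen = defaultdict(set)
    per_hour = Counter()
    for rec in filter(None, map(parse_line, lines)):
        seen[rec["requester"]].add((rec["bucket"], rec["operation"]))
        per_hour[(rec["requester"], hour_of(rec))] += 1
    peak = {}
    for (requester, _hour), n in per_hour.items():
        peak[requester] = max(peak.get(requester, 0), n)
    return {"seen": dict(seen), "peak": peak}


def detect(baseline, lines, burst_factor=3, burst_floor=5):
    """Compare new log lines against the baseline and return alert dicts."""
    alerts = []
    per_hour = Counter()
    for rec in filter(None, map(parse_line, lines)):
        requester, op = rec["requester"], rec["operation"]
        base = {"requester": requester, "bucket": rec["bucket"], "operation": op, "key": rec["key"]}
        if requester == "-":
            # Anonymous request: a 2xx on an object read means that object is public.
            if op == "REST.GET.OBJECT" and rec["status"].startswith("2"):
                alerts.append(dict(base, type="ANONYMOUS_READ"))
        elif requester not in baseline["seen"]:
            alerts.append(dict(base, type="NEW_PRINCIPAL"))
        elif (rec["bucket"], op) not in baseline["seen"][requester]:
            alerts.append(dict(base, type="NEW_OPERATION"))
        per_hour[(requester, hour_of(rec))] += 1
    for (requester, hour), n in per_hour.items():
        # Burst: more requests in one hour than burst_factor x the busiest baseline hour.
        limit = max(burst_floor, burst_factor * baseline["peak"].get(requester, 0))
        if n > limit:
            alerts.append({"type": "BURST", "requester": requester, "hour": hour, "requests": n, "limit": limit})
    return alerts


def log_line(hour, minute, requester, operation, key, status="200"):
    """Build one constructed log line in the server access log layout above."""
    verb = operation.split(".")[1]
    path = "/" if key == "-" else f"/{key}"
    return (f'OWNERCANONICALID customer-data [14/Aug/2017:{hour:02d}:{minute:02d}:00 +0000] '
            f'192.0.2.10 {requester} REQ{hour:02d}{minute:02d} {operation} {key} '
            f'"{verb} {path} HTTP/1.1" {status}')


APP = "arn:aws:iam::123456789012:role/app-server"
ETL = "arn:aws:iam::123456789012:user/etl"

# Constructed history: the app server reads three reports an hour, ETL writes two.
BASELINE_LINES = [log_line(h, m, APP, "REST.GET.OBJECT", f"reports/{h}-{m}.csv")
                  for h in (9, 10) for m in (5, 25, 45)]
BASELINE_LINES += [log_line(2, m, ETL, "REST.PUT.OBJECT", f"reports/load-{m}.csv") for m in (0, 30)]

# Constructed new traffic containing one example of each anomaly.
MONITOR_LINES = [
    log_line(9, 7, APP, "REST.GET.OBJECT", "reports/9-7.csv"),                 # normal
    log_line(9, 8, "arn:aws:iam::123456789012:user/contractor", "REST.GET.OBJECT", "reports/9-7.csv"),
    log_line(9, 9, APP, "REST.GET.BUCKET", "-"),                                # listing, never seen before
    log_line(9, 10, "-", "REST.GET.OBJECT", "reports/9-7.csv"),                # anonymous, succeeded
] + [log_line(14, m, APP, "REST.GET.OBJECT", f"reports/14-{m}.csv") for m in range(12)]


def run_demo():
    return detect(build_baseline(BASELINE_LINES), MONITOR_LINES)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Each alert carries the principal, bucket, operation and key, which is exactly the information you need to decide which of the reactions above applies: an anonymous read points at an S3 setting, a burst from a known role points at the instances behind that role. The script only sees request metadata; it knows nothing about what is inside the objects, which is the half of the picture the content indicators cover.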

Jeff Barr has a fantastic post up about the inner workings of Amazon Macie and how to get started with the service over on the AWS blog.

Combined Defences

At Trend Micro, we've built the Deep Security platform to help you fulfill your responsibilities in the shared responsibility model. It helps you lock down your Amazon EC2 instances and Amazon ECS workloads and ensure that your application is doing what it's supposed to…and only what it's supposed to.

Deep Security applies its protections based on policy. The platform can automatically create and apply a policy for your workloads based on what is running on them, which makes it easy to keep your security settings up to date.

The challenge comes downstream. Amazon S3 is an abstract service, which means that you have very little day-to-day responsibility for its operation. The (slight) downside is that you don't get quite the granular insight you would expect from running your own data backend, although you also avoid the cost, headache, and pain-in-the-you-know-what.

Amazon Macie provides those insights. With the alerts it generates, you can make better decisions about security policies within Deep Security, and smarter security choices for the Amazon EC2 instances and the containers running in Amazon ECS that access that data in Amazon S3.

We will shortly have a simple AWS Lambda workflow available on GitHub to demonstrate how Amazon Macie and Deep Security can work together. Here's a quick look at the high-level design:

The goal of this simple integration is to strengthen your application's security posture in order to better protect your data. With Amazon Macie providing insights on the backend and Trend Micro's Deep Security protecting the frontend, you get a much smarter security policy tailored to your AWS workload.

What do you think of Amazon Macie? What are you going to use its automated insights for? Let me know on Twitter where I'm @marknca.