Author: Lars Thorsen

Date: May 19, 2020

As many know, AWS deploys a shared responsibility security model, which starts with AWS taking responsibility for the security of the underlying cloud infrastructure—compute, storage, database, and networking—within its various regions and domains. In parallel, as an AWS customer, you are responsible for the security of your applications, workloads, and data—including network security, identity and access controls, data encryption, and the operating system—while running in the AWS cloud. The question naturally emerges: How do you effectively do this?

To help AWS customers, Cisco—a market leader in security—has built a security architecture around four key pillars: visibility, segmentation, threat protection, and identity and access management.

Visibility

Visibility is about seeing everything. It’s about having complete visibility into users, devices, networks, applications, workloads, and processes running in the AWS cloud. To accomplish this, Cisco offers a number of products:

  • Cisco Tetration agents running on AWS instances forward “network flow and process information” that is essential to visibility and policy enforcement, which in turn enables enhanced automated threat defense.
  • Cisco Stealthwatch Cloud (SWC) consumes Amazon Virtual Private Cloud (VPC) flow logs, AWS CloudTrail, AWS Inspector, AWS IAM, and other data sources. Alongside visibility into your AWS cloud infrastructure, Cisco SWC also surfaces compliance-related observations.
  • Cisco Advanced Malware Protection (AMP) for Endpoints threat response helps you gain visibility into the scope of a breach, such as how many endpoints are affected by a given piece of malware. You can discover patient zero: when the malware was first seen, on which computer in your environment, its lineage, and how it moves between hosts.
  • Cisco Threat Response offers API-driven integration with Cisco Umbrella, Cisco AMP for Endpoints, and SWC. Using this integration, security ops teams can gain increased visibility while hunting down threats.

AWS VPC flow logs can be combined with these Cisco tools to enable you to capture information about IP traffic going to and from network interfaces in your VPC.

Segmentation

Segmentation is about reducing the attack surface. It’s about preventing attackers from moving laterally—east to west—through application whitelisting and microsegmentation. To accomplish this, Cisco offers a number of products running on AWS:

  • Cisco Next-Generation Firewall (NGFWv) provides capabilities like stateful firewall, “application visibility and control,” next-generation IPS, URL-filtering, and network AMP in AWS.
  • Cisco Adaptive Security Appliance Virtual (ASAv) provides a stateful firewall, network segmentation, and VPN capabilities in AWS VPC.
  • Cisco Tetration enables zero-trust security using application segmentation.
  • Cisco Defense Orchestrator (CDO) can now manage AWS security groups, and it provides microsegmentation capability by managing host firewalls on the workload itself.

Working with Cisco products, the AWS security architecture around segmentation includes AWS security groups, AWS gateways, AWS VPCs, and AWS subnets.

Threat protection

Threat protection is about stopping breaches by quickly detecting, blocking, and responding to attacks before hackers can steal data or disrupt operations. To accomplish this, Cisco offers a number of products:

  • Cisco NGFWv delivers threat inspection throughput of up to 1.1 Gbps to help protect virtual data center and AWS cloud environments from sophisticated threats.
  • Cisco Tetration uses advanced security analytics to speed detection.
  • Cisco AMP for Endpoints provides comprehensive protection against the most advanced attacks. It prevents breaches and blocks malware at the point of entry, then rapidly detects, contains, and remediates advanced threats that evade front-line defenses and penetrate your network. It stops malware, eliminates blind spots, and discovers unknown threats.
  • Cisco Umbrella virtual appliance is available for AWS. Using dynamic host configuration protocol (DHCP) options, administrators can configure Cisco Umbrella as a primary DNS. Cisco Umbrella cloud provides a way to configure and enforce DNS layer security for workloads in the cloud.
  • Cisco Threat Response helps detect, investigate, and take corrective action against cyber threats.

AWS security architecture for threat protection also includes:

  • AWS Web Application Firewall (WAF) which protects against web exploits
  • AWS Shield (DDoS – Basic or Advanced) which protects against DDoS

As an alternative to these AWS services—and based on your requirements and preferences—you might consider Radware WAF and DDoS mitigation solutions, which also provide WAF and DDoS capabilities offered through as-a-service business models.
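As an added example (not Cisco's or AWS's code), the following Python reads VPC flow log records in the default version-2 format described in the Visibility section and applies three defender-side checks that map to the pillars above: rejected flows (visibility), accepted east-west flows on ports the segmentation policy does not allow (segmentation), and DNS queries that bypass the resolver handed out through the VPC DHCP options (threat protection). The workload CIDRs, the port allowlist, the resolver address and the sample records are constructed assumptions, not values from the page.

```python
import ipaddress

# Field order of the default VPC flow log record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed environment for this example (assumptions, not from the page).
WORKLOAD_CIDRS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24")]
ALLOWED_EW_PORTS = {443, 5432}  # east-west ports the segmentation policy permits
APPROVED_RESOLVER = ipaddress.ip_address("10.0.0.2")  # DNS server set via VPC DHCP options

def parse_record(line):
    """Return a dict for one version-2 record, or None for NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[3] == "-":  # no addresses: nothing to inspect
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol"):
        rec[key] = int(rec[key])
    return rec

def in_workload(addr):
    return any(ipaddress.ip_address(addr) in net for net in WORKLOAD_CIDRS)

def findings(lines):
    """Return (check, interface_id, src, dst, dstport) tuples that merit review."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst, port = rec["srcaddr"], rec["dstaddr"], rec["dstport"]
        hit = (rec["interface_id"], src, dst, port)
        if rec["action"] == "REJECT":  # blocked by a security group or network ACL
            out.append(("rejected",) + hit)
        elif in_workload(src) and in_workload(dst) and port not in ALLOWED_EW_PORTS:
            out.append(("east_west_unexpected",) + hit)  # lateral traffic outside policy
        if port == 53 and ipaddress.ip_address(dst) != APPROVED_RESOLVER:
            out.append(("dns_bypass",) + hit)  # query not sent to the approved resolver
    return out

# Constructed sample records (documentation-range addresses, not real traffic).
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 443 6 12 3456 1589889600 1589889660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49153 22 6 3 180 1589889600 1589889660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.0.2 53211 53 17 1 70 1589889600 1589889660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 192.0.2.53 53212 53 17 1 70 1589889600 1589889660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 40000 3389 6 1 60 1589889600 1589889660 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1589889600 1589889660 - NODATA
""".splitlines()

if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```

In practice the records would come from the CloudWatch Logs group or S3 bucket the flow log is delivered to rather than from an inline string.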

Identity and Access Management (IAM)

IAM assigns robust access control to help ensure appropriate access to technology resources. Cisco Duo provides multi-factor authentication (MFA) service for AWS consoles and applications running on workloads. 

Coupled with Cisco Duo is AWS IAM, which enables you to manage access to AWS services and resources securely.

Certified reference architecture

To help you deploy security architecture that utilizes these tools to secure your applications, workloads, and data running in AWS, Cisco provides a certified reference architecture.

In closing, Cisco is committed to helping our mutual customers with AWS securely run applications, workloads, and data in the AWS Cloud. For more information regarding this partnership, visit AWS and Cisco.

Used with permission from Cisco.