Network Perimeter Security With Syeed Shareef

TLDR;

  • Data Perimeter provides additional security capabilities on top of current AWS offerings by combining power from SCP, Resource Policies, Identity Policies, Network Policies, etc. to build a perimeter around your data.
  • It’s recommended to focus on all the areas of Data Perimeter like Identity, Network & Resource while defining policies.
  • When it comes to Security focus should be on Use cases and not on the latest and greatest tools. Technology is means to an end and not an end in itself.

Transcript

Host: Hi everyone. Thanks for tuning into our Scale to Zero show. I’m Purusottam Co-founder and CTO of Cloudanix. Scale to Zero is a forum where we invite security experts to learn about their journeys, discuss on security topics, and get answers to questions received from curious security professionals.

Our goal is to build a community where we learn about security together and leave no questions unanswered. I was recently introduced to data perimeters in AWS and was blown away by the power that it could provide to practitioners. I’m pretty sure similar concepts apply to other clouds as well.

So to discuss this topic further, I’m super excited to invite Sahad Shareef to today’s episode. Syed is a senior security engineer at AWS. Prior to this, he has had various roles in risk management, sector security, engineering, vulnerability assessment over the last decade. Syed, it’s wonderful to have you in the show. For our viewers who may not know you, do you want to briefly share about your journey?

Syed: Thank you. Purusottam. Excited to be here today. My name is Syed Shareef as Purusottamjust said, I got into security like many people because I was good at breaking things and one thing led to another. My career has taken a lot of it turns as pushed to mention. But now I find myself building security tools for security practitioners using it. If you are excited to be here today, thank you.

Host: It’s a pleasure to have you here. So, the way we do the podcast is we have two sections.

The first section focuses on security questions and second section, which is the fun part, is the rapid fire. So let’s start with the security questions.

So, as we all know, right, data is one of the most, if not the most important asset for any organization. With that data security is always in mind for security leaders. And recently AWS launched a new capability called Data perimeter. And I have many questions around it. So maybe let’s start with

What is data perimeter?

Syed: Thank you.

I agree with you. Data has become as companies are using more and more abstracted services, using providers, they have moved more and more away from managing service to virtual machines now function as code and such. And what that means is the true asset. And Economist magazine had that famous poster that we all remember that data is a new oil. In some senses it is actually more valuable than oil and it will continue to be and protecting and as we all know, data is growing exponentially with every passing year the amount of data being generated, so now we are finding ourselves in a very interesting place where we’re protecting larger and larger amounts of data that is becoming more and more valuable as it grows.

Usually things, as they grow, become less valuable.

Having said that, what data perimeters is a collection of existing capabilities that exist on AWS and putting them together from a customer use case. So, one of the best quotes I’ve ever learned was from the Harvard Business School professor who said that “customers are especially this is true for sometimes us technically minded people. We love talking about drills and drill machines. But what the customer is looking for is actually how to hang a picture on the wall. They want a picture of their family on the wall, but we tell them about my drill has all these superpowers and this power and this power and this many HPS and this much battery life lithium ion and that is not relevant to the customer”. The customer is focused on solving a use case and in this case a use case or what their objective customers objective is they want to ensure that their data is accessed or stored only on their resources and accessed only by their personnel or trusted personnel over trusted networks. Now, taking that objective back, now what data perimeter is a concept does is tries to create a set of capabilities and share that and socialize them with customers so they can build a set of solutions that can meet that business use case that we just discussed.

Host: Okay, makes sense. So I love the analogy of hanging the picture versus showing off what capabilities your tool has, right? Like solving a use case versus showing the power of it.

Where do you see data perimeter fit into the whole data security spectrum?

Syed: Excellent question. So, data security is huge. Everything from about you now, the data lifecycle being large, we are focused on more about like you already have the data, you have it stored in the cloud and now you need to provide access for legitimate business reasons while keeping the bad guys out. And it also has a safety element to it. As in you also want to make sure that the good actors, your own people unintentionally do not do insecure things or unsafe things so while also making sure that bad actors intentionally do not cause losses.

Host: Okay, that makes a lot of sense.

Syed: Yeah. Sorry if I didn’t answer the question really properly. Okay, cool.

Host: So one of the things that you might have seen with users of cloud is enterprises use many security capabilities, right? If we stick to AWS terminology for now, there is security hub, there is guard duty and organizations use SCPs and guard rails. Very religiously, right?

Would organizations still need data perimeter?

Syed: Excellent question again.

Right? And I think what you just described is again, all the different types of drills, drill bits, Dell machines, start, finders and to take our analogy further, we are talking about data perimeters is again, it’s nothing, a new functionality per se. It’s basically saying how do I take SCPs, how do I take resource based policies, how do I take identity policies and use them to put together a holistic solution that can achieve that use case of making sure my data is only accessed by my personnel over trusted network.

Host: Okay, so how do you see this either complementing or sort of differing from the current capabilities like guardrails or SCPs?

Syed: I think they complement them. Right. Data parameters, if you look through, they’re really about how do I put a principal org id condition in my resource based policies to ensure that only people from my organization can access that resource? Similarly, how do I put a condition on my identity policies or my SCPs to say a put object cannot be made unless it is called via a certain service and other conditions. If you dig deep into that, it’s about how to use these powerful IAM constructs like policies and conditions to build a framework that can help you achieve that outcome of keeping your data in the right hands.

Host: So I love that we started with the analogy of tools versus use case, right? So I want to drill a little further into it. There are many security capabilities that cloud customers can currently benefit from, as you highlighted let’s say identity based policies, network based policies, service based policies, or resource based policies. And now we have one more. Right.

Where should cloud practitioners start from?

Syed: Excellent question again, and to make that easy, because this is a question that customers ask, and AWS has done, I think, a fairly admirable job in ensuring that all these best practices and this knowledge and this trove of knowledge has been learned from talking to hundreds of customers and thousands and millions of customers, actually, then we use that scale. So the IAM best practices, for example, that are documented is a great starting point.

But then the data perimeters also has its own page, and I’ll obviously share the links with you that the audience can then produce at the end of this for their benefit.

And then we also have GitHub repos for this, can start taking these and start building their own constructs with instructions on how to do so.

Host: Okay, and how should the practitioners prioritize one over other? Like there are IAM, data perimeter network policies? Is it like I can do just I am and I am okay, or I need to COVID all of them?

How does prioritization work in this world?

Syed: Obviously, when it comes to data security, we talked about those three key components my people, my resources, or trusted network. So we know that at a very bare minimum, there are these three components resources, identities, and network. Like VPC endpoint policies to keep your traffic private. So obviously, I would recommend customers to take a look at this as a holistic tiramisu of these three layers to begin with. As they evolve further, they can then add more to this term suit and remove as they feel the bit. But I think in my mind, at a bare minimum, the tiramisu needs these three layers of network resources and identity.

Host: Again, another fine analogy there. So some of these capabilities, they apply to different people in the organization. Let’s say SCPs are more managed at an org level, these sort of place. Maybe at a team level they manage right. When it comes to data perimeter, what’s the right persona who should be using this?

Syed: Ideally there are multiple personas who should be using them. But from the central security standpoint, the Central Cloud Excellence team, they would be prime for definitely talking about when you’re talking about the organizational level. But what they can also ensure is to say that hey put requirements on the developers to say when you create a resource based policy that you’re using, you’re going to put these conditions in and then that way building that culture of basically saying hey and helping them understand why they are doing so.

And then when they in the pipeline, checking for that potentially would allow developers and central security teams to enable Developer Velocity, which is what we’re trying to achieve, while ensuring that the Right Guardrails are in place so we can achieve both those objectives, as in being fast and secure. And we will say that that’s not possible. And I always argue that better brakes allow us to drive faster. If your car had bad brakes, you would not drive as fast as you would if you had better brakes, right?

Host: Makes a lot of sense.

Syed: Exactly. And it’s not just about brakes, it’s also about having the right airbags and inspections and the whole slew of safety and security features that go into your car that allow you to know that. And some of that is also institutional and larger than you like.

You trust that other people are also not going to just move over into your lane. You get to be in your lane.

There are things that are bigger than just talking about what we’re talking about here. But for us, like again, going back to our notion of developer Velocity is our core goal, which is true for most customers. Then also there is a twin objective of making sure that we are good guardians of the trust that our customers, customers entrust us with. So then if we have to achieve both of these objectives together at the same time, the best way to do that is to think about how to put in these guardrails so that our developers can do what they’re looking to do without potentially exposing the company to any further risk.

Host: So there are two things that you highlighted which I really like. One is the developer Velocity that’s anyway one of the core challenges, right, or core incentives of moving to cloud or using new tools and technologies. And the other thing is the culture. And both of them are sort of challenges around least privilege, right? What type of privilege are you providing to the developers or as a culture of the organization, do you follow list privilege or not? Right? And generally list privilege principle recommends that you have a fine grained control or permissions, you should define fine grained controls, but data perimeter works at a course level, right?

So how does it solve today’s challenges? Like,

How does it help in solving the challenge of least privilege when it comes to accessing the data or the crown jewels?

Syed: Again, excellent question again and I hear your point. I want to highlight the data parameters. What we are trying to do is actually put not grant privileges, but actually put parameters or boundaries on what those maximum of those privileges can be or what actions can be taken. Now, coming back to granting lease privilege, to quote one of my favorite people at AWS, Eddie Brand Wyman , whose tops everybody should go watch, he says, “least privilege is maximum effort” and I agree with that. I tried to do at my previous company, I used to spend months doing entitlement reviews wherein I would literally sit through and look at each employee and see what actions, down to what actions of each machine do they have and then determine if that is optional or needed. Optional or needed. And I would spend months doing that.

The great thing is, AWS also helps customers in this regard, as in like one, by helping them with providing all these IAM constructs like conditions that we talked about and such, and different policies like permission, boundaries, SCPs, identity policies, session policies to first build very good policies that are aligned with these privileged principles. But as we all know, it’s really hard to know what you actually need. So the prevailing phenomenon that I’ve seen with many customers is to give a lot more conservatively and be like, I’m going to give you liberally, sorry and say, I’ll give you a whole lot more permissions because I don’t know what you need.

There used to be a joke my previous boss used to make “it’s harder to take entitlements away than it is to take the first born”. Many people would give their first born away rather than their entitlements. And I think the jokes aside, it’s a strong thing. Agreed. Because once people agree that they have entitlements, they do not want to give them away.

But what if you presented data to them that you have not actually used this permission so you don’t need it? So that’s where something like IAM Access Analyzer comes in, which uses automated reasoning to determine and based on your existing activity to say, hey, Purusottam, you have permission to do A, B and C, but in the last 90 days, I see you only doing A. I should actually only give you access to A and not B and C. And it helps you by showing that what a new policy that is aligned with a privilege would look like. And then you can modify that to your extent, fit your business needs, and then use it for your users.

Excellent thing to do. One of my key features, not just because it’s free, but also because it really moves the bar in terms of when it comes to security to use bad metaphors and Michael Jordan famously said “you miss 100% of the shots you don’t take”. I say “you miss 100% of the problems for the privileges you don’t have, for the privilege to do something I cannot do bad, something bad with it”. So obviously to get on this privileged journey using automated tools like Access Analyzer and using other IAM constructs like all the different policies to craft good policies to begin with because our third landscape by definition is constantly evolving. And based on that, we can use things like Access analyzer to constantly monitor and evolve our policies and permissions to give people exam permissions they need to do their business activities and nothing else.

Host: Again, another excellent analogy, right? On the permissions least privilege is the most difficult thing and we see that with customers as well. We always start with the most liberal permissions and then we try to cut down and that becomes a challenge. So you are spot on on that.

So when it comes to data perimeter, I understand that, hey, we are trying to set up a perimeter but now let’s look at a practical scenario, right? Like how will this work? Let’s say I’m a data analyst and I use with Amazon data leak capabilities from home all the time. But a few days a week, let’s say I work from a cafe.

How can let’s say my admin use that information to either allow or restrict me to access data in AWS so that we are not sort of exposing our data to outside world all the time and at the same time I am not blocked to like again, it goes back to the dev velocity, right? I’m not moving slow, rather it should not impact me at all. So how will data perimeter help me in this case?

Syed: Excellent question. Again, this is one tough net to crack and the pandemic forced us, a lot of us to do this on the fly. And this is an interesting challenge because obviously there is a whole zero trust element to this which is like what am I trusting? Am I trusting networks or am I trusting devices and identities? I’m on the firm believer that you should not trust. “Your trust should be handled not based on proximity as in being on the same network only, but also enhanced by your identity about who you are and how you come”. So using those things, like having, in this case, a good onion metaphor with all the different layers for this, in my mind, which of them would be obviously they would be using, say, company devices that have the right amount of software and the correct certificate so they can connect securely. And you’re using Https and benefiting from that. But then secondly would be like using MFA to log into their identity provider that then gives them access shortlived credentials to go into AWS. So now you raise the bar suddenly like, okay, one, I’m not giving you persistent access, only giving you temporary access and I have a higher level of identity verification required for those customers that I want to take even more. Like, as I said, proximity and identity approach. They can even use conditions like source IP to say, hey, first my developers would have to go to my corporate VPN, log into the corporate VPN, and then only can they access AWS. And then they could put conditions in their policies to say that, I will allow you to assume this role, but only if you’re coming from a source IP that I trust.

These are approaches, these are again plethora of options that are available to our customers to do what they’re trying to achieve. And personally this is me personally speaking, I believe that identity centric and device centric approach is a stronger approach versus purely using VPNs and using network as your policy making your policy enforcement choices. So I think stronger MFA and that’s why it’s like one of the first identity best practices we have is like using an IDP and using an MFA to ensure that the people who are you can authenticate people on who they are based on multiple factors.

Host: I want to pivot a little bit to organizations setting up their data security on a continuous manner, right? So most organizations when they go through the business transformation process focus on initial setup of the cloud and from a security perspective they set up guard duty or security hub. And let’s say they get notified when something goes wrong and they address that. So that is more of a reactive, those are more reactive controls. Right?

So how should organizations think about continuous data security and what should they start from?

Syed: Interesting and really excellent question. Obviously detective controls are essential and needed at all times for most customers because they need to know what they have deployed and whether it is in alignment with their security tails.

But for some customers that might be too late to be notified. That’s like telling you that the horses have left the bond. You’re trying to prevent a lock. They are trying to put a lock on the bond so the horse never leaves or the bond is never built in a manner or the bond is never left unlocked. So to meet that demand and to meet that customer need, a doubles control tower has launched something called Proactive controls. What they do is if you’re using cloud formation on a specific organizational unit you can enable some controls. When these controls are enabled it will check any cloud formation resource, any resource being deployed by cloud formation to be in alignment with the controls you’ve enabled.

An example, we’re talking about S3 buckets. So you can then say, hey, if you’re going to create an S three bucket I want you to put a request a bucket policy on it or when you’re creating bucket, I want to put the block public access on it enabled. You cannot create that unless that is there. But as you all know that’s a new announcement has been made, but this is for like even if you do an update on an existing bucket, just for the sake of clarity, the new announcement is about any new buckets that are going to be created after may are going to have more public access enabled by default. But here what we are talking about is any bucket. Whenever your cloud formation resource type, the S Three packet is completed, it has certain controls enabled and these can be of very different types. Not just for S Three buckets like if I have a Kms key and you have rotation enabled on it, things like that, which help customers meet, settle regulatory and compliance needs.

Because these controls are not just what somebody thinks about. These are then mapped back to meaningful comprehensive control frameworks like 53 PCI DSS, Shi, Seven or four. So customers can help use these controls to help meet their compliance and regulatory objectives as well. So this what it will do is like now this is taking the posture to a whole new level, as in the central teams that we talked about who want to enable developer velocity but do not have control over. Those what developers actually do and are almost in that reactive mode trying to fix issues or like plugging holes after they’re there now saying like, hey, I want you to only be able to deploy resources that meet organizational security objectives using these controls that have enabled on that. So that definitely further. But it also buttresses these as it complements them by also having detective controls because drift is a thing, we know it happens.

I can say that, hey, you built the bond, right? But now I need to ensure that people are still things don’t change over time, right? So Detective controls again, that built and suspenders approach is so key here because just because you have proactive controls, you should not give away your detective controls. So you’ll have proactive and Detective controls both enabled at the same time, ideally helping you to one ensuring that your developers have the velocity to develop and put resources in a compliant manner at the same time. Also that if these resources do get in non compliance at a later stage, you are notified about that and can take remedial action. And when these productive controls were written, they would definitely want to. Developer Velocity and developedness was a key element as in it’s not just about like failing your template because you do not have that template that’s frustrating.

It’s about telling the developer like you failed this and here is a fixed message and going further than that. And if you see in the documentation in the console you can see sample compliant templates for that resource. So if a developer wants to know, hey, how do I I just want to deploy an S three bucket. I want to build whatever that I’m trying to build. I don’t care about what the requirements of this SD bucket are to the integrity, just show me what a compliant template looks like, I will add all the other things that I need to and then go on with it.

Host: Makes sense. So you highlighted cloud formation, right, as a way of incorporating these policies. There are different ways to create resources as well, right? Like APIs or CLI. Do these apply to those channels as well?

Syed: At this point now, but obviously that’s feedback we’ve been hearing from customers and we’re working hard to make sure that how we can best meet those as well for our customers.

Host: Makes sense. I love how you put all the areas together, right, and the importance of them, like the identity layer, network layer devices, resources. It’s not that you can pick one area and you are secure, but rather it’s a combination of all the areas and applying the right policies to make sure you are secure from both from a reactive perspective and also from a proactive perspective. That’s a great way to end the security questions section.

Thank you so much for these amazing insights.

Rapid Fire:

Host: So now let’s move on to the fun part, right, the Rapid file section.

So the first question is a one-liner code that keeps you going.

Syed: Bruce Nyer, he said, if you think technology can solve your security problems, you do not understand technology and you definitely do not understand security. And again, as you talked about, right, it’s more than just technology. It’s about people. It’s about processes and technology. Technology by itself has a huge role to play, obviously. But unless you have the right training in the people and there’s a culture in addition to that, you also have this processes. You build that and add that and the technology to the mix, just like we talked about this holistic, there is no such thing as a simple silver bullet.

Host: Makes a lot of sense. I love it because technology is one of the primary factors, but not the entire thing, right? So it’s an enabler. It makes sense.

What advice would you give to your 25 year old self starting in security and why?

Syed: I would say I would have said learn about security and safety from different ways outside of technology. Like, I was a technology focused security person and I learned it very quickly, but painfully so. My father always told me to that good decisions come from experience, experience comes from bad decisions, not necessarily yours. So I would teach him that don’t learn from my experience, learn from my experience and don’t make the same mistakes.

So learn about security from a holistic perspective and think about how to build better security models that would work.

Host: Makes a lot of sense.

What are the three, let’s say blogs or books or websites that you go to to stay up to date on security?

Syed: Definitely read AWS What’s New because that’s my bread and butter and the platform changes so fast. A good one I also like is the Cloud security podcast by Google

I really like how Anton and Tim talk about the things and the guests they bring on. And then my third resource is all just YouTube, just like finding things. Just the other day I found a great talk on Usenix about system security and what that means. I found YouTube to be such an amazing treasure trove. The key factor with YouTube is to keep autoplay off and also not look at the recommendations because you’re only six steps away from some conspiracy. But other than that, especially when you’re reading on security and stuff, the recommendations are horrible. So turn off recommendations out of play.

Host: I like your suggestion and I’ve seen that not just in security but sometimes in technology when you are running from programming language or a new area, then you get drifted away from the core topics sometimes when you are in YouTube. I totally agree.

So yeah, thank you so much Syed. It was a very insightful discussion. I learned a lot around data perimeters, how it can be applied with some scenarios, proactive controls, reactive controls. So thank you so much for coming to the show and helping us learn in the new area.

Syed: Oh, thank you. I really appreciate you guys giving me the opportunity. And best of luck for everything.

Host: And to our viewers, thanks for watching. Hope you have learned something new. If you have any questions around security, share those at scale to zero. We’ll get those answers by an expert in the security space.

See you in the next episode. Thank you.