Definitive Guide to
Amazon Web Services Security
Table of Contents
3 Introduction
5 AWS Adoption Trends
6 AWS Security Challenges
6 Threats to applications and data in AWS
8 Shared responsibility model
11 AWS Security Best Practices
11 Security monitoring
13 Secure authentication
15 Secure configuration
17 Inactive entities
18 Access restrictions
19 Custom Applications Security Best Practices
21 How a Cloud Access Security Broker Helps Secure AWS
22 How a Cloud Access Security Broker Helps Secure
Custom Applications Deployed in AWS
Introduction 60.9%
While the number of custom applications at an When the company refused, the attacker began to The worst-case scenario
enterprise varies, the average enterprise has 465 systematically delete Code Spaces’ resources hosted on
can be far worse than
custom applications deployed. Larger enterprises tend AWS, including all elastic block store (EBS) snapshots,
to have more applications—organizations with more Simple Storage Service (S3) buckets, Amazon Machine
downtime.
than 50,000 employees have an average of 788 custom Images (AMIs), some EBS instances, and a number of
applications. Enterprises increasingly rely on these machine instances. While Code Spaces maintained
applications to handle business-critical functions. Most backups of their resources, those too were controlled
organizations today have at least one custom application from the same panel and were permanently erased.
that, if it experienced several hours of downtime, could The attack was so devastating it forced Code Spaces, a
have a significant impact on the business. As a result, thriving company, to shut down for good.
these applications and the infrastructure they run on
The threat landscape is evolving rapidly, but with the
are targets of cyberattacks.
788
right preparation, any company can implement security
We ’re
practices that significantly reduce the potential impact
r r y
So
S E Ds
LO sines
of a cyberattack. In this eBook, we will discuss the
current state of AWS adoption, Amazon’s model for AWS
security, security challenges and threats to applications
Cut of Bu
O
and data in AWS, and AWS infrastructure security
347 best practices, as well as security best practices for
applications built on AWS. Lastly, we will explore how a
208
cloud access security broker (CASB) can help enterprises
85 secure their AWS environments and the custom
44
22 applications deployed in them.
AWS
Figure 2. Number of custom applications—by company size
AWS Adoption Trends The overall percentage of custom application workloads As it stands today, the
deployed in the public cloud is expected to surge from
According to Gartner, IaaS was a $16.2-billion market
2
IaaS market consists of
in 2015, and is estimated to grow 38% to reach $22.4 22.6% to 34.2% in the next twelve months, and it’s likely
many of these applications will be deployed in AWS.
three dominant players:
billion in 2016, making it the fastest-growing segment in
Underneath these numbers, enterprises have more widely Amazon, Microsoft, and
the public cloud market. A report by Structure Research3
showed that the vast majority of the $22.4-billion market deployed test and QA workloads in the public cloud. Today, Google.
will be dominated by a handful of IaaS providers, with 23.6% of the test/QA workloads are in the public cloud,
AWS leading the pack at nearly $10 billion in sales. which is slightly higher than the percentage of production
workloads. However, in the next 12 months, test/QA
Today, an impressive 41.5% of custom applications in workloads will migrate to the public cloud at an even faster
the public cloud are deployed in AWS, giving it a larger rate, to 38.2% of workloads. Production workloads are
market share than Microsoft Azure, Google Cloud migrating at a slightly slower pace, with 32.9% expected to
Platform, IBM Softlayer, and Rackspace combined. What’s be in the public cloud 12 months from now.
even more remarkable is that, according to the 2016
38.2%
IaaS Magic Quadrant report4 released by Gartner, AWS’s
32.9%
computing capacity is 10 times larger than the next Today
14 IaaS providers combined. Amazon’s massive scale
23.6%
22.3%
has positioned the company to respond to the rapidly In 12 months
41.5% Amazon
20.7% Other Web Services
2.9% Rackspace
Production Workloads Test/QA Workloads
■■ Sensitive data uploaded against policy/regulation— According to Gartner, from now through 2020, 95%
Many organizations have industry-specific or regional of security incidents in the cloud will be the fault of
regulations, or internal policies, that prohibit certain the customer, not the cloud provider. As enterprises
types of data from being uploaded to the cloud. In continue to migrate to or build their custom applications
some cases, data can be safely stored in the cloud, but in AWS, the threats they face will no longer be isolated
only in certain geographic locations (for example, a to on-premises applications and endpoint devices. While
data center in Ireland but not in the United States). the move to the cloud transfers some responsibility for
■■ Software development lacks security input— security from the enterprise to the cloud provider, as we
Unfortunately, IT security isn’t always involved in the will see in the next section, preventing many of these
development or security of custom applications. threats falls on the shoulders of the AWS customer.
IT security professionals are only aware of 38.6%
of the custom of the custom applications in use in
their organizations. This means when it comes to
custom application development, IT security is often
circumvented, making the task of securing these
applications more difficult.
QA 2.6%
Operations 4.3%
IT security 38.6%
DevOps 50.2%
Developer 27.8%
Figure 6. Awareness of custom applications by job role as a percentage of total custom applications
Amazon’s responsibility
Since it has little control over how AWS is used by its
customers, Amazon has focused on the security of
AWS infrastructure, including protecting its computing,
storage, networking, and database services against
intrusions. Amazon is responsible for the security of the
software, hardware, and the physical facilities that host
AWS services. Amazon also takes responsibility for the
security configuration of its managed services such as
Amazon DynamoDB, RDS, Redshift, Elastic MapReduce,
WorkSpaces, and others.
While there are a number of services in AWS, Amazon’s for example, falls under the customer’s responsibility as
primary IaaS services consist of Elastic Compute Cloud well. The customer is also responsible for configuring
(EC2), Amazon Virtual Private Cloud (VPC), and Amazon the security groups (Amazon’s firewall), ensuring that
S3. The customer is fully responsible for configuring the individual user accounts are set up with Amazon Identity
security controls of these services. Updating or applying and Access Management (IAM), and enabling activity
security patches to guest operating systems for EC2, logging with AWS CloudTrail.
Customer Data
Customer
Client-side Data
Server-side Encryption Network Traffic Protection
Encryption & Data
(File System and/or Data) (Encryption/Integrity/Identity)
Integrity Authentication
Responsible for
AWS
Security Regions
“of” the Cloud AWS Global Edge
Infrastructure Locations
Availability zones
Customer AWS
Data breach fallout AWS Security Best Practices AWS customers need to consider
the best practices within five
While Code Spaces is perhaps the worst-case scenario of Amazon has invested heavily in building a powerful key areas in securing their AWS
what could happen when a hacker successfully attacks set of security controls for its customers to use across environment:
an organization’s AWS environment, an incident that all AWS services. With CloudTrail and CloudWatch, for 1. Security monitoring
results in downtime of even a few hours could have a example, customers can monitor and track both the
sizable impact. For example, in August 2016, a six-hour 2. Secure authentication
health and security of their AWS resources. The Identity
application outage at Delta Airlines delayed flights for and Access Management service gives AWS customers 3. Secure configuration
hundreds of thousands of passengers, and is estimated granular control over managing users and enforcing 4. Inactive entities
to have cost the company tens of millions of dollars. access control policies. It is therefore incumbent on the 5. Access restrictions
With stakes this high, a data breach will likely lead to AWS customers to configure AWS’s security controls
people getting fired. Both the CEO and CIO of Target appropriately to tighten their security posture.
were fired after a breach in 2014 that compromised Security monitoring
payment card numbers for upwards of 40 million 1. Ensure CloudTrail is enabled across all AWS.
customers. In a 2017 survey of IT security leaders,
By enabling global CloudTrail logging, it will be able
50.3% of respondents said the IT security personnel
to generate logs for all AWS services including those
responsible for securing AWS would likely get fired in the
that are not region specific, such as IAM, CloudFront,
case of a breach. However, responsibility extended all
and others.
the way to the CIO—29.1% said the top IT leader would
be let go following a damaging and costly data breach.
The CIO
29.1%
50.3%
31.5%
21.8%
2. Turn on CloudTrail log file validation. 6. Enable access logging for Elastic Load Balancer
When log file validation is turned on, any changes (ELB).
made to the log file itself after it has been delivered Enabling ELB access logging will allow the ELB
to the S3 bucket will be identifiable. This capability to record and save information about each TCP
provides an additional layer of protection for the and HTTP request made. The access logging data
integrity of the log files. can be extremely useful for security audits and
3. Enable CloudTrail multi-region logging. troubleshooting sessions. For example, your ELB
logging data can be used to analyze traffic patterns
The AWS API call history provided by CloudTrail
that may be indicative of different types of attacks,
allows security analysts to track resource changes,
which can then inform custom protection plans that
audit compliance, investigate incidents, and ensure
should be implemented.
that security best practices are followed. By having
CloudTrail enabled in all regions, organizations will 7. Enable Redshift audit logging.
be able to detect unexpected activity in otherwise Amazon Redshift is an AWS service that logs details
unused regions. about user activities such as queries and connections
4. Integrate CloudTrail with CloudWatch. made in the database. By enabling it, you can
perform audits and support post-incident forensic
CloudWatch can be used to monitor, store, and
investigations for a given database.
access log files from EC2 instances, CloudTrail, and
other sources. With this integration, real-time and 8. Enable Virtual Private Cloud (VPC) flow logging.
historic activity logging based on user, API, resource, VPC flow logs provide visibility into network traffic
and IP address is facilitated. It also supports setting that traverses the VPC and can be used to detect
up alarms and notifications for anomalous or anomalous traffic and provide insight during security
sensitive account activity. workflows. It is one of AWS’s network monitoring
5. Enable access logging for CloudTrail S3 buckets. services, and enabling it will allow you to detect
security and access issues such as overly permissive
CloudTrail S3 buckets contain the log data that
security groups, network access control lists
is captured by CloudTrail, supporting activity
(ACLs), and alert on anomalous activities such as
monitoring and forensic investigations. By enabling
rejected connection requests or unusual levels of
access logging for CloudTrail S3 buckets, customers
data transfer.
can track access requests and identify potentially
unauthorized or unwarranted access attempts.
5. Ensure IAM policies are attached to groups or roles. 8. Set the password expiration period to 90 days, and
Instead of assigning policies and permissions to users ensure the IAM password policy prevents reuse.
directly, provision permissions to users at the group Employees tend to use the same password across
and role level. Doing so makes managing permissions multiple services despite the inherent security
more efficient, makes it simpler to remove or reassign risks of doing so. As a best practice, configure the
permissions based on a change in responsibilities, IAM password policy to record at least the past 24
and minimizes the risk of an individual user getting passwords for each user, preventing password reuse.
excessive and unnecessary permissions or privileges Prompt users to change their passwords no sooner
by accident. than every 90 days, as setting this too high exposes
6. Rotate IAM access keys regularly, and standardize the organization to account compromise from
on the selected number of days. credentials that are phished or stolen, and too low
encourages users to employ easy-to-remember (and
Sending requests from the AWS Command Line
therefore easy-to-guess) passwords.
Interface (CLI) to AWS APIs requires an access key,
which is comprised of an access key ID and secret 9. Don’t use expired SSL/TLS certificates.
access key. Rotating access keys regularly ensures Using expired SSL/TLS certificates with AWS services
that data cannot be accessed with a potential lost or may lead to errors on services such as ELB or custom
stolen key. applications hosted on AWS, which would impact
7. Set up a strict password policy. business productivity.
Secure configuration the EBS volume. In order to encrypt EBS volumes that
1. When using CloudFront, ensure CloudFront weren’t encrypted at creation, you must create a new
distributions use HTTPS. encrypted EBS volume and transfer the data from the
unencrypted volume to the encrypted one.
Enabling SSL/TLS ensures all traffic to and from
CloudFront is encrypted and minimizes the risk of 5. Provision access to resources using IAM roles.
a man-in-the-middle attack. Provisioning access to resources using IAM roles is
2. Restrict access to CloudTrail bucket. recommended versus providing an individual set of
credentials for access. This ensures that credentials
Unrestricted access to CloudTrail logs should never
are not lost or misplaced accidentally, leading to
be enabled for any user or administrator account.
account compromise.
While most AWS users and administrators will not
have any malicious intent to cause harm, they are 6. Ensure EC2 security groups don’t have large
still susceptible to phishing attacks that could expose ranges of ports open.
their account credentials and lead to an account With large port ranges open, vulnerabilities could be
compromise. Restricting access to CloudTrail logs will exposed. An attacker can scan the ports and identify
decrease the risk of unauthorized access to the logs. vulnerabilities of hosted applications without easy
3. Encrypt CloudTrail log files at rest. traceability due to large port ranges being open.
7. Configure EC2 security groups to restrict inbound 11. Use standard naming (tagging) convention for EC2.
access to EC2. EC2 instances must use a standard/custom
Excessive permission to access EC2 instances convention to reduce the risk of misconfiguration.
should not be allowed. Instead of whitelisting large For example, you can use ec2-RegionCode-
IP ranges to access EC2 instances, be specific and AvailabilityZoneCode-EnvironmentCode-
only whitelist individual private IP addresses for EC2 ApplicationCode, which could turn into ec2-us-west-
instance access. 1-2b-p-nodejs.
8. Avoid using root user accounts. 12. Encrypt Amazon’s Relational Database Service
The root user is created automatically when creating (RDS).
an AWS account for the first time. This user has As an added layer of security and to ensure you’re
access to all services and resource in the AWS compliant with possible data security policies,
account, making it the most privileged user account. ensure that your database is being encrypted.
As such, the root user account should only be used 13. Ensure access keys are not being used with
in the instance of creating the first IAM user. Beyond root accounts.
that, root user credentials should be securely locked
Using access keys with the root account is a direct
away and access to them forbidden.
vector for account compromise. Anyone who gets
9. Use secure SSL ciphers when connecting between access to the key has access to all the services in
the client and ELB. the AWS account. Creating role-based accounts
Using stale or insecure ciphers, or those with known with appropriate privileges and access keys is the
vulnerabilities, could lead to an insecure connection recommended best practice.
between the client and the ELB load balancer. 14. Use secure CloudFront SSL versions.
10. Use secure SSL versions when connecting Using stale, deprecated, or SSL versions with
between the client and ELB. known vulnerabilities could lead to an unsecure
Using stale or deprecated SSL versions, or those connection or man-in-the-middle attack in your
with known vulnerabilities, could lead to an insecure CloudFront traffic.
connection or man-in-the-middle attack between
the client and the ELB load balancer.
15. Enable the require_ssl parameter in all 3. Disable access for inactive or unused IAM users.
Redshift clusters. As a best practice, unused IAM user accounts, or
To encrypt all Redshift traffic on the wire and users who haven’t logged into their AWS accounts in
minimize the risk of a man-in-the-middle attack, over 90 days, should have their accounts disabled.
all Redshift clusters must have the require_ssl This reduces the likelihood of an abandoned account
parameter enabled. being compromised and leading to a data breach.
16. Rotate SSH keys periodically. 4. Remove unused IAM access keys.
Rotating SSH keys periodically will significantly reduce Removing unused AWS IAM credentials can
the risk of account compromise due to developers significantly reduce the risk of unauthorized access
accidently sharing SSH keys inappropriately. to your AWS resources. Access must not be enabled
17. Minimize the number of discrete security groups. to resources for IAM users who have left the
organization, or applications or tools that are no
Enterprises must consciously minimize the number
longer using these resources.
of discrete security groups to decrease the risk of
misconfiguration leading to account compromise. 5. Delete unused SSH Public Keys.
Deleting unused SSH Public Keys lowers the risk
Inactive entities of unauthorized access to data using SSH from
1. Reduce the number of IAM groups. unrestricted locations.
Reducing unused or stale IAM groups also reduces
the risk of accidentally provisioning entities with older
security configurations.
2. Terminate unused access keys.
Unused access keys increase the threat surface of
an enterprise to a compromised account or insider Tom
threat. It is highly recommended that any access keys
The user’s account has expired.
unused for over 30 days be terminated.
OK
7. Restrict access to well-known ports such as: i. Remote desktop—Ensure that access through
a. CIFS—Ensure that access through port 445 port 3389 is restricted to required entities only.
is restricted to required entities only. CIFS is a j. RPC—Ensure that access through port 135 is
commonly used protocol for communication and restricted to required entities only
sharing data. Unrestricted access could potentially k. SMTP—Ensure that access through port 25 is
lead to unauthorized access to data. restricted to required entities only. Unrestricted
b. FTP—Ensure that access through port 20/21 SMTP access can be misused to spam your
is restricted to required entities only. FTP is a enterprise, and launch DoS and other attacks.
commonly used protocol for sharing data, and l. SSH—Ensure that access through port 22 is
if left unrestricted, could lead to unauthorized restricted to required entities only.
access to data or an accidental breach.
m. Telnet—Ensure that access through port 23 is
c. ICMP—Ensure that access for ICMP is restricted to restricted to required entities only.
required entities only. Unrestricted access could
n. DNS—Ensure that access through port 53 is
lead to unauthorized access to data, as attackers
restricted to required entities only.
could use ICMP to test for network vulnerabilities
or employ DoS against the infrastructure. Custom Applications Security Best Practices
d. MongoDB—Ensure that access through port Information security is a shared responsibility, and
27017 is restricted to required entities only. not just between Amazon and its customers. While
e. MSSQL—Ensure that access through port 1433 is developers may prioritize speed above all, IT security
restricted to required entities only. needs to be part of the software development process.
f. MySQL—Ensure that access through port 3306 is Whether you follow a waterfall or agile methodology,
restricted to required entities only. there is a role for IT security in the architecture planning,
auditing, and testing of applications. Experience has
g. Oracle DB—Ensure that access through port 1521
demonstrated that application security is improved
is restricted to required entities only.
when the IT security team is involved from the
h. PostgreSQL—Ensure that access through port beginning, instead of bringing in the security team after
5432 is restricted to required entities only. an application has been developed.
What follows are recommendations for creating a 3. Grant the fewest privileges possible for
successful DevOps workflow that integrates security. application users.
1. I nventory and categorize all existing custom Unrestricted or overly permissive user accounts
applications by the types of data stored, increase the risk and damage of an external or internal
their compliance requirements, and the threat. Internally, a user with too many permissions
possible threats they face. might inadvertently cause data loss. Externally, a
hacker who compromises an account with too many
The first step in securing custom application
permissions can easily wreak havoc. For this reason,
development and usage is to inventory all existing
application administrators should limit a user’s
applications and the data uploaded to them. IT
permissions to a level where they can only do what’s
security and audit teams should have visibility not
necessary to accomplish their job duties.
only into the number of these applications running
on AWS but also on whether sensitive data is being 4. Enforce a single set of data loss prevention
uploaded. Visibility into sensitive data enables the policies across custom applications and all
security team to identify which internal and external other cloud services.
regulations apply to an app and its data, and what The first step in enforcing DLP policies is
kind of security controls must be in place to protect it. inventorying existing DLP policies for all cloud
2. I T security should be involved in testing services, on-premises applications, and endpoints,
throughout the development process. and identifying the policies that would apply to
custom applications. Enterprises also need to
DevOps should invite the IT security team to bring
understand how a custom application is being
their own application testing tools and methodologies
used, including the number of files containing
when pushing production code, without slowing down
sensitive data, the number of files being shared,
the process. Security should team up with the QA
and anomalous usage events indicative of threats.
team to define test cases and qualifying parameters
Some of the types of sensitive data that should be
that should be met before code can be promoted.
protected are:
Developing a secure application isn’t enough. IT
◆◆ Credit card numbers
security should also ensure that end users are using
◆◆ Social Security numbers
the application in a secure manner. With that in
◆◆ Account numbers
mind, there are a few steps the security team can
◆◆ Salaries
take to ensure appropriate use of these applications.
◆◆ IP addresses
◆◆ Account credentials
◆◆ Intellectual property
5. Encrypt highly sensitive data such as On the infrastructure side, a mature CASB can provide
protected health information (PHI) or comprehensive threat protection, monitoring, auditing,
personally identifiable information (PII). and remediation to secure all your AWS accounts. What
It is important to encrypt files containing sensitive follows are some of the things a CASB enables you to do.
information such as Social Security numbers or 1. Detect compromised accounts, insider
protected health information. In some cases, policies threats, and privileged access misuse
may be put in place that would block users from across AWS
uploading files containing sensitive data that may
CASBs combine machine learning and user and
not be encrypted.
entity behavior analytics (UEBA) to analyze cloud
How a Cloud Access Security Broker Helps activity across multiple heuristics. This allows a
Secure AWS CASB to develop a model for typical user behavior
and detect anomalous activity patterns across AWS
Infrastructure accounts and other cloud services that may be
Administrators indicative of a threat. For example, if a user generally
logs into AWS from Austin, Texas, and one day they
API log in from Beijing, China in a time frame so short it
would be impossible to travel, a CASB can highlight
this event and flag it for further investigation.
CASBs detect compromised accounts based on
impossible travel as well as excessive failed login
Amazon offers many built-in security capabilities, attempts, brute-force attacks, login attempts
giving enterprises the ability to enforce a wide range of from untrusted or disparate locations, and other
security, compliance, and governance policies. However, scenarios. CASBs can also detect potential insider or
AWS settings can be very deep. In sprawling AWS privileged user threats by monitoring inappropriate
environments, it can be prohibitive from a resource escalation of privileges or repeated authorization
standpoint to manually check security configurations failures. Machine learning makes it possible to
and user permissions for potential risks, and next to detect these threats without configuring any rules
impossible to sift through the events provided by AWS or policies. CASBs also support the ability to tune
CloudTrail to uncover potential threats. A cloud access the sensitivity of detection to narrow in on certain
security broker (CASB) helps automate the process of threats or cast a wider net.
securing AWS—both the AWS platform and services, as
well as the custom applications you deploy in AWS.
2. Perform forensic investigations with a settings are configured appropriately, and that
complete audit trail of user activity any misconfiguration or change in configuration “By 2020, 85% of large
CASBs provide complete and granular visibility into is identified and remediated in real time. To that enterprises will use a
how users are using AWS, including root, IAM, and end, CASBs provide enterprises with the necessary
security auditing that can automatically flag any
cloud access security
federated users. Using a CASB, an enterprise can
readily detect (in real time) creation, modification, security misconfiguration across all AWS accounts. broker product for their
or removal of AWS resources by any user. Security Misconfigurations flagged include: cloud services, which
analysts can view the entire audit trail and filter by ◆◆ CloudTrail not enabled is up from fewer than
activity type, user, geography, and other dimensions. ◆◆ Unrestricted access to a CloudTrail S3 bucket 5% today.”
In doing so, a CASB can dramatically accelerate ◆◆ Multifactor authentication not required to delete a
—Gartner, “Market Guide For
post-incident investigations and decrease incident CloudTrail S3 bucket
Cloud Access Security Brokers”
response time. ◆◆ Access logging not enabled for a CloudTrail S3
3. I dentify excessive IAM permissions and bucket
dormant accounts ◆◆ MFA not enabled for root accounts
A CASB can highlight dormant user accounts that
◆◆ MFA not enabled for IAM users with console
have a heightened risk of being compromised. password
For example, if an IAM user has been inactive How a Cloud Access Security Broker Helps
for 90 days, a security alert can be triggered by Secure Custom Applications Deployed in AWS
the CASB for further investigation. Once the IAM
Traditionally, CASBs have focused on securing SaaS
user has been disabled, the alert will be resolved
applications such as Salesforce, Box, and Office 365 by
automatically without requiring any further action
providing DLP, activity monitoring, threat protection,
by the AWS administrator. CASBs can also identify
access control, and encryption. Today, a mature
excessive IAM permissions such as when an account
CASB can extend these same controls to all custom
has access to the AWS console, has unrestricted
applications an enterprise deploys in AWS. One of the
access to a CloudTrail S3 bucket, or when excessive
challenges today is that IT security is often not involved in
IAM permissions and policies are associated to a
the development process for new custom applications. A
user account instead of IAM groups or roles.
CASB makes it possible to extend these security controls
4. Analyze and audit AWS security configurations to custom applications without any code changes to
to ensure compliance and lower risk the application, enabling organizations to secure their
While Amazon has provided a set of configurable existing applications without any development resources.
controls to help protect an AWS account, it is What follows are some of the things a CASB enables you
entirely up to the customer to ensure that these to do to secure custom applications.
Unmanaged devices
On-network users
Off-network users
1. Capture a complete audit trail of user security risks. This is because sensitive data could
activity within the application be exposed after downloading to an unmanaged or
CASBs provide complete and granular visibility unsecure bring-your-own-device (BYOD) endpoint.
into user and administrator activity within custom CASBs provide contextual access controls that
applications and across all other cloud services. enforce distinct access policies for custom
CASBs reveal who is accessing which applications, applications based on whether the device is
what types of data are being uploaded or managed or unmanaged, if the IP is blacklisted
downloaded, with what kind of device, and by or safe, or whether the traffic originates from a
whom. This level of visibility into activity supports trusted or untrusted location. CASBs can also force
compliance efforts and helps accelerate post- additional authentication steps if predefined risk
incident forensic investigation while decreasing conditions are met.
incident response time. 3. Detect insider/external threats and
2. Limit access to data on BYOD devices, compromised accounts
and enforce other access control policies Given the ubiquity of compromised accounts, insider
as needed threats, and privileged user threats, CASBs provide
While deploying custom applications on AWS threat protection to custom applications hosted
provides the fundamental benefit of letting in the cloud. CASBs not only analyze anomalous
employees access critical resources from anywhere, activities within a custom application, but also
at any time, using any device, it also introduces correlate activities across all custom and SaaS
www.mcafee.com
2821 Mission College Blvd. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries.
Santa Clara, CA 95054 Other marks and brands may be claimed as the property of others. Copyright © 2018 McAfee, LLC. 3820_0418
888.847.8766 APRIL 2018
www.mcafee.com