Security must be the number one priority for any cloud provider and that's no different for AWS. Stephen Schmidt, vice president and chief information officer for AWS, will share his insights into cloud security and how AWS meets the needs of today's IT security challenges. Stephen, with his background with the FBI and his work with AWS customers in the government and space exploration, research, and financial services organizations, shares an industry perspective that's unique and invaluable for today's IT decision makers. At the conclusion of this session, Stephen also provides a brief summary of the other sessions available to you in the security track.

1. AWS Security
Stephen E. Schmidt, Chief Information Security Officer
November 13, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

2. Different customer viewpoints on security:
• CEO: protect shareholder value
• PR exec: keep out of the news
• CI{S}O: preserve the confidentiality, integrity
and availability of data

3. AWS Viewpoint on Security
Art
Science

4. Security is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload

5. AWS Cloud Security
“Based on our experience, I believe that we can be
even more secure in the AWS cloud than in our
own data centers.”
-Tom Soderstrom, CTO, NASA JPL

6. AWS Security Offers Customers More
Visibility
Auditability
Control

7. Visibility
– In the AWS cloud, see your entire infrastructure at the click of a
mouse
– Can you map your current network?

8. AWS Security Delivers More Auditability
• Consistent, regular, exhaustive 3rd party
evaluations with commonly understood results

9. Introducing AWS CloudTrail
You are
making API
calls...
On a growing
set of services
around the
world…
CloudTrail is
continuously
recording API
calls…
And
delivering log
files to you

10. Use cases enabled by CloudTrail
• Security Analysis
 Use log files as an input into log management and analysis solutions to perform security
analysis and to detect user behavior patterns.
• Track Changes to AWS Resources
 Track creation, modification, and deletion of AWS resources such as Amazon EC2
instances, Amazon VPC security groups and Amazon EBS volumes.
• Troubleshoot Operational Issues
 Quickly identify the most recent changes made to resources in your environment.
• Compliance Aid
 Easier to demonstrate compliance with internal policies and regulatory standards.

11. What is AWS CloudTrail?
• CloudTrail records API calls in your
account and delivers a log file to your S3
bucket.
• Typically, delivers an event within 15
minutes of the API call.
• Log files are delivered approximately
every 5 minutes.
• Multiple partners offer integrated
solutions to analyze log files.
Image Source: Jeff Barr

12. Visibility
• Logs == one component of visibility
– Obtain
– Retain
– Analyze

13. Sumo Logic
• Enterprise Class Log Management & Analytics
– Availability and Performance
– Security and Compliance
– User and Application Analytics
• Sumo Logic Application for AWS CloudTrail
– Real-time Security Monitoring and Alerting
– Compliance Auditing
– Operational Visibility and Cost

20. • Come see us @ booth #117
• CTO, Christian Beedgen
– Wednesday: 3:00 PM - 4:00 PM – San Polo 3501A

21. Control
• Defense in Depth
– Multi level security
•
•
•
•
Physical security of the data centers
Network security
System security
Data security

22. AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs
AWS IAM
Defense in depth
Rapid scale for security
Amazon VPC
Automated checks with AWS Trusted Advisor
Fine grained access controls
AWS Storage
Gateway
Server side encryption
Multi-factor authentication
AWS Direct
Connect
Dedicated instances
Direct connection, Storage Gateway
AWS
CloudHSM
HSM-based key storage

23. Control
• SSO Federation using SAML
– Support for SAML 2.0
– Use existing SAML identity providers to access AWS Resources
• You don’t have to add additional software!
– AWS Management Console SSO
• New sign-in URL
– https://signin.aws.amazon.com/SAML?Token=<yourdatahere>
– API federation using new assumeRoleWithSAML API

24. Amazon DynamoDB Fine Grained Access Control
• Directly and securely access
application data in Amazon
DynamoDB
• Specify access permissions at
table, item and attribute levels
• With Web Identity Federation,
completely remove the need
for proxy servers to perform
authorization

25. Control
• AWS Staff Access
– Staff vetting
– Staff has no logical access to customer instances
– Staff control-plane access limited & monitored
• Bastion hosts
• Least privileged model
– Zoned data center access
• Business needs
• Separate PAMS

26. Control
• Shared Responsibility
– Let AWS do the heavy lifting
– Focus on your business
• AWS
•
•
•
•
•
•
Facility operations
Physical Security
Physical Infrastructure
Network Infrastructure
Virtualization
Infrastructure
Hardware lifecycle
management
•
Customer
•
•
•
•
•
•
Choice of Guest OS
Application Configuration Options
Account Management flexibility
Security Groups
ACLs
Identity Management

27. Control
• Your data stays where you put it
Australia

28. Control
• Encryption
– Customers choose the solution that’s right for them
• Regulatory
• Contractual
• Best-practices
– Options
• Automated – AWS manages encryption for the customer
• Enabled – customer manages encryption using AWS services
• Client-side – customer manages encryption using their own means

29. Control
AWS CloudHSM
• Managed and monitored by AWS,
but you control the keys
AWS CloudHSM
• Increase performance for
applications that use HSMs for key
storage or encryption
EC2 Instance
• Comply with stringent regulatory
and contractual requirements for
key protection
AWS CloudHSM

30. AWS IAM: Recent Innovations
Securely control access to AWS services and resources
•
Delegation
•
–
–
–
–
– Roles for Amazon EC2
– Cross-account access
•
Powerful integrated permissions
– Resource level permissions:
Amazon EC2, Amazon RDS,
Amazon DynamoDB, AWS
CloudFormation
– Access control policy variables
– Policy Simulator
– Enhanced IAM support: Amazon
SWF, Amazon EMR, AWS Storage
Gateway, AWS CloudFormation,
Amazon Redshift, Elastic Beanstalk
Federation
•
Web Identity Federation
AD and Shibboleth examples
Partner integrations
Case study: Expedia
Strong authentication
– MFA-protected API access
– Password policies
•
Enhanced documentation and
videos

31. Authentication Market
• Consumers are demanding stronger
authentication
• Banks want to reduce fraud
• Regulators are requiring banks to
implement stronger PKI-based
authentication

32. Entersekt’s Transakt Product End-to-End
Bank’s
firewall
User’s web
browser
Bank web
server
Mutually secured User’s mobile
channel using
with Transakt
the Entersekt
system
AZ-USE1d
AZ-USE1a
Auto scaling Group
CloudHSM
Entersekt
Cloud Router
Entersekt Security
Gateway

33. Why the Cloud?
• AWS CloudHSM
– We issue X.509 certificates securely from AWS
– We augment the entropy generation on the phone
– Only Entersekt has access to the keys in CloudHSM – AWS does not
• Mobile phone connections fronted by AWS cloud
– Mitigates DDoS attacks
– Manages large number of persistent connections
– Maintains end-to-end encryption between enterprise and phone

34. Entersekt’s Track Record
Global Top 500 Banking Customer: 2012 – 450 000 users
80
70
60
Nedbank sees 99% reduction
in phishing losses
Nedbank reports a 99% reduction in phishing losses
since launching its internet banking security feature,
Approve-it.
50
Source: businesstech.co.za
40
30
Entersekt
go-live
20
10
0
30-Jun
26-Jun
22-Jun
18-Jun…
14-Jun
10-Jun
06-Jun
02-Jun
29-May
25-May
21-May…
17-May
13-May
09-May
05-May
01-May
27-Apr
23-Apr…
19-Apr
15-Apr
11-Apr
07-Apr
03-Apr
30-Mar
26-Mar…
22-Mar
18-Mar
14-Mar
10-Mar
06-Mar
02-Mar
27-Feb…
23-Feb
19-Feb
15-Feb
11-Feb
07-Feb
03-Feb
30-Jan…
Attempts
Fraud

35. Entersekt in Action

36. IDC Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [cloud service
providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey,
doc #242836, September 2013

37. What to Watch for This Week
• Key Sessions to See
– SEC201 – Access Control for the Cloud: AWS Identity & Access
Management
– SEC203 – Security Assurance & Governance in AWS
– SEC205 – Cybersecurity Engineers: You’re More Secure in the
Cloud!
– SEC304 – Encryption & Key Management in AWS
– SEC305 – DDOS Resiliency with AWS
– SEC402 – Intrusion Detection in the Cloud
– CPN401 – A Day in the Life of a Billion Packets

38. Come talk security with AWS!
• When: Thursday 11/14, 4:00-6:00 PM
• Where: Toscana 3605
or
• AWS Booth
– Wednesday 10:30 AM – 5:30 PM
– Thursday 10:30 AM – 6:30 PM
– Friday 9:00 AM – Noon
or
– https://aws.amazon.com/security

39. We are sincerely eager to hear
your feedback on this
presentation and on re:Invent.
Please fill out an evaluation form
when you have a chance.