AWS Summit London - Keynote - Stephen Schmidt

Stephen Schmidt
Chief Information Security Officer, AWS
Monday, April 29, 13

Cloud Security is:
• Universal
• Visible
• Auditable
• Transparent
• Shared
• Familiar

Universal Cloud Security
Every&customer&has&access&to&the&same&security&
capabili3es,&and&gets&to&choose&what’s&right&for&their&
business
- Start<Ups
- Social&Media
- Home&Users
- Retail
- Governments
- Financial&Sector
- Pharmaceu3cals
- Entertainment

Visible Cloud Security
AWS$allows$you$to$see$your$en#re$infrastructure$at$the$click$of$a$
mouse.$Can$you$map$your$current$network?
This
Or
This?

Auditable Cloud Security
How$do$you$know$AWS$is$right$for$your$business?$$
- 3rd$Party$Audits
• Independent$auditors
- Ar<facts
• Plans,$Policies$and$Procedures
- Logs
• Obtained
• Retained
• Analyzed

SOC 1/2 – Control Objectives
• Control Objective 1: Security Organization
• Control Objective 2: Amazon User Access
• Control Objective 3: Logical Security
• Control Objective 4: Secure Data Handling
• Control Objective 5: Physical Security and Environmental Safeguards
• Control Objective 6: Change Management
• Control Objective 7: Data Integrity, Availability and Redundancy
• Control Objective 8: Incident Handling

Steve Howes
Chief Executive Officer

An$Integrated$Network
• 21#franchised#rail#
companies
• 2,500#stations
• 10,000#miles

National#Reservations#Service
Data#Distribution#Service
Product#Management#Service
Ticket#on#Departure#Service
Points
Of
Sale
X10,000
Apportionment#Engine
Settlement#Service
System$Schema<c
PreFsales
PostFsales

National#Reservations#Service
Data#Distribution#Service
Product#Management#Service
Ticket#on#Departure#Service
Points
Of
Sale
X10,000
Apportionment#Engine
Settlement#Service
System$Schema<c
AWS#Hosted
PreFsales
PostFsales

£#7.5#billon
Annual$rail$industry$revenue......

• Our#systems#handle#£7.5B#of#transactions#annually
• Revenue#collected#by#the#retailer#must#be#correctly#settled#to#
the#operators#to#the#penny,#auditable#to#the#highest#standards
• We#handle#£5B#of#payment#card#transactions#annually
• Our#passengers#depend#absolutely#on#our#services
RSP$and$Security

• We#need#a#‘trusted’#environment,#more#than#the#narrow#
meaning#of#security:
– Compliance#
– Governance
– Risk#management
– Availability
– Integrity
– Privacy
• Simply,#through#AWS#and#our#SI#Partner#Smart421#we#are#able#
to#meet#all#of#these#requirements
Why$AWS?

Shared Responsibility
• Let$AWS$do$the$heavy$liWing
• This$is$what$we$do$–$and$we$do$it$all$the$<me
• As$the$AWS$customer$you$can$focus$on$your$business$and$not$be$distracted$
by$the$muck
• AWS
• Facili<es
• Physical$Security
• Physical$Infrastructure
• Network$Infrastructure
• Virtualiza<on$
Infrastructure
• Customer
• Choice$of$Guest$OS
• Applica<on$Conﬁgura<on$Op<ons
• Account$Management$ﬂexibility
• Security$Groups
• Network$ACLs

Customer’s
Network
Amazon
Web$Services
Cloud
Secure&VPN&Connec-on&over&
the&Internet
Subnets
Customer’s$isolated$
AWS$resources
Amazon VPC Architecture
Router
VPN&Gateway
AWS&Direct&Connect&–&
Dedicated&Path/Bandwidth

Customer’s
Network
Amazon
Web$Services
Cloud
the&Internet
Subnets
AWS$resources
Router
VPN&Gateway
$Internet

Customer’s
Network
Amazon
Web$Services
Cloud
the&Internet
Subnets
AWS$resources
Router
VPN&Gateway
$Internet
NAT

Customer Challenge: Encryption (part 1)
• Customers have requirements that require them to use specific
encryption key management procedures not previously possible
on AWS
– Requirements are based on contractual or regulatory mandates for
keeping encryption keys stored in a specific manner or with specific
access controls
– Good key management is critical

Customer Challenge: Encryption (part 2)
• Customers want to run applications and store data in AWS but
previously had to retain keys in HSMs in on-premises data centers
– Applications may slow down due to network latency
– Requires several DCs to provide high availability, disaster recovery and
durability of keys

AWS Data Protection Solutions
• AWS offers several data protection mechanisms including access control,
encryption, etc.
• AWS data encryption solutions allow customers to:
– Encrypt and decrypt sensitive data inside or outside AWS
– Decide which data to encrypt
• AWS CloudHSM complements existing AWS data protection and encryption
solutions
• With AWS CloudHSM customers can:
– Encrypt data inside AWS
– Store keys in AWS within a Hardware Security Module
– Decide how to encrypt data – the AWS CloudHSM implements cryptographic
functions and key storage for customer applications
– Use third party validated hardware for key storage

HSM – Hardware Security Module
•  A hardware device that performs cryptographic operations and key storage
•  Used for strong protection of private keys
•  Tamper resistant – keys are protected physically and logically
–  If a tampering attempt is detected, the appliance destroys the keys
•  Device administration and security administration are logically separate
–  Physical control of the appliance does not grant access to the keys
•  Certified by 3rd parties to comply with government standards for physical and
logical security:
–  FIPS 140-2
–  Common Criteria EAL4+
•  Example vendors include: SafeNet, Thales
•  Historically located in on-premises datacenters
HSM

What is AWS CloudHSM?
• Customers receive dedicated access to HSM appliances
• HSMs are physically located in AWS datacenters – in close network
proximity to Amazon EC2 instances
• Physically managed and monitored by AWS, but customers control their
own keys
• HSMs are inside customer’s VPC – dedicated to the customer and
isolated from the rest of the network
AWS$CloudHSM

AWS CloudHSM Service Highlights
• Secure Key Storage – customers retain control of their own keys and
cryptographic operations on the HSM
• Contractual and Regulatory Compliance – helps customers comply with
the most stringent regulatory and contractual requirements for key
protection
• Reliable and Durable Key Storage – AWS CloudHSMs are located in
multiple Availability Zones and Regions to help customers build highly
available applications that require secure key storage
• Simple and Secure Connectivity – AWS CloudHSMs are in the
customer’s VPC
• Better Application Performance – reduce network latency and increase
the performance of AWS applications that use HSMs

How Customers Use AWS CloudHSM
• Customers use AWS CloudHSM as an architectural building block
in securing applications
– Object encryption
– Digital Rights Management (DRM)
– Document signing
– Secure document repository
– Database encryption
– Transaction processing

Customer use cases
• Large Silicon Valley company: video DRM
• Start-up document rights management service: enterprise document
protection
• Very large tech company: Root of trust for Public Key Infrastructure (PKI)
authentication system
• Very large financial services organization: Root of trust for key
management system for virtual machine authentication & encryption

On-Premises Integration with AWS CloudHSM
HSM
Customers’ applications continue to
use standard crypto APIs
(PKCS#11, MS CAPI, JCA/JCE,
etc.).
SafeNet HSM client replaces
existing crypto service provider
libraries and connects to the HSM to
implement API calls in hardware
SafeNet HSM$Client$can$share$load$and$
store$keys$redundantly$across$mul<ple$
HSMs
Key$material$is$securely$replicated$to$
HSM(s)$in$the$customer’s$datacenter
B
A
C
D
AWS
Amazon$Virtual$Private$Cloud
AWS$CloudHSMAmazon$VPC$Instance
Corporate$Datacenter
SSL
VPN INTERNET
AWS$Direct$
Connect
Application
HSM Client
A
C
D
B
SSL

Key Storage & Secure Operations for AWS Workloads
CloudHSMs are in the customer’s VPC
and isolated from other AWS networksE
Secure key storage in tamper-resistant/
tamper-evident hardware available in
multiple regions and AZs
D
Application performance improves (due to
close network proximity with AWS
workloads)
C
Customers control and manage their own
keys
B
AWS manages the HSM appliance but
does not have access to customers’
keys
A
AWS
Amazon Virtual Private Cloud
AWS CloudHSM Amazon VPC Instance
SSL
Application
HSM Client
C
D
E
B
A

AWS Deployment Models
Logical Server and
Application
Isolation
Granular
Information Access
Policy
Logical
Network
Isolation
Physical server
Isolation
Government Only
Physical Network and
Facility Isolation
ITAR Compliant
(US Persons
Only)
Sample Workloads
Commercial$Cloud # $ # $ $ $ Public$facing$apps.$Web$
sites,$Dev$test$etc.
Virtual$Private$Cloud$
(VPC)
# $ # $ # $ # $ $ Data$Center$extension,$TIC$
environment,$email,$FISMA$
low$and$Moderate
AWS$GovCloud$(US) # $ # $ # $ # $ # $ # $ US$Persons$Compliant$and$
Government$Speciﬁc$Apps.

AWS Security Resources
• http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
• Regularly Updated
• Feedback is welcome

Thank you.

Bronze sponsors
Silver sponsors
Gold sponsor

AWS Summit London - Keynote - Stephen Schmidt

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à AWS Summit London - Keynote - Stephen Schmidt

Similaire à AWS Summit London - Keynote - Stephen Schmidt (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

Dernier

Dernier (20)

AWS Summit London - Keynote - Stephen Schmidt