The cloud is not an 'all or nothing' choice when it comes to replacing the workloads in your datacenter. Enterprises with existing datacenters can extend their infrastructure into the cloud and gain its benefits while keeping the set of controls their business already knows. Even so, availability and security remain the top two concerns of CIOs deciding on cloud adoption for their organization.
Amazon Web Services operates infrastructure in multiple geographical Regions across five continents, each Region containing multiple Availability Zones, plus a set of global edge locations. Building comparable high-availability infrastructure in a traditional datacenter would be non-trivial and cost-prohibitive. This session shows how to achieve high availability across geographies, deploy applications close to users, control where data is located, achieve low latency, and migrate applications around the world cost-effectively using AWS services. It also covers how AWS builds services in accordance with security best practices, provides security features in those services, and has achieved industry-standard certifications and third-party attestations. Under the shared security model, AWS customers in turn must use those security features and best practices to architect an appropriately secure application environment. Enabling customers to ensure the confidentiality, integrity, and availability of their data is of the utmost importance to AWS, as is maintaining trust and confidence.
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve High Availability with Reliable Security at Low Cost, Santanu Dutt
10. 3. Cost
Corporate Data Center (diagram): three candidate projects, each judged on potential impact and cost of infrastructure
Project X   Potential impact: LOW    Cost of infrastructure: HIGH   Denied
Project Z   Potential impact: LOW    Cost of infrastructure: LOW    Approved
Project Y   Potential impact: HIGH   Cost of infrastructure: HIGH   Denied
11. 3. Cost
(same diagram as slide 10)
Cost of infrastructure can inhibit innovation
21. The New Enterprise IT
Network Architecture (diagram): a VPC with a Public Subnet (Internet Gateway, NAT Instance) and a Private Subnet; the Corporate Data Center, Corporate Headquarters and Branch Offices connect through a Customer Gateway on the customer side to a VPN Gateway on the AWS side; Cloud Services sit alongside the VPC
44. AWS Certifications
• Based on the Shared Responsibility model
• AWS Environment
– SSAE 16 / SOC 1 (SAS70 Type II) Audit
– ISO 27001 Certification
– Payment Card Industry Data Security Standard (PCI DSS) Level 1
– FedRAMP (FISMA)
• Customers have deployed various compliant applications:
– Sarbanes-Oxley (SOX)
– HIPAA (healthcare)
– FISMA (US Federal Government)
– DIACAP MAC III Sensitive IATO
46. Physical Security of Data Centers
• Amazon has been building large-scale data centers for many years
• Important attributes:
– Non-descript facilities
– Robust perimeter controls
– Strictly controlled physical access
– 2 or more levels of two-factor auth
• Controlled, need-based access
• All access is logged and reviewed
• Separation of Duties
– employees with physical access don’t have logical privileges
47. Amazon EC2 Instance Isolation
(diagram) Physical Interfaces -> Hypervisor -> Virtual Interfaces -> Firewall -> Customer 1, Customer 2 ... Customer n, each customer's instances governed by its own Security Groups
48. Storage Device Decommissioning
• All storage devices go through process
• Uses techniques from
– DoD 5220.22-M (“National Industrial Security Program Operating Manual”)
– NIST 800-88 (“Guidelines for Media Sanitization”)
• Ultimately
– degaussed
– physically destroyed
49. Network Security Considerations
• Distributed Denial of Service (DDoS):
– Standard mitigation techniques in effect
• Man in the Middle (MITM):
– All endpoints protected by SSL
– Fresh EC2 host keys generated at boot
• IP Spoofing:
– Prohibited at host OS level
• Unauthorized Port Scanning:
– Violation of AWS TOS
– Detected, stopped, and blocked
– Inbound ports blocked by default
• Packet Sniffing:
– Promiscuous mode is ineffective
– Protection at hypervisor level
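The MITM bullet above says EC2 host keys are generated fresh at boot, which means nobody can publish them in advance; the practitioner's check is to read the fingerprints the instance prints to its console log (fetched through the EC2 API, for example `aws ec2 get-console-output`) and compare them with what the ssh client presents on first connection. The following is an added example, not code from the slides or from AWS. The console text is constructed for the example: the BEGIN/END marker lines follow the block cloud-init prints, the fingerprint values are made up, and a DSA key type is deliberately absent so the missing-key case can be shown.

```python
"""Out-of-band check of a freshly launched EC2 instance's SSH host key.

Added example for this page, not code from the slides or from AWS.
Because host keys are generated on the instance at first boot, the
trustworthy copy of the fingerprint is the one the instance prints to
its console log, which is read through the EC2 API rather than over the
network path an attacker could sit on.  The console text below is
CONSTRUCTED: the marker lines follow the block cloud-init prints, but
the fingerprint values are made up.
"""
import re

# Constructed console output, standing in for real get-console-output text.
SAMPLE_CONSOLE_OUTPUT = """\
[    4.982213] cloud-init[901]: Generating public/private rsa key pair.
-----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 256 SHA256:3Q6m1nUj5qfn0r7wAgwzqzLdvAx1c7j9GhsMk2rXa8c root@ip-10-0-1-23 (ED25519)
ec2: 2048 SHA256:pQ2yZ8bV7fHkz1R3jM5nT6uW9xB0cD4eF7gH8iJ1kL2 root@ip-10-0-1-23 (RSA)
-----END SSH HOST KEY FINGERPRINTS-----
ci-info: no authorized ssh keys fingerprints found for user ec2-user.
"""

BEGIN = "-----BEGIN SSH HOST KEY FINGERPRINTS-----"
END = "-----END SSH HOST KEY FINGERPRINTS-----"
# "ec2: <bits> <fingerprint> <comment> (<KEYTYPE>)"; the fingerprint field is
# taken verbatim, so MD5 colon-hex (older images) works as well as SHA256:...
FP_LINE = re.compile(r"^ec2:\s+\d+\s+(?P<fp>\S+)\s+\S+\s+\((?P<type>[A-Z0-9]+)\)$")


def parse_console_fingerprints(console_text):
    """Return {key_type: fingerprint} from the first delimited block only.

    Only text between the BEGIN/END markers is trusted; anything else in
    the log (application output, user-data scripts) is ignored.
    """
    fingerprints = {}
    inside = False
    for raw in console_text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            inside = True
            continue
        if line == END:
            break
        if inside:
            match = FP_LINE.match(line)
            if match:
                fingerprints[match.group("type")] = match.group("fp")
    return fingerprints


def host_key_matches(console_text, key_type, presented_fp):
    """True only if the console block lists key_type with exactly presented_fp.

    presented_fp is what the ssh client shows on first connection (or the
    output of `ssh-keygen -lf` on the key it is about to trust).  A missing
    key type is a failure, not a pass: never trust a key you cannot verify.
    """
    expected = parse_console_fingerprints(console_text).get(key_type)
    return expected is not None and expected == presented_fp


if __name__ == "__main__":
    seen = "SHA256:pQ2yZ8bV7fHkz1R3jM5nT6uW9xB0cD4eF7gH8iJ1kL2"
    print("RSA host key verified:", host_key_matches(SAMPLE_CONSOLE_OUTPUT, "RSA", seen))
```

One caveat: the fingerprint block is printed at first boot only and the console buffer is finite, so capture the console output right after launch; if the block is gone, or the key type you are offered is not listed, treat the connection as unverified rather than accepting the key.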
51. AWS Identity and Access Management (IAM)
• Users and Groups within Accounts
• Unique security credentials
– Access keys
– Login/Password
– optional MFA device
• Policies control access to AWS APIs
• API calls must be signed by either:
– X.509 certificate
– secret key
• Deep integration into some Services
– S3: policies on objects and buckets
• AWS Management Console supports User log on
• Not for Operating Systems or Applications
– use LDAP, Active Directory/ADFS, etc...
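To make "policies control access to AWS APIs" and the "optional MFA device" bullets concrete, here is an added example (not AWS code and not from the slides) that models how an IAM policy decides a single API call: default deny, explicit Deny overriding any Allow, wildcards in Action and Resource, and a Condition that requires an MFA-authenticated session. The policy documents, ARNs, account id and request contexts are constructed for the example, and only the Bool and StringEquals condition operators are implemented.

```python
"""Miniature IAM policy evaluator: an added example, not AWS code.

It models the rules that matter when writing least-privilege policies:
  * default deny: a call is allowed only if some statement allows it;
  * an explicit Deny overrides any Allow, whichever policy it lives in;
  * Action and Resource accept '*' and '?' wildcards (fnmatch-style);
  * a Condition can require an MFA-authenticated session through the
    aws:MultiFactorAuthPresent key.
The policy documents, ARNs and request contexts are constructed for the
example.  Only the Bool and StringEquals condition operators are
implemented; the real engine has many more operators and cross-account
rules that are out of scope here.
"""
import fnmatch


def _matches(patterns, value):
    """IAM allows a string or a list in Action/Resource; '*' spans '/' too."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(wanted).lower():
                    return False
            elif operator == "StringEquals":
                if actual != wanted:
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def evaluate(policies, action, resource, context=None):
    """Decide one API call. Returns 'Allow' or 'Deny'."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny: stop, nothing can override it
            allowed = True             # keep going: a later Deny still wins
    return "Allow" if allowed else "Deny"


# Constructed policy attached to an engineering group.
ENGINEER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # read the application log bucket
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-app-logs",
                         "arn:aws:s3:::example-app-logs/*"],
        },
        {   # destructive EC2 call only from an MFA-authenticated session
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {   # the audit trail is off limits no matter what else is granted
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-audit-trail/*",
        },
    ],
}

# Constructed over-broad policy, to show that an explicit Deny still wins.
S3_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

INSTANCE = "arn:aws:ec2:ap-south-1:123456789012:instance/i-0abc1234"


if __name__ == "__main__":
    print(evaluate([ENGINEER_POLICY], "ec2:TerminateInstances", INSTANCE))
    print(evaluate([ENGINEER_POLICY], "ec2:TerminateInstances", INSTANCE,
                   {"aws:MultiFactorAuthPresent": True}))
```

The design point worth taking from the model is the order of evaluation: the Deny on the audit bucket is honoured even when a second, broader policy grants `s3:*`, which is why guard-rail Deny statements are the safest way to carve exceptions out of otherwise wide grants.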
52. Multi-tier Security Approach Example
(diagram) Web Tier, Application Tier and Database Tier, each behind its own Amazon EC2 Security Group firewall
• Web Tier: ports 80 and 443 only open to the Internet; all other Internet ports blocked by default
• Application Tier: engineering staff have ssh access to the App Tier, which acts as bastion
• Database Tier: sync with on-premises database
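The three-tier layout above is built from security-group rules that reference other security groups rather than IP ranges, so a practitioner's question is whether the resulting rule set actually honours the slide's invariants (only 80/443 to the Internet, ssh only through the bastion, the database unreachable from the web tier). The block below is an added example, not AWS code and not from the slides: it models stateful, default-deny inbound security groups, evaluates a flow against them, and audits the invariants, then shows how a single careless rule breaks them. The group names, ports, the office CIDR (203.0.113.0/24) and the on-premises CIDR (10.10.0.0/16, standing in for the VPN-connected datacenter) are constructed.

```python
"""Model of the slide's three-tier security-group layout; an added
example, not AWS code.  Security groups are stateful, default-deny
inbound firewalls attached to instances.  A rule's source may be a CIDR
block or another security group, which is what lets the application tier
admit only the web tier and the database tier admit only the
application tier.  The group names, ports, the office CIDR and the
on-premises CIDR below are constructed for the example.
"""
import ipaddress

# Inbound rules per group: (protocol, from_port, to_port, source); source is
# either a CIDR string or the name of another security group.
THREE_TIER = {
    "web-sg": [
        ("tcp", 80, 80, "0.0.0.0/0"),        # the only ports open to the Internet
        ("tcp", 443, 443, "0.0.0.0/0"),
    ],
    "app-sg": [
        ("tcp", 8080, 8080, "web-sg"),        # only web-tier instances reach the app
        ("tcp", 22, 22, "203.0.113.0/24"),    # engineering office: app tier is the bastion
    ],
    "db-sg": [
        ("tcp", 3306, 3306, "app-sg"),        # only app-tier instances reach the DB
        ("tcp", 3306, 3306, "10.10.0.0/16"),  # on-premises database syncing over the VPN
        ("tcp", 22, 22, "app-sg"),            # ssh to the DB only from the bastion
    ],
}


def _source_matches(groups, rule_source, src):
    """src is the name of the caller's security group or its IP address."""
    if rule_source in groups:
        return src == rule_source             # group-to-group rule
    try:
        return ipaddress.ip_address(src) in ipaddress.ip_network(rule_source)
    except ValueError:
        return False                          # a group name never matches a CIDR


def inbound_allowed(groups, dst_group, src, proto, port):
    """Default deny: True only if a rule on dst_group admits this flow."""
    for rule_proto, low, high, source in groups.get(dst_group, []):
        if rule_proto == proto and low <= port <= high and _source_matches(groups, source, src):
            return True
    return False


def internet_exposed_ports(groups, group):
    """Ports a group opens to the whole Internet (0.0.0.0/0)."""
    return sorted({p for proto, low, high, source in groups[group]
                   if source == "0.0.0.0/0" for p in range(low, high + 1)})


def audit(groups):
    """The invariants the slide describes; every value is True when honoured."""
    office_host, internet_host = "203.0.113.7", "198.51.100.9"
    return {
        "web: only 80/443 open to the Internet": internet_exposed_ports(groups, "web-sg") == [80, 443],
        "app: nothing open to the Internet": internet_exposed_ports(groups, "app-sg") == [],
        "db: nothing open to the Internet": internet_exposed_ports(groups, "db-sg") == [],
        "db: unreachable from the web tier": not inbound_allowed(groups, "db-sg", "web-sg", "tcp", 3306),
        "ssh to db only via the bastion": (inbound_allowed(groups, "db-sg", "app-sg", "tcp", 22)
                                           and not inbound_allowed(groups, "db-sg", office_host, "tcp", 22)),
        "ssh to app not from the Internet": not inbound_allowed(groups, "app-sg", internet_host, "tcp", 22),
    }


def with_rule(groups, group, rule):
    """Copy of groups with one extra inbound rule (for what-if checks)."""
    changed = {name: list(rules) for name, rules in groups.items()}
    changed[group].append(rule)
    return changed


if __name__ == "__main__":
    for check, ok in audit(THREE_TIER).items():
        print(("PASS " if ok else "FAIL ") + check)
    # a single "ssh from anywhere" rule on the DB tier breaks two invariants
    sloppy = with_rule(THREE_TIER, "db-sg", ("tcp", 22, 22, "0.0.0.0/0"))
    print(sum(not ok for ok in audit(sloppy).values()), "invariant(s) violated")
```

Because the app and database groups name other groups as their source, instances can be added to or removed from a tier without touching any IP-based rule; the audit is the kind of check worth running whenever a rule is added, since the what-if at the end shows that one `0.0.0.0/0` entry on the database group silently undoes the bastion design.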