Universal Cloud Security
• Every customer has access to the same security capabilities, and gets to choose what’s right for their business.
– Governments
– Financial Sector
– Pharmaceuticals
– Entertainment
– Start-Ups
– Social Media
– Home Users
– Retail
Visible Cloud Security
• AWS allows the customer to see their ENTIRE infrastructure at the click of a mouse
[Slide: two contrasting images] This, or this?
Auditable Cloud Security
• How does a customer know AWS is right for their business?
– 3rd Party Audits
• Independent auditors
• Artifacts
– Plans, Policies and Procedures
• Logs
– Obtained
– Retained
– Analyzed
Transparent Cloud Security
• Choose the audit/certification that’s right for them:
– ISO-27001
– SOC-1, SOC-2, SOC-3
– FedRAMP
– PCI
Security & Compliance Control Objectives
Control Objective 1: Security Organization
– Who we are
– Proper control & access within the organization
Control Objective 2: Amazon User Access
– How we vet our staff
– Minimization of access
Control Objective 3: Logical Security
– Our staff start with no systems access
– Need-based access grants
– Rigorous systems separation
– Systems access grants regularly re-evaluated & automatically revoked
Control Objective 4: Secure Data Handling
– Storage media destroyed before being permitted outside our datacenters
– Media destruction consistent with US Dept. of Defense Directive 5220.22
Control Objective 5: Physical Security and Environmental Safeguards
– Keeping our facilities safe
– Maintaining the physical operating parameters of our datacenters
Control Objective 6: Change Management
– Continuous Operation
Control Objective 7: Data Integrity, Availability and Redundancy
– Ensuring your data remains safe, intact & available
Control Objective 8: Incident Handling
– Processes & procedures for mitigating and managing potential issues
AWS Shared Responsibility Model
• Let AWS do the heavy lifting
• This is what we do – and we do it all the time
• The customer can focus on their business and not be distracted by the muck
Physical Security
• Large non-descript facilities
• Robust perimeter controls
• 2-factor authentication for entry
• Controlled, need-based access for AWS employees
• All access is logged and reviewed
Network Security
• DDoS attacks defended at the border
• Man-in-the-Middle attacks
• SSL endpoints
• IP Spoofing prohibited
• Port scanning prohibited
• Packet Sniffing prevented
AWS Data Protection Solutions
• AWS offers several data protection mechanisms including access control, encryption, etc.
• AWS data encryption solutions allow customers to:
– Encrypt and decrypt sensitive data inside or outside AWS
– Decide which data to encrypt
• AWS CloudHSM complements existing AWS data protection and encryption solutions
• With AWS CloudHSM customers can:
– Encrypt data inside AWS
– Store keys in AWS within a Hardware Security Module
– Decide how to encrypt data – the AWS CloudHSM implements cryptographic functions and key storage for customer applications
– Use third-party validated hardware for key storage
– AWS CloudHSMs are designed to meet Common Criteria EAL4+ and FIPS 140-2 standards
AWS Security Center
• http://aws.amazon.com/security/
– Security Whitepaper
– Risk and Compliance Whitepaper
– Regularly Updated
– Feedback is welcome
• http://blogs.aws.amazon.com/security