© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
HONG KONG
Elevate your security with the cloud
-- AWS Security & Compliance for Enterprises
Michael Chen, Ph.D.
Sr. Engagement Manager
Professional Services, AWS
18OCT2019
Cloud first, cloud by default, and cloud native
Cited benefits
• Cost saving/better way to manage cost
• Agility, speed, continuous improvement
• Elasticity, scalability
• Improve resiliency
• Technology capability
• Operational efficiency
• Security
Government-published cloud policy
United States (2011)
Saudi Arabia (2019)
Top concerns in cloud adoption
• Legacy systems
• Budget
• Skill/Expertise
• Security
• Develop & maintain
• Types of workloads, how to decide
• Skill/expertise
• Authorization policy
• Time to authorization
• Addition of new services
Why is security traditionally so hard?
• Low degree of automation
• Lack of visibility
A set of risk management challenges: Compliance, Organizational, Communication
Before…
Move fast OR Stay secure
Now…
Move fast AND Stay secure
Elevate your security with the AWS Cloud
• Inherit global security and compliance controls
• Highest standards for privacy and data security
• Automate with comprehensive, integrated security services
• Scale with superior visibility and control
• Largest network of security partners and solutions
Shared responsibility model
Customer: Security IN the Cloud
Customer responsibility will be determined by the AWS Cloud services that a customer selects
AWS: Security OF the Cloud
AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud
Traditional on-premises security model
Customers: Responsibility for end-to-end security in their on-premises data centers
• Customer data
• Platform, applications, identity, and access management
• Operating system, network, and firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side data: file system and/or data
• Network traffic protection (encryption, integrity, identity)
• Software: Compute, Storage, Database, Networking
• Hardware/AWS global infrastructure: Regions, Availability Zones, Edge locations
Understanding the AWS shared responsibility model
Customers: Responsibility for security “in” the cloud
• Customer data
• Platform, applications, identity, and access management
• Operating system, network, and firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side data: file system and/or data
• Network traffic protection (encryption, integrity, identity)
AWS: Responsibility for security “of” the cloud
• Software: Compute, Storage, Database, Networking
• Hardware/AWS global infrastructure: Regions, Availability Zones, Edge locations
Provable Security
“Could my AWS IAM policy allow unintended users access to my Amazon S3 bucket?”
“How do we know that the AWS crypto primitives are correctly implemented?”
Provable security refers to a suite of AWS technology, powered by automated reasoning, that helps verify the correctness of critical security and compliance components in the cloud.
1. AWS re:Invent 2016: Automated Formal Reasoning About AWS Systems (SEC401): https://youtu.be/U40bWY6oVtU
2. AWS re:Invent 2018: The Theory and Math Behind Data Privacy and Security Assurance (SEC301): https://youtu.be/F3JmBhTQmyY
Applying the shared responsibility model to your Cloud Control Framework
[Figure: requirement tables for ISO, PCI (columns: #, Req, Summary) and SOC (columns: Control, Criteria, Test Result) map to a Customer Cloud Control Framework table (columns: #, Domain, Objective, Implementation).]
Customer Cloud Control Framework = Controls inherited from AWS + Customer Controls in the AWS Cloud
Control levels shown: Enterprise-wide controls, Service-specific controls, Workload-specific controls
At AWS, security is job zero
AWS data centers are secure by design
Layers: Environmental, Perimeter, Infrastructure, Data, Hardware
• Data center locations are selected to mitigate environmental risk, and Availability Zones are independent and physically separated
• Data center access is granted only to employees and third parties with a valid business justification
• AWS monitors equipment and performs preventative maintenance to maintain continued operability
• AWS protects the data layer by maintaining a separation of privilege for each layer and deploying threat detection devices and system protocols
• The AWS global infrastructure is built on Amazon hardware and provides customers with the highest levels of reliability
The AWS global infrastructure is built for resiliency
22 Geographic Regions – 69 Availability Zones – 187 Points of Presence*
*As of July 2019
To avoid single points of failure, AWS minimizes interconnectedness within our global infrastructure:
• Regions are autonomous and isolated
• Availability Zones are physically separated and independent
• Points of presence securely deliver data, videos, and APIs globally with low latency
AWS services are designed for security and compliance
Security and compliance are built into our service development lifecycle
Lifecycle stages shown: Idea, Design, Security Risk Assessment, Threat modeling, Security design reviews, Secure code reviews, Security testing, Vulnerability, Penetration testing, Approval, Configuration management
Customers rely on AWS’s compliance with global standards
AWS engages with global regulatory bodies on an ongoing basis
🌐 = industry or global standard

Certifications & Attestations
• Cloud Computing Compliance Controls Catalogue (C5) 🇩🇪
• Cyber Essentials Plus 🇬🇧
• DoD SRG 🇺🇸
• FedRAMP 🇺🇸
• FIPS 🇺🇸
• IRAP 🇦🇺
• ISO 9001 🌐
• ISO 27001 🌐
• ISO 27017 🌐
• ISO 27018 🌐
• MLPS Level 3 🇨🇳
• MTCS 🇸🇬
• PCI DSS Level 1 💳
• SEC Rule 17-a-4(f) 🇺🇸
• SOC 1, SOC 2, SOC 3 🌐

Laws, Regulations and Privacy
• CISPE 🇪🇺
• GDPR 🇪🇺
• FERPA 🇺🇸
• GLBA 🇺🇸
• HIPAA 🇺🇸
• HITECH 🌐
• IRS 1075 🇺🇸
• ITAR 🇺🇸
• My Number Act 🇯🇵
• Data Protection Act – 1988 🇬🇧
• VPAT / Section 508 🇺🇸
• Data Protection Directive 🇪🇺
• Privacy Act [Australia] 🇦🇺
• Privacy Act [New Zealand] 🇳🇿
• PDPA - 2010 [Malaysia] 🇲🇾
• PDPA - 2012 [Singapore] 🇸🇬
• PIPEDA [Canada] 🇨🇦
• Agencia Española de Protección de Datos 🇪🇸

Alignments & Frameworks
• CIS (Center for Internet Security) 🌐
• CJIS (US FBI) 🇺🇸
• CSA (Cloud Security Alliance) 🌐
• Esquema Nacional de Seguridad 🇪🇸
• EU-US Privacy Shield 🇪🇺
• FISC 🇯🇵
• FISMA 🇺🇸
• G-Cloud 🇬🇧
• GxP (US FDA CFR 21 Part 11) 🇺🇸
• ICREA 🌐
• IT Grundschutz 🇩🇪
• MITA 3.0 (US Medicaid) 🇺🇸
• MPAA 🇺🇸
• NIST 🇺🇸
• Uptime Institute Tiers 🌐
• Cloud Security Principles 🇬🇧
And provide resources to help you learn more about our controls
The AWS Artifact tool supports increased transparency
A portal that provides on-demand access to:
• Information on AWS policies, processes, and controls
• Documentation of controls relevant to specific AWS services
• Validation that AWS controls are operating effectively
Customers can use the reports to align AWS controls to their own control frameworks, and verify that AWS controls are operating effectively.
The AWS Compliance Center provides research on cloud regulations
The AWS Compliance Center provides a central location to research cloud regulations in specific countries and learn about AWS Compliance programs
https://www.atlas.aws/
Workbooks and guidelines for national privacy considerations, government-issued compliance guidance, and best practices
APAC
• Financial Services Regulations Guidelines in Singapore
• Hong Kong Insurance Authority Guide to Financial Services Regulations and Guidelines
• Hong Kong Monetary Authority Guide to Financial Services Regulations & Guidelines
• AWS User Guide to Banking Regulations & Guidelines in India
• AWS User Guide to Financial Services Regulations & Guidelines in Australia
• The APRA CPG 234 Workbook (available in the console from AWS Artifact)
• The MAS TRM Guidelines Workbook (available in the console from AWS Artifact)
• The HKMA TM-G1 Workbook (available in the console from AWS Artifact)
Building a cloud control framework with AWS
[Figure: six numbered steps, 1 to 6; step labels as they appear on the slide:]
• Design control objectives
• Classify solution and identify applicable risks, requirements, and regulations
• Identify strategic objective(s) or solution(s)
• Conduct due diligence of AWS services
• Document and implement enterprise, service, and workload controls
• Verify control objectives are met and controls are operating effectively
Repeat process throughout cloud journey to build a cloud control library
Assess AWS services and identify service-specific controls
Dedicated security chapters for over 40 AWS services
The AWS documentation for over 40 services now contains dedicated security chapters with information about topics such as:
• Data Protection
• Identity and Access Management
• Logging and Monitoring
• Compliance Validation
• Resilience
• Infrastructure Security
• Configuration and Vulnerability Analysis
• Security Best Practices
OUTPUT: Documented Risk Position & Identified Security Configurations
APPROVED SERVICE & SERVICE-SPECIFIC CONTROLS
• Directive: Cloud Service Policy
• Detective Controls
• Preventive Controls
The AWS Cloud Adoption Framework (AWS CAF)
• Capability: What a stakeholder executes to support the organization’s business strategy
• Things you know: The knowledge used to execute the capability
• Things you do: The processes used to execute the capability
Core 5 Security Epics
Learn more about the CAF online:
https://d0.awsstatic.com/whitepapers/aws_cloud_adoption_framework.pdf
Use AWS security services to implement and automate controls
Categories: Identity and Access Management, Detective control, Infrastructure security, Data protection, Incident response
New services:
• AWS Security Hub: Centrally view and manage security alerts and automate compliance checks
• AWS Control Tower: Automates the set up and governance of a secure, compliant multi-account AWS environment
Services shown:
• AWS Identity & Access Management (IAM)
• AWS Single Sign-On
• AWS Directory Service
• Amazon Cognito
• AWS Organizations
• AWS Secrets Manager
• AWS Resource Access Manager
• AWS Security Hub
• Amazon GuardDuty
• AWS Config
• AWS CloudTrail
• Amazon CloudWatch
• VPC Flow Logs
• AWS Systems Manager
• AWS Shield
• AWS WAF – Web application firewall
• AWS Firewall Manager
• Amazon Inspector
• Amazon Virtual Private Cloud (VPC)
• AWS Key Management Service (KMS)
• AWS CloudHSM
• AWS Certificate Manager
• Amazon Macie
• Server-Side Encryption
• Amazon S3 Object Lock
• Amazon S3 Cross-Region Replication
• AWS Backup
• AWS Config Rules
• AWS Lambda
• AWS Personal Health Dashboard
• AWS Cross Service Integration
The fundamental pattern of AWS cloud security
• Data encryption: AWS Key Management Service (AWS KMS)
• Network security controls: Amazon Virtual Private Cloud (Amazon VPC)
NIST Cybersecurity Framework (CSF)
• The NIST CSF offers a simple, yet effective risk-based, outcome-focused framework consisting of three elements: core, tiers, and profiles.
Core
The core represents a set of cybersecurity practices, outcomes, and technical, operational, and managerial security controls (referred to as informative references) that support the five risk management functions
Functions: Identify, Protect, Detect, Respond, Recover
Tiers
Tiers characterize an organization’s aptitude for managing cybersecurity risk
• Tier 1: Partial
• Tier 2: Risk informed
• Tier 3: Repeatable
• Tier 4: Adaptive
Profiles
Profiles are intended to convey the organization’s as-is and desired risk postures
Current, Target
These three elements enable organizations to prioritize and address cybersecurity risks consistent with their business and mission needs
Aligning to the NIST CSF in the AWS Cloud
How to use this resource
• Executive level
o Summary of AWS and customer responsibilities to align to each of the five functions in the CSF (identify, protect, detect, respond, and recover)
o Third-party attestation
• Technical level
o Detailed mapping of AWS services and resources (beyond FedRAMP and ISO 27001)
o Customer responsibilities
o AWS responsibilities
“I have come to realize that as a relatively small organization, we can be far more secure in the cloud and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested. We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”
—John Brady, CISO FINRA
Financial industry regulatory authority
• Looks for fraud, abuse, and insider trading over nearly 6 billion shares traded in U.S. equities markets every day
• Processes approximately 6 terabytes of data and 37 billion records on an average day
• Went from 3–4 weeks for server hardening to 3–4 minutes
• DevOps teams focus on automation and tools to raise the compliance bar and simplify controls
• Achieved incredible levels of assurance for consistencies of builds and patching via rebooting with automated deployment scripts
“Previously all our servers were configured and updated by hand or through limited automation, we didn’t take full advantage of a configuration management…All our new services are built as stateless docker containers, allowing us to deploy and scale them easily using Amazon’s ECS.”
“AWS allowed us to scale our business to handle 6 million patients a month and elevate our security–all while maintaining HIPAA compliance–as we migrated 100% to cloud in less than 12 months”
—Brian Lozada, chief information security officer
Online medical care scheduling
• Migrated all-in on AWS in under 12 months, becoming a HIPAA compliant cloud-first organization
• New York based startup leveraged infrastructure as code to securely scale to 6 million patients per month
• Data liberation—use data to innovate and drive more solutions for patients, reducing patient wait times from 24 days to 24 hours
• Maintain end to end visibility of patient data using AWS
“Amazon Web Services was the clear choice in terms of security and PCI DSS Level 1 compliance compared to an on-premises or co-location data center solution.”
“Using AWS, we were able to design and launch a security-compliant solution in three months while reducing our capital expenses by 30 percent.”
—Stefano Harak, online senior product manager
Mobile top-up service
• Vodafone Italy is a prominent player in the Italian mobile phone market with over 30 million users.
• With a rise in SIM transactions, the company wanted to find a way to make it easier for customers to top up using a credit or debit card—and since each SIM card contains valuable personal information, that solution needed to be not only flexible, but also secure.
• With AWS Cloud, Vodafone Italy was able to allow users to purchase credits online with strong security and be compliant with the Payment Card Industry Data Security Standard (PCI DSS).
• With the muscle of the AWS cloud behind it, Vodafone easily managed top-up requests through the new service as it grew to several thousand daily and spread to multiple online channels, including social media platforms.
Security and Compliance Technology Partner ecosystem
[Figure: partner categories]
• Data Protection and Encryption
• Governance, Risk, and Compliance
• Identity & Access Management
• Host and Endpoint Security
• Logging, Monitoring, Threat Detection, and Analytics
• Application Security
• Network and Infra Security
• Vulnerability and Config Assessment
Other labels on the figure: Detective (Some Responsive), Preventative, Compliance Archiving, User, External Network
Security and Compliance Consulting Partners
• Security engineering
• Governance, Risk, and Compliance
• Security operations and automation
Ready to start building?
• Work with your AWS account team to understand how AWS can help you build secure, compliant workloads in the cloud.
• Work with an APN Partner to integrate control monitoring with your existing on-premises solutions.
• Contact the Professional Services Security and Compliance team to schedule a workshop with AWS Compliance specialists.
Path to Production
1. Identify & Engage Stakeholders
2. Capability & Enablement
3. Operational Model
4. Security of the Cloud
5. Security in the Cloud
6. Regulations
7. Legal Agreements
8. Establish Security Controls (Prevent, Detect, Respond, Recover)
9. Internal & External Assessment
10. Regulator Approval or Notification
Thank you!
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/products/security/
Michael Chen, cxiaowei@amazon.com
Identity & access management
Define, enforce, and audit user permissions across AWS services, actions, and resources
• AWS Identity and Access Management (IAM): Securely control access to AWS services and resources
• AWS Single Sign-On (SSO): Centrally manage SSO access to multiple AWS accounts & business apps
• AWS Directory Service: Managed Microsoft Active Directory in the AWS Cloud
• Amazon Cognito: Add user sign-up, sign-in, and access control to your web/mobile apps
• AWS Organizations: Policy-based management for multiple AWS accounts
• AWS Secrets Manager: Easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle
• AWS Resource Access Manager: Simple, secure service to share AWS resources
Detective controls
Gain the visibility you need to improve your security posture, reduce the risk profile of your environment, and spot issues before they impact the business
• AWS Security Hub: Centrally view & manage security alerts and automate compliance checks
• Amazon GuardDuty: Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
• AWS Config: Record and evaluate configurations of your AWS resources to enable compliance auditing, resource change tracking, and security analysis
• AWS CloudTrail: Track user activity and API usage to enable governance, compliance, and operational/risk auditing of your AWS account
• Amazon CloudWatch: Complete visibility of your cloud resources and applications to collect metrics, monitor log files, set alarms, and automatically react to changes
• VPC Flow Logs: Capture info about the IP traffic going to and from network interfaces in your VPC; flow log data is stored using Amazon CloudWatch Logs
Infrastructure protection
Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS
• AWS Systems Manager: Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems
• AWS Shield: Managed DDoS protection service that safeguards web applications running on AWS
• AWS WAF—Web application firewall: Protects your web applications from common web exploits ensuring availability and security
• AWS Firewall Manager: Centrally configure and manage AWS WAF rules across accounts and applications
• Amazon Inspector: Automates security assessments to help improve the security and compliance of applications deployed on AWS
• Amazon Virtual Private Cloud (Amazon VPC): Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define
Data protection
In addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage)
• AWS Key Management Service (AWS KMS): Easily create and control the keys used to encrypt your data
• AWS CloudHSM: Managed hardware security module (HSM) on the AWS Cloud
• AWS Certificate Manager: Easily provision, manage, and deploy SSL/TLS certificates for use with AWS services
• Amazon Macie: Machine learning-powered security service to discover, classify, and protect sensitive data
• Server-side encryption: Flexible data encryption options using AWS service-managed keys, AWS-managed keys via AWS KMS, or customer-managed keys
Incident response
During an incident, containing the event and returning to a known good state are important elements of a response plan; AWS provides these tools to automate aspects of this best practice
• AWS Config Rules: Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known good state
• AWS Lambda: Use our serverless compute service to run code without provisioning or managing servers so you can scale your programmed, automated response to incidents

 
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 Amazon Web Services
 
Secure & Automate AWS Deployments with Next-Generation on Security
Secure & Automate AWS Deployments with Next-Generation on SecuritySecure & Automate AWS Deployments with Next-Generation on Security
Secure & Automate AWS Deployments with Next-Generation on SecurityAmazon Web Services
 
Introduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF LoftIntroduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF LoftAmazon Web Services
 
NIST Compliance, AWS Federal Pop-Up Loft
NIST Compliance, AWS Federal Pop-Up LoftNIST Compliance, AWS Federal Pop-Up Loft
NIST Compliance, AWS Federal Pop-Up LoftAmazon Web Services
 
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Amazon Web Services
 
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...Amazon Web Services
 
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduAWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduVladimir Simek
 
How to Architect and Bring to Market SaaS on AWS GovCloud (US)
How to Architect and Bring to Market SaaS on AWS GovCloud (US)How to Architect and Bring to Market SaaS on AWS GovCloud (US)
How to Architect and Bring to Market SaaS on AWS GovCloud (US)Amazon Web Services
 
Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Cynthia Hsieh
 

Similaire à Elevate_your_security_with_the_cloud (20)

Security in the cloud
Security in the cloudSecurity in the cloud
Security in the cloud
 
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS SummitCarry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
 
Generational shiftsRedefining Customer Experience And The Way To Insure
Generational shiftsRedefining Customer Experience And The Way To InsureGenerational shiftsRedefining Customer Experience And The Way To Insure
Generational shiftsRedefining Customer Experience And The Way To Insure
 
How Redlock Automates Security on AWS
How Redlock Automates Security on AWSHow Redlock Automates Security on AWS
How Redlock Automates Security on AWS
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
AWS Initiate Day Manchester 2019 – AWS Security Compliance in your VPC
AWS Initiate Day Manchester 2019 – AWS Security Compliance in your VPCAWS Initiate Day Manchester 2019 – AWS Security Compliance in your VPC
AWS Initiate Day Manchester 2019 – AWS Security Compliance in your VPC
 
Protecting Your Data
Protecting Your DataProtecting Your Data
Protecting Your Data
 
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
Executive Security Simulation Workshop (WPS206) - AWS re:Invent 2018
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019 AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
AWS Executive Security Simulation - FND201-R - AWS re:Inforce 2019
 
Secure & Automate AWS Deployments with Next-Generation on Security
Secure & Automate AWS Deployments with Next-Generation on SecuritySecure & Automate AWS Deployments with Next-Generation on Security
Secure & Automate AWS Deployments with Next-Generation on Security
 
Introduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF LoftIntroduction to AWS Security: Security Week at the SF Loft
Introduction to AWS Security: Security Week at the SF Loft
 
NIST Compliance, AWS Federal Pop-Up Loft
NIST Compliance, AWS Federal Pop-Up LoftNIST Compliance, AWS Federal Pop-Up Loft
NIST Compliance, AWS Federal Pop-Up Loft
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
 
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...
How to Process Transactions Like a Boss! AWS Developer Workshop at Web Summit...
 
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS clouduAWS Webinar CZSK 02 Bezpecnost v AWS cloudu
AWS Webinar CZSK 02 Bezpecnost v AWS cloudu
 
How to Architect and Bring to Market SaaS on AWS GovCloud (US)
How to Architect and Bring to Market SaaS on AWS GovCloud (US)How to Architect and Bring to Market SaaS on AWS GovCloud (US)
How to Architect and Bring to Market SaaS on AWS GovCloud (US)
 
Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020Get ahead of cloud network security trends and practices in 2020
Get ahead of cloud network security trends and practices in 2020
 
AWS - Security & Compliance
AWS - Security & ComplianceAWS - Security & Compliance
AWS - Security & Compliance
 

Plus de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Elevate_your_security_with_the_cloud

  • 1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. HONG KONG. Elevate your security with the cloud -- AWS Security & Compliance for Enterprises. Michael Chen, Ph.D., Sr. Engagement Manager, Professional Services, AWS. 18OCT2019
  • 2. Cloud first, cloud by default, and cloud native. Cited benefits: • Cost saving/better way to manage cost • Agility, speed, continuous improvement • Elasticity, scalability • Improve resiliency • Technology capability • Operational efficiency • Security. Government-published cloud policy: United States (2011), Saudi Arabia (2019)
  • 3. Top concerns in cloud adoption: Legacy systems; Budget; Skill/Expertise; Security; Develop & maintain; Types of workloads, how to decide; Skill/expertise; Authorization policy; Time to authorization; Addition of new services
  • 4. Why is security traditionally so hard? Low degree of automation; Lack of visibility. A set of risk management challenges: Compliance, Organizational, Communication
  • 5. Before… Move fast OR Stay secure
  • 6. Now… Move fast AND Stay secure
  • 7. Elevate your security with the AWS Cloud: Automate with comprehensive, integrated security services; Inherit global security and compliance controls; Highest standards for privacy and data security; Largest network of security partners and solutions; Scale with superior visibility and control
  • 8. Shared responsibility model. AWS: Security OF the Cloud. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. Customer: Security IN the Cloud. Customer responsibility will be determined by the AWS Cloud services that a customer selects
  • 9. Traditional on-premises security model. Customers: Responsibility for end-to-end security in their on-premises data centers: Customer data; Platform, applications, identity, and access management; Operating system, network, and firewall configuration; Client-side data encryption & data integrity authentication; Server-side data (file system and/or data); Network traffic protection (encryption, integrity, identity); Software: Compute, Storage, Database, Networking; Hardware/AWS global infrastructure: Regions, Availability Zones, Edge locations
  • 10. Understanding the AWS shared responsibility model. Customers: Responsibility for security “in” the cloud: Customer data; Platform, applications, identity, and access management; Operating system, network, and firewall configuration; Client-side data encryption & data integrity authentication; Server-side data (file system and/or data); Network traffic protection (encryption, integrity, identity). AWS: Responsibility for security “of” the cloud: Software: Compute, Storage, Database, Networking; Hardware/AWS global infrastructure: Regions, Availability Zones, Edge locations. Provable Security
  • 11. Understanding the AWS shared responsibility model. Customers: Responsibility for security “in” the cloud: Customer data; Platform, applications, identity, and access management; Operating system, network, and firewall configuration; Client-side data encryption & data integrity authentication; Server-side data (file system and/or data); Network traffic protection (encryption, integrity, identity). AWS: Responsibility for security “of” the cloud: Software: Compute, Storage, Database, Networking; Hardware/AWS global infrastructure: Regions, Availability Zones, Edge locations. Provable Security: “Could my AWS IAM policy allow unintended users access to my Amazon S3 bucket?” “How do we know that the AWS crypto primitives are correctly implemented?”
  • 12. Understanding the AWS shared responsibility model. Customers: Responsibility for security “in” the cloud: Customer data; Platform, applications, identity, and access management; Operating system, network, and firewall configuration; Client-side data encryption & data integrity authentication; Server-side data (file system and/or data); Network traffic protection (encryption, integrity, identity). AWS: Responsibility for security “of” the cloud: Software: Compute, Storage, Database, Networking; Hardware/AWS global infrastructure: Regions, Availability Zones, Edge locations. Provable Security: “Could my AWS IAM policy allow unintended users access to my Amazon S3 bucket?” “How do we know that the AWS crypto primitives are correctly implemented?” Provable security refers to a suite of AWS technology, powered by automated reasoning, that helps verify the correctness of critical security and compliance components in the cloud. 1. AWS re:Invent 2016: Automated Formal Reasoning About AWS Systems (SEC401): https://youtu.be/U40bWY6oVtU 2. AWS re:Invent 2018: The Theory and Math Behind Data Privacy and Security Assurance (SEC301): https://youtu.be/F3JmBhTQmyY
  • 13. Applying the shared responsibility model to your Cloud Control Framework. [Figure: Controls inherited from AWS (sample ISO, PCI and SOC report tables) + Customer Controls in the AWS Cloud = Customer Cloud Control Framework (columns: #, Domain, Objective, Implementation). Labels: Enterprise-wide controls, Service-specific controls, Workload-specific controls]
  • 15. At AWS, security is job zero. AWS data centers are secure by design. Environmental: Data center locations are selected to mitigate environmental risk and Availability Zones are independent and physically separated. Perimeter: Data center access is granted only to employees and third-parties with a valid business justification. Infrastructure: AWS monitors equipment and performs preventative maintenance to maintain continued operability. Data: AWS protects the data layer by maintaining a separation of privilege for each layer and deploying threat detection devices and system protocols. Hardware: The AWS global infrastructure is built on Amazon hardware and provides customers with the highest levels of reliability
  • 16. The AWS global infrastructure is built for resiliency. 22 Geographic Regions – 69 Availability Zones – 187 Points of Presence* (*As of July 2019). To avoid single points of failure, AWS minimizes interconnectedness within our global infrastructure: • Regions are autonomous and isolated • Availability Zones are physically separated and independent • Points of presence securely deliver data, videos, and APIs globally with low latency
  • 17. AWS services are designed for security and compliance. Security and compliance are built into our service development lifecycle: Idea; Design; Security Risk Assessment; Threat modeling; Security design reviews; Secure code reviews; Security testing; Vulnerability; Penetration testing; Approval; Configuration management
  • 18. Customers rely on AWS’s compliance with global standards. AWS engages with global regulatory bodies on an ongoing basis. (🌐 = industry or global standard.) Certifications & Attestations: Cloud Computing Compliance Controls Catalogue (C5) 🇩🇪; Cyber Essentials Plus 🇬🇧; DoD SRG 🇺🇸; FedRAMP 🇺🇸; FIPS 🇺🇸; IRAP 🇦🇺; ISO 9001 🌐; ISO 27001 🌐; ISO 27017 🌐; ISO 27018 🌐; MLPS Level 3 🇨🇳; MTCS 🇸🇬; PCI DSS Level 1 💳; SEC Rule 17-a-4(f) 🇺🇸; SOC 1, SOC 2, SOC 3 🌐. Laws, Regulations and Privacy: CISPE 🇪🇺; GDPR 🇪🇺; FERPA 🇺🇸; GLBA 🇺🇸; HIPAA 🇺🇸; HITECH 🌐; IRS 1075 🇺🇸; ITAR 🇺🇸; My Number Act 🇯🇵; Data Protection Act – 1988 🇬🇧; VPAT / Section 508 🇺🇸; Data Protection Directive 🇪🇺; Privacy Act [Australia] 🇦🇺; Privacy Act [New Zealand] 🇳🇿; PDPA - 2010 [Malaysia] 🇲🇾; PDPA - 2012 [Singapore] 🇸🇬; PIPEDA [Canada] 🇨🇦; Agencia Española de Protección de Datos 🇪🇸. Alignments & Frameworks: CIS (Center for Internet Security) 🌐; CJIS (US FBI) 🇺🇸; CSA (Cloud Security Alliance) 🌐; Esquema Nacional de Seguridad 🇪🇸; EU-US Privacy Shield 🇪🇺; FISC 🇯🇵; FISMA 🇺🇸; G-Cloud 🇬🇧; GxP (US FDA CFR 21 Part 11) 🇺🇸; ICREA 🌐; IT Grundschutz 🇩🇪; MITA 3.0 (US Medicaid) 🇺🇸; MPAA 🇺🇸; NIST 🇺🇸; Uptime Institute Tiers 🌐; Cloud Security Principles 🇬🇧
  • 19. And provide resources to help you learn more about our controls. The AWS Artifact tool supports increased transparency. A portal that provides on-demand access to: • Information on AWS policies, processes, and controls • Documentation of controls relevant to specific AWS services • Validation that AWS controls are operating effectively. Customers can use the reports to align AWS controls to their own control frameworks, and verify that AWS controls are operating effectively. The AWS Compliance Center provides research on cloud regulations. The AWS Compliance Center provides a central location to research cloud regulations in specific countries and learn about AWS Compliance programs. https://www.atlas.aws/
  • 20. Workbooks and guidelines for national privacy considerations, government-issued compliance guidance, and best practices. APAC: • Financial Services Regulations Guidelines in Singapore • Hong Kong Insurance Authority Guide to Financial Services Regulations and Guidelines • Hong Kong Monetary Authority Guide to Financial Services Regulations & Guidelines • AWS User Guide to Banking Regulations & Guidelines in India • AWS User Guide to Financial Services Regulations & Guidelines in Australia • The APRA CPG 234 Workbook (available in the console from AWS Artifact) • The MAS TRM Guidelines Workbook (available in the console from AWS Artifact) • The HKMA TM-G1 Workbook (available in the console from AWS Artifact)
  • 22. Building a cloud control framework with AWS: Design control objectives; Repeat process throughout cloud journey to build a cloud control library; Classify solution and identify applicable risks, requirements, and regulations; Identify strategic objective(s) or solution(s); Conduct due diligence of AWS services; Document and implement enterprise, service, and workload controls; Verify control objectives are met and controls are operating effectively
  • 23. Assess AWS services and identify service-specific controls. Dedicated security chapters for over 40 AWS services: The AWS documentation for over 40 services now contains dedicated security chapters with information about topics such as: • Data Protection • Identity and Access Management • Logging and Monitoring • Compliance Validation • Resilience • Infrastructure Security • Configuration and Vulnerability Analysis • Security Best Practices. Directive: Cloud Service Policy; Detective Controls; Preventive Controls. OUTPUT: Documented Risk Position & Identified Security Configurations; APPROVED SERVICE & SERVICE-SPECIFIC CONTROLS
  • 24. The AWS Cloud Adoption Framework (AWS CAF). Capability: What a stakeholder executes to support the organization’s business strategy. Things you know: The knowledge used to execute the capability. Things you do: The processes used to execute the capability. Core 5 Security Epics. Learn more about the CAF online: https://d0.awsstatic.com/whitepapers/aws_cloud_adoption_framework.pdf
  • 25. Use AWS security services to implement and automate controls. Categories: Identity and Access Management; Detective control; Infrastructure security; Incident response; Data protection. New services: AWS Security Hub (Centrally view and manage security alerts and automate compliance checks); AWS Control Tower (Automates the set up and governance of a secure, compliant multi-account AWS environment). Services: AWS Identity & Access Management (IAM), AWS Single Sign-On, AWS Directory Service, Amazon Cognito, AWS Organizations, AWS Secrets Manager, AWS Resource Access Manager, AWS Security Hub, Amazon GuardDuty, AWS Config, AWS CloudTrail, Amazon CloudWatch, VPC Flow Logs, AWS Systems Manager, AWS Shield, AWS WAF – Web application firewall, AWS Firewall Manager, Amazon Inspector, Amazon Virtual Private Cloud (VPC), AWS Key Management Service (KMS), AWS CloudHSM, AWS Certificate Manager, Amazon Macie, Server-Side Encryption, Amazon S3 Object Lock, Amazon S3 Cross-Region Replication, AWS Backup, AWS Config Rules, AWS Lambda, AWS Personal Health Dashboard. AWS Cross Service Integration
  • 26. The fundamentals pattern of AWS cloud security. Data encryption: AWS Key Management Service (AWS KMS). Network security controls: Amazon Virtual Private Cloud (Amazon VPC)
  • 27. NIST Cybersecurity Framework (CSF)
      • The NIST CSF offers a simple, yet effective risk-based, outcome-focused framework consisting of three elements: core, tiers, and profiles.
          o Core (Identify, Protect, Detect, Respond, Recover): the core represents a set of cybersecurity practices, outcomes, and technical, operational, and managerial security controls (referred to as informative references) that support the five risk management functions
          o Tiers (Tier 1: Partial; Tier 2: Risk informed; Tier 3: Repeatable; Tier 4: Adaptive): tiers characterize an organization’s aptitude for managing cybersecurity risk
          o Profiles (Current, Target): profiles are intended to convey the organization’s as-is and desired risk postures
      These three elements enable organizations to prioritize and address cybersecurity risks consistent with their business and mission needs
  • 28. Aligning to the NIST CSF in the AWS Cloud
      How to use this resource
      • Executive level
          o Summary of AWS and customer responsibilities to align to each of the five functions in the CSF (identify, protect, detect, respond, and recover)
          o Third-party attestation
      • Technical level
          o Detailed mapping of AWS services and resources (beyond FedRAMP and ISO 27001)
          o Customer responsibilities
          o AWS responsibilities
  • 30. FINRA (Financial Industry Regulatory Authority)
      “I have come to realize that as a relatively small organization, we can be far more secure in the cloud and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested. We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.” —John Brady, CISO
      • Looks for fraud, abuse, and insider trading over nearly 6 billion shares traded in U.S. equities markets every day
      • Processes approximately 6 terabytes of data and 37 billion records on an average day
      • Went from 3–4 weeks for server hardening to 3–4 minutes
      • DevOps teams focus on automation and tools to raise the compliance bar and simplify controls
      • Achieved incredible levels of assurance for consistencies of builds and patching via rebooting with automated deployment scripts
  • 31. Online medical care scheduling
      “Previously all our servers were configured and updated by hand or through limited automation, we didn’t take full advantage of a configuration management…All our new services are built as stateless docker containers, allowing us to deploy and scale them easily using Amazon’s ECS.”
      “AWS allowed us to scale our business to handle 6 million patients a month and elevate our security—all while maintaining HIPAA compliance—as we migrated 100% to cloud in less than 12 months” —Brian Lozada, chief information security officer
      • Migrated all-in on AWS in under 12 months, becoming a HIPAA-compliant cloud-first organization
      • New York-based startup leveraged infrastructure as code to securely scale to 6 million patients per month
      • Data liberation—use data to innovate and drive more solutions for patients, reducing patient wait times from 24 days to 24 hours
      • Maintain end-to-end visibility of patient data using AWS
  • 32. Mobile top-up service
      “Amazon Web Services was the clear choice in terms of security and PCI DSS Level 1 compliance compared to an on-premises or co-location data center solution.”
      “Using AWS, we were able to design and launch a security-compliant solution in three months while reducing our capital expenses by 30 percent.” —Stefano Harak, online senior product manager
      • Vodafone Italy is a prominent player in the Italian mobile phone market with over 30 million users.
      • With a rise in SIM transactions, the company wanted to find a way to make it easier for customers to top up using a credit or debit card—and since each SIM card contains valuable personal information, that solution needed to be not only flexible, but also secure.
      • With AWS Cloud, Vodafone Italy was able to enable users to purchase credits online with strong security and be compliant with the Payment Card Industry Data Security Standard (PCI DSS).
      • With the muscle of the AWS cloud behind it, Vodafone easily managed top-up requests through the new service as it grew to several thousand daily and spread to multiple online channels, including social media platforms.
  • 34. Security and Compliance Technology Partner ecosystem: Data Protection and Encryption; Governance, Risk, and Compliance; Identity & Access Management; Host and Endpoint Security; Logging, Monitoring, Threat Detection, and Analytics; Detective (Some Responsive); Preventative; Compliance Archiving; Application Security; User External Network; Network and Infra Security; Vulnerability and Config Assessment
  • 35. Security and Compliance Consulting Partners: Security engineering; Governance, Risk, and Compliance; Security operations and automation
  • 36. Ready to start building?
      • Work with your AWS account team to understand how AWS can help you build secure, compliant workloads in the cloud.
      • Work with an APN Partner to integrate control monitoring with your existing on-premises solutions.
      • Contact the Professional Services Security and Compliance team to schedule a workshop with AWS Compliance specialists.
  • 37. Path to Production
      1. Identify & Engage Stakeholders
      2. Capability & Enablement
      3. Operational Model
      4. Security of the Cloud
      5. Security in the Cloud
      6. Regulations
      7. Legal Agreements
      8. Establish Security Controls (Prevent, Detect, Respond, Recover)
      9. Internal & External Assessment
      10. Regulator Approval or Notification
  • 38. Thank you!
      https://aws.amazon.com/security/
      https://aws.amazon.com/compliance/
      https://aws.amazon.com/products/security/
      Michael Chen, cxiaowei@amazon.com
  • 39. Identity & access management
      Define, enforce, and audit user permissions across AWS services, actions, and resources
      • AWS Identity and Access Management (IAM): securely control access to AWS services and resources
      • AWS Single Sign-On (SSO): centrally manage SSO access to multiple AWS accounts & business apps
      • AWS Directory Service: managed Microsoft Active Directory in the AWS Cloud
      • Amazon Cognito: add user sign-up, sign-in, and access control to your web/mobile apps
      • AWS Organizations: policy-based management for multiple AWS accounts
      • AWS Secrets Manager: easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle
      • AWS Resource Access Manager: simple, secure service to share AWS resources
  • 40. Detective controls
      Gain the visibility you need to improve your security posture, reduce the risk profile of your environment, and spot issues before they impact the business
      • AWS Security Hub: centrally view & manage security alerts and automate compliance checks
      • Amazon GuardDuty: intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
      • AWS Config: record and evaluate configurations of your AWS resources to enable compliance auditing, resource change tracking, and security analysis
      • AWS CloudTrail: track user activity and API usage to enable governance, compliance, and operational/risk auditing of your AWS account
      • Amazon CloudWatch: complete visibility of your cloud resources and applications to collect metrics, monitor log files, set alarms, and automatically react to changes
      • VPC Flow Logs: capture info about the IP traffic going to and from network interfaces in your VPC; flow log data is stored using Amazon CloudWatch Logs
  • 41. Infrastructure protection
      Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS
      • AWS Systems Manager: easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems
      • AWS Shield: managed DDoS protection service that safeguards web applications running on AWS
      • AWS WAF—Web application firewall: protects your web applications from common web exploits ensuring availability and security
      • AWS Firewall Manager: centrally configure and manage AWS WAF rules across accounts and applications
      • Amazon Inspector: automates security assessments to help improve the security and compliance of applications deployed on AWS
      • Amazon Virtual Private Cloud (Amazon VPC): provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define
  • 42. Data protection
      In addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage)
      • AWS Key Management Service (AWS KMS): easily create and control the keys used to encrypt your data
      • AWS CloudHSM: managed hardware security module (HSM) on the AWS Cloud
      • AWS Certificate Manager: easily provision, manage, and deploy SSL/TLS certificates for use with AWS services
      • Amazon Macie: machine learning-powered security service to discover, classify, and protect sensitive data
      • Server-side encryption: flexible data encryption options using AWS service-managed keys, AWS-managed keys via AWS KMS, or customer-managed keys
  • 43. Incident response
      During an incident, containing the event and returning to a known good state are important elements of a response plan; AWS provides these tools to automate aspects of this best practice
      • AWS Config Rules: create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known good state
      • AWS Lambda: use our serverless compute service to run code without provisioning or managing servers so you can scale your programmed, automated response to incidents