AWS Security from A-Z: Governance & Compliance in VPC

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security From A-Z: Governance &
Compliance in your VPC
Stephen McDermid
Sr. Solution Architect - Security & Compliance

© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
All AWS customers benefit from a data center and network architecture
built from the ground up to satisfy the requirements of the most security-
sensitive organizations.
At AWS, cloud security is job zero
Designed for
Security
Constantly
Monitored
Highly
Available
Constantly
Accredited
Highly
Automated
https://aws.amazon.com/security/
https://aws.amazon.com/compliance

AWS Global Infrastructure
21 Regions – 66 Availability Zones – 180 Points of Presence
Region & Number of Availability Zones
AWS GovCloud (3) 2X EU
Ireland (3)
US West Frankfurt (3)
Oregon (3) London (3)
Northern California (3) Paris (3)
Stockholm (3)
US East
N. Virginia (6), Ohio (3) Asia Pacific
Singapore (3)
Canada Sydney (3), Tokyo (4),
Central (2) Seoul (2), Mumbai (2)
Osaka-Local (1)
South America China
São Paulo (3) Beijing (2)
Ningxia (3)
Announced Regions
Bahrain, Hong Kong SAR, Cape Town, Milan

PoPs in Europe / Middle East / Africa
Europe (Ireland) Region
AZs: 3 - Launched 2007
Europe (London) Region
Europe (Frankfurt) Region
Europe (Paris) Region
AWS Edge Network Locations
Edge locations - Amsterdam, The Netherlands (2); Berlin, Germany (2); Cape
Town, South Africa; Copenhagen, Denmark; Dubai, United Arab Emirates; Dublin,
Ireland; Frankfurt, Germany (8); Fujairah, United Arab Emirates; Helsinki, Finland;
Johannesburg, South Africa; London, England (9); Madrid, Spain (2); Manchester,
England; Marseille, France; Milan, Italy; Munich, Germany (2); Oslo, Norway;
Palermo, Italy; Paris, France (4); Prague, Czech Republic; Stockholm, Sweden (3);
Vienna, Austria; Warsaw, Poland; Zurich, Switzerland
Regional Edge Caches - Frankfurt, Germany; London, England
Direct Connect Locations: https://aws.amazon.com/directconnect/features/
Europe (Stockholm) Region

Zoom In: AWS Region
Zoom In: AWS AZ
Sample Region
Datacenter Datacenter
Datacenter
Sample Availability Zone
Availability
Zone B
Availability
Zone A
Availability
Zone C
• Independent Geographic Areas, isolated from other Regions (security boundary)
• Customer chooses in which Region(s) to deploy services
• Regions are comprised of multiple Availability Zones (AZs), which enables the deployment of High-
Availability Architecture
• AZs are Independent Failure Zones; Physically separated; On separate Low Risk Flood Plains
• Discrete Uninterruptible Power Supply (UPS); Onsite backup generation facilities
• DCs in AZ less than ¼ ms apart
• Each AZ is 1 or more DC
• No data center is in two AZs
• Some AZs have as many as 6 DCs

Example AWS Region
AZ
AZ
AZ AZ AZ
Transit
Transit
• Mesh of Availability Zones (AZ) and Transit
Centers
• Redundant paths to transit centers
• Transit centers connect to:
– Private links to other AWS regions
– Private links to customers
– Internet through peering & paid transit
• Metro-area DWDM links between AZs
• 82,864 fiber strands in region
• AZs <2ms apart & usually <1ms
• 25Tbps peak inter-AZs traffic

Amazon Global Network
• Redundant 100GbE network
• Redundant private capacity
between all Regions except China

Direct Connect Gateway
• Customers reach every AWS
region from the local
Direct Connect location

Why have a backbone network?
Security
Traffic traverses our
infrastructure rather than the
internet
Availability
Controlling scaling and
redundancy
Traffic operates over Amazon-
controlled infrastructure
Reliable performance
Controlling specific paths
customer traffic traverses
Connecting closer to customers
Avoiding internet “hot spots” or
sub-optimal external
connectivity
All commercial Region-to-Region traffic
traverses the backbone except China

24
48
61
82
159
280
516
722
1017
1430
1,957
0 300 600 900 1200 1500 1800 2100
1
2
3
4
5
6
7
8
9
10
11
Pace of innovation | Launches

Adopting AWS you can…
…concentrate on securing your own application, using automation and many built-
in security tools designed to meet the most stringent regulations and requirements
+ =
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
• Extensive set of security services
• Extensive assurance program
• Network configuration
• Security groups
• OS / Network firewalls
• Operating systems security
• Application security
• Proper service configuration
• AuthN and account management
• Authorization policies
• Data Security
• Operational Security Automation
More secure and
compliant
systems

More secure in the cloud
AWS customers tell us that the workloads they have
running in AWS are more secure than the workloads they
are running on premise.
"I have come to realize that as a relatively small organization, we can be far more secure in the cloud
and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested.
We determined that security in AWS is superior to our on-premises data center across several
dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.” -
John Brady, CISO FINRA
What key AWS features are these customers using to
achieve this?

Common Security Enablers
Visibility &
Knowledge
Automation /
Repeatable
Processes
Cross-team /
cross-process
synchronisation
Fast
Implementation /
Reaction Time

Advantages to the API
• Authoritative - The interface to, and between, AWS services
• Auditable – always know what, and who, is doing what
• Secure – verified integrity, authenticated, no covert channels
• Fast - can be read and manipulated in sub-second time
• Precise – defines the state of all infrastructure and services
• Evolving – continuously improving
• Uniform - provides consistency across disparate components
• Automatable - Enables some really cool capabilities

Automate
with deeply
integrated
security services
Inherit
global
security and
compliance
controls
Highest
standards
for privacy
and data
security
Largest
network
of security
partners and
solutions
Scale with
superior visibility
and control
Move to AWS
Strengthen your security posture

The status (knowledge), and control (automation), of the ENTIRE
infrastructure one click of a mouse, or API call, away
Security policies for the whole system (in code not paper) constantly
and automatically evaluated (visibility, synchronization, time)
Consistent tooling and processes, and built-in solutions, for the whole
environment using a common interface
Detection and/or reaction time reduced to seconds
Ubiquitous encryption, in transit, at rest, AWS-managed, customer-
managed, and with customer imported keys
Some of the AWS security enablers…

Immutable systems and/or Self-healing infrastructures (that
automatically protects from attacks)
Focus on security applications and business assets (instead of
managing the infrastructure necessary to manage security)
Improved security whilst reducing complexity in a standardised manner
Comply with new regulations easily and with low cost
Laser-focused, incremental, changes or improvements without impacting
other controls/workloads
Providing things such as…

And also…
Dedicated, programmable hardware (FPGAs) and GPUs for HPC
and/or security applications
Edge computing, for either:
• Connected devices controlled by the customers
• Local (customer premises) workloads in remote or offline location
• AWS Edge locations
ML, AI, IoT, Serverless computing
https://aws.amazon.com/stateandlocal/justice-and-public-safety/
https://aws.amazon.com/smart-cities/

The security paradigm shifted
On AWSOn-premises
Big Perimeter
End-to-End Ownership
Build it all yourself
Server-centric approach
De-centralised Administration
Focus on physical assets
Multiple (manual) processes
Micro-Perimeters
Own just enough
Focus on your core values
Service-Centric approach
Central control plane (API)
Focus on protection data
Everything is automated

SecurityAssurance - Comparison
Start with bare concrete
Periodic checks
Workload-specific compliance
Must keep pace and invest in
security innovation
Heterogeneous governance
processes and tools
Typically reactive
Start on accredited services
Continuous monitoring
Ubiquitous compliance
Integrated Security innovation
drives broad compliance
Integrated governance
processes and tools
Focus on prevention
On AWSOn-premises

“CIOs and CISOs need to stop obsessing over
unsubstantiated cloud security worries, and instead
apply their imagination and energy to developing new
approaches to cloud control, allowing them to securely,
compliantly, and reliably leverage the benefits of this
increasingly ubiquitous computing model.”
Source: Clouds Are Secure: Are You Using Them Securely?

The shared responsibility model
RESPONSIBLE FOR
SECURITY
“IN” THE CLOUD
RESPONSIBLE FOR
SECURITY
“OF” THE CLOUD
SOFTWARE
HARDWARE / AWS GLOBAL INFRASTRUCTURE

Security OF the
Cloud

Global Certifications
GLACIER VAULT LOCK
& SEC RULE 17A-4(F)
SOC 1
SOC 2
SOC 3
PSN

Self-service Compliance Reports – AWS Artifact
e-NDA

How do we do it?
100+
services
Controls,
Artefacts, Audits
Thousands of Controls, Artefacts, Audit requirements
Set on the highest bar,
standardisation and automation

Data Security &
Privacy

Overview
Customer chooses where to place data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and
doesn’t move unless customer chooses to move it
Customers manage access to their customer content
and AWS services and resources
Customers choose how their content is secured
https://aws.amazon.com/compliance/data-privacy-faq/

In-Country vs. EU vs. Global
Unless there is a specific need to comply with a local law or regulation, customers
can run workloads anywhere in Europe - because of AWS compliance with the
GDPR Regulation (EU) 2016/679 as a processor.
And with our EU-approved Data Processing Addendum and ‘Model Clauses’, AWS
customers can continue to run their global operations outside EU (including in US)
in full compliance with EU law - as confirmed by the Article 29 Working Party
The AWS Data Processing Addendum is available to all AWS customers that are
processing personal data whether they are established in Europe or a global
company operating in the European Economic Area
As discussed, customer – as the sole owner of their content - are still responsible
for classifying their data and deciding how it is protected
Data Residency whitepaper: https://d1.awsstatic.com/whitepapers/compliance/Data_Residency_Whitepaper.pdf

Security IN the
Cloud

AWS Identity & Access
Management (IAM)
AWS Organizations
AWS Cognito
AWS Directory Service
AWS Single Sign-On
AWS Secret Manager
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
AWS Security Hub
Amazon EC2
Systems Manager
AWS Shield
AWS Web Application
Firewall (WAF)
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
AWS Key Management
Service
AWS CloudHSM
Server/Client Side
Encryption
Amazon Macie
AWS Certificate
Manager
AWS Config Rules
AWS Lambda
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
AWS security solutions
AWS CAF Security Perspective:
https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf

Access a deep set of cloud security tools
Encryption & Data Protection
Networking & Infrastructure Monitoring & Governance
Identity & Access Management
Security
Groups
Endpoints
g
VPN
Gateway
Customer
gateway
Internet
gateway
Network access
control list
Route
table
Alarm Rule AutomationInventory Parameter
Store
Patch
manager
Run
command
State
manager
Change
set
Checklist
security
Flow logs
Checklist
AWS
Organizations
AWS
STS
Temporary
security
credential
Permissions Long-term
security
credential
MFA
token
Role Federation Data
encryption
key
SAML, OAuth
OpenID
Connect
Template
Server-Side
Encryption
Client-Side
Encryption

Governance

Largest ecosystem
of security partners and solutions

Consulting competency partners
with demonstrated expertise

Thank you!

AWS Security from A-Z: Governance & Compliance in VPC

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à AWS Security from A-Z: Governance & Compliance in VPC

Similaire à AWS Security from A-Z: Governance & Compliance in VPC (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

AWS Security from A-Z: Governance & Compliance in VPC