Intro & Security Update

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
December 1st 2015
AWS Data Security
Security Update

Data Security Agenda
1:00 pm – AWS Security Overview + What’s New
2:00 pm – Network Security & Access Control in AWS
2:55 pm – Refreshment Break (15 minutes)
3:10 pm – Protecting Your Data in AWS
4:10 pm – Securing Systems at Cloud Scale
5:00 pm – Closing Remarks + Open Q&A

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Security Overview
+
What’s New

AWS Security Team
Operations
Application Security
Engineering
Security Assurance
Aligned for agility

Security ownership as part of DNA
• Promotes culture of “everyone is an owner” for security
• Makes security a stakeholder in business success
• Enables easier and smoother communication
Distributed Embedded

Operating principles
Separation of duties
Different personnel across service lines
Least privilege

Technology to automate operational principles
Visibility through automation
Shrinking the protection boundaries
Ubiquitous encryption

Intro to AWS
11 Regions
30 Availability Zones
53 Edge Locations
Over 1 Million Active Customers
Across 190 Countries
Everyday, AWS adds enough new server capacity to support Amazon.com
when it was a $7 billion global enterprise.

A European view of Cloud
• Regions:
– Dublin (EU-West) – 3 x Availability Zones
• Launched in 2007
– Frankfurt (EU-Central) – 2 x Availability Zones
• Launched in 2014
• Edge Locations:
– Amsterdam, The Netherlands (2), Dublin, Ireland, Frankfurt,
Germany (3), London, England (3), Madrid, Spain, Marseille,
France, Milan, Italy, Paris, France (2), Stockholm, Sweden, and
Warsaw, Poland
• Direct Connect POPs:
– Dublin, London, Frankfurt

Data Locality
Customer chooses where to place data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and doesn’t
move unless you choose to move it

AWS Global Infrastructure
Your Applications
Regions Availability Zones Edge Locations
Foundation
Services
Application
Services
Deployment &
Management
Compute Storage Networking Databases
Content Delivery Applications Distributed Computing Libraries & SDK’s
EC2 S3 EBS Glacier Storage
Gateway
VPC Direct
Connect
ELB Route53 RDS ElastiCacheDynamo RedShift
CloudFront SES SNS SQS Elastic
Transcoder
CloudSearch SWF EMR
CloudWatch
Monitoring
BeanStalk OpsWorks Cloud
Formation
DataPipe
Deployment & Automation
IAM Federation
Identity & Access
Management
Console
Billing
Web Interface Human Interaction
Mechanical
Turk
Enterprise
Applications
Workspaces Zocalo
Virtual Desktop Document Collaboration
Overview of AWS Services

How does a customer interact with AWS
services?
Common Protocols
• SSH, RDP, HTTP, SSL, SQL etc
API Calls
(Management Console, SDKs, Unified CLI)
• S3, EC2, RDS

API Calls
• Authentication is provided by IAM (Identity Access Management)
• API calls are secured within an TLS connection
• API Calls are made to AWS Service endpoints deployed globally
• A full list of endpoints available here:
– http://docs.aws.amazon.com/general/latest/gr/rande.html
• AWS Unified CLI
– aws ec2 start-instances
– aws ec2 stop-instances
– aws s3 ls
– aws s3 cp <source> <destionation>

Lets look at how customers traditionally manage IT

Core Services
Server Storage Networking
Platform & Applications Management
Customer Data
Customer view
Customer Responsibility:
- Data & Network
Protection
- High Availability
- Disaster Recovery
- Backup
- Scalability
- Audit
Operating System
Data Centre
HVAC UPS Security
Data Encryption
Data
Integrity/Backup
Network Protection
Management,Monitoring&Logging

AWS Shared Responsibility Model
Lets talk about Security within the Cloud and who is responsible for which parts?
Security OF the Cloud
vs
Security IN the Cloud

AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Customer content
Customers
AWS Shared Responsibility Model:
for Infrastructure Services
Managed by
Managed by
Client-Side Data encryption
& Data Integrity Authentication
Network Traffic Protection
Encryption / Integrity / Identity
AWSIAM
CustomerIAM
Operating System, Network & Firewall Configuration
Server-Side Encryption
File System and/or Data
APIEndpoint

Infrastructure Service
Example – EC2
• AWS Responsibility:
• Foundational Services – Networking, Compute, Storage
• AWS Global Infrastructure
• AWS IAM
• AWS API Endpoints
•Customer Responsibility:
• Customer Data
• Customer Application/Platform
• Operating System
• Network & Firewall
• Customer IAM
• High Availability, Scaling
• Instance Management,
• Data Protection (Transit, Rest, Backup)

AWS Global
Availability Zones
Edge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Firewall
Configuration
Operating System, Network Configuration
Customer content
Customers
for Container Services
Managed by
Managed by
Client-Side Data encryption
Network Traffic Protection
Encryption / Integrity / Identity
APIEndpointCustomerIAM
AWSIAM

Example – RDS
• AWS IAM
• Platform / Application
• Customer Data
• Firewall (VPC)
• Customer IAM (DB Users, Table Permissions)
• High Availability
• Data Protection (Transit, Rest, Backup)
• Scaling

AWS Global
Availability Zones
Edge Locations
Operating System, Network & Firewall Configuration
Customer content
Customers
for Abstract Services
Managed by
Managed by
Optional – Opaque Data: 1’s and
0’s
(in flight / at rest)
Data Protection by the Platform
Protection of Data at Rest
Network Traffic Protection by the Platform
Protection of Data at in Transit
Client-Side Data Encryption
APIEndpoint
AWSIAM

Example – S3
• AWS IAM
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
• Customer Data
• Data Protection

Shared Responsibility
Summary of Security IN the Cloud (Customer Responsibility
Infrastructure Services
Applications
Operating System
Container Services Abstract Services
Networking/Firewall
Data
Customer IAM
AWS IAM
Networking/Firewall
Data
AWS IAM
Data
Customer IAM
AWS IAM

What about Security OF the Cloud?
Shared Responsibility

Security Shared Responsibility Model
Compute Storage Database Network
AWS Global
Infrastructure
Regions
AWS is responsible
for the security OF
the cloud
AWS
Availability Zones Edge Locations

on AWS
•Start on base of accredited services
•Functionally necessary – high watermark of
requirements
•Audits done by third party experts
•Accountable to everyone
•Continuous monitoring
•Compliance approach based on all workload
scenarios
•Security innovation drives broad compliance
on-Prem
• Start with bare concrete
• Functionally optional
– (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation
Auditing - Comparison
on-Prem vs on AWS

What this means
• You benefit from an environment built for the most security sensitive
organizations
• AWS manages 1,800+ security controls so you don’t have to
• You get to define the right security controls for your workload
sensitivity
• You always have full ownership and control of your data

AWS Assurance Program Updates
SOC:
New services in scope after successful assessment
KMS, Workspace, SES
PCI:
New services in scope after achieving PCI DSS 3.1 certification
KMS, Cloudtrail, Cloudfront
ISO 27017:
International code of practice focusing on Cloud providers
ISO 27018:
International code of practice that focuses on protection of PII in the cloud.

AWS Global
Availability Zones
Edge Locations
Your own
accreditation
Meet your own security objectives
Your own
certifications
Your own
external audits Customer scope and
effort is reduced
Better results
through focused
efforts
Built on AWS
consistent baseline
controls
Customers

Why AWS?
How AWS Security features and services
can help our Customers

Amazon Inspector (Preview)
Security assessment tool analyzing end-to-end
application configuration and activity

Why Amazon Inspector?
Applications testing key to moving fast but staying safe
Security assessment highly manual, resulting in delays or
missed security checks
Valuable security subject matter experts spending too
much time on routine security assessment

Amazon Inspector features
Configuration Scanning Engine
Activity monitoring
Built-in content library
Automatable via API
Fully auditable

Amazon Inspector rulesets
CVE
Network Security Best Practices
Authentication Best Practices
Operating System Best Practices
Application Security Best Practices
PCI DCSS 3.0 Readiness

Detailed remediation recommendations

AWS WAF features
Web filtering
Amazon CloudFront integration
Centralized rule management
Real-time visibility
API automation

AWS WAF benefits
Increased protection
against web attacks
Ease of deployment and
maintenance
Security embedded in
development process

AWS WAF in action
AWS Management
ConsoleAdmins
Developers AWS API
Web app in
CloudFront
Define rules
Deploy
protection
AWS WAF

AWS WAF Partner integrations
• Alert Logic, Trend Micro, and Imperva integrating with AWS WAF
• Offer additional detection and threat intelligence
• Dynamically modify rulesets of AWS WAF for increased protection

Fully managed service which provides:
• An Inventory of your AWS resources
• Lets you audit the resource configuration
history
• Notifies you of resource configuration
changes
• Logs are placed in customer defined S3
bucket
AWS Config

AWS Config Rules features
Flexible rules evaluated continuously and
retroactively
Dashboard and reports for common goals
Customizable remediation
API automation

AWS Config Rules – example rules
Is Cloudtrail Enabled?
Are in-use volumes encrypted?
Are resources appropriately tagged?
Is incoming SSH disabled?
Are instanced running in the correct VPC?
Are Elastic IPs attached to the correct EC2 instances?

AWS Config Rules
Broad ecosystem of solutions

AWS Config Rules benefits
Continuous monitoring for
unexpected changes
Shared compliance
across your organization
Simplified management of
configuration changes

Evolution of security & compliance at AWS
AWS
certifications
Customer
enabler docs
Customer
case studies
Security by
Design
(SbD)
AWS
CloudTrailAWS
CloudHSM
AWS IAM
AWS KMS
AWS
Config

Security by Design - SbD
Security by Design (SbD) is a modern, security
assurance approach that formalizes AWS
account design, automates security controls, and
streamlines auditing.
It is a systematic approach to ensure security;
instead of relying on after-the-fact auditing, SbD
provides control insights throughout the IT
management process.
AWS
CloudTrail
AWS
CloudHSM
AWS IAM
AWS KMS
AWS
Config

Putting it all together (SbD)
Build your AWS
applications
using Security by
Design
Continuous
Compliance
through Config
Rules
Continuous
Compliance
through
Inspector
Customer
Workload

New security training
Training
Security Fundamentals on AWS
– Free online course for Security
Auditors, Analysts and Management
– 5 modules over 3 hours
 Progress is saved
Details at aws.amazon.com/training

New security training
Training
Security Operations on AWS
– 3 day class for:
 Security Engineers/Architects
 Security Analysts and Auditors
– 11 modules with X Labs
Details at aws.amazon.com/training

• Infrastructure Security – gateway, firewall, router, WAF, network, UTM
• Identity & Access Control - allowed/authorized access
• Logging & Monitoring - SIEM/ Governance, Risk, & Compliance (GRC)
• Configuration & Vulnerability Analysis – scanning/pen testing and
IPS/IDS
• Data Protection - DRM/DLP/Encryption
• Threat Analytics - continuous monitoring
AWS Marketplace
Offers customers a choice of security configurations IN the Cloud

AWS Marketplace Network/Security Partner Eco-system
Infrastructure
Security
Logging &
Monitoring
Identity &
Access Control
Configuration &
Vulnerability
Analysis
Data
Protection
SaaS
SaaS
SaaS

Getting help - Trusted Advisor
Performs a series of security
configuration checks of your AWS
environment:
----------------
• Open ports
• Unrestricted access
• IAM use
• CloudTrail Logging
• S3 Bucket Permissions
• Multi-factor authentication
• Password Policy
• DB Access Risk
• DNS Records
• Load Balancer configuration

Getting Help - AWS Auditing Checklists

Getting help - AWS Compliance:
Workbooks
• IT Grundschutz (TUV Trust IT)
• CESG UK Security Principles
• PCI Workbook – Anitian
• Audit Checklists
Whitepapers
• EU Data Protection
• Risk & Compliance
• Overview of Security Processes
• FERPA
FAQs
• PCI, HIPAA, EU Data Protection, ISO 27001, 9001 etc…
Training
• eLearning – Security Fundamentals – 3hour free online course
• Instructor Lead Training – 3day course for Security Professionals
• Qwiklabs - Security & Auditing Self Paced Lab
Blogs
• http://blogs.aws.amazon.com/security/

Getting help - Resources
Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Center Website: https://aws.amazon.com/compliance
Security Center: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
AWS Audit Training: awsaudittraining@amazon.com
AWS Security Training: https://aws.amazon.com/blogs/aws/new-aws-security-courses/

Intro & Security Update

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Intro & Security Update

Similaire à Intro & Security Update (20)

Plus de Amazon Web Services

Plus de Amazon Web Services (20)

Dernier

Dernier (20)

Intro & Security Update