Contenu connexe Similaire à Introduction to AWS Security (20) Plus de Amazon Web Services (20) Introduction to AWS Security1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Security and Compliance
An Overview
Tzoori Tamam
Solutions Architect
2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Why is security traditionally so hard?
Lack of
visibility
Low degree
of automation
3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
ORMove fast Stay secure
Before…
4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
ORANDMove fast Stay secure
Now…
5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automate
with deeply
integrated
security services
Inherit
global
security and
compliance
controls
Highest
standards
for privacy
and data
security
Largest
network
of security
partners and
solutions
Scale with
superior visibility
and control
Move to AWS
Strengthen your security posture
6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The security paradigm shifted
On AWSOn-premises
Big Perimeter
End-to-End Ownership
Build it all yourself
Server-centric approach
De-centralised Administration
Focus on physical assets
Multiple (manual) processes
Micro-Perimeters
Own just enough
Focus on your core values
Service-Centric approach
Central control plane (API)
Focus on protection and data
Everything is automated
7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Our data centers provide
protection at every layer:
ü Perimeter Layer
ü Infrastructure Layer
ü Data Layer
ü Environmental Layer
Our Data Centers
https://aws.amazon.com/compliance/data-center/data-centers/
Take a virtual tour:
8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ø ACCESS IS SCRUTINIZED
Ø ENTRY IS CONTROLLED AND MONITORED
Ø AWS DATA CENTER WORKERS ARE SCRUTINIZED, TOO
Ø MONITORING FOR UNAUTHORIZED ENTRY
Ø AWS SECURITY OPERATIONS CENTERS MONITORS GLOBAL SECURITY
Perimeter Layer
9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ø LAYER-BY-LAYER ACCESS REVIEW
Ø MAINTAINING EQUIPMENT IS A PART OF REGULAR OPERATIONS
Ø EMERGENCY-READY BACKUP EQUIPMENT
Infrastructure Layer
10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ø TECHNOLOGY AND PEOPLE WORK TOGETHER FOR ADDED SECURITY
Ø PREVENTING PHYSICAL AND TECHNOLOGICAL INTRUSION
Ø SERVERS AND MEDIA RECEIVE EXACTING ATTENTION
Ø THIRD-PARTY AUDITORS VERIFY OUR PROCEDURES AND SYSTEMS
Data Layer
11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ø PREPARED FOR THE UNEXPECTED
Ø HIGH AVAILABILITY THROUGH MULTIPLE AVAILABILITY ZONES
Ø SIMULATING DISRUPTIONS & MEASURING OUR RESPONSE
Ø GREENER IN THE AWS CLOUD
Environmental Layer
12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Inherit global security and compliance controls
13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Encryption at scale
with keys managed by
our AWS Key Management
Service (KMS) or managing
your own encryption keys
with Cloud HSM using
FIPS 140-2 Level 3
validated HSMs
Meet data
residency
requirements
Choose an AWS Region
and AWS will not replicate
it elsewhere unless you
choose to do so
Access services and tools
that enable you to
build compliant
infrastructure
on top of AWS
Comply with local
data privacy laws
by controlling who
can access content, its
lifecycle, and disposal
Highest standards for privacy
14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Infrastructure
security
Logging
& monitoring
Identity &
access control
Configuration
& vulnerability
analysis
Data
protection
Largest ecosystem
of security partners and solutions
Infrastructure
security
15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security
engineering
Governance, risk &
compliance
Security operations
& automation
Consulting competency partners
with demonstrated expertise
Security
engineering
16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Scale with visibility and control
17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“Security OF the Cloud” - AWS is responsible for protecting the
infrastructure that runs all of the services offered in the AWS Cloud.
“Security IN the Cloud” - Customer responsibility will be determined
by the AWS Cloud services that a customer selects.
Shared
Responsibility
Model
18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Foundation Services
Compute Storage Database Networking
Infrastructure
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers are
responsible for
end-to-end security
in their on-premise
data centers
Traditional On-Premise Security Model
19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Foundation Services
Compute Storage Database Networking
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
AWS Global
Infrastructure
Regions
Availability Zones
Edge Locations
Customer’s
responsibility
AWS takes over
responsibility from
customers
AWS Security Model when using Infrastructure Services (EC2 instances)
20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Foundation Services
Compute Storage Database Networking
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
AWS Global
Infrastructure
Regions
Availability Zones
Edge Locations
Customer’s
responsibility
AWS takes over
responsibility from
customers
AWS Security Model when using Abstract Services (managed services)
21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Identity & Access
Management (IAM)
AWS Organizations
AWS Cognito
AWS Directory Service
AWS Secrets Manager
AWS Single Sign-On
AWS CloudTrail
AWS Config
Amazon
CloudWatch
Amazon GuardDuty
VPC Flow Logs
Security Hub
AWS Systems Manager
AWS Shield
AWS WAF – Web
application firewall
AWS Firewall Manager
Amazon Inspector
Amazon Virtual Private
Cloud (VPC)
AWS Key Management
Service (KMS)
AWS CloudHSM
Amazon Macie
AWS Certificate Manager
Server-Side Encryption
AWS Config Rules
AWS Lambda
Identity
Detective
control
Infrastructure
security
Incident
response
Data
protection
AWS security solutions
https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Identity and Access Management (IAM)
Securely control access to AWS services and resources
AWS Organizations
Policy-based management for multiple AWS accounts
Amazon Cognito
Add user sign-up, sign-in, and access control to your web
and mobile apps
AWS Directory Service
Managed Microsoft Active Directory in the AWS Cloud
AWS Secrets Manager
Easily rotate, manage, and retrieve database credentials, API keys,
and other secrets through their lifecycle
AWS Single Sign-On
Centrally manage single sign-on (SSO) access to multiple AWS
accounts and business applications
Define, enforce, and audit
user permissions across
AWS services, actions
and resources.
Identity & access
management
Identity and access
management
23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS CloudTrail
Enable governance, compliance, and operational/risk auditing of your
AWS account
AWS Config
Record and evaluate configurations of your AWS resources. Enable
compliance auditing, security analysis, resource change tracking, and
troubleshooting
Amazon CloudWatch
Monitor AWS Cloud resources and your applications on AWS to
collect metrics, monitor log files, set alarms, and automatically
react to changes
Amazon GuardDuty
Intelligent threat detection and continuous monitoring to protect
your AWS accounts and workloads
VPC Flow Logs
Capture information about the IP traffic going to and from network
interfaces in your VPC. Flow log data is stored using Amazon
CloudWatch Logs
Gain the visibility you need
to spot issues before they
impact the business, improve
your security posture, and
reduce the risk profile of
your environment.
Detective
control
24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Systems Manager
Easily configure and manage Amazon EC2 and on-premises systems to
apply OS patches, create secure system images, securely connect to
servers, and configure secure operating systems
AWS Shield
Managed DDoS protection service that safeguards web applications
running on AWS
AWS WAF – Web application firewall
Protects your web applications from common web exploits ensuring
availability and security
AWS Firewall Manager
Centrally configure and manage AWS WAF rules across accounts and
applications
Amazon Inspector
Automates security assessments to help improve the security and
compliance of applications deployed on AWS
Amazon Virtual Private Cloud (VPC)
Provision a logically isolated section of AWS where you can launch AWS
resources in a virtual network that you define
Reduce surface area to manage
and increase privacy for and
control of your overall
infrastructure on AWS.
Infrastructure
security
25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Key Management Service (KMS)
Easily create and control the keys used to encrypt your data
AWS CloudHSM
Managed hardware security module (HSM) on the AWS Cloud
Amazon Macie
Machine learning-powered security service to discover, classify, and
protect sensitive data
AWS Certificate Manager
Easily provision, manage, and deploy SSL/TLS certificates for use
with AWS services
Server-Side Encryption
Flexible data encryption options using AWS service managed keys,
AWS managed keys via AWS KMS, or customer managed keys
In addition to our automatic
data encryption and
management services,
employ more features for
data protection.
(including data management, data
security, and encryption key storage)
Data
protection
26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Config Rules
Create rules that automatically take action in response to changes in your
environment, such as isolating resources, enriching events with additional
data, or restoring configuration to a known-good state
AWS Lambda
Use our serverless compute service to run code without provisioning or
managing servers so you can scale your programmed, automated
response to incidents
During an incident, containing
the event and returning to a
known good state are important
elements of a response plan.
AWS provides the following
tools to automate aspects of
this best practice.
Incident
response
27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“I have come to realize that as a relatively small organization, we can be far more secure in the cloud
and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested.
We determined that security in AWS is superior to our on-premises data center across several
dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”
• Looks for fraud, abuse, and insider trading over
nearly 6 billion shares traded in U.S. equities
markets every day
• Processes approximately 6 terabytes of data
and 37 billion records on an average day
• Went from 3–4 weeks for server hardening
to 3–4 minutes
• DevOps teams focus on automation and tools to raise
the compliance bar and simplify controls
• Achieved incredible levels of assurance for
consistencies of builds and patching via rebooting
with automated deployment scripts
—John Brady, CISO FINRA
Financial industry regulatory authority
28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“Previously all our servers were configured and updated by hand or through limited automation, we didn’t
take full advantage of a configuration management …All our new services are built as stateless docker
containers, allowing us to deploy and scale them easily using Amazon’s ECS.”
“AWS allowed us to scale our business to handle 6 million patients a month and elevate our security
—all while maintaining HIPAA compliance-–as we migrated 100% to cloud in less than 12 months”
• Migrated all-in on AWS in under
12 months, becoming a HIPAA compliant
cloud-first organization
• New York based startup leveraged infrastructure
as code to securely scale to 6 million patients
per month
• Data liberation—use data to innovate and drive
more solutions for patients, reducing patient
wait times from 24 days to 24 hours
• Maintain end to end visibility of patient data
using AWS
Online medical care scheduling
29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you
https://aws.amazon.com/security/
https://aws.amazon.com/compliance/
https://aws.amazon.com/products/security
Tzoori Tamam
tzoorit@amazon.com