2. Different customer viewpoints on security
• PR exec: keep out of the news
• CEO: protect shareholder value
• CISO: preserve the confidentiality, integrity and availability of data
3. Security is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
• People & Procedures
• Network Security
• Physical Security
• Platform Security
23. You are making API calls on a growing set of services around the world… CloudTrail is continuously recording those API calls and delivering log files to you.
24. Security Analysis
Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track Changes to AWS Resources
Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational Issues
Quickly identify the most recent changes made to resources in your environment.
Compliance Aid
Easier to demonstrate compliance with internal policies and regulatory standards.
25. ‣ CloudTrail records API calls and delivers a log file to your S3 bucket.
‣ Typically, delivers an event within 15 minutes of the API call.
‣ Log files are delivered approximately every 5 minutes.
‣ Multiple partners offer integrated solutions to analyze log files.
33. Defense in Depth
Multi level security
• Physical security of the data centers
• Network security
• System security
• Data security
34. AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs
• Defense in depth
• Rapid scale for security
• Automated checks with AWS Trusted Advisor
• Fine grained access controls
• Server side encryption
• Multi-factor authentication
• Dedicated instances
• Direct connection, Storage Gateway
• HSM-based key storage
(Services pictured: AWS CloudHSM, AWS IAM, Amazon VPC, AWS Direct Connect, AWS Storage Gateway.)
35. AWS STAFF ACCESS
‣ Staff vetting
‣ Staff has no logical access to customer instances
‣ Staff control-plane access limited & monitored: bastion hosts, least privileged model, zoned data center access
‣ Business needs
‣ Separate PAMS
50. Amazon DynamoDB Fine Grained Access Control
Directly and securely access application data in Amazon DynamoDB.
Specify access permissions at table, item and attribute levels.
With Web Identity Federation, completely remove the need for proxy servers to perform authorization.
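Item- and attribute-level permissions as described above, as an added example that is not from the deck or from AWS: a simplified evaluator for the IAM condition block AWS documents for DynamoDB fine-grained access control, covering only the ForAllValues:StringEquals operator, not full IAM policy evaluation. The policy condition, the federated identity and the requests are constructed; `dynamodb:LeadingKeys`, `dynamodb:Attributes` and the `${www.amazon.com:user_id}` variable are the real condition keys and policy variable.

```python
import re

# Constructed IAM policy condition in the shape AWS documents for DynamoDB
# fine-grained access control: the item's partition key must equal the federated
# user's id, and only the listed attributes may be read or written.
POLICY_CONDITION = {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
        "dynamodb:Attributes": ["UserId", "GameTitle", "Wins", "Losses", "TopScore"],
    }
}

# Constructed claims of a user who signed in through Login with Amazon.
ALICE_CLAIMS = {"www.amazon.com:user_id": "amzn1.account.ALICE"}

VARIABLE = re.compile(r"\$\{([^}]+)\}")

def resolve(values, claims):
    """Substitute ${provider:claim} policy variables with the caller's federated claims.
    Unknown variables are left as written, so they can never match a real key value."""
    return [VARIABLE.sub(lambda m: claims.get(m.group(1), m.group(0)), v) for v in values]

def for_all_values_string_equals(request_values, allowed):
    """ForAllValues: every value the request supplies must be in the policy's set.
    A request that supplies no values for the key passes (IAM set-operator semantics)."""
    return all(v in allowed for v in request_values)

def is_allowed(request, claims, condition=POLICY_CONDITION):
    """Evaluate the condition block; `request` maps condition keys to the values the
    DynamoDB call carries (partition key values, attribute names)."""
    for key, allowed in condition["ForAllValues:StringEquals"].items():
        if not for_all_values_string_equals(request.get(key, []), resolve(allowed, claims)):
            return False
    return True
```

Because an absent key passes ForAllValues, a read that names no attributes is not constrained by `dynamodb:Attributes`; the AWS-documented policy therefore adds `"StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}` so callers must project explicitly.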
57. DATA ENCRYPTION
CHOOSE WHAT’S RIGHT FOR YOU:
Automated – AWS manages encryption
Enabled – user manages encryption using AWS
Client-side – user manages encryption using their own means
58. AWS CloudHSM
Managed and monitored by AWS, but you control the keys.
Increase performance for applications that use HSMs for key storage or encryption.
Comply with stringent regulatory and contractual requirements for key protection.
(Diagram labels: EC2 Instance, AWS CloudHSM, AWS CloudHSM.)
59. ENCRYPT YOUR DATA
AWS CloudHSM, Amazon S3 SSE, Amazon Glacier, Amazon Redshift, Amazon RDS, …
61. Axway
• 11,000 customers
• 100 countries
• 332,5M € revenue in 2013
• 1,700+ employees
• HQ in Phoenix, AZ USA
• Offices in 19 countries
Governing the flow of data
62. Axway Cloud and AWS
• Start Quickly
• Everywhere
• No initial cost
• Pay per use
• Scale up and down
• No commitment
• Repeatable
• Reliable
• Secure
Building blocks:
• VPC (Virtual Private Cloud) – privatization for Cloud components.
• Data centers (zones) – Tier IV and compliant with all major third-party certifications.
• Storage – 99.999999999% durability.
• Database – multizone configuration.
• Elastic Load Balancers – zone independence.
• VPN – AWS Direct Connect provides dedicated private networking for increased bandwidth and reliability.
• EC2 Instances – elastic computing.
• CloudFormation – reliable delivery from web services.
• Applications – designed for no single points of failure and non-repudiation.
• All services are monitored through a centralized location utilizing SES, SNS, CloudWatch, Nagios, etc.
63. Axway Cloud threat mitigation
Threats considered:
• Architecture and Datacenter Vulnerabilities
• Service Platform Availability
• Information Confidentiality and Integrity Loss
• Decrease in Functional Performance
• Human Activities
Mitigations:
• Very High Availability – Multi AZ Auto-Scaling groups
• OS Patch management – Solution deployed by Axway
• Data loss and confidentiality – Data encryption at rest and for communications; backup policy based on snapshots
• Human activity – Access to environments is centralized and all activity is tracked
• Real time monitoring – Security and monitoring tools (Ossec, syslog, Nagios, CloudWatch, …); Splunk to receive, process and present security events
64. Axway Cloud security architecture
• SOC1 Type 2 certification achieved in March
• ISO27001 Beginning of 2015
(Architecture diagram; labels: Management Solution, Access Control, Axway data center, Amazon Route 53, Axway workforce, VPN, Elastic Load Balancing, Supervision, Monitoring & Security tools, VPC peering, Solution, Monitoring & Security data, Access, CloudWatch, Amazon SES, two Auto Scaling groups each spanning AZ #1 and AZ #2, CloudTrail.)
65. Takeaways from Axway
• Axway governs the flow of data in the Cloud
• Axway Cloud is based on a strong AWS partnership
• Security = AWS + Axway + Processes + People
68. IDC Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization.
Source: IDC 2013 U.S. Cloud Security Survey, Doc #242836, September 2013