We've heard from our customers that using AWS allows them to operate even more securely than they could in their own data centres. Why is this? We will tackle the most commonly asked security & compliance questions customers ask when adopting the AWS Cloud. We will demonstrate practical ways to make sure you're operating securely, and hear first-hand from an AWS customer about how they are using the platform today and the importance of getting this right.
Speaker: Matthew Jobson, Account Manager, Amazon Web Services & Ben Chung, Head of Security Assurance, Amazon Web Services, APAC
Featured Customer - Healthdirect Australia
2. Quote – Capital One
“The financial service industry attracts some of the worst cyber criminals. We worked closely with AWS to develop a security model that we believe enables us to operate more securely in the public cloud than we can in our own data centers.”
Rob Alexander, CIO, Capital One
3. Why is Security Your #1 Priority?
Because it’s important, and it’s hard
4. Security is Job Zero
Familiar Security Model
Validated and Certified by Independent Auditors
Benefits All Customers
Layers (diagram): PEOPLE & PROCESS, SYSTEM, NETWORK, PHYSICAL
5. Rapid Pace of Innovation
Chart: new services and features released per year, labelled 2009, 2011, 2013 and 2015 (bar values on the chart: 48, 82, 159, 722)
8. Data Ownership
You choose where to place your data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and doesn’t move unless you tell us to do so
You always own your data, the ability to encrypt it, move it and delete it
9. Where Can I Place My Data?
Map (legend: Region, Edge Location)
12 Regions, 32 Availability Zones, 54 Edge Locations
10. What is a Region?
Diagram: an AWS Region contains multiple Availability Zones (legend: Region, Edge Location)
11. What is an Availability Zone?
Diagram: each Availability Zone is made up of one or more data centers; a sample Region contains Availability Zones A, B and C
15. How do we Securely Dispose of Disks?
Image: a disk before and after disposal
16. Does AWS look after Security for Me?
Yes, and No! It’s a Shared Responsibility
17. Shared Responsibility
AWS is responsible for the security OF the Cloud:
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the Cloud:
- Customer Content
- Platform, Applications, Identity & Access Management
- Operating System, Network, & Firewall Configuration
- Client-side Data Encryption
- Server-side Data Encryption
- Network Traffic Protection
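As an added example (not part of the original deck or of any AWS tooling), here is what one of the customer-configured controls on this slide, the network and firewall configuration, looks like when it is actually checked. The script evaluates security-group rules in the shape the EC2 DescribeSecurityGroups API returns, against the CIS AWS Foundations Benchmark recommendations that SSH (22) and RDP (3389) must not be reachable from 0.0.0.0/0 or ::/0. The two groups are constructed sample data (one weak, one corrected), not real infrastructure, and the function names are my own.

```python
"""Audit EC2 security groups for administrative ports open to the world.

The input mirrors the JSON returned by the EC2 DescribeSecurityGroups API
(SecurityGroups -> IpPermissions -> IpRanges / Ipv6Ranges). The sample
groups at the bottom are constructed for this example, not real data.
"""
from typing import Dict, Iterable, List, Tuple

# CIS AWS Foundations Benchmark 4.1 (SSH) and 4.2 (RDP): never open to the world.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule: Dict, port: int) -> bool:
    """True if an IpPermissions entry admits TCP traffic to `port`.

    IpProtocol "-1" means all protocols and ports and carries no
    FromPort/ToPort, so it always covers the port. Only TCP (or its
    numeric form "6") is checked otherwise; SSH and RDP are TCP services.
    """
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def rule_world_open(rule: Dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD_CIDRS)


def find_world_open_admin_ports(groups: Iterable[Dict]) -> List[Tuple[str, int, str]]:
    """Return sorted, de-duplicated (GroupId, port, service) findings."""
    findings = set()
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_world_open(rule):
                continue
            for port, name in ADMIN_PORTS.items():
                if rule_covers_port(rule, port):
                    findings.add((sg["GroupId"], port, name))
    return sorted(findings)


# Constructed sample: the first group is the weak setting (SSH from anywhere,
# plus an all-protocol IPv6 rule); the second is the corrected one (SSH only
# from a documentation prefix, HTTPS public, which is fine for this check).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bad", "GroupName": "bastion-open",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1", "IpRanges": [],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-0good", "GroupName": "bastion-restricted",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]

if __name__ == "__main__":
    for group_id, port, service in find_world_open_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {service} (tcp/{port}) open to the world")
```

Against real accounts the same function can be fed the `SecurityGroups` list from `boto3` or `aws ec2 describe-security-groups`; the check deliberately treats an all-protocol ("-1") rule as covering every port, which is the case a naive port-equality comparison misses.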
18. Customer Risk Appetite and Desired Control Environment
Risks considered: Business Risks, Sourcing Risks, Technology Risks, Security Risks, Compliance
Customer Provided and Managed Controls (You Control how you Manage your Own Risks):
- Classification
- Security Policy
- Encryption
- Governance
- ITDaM
- ITSM
- Monitoring
- Operations
- Malware
- Risk Management
AWS Provided, Customer Configured and Managed Controls:
- Virtual Private Cloud
- Key Management
- Logging
- Other AWS features and services
AWS Managed and Audited Controls:
- SOC 1, SOC 2, PCI-DSS, NIST 800-53, ISO 27001
27. Third Party Tools
- Encryption & Key Mgmt
- Server & Endpoint Protection
- Application Security
- Vulnerability & Pen Testing
- Advanced Threat Analytics
- Identity and Access Mgmt
- Network Security
28. Don’t take my word for it…
“Based on our experience, I believe that we can be even more secure in the AWS Cloud than in our own data centers.”
Tom Soderstrom, CTO, NASA JPL
32. Healthdirect Australia – The Cloud
Much like the turtle in “Over The Hedge”, I was the singular voice saying NO, don’t go over the hedge (in this case AWS)!
33. Healthdirect Australia – The Cloud
• Healthdirect was an anchor tenant for AWS here in Australia.
• Our use was restricted to Non-Production environments whilst we housed our Production systems elsewhere.
34. Why was I the Turtle?
Certified for everything but what I needed
35. When the Turtle Changed his Tune!
Certified for the Australian Government Information Security Manual (ISM), signed off by the Australian Signals Directorate (ASD).
• A total of 1377 controls, 932 controls applicable to Healthdirect; AWS provides a base of 463 implemented controls (UNCLASSIFIED)
Compared to:
• PCI V3.1 with 400 controls
• FISMA with 861 controls
• ISO 27001:2013 with 114 controls
• FedRAMP Rev. 4 with 325 controls
38. Shared Responsibility and We Do!
Healthdirect Australia instantiated its own security wrapper as per the shared responsibility model:
• VMs built and hardened as per CIS Security Benchmarks
• All VMs have Host based firewalls/IDS-IPS/Virtual Patching/Malware Protection
• Front door is protected by a WAF and API Manager
• All VMs are scanned for vulnerabilities nightly
• Admin and Privileged access tightly managed and recorded
• We have our own CA services
• All solutions are independently penetration tested
• All solutions are independently audited by an IRAP Assessor
39. Healthdirect Australia in AWS
We are entirely in AWS with a farm of some 800 to 900 virtual machines – approximately 200 in PRODUCTION at any stage!
40. Healthdirect Australia in AWS
Advantages
• Masters of our destiny – ability to spin up and takedown as required
• Able to increase instance sizes as required
• Price points for instances
• No data center and associated costs
• Storage capability
• Elastic compute environment grow as required
• Dual availability zones for “High Availability”
• Able to take advantage of new services as they complete ISM Certification
• Information remains On Shore
• Instantiated a continuous delivery mode of operation
• Enabled us to automate deployments and builds
• Everything is a software based API
41. Healthdirect Australia in AWS
3 Pieces of Advice to leave you with!
• Understand your Corporate Legal and Regulatory Requirements
• Identify a Security Stack that will assist you in meeting these requirements
• Plan, Plan and Plan: have a devil’s advocate throw the worst case scenarios at you during your planning
43. Security is Job Zero
YOU ARE BETTER OFF IN AWS THAN YOU ARE IN YOUR OWN ENVIRONMENT
“Nearly 60% of organizations agreed that CSPs (cloud service providers) provide better security than their own IT organizations.”
- Source: IDC 2013 U.S. Cloud Security Survey. Doc #242836, September 2013
44. Resources / Further Reading
• AWS Cloud Security
https://aws.amazon.com/security/
• AWS Security Blog
http://blogs.aws.amazon.com/security/
• AWS Answers
https://aws.amazon.com/answers/
• Case Study – Capital One
https://aws.amazon.com/solutions/case-studies/capital-one/
• Whitepaper: AWS Security
http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf
• Whitepaper: AWS Risk & Compliance
https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
• CIS (Centre for Internet Security) – Guidance for configuring security options on AWS
https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
• Getting Started – Documentation
http://aws.amazon.com/documentation/gettingstarted/
45. AWS Training & Certification
• Intro Videos & Labs: free videos and labs to help you learn to work with 30+ AWS services – in minutes!
• Training Classes: in-person and online courses to build technical skills – taught by accredited AWS instructors
• Online Labs: practice working with AWS services in a live environment – learn how related services work together
• AWS Certification: validate technical skills and expertise – identify qualified IT talent or show you are AWS cloud ready
Learn more: aws.amazon.com/training
46. Your Training Next Steps:
• Visit the AWS Training & Certification pod to discuss your training plan & AWS Summit training offer
• Register & attend AWS instructor led training
• Get Certified
AWS Certified? Visit the AWS Summit Certification Lounge to pick up your swag
Learn more: aws.amazon.com/training