1. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Strengthen Your Organization’s Security and Privacy Using the AWS Cloud
Ryan Jaeger
Senior Solutions Architect
Amazon Web Services
3. What is Cloud Computing?
• Private Datacenter / Colocation
• Compute / Storage / or Network Hardware
• Virtual Infrastructure
• Grow and Shrink Capacity on-demand
• Only pay for what you use
4. AWS Cloud vs. Traditional Infrastructure
AWS Cloud:
• No Up Front Expense
• Pay for what you Use
• Improve Time to Market & Agility
• Scale Up and Down
• Self-Service Infrastructure
Traditional Infrastructure:
• Equipment
• Resources and Administration
• Contracts
• Cost
5. Millions of active customers every month across 190 countries
Public Sector:
• 6,500+ government agencies
• 11,000+ educational institutions
• 29,000+ non-profit organizations
Primary drivers for moving to the cloud:
• Move from capital expense to variable expense
• Elasticity: stop guessing capacity
• Increased agility
• Go global in minutes
• Breadth of services
6. How to reach your business goals with AWS
• Gain faster, deeper insights with analytics
• Ensure security, compliance and resiliency
• Adopt modern application development practices
• Migrate and free-up resources
• Bridge skills and experience gaps rapidly
7. Canadian Public Sector AWS Customers
8. Traditional on-premises security model
Compute, Storage, Database, Networking
Regions, Availability zones, Edge locations
9. Security in the Cloud is a Shared Responsibility
Working together: https://aws.amazon.com/compliance/shared-responsibility-model/
Customer, responsible for security "in" the cloud:
• Customer Data
• Platform & Application Management
• Operating System, Network & Firewall Configuration
• Client Side Data Encryption & Data Integrity Authentication
• Server Side Encryption (File System and / or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
• Customer IAM
• Optional: Opaque Data, 0s and 1s (In Transit and At Rest)
AWS, responsible for security "of" the cloud:
• AWS IAM
• AWS Endpoints
• Foundation Services: Compute, Storage, Databases, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
10. Shared Responsibility is not Static
Working together: https://aws.amazon.com/compliance/shared-responsibility-model/
The split between customer and AWS responsibilities moves with the type of service consumed:
Infrastructure Services
• Customer: Customer Data; Platform & Application Management; Operating System, Network & Firewall Configuration; Client Side Data Encryption & Data Integrity Authentication; Server Side Encryption (File System and / or Data); Network Traffic Protection (Encryption / Integrity / Identity); Customer IAM
• AWS: AWS IAM; AWS Endpoints; Foundation Services (Compute, Storage, Databases, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
Container Services
• Customer: Customer Data; Client Side Data Encryption & Data Integrity Authentication; Network Traffic Protection (Encryption / Integrity / Identity); Firewall Configuration; Customer IAM
• AWS: Operating System & Network Configuration; Platform & Application Management; AWS IAM; AWS Endpoints; Foundation Services; AWS Global Infrastructure
Abstracted Services
• Customer: Customer Data; Client Side Data Encryption & Data Integrity Authentication
• AWS: Operating System & Network Configuration; Platform & Application Management; Server Side Encryption Provided By The Platform (Protection of Data at Rest); Network Traffic Protection Provided By The Platform (Protection of Data in Transit); AWS IAM; AWS Endpoints; Foundation Services; AWS Global Infrastructure
In every case the customer may optionally keep its data opaque to the platform: 0s and 1s, in transit and at rest.
Parties working together: Customer, AWS, Service Providers, Software Vendors, Other 3rd Parties
11. Shared Responsibility: alternative view
12. Data Privacy | Maintaining Customer Trust
AWS delivers services to millions of active customers over 190 countries.
13. Highest standards for privacy
• Encryption at scale
• Meet data residency requirements
• Build compliant infrastructure
• Comply with local data privacy laws
14. Data Privacy
British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA) sets out the access and privacy rights of individuals as they relate to the public sector.
30.1 - A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada.
Supporting Features:
• AWS Region: Canada. You choose the AWS Region(s) in which your content is stored and the type of storage.1
• AWS Direct Connect: The primary fiber path between the Vancouver Direct Connect site and the AWS Canada (Central) Region complies with Freedom of Information and Protection of Privacy Act (FOIPPA) requirements.2
• Encryption: You choose how your content is secured. We offer you strong encryption for your content in transit and at rest, and we provide you with the option to manage your own encryption keys.
• AWS complies with ISO 27018, a code of practice that focuses on protection of personal data in the cloud.
• All AWS services are GDPR ready.3
15. What is risk?
Risk is commonly defined as:
risk = impact * likelihood
Where:
• Impact: defines ‘how bad’ things can get, the worst-case scenario.
• Likelihood: defines the probable frequency, or rate at which the impacts we assessed may occur.
16. Standard scales help us reason
Scale Scoring
• How much attention, impact, effort?
• What is our target remediation time?
• Gives a common language to use.
https://www.youtube.com/watch?v=E1NaYN_fJUo
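Slides 15 and 16 define risk as impact multiplied by likelihood and argue for standard scales so that a score maps to attention and a target remediation time. The following is an added worked example, not part of the deck: it encodes two assumed 1-5 scales, computes the product, and maps it onto assumed score bands with assumed remediation targets. The scale wording, band boundaries and targets are illustrative choices; substitute your organisation's own.

```python
"""Risk scoring with standard scales: risk = impact * likelihood.

Added example, not from the slide deck. The 1-5 scales, the score bands and the
target remediation times are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed 1-5 impact scale ("how bad can it get", the worst case).
IMPACT_SCALE = {
    1: "negligible: no data exposure, no service impact",
    2: "minor: internal inconvenience, no customer-facing effect",
    3: "moderate: limited outage or exposure of internal data",
    4: "major: customer data exposure or multi-hour outage",
    5: "severe: regulated personal data breach or prolonged outage",
}

# Assumed 1-5 likelihood scale (expected frequency of the impact occurring).
LIKELIHOOD_SCALE = {
    1: "rare: less than once in 5 years",
    2: "unlikely: once in 1-5 years",
    3: "possible: about once a year",
    4: "likely: several times a year",
    5: "almost certain: monthly or more often",
}

# Assumed score bands: (lower bound inclusive, rating, target remediation time).
RISK_BANDS = [
    (20, "critical", "24 hours"),
    (12, "high", "7 days"),
    (6, "medium", "30 days"),
    (1, "low", "next planning cycle"),
]


@dataclass(frozen=True)
class RiskScore:
    impact: int
    likelihood: int
    score: int
    rating: str
    target_remediation: str


def score_risk(impact: int, likelihood: int) -> RiskScore:
    """Compute risk = impact * likelihood and map it onto the assumed bands."""
    if impact not in IMPACT_SCALE or likelihood not in LIKELIHOOD_SCALE:
        raise ValueError("impact and likelihood must be on the 1-5 scales")
    score = impact * likelihood
    for lower, rating, target in RISK_BANDS:
        if score >= lower:
            return RiskScore(impact, likelihood, score, rating, target)
    raise AssertionError("unreachable: score is at least 1")


def prioritise(findings: dict[str, tuple[int, int]]) -> list[tuple[str, RiskScore]]:
    """Rank named findings by score, highest first, giving one common ordering."""
    scored = [(name, score_risk(imp, lik)) for name, (imp, lik) in findings.items()]
    return sorted(scored, key=lambda item: item[1].score, reverse=True)


if __name__ == "__main__":
    # Constructed findings: name -> (impact, likelihood).
    sample = {
        "public S3 bucket with personal data": (5, 3),
        "unpatched internal wiki": (2, 4),
        "admin without MFA": (4, 4),
    }
    for name, r in prioritise(sample):
        print(f"{r.rating:8} score={r.score:2} remediate within {r.target_remediation}: {name}")
```

The point of the bands is the common language the slide asks for: two teams scoring independently on the same scales land on the same remediation deadline, and the ranking makes the trade-off between a severe-but-rare and a minor-but-frequent finding explicit.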
18. Why is security traditionally so hard?
• Lack of Visibility
• Low degree of Automation
• Lack of Resiliency
• Defense-in-Depth Challenges
19. Four Security Benefits of the Cloud
• Increased visibility
• Increased availability and resiliency
• True Defense-in-Depth
• Ability to automate for governance and Security Operations
20. Means of obtaining Visibility
• Use of resource tags
• CLI Describe
• Console
• Business Intelligence Tools
• API Queries
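Slide 14 lists the controls that support data residency (choosing the Canada Region, encryption at rest) and slide 20 lists resource tags and CLI/API describe calls as the means of visibility. The following added example, not part of the deck, combines the two: it audits inventory data shaped like the AWS CLI's ec2 describe-instances and ec2 describe-volumes output for resources outside the allowed Region, missing mandatory tags, and unencrypted volumes. The allowed Region, the required tag keys and the sample instance and volume ids are assumptions; the JSON is constructed and would be replaced by real API output.

```python
"""Visibility checks over describe-style EC2 inventory output.

Added example, not part of the slide deck. ALLOWED_REGION, REQUIRED_TAGS and
the sample ids are assumptions; the two JSON documents are constructed to match
the shape of `aws ec2 describe-instances` and `aws ec2 describe-volumes`.
"""
from __future__ import annotations

import json

ALLOWED_REGION = "ca-central-1"  # assumed data-residency choice (slide 14)
REQUIRED_TAGS = ("Owner", "DataClassification", "CostCentre")  # assumed tag policy

# Constructed sample shaped like `aws ec2 describe-instances` output.
DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa111", "Placement": {"AvailabilityZone": "ca-central-1a"},
   "Tags": [{"Key": "Owner", "Value": "records-team"},
            {"Key": "DataClassification", "Value": "personal"},
            {"Key": "CostCentre", "Value": "4410"}],
   "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0aaa111"}}]},
  {"InstanceId": "i-0bbb222", "Placement": {"AvailabilityZone": "us-east-1b"},
   "Tags": [{"Key": "Owner", "Value": "analytics"}],
   "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0bbb222"}}]},
  {"InstanceId": "i-0ccc333", "Placement": {"AvailabilityZone": "ca-central-1b"},
   "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0ccc333"}}]}
]}]}
""")

# Constructed sample shaped like `aws ec2 describe-volumes` output.
DESCRIBE_VOLUMES = json.loads("""
{"Volumes": [
  {"VolumeId": "vol-0aaa111", "Encrypted": true,  "AvailabilityZone": "ca-central-1a"},
  {"VolumeId": "vol-0bbb222", "Encrypted": true,  "AvailabilityZone": "us-east-1b"},
  {"VolumeId": "vol-0ccc333", "Encrypted": false, "AvailabilityZone": "ca-central-1b"}
]}
""")


def region_of(availability_zone: str) -> str:
    """Standard AZ names are the Region name plus one trailing letter (ca-central-1a)."""
    return availability_zone.rstrip("abcdefghijklmnopqrstuvwxyz")


def tags_of(instance: dict) -> dict[str, str]:
    """Flatten the API's list of {Key, Value} pairs into a dict (absent Tags -> {})."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def audit(instances: dict, volumes: dict) -> dict[str, list[str]]:
    """Return findings keyed by instance id; an empty list means the instance is clean."""
    encrypted = {v["VolumeId"]: v["Encrypted"] for v in volumes["Volumes"]}
    findings: dict[str, list[str]] = {}
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            problems: list[str] = []
            region = region_of(inst["Placement"]["AvailabilityZone"])
            if region != ALLOWED_REGION:
                problems.append(f"outside allowed region: {region}")
            missing = [k for k in REQUIRED_TAGS if k not in tags_of(inst)]
            if missing:
                problems.append("missing tags: " + ", ".join(missing))
            for bdm in inst.get("BlockDeviceMappings", []):
                vol = bdm["Ebs"]["VolumeId"]
                # A volume id we cannot find is treated as unencrypted (fail closed).
                if not encrypted.get(vol, False):
                    problems.append(f"unencrypted volume: {vol}")
            findings[inst["InstanceId"]] = problems
    return findings


if __name__ == "__main__":
    for instance_id, problems in audit(DESCRIBE_INSTANCES, DESCRIBE_VOLUMES).items():
        print(f"{instance_id}: {'OK' if not problems else '; '.join(problems)}")
```

Each describe call is scoped to one Region, so in practice the instance and volume calls are repeated per Region and the results merged before auditing; an untagged instance is itself a visibility finding because nothing downstream (cost reports, BI tooling, incident triage) can attribute it to an owner.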
21. Scale globally with resilience in every region
The largest global footprint, consistently built with a multi-AZ and multi-datacenter design.
Announced Regions: Spain, Jakarta, Milan, Cape Town, Osaka
AWS Region: a Region is a physical location in the world where we have multiple Availability Zones.
AWS Availability Zone (AZ): Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
Diagram: a Region with Transit sites and several AZs, each AZ holding one or more datacenters.
22. Defense-in-Depth in AWS at the Perimeter
• DDoS Protection
• Web Application Firewall
• VPN Gateway: Secure DevOps Comms
• VPC w/ Subnet ACLs: Stateless Firewall
• Internet Gateway: Path to Public Internet (Not present by default)
• Signature & Behavioral-based Intrusion Detection System using Machine Learning
• Private Fiber Between AWS & Customer
• Partner Solutions (AWS Marketplace): Firewall, IDS/IPS, WAF
Diagram: AWS Cloud > AWS Region > VPC with a Public Subnet (Web Server), an App Subnet (App Server) and a DB Subnet (DB Primary).
23. Defense-in-Depth in AWS between Workloads
Diagram: two VPCs (VPC 1 and VPC 2) in the same AWS Region, each with Subnet ACLs (Stateless Firewall), a Public Subnet (Web Server), an App Subnet (App Server) and a DB Subnet (DB Primary).
• Default: No Communications Between VPCs
• VPC Peering (Private network connection between VPCs)
• Internet gateway w/ VPN (Public path to Internet)
• Private Link (1-way secure comms)
24. Defense-in-Depth in AWS inside the Workload
Diagram: one VPC in an AWS Region with a Web Security Group (Web Servers), an App Security Group (App Servers) and a DB Security Group (DB Server).
• Stateful Firewall between each application tier; does NOT allow peer-to-peer communications by default
• Signature & Behavioral-based Intrusion Detection System using Machine Learning
• 3rd Party EPS (AWS Marketplace): OS Anti-virus, Firewall, Host Intrusion Protection System
• Security & Compliance assessment
• Event Management and Alerting
• API Logging
• Operational View & Control of Resources
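Slide 24 places a stateful firewall (a security group) around each application tier and notes that members of a group do not get peer-to-peer access by default. The following added example, not part of the deck, checks that property over constructed data shaped like the AWS CLI's ec2 describe-security-groups output: an assumed tier policy allows only internet to web on 443, web to app on 8080 and app to db on 3306, and every ingress rule that is not exactly one of those is reported. Group ids, names and ports are assumptions; the db group deliberately carries one over-permissive rule so the check has something to find.

```python
"""Check three-tier security-group rules against a tier policy.

Added example, not part of the slide deck. The JSON is constructed to match the
shape of `aws ec2 describe-security-groups`; group ids, names and the policy
ports are assumptions.
"""
from __future__ import annotations

import json

# Constructed sample: the db group has one extra rule (SSH from anywhere) that
# the tier policy does not allow, so the check reports it.
DESCRIBE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-web0001", "GroupName": "web", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-app0002", "GroupName": "app", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
      "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web0001"}]}]},
  {"GroupId": "sg-db00003", "GroupName": "db", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app0002"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
]}
""")

# Assumed tier policy: tier -> set of (source, protocol, port) allowed to reach it.
# "internet" stands for 0.0.0.0/0; any other source is the name of another tier.
TIER_POLICY: dict[str, set[tuple[str, str, int]]] = {
    "web": {("internet", "tcp", 443)},
    "app": {("web", "tcp", 8080)},
    "db": {("app", "tcp", 3306)},
}


def ingress_rules(group: dict, name_by_id: dict[str, str]) -> list[tuple[str, str, int, int]]:
    """Flatten IpPermissions into (source, protocol, from_port, to_port) tuples.

    Sources are "internet" for 0.0.0.0/0, "cidr:<range>" for any other CIDR, and
    the referenced group's name (or its raw id) for security-group references.
    """
    rules: list[tuple[str, str, int, int]] = []
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        if proto == "-1":  # "all traffic": the API omits the port keys
            lo, hi = 0, 65535
        else:
            lo, hi = perm["FromPort"], perm["ToPort"]
        for r in perm.get("IpRanges", []):
            src = "internet" if r["CidrIp"] == "0.0.0.0/0" else "cidr:" + r["CidrIp"]
            rules.append((src, proto, lo, hi))
        for pair in perm.get("UserIdGroupPairs", []):
            rules.append((name_by_id.get(pair["GroupId"], pair["GroupId"]), proto, lo, hi))
    return rules


def check_tiering(describe_output: dict, policy: dict[str, set[tuple[str, str, int]]]) -> list[str]:
    """Return one message per ingress rule the tier policy does not allow."""
    groups = describe_output["SecurityGroups"]
    name_by_id = {g["GroupId"]: g["GroupName"] for g in groups}
    violations: list[str] = []
    for g in groups:
        tier = g["GroupName"]
        allowed = policy.get(tier, set())
        for src, proto, lo, hi in ingress_rules(g, name_by_id):
            # Compliant only when the rule is a single port the policy lists for this tier;
            # port ranges, self-references (peer-to-peer) and unknown sources all fail.
            if lo == hi and (src, proto, lo) in allowed:
                continue
            violations.append(f"{tier}: {proto} {lo}-{hi} from {src} is not allowed by the tier policy")
    return violations


if __name__ == "__main__":
    for v in check_tiering(DESCRIBE_SECURITY_GROUPS, TIER_POLICY) or ["no violations"]:
        print(v)
```

Referencing the upstream tier's group id rather than a CIDR is what keeps the policy valid as instances scale in and out; a rule that references the group's own id is exactly the peer-to-peer access the slide says is off by default, and the check reports it like any other unlisted source.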
25. Automate - Remove Humans from the Data
26. Amazon GuardDuty IDS
Reconnaissance
Instance recon:
• Port probe / accepted comm
• Port scan (intra-VPC)
• Brute force attack (IP)
• Drop point (IP)
• Tor communications
Account recon:
• Tor API call (failed)
Instance compromise
• C&C activity
• Malicious domain request
• EC2 on threat list
• Drop point IP
• Malicious comms (ASIS)
• Bitcoin mining
• Outbound DDoS
• Spambot activity
• Outbound SSH brute force
• Unusual network port
• Unusual traffic volume/direction
• Unusual DNS requests
Account compromise
• Malicious API call (bad IP)
• Tor API call (accepted)
• CloudTrail disabled
• Password policy change
• Instance launch unusual
• Region activity unusual
• Suspicious console login
• Unusual ISP caller
• Mutating API calls (create, update, delete)
• High volume of describe calls
• Unusual IAM user added
Legend:
• Detections in gray are signature based, state-less findings
• Detections in blue are behavioral, state-full findings / anomaly detections
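Slide 26 groups GuardDuty detections into reconnaissance, instance compromise and account compromise, and slide 25 argues for automating the response. The following added example, not part of the deck or of GuardDuty itself, shows the triage step of such automation: a Lambda-style handler parses the finding type string (ThreatPurpose:ResourceType/ThreatFamily...) from an EventBridge "GuardDuty Finding" event, buckets it into the slide's three categories, bands the severity using GuardDuty's published low (1-3.9), medium (4-6.9) and high (7-8.9) ranges, and returns a response plan. The three events are constructed samples; the action names and the category-by-severity decision table are assumptions, and the handler only decides, leaving the EC2 and IAM calls that would carry out the plan to the caller.

```python
"""Triage GuardDuty findings and plan an automated response.

Added example, not from the slide deck and not GuardDuty code. SAMPLE_EVENTS are
constructed; the action names and decision table are assumptions.
"""
from __future__ import annotations

from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Triage:
    finding_type: str
    purpose: str        # ThreatPurpose, e.g. Recon, Backdoor, Stealth
    resource: str       # ResourceTypeAffected, e.g. EC2, IAMUser
    category: str       # reconnaissance / instance compromise / account compromise
    severity_band: str  # low / medium / high
    action: str         # assumed action name for the responder
    target: str         # instance id or IAM user name the action applies to


def parse_finding_type(finding_type: str) -> tuple[str, str, str]:
    """Split 'Purpose:Resource/Family.Mechanism!Artifact' into its three parts."""
    purpose, _, rest = finding_type.partition(":")
    resource, _, family = rest.partition("/")
    if not (purpose and resource and family):
        raise ValueError(f"unexpected finding type format: {finding_type!r}")
    return purpose, resource, family


def severity_band(severity: float) -> str:
    """GuardDuty bands: 1-3.9 low, 4-6.9 medium, 7-8.9 high."""
    if severity >= 7:
        return "high"
    if severity >= 4:
        return "medium"
    return "low"


def categorise(purpose: str, resource: str) -> str:
    """Map purpose/resource onto the slide's three groups."""
    if purpose == "Recon":
        return "reconnaissance"
    if resource == "EC2":
        return "instance compromise"
    if resource == "IAMUser":
        return "account compromise"
    return "other"


def triage(detail: dict) -> Triage:
    """Decide an action from category and severity (assumed decision table)."""
    purpose, resource, _ = parse_finding_type(detail["type"])
    category = categorise(purpose, resource)
    band = severity_band(float(detail["severity"]))
    res = detail.get("resource", {})
    instance_id = res.get("instanceDetails", {}).get("instanceId")
    user_name = res.get("accessKeyDetails", {}).get("userName")
    if band == "high" and category == "instance compromise":
        action, target = "isolate-instance", instance_id
    elif band in ("high", "medium") and category == "account compromise":
        action, target = "disable-access-key-and-page-on-call", user_name
    elif band == "low" and category == "reconnaissance":
        action, target = "log-only", instance_id or "n/a"
    else:
        action, target = "notify-security-channel", instance_id or user_name or "n/a"
    return Triage(detail["type"], purpose, resource, category, band, action, target)


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point in the shape Lambda uses for an EventBridge rule target."""
    if event.get("source") != "aws.guardduty":
        return {"ignored": True}
    return asdict(triage(event["detail"]))


# Constructed sample events in the EventBridge "GuardDuty Finding" shape.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "region": "ca-central-1",
     "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5.0,
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0aaa111"}}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "region": "ca-central-1",
     "detail": {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8.0,
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0bbb222"}}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "region": "ca-central-1",
     "detail": {"type": "Stealth:IAMUser/CloudTrailLoggingDisabled", "severity": 2.0,
                "resource": {"resourceType": "AccessKey",
                             "accessKeyDetails": {"userName": "deploy-bot"}}}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(lambda_handler(ev))
```

Keeping the decision separate from the actions makes the table reviewable and testable without credentials; the "isolate-instance" step would typically swap the instance's security groups for a no-ingress, no-egress quarantine group so the forensic copy described later in the deck can be taken.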
28. AWS CAF perspectives and executing each step
Applying the framework to drive cloud adoption
Step 1: Envision
• Clarify business outcomes and align with organizational goals
• Define measurable success criteria (metrics)
• Demonstrate how technology will enable business outcomes
Step 2: Alignment
• Identify critical-to-success stakeholders
• Foster stakeholder consensus and alignment
• Understand how stakeholders will benefit from cloud
• Create a comprehensive Action Plan
Step 3: Launch
• Execute your cloud projects
• Start the incremental business value of leveraging the cloud
• Proactively address stakeholders’ questions, concerns, and blockers
Step 4: Realize value
• Recognize ongoing incremental business value
• Continually evaluate cloud strategy and align with envisioned outcomes
• Identify additional cloud projects that deliver value
29. The security perspective
Focused on:
• Managing access and authorization
• Aligning cloud security controls with current security requirements
• Compliance
30. Launch & Scale
Goals: Business Outcomes, Innovation, Migration
Phases: Align, Launch, Scale, Optimize
Deliver and Operationalize Security on AWS: Workshop, AWS Jam, SRC Blueprint
5 Core Security Epics:
• Identity & Access Mgt
• Data Protection
• Logging & Monitoring
• Infrastructure Security
• Incident Response
Accelerator Engagements:
• Deliver solutions based on a specific scope & objective aligned with security / product teams
• Operationalize and automate to optimize coverage and efficiency for each security epic
• Security Incident Response Simulation
• Security Assessment
31. Security Epics Accelerator: Engagements Tailored to Customer
Identity & Access Mgt (Control Systems Access):
• Security Design & Build: AWS Accounts and IAM
• Cloud Directory or Set Up Federation
• AWS Users Access Control Lifecycle Approach
• Privileged Access Management (Marketplace Partner)
• Privileged Access Management (Systems Manager)
Logging & Monitoring (Gain Visibility):
• Account Level Security Baselines Monitoring: AWS Config
• Host Level Security Baselines Monitoring: AWS Config
• Centralize CloudTrail Security Logs
• Visibility with GuardDuty / Security Hub
• VPC Flow Logs + DNS Logs (Independent)
• CloudTrail Logs (Customer Dependent)
• Security SIEM and SOC (Marketplace Partner)
Infrastructure Security (Protect Your Cloud Infra):
• VPC Perimeter, Subnet, SG Definition
• DDOS and WAF Setup
• Automate Patching Approach with Systems Manager
• Endpoint Protection (Marketplace Partner)
• AWS Landing Zone
Data Protection (Encrypt Your Data):
• Centralize Key Management with AWS KMS
• Encryption Key Management Approach
Incident Response (Respond Swiftly):
• Forensic Instance Definition
• Automated Response with Lambda
Operationalize: IAM; Privileged Access Management; Web Application Defense; Host Hardening; EC2 Incident Response; SOC Integration; Key Management; Centralized Visibility
SRC Blueprint: engagements are guided by target state architecture design and Cloud Security Strategy aligned with customer.
32. (image slide with the words "cloud" and "more secure")
34. Call to Action
• AWS Cloud Adoption Framework - Security Perspective
• AWS Well-Architected Framework - Security Pillar
• Tagging Best Practices
• AWS Security Best Practices
• AWS Security Incident Response Guide
• Aligning to the NIST CSF in the AWS Cloud
• AWS Governance at Scale
• Amazon Web Services: Risk and Compliance
35. AWS Security Training Resources
Online materials
AWS Security Workshops
• 5 workshops at 200 and 300-level complexity
• Aligned with the NIST Cybersecurity Framework
• https://awssecworkshops.com/workshops/
AWS Security Fundamentals (2 hours)
• https://aws.amazon.com/training/course-descriptions/security-fundamentals/
AWS Well-Architected Security Labs
• https://wellarchitectedlabs.com/Security/README.html
36. Thank you!