4. Customers control how they manage their own risks
AWS
• AWS Managed and Audited Controls: SOC 1, SOC 2, PCI-DSS, NIST 800-53, ISO 27001
• AWS Provided, Customer Configured and Managed Controls: Virtual Private Cloud, Key Management, Logging, other AWS features and services
Customers
• Customer Provided and Managed Controls: Classification, Security Policy, Encryption, Governance, ITDaM, ITSM, Monitoring, Operations, Malware, Risk Management
• Customer Risk Appetite and Desired Control Environment: Business Risks, Sourcing Risks, Technology Risks, Security Risks, Compliance
5. Compliance Programs
Reports and letters of attestation are available for a number of certifications
• SOC 1 (Type 2): Controls safeguarding customer data; auditor validated over a 6 month period. Evaluates control design, and evidence of controls working (formerly SAS 70)
• SOC 2 (Type 2): Provides additional transparency into AWS security and availability, including BCP
• ISO 27001: Widely adopted global security standard for ISMS. Evaluates management of information security risks that affect confidentiality, integrity and availability of company and customer information
• PCI DSS Level 3.0: Customers can run PCI compliant technology infrastructure for storing, processing and transmitting credit card information to the cloud
6. Security Shared Responsibility Model
AWS is responsible for the security OF the cloud
• AWS Foundation Services: Compute, Storage, Network, Hypervisor
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
7. Security Shared Responsibility Model
AWS is responsible for the security OF the cloud
• AWS Foundation Services: Compute, Storage, Network, Hypervisor
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
The customer is responsible for configuring security IN the cloud
• Customer applications and content
• Platform, Applications, Identity and Access Management
• Operating System, Network and Firewall Configuration
• Client-side data encryption
• Server-side data encryption
• Network Traffic Protection
8. Data Locality
Customer chooses where to place data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and doesn’t move unless you choose to move it
9. AWS Employee Access
Staff vetting and enforcement of the principle of least privilege
• No logical access to customer instances
• Control-plane access limited and monitored: bastion hosts, least privileged model, zoned data center access
• Access based on strict business needs
• Separate privileged account management systems
10. For more on compliance…
http://aws.amazon.com/compliance
• Whitepapers
• Workbooks
• Reference Architectures
• Security and privacy resources
12. “Based on our experience, I believe that we can be even more
secure in the AWS cloud than in our own data centers.”
Tom Soderstrom, CTO, NASA JPL
Nearly 60% of organizations agreed that CSPs [cloud service
providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey
doc #242836, September 2013
13. AWS Security in Context
Customers get more… VISIBILITY, AUDITABILITY, CONTROL, AGILITY
Through our…
15. Visibility
Customers can see their entire infrastructure at a click of a mouse
Using AWS CloudTrail customers can continuously record activities happening on the AWS platform
16. Use cases enabled by AWS CloudTrail
• Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
• Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes
• Troubleshoot Operational Issues: Identify the most recent actions made to resources in your AWS account
• Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards
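The first two use cases above, as an added example that is not part of the original deck: a small stdlib-only pass over CloudTrail-shaped records (the three records are constructed here, not real account data) that separates mutating API calls from read-only ones, flags security-group ingress opened to the whole internet, and counts calls per principal and source IP as raw material for a behaviour baseline. Field names follow the CloudTrail JSON record format; the change-prefix list is an assumption kept deliberately short.

```python
import json
from collections import Counter
# Constructed sample records in the CloudTrail JSON log shape (not real account data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-05-27T11:58:01Z", "eventName": "AuthorizeSecurityGroupIngress",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-05-27T12:01:44Z", "eventName": "DeleteVolume",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"volumeId": "vol-11223344"}},
    {"eventTime": "2015-05-27T12:03:10Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
]})

# Event-name prefixes that create, modify or delete resources (assumed list); Describe*/List*/Get* are reads.
CHANGE_PREFIXES = ("Create", "Delete", "Modify", "Authorize", "Revoke", "Run", "Terminate")

def resource_changes(log_text):
    """Return (time, user, event, resource) for every mutating API call in a log file."""
    changes = []
    for rec in json.loads(log_text)["Records"]:
        name = rec["eventName"]
        if not name.startswith(CHANGE_PREFIXES):
            continue
        params = rec.get("requestParameters") or {}
        resource = params.get("groupId") or params.get("volumeId") or params.get("instanceId") or "?"
        user = rec["userIdentity"].get("userName", rec["userIdentity"]["type"])
        changes.append((rec["eventTime"], user, name, resource))
    return changes

def world_open_ingress(log_text):
    """Flag security-group ingress rules opened to 0.0.0.0/0 so they can be reviewed."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec["eventName"] != "AuthorizeSecurityGroupIngress":
            continue
        params = rec["requestParameters"]
        for perm in params["ipPermissions"]["items"]:
            for rng in perm["ipRanges"]["items"]:
                if rng["cidrIp"] == "0.0.0.0/0":
                    findings.append((params["groupId"], perm["fromPort"], perm["toPort"]))
    return findings

def calls_per_principal(log_text):
    """Count API calls per (user, source IP): the raw material for a behaviour baseline."""
    recs = json.loads(log_text)["Records"]
    return Counter((r["userIdentity"].get("userName", "?"), r["sourceIPAddress"]) for r in recs)
```

In practice the same functions would be run over every gzipped log object CloudTrail delivers to the S3 bucket, and the counts compared against each principal's usual pattern.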
19. Auditability
The AWS Config Service lets customers audit the historical configuration of resources and send notifications when those resources change
Use Cases
• Security Analysis: Am I safe?
• Audit Compliance: Where is the evidence?
• Change Management: What will this change affect?
• Troubleshooting: What has changed?
22. Control
AWS offers several flexible encryption options
Each option covers the KMI, encryption method, key storage and key management, split between customer managed and AWS managed. The slide labels three options A, B and C:
• AWS Key Management Service: AWS manages the method, storage and KMI
• AWS CloudHSM: AWS provides key storage; customer manages encryption method & management layer of KMI
• Customer controls everything, e.g. KMI / keys stored on-premise and client-side encryption used
23. Control
AWS Key Management Service
• A managed service that makes it easy for you to create, control, and use your encryption keys
• Integrated with AWS SDKs and AWS services including storage, compute and database / data warehouse
• CloudTrail support
AWS CloudHSM
• Dedicated Safenet Luna-based solution (FIPS 2 compliant)
24. Control
Data Destruction
• Storage media destroyed before being permitted outside our datacenters
• Media destruction consistent with US Dept. of Defense Directive 5220.22
25. Control – Customers choose what they need
• Defense in depth
• Application log file capture
• Isolated, private networking environments
• Fine grained access controls
• Segregation of duties
• Multi-factor authentication, identity federation
• Single tenant / dedicated servers
• Direct connections
• HSM-based key storage
• Multiple tiers of firewalls
Services: AWS CloudHSM, AWS IAM, Amazon VPC, AWS Direct Connect
AWS delivers more control and granularity
27. New Security Features year to date
• RDS Encryption using KMS
• Oracle TDE with CloudHSM
• S3 Endpoints in VPC
• IAM Managed Policies
• Glacier Vault Access Policies
…
So how do we demonstrate to customers that we are doing our job as a CSP properly?
AWS has extensive assurance in place today covering a range of certifications including SOC 1, SOC 2, ISO 27001 and PCI DSS plus others you can see here.
Many of these were achieved in just the last few months and there are others that are not listed.
From: Stephen Quigg
Customers decide on the appropriate controls and manage and monitor the effectiveness of those controls.
Customers take reliance on AWS control reports.
The customer defines their risk appetite and desired control environment, and implements the controls that are appropriate to that system.
Some of the controls the customer will provide and others will be provided by AWS.
The SOC 1 report attests that the AWS control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively. The report is carried out by independent auditors under the AT 801 standard, and is issued every 6 months.
The SOC 2 report involves an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the American Institute of Certified Public Accountant’s Trust Services Principles criteria. This report provides additional transparency into AWS security and availability based on a defined industry standard. Again, it is carried out by independent auditors, and the report is issued every 6 months.
ISO 27001 is a widely-adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. AWS is certified under ISO 27001, and renews that certification annually.
----- Meeting Notes (5/27/15 11:58) -----
SOC2 Type 2 includes controls around BCP
Constant improvement process. It’s not a static craft. It’s continually advancing.
The customer is responsible for management of the guest operating system, right up to the highest layer of content.
That means that an FSI controls their ARCHITECTURE that is built on AWS:
• control the design and architecture of their applications and solutions that run on our physical infrastructure,
• control the configuration of access controls and firewall settings,
• control the encryption of content, and how often they archive and backup their content.
AWS recognises that there are legal and regulatory directives around the location of data.
One of the fundamental principles we adopt in managing Security OF the cloud is the principle of least privilege. We give access to information and facilities only where necessary for a legitimate purpose. That means that I don’t know where our data centres are. The only people who even know where they are are the people who build them, operate them, secure them, and audit them.
Security is job zero because it’s foundational to our business, what customers demand, and something we will not have a business without if we don’t do it right.
People think that security is different in the cloud. But actually security is very familiar at AWS. What is different though is that it’s more visible.
Everyone gets the same level of security.
I’m going to talk about some of the features of our platform that differentiate AWS security vs on-premise
So I want to start by setting some context
Can you map your network?
Cloudtrail is a great system of record
e.g. What systems will be impacted when I change this firewall setting
e.g. Integration with Change Management Systems to identify out of band changes
Configuration surveillance and monitoring
KMS is designed to meet FIPS2 logical and FIPS3 physical security
Agility in security
Ops – vulnerability management
Engineering – build security tools including scanners, incident management systems, we build a lot of our own software
Application Security – PenTesting blackbox (outsider attack) and whitebox (insider attack); we repeat these anytime we do a substantive change to the service. Code reviews, security engineers embedded in our service teams, principle of least privilege.
Compliance – is part of our security team (talk about this later)
Our CISO reports to the CEO of Amazon.
Pro-active: every week Andy Jassy goes through security issues with the senior management team to address issues and identify areas for improvement.
Amazon has created a culture that supports our focus on customer security.