© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Governance, Risk and Compliance Considerations for the Cloud
Karim Hopper, Solution Architecture APAC
27 May 2015, Hong Kong
Demonstrating Compliance
AWS Assurance Programs
Consistent, regular and exhaustive 3rd party evaluations
Customers control how they manage their own risks
AWS Managed and Audited Controls: SOC 1, SOC 2, PCI-DSS, NIST 800-53, ISO 27001
AWS Provided, Customer Configured and Managed Controls: Virtual Private Cloud, Key Management, Logging, other AWS features and services
Customer Provided and Managed Controls: Classification, Security Policy, Encryption, Governance, ITDaM, ITSM, Monitoring, Operations, Malware, Risk Management
Customer Risk Appetite and Desired Control Environment: Business Risks, Sourcing Risks, Technology Risks, Security Risks, Compliance
Compliance Programs
Reports and letters of attestation are available for a number of certifications:
SOC 1 (Type 2): Controls safeguarding customer data; auditor validated over a 6 month period. Evaluates control design and evidence of controls working (formerly SAS 70).
SOC 2 (Type 2): Provides additional transparency into AWS security and availability, including BCP.
ISO 27001: Widely adopted global security standard for ISMS. Evaluates management of information security risks that affect confidentiality, integrity and availability of company and customer information.
PCI DSS Level 3.0: Customers can run PCI compliant technology infrastructure for storing, processing and transmitting credit card information in the cloud.
Security Shared Responsibility Model
AWS is responsible for the security OF the cloud:
AWS Foundation Services: Compute, Storage, Network, Hypervisor
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
The customer is responsible for configuring security IN the cloud:
Customer applications and content
Platform, Applications, Identity and Access Management
Operating System, Network and Firewall Configuration
Client-side data encryption; Server-side data encryption; Network Traffic Protection
Data Locality
Customer chooses where to place data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and doesn’t move unless you choose to move it
AWS Employee Access
Staff vetting and enforcement of the principle of least privilege
• No logical access to customer instances
• Control-plane access limited and monitored
Bastion hosts, least privileged model, zoned data center access
• Access based on strict business needs
• Separate privileged account management systems
For more on compliance…
http://aws.amazon.com/compliance
• Whitepapers
• Workbooks
• Reference Architectures
• Security and privacy resources
Security is our #1 priority
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
Tom Soderstrom, CTO, NASA JPL
Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
AWS Security in Context
Customers get more visibility, auditability, control and agility through our…
Visibility
Customers can see their entire infrastructure at a click of a mouse
Using AWS CloudTrail customers can continuously record activities happening on the AWS platform
Use cases enabled by AWS CloudTrail
Security Analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track Changes to AWS Resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational Issues: identify the most recent actions made to resources in your AWS account.
Compliance Aid: easier to demonstrate compliance with internal policies and regulatory standards.
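As an added example (not part of the original deck), the Python script below runs the security-analysis, change-tracking and troubleshooting use cases above over a few constructed CloudTrail records: it lists resource changes, records each principal's most recent action and source IPs, and flags root-account changes, resource destruction and a security-group rule opened to 0.0.0.0/0. The field names follow CloudTrail's JSON record shape; every value (users, IPs, group id) is a constructed sample.

```python
"""Security analysis over constructed AWS CloudTrail records.

Covers the CloudTrail use cases on the slide: tracking creation, modification
and deletion of EC2 / VPC security-group / EBS resources, finding the most
recent action per principal, and surfacing behaviour patterns worth an
analyst's attention.  SAMPLE_LOG is constructed test data, not real log output.
"""
import json
from collections import defaultdict

# Constructed sample records in CloudTrail's JSON layout (not real data).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-05-27T01:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-05-27T01:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123abcd",
                           "ipPermissions": {"items": [
                               {"fromPort": 22, "toPort": 22,
                                "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-05-27T02:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVolumes", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-05-27T03:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVolume", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2015-05-27T03:31:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}},
]})

# API name prefixes that create, modify or delete resources (Describe*/List*/Get* are read-only).
MUTATING_PREFIXES = ("Run", "Create", "Delete", "Terminate", "Modify",
                     "Authorize", "Revoke", "Attach", "Detach")


def principal(rec):
    """Stable name for the calling identity; the root account carries no userName."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def is_mutating(rec):
    """True for calls that change resource state (the 'track changes' use case)."""
    return rec["eventName"].startswith(MUTATING_PREFIXES)


def opens_to_world(rec):
    """True when a security-group ingress change admits the whole Internet (0.0.0.0/0)."""
    if rec["eventName"] != "AuthorizeSecurityGroupIngress":
        return False
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))


def analyze(log_text):
    """Return change history, latest action per principal, source IPs and findings."""
    records = json.loads(log_text)["Records"]
    latest = {}                 # most recent action per principal (troubleshooting)
    ips = defaultdict(set)      # source IPs seen per principal (behaviour pattern)
    findings = []
    for r in sorted(records, key=lambda r: r["eventTime"]):
        who = principal(r)
        latest[who] = (r["eventTime"], r["eventName"], r["awsRegion"])
        ips[who].add(r["sourceIPAddress"])
        if r.get("userIdentity", {}).get("type") == "Root" and is_mutating(r):
            findings.append(f"root account made change {r['eventName']} at {r['eventTime']}")
        if opens_to_world(r):
            gid = r["requestParameters"]["groupId"]
            findings.append(f"{who} opened {gid} to 0.0.0.0/0 at {r['eventTime']}")
        if r["eventName"] in ("DeleteVolume", "TerminateInstances"):
            findings.append(f"{who} destroyed a resource: {r['eventName']} in {r['awsRegion']}")
    changes = [(r["eventTime"], principal(r), r["eventName"])
               for r in records if is_mutating(r)]
    return {"changes": changes, "latest": latest,
            "source_ips": {k: sorted(v) for k, v in ips.items()},
            "findings": findings}


if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG)["findings"]:
        print("FINDING:", line)
```

On real data the same functions apply unchanged to the `Records` array of each CloudTrail log file delivered to S3.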
Visibility
AWS Trusted Advisor
Recommends security best practices (identifies potential security issues)
Auditability
The AWS Config Service lets customers audit the historical configuration of resources and send notifications when those resources change.
Use Cases
Security Analysis: Am I safe?
Audit Compliance: Where is the evidence?
Change Management: What will this change affect?
Troubleshooting: What has changed?
AWS Config Service: review the historical configuration of resources and send notifications when those resources change.
Control
AWS offers several flexible encryption options, which differ in who manages the encryption method, the key storage and the key management infrastructure (KMI), ranging from AWS managed to customer managed:
AWS Key Management Service: AWS manages the method, storage and KMI.
AWS CloudHSM: AWS provides key storage; the customer manages the encryption method and the management layer of the KMI.
Customer controls everything: e.g. KMI / keys stored on-premise and client-side encryption used.
Control
AWS Key Management Service
• A managed service that makes it easy for you to create, control, and use your encryption keys
• Integrated with AWS SDKs and AWS services including storage, compute and database / data warehouse
• CloudTrail support
AWS CloudHSM
• Dedicated Safenet Luna-based solution (FIPS 2 compliant)
Control
Data Destruction
• Storage media destroyed before being permitted outside our datacenters
• Media destruction consistent with US Dept. of Defense Directive 5220.22
Control – Customers choose what they need
Defense in depth: application log file capture; isolated, private networking environments; fine grained access controls; segregation of duties; multi-factor authentication, identity federation; single tenant / dedicated servers; direct connections; HSM-based key storage; multiple tiers of firewalls
Delivered through services such as AWS CloudHSM, AWS IAM, Amazon VPC and AWS Direct Connect
AWS delivers more control and granularity
Agility
New Security Features year to date: RDS Encryption using KMS; Oracle TDE with CloudHSM; S3 Endpoints in VPC; IAM Managed Policies; Glacier Vault Access Policies; …
AWS Security Organization
Chief Information Security Officer (CISO), reporting to the CEO, Amazon.com
Teams: Operations, Engineering, Application Security, Compliance
Amazon’s Culture
• Everyone’s an owner
• Decentralize – security engineers are embedded in service teams
• Executive accountability
• Metrics driven – measuring constantly
• Five Why’s to establish the cause of error
• Test constantly
• Understand normal and then identify anomalies
Thank you
aws.amazon.com/compliance
aws.amazon.com/security
http://www.linkedin.com/in/karimhopper
Cloud Security, Risk and Compliance on AWS
Editor's notes

  1. [Speaker note: allow at least 30 mins]
  2. So how do we demonstrate to customers that we are doing our job as a CSP properly?
  3. AWS has an extensive assurance program in place today covering a range of certifications including SOC 1, SOC 2, ISO 27001 and PCI DSS plus others you can see here. Many of these were achieved in just the last few months and there are others that are not listed.
  4. From: Stephen Quigg. Customers decide on the appropriate controls and manage and monitor the effectiveness of those controls. Customers take reliance on AWS control reports. The customer defines their risk appetite and desired control environment and implements the controls that are appropriate to that system; some of the controls the customer will provide and others will be provided by AWS.
  5. The SOC 1 report attests that the AWS control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively. The report is carried out by independent auditors under the AT 801 standard, and is issued every 6 months. The SOC 2 report involves an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the American Institute of Certified Public Accountants’ Trust Services Principles criteria. This report provides additional transparency into AWS security and availability based on a defined industry standard. Again, it is carried out by independent auditors, and the report is issued every 6 months. ISO 27001 is a widely-adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. AWS is certified under ISO 27001, and renews that certification annually. ----- Meeting Notes (5/27/15 11:58) ----- SOC 2 Type 2 includes controls around BCP.
  6. Constant improvement process. It’s not a static craft. It’s continually advancing.
  7. The customer is responsible for management of the guest operating system, right up to the highest layer of content. That means that an FSI controls their ARCHITECTURE that is built on AWS. They control the design and architecture of their applications and solutions that run on our physical infrastructure. They control the configuration of access controls and firewall settings, control the encryption of content, and how often they archive and back up their content.
  8. AWS recognises that there are legal and regulatory directives around the location of data.
  9. One of the fundamental principles we adopt in managing Security OF the cloud is the principle of least privilege. We give access to information and facilities only where necessary for a legitimate purpose. That means that I don’t know where our data centres are. The only people who even know where they are are people who build them, operate them, secure them, and audit them.
  10. Security is job zero because it’s foundational to our business, what customers demand, and something that we will not have a business if we don’t do right. People think that security is different in the cloud. But actually security is very familiar at AWS. What is different though is that it’s more visible. Everyone gets the same level of security.
  11. I’m going to talk about some of the features of our platform that differentiate AWS security vs on-premise
  12. So I want to start by setting some context
  13. Can you map your network? ----- Meeting Notes (5/27/15 11:58) ----- CloudTrail is a great system of record
  14. So I want to start by setting some context
  15. e.g. What systems will be impacted when I change this firewall setting e.g. Integration with Change Management Systems to identify out of band changes
  16. Configuration surveillance and monitoring
  17. So I want to start by setting some context
  18. KMS is designed to meet FIPS2 logical and FIPS3 physical security
  19. So I want to start by setting some context
  20. Agility in security. Ops – vulnerability management. Engineering – build security tools including scanners, incident management systems; we build a lot of our own software. Application Security – PenTesting, blackbox (outsider attack) and whitebox (insider attack); we repeat these any time we do a substantive change to the service; code reviews; security engineers are embedded in our service teams; principle of least privilege. Compliance – is part of our security team (talk about this later). Our CISO reports to the CEO of Amazon. Pro-active: every week Andy Jassy goes through security issues with the senior management team to address issues and identify areas for improvement. ----- Meeting Notes (5/27/15 11:58) ----- Amazon has created a culture that supports our focus on customer security.