Cloud Security, Risk and Compliance on AWS

Presented at the Hong Kong Enterprise Summit. Aimed at financial services audiences

  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Karim Hopper, Solution Architecture APAC. 27 May 2015. Governance, Risk and Compliance Considerations for the Cloud, Hong Kong.
  2. Demonstrating Compliance
  3. AWS Assurance Programs: consistent, regular and exhaustive 3rd party evaluations.
  4. Customers control how they manage their own risks. The slide is a layered diagram of the control environment, flattened in this transcript:
     • AWS Managed and Audited Controls (AWS): SOC 1, SOC 2, PCI-DSS, NIST 800-53, ISO 27001
     • AWS Provided, Customer Configured and Managed Controls: Virtual Private Cloud, Key Management, Logging, other AWS features and services
     • Customer Provided and Managed Controls: Classification, Security Policy, Encryption, Governance, ITDaM, ITSM, Monitoring, Operations, Malware, Risk Management
     • Customers: Customer Risk Appetite and Desired Control Environment; Business Risks, Sourcing Risks, Technology Risks, Security Risks, Compliance
  5. Compliance Programs. Reports and letters of attestation are available for a number of certifications:
     • SOC 1 (Type 2): controls safeguarding customer data; auditor validated over a 6 month period. Evaluates control design and evidence of controls working (formerly SAS 70).
     • SOC 2 (Type 2): provides additional transparency into AWS security and availability, including BCP.
     • ISO 27001: widely adopted global security standard for ISMS. Evaluates management of information security risks that affect confidentiality, integrity and availability of company and customer information.
     • PCI DSS Level 3.0: customers can run PCI compliant technology infrastructure for storing, processing and transmitting credit card information to the cloud.
  6. Security Shared Responsibility Model. AWS is responsible for the security OF the cloud: AWS Foundation Services (Hypervisor, Compute, Storage, Network) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
  7. Security Shared Responsibility Model. Above the AWS Foundation Services (Hypervisor, Compute, Storage, Network) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations), for which AWS is responsible for the security OF the cloud, sits the customer layer: customer applications and content; Platform, Applications, Identity and Access Management; Operating System, Network and Firewall Configuration; Client-side data encryption; Server-side data encryption; Network Traffic Protection. The customer is responsible for configuring security IN the cloud.
  8. Data Locality
     • Customer chooses where to place data
     • AWS regions are geographically isolated by design
     • Data is not replicated to other AWS regions and doesn’t move unless you choose to move it
  9. AWS Employee Access: staff vetting and enforcement of the principle of least privilege
     • No logical access to customer instances
     • Control-plane access limited and monitored: bastion hosts, least privileged model, zoned data center access
     • Access based on strict business needs
     • Separate privileged account management systems
  10. For more on compliance… http://aws.amazon.com/compliance
     • Whitepapers
     • Workbooks
     • Reference Architectures
     • Security and privacy resources
  11. Security is our #1 priority
  12. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.” Tom Soderstrom, CTO, NASA JPL. Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations. Source: IDC 2013 U.S. Cloud Security Survey doc #242836, September 2013.
  13. AWS Security in Context: VISIBILITY, AUDITABILITY, CONTROL, AGILITY. Customers get more… through our…
  14. Visibility
  15. Visibility. Customers can see their entire infrastructure at a click of a mouse. Using AWS CloudTrail customers can continuously record activities happening on the AWS platform.
  16. Use cases enabled by AWS CloudTrail
     • Security Analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
     • Track Changes to AWS Resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes
     • Troubleshoot Operational Issues: identify the most recent actions made to resources in your AWS account
     • Compliance Aid: easier to demonstrate compliance with internal policies and regulatory standards
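The three CloudTrail use cases on slide 16 (security analysis, tracking resource changes, finding the most recent actions) are what a log analysis pipeline does with the trail's JSON records. The following is an added example written for this transcript, not code from the presentation or from AWS; the records are constructed to follow the CloudTrail record layout (eventName, eventSource, userIdentity, errorCode, additionalEventData) with made-up principals, IPs and resource ids, and the list of "mutating" API-name prefixes is an assumption chosen for the example rather than an AWS-defined list.

```python
import json
from collections import Counter

# Constructed sample trail (not real CloudTrail output). Field names follow the
# CloudTrail record format; every value is made up for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-05-27T01:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-example1"}},
    {"eventTime": "2015-05-27T01:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-05-27T02:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-05-27T02:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2015-05-27T02:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVolume", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"volumeId": "vol-example1"}},
]})

# Assumed heuristic for "this call changes a resource": CloudTrail does not
# classify calls, so the prefixes are chosen for the example.
MUTATING_PREFIXES = ("Create", "Delete", "Modify", "Authorize", "Revoke",
                     "Put", "Update", "Attach", "Detach")


def load_records(trail_json):
    """Parse one CloudTrail log file (a JSON object with a Records list)."""
    return json.loads(trail_json)["Records"]


def principal(record):
    """Best-effort name of who made the call."""
    ui = record.get("userIdentity", {})
    return ui.get("userName") or ui.get("arn") or ui.get("type", "unknown")


def resource_changes(records):
    """Track creation, modification and deletion of resources (slide 16).

    Calls that failed (errorCode present) changed nothing and are skipped.
    Returns (eventTime, principal, service, eventName) tuples.
    """
    changes = []
    for r in records:
        if r.get("errorCode"):
            continue
        if r["eventName"].startswith(MUTATING_PREFIXES):
            service = r["eventSource"].split(".")[0]
            changes.append((r["eventTime"], principal(r), service, r["eventName"]))
    return changes


def security_findings(records):
    """Security analysis: console logins without MFA and denied API calls."""
    findings = []
    for r in records:
        who = principal(r)
        mfa = r.get("additionalEventData", {}).get("MFAUsed")
        if r["eventName"] == "ConsoleLogin" and mfa == "No":
            findings.append((r["eventTime"], who, "console login without MFA"))
        if r.get("errorCode") == "AccessDenied":
            findings.append((r["eventTime"], who, "denied " + r["eventName"]))
    return findings


def activity_by_principal(records):
    """User behaviour pattern: call volume per (principal, source IP)."""
    return Counter((principal(r), r["sourceIPAddress"]) for r in records)


def recent_actions(records, n):
    """Troubleshooting: the n most recent actions in the account, newest first."""
    ordered = sorted(records, key=lambda r: r["eventTime"], reverse=True)
    return [(r["eventTime"], r["eventName"]) for r in ordered[:n]]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for line in resource_changes(recs) + security_findings(recs):
        print(line)
```

In production the same functions would run over every gzipped log file CloudTrail delivers to the S3 bucket, and the findings would feed the log management tooling the slide refers to; the point of the example is that each slide use case maps to a short query over the same record fields.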
  17. Visibility. AWS Trusted Advisor recommends security best practices (identifies potential security issues).
  18. Auditability
  19. Auditability. The AWS Config Service lets customers audit the historical configuration of resources and send notifications when those resources change. Use cases:
     • Security Analysis: Am I safe?
     • Audit Compliance: Where is the evidence?
     • Change Management: What will this change affect?
     • Troubleshooting: What has changed?
  20. Auditability. AWS Config Service: review the historical configuration of resources and send notifications when those resources change.
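Slides 19 and 20 describe AWS Config in terms of two capabilities: a per-resource configuration history that can be queried for any point in time (the evidence an auditor asks for) and a notification whenever a resource's configuration changes. The following is an added example, not the Config service or any AWS code: a small in-memory model of those two capabilities, with a constructed security-group history as input and a constructed "Am I safe?" check (ingress rule open to 0.0.0.0/0). The resource id, timestamps and rule shape are invented for the example.

```python
import bisect


def diff_config(old, new):
    """Keys whose value differs between two configuration snapshots.

    Returns {key: (old_value, new_value)}; a missing key reads as None.
    """
    keys = set(old) | set(new)
    return {k: (old.get(k), new.get(k)) for k in sorted(keys)
            if old.get(k) != new.get(k)}


class ConfigHistory:
    """Configuration history plus change notification, in the spirit of slide 19."""

    def __init__(self, notify):
        self.notify = notify            # called as notify(resource_id, time, changes)
        self._history = {}              # resource_id -> [(time, config), ...] in time order

    def record(self, resource_id, time, config):
        """Store a snapshot; notify only if it differs from the previous one."""
        items = self._history.setdefault(resource_id, [])
        previous = items[-1][1] if items else {}
        changes = diff_config(previous, config)
        items.append((time, dict(config)))
        if changes:
            self.notify(resource_id, time, changes)
        return changes

    def config_at(self, resource_id, time):
        """Configuration in effect at `time` (ISO 8601 strings sort correctly), or None."""
        items = self._history.get(resource_id, [])
        times = [t for t, _ in items]
        i = bisect.bisect_right(times, time)
        return items[i - 1][1] if i else None

    def history(self, resource_id):
        """Full evidence trail for a resource: every (time, config) snapshot."""
        return list(self._history.get(resource_id, []))


def open_to_world(config):
    """'Am I safe?' check: ingress rules reachable from any IPv4 address."""
    return [r for r in config.get("ingress", []) if r.get("cidr") == "0.0.0.0/0"]


def run_example():
    """Constructed history for one security group; returns (history, notices)."""
    notices = []
    hist = ConfigHistory(lambda rid, t, ch: notices.append((rid, t, ch)))
    internal_only = {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"}]}
    ssh_open = {"ingress": [{"port": 443, "cidr": "10.0.0.0/8"},
                            {"port": 22, "cidr": "0.0.0.0/0"}]}
    hist.record("sg-example1", "2015-05-27T00:00:00Z", internal_only)
    hist.record("sg-example1", "2015-05-27T01:00:00Z", ssh_open)
    hist.record("sg-example1", "2015-05-27T01:30:00Z", ssh_open)  # unchanged: no notice
    return hist, notices


if __name__ == "__main__":
    hist, notices = run_example()
    for rid, t, changes in notices:
        print(rid, t, changes)
    print(open_to_world(hist.config_at("sg-example1", "2015-05-27T02:00:00Z")))
```

The design point worth noticing is the split between the two questions on the slide: "What has changed?" is answered from the diff at recording time, while "Where is the evidence?" is answered later from the stored snapshots, so the history must be kept whether or not anyone was notified.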
  21. Control
  22. Control. AWS offers several flexible encryption options. Each option is described by four components (KMI, encryption method, key storage, key management), and the slide places the options on a scale from AWS managed to customer managed: AWS manages the method, storage and KMI; AWS provides key storage (AWS Key Management Service, AWS CloudHSM) while the customer manages the encryption method and the management layer of the KMI; the customer controls everything, e.g. KMI / keys stored on-premise and client-side encryption used. The slide labels the three options A, B and C.
  23. Control. AWS Key Management Service:
     • A managed service that makes it easy for you to create, control, and use your encryption keys
     • Integrated with AWS SDKs and AWS services including storage, compute and database / data warehouse
     • CloudTrail support
     AWS CloudHSM:
     • Dedicated Safenet Luna-based solution (FIPS 2 compliant)
  24. Control. Data Destruction:
     • Storage media destroyed before being permitted outside our datacenters
     • Media destruction consistent with US Dept. of Defense Directive 5220.22
  25. Control – Customers choose what they need. AWS delivers more control and granularity (AWS CloudHSM, Amazon VPC, AWS IAM, AWS Direct Connect):
     • Defense in depth
     • Application log file capture
     • Isolated, private networking environments
     • Fine grained access controls
     • Segregation of duties
     • Multi-factor authentication, identity federation
     • Single tenant / dedicated servers
     • Direct connections
     • HSM-based key storage
     • Multiple tiers of firewalls
  26. Agility
  27. New Security Features year to date: RDS Encryption using KMS; Oracle TDE with CloudHSM; S3 Endpoints in VPC; IAM Managed Policies; Glacier Vault Access Policies; …
  28. AWS Security Organization. Org chart on the slide: CEO, Amazon.com; Chief Information Security Officer (CISO); Operations, Engineering, Application Security, Compliance. Amazon’s Culture:
     • Everyone’s an owner
     • Decentralize – security engineers are embedded in service teams
     • Executive accountability
     • Metrics driven – measuring constantly
     • Five Whys to establish the cause of error
     • Test constantly
     • Understand normal and then identify anomalies
  29. Thank you. aws.amazon.com/compliance, aws.amazon.com/security, http://www.linkedin.com/in/karimhopper