
AWS Public Sector
Jerusalem | 19 Nov 2014

AWS Security & Compliance
CJ Moses, General Manager, Government Cloud Solutions

Security Is Our No.1 Priority
Comprehensive security capabilities to support virtually any workload:
• People & procedures
• Network security
• Physical security
• Platform security

SECURITY IS SHARED

What needs to be done to keep the system safe: what we do for you, and what you do yourself.
AWS secures the infrastructure (facilities, hardware, network, virtualization layer); you secure what you run on it (guest OS patching, IAM users and policies, security groups, encryption of your data).

EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES
Choose what's right for your enterprise.

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”
Tom Soderstrom, CTO, NASA JPL

IDC SURVEY: ATTITUDES AND PERCEPTIONS AROUND SECURITY AND CLOUD SERVICES
Nearly 60% of organizations agreed that CSPs (Cloud Service Providers) provide better security than their own IT organization.
Source: IDC 2013 U.S. Cloud Security Survey, Doc #242836, September 2013

AWS SECURITY OFFERS MORE: VISIBILITY, AUDITABILITY, CONTROL

MORE VISIBILITY

CAN YOU MAP YOUR NETWORK? WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
Every resource in AWS is created through an API call, so the inventory you would have to crawl for in a data center is a describe call away (DescribeInstances, DescribeSecurityGroups, and so on).

TRUSTED ADVISOR
Runs automated checks against your account and flags, among other things, security groups with ports open to 0.0.0.0/0, an account that is not using IAM, and a root account without MFA.

MORE AUDITABILITY

LOGS OBTAINED, RETAINED, ANALYZED

You are making API calls, on a growing set of services around the world. CloudTrail is continuously recording those API calls and delivering log files to you: each record names the caller (userIdentity), the service and action (eventSource, eventName), the time, the source IP address and the request parameters, and the files land as gzipped JSON in an S3 bucket you own, where you control retention.

AWS CLOUDTRAIL

• Security analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
• Track changes to AWS resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
• Troubleshoot operational issues: quickly identify the most recent changes made to resources in your environment.
• Compliance aid: easier to demonstrate compliance with internal policies and regulatory standards.
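The security-analysis and change-tracking uses above, as an added worked example that is not part of the deck and not AWS code: it parses a CloudTrail log file body of the shape CloudTrail delivers (a JSON object with a Records array; the real files arrive gzipped in S3, so wrap the read in gzip.open) and runs four detections over it, then lists the resource-changing calls in time order. The records, account ID, user names and IP addresses are constructed for the example; the field names (userIdentity, eventName, eventSource, additionalEventData.MFAUsed, requestParameters.ipPermissions) are CloudTrail's own.

```python
"""Simple detections over a CloudTrail log file (constructed sample data)."""
import json
from typing import Iterator

# Constructed sample in the shape CloudTrail delivers to S3 (an object with a
# "Records" array). These are illustrative events, not a real capture.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-11-19T09:58:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-11-19T10:02:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-11-19T10:10:01Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "requestParameters": {"name": "Default"}},
    {"eventTime": "2014-11-19T10:15:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"}},
]})

# Calls that switch off or alter the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# API name prefixes that create, modify or delete resources rather than read them.
CHANGE_PREFIXES = ("Create", "Delete", "Modify", "Update", "Put", "Attach",
                   "Detach", "Authorize", "Revoke", "Run", "Terminate", "Stop")


def load_records(text: str) -> list:
    """Parse one (decompressed) CloudTrail log file into its event records."""
    return json.loads(text)["Records"]


def actor(rec: dict) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def open_cidrs(rec: dict) -> Iterator[str]:
    """Yield the CIDRs named in an EC2 security-group ingress/egress request."""
    perms = rec.get("requestParameters", {}).get("ipPermissions", {})
    for perm in perms.get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            yield rng.get("cidrIp", "")


def detect(records: list) -> list:
    """Return (rule, eventTime, actor, detail) tuples for suspicious events."""
    findings = []
    for rec in records:
        name, when, who = rec["eventName"], rec["eventTime"], actor(rec)
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console-login-without-mfa", when, who, rec["sourceIPAddress"]))
        if name in TRAIL_TAMPERING:
            findings.append(("cloudtrail-tampering", when, who, name))
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(("root-account-used", when, who, name))
        if name in ("AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"):
            world = [c for c in open_cidrs(rec) if c in ("0.0.0.0/0", "::/0")]
            if world:
                group = rec["requestParameters"].get("groupId", "?")
                findings.append(("security-group-open-to-world", when, who, f"{group} {world}"))
    return findings


def change_history(records: list) -> list:
    """Resource-changing calls in time order: the 'what changed recently' view."""
    changes = [(r["eventTime"], actor(r), r["eventSource"], r["eventName"])
               for r in records if r["eventName"].startswith(CHANGE_PREFIXES)]
    return sorted(changes)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for f in detect(recs):
        print("ALERT", *f)
    for c in change_history(recs):
        print("CHANGE", *c)
```

On the sample the four rules fire four times (a console login without MFA, a security group opened to the world, and the root account stopping the trail counts twice: once as tampering and once as root use), and the change history contains only the two write calls. The same loop works unchanged over every file in the bucket; keep the rules in one place so the list of "never normal" API names grows with the services you use.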

   

MORE CONTROL

DEFENSE IN DEPTH
Multi-level security:
• Physical security of the data centers
• Network security
• System security
• Data security

AWS SECURITY DELIVERS MORE CONTROL & GRANULARITY
Customize the implementation based on your business needs:
• Defense in depth
• Rapid scale for security
• Automated checks with AWS Trusted Advisor
• Fine grained access controls (AWS IAM)
• Server side encryption
• Multi-factor authentication
• Dedicated instances (Amazon VPC)
• Direct connection, Storage Gateway (AWS Direct Connect, AWS Storage Gateway)
• HSM-based key storage (AWS CloudHSM)

LEAST PRIVILEGE PRINCIPLE AT AWS

• Confine roles only to the material required to do specific work
• Separate networks for corporate work vs. accessing customer data
• Must have a business need-to-know about sensitive information like data center locations
• Must have a business need-to-know in order to access data centers

SIMPLE SECURITY CONTROLS
Are the easiest to get right, easiest to audit, and easiest to enforce.

AWS IAM: IDENTITY & ACCESS MANAGEMENT

CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT
Create IAM users, groups and roles instead of sharing the account's root credentials, and attach JSON policies that list the actions and resources each one may use. Evaluation starts from deny: a request is allowed only if some policy allows it and no policy explicitly denies it, so an explicit Deny always wins.

MFA DELETE PROTECTION
With versioning and MFA Delete enabled on an S3 bucket, permanently deleting an object version or changing the bucket's versioning state requires the account's root credentials plus a code from the registered MFA device, so a stolen access key alone cannot wipe the history. MFA Delete is set through the API or CLI (put-bucket-versioning with the --mfa option, not the console), and IAM policies can require MFA for other sensitive actions with the aws:MultiFactorAuthPresent condition key.
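How a policy is evaluated against a request, as an added example that is neither from the deck nor the IAM engine itself: a small evaluator modelling Effect, Action, Resource, IAM wildcards and the Bool/BoolIfExists condition operators, plus a linter that flags the two shapes that break least privilege on this slide and the one before it, wildcard actions on every resource and deletion rights that are not gated on MFA. The bucket name, Sids and both policies are constructed; the condition key aws:MultiFactorAuthPresent, the wildcard rules and the Deny-wins rule are IAM's. NotAction, NotResource, Principal and the other condition operators are deliberately out of scope.

```python
"""Minimal IAM policy evaluator and least-privilege linter (constructed example)."""
import re


def _glob(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' is any run of characters, '?' a single character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, ctx: dict) -> bool:
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key not in ctx:
                # A missing key makes Bool false; BoolIfExists treats it as satisfied.
                if operator == "Bool":
                    return False
                continue
            if str(ctx[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict = None) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' (the default)."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(_glob(a, action, ignore_case=True) for a in _as_list(st.get("Action", []))):
            continue  # action names are case-insensitive, resources are not
        if not any(_glob(r, resource) for r in _as_list(st.get("Resource", []))):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny ends evaluation
        decision = "Allow"
    return decision


def lint(policy: dict) -> list:
    """Flag Allow statements that are broader than least privilege."""
    issues = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            issues.append(f"statement {i}: wildcard actions {actions} on every resource")
        if any(_glob("*:Delete*", a, ignore_case=True) for a in actions) and "Condition" not in st:
            issues.append(f"statement {i}: deletion allowed without any condition (e.g. MFA)")
    return issues


# Constructed policies: a common over-broad one and a scoped replacement.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

BUCKET = "arn:aws:s3:::example-records"  # constructed bucket name
LEAST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Sid": "ReadWriteReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/reports/*"},
    {"Sid": "DeleteOnlyWithMFA", "Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"], "Resource": BUCKET + "/reports/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenyVersionDeleteWithoutMFA", "Effect": "Deny",
     "Action": "s3:DeleteObjectVersion", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
]}

if __name__ == "__main__":
    obj = BUCKET + "/reports/q3.csv"
    print(lint(BROAD), lint(LEAST))
    print(evaluate(LEAST, "s3:GetObject", obj))
    print(evaluate(LEAST, "s3:DeleteObjectVersion", obj))
    print(evaluate(LEAST, "s3:DeleteObjectVersion", obj, {"aws:MultiFactorAuthPresent": True}))
```

The Deny statement uses BoolIfExists rather than Bool on purpose: aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys, a plain Bool false never matches a missing key, and the deny would silently not fire for exactly the credentials most likely to be stolen.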

YOUR DATA STAYS WHERE YOU PUT IT
Objects and volumes live only in the region you select; AWS does not replicate them to another region unless you do so yourself.

AWS GLOBAL INFRASTRUCTURE
• 11 Regions
• 28 Availability Zones
• 54 Edge Locations

USE MULTIPLE AZs
• Amazon S3
• Amazon DynamoDB
• Amazon RDS Multi-AZ
• Amazon EBS snapshots

ENCRYPT YOUR DATA
• AWS CloudHSM
• AWS Key Management Service
• Amazon EBS
• Amazon S3 SSE
• Amazon Glacier
• Amazon Redshift
• Amazon RDS

DATA ENCRYPTION
Choose what's right for you:
• Automated: AWS manages encryption (e.g. S3 SSE)
• Enabled: user manages encryption using AWS (e.g. AWS CloudHSM, AWS KMS)
• Client-side: user manages encryption using their own means

AWS CLOUDHSM
• Managed and monitored by AWS, but you control the keys
• Increase performance for applications that use HSMs for key storage or encryption
• Comply with stringent regulatory and contractual requirements for key protection
(Diagram: an EC2 instance connected to AWS CloudHSM appliances)

AWS KEY MANAGEMENT SERVICE
Managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. Integrated with other AWS services including Amazon EBS, Amazon S3, Amazon Redshift and AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs. The master key never leaves the service: applications ask it for a data key, receive that key both in plaintext and encrypted under the master key, encrypt their data locally, and store the encrypted data key alongside the ciphertext.
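The key hierarchy behind KMS and CloudHSM, as an added example that is not the deck's material and not the KMS implementation: a master key that never leaves an in-process stand-in for the HSM, data keys generated under it and returned in both plaintext and wrapped form, objects encrypted locally with the data key, and an audit entry for every HSM call (the part CloudTrail records for KMS). The Hsm class, key ids and caller names are constructed; the authenticated cipher (HMAC-SHA256 keystream with an encrypt-then-MAC tag) stands in for AES-GCM only because the standard library has no AES, and a real deployment uses AES-GCM through the cryptography package or the AWS Encryption SDK.

```python
"""Envelope encryption with a master key that never leaves the 'HSM' (constructed example)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC(enc_key, nonce || counter) blocks; stand-in for AES-CTR."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = _prf(enc_key, nonce + struct.pack(">Q", i // BLOCK))
        out.extend(b ^ k for b, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def _tag(mac_key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the AAD so (aad, nonce, ct) boundaries are unambiguous.
    return _prf(mac_key, struct.pack(">I", len(aad)) + aad + nonce + ct)


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """nonce || ciphertext || tag; `aad` is authenticated but not encrypted."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")  # split key by purpose
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + _tag(mac_key, aad, nonce, ct)


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, aad, nonce, ct)):
        raise ValueError("authentication failed: ciphertext, AAD or key is wrong")
    return _keystream_xor(enc_key, nonce, ct)


class Hsm:
    """Stand-in for CloudHSM/KMS: holds master keys, exposes only key operations,
    and records every call (the role CloudTrail plays for KMS)."""

    def __init__(self):
        self._masters = {}   # master key material never leaves this object
        self.audit = []      # (operation, key id, caller)

    def create_key(self, key_id: str) -> None:
        self._masters[key_id] = os.urandom(32)
        self.audit.append(("CreateKey", key_id, "-"))

    def generate_data_key(self, key_id: str, caller: str):
        """Return (plaintext data key, wrapped data key). The wrapped form names
        the master key so Decrypt can find it, as a KMS ciphertext blob does."""
        data_key = os.urandom(32)
        kid = key_id.encode()
        wrapped = (struct.pack(">H", len(kid)) + kid
                   + aead_encrypt(self._masters[key_id], data_key, aad=kid))
        self.audit.append(("GenerateDataKey", key_id, caller))
        return data_key, wrapped

    def decrypt_data_key(self, wrapped: bytes, caller: str) -> bytes:
        (n,) = struct.unpack(">H", wrapped[:2])
        kid = wrapped[2:2 + n]
        key_id = kid.decode()
        self.audit.append(("Decrypt", key_id, caller))
        return aead_decrypt(self._masters[key_id], wrapped[2 + n:], aad=kid)


def encrypt_object(hsm: Hsm, key_id: str, plaintext: bytes, caller: str) -> dict:
    """Client side: bulk data is encrypted locally; only the data key touches the HSM."""
    data_key, wrapped = hsm.generate_data_key(key_id, caller)
    body = aead_encrypt(data_key, plaintext, aad=wrapped)  # bind the body to its key
    return {"wrapped_key": wrapped, "body": body}


def decrypt_object(hsm: Hsm, obj: dict, caller: str) -> bytes:
    data_key = hsm.decrypt_data_key(obj["wrapped_key"], caller)
    return aead_decrypt(data_key, obj["body"], aad=obj["wrapped_key"])


if __name__ == "__main__":
    hsm = Hsm()
    hsm.create_key("alias/records")
    obj = encrypt_object(hsm, "alias/records", b"classified report", "alice")
    print(decrypt_object(hsm, obj, "bob"))
    print(hsm.audit)
```

Two things follow from the structure. Reading an object needs a Decrypt call against the master key, so every read is in the audit log and can be cut off by revoking the caller's access to that key, without re-encrypting terabytes of data; and the same aead_encrypt with a key you keep yourself is the "client-side" option from the previous slide, at the cost of doing your own key storage, rotation and auditing.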

 

AWS CodeDeploy
AWS CodeDeploy is a service that automates code deployments to Amazon EC2 instances. AWS CodeDeploy makes it easier for you to rapidly release new features, helps you avoid downtime during deployment, and handles the complexity of updating your applications. You can use AWS CodeDeploy to automate deployments, eliminating the need for error-prone manual operations, and the service scales with your infrastructure so you can easily deploy to one EC2 instance or thousands.

AWS CodeCommit
AWS CodeCommit is a secure, highly scalable, managed source control service that hosts private Git repositories. CodeCommit eliminates the need for you to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to store anything from code to binaries, and it supports the standard functionality of Git, allowing it to work seamlessly with your existing Git-based tools. Your team can also use CodeCommit's online code tools to browse, edit, and collaborate on projects. CodeCommit will be available in early 2015.

AWS CodePipeline
AWS CodePipeline is a continuous delivery and release automation service that aids smooth deployments. You can design your development workflow for checking in code, building the code, deploying your application into staging, testing it, and releasing it to production. You can integrate 3rd party tools into any step of your release process or you can use CodePipeline as an end-to-end solution. CodePipeline enables you to rapidly deliver features and updates with high quality through the automation of your build, test, and release process. CodePipeline will be available in early 2015.

MORE AUDITABILITY, MORE VISIBILITY, MORE CONTROL

AWS SECURITY WHITEPAPERS
• Risk & Compliance
• Auditing Security Checklist
• Security Processes
• Security Best Practices

AWS Government, Jerusalem | 19 Nov 2014

THANK YOU
CJ Moses, General Manager, Government Cloud Solutions
aws.amazon.com/security