
www.cloudsec.com | #cloudsec

Innovation (and security) by design

SeungDoYang | Sr. Mgr, Solutions Architect, Amazon Web Services Korea

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Where are Enterprises Innovating?

AI/ML, HPC, IoT/Edge, Big Data


Dev & test New applications Digital Analytics

Mobile Datacenter migration Mission-critical applications All-in

Common Use Cases for Cloud Adoption


Innovation at Amazon


1994 Founded

1995 Amazon.com

1998 Added CDs & DVDs

2006 Amazon Web Services

2007 Kindle

2011 Video

2012 Groceries

2014 Alexa/Echo

2015 Bookstores

2017 Go

http://phx.corporate-ir.net/phoenix.zhtml?c=176060&p=irol-corporatetimeline


How can enterprises devote more resources to the things that matter and move faster while being more secure?


Why is security traditionally so hard?

Lack of visibility

Low degree of automation


Before…

Move fast OR Stay secure


Now…

Move fast AND Stay secure


The most sensitive workloads run on AWS

“With AWS, DNAnexus enables enterprises worldwide to perform genomic analysis and clinical studies in a secure and compliant environment at a scale not previously possible.”

— Richard Daly, CEO DNAnexus

“The fact that we can rely on the AWS security posture to boost our own security is really important for our business. AWS does a much better job at security than we could ever do running a cage in a data center.”

— Richard Crowley, Director of Operations, Slack

“We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.”

— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)


Move to AWS: Strengthen your security posture

• Inherit global security and compliance controls
• Highest standards for privacy and data security
• Largest network of security partners and solutions
• Scale with superior visibility and control
• Automate with deeply integrated security services


Inherit global security and compliance controls


Scale with visibility and control


Highest standards for privacy

• Meet data residency requirements: Choose an AWS Region and AWS will not replicate it elsewhere unless you choose to do so
• Encryption at scale with keys managed by our AWS Key Management Service (KMS) or managing your own encryption keys with CloudHSM using FIPS 140-2 Level 3 validated HSMs
• Comply with local data privacy laws by controlling who can access content, its lifecycle, and disposal
• Access services and tools that enable you to build compliant infrastructure on top of AWS


Automate with integrated services

Automated threat remediation: Amazon GuardDuty → CloudWatch Events (Amazon CloudWatch) → Lambda function (AWS Lambda)


Largest ecosystem of security partners and solutions

• Infrastructure security
• Logging & monitoring
• Identity & access control
• Configuration & vulnerability analysis
• Data protection


AWS security solutions

• Identity: AWS Identity & Access Management (IAM), AWS Directory Service, AWS Organizations, AWS Secrets Manager, AWS Single Sign-On, Amazon Cognito
• Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
• Infrastructure security: AWS Systems Manager, AWS Shield, AWS WAF – Web application firewall, AWS Firewall Manager, Amazon Inspector, Amazon Virtual Private Cloud (VPC)
• Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, Server-Side Encryption
• Incident response: AWS Config Rules, AWS Lambda


Shared responsibility model

AWS Customers control their own security policy

Customers have their choice of security configurations IN the Cloud

AWS is responsible for the security OF the Cloud


A Financial Customer’s Journey to the Cloud

2015: 2 Accounts | 20 VPCs

Production, Non-Prod


A Financial Customer’s Journey to the Cloud

2015: 2 Accounts | 20 VPCs
2016: 29 Accounts | 62 VPCs

Production, Non-Prod


A Financial Customer’s Journey to the Cloud

2015: 2 Accounts | 20 VPCs
2016: 29 Accounts | 62 VPCs
2017: 35 Accounts | 35 VPCs

Production, Non-Prod, Shared Services, Security, Data Center


Financial Customer: Where are they today

Architecture diagram (labels only): AWS Cloud, Virtual Private Cloud, VPC subnet, Auto Scaling group, Security group, Non-Prod, Prod, VPC peering, DNS, SSO, Logging, Log Analysis, Shared Services, Security, Corporate data center.

Services shown: AWS IAM, AWS KMS, Amazon CloudWatch, AWS CloudTrail, AWS Config, AMI, Flow logs, Amazon EC2, Elastic Load Balancing, Amazon RDS, Amazon SQS, Amazon SES, Amazon S3, AWS Direct Connect.


Financial Customer: Where are they today

Architecture diagram (labels only): Shared Services, Security, Data Center, AWS Cloud, Virtual Private Cloud, VPC subnet, Auto Scaling group, Security group, Non-Prod, Prod.

Services shown: AWS IAM, AWS KMS, Amazon CloudWatch, AWS CloudTrail, AWS Config, AMI, Flow logs, Amazon EC2, Elastic Load Balancing, Amazon RDS, Amazon SQS, Amazon SES, Amazon S3, AWS Direct Connect.


Use Case 1: Deep Security with AWS GuardDuty

Automate and orchestrate incident response when a potential threat is detected


Use Case 2: Deep Security SIEM Integration

Easily integrates with Security Information and Event Management (SIEM) solutions

Easily integrates with SIEM, e.g. Sumo Logic, through an installed Collector and Syslog source


Use Case 3: Deep Security SAML Integration

Diagram labels: Directory Server, Identity Provider, Deep Security Manager, Group, Claim, Roles, User account

Seamlessly sign on to Deep Security using an organisation account, with the option to implement user authentication access controls such as:
• Password strength or change enforcement
• One-time Password
• Two-factor Authentication (2FA) or Multi-factor Authentication (MFA)


Use Case 4: Deep Security Rapid Deployment using CloudFormation

Automate deployment using AWS CloudFormation
• Uses AWS Best Practices
• High Availability through multi-AZ
• Pre-configured Security Group


Use Case 5: Managed Security Services

• Security Operations Monitoring
• Security Logs & Event Management
• Security Analytics
• Intrusion Detection and Prevention
• Web Application Security
• Next Generation Firewalls
• Endpoint Protection
• Data Loss Prevention
• Websites & Content Filtering
• Advanced Threat Intelligence
• Periodic Vulnerability Assessment
• Cloud Audit & Compliance
• Container Security


Security is no longer an obstacle standing in the way of cloud adoption!


Security and compliance are now becoming an important reason to adopt the cloud!


THANK YOU