Over A Million Active Customers Running Every Imaginable Use Case
1500+ Government Agencies
3600+ Education Institutions
190 Countries
11,200+ Nonprofits
Rate of Customers Requesting Compliance Reports and Certifications
[Chart: Revenue Tier (x-axis: Top 10, Top 25, Top 50, Top 100, Top 500, Top 5000) against Percentage of Customers Requesting Compliance Reports/Certs (y-axis). Compliance Report Requested: 50%, 60%, 64%, 88%, 83%, 95%. No Compliance Report Requested: 50%, 40%, 36%, 12%, 17%, 5%.]
Customers
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters.”
CTO, Space Agency
Industry Analysts
“… We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”
Security’s Cloud Revolution is Upon Us, Forrester Research, Inc., August 2, 2013
The security paradigm shifted
Legacy Datacenters:
• Big Perimeter
• End-to-End Ownership
• Build it all yourself
• Server-centric approach
• Self-managed Services
• Static Architecture
• De-centralized Administration
AWS:
• Micro-Perimeters
• Own just enough
• Focus on your core value
• Service-Centric
• Platform Services
• Continuously Evolving
• Central Control Plane (API)
Security & compliance requirements from every industry
Nothing better for the entire community than a tough set of customers…
[Diagram: Financial Requirements, Health Care Requirements and Government Requirements all feed into the Security Infrastructure Requirements that apply to Everyone’s Systems and Applications.]
Security & compliance is a shared responsibility
Customers are responsible for their security IN the Cloud:
• Customer Applications & Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
Let AWS take care of the heavy lifting for you
AWS provides:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
Customer manages:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Service configuration
• AuthN & account management
• Authorization policies
Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.
Rapid pace of security innovation & customer driven improvements
[Chart: Security, compliance, governance, and audit related launches and updates per year, 2007 to 2014; values shown: 48, 61, 82, 159, 280, 516; 40%.]
Physical Security of Data Centers
Amazon has been building large-scale data centers for many years
Important attributes:
‒ Non-descript facilities
‒ Robust perimeter controls
‒ Strictly controlled physical access
‒ 2 or more levels of two-factor auth
Controlled, need-based access
All access is logged and reviewed
Separation of Duties: employees with physical access don’t have logical privileges
Network Security
Distributed Denial of Service (DDoS):
• Standard mitigation techniques in effect for AWS API endpoints
Man in the Middle (MITM):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot
IP Spoofing:
• Prohibited at host OS level
Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Inbound ports blocked by default
Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level
AWS reduces common attack vectors at the infrastructure level.
Your Role in Securing AWS is Well-Defined
Customer: Security in the Cloud
• Customer Data
• Applications, Identity & Access Mgmt
• OS, Network, Firewall
• Client-side Encryption, Server-side Encryption, Network Traffic Protection
AWS: Security of the Cloud
• Compute, Storage, Networking
• AWS Global Infrastructure (Regions, AZs, Edge Locations)
… but the security technology has lagged
Customer layers: Customer Data; Applications, Identity & Access Mgmt; OS, Network, Firewall; Client-side Encryption, Server-side Encryption, Network Traffic Protection
Traditional technologies:
• Network Appliances
• Host-based Agents
• IP-based scanners
• Log Analytics
• DLP & Encryption
• Manual Audits
These technologies don’t embrace cloud values…
Host-centric Security Strategies fail in AWS
Protecting the host (EC2) while ignoring the services is a bad decision.
Your most critical data often lives in S3, Glacier, RDS, Redshift, and other key services.
Security by Design – SbD
• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing
Services: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config, Amazon Inspector
Provides control insights throughout the IT management process
Amazon Virtual Private Cloud (VPC)
Specify your private IP address range into one or more public or private subnets
Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted IPsec VPN connection
Create a logically isolated environment in Amazon’s highly scalable infrastructure
AWS Key Management Service (KMS)
• Centralized control of YOUR encryption keys
• Designed for Scalability and Throughput
• Is a multi-tenant service
• Integrated with other AWS services including Amazon EBS, Amazon S3, and Amazon Redshift
• Integrated with CloudTrail – logs key usage
• Easily implement and audit key creation, rotation, usage policies
CloudHSM
Hardware Security Modules: real hardware in the cloud.
• Secure, Reliable & Durable Key Storage: available in multiple AZs and Regions, or replicate to on-premise HSMs
• Tamper-resistant and Tamper Evident
• Customer controlled hardware security module within your VPC
• Only the customer has access to keys; Amazon administrators who manage and maintain the appliance do not
• Common Criteria EAL4+, NIST FIPS 140-2 Level 2
Key governance questions
• What do I have?
• How is it performing?
• Who is controlling it?
• What is it costing me?
• Is it secure and compliant?
• Are changes occurring with the right processes and protections?
The AWS cloud allows for advanced governance
Manual auditing in a simple world | Governance in a complex world
Thick procedure manuals | Software-enforced processes
Periodic surveys | Alarming/triggering
Few truly automated controls | Ubiquitous, software-driven, predictable controls
Sample testing, hoping | Full population monitoring, test of 1
AWS and governance
AWS capabilities and services provide key building blocks for systems that answer these questions
Better answers than ever before in traditional infrastructure
Integration challenges remain, but don’t be constrained by on-prem systems when leveraging the cloud
AWS Config Relationships
Resources are related to each other:
• Permissions applied to a server or instance
• Amazon EBS volume attached to an Amazon EC2 instance
• Network interfaces
• An instance is contained in a subnet or VPC
AWS Config Rules
• Flexible rules evaluated continuously and retroactively
• Dashboard and reports for common goals
• Customizable remediation
• API automation
AWS Config Rules benefits
Continuous monitoring for unexpected changes
Shared compliance across your organization
Simplified management of configuration changes
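As an added example of the "flexible rules" and "API automation" described above (written for this page, not code from the deck or from AWS): a custom AWS Config rule as a Python Lambda handler that marks a security group NON_COMPLIANT when a sensitive port is open to the whole internet. The event layout follows what Config passes to custom rules; the group id, the sensitivePorts parameter name and the port list are assumptions.

```python
import json
# Constructed sample in the shape AWS Config passes to a custom rule's Lambda
# (invokingEvent / ruleParameters are JSON strings); ids and ports are made up.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2015-10-01T12:00:00.000Z",
        "configuration": {"groupName": "web-tier", "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}}),
    "ruleParameters": json.dumps({"sensitivePorts": "22,3389,3306"}),
    "resultToken": "constructed-token",
}
WORLD = {"0.0.0.0/0", "::/0"}  # unrestricted IPv4 / IPv6 source ranges

def _open_to_world(rule):
    # True when any IPv4 or IPv6 source range of this ingress rule is unrestricted
    cidrs = [r.get("cidrIp") for r in rule.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)

def _covers_port(rule, port):
    if rule.get("ipProtocol") == "-1":  # -1 means all protocols and ports
        return True
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi

def evaluate_compliance(configuration_item, sensitive_ports):
    """Return (ComplianceType, Annotation) for one recorded security group."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule evaluates security groups only"
    rules = configuration_item.get("configuration", {}).get("ipPermissions", [])
    exposed = sorted(p for p in sensitive_ports
                     if any(_covers_port(r, p) and _open_to_world(r) for r in rules))
    if exposed:
        return "NON_COMPLIANT", "Sensitive ports open to the world: %s" % exposed
    return "COMPLIANT", "No sensitive port is reachable from 0.0.0.0/0 or ::/0"

def lambda_handler(event, context=None):
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    ports = [int(p) for p in params.get("sensitivePorts", "22,3389").split(",")]
    compliance, note = evaluate_compliance(ci, ports)
    # A deployed rule sends this via boto3 config.put_evaluations(); omitted to run offline.
    return {"ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"], "ComplianceType": compliance,
            "Annotation": note, "OrderingTimestamp": ci["configurationItemCaptureTime"]}
```

Because Config re-evaluates on every configuration change, a group that is opened later is flagged as well, which is the continuous-monitoring benefit listed above.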
Why Amazon Inspector?
Securing infrastructure is often expensive and hard to do effectively.
• Inspector is automated, repeatable, and designed to reduce cost.
• Uses AWS security knowledge to strengthen customer servers, services, and infrastructure.
• Delivers actionable findings that are carefully explained and help with their resolution.
Features
• Configuration Scanning and Activity Monitoring Engine
• Selectable built-in rules
• Security findings – guidance and management
• Automatable via APIs
Rule packages
• CVE (common vulnerabilities and exposures)
• Network security best practices
• Authentication best practices
• Operating system security best practices
• Application security best practices
• PCI DSS 3.0 readiness
Amazon Inspector benefits
Increased agility
Embedded expertise
Improved security posture
Streamlined compliance
Risk & Compliance Whitepaper
“Shared Responsibility Model”
[Diagram: Compliance Governance, Risk Management, Control Environment, Information Security and AWS Global Regions, surrounded by the programs covered: FedRAMP(SM), FIPS 140-2, SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3, FISMA & DIACAP, CSA Consensus Assessment Questionnaire, PCI DSS Level 1, MPAA, ITAR, ISO 27001, HIPAA.]
http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
PCI Overview
AWS is a Level 1 service provider (the highest level)
Compliant with the newly released DSS version 3.1, published in April 2015.
https://aws.amazon.com/compliance/pci-dss-level-1-faqs/
PCI Package Use Case
Customer wants to process, store or transmit credit card information using AWS
Customer wants to learn more about AWS PCI Compliance
Customer is being audited by their QSA (Qualified Security Assessor)
Customer is preparing for an audit and/or monitoring their environment for PCI compliance
PCI Package: What we Provide
AWS provides customers and customer’s auditors with:
• Attestation of Compliance (AoC)
• PCI Responsibility Summary
AWS PCI Responsibility Summary provides:
• Description of the in-scope services
• Customer implementation considerations
• Overview of shared responsibility
Additional resources for Customers
aws.amazon.com/compliance
AWS Certifications and FAQs: SOC 1 FAQs, ISO 27001 FAQs, PCI DSS Level 1 FAQs, FedRAMP FAQs, ISO 9001 FAQs, DoD CSM FAQs
Conclusions
Security is critical
We’re creating tools to make it easier
We’re creating ways to help you build a world-class team
You can move fast and stay safe