AWS security and compliance: WWPS pre-day, São Paulo (Mark Ryland)
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Meeting Government Security & Compliance
Requirements with Secure AWS Infrastructure
Mark Ryland
Chief Solutions Architect
Worldwide Public Sector Team
Security is the foundation of everything we do at AWS
Physical Security
Network Security
Platform Security
People & Procedures
Familiar security model
Requirements from toughest customers; audited and validated by experts
Every Customer Benefits
Security & compliance is a shared responsibility
Customers have their choice of security configurations IN the Cloud:
  Customer applications & content
  Client-side Data Encryption / Server-side Data Encryption / Network Traffic Protection
  Platform, Applications, Identity & Access Management
  Operating System, Network, & Firewall Configuration
AWS is responsible for the security OF the Cloud:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Build everything on a constantly improving security baseline
AWS is responsible for the security OF the Cloud:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
GxP, ISO 13485, AS9100, ISO/TS 16949
The AWS approach to security of the cloud
Simple Security Controls
Easy to Get Right
Easy to Audit
Easy to Enforce
11 Regions
28 Availability Zones
53 Edge Locations
Single Security Posture Across Global Infrastructure
Customer chooses regional location of systems and data
Security is familiar
• We make security at AWS familiar (mostly)
based on what you are doing right now
– Control and isolation
– Visibility
– Auditability
– Agility
AWS Marketplace: One-stop shop for familiar tools
Advanced Threat Analytics
Application Security
Identity and Access Mgmt
Encryption & Key Mgmt
Server & Endpoint Protection
Network Security
Vulnerability & Pen Testing
Rich control with AWS’s powerful Identity & Access Management capabilities
Authentication:
• Multiple options including rich SAML federation capabilities, MFA, web identities
• Clean separation of identity from proof of identity
• Roles are powerful and flexible pseudo-principals that can be assumed by other identities
• Federation scenarios
• Cross-account access
Rich control with Identity & Access Management…
Authorization:
• Groups and roles are the “containers” for access policies
• Flexible, powerful policy language with extremely granular controls and conditions
– E.g., time of day or week, source CIDR, MFA required, user agent, etc.
• Applies to all infrastructure and services
• Applies to all forms of access, regardless of tools (console/CLI/API)
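To make the condition bullets concrete, here is an added example (not from the presentation) that models, in a deliberately simplified way, how three of the conditions named on the slide (source CIDR, MFA required, time of day) gate a request. It is not AWS's evaluation engine: only these operators are modelled, and the policy values and request contexts are constructed placeholders.

```python
# Added example, not from the presentation: a deliberately simplified model of how IAM
# policy Conditions gate a request. Real IAM evaluation has many more operators and
# rules (explicit deny, resource policies...); only the slide's three condition types
# are modelled here: source CIDR, MFA presence and a time window.
import ipaddress
from datetime import datetime, timezone

# Constructed policy: S3 reads only from the corporate CIDR, with MFA, in a time window.
# Operators and condition keys are real IAM names; the values are placeholders.
POLICY = {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
        "DateGreaterThan": {"aws:CurrentTime": "2015-06-01T08:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2015-06-01T18:00:00Z"},
    },
}

def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def condition_holds(operator, key, expected, context):
    """Evaluate one condition entry against the request context."""
    actual = context.get(key)
    if actual is None:  # a key absent from the request context never satisfies a condition
        return False
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if operator == "Bool":
        return str(actual).lower() == expected.lower()
    if operator == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(expected)
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(expected)
    raise ValueError(f"unsupported operator {operator}")

def is_allowed(policy, action, context):
    """Allow only if the action is listed and every condition block holds (all are ANDed)."""
    if action not in policy["Action"]:
        return False
    for operator, entries in policy["Condition"].items():
        for key, expected in entries.items():
            if not condition_holds(operator, key, expected, context):
                return False
    return policy["Effect"] == "Allow"
```

A request that fails any single condition (wrong network, no MFA, outside the window) is refused, which is the granularity the slide is pointing at.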
Network isolation with Virtual Private Cloud
Define your own address space as an extension of your private network
Connect to your private network with a VPN tunnel or Direct Connect
Configure Security Groups (virtual firewalls) for all EC2 instances; update fleet firewall rules with a single API call
Configure Network Access Control Lists for subnet-level isolation and control
Enhanced isolation and control with encryption
Automatic encryption with managed keys (Key Management Service)
Dedicated hardware security modules (Cloud HSM)
Bring and use your own keys
AWS Key Management Service
• Highly-available managed regional service that makes it easy for you to create, control, and use your data protection keys
• Integrated with AWS SDKs and AWS services including Amazon EBS, Amazon S3, and Amazon Redshift
• Integrated with AWS CloudTrail to provide auditable logs to help your regulatory and compliance activities
Security is Visible
• Who is accessing the resources?
• Who took what action?
– When?
– From where?
– What did they do?
– Logs, logs, logs
AWS CLOUDTRAIL
You are making API calls...
On a growing set of services around the world…
AWS CloudTrail is continuously recording API calls…
And delivering log files to you
Use cases enabled by CloudTrail
• Security Analysis
• Track Changes to AWS Resources
• Troubleshoot Operational Issues
• Compliance Aid
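The "who, what, when, from where" questions above are answered directly from CloudTrail records. Here is an added example (not from the presentation) that flattens constructed records into those four columns and flags the ones a security analyst would want to review: use of root credentials, or calls from outside a trusted address range. The record shape follows CloudTrail's JSON format; the names, addresses and account id are placeholders.

```python
# Added example, not from the presentation: answer the slide's questions (who took what
# action, when, from where) over CloudTrail records and flag records worth reviewing.
# The records below are constructed to follow CloudTrail's record shape; the names,
# addresses and account id are placeholders.
import ipaddress
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-05-04T13:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-05-04T13:05:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2015-05-04T13:07:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0placeholder"}},
]})

def who(identity):
    """Best-effort principal name from the userIdentity block."""
    return identity.get("userName") or identity.get("arn", "unknown")

def summarize(log_text):
    """Flatten records into (who, what, when, where) tuples."""
    records = json.loads(log_text)["Records"]
    return [(who(r["userIdentity"]), f'{r["eventSource"]}:{r["eventName"]}',
             r["eventTime"], r["sourceIPAddress"]) for r in records]

def flag_records(log_text, trusted_cidrs):
    """Return (event, who, reasons) for records that used root credentials or came from
    outside the trusted CIDRs. Calls that AWS services make on your behalf carry a
    service hostname instead of an address, so they are skipped by the CIDR check."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for r in json.loads(log_text)["Records"]:
        reasons = []
        if r["userIdentity"]["type"] == "Root":
            reasons.append("root credentials used")
        src = r["sourceIPAddress"]
        try:
            if not any(ipaddress.ip_address(src) in n for n in nets):
                reasons.append(f"source {src} outside trusted CIDRs")
        except ValueError:
            pass  # service principal hostname, not an IP address
        if reasons:
            findings.append((r["eventName"], who(r["userIdentity"]), reasons))
    return findings
```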
AWS Config
AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
Continuous change recording: changing resources are recorded by AWS Config, which produces a history, a stream, and snapshots (ex. 2014-11-05)
AWS Config
Use cases enabled by Config
• Security Analysis: Am I safe?
• Audit Compliance: Where is the evidence?
• Change Management: What will this change affect?
• Troubleshooting: What has changed?
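Two of the Config questions above, "what has changed?" and "am I safe?", come down to comparing recorded configuration items. Here is an added example (not from the presentation) that does this for one security group across two constructed snapshots: it diffs the ingress rules between captures and reports any admin port left open to the entire internet. Field names follow the shape of AWS Config configuration items; the resource id, timestamps and addresses are placeholders.

```python
# Added example, not from the presentation: the two Config questions on the slide,
# "what has changed?" and "am I safe?", answered over two constructed configuration
# items for one security group. Field names follow the shape of AWS Config items;
# the resource id, timestamps and addresses are placeholders.
import ipaddress

OLD_ITEM = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0placeholder",
            "configurationItemCaptureTime": "2014-11-05T09:00:00Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": "203.0.113.0/24"}]}]}}
NEW_ITEM = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0placeholder",
            "configurationItemCaptureTime": "2014-11-05T14:30:00Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}

def ingress_rules(item):
    """Flatten ipPermissions into a set of (protocol, from_port, to_port, cidr) tuples."""
    rules = set()
    for perm in item["configuration"]["ipPermissions"]:
        for rng in perm.get("ipRanges", []):
            rules.add((perm["ipProtocol"], perm["fromPort"], perm["toPort"], rng["cidrIp"]))
    return rules

def what_changed(old, new):
    """Change management: ingress rules added or removed between two snapshots."""
    before, after = ingress_rules(old), ingress_rules(new)
    return {"added": sorted(after - before), "removed": sorted(before - after)}

def am_i_safe(item, admin_ports=(22, 3389)):
    """Security analysis: report admin ports reachable from the entire internet (/0)."""
    findings = []
    for proto, lo, hi, cidr in sorted(ingress_rules(item)):
        if ipaddress.ip_network(cidr).prefixlen == 0 and any(lo <= p <= hi for p in admin_ports):
            findings.append(f"{proto} {lo}-{hi} open to {cidr}")
    return findings
```

The same check run on each Config change notification is what the later "deviations are actionable via code" slide describes in practice.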
CloudWatch and CloudWatch Logs
CloudWatch provides metrics and visibility into every aspect of your AWS environment
Metrics are actionable and can fire alarms, run arbitrary code, etc.
CloudWatch Logs provides a central service to absorb, store, analyze, and take action on a variety of log sources
• Operating system logs
• Webserver logs
• Application logs
Cloud automation allows for security agility
“Programmable infrastructure” allows you to automate every aspect of your environment.
Security properties are “baked in,” constantly checked via logging and auditing, and deviations / alarms are actionable via code
Change and speed of change become an asset, not a liability
Cloud automation allows for security agility…
“The advantage of elasticity [is that it] turns the entirety of your security into a giant shell game,” said Hunt... “The ability to reimage — either when workloads scale up or down — or to reimage periodically — with the intent to completely wipe and restart a complete machine with something that is guaranteed out of your vaulted set of images — allows you to have very high confidence you are not had and you are not hooked. You basically turn yourself into a polymorphic surface to which the attack guy has a much tougher time getting at. That, ultimately, is the real key advantage to drive security and make things much better for us across the board.” – Gus Hunt, former CTO of the US CIA
http://www.federalnewsradio.com/?nid=130&sid=2598667
Improving your security with AWS
For more details, see the re:Invent 2013 presentations by NASA JPL cyber security engineer Matt Derenski (http://awsps.com/videos/SEC205E-640px.mp4)
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters.”
-Tom Soderstrom, CTO, NASA JPL
Improving your security with AWS…
“From a physical and logical security standpoint, I believe that, if done right, public cloud computing is as or more secure than self-hosting.” – Steve Randich, EVP and CIO, Financial Industry Regulatory Authority (FINRA), USA
• FINRA now deploying multiple Hadoop-based and Redshift-based
analytics apps core to their regulatory mission
• Multi-petabyte clusters growing by terabytes per day
• Going to full production in January 2015
• Two year plan to go “all in” to the AWS cloud
Improving your security with AWS…
“… We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”
Security’s Cloud Revolution is Upon Us, Forrester Research, Inc., August 2, 2013
More information:
Risk & Compliance
Auditing Security Checklist
Security Processes
Security Best Practices
http://aws.amazon.com/security/security-resources/
http://aws.amazon.com/compliance