AWS security and compliance, WWPS pre-day São Paulo (markry)


Upload: amazon-web-services-latin-america

Post on 25-Jul-2015


TRANSCRIPT

©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

Meeting Government Security & Compliance Requirements with Secure AWS Infrastructure

Mark Ryland, Chief Solutions Architect, Worldwide Public Sector Team
[email protected]

Security is the foundation of everything we do at AWS

• Physical Security
• Network Security
• Platform Security
• People & Procedures

Familiar security model

Requirements from toughest customers; audited and validated by experts.

Every Customer Benefits

SECURITY IS SHARED

Security & compliance is a shared responsibility

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers have their choice of security configurations IN the Cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

Build everything on a constantly improving security baseline

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

GxP, ISO 13485, AS9100, ISO/TS 16949

The AWS approach to security of the cloud

Simple Security Controls: Easy to Get Right, Easy to Audit, Easy to Enforce

[Diagram: "This" to "To This"]

11 Regions, 28 Availability Zones, 53 Edge Locations

Single Security Posture Across Global Infrastructure

Customer chooses regional location of systems and data

SECURITY IS FAMILIAR

Security is familiar

• We make security at AWS familiar (mostly) based on what you are doing right now
  – Control and isolation
  – Visibility
  – Auditability
  – Agility

AWS Marketplace: One-stop shop for familiar tools

• Advanced Threat Analytics
• Application Security
• Identity and Access Mgmt
• Encryption & Key Mgmt
• Server & Endpoint Protection
• Network Security
• Vulnerability & Pen Testing

SECURITY IS CONTROL AND ISOLATION

Rich control with AWS’s powerful Identity & Access Management capabilities

Authentication:
• Multiple options including rich SAML federation capabilities, MFA, web identities
• Clean separation of identity from proof of identity
• Roles are powerful and flexible pseudo-principals that can be assumed by other identities
  – Federation scenarios
  – Cross-account access

Rich control with Identity & Access Management…

Authorization:
• Groups and roles are the “containers” for access policies
• Flexible, powerful policy language with extremely granular controls and conditions
  – E.g., time of day or week, source CIDR, MFA required, user agent, etc.
• Applies to all infrastructure and services
• Applies to all forms of access, regardless of tools (console/CLI/API)
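The policy conditions the slide lists (source CIDR, MFA required, a time window) map onto real IAM condition keys: aws:SourceIp, aws:MultiFactorAuthPresent and aws:CurrentTime. The following is an added example, not from the slides or from AWS: a constructed policy that uses those keys, plus a deliberately simplified model of the evaluation logic (implicit deny, explicit deny wins, all condition operators must hold, values within one key are ORed) so the effect of each condition can be seen offline. The CIDR, timestamps and actions are made up; Resource matching and the many other IAM operators are not modelled. One caveat worth knowing: aws:CurrentTime is an absolute timestamp, so a "time of day" restriction in real IAM is a fixed window, not a recurring schedule.

```python
# Added example (not from the slides): a small, simplified model of how an IAM
# policy with Condition keys is evaluated. It covers only the operators used in
# the sample policy; the real IAM evaluation logic is the source of truth.
import fnmatch
import ipaddress
from datetime import datetime, timezone

# Constructed sample policy. The condition keys are real IAM global keys;
# the CIDR and the time window are made up for this example.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "*",
            "Condition": {
                # MFA must have been used on the calling session
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                # caller must come from the (constructed) corporate egress range
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                # aws:CurrentTime is an absolute timestamp, so this is a
                # fixed change window rather than a recurring time of day
                "DateGreaterThan": {"aws:CurrentTime": "2015-07-27T08:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2015-07-27T18:00:00Z"},
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(operator, key, values, context):
    """True if the request context satisfies one condition key.

    Within one key the listed values are ORed, as in IAM. A key missing from
    the context never matches (no MFA information means "no MFA").
    """
    actual = context.get(key)
    if actual is None:
        return False
    if operator == "Bool":
        return str(actual).lower() in [str(v).lower() for v in values]
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if operator == "DateGreaterThan":
        return any(_parse_time(actual) > _parse_time(v) for v in values)
    if operator == "DateLessThan":
        return any(_parse_time(actual) < _parse_time(v) for v in values)
    raise ValueError("operator not modelled: " + operator)


def evaluate(policy, action, context):
    """Return 'Allow' or 'Deny' for one action under the request context.

    Mirrors IAM evaluation at a high level: everything is denied unless a
    statement allows it, and an explicit Deny always wins.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        conditions = stmt.get("Condition", {})
        if not all(
            _condition_holds(op, key, _as_list(vals), context)
            for op, keys in conditions.items()
            for key, vals in keys.items()
        ):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts for the example.
CONTEXT_OK = {
    "aws:MultiFactorAuthPresent": "true",
    "aws:SourceIp": "203.0.113.42",
    "aws:CurrentTime": "2015-07-27T10:30:00Z",
}
CONTEXT_NO_MFA = {**CONTEXT_OK, "aws:MultiFactorAuthPresent": "false"}
CONTEXT_OFFSITE = {**CONTEXT_OK, "aws:SourceIp": "198.51.100.7"}
CONTEXT_AFTER_HOURS = {**CONTEXT_OK, "aws:CurrentTime": "2015-07-27T22:00:00Z"}

if __name__ == "__main__":
    for name, ctx in [("ok", CONTEXT_OK), ("no mfa", CONTEXT_NO_MFA),
                      ("offsite", CONTEXT_OFFSITE), ("after hours", CONTEXT_AFTER_HOURS)]:
        print(name, evaluate(POLICY, "ec2:StopInstances", ctx))
```

Running it shows the point the slide makes about granularity: the same user with the same permissions is allowed only when every condition lines up, and a missing or false MFA flag, an unexpected source address or a call outside the window each turns the decision into a deny.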

Network isolation with Virtual Private Cloud

• Define your own address space as extension of private network
• Connect to private network with VPN tunnel or Direct Connect
• Configure Security Groups (virtual firewalls) for all EC2 instances; update fleet firewall rules with a single API call
• Configure Network Access Control Lists for subnet level isolation and control

Enhanced isolation and control with encryption

• Automatic encryption with managed keys (Key Management Service)
• Dedicated hardware security modules (Cloud HSM)
• Bring and use your own keys

AWS Key Management Service

• Highly-available managed regional service that makes it easy for you to create, control, and use your data protection keys
• Integrated with AWS SDKs and AWS services including Amazon EBS, Amazon S3, and Amazon Redshift
• Integrated with AWS CloudTrail to provide auditable logs to help your regulatory and compliance activities

AWS Key Management Service: Integrated with AWS IAM Console (screenshot)

AWS Key Management Service: Integrated with Amazon EBS (screenshot)

SECURITY REQUIRES VISIBILITY

VISIBILITY: HOW OFTEN DO YOU MAP YOUR NETWORK? WHAT’S IN YOUR ENVIRONMENT RIGHT NOW?

Security is Visible

• Who is accessing the resources?
• Who took what action?
  – When?
  – From where?
  – What did they do?
  – Logs Logs Logs

AWS CLOUDTRAIL

You are making API calls... on a growing set of services around the world… AWS CloudTrail is continuously recording API calls… and delivering log files to you.

Use cases enabled by CloudTrail

• Security Analysis
• Track Changes to AWS Resources
• Troubleshoot Operational Issues
• Compliance Aid
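The "who, what, when, from where" questions of the visibility slide are exactly the fields a CloudTrail record carries (userIdentity, eventSource/eventName, eventTime, sourceIPAddress), and the "Security Analysis" use case is a matter of reading them with a policy in mind. The following is an added example, not from the slides or from AWS: it parses a constructed CloudTrail delivery file, flattens each record into those four answers, and flags calls from a watch list that were made without MFA or from outside an allowed network. The records, IP addresses, the security group id sg-00000000 and the watch list are constructed for the example; the field names follow the CloudTrail record format.

```python
# Added example (not from the slides): answer "who did what, when, from where"
# over CloudTrail records and flag sensitive calls that lack MFA or come from
# outside an allowed network. The records below are constructed; field names
# follow the CloudTrail record format.
import ipaddress
import json

# Constructed sample log file (a CloudTrail delivery is a JSON object with a
# "Records" list). IPs come from documentation ranges; sg-00000000 is a placeholder.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventVersion": "1.02",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "eventTime": "2015-07-27T09:12:44Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "awsRegion": "sa-east-1",
        "sourceIPAddress": "203.0.113.42",
        "userAgent": "aws-cli/1.7.36",
    },
    {
        "eventVersion": "1.02",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "eventTime": "2015-07-27T09:15:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "sa-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "console.amazonaws.com",
        "requestParameters": {"groupId": "sg-00000000"},
    },
    {
        "eventVersion": "1.02",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "eventTime": "2015-07-27T09:20:31Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "sa-east-1",
        "sourceIPAddress": "203.0.113.42",
        "userAgent": "aws-cli/1.7.36",
    },
]})

# Calls an operator always wants to know about: they weaken the audit trail
# or open the network. Constructed watch list and allowed range for the example.
WATCHED_EVENTS = {"StopLogging", "DeleteTrail", "AuthorizeSecurityGroupIngress"}
ALLOWED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]


def load_records(text):
    return json.loads(text)["Records"]


def who_what_when_where(record):
    """Flatten one record into the four questions the slide asks."""
    ident = record.get("userIdentity", {})
    return {
        "who": ident.get("userName") or ident.get("arn") or ident.get("type"),
        "what": record["eventSource"].split(".")[0] + ":" + record["eventName"],
        "when": record["eventTime"],
        "where": record.get("sourceIPAddress"),
    }


def mfa_used(record):
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def from_allowed_network(record, allowed=ALLOWED_CIDRS):
    try:
        ip = ipaddress.ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        # calls made by AWS services on your behalf carry a hostname here, not an IP
        return False
    return any(ip in net for net in allowed)


def find_findings(records, watched=WATCHED_EVENTS):
    """Return (summary, reasons) for every watched call; reasons may be empty."""
    findings = []
    for rec in records:
        if rec["eventName"] not in watched:
            continue
        reasons = []
        if not mfa_used(rec):
            reasons.append("no MFA")
        if not from_allowed_network(rec):
            reasons.append("outside allowed network")
        findings.append((who_what_when_where(rec), reasons))
    return findings


if __name__ == "__main__":
    for summary, reasons in find_findings(load_records(SAMPLE_LOG)):
        print(summary, reasons or ["watched event, MFA and network OK"])
```

Watched events are reported even when MFA and source network check out (the StopLogging call here) because disabling the trail is worth a look regardless of who did it; the reasons list just says which additional policy expectations were not met.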

SECURITY IS AUDITABLE

AWS Config

AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.

[Diagram: Changing Resources → AWS Config (Continuous Change Recording) → History, Stream, Snapshot (ex. 2014-11-05)]

Use cases enabled by Config

• Security Analysis: Am I safe?
• Audit Compliance: Where is the evidence?
• Change Management: What will this change affect?
• Troubleshooting: What has changed?
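Two of the Config use cases above, "What has changed?" and "Am I safe?", come down to comparing two configuration items for the same resource and checking the latest one against a rule. The following is an added example, not from the slides or from AWS: two constructed, cut-down configuration items for a security group (the real items carry many more fields), a generic diff over the nested configuration, and a check for admin ports exposed to 0.0.0.0/0. The resource id sg-00000000, the capture times, the rule set and the port list are constructed for the example.

```python
# Added example (not from the slides): diff two AWS Config-style configuration
# items for one resource ("what has changed?") and check the new state against
# a simple rule ("am I safe?"). Items are constructed and cut down to the
# fields used here.
import copy

SNAPSHOT_OLD = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-00000000",  # placeholder id
    "configurationItemCaptureTime": "2015-07-26T18:00:00Z",
    "configuration": {
        "groupName": "web-tier",
        "ipPermissions": [
            {"fromPort": 443, "toPort": 443, "ipProtocol": "tcp",
             "ipRanges": ["0.0.0.0/0"]},
            {"fromPort": 22, "toPort": 22, "ipProtocol": "tcp",
             "ipRanges": ["203.0.113.0/24"]},
        ],
    },
}

# Constructed later snapshot: someone widened the SSH rule to the whole internet.
SNAPSHOT_NEW = copy.deepcopy(SNAPSHOT_OLD)
SNAPSHOT_NEW["configurationItemCaptureTime"] = "2015-07-27T09:15:10Z"
SNAPSHOT_NEW["configuration"]["ipPermissions"][1]["ipRanges"] = ["0.0.0.0/0"]

# Ports that should never be reachable from anywhere (constructed list).
ADMIN_PORTS = {22, 3389}


def flatten(value, prefix=""):
    """Turn nested dicts/lists into {dotted.path[i]: leaf} for comparison."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            out.update(flatten(item, f"{prefix}.{key}" if prefix else key))
        return out
    if isinstance(value, list):
        out = {}
        for index, item in enumerate(value):
            out.update(flatten(item, f"{prefix}[{index}]"))
        return out
    return {prefix: value}


def diff_items(old, new):
    """What has changed? Return {path: (before, after)} over the configuration.

    Only the "configuration" block is compared; capture time and other
    bookkeeping fields change on every snapshot and are not interesting.
    """
    before = flatten(old["configuration"])
    after = flatten(new["configuration"])
    return {
        path: (before.get(path), after.get(path))
        for path in sorted(set(before) | set(after))
        if before.get(path) != after.get(path)
    }


def unsafe_rules(item, admin_ports=ADMIN_PORTS):
    """Am I safe? Return (fromPort, toPort, protocol) for rules that expose an
    admin port to the whole internet."""
    bad = []
    for rule in item["configuration"].get("ipPermissions", []):
        if rule.get("ipProtocol") == "-1":
            lo, hi = 0, 65535  # "all traffic" rules carry no port fields
        else:
            lo, hi = rule.get("fromPort"), rule.get("toPort")
            if lo is None or hi is None:
                continue
        world_open = "0.0.0.0/0" in rule.get("ipRanges", [])
        if world_open and any(lo <= port <= hi for port in admin_ports):
            bad.append((lo, hi, rule.get("ipProtocol")))
    return bad


if __name__ == "__main__":
    for path, (before, after) in diff_items(SNAPSHOT_OLD, SNAPSHOT_NEW).items():
        print(f"changed {path}: {before!r} -> {after!r}")
    print("unsafe rules now:", unsafe_rules(SNAPSHOT_NEW))
```

The diff names the exact path that changed (the second rule's first CIDR), which is what you would hand to the change-management question "what will this affect?", and the rule check turns the history into a yes/no answer for the earlier snapshot and the later one.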

CloudWatch and CloudWatch Logs

CloudWatch provides metrics and visibility into every aspect of your AWS environment. Metrics are actionable and can fire alarms, run arbitrary code, etc.

CloudWatch Logs provides a central service to absorb, store, analyze, and take action on a variety of log sources:
• Operating system logs
• Webserver logs
• Application logs

SECURITY IS AGILE

Cloud automation allows for security agility

“Programmable infrastructure” allows you to automate every aspect of your environment.

Security properties are “baked in,” constantly checked via logging and auditing, and deviations / alarms are actionable via code.

Change and speed of change become an asset, not a liability.

Cloud automation allows for security agility…

“The advantage of elasticity [is that it] turns the entirety of your security into a giant shell game,” said Hunt... “The ability to reimage — either when workloads scale up or down — or to reimage periodically — with the intent to completely wipe and restart a complete machine with something that is guaranteed out of your vaulted set of images — allows you to have very high confidence you are not had and you are not hooked. You basically turn yourself into a polymorphic surface to which the attack guy has a much tougher time getting at. That, ultimately, is the real key advantage to drive security and make things much better for us across the board.” – Gus Hunt, former CTO of USA CIA

http://www.federalnewsradio.com/?nid=130&sid=2598667

CLOUD SECURITY CAN BE SUPERIOR

Improving your security with AWS

For more details, see re:Invent 2013 presentations by NASA JPL cyber security engineer Matt Derenski (http://awsps.com/videos/SEC205E-640px.mp4)

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters.” – Tom Soderstrom, CTO, NASA JPL

Improving your security with AWS…

“From a physical and logical security standpoint, I believe that, if done right, public cloud computing is as or more secure than self-hosting.” – Steve Randich, EVP and CIO, Financial Industry Regulatory Authority in the USA

• FINRA now deploying multiple Hadoop-based and Redshift-based analytics apps core to their regulatory mission
• Multi-petabyte clusters growing by terabytes per day
• Going to full production in January 2015
• Two year plan to go “all in” to the AWS cloud

Improving your security with AWS…

“… We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.” – Security’s Cloud Revolution is Upon Us, Forrester Research, Inc., August 2, 2013

RISK & COMPLIANCE

AUDITING SECURITY CHECKLIST

SECURITY PROCESSES

SECURITY BEST PRACTICES

More information:
http://aws.amazon.com/security/security-resources/
http://aws.amazon.com/compliance
