security and compliance

Post on 28-Nov-2014


DESCRIPTION

This session provides real guidance and practical answers to government users’ questions about security and compliance, helping agencies move away from the “worry-based fiction” of the cloud.

TRANSCRIPT

AWS Government, Education, and Nonprofits Symposium, London | 21 Oct 2014

AWS Security & Compliance

Dob Todorov

Regional Head – Public Sector Solutions Architecture

Principal Security & Compliance Solutions Architect

EMEA

Security Is Our No.1 Priority

Comprehensive Security Capabilities to Support Virtually Any Workload

PEOPLE & PROCEDURES

NETWORK SECURITY

PHYSICAL SECURITY

PLATFORM SECURITY

SECURITY IS SHARED

WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE

WHAT WE DO FOR YOU

WHAT YOU DO YOURSELF

EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES

CHOOSE WHAT’S RIGHT FOR YOUR ENTERPRISE

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”

Tom Soderstrom – CTO

NASA JPL

IDC Survey

Attitudes and Perceptions Around Security and Cloud Services

Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization

Source: IDC 2013 U.S. Cloud Security Survey, Doc #242836, September 2013

AWS SECURITY OFFERS MORE

VISIBILITY

AUDITABILITY

CONTROL

MORE VISIBILITY

CAN YOU MAP YOUR NETWORK?

WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?

TRUSTED ADVISOR

MORE AUDITABILITY

AWS CLOUDTRAIL

You are making API calls...

On a growing set of services around the world…

CloudTrail is continuously recording API calls…

And delivering log files to you

Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.

Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.

Troubleshoot Operational Issues: Quickly identify the most recent changes made to resources in your environment.

Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards.
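An added example (not from the slides) of the security-analysis and change-tracking uses listed above: it reads a log file in the CloudTrail `Records` layout and lists EC2 instance, security group and EBS volume changes. The sample records, account ID and the `resource_changes` and `needs_review` helpers are constructed for illustration.

```python
import json

# Constructed sample in the CloudTrail log-file layout: {"Records": [...]}.
# Account ID, users and IP addresses are placeholders, not values from the slides.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-10-21T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2014-10-21T09:20:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2014-10-21T09:18:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.9",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2014-10-21T09:25:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVolume", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]})

# EC2 API calls that create, modify or delete the resource types named above.
CHANGE_EVENTS = {
    "RunInstances": "instance", "TerminateInstances": "instance",
    "CreateSecurityGroup": "security-group", "DeleteSecurityGroup": "security-group",
    "AuthorizeSecurityGroupIngress": "security-group",
    "CreateVolume": "volume", "DeleteVolume": "volume",
}

def resource_changes(log_text):
    """Return one summary per resource-changing EC2 call, oldest first."""
    changes = []
    for rec in json.loads(log_text).get("Records", []):
        kind = CHANGE_EVENTS.get(rec.get("eventName"))
        if rec.get("eventSource") != "ec2.amazonaws.com" or kind is None:
            continue  # read-only call or another service
        ident = rec.get("userIdentity", {})
        changes.append({
            "time": rec.get("eventTime"), "action": rec["eventName"],
            "resource": kind, "source_ip": rec.get("sourceIPAddress"),
            "actor": ident.get("arn") or ident.get("type", "unknown"),
            "denied": "errorCode" in rec, "as_root": ident.get("type") == "Root",
        })
    return sorted(changes, key=lambda c: c["time"] or "")

def needs_review(changes):
    """Changes worth an analyst's look: root-account use or denied attempts."""
    return [c for c in changes if c["as_root"] or c["denied"]]
```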

LOGS

OBTAINED, RETAINED, ANALYZED

MORE CONTROL

Defense in Depth

Multi level security

• Physical security of the data centers

• Network security

• System security

• Data security

AWS Security Delivers More Control & Granularity

Customize the implementation based on your business needs

AWS CloudHSM

Defense in depth

Rapid scale for security

Automated checks with AWS Trusted Advisor

Fine grained access controls

Server side encryption

Multi-factor authentication

Dedicated instances

Direct connection, Storage Gateway

HSM-based key storage

AWS IAM

Amazon VPC

AWS Direct Connect

AWS Storage Gateway

LEAST PRIVILEGE PRINCIPLE AT AWS

LEAST PRIVILEGE PRINCIPLE

CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK

LEAST PRIVILEGE PRINCIPLE

SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA

LEAST PRIVILEGE PRINCIPLE

MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATA CENTER LOCATIONS

LEAST PRIVILEGE PRINCIPLE

MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATA CENTERS

SIMPLE SECURITY CONTROLS ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE

AWS IAM

IDENTITY & ACCESS MANAGEMENT

CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT

MFA DELETE PROTECTION

YOUR DATA STAYS WHERE YOU PUT IT

USE MULTIPLE AZs

AMAZON S3

AMAZON DYNAMODB

AMAZON RDS MULTI-AZ

AMAZON EBS SNAPSHOTS

DATA ENCRYPTION

CHOOSE WHAT’S RIGHT FOR YOU:

Automated – AWS manages encryption

Enabled – user manages encryption using AWS

Client-side – user manages encryption using their own means

AWS CloudHSM

Managed and monitored by AWS, but you control the keys

Increase performance for applications that use HSMs for key storage or encryption

Comply with stringent regulatory and contractual requirements for key protection

EC2 Instance

AWS CloudHSM

AWS CloudHSM

ENCRYPT YOUR DATA

AWS CLOUDHSM

AMAZON S3 SSE

AMAZON GLACIER

AMAZON REDSHIFT

AMAZON RDS

AMAZON EBS

MORE AUDITABILITY

MORE VISIBILITY

MORE CONTROL

RISK & COMPLIANCE

AUDITING SECURITY CHECKLIST

SECURITY PROCESSES

SECURITY BEST PRACTICES

AWS Security Whitepapers

AWS.AMAZON.COM/SECURITY
