aws summit barcelona - security keynote
AWS Summit 2013 Barcelona Oct 24 – Barcelona, Spain
Bill Shinn
AWS Principal Security Solutions Architect
AWS CLOUD SECURITY
SECURITY IS UNIVERSAL
EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES
CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS
AWS GOV CLOUD
ITAR COMPLIANT
SECURITY IS VISIBLE
CAN YOU MAP YOUR NETWORK?
WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
AWS API + CLOUDFORMATION: ENVIRONMENT ARCHITECTURE DEFINITION AND CHANGE DETECTION
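Worked example of the change detection the slide pairs with CloudFormation, added here and not part of the deck: the template is the declared architecture, the EC2 API is the live state, and drift is whatever the API shows that the template does not (or the other way round). Both inputs are constructed inline, a template fragment and a snapshot in the shape of `ec2 describe-security-groups` output; matching the live `GroupName` to the template's logical ID `WebSG` is an assumption made to keep the join simple, a real stack would map through the stack resources API or a tag.

```python
import json

# Constructed CloudFormation template fragment: the declared architecture.
# Port values are strings because that is how templates usually carry them.
DECLARED_TEMPLATE = json.loads(r'''
{
  "Resources": {
    "WebSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": "22",  "ToPort": "22",  "CidrIp": "10.0.0.0/8"}
        ]
      }
    }
  }
}
''')

# Constructed snapshot in the shape of DescribeSecurityGroups output as the AWS
# CLI prints it. GroupName is assumed to equal the template's logical ID so the
# two sides can be matched. Someone has opened SSH to the world out of band.
LIVE_SNAPSHOT = json.loads(r'''
{
  "SecurityGroups": [
    {
      "GroupName": "WebSG",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]}
      ]
    }
  ]
}
''')


def declared_rules(template):
    """Map each security group logical ID to a set of (proto, from, to, cidr)."""
    rules = {}
    for logical_id, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        ingress = res["Properties"].get("SecurityGroupIngress", [])
        rules[logical_id] = {
            (r["IpProtocol"], int(r.get("FromPort", -1)), int(r.get("ToPort", -1)), r["CidrIp"])
            for r in ingress if "CidrIp" in r
        }
    return rules


def live_rules(snapshot):
    """Same normalisation for the API view; IpRanges are flattened to one rule per CIDR."""
    rules = {}
    for sg in snapshot["SecurityGroups"]:
        flat = set()
        for perm in sg["IpPermissions"]:
            for rng in perm.get("IpRanges", []):
                flat.add((perm["IpProtocol"], int(perm.get("FromPort", -1)),
                          int(perm.get("ToPort", -1)), rng["CidrIp"]))
        rules[sg["GroupName"]] = flat
    return rules


def detect_drift(template, snapshot):
    """Return rules the API shows but the template does not (UNDECLARED) and
    rules the template declares that are not live (MISSING)."""
    declared, live = declared_rules(template), live_rules(snapshot)
    findings = []
    for name in sorted(set(declared) | set(live)):
        d, l = declared.get(name, set()), live.get(name, set())
        findings += [("UNDECLARED", name, rule) for rule in sorted(l - d)]
        findings += [("MISSING", name, rule) for rule in sorted(d - l)]
    return findings


if __name__ == "__main__":
    for finding in detect_drift(DECLARED_TEMPLATE, LIVE_SNAPSHOT):
        print(*finding)
```

Run on a schedule against a fresh API snapshot, an UNDECLARED finding is the signal that something was changed outside the deployment pipeline; the fix is to either re-apply the template or, if the change was legitimate, put it in the template.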
SECURITY IS TRANSPARENT
SOC 1 SOC 2 SOC 3 PCI DSS L1 ISO 27001
ITAR FIPS FedRAMP HIPAA
SECURITY IS FAMILIAR
SOC CONTROL OBJECTIVES
1. SECURITY ORGANIZATION
2. AMAZON USER ACCESS
3. LOGICAL SECURITY
4. SECURE DATA HANDLING
5. PHYSICAL SECURITY AND ENV. SAFEGUARDS
6. CHANGE MANAGEMENT
7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY
8. INCIDENT HANDLING
LEAST PRIVILEGE PRINCIPLE: CONFINE ROLES TO ONLY THE MATERIAL REQUIRED TO DO A SPECIFIC JOB
USE AWS IAM (IDENTITY & ACCESS MANAGEMENT)
CONTROL WHO CAN DO WHAT IN YOUR AWS ACCOUNT
IAM USERS & ROLES
ACCESS TO SERVICE APIs
NO PASSWORDS
USE SEPARATE SETS OF CREDENTIALS
ROTATE YOUR AWS SECURITY CREDENTIALS
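Rotation is only as good as the check that enforces it. The following audit is an added example, not code from the deck: it walks records in the shape of the `AccessKeyMetadata` entries that `iam list-access-keys` returns (constructed inline, user names and key IDs are made up) and flags keys that are past their rotation age, users holding two active keys outside a rotation window, and deactivated keys that were never deleted. The 90-day limit and the audit date are assumptions.

```python
from datetime import datetime, timedelta

# Constructed records in the shape of the AccessKeyMetadata entries returned by
# iam list-access-keys (user names and key IDs are made up).
ACCESS_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",   "CreateDate": "2013-01-15T09:12:00Z"},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",   "CreateDate": "2013-10-01T14:30:00Z"},
    {"UserName": "alice",      "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",   "CreateDate": "2013-09-20T08:00:00Z"},
    {"UserName": "bob",        "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive", "CreateDate": "2012-11-05T11:45:00Z"},
]

AUDIT_DATE = datetime(2013, 10, 24)   # assumed "now" so the run is reproducible


def parse_timestamp(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_access_keys(keys, as_of, max_age_days=90):
    """Flag keys that should have been rotated or removed.

    STALE_KEY: active and created more than max_age_days before as_of.
    MULTIPLE_ACTIVE_KEYS: two active keys are expected only during the short
        window of a rotation; afterwards the old one must be deactivated.
    INACTIVE_KEY_NOT_DELETED: a deactivated key can be re-enabled with one API
        call, so once the rotation is confirmed it should be deleted.
    """
    cutoff = as_of - timedelta(days=max_age_days)
    by_user = {}
    for key in keys:
        by_user.setdefault(key["UserName"], []).append(key)

    findings = []
    for user, user_keys in sorted(by_user.items()):
        active = [k for k in user_keys if k["Status"] == "Active"]
        if len(active) > 1:
            findings.append(("MULTIPLE_ACTIVE_KEYS", user, [k["AccessKeyId"] for k in active]))
        for key in user_keys:
            if key["Status"] != "Active":
                findings.append(("INACTIVE_KEY_NOT_DELETED", user, key["AccessKeyId"]))
            elif parse_timestamp(key["CreateDate"]) < cutoff:
                findings.append(("STALE_KEY", user, key["AccessKeyId"]))
    return findings


if __name__ == "__main__":
    for finding in audit_access_keys(ACCESS_KEYS, AUDIT_DATE):
        print(*finding)
```

In the constructed data `deploy-bot` has started a rotation (a fresh second key) but never retired the old one, which is the case the two-active-keys and stale-key findings are meant to catch together. Keys belonging to the root account do not appear in `list-access-keys` at all; check those separately and remove them.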
YOUR DATA IS YOUR MOST IMPORTANT ASSET
…
MFA DELETE PROTECTION
ENCRYPT YOUR DATA
AMAZON S3 SSE: DATA AT REST
AWS CloudHSM
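"Encrypt your data" on S3 is only a policy if uploads without server-side encryption are refused. The block below is an added example, not from the deck: a bucket policy (constructed, bucket name hypothetical) with two explicit Deny statements on `s3:PutObject`, plus a small evaluator with the condition semantics that make two statements necessary. `StringNotEquals` never matches when the condition key is absent, so a request that simply omits the `x-amz-server-side-encryption` header would pass the first statement; the `Null` check in the second closes that gap. MFA Delete is the other half of the slide and is set on the bucket's versioning configuration by the bucket owner's root credentials with an MFA device; it is not modelled here.

```python
BUCKET = "example-bucket"   # hypothetical bucket name

# Bucket policy (constructed) with two explicit Denies on PutObject.
ENCRYPT_AT_REST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWrongAlgorithm",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::" + BUCKET + "/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}},
        },
        {
            "Sid": "DenyMissingHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::" + BUCKET + "/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}


def _condition_matches(operator, key, expected, request_keys):
    """Minimal semantics for the operators this policy uses."""
    actual = request_keys.get(key)
    if operator == "Null":                     # "true" matches when the key is absent
        return (actual is None) == (expected == "true")
    if operator == "StringEquals":
        return actual is not None and actual == expected
    if operator == "StringNotEquals":          # absent key: no match, hence the Null statement
        return actual is not None and actual != expected
    raise ValueError("unsupported condition operator: " + operator)


def statement_applies(stmt, action, request_keys):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions:
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_matches(operator, key, expected, request_keys):
                return False
    return True


def put_object_decision(headers):
    """Evaluate the bucket policy's Deny statements against the headers of a
    PutObject request. Returns 'DENY' or 'NOT_DENIED'; an explicit Allow still
    has to come from IAM or the bucket policy for the upload to succeed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    request_keys = {}
    if "x-amz-server-side-encryption" in lowered:
        request_keys["s3:x-amz-server-side-encryption"] = lowered["x-amz-server-side-encryption"]
    for stmt in ENCRYPT_AT_REST_POLICY["Statement"]:
        if stmt["Effect"] == "Deny" and statement_applies(stmt, "s3:PutObject", request_keys):
            return "DENY"
    return "NOT_DENIED"


if __name__ == "__main__":
    print(put_object_decision({"x-amz-server-side-encryption": "AES256"}))
    print(put_object_decision({}))
```

The evaluator is deliberately limited to the Deny side: an explicit Deny wins over any Allow, so these two statements are enough to guarantee nothing lands in the bucket unencrypted, regardless of what identity policies grant.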
NEED TO KNOW
+
CCTV, GUARDS, MAN TRAPS, FENCES, ETC…
…
CHANGES IN PRODUCTION HAVE TO BE AUTHORIZED
DEV & TEST ENVIRONMENT: AWS ACCOUNT A
PRODUCTION ENVIRONMENT: AWS ACCOUNT B
DEPLOYMENT PROCESS HAS TO BE CONSTRAINED
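Putting the two-account split and the least-privilege slide together, as an added example that is not part of the deck: the production account B exposes one deployment role; its trust policy names a single identity in the dev/test account A and requires an MFA-authenticated session, and its permission policy allows only the stack operations the release needs on one stack. Two policies shaped the way they should not be written sit beside them, and a small linter tells the two apart. Account IDs, the `release-manager` user, the region and the `prod-web` stack name are all made up for the example.

```python
DEV_ACCOUNT = "111111111111"    # hypothetical account A (dev & test)
PROD_ACCOUNT = "222222222222"   # hypothetical account B (production)

# Trust policy on the deployment role in account B (constructed): only one named
# identity in account A may assume it, and only from an MFA-authenticated session.
PROD_DEPLOY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::" + DEV_ACCOUNT + ":user/release-manager"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Permission policy attached to that role (constructed): update one production
# stack and read its state, nothing else.
PROD_DEPLOY_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudformation:UpdateStack",
                   "cloudformation:DescribeStacks",
                   "cloudformation:DescribeStackEvents"],
        "Resource": "arn:aws:cloudformation:eu-west-1:" + PROD_ACCOUNT + ":stack/prod-web/*",
    }],
}

# The shapes to reject: anyone may assume, no MFA; and full administrative rights.
OPEN_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}
ADMIN_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    # Principals appear either as a bare account ID or as an ARN
    # (arn:aws:iam::ACCOUNT:user/name, arn:aws:iam::ACCOUNT:role/name, ...).
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def lint_trust_policy(policy, allowed_accounts):
    """Findings for every Allow of sts:AssumeRole in a role's trust policy."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*":
                findings.append("wildcard principal may assume the role")
            elif _account_of(p) not in allowed_accounts:
                findings.append("principal outside the expected accounts: " + p)
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if mfa != "true":
            findings.append("assume-role not conditioned on MFA")
    return findings


def lint_permission_policy(policy):
    """Findings for wildcard actions or resources in an Allow statement."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"])):
            findings.append("wildcard action")
        if "*" in _as_list(stmt.get("Resource", "*")):
            findings.append("wildcard resource")
    return findings
```

One caveat on the MFA condition: `aws:MultiFactorAuthPresent` is absent from the request context when the caller is already using temporary credentials obtained without MFA, and a `Bool` test against a missing key is false, so such a caller is refused rather than waved through. That is the behaviour you want for a production deployment role.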
CONTINUOUS DELIVERY MODEL
CONTINUOUS DEPLOYMENT: SESSION 13:30, START-UP TRACK
REDUNDANCY & INTEGRITY CHECKS
USE MULTIPLE AZs:
AMAZON S3
AMAZON DYNAMODB
AMAZON RDS MULTI-AZ
AMAZON EBS SNAPSHOTS
“GAME DAYS”: INSERT ARTIFICIAL SECURITY INCIDENTS.
MEASURE SPEED OF DETECTION AND EXECUTION.
SECURITY IS AUDITABLE
VULNERABILITY / PENETRATION TESTING
LOGS: OBTAINED, RETAINED, ANALYZED
OBTAIN, RETAIN, ANALYZE YOUR LOGS
PROTECT YOUR LOGS WITH IAM
ARCHIVE YOUR LOGS
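"Analyze" is the step most teams skip. As an added example, not from the deck, here is detection logic run over S3 server access log lines: the lines are constructed inline (canonical IDs, request IDs and addresses are made up) and follow the S3 server access log field order. The checks are the ones worth a page from a data bucket: an anonymous request that succeeded, any object delete, and a source address collecting repeated access-denied responses, which is what a bucket enumeration looks like from the inside. The denial threshold is an assumption.

```python
import re
from collections import Counter

# Constructed S3 server access log lines (identifiers and addresses are made up).
LOG_LINES = """\
OWNERCANONICALID example-data [24/Oct/2013:09:15:02 +0000] 192.0.2.10 OWNERCANONICALID 3A1B2C3D4E5F6789 REST.GET.OBJECT reports/q3.csv "GET /reports/q3.csv HTTP/1.1" 200 - 51234 51234 18 12 "-" "aws-cli/1.1.0" -
OWNERCANONICALID example-data [24/Oct/2013:09:15:40 +0000] 198.51.100.7 - 3A1B2C3D4E5F6790 REST.GET.OBJECT reports/q3.csv "GET /reports/q3.csv HTTP/1.1" 403 AccessDenied - 51234 5 - "-" "Mozilla/5.0" -
OWNERCANONICALID example-data [24/Oct/2013:09:15:41 +0000] 198.51.100.7 - 3A1B2C3D4E5F6791 REST.GET.OBJECT secret/keys.txt "GET /secret/keys.txt HTTP/1.1" 403 AccessDenied - - 4 - "-" "Mozilla/5.0" -
OWNERCANONICALID example-data [24/Oct/2013:09:15:42 +0000] 198.51.100.7 - 3A1B2C3D4E5F6792 REST.GET.OBJECT backup.tar "GET /backup.tar HTTP/1.1" 403 AccessDenied - - 4 - "-" "Mozilla/5.0" -
OWNERCANONICALID example-data [24/Oct/2013:10:02:11 +0000] 192.0.2.10 ALICECANONICALID 3A1B2C3D4E5F6793 REST.DELETE.OBJECT reports/q2.csv "DELETE /reports/q2.csv HTTP/1.1" 204 - - - 9 - "-" "aws-cli/1.1.0" -
OWNERCANONICALID example-data [24/Oct/2013:10:30:00 +0000] 203.0.113.5 - 3A1B2C3D4E5F6794 REST.GET.OBJECT public/index.html "GET /public/index.html HTTP/1.1" 200 - 2048 2048 7 3 "-" "Mozilla/5.0" -
"""

# Field order of the S3 server access log format.
FIELDS = ["owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "status", "error_code", "bytes_sent",
          "object_size", "total_time", "turnaround_time", "referer", "user_agent",
          "version_id"]

# One token per field: a bracketed timestamp, a quoted string, or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line):
    record = dict(zip(FIELDS, TOKEN.findall(line)))
    record["status"] = int(record["status"])
    return record


def analyze_access_log(lines, denial_threshold=3):
    """Return findings in line order, then repeated-denial sources by address."""
    findings = []
    denials = Counter()
    for line in lines.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        anonymous = r["requester"] == "-"          # S3 logs "-" for unauthenticated requests
        if anonymous and r["status"] == 403:
            denials[r["remote_ip"]] += 1
        if anonymous and 200 <= r["status"] < 300:
            findings.append(("ANONYMOUS_SUCCESS", r["remote_ip"], r["operation"], r["key"]))
        if r["operation"].startswith("REST.DELETE"):
            findings.append(("DELETE", r["requester"], r["key"], r["remote_ip"]))
    for ip, count in sorted(denials.items()):
        if count >= denial_threshold:
            findings.append(("REPEATED_DENIALS", ip, count))
    return findings


if __name__ == "__main__":
    for finding in analyze_access_log(LOG_LINES):
        print(*finding)
```

On the "protect" and "archive" points: deliver the logs to a separate bucket that only the S3 log delivery group can write to and only named IAM principals can read, never to the bucket being logged, and treat that bucket as append-only for retention.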
TRUSTED ADVISOR
SECURITY IS SHARED
NETWORK SECURITY: DDOS
NETWORK SECURITY: SSL
NETWORK SECURITY: SPOOFING
NETWORK SECURITY: PORT SCANNING
AMAZON EC2 SECURITY: HOST OS
SSH KEYED LOGINS VIA BASTION HOST
ALL ACCESSES LOGGED AND AUDITED
AMAZON EC2 SECURITY: GUEST OS
CUSTOMER CONTROLLED AT ROOT LEVEL
AWS ADMINS CANNOT LOG IN
CUSTOMER-GENERATED KEYPAIRS
“If you need to SSH into your instance, improve your deployment process.”
AMAZON EC2 SECURITY: STATEFUL (SECURITY GROUPS) & STATELESS (VPC NETWORK ACLs) FIREWALL
MANDATORY, INBOUND DEFAULT-DENY
SECURITY IS
UNIVERSAL
VISIBLE
TRANSPARENT
FAMILIAR
AUDITABLE
SHARED
AWS.AMAZON.COM/SECURITY
AWS.AMAZON.COM/COMPLIANCE
BLOGS.AWS.AMAZON.COM/SECURITY
AWS SECURITY WHITEPAPERS
RISK & COMPLIANCE
AUDITING SECURITY CHECKLIST
SECURITY PROCESSES
SECURITY BEST PRACTICES
AWS MARKETPLACE
SECURITY SOLUTIONS