Security and Compliance

AWS Government, Education, and Nonprofits Symposium London | 21 Oct 2014 | AWS Security & Compliance | Dob Todorov, Regional Head, Public Sector Solutions Architecture; Principal Security & Compliance Solutions Architect, EMEA

Upload: amazon-web-services

Post on 28-Nov-2014

DESCRIPTION

This session provides real guidance and practical answers to government users’ questions about security and compliance, helping agencies move away from the “worry-based fiction” of the cloud.

TRANSCRIPT

Page 1: Security and Compliance

AWS Government, Education, and Nonprofits Symposium London | 21 Oct 2014

AWS Security & Compliance

Dob Todorov

Regional Head – Public Sector Solutions Architecture

Principal Security & Compliance Solutions Architect

EMEA

Page 2: Security and Compliance

Security Is Our No. 1 Priority

Comprehensive Security Capabilities to Support Virtually Any Workload

PEOPLE & PROCEDURES

NETWORK SECURITY

PHYSICAL SECURITY

PLATFORM SECURITY

Page 3: Security and Compliance

SECURITY IS SHARED

Page 4: Security and Compliance

WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE

Page 5: Security and Compliance

WHAT WE DO FOR YOU

WHAT YOU DO YOURSELF

Page 6: Security and Compliance

EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES

CHOOSE WHAT’S RIGHT FOR YOUR ENTERPRISE

Page 7: Security and Compliance

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”

Tom Soderstrom – CTO, NASA JPL

Page 8: Security and Compliance

IDC Survey

Attitudes and Perceptions Around Security and Cloud Services

Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization

Source: IDC 2013 U.S. Cloud Security Survey, Doc #242836, September 2013

Page 9: Security and Compliance

AWS SECURITY OFFERS MORE

VISIBILITY

AUDITABILITY

CONTROL

Page 10: Security and Compliance

MORE VISIBILITY

Page 11: Security and Compliance

CAN YOU MAP YOUR NETWORK?

WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?

Page 14: Security and Compliance

TRUSTED ADVISOR

Page 16: Security and Compliance

MORE AUDITABILITY

Page 18: Security and Compliance

AWS CLOUDTRAIL

Page 19: Security and Compliance

You are making API calls...

On a growing set of services around the world…

CloudTrail is continuously recording API calls…

And delivering log files to you

Page 20: Security and Compliance

Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.

Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.

Troubleshoot Operational Issues: Quickly identify the most recent changes made to resources in your environment.

Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards.

Page 21: Security and Compliance

LOGS OBTAINED, RETAINED, ANALYZED

Page 22: Security and Compliance

MORE CONTROL

Page 23: Security and Compliance

Defense in Depth

Multi-level security

• Physical security of the data centers

• Network security

• System security

• Data security

Page 24: Security and Compliance

AWS Security Delivers More Control & Granularity

Customize the implementation based on your business needs

Defense in depth

Rapid scale for security

Automated checks with AWS Trusted Advisor

Fine grained access controls

Server side encryption

Multi-factor authentication

Dedicated instances

Direct connection, Storage Gateway

HSM-based key storage

AWS CloudHSM

AWS IAM

Amazon VPC

AWS Direct Connect

AWS Storage Gateway

Page 25: Security and Compliance

LEAST PRIVILEGE PRINCIPLE AT AWS

Page 26: Security and Compliance

LEAST PRIVILEGE PRINCIPLE

CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK

Page 27: Security and Compliance

LEAST PRIVILEGE PRINCIPLE

SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA

Page 28: Security and Compliance

LEAST PRIVILEGE PRINCIPLE

MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATA CENTER LOCATIONS

Page 29: Security and Compliance

LEAST PRIVILEGE PRINCIPLE

MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATA CENTERS

Page 30: Security and Compliance

SIMPLE SECURITY CONTROLS ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE

Page 32: Security and Compliance

AWS IAM

IDENTITY & ACCESS MANAGEMENT

Page 33: Security and Compliance

CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT

Page 35: Security and Compliance

MFA DELETE PROTECTION

Page 37: Security and Compliance

YOUR DATA STAYS WHERE YOU PUT IT

Page 39: Security and Compliance

USE MULTIPLE AZs

AMAZON S3

AMAZON DYNAMODB

AMAZON RDS MULTI-AZ

AMAZON EBS SNAPSHOTS

Page 40: Security and Compliance

DATA ENCRYPTION

CHOOSE WHAT’S RIGHT FOR YOU:

Automated – AWS manages encryption

Enabled – user manages encryption using AWS

Client-side – user manages encryption using their own means

Page 41: Security and Compliance

AWS CloudHSM

Managed and monitored by AWS, but you control the keys

Increase performance for applications that use HSMs for key storage or encryption

Comply with stringent regulatory and contractual requirements for key protection

EC2 Instance

AWS CloudHSM

Page 42: Security and Compliance

ENCRYPT YOUR DATA

AWS CLOUDHSM

AMAZON S3 SSE

AMAZON GLACIER

AMAZON REDSHIFT

AMAZON RDS

AMAZON EBS

Page 43: Security and Compliance

MORE AUDITABILITY

MORE VISIBILITY

MORE CONTROL

Page 44: Security and Compliance

RISK & COMPLIANCE

AUDITING SECURITY CHECKLIST

SECURITY PROCESSES

SECURITY BEST PRACTICES

AWS Security Whitepapers

Page 45: Security and Compliance

AWS.AMAZON.COM/SECURITY