Move Away From the Worry-Based Fiction of the Cloud - AWS Washington D.C. Symposium 2014

The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the security programs, procedures and best practices you can use to enhance your current security posture.

  • This circle represents all the security-related activities you have to do to protect your system and make sure it is compliant with the regulations applicable to your business.
  • Being able to focus on your business is one of AWS’s core value propositions. It also applies to AWS Security.
  • On AWS, a small developer gets the same security as a big company. There is no price change for security.
    You get the same access to security.

    Financial sector
    Pharmaceuticals
    Entertainment
    Start-ups
    Social media
    Home users
    Retail
  • We give you the tools to do the same:
    USE IAM (otherwise it’s like logging in as root)
  • …Each user can have a specific policy which defines what she can do with AWS. You can pick a policy from the list of predefined ones we offer …
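The per-user policy described in the notes above, worked as an added example that is not part of the deck or of AWS's own tooling: a small Python linter that reads an IAM policy document and flags the Allow statements a least-privilege review would push back on (wildcard actions, NotAction, and Resource "*" on anything that is not a read-only call). The three policy documents, the bucket name and the Sid values are constructed for illustration, and the rules are common review heuristics rather than an AWS standard.

```python
"""Lint IAM identity policies for grants broader than least privilege.

Added example, not code from the deck or from AWS. The three policy documents
are constructed for illustration; the rules below encode common review
heuristics, not an AWS-published standard.
"""
import json

# Constructed: the per-user policy the speaker notes describe, scoped to one
# bucket and to read-only actions.
READ_ONLY_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadReports",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports-bucket",
                     "arn:aws:s3:::example-reports-bucket/*"],
    }],
})

# Constructed: inventory-only access. EC2 Describe* calls take no resource
# ARN, so Resource "*" is the correct (and harmless) choice here.
DESCRIBE_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Inventory", "Effect": "Allow",
                   "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
                   "Resource": "*"}],
})

# Constructed: the IAM equivalent of "logging in as root".
EVERYTHING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    # "s3:GetObject" -> "GetObject"; a bare "*" has no operation name and is not read-only.
    _, _, op = action.partition(":")
    return op.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy_json: str) -> list:
    """Return one finding per over-broad Allow statement; [] means nothing was flagged."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action not listed; use an explicit Action list")
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard_actions:
            findings.append(f"{sid}: wildcard action(s) {wildcard_actions} grant every operation of the service")
        mutating = [a for a in actions if not _is_read_only(a)]
        if "*" in resources and mutating:
            findings.append(f'{sid}: Resource "*" with mutating action(s) {mutating}; scope to specific ARNs')
    return findings


if __name__ == "__main__":
    for name, doc in [("read-only bucket", READ_ONLY_BUCKET_POLICY),
                      ("describe-only", DESCRIBE_ONLY_POLICY),
                      ("everything", EVERYTHING_POLICY)]:
        print(name, "->", lint_policy(doc) or "no findings")
```

The Describe-only policy passes on purpose: EC2 Describe* calls do not take a resource ARN, so Resource "*" is correct there, and a linter that flagged it would train people to ignore its output. Run the file directly to see the findings for the three constructed policies.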

    1. AWS Government, Education, and Nonprofits Symposium, Washington, DC | June 24, 2014 - June 26, 2014. AWS Security Assurance: DoD Community. Chris Gile (cgile@amazon.com), Bill Murray (awsbill@amazon.com)
    2. Security in the Cloud. Bill Murray, Sr. Manager, AWS Security Programs
    3. Different Customer Viewpoints on Security. Public Affairs: keep out of the news. Leader: protect shareholder value. CI{S}O: preserve the confidentiality, integrity and availability of data.
    4. Security Is Our No. 1 Priority. Comprehensive security capabilities to support virtually any workload: PEOPLE & PROCEDURES, NETWORK SECURITY, PHYSICAL SECURITY, PLATFORM SECURITY
    5. SECURITY IS SHARED
    6. WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
    7. WHAT WE DO FOR YOU / WHAT YOU DO YOURSELF
    8. EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES. CHOOSE WHAT’S RIGHT FOR YOUR ENTERPRISE
    9. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers” - Tom Soderstrom, CTO, NASA JPL
    10. AWS SECURITY OFFERS MORE: VISIBILITY, AUDITABILITY, CONTROL
    11. MORE VISIBILITY
    12. CAN YOU MAP YOUR NETWORK? WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
    13. [image slide, no text]
    14. [image slide, no text]
    15. TRUSTED ADVISOR
    16. [image slide, no text]
    17. MORE AUDITABILITY
    18. [image slide, no text]
    19. AWS CLOUDTRAIL
    20. You are making API calls... on a growing set of services around the world... CloudTrail is continuously recording API calls... and delivering log files to you.
    21. Security Analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
        Track Changes to AWS Resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
        Troubleshoot Operational Issues: quickly identify the most recent changes made to resources in your environment.
        Compliance Aid: easier to demonstrate compliance with internal policies and regulatory standards.
    22. LOGS OBTAINED, RETAINED, ANALYZED
    23. MORE CONTROL
    24. Defense in Depth - multi-level security:
        - Physical security of the data centers
        - Network security
        - System security
        - Data security
    25. AWS Security Delivers More Control & Granularity. Customize the implementation based on your business needs:
        - Defense in depth
        - Rapid scale for security
        - Automated checks with AWS Trusted Advisor
        - Fine-grained access controls
        - Server-side encryption
        - Multi-factor authentication
        - Dedicated instances
        - Direct connection, Storage Gateway
        - HSM-based key storage
        Services shown: AWS CloudHSM, AWS IAM, Amazon VPC, AWS Direct Connect, AWS Storage Gateway
    26. LEAST PRIVILEGE PRINCIPLE AT AWS
    27. LEAST PRIVILEGE PRINCIPLE: CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK
    28. LEAST PRIVILEGE PRINCIPLE: SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA
    29. LEAST PRIVILEGE PRINCIPLE: MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATA CENTER LOCATIONS
    30. LEAST PRIVILEGE PRINCIPLE: MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATA CENTERS
    31. SIMPLE SECURITY CONTROLS ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE
    32. [image slide, no text]
    33. AWS IAM: IDENTITY & ACCESS MANAGEMENT
    34. CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT
    35. [image slide, no text]
    36. MFA DELETE PROTECTION
    37. [image slide, no text]
    38. YOUR DATA STAYS WHERE YOU PUT IT
    39. [image slide, no text]
    40. USE MULTIPLE AZs: AMAZON S3, AMAZON DYNAMODB, AMAZON RDS MULTI-AZ, AMAZON EBS SNAPSHOTS
    41. DATA ENCRYPTION. CHOOSE WHAT’S RIGHT FOR YOU:
        - Automated: AWS manages encryption
        - Enabled: user manages encryption using AWS
        - Client-side: user manages encryption using their own means
    42. AWS CloudHSM
        - Managed and monitored by AWS, but you control the keys
        - Increase performance for applications that use HSMs for key storage or encryption
        - Comply with stringent regulatory and contractual requirements for key protection
        Diagram labels: EC2 Instance, AWS CloudHSM, AWS CloudHSM
    43. ENCRYPT YOUR DATA: AWS CLOUDHSM, AMAZON S3 SSE, AMAZON GLACIER, AMAZON REDSHIFT, AMAZON RDS
    44. MORE AUDITABILITY, MORE VISIBILITY, MORE CONTROL
    45. IDC Survey: Attitudes and Perceptions Around Security and Cloud Services. Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization. Source: IDC 2013 U.S. Cloud Security Survey, Doc #242836, September 2013
    46. AWS.AMAZON.COM/SECURITY
    47. AWS Security Whitepapers: RISK & COMPLIANCE, AUDITING SECURITY CHECKLIST, SECURITY PROCESSES, SECURITY BEST PRACTICES
    48. AWS Security Assurance: DoD Community. Chris Gile
    49. Increasing Security and Operating Requirements. DoD Cloud Security Model (CSM) - ATO Process, administered via DISA; levels 1 through 6.
        - 100’s of Cloud Service Providers (CSP): System-Specific ATO (John Doe, DoD DAA)
        - 15 FedRAMP Compliant CSP[1] (10 IaaS, 3 PaaS, 2 SaaS): FedRAMP Authority to Operate
        - CSM ATO Levels 1-2 (Public); CSM ATO Levels 3-5 (NIPR); CSM ATO Level 6 (SIPR). Providers are a mix of IaaS, PaaS, SaaS (initial focus on IaaS). 3 Provisional Authorizations granted[1]; 0 Provisional Authorization granted[2].
        - The DoD provisionally authorized commercial CSP offering is eligible to be included in the Enterprise Cloud Service Catalog
        [1] Source: http://www.gsa.gov/portal/content/131931
        [2] Provisional ATO granted as of 2/15/2014
    50. Shared Security Responsibility
        - AWS & Customers both have security/compliance obligations
        - Logical assessment & accreditation boundaries
        - How are our ATOs consumed? Agencies & Partners
        Diagram: Cross-service Controls and Service-specific Controls, managed by AWS (Compliance of the Cloud: Cloud Service Provider Controls); Optimized Network/OS/App Controls, managed by Customer (Compliance in the Cloud)
    51. AWS Availability Zone (AZ) View. Sample US Region: Availability Zone A, Availability Zone B, Availability Zone C (diagram label: ~ DoD Data Center)
        - Multiple isolated locations within a Region
        - Availability Zone = 1 or more “data center”
        - Independent failure zone
        - Physically separated
        - On separate low-risk flood plains
        - Discrete UPS
        - Onsite backup generation facilities
        - Fed from different segments of utility provider
        - Redundantly connected to multiple tier-1 ISPs
        - No “Disaster Recovery Datacenter”: built for continuous availability
        - Customer decides Availability Zone for compute
    52. AWS FedRAMP Program
        - AWS has two Agency ATOs granted by HHS; assessment reviewed by HHS, FDA, CDC, and NIH covering:
          - All AWS US Regions (US East/West, & GovCloud (US))
          - EC2, S3, EBS, VPC, IAM
          - New: Amazon Redshift (US East/West only)
        - Assessed against all FedRAMP-Moderate controls (298)
        - Agency ATO packages have reciprocity with federal agencies
        - AWS will directly field FedRAMP package requests from all customers, though agencies can still request the AWS FedRAMP package from the FedRAMP PMO if desired
          - AWS provides customers a FedRAMP SSP Template, inherited/shared control matrix, as well as the FedRAMP package
        - AWS Security Assurance supports the lifecycle of customer engagements with supporting personnel and resources
        cloud.cio.gov/fedramp/amazon
    53. AWS DoD CSM Program
        - 2/6/14 Provisional Authorization for Levels 1-2
        - DISA-managed Cloud Security Model (CSM)
        - 68 additional control enhancements overlaid on FedRAMP Moderate
        - Partners have achieved MAC II Sensitive DIACAP ATOs
    54. Building Solutions on AWS
        - Partners & Agencies can leverage FedRAMP-compliant AWS
        - AWS’ FedRAMP package covers AWS infrastructure and underlying management of services
        - Partner’s FedRAMP package includes inherited controls; shared controls document the partner’s application/service built on AWS
        - To support partners we can provide:
          - Partner FedRAMP package: ATO Letters, CIS spreadsheet, FIPS 199, etc.
          - SSP Template: pre-populated with inherited control language, guidance on completing shared controls
          - ATO Letters as stand-alone documents
          - Support: Security Solutions Architects, Security Assurance Architects, Professional Services
    55. AWS Documentation Support
        - AWS Package is specific to the AWS Infrastructure
        - Partner’s Package is specific to the Partner’s Application or managed services
        - Inherited vs. Shared Controls
    56. Certifications & Compliance
        - AWS Environment: SOC 1/2/3; ISO 27001 Certification; Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider; FedRAMP (up to Moderate); AWS GovCloud (US) - ITAR compliant region
        - Customers have deployed various compliant applications: Sarbanes-Oxley (SOX); HIPAA (healthcare); FISMA/FedRAMP (US Federal Government); DIACAP - up to MAC II Sensitive; International Traffic in Arms Regulations (ITAR)
    57. Customer Resources
        - Whitepapers: Risk & Compliance Whitepaper; Overview of Security Processes; “Security at Scale” series (Governance in AWS, Logging in AWS)
        - Template: FedRAMP SSP Template
        - Workbooks: FISMA-High, CJIS
    58. Other Compliance Programs
        - FISMA-High Handbook: workbook available for partners under NDA; 84 additional control enhancements [21 inherited, 54 shared, 9 customer]
        - CJIS Handbook: available under NDA; 121 security requirements: 10 inherited, 87 shared, and 24 customer-responsible requirements
        - Both are partner-based approaches to build a portfolio of authorizations
    59. AWS Compliance & Security Centers (aws.amazon.com/security, aws.amazon.com/compliance)
        - Answers to many security and compliance questions
        - Security whitepaper
        - Risk and Compliance whitepaper
        - Overview of Security Processes whitepaper
        - “Security at Scale” whitepaper series
        - Security bulletins
        - Customer penetration testing requests
        - Security best practices
        - Request more information by contacting us
    60. Additional AWS Security & Compliance References
        - https://aws.amazon.com/security
        - https://aws.amazon.com/compliance
        - https://aws.amazon.com/compliance/#whitepapers
        - https://aws.amazon.com/compliance/fedramp-faqs
        - https://aws.amazon.com/govcloud-us
        - https://aws.amazon.com/documentation
        - https://aws.amazon.com/iam
        awscompliance@amazon.com
    61. Thank You. Chris Gile (cgile@amazon.com), Bill Murray (awsbill@amazon.com)
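Slide 21's CloudTrail use cases (security analysis, tracking resource changes, finding the most recent change), worked in Python as an added example that is not code from the deck or from AWS. The delivery file below is constructed: the field names (eventTime, eventSource, eventName, userIdentity, requestParameters) are those of the CloudTrail record format, but every value is made up. The root-account check ties back to the speaker note about using IAM instead of logging in as root.

```python
"""Triage a CloudTrail delivery file the way slide 21 describes: pull out
resource changes, surface root-account API use, and list what changed last.

Added example, not material from the deck. The log below is constructed; the
field names follow the documented CloudTrail record format, the values are
invented.
"""
import json

# Constructed CloudTrail delivery file. A real file is gzip-compressed JSON
# delivered to S3 with the same {"Records": [...]} layout.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2014-06-24T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-06-24T14:05:43Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0example1"}},
    {"eventTime": "2014-06-24T14:09:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVolume", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"volumeId": "vol-0example2"}},
    {"eventTime": "2014-06-24T13:58:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "AssumedRole",
                      "sessionContext": {"sessionIssuer": {"userName": "deploy-role"}}}},
]})

# API names that only read state; everything else is treated as a change.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def load_records(trail_json: str) -> list:
    return json.loads(trail_json)["Records"]


def actor(record: dict) -> str:
    """Best-effort name for who made the call (user, role, or the root account)."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "ROOT"
    if ident.get("type") == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("userName", "unknown-role")
    return ident.get("userName", "unknown")


def is_change(record: dict) -> bool:
    """Creation, modification or deletion: any call that is not read-only."""
    return not record["eventName"].startswith(READ_ONLY_PREFIXES)


def resource_changes(records, service="ec2.amazonaws.com") -> list:
    """Slide 21, 'Track Changes': mutating calls for one service, oldest first."""
    hits = [r for r in records if r["eventSource"] == service and is_change(r)]
    # CloudTrail timestamps are ISO-8601 UTC ("...Z"), so they sort correctly as strings.
    return sorted(hits, key=lambda r: r["eventTime"])


def root_calls(records) -> list:
    """Slide 21, 'Security Analysis': any API use by the root account is worth a look."""
    return [r for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def most_recent_changes(records, limit=3) -> list:
    """Slide 21, 'Troubleshoot': what changed last, as (time, API, actor) tuples."""
    recent = sorted((r for r in records if is_change(r)),
                    key=lambda r: r["eventTime"], reverse=True)
    return [(r["eventTime"], r["eventName"], actor(r)) for r in recent[:limit]]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for when, api, who in most_recent_changes(recs):
        print(when, api, who)
    print("root API calls:", [r["eventName"] for r in root_calls(recs)])
```

The read-only filter is a prefix heuristic (Describe/Get/List), which is how most CloudTrail triage starts; a production pipeline would also use the record's readOnly field where present and join each change to the resource it names in requestParameters.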
