AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve High Availability with Reliable Security at Low Cost, Santanu Dutt
The cloud is not an 'all or nothing' approach to replacing the workloads inside your datacenter. Enterprises with existing datacenters can extend their infrastructure into the cloud and leverage its benefits while keeping the same set of controls their business is familiar with. However, availability and security remain the top two concerns for CIOs deciding on cloud adoption for their organization.

Amazon Web Services has infrastructure across multiple geographical Regions spanning five continents, with multiple Availability Zones in each Region and a set of global edge locations. Building similar infrastructure for high availability with a traditional datacenter would be non-trivial and cost prohibitive. Join this session to understand how you can achieve high availability across geographies, deploy your applications close to your users, control where your data is located, achieve low latency, and migrate your applications around the world in a cost-effective and easy manner using AWS services. You will also learn how AWS builds services in accordance with security best practices, provides appropriate security features in those services, and has achieved industry-standard certifications and other third-party attestations. In addition, under the shared security model of the cloud, AWS customers must use those security features and best practices to architect an appropriately secure application environment. Enabling customers to ensure the confidentiality, integrity, and availability of their data is of the utmost importance to AWS, as is maintaining trust and confidence.


Transcript

  • 1. Santanu Dutt santanu@amazon.com Extend your Data Center in the Cloud and achieve High Availability with reliable Security at low Cost
  • 2. traditional constraints
  • 3. 1. Capacity Corporate Data Center
  • 4. 1. Capacity Corporate Data Center
  • 5. Corporate Data Center 1. Capacity Capacity in traditional facilities is a premium resource
  • 6. 2. Agility Corporate Data Center
  • 7. 2. Agility Corporate Data Center
  • 8. 2. Agility: Approvals; Hardware acquisition/VM capacity allocation; Ticket queuing; Provisioning; Configuration; Request; Availability. Requirements can take a long time to fulfill. Corporate Data Center
  • 9. 3. Cost Corporate Data Center
  • 10. 3. Cost: Project X (Potential impact: LOW; Cost of infrastructure: HIGH) Denied. Project Z (Potential impact: LOW; Cost of infrastructure: LOW) Approved. Project Y (Potential impact: HIGH; Cost of infrastructure: HIGH) Denied. Corporate Data Center
  • 11. 3. Cost: Project X (Potential impact: LOW; Cost of infrastructure: HIGH) Denied. Project Z (Potential impact: LOW; Cost of infrastructure: LOW) Approved. Project Y (Potential impact: HIGH; Cost of infrastructure: HIGH) Denied. Cost of infrastructure can inhibit innovation. Corporate Data Center
  • 12. the elastic datacenter: flexible, on-demand facilities
  • 13. Corporate Data Center
  • 14. Corporate Data Center: Project Z Approved
  • 15. Corporate Data Center: Project Z Approved; Project X Approved
  • 16. Corporate Data Center: Completed; Project X Approved
  • 17. Corporate Data Center: Project X Approved; Project Y Approved
  • 18. Corporate Data Center: Completed; Completed
  • 19. Extending your data center (Corporate Data Center)
  • 20. Corporate Data Center: Connect to Amazon Virtual Private Cloud (VPC)
  • 21. The New Enterprise IT Network Architecture: Public Subnet, Private Subnet, Corporate Data Center, Corporate Headquarters, Branch Offices, VPN Gateway, Customer Gateway, Internet Gateway, NAT Instance, Cloud Services
  • 22. your Application (high) Availability: low-cost, global infrastructure
  • 23. 1. SELF-HEALING 2. MULTI-AVAILABILITY ZONES 3. MULTI-SITE WARM STANDBY 4. MULTI-SITE ACTIVE-ACTIVE
  • 24. Availability Zone / Region
  • 25. AWS Building Blocks. Inherently highly available and fault tolerant services: Amazon S3, Amazon Route 53, Amazon CloudFront, Amazon DynamoDB, Elastic Load Balancing, Amazon SNS, Amazon SES, Amazon SWS, … Highly available with the right architecture: Amazon EC2, Amazon EBS, Amazon RDS, Amazon VPC
  • 27. Inter-region content sync … just like that: Singapore to Dublin via EBS Snapshot Copy and AMI Copy
  • 28. 1. SELF-HEALING 2. MULTI-AVAILABILITY ZONES 3. MULTI-SITE WARM STANDBY 4. MULTI-SITE ACTIVE-ACTIVE
  • 29. 1. SELF-HEALING 2. MULTI-AVAILABILITY ZONES 3. MULTI-SITE WARM STANDBY 4. MULTI-SITE ACTIVE-ACTIVE
  • 30. 1. SELF-HEALING 2. MULTI-AVAILABILITY ZONES 3. MULTI-SITE WARM STANDBY 4. MULTI-SITE ACTIVE-ACTIVE
  • 31. 1. SELF-HEALING 2. MULTI-AVAILABILITY ZONES 3. MULTI-SITE WARM STANDBY 4. MULTI-SITE ACTIVE-ACTIVE
  • 32. Security: world-class secure infrastructure
  • 33. Shared Responsibility Model. AWS: Facilities; Physical Security; Physical Infrastructure; Network Infrastructure; Virtualization Infrastructure. Customer: Operating System; Application; Security Groups; OS Firewalls; Network Configuration; Account Management
  • 34. Who says?
  • 35. AWS Certifications • Based on the Shared Responsibility model • AWS Environment – SSAE 16 / SOC 1 (SAS70 Type II) Audit – ISO 27001 Certification – Payment Card Industry Data Security Standard (PCI DSS) Level 1 – FedRAMP (FISMA) • Customers have deployed various compliant applications: – Sarbanes-Oxley (SOX) – HIPAA (healthcare) – FISMA (US Federal Government) – DIACAP MAC III Sensitive IATO
  • 36. How did AWS do that?
  • 37. Physical Security of Data Centers • Amazon has been building large-scale data centers for many years • Important attributes: – Non-descript facilities – Robust perimeter controls – Strictly controlled physical access – 2 or more levels of two-factor auth • Controlled, need-based access • All access is logged and reviewed • Separation of Duties – employees with physical access don’t have logical privileges
  • 38. Amazon EC2 Instance Isolation (diagram): Physical Interfaces; Hypervisor; Customer 1, Customer 2, … Customer n; Virtual Interfaces; Firewall; Customer 1 Security Groups, Customer 2 Security Groups, … Customer n Security Groups
  • 39. Storage Device Decommissioning • All storage devices go through a decommissioning process • Uses techniques from – DoD 5220.22-M (“National Industrial Security Program Operating Manual”) – NIST 800-88 (“Guidelines for Media Sanitization”) • Ultimately – degaussed – physically destroyed
  • 40. Network Security Considerations • Distributed Denial of Service (DDoS): – Standard mitigation techniques in effect • Man in the Middle (MITM): – All endpoints protected by SSL – Fresh EC2 host keys generated at boot • IP Spoofing: – Prohibited at host OS level • Unauthorized Port Scanning: – Violation of AWS TOS – Detected, stopped, and blocked – Inbound ports blocked by default • Packet Sniffing: – Promiscuous mode is ineffective – Protection at hypervisor level
  • 41. How do I build secure?
  • 42. • Users and Groups within Accounts • Unique security credentials • Access keys • Login/Password • optional MFA device • Policies control access to AWS APIs • API calls must be signed by either: • X.509 certificate • secret key • Deep integration into some Services • S3: policies on objects and buckets • AWS Management Console supports User log on • Not for Operating Systems or Applications • use LDAP, Active Directory/ADFS, etc... AWS Identity and Access Management (IAM)
  • 43. Multi-tier Security Approach Example (Amazon EC2 Security Group Firewall): Web Tier, Application Tier, Database Tier. Ports 80 and 443 only open to the Internet; engineering staff have ssh access to the App Tier, which acts as Bastion; all other Internet ports blocked by default; sync with on-premises database
  • 44. VPC
  • 45. Cloud HSM
  • 46. AWS Security and Compliance Center (http://aws.amazon.com/security/) • Answers to many security & privacy questions • Security whitepaper • Risk and Compliance whitepaper • Security bulletins • Customer penetration testing • Security best practices • More information on: • AWS Identity & Access Management (AWS IAM) • AWS Multi-Factor Authentication (AWS MFA)
  • 47. Questions? santanu@amazon.com @san_dutt
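The three-tier security-group design from slide 43, written up as an added example (not code from the deck or from AWS) of a policy check a defender can run over a proposed rule set before it is applied. The group names, the corporate CIDR and the 8080/3306 port numbers are constructed assumptions; group references model EC2's allow-from-security-group rules.

```python
from dataclasses import dataclass, field
from typing import Dict, List

INTERNET = "0.0.0.0/0"
CORP_CIDR = "10.0.0.0/8"   # assumed on-premises network (constructed value)

@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    source: str            # a CIDR, or the name of another security group

@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)

def audit_three_tier(groups: Dict[str, SecurityGroup], corp_cidr: str) -> List[str]:
    """Return findings where inbound rules deviate from the slide-43 design."""
    findings: List[str] = []
    web, app, db = groups["web"], groups["app"], groups["db"]
    # Web tier: only 80 and 443 may be exposed to the Internet.
    for r in web.inbound:
        if r.source == INTERNET and r.port not in (80, 443):
            findings.append(f"web: {r.proto}/{r.port} open to the Internet")
    # App and DB tiers: nothing at all from the Internet (blocked by default).
    for tier in (app, db):
        for r in tier.inbound:
            if r.source == INTERNET:
                findings.append(f"{tier.name}: {r.proto}/{r.port} open to the Internet")
    # App tier is the bastion: ssh only from the corporate network.
    for r in app.inbound:
        if r.port == 22 and r.source != corp_cidr:
            findings.append(f"app: ssh allowed from {r.source}")
    # DB tier: reachable only from the app tier and the on-premises sync source.
    for r in db.inbound:
        if r.source != INTERNET and r.source not in ("app", corp_cidr):
            findings.append(f"db: {r.proto}/{r.port} reachable from {r.source}")
    return findings

def compliant_design() -> Dict[str, SecurityGroup]:
    """Constructed rule set matching the slide: 80/443 public, ssh via the app bastion."""
    return {
        "web": SecurityGroup("web", [Rule("tcp", 80, INTERNET), Rule("tcp", 443, INTERNET),
                                     Rule("tcp", 22, "app")]),
        "app": SecurityGroup("app", [Rule("tcp", 8080, "web"), Rule("tcp", 22, CORP_CIDR)]),
        "db": SecurityGroup("db", [Rule("tcp", 3306, "app"), Rule("tcp", 3306, CORP_CIDR)]),
    }

def drifted_design() -> Dict[str, SecurityGroup]:
    """Same design after two common mistakes: ssh and the DB port opened to the world."""
    g = compliant_design()
    g["web"].inbound.append(Rule("tcp", 22, INTERNET))
    g["db"].inbound.append(Rule("tcp", 3306, INTERNET))
    return g
```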