AWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview

As you look to go beyond your cloud and how you will manage governance for it, there are things you need to consider as you build your strategy. Come to this session to understand data protection policies, your relevant control areas, what shared responsibility means and what you need to do to put the right components together for your organisation's Cloud governance strategy.

Published in: Technology, Business

  1. 2013 AWS WWPS Summit, Canberra, Australia
     Compliance, Governance & Security on the AWS Cloud
     Mark Ryland, Chief Solutions Architect
  2. 2013 AWS WWPS Summit, Canberra – May 23
     The Capability/Transparency Trade-up
     What You Get:
     • Flexible, powerful, fully virtual environment
     • High investment and capability in security
     • Certifications, reports, attestations
     • Reduced compliance ops burden
     • A world class security team watching your back!
     What You Give Up:
     • Low-level operational details of the physical infrastructure
     • Control over low-level capabilities
     • Ability to physically manage / examine networks and servers
  3. Benefits of Scale Apply to Security and Compliance
     The entire community benefits from tough scrutiny, the world-class AWS security team, market-leading capabilities, and constant improvements.
     [Diagram: Everyone’s Systems and Applications; Security Infrastructure; Requirements]
     Nothing better for the community than a tough set of customers…
  4. Accreditation & Compliance, Old and New
     Old world:
     • Functionally optional (you can build a secure system without it)
     • Audits done by an in-house team
     • Not about actual security; check the box
     • Check once a year
     • Workload-specific security
     New world:
     • Functionally necessary (no, you cannot visit our data centers!)
     • Audits done by third party auditors
     • Superior security drives broad compliance
     • Continuous monitoring, checking
     • Security based on all workload scenarios
  5. Expert Audits: Validation Scalpels Approaching From 360º
     [Diagram: multiple SMEs examining the system from different angles]
     • Experts examine the system with their particular focus
     • Yet reviewed from a variety of perspectives
     • What emerges is an unusually complete, comprehensive view including overlapping and non-overlapping elements
     • All customers benefit from variety, volume, velocity
     SME = subject matter expert
  6. Customers Getting Certified
     [Diagram labels: Practices; Controls; Reports; Tested; Reliance; Customer Controls; Controls + Customer Controls; Verified]
  7. System vs. Platform Certifications & ATOs
     System/app/workload ATOs:
     • Traditional way of granting ATOs: analyze entire stack from concrete through application
     • Not as efficient; harder to get re-use
     • However, provides the only fast way to achieve cloud value prop: greater agility and more mission for the money
     • Many gov’t examples: Tradeshift in the UK; CDC BioSense 2.0 and Tradeworx in the US; Swiss Topo; etc.
     Platform certifications & ATOs:
     • E.g., FedRAMP in the USA; still need to certify/authorize workload on top
     • Make sense from a re-use and economies of scale perspective
     • However, waiting for platform certification delays getting immediate value from the cloud!
     • This is the best solution for the longer term, but don’t wait if you see compelling value
  8. Spectrum of Approaches to Platform Certification (Progressive to Conservative)
     • “We don’t care about platform certification. AWS provides compelling mission value. We’ll issue our own ATO.”
     • “Our agency may move to platform certification but AWS provides compelling value. We’ll proceed forward with our own ATO for now.”
     • “Our agency will authorize some low-risk workloads on AWS but will wait for platform certification before going big.”
     • “Our agency requires a platform certification. We’ll start working with AWS but will wait to deploy operational workloads.”
     • “Our agency won’t speak to AWS prior to platform certification.”
     Roles quoted: Government PM, Government ISSO, Agency Security Official, Government COTR, Government ISSO
  9. Governance: Extension and Integration
     [Diagram: Your Data Centers (On-Premises Apps) connected to Cloud Apps via Private Connections, Workload Migrations, Access Control Integration, and Work with Existing Management Tools]
  10. Many Capabilities to Support Hybrid Architectures
     [Diagram: Your Data Centers (Active Directory, VMware Images, Network Configuration, Your Data, Your On-Premises Apps, Users & Access Rules) linked to AWS (VM Import/Export, Your Private VPC, Our Storage, Your Cloud Apps) through Direct Connect, VPC, IAM, and Storage Gateway]
  11. AWS Ecosystem Builds on Existing Management Tools
     [Diagram: Single Pane of Glass; Workload Migration; Inventory / patch VMs; App 1 and App 2 in Your Data Center; VMs in AWS EC2]
  12. AWS Cloud Governance Service Enablers
     Governance Area: AWS Technologies
     Roles and Responsibilities:
     • Identity and Access Management: Groups, Policies, Roles
     Configuration Management:
     • Private, “hardened” AMIs
     • CloudFormation Templates
     • Elastic Beanstalk
     • OpsWorks
     Financial Controls:
     • Linked Accounts, Consolidated Billing
     • Tagging of resources
     • CloudWatch Billing Alarms
     Monitoring and Reporting:
     • CloudWatch
     • CloudWatch Alarms
     • Simple Notification Service
  13. AWS Cloud Governance Service Enablers (cont.)
     Governance Area: AWS Technologies
     Information Assurance: Processing:
     • Corporate “Gold master” AMIs (operating system images)
     • VPC network isolation for all workloads
     • Dedicated EC2 Instances
     • CloudHSM service
     Information Assurance: Storage:
     • S3 AES 256-bit server-side encryption, client-side encryption
     • EBS Volume Encryption
     • RDS database encryption features
     • Complete destruction of all storage media on decommissioning
     Information Assurance: Transmission:
     • SSL termination for all AWS endpoints
     • HW/SW VPN Connections
     • Direct Connect
  14. AWS Cloud Governance Service Enablers (cont.)
     Governance Area: AWS Technologies
     Network Security:
     • Private addressing (Virtual Private Cloud)
     • Network ACLs
     • Security Groups
     • Virtual Private Gateways
     Access Controls:
     • Identity and Access Management Policies across all services
     • S3 Bucket Policies
     • EC2 Instance Roles
     Identification and Authentication:
     • Identity and Access Management
     • Federated Identity Management (AWS as relying party)
     • Multi-Factor Authentication
     • Group Policies and Roles
     • Strong password policies
  15. AWS Cloud Governance Service Enablers (cont.)
     Governance Area: AWS Technologies
     Disaster Recovery and Continuity of Operations
     Data:
     • EBS Snapshots
     • S3 Near-Line Storage
     • Glacier Near-Offline Storage
     • Storage Gateway
     • Bulk Data Import/Export
     • Managed AWS NoSQL/SQL Database Services
     • Extensive 3rd Party Solutions
     Workload:
     • Elastic Load Balancers, EC2 Auto Scaling, CloudWatch
     • Route 53 – Health Checks, Latency Based Routing
     • CloudFront – Content Delivery Network
     • Multi-AZ, Multi-Region Workload Deployment
  16. AWS Governance Tool: Trusted Advisor
     • Online service from AWS Support
       – Analyzes account for various kinds of issues and possible concerns
       – Soon available as an API for integration with your tools or 3rd party solutions
     • Four categories:
       – Cost savings
       – Security
       – Fault tolerance
       – Performance
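The kind of account analysis Trusted Advisor's security category performs, reduced to one check, as an added illustration (this is not AWS's or the presenter's code): it walks security-group rules, a customer-side control from slide 14, and flags administrative and database ports reachable from any address. The record shape mirrors what `describe_security_groups()` returns, but the sample groups are constructed by hand so the check runs offline.

```python
"""Toy Trusted Advisor style check: sensitive ports open to the world.

Added example, not AWS's or the presenter's code. Records follow the shape of
boto3's describe_security_groups() output (GroupId, GroupName, IpPermissions
with IpProtocol/FromPort/ToPort/IpRanges); the data below is constructed."""
from typing import Iterable

# Ports whose exposure to the whole Internet a governance check should flag.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def open_to_world(rule: dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole address space."""
    ranges = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    ranges += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in ranges)


def ports_covered(rule: dict) -> set[int]:
    """Sensitive ports matched by a rule; protocol -1 (all) has no port fields."""
    if rule.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def audit_security_groups(groups: Iterable[dict]) -> list[tuple[str, int, str]]:
    """Return (GroupId, port, service) for every sensitive port open to anywhere."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            if not open_to_world(rule):
                continue
            for port in sorted(ports_covered(rule)):
                findings.append((g["GroupId"], port, SENSITIVE_PORTS[port]))
    return findings


# Constructed sample: world-open SSH, a correctly scoped DB group, and an allow-all rule.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0b2", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-0c3", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, port, name in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {name} ({port}) reachable from anywhere")
```

Feeding the same function the live output of `describe_security_groups()` turns it into the continuous check slide 4 contrasts with the once-a-year audit.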
  17. Security is a Shared Responsibility
     AWS:
     • Facilities
     • Physical security
     • Compute infrastructure
     • Storage infrastructure
     • Network infrastructure
     • Virtualization layer (EC2)
     • Hardened service endpoints
     • Rich IAM capabilities
     + Customer:
     • Network configuration
     • Security groups
     • OS firewalls
     • Operating systems
     • Applications
     • Proper service configuration
     • AuthN & acct management
     • Authorization policies
     = Secure system
     • Re-focus your security professionals on a subset of the problem
     • Take advantage of high levels of uniformity and automation
  18. Shared Responsibility Model
     Amazon:
     • Foundation Services: Compute, Storage, Database, Networking
     • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
     Customer:
     • Customer Data
     • Platform, Applications, Identity & Access Management
     • Operating System, Network & Firewall Configuration
     • Client-side Data Encryption & Data Integrity Authentication
     • Server-side Encryption (File System and/or Data)
     • Network Traffic Protection (Encryption/Integrity/Identity)
     Amazon compliance:
     • Payment Card Industry (PCI) Data Security Standard Level 1
     • NIST 800-53 Controls & multiple ATOs; FedRAMP
     • DoD Compliant Controls and multiple DIACAP ATOs
     • SSAE 16 Types 1 & 2 (SAS 70)
     • ISO 27001/2 Certification
     • HIPAA and ITAR Compliant
     Customer compliance:
     • Customers implement their own set of controls
     • Multiple customers with FISMA GSS/MA Low/Moderate ATOs
     • Customers and partners working on FISMA GSS/MA High ATOs
  19. Dimensions of Shared Responsibility & Control
     1. Operation within the Service: The functions the customer controls and configurations they choose (e.g., in EC2, RDS)
     2. Security Configurability: The tools AWS gives customers to configure their security stance (e.g., access policies, security groups) vary considerably from service to service
     3. Security Features Which Span Services: Some security configuration features are global (e.g., IAM), others service-specific
     4. Cross-Layer Security Controls: Means by which customers integrate their existing controls into AWS (e.g., key management, Active Directory, Drupal user management) and vice versa (e.g., IAM Roles for Instances)
  20. 2013 AWS WWPS Summit, Canberra, Australia
     Thank you!
     Mark