AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving Security with the AWS Cloud

The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.

Transcript

  • 1. AWS Government, Education, & Nonprofits Symposium, Canberra, Australia | May 20, 2014. Security as an enabler – improving security with the AWS cloud. Stephen Quigg, Principal Security Solutions Architect, Asia Pacific, Amazon Web Services
  • 2. AWS Regions: US-WEST (N. California), EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), US-WEST (Oregon), SOUTH AMERICA (Sao Paulo), US-EAST (Virginia), GOV CLOUD, ASIA PAC (Sydney). AWS has Regions across the globe – including Sydney.
  • 3. You can stay onshore in Australia with AWS: the AWS Sydney Region has multiple availability zones.
  • 4. You can improve your security with the AWS cloud
  • 5. You can deploy a consistent security model every time. AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers control their level of security and compliance IN the Cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption and network traffic protection.
  • 6. You can build everything to be resilient and fault tolerant. AWS operates scalable, fault tolerant services • Build resilient solutions operating in multiple datacenters • AWS helps simplify active-active resilient solutions • All AWS facilities are always on • No need for a “Disaster Recovery Datacenter” when you can have resilience • Every AWS facility managed to the same global standards. AWS has robust connectivity and bandwidth: each AZ has multiple, redundant Tier 1 ISP service providers and resilient network infrastructure.
  • 7. Everything can have fine-grained network security. You control your VPC address range • Your own private, isolated section of the AWS cloud • Every VPC has a private IP address space you define • Create your own subnets and control all internal and external connectivity. AWS network security • The AWS network will prevent spoofing and other common layer 2 attacks • Every compute instance gets multiple security groups – stateful firewalls • Every subnet gets network access control lists. [Diagram: a VPC spanning Availability Zone A and Availability Zone B]
  • 8. Create multi-tier architectures every time. [Diagram: VPC A (10.0.0.0/16) in Availability Zone A, with subnets 10.0.1.0/24 to 10.0.5.0/24 holding load balancing, web, app, log and jump host EC2 tiers]
  • 9. Firewall every single compute instance. Rules such as: “Web servers will accept Port 80 from load balancers”, “App servers will accept Port 8080 from web servers”, “Allow SSH access only from Jump Hosts”. [Diagram: the same VPC A (10.0.0.0/16) multi-tier layout as slide 8]
  • 10. Enable network access control on every subnet. Rules such as: “Deny all traffic between the web server subnet and the database server subnet”. [Diagram: the same VPC A (10.0.0.0/16) multi-tier layout as slide 8]
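Slides 9 and 10 state the rules in words; the following Python, added here as an example and not taken from the deck, models them as policy-as-code so that a flow can be checked against the destination subnet's network ACL and then the instance's security group, in that order. The tier-to-subnet mapping, the database port and every rule list are assumptions constructed for the example; the deck only gives the VPC and /24 ranges.

```python
"""Policy-as-code model of the layered VPC controls on slides 9 and 10.
The tier-to-subnet mapping and every rule below are constructed for this example; the
deck only gives the VPC (10.0.0.0/16) and its /24 subnets, not which tier sits where."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto ports source")  # ports is an inclusive (low, high)
SUBNETS = {  # assumed tier assignment for the /24s drawn on the slides
    "lb": "10.0.1.0/24", "web": "10.0.2.0/24", "app": "10.0.3.0/24",
    "db": "10.0.4.0/24", "jump": "10.0.5.0/24",
}
# Security groups are stateful allow-lists on each instance: any matching rule admits the flow.
SECURITY_GROUPS = {
    "web": [Rule("allow", "tcp", (80, 80), SUBNETS["lb"]),       # web accepts 80 from load balancers
            Rule("allow", "tcp", (22, 22), SUBNETS["jump"])],    # SSH only from jump hosts
    "app": [Rule("allow", "tcp", (8080, 8080), SUBNETS["web"]),  # app accepts 8080 from web servers
            Rule("allow", "tcp", (22, 22), SUBNETS["jump"])],
    "db":  [Rule("allow", "tcp", (3306, 3306), SUBNETS["app"]),  # assumed MySQL port, app tier only
            Rule("allow", "tcp", (22, 22), SUBNETS["jump"])],
}
# Network ACLs are stateless and ordered: first match wins, implicit deny at the end. Keyed by
# destination subnet; only the initiating packet's inbound direction is modelled (a real NACL
# also needs outbound and ephemeral-port rules for the return traffic).
NACLS = {
    "db": [Rule("deny", "all", (0, 65535), SUBNETS["web"]),  # deny all web subnet <-> db subnet
           Rule("allow", "all", (0, 65535), "10.0.0.0/16")],
}
DEFAULT_NACL = [Rule("allow", "all", (0, 65535), "0.0.0.0/0")]

def tier_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((t for t, cidr in SUBNETS.items() if addr in ipaddress.ip_network(cidr)), None)

def matches(rule, proto, port, src):
    return (rule.proto in ("all", proto) and rule.ports[0] <= port <= rule.ports[1]
            and src in ipaddress.ip_network(rule.source))

def is_allowed(src_ip, dst_ip, port, proto="tcp"):
    """Evaluate a new flow to dst_ip: the subnet NACL first, then the instance's security group."""
    src, dst_tier = ipaddress.ip_address(src_ip), tier_of(dst_ip)
    for rule in NACLS.get(dst_tier, DEFAULT_NACL):
        if matches(rule, proto, port, src):
            if rule.action == "deny":
                return False, f"NACL on {dst_tier} subnet denies traffic from {rule.source}"
            break
    else:
        return False, f"NACL on {dst_tier} subnet has no matching rule (implicit deny)"
    if any(matches(r, proto, port, src) for r in SECURITY_GROUPS.get(dst_tier, [])):
        return True, f"security group '{dst_tier}' allows {proto}/{port} from {tier_of(src_ip)}"
    return False, f"security group '{dst_tier}' has no rule for {proto}/{port} from {tier_of(src_ip)}"
```

Note that the web-to-database case is refused at the subnet NACL before the database security group is ever consulted, which is the defence-in-depth point of keeping both layers.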
  • 11. Control every Internet connection. Control Internet routing • Create Public subnets and Private subnets • Implement DMZ architectures as per normal best practices • Allocate static Elastic IP addresses or use AWS-managed public IP addresses. [Diagram: VPC A (10.0.0.0/16) in Availability Zone A, with web, app and load balancing tiers in subnets 10.0.1.0/24 to 10.0.4.0/24 behind an Internet Gateway]
  • 12. Connect in private to your existing datacentres: use Internet VPNs or use AWS Direct Connect. [Diagram: VPC A (10.0.0.0/16) linked to your premises]
  • 13. You can route to the Internet using your gateway: use Internet VPNs or use AWS Direct Connect. [Diagram: VPC A (10.0.0.0/16) linked to your premises, as on slide 12]
  • 14. Create flexible multi-VPC hybrid environments. [Diagram: your organisation's project teams, marketing, business units, reporting, digital/websites, dev and test, Redshift and EMR analytics, internal enterprise apps, and Amazon S3 / Amazon Glacier storage and backup, each in its own VPC]
  • 15. Every website can absorb attacks and scale out. [Diagram: distributed attackers and customers reach the Sydney region through Route 53 and CloudFront; inside your VPC, WAF instances, ELBs and Auto Scaling app tiers scale out]
  • 16. You can encrypt your sensitive information everywhere. Encrypt your Elastic Block Store volumes any way you like • Many free utilities, plus Trend, SafeNet and other partners offer high-assurance solutions. Amazon S3 offers either server or client-side encryption • Manage your own keys or let AWS do it for you. Redshift has one-click disk encryption as standard • Encrypt your data analytics • You can supply your own keys. RDS supports transparent data encryption (TDE) • Easily encrypt sensitive database tables.
  • 17. Store your encryption keys securely in CloudHSM. Tamper-resistant customer controlled hardware security modules within your VPC • Industry-standard SafeNet Luna devices, Common Criteria EAL4+, NIST FIPS 140-2 certified • No access from Amazon administrators who manage and maintain the appliance • High availability and replication with on-premises HSMs. Reliable & durable key storage • Use for transparent data encryption on self-managed databases and natively with AWS Redshift • Integrate with applications using Java APIs • Integration with marketplace disk-encryption and SSL.
  • 18. Use your own HSMs if you want. [Diagram: applications on your premises with your HSM, synchronised with CloudHSM appliances behind NAT in your VPC; used for volume, object and database encryption on EC2/EBS/S3, signing / DRM / apps, Amazon S3 and Amazon Glacier]
  • 19. You can enforce consistent host security. [Diagram: launch an instance from the EC2 AMI catalogue, configure it, run it; your instance layers: operating system, user administration, whitelisting and integrity, malware and HIPS, vulnerability management, audit and logging, hardening] You control the configuration of your servers. Harden operating system and platforms to your own spec. Use host-based protection software • Apply ASD Top 35 mitigation strategies! Think about how you will manage administrative users • Restrict access as much as possible. Build out the rest of your standard security environment • Connect to your existing services, e.g. SIEM.
  • 20. Control access and segregate duties everywhere. You get to control who can do what in your AWS environment and from where. Fine-grained control of your entire cloud environment with two-factor authentication. Integrated with your existing corporate directory using SAML 2.0. [Diagram: a Region containing VPC A (10.0.0.0/16) across two Availability Zones with subnets 10.0.1.0/24 and 10.0.2.0/24, a router, an Internet Gateway and a Customer Gateway; roles: AWS account owner, network management, security management, server management, storage management, build and run]
  • 21. Full visibility of your AWS environment. Who did what and when and from what IP address • CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made • Support for many AWS services and growing – includes EC2, EBS, VPC, RDS, IAM and Redshift • Easily aggregate all log information. Get consistent visibility of logs that you can monitor: out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic.
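As an added example that is not part of the deck, the following Python triages a few constructed CloudTrail records to answer the slide's question of who did what, when and from what IP address, flagging posture-changing calls, callers outside an assumed corporate address range, and denied requests. The records, the 203.0.113.0/24 corporate range and the sensitive-call watch-list are constructed for the example; only the record field names follow CloudTrail's layout.

```python
"""Triage constructed CloudTrail records: who did what, when, from which IP (slide 21).
The records, corporate egress range and sensitive-call list are constructed for this example;
only the field names (eventTime, eventName, userIdentity, sourceIPAddress, errorCode) are CloudTrail's."""
import ipaddress
import json
SAMPLE_LOG = json.dumps({"Records": [  # constructed records, not a real trail
    {"eventTime": "2014-05-20T01:02:03Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-05-20T01:05:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.11", "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2014-05-20T02:10:44Z", "eventName": "StopLogging",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventTime": "2014-05-20T02:11:09Z", "eventName": "CreateAccessKey", "errorCode": "AccessDenied",
     "sourceIPAddress": "203.0.113.12", "userIdentity": {"type": "IAMUser", "userName": "dave"}},
    {"eventTime": "2014-05-20T03:00:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "autoscaling.amazonaws.com", "userIdentity": {"type": "AWSService"}},
]})
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate NAT range
# Calls that change the security posture or blind the audit trail (constructed watch-list).
SENSITIVE = {"AuthorizeSecurityGroupIngress", "CreateNetworkAclEntry", "StopLogging",
             "DeleteTrail", "CreateAccessKey", "PutUserPolicy", "AttachUserPolicy"}

def actor(record):
    """Best available name for the caller: IAM user, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def off_network(source):
    """True for an IP outside the corporate range; AWS service principals log a DNS name, not an IP."""
    try:
        return not any(ipaddress.ip_address(source) in net for net in CORPORATE_EGRESS)
    except ValueError:
        return False

def triage(raw_json):
    """Return (who, what, when, source, reasons) for every record that deserves review."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        reasons = []
        if rec["eventName"] in SENSITIVE:
            reasons.append("sensitive change")
        if off_network(rec.get("sourceIPAddress", "")):
            reasons.append("source outside corporate range")
        if rec.get("errorCode"):
            reasons.append("denied: " + rec["errorCode"])
        if reasons:
            findings.append((actor(rec), rec["eventName"], rec["eventTime"],
                             rec.get("sourceIPAddress"), reasons))
    return findings
```

Against a real trail the same function would run over every object CloudTrail delivers to the S3 bucket, with the watch-list and corporate range taken from your own environment.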
  • 22. You get to do all of this in DEVELOPMENT, TESTING, PRE-PRODUCTION and LIVE.
  • 23. Let's hear from an AWS customer who has done it.
  • 24. Bruce Haefele, Chief Architect, Healthdirect Australia: Delivering health services on AWS
  • 25. Who we are and what we do
  • 26. We isolate environments into VPCs. [Diagram: Dev, Int, Test, Staging, Prod, Tools, Admin and Corp VPCs in the Sydney region, with an HSM appliance, and a VPN to an external datacenter provider]
  • 27. We isolate components within each VPC. [Diagram: in Availability Zone A, web, WAF, API gateway, ESB, portal, app, IAM, vulnerability, PII, log, SIEM, monitoring, security management, encryption management, de-identification, authentication and security data components, segmented into Public, Unclassified and Sensitive / Health zones]
  • 28. Services we use in the AWS cloud: DynamoDB, RDS, Elastic Network Interface, EBS, Elastic Load Balancer, Glacier, VPC, Storage Gateway, EC2, CloudFormation, AWS IAM, Auto Scaling, Elastic IPs, Route 53, CloudWatch, S3, CloudFront, VPC VPN
  • 29. Things you should think about • Start small and experiment • Rethink your approach to your infrastructure • Data classification • What AWS services you can use and what you have to build • Defense in depth • Where and how to encrypt • What to log, backup strategies, archive and retrieval • How to federate and integrate – levels of trust • Privileged access • Compliance • Vendor licensing models • Financial management
  • 30. Further info and how to get AWS support. Read AWS security whitepapers, tips and good practices • http://blogs.aws.amazon.com/security • http://aws.amazon.com/compliance • http://aws.amazon.com/security • Risk and compliance, best practices, audit guides and operational checklists to help you before you go live • Workshop solutions with an AWS solutions architect, including me! • Get free trials of security from AWS Partners on the AWS marketplace. Sign up for AWS premium support • http://aws.amazon.com/support • Get help when you need it most – as you grow • Choose different levels of support with no long-term commitment
  • 31. THANK YOU. Please give us your feedback by filling out the Feedback Forms. AWS Government, Education, & Nonprofits Symposium, Canberra, Australia | May 20, 2014