AWS Summit Benelux 2013 - AWS Cloud Security Keynote
Transcript

  • 1. AWS Cloud Security. Bill Murray, General Manager, AWS Security Programs
  • 2. Cloud Security is: • Universal • Visible • Auditable • Transparent • Shared • Familiar
  • 3. Universal Cloud Security • Every Customer Has Access to the Same Security Capabilities, and Gets to Choose What’s Right for Their Business - Governments - Financial Sector - Pharmaceuticals - Entertainment - Start-Ups - Social Media - Home Users - Retail
  • 4. Visible Cloud Security • AWS allows you to see your ENTIRE infrastructure at the click of a mouse. - Can you map your current network? This Or This?
  • 5. Auditable Cloud Security • How do you know AWS is right for your business? - 3rd Party Audits • Independent auditors - Artifacts • Plans, Policies and Procedures - Logs • Obtained • Retained • Analyzed
  • 6. Transparent Cloud Security • Choose the audit/certification that’s right for you: - ISO-27001 - SOC-1, SOC-2, SOC-3 - FedRAMP - PCI
  • 7. Security & Compliance Control Objectives • Control Objective 1: Security Organization – Who we are – Proper control & access within the organization • Control Objective 2: Amazon User Access – How we vet our staff – Minimization of access
  • 8. Security & Compliance Control Objectives • Control Objective 3: Logical Security – Our staff start with no systems access – Need-based access grants – Rigorous systems separation – Systems access grants regularly re-evaluated & automatically revoked
  • 9. Security & Compliance Control Objectives • Control Objective 4: Secure Data Handling – Storage media destroyed before being permitted outside our datacenters – Media destruction consistent with US Dept. of Defense Directive 5220.22 • Control Objective 5: Physical Security and Environmental Safeguards – Keeping our facilities safe – Maintaining the physical operating parameters of our datacenters
  • 10. Security & Compliance Control Objectives • Control Objective 6: Change Management – Continuous Operation • Control Objective 7: Data Integrity, Availability and Redundancy – Ensuring your data remains safe, intact & available • Control Objective 8: Incident Handling – Processes & procedures for mitigating and managing potential issues
  • 11. Shared Responsibility • Let AWS do the heavy lifting • This is what we do – and we do it all the time • As the AWS customer you can focus on your business and not be distracted by the muck • AWS • Facilities • Physical Security • Physical Infrastructure • Network Infrastructure • Virtualization Infrastructure • Customer • Choice of Guest OS • Application Configuration Options • Account Management flexibility • Security Groups • Network ACLs
  • 12. Physical Security • Large non-descript facilities • Robust perimeter controls • 2 factor authentication for entry • Controlled, need-based access for AWS employees • All access is logged and reviewed
  • 13. Physical Security • Distributed Regions – Multiple Availability Zones
  • 14. Network Security • DDoS attacks defended at the border • Man-in-the-middle attacks: SSL endpoints • IP spoofing prohibited • Port scanning prohibited • Packet sniffing prevented
  • 15. Amazon EC2 Security • Host operating system – Individual SSH keyed logins via bastion host for AWS admins – All accesses logged and audited • Guest operating system – Customer controlled at root level – AWS admins cannot log in – Customer-generated keypairs • Stateful firewall – Mandatory inbound firewall, default deny mode • Signed API calls – Require X.509 certificate or customer’s secret AWS key
  • 16. Hypervisor firewall (diagram slide): the host's physical interfaces feed the hypervisor, whose firewall exposes each customer (Customer 1, Customer 2, ... Customer n) only its own virtual interfaces, each governed by that customer's own Security Groups.
  • 17. Amazon VPC Architecture (diagram slide): the customer's isolated AWS resources sit in subnets inside the Amazon VPC and are reached from the customer's network either over a secure VPN connection across the Internet (router on the customer side, VPN gateway on the AWS side) or over AWS Direct Connect with a dedicated path/bandwidth; Internet-bound traffic leaves through a NAT.
  • 18. VPC - Dedicated Instances • Option to ensure physical hosts are not shared with other customers • $2/hr flat fee per Region + small hourly charge • Can identify specific Instances as dedicated • Optionally configure entire VPC as dedicated
  • 19. Customer Challenge: Encryption • Customers have requirements defining specific encryption key management procedures – Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls • Customers want to use AWS but had to retain keys in HSMs in on-premises datacenters – Applications may slow down due to network latency – Requires several DCs to provide high availability, disaster recovery and durability of keys
  • 20. What is AWS CloudHSM? • Customers receive dedicated access to HSM appliances • HSMs are physically located in AWS datacenters – in close network proximity to Amazon EC2 instances • Physically managed and monitored by AWS, but customers control their own keys • HSMs are inside the customer's VPC – dedicated to the customer and isolated from the rest of the network
  • 21. AWS CloudHSM • With AWS CloudHSM customers can: – Encrypt data inside AWS – Store keys in AWS within a Hardware Security Module – Decide how to encrypt data • The AWS CloudHSM implements cryptographic functions and key storage for customer applications – Use third party validated hardware for key storage • AWS CloudHSMs are designed to meet Common Criteria EAL4+ and FIPS 140-2 standards
  • 22. AWS CloudHSM Service Highlights • Secure Key Storage – customers retain control of their own keys and cryptographic operations on the HSM • Contractual and Regulatory Compliance – helps customers comply with the most stringent requirements for key protection • Reliable and Durable Key Storage – AWS CloudHSMs are located in multiple Availability Zones and Regions to help customers build highly available applications that require secure key storage • Simple and Secure Connectivity – AWS CloudHSMs are in the customer's VPC • Better Application Performance – reduce network latency and increase performance
  • 23. AWS Data Protection Solutions • AWS offers several data protection mechanisms – Access control – Encryption • AWS data encryption solutions allow – Encrypt and decrypt sensitive data inside or outside AWS – Decide which data to encrypt – Partner with 3rd party key management solutions • AWS CloudHSM complements existing AWS data protection and encryption solutions (slide footer: 9/30/2013, slides not intended for redistribution)
  • 24. Familiar Cloud Security • Everything You Do Now Can Be Done in the Cloud - Intrusion Detection - Intrusion Prevention - Packet Capture - Firewalls - Access Control Lists - Multi-Factor Authentication - Identity and Access Management
  • 25. AWS Security Resources • http://aws.amazon.com/security/ • Security Whitepaper • Risk and Compliance Whitepaper • Regularly Updated • Feedback is welcome
  • 26. THANK YOU!! • bmurray@amazon.com • #billmurray00
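Slides 11, 15 and 16 list security groups, network ACLs and the mandatory default-deny stateful firewall without saying how the two VPC firewall layers differ. The following is an added example, not code from the presentation or from AWS: a small Python model of the documented semantics (a security group is a stateful allow-list with an implicit inbound deny; a network ACL is a list of numbered allow/deny rules evaluated lowest number first with an implicit final deny, and it keeps no connection state). Every address, port and rule number below is constructed.

```python
"""Stateful security groups versus stateless network ACLs, exercised on sample flows.

Added example, not AWS code. Models the documented semantics of the two VPC
firewall layers; addresses, ports and rule numbers are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def reply_of(flow):
    """Return packets of a flow swap the endpoints and the ports."""
    return Flow(flow.dst, flow.src, flow.proto, flow.dport, flow.sport)


def _in_cidr(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def _rule_matches(proto, port, peer, rule_proto, lo, hi, cidr):
    return rule_proto in ("all", proto) and lo <= port <= hi and _in_cidr(cidr, peer)


class SecurityGroup:
    """Allow rules only; anything unlisted is denied; replies to tracked flows pass."""

    def __init__(self, inbound, outbound=None):
        self.inbound = inbound  # rules are (proto, port_from, port_to, cidr)
        # AWS's default outbound rule allows everything; pass [] for a locked-down group
        self.outbound = [("all", 0, 65535, "0.0.0.0/0")] if outbound is None else outbound
        self._tracked = set()

    def _allowed(self, rules, flow, peer):
        key = (flow.proto, flow.src, flow.sport, flow.dst, flow.dport)
        if key in self._tracked:  # reply to a connection already permitted
            return True
        if any(_rule_matches(flow.proto, flow.dport, peer, *r) for r in rules):
            # remember the reverse tuple so the response passes whatever the rules say
            self._tracked.add((flow.proto, flow.dst, flow.dport, flow.src, flow.sport))
            return True
        return False

    def inbound_allowed(self, flow):
        return self._allowed(self.inbound, flow, flow.src)

    def outbound_allowed(self, flow):
        return self._allowed(self.outbound, flow, flow.dst)


class NetworkAcl:
    """Numbered rules, first match wins, implicit deny, evaluated per packet (stateless)."""

    def __init__(self, rules):
        self.rules = sorted(rules)  # (number, action, proto, port_from, port_to, cidr)

    def allowed(self, flow, peer):
        for _, action, proto, lo, hi, cidr in self.rules:
            if _rule_matches(flow.proto, flow.dport, peer, proto, lo, hi, cidr):
                return action == "allow"
        return False  # the implicit final deny


def trace_connection(acl_in, acl_out, sg, request):
    """Walk an inbound connection through both layers; returns (request_ok, reply_ok)."""
    if not (acl_in.allowed(request, request.src) and sg.inbound_allowed(request)):
        return False, False
    reply = reply_of(request)
    return True, sg.outbound_allowed(reply) and acl_out.allowed(reply, reply.dst)
```

The trace reproduces the usual mistake: an outbound network ACL that allows only port 443 drops the replies of inbound HTTPS connections, because a reply's destination port is the client's ephemeral port and the ACL tracks no state; the security group passes the same reply through connection tracking even when it has no outbound rule at all.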
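Slide 15 says API calls must be signed with the customer's secret AWS key. What that means in practice is shown below as an added example, not AWS SDK or service code: AWS Signature Version 4 computed on the client and recomputed on the service side. The access key, secret, host, timestamp and EC2 query parameters (including the API Version value) are constructed for illustration. SigV4 is the scheme AWS uses today; in 2013 several services still accepted the older Signature V2, but the principle is the same: the secret never leaves the caller, only an HMAC over a canonical form of the request does, and the service proves the caller holds the secret by recomputing that HMAC.

```python
"""AWS Signature Version 4: authenticating an API call without sending the secret.

Added example, not AWS SDK or service code. Credentials, host, date and the EC2
query parameters used with it are constructed; the API Version value is assumed.
"""
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Normalise the request so client and service hash exactly the same bytes."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    canon = "\n".join([method, quote(path, safe="/-_.~"), canon_query,
                       canon_headers, signed_headers, sha256_hex(payload)])
    return canon, signed_headers


def signing_key(secret_key, date, region, service):
    """Derive a key scoped to one day, region and service; the raw secret is never used directly."""
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def _signature(secret_key, region, service, method, path, query, headers, payload, amz_date):
    date = amz_date[:8]
    canon, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canon.encode("utf-8"))])
    sig = hmac.new(signing_key(secret_key, date, region, service),
                   string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return sig, signed_headers, scope


def sign_request(access_key, secret_key, region, service, method, host, path, query, payload, amz_date):
    """Client side: returns the headers to send. Only the signature travels, never the secret."""
    headers = {"host": host, "x-amz-date": amz_date}
    sig, signed_headers, scope = _signature(secret_key, region, service, method, path,
                                            query, headers, payload, amz_date)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={sig}")
    return headers


def verify_request(lookup_secret, region, service, method, path, query, headers, payload):
    """Service side: recompute from the stored secret and compare in constant time."""
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    try:
        fields = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM):].split(","))
        access_key, scope = fields["Credential"].split("/", 1)
        signed = {h: headers[h] for h in fields["SignedHeaders"].split(";")}
        amz_date = headers["x-amz-date"]
    except (KeyError, ValueError):
        return False
    secret = lookup_secret(access_key)
    if secret is None or scope != f"{amz_date[:8]}/{region}/{service}/aws4_request":
        return False  # unknown key, or a signature replayed across a different day, region or service
    expected, _, _ = _signature(secret, region, service, method, path, query, signed, payload, amz_date)
    return hmac.compare_digest(expected, fields["Signature"])
```

Because the query string, the signed headers and the payload hash are all inside the canonical request, changing any of them after signing (for instance swapping DescribeInstances for TerminateInstances) invalidates the signature, and the date in the credential scope bounds how long a captured signature stays useful.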

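Slides 19 to 23 describe CloudHSM as dedicated HSMs inside the customer's VPC, close to EC2 instances, holding keys that the customer controls and that AWS operators cannot read. The pattern that makes the latency point matter, envelope encryption with a key-encrypting key that never leaves the HSM, is shown below as an added example that is not CloudHSM or AWS code: the HSM is simulated in-process, and because the Python standard library has no AES the cipher is a stand-in built from HMAC-SHA256 (a counter-mode keystream plus an encrypt-then-MAC tag) where a real HSM would offer AES-GCM or AES key wrap. The key labels and the sample record are constructed.

```python
"""Envelope encryption with a key-encrypting key (KEK) that never leaves the HSM.

Added example, not AWS or CloudHSM code. The HSM is simulated in-process and the
cipher is a stand-in (HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC
tag) because the standard library has no AES. Labels and sample data are constructed.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-CTR)."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(key):
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Check the tag before touching the ciphertext; any modification raises."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SimulatedHsm:
    """KEKs live only inside this object; callers hold labels (handles), never key bytes."""

    def __init__(self):
        self._keys = {}

    def create_key(self, label):
        self._keys[label] = os.urandom(32)
        return label

    def generate_data_key(self, label):
        """One round trip: a fresh data key in the clear plus the same key wrapped under the KEK."""
        data_key = os.urandom(32)
        return data_key, seal(self._keys[label], data_key)

    def unwrap_data_key(self, label, wrapped):
        return open_sealed(self._keys[label], wrapped)

    def rewrap_data_key(self, old_label, new_label, wrapped):
        """KEK rotation done entirely inside the HSM; the data key is not returned."""
        return seal(self._keys[new_label], open_sealed(self._keys[old_label], wrapped))

    def export_key(self, label):
        raise PermissionError("key material is not exportable")


def encrypt_record(hsm, kek_label, plaintext):
    """Bulk encryption happens locally with the data key; the HSM only wraps that key."""
    data_key, wrapped = hsm.generate_data_key(kek_label)
    record = {"kek": kek_label, "wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext)}
    del data_key  # keep no reference to the plaintext key (native code would zeroize it)
    return record


def decrypt_record(hsm, record):
    data_key = hsm.unwrap_data_key(record["kek"], record["wrapped_key"])
    return open_sealed(data_key, record["ciphertext"])


def rotate_kek(hsm, record, new_kek_label):
    """Re-wrap the record's data key under a new KEK; the bulk ciphertext is untouched."""
    wrapped = hsm.rewrap_data_key(record["kek"], new_kek_label, record["wrapped_key"])
    return {**record, "kek": new_kek_label, "wrapped_key": wrapped}


def raises(exc, fn, *args):
    """True if calling fn(*args) raises exc; used to check fail-closed behaviour."""
    try:
        fn(*args)
    except exc:
        return True
    return False
```

Each record costs one HSM round trip to generate or unwrap its data key rather than one per block of data, which is why network proximity to the HSM matters less than the slides' on-premises scenario suggests; rotating the KEK re-wraps the data key inside the HSM without re-encrypting the data; and a modified record, or a different HSM holding a different key under the same label, fails closed instead of returning garbage.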