AWS Summit London - Keynote - Stephen Schmidt
 

AWS Summit, London Keynote: Stephen Schmidt, Chief Information Security Officer, AWS, Amazon.com & AWS Customer: Steve Howes (CEO at ATOC)

    Presentation Transcript

    • (Title slide) Monday, April 29, 2013
    • Stephen Schmidt, Chief Information Security Officer, AWS
    • Cloud Security is:
      – Universal
      – Visible
      – Auditable
      – Transparent
      – Shared
      – Familiar
    • Universal Cloud Security: Every customer has access to the same security capabilities, and gets to choose what's right for their business:
      – Start-Ups
      – Social Media
      – Home Users
      – Retail
      – Governments
      – Financial Sector
      – Pharmaceuticals
      – Entertainment
    • Visible Cloud Security: AWS allows you to see your entire infrastructure at the click of a mouse. Can you map your current network? This? Or this? (two network diagrams)
    • Auditable Cloud Security: How do you know AWS is right for your business?
      – 3rd Party Audits: independent auditors
      – Artifacts: plans, policies and procedures
      – Logs: obtained, retained, analyzed
    • SOC 1/2 – Control Objectives
      – Control Objective 1: Security Organization
      – Control Objective 2: Amazon User Access
      – Control Objective 3: Logical Security
      – Control Objective 4: Secure Data Handling
      – Control Objective 5: Physical Security and Environmental Safeguards
      – Control Objective 6: Change Management
      – Control Objective 7: Data Integrity, Availability and Redundancy
      – Control Objective 8: Incident Handling
    • Steve Howes, Chief Executive Officer (ATOC)
    • An Integrated Network:
      – 21 franchised rail companies
      – 2,500 stations
      – 10,000 miles
    • System Schematic (diagram, two builds; the second marks which components are AWS Hosted): National Reservations Service, Data Distribution Service, Product Management Service, Ticket on Departure Service, Points of Sale (x10,000), Apportionment Engine, Settlement Service; grouped into Pre-sales and Post-sales
    • £7.5 billion: annual rail industry revenue
    • RSP and Security
      – Our systems handle £7.5B of transactions annually
      – Revenue collected by the retailer must be correctly settled to the operators to the penny, auditable to the highest standards
      – We handle £5B of payment card transactions annually
      – Our passengers depend absolutely on our services
    • Why AWS?
      – We need a 'trusted' environment, more than the narrow meaning of security: Compliance, Governance, Risk management, Availability, Integrity, Privacy
      – Simply, through AWS and our SI Partner Smart421 we are able to meet all of these requirements
    • Shared Responsibility
      – Let AWS do the heavy lifting
      – This is what we do – and we do it all the time
      – As the AWS customer you can focus on your business and not be distracted by the muck
      – AWS: Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure
      – Customer: Choice of Guest OS, Application Configuration Options, Account Management flexibility, Security Groups, Network ACLs
    • Amazon VPC Architecture (diagram, built up over six slides): the Customer's Network connects to the Amazon Web Services Cloud by a Secure VPN Connection over the Internet (Router to VPN Gateway) and by AWS Direct Connect (Dedicated Path/Bandwidth); Subnets hold the Customer's isolated AWS resources; later builds add an Internet connection and NAT
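    The Shared Responsibility slide names Security Groups and Network ACLs as the customer-side controls, and the VPC diagrams show the subnets they apply to. The model below is an added example, not code from the slides or from AWS: it encodes the two evaluation rules a practitioner has to keep straight (a security group is a stateful allow-list; a network ACL is a stateless, numbered list where the lowest matching rule wins and anything unmatched hits the implicit deny) and pushes a constructed HTTPS request and its reply through both. The addresses, rule numbers and the Packet/Rule/NetworkAcl/SecurityGroup classes are assumptions made for the illustration.

```python
"""Constructed model of how the two customer-side VPC controls named on the
Shared Responsibility slide evaluate traffic. Illustration only, not AWS code.

  Security group : stateful allow-list. A permitted inbound request implies
                   its reply is permitted; there are no deny rules.
  Network ACL    : stateless. Inbound and outbound are checked separately,
                   rules are tried in ascending rule number, the first match
                   decides, and an unmatched packet hits the implicit deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    sport: int   # source port


@dataclass(frozen=True)
class Rule:
    number: int            # evaluation order for network ACLs
    proto: str             # "tcp", "udp" or "all"
    ports: tuple           # (low, high), inclusive
    cidr: str              # remote address range the rule matches
    action: str = "allow"  # "allow" or "deny" (deny only meaningful in ACLs)

    def matches(self, proto, port, remote):
        if self.proto not in ("all", proto):
            return False
        low, high = self.ports
        return low <= port <= high and ip_address(remote) in ip_network(self.cidr)


class NetworkAcl:
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, proto, port, remote):
        for rule in rules:
            if rule.matches(proto, port, remote):
                return rule.action == "allow"
        return False                   # the '*' rule: deny everything else

    def allows_inbound(self, p):       # port checked is the one on our instance
        return self._first_match(self.inbound, p.proto, p.dport, p.src)

    def allows_outbound(self, p):      # port checked is the one on the remote host
        return self._first_match(self.outbound, p.proto, p.dport, p.dst)


class SecurityGroup:
    def __init__(self, inbound):
        self.inbound = list(inbound)
        self._established = set()      # connection-tracking state

    def allows_inbound(self, p):
        if any(r.matches(p.proto, p.dport, p.src) for r in self.inbound):
            self._established.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return True
        return False

    def allows_reply(self, p):
        # a reply reverses the tuple; it passes iff the request was tracked
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self._established


def build_acl(with_ephemeral_outbound):
    """Assumed ACL: block one abusive /24 ahead of the general HTTPS allow.
    Forgetting the outbound ephemeral-port rule is the classic stateless
    mistake, so it is made optional here to show its effect."""
    inbound = [
        Rule(90, "tcp", (443, 443), "203.0.113.0/24", "deny"),
        Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    ]
    outbound = []
    if with_ephemeral_outbound:
        outbound.append(Rule(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow"))
    return NetworkAcl(inbound, outbound)


def flow_permitted(acl, sg, request):
    """True only if the request and its reply pass both layers."""
    reply = Packet(src=request.dst, dst=request.src, proto=request.proto,
                   dport=request.sport, sport=request.dport)
    acl_ok = acl.allows_inbound(request) and acl.allows_outbound(reply)
    sg_ok = sg.allows_inbound(request) and sg.allows_reply(reply)
    return acl_ok and sg_ok


if __name__ == "__main__":
    https_sg = SecurityGroup([Rule(0, "tcp", (443, 443), "0.0.0.0/0")])
    client = Packet("198.51.100.7", "10.0.1.5", "tcp", 443, 51000)
    blocked = Packet("203.0.113.9", "10.0.1.5", "tcp", 443, 51000)
    print("ACL without ephemeral rule:", flow_permitted(build_acl(False), https_sg, client))
    print("ACL with ephemeral rule:   ", flow_permitted(build_acl(True), https_sg, client))
    print("Denied /24, rule 90 first: ", flow_permitted(build_acl(True), https_sg, blocked))
```

    The first run fails even though the security group would pass the flow: the ACL has no outbound rule for the client's ephemeral port, so the reply is dropped. Adding the 1024-65535 outbound allow fixes it, and the deny at rule 90 still wins over the broader allow at rule 100 because ordering, not specificity, decides in a network ACL.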
    • Customer Challenge: Encryption (part 1)
      – Customers have requirements that require them to use specific encryption key management procedures not previously possible on AWS
        – Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls
        – Good key management is critical
    • Customer Challenge: Encryption (part 2)
      – Customers want to run applications and store data in AWS but previously had to retain keys in HSMs in on-premises data centers
        – Applications may slow down due to network latency
        – Requires several DCs to provide high availability, disaster recovery and durability of keys
    • AWS Data Protection Solutions
      – AWS offers several data protection mechanisms including access control, encryption, etc.
      – AWS data encryption solutions allow customers to:
        – Encrypt and decrypt sensitive data inside or outside AWS
        – Decide which data to encrypt
      – AWS CloudHSM complements existing AWS data protection and encryption solutions
      – With AWS CloudHSM customers can:
        – Encrypt data inside AWS
        – Store keys in AWS within a Hardware Security Module
        – Decide how to encrypt data – the AWS CloudHSM implements cryptographic functions and key storage for customer applications
        – Use third party validated hardware for key storage
    • HSM – Hardware Security Module
      – A hardware device that performs cryptographic operations and key storage
      – Used for strong protection of private keys
      – Tamper resistant – keys are protected physically and logically
        – If a tampering attempt is detected, the appliance destroys the keys
      – Device administration and security administration are logically separate
        – Physical control of the appliance does not grant access to the keys
      – Certified by 3rd parties to comply with government standards for physical and logical security:
        – FIPS 140-2
        – Common Criteria EAL4+
      – Example vendors include: SafeNet, Thales
      – Historically located in on-premises datacenters
    • What is AWS CloudHSM?
      – Customers receive dedicated access to HSM appliances
      – HSMs are physically located in AWS datacenters – in close network proximity to Amazon EC2 instances
      – Physically managed and monitored by AWS, but customers control their own keys
      – HSMs are inside customer's VPC – dedicated to the customer and isolated from the rest of the network
    • AWS CloudHSM Service Highlights
      – Secure Key Storage – customers retain control of their own keys and cryptographic operations on the HSM
      – Contractual and Regulatory Compliance – helps customers comply with the most stringent regulatory and contractual requirements for key protection
      – Reliable and Durable Key Storage – AWS CloudHSMs are located in multiple Availability Zones and Regions to help customers build highly available applications that require secure key storage
      – Simple and Secure Connectivity – AWS CloudHSMs are in the customer's VPC
      – Better Application Performance – reduce network latency and increase the performance of AWS applications that use HSMs
    • How Customers Use AWS CloudHSM
      – Customers use AWS CloudHSM as an architectural building block in securing applications: Object encryption, Digital Rights Management (DRM), Document signing, Secure document repository, Database encryption, Transaction processing
    • Customer use cases
      – Large Silicon Valley company: video DRM
      – Start-up document rights management service: enterprise document protection
      – Very large tech company: Root of trust for Public Key Infrastructure (PKI) authentication system
      – Very large financial services organization: Root of trust for key management system for virtual machine authentication & encryption
    • On-Premises Integration with AWS CloudHSM (diagram: Corporate Datacenter with an HSM, connected by SSL over the Internet via VPN or AWS Direct Connect to an Application with HSM Client on an Amazon VPC Instance and to AWS CloudHSM in the Amazon Virtual Private Cloud)
      – Customers' applications continue to use standard crypto APIs (PKCS#11, MS CAPI, JCA/JCE, etc.)
      – SafeNet HSM client replaces existing crypto service provider libraries and connects to the HSM to implement API calls in hardware
      – SafeNet HSM Client can share load and store keys redundantly across multiple HSMs
      – Key material is securely replicated to HSM(s) in the customer's datacenter
    • Key Storage & Secure Operations for AWS Workloads (diagram: Application with HSM Client on an Amazon VPC Instance connected over SSL to AWS CloudHSM inside the Amazon Virtual Private Cloud)
      – A: AWS manages the HSM appliance but does not have access to customers' keys
      – B: Customers control and manage their own keys
      – C: Application performance improves (due to close network proximity with AWS workloads)
      – D: Secure key storage in tamper-resistant/tamper-evident hardware available in multiple regions and AZs
      – E: CloudHSMs are in the customer's VPC and isolated from other AWS networks
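    The HSM and CloudHSM slides above state properties rather than an interface: keys never leave the device, device administration is separate from security administration, a tamper event destroys the keys, and the vendor client spreads load and replicates keys across several HSMs. The model below is an added example, not AWS, SafeNet or CloudHSM client code, that makes those properties concrete enough to exercise. Role names, method names, labels and HSM names are assumptions, and HMAC-SHA256 stands in for the device's signing primitive; the secure channel between replicas is not modelled.

```python
"""Constructed model of the HSM properties listed on the slides: key material
never leaves the device, device administration is separate from security
administration, a tamper event zeroizes the keys, and the client spreads load
over replica HSMs holding the same key. Illustration only; role and method
names are assumptions and HMAC-SHA256 stands in for the device's signing
primitive. This is not the SafeNet or AWS CloudHSM client API."""
import hashlib
import hmac
import secrets


class HsmError(Exception):
    pass


class HsmPartition:
    """One HSM partition. Key bytes exist only in _keys and no method returns
    them; callers refer to keys by label."""
    ROLES = {"appliance_admin", "crypto_officer", "crypto_user"}

    def __init__(self, name):
        self.name = name
        self._keys = {}
        self._role = None
        self.zeroized = False

    def login(self, role):
        if role not in self.ROLES:
            raise HsmError("unknown role " + role)
        self._role = role

    def _require(self, *roles):
        if self.zeroized:
            raise HsmError(self.name + ": zeroized, no keys present")
        if self._role not in roles:
            raise HsmError("%s: role %s may not do this" % (self.name, self._role))

    # security administration: the crypto officer creates and replicates keys
    def generate_key(self, label):
        self._require("crypto_officer")
        self._keys[label] = secrets.token_bytes(32)

    def replicate_to(self, other, label):
        """Device-to-device replication; the calling client never sees the
        key bytes (the secure channel between devices is not modelled)."""
        self._require("crypto_officer")
        other._require("crypto_officer")
        other._keys[label] = self._keys[label]

    # cryptographic use: keys are used in place, never read out
    def sign(self, label, data):
        self._require("crypto_user", "crypto_officer")
        if label not in self._keys:
            raise HsmError(self.name + ": no key " + label)
        return hmac.new(self._keys[label], data, hashlib.sha256).digest()

    # device administration: the appliance admin runs the box but has no
    # role that can use or read keys; physical control only reaches this
    def tamper_detected(self):
        """Physical tamper response: destroy every key on the device."""
        self._keys.clear()
        self.zeroized = True


class HaHsmClient:
    """Stands in for the vendor client library: the same label exists on every
    member, calls rotate across members, and members that fail are skipped."""

    def __init__(self, partitions):
        self.partitions = list(partitions)
        self._next = 0

    def sign(self, label, data):
        for _ in range(len(self.partitions)):
            member = self.partitions[self._next % len(self.partitions)]
            self._next += 1
            try:
                return member.sign(label, data)
            except HsmError:
                continue                 # try the next replica
        raise HsmError("no healthy HSM holds " + label)


def demo():
    """Walk through the slides' scenario; returns (replicas_agree,
    admin_could_sign, cloud_member_zeroized)."""
    cloud = HsmPartition("cloudhsm-eu-west-1a")      # assumed names
    onprem = HsmPartition("dc-hsm-1")
    for hsm in (cloud, onprem):
        hsm.login("crypto_officer")
    cloud.generate_key("doc-signing")
    cloud.replicate_to(onprem, "doc-signing")
    for hsm in (cloud, onprem):
        hsm.login("crypto_user")

    client = HaHsmClient([cloud, onprem])
    doc = b"settlement batch, constructed sample document"
    sig_cloud = client.sign("doc-signing", doc)      # served by cloud
    sig_onprem = client.sign("doc-signing", doc)     # served by onprem

    cloud.login("appliance_admin")                   # the operator's role
    try:
        cloud.sign("doc-signing", doc)
        admin_could_sign = True
    except HsmError:
        admin_could_sign = False

    cloud.tamper_detected()                          # cloud member zeroized
    sig_after = client.sign("doc-signing", doc)      # failover to onprem
    return (sig_cloud == sig_onprem == sig_after, admin_could_sign,
            cloud.zeroized and len(cloud._keys) == 0)


if __name__ == "__main__":
    print(demo())
```

    The point of the role check in sign() is the slide's "physical control of the appliance does not grant access to the keys": the appliance_admin role, which is what the operator holds, is simply not in the set that _require accepts for key use. The failover in HaHsmClient is why the slides can claim durability from a pair of HSMs: the on-premises replica answers with an identical signature after the cloud member zeroizes.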
    • AWS Deployment Models (table: which isolation properties each model provides, with sample workloads)
      – Commercial Cloud: Logical Server and Application Isolation; Granular Information Access Policy. Sample workloads: public-facing apps, web sites, dev/test etc.
      – Virtual Private Cloud (VPC): the above plus Logical Network Isolation and Physical Server Isolation. Sample workloads: data center extension, TIC environment, email, FISMA Low and Moderate
      – AWS GovCloud (US): the above plus Government Only Physical Network and Facility Isolation and ITAR Compliant (US Persons Only). Sample workloads: US Persons compliant and government-specific apps
    • AWS Security Resources
      – http://aws.amazon.com/security/
      – Security Whitepaper
      – Risk and Compliance Whitepaper
      – Regularly Updated
      – Feedback is welcome
    • Thank you.
    • Sponsors (logo slide): Gold sponsor, Silver sponsors, Bronze sponsors