AWS Summit Nordics - Security Keynote
Bill Murray, General Manager, AWS Security Programs
AWS Cloud Security
Cloud Security is:
• Universal
• Visible
• Auditable
• Transparent
• Shared
• Familiar
Universal Cloud Security
• Every Customer Has Access to the Same Security Capabilities, and Gets to Choose What’s Right for Their Business:
  – Governments
  – Financial Sector
  – Pharmaceuticals
  – Entertainment
  – Start-Ups
  – Social Media
  – Home Users
  – Retail
Visible Cloud Security
• AWS allows you to see your ENTIRE infrastructure at the click of a mouse.
  – Can you map your current network? (The slide contrasts two network diagrams: “This? Or this?”)
Auditable Cloud Security
• How do you know AWS is right for your business?
  – 3rd-party audits: independent auditors
  – Artifacts: plans, policies and procedures
  – Logs: obtained, retained, analyzed
Transparent Cloud Security
• Choose the audit/certification that’s right for you:
  – ISO 27001
  – SOC 1, SOC 2, SOC 3
  – FedRAMP
  – PCI
Security & Compliance Control Objectives
• Control Objective 1: Security Organization
  – Who we are
  – Proper control & access within the organization
• Control Objective 2: Amazon User Access
  – How we vet our staff
  – Minimization of access
• Control Objective 3: Logical Security
  – Our staff start with no systems access
  – Need-based access grants
  – Rigorous systems separation
  – Systems access grants regularly re-evaluated & automatically revoked
• Control Objective 4: Secure Data Handling
  – Storage media destroyed before being permitted outside our datacenters
  – Media destruction consistent with US Dept. of Defense Directive 5220.22
• Control Objective 5: Physical Security and Environmental Safeguards
  – Keeping our facilities safe
  – Maintaining the physical operating parameters of our datacenters
• Control Objective 6: Change Management
  – Continuous operation
• Control Objective 7: Data Integrity, Availability and Redundancy
  – Ensuring your data remains safe, intact & available
• Control Objective 8: Incident Handling
  – Processes & procedures for mitigating and managing potential issues
Shared Responsibility
• Let AWS do the heavy lifting
• This is what we do – and we do it all the time
• As the AWS customer you can focus on your business and not be distracted by the muck
• AWS is responsible for:
  – Facilities
  – Physical Security
  – Physical Infrastructure
  – Network Infrastructure
  – Virtualization Infrastructure
• The customer is responsible for:
  – Choice of Guest OS
  – Application Configuration Options
  – Account Management flexibility
  – Security Groups
  – Network ACLs
Physical Security
• Large non-descript facilities
• Robust perimeter controls
• 2-factor authentication for entry
• Controlled, need-based access for AWS employees
• All access is logged and reviewed
• Distributed Regions – Multiple Availability Zones
Network Security
• DDoS attacks defended at the border
• Man-in-the-Middle attacks – SSL endpoints
• IP spoofing prohibited
• Port scanning prohibited
• Packet sniffing prevented
Amazon EC2 Security
• Host operating system
  – Individual SSH keyed logins via bastion host for AWS admins
  – All accesses logged and audited
• Guest operating system
  – Customer controlled at root level
  – AWS admins cannot log in
  – Customer-generated keypairs
• Stateful firewall
  – Mandatory inbound firewall, default deny mode
• Signed API calls
  – Require X.509 certificate or customer’s secret AWS key
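The “signed API calls” bullet names the control but not what the customer’s secret key actually does to a request. The Python below is an added example, not AWS’s code: it follows the published AWS Signature Version 4 process (canonical request, string to sign, a signing key derived from the secret per day/region/service) and then plays the server’s role by recomputing the signature from the stored secret and comparing it in constant time. The access key, secret, endpoint host and sample request are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote

# Added example, not AWS's own code: request signing that follows the
# published AWS Signature Version 4 process. Credentials, host and the
# sample request are constructed placeholders.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"                   # placeholder
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # placeholder
REGION = "eu-west-1"
SERVICE = "ec2"
ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, body):
    """Fix every signed byte of the request in one canonical string.

    headers must use lowercase names; query and headers are sorted so the
    client and the verifying server build exactly the same string."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    canon_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    signed_headers = ";".join(sorted(headers))
    canon = "\n".join([method, path, canon_query, canon_headers,
                       signed_headers, sha256_hex(body)])
    return canon, signed_headers


def signing_key(secret, date_stamp):
    """Derive a per-day, per-region, per-service key; the raw secret never signs a request."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, REGION)
    k_service = hmac_sha256(k_region, SERVICE)
    return hmac_sha256(k_service, "aws4_request")


def sign(method, path, query, headers, body, secret=SECRET_KEY):
    amz_date = headers["x-amz-date"]            # e.g. 20130923T120000Z
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    canon, signed_headers = canonical_request(method, path, query, headers, body)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                sha256_hex(canon.encode("utf-8"))])
    signature = hmac.new(signing_key(secret, date_stamp),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return signature, scope, signed_headers


def authorization_header(method, path, query, headers, body):
    signature, scope, signed_headers = sign(method, path, query, headers, body)
    return (f"{ALGORITHM} Credential={ACCESS_KEY_ID}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify(method, path, query, headers, body, presented_signature, secret=SECRET_KEY):
    """Server side: recompute from the stored secret and compare in constant time."""
    expected, _, _ = sign(method, path, query, headers, body, secret)
    return hmac.compare_digest(expected, presented_signature)


def demo():
    # Constructed sample call: DescribeInstances against a placeholder endpoint.
    headers = {"host": "ec2.eu-west-1.amazonaws.com", "x-amz-date": "20130923T120000Z"}
    query = {"Action": "DescribeInstances", "Version": "2016-11-15"}
    args = ("GET", "/", query, headers, b"")
    signature, _, _ = sign(*args)
    tampered_query = dict(query, Action="TerminateInstances")   # any change breaks the signature
    return {
        "authorization": authorization_header(*args),
        "signature": signature,
        "valid": verify(*args, signature),
        "tampered_valid": verify("GET", "/", tampered_query, headers, b"", signature),
        "wrong_secret_valid": verify(*args, signature, secret="not-the-real-secret"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the code makes visible: the secret itself never leaves the client (only an HMAC chain derived from it is used), and because the host and x-amz-date headers are inside the signed string, a captured request cannot be replayed against another endpoint or re-used with a different action without the signature failing.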
[Diagram: instance isolation. Physical interfaces attach to the hypervisor; each customer’s instance (Customer 1, Customer 2, …, Customer n) has its own virtual interface, and traffic to it passes through the firewall, where that customer’s own Security Groups are applied.]
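The previous two slides describe the per-instance firewall as mandatory, inbound-only allow rules in default-deny mode, with state so the instance’s own outbound connections get their replies. As an added example (not AWS’s own code) the Python below models exactly that: security groups hold allow rules only, several groups attached to one instance are unioned, anything not matched is denied, and a connection table admits return traffic for connections the instance opened. The groups, CIDRs and packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not AWS's own code: security groups modelled as an allow-list
# evaluated in default-deny mode, plus a stateful connection table so replies
# to connections the instance opened are admitted without an inbound rule.


@dataclass(frozen=True)
class Rule:
    protocol: str     # "tcp", "udp", "icmp", or "-1" for any protocol
    from_port: int    # inclusive port range; ignored when protocol is "-1"
    to_port: int
    source: str       # source CIDR; security groups hold allow rules only


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)

    def allows_inbound(self, protocol, dst_port, src_ip):
        ip = ipaddress.ip_address(src_ip)
        for rule in self.inbound:
            if rule.protocol not in ("-1", protocol):
                continue
            if rule.protocol != "-1" and not (rule.from_port <= dst_port <= rule.to_port):
                continue
            if ip in ipaddress.ip_network(rule.source, strict=False):
                return True
        return False   # no matching allow rule: default deny


class InstanceFirewall:
    """Per-instance firewall: union of the attached groups' rules plus connection state."""

    def __init__(self, groups):
        self.groups = list(groups)
        self.established = set()    # (protocol, local_port, remote_ip, remote_port)

    def outbound(self, protocol, local_port, remote_ip, remote_port):
        """Record a connection the instance initiated (outbound is open in this model)."""
        self.established.add((protocol, local_port, remote_ip, remote_port))
        return True

    def inbound(self, protocol, dst_port, src_ip, src_port):
        # A reply to a connection we opened is admitted by state, not by a rule.
        if (protocol, dst_port, src_ip, src_port) in self.established:
            return True
        return any(g.allows_inbound(protocol, dst_port, src_ip) for g in self.groups)


def evaluate_sample():
    """Constructed groups and packets; returns each decision keyed by description."""
    web = SecurityGroup("web", [Rule("tcp", 443, 443, "0.0.0.0/0")])
    admin = SecurityGroup("admin", [Rule("tcp", 22, 22, "10.0.0.0/8")])
    fw = InstanceFirewall([web, admin])
    fw.outbound("tcp", 51000, "198.51.100.7", 443)   # instance calls an external API
    return {
        "https from internet": fw.inbound("tcp", 443, "203.0.113.5", 40000),
        "ssh from internet": fw.inbound("tcp", 22, "203.0.113.5", 40001),
        "ssh from corporate range": fw.inbound("tcp", 22, "10.1.2.3", 40002),
        "mysql from corporate range": fw.inbound("tcp", 3306, "10.1.2.3", 40003),
        "udp 443 from internet": fw.inbound("udp", 443, "203.0.113.5", 40004),
        "reply to our outbound call": fw.inbound("tcp", 51000, "198.51.100.7", 443),
        "unsolicited packet to same port": fw.inbound("tcp", 51000, "198.51.100.8", 443),
    }


if __name__ == "__main__":
    for description, allowed in evaluate_sample().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {description}")
```

The last two cases are the point of the stateful bullet: the same destination port is reachable from the peer the instance contacted and from nobody else, so no inbound rule for ephemeral ports is ever needed.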
Amazon VPC Architecture
[Diagram: the customer’s network reaches the customer’s isolated AWS resources in the Amazon Web Services Cloud over a secure VPN connection across the Internet, or over AWS Direct Connect – dedicated path/bandwidth. Labels on the diagram: Router, VPN Gateway, Internet, NAT, Subnets.]
VPC – Dedicated Instances
• Option to ensure physical hosts are not shared with other customers
• $10/hr flat fee per Region + small hourly charge
• Can identify specific instances as dedicated
• Optionally configure entire VPC as dedicated
Customer Challenge: Encryption
• Customers have requirements that require them to use specific encryption key management procedures not previously possible on AWS
  – Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls
  – Good key management is c
• Customers want to run applications and store data in AWS but previously had to retain keys in HSMs in on-premises datacenters
  – Applications may slow down due to network latency
  – Requires several DCs to provide high availability, disaster recovery and durability of keys
AWS Data Protection Solutions
• AWS offers several data protection mechanisms including access control, encryption, etc.
• AWS data encryption solutions allow customers to:
  – Encrypt and decrypt sensitive data inside or outside AWS
  – Decide which data to encrypt
• AWS CloudHSM complements existing AWS data protection and encryption solutions
• With AWS CloudHSM customers can:
  – Encrypt data inside AWS
  – Store keys in AWS within a Hardware Security Module
  – Decide how to encrypt data – the AWS CloudHSM implements cryptographic functions and key storage for customer applications
  – Use third-party validated hardware for key storage
• AWS CloudHSMs are designed to meet Common Criteria EAL4+ and FIPS 140-2 standards
9/23/2013 – Slides not intended for redistribution.
What is AWS CloudHSM?
• Customers receive dedicated access to HSM appliances
• HSMs are physically located in AWS datacenters – in close network proximity to Amazon EC2 instances
• Physically managed and monitored by AWS, but customers control their own keys
• HSMs are inside the customer’s VPC – dedicated to the customer and isolated from the rest of the network
AWS CloudHSM Service Highlights
• Secure Key Storage – customers retain control of their own keys and cryptographic operations on the HSM
• Contractual and Regulatory Compliance – helps customers comply with the most stringent regulatory and contractual requirements for key protection
• Reliable and Durable Key Storage – AWS CloudHSMs are located in multiple Availability Zones and Regions to help customers build highly available applications that require secure key storage
• Simple and Secure Connectivity – AWS CloudHSMs are in the customer’s VPC
• Better Application Performance – reduce network latency and increase the performance of AWS applications that use HSMs
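The three CloudHSM slides above share one design idea: key material stays inside a device the customer alone authenticates to, and applications hold only handles and ask the device to perform operations. The Python below is an added example, not AWS’s or any HSM vendor’s code, and it simulates that boundary in software: a partition that must be logged in to, keys generated inside it and never exported (the attempt is refused and logged), and an application that signs and verifies records while holding nothing but a handle string. The partition password and the order record are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Added example, not AWS's or any vendor's code: a simulated HSM partition
# that keeps key bytes inside the object and exposes only handles and
# operations, so the calling application never holds a key. The partition
# password and sample record are constructed placeholders.


class KeyExportRefused(Exception):
    """Raised when a caller asks for raw key material."""


class NotAuthenticated(Exception):
    """Raised when operations are attempted before logging in to the partition."""


class SimulatedHsmPartition:
    def __init__(self, partition_password: str):
        # Only a hash of the partition password is retained.
        self._password_hash = hashlib.sha256(partition_password.encode()).digest()
        self._keys = {}           # handle -> key bytes; never returned to callers
        self._session_open = False
        self.audit_log = []       # (event, handle) records for monitoring

    def login(self, password: str) -> bool:
        ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(),
                                 self._password_hash)
        self._session_open = ok
        self.audit_log.append(("login-ok" if ok else "login-failed", None))
        return ok

    def _require_session(self):
        if not self._session_open:
            raise NotAuthenticated("open a session with the partition password first")

    def generate_hmac_key(self, label: str) -> str:
        """Generate a 256-bit key inside the partition; only a handle leaves."""
        self._require_session()
        handle = f"hsm-key-{len(self._keys) + 1:04d}-{label}"
        self._keys[handle] = secrets.token_bytes(32)
        self.audit_log.append(("generate", handle))
        return handle

    def sign(self, handle: str, data: bytes) -> bytes:
        self._require_session()
        self.audit_log.append(("sign", handle))
        return hmac.new(self._keys[handle], data, hashlib.sha256).digest()

    def verify(self, handle: str, data: bytes, mac: bytes) -> bool:
        self._require_session()
        self.audit_log.append(("verify", handle))
        expected = hmac.new(self._keys[handle], data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)

    def export_key(self, handle: str):
        """Key material is not exportable; the attempt itself is logged."""
        self.audit_log.append(("export-refused", handle))
        raise KeyExportRefused(handle)


def demo():
    """Application side: works with a handle only; returns what it observed."""
    hsm = SimulatedHsmPartition("correct horse battery staple")   # placeholder password
    results = {"unauthenticated_blocked": False, "export_refused": False}
    try:
        hsm.generate_hmac_key("orders")
    except NotAuthenticated:
        results["unauthenticated_blocked"] = True
    hsm.login("correct horse battery staple")
    handle = hsm.generate_hmac_key("orders")       # the application stores this string only
    record = b"order=1234;amount=99.00"             # constructed sample record
    mac = hsm.sign(handle, record)
    results["valid"] = hsm.verify(handle, record, mac)
    results["tampered_valid"] = hsm.verify(handle, b"order=1234;amount=9900.00", mac)
    try:
        hsm.export_key(handle)
    except KeyExportRefused:
        results["export_refused"] = True
    results["handle_is_opaque"] = handle.startswith("hsm-key-")
    results["audit_events"] = [event for event, _ in hsm.audit_log]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit log is the part worth copying into a real deployment: every operation, including the refused export, is attributable to a handle, which is what “physically managed and monitored by AWS, but customers control their own keys” looks like from the application’s side.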
AWS Deployment Models
Isolation controls (the columns of the slide’s table):
  (1) Logical Server and Application Isolation
  (2) Granular Information Access Policy
  (3) Logical Network Isolation
  (4) Physical Server Isolation (Government Only)
  (5) Physical Network and Facility Isolation
  (6) ITAR Compliant (US Persons Only)
• Commercial Cloud – controls (1) and (2). Sample workloads: public-facing apps, web sites, dev/test, etc.
• Virtual Private Cloud (VPC) – controls (1) to (4). Sample workloads: data center extension, TIC environment, email, FISMA Low and Moderate
• AWS GovCloud (US) – controls (1) to (6). Sample workloads: US Persons compliant and government-specific apps
Familiar Cloud Security
• Everything You Do Now Can Be Done in the Cloud:
  – Intrusion Detection
  – Intrusion Prevention
  – Packet Capture
  – Firewalls
  – Access Control Lists
  – Multi-Factor Authentication
  – Identity and Access Management
AWS Security Resources
• http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
• Regularly updated
• Feedback is welcome
THANK YOU!!
• bmurray@amazon.com
• #billmurray00