AWS Enterprise Day | Securing your Web Applications in the Cloud
Security is a top priority for both AWS and its customers, and many enterprises trust AWS with some of their most sensitive information, including financial, personal and health information. This session covers the key security features of AWS that these enterprise customers use to build their own secure applications and to secure and encrypt their content. It also shows how you can integrate AWS into your existing security policies and how partners such as Trend Micro can help you extend those policies into the AWS Cloud.

  1. AWS Enterprise Security. Stephen Quigg, Principal Security Solutions Architect, Asia Pacific
  2. Every Customer Gets the Same AWS Security Foundations
     Independent validation by experts:
     •  Every AWS Region is in scope
     •  SOC 1 (SSAE 16 & ISAE 3402) Type II
     •  SOC 2 Type II and public SOC 3 report
     •  ISO 27001 certification
     •  Certified PCI DSS Level 1 Service Provider
     •  FedRAMP certification, HIPAA capable
     [Diagram: AWS Foundation Services (Compute, Storage, Database, Networking) on the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)]
  3. Security is a Shared Responsibility Between AWS and our Customers
     AWS is responsible for the security OF the Cloud: the AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
     Customers are responsible for their security IN the Cloud:
     •  Customer content
     •  Platform, applications, identity & access management
     •  Operating system, network & firewall configuration
     •  Client-side data encryption, server-side data encryption and network traffic protection
  4. Your Own Auditor Can Still Audit your AWS Environment
     AWS provides:
     •  Culture of security and continual improvement
     •  Ongoing audits and assurance
     •  Protection of large-scale service endpoints
     On top of that you build your own compliant solutions, your own ISO certifications and your own external audits and assurance:
     •  Achieve PCI, HIPAA and MPAA compliance
     •  Certify against ISO 27001 with a reduced scope
     •  Have key controls audited or publish your own independent attestations
  5. Let AWS Take Care of the Heavy Lifting for You
     AWS: facilities, physical security, compute infrastructure, storage infrastructure, network infrastructure, virtualization layer (EC2), hardened service endpoints, rich IAM capabilities
     + Customer: network configuration, security groups, OS firewalls, operating systems, applications, proper service configuration, AuthN & account management, authorization policies
     = Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.
  6. Customers Retain Full Ownership and Control of Their Content
     You choose where to store it and who can use it:
     •  Customers manage their privacy objectives how they choose to
     •  Select the AWS geographical Region; there is no automatic replication elsewhere
     •  Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
     The security of our services and customers is key to AWS.
  7. Customers Choose Where Their Compute and Storage is Located
     Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, SOUTH AMERICA (Sao Paulo), EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), CHINA (Beijing)
  8. Build Your Own Resilient, Fault Tolerant Solutions
     •  AWS operates scalable, fault tolerant services; all AWS facilities are always on, every one managed to the same global standards
     •  Build resilient solutions operating in multiple datacenters; AWS helps simplify active-active operations
     •  No need for a "Disaster Recovery Datacenter" when you can have resilience
     •  AWS has robust connectivity and bandwidth: each AZ has multiple, redundant Tier 1 ISP service providers and resilient network infrastructure
  9. Create Your Own Integrated Hybrid Environment with Amazon VPC
     [Diagram: your organization (project teams, marketing, business units, reporting, digital/websites, dev and test environments, internal enterprise apps) connected through Amazon VPC to Redshift and EMR for analytics, and to Amazon S3 and Amazon Glacier for storage and backup]
  10. You Can Apply Your Existing Security Policies and Standards
     Launch instance (EC2, AMI catalogue) -> configure instance (operating system) -> running instance (your instance).
     Configure your environment as you like; you get to apply your existing security policy:
     •  Hardening and configuration
     •  Audit and logging
     •  Vulnerability management
     •  Malware and IPS
     •  Whitelisting and integrity
     •  User administration
     Create or import your own 'gold' images: import existing VMs to AWS or save your own custom images. Choose how to build your standard host security environment.
  11. Control Access and Segregate Duties with AWS IAM
     •  You get to control who can do what in your AWS environment, and from where
     •  Fine-grained control of your entire cloud environment with two-factor authentication
     •  Integrated with your existing corporate directory using SAML 2.0
     [Diagram: the AWS account owner delegates network management, security management, server management and storage management to separate identities; a VPC in one Region with two subnets across two Availability Zones, a router, an Internet Gateway and a Customer Gateway to the Internet]
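An added illustration of the "who can do what, and from where" control described on this slide, written for this page and not taken from the deck: an IAM policy for a server-management role that permits instance lifecycle actions only when the caller authenticated with MFA and the request comes from the corporate address range, and that explicitly denies security-group changes so that network and security management stay with other roles. The range 203.0.113.0/24 is a documentation address block standing in for a corporate network, and the statement IDs are illustrative.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ServerManagementWithMFAFromCorpNetwork",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:Describe*"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" },
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" }
      }
    },
    {
      "Sid": "NoSecurityGroupChangesForServerAdmins",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress"
      ],
      "Resource": "*"
    }
  ]
}
```

The Allow requires aws:MultiFactorAuthPresent to be true; a call signed with a plain long-term access key carries no such key, so it does not match and is denied by default. The explicit Deny on security-group actions overrides any Allow the same identity receives from another policy, which is what enforces the separation of duties the slide draws. Note that aws:SourceIp only sees the address the API request arrives from, so requests that AWS services make on the user's behalf (for example from CloudFormation) are not covered by the address condition.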
  12. You Can Choose to Encrypt Your Content Any Way You Like
     •  Encrypt your Elastic Block Store volumes any way you like: many free utilities, plus Trend and other partners offer high-assurance solutions
     •  S3 offers either server-side or client-side encryption: manage your own keys or let AWS do it for you
     •  Redshift has one-click disk encryption as standard: you can supply your own keys
     •  RDS supports transparent data encryption (TDE): easily encrypt sensitive database tables
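As an added example (not from the deck) of turning the S3 server-side encryption option into an enforced control rather than a per-upload choice, the following bucket policy denies any PutObject that omits the x-amz-server-side-encryption header, and any that sets it to something other than AES256 (the value for S3-managed keys). The bucket name example-sensitive-data is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsThatOmitServerSideEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-sensitive-data/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    },
    {
      "Sid": "DenyUploadsWithUnexpectedEncryptionType",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-sensitive-data/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" }
      }
    }
  ]
}
```

The policy inspects only the request header, so it can enforce that S3 encrypts the object at rest with keys AWS manages. It cannot tell whether an object was already encrypted on the client before upload, so the client-side option the slide mentions (where you keep the keys) has to be enforced in the application or SDK configuration rather than in the bucket policy.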
  13. You Can Use AWS CloudHSM to Store Your Encryption Keys
     Tamper-resistant, customer controlled hardware security module within your VPC:
     •  Industry-standard SafeNet Luna devices, Common Criteria EAL4+ and NIST FIPS 140-2 certified
     •  No access from the Amazon administrators who manage and maintain the appliance
     Reliable & durable key storage:
     •  Use for database and Redshift encryption
     •  Integrate with your own applications
     •  Integration with partner disk encryption
  14. You Can Also Use or Integrate with Your Own On-premise HSMs
     [Diagram: applications and your own HSM on your premises synchronised with an H/A pair of CloudHSM appliances (behind NAT) in your VPC; EC2 instances use them for volume, object and database encryption (EBS, S3, Amazon Glacier) and for transaction signing, DRM and applications]
  15. AWS Partners Can Help You Build and Implement Secure Solutions
     AWS (physical security, compute, storage and network infrastructure, virtualization layer (EC2), hardened service endpoints, fine-grained IAM capability, rich security features) + AWS partner solutions = your secure AWS solutions.
     There are also now free trials of security software on the AWS Marketplace that you can use to evaluate for your own security.
  16. Simple. Smart. Security that fits: Instant ON Security for AWS. David Ng, APAC PMM, Cloud & Data Center Security
  17. Data Center Ops: from your own data center (physical) to virtual to cloud
     •  By 2016, 71% of server workloads will be virtualized (1)
     •  90% of large enterprises and government agencies will use cloud by 2015 (2)
     Sources: 1. Gartner, Forecast Analysis: Data Center, May 2012. 2. Forrester Study, 2013.
  18. Are you using traditional data center security approaches in your cloud deployments?
  19. Are you Dealing With...
     •  Minutes to deploy a server... weeks to secure it?
     •  Knowing what security is needed... and whether it is applied appropriately?
     •  Cloud scale beyond physical limits... hitting a wall on security?
  20. How are You Dealing with... production apps, sensitive data, patch scheduling, web app vulnerabilities and compliance in the public cloud?
     76% of organizations indicated they had compliance or data confidentiality requirements (Source: Trend Micro survey, May 2013)
  21. Security Principles Remain the Same; the APPROACH to Security Must Change
     •  CONTEXT: from generic to workload and application-aware
     •  SOFTWARE: from hardware to software optimized for cloud infrastructure
     •  PLATFORM: from many tools to comprehensive capabilities extended across your data center and cloud
     •  ADAPTIVE: from static to intelligent, dynamic policy enforcement, with automated provisioning specific to the platform
  22. Cloud Security is a Shared Responsibility
     Cloud service provider: foundation services (compute, storage, database, networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).
     Customers: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption and network traffic protection.
  23. New Approaches Can Deliver Instant-on Cloud Security
     •  Provision securely within the dynamic cloud
     •  Manage security efficiently as you scale
     •  Security optimized for the cloud
  24. Automate Security as a Part of Your Operations
     •  Recommend and apply security policies for instant-on protection
     •  Continuously scan applications for vulnerabilities
     •  Protect data in motion and at rest
  25. Global telecom company, 450 million subscribers worldwide
     Required a major deployment in AWS to be as secure as, or more secure than, the data center.
     RESULTS: After examining the available options and consulting with AWS on how to fulfill their shared responsibility, it was clear that Trend Micro had the optimal solution for securing their cloud deployment and fitting into the AWS environment.
     •  Achieved COMPLIANCE with critical regulations & corporate standards
     •  COMPREHENSIVE capabilities from a leader in security
     •  AUTOMATED security for maximum operational efficiency
  26. New Approaches Can Deliver Instant ON Cloud Security
     •  Provision securely within the dynamic cloud
     •  Manage security efficiently as you scale
     •  Security optimized for the cloud
  27. Deploy Security Controls Where They are Needed
     •  Deploy software in the EC2 instance to ensure context-based security
     •  Address key compliance needs (e.g. the HITECH Act)
     •  Automatically deploy the right controls to address security needs
     [Diagram: controls available per instance: integrity monitoring, host firewall, intrusion prevention, anti-malware, log inspection, application scanning, data protection]
  28. Manage Security Efficiently as You Scale
     •  Leverage a comprehensive dashboard across multiple security controls with integrated reporting and alerting
     •  Continuously monitor servers AND applications
     •  Virtually patch deployed instances for maximum protection
     •  Manage via web console OR via API
  29. Virtual Patching: Protect Against Vulnerabilities
     •  Reduce risk of exposure to vulnerability exploits, especially as you scale
     •  Save money by avoiding costly emergency patching
     •  Patch at your convenience
     [Timeline: vulnerability disclosed or exploit available -> patch available -> begin deployment -> test and soak -> complete deployment. Without virtual patching the exposure window runs from disclosure until deployment completes; with Trend Micro virtual patching, intrusion-prevention rules shield the unpatched instance during that window, and the vendor patch is still applied afterwards at your convenience]
  30. Trend Micro's virtual patching rules were released more than a month before these hacks were reported!
     90% of all organizations have strong pain points with patch management, zero-days & legacy systems
  31. Needed a partner who could easily add security to fulfill shared responsibility in the cloud
     RESULTS:
     •  Enabled AUTOMATED provisioning and security
     •  CENTRALIZED MANAGEMENT of all security policies and reporting
     •  COMPLETE set of security capabilities
     "As an AWS Premier Consulting Partner, our clients look to us for solutions that deliver the full benefits of the cloud without compromising security. Trend Micro and AWS allow us to achieve this, with a full set of security capabilities, and without the cost and complexity of other approaches." Mauricio Fernandes, President
  32. Dynamic Security across Environments
     •  Virtualization: security virtual appliance protecting VMs; agentless security, layered server security
     •  Private cloud: security virtual appliance protecting VMs; agentless security, layered server security, encryption for vCloud, compliance support (FIM, encryption, etc.)
     •  AWS Cloud: agent-based security, layered server security, encryption for leading cloud providers, compliance support (FIM, encryption, etc.)
     Confidential | Copyright 2012 Trend Micro Inc.
  33. Needed to enhance security of sensitive web servers and address shared responsibility on AWS
     RESULTS:
     •  INCREASED EFFICIENCY over previous traditional security controls
     •  Gave IT COMPREHENSIVE security controls in a single solution
     •  SEAMLESS integration with AWS for security
     "We highly value the comprehensive security functions that Deep Security has. We couldn't find any other solution that guaranteed operation on AWS while also fulfilling our requirements."
  34. Cloud and Data Center Security
     [Diagram: data center ops security spanning your own data center (physical), virtual and cloud, with the controls anti-malware, log inspection, encryption & SSL, application scanning, host firewall, intrusion prevention and integrity monitoring]
  35. Thousands of customers... millions of servers protected
     [Customer examples: large-scale web site secured with multiple controls; security for a complete data center move to cloud; addressed data protection & compliance; PCI compliance on AWS; data-center level security in the cloud; multiple controls securing a new LOB; using multiple controls to protect cloud; highly secure managed cloud]
  36. Trend Micro Cloud Security for AWS
     •  Deep Security: software or as a service
     •  SecureCloud: as a service
     •  Security for Web Apps: as a service
  37. 2 Models of Deep Security: Software or Service
     Deep Security Software:
     •  Datacenter security requirements
     •  Hybrid cloud environments
     •  Prefer to run Deep Security Manager themselves
     Deep Security as a Service:
     •  AWS-only security requirement
     •  Prefer a utility charging model
     •  Want the convenience of a SaaS
  38. Deep Security: Push to Trial
  39. Deep Security for Web Apps: Push to Trial
  40. #1 Corporate Server Security Market Share: 31%
     Source: IDC Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares, Figure 2, doc #242618, August 2013
  41. Why Trend Micro for AWS?
     •  Amazon Advanced Technology Partner
     •  Deep Security is Common Criteria EAL 4+
     •  #1 in Server Security (2012 IDC, Worldwide Endpoint Security Revenue Share by Vendor, 2011)
     •  #1 in Virtualization Security (2011 Technavio, Global Virtualization Security Management Solutions)
     •  #1 in Cloud Security (2012 Technavio, Global Security World Market)
     •  1st & only security that extends from enterprise datacenter to cloud
     •  Security optimized for AWS
  42. Thank you!
  43. AWS Publishes Lots of Information that Can Help You With Security
     Browse and read AWS security whitepapers and good practices:
     •  Risk and compliance, including the CSA questionnaire response
     •  Security best practices, audit guides and operational checklists to help you assess security before you go live
     Sign up for AWS support:
     •  Get help when you need it most, as you grow
     •  Choose different levels of support with no long-term commitment