T4 – Understanding AWS Security
AWS Summit 2014
Carlos Conde, Head of EMEA Evangelism (@caarlco)
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides, such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, the tools and services AWS makes available to customers to secure and manage their resources, and best practices on how to use them.

This session is recommended for anyone with questions about how AWS can meet the compliance requirements of their applications.
Transcript of "T4 – Understanding aws security"

1. AWS Summit 2014. Understanding AWS Security. Carlos Conde, Head of EMEA Evangelism, @caarlco
2. Different customer viewpoints on security. PR exec: keep out of the news. CEO: protect shareholder value. CI{S}O: preserve the confidentiality, integrity and availability of data.
3. Security is Our No.1 Priority. Comprehensive Security Capabilities to Support Virtually Any Workload: PEOPLE & PROCEDURES, NETWORK SECURITY, PHYSICAL SECURITY, PLATFORM SECURITY
4. SECURITY IS SHARED
5. WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
6. WHAT WE DO / WHAT YOU HAVE TO DO
7. SOC CONTROL OBJECTIVES: 1. SECURITY ORGANIZATION 2. AMAZON USER ACCESS 3. LOGICAL SECURITY 4. SECURE DATA HANDLING 5. PHYSICAL SECURITY AND ENV. SAFEGUARDS 6. CHANGE MANAGEMENT 7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY 8. INCIDENT HANDLING
8. YOUR DATA IS YOUR MOST IMPORTANT ASSET. IF YOUR DATA IS NOT SECURE, YOU’RE NOT SECURE
9. NETWORK SECURITY
10. “GAME DAYS”: INSERT ARTIFICIAL SECURITY INCIDENTS. MEASURE SPEED OF DETECTION AND EXECUTION.
11. EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES. CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS
12. AWS SECURITY OFFERS MORE: VISIBILITY, AUDITABILITY, CONTROL
13. MORE VISIBILITY
14. CAN YOU MAP YOUR NETWORK? WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
15. TRUSTED ADVISOR
16. MORE AUDITABILITY
17. AWS CLOUDTRAIL
18. You are making API calls... on a growing set of services around the world… CloudTrail is continuously recording API calls… and delivering log files to you.
19. Security Analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns. Track Changes to AWS Resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes. Troubleshoot Operational Issues: quickly identify the most recent changes made to resources in your environment. Compliance Aid: easier to demonstrate compliance with internal policies and regulatory standards.
20. LOGS: OBTAINED, RETAINED, ANALYZED
21. PROTECT YOUR LOGS WITH IAM. ARCHIVE YOUR LOGS
22. VULNERABILITY & PENETRATION TESTING
23. VULNERABILITY & PENETRATION TESTING
24. MORE CONTROL
25. LEAST PRIVILEGE PRINCIPLE: CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO A SPECIFIC JOB
26. AWS STAFF ACCESS ‣ Staff vetting ‣ Staff has no logical access to customer instances ‣ Staff control-plane access limited & monitored (bastion hosts, least privileged model, zoned data center access) ‣ Business needs ‣ Separate PAMS
27. USE SEPARATE SETS OF CREDENTIALS
28. USE AWS IAM: IDENTITY & ACCESS MANAGEMENT
29. CONTROL WHO CAN DO WHAT IN YOUR AWS ACCOUNT
30. ACCESS TO SERVICE APIs
31. Amazon DynamoDB Fine Grained Access Control: directly and securely access application data in Amazon DynamoDB. Specify access permissions at table, item and attribute levels. With Web Identity Federation, completely remove the need for proxy servers to perform authorization.
32. DEPLOYMENT PROCESS HAS TO BE CONSTRAINED
33. DEV & TEST ENVIRONMENT: AWS ACCOUNT A. PRODUCTION ENVIRONMENT: AWS ACCOUNT B
34. “If you need to SSH into your instance, your deployment process is broken.”
35. VERSIONED AWS CLOUDFORMATION SCRIPTS + AWS OPSWORKS
36. MORE CONTROL ON YOUR DATA
37. MFA PROTECTION
38. YOUR DATA STAYS WHERE YOU PUT IT
39. USE MULTIPLE AZs: AMAZON S3, AMAZON DYNAMODB, AMAZON RDS MULTI-AZ, AMAZON EBS SNAPSHOTS
40. DATA ENCRYPTION. CHOOSE WHAT’S RIGHT FOR YOU: Automated – AWS manages encryption. Enabled – user manages encryption using AWS. Client-side – user manages encryption using their own means.
41. ENCRYPT YOUR DATA: AWS CLOUDHSM, AMAZON S3 SSE, AMAZON GLACIER, AMAZON REDSHIFT, AMAZON RDS, …
42. MORE AUDITABILITY. MORE VISIBILITY. MORE CONTROL
43. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.” Tom Soderstrom – CTO – NASA JPL
44. AWS.AMAZON.COM/SECURITY
45. AWS SECURITY WHITEPAPERS: RISK & COMPLIANCE, AUDITING SECURITY CHECKLIST, SECURITY PROCESSES, SECURITY BEST PRACTICES
46. Thank You! AWS EXPERT? GET CERTIFIED! aws.amazon.com/certification. Carlos Conde, Head of EMEA Evangelism, @caarlco
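An added example, not code from the deck, of what slides 19 to 21 ("logs obtained, retained, analyzed"; "protect your logs") and slide 37 (MFA protection) come down to in practice: a small Python triage of one CloudTrail log file that lists resource changes, calls that tamper with the trail itself, root usage, security-group rules opened to the world, and console logins recorded without MFA. The sample log is constructed to follow the CloudTrail record layout (a top-level `Records` array with `userIdentity`, `eventName`, `requestParameters`, `additionalEventData.MFAUsed`); the account id, IP addresses, security-group id and trail name are placeholders, and the `MUTATING` set is one practitioner's starting list rather than anything AWS defines.

```python
"""Triage a CloudTrail log file the way slides 19-21 and 37 suggest: pick out
resource changes, logging tampering, root usage and console logins made
without MFA.  Added example, not code from the deck.  The log below is
constructed to follow the CloudTrail record layout; account id, IPs and
names are placeholders."""
import json
from collections import Counter

# Constructed sample log file.  A real delivery is a gzipped JSON file with
# the same top-level "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-05-01T09:12:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-05-01T09:15:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2014-05-01T10:02:17Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2014-05-01T10:05:58Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "DeleteTrail", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"name": "main-trail"}},
]})

# Events that create, modify or delete resources (a starting list; extend it).
MUTATING = {"RunInstances", "TerminateInstances", "CreateVolume", "DeleteVolume",
            "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
            "CreateSecurityGroup", "DeleteSecurityGroup", "StopLogging", "DeleteTrail"}
# Calls that weaken or remove the audit trail itself.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def load_records(text):
    return json.loads(text)["Records"]


def actor(rec):
    """Human-readable principal: IAM user name, else the identity type (e.g. Root)."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def resource_changes(records):
    """Create/modify/delete events, oldest first (slide 19: track changes)."""
    return sorted((r for r in records if r["eventName"] in MUTATING),
                  key=lambda r: r["eventTime"])


def console_logins_without_mfa(records):
    """Console sign-ins where CloudTrail did not record MFA being used (slide 37)."""
    return [r for r in records if r["eventName"] == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def root_activity(records):
    return [r for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def open_world_ingress(records):
    """Security-group rules that open a port range to 0.0.0.0/0."""
    found = []
    for r in records:
        if r["eventName"] != "AuthorizeSecurityGroupIngress":
            continue
        params = r.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    found.append((params.get("groupId"), perm.get("fromPort"), perm.get("toPort")))
    return found


def logging_tampering(records):
    """Calls that stop or remove the trail (slide 21: protect your logs with IAM)."""
    return [r for r in records if r["eventName"] in LOGGING_TAMPER]


def summarize(text):
    recs = load_records(text)
    return {
        "events": len(recs),
        "by_actor": dict(Counter(actor(r) for r in recs)),
        "changes": [(r["eventTime"], actor(r), r["eventName"]) for r in resource_changes(recs)],
        "logins_without_mfa": [actor(r) for r in console_logins_without_mfa(recs)],
        "root_events": len(root_activity(recs)),
        "open_world_ingress": open_world_ingress(recs),
        "logging_tampering": [(actor(r), r["eventName"]) for r in logging_tampering(recs)],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Each finding maps to a control the deck names: `logging_tampering` is why slide 21 says to protect the logs with IAM and to archive them to a bucket the same principals cannot empty, and `console_logins_without_mfa` is the check behind slide 37.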
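An added example, not from the deck, for slides 25 (least privilege) and 31 (DynamoDB fine-grained access control): the policy shape that lets a federated user read and write only the items keyed by their own identity, and only the attributes named, using the documented `dynamodb:LeadingKeys`, `dynamodb:Attributes` and `dynamodb:Select` condition keys with `ForAllValues:StringEquals`. The `is_allowed` function is a deliberately simplified local model of how those conditions are evaluated, written to show the semantics; it is not the IAM engine. The table ARN, account id, attribute names and `amzn1.account...` user ids are placeholders.

```python
"""DynamoDB fine-grained access control (slide 31) applied as least privilege
(slide 25): a policy scoped to the caller's own items and a local simulation
of the condition semantics.  Added example, not code from the deck; the
ARN, account id and user ids are placeholders and the evaluator is a
simplified model, not IAM itself."""
import json

TABLE_ARN = "arn:aws:dynamodb:eu-west-1:111122223333:table/GameScores"  # placeholder
READ_ACTIONS = {"dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query"}
WRITE_ACTIONS = {"dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"}
# Policy variable that web identity federation fills in with the Login with
# Amazon user id; other providers expose their own variable.
IDENTITY_VAR = "${www.amazon.com:user_id}"


def fine_grained_policy(table_arn, allowed_attrs):
    """Allow CRUD on one table, but only for items whose partition key is the
    caller's own identity and only for the listed attributes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(READ_ACTIONS | WRITE_ACTIONS),
            "Resource": [table_arn],
            "Condition": {
                # ForAllValues: every key value and every attribute in the
                # request must be inside these sets.
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [IDENTITY_VAR],
                    "dynamodb:Attributes": list(allowed_attrs),
                },
                # Reads must name their attributes; without this a GetItem with
                # no projection would return every attribute of the item.
                "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"},
            },
        }],
    }


def request_context(request):
    """Condition keys derived from a request (simplified model of IAM's context)."""
    ctx = {
        "dynamodb:LeadingKeys": set(request["leading_keys"]),
        "dynamodb:Attributes": set(request.get("attributes", [])),
    }
    if request["action"] in READ_ACTIONS:
        # A read that names attributes is SPECIFIC_ATTRIBUTES, otherwise it
        # asks for everything; writes carry no Select key at all.
        ctx["dynamodb:Select"] = ("SPECIFIC_ATTRIBUTES" if request.get("attributes")
                                  else "ALL_ATTRIBUTES")
    return ctx


def is_allowed(policy, request, caller_user_id):
    """True if some Allow statement matches; anything else is an implicit deny."""
    for st in policy["Statement"]:
        if (st["Effect"] != "Allow" or request["action"] not in st["Action"]
                or request["resource"] not in st["Resource"]):
            continue
        ctx = request_context(request)
        ok = True
        for key, allowed in st["Condition"].get("ForAllValues:StringEquals", {}).items():
            allowed = {v.replace(IDENTITY_VAR, caller_user_id) for v in allowed}
            if not ctx.get(key, set()) <= allowed:  # ForAllValues is a subset test
                ok = False
        for key, want in st["Condition"].get("StringEqualsIfExists", {}).items():
            if key in ctx and ctx[key] != want:  # IfExists: absent key passes
                ok = False
        if ok:
            return True
    return False


POLICY = fine_grained_policy(TABLE_ARN, ["UserId", "GameTitle", "TopScore"])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    me = "amzn1.account.AAA"  # placeholder federated user id
    own = {"action": "dynamodb:Query", "resource": TABLE_ARN,
           "leading_keys": [me], "attributes": ["GameTitle", "TopScore"]}
    print("own items:", is_allowed(POLICY, own, me))
    print("someone else's:", is_allowed(POLICY, dict(own, leading_keys=["amzn1.account.BBB"]), me))
```

The point of the simulation is the two ways a request fails even though the action and table match: touching a partition key that is not the caller's identity, or asking for attributes (explicitly, or implicitly by reading the whole item) outside the allowed set. `Scan` is absent from the action list on purpose, since it cannot be scoped to one partition key.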