Understanding AWS Security

The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that “Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?” That’s the level of granularity you can choose to implement if you wish. In this session, we’ll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture.
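The "only Tom, only from the corporate network, only with MFA, only during working hours" rule above is expressed in IAM as a policy whose Statement carries a Condition block. The block below is an added example, not code from the deck or from AWS: it holds a constructed policy for that rule (bucket name, object key, CIDR and dates are placeholders) and a deliberately simplified evaluator that shows how IAM combines conditions. The evaluator is not AWS's policy engine: it matches Action and Resource exactly (real IAM also supports wildcards) and supports only the four condition operators the policy uses.

```python
"""Simplified evaluator for an IAM-style policy with request conditions.

Added example (not AWS's policy engine and not code from this deck). It models
the documented behaviour of three global condition keys, aws:SourceIp,
aws:MultiFactorAuthPresent and aws:CurrentTime, and the way IAM combines
conditions: every key in a statement's Condition block must match (AND), and
a key listed with several values matches if any value does (OR). Action and
Resource are matched exactly here; real IAM also supports wildcards.
"""
import ipaddress
from datetime import datetime, timezone

OBJECT_ARN = "arn:aws:s3:::example-bucket/reports/q1.pdf"  # placeholder object

# Constructed policy. "Only Tom" comes from attaching it to Tom's IAM user and
# nobody else; the Condition block restricts where, how and when he may use it.
# IAM has no condition key for a recurring Monday-Friday 9-5 schedule, so the
# time bound here is an absolute window; a recurring schedule has to be enforced
# by whatever issues Tom's session (for example a federation endpoint).
TOM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": [OBJECT_ARN],
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},       # placeholder corporate CIDR
            "Bool": {"aws:MultiFactorAuthPresent": ["true"]},
            "DateGreaterThan": {"aws:CurrentTime": ["2014-06-02T09:00:00Z"]},
            "DateLessThan": {"aws:CurrentTime": ["2014-06-06T17:00:00Z"]},
        },
    }],
}


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _operator_matches(operator, wanted, actual):
    """`wanted` is the list of values in the policy, `actual` the request context value.
    A key that is absent from the request context never matches (this is why
    long-term access keys, which carry no MFA flag, fail an MFA condition)."""
    if actual is None:
        return False
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(cidr) for cidr in wanted)
    if operator == "Bool":
        return any(str(actual).lower() == w.lower() for w in wanted)
    if operator == "DateGreaterThan":
        return any(_parse_time(actual) > _parse_time(w) for w in wanted)
    if operator == "DateLessThan":
        return any(_parse_time(actual) < _parse_time(w) for w in wanted)
    raise ValueError(f"unsupported condition operator: {operator}")


def _conditions_match(conditions, context):
    # Every operator/key pair must hold for the statement to apply.
    for operator, keys in conditions.items():
        for key, wanted in keys.items():
            if not _operator_matches(operator, wanted, context.get(key)):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """True only if some statement explicitly allows the request and none
    explicitly denies it; with no matching statement the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in stmt["Action"] or resource not in stmt["Resource"]:
            continue
        if not _conditions_match(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts, keyed like the IAM request context.
OFFICE_MFA = {
    "aws:SourceIp": "203.0.113.42",
    "aws:MultiFactorAuthPresent": "true",
    "aws:CurrentTime": "2014-06-03T10:30:00Z",
}
HOME_MFA = {**OFFICE_MFA, "aws:SourceIp": "198.51.100.7"}
OFFICE_NO_MFA = {**OFFICE_MFA, "aws:MultiFactorAuthPresent": "false"}
OFFICE_WEEKEND = {**OFFICE_MFA, "aws:CurrentTime": "2014-06-07T10:30:00Z"}

if __name__ == "__main__":
    for label, ctx in [("office+MFA", OFFICE_MFA), ("home+MFA", HOME_MFA),
                       ("office, no MFA", OFFICE_NO_MFA), ("office, weekend", OFFICE_WEEKEND)]:
        print(f"{label:16s} -> {'ALLOW' if is_allowed(TOM_POLICY, 's3:GetObject', OBJECT_ARN, ctx) else 'DENY'}")
```

Only the first context is allowed; each of the others fails exactly one condition, which is the point of ANDing them. The evaluator also shows why an explicit Deny statement wins over an Allow, which is what to rely on when a second, broader policy is attached later.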

Published in: Technology, Business

  1. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. Understanding AWS Security. Bill Murray, Sr. Manager, AWS Security Programs
  2. Different customer viewpoints on security
     • PR exec: keep out of the news
     • CEO: protect shareholder value
     • CI{S}O: preserve the confidentiality, integrity and availability of data
  3. Security is Our No. 1 Priority. Comprehensive Security Capabilities to Support Virtually Any Workload
     • PEOPLE & PROCEDURES
     • NETWORK SECURITY
     • PHYSICAL SECURITY
     • PLATFORM SECURITY
  4. SECURITY IS SHARED
  5. WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
  6. WHAT WE DO FOR YOU / WHAT YOU DO YOURSELF
  7. EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES. CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS
  8. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers” – Tom Soderstrom, CTO, NASA JPL
  9. AWS SECURITY OFFERS MORE VISIBILITY, AUDITABILITY, CONTROL
  10. MORE VISIBILITY
  11. CAN YOU MAP YOUR NETWORK? WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
  12. TRUSTED ADVISOR
  13. MORE AUDITABILITY
  14. SECURITY CONTROL OBJECTIVES
      1. SECURITY ORGANIZATION
      2. AMAZON USER ACCESS
      3. LOGICAL SECURITY
      4. SECURE DATA HANDLING
      5. PHYSICAL SECURITY AND ENV. SAFEGUARDS
      6. CHANGE MANAGEMENT
      7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY
      8. INCIDENT HANDLING
  15. AWS CLOUDTRAIL
  16. You are making API calls... on a growing set of services around the world… CloudTrail is continuously recording API calls… and delivering log files to you
  17. • Security Analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
      • Track Changes to AWS Resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
      • Troubleshoot Operational Issues: quickly identify the most recent changes made to resources in your environment.
      • Compliance Aid: easier to demonstrate compliance with internal policies and regulatory standards.
  18. ‣ CloudTrail records API calls and delivers a log file to your S3 bucket.
      ‣ Typically delivers an event within 15 minutes of the API call.
      ‣ Log files are delivered approximately every 5 minutes.
      ‣ Multiple partners offer integrated solutions to analyze log files.
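Slides 17 and 18 describe the input (a log file per delivery, one record per API call) and the uses (security analysis, tracking resource changes). The block below is an added example, not code from the deck or from AWS, of the analysis step run over one such file. The file layout (gzip-compressed JSON with a top-level "Records" array) and the field names are the documented CloudTrail ones; the records, the account id (AWS's documentation placeholder 123456789012), the IP addresses and the watch list of change events are constructed for the example.

```python
"""Scan one CloudTrail log file for resource changes and risky activity.

Added example, not from the deck or from AWS. The file format (gzip-compressed
JSON with a "Records" array) and the field names are CloudTrail's documented
ones; all records below are constructed sample data.
"""
import gzip
import json
from collections import Counter

# Constructed watch list covering the resource types slide 17 names
# (EC2 instances, VPC security groups, EBS volumes). Extend as needed.
CHANGE_EVENTS = {
    "RunInstances", "TerminateInstances", "StopInstances",
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateVolume", "DeleteVolume", "AttachVolume", "DetachVolume",
}


def _record(identity, source, event_name, when, **extra):
    """Build a constructed record carrying the subset of CloudTrail fields used here."""
    rec = {
        "eventVersion": "1.0",
        "userIdentity": identity,
        "eventTime": when,
        "eventSource": source,
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",  # constructed
    }
    rec.update(extra)
    return rec


# Constructed identities; 123456789012 is the AWS documentation placeholder account.
ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}
BOB = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}
OPS_ROLE = {"type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/ops/alice",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}

SAMPLE_RECORDS = [
    _record(ALICE, "signin.amazonaws.com", "ConsoleLogin", "2014-06-03T08:55:01Z",
            additionalEventData={"MFAUsed": "Yes"}),
    _record(BOB, "signin.amazonaws.com", "ConsoleLogin", "2014-06-03T09:02:17Z",
            additionalEventData={"MFAUsed": "No"}),
    _record(OPS_ROLE, "ec2.amazonaws.com", "TerminateInstances", "2014-06-03T09:10:44Z",
            requestParameters={"instancesSet": {"items": [{"instanceId": "i-0000example"}]}}),
    _record(ALICE, "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "2014-06-03T09:12:03Z"),
    _record(ALICE, "ec2.amazonaws.com", "DescribeInstances", "2014-06-03T09:12:30Z"),
    _record(ROOT, "iam.amazonaws.com", "CreateUser", "2014-06-03T11:40:00Z"),
    _record(BOB, "ec2.amazonaws.com", "DeleteVolume", "2014-06-03T12:05:55Z",
            errorCode="AccessDenied"),
]
# What a delivered log file looks like on disk: gzip-compressed JSON document.
SAMPLE_LOG_FILE = gzip.compress(json.dumps({"Records": SAMPLE_RECORDS}).encode())


def load_records(blob):
    """Decompress one delivered log file and return its list of records."""
    return json.loads(gzip.decompress(blob))["Records"]


def mfa_used(record):
    """True/False when the record says whether MFA was used, None when it carries no such field
    (plain access-key calls by an IAM user have no sessionContext)."""
    if record["eventName"] == "ConsoleLogin":
        return record.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    if "mfaAuthenticated" in attrs:
        return attrs["mfaAuthenticated"] == "true"
    return None


def _who(record):
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn", "unknown")


def analyze(records):
    """Return (category, eventName, principal, eventTime) findings worth a reviewer's eye."""
    findings = []
    for r in records:
        who, stamp = _who(r), r["eventTime"]
        if r["userIdentity"].get("type") == "Root":
            findings.append(("root-activity", r["eventName"], who, stamp))
        if r.get("errorCode"):
            # A failed call changed nothing, but repeated AccessDenied is itself a signal.
            findings.append(("error:" + r["errorCode"], r["eventName"], who, stamp))
            continue
        if r["eventName"] == "ConsoleLogin" and mfa_used(r) is False:
            findings.append(("console-login-without-mfa", r["eventName"], who, stamp))
        if r["eventName"] in CHANGE_EVENTS:
            findings.append(("resource-change", r["eventName"], who, stamp))
    return findings


def calls_per_principal(records):
    """Baseline of activity per principal, the raw material for behaviour-pattern detection."""
    return dict(Counter(_who(r) for r in records))


if __name__ == "__main__":
    for finding in analyze(load_records(SAMPLE_LOG_FILE)):
        print(" | ".join(finding))
```

On the constructed file this yields five findings: one console login without MFA, two resource changes (one by an assumed role, one by an IAM user), one root action and one denied delete. In practice the same loop runs over every object CloudTrail delivers to the bucket, and the per-principal counts are what a baseline for "unusual" activity is built from.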
  19. LOGS OBTAINED, RETAINED, ANALYZED
  20. PROTECT YOUR LOGS WITH IAM. ARCHIVE YOUR LOGS
  21. MORE CONTROL
  22. Defense in Depth: multi-level security
      • Physical security of the data centers
      • Network security
      • System security
      • Data security
  23. AWS Security Delivers More Control & Granularity. Customize the implementation based on your business needs
      • Defense in depth
      • Rapid scale for security
      • Automated checks with AWS Trusted Advisor
      • Fine grained access controls (AWS IAM)
      • Server side encryption
      • Multi-factor authentication
      • Dedicated instances (Amazon VPC)
      • Direct connection, Storage Gateway (AWS Direct Connect, AWS Storage Gateway)
      • HSM-based key storage (AWS CloudHSM)
  24. LEAST PRIVILEGE PRINCIPLE AT AWS
  25. LEAST PRIVILEGE PRINCIPLE: CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK
  26. LEAST PRIVILEGE PRINCIPLE: SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA
  27. LEAST PRIVILEGE PRINCIPLE: MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATACENTER LOCATIONS
  28. LEAST PRIVILEGE PRINCIPLE: MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATACENTERS
  29. SIMPLE SECURITY CONTROLS ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE
  30. MORE CONTROL ON IDENTITY & ACCESS
  31. USE AWS IAM (IDENTITY & ACCESS MANAGEMENT)
  32. CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT
  33. AWS IAM: Recent Innovations. Securely control access to AWS services and resources
      • Delegation
        – Roles for Amazon EC2
        – Cross-account access
      • Powerful integrated permissions
        – Resource level permissions: Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation
        – Access control policy variables
        – Policy Simulator
        – Enhanced IAM support: Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk
      • Federation
        – Web Identity Federation
        – AD and Shibboleth examples
        – Partner integrations
        – Case study: Expedia
      • Strong authentication
        – MFA-protected API access
        – Password policies
      • Enhanced documentation and videos
  34. ACCESS TO SERVICE APIs
  35. Amazon DynamoDB Fine Grained Access Control
      • Directly and securely access application data in Amazon DynamoDB
      • Specify access permissions at table, item and attribute levels
      • With Web Identity Federation, completely remove the need for proxy servers to perform authorization
  36. MORE CONTROL OF YOUR DATA
  37. MFA DELETE PROTECTION
  38. YOUR DATA STAYS WHERE YOU PUT IT
  39. USE MULTIPLE AZs: AMAZON S3, AMAZON DYNAMODB, AMAZON RDS MULTI-AZ, AMAZON EBS SNAPSHOTS
  40. DATA ENCRYPTION. CHOOSE WHAT’S RIGHT FOR YOU:
      • Automated – AWS manages encryption
      • Enabled – user manages encryption using AWS
      • Client-side – user manages encryption using their own means
  41. AWS CloudHSM
      • Managed and monitored by AWS, but you control the keys
      • Increase performance for applications that use HSMs for key storage or encryption
      • Comply with stringent regulatory and contractual requirements for key protection
      (Diagram: EC2 instance connected to AWS CloudHSM)
  42. ENCRYPT YOUR DATA: AWS CLOUDHSM, AMAZON S3 SSE, AMAZON GLACIER, AMAZON REDSHIFT, AMAZON RDS, …
  43. MORE AUDITABILITY, MORE VISIBILITY, MORE CONTROL
  44. IDC Survey: Attitudes and Perceptions Around Security and Cloud Services. Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization. Source: IDC 2013 U.S. Cloud Security Survey, Doc #242836, September 2013
  45. AWS.AMAZON.COM/SECURITY
  46. AWS SECURITY WHITEPAPERS: RISK & COMPLIANCE, AUDITING SECURITY CHECKLIST, SECURITY PROCESSES, SECURITY BEST PRACTICES
  47. AWS MARKETPLACE SECURITY SOLUTIONS
  48. AWS Security. Bill Murray, Sr. Manager, AWS Security Programs. Thank You!