Your SlideShare is downloading. ×
AWS Cloud Security
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

AWS Cloud Security

1,090
views

Published on

Segurança na Nuvem da AWS

Segurança na Nuvem da AWS

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,090
On Slideshare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
93
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Max Ramsay AWS Cloud Security Principal Security SolutionsArchitect
  • 2. Vários Tutoriais , treinamentos e mentoria em português Inscreva-se agora !! http://awshub.com.br
  • 3. What we will be covering today • AWS Security Overview • Focus on Serasa Experian • Focus on Trend Micro
  • 4. AWS Security Overview
  • 5. Cloud Security is
  • 6. Every Customer Has Access to the Same Security Capabilities • And gets to choose what’s right for their business needs – Governments – Financial Sector – Pharmaceuticals – Entertainment – Start-ups – Social Media – Home Users – Retail
  • 7. Focus on Serasa Experian Rodrigo Zenun IT Specialist
  • 8. “No nosso Laboratório de Inovação na AWS, conseguimos testar novas tecnologias e lançar novos produtos em tempo recorde”. • A Serasa Experian, parte do grupo Experian, é o maior bureau de crédito do mundo fora dos Estados Unidos, detendo o mais extenso banco de dados da América Latina sobre consumidores, empresas e grupos econômicos. • Há 45 anos no mercado brasileiro, a Serasa Experian participa da maioria das decisões de crédito e negócios tomadas no País, respondendo, on-line e em tempo real, a 6 milhões de consultas por dia, demandadas por 500 mil clientes diretos e indiretos. “A AWS nos possibilita estudar novas tecnologias e inovar em uma velocidade antes inimaginável para uma grande empresa do setor financeiro” - Rodrigo Zenun
  • 9. O Desafio • Criar uma extensão de nossos data centers com, no mínimo, os mesmos padrões de segurança que possibilitasse o estudo de tecnologias emergentes. • Combinar flexibilidade, agilidade e segurança da informação. • Usufruir da elasticidade oferecida pela AWS para front-end de aplicações e produtos.
  • 10. Sobre a o Papel da AWS e Benefícios alcançados • Realização de provas de conceito e protótipos com muita facilidade e agilidade; • Viabilidade de lançamento de novos produtos; • Distribuição de conteúdo público; • Redução de despesas e elasticidade;
  • 11. AWS Security Overview Continued
  • 12. Visible Cloud Security This Or This?
  • 13. Auditable Cloud Security
  • 14. Transparent Cloud Security
  • 15. Security & Compliance Control Objectives • Control Objective 1: Security Organization • Control Objective 2: Amazon User Access • Control Objective 3: Logical Security • Control Objective 4: Secure Data Handling • Control Objective 5: Physical Security and Environmental Safeguards • Control Objective 6: Change Management • Control Objective 7: Data Integrity, Availability and Redundancy • Control Objective 8: Incident Handling
  • 16. Security & Compliance Control Objectives (cont’d) • Control Objective 1: Security Organization – Who we are – Proper control & access within the organization • Control Objective 2: Amazon User Access – How we vet our staff – Minimization of access
  • 17. Security & Compliance Control Objectives (cont’d) • Control Objective 3: Logical Security – Our staff start with no system access – Need-based access grants – Rigorous system separation – System access grants regularly evaluated & automatically revoked
  • 18. Security & Compliance Control Objectives (cont’d) • Control Objective 4: Secure Data Handling – Storage media destroyed before being permitted outside our datacenters – Media destruction consistent with US Dept. of Defense Directive 5220.22 • Control Objective 5: Physical Security and Environmental Safeguards – Keeping our facilities safe – Maintaining the physical operating parameters of our datacenters
  • 19. Security & Compliance Control Objectives (cont’d) • Control Objective 6: Change Management – Continuous operation • Control Objective 7: Data Integrity, Availability and Redundancy – Ensuring your data remains safe, intact, & available • Control Objective 8: Incident Handling – Process & procedures for mitigating and managing potential issues
  • 20. Shared Responsibility AWS • Facilities • Physical Security • Physical Infrastructure • Network Infrastructure • Virtualization Infrastructure Customer • Choice of Guest OS • Application Configuration Options • Account Management Flexibility • Security Groups • Network ACLs • Network Configuration Control
  • 21. You Decide Where Applications and Data Reside
  • 22. Network Security
  • 23. Amazon EC2 Security • Host operating system (AWS controlled) – Individual SSH keyed logins via bastion host for AWS admins – All accesses logged and audited • Guest operating system (Customer controlled) – AWS admins cannot log in – Customer-generated keypairs • Stateful firewall – Mandatory inbound firewall, default deny mode – Customer controls configuration via Security Groups • Signed API calls – Require X.509 certificate or customer’s secret AWS key
  • 24. Physical interfaces Customer 1 Hypervisor Customer 2 Customer n … … Virtual interfaces Firewall Customer 1 Security groups Customer 2 Security groups Customer n Security groups
  • 25. Tiering Security Groups
  • 26. Tiering Security Groups (Cont’d) • Dynamically created rules based on Security Group membership • Effectively create tiered network architectures “Web” Security Group: TCP 80 0.0.0.0/0 TCP 22 “Mgmt” “App” Security Group: TCP 8080 “Web” TCP 22 “Mgmt” “DB” Security Group: TCP 3306 “App” TCP 22 “Mgmt” “Mgmt” Security Group: TCP 22 163.128.25.32/32 Firewall Web Server App Server Firewall Firewall DB Server Web (HTTP) 8080 3306 22 22 Bastion Host Firewall 22
  • 27. Amazon VPC Architecture Customer’s network Amazon Web Services cloud Secure VPN Subnets Router VPN gateway Internet NAT AWS DirectConnect – Dedicated Path/Bandwidth Customer’s isolated AWS resources
  • 28. Amazon VPC Network Security Controls
  • 29. VPC - Dedicated Instances • Option to ensure physical hosts are not shared with other customers • $2/hr flat fee per region + small hourly charge • Can identify specific Instances as dedicated • Optionally configure entire VPC as dedicated
  • 30. AWS Deployment Models Logical Server and Application Isolation Granular Information Access Policy Logical Network Isolation Physical server Isolation Government Only Physical Network and Facility Isolation ITAR Compliant (US Persons Only) Sample Workloads CommercialCloud   Public-facing apps, web sites, dev, test, etc. Virtual Private Cloud (VPC)     Datacenter extension, TIC environment, email, FISMA low and Moderate AWS GovCloud (US)       US Persons Compliantand Government Specific Apps
  • 31. Premium Support Trusted Advisor • Security Checks – Security Group Rules (Hosts & Ports) – IAM Use – S3 Policies • Fault Tolerance Checks – Snapshots – Multi-AZ – VPN Tunnel Redundancy
  • 32. Focus on Trend Micro JD Sherry Vice President, Technology and Solutions
  • 33. Security in 2013 The Cloud Changes Nothing… and Everything! July 2013 JD Sherry Vice President, Technology & Solutions
  • 34. Discussion Outcomes 8/2/2013 Copyright 2013 Trend Micro Inc. 36 • Enterprises and the Cloud • Best Practices for Compliance & Security in the Cloud • Solutions and Case Studies
  • 35. Enterprises and the Cloud … 8/2/2013 Copyright 2013 Trend Micro Inc. 37 • Security & compliance top priorities for enterprises, underscoring concerns that are impeding cloud adoption • Are cloud security needs that different than on-premise? – Cloud introduces the concept of shared responsibility for securing their services and applications running in the cloud • Security is not the only inhibitor … – Many organizations are reluctant to change status quo • Fear of the unknown • Cloud concepts & terminology intimidating • IT job loss concerns • Dramatic change from a process & operations perspective … • Not sure how/where to get started …
  • 36. Customer Security Concerns 8/2/2013 Copyright 2013 Trend Micro Inc. 38 • Data sovereignty – Concerns over stewardship of data • Who has access to the data? customer, provider, government? • Data privacy concerns > other tenants, attacks against my data … • Will my data leave the country? – If I terminate a cloud server, do copies of my data still exist in the cloud? – US Patriot Act • Could USA law enforcement gain access to my systems and data?
  • 37. Customer Security Concerns 8/2/2013 Copyright 2013 Trend Micro Inc. 39 • Multi-tenancy – Risk of configuration errors leading to data exposure – How can I protect my cloud servers from attack? – Will I even know my cloud servers are being attacked? • Compliance – How can I use the cloud and still meet internal and external compliance requirements? – Who is responsible for cloud security?
  • 38. Consumers of Cloud Services Responsibilities 8/2/2013 Copyright 2013 Trend Micro Inc. 40 • Consumers of cloud services are responsible for – Security of the instance (OS & Applications) – Ensuring SLA’s are maintained – Ultimately it boils down to protecting your instances from compromise and the integrity of the applications running in the cloud … • How do you protect AWS instances? – Traditional network appliances are not feasible • Limited control over the network … – Agent-based host security controls are required
  • 39. Cloud Security is a Shared Responsibility 8/2/2013 Copyright 2013 Trend Micro Inc. 41 • What type of host security controls are required? The Need Preferred Security Control Data confidentiality Encryption Block malicious software Anti-Malware Detect & track vulnerabilities Vulnerability scanning services Control server communications Host-firewalls Detect suspicious activity Intrusion Prevention Detect unauthorized changes File Integrity Monitoring Block OS & App vulnerabilities Patch & shield vulnerabilities Data monitoring & compliance DLP • Security principles don’t change • Implementation & Management change drastically
  • 40. 8/2/2013 42 The Cloud Changes Nothing…and Everything! Practical Guidance for Compliance & Security in the Cloud
  • 41. Practical Considerations 8/2/2013 Copyright 2013 Trend Micro Inc. 43 Cloud Elasticity • Automated protection of new instances critical to success • Equally important that terminated instances are not left ‘orphaned’ • Security must become part of the cloud fabric, including working within the provisioning process, with support for leading tools critical OpsWorks
  • 42. Copyright 2013 Trend Micro Inc. Transformation Physical Virtual Cloud Cloud and Data Center Security Anti-Malware Integrity Monitoring Encryption Log Inspection Firewall Intrusion Prevention Data Center Ops Security Deep Security SecureCloud
  • 43. Case Study 8/2/2013 Copyright 2013 Trend Micro Inc. 45 Global Financial/Insurance Company Rapid business expansion Address high cost & complexity with cloud First Mover in their industry Opportunities Challenges Compliance & data privacy Cloud provider role definition Data destruction Solution Shared responsibility model SecureCloud Dynamic encryption via automated policy Data persistently encryption (destruction) Sensitive data protected via key access
  • 44. Case Study 8/2/2013 Copyright 2013 Trend Micro Inc. 46 Large Manufacturing Company Data center consolidation Address high cost with cloud (utility pricing) Infrastructure elasticity Opportunities Challenges Management & platform support Security in the cloud Managing multiple point solutions Solution Dynamic infrastructure with utility billing Deep Security Comprehensive cloud security Automated management & integration with Chef Broad environment support
  • 45. Case Study 8/2/2013 Copyright 2013 Trend Micro Inc. 47 Global Transportation Company Efficiency Drive down cost with cloud Infrastructure elasticity & reliability Opportunities Challenges Management across systems Support for multiple clouds Corporate governance Solution Rapid deployment Deep Security Comprehensive cloud security SecureCloud Encryption of sensitive data Broad environment support
  • 46. Thank You! JD Sherry Vice President, Technology & Solutions Booth 101
  • 47. AWS Security Overview Continued
  • 48. AWS Security, Compliance, & Architecture Resources http://aws.amazon.com/security/ • Security whitepaper • Security best practices • Security bulletins • Customer security testing process http://aws.amazon.com/compliance/ • Risk and compliance whitepaper http://aws.amazon.com/architecture/ • Reference Architectures • Whitepapers • Webinars http://blogs.aws.amazon.com/security/ • Stay up to date on security and compliance in AWS Feedback is always welcome!
  • 49. Thank You!!! awsmax@amazon.com

×