
The AWS Shared Security Responsibility Model in Practice

Patrick Shumate, Solutions Architect, Amazon Web Services, reviews the shared security responsibility model for the AWS cloud.


  1. The AWS Shared Security Responsibility Model in Practice. Patrick Shumate, Solutions Architect, Amazon Web Services. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. AWS Global Footprint
  3. AWS Global Footprint: US West (N. California), US West (Oregon), GovCloud, US East (Virginia), EU West (Ireland), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), São Paulo, EU Central (Frankfurt), Asia Pacific (Seoul), Asia Pacific (Mumbai)
  4. AWS Global Footprint: US West (N. California), US West (Oregon), GovCloud, US East (Virginia), EU West (Ireland), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), São Paulo, EU Central (Frankfurt), China (Beijing), Asia Pacific (Seoul)
     Region: an independent collection of AWS resources in a defined geography. A solid foundation for meeting location-dependent privacy and compliance requirements.
  5. AWS Global Footprint: US West (N. California), US West (Oregon), GovCloud, US East (Virginia), EU West (Ireland), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), São Paulo, EU Central (Frankfurt), Asia Pacific (Seoul), Asia Pacific (Mumbai)
  6. AWS Global Footprint: US West (N. California), US West (Oregon), GovCloud, US East (Virginia), EU West (Ireland), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), São Paulo, EU Central (Frankfurt), Asia Pacific (Seoul)
     Availability Zone: designed as independent failure zones, physically separated within a typical metropolitan region.
  7. AWS Global Footprint
  8. AWS Global Footprint
     Edge Location: collections of servers in geographically dispersed data centers that deliver content to end users with lower latency.
  9. AWS Global Footprint
  10. AWS Global Footprint: 13 (11) Regions, 35 (28) Availability Zones, 54 Edge locations, over 1 million active customers. Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise. https://aws.amazon.com/about-aws/global-infrastructure/
  11. Data Locality
     • Customer chooses where to place data
     • AWS regions are geographically isolated by design
     • Data is not replicated to other AWS regions and doesn't move unless you choose to move it
  12. Data Locality in practice
     • Block level storage: Instance Storage (Elastic Cloud Compute - EC2), Elastic Block Storage (EBS)
     • Object level storage: Simple Storage Service (S3)
     • Database storage: Relational Database Service (RDS), NoSQL (DynamoDB), Columnar (Redshift), Caching (Elasticache)
  13. Shared Responsibility: Who manages which parts?
  14. AWS Shared Responsibility Model
     • AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
     • Customers are responsible for their security and compliance IN the Cloud: Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
  15. AWS Shared Responsibility Model – Deep Dive. Will one model work for all services? Infrastructure Services, Container Services, Abstract Services
  16. AWS Shared Responsibility Model: for Infrastructure Services
     • Managed by AWS: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); API Endpoints (reached through API Calls)
     • Managed by Customers: Customer content (optional: opaque data, 1's and 0's, in transit/at rest); Platform & Applications Management; Operating System, Network & Firewall Configuration; Client-Side Data Encryption & Data Integrity Authentication; Server-Side Encryption (File System and/or Data); Network Traffic Protection (Encryption / Integrity / Identity); AWS IAM and Customer IAM; Management Protocols
  17. Infrastructure Service Example – EC2. RESPONSIBILITIES
     • AWS: Foundation Services (Networking, Compute, Storage); AWS Global Infrastructure; AWS API Endpoints
     • Customers: Customer Data; Customer Application; Operating System; Network & Firewall; Customer IAM (Corporate Directory Service); High Availability, Scaling; Instance Management; Data Protection (Transit, Rest, Backup); AWS IAM (Users, Groups, Roles, Policies)
  18. AWS Shared Responsibility Model: for Container Services
     • Managed by AWS: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); API Endpoints (reached through API Calls); Operating System, Network Configuration; Platform & Applications Management
     • Managed by Customers: Customer content (optional: opaque data, 1's and 0's, in transit/at rest); Firewall Configuration; Client-Side Data Encryption & Data Integrity Authentication; Network Traffic Protection (Encryption / Integrity / Identity); AWS IAM and Customer IAM; Management Protocols
  19. Infrastructure Service Example – RDS. RESPONSIBILITIES
     • AWS: Foundational Services (Networking, Compute, Storage); AWS Global Infrastructure; AWS API Endpoints; Operating System; Platform / Application
     • Customers: Customer Data; Firewall (VPC); Customer IAM (DB Users, Table Permissions); AWS IAM (Users, Groups, Roles, Policies); High Availability; Data Protection (Transit, Rest, Backup); Scaling
  20. AWS Shared Responsibility Model: for Abstract Services
     • Managed by AWS: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); API Endpoints (reached through API Calls); Operating System, Network & Firewall Configuration; Platform & Applications Management; Data Protection by the Platform (Protection of Data at Rest); Network Traffic Protection by the Platform (Protection of Data in Transit)
     • Managed by Customers: Customer content (opaque data, 1's and 0's, in flight / at rest); (optional) Client-Side Data Encryption & Data Integrity Authentication; AWS IAM
  21. Infrastructure Service Example – S3. RESPONSIBILITIES
     • AWS: Foundational Services; AWS Global Infrastructure; AWS API Endpoints; Operating System; Platform / Application; Data Protection (Rest - SSE, Transit); High Availability / Scaling
     • Customers: Customer Data; Data Protection (Rest – CSE); AWS IAM (Users, Groups, Roles, Policies)
  22. Summary of Customer Responsibility in the Cloud
     • Infrastructure Services: Data, Applications, Operating System, Networking/Firewall, Customer IAM, AWS IAM
     • Container Services: Data, Firewall, Customer IAM, AWS IAM
     • Abstract Services: Data, AWS IAM
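For an abstract service such as S3 (slides 20 to 22), the platform provides server-side encryption, but the customer still owns the data and the AWS IAM policies that decide whether unencrypted uploads are allowed at all. As an added example that is not part of the deck, the Python below checks a constructed S3 bucket policy for the common two-statement pattern that denies s3:PutObject when the server-side-encryption header is absent or carries an unexpected value; the bucket name and account id are placeholders.

```python
import json

# Constructed sample policies (not from the slides). Bucket name and account
# id are placeholders. The weak policy only grants uploads; the hardened one
# adds two Deny statements covering an absent and a wrong encryption header.
BUCKET_ARN = "arn:aws:s3:::example-bucket/*"
SSE_KEY = "s3:x-amz-server-side-encryption"

WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:PutObject", "Resource": BUCKET_ARN}]})

HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": BUCKET_ARN, "Condition": {"Null": {SSE_KEY: "true"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": BUCKET_ARN,
     "Condition": {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}}}]})

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def enforces_sse(policy_json):
    """True if the policy denies s3:PutObject both when the encryption header
    is missing (Null condition) and when it is present with a value other than
    the allowed ones (StringNotEquals condition). This check requires both
    statements, matching the two-statement pattern in HARDENED_POLICY."""
    denies_missing = denies_wrong_value = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "s3:PutObject" not in actions and "s3:*" not in actions:
            continue
        cond = stmt.get("Condition", {})
        if str(cond.get("Null", {}).get(SSE_KEY, "")).lower() == "true":
            denies_missing = True
        if SSE_KEY in cond.get("StringNotEquals", {}):
            denies_wrong_value = True
    return denies_missing and denies_wrong_value

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: enforces SSE on upload = {enforces_sse(policy)}")
```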
  23. Shared Responsibility: What about security OF the cloud?
  24. Security Shared Responsibility Model. AWS is responsible for the security OF the cloud: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
  25. Auditing - Comparison: on-prem vs on AWS
     • On-prem: Start with bare concrete; Functionally optional – you can build a secure system without it; Audits done by an in-house team; Accountable to yourself; Typically check once a year; Workload-specific compliance checks; Must keep pace and invest in security innovation
     • On AWS: Start on a base of accredited services; Functionally necessary – high watermark of requirements; Audits done by third-party experts; Accountable to everyone; Continuous monitoring; Compliance approach based on all workload scenarios; Security innovation drives broad compliance
  26. What this means
     • You benefit from an environment built for the most security-sensitive organizations
     • AWS manages 1,800+ security controls so you don't have to
     • You get to define the right security controls for your workload sensitivity
     • You always have full ownership and control of your data
  27. AWS Assurance Programs
  28. Built on AWS consistent baseline controls (AWS Foundation Services: Compute, Storage, Database, Networking; AWS Global Infrastructure: Regions, Availability Zones, Edge Locations), customers meet their own security objectives: customer scope and effort is reduced; better results through focused efforts; your own external audits, your own accreditation, your own certifications
  29. Compliance Resources: https://aws.amazon.com/compliance/resources/
  30. Education — AWS Security & Compliance
     • AWS Security Fundamentals: 3-hour eLearning course; target audience: Security Auditors/Analysts; it's free
     • AWS Security Operations: 3-day instructor-led training; target audience: Security Engineers/Architects; 12 modules + labs; self-paced labs available on http://qwiklabs.com
     • https://aws.amazon.com/training/course-descriptions/
  31. awscompliance@amazon.com
  32. Thank You. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
