Amazon WorkSpaces for Regulated Industries (BAP211) - AWS re:Invent 2018
2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Amazon WorkSpaces for Regulated Industries
BAP211
Eric Jones
Sr Product Manager
Amazon WorkSpaces
Ron Bledsoe
Sr Engineer
Bridgewater Associates
Andrew Wood
Sr Specialized EUC SA
AWS Solutions Architecture
3. Agenda
Amazon WorkSpaces capabilities for regulated industries
Regulatory/compliance availability
Features for security posture
Use case: Bridgewater Associates
Using Amazon WorkSpaces to help meet high security requirements
Regulations focus: EMEA
How EMEA customers meet new regulations with Amazon WorkSpaces
5. A cost-effective, managed cloud desktop for flexible work styles
• Managed desktop-as-a-service (DaaS) offering hosted in the AWS cloud
• Secure access to the business desktop: applications, documents, and corporate resources
• Fast, responsive user experience on any network
• Available on a wide range of personal devices including iPads, Android tablets, Macs, PCs, laptops, and Chromebooks
• Cloud economics: scale at your pace and only pay for what you use
6. Included with Amazon WorkSpaces
• Compliance
• Ongoing programs
• Data sovereignty
• Features and partner solutions
• Auditing
• Security
• Access controls
7. Compliance programs
GDPR
Current
DoD SRG
8. Amazon WorkSpaces security features – New in 2018
IP-based access controls
• Select IP addresses from which users can access Amazon WorkSpaces
Amazon WorkSpaces access events
• View, search, download, archive, analyze, and respond to successful logins to your Amazon WorkSpaces
Custom Login Workflows
• Generate custom links containing login information with Uniform Resource Identifier support
10. Diagram labels (one diagram built up across slides 10–14):
Active Directory, SIEM, Direct Connect or VPN, MFA (RADIUS), Corporate Network
Security Controls: Certificate Auth, IP Access Controls, MFA
Security Controls: Certificate Auth, MFA, CloudWatch Events
Security Controls: MFA
16. Image credit: Data courtesy Marc Imhoff of NASA GSFC and Christopher Elvidge of NOAA NGDC. Image by Craig Mayhew and Robert Simmon, NASA GSFC. NASA Visible Earth, cropped from Image:Earthlights dmsp.jpg by Luestling 14:17, 22. M 2005, from German Wikipedia [1], Public Domain, https://commons.wikimedia.org/w/index.php?curid=409353
18. Related sessions
Related sessions
Thursday, November 29
BAP305: How to move to Amazon WorkSpaces and replace your legacy VDI
1:45 p.m. – 2:45 p.m. | MGM, Level 3, Premier Ballroom 319, T2
Friday, November 30
BAP323: Move your Desktops and Applications to AWS with Amazon WorkSpaces and AppStream 2.0
10:00 a.m. – 11:00 a.m. | Venetian, Level 4, Lando 4202, T1
19. Thank you!
Eric Jones
ejjonesa@amazon.com
21. Appendix: WorkSpaces features
22. IP-based access controls
Control Amazon WorkSpaces access
• Select IP addresses from which users can access Amazon WorkSpaces
• Create groups of custom rules specifying which IP addresses users can access Amazon WorkSpaces from
Benefits
• Ensure that Amazon WorkSpaces are only accessed from trusted networks
• Groups can be applied at the individual directory level from the Amazon WorkSpaces console or through APIs
Limitations
• Cannot be enabled for the Web Access client
Diagram labels: Amazon WorkSpaces Client, Source IP Check, AWS Cloud
23. CloudWatch events on Amazon WorkSpaces access
Identify Amazon WorkSpaces access
• View, search, download, archive, analyze, and respond to successful logins to your Amazon WorkSpaces
• Monitor client WAN IP addresses, operating system, Amazon WorkSpaces ID, and Directory ID information for users’ logins to Amazon WorkSpaces
Benefits
• Learn when, where, and how your users log in to and access their Amazon WorkSpaces
• Set up automated actions based on how a WorkSpace is accessed
Diagram labels: Amazon WorkSpaces Client, CloudWatch Events, Amazon WorkSpaces Access Event (on Login Success)
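A worked example of the "automated actions" bullet, added here and not part of the AWS deck or of any AWS code: Go that parses a WorkSpaces Access event and flags a successful login whose client WAN IP falls outside the trusted ranges that an IP access control group (slide 22) would allow for that directory. The field names follow the WorkSpaces Access event as AWS documents it; the account, IDs, addresses and timestamps in the two sample events are constructed, as are the Policy and Finding types and the SampleRules map. The point for a defender is the slide 22 limitation: IP access controls cannot be enabled for the Web Access client, so checking the access event after the fact is the control that still covers that path.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// AccessEvent mirrors the CloudWatch event WorkSpaces emits on a successful
// login (source "aws.workspaces", detail-type "WorkSpaces Access"). Only the
// fields this check uses are declared; encoding/json ignores the rest.
type AccessEvent struct {
	DetailType string `json:"detail-type"`
	Source     string `json:"source"`
	Detail     struct {
		ClientIPAddress string `json:"clientIpAddress"`
		ActionType      string `json:"actionType"`
		ClientProduct   string `json:"workspacesClientProductName"`
		ClientPlatform  string `json:"clientPlatform"`
		LoginTime       string `json:"loginTime"`
		WorkspaceID     string `json:"workspaceId"`
		DirectoryID     string `json:"directoryId"`
	} `json:"detail"`
}

// Policy maps a directory ID to the CIDR ranges its IP access control group
// allows, parsed from the same CIDR strings you would put in the group.
type Policy map[string][]*net.IPNet

func ParsePolicy(rules map[string][]string) (Policy, error) {
	p := Policy{}
	for dir, cidrs := range rules {
		for _, c := range cidrs {
			_, n, err := net.ParseCIDR(c)
			if err != nil {
				return nil, fmt.Errorf("directory %s: %w", dir, err)
			}
			p[dir] = append(p[dir], n)
		}
	}
	return p, nil
}

// Finding describes a login that deserves a closer look.
type Finding struct{ WorkspaceID, DirectoryID, ClientIP, Reason string }

// Evaluate parses one event and flags a login whose client WAN IP is outside
// the trusted ranges for its directory. It returns (nil, nil) for a login from
// a trusted range and an error for payloads that are not WorkSpaces Access events.
func Evaluate(raw []byte, p Policy) (*Finding, error) {
	var ev AccessEvent
	if err := json.Unmarshal(raw, &ev); err != nil {
		return nil, err
	}
	if ev.Source != "aws.workspaces" || ev.DetailType != "WorkSpaces Access" {
		return nil, fmt.Errorf("unexpected event %s/%s", ev.Source, ev.DetailType)
	}
	d := ev.Detail
	f := &Finding{WorkspaceID: d.WorkspaceID, DirectoryID: d.DirectoryID, ClientIP: d.ClientIPAddress}
	ip := net.ParseIP(d.ClientIPAddress)
	if ip == nil {
		f.Reason = "client IP address not parseable"
		return f, nil
	}
	nets, ok := p[d.DirectoryID]
	if !ok {
		f.Reason = "no trusted-network policy for this directory"
		return f, nil
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return nil, nil
		}
	}
	f.Reason = fmt.Sprintf("%s %s on %s from outside trusted ranges at %s", d.ClientProduct, d.ActionType, d.ClientPlatform, d.LoginTime)
	return f, nil
}

// Constructed sample events: field names follow the WorkSpaces Access event,
// while account, IDs, addresses and times are made up for this example.
const (
	EventFromOffice = `{"version":"0","id":"00000000-0000-0000-0000-000000000001","detail-type":"WorkSpaces Access","source":"aws.workspaces","account":"111122223333","time":"2018-11-27T16:05:12Z","region":"us-west-2","resources":[],
	 "detail":{"clientIpAddress":"203.0.113.25","actionType":"successfulLogin","workspacesClientProductName":"WorkSpacesWebClient","clientPlatform":"Windows","clientVersion":"2.5.0","loginTime":"2018-11-27T16:05:12.000Z","workspaceId":"ws-sample0001","directoryId":"d-sample00001"}}`
	EventFromElsewhere = `{"version":"0","id":"00000000-0000-0000-0000-000000000002","detail-type":"WorkSpaces Access","source":"aws.workspaces","account":"111122223333","time":"2018-11-27T23:41:50Z","region":"us-west-2","resources":[],
	 "detail":{"clientIpAddress":"198.51.100.77","actionType":"successfulLogin","workspacesClientProductName":"WorkSpacesWebClient","clientPlatform":"Windows","clientVersion":"2.5.0","loginTime":"2018-11-27T23:41:50.000Z","workspaceId":"ws-sample0001","directoryId":"d-sample00001"}}`
)

// SampleRules trusts only the office range 203.0.113.0/24 (a documentation
// prefix, constructed here) for the sample directory.
var SampleRules = map[string][]string{"d-sample00001": {"203.0.113.0/24"}}

func main() {
	p, _ := ParsePolicy(SampleRules) // the constructed rules above are valid CIDRs
	for _, raw := range []string{EventFromOffice, EventFromElsewhere} {
		f, err := Evaluate([]byte(raw), p)
		fmt.Printf("finding=%+v err=%v\n", f, err)
	}
}
```

In a deployment the Evaluate call would sit behind a CloudWatch Events rule on source aws.workspaces, and a non-nil Finding is what you would route to the SIEM shown in the architecture diagram; a login from a directory with no policy is reported as a finding rather than silently allowed, so a gap in the rules surfaces instead of hiding.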
24. Certificate authentication
Managed device authentication
How does it work?
• Customers deploy device certificates to managed devices
• The Amazon WorkSpaces service stores the root certificate with the public key only
• The Amazon WorkSpaces application makes an authentication request, and the service returns a randomly generated nonce along with the root certificate
• The app locates a device certificate chaining to the root authority of the certificate provided by the service
• The app signs the nonce provided by the service with the private key of the device certificate and sends it to the service along with the public key
• The service validates that the nonce is signed by the device certificate and allows authentication to proceed
Benefits
• Access control based on the client device type and certificates
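The exchange described above, as an added example that is not part of the deck and not the WorkSpaces client's or service's own code: a Go model of the challenge-response in which the service holds only the root certificate, hands out a random nonce with it, and admits the login only if the device certificate chains to that root and the signature over the nonce verifies under the certificate's public key; the device side first checks that its certificate chains to the offered root before signing. Everything about the PKI is constructed for the example (issueCert, ECDSA P-256 keys, the "Corp Device Root", "laptop-0001" and "byod-0001" names); the real service's wire format, key types and nonce handling are not described on the slide and this code does not claim to reproduce them. The detail a defender should look for is the single-use nonce table in Verify: it is what stops a captured response from being replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issueCert mints a client-auth certificate for pub, self-signed when isCA (a root). Toy PKI helper; panics on error.
func issueCert(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a root signs certificates and is its own parent
		tmpl.KeyUsage, parent = x509.KeyUsageCertSign, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// chainsTo fails unless leaf is a client-auth certificate issued under root.
func chainsTo(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Challenge: random nonce plus the root certificate (public key only). Response: the nonce
// signed with the device private key plus the device certificate carrying its public key.
// Service keeps the root certificate and its unredeemed nonces, never a private key.
type Challenge struct{ Nonce []byte; Root *x509.Certificate }
type Response struct{ Nonce, Signature []byte; Cert *x509.Certificate }
type Service struct{ root *x509.Certificate; pending map[string]bool }
type Device struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

// Challenge issues a fresh 256-bit nonce and remembers it until it is redeemed.
func (s *Service) Challenge() (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	s.pending[string(nonce)] = true
	return Challenge{Nonce: nonce, Root: s.root}, nil
}

// Verify admits the login only if the nonce is one we issued and still unused, the device
// certificate chains to our root, and the nonce signature verifies under its public key.
func (s *Service) Verify(r Response) error {
	if !s.pending[string(r.Nonce)] {
		return errors.New("unknown or already used nonce")
	}
	delete(s.pending, string(r.Nonce)) // single use: a captured response cannot be replayed
	if err := chainsTo(r.Cert, s.root); err != nil {
		return err
	}
	pub, ok := r.Cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(r.Nonce)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], r.Signature) {
		return errors.New("nonce signature invalid")
	}
	return nil
}

// Respond first checks that the device certificate chains to the root the service offered
// (a device enrolled under another authority stops here), then signs the nonce.
func (d *Device) Respond(c Challenge) (Response, error) {
	if err := chainsTo(d.Cert, c.Root); err != nil {
		return Response{}, errors.New("no device certificate chains to the offered root")
	}
	digest := sha256.Sum256(c.Nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, d.Key, digest[:]) // fails only if the random source does
	return Response{Nonce: c.Nonce, Signature: sig, Cert: d.Cert}, nil
}

// Setup builds the toy PKI: a root whose public certificate the service keeps, one device enrolled under it, one under an unrelated root.
func Setup() (svc *Service, managed, stray *Device) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := issueCert("Corp Device Root (constructed)", true, &rootKey.PublicKey, nil, rootKey)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherRoot := issueCert("Unrelated Root (constructed)", true, &otherKey.PublicKey, nil, otherKey)
	strayKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	svc = &Service{root: root, pending: map[string]bool{}}
	managed = &Device{Cert: issueCert("laptop-0001 (constructed)", false, &devKey.PublicKey, root, rootKey), Key: devKey}
	stray = &Device{Cert: issueCert("byod-0001 (constructed)", false, &strayKey.PublicKey, otherRoot, otherKey), Key: strayKey}
	return svc, managed, stray
}
```

Two design choices carry the security argument. The service consumes the nonce before it checks the signature, so even a response that fails verification cannot be retried against the same challenge. And the device certificate is verified as a chain with the client-auth usage rather than compared byte-for-byte, which is what lets the service store a single root and still recognise every certificate the customer later deploys under it.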
25. Encryption
Encrypt Amazon WorkSpaces volumes
• Data in transit and at rest is encrypted using AES-256 encryption
• Integrates with the AWS Key Management Service (AWS KMS)
• Use your AWS KMS keys to encrypt Amazon WorkSpaces
• Encrypt up to 30 Amazon WorkSpaces with a single key
• Can encrypt both root and user volumes
• No material performance impact
Pricing
• Pay for AWS KMS keys and Amazon WorkSpaces – no additional charge
26. Partner Solutions
• Authentication portals
• Multi-factor authentication
• Endpoint inspection
• Anti-virus protection
• Network inspection
• Web proxy