Smartronix - Building Secure Applications on the AWS Cloud


Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (

  • We currently manage over 20 large-scale, high-volume web properties on AWS. We were the prime contractor that migrated, and now operate and manage, the Recovery.Gov cloud environment.
  • Examining AWS, you'll see the same security isolations as in a traditional datacenter: physical datacenter security, separation of the network, isolation of the server hardware, and isolation of storage. AWS customers have control over their data: they own the data, not us; they can encrypt their data at rest and in motion, just as they would in their own datacenter. Amazon Web Services provides the same familiar approaches to security that companies have been using for decades, while also allowing the flexibility and low cost of cloud computing. There is nothing inherently at odds about providing on-demand infrastructure while also providing the security isolation companies are accustomed to in their existing, privately owned environments.
    AWS is a secure, durable technology platform with industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, HIPAA, SAS 70 Type II. Our services and data centers have multiple layers of operational and physical security designed to protect the integrity and safety of your data. Visit our Security Center to learn more.
    Accreditations: AWS has successfully completed a SAS 70 Type II audit and will continue to obtain the appropriate security certifications and accreditations to demonstrate the security of our infrastructure and services.
    PCI DSS: We finalized our 2011 PCI compliance audit, publishing our extensive Report on Compliance (ROC) with an expanded scope. Our new November 30, 2011 PCI Attestation of Compliance, a document from our auditor stating that we are compliant with all 12 PCI DSS requirements, is available now for customers considering or working on moving PCI systems to AWS. The new Attestation of Compliance includes a key change this year: RDS, ELB, and IAM have been added as in-scope services. That is fantastic news for PCI customers, who can now use RDS to store cardholder and transaction data, use ELB to manage card transaction traffic, and rely on IAM features as validated control mechanisms that satisfy PCI DSS requirements. Consistent with last year, EC2, S3, EBS, and VPC continue to be in scope.
    Physical Security: Amazon has many years of experience in designing, constructing, and operating large-scale data centers. AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need know the actual location of these data centers, and the data centers themselves are secured with a variety of physical barriers to prevent unauthorized access.
    Secure Services: Each service within the AWS cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage without sacrificing the flexibility that customers demand.
    Data Privacy: AWS enables users to encrypt their personal or business data within the AWS cloud and publishes backup and redundancy procedures for its services so that customers can better understand how their data flows throughout AWS.
    "In essence, the security system of AWS's platform has been added to our existing security systems. We now have a security posture consistent with that of a multi-billion dollar company." - Jim Warren, CIO, Recovery Accountability and Transparency Board (RATB)
  • Security and operational excellence is the top priority: priority 0, no exceptions. We understand that security and governance are often the top issues identified when we talk to our customers. Instead of tossing this over the fence, we advise and highly recommend that customers invest in a security review early in the process. Get your security people talking to our security people so both sides understand the security and compliance requirements. Security is not on or off; it is a spectrum of options from which you choose what is right for your application.
  • AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. AWS Direct Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Using industry-standard 802.1q VLANs, this dedicated connection can be partitioned into multiple logical connections. This allows you to use the same connection to access public resources, such as objects stored in Amazon S3 using public IP address space, and private resources, such as Amazon EC2 instances running within an Amazon Virtual Private Cloud (VPC) using private IP space, while maintaining network separation between the public and private environments. Logical connections can be reconfigured at any time to meet your changing needs.
    Amazon Virtual Private Cloud (Amazon VPC) lets you provision a private, isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. With Amazon VPC, you can define a virtual network topology that closely resembles a traditional network that you might operate in your own datacenter. You have control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place back-end systems such as databases or application servers in a private subnet with no Internet access. You can layer multiple controls, including security groups (stateful, per instance) and network access control lists (stateless, per subnet), to control access to Amazon EC2 instances in each subnet. Additionally, you can create a hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and use the AWS cloud as an extension of your corporate datacenter.
    Dedicated Instances are Amazon EC2 instances launched within your Amazon VPC that run on hardware dedicated to a single customer, so no other AWS account's instances share the host. Dedicated Instances let you take full advantage of the benefits of Amazon VPC and the AWS cloud (on-demand elastic provisioning, pay only for what you use, and a private, isolated virtual network) while ensuring that your Amazon EC2 compute instances are isolated at the hardware level. You can create a VPC that contains Dedicated Instances only, providing hardware isolation for all Amazon EC2 compute instances launched into that VPC, or you can mix Dedicated and non-dedicated instances within the same VPC based on application-specific requirements.
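The layered controls described above (a public subnet for web servers, a private subnet for back-end systems, a security group per tier, administrative access only from the corporate range that arrives over the VPN or Direct Connect) can be audited mechanically. The following is an added example written for this page, not code from Smartronix or AWS: it checks constructed security-group definitions, in the shape of `aws ec2 describe-security-groups` output, against the intended exposure of each tier and flags every ingress rule that exceeds it. The group IDs, CIDRs, tier names and ports are assumptions; two deliberately wrong rules are included so the output shows what a finding looks like.

```python
"""Audit EC2 security groups against a tiered VPC layout: a public web tier
reachable from the Internet on 443 only, app and database tiers reachable
only from the tier in front of them, and administrative ports reachable
only from the corporate range behind the VPN / Direct Connect.

SAMPLE_GROUPS is CONSTRUCTED data in the shape of
`aws ec2 describe-security-groups --output json`; the group IDs, CIDRs,
tier names and ports are assumptions for this example.  IPv4 rules only.
"""
import ipaddress

ANY = "0.0.0.0/0"
CORP_VPN_CIDR = "10.10.0.0/16"      # assumed on-premises range behind the VPN
ADMIN_PORTS = {22, 3389}            # SSH / RDP: never exposed beyond CORP_VPN_CIDR

# Intended exposure per tier: which ports, and from which sources.
# A source is either a CIDR or the name of the tier allowed to call in.
TIER_POLICY = {
    "web": {"ports": {443},  "from": {ANY}},
    "app": {"ports": {8080}, "from": {"web"}},
    "db":  {"ports": {3306}, "from": {"app"}},
}

SAMPLE_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": CORP_VPN_CIDR}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0app", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0web"}]},
        # Mistake to catch: SSH opened to the world on the private tier.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app"}]},
        # Mistake to catch: the database listening for the whole Internet.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": ANY}], "UserIdGroupPairs": []},
    ]},
]


def _source_allowed(source, allowed):
    """A CIDR source is fine if it sits inside an allowed CIDR; a group
    source is fine if its tier name is listed."""
    if "/" in source:
        net = ipaddress.ip_network(source, strict=False)
        return any("/" in a and net.subnet_of(ipaddress.ip_network(a)) for a in allowed)
    return source in allowed


def audit_security_groups(groups, tier_policy=TIER_POLICY):
    """Return one finding string per ingress rule that exceeds the tier policy."""
    id_to_tier = {g["GroupId"]: g["GroupName"] for g in groups}
    findings = []
    for g in groups:
        tier, rule = g["GroupName"], tier_policy.get(g["GroupName"])
        for perm in g["IpPermissions"]:
            if perm["IpProtocol"] == "-1":
                findings.append(f"{tier}: rule permits all protocols and ports")
                continue
            ports = set(range(perm["FromPort"], perm["ToPort"] + 1))
            admin, service = ports & ADMIN_PORTS, ports - ADMIN_PORTS
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                      [id_to_tier.get(p["GroupId"], p["GroupId"])
                       for p in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                if admin and not _source_allowed(src, {CORP_VPN_CIDR}):
                    findings.append(f"{tier}: admin ports {sorted(admin)} open to {src}; "
                                    f"only {CORP_VPN_CIDR} expected")
                if service and (rule is None or not service <= rule["ports"]
                                or not _source_allowed(src, rule["from"])):
                    findings.append(f"{tier}: ports {sorted(service)} open to {src}")
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(finding)
```

Run against real output by loading the JSON from `aws ec2 describe-security-groups` in place of SAMPLE_GROUPS and mapping your group names onto the tier policy; the check treats a group-to-group reference as "the tier that owns that group", which is the intended way to express "app may talk to db" without hard-coding addresses.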
  • Amazon Web Services provides highly scalable computing infrastructure that enables organizations around the world to requisition compute power, storage, and other on-demand services in the cloud. These services are available on demand, so a customer doesn't need to think about provisioning or maintaining the underlying infrastructure, or even where it is located. Our approach has always been to be a customer-focused company. We constantly develop services in line with the needs of our customers to make sure they get the flexibility and usability they need to be successful.
  • (Eye-chart slide.) The main takeaway here is the ability to scale and secure at each tier: a defense-in-depth approach. People tell me all the time that they fear the cloud isn't secure. I ask them about their existing topology, and inevitably they describe a DMZ that shares their existing Internet pipe and is one hop away from their internal environment. Why not completely isolate your public-facing environment and let that surface area absorb an attack? That is basically a read-only publication environment. More controls are put in place for authoring. In this example we show a VPN extension of your data center into an AWS VPC environment. That VPC has subnets, using your IP space, that extend your datacenter into the cloud. From there it publishes over SSL to the public site. Active-active, so no separate COOP site is needed.
  • Lose the mindset that security has anything to do with data or service location. Treat data as if it is always on the wire (encrypted in transit and at rest), and issues like data loss or multitenancy concerns are covered by controls you should already have. Defense in depth: protect at every layer. Security is confidentiality, integrity, and availability, and now you can afford availability like never before. The same controls you would apply on-premises for confidentiality and integrity can be applied in the cloud; the difference is that they can now be automated, massively scaled, and repeatedly performed.
    1. Building Secure Applications on the AWS Cloud (July 24th 2012)
    2. Smartronix
       • We specialize in very large network operations, cyber security, infrastructure services, and enterprise application development and deployment
       • We design, deploy, manage and secure some of the world's largest and most complex networks (USMC, NMCI, DoJ, 53rd Air Wing)
       • AWS Partner since 2009
         – AWS Advanced Consulting Partner
         – AWS Authorized Government Partner
         – AWS Channel Reseller Partner
       • Microsoft Gold Partner
    3. Smartronix and AWS
       • AWS Solution Provider since 2009
       • Over 50 trained AWS specialists
       • Over 20 large-scale, high-volume web sites: Makin, etc.
       • First government migration to the cloud
       • Commercial enterprise solutions for SharePoint, Exchange and .NET deployments (Fortune 1000, Federal, Health IT)
    4. Security
    5. Security: Shared Responsibility Model
       AWS
       • Facilities
       • Physical Security
       • Physical Infrastructure
       • Network Infrastructure
       • Virtualization Infrastructure
       Customer
       • Operating System
       • Application
       • Security Groups
       • OS Firewalls
       • Network Configuration
       • Account Management
    6. Built for Enterprise Security Standards
       Certifications
       • SOC 1 Type 2 (formerly SAS-70)
       • ISO 27001
       • PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM
       • FISMA Moderate Compliant Controls
       • HIPAA & ITAR Compliant Architecture
       Physical Security
       • Datacenters in nondescript facilities
       • Physical access strictly controlled
       • Must pass two-factor authentication at least twice for floor access
       • Physical access logged and audited
       HW, SW, Network
       • Systematic change management
       • Phased updates deployment
       • Safe storage decommission
       • Automated monitoring and self-audit
       • Advanced network protection
    7. Infrastructure Security: how we measure that our infrastructure is secure
       • SAS 70 Type II Audit
       • ISO 27001/2 Certification
       • PCI DSS 2.0 Level 1-5
       • HIPAA/SOX Compliance
       • FISMA Moderate
       • FEDRamp / GSA ATO
       Application Security: how can you secure your application, and what is your responsibility?
       • Encrypt data in transit
       • Encrypt data at rest
       • Protect your AWS credentials
       • Rotate your keys
       • Secure your OS and applications
       Services Security: what security options and features are available to you?
       • Enforce IAM policies
       • Use MFA, VPC
       • Leverage S3 bucket policies, EC2 Security Groups, EFS in EC2, etc.
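Three of the application-security items on slide 7 (encrypt data in transit, encrypt data at rest, use MFA) together with "leverage S3 bucket policies" from the services column can be expressed directly as conditions in a bucket policy. The following is an added example written for this page, not code from the presentation or from AWS: it writes such a policy and evaluates constructed requests against it with a small local evaluator that models only the slice of IAM semantics the policy uses (explicit Deny beats Allow; Bool, BoolIfExists and Null conditions; `*` wildcards in Action and Resource; no Principal matching). The bucket and role ARNs are assumptions. It also shows the caveat a practitioner wants here: an MFA condition written with `Bool` never matches a request signed with long-term keys, because that request carries no `aws:MultiFactorAuthPresent` key at all, so the Deny has to use `BoolIfExists`.

```python
"""S3 bucket policy enforcing TLS, server-side encryption and MFA for deletes,
plus a minimal local evaluator for the IAM semantics it uses.

CONSTRUCTED example: bucket and role ARNs are assumptions; `evaluate`
ignores Principal (every sample request is taken to come from APP_ROLE)
and is an illustration of the policy logic, not AWS's evaluation engine.
"""
import copy
import fnmatch

BUCKET = "arn:aws:s3:::example-publication-site"        # assumed bucket ARN
APP_ROLE = "arn:aws:iam::111122223333:role/app-server"  # assumed role ARN

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleObjectAccess", "Effect": "Allow",
         "Principal": {"AWS": APP_ROLE},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"{BUCKET}/*"},
        # Encrypt in transit: refuse anything that did not arrive over TLS.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        # Encrypt at rest: refuse uploads that do not request server-side encryption.
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        # Use MFA: destructive calls need an MFA-backed session.  BoolIfExists,
        # not Bool: long-term keys carry no aws:MultiFactorAuthPresent key, and
        # plain Bool never matches a missing key, so the Deny would not apply.
        {"Sid": "DenyDeleteWithoutMFA", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": f"{BUCKET}/*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """True when every operator/key pair in the Condition block matches ctx."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present, actual = key in ctx, str(ctx.get(key, "")).lower()
            if operator == "Null":
                if (not present) != (expected == "true"):
                    return False
            elif operator == "Bool":
                if not present or actual != expected.lower():
                    return False
            elif operator == "BoolIfExists":
                if present and actual != expected.lower():
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def evaluate(policy, action, resource, ctx):
    """'Deny' if a matching Deny applies, else 'Allow' if a matching Allow
    applies, else 'ImplicitDeny'."""
    allowed = False
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


OBJECT = f"{BUCKET}/index.html"
TLS = {"aws:SecureTransport": "true"}
# Constructed request contexts, as the condition keys would appear to IAM.
REQUESTS = {
    "get over https":            ("s3:GetObject",    OBJECT, TLS),
    "get over http":             ("s3:GetObject",    OBJECT, {"aws:SecureTransport": "false"}),
    "put with sse":              ("s3:PutObject",    OBJECT, {**TLS, "s3:x-amz-server-side-encryption": "AES256"}),
    "put without sse":           ("s3:PutObject",    OBJECT, TLS),
    "delete with mfa session":   ("s3:DeleteObject", OBJECT, {**TLS, "aws:MultiFactorAuthPresent": "true"}),
    "delete with long-term key": ("s3:DeleteObject", OBJECT, TLS),   # no MFA key at all
}


def evaluate_samples(policy=BUCKET_POLICY):
    return {name: evaluate(policy, *req) for name, req in REQUESTS.items()}


def mfa_pitfall():
    """Same Deny written with Bool instead of BoolIfExists: the long-term-key
    delete slips through because the condition key is absent."""
    weak = copy.deepcopy(BUCKET_POLICY)
    for st in weak["Statement"]:
        if st["Sid"] == "DenyDeleteWithoutMFA":
            st["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}
    return evaluate(weak, *REQUESTS["delete with long-term key"])


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:28} {verdict}")
    print("with Bool instead of BoolIfExists:", mfa_pitfall())
```

The policy document itself is what you would attach with `aws s3api put-bucket-policy`; the evaluator exists only so the six verdicts can be checked without an account, and it deliberately raises on any condition operator it does not model rather than guessing.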
    8. Networking & Security
       • AWS Direct Connect: dedicated connection between your datacenter and AWS
       • Amazon Virtual Private Cloud (VPC): private VPN connection, over the Internet, to your AWS resources
       • Dedicated Instances: single-tenant compute instances; Amazon EC2 resources running on private hardware
    9. AWS Platform (stack, top to bottom)
       • Your Applications
       • Management & Administration: Administration Console, Identity & Access, Deployment, Monitoring
       • Building Block Services
         – Application Platform Services: Content Distribution, Parallel Processing, Libraries & SDKs, Messaging
         – Foundation Services: Compute, Storage, Database, Networking
       • AWS Global Infrastructure: Availability Zones, Edge Locations, Regions
    10. The New Enterprise IT Network Architecture (diagram): Corporate Data Center, Corporate Headquarters and Branch Offices (Customer Gateway) connecting to an Amazon VPC in an AWS Region through a 10G Direct Connect Location and a VPN Gateway; the VPC spans Availability Zone 1 and Availability Zone 2, each with a Public Subnet, a Private Subnet and a NAT Instance, with an Internet Gateway on the public side; regional services shown: S3, SQS/SNS/SES, SWF, Elastic Beanstalk, SimpleDB, DynamoDB.
    11. Advantages
       • Extend your datacenter securely
       • Reduce the surface area of attack on your network
       • Securely manage service connections
       • The "cloud" can be completely behind the TIC and utilize your TIC/SOC infrastructure
    12. Case Study: Federal Web Site Architecture, Community Cloud
    13. Architecture (diagram). Production Public Enclave, spanning Availability Zone A and Availability Zone B: Amazon CloudFront in front of an Elastic Load Balancer; four TMG servers and two DC servers, each tier in its own Security Group; four Web servers, two Search servers and four App servers, each tier in its own Security Group; Primary DB, Secondary DB and Witness servers plus two OPS servers in their own Security Groups; supporting services Amazon S3, Amazon CloudWatch Alarms, Amazon SNS Notifications and IAM. Authoring / Collab Enclave, also across Availability Zone A and B: App servers and Web servers in their own Security Groups, connected to the corporate data center.
    14. Security
       • Defense in Depth – Layered Security
       • Compensating Security Controls
       • "Least Privilege" Best Practices
       • Hardened AMI
       • HA/Redundancy/COOP
       • Unified Threat Management
       • Monitoring stack / Log aggregation
       • Data Protection, Encryption and Backup solutions
       • Software based IDS/IPS
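The "Monitoring stack / Log aggregation" and "Software based IDS/IPS" bullets, combined with the read-only publication environment described in the speaker notes, suggest a concrete detection: the public web tier should only ever serve GET and HEAD, so any write method reaching it is an alert on its own, and attack signatures or repeated authentication failures across the pool are worth raising too. The following is an added example written for this page, not code from the presentation: it aggregates constructed combined-format access log lines from two web servers and returns alert records of the kind you would publish to an SNS topic. Host names, addresses, paths, the signature set and the threshold are illustrative choices.

```python
"""Aggregate access logs from the public web tier and alert on what a
read-only publication environment should never see: write methods,
path-traversal or SQL-injection payloads, and repeated auth failures.

SAMPLE_LOGS is CONSTRUCTED combined-format data keyed by web server; the
hosts, addresses, paths and rules are illustrative choices for this
example, not data from the presentation.
"""
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
READ_ONLY_METHODS = {"GET", "HEAD"}          # all the publication tier should ever serve
SIGNATURES = {                                # checked against the URL-decoded path
    "path-traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "sql-injection": re.compile(r"(?i)(union\s+select|or\s+1\s*=\s*1|;\s*drop\s)"),
}
FAILED_AUTH_THRESHOLD = 5                     # 401/403 responses per source address

SAMPLE_LOGS = {
    "web-1": [
        '10.0.1.10 - - [24/Jul/2012:14:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
        '203.0.113.7 - - [24/Jul/2012:14:00:03 +0000] "GET /static/..%2F..%2Fetc/passwd HTTP/1.1" 404 233',
        '203.0.113.7 - - [24/Jul/2012:14:00:04 +0000] "POST /authoring/publish HTTP/1.1" 405 0',
    ] + [
        f'198.51.100.23 - - [24/Jul/2012:14:01:{i:02d} +0000] "GET /admin/ HTTP/1.1" 401 0'
        for i in range(6)
    ],
    "web-2": [
        '10.0.1.11 - - [24/Jul/2012:14:00:02 +0000] "HEAD /about.html HTTP/1.1" 200 0',
        '192.0.2.5 - - [24/Jul/2012:14:00:06 +0000] '
        '"GET /search?q=1%27%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1" 200 812',
    ],
}


def parse_line(host, line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(host=host, status=int(rec["status"]), decoded_path=unquote(rec["path"]))
    return rec


def detect(logs_by_host, threshold=FAILED_AUTH_THRESHOLD):
    """Return alert records (rule, source, host, evidence) over all hosts' logs."""
    alerts, failures = [], Counter()
    for host, lines in logs_by_host.items():
        for line in lines:
            rec = parse_line(host, line)
            if rec is None:
                alerts.append({"rule": "unparseable-log-line", "source": None,
                               "host": host, "evidence": line})
                continue
            if rec["method"] not in READ_ONLY_METHODS:
                alerts.append({"rule": "write-to-readonly-tier", "source": rec["ip"],
                               "host": host, "evidence": f'{rec["method"]} {rec["path"]}'})
            for name, sig in SIGNATURES.items():
                if sig.search(rec["decoded_path"]):
                    alerts.append({"rule": name, "source": rec["ip"],
                                   "host": host, "evidence": rec["decoded_path"]})
            if rec["status"] in (401, 403):
                failures[rec["ip"]] += 1
    # The threshold rule counts across hosts: that is why the logs are aggregated first.
    for ip, n in failures.items():
        if n >= threshold:
            alerts.append({"rule": "auth-brute-force", "source": ip, "host": "*",
                           "evidence": f"{n} 401/403 responses"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f'{a["rule"]:24} {a["source"]!s:16} {a["host"]:6} {a["evidence"]}')
```

Signatures are matched on the URL-decoded path so that `..%2F..%2F` is caught as traversal; the brute-force count is kept per source address across every host's log, which a per-server check would miss once the load balancer spreads the attempts out.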