
AWS Enterprise Summit London 2015 | Security in the Cloud

Dob Todorov, Head of Public Sector Solutions Architecture, AWS



  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Dob Todorov, Regional Technology Officer, Public Sector and Principal Architect Security & Compliance EMEA. Security in the Cloud
  2. 21st Century IT Security: Cloud Security
  3. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers” Tom Soderstrom, CTO NASA JPL
  4. Cost of Security on Premises / Hosted Facility (CapEx / OpEx): Technology (physical security, infrastructure, power, networking): £££££ / £££. Processes (standards, procedures, guidelines, assurance, compliance): £££ / ££. People (hire, upskill, compensate, train, manage): ££ / ££££.
  5. Security and Business Value. Security as a “feature”: a qualitative measure, either secure or insecure; no added end-user value. Objective reality: small or shrinking budgets; threat vectors and agents rising in number and sophistication. Challenge: how do we justify the cost of security?
  6. Cost of Security in the Cloud (CapEx / OpEx): Technology (physical security, infrastructure, power, networking): none / none. Processes (standards, procedures, guidelines, assurance, compliance): none / none. People (hire, upskill, compensate, train, manage): none / none. Infrastructure secure & compliant at no extra cost.
  7. Cloud Security Principles Compliance: issued 1 Apr 2014 by the CESG; they replace the Business Impact Levels model (BIL: IL1-IL5+); distributed certification model; risk-based approach: suitability for purpose; new protective marking mechanisms; AWS whitepaper available.
  8. Cyber Essentials Plus Compliance in Dublin. Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme that helps organisations demonstrate security against common cyber attacks. The ‘Plus’ scheme benefits from independent testing and validation, compared to the baseline ‘Cyber Essentials’ scheme, which is self-attested.
  9. ISO 27018. [Image: ISO/IEC 27018:2014 certificate for Amazon Web Services, Inc., certificate number 2015-016, issued by EY CertifyPoint on October 1, 2015, expiring November 12, 2016.] Customers control their content. Customers' content will not be used for any unauthorized purposes. Physical media is destroyed prior to leaving AWS data centers. AWS provides customers the means to delete their content. AWS doesn’t disclose customers' content.
  10. AWS Security Tools. AWS Trusted Advisor: periodic evaluation of alignment with AWS best practices; not just security-related. AWS Config Rules: create rules that govern the configuration of your AWS resources; continuous evaluation. Amazon Inspector: security insights into your applications; runs on EC2 instances; on-demand scans. AWS Compliance: AWS is responsible for security of the cloud; the customer is responsible for security in the cloud.
  11. Cloud Config Rules
  12. Security by Design (SbD): systematic approach to ensure security; formalizes AWS account design; automates security controls; streamlines auditing; provides control insights throughout the IT management process. Services: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config.
  13. GoldBase: scripting your governance policy. A set of CloudFormation templates & reference architectures that accelerate compliance with PCI, EU Personal Data Protection, HIPAA, FFIEC, FISMA, CJIS. Result: reliable technical implementation of administrative controls.
  14. What is Inspector? Application security assessment; selectable built-in rules; security findings; guidance and management; automatable via APIs.
  15. Rule packages: CVE (common vulnerabilities and exposures); network security best practices; authentication best practices; operating system security best practices; application security best practices; PCI DSS 3.0 readiness.
  16. Why AWS WAF? Application DDoS, vulnerabilities, abuse. [Diagram: good users and bad guys both reaching the web server and database.]
  17. What is AWS WAF? [Diagram: AWS WAF placed in front of the web server and database, between good users and bad guys, against application DDoS.] AWS WAF rules: 1: BLOCK requests from bad guys. 2: ALLOW requests from good guys. Types of conditions in rules: 1: source IP/range; 2: string match; 3: SQL injection.
  18. S2N, the AWS implementation of TLS. Small: ~6,000 lines of code, all audited; ~80% less memory consumed. Fast: 12% faster. Simple: avoids rarely used options/extensions.
  19. VPC Flow Logs
  20. Certification & Education. Security Fundamentals on AWS: free, online course for security auditors and analysts. Security Operations on AWS: 3-day class for security engineers, architects, analysts, and auditors. AWS Certification: security is part of all AWS exams.
  21. Rich Security Capabilities in the Cloud: Prepare, Prevent, Detect, Respond
  22. Prepare: AWS Security Solutions Architects; AWS Professional Services; AWS Secure by Design & Gold Base; AWS Security Best Practices; partner professional services; AWS Training and Certification; understand compliance requirements.
  23. Prevent: use IAM (consider MFA, roles, federation, SSO); implement Amazon WAF; leverage S2N for secure TLS connections; implement Config Rules to enforce compliance; implement Amazon Inspector to identify vulnerabilities early on.
  24. Detect: CloudTrail enabled across all accounts and services; consider Config & Config Rules logs; Inspector can be used as a detective tool; Trusted Advisor goes beyond just security; use CloudWatch Logs; VPC Flow Logs give insight into intended and unintended communication taking place into your VPC; do look at partner log management and security monitoring solutions.
  25. Respond: be prepared: develop, acquire or hire security incident response capabilities; test preparedness via game days. Automated response and containment is always better than manual response. AWS supports forensic investigations. Leverage AWS Support for best results. Talk to our security partners.
  26. Be Secure & Compliant in the Cloud!
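The Detect slide's point that VPC Flow Logs reveal both intended and unintended communication can be made concrete with a small parser. This is an added example, not code from the deck or from AWS: it assumes the default version-2 flow log record layout (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), uses constructed sample records, and flags two detection cases: one source collecting REJECTs on several distinct ports, and an accepted outbound flow from an internal host to a port outside a hypothetical allow-list.

```python
"""Parse VPC Flow Log records and flag unintended traffic (added example)."""

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records: an accepted HTTPS session, rejected probes from one
# source against three ports, an accepted internal-to-external flow on port 6667,
# and a NODATA row that carries no flow information.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51822 443 6 20 4000 1434000000 1434000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40001 22 6 1 60 1434000000 1434000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40002 3389 6 1 60 1434000000 1434000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40003 23 6 1 60 1434000000 1434000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 192.0.2.44 52001 6667 6 10 900 1434000000 1434000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1434000000 1434000060 - NODATA
"""


def parse_records(text):
    """Yield one dict per well-formed record; rows without flow data are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or different-format row
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue  # NODATA / SKIPDATA rows have no addresses or ports
        yield rec


def rejected_sources(records, threshold=3):
    """Sources whose rejected inbound flows touched >= threshold distinct ports."""
    ports = {}
    for r in records:
        if r["action"] == "REJECT":
            ports.setdefault(r["srcaddr"], set()).add(int(r["dstport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}


def unexpected_egress(records, internal_prefix="10.", allowed_ports=(80, 443)):
    """Accepted flows from internal hosts to ports outside a hypothetical allow-list."""
    return [(r["srcaddr"], r["dstaddr"], int(r["dstport"]))
            for r in records
            if r["action"] == "ACCEPT" and r["srcaddr"].startswith(internal_prefix)
            and int(r["dstport"]) not in allowed_ports]


if __name__ == "__main__":
    recs = list(parse_records(SAMPLE_LOG))
    print("multi-port rejects:", rejected_sources(recs))
    print("unexpected egress:", unexpected_egress(recs))
```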