
AWS re:Invent 2016: re:Source Mini Con for Security Services State of the Union (SEC312)

AWS CISO Steve Schmidt presents the state of the union for re:Source Mini Con for Security Services. He addresses the state of the security and compliance ecosystem; large enterprise customer additions in key industries; the vertical view: maturing spaces for AWS security assurance (GxP, IoT, CIS foundations); and the international view: data privacy protections and data sovereignty. The state of the union also addresses a number of new identity, directory, and access services, and closes by looking at what's on the horizon.


  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Stephen Schmidt, Vice President and Chief Information Security Officer. November 29, 2016. SEC312 Security Services: State of the Union
  2. Evolution: “Cloud will account for 92 percent of data center traffic by 2020” - Global Cloud Index (GCI) Forecast
  3. During this state of the union …
     • AWS compliance program – updates
     • How Johnson & Johnson thinks about automation
     • Security tool enhancements in 2016
     • How AWS handles security at scale
     • What’s coming at re:Invent 2016?
  4. AWS Compliance: we care deeply about data security, and we work to get this right for customers
  5. Data Ownership
     • Customers choose where to place their data
     • AWS regions are geographically isolated by design
     • Data is not replicated to other AWS regions and doesn’t move unless the customer tells us to do so
     • Customers always own their data, and the ability to encrypt it, move it, and delete it
  6. Our Audit and Certification Approach: 70+ services, 7,710 audit artifacts, 2,670 controls, 3,030 audit requirements
  7. Compliance – AWS Artifact: AWS Artifact provides customers with an easier process to obtain AWS compliance reports (SOC, PCI, ISO) with self-service, on-demand access via the console
  8. Making Compliance Easier – AWS Solution: Marketplace Program
  9. Making Compliance Easier – AWS Solution: Marketplace Program – Allgress
  10. Solutions in AWS Marketplace (aws.amazon.com/mp/security)
     • Categories: Infrastructure Security; Logging & Monitoring; Configuration & Vulnerability Analysis; Data Protection; Identity & Access Management
     • Listings shown: Deep Security-as-a-Service; VM-Series Next-Generation Firewall Bundle 2; vSEC; Web Application Firewall; Unified Threat Management 9; FortiGate-VM; SecureSphere WAF; CloudInsight; Security Platform (ESP) for AWS; SecOps Log Management & Analytics; Enterprise Cost & Security Management; DataControl; Transparent Encryption for AWS; SafeNet ProtectV; Identity & Access Management or AWS Security Manager; OneLogin for AWS; Identity Management for the Cloud
     • One-click launch; ready-to-run on AWS; pay only for what you use
  11. Making Compliance Easier – AWS Solution: Amazon S3 data events available in CloudTrail and CloudWatch Events (diagram components: Amazon S3, AWS Lambda, Amazon CloudWatch, AWS CloudTrail)
  12. Agenda
     • AWS compliance program – updates
     • How Johnson & Johnson thinks about automation
     • Security tool enhancements in 2016
     • How AWS handles security at scale
     • What’s coming at re:Invent 2016?
  13. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Johnson & Johnson: Marene Allison, Chief Information Security Officer
  14. I have the absolute best job in the world…
     • 250 operating companies, 60 countries, 126,900 employees
     • World’s sixth-largest consumer health, pharmaceuticals, and biologics company
       – Most comprehensive medical device company
       – 5th largest pharmaceutical company globally
       – 6th largest biotech company globally
       – 6th largest consumer health care company globally
     • We touch 1 billion customers every day
     • We provide products for all stages of life
     • 2015 worldwide sales: $70.1 billion
  15. Automate everything
     • Cutting-edge, software-defined data center
     • Enterprise guardrails: self-service with control
     • Segregated environments for containment
  16. Simplify relentlessly – core principles for security, compliance, and management
     • Enforce least privilege approach
     • Log everything
     • J&J identity & group management
     • J&J network extension
     • Enforce our images
     • Account isolation
  17. Thank you!
  18. Agenda
     • AWS compliance program – updates
     • How Johnson & Johnson thinks about automation
     • Security tool enhancements in 2016
     • How AWS handles security at scale
     • What’s coming at re:Invent 2016?
  19. AWS Identity and Access Management (IAM): securely control access to AWS services and resources
  20. AWS Solution: AWS Identity and Access Management – apply the security principles of “least privilege” and “segregation of responsibilities”
  21. AWS Identity and Access Management features added in 2016
     • AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations
     • The IAM console now helps prevent you from accidentally deleting in-use resources
  22. Amazon Inspector: security assessment tool analyzing end-to-end application configuration and activity
  23. AWS Solution: Amazon Inspector
     • Configuration scanning engine; activity monitoring; built-in content library; automatable via API; fully auditable
     • Amazon Inspector benefits: improved security posture; increased agility; embedded expertise; streamlined compliance
  24. Amazon Inspector features added in 2016
     • CIS certifications for Windows Server 2008 R2, Server 2012, and Server 2012 R2
     • Assessments complete even if some targeted agents are offline
     • Filter findings based on severity levels
  25. AWS Key Management Service: control your encryption keys
  26. AWS Solution: Key Management Service – decide on an encryption key management strategy
     • Manage and use keys in AWS Key Management Service (AWS KMS)
     • Use service-provided built-in key management
     • Use your own key management system
     • Manage and use keys in AWS CloudHSM
  27. Key Management Service features added in 2016
     • Bring your own keys to AWS Key Management Service using the KMS import key feature
     • AWS Encryption SDK
  28. Automated Reasoning: constraint-based monitoring
  29. AWS Solution: Constraint-Based Monitoring – a tool for static analysis of Amazon EC2/VPC networks
  30. AWS Solution: Constraint-Based Monitoring
     • Making undecidable problems feel decidable in practice
     • Abstraction to finite/tractable problems
     • Counterexample-guided abstraction refinement
     • Interpolation for guessing inductive invariants
     To learn more, please reference Byron Cook’s session, which we’ll be posting online next week: SEC401 – Automated Formal Reasoning About AWS Systems
  31. Speed of Security: go big with instances
  32. X1 instances
  33. P2 instances
  34. Agenda
     • AWS compliance program – updates
     • How Johnson & Johnson thinks about automation
     • Security tool enhancements in 2016
     • How AWS handles security at scale
     • What’s coming at re:Invent 2016?
  35. AWS Security – 2016 Pace of Innovation
     • Reviewed 2,233 services and features in the last year
     • 319 compliance programs in scope across 40+ services
     • 5,769 overall security reviews YTD
  36. How AWS handles security at scale
     • We operate over 2,400 controls, but multiply that by the 64 services we have, over a period of 6 months, and that may be 30 million instances of control performance
     • We collect terabytes and terabytes of logs on our own data
  37. Detecting anomalies through AWS CloudTrail logs
     • AWS CloudTrail logs are a treasure trove of information – examples: event type, source IP, principal/AKID, MFA used
     • Use the data to rapidly detect and respond to threats: “walking” credentials, compromised accounts, other malicious behavior
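The CloudTrail fields the slide lists (event type, source IP, principal/AKID, MFA used) are enough to express the three detections it names, and the S3 data events of slide 11 arrive as ordinary CloudTrail records, so one analysis pass covers both slides. The following is an added example and not code from AWS or from this talk; it assumes the public CloudTrail JSON record layout, and the thresholds, bucket name and sample records are constructed for illustration.

```python
"""Anomaly checks over AWS CloudTrail records (added example, not AWS code).

Assumptions not taken from the slides: records follow the public CloudTrail
JSON record layout (eventTime, eventSource, eventName, sourceIPAddress,
userIdentity, additionalEventData, requestParameters); the thresholds and
the sample records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data): a console login without
# MFA, one access key used from three source IPs within a few minutes, and
# an S3 data event (GetObject) of the kind CloudTrail can deliver for buckets.
SAMPLE_RECORDS = [
    {"eventTime": "2016-11-15T09:50:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2016-11-15T09:51:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2016-11-15T09:53:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2016-11-15T09:58:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"bucketName": "example-sensitive-bucket",
                           "key": "export.csv"}},
    {"eventTime": "2016-11-15T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.11",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def console_logins_without_mfa(records):
    """Return user names that logged in to the console without MFA."""
    return [r["userIdentity"].get("userName", "?")
            for r in records
            if r["eventName"] == "ConsoleLogin"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def walking_access_keys(records, window=timedelta(minutes=10), min_ips=3):
    """Find access keys used from >= min_ips distinct source IPs within window.

    A long-lived key that 'walks' between unrelated networks within minutes
    is a common sign it has been copied. Returns {accessKeyId: sorted IPs}.
    """
    seen = defaultdict(list)
    for r in records:
        akid = r["userIdentity"].get("accessKeyId")
        if akid:
            seen[akid].append((parse_time(r["eventTime"]), r["sourceIPAddress"]))
    findings = {}
    for akid, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for t, ip in events[i:] if t - start <= window}
            if len(ips) >= min_ips:
                findings[akid] = sorted(ips)
                break
    return findings


def sensitive_bucket_reads(records, watched_buckets):
    """Pick out S3 GetObject data events against buckets on a watch list."""
    hits = []
    for r in records:
        if r["eventSource"] != "s3.amazonaws.com" or r["eventName"] != "GetObject":
            continue
        params = r.get("requestParameters", {})
        if params.get("bucketName") in watched_buckets:
            who = r["userIdentity"].get("accessKeyId") or r["userIdentity"].get("userName")
            hits.append((who, params["bucketName"], params.get("key")))
    return hits


def triage_cloudtrail(records, watched_buckets=frozenset({"example-sensitive-bucket"})):
    """Run all checks and return one summary dict, e.g. as input to autoticketing."""
    return {
        "console_login_no_mfa": console_logins_without_mfa(records),
        "walking_keys": walking_access_keys(records),
        "watched_bucket_reads": sensitive_bucket_reads(records, watched_buckets),
    }


if __name__ == "__main__":
    for check, result in triage_cloudtrail(SAMPLE_RECORDS).items():
        print(f"{check}: {result}")
```

The window and IP-count thresholds are deliberately parameters: a key used by an autoscaling fleet legitimately appears from many addresses, so the numbers have to be tuned per principal before a finding is accurate enough to feed the autoticketing pipeline described a few slides on.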
  38. Collecting raw NetFlow-like logs in AWS – Scenario: you purchased a company running on EC2, and you've been asked, "Tell us of any known suspicious activity or activity indicating possible compromise for the main web server"
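The scenario on this slide is answered from flow records alone, so here is an added example, not code from AWS or from the talk, that triages VPC Flow Log lines for a single web server. It assumes the "NetFlow-like logs" are VPC Flow Logs in the default space-separated format; the server address, the allowed ports, the internal prefix and the sample lines are all constructed.

```python
"""Triage of VPC Flow Log records for one web server (added example, not AWS
code).  Assumed default field order: version account-id interface-id srcaddr
dstaddr srcport dstport protocol packets bytes start end action log-status.
Server address, allowed ports, internal prefix and sample lines are constructed.
"""
import ipaddress
from collections import defaultdict

WEB_SERVER = "10.0.1.20"                        # constructed: the main web server
ALLOWED_INBOUND_PORTS = {80, 443}               # what a plain web server should accept
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed internal address range
TCP = 6

# Constructed sample flow log lines (not real traffic).
SAMPLE_LINES = """\
2 123456789012 eni-0abc12345 203.0.113.5 10.0.1.20 51234 443 6 12 3400 1479203400 1479203460 ACCEPT OK
2 123456789012 eni-0abc12345 203.0.113.6 10.0.1.20 40022 80 6 8 1200 1479203400 1479203460 ACCEPT OK
2 123456789012 eni-0abc12345 198.51.100.77 10.0.1.20 55100 22 6 30 5200 1479203400 1479203460 ACCEPT OK
2 123456789012 eni-0abc12345 198.51.100.99 10.0.1.20 44001 23 6 1 40 1479203400 1479203460 REJECT OK
2 123456789012 eni-0abc12345 198.51.100.99 10.0.1.20 44002 3389 6 1 40 1479203400 1479203460 REJECT OK
2 123456789012 eni-0abc12345 198.51.100.99 10.0.1.20 44003 8080 6 1 40 1479203400 1479203460 REJECT OK
2 123456789012 eni-0abc12345 198.51.100.99 10.0.1.20 44004 445 6 1 40 1479203400 1479203460 REJECT OK
2 123456789012 eni-0abc12345 10.0.1.20 203.0.113.9 49152 4444 6 200 81000 1479203400 1479203460 ACCEPT OK
2 123456789012 eni-0abc12345 10.0.1.20 10.0.1.50 49153 3306 6 40 9000 1479203400 1479203460 ACCEPT OK
""".splitlines()

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_log(line):
    """One default-format line -> dict, or None for NODATA/SKIPDATA records,
    which carry '-' instead of addresses and ports."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[3] == "-":
        return None
    rec = dict(zip(FIELDS, parts))
    for f in INT_FIELDS:
        rec[f] = int(rec[f])
    return rec


def parse_lines(lines):
    return [r for r in (parse_flow_log(l) for l in lines) if r]


def unexpected_inbound_accepts(records, server=WEB_SERVER, allowed=ALLOWED_INBOUND_PORTS):
    """ACCEPTed inbound TCP flows to ports a web server should not expose."""
    return sorted({(r["srcaddr"], r["dstport"]) for r in records
                   if r["dstaddr"] == server and r["action"] == "ACCEPT"
                   and r["protocol"] == TCP and r["dstport"] not in allowed})


def probing_sources(records, server=WEB_SERVER, min_ports=3):
    """Sources whose attempts to >= min_ports distinct ports were REJECTed:
    they are testing the security group rather than using the web service."""
    rejected = defaultdict(set)
    for r in records:
        if r["dstaddr"] == server and r["action"] == "REJECT":
            rejected[r["srcaddr"]].add(r["dstport"])
    return {src: len(ports) for src, ports in rejected.items() if len(ports) >= min_ports}


def outbound_to_external(records, server=WEB_SERVER, internal=INTERNAL):
    """Flows the web server itself opened to addresses outside the internal
    range; a static web tier rarely needs these, so each one deserves a look."""
    return sorted({(r["dstaddr"], r["dstport"]) for r in records
                   if r["srcaddr"] == server and r["action"] == "ACCEPT"
                   and ipaddress.ip_address(r["dstaddr"]) not in internal})


def triage_flow_logs(lines):
    records = parse_lines(lines)
    return {
        "unexpected_inbound_accepts": unexpected_inbound_accepts(records),
        "probing_sources": probing_sources(records),
        "outbound_to_external": outbound_to_external(records),
    }


if __name__ == "__main__":
    for name, finding in triage_flow_logs(SAMPLE_LINES).items():
        print(f"{name}: {finding}")
```

Flow logs only show that a connection was accepted, not what happened inside it, so the output is a prioritized list of flows to check against host logs and CloudTrail, not a verdict on compromise.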
  39. Autoticketing
     • Find and close gaps in security monitoring
     • Be highly accurate and actionable
     • Deliver results with low latency
  40. How AWS handles security at scale (architecture diagram; components shown: work generator, Corp S3, results processor, SNS, Lambda (async), scan target, Lambda (sync))
  41. Change Management
     • Problem: controlled automated deployment and validation of daily deployments
     • Our response: automated auditable deployment and validation environment
     • How we use it: auditor validation of our preventative and detective change management controls
     • Benefit: all changes to the environment are controlled and documented
  42. Change Management (diagram, steps 1 to 5)
  43. Change Management – QA & Code Review (diagram, steps 1 to 6)
  44. Change Management – flagged deployment: Deployment ID: 47365690; Deployer: johndoe@; Deployment Time: 09:56:23 11/15/2016; Flag reason: Approval was not documented in the change ticket
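The flag on slide 44 is the output of a detective control: every deployment is matched against its change ticket after the fact. The following is an added example, not AWS's tooling, of what such a check looks like. It assumes deployments and tickets are plain dicts with the fields shown, uses the slide's timestamp layout, and adds two illustrative checks beyond the one the slide shows (deployment inside the approved window, and approver different from deployer, which is the "segregation of responsibilities" principle from slide 20).

```python
"""Detective change-management check (added example, not AWS code).

Assumptions not from the slides: deployment and change-ticket records are
plain dicts with the fields below; timestamps use the slide's
'HH:MM:SS MM/DD/YYYY' layout; the window and self-approval checks are
illustrative additions to the single flag reason the slide shows.
"""
from datetime import datetime

NO_APPROVAL = "Approval was not documented in the change ticket"  # wording from the slide
NO_TICKET = "No change ticket referenced"
OUTSIDE_WINDOW = "Deployment time is outside the approved change window"
SELF_APPROVED = "Approver is the same person as the deployer"


def parse_ts(value):
    return datetime.strptime(value, "%H:%M:%S %m/%d/%Y")


# Constructed change tickets (not real data).
TICKETS = {
    "CHG-1001": {"approver": None, "approved_at": None,
                 "window_start": "09:00:00 11/15/2016", "window_end": "12:00:00 11/15/2016"},
    "CHG-1002": {"approver": "janedoe@", "approved_at": "08:30:00 11/15/2016",
                 "window_start": "09:00:00 11/15/2016", "window_end": "12:00:00 11/15/2016"},
    "CHG-1003": {"approver": "samsmith@", "approved_at": "08:45:00 11/15/2016",
                 "window_start": "09:00:00 11/15/2016", "window_end": "12:00:00 11/15/2016"},
}

# Constructed deployment log; the first entry mirrors the slide's flagged example.
DEPLOYMENTS = [
    {"id": "47365690", "deployer": "johndoe@", "time": "09:56:23 11/15/2016", "ticket": "CHG-1001"},
    {"id": "47365691", "deployer": "johndoe@", "time": "10:15:00 11/15/2016", "ticket": "CHG-1002"},
    {"id": "47365692", "deployer": "samsmith@", "time": "13:05:00 11/15/2016", "ticket": "CHG-1003"},
    {"id": "47365693", "deployer": "johndoe@", "time": "10:20:00 11/15/2016", "ticket": None},
]


def validate_deployment(deployment, tickets):
    """Return the list of flag reasons for one deployment (empty if clean)."""
    ticket = tickets.get(deployment["ticket"]) if deployment["ticket"] else None
    if ticket is None:
        return [NO_TICKET]
    reasons = []
    deployed_at = parse_ts(deployment["time"])
    # An approval only counts if it is recorded and precedes the deployment.
    if (not ticket["approver"] or not ticket["approved_at"]
            or parse_ts(ticket["approved_at"]) > deployed_at):
        reasons.append(NO_APPROVAL)
    if not parse_ts(ticket["window_start"]) <= deployed_at <= parse_ts(ticket["window_end"]):
        reasons.append(OUTSIDE_WINDOW)
    # Segregation of responsibilities: nobody approves their own deployment.
    if ticket["approver"] and ticket["approver"] == deployment["deployer"]:
        reasons.append(SELF_APPROVED)
    return reasons


def flag_deployments(deployments, tickets):
    """Map deployment id -> reasons, keeping only deployments that need review."""
    flagged = {}
    for d in deployments:
        reasons = validate_deployment(d, tickets)
        if reasons:
            flagged[d["id"]] = reasons
    return flagged


def format_flag(deployment, reasons):
    """Render a flag record in the layout the slide shows."""
    return (f"Flagged Deployment ID: {deployment['id']}\n"
            f"Deployer: {deployment['deployer']}\n"
            f"Deployment Time: {deployment['time']}\n"
            f"Flag reason: {'; '.join(reasons)}")


if __name__ == "__main__":
    by_id = {d["id"]: d for d in DEPLOYMENTS}
    for dep_id, reasons in flag_deployments(DEPLOYMENTS, TICKETS).items():
        print(format_flag(by_id[dep_id], reasons), end="\n\n")
```

Because the check runs on records rather than on people, its output is itself evidence: the same flagged list can be handed to an auditor as proof that the preventative and detective controls on slide 41 were exercised on every deployment.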
  45. Agenda
     • AWS compliance program – updates
     • How Johnson & Johnson thinks about automation
     • Security tool enhancements in 2016
     • How AWS handles security at scale
     • What’s coming at re:Invent 2016?
  46. AWS Security – re:Invent 2016 Preparation
     • Reviewed and tested 91 service and feature launches for re:Invent 2016
     • Leading into re:Invent 2016 (Sept–Nov 2016), AWS Security completed 139 pen-tests (equaling 2,357 person days)
  47. What’s Coming in the Next Few Days?
  48. The Future …
     • Recurrent neural networks
     • Using the cloud to secure the cloud
     • New regions in: UK (London); Canada (Montreal); France (Paris); China (Ningxia)
  49. Evolution: “Today's ‘cloud-first’ strategy is already moving toward ‘cloud-only’” - IDC, “Industry Predictions for 2017”
  50. Additional Resources
     • https://aws.amazon.com/security/
     • https://aws.amazon.com/compliance/
     • https://aws.amazon.com/blogs/security/
  51. Thank you!
