AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013



Security must be the number one priority for any cloud provider and that's no different for AWS. Stephen Schmidt, vice president and chief information officer for AWS, will share his insights into cloud security and how AWS meets the needs of today's IT security challenges. Stephen, with his background with the FBI and his work with AWS customers in the government and space exploration, research, and financial services organizations, shares an industry perspective that's unique and invaluable for today's IT decision makers. At the conclusion of this session, Stephen also provides a brief summary of the other sessions available to you in the security track.



  1. AWS Security. Stephen E. Schmidt, Chief Information Security Officer. November 13, 2013. © 2013, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of, Inc.
  2. Different customer viewpoints on security: • CEO: protect shareholder value • PR exec: keep out of the news • CI{S}O: preserve the confidentiality, integrity and availability of data
  3. AWS Viewpoint on Security: Art / Science
  4. Security is Our No. 1 Priority. Comprehensive security capabilities to support virtually any workload.
  5. AWS Cloud Security. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.” – Tom Soderstrom, CTO, NASA JPL
  6. AWS Security Offers Customers More: Visibility, Auditability, Control
  7. Visibility – In the AWS cloud, see your entire infrastructure at the click of a mouse – Can you map your current network?
  8. AWS Security Delivers More Auditability • Consistent, regular, exhaustive 3rd-party evaluations with commonly understood results
  9. Introducing AWS CloudTrail. You are making API calls... on a growing set of services around the world… CloudTrail is continuously recording API calls… and delivering log files to you.
  10. Use cases enabled by CloudTrail • Security Analysis – Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns. • Track Changes to AWS Resources – Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes. • Troubleshoot Operational Issues – Quickly identify the most recent changes made to resources in your environment. • Compliance Aid – Easier to demonstrate compliance with internal policies and regulatory standards.
  11. What is AWS CloudTrail? • CloudTrail records API calls in your account and delivers a log file to your S3 bucket. • Typically delivers an event within 15 minutes of the API call. • Log files are delivered approximately every 5 minutes. • Multiple partners offer integrated solutions to analyze log files. Image source: Jeff Barr
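As an added example (not from the talk or from AWS), here is a small Python scanner over a constructed CloudTrail log file in the shape CloudTrail delivers to S3 (a JSON object with a `Records` array, gzip-compressed on delivery). It flags the kinds of events the "security analysis" and "track changes" use cases on slide 10 call for: root-account use, console sign-in without MFA, changes to the trail itself, and security-group ingress opened to 0.0.0.0/0. The group id, addresses and user names in the sample are placeholders.

```python
import gzip
import json

# Constructed sample in the shape CloudTrail delivers to S3 (a JSON object with a
# "Records" array). Group id and IP addresses are placeholders, not real values.
SAMPLE_TRAIL = {"Records": [
    {"eventID": "e1", "eventTime": "2013-11-13T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-PLACEHOLDER", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventID": "e2", "eventTime": "2013-11-13T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventTime": "2013-11-13T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventID": "e4", "eventTime": "2013-11-13T10:09:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]}

def load_trail_file(path):
    """Read one delivered log file (gzip-compressed JSON) and return its records."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]

def world_open_rules(rec):
    """Yield (protocol, fromPort, toPort) for ingress rules in this event open to 0.0.0.0/0."""
    items = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in items:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                yield perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")

def scan_records(records):
    """Return (eventID, finding) pairs for the events an analyst should look at first."""
    findings = []
    for rec in records:
        ident, name = rec.get("userIdentity", {}), rec.get("eventName")
        if ident.get("type") == "Root":
            findings.append((rec["eventID"], "root account used"))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append((rec["eventID"], "console login without MFA"))
        if name in ("StopLogging", "DeleteTrail", "UpdateTrail"):
            findings.append((rec["eventID"], "trail configuration changed: " + name))
        for proto, lo, hi in world_open_rules(rec):
            findings.append((rec["eventID"], f"security group opened {proto} {lo}-{hi} to 0.0.0.0/0"))
    return findings
```

Run `scan_records(load_trail_file(path))` on a real delivered file; the benign `DescribeInstances` call in the sample produces no finding, the other three events do.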
  12. Visibility • Logs == one component of visibility – Obtain – Retain – Analyze
  13. Sumo Logic • Enterprise-class log management & analytics – Availability and performance – Security and compliance – User and application analytics • Sumo Logic Application for AWS CloudTrail – Real-time security monitoring and alerting – Compliance auditing – Operational visibility and cost
  14. • Come see us @ booth #117 • CTO, Christian Beedgen – Wednesday: 3:00 PM - 4:00 PM – San Polo 3501A
  15. Control • Defense in Depth – Multi-level security: • Physical security of the data centers • Network security • System security • Data security
  16. AWS Security Delivers More Control & Granularity: customize the implementation based on your business needs. AWS IAM – Defense in depth – Rapid scale for security – Amazon VPC – Automated checks with AWS Trusted Advisor – Fine-grained access controls – AWS Storage Gateway – Server-side encryption – Multi-factor authentication – AWS Direct Connect – Dedicated instances – Direct connection, Storage Gateway – AWS CloudHSM – HSM-based key storage
  17. Control • SSO Federation using SAML – Support for SAML 2.0 – Use existing SAML identity providers to access AWS resources • You don’t have to add additional software! – AWS Management Console SSO • New sign-in URL –<yourdatahere> – API federation using new assumeRoleWithSAML API
  18. Amazon DynamoDB Fine-Grained Access Control • Directly and securely access application data in Amazon DynamoDB • Specify access permissions at table, item and attribute levels • With Web Identity Federation, completely remove the need for proxy servers to perform authorization
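To make slide 18 concrete, here is an added Python example (not from the talk or from AWS) of a role policy in the shape DynamoDB fine-grained access control uses with web identity federation, together with a deliberately simplified model of how the `ForAllValues:StringEquals` and `StringEqualsIfExists` conditions decide a request. The account id, table, attribute names and user ids are placeholders, and the evaluator illustrates the semantics rather than reproducing IAM's own engine.

```python
# Constructed role policy in the shape used for DynamoDB fine-grained access control:
# the federated user's id is substituted into ${www.amazon.com:user_id}, so each caller
# can only touch items whose partition key is their own id, and only the listed attributes.
FGAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": "arn:aws:dynamodb:us-east-1:ACCOUNT_PLACEHOLDER:table/GameScores",
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
                "dynamodb:Attributes": ["UserId", "GameTitle", "TopScore"]},
            "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}}}]}

def resolve_vars(value, context):
    """Substitute policy variables such as ${www.amazon.com:user_id} from the caller's context."""
    for var, val in context.items():
        value = value.replace("${" + var + "}", val)
    return value

def evaluate(policy, context, request):
    """Simplified model of the decision (not IAM itself): allow only if some Allow
    statement matches the action and resource and all of its conditions hold."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or request["action"] not in stmt["Action"]:
            continue
        if request["resource"] != stmt["Resource"]:
            continue
        ok = True
        cond = stmt.get("Condition", {})
        for key, allowed in cond.get("ForAllValues:StringEquals", {}).items():
            allowed = {resolve_vars(a, context) for a in allowed}
            # ForAllValues: every value the request carries for this key must be allowed
            ok &= set(request["condition"].get(key, [])) <= allowed
        for key, allowed in cond.get("StringEqualsIfExists", {}).items():
            val = request["condition"].get(key)  # passes when the key is absent
            ok &= val is None or val == allowed
        if ok:
            return True
    return False

FEDERATED = {"www.amazon.com:user_id": "amzn1.account.USER-A"}  # constructed session context
TABLE = FGAC_POLICY["Statement"][0]["Resource"]

def query_request(partition_key, attributes):
    """A Query scoped to one partition key, as the mobile app would issue it directly."""
    return {"action": "dynamodb:Query", "resource": TABLE,
            "condition": {"dynamodb:LeadingKeys": [partition_key],
                          "dynamodb:Attributes": attributes,
                          "dynamodb:Select": "SPECIFIC_ATTRIBUTES"}}
```

With this policy the app talks to DynamoDB directly: a query for another user's partition key, for an attribute outside the list, or with `Select` set to return all attributes is denied without any proxy in the path.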
  19. Control • AWS Staff Access – Staff vetting – Staff has no logical access to customer instances – Staff control-plane access limited & monitored • Bastion hosts • Least-privileged model – Zoned data center access • Business needs • Separate PAMS
  20. Control • Shared Responsibility – Let AWS do the heavy lifting – Focus on your business • AWS: facility operations, physical security, physical infrastructure, network infrastructure, virtualization infrastructure, hardware lifecycle management • Customer: choice of guest OS, application configuration options, account management flexibility, security groups, ACLs, identity management
  21. Control • Your data stays where you put it (world map of AWS regions, Australia labelled)
  22. Control • Encryption – Customers choose the solution that’s right for them • Regulatory • Contractual • Best practices – Options: • Automated – AWS manages encryption for the customer • Enabled – customer manages encryption using AWS services • Client-side – customer manages encryption using their own means
  23. Control: AWS CloudHSM • Managed and monitored by AWS, but you control the keys • Increase performance for applications that use HSMs for key storage or encryption • Comply with stringent regulatory and contractual requirements for key protection (diagram: EC2 instance connected to AWS CloudHSM)
  24. AWS IAM: Recent Innovations – Securely control access to AWS services and resources • Delegation – Roles for Amazon EC2 – Cross-account access • Powerful integrated permissions – Resource-level permissions: Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation – Access control policy variables – Policy Simulator – Enhanced IAM support: Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk • Federation – Web Identity Federation – AD and Shibboleth examples – Partner integrations – Case study: Expedia • Strong authentication – MFA-protected API access – Password policies • Enhanced documentation and videos
  25. Authentication Market • Consumers are demanding stronger authentication • Banks want to reduce fraud • Regulators are requiring banks to implement stronger PKI-based authentication
  26. Entersekt’s Transakt Product (architecture diagram: end-to-end, mutually secured channel between the user’s web browser, the bank’s web server behind the bank’s firewall, and the user’s mobile device using Transakt with the Entersekt system; AWS components shown: Availability Zones AZ-USE1a and AZ-USE1d, an Auto Scaling group, CloudHSM, Entersekt Cloud Router, Entersekt Security Gateway)
  27. Why the Cloud? • AWS CloudHSM – We issue X.509 certificates securely from AWS – We augment the entropy generation on the phone – Only Entersekt has access to the keys in CloudHSM – AWS does not • Mobile phone connections fronted by AWS cloud – Mitigates DDoS attacks – Manages large number of persistent connections – Maintains end-to-end encryption between enterprise and phone
  28. Entersekt’s Track Record. Global Top 500 Banking Customer: 2012 – 450 000 users. (Chart: phishing attempts and fraud per day, 30-Jan to 30-Jun, y-axis 0–80, with the Entersekt go-live marked; series: Attempts, Fraud.) “Nedbank sees 99% reduction in phishing losses. Nedbank reports a 99% reduction in phishing losses since launching its internet banking security feature, Approve-it.” Source:
  29. Entersekt in Action
  30. IDC Survey: Attitudes and Perceptions Around Security and Cloud Services. Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations. Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
  31. What to Watch for This Week • Key Sessions to See – SEC201 – Access Control for the Cloud: AWS Identity & Access Management – SEC203 – Security Assurance & Governance in AWS – SEC205 – Cybersecurity Engineers: You’re More Secure in the Cloud! – SEC304 – Encryption & Key Management in AWS – SEC305 – DDOS Resiliency with AWS – SEC402 – Intrusion Detection in the Cloud – CPN401 – A Day in the Life of a Billion Packets
  32. Come talk security with AWS! • When: Thursday 11/14, 4:00-6:00 PM • Where: Toscana 3605, or the AWS Booth – Wednesday 10:30 AM – 5:30 PM – Thursday 10:30 AM – 6:30 PM – Friday 9:00 AM – Noon
  33. We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance.