AWS Security Overview - AWS CISO Steve Schmidt - AWS Summit 2012 - NYC
1. AWS: Overview of Security Processes
Stephen Schmidt, Chief Information Security Officer
2. AWS Security Model Overview

Certifications & Accreditations
• Sarbanes-Oxley (SOX) compliance
• ISO 27001 Certification
• PCI DSS Level I Certification
• HIPAA compliant architecture
• SAS 70 (SOC 1) Type II Audit
• FISMA Low & Moderate ATOs
• DIACAP MAC III-Sensitive Systems
  - Pursuing DIACAP MAC II-Sensitive

Shared Responsibility Model
• Customer / SI Partner / ISV controls guest OS-level security, including patching and maintenance
• Application level security, including password and role based access
• Host-based firewalls, including Intrusion Detection/Prevention
• Separation of Access

Physical Security
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)

Management Plane Administrative Access
• Multi-factor, controlled, need-based access to administrative host
• All access logged, monitored, reviewed
• AWS Administrators DO NOT have logical access inside a customer's VMs, including applications and data

VM Security
• Multi-factor access to Amazon Account
• Instance Isolation
  - Customer-controlled firewall at the hypervisor level
  - Neighboring instances prevented access
  - Virtualized disk management layer ensures only account owners can access storage disks (EBS)

Network Security
• Instance firewalls can be configured in security groups; the traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block)
• Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
• Support for SSL end point encryption for API calls
3. Shared Responsibility Model

AWS
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure

Customer
• Operating System
• Application
• Security Groups
• Network ACLs
• Network Configuration
• Account Management
4. AWS Security Resources
• http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
• Latest versions May 2011 and January 2012 respectively
• Regularly updated
• Feedback is welcome
5. AWS Certifications
• Sarbanes-Oxley (SOX)
• ISO 27001 Certification
• Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant
• SAS 70 (SOC 1) Type II Audit
• FISMA A&As
  - Multiple NIST Low Approvals to Operate (ATO)
  - NIST Moderate, GSA issued ATO
  - FedRAMP
• DIACAP MAC III Sensitive ATO
• Customers have deployed various compliant applications such as HIPAA (healthcare)
6. SOC 1 Type II

Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report every six months and maintains a favorable, unbiased and unqualified opinion from its independent auditors. AWS identifies those controls relating to operational performance and security that safeguard customer data. The SOC 1 report audit attests that AWS' control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is on-going and we plan to continue our process of periodic audits.

The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report.

This report is available to customers under NDA.
7. SOC 1 Type II – Control Objectives
• Control Objective 1: Security Organization
• Control Objective 2: Amazon Employee Lifecycle
• Control Objective 3: Logical Security
• Control Objective 4: Secure Data Handling
• Control Objective 5: Physical Security
• Control Objective 6: Environmental Safeguards
• Control Objective 7: Change Management
• Control Objective 8: Data Integrity, Availability and Redundancy
• Control Objective 9: Incident Handling
8. ISO 27001

AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers in all regions worldwide, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). We have established a formal program to maintain the certification.
9. Physical Security
• Amazon has been building large-scale data centers for many years
• Important attributes:
  - Non-descript facilities
  - Robust perimeter controls
  - Strictly controlled physical access
  - 2 or more levels of two-factor auth
• Controlled, need-based access for AWS employees (least privilege)
• All access is logged and reviewed
10. [Map of AWS Regions and AWS Edge Locations]

AWS Regions shown: AWS GovCloud (US ITAR Region), US West (Northern California), US West (Oregon), US East (Northern Virginia), South America (Sao Paulo), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo). The map also marks AWS Edge Locations.
11. AWS Regions and Availability Zones
Customer decides where applications and data reside.
12. AWS Identity and Access Management
• Enables a customer to create multiple Users and manage the permissions for each of these Users.
• Secure by default; new Users have no access to AWS until permissions are explicitly granted.
• AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead, all interactions with AWS Services and resources should be with AWS IAM User security credentials.
• Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
13. AWS MFA Benefits
• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
• Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console
• Adds an extra layer of protection to sensitive information, such as your AWS access identifiers
• Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data
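The two IAM slides above state the rules in prose: a new User can do nothing until a policy grants it, and MFA can be made a condition of access. The following toy evaluator, added here as an illustration and not AWS's own policy engine, makes those rules concrete: wildcard Action and Resource matching, default deny, explicit Deny overriding any Allow, and a Bool/BoolIfExists condition on aws:MultiFactorAuthPresent. The policies, bucket names, ARNs and request contexts are constructed for the example.

```python
"""Toy model of IAM request evaluation: nothing is allowed until a policy grants
it, and a matching Deny always wins. Added illustration, not AWS's evaluation
engine; policies, ARNs and contexts below are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(patterns, value, case_insensitive=False):
    """IAM wildcards: '*' matches any run of characters, '?' a single one.
    Action names are case-insensitive; resource ARNs are not."""
    if case_insensitive:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Bool: the key must be present and equal the expected value.
    BoolIfExists: a missing key also satisfies the condition, which is what
    makes an MFA-required Deny bite for callers whose context carries no MFA
    flag at all (a Deny written with plain Bool silently does not apply)."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Returns 'Allow', 'ExplicitDeny' or 'ImplicitDeny' (the default)."""
    context = context or {}
    decision = "ImplicitDeny"                      # secure by default
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _wildcard_match(stmt["Action"], action, case_insensitive=True):
                continue
            if not _wildcard_match(stmt["Resource"], resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"              # cannot be overridden by any Allow
            decision = "Allow"
    return decision


# Constructed least-privilege policy: read one bucket, nothing else.
READ_REPORTS = {"Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
}]}

# Constructed operator policy plus a guard rail: destructive EC2 calls need MFA.
EC2_OPERATOR = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
REQUIRE_MFA_FOR_DESTRUCTIVE = {"Statement": [{
    "Effect": "Deny",
    "Action": ["ec2:TerminateInstances", "ec2:Delete*"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}]}

if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    print(evaluate([READ_REPORTS], "s3:GetObject", "arn:aws:s3:::example-reports/q1.csv"))
    print(evaluate([EC2_OPERATOR, REQUIRE_MFA_FOR_DESTRUCTIVE],
                   "ec2:TerminateInstances", instance, {}))
    print(evaluate([EC2_OPERATOR, REQUIRE_MFA_FOR_DESTRUCTIVE],
                   "ec2:TerminateInstances", instance, {"aws:MultiFactorAuthPresent": True}))
```

The practical point is in the last two calls: the same TerminateInstances request is denied from a session that never presented MFA and allowed from one that did, and the guard rail keeps working even when the caller's context has no MFA key at all, because the Deny uses BoolIfExists rather than Bool.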
14. Amazon EC2 Security
• Host operating system
  - Individual SSH keyed logins via bastion host for AWS admins
  - All accesses logged and audited
• Guest operating system
  - Customer controlled at root level
  - AWS admins cannot log in
  - Customer-generated keypairs
• Firewall
  - Mandatory inbound instance firewall, default deny mode
  - Outbound instance firewall available in VPC
  - VPC subnet ACLs
• Signed API calls
  - Require X.509 certificate or customer's secret AWS key
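The "signed API calls" bullet is the control that keeps a stolen or relayed EC2 request from being altered. The block below, added as an illustration and not AWS's or any SDK's code, writes out the query-string signing scheme EC2 used at the time of this deck (Signature Version 2: HMAC-SHA256 over method, host, path and the sorted, percent-encoded parameters) together with the server-side check. The access key id, secret key, timestamp and request parameters are constructed for the example.

```python
"""AWS Signature Version 2 (query-string signing) in pure Python, client and
server side. Added illustration, not AWS's or an SDK's code; the key material
and parameters are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY = "AKIAEXAMPLEACCESSKEY"         # constructed, not a real key id
SECRET_KEY = "example-secret-key-not-real"  # constructed


def canonical_query(params):
    """Parameters sorted by name (byte order), each name and value RFC 3986
    encoded (space -> %20, only -_.~ left bare), joined with '&'."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                    for k, v in sorted(params.items()))


def string_to_sign(method, host, path, params):
    """Method, lower-cased host, path and canonical query, newline separated."""
    return "\n".join([method.upper(), host.lower(), path, canonical_query(params)])


def sign(secret, method, host, path, params):
    """Base64 of HMAC-SHA256 over the string to sign (SignatureMethod=HmacSHA256)."""
    mac = hmac.new(secret.encode(), string_to_sign(method, host, path, params).encode(),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_request(action, host="ec2.amazonaws.com", path="/", method="GET",
                  timestamp="2012-04-19T14:30:00Z", **action_params):
    """Client side: assemble the parameter set and attach Signature.
    The timestamp is constructed; a real client uses the current UTC time."""
    params = {"Action": action, "AWSAccessKeyId": ACCESS_KEY,
              "SignatureMethod": "HmacSHA256", "SignatureVersion": "2",
              "Timestamp": timestamp, **action_params}
    params["Signature"] = sign(SECRET_KEY, method, host, path, params)
    return params


def verify(params, host="ec2.amazonaws.com", path="/", method="GET", secret=SECRET_KEY):
    """Server side: recompute over everything except Signature and compare in
    constant time. Any change to host, path, method or a parameter fails."""
    presented = params.get("Signature")
    if presented is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    return hmac.compare_digest(sign(secret, method, host, path, unsigned), presented)


if __name__ == "__main__":
    request = build_request("DescribeInstances")
    print(string_to_sign("GET", "ec2.amazonaws.com", "/",
                         {k: v for k, v in request.items() if k != "Signature"}))
    print("valid:", verify(request))
    forged = dict(request, Action="TerminateInstances")
    print("tampered action valid:", verify(forged))
```

Two properties are worth checking by hand: the order in which the client happens to send the parameters does not matter, because both sides canonicalize before hashing, and changing the host does invalidate the signature, which is what stops a request captured for one endpoint from being replayed against another. The Timestamp is covered by the signature, so replay protection depends on the server enforcing an acceptance window around it.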
15. Amazon EC2 Instance Isolation

[Diagram] Customer 1, Customer 2 ... Customer n each run above the hypervisor on their own virtual interfaces; each customer's traffic passes through its own Security Groups and the firewall before reaching the physical interfaces.
16. Virtual Memory & Local Disk

[Diagram] Amazon EC2 instances with an encrypted file system and an encrypted swap file.
• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an added layer of security
17. Network Security Considerations
• DDoS (Distributed Denial of Service):
  - Standard mitigation techniques in effect
• MITM (Man in the Middle):
  - All endpoints protected by SSL
  - Fresh EC2 host keys generated at boot
• IP Spoofing:
  - Prohibited at host OS level
• Unauthorized Port Scanning:
  - Violation of AWS TOS
  - Detected, stopped, and blocked
  - Ineffective anyway since inbound ports blocked by default
• Packet Sniffing:
  - Promiscuous mode is ineffective
  - Protection at hypervisor level
18. Amazon Virtual Private Cloud (VPC)
• Create a logically isolated environment in Amazon's highly scalable infrastructure
• Specify your private IP address range into one or more public or private subnets
• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
• Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
• Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
• Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect
• Use a wizard to easily create your VPC in 4 different topologies
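Slides 14, 17 and 18 describe the two packet filters a VPC instance sits behind without showing how they differ in practice. The model below, added as an illustration and not AWS code, implements both as the slides describe them: a security group is a stateful allow-list that is default-deny inbound and admits return traffic automatically, while a network ACL is stateless, evaluates numbered rules in order with first match winning, and ends in an implicit deny. It then runs one SSH session through them to show the mistake practitioners make most often, a NACL that permits the inbound connection but has no outbound rule for the ephemeral-port replies. Addresses, ports and rule sets are constructed.

```python
"""Model of EC2 security groups (stateful) and VPC network ACLs (stateless).
Added illustration, not AWS code; addresses, ports and rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The packet the peer sends back on the same connection."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int         # destination port range, as entered in the console
    port_to: int
    cidr: str              # remote range: source for inbound, destination for outbound
    action: str = "allow"  # network ACLs may also carry "deny"; security groups are allow-only

    def matches(self, pkt, remote):
        return (self.proto in ("-1", pkt.proto)
                and self.port_from <= pkt.dport <= self.port_to
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr))


def _remote(pkt, direction):
    return pkt.src if direction == "in" else pkt.dst


class SecurityGroup:
    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.flows = set()          # connections already admitted: the "state"

    def allows(self, pkt, direction):
        if pkt.reply() in self.flows:       # reverse direction of an admitted flow
            return True
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(pkt, _remote(pkt, direction)) for r in rules):
            self.flows.add(pkt)
            return True
        return False                        # no matching rule: default deny


class NetworkAcl:
    def __init__(self, inbound=(), outbound=()):
        # (rule_number, Rule) pairs, evaluated in ascending order, first match wins
        self.inbound = sorted(inbound, key=lambda nr: nr[0])
        self.outbound = sorted(outbound, key=lambda nr: nr[0])

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        for _, rule in rules:
            if rule.matches(pkt, _remote(pkt, direction)):
                return rule.action == "allow"
        return False                        # the implicit final "*" rule denies


ADMIN_CIDR = "203.0.113.0/24"                            # constructed admin network
SSH_FROM_ADMINS = Rule("tcp", 22, 22, ADMIN_CIDR)
EPHEMERAL_OUT = Rule("tcp", 1024, 65535, "0.0.0.0/0")   # replies to inbound connections

# Network ACL that forgets the stateless return path, and the corrected one.
NACL_MISSING_RETURN = NetworkAcl(inbound=[(100, SSH_FROM_ADMINS)])
NACL_FIXED = NetworkAcl(inbound=[(100, SSH_FROM_ADMINS)],
                        outbound=[(100, EPHEMERAL_OUT)])


def ssh_session(nacl, client="203.0.113.5"):
    """(request admitted, reply admitted) for an SSH connection from `client`
    to instance 10.0.1.10, whose security group allows SSH from ADMIN_CIDR only
    and has no outbound rules at all."""
    sg = SecurityGroup(inbound=[SSH_FROM_ADMINS])
    req = Packet(client, 51000, "10.0.1.10", 22)
    req_ok = nacl.allows(req, "in") and sg.allows(req, "in")
    rep_ok = req_ok and sg.allows(req.reply(), "out") and nacl.allows(req.reply(), "out")
    return req_ok, rep_ok


if __name__ == "__main__":
    print("NACL without return rule:", ssh_session(NACL_MISSING_RETURN))
    print("NACL with return rule:   ", ssh_session(NACL_FIXED))
    print("scanner outside admins:  ", ssh_session(NACL_FIXED, client="198.51.100.7"))
```

With the corrected NACL the SYN and its reply both pass; with the incomplete one the SYN is admitted by both filters and the reply is passed by the security group on state alone, then dropped by the NACL, which is exactly the half-open connection you see when a subnet ACL has been tightened without an ephemeral-port outbound rule. The third call shows the slide 17 point that a port scan from outside the permitted range never reaches the instance.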
19. Amazon VPC Architecture

[Diagram] The customer's isolated AWS resources (subnets, NAT, Internet router and VPN gateway) sit inside the Amazon Web Services cloud; the customer's network reaches them over a secure VPN connection across the Internet and/or AWS Direct Connect (dedicated path/bandwidth).
20. Amazon VPC Network Security Controls (diagram only)
21. Amazon VPC - Dedicated Instances
• New option to ensure physical hosts are not shared with other customers
• $10/hr flat fee per Region + small hourly charge
• Can identify specific Instances as dedicated
• Optionally configure entire VPC as dedicated
22. AWS Deployment Models

| Deployment model | Logical server and application isolation | Granular information access policy | Logical network isolation | Physical server isolation | Physical network and facility isolation | Government only (US persons only) | ITAR compliant | Sample workloads |
|---|---|---|---|---|---|---|---|---|
| Commercial Cloud | ✓ | ✓ | | | | | | Public facing apps, web sites, dev/test etc. |
| Virtual Private Cloud (VPC) | ✓ | ✓ | ✓ | ✓ | | | | Data center extension, TIC environment, email, FISMA Low and Moderate |
| AWS GovCloud (US) | ✓ | ✓ | ✓ | ✓ | | ✓ | ✓ | US Persons compliant and government specific apps |
23. Thanks! Remember to visit https://aws.amazon.com/security