AWS Security State of the Union - SID326 - re:Invent 2017

Steve Schmidt, chief information security officer of AWS, addresses the current state of security in the cloud, with a particular focus on feature updates, the AWS internal "secret sauce," and what's on horizon in terms of security, identity, and compliance tooling.


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT Security State of the Union. Steve Schmidt, Vice President and Chief Information Security Officer. SID326. November 29, 2017
  2. 3,950 (as of 1 November 2017). Services shown: AWS Direct Connect, AWS Elastic Beanstalk, Schema Conversion Tool, AWS Shield, Amazon EFS, Amazon WorkSpaces, Amazon Lumberyard, Amazon Pinpoint, AWS IoT, AWS Managed Services, Amazon Route 53, AWS Import/Export, AWS OpsWorks for Chef Automate, Amazon Redshift, DynamoDB, Amazon Polly, AWS Snowball, AWS Organizations, Device Farm, Amazon Config, Amazon RDS for Aurora, WorkDocs, AWS Snowball Edge, CodeCommit, AWS CodePipeline, AWS Service Catalog, CloudWatch Logs, Amazon Lex, AWS Greengrass, Amazon EC2 Systems Manager, AWS WAF, Amazon AppStream 2.0, Amazon Athena, AWS Glue, Amazon Lightsail, Amazon Rekognition, AWS Step Functions, AWS Discovery Services, AWS Certificate Manager, Amazon ElastiCache, Mobile Analytics, AWS Mobile Hub, AWS Storage Gateway, AWS OpsWorks, AWS Batch, Amazon Inspector, EC2 Container Service, Amazon Cognito, AWS CodeDeploy, AWS Personal Health Dashboard, AWS Snowmobile, AWS Lambda, AWS CodeBuild, AWS X-Ray, Amazon QuickSight, Amazon Kinesis Firehose, Amazon WorkMail, Amazon Machine Learning
  3. Cloud security at massive scale… Map of Regions and Availability Zones: N. Virginia, Ohio, N. California, Oregon, Sydney, Seoul, Tokyo, Singapore, Canada, Beijing, Sao Paulo, Mumbai, London, Ireland, Frankfurt, each with between 2 and 6 Availability Zones; new Region coming soon.
  4. …and growing: 17 more Availability Zones and 6 more Regions have been announced in Bahrain, China, France, Hong Kong, Sweden, and a second AWS GovCloud Region in the U.S. The AWS Cloud operates 44 Availability Zones within 16 Geographic Regions.
  5. AWS ecosystem: AWS Snowball has moved over 5 billion objects into Amazon S3. AWS Snowball appliances have traveled a distance equal to circling the world more than 100 times.
  6. The scale of the AWS Cloud: Amazon DynamoDB handles well over a trillion requests per day and served over 56 billion extra requests worldwide on Prime Day compared to the same day the previous week.
  7. At our scale, .00001% faults
  8. Global trust in the AWS Cloud
  9. Global trust in the AWS Cloud. “[AWS allows us] to scale up our experiments and try out our new software on realistic configurations of hundreds or even thousands of computers.” “With AWS, DNAnexus enables enterprises worldwide to perform genomic analysis and clinical studies in a secure and compliant environment at a scale not previously possible.”
  10. Mechanisms to drive security: Buy-in from Leadership! Radically restrict and monitor human access to data; source code security; patching; log retention duration; credential blast radius reduction; credentials lifespan reduction; TLS implementation; AWS encryption everywhere; canaries and invariants for security functionality
  11. Most importantly… humans and data don’t mix!
  12. Introducing: Amazon GuardDuty • Turned on with one click in the AWS console • Integrated threat intelligence from AWS & leading third-party providers
  13. Introducing: Amazon GuardDuty. Per second: 165,000,000 flow log events; 68,000,000 IP reputation lookups
  14. What can Amazon GuardDuty detect? Unusual ports; DNS exfiltration; RDP brute force; temp credentials used off-instance; unusual instance launch; malicious or suspicious IP; unusual traffic volume; connect to blacklisted site; recon; anonymizing proxy; unusual ISP caller; Bitcoin activity; attempt to compromise account; probe API with temp creds; exfiltrate temp IAM creds over DNS; RAT installed
  15. Introducing: Amazon GuardDuty
  16. Introducing: Amazon GuardDuty. “With Amazon GuardDuty, we can view and investigate alerts across AWS accounts and regions. GuardDuty provides detection and correlation for us without all the complexity that it previously entailed.” —Ben Waugh, Security Architect at Twilio
  17. Warner Bros. Vahram Sukyas, Vice President Application Infrastructure & Operations
  18. ENTERTAINING THE WORLD
  19. ENTERTAINING THE WORLD: #1 at the Box Office (domestic box office in 2017, as of October 25, 2017); 85+ TV series across all platforms; 47% increase in consumer products profit (consumer products growth YoY 2015-2016); Leader in Interactive Entertainment (Injustice 2 was the highest grossing game of Q2 2017); thousands of film, TV and video game titles; growing digital networks footprint
  20. MANAGING MASSIVE MEDIA INFRASTRUCTURE: 225+ accounts. Application isolation, security, agility, billing clarity
  21. HOW WE SLEEP AT NIGHT: Supporting a philosophy of independence with isolation and security. Amazon Inspector, Amazon GuardDuty, AWS WAF & AWS Shield, AWS CloudTrail, Amazon VPC Flow Logs. Distributing, enforcing, and auditing security controls in a multi-account model is key to what we do
  22. VULNERABILITY MANAGEMENT WITH AMAZON INSPECTOR: easier set-up; improved control; better distribution of findings; advanced analytics
  23. VULNERABILITY MANAGEMENT WITH AMAZON INSPECTOR: Analytics. Open source code available here: https://github.com/warnerbros/inspector-pipeline (diagram: Inspector findings from many AWS accounts feed the analytics pipeline and a ticketing system)
  24. Amazon GuardDuty
  25. Thank you. Vahram Sukyas, Vice President Application Infrastructure & Operations
  27. AWS CloudFormation for Amazon Inspector (coming next week): 1. Create a template 2. Target 3. Run from AWS CloudFormation
  28. Amazon Cognito security: risk-based multi-factor authentication
  29. New Amazon S3 security tooling: AWS KMS, Amazon S3
  30. New Amazon S3 security tooling
  31. Codename: Zelkova (currently in use in Amazon S3 & Amazon Macie). Zelkova Lambda Engine
  32. Codename: Zelkova
  33. Financial services & AWS. Some of the most highly-regulated financial services companies in the world trust AWS: the largest exchange company in the world, which currently owns and operates 24 markets, three clearing houses and five central securities depositories spanning six continents; one of the largest U.S. banks, offering credit cards, checking and savings accounts, auto loans, rewards, and online banking services; one of the largest investment firms operating around the globe; the country’s only internet bank with a focus on developing and delivering settlement services to its customers; a global provider of independent investment research, products, and services; the regulator of brokerage firms doing business with the public in the United States, a critical part of the securities industry; a leading Canadian financial services organization; a provider of financial services and products to individuals, businesses, and pension plans; an online bank that offers its customers tools to better understand and manage their finances; a leading Australian financial services company.
  35. Investor Protection – Market Integrity • Write and enforce rules governing the activities of 3,800 brokerages with 634,000 brokers • Examine for compliance with those rules • Foster market transparency • Educate investors • FINRA uses Big Data and data science technologies to detect and analyze fraud, market manipulation, and insider trading across US capital markets
  36. FINRA Technology: innovating to protect investors and ensure market integrity. Up to 75 billion events per day; over 25 petabytes of storage; market reconstruction containing trillions of nodes & edges
  37. Need for nimbleness: legacy approach not meeting needs; market volumes are volatile and steadily increasing; exchanges are dynamically evolving; regulatory landscape is changing; market manipulators innovate
  38. Cloud architecture solved our problems: huge capacity; decouple storage and processing; consume processing when needed; manual processes replaced by code
  39. Cloud risk management: private data centers have risk; cloud has equivalent security controls; in fact, for most organizations cloud can be more secure. But… you must do it right
  40. Cloud Security – Do It RIGHT • Easy micro-segmentation • Fine-grained entitlements • Strict separation of duties (SoD) • Automation = consistent compliance • Rich audit trail • Best-of-breed security services (AWS KMS) • Cloud and DevOps = more rapid patching • Resilience and multiple recovery options • Assurance through third-party assessments • Cloud provider must be secure to survive
  41. Thank you! John Brady, Vice President, Chief Information Security Officer
  42. Security ecosystem: 17,000+ video cameras running 24/7; 15,000,000,000+ program executions processed by internal tooling per day
  43. AWS security + open source: bulk encryption with anonymity; Authenticated Encryption with Additional Data (AEAD); formally verified random number generators; formally verified constant-time properties of our code; more fuzz tests!
  44. Security features (in last 90 days): 5 new Amazon S3 encryption and security features • Use Amazon ElastiCache for Redis with in-transit and at-rest encryption • Amazon Cognito now integrates with Amazon Pinpoint to add analytics • AWS CodeBuild now provides ability to manage secrets • Amazon EC2 Systems Manager adds compliance reporting and auto-remediation
  45. AWS and Machine Learning — Amazon Macie. Understand your data: natural language processing (NLP). Understand data access: machine learning
  46. When access to data changes, Amazon Macie tells you
  47. AWS and Machine Learning — Amazon Macie: processing 10,000,000,000+ activity records per day
  48. Amazon Macie now approved for HIPAA workloads
  49. AWS wants to maximize your most valuable resource… your security engineers that understand the vast gray area that is security
  50. Other security sessions today: SID218: Introducing Amazon GuardDuty • 1:45pm (next session up in this room!) SID314: IAM Policy Ninja • 3:15pm @ MGM Premier Ballroom 316 SID330: Best Practices for Implementing Encryption Strategy Using AWS Key Management Service • 4:45pm @ MGM Grand Ballroom 122 Note: All sessions allow for 25% walkups (non-reserved) seating!
  51. Other security sessions Thursday: SID322: The Philosophy of Amazon Security • 1:00pm @ MGM Grand Ballroom 117 SID405: Security Automation Improvements with Amazon CloudWatch and AWS Config • 5:30pm @ MGM Premier Ballroom 312 Note: All sessions allow for 25% walkups (non-reserved) seating!
  52. Notable events: We are Giants: Diversity and Inclusion in Tech, Wednesday at The Encore (Beethoven 1&2): 4:30pm–7:30pm
  53. Thank you!
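Slide 27 announces running Amazon Inspector from AWS CloudFormation in three steps (create a template, define a target, run). The CloudFormation template below is an added illustration of those steps, not code from the talk or from AWS; the tag key/value `Tier=web`, the resource names, the weekly schedule and the rules package ARN (a placeholder, since real rules package ARNs are Region-specific and must be looked up) are all assumptions, and the scheduled run via a CloudWatch Events rule with its own IAM role goes beyond what the slide lists.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Step 2 (target): instances are selected by tag; Tier=web is an assumed tag
  WebTierResourceGroup:
    Type: AWS::Inspector::ResourceGroup
    Properties:
      ResourceGroupTags:
        - Key: Tier
          Value: web
  WebTierTarget:
    Type: AWS::Inspector::AssessmentTarget
    Properties:
      AssessmentTargetName: web-tier-target
      ResourceGroupArn: !GetAtt WebTierResourceGroup.Arn
  # Step 1 (template): which rules package runs against the target and for how long
  WebTierTemplate:
    Type: AWS::Inspector::AssessmentTemplate
    Properties:
      AssessmentTemplateName: web-tier-weekly
      AssessmentTargetArn: !GetAtt WebTierTarget.Arn
      DurationInSeconds: 3600
      RulesPackageArns:
        - arn:aws:inspector:REGION:ACCOUNT:rulespackage/PLACEHOLDER
  # Step 3 (run): a CloudWatch Events schedule starts the assessment run each week
  InspectorRunRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: start-assessment-run
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: inspector:StartAssessmentRun
                Resource: '*'  # Inspector Classic actions take no resource-level scope
  WeeklyScan:
    Type: AWS::Events::Rule
    Properties:
      ScheduleExpression: cron(0 3 ? * MON *)
      Targets:
        - Id: web-tier-inspector
          Arn: !GetAtt WebTierTemplate.Arn
          RoleArn: !GetAtt InspectorRunRole.Arn
```

Findings from each run still land in Inspector; a pipeline like the one on slide 23 would subscribe to them and forward to ticketing.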
