AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security with AWS, Co-Presented with Trend Micro


We’ve entered a new connectivity oriented world where we can access information any time, any place, on any device, 24 hours a day, and cloud computing is a major enabler of this flexibility. Like you, more and more businesses are looking to the cloud for better, faster, more powerful and affordable communications and while many would think that security in the cloud is much different, the reality is less dramatic. Moving to the cloud still requires using proven security techniques, but sometimes in new and dynamic ways that adapt to the elastic nature of cloud architecture. Join us as we discuss the latest cloud security solutions, including real world examples of how organizations like yours are succeeding against new and evolving threats. We will examine security considerations beyond what is provided by security-conscious cloud providers like Amazon Web Services and what additional factors you might want to think about when deploying to the cloud.


  1. Security & Compliance – Bill Murray, Manager, AWS Security Programs, July 18, 2013
  2. Cloud Security Is…
  3. Universal Cloud Security
  4. Visible Cloud Security – This Or This?
  5. Auditable Cloud Security
  6. Transparent Cloud Security
  7. Security & Compliance Control Objectives
     • Control Objective 1: Security Organization
       – Who we are
       – Proper control & access within the organization
     • Control Objective 2: Amazon User Access
       – How we vet our staff
       – Minimization of access
  8. Security & Compliance Control Objectives
     • Control Objective 3: Logical Security
       – Our staff start with no systems access
       – Need-based access grants
       – Rigorous systems separation
       – Systems access grants regularly re-evaluated & automatically revoked
  9. Security & Compliance Control Objectives
     • Control Objective 4: Secure Data Handling
       – Storage media destroyed before being permitted outside our datacenters
       – Media destruction consistent with US Dept. of Defense Directive 5220.22
     • Control Objective 5: Physical Security and Environmental Safeguards
       – Keeping our facilities safe
       – Maintaining the physical operating parameters of our datacenters
  10. Security & Compliance Control Objectives
     • Control Objective 6: Change Management
       – Continuous Operation
     • Control Objective 7: Data Integrity, Availability and Redundancy
       – Ensuring your data remains safe, intact & available
     • Control Objective 8: Incident Handling
       – Processes & procedures for mitigating and managing potential issues
  11. Shared Responsibility
  12. Facilities & Physical Security
  13. Physical Security (map of Regions and their Availability Zones)
     • Asia Pacific (Tokyo): Availability Zones A, B, C
     • EU (Ireland): Availability Zones A, B, C
     • South America (Sao Paulo): Availability Zones A, B
     • Asia Pacific (Sydney): Availability Zones A, B
     • GovCloud (OR): Availability Zones A, B
     • US East (VA): Availability Zones A, B, C, D
     • US West (CA): Availability Zones A, B
     • Asia Pacific (Singapore): Availability Zones A, B
     • US West (OR): Availability Zones A, B, C
  14. Network Security
  15. Amazon EC2 Security
     • Host operating system
       – Individual SSH keyed logins via bastion host for AWS admins
       – All accesses logged and audited
     • Guest operating system
       – Customer controlled at root level
       – AWS admins cannot log in
       – Customer-generated keypairs
     • Stateful firewall
       – Mandatory inbound firewall, default deny mode
     • Signed API calls
       – Require X.509 certificate or customer’s secret AWS key
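Slide 15 says that API calls must be signed with the customer’s secret AWS key. The Python below is an added illustration, not code from the presentation or from any AWS SDK, of how such a signature is produced by the client and checked by the service using Signature Version 4 (an assumption: the 2013 slide does not name a signature version). It uses the placeholder credentials from AWS documentation and a constructed EC2 DescribeInstances request against the Singapore endpoint. The defender’s point: the secret itself never travels with the request, and the signature is bound to the date, region, service, headers and body hash, so changing any of them (here, the Action) invalidates it.

```python
import hashlib
import hmac
from urllib.parse import quote

# Placeholder credentials from AWS documentation (not real keys); the request below is constructed.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key; the raw secret is never used directly."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload: bytes):
    """Normalise the request so that client and server hash exactly the same bytes."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    lowered = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    creq = "\n".join([method, path, canon_query, canon_headers, signed_headers, sha256_hex(payload)])
    return creq, signed_headers


def sign_request(method, host, path, query, payload, region, service, amz_date, access_key, secret):
    """Client side: return the headers that carry the signature."""
    headers = {"host": host, "x-amz-date": amz_date}
    date_stamp = amz_date[:8]
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(
        signing_key(secret, date_stamp, region, service), string_to_sign.encode("utf-8"), hashlib.sha256
    ).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def verify_request(method, host, path, query, payload, headers, secret_lookup) -> bool:
    """Server side: rebuild the signature from the stored secret and compare in constant time."""
    auth = headers["Authorization"]
    fields = dict(p.strip().split("=", 1) for p in auth[len("AWS4-HMAC-SHA256 "):].split(","))
    access_key, _date, region, service, _term = fields["Credential"].split("/")
    expected = sign_request(
        method, host, path, query, payload, region, service,
        headers["x-amz-date"], access_key, secret_lookup(access_key),
    )
    return hmac.compare_digest(expected["Authorization"], auth)


# Constructed sample call: EC2 DescribeInstances in the Singapore region on the day of the summit.
REQUEST = dict(
    method="GET",
    host="ec2.ap-southeast-1.amazonaws.com",
    path="/",
    query={"Action": "DescribeInstances", "Version": "2013-02-01"},
    payload=b"",
)


def lookup_secret(key_id: str) -> str:
    """Stand-in for the service's credential store (constructed)."""
    return SECRET_KEY if key_id == ACCESS_KEY else ""


def demo():
    """Sign the sample request, verify it, then show that a changed Action no longer verifies."""
    signed = sign_request(**REQUEST, region="ap-southeast-1", service="ec2",
                          amz_date="20130718T020000Z", access_key=ACCESS_KEY, secret=SECRET_KEY)
    ok = verify_request(**REQUEST, headers=signed, secret_lookup=lookup_secret)
    altered = dict(REQUEST, query={"Action": "TerminateInstances", "Version": "2013-02-01"})
    ok_altered = verify_request(**altered, headers=signed, secret_lookup=lookup_secret)
    return signed["Authorization"], ok, ok_altered


if __name__ == "__main__":
    print(demo())
```

A real endpoint additionally rejects requests whose `x-amz-date` is outside a short window around its clock, which is what limits replay of an unaltered captured request; that check is omitted here to keep the example deterministic.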
  16. Amazon VPC Architecture (diagram; labels: Customer’s Network – Amazon Web Services Cloud – Secure VPN Connection over the Internet – VPN Gateway – Router – Subnets: Customer’s isolated AWS resources – NAT – Internet – AWS Direct Connect: Dedicated Path/Bandwidth)
  17. Shared Responsibility
  18. The Cloud Changes Nothing… and Everything! – Ken Low, Director of Enterprise Security, July 18, 2013
  19. Cloud Security is a Shared Responsibility
     • Consumers of cloud services are responsible for
       – Security of the instance (OS & Applications)
       – Ensuring business application SLAs are maintained
       – Ultimately it boils down to protecting your instances from compromise and the integrity of the applications running in the cloud …
     • How do you protect AWS instances?
       – Traditional network IDS/IPS appliances are not feasible
       – Network interception methods are not effective or scalable in the cloud
       – Agent-based host security controls are more effective
  20. Cloud Security is a Shared Responsibility
     • What type of host security controls are required?
     • Security principles don’t change
     • Implementation & Management change drastically

     The Need                          Preferred Security Control
     Data confidentiality              Encryption
     Block malicious software          Anti-Malware
     Detect & track vulnerabilities    Vulnerability scanning services
     Control server communications     Host-firewalls (in addition to AWS security groups)
     Detect suspicious activity        Intrusion Prevention
     Detect unauthorized changes       File Integrity Monitoring
     Block OS & App vulnerabilities    Patch & shield vulnerabilities
     Data monitoring & compliance      DLP
  21. Trend Micro Deep Security for AWS
     • World’s No. 1 server security solution, hosted on AWS
     • Designed to automate and simplify security operations in and across AWS applications
     • Provides AWS instance-based security (available in two versions)
       – Trend Micro Deep Security software (now)
       – Trend Micro Deep Security as a Service (available in NA now, APAC in 2014)
  22. What Protection does Deep Security Provide?
     • Anti-malware: New malware is being created every second of every day; Deep Security as a Service provides timely protection against this avalanche of malware being used to attack systems and steal data
     • Web Reputation: Control which domains your servers can communicate with to reduce the risk of compromise
     • Firewall: Create a firewall perimeter around each cloud server to block attacks and limit communication to only the ports and protocols necessary, in addition to cloud provider controls
     • Intrusion Prevention: Shield unpatched vulnerabilities from attack with auto-updating security policies that ensure the right protection is applied to the right cloud servers at the right time
     • Integrity Monitoring: Meet your compliance monitoring requirements, while ensuring unauthorized or out-of-policy changes are detected and reported
  23. What Protection does Deep Security Provide?
     • Deep Security as a Service is a SaaS solution that delivers comprehensive security for cloud servers
     • Built on security technology proven across thousands of organizations, it provides:
       – Protection from attacks: Combine Anti-malware and Intrusion Prevention to prevent attacks that can lead to data theft and system compromise
       – Server hardening: Reduce your exposure to attack by ensuring your cloud servers are only communicating with expected systems
       – Compliance Monitoring: Integrity Monitoring provides an audit trail of changes to critical server operating system, configuration, and application files
       – Automated Management: Achieve automated and consistent protection for existing and new cloud servers with security recommendation scans & streamlined deployment
     • The Takeaway: The security solution designed specifically to work hand-in-hand with AWS, running on AWS.
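Slide 20 pairs "detect unauthorized changes" with File Integrity Monitoring, and slides 22 and 23 describe integrity monitoring as an audit trail of changes to operating-system, configuration and application files. The Python below is an added example of the core of such a control, written for this page and unrelated to how Deep Security implements it: take a baseline of content hashes and permission bits over a file tree, then diff a later scan against it and report added, deleted, modified and permission-changed files. It runs against a constructed temporary directory standing in for /etc, with constructed changes of the kind a monitor is expected to flag.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record content hash, permission bits and size for every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "mode": oct(st.st_mode & 0o777),
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return (event, path) tuples, in path order, for every difference between two scans."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append(("deleted", rel))
        elif rel not in baseline:
            events.append(("added", rel))
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            events.append(("modified", rel))
        elif baseline[rel]["mode"] != current[rel]["mode"]:
            events.append(("mode_changed", rel))
    return events


def demo() -> list:
    """Constructed scenario: baseline a fake /etc, apply some changes, report what the rescan finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "ssh").mkdir(parents=True)
        (root / "etc" / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "passwd").chmod(0o644)
        baseline = build_baseline(root)
        # The baseline must live where the monitored host cannot rewrite it; here it is just serialised.
        stored = json.dumps(baseline)

        # Constructed changes of the kind an integrity monitor should flag (not a real incident).
        (root / "etc" / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")  # config edited
        (root / "etc" / "hosts").unlink()                                             # file removed
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "nightly").write_text("0 3 * * * root /usr/local/bin/backup\n")  # new file
        (root / "etc" / "passwd").chmod(0o666)                                        # permissions loosened

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:13s} {path}")
```

Hashing alone misses permission changes, which is why the mode is recorded separately; in a real deployment the scan would also be restricted to the paths that matter (system binaries, configuration, application code) and the baseline refreshed only through the change-management process, otherwise every routine patch shows up as an alert.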
  24. Who Needs This Solution?
     • IT Managers, IT Directors, Compliance Officers and CIOs using Amazon Web Services
     • Organizations that are leveraging AWS for ad-hoc or temporary projects
     • Business units that require additional security and are using AWS
     • Organizations that want to leverage security expertise from a proven vendor in a way that is natural for an AWS environment
  25. Trend Micro Deep Security as a Service* – Protection for AWS, from AWS (diagram: the Deep Security as a Service Manager managing Deep Security Agents on the instances). *Available in NA now, APAC in 2014.
  26. Which Deep Security version is for you?
     • Buy Deep Security Software
       – Datacenter security requirements
       – Hybrid cloud environments
       – Prefer to run Deep Security Managers themselves
       – Require a solution now
     • Buy Deep Security as a Service
       – AWS-only security requirement
       – Want the convenience of a SaaS
       – Available in NA now, APAC in 2014
  27. Summary of Key Features – Advanced Protection from the Cloud, For the Cloud …
     ✔ AWS connector for instance inventory synchronization
     ✔ Deployment scripts for integration with RightScale, Chef, Puppet, & OpsWorks
     ✔ Templates for consistent & automated security policy enforcement
     ✔ Role-based administration
     ✔ Dashboards with customizable widgets
     ✔ Alerts & reporting capabilities
     ✔ Broad platform support
  28. Trend Micro SecureCloud for AWS
     • Protection for data in the cloud
     • Automated encryption and key management
     • Solution that helps you protect the privacy of data in AWS, making sure that only authorized servers can access encryption keys
     • Trend Micro’s highly automated data protection approach safely delivers encryption keys to valid devices without the need for you to deploy an entire file system and management infrastructure
     • Key benefits:
       – Policy-Based Key Management
       – Enterprise-Controlled Encryption and Key Management
       – Standard Protocols and Advanced Encryption
       – Authentication
       – Logging, Reporting, and Auditing
       – Separation of Duties
  29. Why Trend Micro and AWS? Trend Micro, a global leader in cloud security, delivers flexible, proven solutions for AWS which
     • have been architected to be highly effective and efficient in protecting the data and applications running on EC2
     • have been built to the highest government standards, including Common Criteria EAL4+
     • integrate seamlessly with cloud management tools such as AWS CloudFormation, RightScale, Chef and Puppet to automate security management
     • reduce security management costs by automating security tasks and lowering the preparation time and effort required to support audits
  30. Trend Micro Resources for Cloud Security Best Practices
     • Host-based all-in-one security – the most complete set of tools built specifically for the cloud:
       – Bi-directional stateful firewall
       – Anti-Malware
       – Intrusion Prevention
       – Integrity Monitoring
       – Log Inspection
       – Domain whitelisting
       – Data encryption and key management
     • Top 10 Best Practices for securing your AWS instances: blog series at
     • Twitter: @TrendMicro
     • Try out a new cloud-based security service for your AWS instances with our new free beta AWS-based service:
  31. Customer Challenge: Encryption
     • Customers have requirements that require them to use specific encryption key management procedures not previously possible on AWS
       – Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls
       – Good key management is critical
     • Customers want to run applications and store data in AWS but previously had to retain keys in HSMs in on-premises datacenters
       – Applications may slow down due to network latency
       – Requires several DCs to provide high availability, disaster recovery and durability of keys
  32. AWS Data Protection Solutions
     • AWS offers several data protection mechanisms including access control, encryption, etc.
     • AWS data encryption solutions allow customers to:
       – Encrypt and decrypt sensitive data inside or outside AWS
       – Decide which data to encrypt
     • AWS CloudHSM complements existing AWS data protection and encryption solutions
     • With AWS CloudHSM customers can:
       – Encrypt data inside AWS
       – Store keys in AWS within a Hardware Security Module
       – Decide how to encrypt data – the AWS CloudHSM implements cryptographic functions and key storage for customer applications
       – Use third-party validated hardware for key storage
     • AWS CloudHSMs are designed to meet Common Criteria EAL4+ and FIPS 140-2 standards
  33. What is AWS CloudHSM?
     • Customers receive dedicated access to HSM appliances
     • HSMs are physically located in AWS datacenters – in close network proximity to Amazon EC2 instances
     • Physically managed and monitored by AWS, but customers control their own keys
     • HSMs are inside the customer’s VPC – dedicated to the customer and isolated from the rest of the network
  34. AWS CloudHSM Service Highlights
     • Secure Key Storage – customers retain control of their own keys and cryptographic operations on the HSM
     • Contractual and Regulatory Compliance – helps customers comply with the most stringent regulatory and contractual requirements for key protection
     • Reliable and Durable Key Storage – AWS CloudHSMs are located in multiple Availability Zones and Regions to help customers build highly available applications that require secure key storage
     • Simple and Secure Connectivity – AWS CloudHSMs are in the customer’s VPC
     • Better Application Performance – reduce network latency and increase the performance of AWS applications that use HSMs
  35. How Customers Use AWS CloudHSM
     • Customers use AWS CloudHSM as an architectural building block in securing applications
       – Object encryption
       – Digital Rights Management (DRM)
       – Document signing
       – Secure document repository
       – Database encryption
       – Transaction processing
  36. Familiar Cloud Security
  37. AWS Security Resources
     • Security Whitepaper
     • Risk and Compliance Whitepaper
     • Regularly Updated
     • Feedback is welcome
  38. Business Transformation Track