
Demystifying Cloud Security: Lessons Learned for the Public Sector


As government agencies expand the use of cloud services, security continues to be a top priority for program managers, policymakers, and cloud service providers (CSPs). Governments and agencies worldwide are moving workloads with varying levels of sensitivity to the cloud. This session will feature agency-level security risk management practices and address common myths about security in the cloud. Participants will gain insight into how governments are leveraging cloud computing to improve their security posture and more quickly benefit from economies of scale.

Mark Ryland, Chief Solutions Architect, Amazon Web Services, WWPS

Published in: Technology

Demystifying Cloud Security: Lessons Learned for the Public Sector

  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Mark Ryland, Chief Architect, Worldwide Public Sector Team. April 28th, 2016. Demystifying Cloud Security: Lessons from the Public Sector
  2. Security is Job Zero at AWS: Network Security, Physical Security, Platform Security, People & Procedures
  3. Security & compliance is a shared responsibility. AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers have their choice of security configurations IN the Cloud: customer applications & content; platform, applications, identity & access management; operating system, network, & firewall configuration; client-side data encryption, server-side data encryption, and network traffic protection.
  4. Build everything on a constantly monitored and audited, constantly improving security baseline. AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Standards shown: GxP, ISO 13485, AS9100, ISO/TS 16949.
  5. Simple Security Controls: Easy to Get Right, Easy to Audit, Easy to Enforce
  6. "This" to "This" (image-only comparison slide)
  7. Our Security Culture
     • Make your security engineers part of your product/service engineering teams
     • Make your compliance team part of your engineering and security teams
  8. Our Security Culture… Collect, digest, disseminate & use intelligence
  9. Our Security Culture… Proactive, predictive monitoring rules the day
     • What’s “normal” in your environment?
     • Depending on signatures == waiting to find out WHEN you’ve been had
  10. Our Security Culture… Base decisions on facts, metrics, & detailed understanding of your environment and adversaries
  11. Our Security Culture… Test, CONSTANTLY
     • Inside/outside
     • Privileged/unprivileged
     • Black-box/white-box
     • Vendor/self
  12. AWS: Cloud Leader and Visionary. Gartner Magic Quadrant for Cloud Infrastructure as a Service, Worldwide. Source: Gartner (May 2015). Gartner “Magic Quadrant for Cloud Infrastructure as a Service, Worldwide,” Lydia Leong, Douglas Toombs, Bob Gill, May 18, 2015. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available at Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  13. Forrester Cloud Security Wave, Nov 2014
  14. Cloud Security Alliance – AWS Keynote (Dec 2013): “Seven Systemic Advantages of Cloud Security”. Seven reasons, plus one to grow on:
     1. Security is the CSP’s highest priority; no compromises, ever
     2. Integration of compliance and security
     3. Economies of scale and separation of duties
     4. Customers refocus on systems and applications
     5. Visibility, homogeneity, and automation
     6. Cloud platforms as “systems containers”
     7. Cloud, big data, security: using the cloud to secure the cloud
     8. With cloud speed of innovation and increasing scale, the story will only get better – quickly!
  15. USA CIO Tony Scott: “I see the big cloud providers in the same way I see a bank,” he says. “They have the incentive, they have skills and abilities, and they have the motivation to do a much better job of security than any one company or any one organization can probably do. […] I think today the better bet is get to the cloud as quick as you can because you're guaranteed almost to have better security there than you will in any private thing you can do.” CIO Magazine:
  16. Role of compliance and 3rd party auditors
     • Vendor claims alone are not good enough!
     • Testing, auditing and certification by multiple teams of 3rd-party pros provides needed proof
     • Far more rigorous process than any gov’t agency or corporation could reasonably sustain
  17. Five Security Myths About the AWS Cloud
     1. Multi-tenancy is inherently risky
     2. In the cloud, I lose visibility and control
     3. Incident response is harder in the cloud
     4. In the cloud I must choose between central governance and control versus agility and mission ownership (aka “shadow IT”)
     5. Cloud is only appropriate for less sensitive data; more sensitive data is safer on-premises
  18. Multi-tenancy
     • The AWS business fundamentally depends on complete isolation of tenants
     • Logical isolation, automation of controls, push-button encryption of all data: these far outweigh the value of physical separation
     • Separation of duties and data protection through services like Key Management Service and CloudHSM
     • Dedicated instances and dedicated hosts in EC2 for the extra-cautious
  19. Visibility and Control
     • Easy/cheap to enable logging of APIs & data services
     • CloudTrail, S3, ELB, CloudWatch/CloudWatch Logs, VPC Flow Logs, CloudFront
     • Rich 3rd party ecosystem
     • AWS Config and Config Rules for configuration management and state maintenance
     • Powerful IAM system to enforce least privilege
     • Limit even administrative access to core security data with API-level MFA, Glacier policies, etc.
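An added example, not from the deck or from AWS, tying the “what’s normal” monitoring of slide 9 to the CloudTrail logging on this slide: build a per-principal baseline of where each identity normally calls from during a training window, then flag review-window events from unseen origins and any action against the logging plane itself taken without MFA. The record layout mirrors CloudTrail’s JSON fields, but the events and the list of sensitive actions are constructed assumptions.

```python
"""Baseline-and-deviation checks over CloudTrail-shaped events (constructed sample data)."""

def _rec(user, name, src, ip, region, mfa, t):
    # Minimal CloudTrail-like record; only the fields the checks below read.
    return {
        "eventTime": t, "eventSource": src, "eventName": name,
        "awsRegion": region, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user,
                         "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}},
    }

# Constructed training window: what "normal" looks like for each principal.
TRAINING = [
    _rec("alice", "DescribeInstances", "ec2.amazonaws.com", "203.0.113.10", "us-east-1", "true", "2016-04-01T09:00:00Z"),
    _rec("alice", "ListBuckets", "s3.amazonaws.com", "203.0.113.10", "us-east-1", "true", "2016-04-01T09:05:00Z"),
    _rec("bob", "GetObject", "s3.amazonaws.com", "198.51.100.7", "us-west-2", "false", "2016-04-02T14:00:00Z"),
]
# Constructed review window: one event comes from a new IP/region and disables a trail without MFA.
REVIEW = [
    _rec("alice", "DescribeInstances", "ec2.amazonaws.com", "203.0.113.10", "us-east-1", "true", "2016-04-10T09:00:00Z"),
    _rec("alice", "StopLogging", "cloudtrail.amazonaws.com", "192.0.2.44", "eu-west-1", "false", "2016-04-10T03:12:00Z"),
    _rec("bob", "GetObject", "s3.amazonaws.com", "198.51.100.7", "us-west-2", "false", "2016-04-10T14:00:00Z"),
]

# Assumed list of API actions that weaken the security data plane (logs, flow logs, log buckets).
SENSITIVE_ACTIONS = {"StopLogging", "DeleteTrail", "UpdateTrail", "DeleteFlowLogs", "PutBucketPolicy"}

def mfa_present(rec):
    """True when the session context records that MFA was used for this call."""
    ctx = rec["userIdentity"].get("sessionContext", {})
    return ctx.get("attributes", {}).get("mfaAuthenticated") == "true"

def build_baseline(records):
    """Map each principal to the set of (source IP, region) pairs seen in the training window."""
    base = {}
    for r in records:
        base.setdefault(r["userIdentity"]["userName"], set()).add((r["sourceIPAddress"], r["awsRegion"]))
    return base

def find_deviations(records, baseline):
    """Return (user, eventName, reason) for events outside the baseline or touching logging without MFA."""
    findings = []
    for r in records:
        user, name = r["userIdentity"]["userName"], r["eventName"]
        origin = (r["sourceIPAddress"], r["awsRegion"])
        if origin not in baseline.get(user, set()):
            findings.append((user, name, f"new source/region {origin}"))
        if name in SENSITIVE_ACTIONS and not mfa_present(r):
            findings.append((user, name, "sensitive action without MFA"))
    return findings
```

In a real deployment the training window would be read from the CloudTrail S3 bucket and the findings routed to an alerting channel; the logic is the same.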
  20. Incident Response
     • Prepare in advance!
     • With preparation, IR is easier and richer in AWS than in on-prem environments (ask NASA JPL IG)
     • Three presentations with lots of details: SEC308: Wrangling Security Events in The Cloud (re:Invent 2015); SEC216: Harden Your Architecture with Security Incident Response Simulations (same); NIST Forensics in the Cloud Conference, Sept 2015 (click on Day 3, Part 6)
  21. Central Control Versus Agility
     • Reframing: GRC and the AWS cloud
     • Governance means being able to answer key questions: What do I have? How is it performing? Who can control/is controlling it? What is it costing me? Is it in compliance? Is it secure?
     • Achieve both goals with a centralized governance organization and decentralized development teams
  22. Cloud Only Appropriate for Less Sensitive Data
     • Reasonable to start with less sensitive data / workloads on your cloud journey
     • There is a learning curve, so lower your risks while learning
     • However, that is not the end state!
  23. Improving security with the cloud. “From a physical and logical security standpoint, I believe that, if done right, public cloud computing is as or more secure than self-hosting.” – Steve Randich, EVP and CIO, Financial Industry Regulatory Authority, USA. FINRA now deploying multiple Hadoop-based and Redshift-based analytics apps core to their regulatory mission
     • Multi-petabyte clusters growing by terabytes per day
     • Core apps in full production since January 2015
     • Halfway through a 2-year plan to go “all in” to the AWS cloud
  24. Improving security with the cloud. For more details, see re:Invent 2013 presentations by NASA JPL cyber security engineer Matt Derenski. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters.” – Tom Soderstrom, CTO, NASA JPL
  25. Rob Alexander, CIO of Capital One Bank: “And of course, security is critical for us. The financial services industry attracts some of the worst cyber criminals. So we worked closely with the AWS team to develop a security model which, we believe, allows us to operate more securely in the public cloud than we can even in our own datacenters.” re:Invent Keynote 2015
  26. UK MoJ CTO David Rogers: “You should probably start engaging with the idea that the cloud can be considerably more secure than the private cloud or your own data centre, and start engaging with the risks that are building in the spaces where you haven't moved to the cloud yet.” The Guardian: (emphasis added)
  27. Former CIO of US VA & DoC Roger Baker in (Jan 2015): “Why Commercial Cloud Are More Secure Than Federal Data Centers”. Six reasons:
     • New and sometimes purpose-built equipment and software, constantly updated
     • System configurations are standardized and automatically created to eliminate variances, and for maximum efficiency
     • Security patches are automatically applied to all systems on a timely basis
     • Cloud environments are certified to multiple different national and international security standards
     • The private sector can hire high-level system engineering and security talent more readily; and
     • The company’s brand is at risk should security be compromised, ensuring full alignment and motivation.
  28. Analyst’s Perspective: CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly and reliably leverage the benefits of this increasingly ubiquitous computing model. “Clouds Are Secure: Are You Using Them Securely?”, published 22 September 2015, Jay Heiser
  29. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you!