
(FIN202) Addressing Data Security Concerns in Financial Services: Fidelity Investment's Use of SSE-C | AWS re:Invent 2014

Data security is a paramount concern for financial services firms. This session discusses how Fidelity Investments uses Amazon S3 with server-side encryption with customer-provided keys (SSE-C) to protect critical information, and the firm's use of other AWS services, including AWS Elastic Beanstalk, Elastic Load Balancer, and Amazon DynamoDB. Fidelity Investments is one of the largest mutual fund and financial services groups in the world. Fidelity manages a large family of mutual funds, provides fund distribution and investment advice services, and also provides discount brokerage services, retirement services, wealth management, securities execution and clearance, life insurance and a number of other services.

  1. November 14, 2014 | Las Vegas, NV. Travell Perkins, Fidelity
  2. Virtual asset transfer (inheritance)
  3. Architecture diagram (components shown): Amazon ELB; EC2 Auto Scaling Group of Application Servers; DSM; Cloudant; CloudFiles; S3; Twilio Server
  4. System components and data flows:
     • DSM (Dynamic Security Module; PHP service, Fidelity VDC): generates encryption keys using the AES-256 cipher. The keys are used to encrypt/decrypt files.
     • Core Service (Node.js, AWS EC2): documents and data are encrypted for persistent storage and decrypted for the presentation layer; registers new users, handles password resets and user profile management; authenticates and authorizes ("Is the user a valid user?").
     • Customer-facing interface (JavaScript, EC2): upload/download documents.
     • Admin interface (JavaScript, EC2): manage system users.
     • Simple Email Service: sends emails for account signup, password resets, file-sharing notices, etc.
     • Amazon S3: stores encrypted documents and metadata.
     • CloudFiles: redundant document storage.
     • Cloudant: document metadata is stored; customer account info is also stored.
     • Twilio: SMS/voice for multi-factor authentication.
     • Labelled flows in the diagram: Get encryption key; Encrypted documents; Store encrypted documents and metadata; Notify users; Add a new user, manage users; Register user, authenticate users; Manage users/admins (customers, admins); Encrypt and store documents, get customer documents; Send email to users; Upload/download documents; Manage admin users.
  5. Threat model, data flows (threat codes are the STRIDE categories: S = Spoofing, T = Tampering, R = Repudiation, I = Information disclosure, D = Denial of service, E = Elevation of privilege):
     Component | Threat | Protocol | A.S. | Mitigation
     All data flows | TID | HTTPS | Various | SSL/TLS everywhere
  6. Threat model, users and third-party services:
     Component | Threat | Mitigation
     End user | S | Form authentication; multi-factor authentication
     End user | RD | Not applicable
     Admin (jump box) | S | SSH username/password; multi-factor authentication
     Admin (jump box) | RD | Not applicable
     Twilio | S | Shared access key
     Twilio | RD | No fallback SMS service, but Fidsafe auth falls back to security questions
     SES (email) | S | Shared access key
     SES (email) | RD | No fallback; messages are sent asynchronously
  7. Threat model, application components:
     Component | Threat | Mitigation
     DSM | S | HTTPS SSL server authentication
     DSM | E | Low-privileged account
     DSM | TRID | All PHP files are read-only (for non-root) and owned by root
     Core Service | S | HTTPS SSL/TLS server authentication
     Core Service | E | Low-privileged account; Node runs as a non-root user
     Core Service | TRID | Permissions on Node.js application files are 644
     Web UI | S | Forms authentication over HTTPS; SMS or preference-based security question
     Web UI | E | Running as the logged-in user
     Web UI | TRID | Default permissions (user has no permissions to framework binaries)
     Mobile App | S | Digital signature provides authenticity and tamper detection
     Mobile App | E | Default container defenses provide least privilege
     Mobile App | TRID | Digital signature provides authenticity and tamper detection
  8. Threat model, storage:
     Component | Threat | Mitigation
     Cloudant | TID | Database permissions (read, write, delete) for CRUD operations
     CloudFiles | TID | Shared access key; all data bits are encrypted; hashes stored separately in Cloudant
     S3 | TID | Shared access key; all data bits are encrypted; hashes stored separately in Cloudant
  9. Request processing stack (in order): HTTPS transport; IP filtering; HMAC-SHA256 signing; JSON XSS filtering; authentication; authorization; exception handling; execution
  10. http://bit.ly/awsevals
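The SSE-C mechanism named in the session description, and the S3 row of the storage threat model, rest on three request headers that the client must get right on every PUT and GET. The following is an added example, not code from the deck or from Fidelity: it builds those headers from a 256-bit key and runs the same consistency check S3 applies before accepting them. The header names are the ones defined by the S3 API; the keys used are constructed for the example.

```python
import base64
import hashlib

# Header names defined by the S3 API for SSE-C; the keys used in the
# checks below are constructed for this example.
ALG_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"
KEY_LEN = 32  # SSE-C keys are 256-bit AES keys


def sse_c_headers(key: bytes) -> dict:
    """Headers sent on PUT and, identically, on every later GET.

    S3 encrypts the object with this key and then discards it, keeping only
    a salted HMAC to validate later requests, so the client (the DSM in this
    deck) must retain the key and resend the same headers to read the object
    back. The MD5 header lets S3 detect a key corrupted in transit, and S3
    accepts these headers only over HTTPS.
    """
    if len(key) != KEY_LEN:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    key_md5 = hashlib.md5(key).digest()
    return {
        ALG_HEADER: "AES256",
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        KEY_MD5_HEADER: base64.b64encode(key_md5).decode("ascii"),
    }


def parse_sse_c_headers(headers: dict) -> "bytes | None":
    """Pre-flight check mirroring what S3 enforces on such a request:
    algorithm AES256, a 32-byte key, and an MD5 header that matches it.
    Returns the key on success, None on any inconsistency."""
    try:
        if headers.get(ALG_HEADER) != "AES256":
            return None
        key = base64.b64decode(headers[KEY_HEADER], validate=True)
        key_md5 = base64.b64decode(headers[KEY_MD5_HEADER], validate=True)
    except (KeyError, ValueError):
        return None
    if len(key) != KEY_LEN or key_md5 != hashlib.md5(key).digest():
        return None
    return key
```

Because S3 keeps no copy of the key, losing it (or rotating it without re-uploading) makes the object unrecoverable, which is why the deck pairs SSE-C with a separate key service.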
