
Intro & Security Update


AWS and its partners offer a wide range of tools and features to help you meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools that can give you full visibility into what is happening in your environment. In this session, you will be introduced to the range of security tools and features that AWS offers, and to the latest security innovations coming from AWS.


Intro & Security Update

  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. December 1st 2015 – AWS Data Security: Security Update
  2. Data Security Agenda: 1:00 pm – AWS Security Overview + What’s New; 2:00 pm – Network Security & Access Control in AWS; 2:55 pm – Refreshment Break (15 minutes); 3:10 pm – Protecting Your Data in AWS; 4:10 pm – Securing Systems at Cloud Scale; 5:00 pm – Closing Remarks + Open Q&A
  3. AWS Security Overview + What’s New
  4. AWS Security: An Intro
  5. AWS Security Team: Operations, Application Security, Engineering, Security Assurance – aligned for agility
  6. Security ownership as part of DNA (distributed, embedded) • Promotes a culture of “everyone is an owner” for security • Makes security a stakeholder in business success • Enables easier and smoother communication
  7. Operating principles: Separation of duties; Different personnel across service lines; Least privilege
  8. Technology to automate operational principles: Visibility through automation; Shrinking the protection boundaries; Ubiquitous encryption
  9. Shared Responsibility
  10. Intro to AWS: 11 Regions, 30 Availability Zones, 53 Edge Locations, over 1 million active customers across 190 countries. Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.
  11. A European view of Cloud • Regions: – Dublin (EU-West) – 3 x Availability Zones, launched in 2007 – Frankfurt (EU-Central) – 2 x Availability Zones, launched in 2014 • Edge Locations: Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; and Warsaw, Poland • Direct Connect POPs: Dublin, London, Frankfurt
  12. Data Locality: The customer chooses where to place data. AWS regions are geographically isolated by design. Data is not replicated to other AWS regions and doesn’t move unless you choose to move it.
  13. Overview of AWS Services (layered diagram): Your Applications on top of AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); Foundation Services – Compute (EC2), Storage (S3, EBS, Glacier, Storage Gateway), Networking (VPC, Direct Connect, ELB, Route53), Databases (RDS, ElastiCache, Dynamo, RedShift); Application Services – Content Delivery (CloudFront), Distributed Computing (SES, SNS, SQS, Elastic Transcoder, CloudSearch, SWF, EMR), Libraries & SDK’s; Deployment & Management – Monitoring (CloudWatch), Deployment & Automation (BeanStalk, OpsWorks, Cloud Formation, DataPipe), Identity & Access Management (IAM, Federation), Web Interface (Console, Billing); Human Interaction (Mechanical Turk); Enterprise Applications – Virtual Desktop (Workspaces), Document Collaboration (Zocalo)
  14. How does a customer interact with AWS services? • Common Protocols: SSH, RDP, HTTP, SSL, SQL etc. • API Calls (Management Console, SDKs, Unified CLI): S3, EC2, RDS
  15. API Calls • Authentication is provided by IAM (Identity and Access Management) • API calls are secured within a TLS connection • API calls are made to AWS service endpoints deployed globally • A full list of endpoints is available here: – http://docs.aws.amazon.com/general/latest/gr/rande.html • AWS Unified CLI: – aws ec2 start-instances – aws ec2 stop-instances – aws s3 ls – aws s3 cp <source> <destination>
  16. Let’s look at how customers traditionally manage IT
  17. Customer view (traditional IT): Core Services – Server, Storage, Networking; Platform & Applications Management; Customer Data; Operating System; Data Centre (HVAC, UPS, Security); Data Encryption; Data Integrity/Backup; Network Protection; Management, Monitoring & Logging. Customer Responsibility: - Data & Network Protection - High Availability - Disaster Recovery - Backup - Scalability - Audit
  18. AWS Shared Responsibility Model: Let’s talk about security within the cloud and who is responsible for which parts. Security OF the Cloud vs Security IN the Cloud
  19. AWS Shared Responsibility Model for Infrastructure Services (diagram). Managed by AWS: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); AWS IAM; API Endpoint. Managed by customers: Customer content; Platform & Applications Management; Operating System, Network & Firewall Configuration; Customer IAM; Client-Side Data Encryption & Data Integrity Authentication; Server-Side Encryption (File System and/or Data); Network Traffic Protection (Encryption / Integrity / Identity). Optional – Opaque data: 1’s and 0’s (in transit/at rest)
  20. Infrastructure Service Example – EC2 • AWS Responsibility: • Foundational Services – Networking, Compute, Storage • AWS Global Infrastructure • AWS IAM • AWS API Endpoints • Customer Responsibility: • Customer Data • Customer Application/Platform • Operating System • Network & Firewall • Customer IAM • High Availability, Scaling • Instance Management • Data Protection (Transit, Rest, Backup)
  21. AWS Shared Responsibility Model for Container Services (diagram). Managed by AWS: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); Platform & Applications Management; Operating System, Network Configuration; AWS IAM; API Endpoint. Managed by customers: Customer content; Firewall Configuration; Customer IAM; Client-Side Data Encryption & Data Integrity Authentication; Network Traffic Protection (Encryption / Integrity / Identity). Optional – Opaque data: 1’s and 0’s (in transit/at rest)
  22. Infrastructure Service Example – RDS • AWS Responsibility: • Foundational Services – Networking, Compute, Storage • AWS Global Infrastructure • AWS IAM • AWS API Endpoints • Operating System • Platform / Application • Customer Responsibility: • Customer Data • Firewall (VPC) • Customer IAM (DB Users, Table Permissions) • High Availability • Data Protection (Transit, Rest, Backup) • Scaling
  23. AWS Shared Responsibility Model for Abstract Services (diagram). Managed by AWS: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations); Platform & Applications Management; Operating System, Network & Firewall Configuration; Data Protection by the Platform (Protection of Data at Rest); Network Traffic Protection by the Platform (Protection of Data in Transit); AWS IAM; API Endpoint. Managed by customers: Customer content; Client-Side Data Encryption & Data Integrity Authentication. Optional – Opaque Data: 1’s and 0’s (in flight / at rest)
  24. Infrastructure Service Example – S3 • AWS Responsibility: • Foundational Services – Networking, Compute, Storage • AWS Global Infrastructure • AWS IAM • AWS API Endpoints • Operating System • Platform / Application • Data Protection (Rest - SSE, Transit) • High Availability / Scaling • Customer Responsibility: • Customer Data • Data Protection
  25. Shared Responsibility Summary of Security IN the Cloud (Customer Responsibility), by service type – Infrastructure Services: Applications, Operating System, Networking/Firewall, Data, Customer IAM, AWS IAM; Container Services: Networking/Firewall, Data, AWS IAM; Abstract Services: Data, Customer IAM, AWS IAM
  26. What about Security OF the Cloud? Shared Responsibility
  27. Security Shared Responsibility Model: AWS is responsible for the security OF the cloud – AWS Foundation Services (Compute, Storage, Database, Network) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
  28. Auditing – Comparison on-Prem vs on AWS. On AWS: • Start on a base of accredited services • Functionally necessary – high watermark of requirements • Audits done by third-party experts • Accountable to everyone • Continuous monitoring • Compliance approach based on all workload scenarios • Security innovation drives broad compliance. On-Prem: • Start with bare concrete • Functionally optional (you can build a secure system without it) • Audits done by an in-house team • Accountable to yourself • Typically check once a year • Workload-specific compliance checks • Must keep pace and invest in security innovation
  29. What this means • You benefit from an environment built for the most security-sensitive organizations • AWS manages 1,800+ security controls so you don’t have to • You get to define the right security controls for your workload sensitivity • You always have full ownership and control of your data
  30. AWS Assurance Program Updates • SOC: new services in scope after successful assessment – KMS, Workspace, SES • PCI: new services in scope after achieving PCI DSS 3.1 certification – KMS, Cloudtrail, Cloudfront • ISO 27017: international code of practice focusing on cloud providers • ISO 27018: international code of practice that focuses on protection of PII in the cloud
  31. Customers build on AWS consistent baseline controls (AWS Foundation Services – Compute, Storage, Database, Networking; AWS Global Infrastructure – Regions, Availability Zones, Edge Locations): your own accreditation, your own certifications, your own external audits; meet your own security objectives; customer scope and effort is reduced; better results through focused efforts
  32. Why AWS? How AWS security features and services can help our customers
  33. Amazon Inspector (Preview): Security assessment tool analyzing end-to-end application configuration and activity
  34. Why Amazon Inspector? • Application testing is key to moving fast but staying safe • Security assessment is highly manual, resulting in delays or missed security checks • Valuable security subject matter experts spend too much time on routine security assessment
  35. Amazon Inspector features: Configuration Scanning Engine; Activity monitoring; Built-in content library; Automatable via API; Fully auditable
  36. Getting started
  37. Amazon Inspector rulesets: CVE; Network Security Best Practices; Authentication Best Practices; Operating System Best Practices; Application Security Best Practices; PCI DSS 3.0 Readiness
  38. Prioritized findings
  39. Detailed remediation recommendations
  40. AWS WAF
  41. AWS WAF features: Web filtering; Amazon CloudFront integration; Centralized rule management; Real-time visibility; API automation
  42. AWS WAF benefits: Increased protection against web attacks; Ease of deployment and maintenance; Security embedded in the development process
  43. AWS WAF
  44. AWS WAF in action (diagram): Admins and Developers use the AWS Management Console and the AWS API to define rules and deploy protection through AWS WAF in front of a web app in CloudFront
  45. AWS WAF Partner integrations • Alert Logic, Trend Micro, and Imperva are integrating with AWS WAF • Offer additional detection and threat intelligence • Dynamically modify AWS WAF rulesets for increased protection
  46. AWS Config Rules
  47. AWS Config: fully managed service which provides: • An inventory of your AWS resources • Lets you audit the resource configuration history • Notifies you of resource configuration changes • Logs are placed in a customer-defined S3 bucket
  48. AWS Config Rules features: Flexible rules evaluated continuously and retroactively; Dashboard and reports for common goals; Customizable remediation; API automation
  49. AWS Config Rules – example rules: Is CloudTrail enabled? Are in-use volumes encrypted? Are resources appropriately tagged? Is incoming SSH disabled? Are instances running in the correct VPC? Are Elastic IPs attached to the correct EC2 instances?
  50. AWS Config Rules: Broad ecosystem of solutions
  51. AWS Config Rules benefits: Continuous monitoring for unexpected changes; Shared compliance across your organization; Simplified management of configuration changes
  52. AWS Config Rules
  53. Security by Design (Preview)
  54. Evolution of security & compliance at AWS: AWS certifications; Customer enabler docs; Customer case studies; Security by Design (SbD) – AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
  55. Security by Design – SbD: Security by Design (SbD) is a modern security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. It is a systematic approach to ensuring security; instead of relying on after-the-fact auditing, SbD provides control insights throughout the IT management process. Building blocks: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
  56. Putting it all together (SbD): Build your AWS applications using Security by Design; Continuous Compliance through Config Rules; Continuous Compliance through Inspector; Customer Workload
  57. Security Training
  58. New security training – Security Fundamentals on AWS: – Free online course for Security Auditors, Analysts and Management – 5 modules over 3 hours – Progress is saved. Details at aws.amazon.com/training
  59. New security training – Security Operations on AWS: – 3-day class for: Security Engineers/Architects; Security Analysts and Auditors – 11 modules with X Labs. Details at aws.amazon.com/training
  60. Security Partners
  61. AWS Marketplace offers customers a choice of security configurations IN the Cloud • Infrastructure Security – gateway, firewall, router, WAF, network, UTM • Identity & Access Control – allowed/authorized access • Logging & Monitoring – SIEM / Governance, Risk, & Compliance (GRC) • Configuration & Vulnerability Analysis – scanning/pen testing and IPS/IDS • Data Protection – DRM/DLP/Encryption • Threat Analytics – continuous monitoring
  62. AWS Marketplace Network/Security Partner Eco-system (diagram): Infrastructure Security; Logging & Monitoring; Identity & Access Control; Configuration & Vulnerability Analysis; Data Protection; SaaS offerings
  63. Helpful Resources
  64. Getting help – Trusted Advisor performs a series of security configuration checks of your AWS environment: • Open ports • Unrestricted access • IAM use • CloudTrail Logging • S3 Bucket Permissions • Multi-factor authentication • Password Policy • DB Access Risk • DNS Records • Load Balancer configuration
  65. Getting Help – AWS Auditing Checklists
  66. Getting help – AWS Compliance. Workbooks: • IT Grundschutz (TUV Trust IT) • CESG UK Security Principles • PCI Workbook – Anitian • Audit Checklists. Whitepapers: • EU Data Protection • Risk & Compliance • Overview of Security Processes • FERPA FAQs • PCI, HIPAA, EU Data Protection, ISO 27001, 9001 etc… Training: • eLearning – Security Fundamentals – 3-hour free online course • Instructor-Led Training – 3-day course for Security Professionals • Qwiklabs – Security & Auditing Self-Paced Lab. Blogs: • http://blogs.aws.amazon.com/security/
  67. Getting help – Resources: Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/ Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/ Compliance Center Website: https://aws.amazon.com/compliance Security Center: https://aws.amazon.com/security Security Blog: https://blogs.aws.amazon.com/security/ AWS Audit Training: awsaudittraining@amazon.com AWS Security Training: https://aws.amazon.com/blogs/aws/new-aws-security-courses/
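Slides 47 to 49 describe AWS Config Rules as evaluations run over each resource's configuration history, with example rules such as "Are in-use volumes encrypted?" and "Is incoming SSH disabled?". The following added example (not code from the deck or from AWS) shows what two such rule evaluations look like over constructed configuration items; the dict shape (resourceType, configuration, ipPermissions, cidrIp) and the COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE result strings are assumptions about what a custom rule receives and returns, not taken from the page.

```python
"""Added example: two of the example Config rules from slide 49 evaluated
over constructed configuration items (not AWS code; shapes are assumed)."""
import ipaddress

# Constructed configuration items; key names are an assumption about the
# shape a custom Config rule receives, not data from a real account.
VOLUME_ITEM = {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example",
               "configuration": {"state": "in-use", "encrypted": False}}
SG_ITEM = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
           "configuration": {"ipPermissions": [
               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}}


def volume_encrypted(item):
    """Rule 'Are in-use volumes encrypted?': detached volumes are out of scope."""
    cfg = item["configuration"]
    if cfg.get("state") != "in-use":
        return "NOT_APPLICABLE"
    return "COMPLIANT" if cfg.get("encrypted") else "NON_COMPLIANT"


def _covers_port(perm, port):
    """True if a permission entry admits the port (protocol -1 means all)."""
    if perm.get("ipProtocol") == "-1":
        return True
    if perm.get("ipProtocol") != "tcp":
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)


def ssh_not_open(item):
    """Rule 'Is incoming SSH disabled?': flag port 22 reachable from any address."""
    for perm in item["configuration"].get("ipPermissions", []):
        if not _covers_port(perm, 22):
            continue
        for rng in perm.get("ipRanges", []) + perm.get("ipv6Ranges", []):
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            # A zero-length prefix (0.0.0.0/0 or ::/0) means the whole internet.
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                return "NON_COMPLIANT"
    return "COMPLIANT"


RULES = {"AWS::EC2::Volume": volume_encrypted,
         "AWS::EC2::SecurityGroup": ssh_not_open}


def evaluate(item):
    """Dispatch on resource type; resource types without a rule are NOT_APPLICABLE."""
    rule = RULES.get(item["resourceType"])
    return {"resourceId": item["resourceId"],
            "complianceType": rule(item) if rule else "NOT_APPLICABLE"}
```

Calling evaluate() on the two constructed items returns NON_COMPLIANT for both, which is the kind of finding Config Rules would surface continuously as the deck describes.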
