Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Intro to AWS: Security

2,850 views

Published on

The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability, and control. You have to know what you have and where it is before you can assess the environment against best practices, internal standards, and compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says that "Tom is the only person who can access this data object that I store with Amazon, and he can do so only from his corporate desktop on the corporate network, from Monday–Friday 9–5, and when he uses MFA?" That's the level of granularity you can choose to implement if you wish. In this session, we'll cover these topics to provide a practical understanding of the security programs, procedures, and best practices you can use to enhance your current security posture.

Published in: Technology

Intro to AWS: Security

  1. 1. ©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved SECURITY IS JOB ZERO Security – The Forefront For Any Online Business Bill Murray – Sr. Mgr, AWS Security Programs
  2. 2. Security is Job Zero Network Security Physical Security Platform Security People & Procedures
  3. 3. SECURITY IS SHARED
  4. 4. Build everything on a constantly improving security baseline AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations AWS is responsible for the security OF the Cloud GxP ISO 13485 AS9100 ISO/TS 16949
  5. 5. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network, & Firewall Configuration Customer applications & contentCustomers Security & compliance is a shared responsibility Customers have their choice of security configurations IN the Cloud AWS is responsible for the security OF the Cloud
  6. 6. SECURITY IS FAMILIAR
  7. 7. Security is Familiar • We strive to make security at AWS as familiar as what you are doing right now – Visibility – Auditability – Controllability – Agility
  8. 8. AWS Marketplace: One-stop shop for familiar tools Advanced Threat Analytics Application Security Identity and Access Mgmt Encryption & Key Mgmt Server & Endpoint Protection Network Security Vulnerability & Pen Testing
  9. 9. SECURITY REQUIRES VISIBILITY
  10. 10. VISIBILITY HOW OFTEN DO YOU MAP YOUR NETWORK? WHAT’S IN YOUR ENVIRONMENT RIGHT NOW?
  11. 11. Security is Visible • Who is accessing the resources? • Who took what action? – When? – From where? – What did they do? – Logs Logs Logs
  12. 12. You are making API calls... On a growing set of services around the world… AWS CloudTrail is continuously recording API calls… And delivering log files to you AWS CLOUDTRAIL Redshift
  13. 13. Use cases enabled by CloudTrail • Security Analysis  Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns • Track Changes to AWS Resources  Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes • Troubleshoot Operational Issues  Identify the most recent actions made to resources in your AWS account • Compliance Aid  Easier to demonstrate compliance with internal policies and regulatory standards
  14. 14. SECURITY IS AUDITABLE
  15. 15. AWS Config AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
  16. 16. Continuous ChangeRecordingChanging Resources AWS Config History Stream Snapshot (ex. 2014-11-05) AWS Config
  17. 17. Use cases enabled by Config • Security Analysis: Am I safe? • Audit Compliance: Where is the evidence? • Change Management: What will this change affect? • Troubleshooting: What has changed?
  18. 18. Am I safe? • Properly configured resources are critical to security • Config enables you to continuously monitor the configurations of your resources and evaluate these configurations for potential security weaknesses
  19. 19. Where is the evidence? • Many compliance audits require access to the state of your systems at arbitrary times (i.e. PCI, HIPAA) • A complete inventory of all resources and their configuration attributes is available for any point in time
  20. 20. What will this change affect? • When your resources are created, updated, or deleted, these configuration changes are streamed to Amazon SNS • Relationships between resources are understood, so that you can proactively assess change impact
  21. 21. What changed? • It is critical to be able to quickly answer “What has changed?” • You can quickly identifying the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files
  22. 22. SECURITY PROVIDES CONTROL
  23. 23. Ubiquitous encryption is one of our core design tenets Good Crypto Everywhere, All The Time
  24. 24. TLS is everywhere in our APIs Good Crypto Everywhere, All The Time
  25. 25. TLS is complex Good Crypto Everywhere, All The Time
  26. 26. Good Crypto Everywhere, All The Time
  27. 27. Small, Fast, Simple Good Crypto Everywhere, All The Time
  28. 28. Small: ~6,000 lines of code, all audited ~80% less memory consumed Good Crypto Everywhere, All The Time
  29. 29. Fast: 12% faster Good Crypto Everywhere, All The Time
  30. 30. Simple: avoid rarely used options/extensions Good Crypto Everywhere, All The Time
  31. 31. Open source Available on AWSLabs today https://github.com/awslabs/s2n Good Crypto Everywhere, All The Time
  32. 32. AWS is committed to OpenSSL Supporting OpenSSL development through the Linux Foundation’s Core Infrastructure Initiative Good Crypto Everywhere, All The Time
  33. 33. First class security and compliance starts (but doesn’t end!) with encryption Automatic encryption with managed keys Bring your own keys Dedicated hardware security modules
  34. 34. Encryption & Best Practices with AWS Managed key encryption Key storage with AWS CloudHSM Customer-supplied key encryption DIY on Amazon EC2 Create, store, & retrieve keys securely Rotate keys regularly Securely audit access to keys Partner enablement of crypto
  35. 35. AWS Key Management Service • A managed service that makes it easy for you to create, control, and use your encryption keys • Integrated with AWS SDKs and AWS services including Amazon EBS, Amazon S3, and Amazon Redshift • Integrated with AWS CloudTrail to provide auditable logs to help your regulatory and compliance activities
  36. 36. AWS Key Management Service Integrated with AWS IAM Console
  37. 37. AWS Key Management Service Integrated with Amazon EBS
  38. 38. AWS Key Management Service Integrated with Amazon S3
  39. 39. AWS Key Management Service Integrated with Amazon Redshift
  40. 40. SECURITY IS AGILE
  41. 41. HOW DOES AWS PRACTICE SECURITY?
  42. 42. The practice of security at AWS is different, but the outcome is familiar: So what does your security team look like?
  43. 43. Our Culture: Everyone’s an owner When the problem is “mine” rather than “hers” there’s a much higher likelihood I’ll do the right thing
  44. 44. Measure constantly, report regularly, and hold senior executives accountable for security – have them drive the right culture Our Culture:
  45. 45. Our Culture: Measure measure measure • 5 min metrics are too coarse • 1 min metrics just barely OK
  46. 46. Our Culture: Saying “no” is a failure
  47. 47. Our Culture: Apply more effort to the “why” rather than the “how” Why is what really matters When something goes wrong, ask the “five whys”
  48. 48. Our Culture: Decentralize - don’t be a bottleneck It’s human nature to go around a bottleneck
  49. 49. Our Culture: Produce services that others can consume through hardened APIs
  50. 50. Our Culture: Test, CONSTANTLY • Inside/outside • Privileged/unprivileged • Black-box/white-box • Vendor/self
  51. 51. Our Culture: Proactive monitoring rules the day • What’s “normal” in your environment? • Depending on signatures == waiting to find out WHEN you’ve been had
  52. 52. Our Culture: Collect, digest, disseminate, & use intelligence
  53. 53. Our Culture: Make your compliance team a part of your security operations
  54. 54. Our Culture: Base decisions on facts, metrics, & detailed understanding of your environment and adversaries
  55. 55. Simple Security Controls Easy to Get Right Easy to Audit Easy to Enforce
  56. 56. CONSTANT REDUCTION IN SURFACE AREA
  57. 57. CONSTANT REDUCTION IN HUMAN ACCESS POTENTIAL
  58. 58. UBIQUITOUS ENCRYPTION
  59. 59. EVEN MORE GRANULAR SEPARATION
  60. 60. Security is Job Zero YOU ARE BETTER OFF IN AWS THAN YOU ARE IN YOUR OWN ENVIRONMENT – “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.” -Tom Soderstrom, CTO, NASA JPL – “Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations.” Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
  61. 61. Your Feedback is Important to AWS Please complete the session evaluation. Tell us what you think!
  62. 62. NEW YORK

×