Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Introduction to AWS Security

1,008 views

Published on

This session is designed to introduce you to fundamental cloud computing and AWS security concepts that will help you prepare for the Security Week sessions, demos, and workshops. We will also provide an overview of the Security pillar of the AWS Cloud Adoption Framework (CAF) and talk about how AWS keeps humans away from data—and how you can, too.

  • Be the first to comment

Introduction to AWS Security

  1. 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Security and Compliance An Overview Tzoori Tamam Solutions Architect
  2. 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Why is security traditionally so hard? Lack of visibility Low degree of automation
  3. 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ORMove fast Stay secure Before…
  4. 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ORANDMove fast Stay secure Now…
  5. 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Automate with deeply integrated security services Inherit global security and compliance controls Highest standards for privacy and data security Largest network of security partners and solutions Scale with superior visibility and control Move to AWS Strengthen your security posture
  6. 6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The security paradigm shifted On AWSOn-premises Big Perimeter End-to-End Ownership Build it all yourself Server-centric approach De-centralised Administration Focus on physical assets Multiple (manual) processes Micro-Perimeters Own just enough Focus on your core values Service-Centric approach Central control plane (API) Focus on protection and data Everything is automated
  7. 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Our data centers provide protection at every layer: ü Perimeter Layer ü Infrastructure Layer ü Data Layer ü Environmental Layer Our Data Centers https://aws.amazon.com/compliance/data-center/data-centers/ Take a virtual tour:
  8. 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ø ACCESS IS SCRUTINIZED Ø ENTRY IS CONTROLLED AND MONITORED Ø AWS DATA CENTER WORKERS ARE SCRUTINIZED, TOO Ø MONITORING FOR UNAUTHORIZED ENTRY Ø AWS SECURITY OPERATIONS CENTERS MONITORS GLOBAL SECURITY Perimeter Layer
  9. 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ø LAYER-BY-LAYER ACCESS REVIEW Ø MAINTAINING EQUIPMENT IS A PART OF REGULAR OPERATIONS Ø EMERGENCY-READY BACKUP EQUIPMENT Infrastructure Layer
  10. 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ø TECHNOLOGY AND PEOPLE WORK TOGETHER FOR ADDED SECURITY Ø PREVENTING PHYSICAL AND TECHNOLOGICAL INTRUSION Ø SERVERS AND MEDIA RECEIVE EXACTING ATTENTION Ø THIRD-PARTY AUDITORS VERIFY OUR PROCEDURES AND SYSTEMS Data Layer
  11. 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Ø PREPARED FOR THE UNEXPECTED Ø HIGH AVAILABILITY THROUGH MULTIPLE AVAILABILITY ZONES Ø SIMULATING DISRUPTIONS & MEASURING OUR RESPONSE Ø GREENER IN THE AWS CLOUD Environmental Layer
  12. 12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Inherit global security and compliance controls
  13. 13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Encryption at scale with keys managed by our AWS Key Management Service (KMS) or managing your own encryption keys with Cloud HSM using FIPS 140-2 Level 3 validated HSMs Meet data residency requirements Choose an AWS Region and AWS will not replicate it elsewhere unless you choose to do so Access services and tools that enable you to build compliant infrastructure on top of AWS Comply with local data privacy laws by controlling who can access content, its lifecycle, and disposal Highest standards for privacy
  14. 14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Infrastructure security Logging & monitoring Identity & access control Configuration & vulnerability analysis Data protection Largest ecosystem of security partners and solutions Infrastructure security
  15. 15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security engineering Governance, risk & compliance Security operations & automation Consulting competency partners with demonstrated expertise Security engineering
  16. 16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Scale with visibility and control
  17. 17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “Security OF the Cloud” - AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. “Security IN the Cloud” - Customer responsibility will be determined by the AWS Cloud services that a customer selects. Shared Responsibility Model
  18. 18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Foundation Services Compute Storage Database Networking Infrastructure Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content Customers are responsible for end-to-end security in their on-premise data centers Traditional On-Premise Security Model
  19. 19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Foundation Services Compute Storage Database Networking Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content AWS Global Infrastructure Regions Availability Zones Edge Locations Customer’s responsibility AWS takes over responsibility from customers AWS Security Model when using Infrastructure Services (EC2 instances)
  20. 20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Foundation Services Compute Storage Database Networking Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content AWS Global Infrastructure Regions Availability Zones Edge Locations Customer’s responsibility AWS takes over responsibility from customers AWS Security Model when using Abstract Services (managed services)
  21. 21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Identity & Access Management (IAM) AWS Organizations AWS Cognito AWS Directory Service AWS Secrets Manager AWS Single Sign-On AWS CloudTrail AWS Config Amazon CloudWatch Amazon GuardDuty VPC Flow Logs Security Hub AWS Systems Manager AWS Shield AWS WAF – Web application firewall AWS Firewall Manager Amazon Inspector Amazon Virtual Private Cloud (VPC) AWS Key Management Service (KMS) AWS CloudHSM Amazon Macie AWS Certificate Manager Server-Side Encryption AWS Config Rules AWS Lambda Identity Detective control Infrastructure security Incident response Data protection AWS security solutions https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
  22. 22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Identity and Access Management (IAM) Securely control access to AWS services and resources AWS Organizations Policy-based management for multiple AWS accounts Amazon Cognito Add user sign-up, sign-in, and access control to your web and mobile apps AWS Directory Service Managed Microsoft Active Directory in the AWS Cloud AWS Secrets Manager Easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle AWS Single Sign-On Centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications Define, enforce, and audit user permissions across AWS services, actions and resources. Identity & access management Identity and access management
  23. 23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS CloudTrail Enable governance, compliance, and operational/risk auditing of your AWS account AWS Config Record and evaluate configurations of your AWS resources. Enable compliance auditing, security analysis, resource change tracking, and troubleshooting Amazon CloudWatch Monitor AWS Cloud resources and your applications on AWS to collect metrics, monitor log files, set alarms, and automatically react to changes Amazon GuardDuty Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads VPC Flow Logs Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs Gain the visibility you need to spot issues before they impact the business, improve your security posture, and reduce the risk profile of your environment. Detective control
  24. 24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Systems Manager Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, securely connect to servers, and configure secure operating systems AWS Shield Managed DDoS protection service that safeguards web applications running on AWS AWS WAF – Web application firewall Protects your web applications from common web exploits ensuring availability and security AWS Firewall Manager Centrally configure and manage AWS WAF rules across accounts and applications Amazon Inspector Automates security assessments to help improve the security and compliance of applications deployed on AWS Amazon Virtual Private Cloud (VPC) Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS. Infrastructure security
  25. 25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Key Management Service (KMS) Easily create and control the keys used to encrypt your data AWS CloudHSM Managed hardware security module (HSM) on the AWS Cloud Amazon Macie Machine learning-powered security service to discover, classify, and protect sensitive data AWS Certificate Manager Easily provision, manage, and deploy SSL/TLS certificates for use with AWS services Server-Side Encryption Flexible data encryption options using AWS service managed keys, AWS managed keys via AWS KMS, or customer managed keys In addition to our automatic data encryption and management services, employ more features for data protection. (including data management, data security, and encryption key storage) Data protection
  26. 26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Config Rules Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known-good state AWS Lambda Use our serverless compute service to run code without provisioning or managing servers so you can scale your programmed, automated response to incidents During an incident, containing the event and returning to a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this best practice. Incident response
  27. 27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “I have come to realize that as a relatively small organization, we can be far more secure in the cloud and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested. We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.” • Looks for fraud, abuse, and insider trading over nearly 6 billion shares traded in U.S. equities markets every day • Processes approximately 6 terabytes of data and 37 billion records on an average day • Went from 3–4 weeks for server hardening to 3–4 minutes • DevOps teams focus on automation and tools to raise the compliance bar and simplify controls • Achieved incredible levels of assurance for consistencies of builds and patching via rebooting with automated deployment scripts —John Brady, CISO FINRA Financial industry regulatory authority
  28. 28. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “Previously all our servers were configured and updated by hand or through limited automation, we didn’t take full advantage of a configuration management …All our new services are built as stateless docker containers, allowing us to deploy and scale them easily using Amazon’s ECS.” “AWS allowed us to scale our business to handle 6 million patients a month and elevate our security —all while maintaining HIPAA compliance-–as we migrated 100% to cloud in less than 12 months” • Migrated all-in on AWS in under 12 months, becoming a HIPAA compliant cloud-first organization • New York based startup leveraged infrastructure as code to securely scale to 6 million patients per month • Data liberation—use data to innovate and drive more solutions for patients, reducing patient wait times from 24 days to 24 hours • Maintain end to end visibility of patient data using AWS Online medical care scheduling
  29. 29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you https://aws.amazon.com/security/ https://aws.amazon.com/compliance/ https://aws.amazon.com/products/security Tzoori Tamam tzoorit@amazon.com

×