© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or i...
Different customer viewpoints on security
PR exec
keep out of the news
CEO
protect shareholder
value
CI{S}O
preserve the
c...
Security is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
PEOPLE &
PROCEDURES
NE...
SECURITY IS SHARED
WHAT NEEDS
TO BE DONE
TO KEEP THE
SYSTEM SAFE
WHAT
WE DO
WHAT YOU
HAVE TO DO
EVERY CUSTOMER HAS ACCESS
TO THE SAME SECURITY
CAPABILITIES
CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS
“Based on our experience, I believe that we
can be even more secure in the AWS
cloud than in our own data centers”
Tom Sod...
AWS SECURITY OFFERS MORE
VISIBILITY
AUDITABILITY
CONTROL
MORE VISIBILITY
CAN YOU MAP YOUR NETWORK?
WHAT IS IN YOUR ENVIRONMENT
RIGHT NOW?
TRUSTED ADVISOR
MORE AUDITABILITY
SECURITY CONTROL OBJECTIVES
1. SECURITY ORGANIZATION
2. AMAZON USER ACCESS
3. LOGICAL SECURITY
4. SECURE DATA HANDLING
5. ...
AWS CLOUDTRAIL
You are making
API calls...
On a growing set of
services around the
world…
CloudTrail is
continuously
recording API
calls…...
Security Analysis
Use log files as an input into log management and analysis solutions to perform
security analysis and to...
‣  CloudTrail records API calls and
delivers a log file to your S3 bucket.
‣  Typically, delivers an event within 15
minut...
LOGS
OBTAINED, RETAINED, ANALYZED
PROTECT YOUR LOGS WITH IAM
ARCHIVE YOUR LOGS
MORE CONTROL
Defense in Depth
Multi level security
•  Physical security of the data centers
•  Network security
•  System security
•  D...
AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs
AWS
CloudHSM
De...
AWS STAFF ACCESS
‣  Staff vetting
‣  Staff has no logical access to customer instances
‣  Staff control-plane access limit...
LEAST PRIVILEGE PRINCIPLE
CONFINE ROLES ONLY TO THE MATERIAL
REQUIRED TO DO SPECIFIC WORK
MORE CONTROL
ON IDENTITY & ACCESS
USE AWS IAM
IDENTITY & ACCESS MANAGEMENT
CONTROL WHO CAN DO WHAT
WITH YOUR AWS ACCOUNT
AWS IAM: Recent Innovations
Securely control access to AWS services and resources
•  Delegation
–  Roles for Amazon EC2
– ...
ACCESS TO
SERVICE APIs
Amazon DynamoDB Fine Grained
Access Control
Directly and securely access application
data in Amazon DynamoDB
Specify acces...
MORE CONTROL
OF YOUR DATA
MFA DELETE PROTECTION
YOUR DATA STAYS
WHERE YOU PUT IT
USE MULTIPLE AZs
AMAZON S3
AMAZON DYNAMODB
AMAZON RDS MULTI-AZ
AMAZON EBS SNAPSHOTS
DATA ENCRYPTION
CHOOSE WHAT’S RIGHT FOR YOU:
Automated – AWS manages encryption
Enabled – user manages encryption using AW...
AWS CloudHSM
Managed and monitored by AWS, but you
control the keys
Increase performance for applications that
use HSMs fo...
ENCRYPT YOUR DATA
AWS CLOUDHSM
AMAZON S3 SSE
AMAZON GLACIER
AMAZON REDSHIFT
AMAZON RDS
…
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or i...
•  11,000 customers
•  100 countries
•  332,5M € revenue in 2013
•  1,700+ employees
•  HQ in Phoenix, AZ USA
•  Offices i...
Axway Cloud and AWS
•  Start Quickly
•  Everywhere
•  No initial cost
•  Pay per use
•  Scale up and down
•  No commitment...
Axway Cloud threat mitigation
Architecture and
Datacenter
Vulnerabilities
Service Platform
Availability
Information
Confid...
Axway Cloud security architecture
•  SOC1 Type 2 certification achieved in March
•  ISO27001 Beginning of 2015
Management
...
•  Axway governs the flow of data in the Cloud
•  Axway Cloud is based on a strong AWS partnership
•  Security = AWS + Axw...
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or i...
MORE AUDITABILITY
MORE VISIBILITY
MORE CONTROL
IDC Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [Clou...
AWS.AMAZON.COM/SECURITY
AWS SECURITY WHITEPAPERS
RISK & COMPLIANCE
AUDITING SECURITY CHECKLIST
SECURITY PROCESSES
SECURITY BEST PRACTICES
AWS MARKETPLACE
SECURITY SOLUTIONS
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or i...
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security
Upcoming SlideShare
Loading in …5
×

AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security

2,166 views

Published on

Morning Security keynote by Steven Schmidt

Published in: Technology, Business
  • Be the first to comment

AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security

  1. 1. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. AWS Security Stephen E. Schmidt, Directeur de la Sécurité
  2. 2. Different customer viewpoints on security PR exec keep out of the news CEO protect shareholder value CI{S}O preserve the confidentiality, integrity and availability of data
  3. 3. Security is Our No.1 Priority Comprehensive Security Capabilities to Support Virtually Any Workload PEOPLE & PROCEDURES NETWORK SECURITY PHYSICAL SECURITY PLATFORM SECURITY
  4. 4. SECURITY IS SHARED
  5. 5. WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
  6. 6. WHAT WE DO WHAT YOU HAVE TO DO
  7. 7. EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS
  8. 8. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers” Tom Soderstrom – CTO – NASA JPL
  9. 9. AWS SECURITY OFFERS MORE VISIBILITY AUDITABILITY CONTROL
  10. 10. MORE VISIBILITY
  11. 11. CAN YOU MAP YOUR NETWORK? WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
  12. 12. TRUSTED ADVISOR
  13. 13. MORE AUDITABILITY
  14. 14. SECURITY CONTROL OBJECTIVES 1. SECURITY ORGANIZATION 2. AMAZON USER ACCESS 3. LOGICAL SECURITY 4. SECURE DATA HANDLING 5. PHYSICAL SECURITY AND ENV. SAFEGUARDS 6. CHANGE MANAGEMENT 7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY 8. INCIDENT HANDLING
  15. 15. AWS CLOUDTRAIL
  16. 16. You are making API calls... On a growing set of services around the world… CloudTrail is continuously recording API calls… And delivering log files to you
  17. 17. Security Analysis Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns. Track Changes to AWS Resources Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes. Troubleshoot Operational Issues Quickly identify the most recent changes made to resources in your environment. Compliance Aid Easier to demonstrate compliance with internal policies and regulatory standards.
  18. 18. ‣  CloudTrail records API calls and delivers a log file to your S3 bucket. ‣  Typically, delivers an event within 15 minutes of the API call. ‣  Log files are delivered approximately every 5 minutes. ‣  Multiple partners offer integrated solutions to analyze log files.
  19. 19. LOGS OBTAINED, RETAINED, ANALYZED
  20. 20. PROTECT YOUR LOGS WITH IAM ARCHIVE YOUR LOGS
  21. 21. MORE CONTROL
  22. 22. Defense in Depth Multi level security •  Physical security of the data centers •  Network security •  System security •  Data security DATA
  23. 23. AWS Security Delivers More Control & Granularity Customize the implementation based on your business needs AWS CloudHSM Defense in depth Rapid scale for security Automated checks with AWS Trusted Advisor Fine grained access controls Server side encryption Multi-factor authentication Dedicated instances Direct connection, Storage Gateway HSM-based key storage AWS IAM Amazon VPC AWS Direct Connect AWS Storage Gateway
  24. 24. AWS STAFF ACCESS ‣  Staff vetting ‣  Staff has no logical access to customer instances ‣  Staff control-plane access limited & monitored Bastion hosts, Least privileged model, Zoned data center access ‣  Business needs ‣  Separate PAMS
  25. 25. LEAST PRIVILEGE PRINCIPLE CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK
  26. 26. MORE CONTROL ON IDENTITY & ACCESS
  27. 27. USE AWS IAM IDENTITY & ACCESS MANAGEMENT
  28. 28. CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT
  29. 29. AWS IAM: Recent Innovations Securely control access to AWS services and resources •  Delegation –  Roles for Amazon EC2 –  Cross-account access •  Powerful integrated permissions –  Resource level permissions: Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation –  Access control policy variables –  Policy Simulator –  Enhanced IAM support: Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk •  Federation –  Web Identity Federation –  AD and Shibboleth examples –  Partner integrations –  Case study: Expedia •  Strong authentication –  MFA-protected API access –  Password policies •  Enhanced documentation and videos
  30. 30. ACCESS TO SERVICE APIs
  31. 31. Amazon DynamoDB Fine Grained Access Control Directly and securely access application data in Amazon DynamoDB Specify access permissions at table, item and attribute levels With Web Identity Federation, completely remove the need for proxy servers to perform authorization
  32. 32. MORE CONTROL OF YOUR DATA
  33. 33. MFA DELETE PROTECTION
  34. 34. YOUR DATA STAYS WHERE YOU PUT IT
  35. 35. USE MULTIPLE AZs AMAZON S3 AMAZON DYNAMODB AMAZON RDS MULTI-AZ AMAZON EBS SNAPSHOTS
  36. 36. DATA ENCRYPTION CHOOSE WHAT’S RIGHT FOR YOU: Automated – AWS manages encryption Enabled – user manages encryption using AWS Client-side – user manages encryption using their own mean
  37. 37. AWS CloudHSM Managed and monitored by AWS, but you control the keys Increase performance for applications that use HSMs for key storage or encryption Comply with stringent regulatory and contractual requirements for key protection EC2 Instance AWS CloudHSM AWS CloudHSM
  38. 38. ENCRYPT YOUR DATA AWS CLOUDHSM AMAZON S3 SSE AMAZON GLACIER AMAZON REDSHIFT AMAZON RDS …
  39. 39. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. Axway, Cloud and Security David FIGINI, VP Cloud Managed Services EMEA
  40. 40. •  11,000 customers •  100 countries •  332,5M € revenue in 2013 •  1,700+ employees •  HQ in Phoenix, AZ USA •  Offices in 19 countries Governing the flow of data DATA FLOW GOVERNANCE
  41. 41. Axway Cloud and AWS •  Start Quickly •  Everywhere •  No initial cost •  Pay per use •  Scale up and down •  No commitment •  Repeatable •  Reliable •  Secure VPC (Virtual Private Cloud) – Privatization for Cloud components. Data centers (zones) - Tier IV and compliant with all major third-party certifications. Storage – 99.999999999 durability Database – Multizone configuration Elastic Load Balancers – Zone independence VPN – AWS Direct Connect provides dedicated private networking for increased bandwidth and reliability. EC2 Instances – Elastic computing Cloud Formation – Reliable delivery from Web Services Applications – Designed for no single points of failure and non- repudiation. All services are monitored through a centralized location utilizing, SES, SNS, Cloud Watch, Nagios, etc.
  42. 42. Axway Cloud threat mitigation Architecture and Datacenter Vulnerabilities Service Platform Availability Information Confidentiality and Integrity Loss Decrease in Functional Performance Human Activities • Multi AZ Auto-Scaling groups Very High Availability • Solution deployed by Axway OS Patch management • Data encryption at rest and for communications • Backup policy based on snapshots Data loss and confidentiality • Access to environments is centralized and all activity is trackedHuman activity • Security and monitoring tools (Ossec, syslog, Nagios, CloudWatch, …) • Splunk to receive, process and present security events Real time monitoring
  43. 43. Axway Cloud security architecture •  SOC1 Type 2 certification achieved in March •  ISO27001 Beginning of 2015 Management Solution Access Control Axway data center Amazon Route 53 Axway workforce VPN Elastic Load Balancing Supervision Monitoring & Security tools VPC peering Solution Elastic Load Balancing VPC peering Monitoring & Security data Acce ss CloudWatch Amazon SES Auto Scaling group AZ #1 AZ #2 Auto Scaling group AZ #1 AZ #2 CloudTrail
  44. 44. •  Axway governs the flow of data in the Cloud •  Axway Cloud is based on a strong AWS partnership •  Security = AWS + Axway + Processes+ People Takeaways from Axway
  45. 45. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. Axway, Cloud and Security David FIGINI, VP Cloud Managed Services EMEA Merci !
  46. 46. MORE AUDITABILITY MORE VISIBILITY MORE CONTROL
  47. 47. IDC Survey Attitudes and Perceptions Around Security and Cloud Services Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization Source: IDC 2013 U.S. Cloud Security Survey Doc #242836, September 2013
  48. 48. AWS.AMAZON.COM/SECURITY
  49. 49. AWS SECURITY WHITEPAPERS RISK & COMPLIANCE AUDITING SECURITY CHECKLIST SECURITY PROCESSES SECURITY BEST PRACTICES
  50. 50. AWS MARKETPLACE SECURITY SOLUTIONS
  51. 51. © 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc. AWS Security Stephen E. Schmidt, Directeur de la Sécurité Merci !

×