Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia

Stephen Schmidt’s presentation at the Australian AWS Summit, Sydney 2012 - Executive Track

  1. Security and Privacy in the Cloud. Stephen Schmidt, Vice President & Chief Information Security Officer
  2. AWS Security Model Overview
     Certifications & Accreditations
     • Sarbanes-Oxley (SOX) compliance
     • ISO 27001 Certification
     • PCI DSS Level I Certification
     • HIPAA compliant architecture
     • SAS 70 (SOC 1) Type II Audit
     • FISMA Low & Moderate ATOs
     • DIACAP MAC III-Sensitive
     • Pursuing DIACAP MAC II-Sensitive
     Shared Responsibility Model
     • Customer/SI Partner/ISV controls guest OS-level security, including patching and maintenance
     • Application level security, including password and role based access
     • Host-based firewalls, including Intrusion Detection/Prevention Systems
     • Separation of Access
     Physical Security
     • Multi-level, multi-factor controlled access environment
     • Controlled, need-based access for AWS employees (least privilege)
     • Management Plane Administrative Access: multi-factor, controlled, need-based access to administrative hosts; all access logged, monitored, reviewed; AWS Administrators DO NOT have logical access inside a customer's VMs, including applications and data
     VM Security
     • Multi-factor access to Amazon Account
     • Instance Isolation: customer-controlled firewall at the hypervisor level; neighboring instances prevented access; virtualized disk management layer ensures only account owners can access storage disks (EBS)
     • Support for SSL end point encryption for API calls
     Network Security
     • Instance firewalls can be configured in security groups; the traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
     • Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
  3. Shared Responsibility Model
     AWS: Facilities; Physical Security; Physical Infrastructure; Network Infrastructure
     Customer: Operating System; Application; Security Groups; Network ACLs; Network Configuration; Account Management
  4. AWS Security Resources: http://aws.amazon.com/security/
     • Security Whitepaper
     • Risk and Compliance Whitepaper
     • Latest versions May 2011 and January 2012 respectively
     • Regularly updated
     • Feedback is welcome
  5. AWS Certifications
     • Sarbanes-Oxley (SOX)
     • ISO 27001 Certification
     • Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant
     • SAS 70 (SOC 1) Type II Audit
     • FISMA A&As: multiple NIST Low Approvals to Operate (ATO); NIST Moderate, GSA issued ATO; FedRAMP
     • DIACAP MAC III Sensitive ATO
     • Customers have deployed various compliant applications such as HIPAA (healthcare)
  6. SOC 1 Type II. Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report every six months and maintains a favorable unbiased and unqualified opinion from its independent auditors. AWS identifies those controls relating to the operational performance and security to safeguard customer data. The SOC 1 report audit attests that AWS' control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is on-going and we plan to continue our process of periodic audits. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report.
  7. SOC 1 Control Objectives
     • Control Objective 1: Security Organization
     • Control Objective 2: Amazon Employee Lifecycle
     • Control Objective 3: Logical Security
     • Control Objective 4: Secure Data Handling
     • Control Objective 5: Physical Security
     • Control Objective 6: Environmental Safeguards
     • Control Objective 7: Change Management
     • Control Objective 8: Data Integrity, Availability and Redundancy
     • Control Objective 9: Incident Handling
  8. ISO 27001. AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers in all regions worldwide, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). We have established a formal program to maintain the certification.
  9. Physical Security. Amazon has been building large-scale data centers for many years. Important attributes:
     • Non-descript facilities
     • Robust perimeter controls
     • Strictly controlled physical access
     • 2 or more levels of two-factor auth
     • Controlled, need-based access for AWS employees (least privilege)
     • All access is logged and reviewed
  10. (Map of AWS Regions and AWS Edge Locations.) Regions: GovCloud (US ITAR Region), US West (Northern California), US West (Oregon), US East (Northern Virginia), South America (Sao Paulo), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo).
  11. AWS Regions and Availability Zones: the customer decides where applications and data reside.
  12. AWS Identity and Access Management
     • Enables a customer to create multiple Users and manage the permissions for each of these Users.
     • Secure by default; new Users have no access to AWS until permissions are explicitly granted.
     • AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead all interactions with AWS Services and resources should be with AWS IAM User security credentials.
     • Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
  13. AWS MFA Benefits
     • Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
     • Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console
     • Adds an extra layer of protection to sensitive information, such as your AWS access identifiers
     • Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data
  14. Amazon EC2 Security
     Host operating system
     • Individual SSH keyed logins via bastion host for AWS admins
     • All accesses logged and audited
     Guest operating system
     • Customer controlled at root level
     • AWS admins cannot log in
     • Customer-generated keypairs
     Firewall
     • Mandatory inbound instance firewall, default deny mode
     • Outbound instance firewall available in VPC
     • VPC subnet ACLs
     Signed API calls
     • Require X.509 certificate or customer's secret AWS key
  15. Amazon EC2 Instance Isolation (diagram): Customer 1 ... Customer n on a hypervisor; virtual interfaces; Customer 1 ... Customer n security groups; firewall; physical interfaces.
  16. Virtual Memory & Local Disk (diagram: Amazon EC2 instances with an encrypted file system and an encrypted swap file)
     • Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
     • Local disk storage can also be encrypted by the customer for an added layer of security
  17. Network Security Considerations
     DDoS (Distributed Denial of Service):
     • Standard mitigation techniques in effect
     MITM (Man in the Middle):
     • All endpoints protected by SSL
     • Fresh EC2 host keys generated at boot
     IP Spoofing:
     • Prohibited at host OS level
     Unauthorized Port Scanning:
     • Violation of AWS TOS
     • Detected, stopped, and blocked
     • Ineffective anyway since inbound ports blocked by default
     Packet Sniffing:
     • Promiscuous mode is ineffective
  18. Amazon Virtual Private Cloud (VPC)
     • Create a logically isolated environment in Amazon's highly scalable infrastructure
     • Specify your private IP address range into one or more public or private subnets
     • Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
     • Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
     • Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
     • Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect
     • Use a wizard to easily create your VPC in 4 different topologies
  19. Amazon VPC Architecture (diagram, built up over slides 19 to 24): the customer's isolated AWS resources in subnets inside the Amazon Web Services Cloud; a router and VPN gateway; a secure VPN connection over the Internet and AWS Direct Connect (dedicated path/bandwidth) to the customer's network; later slides add Internet connectivity and NAT.
  25. Amazon VPC Network Security Controls (diagram)
  26. Amazon VPC - Dedicated Instances
     • New option to ensure physical hosts are not shared with other customers
     • $10/hr flat fee per Region + small hourly charge
     • Can identify specific Instances as dedicated
     • Optionally configure entire VPC as dedicated
  27. AWS Deployment Models (table; columns: Logical Network Isolation, Server and Application Access Policy, Granular Network Isolation, Logical Server Isolation, Physical Network and Facility Isolation, Government Only (US Persons Only), ITAR Compliant, Sample Workloads; the per-model check marks are not recoverable from the slide text)
     • Commercial Cloud: public facing apps, web sites, dev/test etc.
     • Virtual Private Cloud (VPC): data center extension, TIC environment, email, FISMA Low and Moderate
     • AWS GovCloud (US): US Persons compliant and Government specific apps
  28. Thanks! Remember to visit https://aws.amazon.com/security
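The secure-by-default stance of slide 12 (a new User has no access until permissions are explicitly granted, with MFA devices layered on top) is easiest to see as a policy evaluator. The Python below is an added example, not AWS code and not part of the presentation: it models a simplified subset of IAM policy evaluation (implicit deny, an explicit Deny overriding any Allow, '*' and '?' wildcards, and only the Bool/BoolIfExists condition operators), and the bucket names and policies are constructed.

```python
import fnmatch

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def _condition_holds(condition, context):
    """Only Bool and BoolIfExists are modelled; enough for an MFA check on the
    real condition key aws:MultiFactorAuthPresent."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False      # Bool never matches an absent key
                continue              # BoolIfExists: an absent key satisfies it
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def _statement_matches(stmt, action, resource, context):
    """Action names compare case-insensitively; '*' and '?' are IAM wildcards."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources)
            and _condition_holds(stmt.get("Condition", {}), context))

def evaluate(policies, action, resource, context=None):
    """Return 'allow' or 'deny': start from the implicit deny a new User has
    (slide 12); an explicit Deny in any matching statement wins outright."""
    context = context or {}
    decision = "deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "deny"
                decision = "allow"
    return decision

# Constructed policies: read-only access to one bucket, plus a Deny on every
# action whenever the request was not made with an MFA device (slide 12).
READ_BUCKET = {"Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
REQUIRE_MFA = {"Statement": [{
    "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
```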

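Slide 18 distinguishes stateless Network ACLs from stateful Security Groups, and the difference bites on reply traffic: a Security Group passes the answer to an allowed request on its own, while a NACL needs an explicit outbound rule covering the client's ephemeral port. This Python model is an added example, not from the presentation or from AWS; it assumes port-only rules, a constructed connection-tracking set in place of the real one, and the NACL facts that rules are evaluated in ascending rule number with first match winning and an implicit final deny, with all addresses and ports constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = toward the instance/subnet, "out" = leaving it
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    def reply(self):  # the packet the peer sends back in answer to this one
        return Packet("out" if self.direction == "in" else "in",
                      self.dst_ip, self.src_ip, self.dst_port, self.src_port)

@dataclass(frozen=True)
class Rule:
    direction: str
    port_lo: int
    port_hi: int
    action: str = "allow"   # NACLs also take "deny"; Security Groups are allow-only
    number: int = 0         # NACL rule number (lowest evaluated first); unused by SGs

class SecurityGroup:
    """Stateful, allow-only, default deny (slides 14 and 18): once a flow is
    allowed, its replies pass without a rule in the opposite direction."""
    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.flows = set()      # constructed stand-in for connection tracking
    def permits(self, pkt):
        if pkt.reply() in self.flows:   # reply to a flow we already allowed
            return True
        if any(r.direction == pkt.direction and r.port_lo <= pkt.dst_port <= r.port_hi
               for r in self.rules):
            self.flows.add(pkt)
            return True
        return False

class NetworkAcl:
    """Stateless (slide 18): each packet, replies included, is matched on its own
    against rules in ascending number; first match wins; no match means deny."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
    def permits(self, pkt):
        for r in self.rules:
            if r.direction == pkt.direction and r.port_lo <= pkt.dst_port <= r.port_hi:
                return r.action == "allow"
        return False

def https_round_trip(filter_):
    """(request_allowed, reply_allowed) for a constructed HTTPS request from
    Internet client 198.51.100.7:51515 to subnet instance 10.0.1.20:443."""
    request = Packet("in", "198.51.100.7", "10.0.1.20", 51515, 443)
    return filter_.permits(request), filter_.permits(request.reply())
```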