
Security Day What's (nearly) New

Published in: Business
  1. What’s (nearly) New? Dave Walker, Specialist Solutions Architect, Security & Compliance EMEA. London, 28/01/16. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Cloud Security Principles (Compliance)
     o Issued 1 Apr 2014 by the CESG
     o They replace the Business Impact Levels model (BIL: IL1-IL5+)
     o Distributed certification model
     o Risk-based approach: suitability for purpose
     o New protective marking mechanisms
     o AWS Whitepaper Available
  3. Cyber Essentials Plus (Compliance in Dublin)
     Certificate (image): This is to certify that Amazon Web Services (Scope limited to Dublin Region), 60 Holborn Viaduct, London EC1A 2FD, has been assessed by Zia Rehman for Perspective Risk Ltd against the Cyber Essentials Scheme Test Specification. Level of certification: Cyber Essentials PLUS. Scope: Cyber Essentials Plus of external Dublin network perimeter, sample desktop and mobile devices. Certification date: August 7th, 2015. Recommended re-assessment date: August 6th, 2016. Certificate no.: 2864877880893798.
     This Certificate confirms that the organisation named was assessed against the Cyber Essentials Requirements dated June 2014, and at the time of testing, the organisation's ICT defences were assessed to meet the Requirements. Cyber Essentials Certification indicates that the organisation has implemented a sensible baseline of organisational cyber security only, and implies no guarantee of effective defence against commodity cyber attacks circumventing this baseline. Organisations are recommended to define and understand the risks to their organisation and take all appropriate action to mitigate or reduce any issues, which may require a greater degree of rigour or technical investment than is required for Cyber Essentials alone.
     Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme that helps organisations demonstrate security against common cyber attacks. The ‘Plus’ scheme benefits from independent testing and validation compared to the baseline ‘Cyber Essentials’ scheme that is self-attested.
  4. ISO 27018
     Certificate (image): EY CertifyPoint certificate number 2015-016 for Amazon Web Services, Inc., headquartered in Seattle, Washington, United States of America, certifying compliance with ISO/IEC 27018:2014 in addition to the ISMS certificate [2013-009]. Issue date October 1, 2015; expiration date November 12, 2016; scope per Statement of Applicability version 2015,01, approved on September 15, 2015.
     o Customers control their content.
     o Customers' content will not be used for any unauthorized purposes.
     o Physical media is destroyed prior to leaving AWS data centers.
     o AWS provides customers the means to delete their content.
     o AWS doesn’t disclose customers' content
  5. ISO 27017
     o Newest ISO code of practice
     o Builds on top of ISO 27002
     o Information security controls specific to Cloud services
     o Scope includes all AWS Regions and edge locations
  6. AWS Security Tools
     AWS Trusted Advisor: periodic evaluation of alignment with AWS Best Practices. Not just security-related.
     AWS Config Rules: create rules that govern configuration of your AWS resources. Continuous evaluation.
     Amazon Inspector: security insights into your applications. Runs on EC2 instances; on-demand scans.
     AWS Compliance: AWS is responsible for security of the cloud; the customer is responsible for security in the cloud.
  7. Cloud Config Rules
  8. AWS Config Rules features
     o Flexible rules evaluated continuously and retroactively
     o Dashboard and reports for common goals
     o Customizable remediation
     o API automation
  9. AWS Config Rules: broad ecosystem of solutions
  10. AWS Config Rules benefits
     o Continuous monitoring for unexpected changes
     o Shared compliance across your organization
     o Simplified management of configuration changes
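An added example, not code from the deck or from AWS: the evaluation logic of a custom Config rule, the Lambda-backed kind the slides describe, that checks each security group's ingress rules for a port opened to the whole Internet. It assumes the event shape such a rule receives (an invokingEvent JSON string holding a configurationItem, plus ruleParameters) and the ipPermissions layout of a SecurityGroup configuration item; the verdict is built separately from the put_evaluations call so the logic runs without AWS credentials.

```python
"""Custom AWS Config rule logic: flag security groups exposing a port to the world.

Added example, not from the slides. Assumes the event a Lambda-backed rule receives
(invokingEvent: JSON string with a configurationItem; ruleParameters) and the
SecurityGroup configuration layout read below.
"""
import json
from typing import Any, Dict

WORLD = ("0.0.0.0/0", "::/0")


def evaluate_security_group(config: Dict[str, Any], port: int = 22) -> str:
    """Return NON_COMPLIANT if any ingress rule opens `port` to 0.0.0.0/0 or ::/0."""
    for perm in config.get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "-1"):            # "-1" means all protocols
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if proto == "tcp" and not (lo is not None and hi is not None and lo <= port <= hi):
            continue
        cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        cidrs += perm.get("ipRanges", [])          # older flat form: plain strings
        if any(c in WORLD for c in cidrs):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate(event: Dict[str, Any]) -> Dict[str, Any]:
    """Build the one Evaluation that put_evaluations expects; makes no AWS calls."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance = "NOT_APPLICABLE"
    else:
        params = json.loads(event.get("ruleParameters") or "{}")
        compliance = evaluate_security_group(item["configuration"], int(params.get("port", 22)))
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> None:
    """Lambda entry point: report the verdict back to AWS Config."""
    import boto3  # imported here so the logic above runs and tests offline
    boto3.client("config").put_evaluations(Evaluations=[evaluate(event)], ResultToken=event["resultToken"])
```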
  11. Security by Design - SbD
     • Systematic approach to ensure security
     • Formalizes AWS account design
     • Automates security controls
     • Streamlines auditing
     • Provides control insights throughout the IT management process
     Services: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config
  12. GoldBase - Scripting your governance policy
     Set of CloudFormation Templates & Reference Architectures that accelerate compliance with PCI, EU Personal Data Protection, HIPAA, FFIEC, FISMA, CJIS.
     Result: reliable technical implementation of administrative controls
  13. What is Inspector?
     • Application security assessment
     • Selectable built-in rules
     • Security findings
     • Guidance and management
     • Automatable via APIs
  14. Rule packages
     • CVE (common vulnerabilities and exposures)
     • Network security best practices
     • Authentication best practices
     • Operating system security best practices
     • Application security best practices
     • PCI DSS 3.0 readiness
  15. Getting started
  16. Prioritized findings
  17. Detailed remediation recommendations
  18. What is AWS WAF?
     Diagram: good users and bad guys send requests through AWS WAF to the web server and database (application DDoS).
     AWS WAF rules: 1: BLOCK requests from bad guys. 2: ALLOW requests from good guys.
     Types of conditions in rules: 1: Source IP/range 2: String Match 3: SQL Injection
  19. Why AWS WAF?
     Diagram: application DDoS, vulnerabilities, abuse; good users and bad guys reaching the web server and database.
  20. AWS WAF Partner integrations
     • Alert Logic, Trend Micro, and Imperva integrating with AWS WAF
     • Offer additional detection and threat intelligence
     • Dynamically modify rulesets of AWS WAF for increased protection
  21. S2N – AWS Implementation of TLS
     • Small: ~6,000 lines of code, all audited; ~80% less memory consumed
     • Fast: 12% faster
     • Simple: avoid rarely used options/extensions
  22. VPC Flow Logs
  23. Flow Log Record Structure (one example record, field by field)
     Event-Version: 2
     Account Number: 123456789
     ENI-ID: eni-31607853
     Source-IP: 172.16.0.10
     Destination-IP: 172.16.0.172
     Source-Port: 80
     Destination-Port: 41707
     Protocol Number: 6
     Number of Packets: 1
     Number of Bytes: 40
     Start-Time Window: 1440402534
     End-Time Window: 1440402589
     Action: ACCEPT
     State: OK
     Raw record: 2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK
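An added example, not from the deck: a Python parser for the record structure above, with two detections run over constructed sample records (the first sample is the slide's own record): counting rejected flows per source address, and flagging accepted TCP flows that touch no expected service port on either end, the "unintended communication" the Detect slide says Flow Logs reveal. NODATA records, whose traffic fields are "-", are handled as well.

```python
"""VPC Flow Log v2 record parser plus two simple detections over the records.
Added example, not from the slides; field order follows the slide's record
structure. SAMPLE is constructed (its first line is the slide's example record).
"""
from collections import Counter
from typing import Dict, List, Set, Union

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
Record = Dict[str, Union[str, int, None]]
SAMPLE = [
    "2 123456789 eni-31607853 172.16.0.10 172.16.0.172 80 41707 6 1 40 1440402534 1440402589 ACCEPT OK",
    "2 123456789 eni-31607853 198.51.100.7 172.16.0.10 51234 22 6 3 180 1440402540 1440402590 REJECT OK",
    "2 123456789 eni-31607853 198.51.100.7 172.16.0.10 51235 3389 6 2 120 1440402541 1440402591 REJECT OK",
    "2 123456789 eni-31607853 203.0.113.9 172.16.0.10 40022 4444 6 5 300 1440402550 1440402600 ACCEPT OK",
    "2 123456789 eni-31607853 - - - - - - - 1440402560 1440402620 - NODATA",  # no traffic in window
]


def parse_record(line: str) -> Record:
    """Split one space-separated record; NODATA/SKIPDATA lines carry '-' placeholders."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Record = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = None if rec[name] == "-" else int(rec[name])
    return rec


def rejected_by_source(lines: List[str]) -> Counter:
    """Count REJECTed flows per source address (what security groups / NACLs turned away)."""
    counts: Counter = Counter()
    for rec in map(parse_record, lines):
        if rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return counts


def unexpected_accepts(lines: List[str], service_ports: Set[int]) -> List[Record]:
    """ACCEPTed TCP flows that touch no expected service port on either end. The slide's
    record (srcport 80 -> 41707) is the return half of a normal web flow, so both ports
    are checked before a flow is flagged as unintended communication."""
    hits = []
    for rec in map(parse_record, lines):
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT" or rec["protocol"] != 6:
            continue
        if rec["srcport"] not in service_ports and rec["dstport"] not in service_ports:
            hits.append(rec)
    return hits
```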
  24. Introducing AWS Certificate Manager: AWS Certificate Manager (ACM) makes it easy to provision, manage, deploy, and renew SSL/TLS certificates on the AWS platform.
  25. AWS Certificate Manager
     • Provision trusted SSL/TLS certificates from AWS for use with AWS resources: Elastic Load Balancing, Amazon CloudFront distributions
     • AWS handles the “maths and maintenance”: key pair and CSR generation; managed renewal and deployment; domain validation (DV) through email
     • Available through AWS Management console, CLI, or API
  26. AWS Certificate Manager (ACM) Benefits
     • Protect and secure websites and applications
     • Provision certificates quickly and easily
     • Free
     • Managed certificate renewal
     • Secure key management
     • Centrally manage certificates on the AWS Cloud
     • Integrated with other AWS Cloud Services
  27. ACM Use Cases
     • Help meet regulatory compliance requirements for encryption of data in transit: PCI, FedRAMP and HIPAA
     • Minimize downtime and outages
     • Improve search rankings by using SSL/TLS
  28. ACM-Provided Certificates
     Domain names
     • Single domain name: www.example.com
     • Wildcard domain names: *.example.com
     • Combination of wildcard and non-wildcard names
     • Multiple domain names in the same certificate (up to 10)
     ACM-provided certificates are managed
     • Private keys are generated, protected, and managed
     • ACM-provided certificates cannot be used on EC2 instances or on-premises servers
     • Can be used with AWS services, such as ELB and CloudFront
     Algorithms
     • RSA 2048 and SHA-256
  29. What is available at launch?
     • SSL/TLS certificates for use with AWS services (ELB and CloudFront)
     • Availability in US-East (N. Virginia)
     • Domain validation via email
     • Console, API, CLI
     • Integration with ELB and CloudFront
     • Managed renewal and deployment
  30. What is NOT available at launch?
     • Availability in additional regions
     • Certificates for use on EC2
     • “Take home” certificates that can be used anywhere
     • Cross-region certificates
     • Cross-account access to certificates
     • CloudTrail logging of ACM API calls
     • Tagging
     • Certificates for email, code signing, or any other purpose except SSL/TLS termination
  31. Certification & Education
     • Security Fundamentals on AWS: free, online course for security auditors and analysts
     • Security Operations on AWS: 3-day class for security engineers, architects, analysts, and auditors
     • AWS Certification: security is part of all AWS exams
  32. Rich Security Capabilities in the Cloud: Prepare, Prevent, Detect, Respond
  33. Prepare
     o AWS Security Solutions Architects
     o AWS Professional Services
     o AWS Secure by Design & GoldBase
     o AWS Security Best Practices
     o Partner Professional Services
     o AWS Training and Certification
     o Understand Compliance Requirements
  34. Prevent
     o Use IAM – consider MFA, roles, federation, SSO
     o Implement Amazon WAF
     o Leverage S2N for secure TLS connections
     o Implement Config Rules to enforce compliance
     o Implement Amazon Inspector to identify vulnerabilities early on
  35. Detect
     o CloudTrail enabled across all accounts and services
     o Consider Config & Config Rules logs
     o Inspector can be used as a detective tool
     o Trusted Advisor goes beyond just security
     o Use CloudWatch logs
     o VPC Flow Logs give insight into intended and unintended communication taking place in your VPC
     o Look at partner log management and security monitoring solutions
  36. Respond
     o Be Prepared: develop, acquire or hire Security Incident Response capabilities; test preparedness via game days
     o Automated response and containment is always better than manual response
     o AWS supports forensic investigations
     o Leverage AWS Support for best results
     o Talk to our security partners
  37. Be Secure & Compliant in the Cloud!
  38. Thank you!
