The document provides an overview of AWS security presented by Max Ramsay. It discusses AWS security capabilities that are available to all customers regardless of business type. It focuses on case studies of how Serasa Experian and Trend Micro use AWS, highlighting benefits like agility, flexibility and cost reduction. The document also covers shared security responsibilities on AWS, compliance controls, network security features, and resources for learning more about AWS security best practices.

1. Max Ramsay
AWS Cloud Security
Principal Security SolutionsArchitect

2. Vários Tutoriais , treinamentos e mentoria em
português
Inscreva-se agora !!
http://awshub.com.br

3. What we will be covering today
• AWS Security Overview
• Focus on Serasa Experian
• Focus on Trend Micro

4. AWS Security Overview

5. Cloud Security is

6. Every Customer Has Access to the Same Security Capabilities
• And gets to choose what’s right for their business needs
– Governments
– Financial Sector
– Pharmaceuticals
– Entertainment
– Start-ups
– Social Media
– Home Users
– Retail

7. Focus on Serasa Experian
Rodrigo Zenun
IT Specialist

8. “No nosso Laboratório de Inovação na AWS, conseguimos testar novas
tecnologias e lançar novos produtos em tempo recorde”.
• A Serasa Experian, parte do grupo
Experian, é o maior bureau de crédito do
mundo fora dos Estados Unidos, detendo
o mais extenso banco de dados da América
Latina sobre consumidores, empresas e
grupos econômicos.
• Há 45 anos no mercado brasileiro, a Serasa
Experian participa da maioria das decisões
de crédito e negócios tomadas no País,
respondendo, on-line e em tempo real, a 6
milhões de consultas por dia,
demandadas por 500 mil clientes diretos e
indiretos.
“A AWS nos
possibilita estudar
novas tecnologias
e inovar em uma
velocidade antes
inimaginável para
uma grande empresa
do setor financeiro”
- Rodrigo Zenun

9. O Desafio
• Criar uma extensão de nossos data
centers com, no mínimo, os mesmos
padrões de segurança que
possibilitasse o estudo de tecnologias
emergentes.
• Combinar flexibilidade, agilidade e
segurança da informação.
• Usufruir da elasticidade oferecida pela
AWS para front-end de aplicações e
produtos.

10. Sobre a o Papel da AWS e
Benefícios alcançados
• Realização de provas de conceito e
protótipos com muita facilidade e
agilidade;
• Viabilidade de lançamento de novos
produtos;
• Distribuição de conteúdo público;
• Redução de despesas e elasticidade;

11. AWS Security Overview
Continued

12. Visible Cloud Security
This
Or
This?

13. Auditable Cloud Security

14. Transparent Cloud Security

15. Security & Compliance Control Objectives
• Control Objective 1: Security Organization
• Control Objective 2: Amazon User Access
• Control Objective 3: Logical Security
• Control Objective 4: Secure Data Handling
• Control Objective 5: Physical Security and Environmental Safeguards
• Control Objective 6: Change Management
• Control Objective 7: Data Integrity, Availability and Redundancy
• Control Objective 8: Incident Handling

16. Security & Compliance Control Objectives (cont’d)
• Control Objective 1: Security Organization
– Who we are
– Proper control & access within the organization
• Control Objective 2: Amazon User Access
– How we vet our staff
– Minimization of access

17. Security & Compliance Control Objectives (cont’d)
• Control Objective 3: Logical Security
– Our staff start with no system access
– Need-based access grants
– Rigorous system separation
– System access grants regularly evaluated & automatically revoked

18. Security & Compliance Control Objectives (cont’d)
• Control Objective 4: Secure Data Handling
– Storage media destroyed before being permitted outside our datacenters
– Media destruction consistent with US Dept. of Defense Directive 5220.22
• Control Objective 5: Physical Security and Environmental Safeguards
– Keeping our facilities safe
– Maintaining the physical operating parameters of our datacenters

19. Security & Compliance Control Objectives (cont’d)
• Control Objective 6: Change Management
– Continuous operation
• Control Objective 7: Data Integrity, Availability and Redundancy
– Ensuring your data remains safe, intact, & available
• Control Objective 8: Incident Handling
– Process & procedures for mitigating and managing potential issues

20. Shared Responsibility
AWS
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure
Customer
• Choice of Guest OS
• Application Configuration Options
• Account Management Flexibility
• Security Groups
• Network ACLs
• Network Configuration Control

21. You Decide Where Applications and Data Reside

22. Network Security

23. Amazon EC2 Security
• Host operating system (AWS controlled)
– Individual SSH keyed logins via bastion host for AWS admins
– All accesses logged and audited
• Guest operating system (Customer controlled)
– AWS admins cannot log in
– Customer-generated keypairs
• Stateful firewall
– Mandatory inbound firewall, default deny mode
– Customer controls configuration via Security Groups
• Signed API calls
– Require X.509 certificate or customer’s secret AWS key

24. Physical interfaces
Customer 1
Hypervisor
Customer 2 Customer n
…
…
Virtual interfaces
Firewall
Customer 1
Security groups
Customer 2
Security groups
Customer n
Security groups

25. Tiering Security Groups

26. Tiering Security Groups (Cont’d)
• Dynamically created rules based on Security Group
membership
• Effectively create tiered network architectures
“Web” Security Group:
TCP 80 0.0.0.0/0
TCP 22 “Mgmt”
“App” Security Group:
TCP 8080 “Web”
TCP 22 “Mgmt”
“DB” Security Group:
TCP 3306 “App”
TCP 22 “Mgmt”
“Mgmt” Security Group:
TCP 22 163.128.25.32/32
Firewall
Web
Server
App
Server
Firewall
Firewall
DB
Server
Web
(HTTP)
8080
3306
22
22
Bastion
Host
Firewall
22

27. Amazon VPC Architecture
Customer’s
network
Amazon
Web Services
cloud
Secure VPN
Subnets
Router
VPN
gateway
Internet
NAT
AWS DirectConnect –
Dedicated
Path/Bandwidth
Customer’s
isolated AWS
resources

28. Amazon VPC Network Security Controls

29. VPC - Dedicated Instances
• Option to ensure physical hosts are not shared with other customers
• $2/hr flat fee per region + small hourly charge
• Can identify specific Instances as dedicated
• Optionally configure entire VPC as dedicated

30. AWS Deployment Models
Logical Server
and
Application
Isolation
Granular
Information
Access Policy
Logical
Network
Isolation
Physical
server
Isolation
Government Only
Physical Network
and Facility
Isolation
ITAR
Compliant
(US Persons
Only)
Sample Workloads
CommercialCloud   Public-facing apps, web
sites, dev, test, etc.
Virtual Private
Cloud (VPC)
    Datacenter extension, TIC
environment, email,
FISMA low and Moderate
AWS GovCloud (US)       US Persons Compliantand
Government Specific Apps

31. Premium Support Trusted Advisor
• Security Checks
– Security Group Rules (Hosts & Ports)
– IAM Use
– S3 Policies
• Fault Tolerance Checks
– Snapshots
– Multi-AZ
– VPN Tunnel Redundancy

32. Focus on Trend Micro
JD Sherry
Vice President, Technology and Solutions

33. Security in 2013
The Cloud Changes Nothing…
and Everything!
July 2013
JD Sherry
Vice President, Technology & Solutions

34. Discussion Outcomes
8/2/2013 Copyright 2013 Trend Micro Inc. 36
• Enterprises and the Cloud
• Best Practices for Compliance & Security in the Cloud
• Solutions and Case Studies

35. Enterprises and the Cloud …
8/2/2013 Copyright 2013 Trend Micro Inc. 37
• Security & compliance top priorities for enterprises, underscoring
concerns that are impeding cloud adoption
• Are cloud security needs that different than on-premise?
– Cloud introduces the concept of shared responsibility for securing their
services and applications running in the cloud
• Security is not the only inhibitor …
– Many organizations are reluctant to change status quo
• Fear of the unknown
• Cloud concepts & terminology intimidating
• IT job loss concerns
• Dramatic change from a process & operations perspective …
• Not sure how/where to get started …

36. Customer Security Concerns
8/2/2013 Copyright 2013 Trend Micro Inc. 38
• Data sovereignty
– Concerns over stewardship of data
• Who has access to the data? customer, provider,
government?
• Data privacy concerns > other tenants, attacks against
my data …
• Will my data leave the country?
– If I terminate a cloud server, do copies of my
data still exist in the cloud?
– US Patriot Act
• Could USA law enforcement gain access to my
systems and data?

37. Customer Security Concerns
8/2/2013 Copyright 2013 Trend Micro Inc. 39
• Multi-tenancy
– Risk of configuration errors leading to data exposure
– How can I protect my cloud servers from attack?
– Will I even know my cloud servers are being attacked?
• Compliance
– How can I use the cloud and still meet internal and
external compliance requirements?
– Who is responsible for cloud security?

38. Consumers of Cloud Services Responsibilities
8/2/2013 Copyright 2013 Trend Micro Inc. 40
• Consumers of cloud services are responsible for
– Security of the instance (OS & Applications)
– Ensuring SLA’s are maintained
– Ultimately it boils down to protecting your instances from compromise
and the integrity of the applications running in the cloud …
• How do you protect AWS instances?
– Traditional network appliances are not feasible
• Limited control over the network …
– Agent-based host security controls are required

39. Cloud Security is a Shared Responsibility
8/2/2013 Copyright 2013 Trend Micro Inc. 41
• What type of host security controls are required?
The Need Preferred Security Control
Data confidentiality Encryption
Block malicious software Anti-Malware
Detect & track vulnerabilities Vulnerability scanning services
Control server communications Host-firewalls
Detect suspicious activity Intrusion Prevention
Detect unauthorized changes File Integrity Monitoring
Block OS & App vulnerabilities Patch & shield vulnerabilities
Data monitoring & compliance DLP
• Security principles don’t change
• Implementation & Management change drastically

40. 8/2/2013 42
The Cloud Changes
Nothing…and Everything!
Practical Guidance for
Compliance & Security
in the Cloud

41. Practical Considerations
8/2/2013 Copyright 2013 Trend Micro Inc. 43
Cloud Elasticity
• Automated protection of new instances critical
to success
• Equally important that terminated instances are
not left ‘orphaned’
• Security must become part of the cloud fabric,
including working within the provisioning
process, with support for leading tools critical
OpsWorks

42. Copyright 2013 Trend Micro Inc.
Transformation
Physical Virtual Cloud
Cloud and Data Center Security
Anti-Malware
Integrity
Monitoring
Encryption
Log
Inspection
Firewall
Intrusion
Prevention
Data Center Ops
Security
Deep Security SecureCloud

43. Case Study
8/2/2013 Copyright 2013 Trend Micro Inc. 45
Global Financial/Insurance
Company
Rapid business
expansion
Address high cost &
complexity with cloud
First Mover in their
industry
Opportunities
Challenges
Compliance &
data privacy
Cloud provider
role definition
Data
destruction
Solution
Shared responsibility
model
SecureCloud
Dynamic encryption
via automated policy
Data persistently
encryption
(destruction)
Sensitive data
protected via
key access

44. Case Study
8/2/2013 Copyright 2013 Trend Micro Inc. 46
Large Manufacturing Company
Data center
consolidation
Address high cost with
cloud (utility pricing)
Infrastructure
elasticity
Opportunities
Challenges
Management
& platform
support
Security in the
cloud
Managing
multiple point
solutions
Solution
Dynamic
infrastructure with
utility billing
Deep Security
Comprehensive cloud
security
Automated
management &
integration with Chef
Broad
environment
support

45. Case Study
8/2/2013 Copyright 2013 Trend Micro Inc. 47
Global Transportation
Company
Efficiency
Drive down cost
with cloud
Infrastructure
elasticity & reliability
Opportunities
Challenges
Management
across systems
Support for
multiple clouds
Corporate
governance
Solution
Rapid deployment
Deep Security
Comprehensive
cloud security
SecureCloud
Encryption of
sensitive data
Broad
environment
support

46. Thank You!
JD Sherry
Vice President, Technology & Solutions
Booth 101

47. AWS Security Overview
Continued

48. AWS Security, Compliance, & Architecture Resources
http://aws.amazon.com/security/
• Security whitepaper
• Security best practices
• Security bulletins
• Customer security testing process
http://aws.amazon.com/compliance/
• Risk and compliance whitepaper
http://aws.amazon.com/architecture/
• Reference Architectures
• Whitepapers
• Webinars
http://blogs.aws.amazon.com/security/
• Stay up to date on security and
compliance in AWS
Feedback is always welcome!

49. Thank You!!!
awsmax@amazon.com