AWS Cloud Security

Max Ramsay
AWS Cloud Security
Principal Security SolutionsArchitect

Vários Tutoriais , treinamentos e mentoria em
português
Inscreva-se agora !!
http://awshub.com.br

What we will be covering today
• AWS Security Overview
• Focus on Serasa Experian
• Focus on Trend Micro

Every Customer Has Access to the Same Security Capabilities
• And gets to choose what’s right for their business needs
– Governments
– Financial Sector
– Pharmaceuticals
– Entertainment
– Start-ups
– Social Media
– Home Users
– Retail

Focus on Serasa Experian
Rodrigo Zenun
IT Specialist

“No nosso Laboratório de Inovação na AWS, conseguimos testar novas
tecnologias e lançar novos produtos em tempo recorde”.
• A Serasa Experian, parte do grupo
Experian, é o maior bureau de crédito do
mundo fora dos Estados Unidos, detendo
o mais extenso banco de dados da América
Latina sobre consumidores, empresas e
grupos econômicos.
• Há 45 anos no mercado brasileiro, a Serasa
Experian participa da maioria das decisões
de crédito e negócios tomadas no País,
respondendo, on-line e em tempo real, a 6
milhões de consultas por dia,
demandadas por 500 mil clientes diretos e
indiretos.
“A AWS nos
possibilita estudar
novas tecnologias
e inovar em uma
velocidade antes
inimaginável para
uma grande empresa
do setor financeiro”
- Rodrigo Zenun

O Desafio
• Criar uma extensão de nossos data
centers com, no mínimo, os mesmos
padrões de segurança que
possibilitasse o estudo de tecnologias
emergentes.
• Combinar flexibilidade, agilidade e
segurança da informação.
• Usufruir da elasticidade oferecida pela
AWS para front-end de aplicações e
produtos.

Sobre a o Papel da AWS e
Benefícios alcançados
• Realização de provas de conceito e
protótipos com muita facilidade e
agilidade;
• Viabilidade de lançamento de novos
produtos;
• Distribuição de conteúdo público;
• Redução de despesas e elasticidade;

AWS Security Overview
Continued

Visible Cloud Security
This
Or
This?

Security & Compliance Control Objectives
• Control Objective 1: Security Organization
• Control Objective 2: Amazon User Access
• Control Objective 3: Logical Security
• Control Objective 4: Secure Data Handling
• Control Objective 5: Physical Security and Environmental Safeguards
• Control Objective 6: Change Management
• Control Objective 7: Data Integrity, Availability and Redundancy
• Control Objective 8: Incident Handling

Security & Compliance Control Objectives (cont’d)
• Control Objective 1: Security Organization
– Who we are
– Proper control & access within the organization
• Control Objective 2: Amazon User Access
– How we vet our staff
– Minimization of access

• Control Objective 3: Logical Security
– Our staff start with no system access
– Need-based access grants
– Rigorous system separation
– System access grants regularly evaluated & automatically revoked

• Control Objective 4: Secure Data Handling
– Storage media destroyed before being permitted outside our datacenters
– Media destruction consistent with US Dept. of Defense Directive 5220.22
• Control Objective 5: Physical Security and Environmental Safeguards
– Keeping our facilities safe
– Maintaining the physical operating parameters of our datacenters

• Control Objective 6: Change Management
– Continuous operation
• Control Objective 7: Data Integrity, Availability and Redundancy
– Ensuring your data remains safe, intact, & available
• Control Objective 8: Incident Handling
– Process & procedures for mitigating and managing potential issues

Shared Responsibility
AWS
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure
Customer
• Choice of Guest OS
• Application Configuration Options
• Account Management Flexibility
• Security Groups
• Network ACLs
• Network Configuration Control

You Decide Where Applications and Data Reside

Amazon EC2 Security
• Host operating system (AWS controlled)
– Individual SSH keyed logins via bastion host for AWS admins
– All accesses logged and audited
• Guest operating system (Customer controlled)
– AWS admins cannot log in
– Customer-generated keypairs
• Stateful firewall
– Mandatory inbound firewall, default deny mode
– Customer controls configuration via Security Groups
• Signed API calls
– Require X.509 certificate or customer’s secret AWS key

Physical interfaces
Customer 1
Hypervisor
Customer 2 Customer n
…
…
Virtual interfaces
Firewall
Customer 1
Security groups
Customer 2
Security groups
Customer n
Security groups

Tiering Security Groups (Cont’d)
• Dynamically created rules based on Security Group
membership
• Effectively create tiered network architectures
“Web” Security Group:
TCP 80 0.0.0.0/0
TCP 22 “Mgmt”
“App” Security Group:
TCP 8080 “Web”
TCP 22 “Mgmt”
“DB” Security Group:
TCP 3306 “App”
TCP 22 “Mgmt”
“Mgmt” Security Group:
TCP 22 163.128.25.32/32
Firewall
Web
Server
App
Server
Firewall
Firewall
DB
Server
Web
(HTTP)
8080
3306
22
22
Bastion
Host
Firewall
22

Amazon VPC Architecture
Customer’s
network
Amazon
Web Services
cloud
Secure VPN
Subnets
Router
VPN
gateway
Internet
NAT
AWS DirectConnect –
Dedicated
Path/Bandwidth
Customer’s
isolated AWS
resources

Amazon VPC Network Security Controls

VPC - Dedicated Instances
• Option to ensure physical hosts are not shared with other customers
• $2/hr flat fee per region + small hourly charge
• Can identify specific Instances as dedicated
• Optionally configure entire VPC as dedicated

AWS Deployment Models
Logical Server
and
Application
Isolation
Granular
Information
Access Policy
Logical
Network
Isolation
Physical
server
Isolation
Government Only
Physical Network
and Facility
Isolation
ITAR
Compliant
(US Persons
Only)
Sample Workloads
CommercialCloud   Public-facing apps, web
sites, dev, test, etc.
Virtual Private
Cloud (VPC)
    Datacenter extension, TIC
environment, email,
FISMA low and Moderate
AWS GovCloud (US)       US Persons Compliantand
Government Specific Apps

Premium Support Trusted Advisor
• Security Checks
– Security Group Rules (Hosts & Ports)
– IAM Use
– S3 Policies
• Fault Tolerance Checks
– Snapshots
– Multi-AZ
– VPN Tunnel Redundancy

Focus on Trend Micro
JD Sherry
Vice President, Technology and Solutions

Security in 2013
The Cloud Changes Nothing…
and Everything!
July 2013
JD Sherry
Vice President, Technology & Solutions

Discussion Outcomes
8/2/2013 Copyright 2013 Trend Micro Inc. 36
• Enterprises and the Cloud
• Best Practices for Compliance & Security in the Cloud
• Solutions and Case Studies

Enterprises and the Cloud …
• Security & compliance top priorities for enterprises, underscoring
concerns that are impeding cloud adoption
• Are cloud security needs that different than on-premise?
– Cloud introduces the concept of shared responsibility for securing their
services and applications running in the cloud
• Security is not the only inhibitor …
– Many organizations are reluctant to change status quo
• Fear of the unknown
• Cloud concepts & terminology intimidating
• IT job loss concerns
• Dramatic change from a process & operations perspective …
• Not sure how/where to get started …

Customer Security Concerns
• Data sovereignty
– Concerns over stewardship of data
• Who has access to the data? customer, provider,
government?
• Data privacy concerns > other tenants, attacks against
my data …
• Will my data leave the country?
– If I terminate a cloud server, do copies of my
data still exist in the cloud?
– US Patriot Act
• Could USA law enforcement gain access to my
systems and data?

Customer Security Concerns
• Multi-tenancy
– Risk of configuration errors leading to data exposure
– How can I protect my cloud servers from attack?
– Will I even know my cloud servers are being attacked?
• Compliance
– How can I use the cloud and still meet internal and
external compliance requirements?
– Who is responsible for cloud security?

Consumers of Cloud Services Responsibilities
• Consumers of cloud services are responsible for
– Security of the instance (OS & Applications)
– Ensuring SLA’s are maintained
– Ultimately it boils down to protecting your instances from compromise
and the integrity of the applications running in the cloud …
• How do you protect AWS instances?
– Traditional network appliances are not feasible
• Limited control over the network …
– Agent-based host security controls are required

Cloud Security is a Shared Responsibility
• What type of host security controls are required?
The Need Preferred Security Control
Data confidentiality Encryption
Block malicious software Anti-Malware
Detect & track vulnerabilities Vulnerability scanning services
Control server communications Host-firewalls
Detect suspicious activity Intrusion Prevention
Detect unauthorized changes File Integrity Monitoring
Block OS & App vulnerabilities Patch & shield vulnerabilities
Data monitoring & compliance DLP
• Security principles don’t change
• Implementation & Management change drastically

8/2/2013 42
The Cloud Changes
Nothing…and Everything!
Practical Guidance for
Compliance & Security
in the Cloud

Practical Considerations
Cloud Elasticity
• Automated protection of new instances critical
to success
• Equally important that terminated instances are
not left ‘orphaned’
• Security must become part of the cloud fabric,
including working within the provisioning
process, with support for leading tools critical
OpsWorks

Copyright 2013 Trend Micro Inc.
Transformation
Physical Virtual Cloud
Cloud and Data Center Security
Anti-Malware
Integrity
Monitoring
Encryption
Log
Inspection
Firewall
Intrusion
Prevention
Data Center Ops
Security
Deep Security SecureCloud

Case Study
Global Financial/Insurance
Company
Rapid business
expansion
Address high cost &
complexity with cloud
First Mover in their
industry
Opportunities
Challenges
Compliance &
data privacy
Cloud provider
role definition
Data
destruction
Solution
Shared responsibility
model
SecureCloud
Dynamic encryption
via automated policy
Data persistently
encryption
(destruction)
Sensitive data
protected via
key access

Case Study
Large Manufacturing Company
Data center
consolidation
Address high cost with
cloud (utility pricing)
Infrastructure
elasticity
Opportunities
Challenges
Management
& platform
support
Security in the
cloud
Managing
multiple point
solutions
Solution
Dynamic
infrastructure with
utility billing
Deep Security
Comprehensive cloud
security
Automated
management &
integration with Chef
Broad
environment
support

Case Study
Global Transportation
Company
Efficiency
Drive down cost
with cloud
Infrastructure
elasticity & reliability
Opportunities
Challenges
Management
across systems
Support for
multiple clouds
Corporate
governance
Solution
Rapid deployment
Deep Security
Comprehensive
cloud security
SecureCloud
Encryption of
sensitive data
Broad
environment
support

Thank You!
JD Sherry
Vice President, Technology & Solutions
Booth 101

AWS Security, Compliance, & Architecture Resources
http://aws.amazon.com/security/
• Security whitepaper
• Security best practices
• Security bulletins
• Customer security testing process
http://aws.amazon.com/compliance/
• Risk and compliance whitepaper
http://aws.amazon.com/architecture/
• Reference Architectures
• Whitepapers
• Webinars
http://blogs.aws.amazon.com/security/
• Stay up to date on security and
compliance in AWS
Feedback is always welcome!

Thank You!!!
awsmax@amazon.com

AWS Cloud Security

More Related Content

Viewers also liked

Similar to AWS Cloud Security

More from Amazon Web Services LATAM

Recently uploaded

AWS Cloud Security