Securing Your Journey to the Cloud
Santanu Dutt, Solutions Architect, santanu@amazon.com
Sharda Tickoo, Subject Matter Expert, Trend Micro
Shared Responsibility Model
AWS:
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure
Customer:
• Operating System
• Application
• Security Groups
• OS Firewalls
• Network Configuration
• Account Management
Who says?
AWS Certifications
• Based on the Shared Responsibility model
• AWS Environment
   – SSAE 16 / SAS70 Type II Audit
   – ISO 27001 Certification
   – Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
   – FedRAMP (FISMA)
• Customers have deployed various compliant applications:
   – Sarbanes-Oxley (SOX)
   – HIPAA (healthcare)
   – FISMA (US Federal Government)
   – DIACAP MAC III Sensitive IATO
How did AWS do that?
Physical Security of Data Centers
• Amazon has been building large-scale data centers for many years
• Important attributes:
   – Non-descript facilities
   – Robust perimeter controls
   – Strictly controlled physical access
   – 2 or more levels of two-factor auth
• Controlled, need-based access
• All access is logged and reviewed
• Separation of Duties
   – employees with physical access don’t have logical privileges
Amazon EC2 Instance Isolation
[Diagram, top to bottom: Customer 1, Customer 2 … Customer n instances; Hypervisor; Virtual Interfaces; Customer 1, Customer 2 … Customer n Security Groups; Firewall; Physical Interfaces]
Storage Device Decommissioning
• All storage devices go through a decommissioning process
• Uses techniques from
  – DoD 5220.22-M (“National Industrial Security Program Operating Manual”)
  – NIST 800-88 (“Guidelines for Media Sanitization”)
• Ultimately
  – degaussed
  – physically destroyed
Network Security Considerations
• Distributed Denial of Service (DDoS):
   – Standard mitigation techniques in effect
• Man in the Middle (MITM):
   – All endpoints protected by SSL
   – Fresh EC2 host keys generated at boot
• IP Spoofing:
   – Prohibited at host OS level
• Unauthorized Port Scanning:
   – Violation of AWS TOS
   – Detected, stopped, and blocked
   – Inbound ports blocked by default
• Packet Sniffing:
   – Promiscuous mode is ineffective
   – Protection at hypervisor level
How do I build secure?
AWS Identity and Access Management (IAM)
• Users and Groups within Accounts
• Unique security credentials
   – Access keys
   – Login/Password
   – optional MFA device
• Policies control access to AWS APIs
• API calls must be signed by either:
   – X.509 certificate
   – secret key
• Deep integration into some Services
   – S3: policies on objects and buckets
   – SimpleDB: domains
• AWS Management Console supports User log on
• Not for Operating Systems or Applications
   – use LDAP, Active Directory/ADFS, etc.
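The "API calls must be signed by a secret key" bullet, as an added example that is not AWS SDK code: the client computes an HMAC-SHA256 over a canonical string in the manner of AWS Signature Version 2, and the service side looks up the secret for the access key id, bounds the timestamp skew to limit replay, recomputes the signature and compares it in constant time. The access key id, secret key, host and clock are constructed placeholders.

```python
"""HMAC request signing and verification with a secret key, modelled on AWS
Signature Version 2 (the secret-key option on the IAM slide).

Added example, not AWS SDK code. The access key id, secret key and host are
constructed placeholders.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
from urllib.parse import quote

ACCESS_KEY_ID = "AKIACONSTRUCTEDEXAMPLE"                   # constructed placeholder
SECRET_KEY = "constructed-secret-key-do-not-use-for-real"  # constructed placeholder
HOST = "ec2.example.test"                                  # constructed endpoint
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def canonical_query(params: Dict[str, str]) -> str:
    """Sort parameters by byte order and percent-encode per RFC 3986 (SigV2 rules)."""
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def string_to_sign(method: str, host: str, path: str, params: Dict[str, str]) -> str:
    # SigV2 layout: verb, lower-cased host, path and canonical query, newline separated.
    return "\n".join([method, host.lower(), path, canonical_query(params)])


def compute_signature(secret: str, method: str, host: str, path: str,
                      params: Dict[str, str]) -> str:
    mac = hmac.new(secret.encode(), string_to_sign(method, host, path, params).encode(),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def sign_request(method: str, host: str, path: str, params: Dict[str, str],
                 access_key: str, secret: str, when: datetime) -> Dict[str, str]:
    """Client side: add identity and timestamp fields, then sign over all of them."""
    signed = dict(params)
    signed.update({
        "AWSAccessKeyId": access_key,
        "SignatureMethod": "HmacSHA256",
        "SignatureVersion": "2",
        "Timestamp": when.strftime(TIME_FMT),
    })
    signed["Signature"] = compute_signature(secret, method, host, path, signed)
    return signed


def verify_request(method: str, host: str, path: str, params: Dict[str, str],
                   key_store: Dict[str, str], now: datetime,
                   max_skew: timedelta = timedelta(minutes=15)) -> bool:
    """Service side: look up the secret by access key id, reject stale requests,
    recompute the signature and compare in constant time."""
    received: Optional[str] = params.get("Signature")
    secret = key_store.get(params.get("AWSAccessKeyId", ""))
    if received is None or secret is None:
        return False
    try:
        ts = datetime.strptime(params["Timestamp"], TIME_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False                       # outside the replay window
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = compute_signature(secret, method, host, path, unsigned)
    return hmac.compare_digest(expected, received)


def demo():
    """Returns (genuine request verifies, tampered request verifies, stale request verifies)."""
    now = datetime(2012, 10, 7, 9, 0, tzinfo=timezone.utc)      # constructed clock
    key_store = {ACCESS_KEY_ID: SECRET_KEY}                      # what the service holds
    params = {"Action": "DescribeInstances", "InstanceId.1": "i-constructed"}
    req = sign_request("POST", HOST, "/", params, ACCESS_KEY_ID, SECRET_KEY, now)
    genuine = verify_request("POST", HOST, "/", req, key_store, now)
    tampered = dict(req, Action="StopInstances")                 # changed after signing
    stale = sign_request("POST", HOST, "/", params, ACCESS_KEY_ID, SECRET_KEY,
                         now - timedelta(hours=1))
    return (genuine,
            verify_request("POST", HOST, "/", tampered, key_store, now),
            verify_request("POST", HOST, "/", stale, key_store, now))


if __name__ == "__main__":
    print(demo())   # expect (True, False, False)
```

The secret never leaves either side; only the signature travels, so a captured request cannot be altered or replayed past the skew window without the key.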
Multi-tier Security Approach Example
[Diagram: Web Tier, Application Tier and Database Tier, each behind its own Amazon EC2 Security Group firewall]
• Ports 80 and 443 only open to the Internet
• All other Internet ports blocked by default
• Engineering staff have ssh access to the App Tier, which acts as Bastion
• Sync with on-premises database
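The three-tier layout above, as an added audit example that is not AWS or Trend Micro code: it walks security group rules shaped like `aws ec2 describe-security-groups` output and flags anything that breaks the slide's design (only 80 and 443 Internet-facing, and only on the web tier; ssh to the bastion only from the corporate range; the database tier reachable only from the app tier's security group). The group ids, the corporate CIDR 203.0.113.0/24 and the two deliberately wrong rules are constructed.

```python
"""Audit EC2 security group rules against the three-tier design on the slide.

Added example, not AWS or Trend Micro code. The groups below are constructed
in the shape of `aws ec2 describe-security-groups` output.
"""
from typing import Iterable, List, Tuple

INTERNET = {"0.0.0.0/0", "::/0"}
CORP_CIDR = "203.0.113.0/24"           # constructed: the range engineers ssh from
WEB_INTERNET_PORTS = {80, 443}         # the slide: only 80 and 443 open to the Internet

# Constructed sample. The two rules marked BAD are deliberate misconfigurations.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": CORP_CIDR}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # BAD
    ]},
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},  # BAD
    ]},
]

Finding = Tuple[str, str, int]   # (group id, rule code, first offending port)


def rule_ports(perm: dict) -> range:
    """Ports a permission covers; IpProtocol -1 means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def rule_cidrs(perm: dict) -> set:
    return ({r["CidrIp"] for r in perm.get("IpRanges", [])}
            | {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])})


def audit_security_groups(groups: Iterable[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for g in groups:
        tier = g["GroupName"].split("-")[0]          # naming convention: web-/app-/db-tier
        for perm in g["IpPermissions"]:
            ports, cidrs = rule_ports(perm), rule_cidrs(perm)
            if cidrs & INTERNET:
                # Only the web tier may face the Internet, and only on 80/443.
                exposed = [p for p in ports if not (tier == "web" and p in WEB_INTERNET_PORTS)]
                if exposed:
                    findings.append((g["GroupId"], "INTERNET_EXPOSURE", exposed[0]))
            elif 22 in ports and not cidrs <= {CORP_CIDR}:
                # The app tier is the bastion: ssh only from the corporate range.
                findings.append((g["GroupId"], "SSH_NOT_FROM_CORP", 22))
            if tier == "db" and cidrs:
                # The database tier should be reachable only via the app tier's group.
                findings.append((g["GroupId"], "DB_CIDR_SOURCE", ports.start))
    return findings


if __name__ == "__main__":
    for group_id, code, port in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: {code} on port {port}")
```

Run against real output by loading the JSON from `aws ec2 describe-security-groups` and passing its `SecurityGroups` list; the naming-convention tier lookup is the one assumption to adapt to your own tagging.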
VPC V2
AWS Security and Compliance Center (http://aws.amazon.com/security/)
• Answers to many security & privacy questions
   – Security whitepaper
   – Risk and Compliance whitepaper
• Security bulletins
• Customer penetration testing
• Security best practices
• More information on:
   – AWS Identity & Access Management (AWS IAM)
   – AWS Multi-Factor Authentication (AWS MFA)
Addressing Cloud Requirements
Requires a combination of technologies and is a shared responsibility between CSP and customer
10/7/2012   Confidential | Copyright 2012 TrendMicro Inc.
How Are You Securing the Cloud?
[Chart of survey responses: “Encrypt Any Data Stored in the Cloud” and “Keep a 1:1 Copy of All Data Synched to Public Cloud”. Source: Trend Micro survey, May 2011]
But traditional encryption solutions leave you vulnerable in the cloud. You need:
• Policy-based key management
• Server validation
• Business key ownership
What is the Solution?
Data Protection in the Cloud
[Diagram: Encryption with Policy-based Key Management, applied to Credit Card Payment Information, Sensitive Research Results, Patient Medical Records and Social Security Numbers]
AES Encryption, 128, 192, & 256 bit
• Unreadable to outsiders
• Obscured data on recycled devices
Policy-based Key Management
• Trusted server access
• Control for when and where data is accessed
Auditing, Reporting, & Mobility
• Compliance support
• Custody of keys
SecureCloud
Encryption & Key Mgmt for private, public, & hybrid clouds
What is the Solution?
Trend Micro SecureCloud
The Basics: What Does SecureCloud Do?
• Encrypts data in public or private cloud environments
   – Military grade, FIPS 140-2 compliant encryption to 256-bits
• Manages encryption keys
   – Typically a very tedious, detailed and expensive process
   – Application upkeep offloaded to trusted partner
• Authenticates servers requesting access to data
   – Policy-based system gives wide range of factors on which key deployment decisions are made
   – Delivers keys securely over encrypted SSL channels
• Audits, alerts, and reports on key delivery activities
   – Multiple reports and alerting mechanisms available
Trend Micro SecureCloud
How It Works
[Diagram: the requesting server and the key service exchange a random session key over SSL; the key service sends a policy information request (Rule 1, Rule 2, Rule 3, etc.), the server returns the policy information (XYZ, 123G, 78HJ, etc.), an internal process checks the returned values against the rules, and only then is the key for “My Data” released]
Trend Micro SecureCloud
How It Works: Unique Server Validation
Identity: “Is it mine?”
• Embedded keys
• Location
• Start-up time
• Etc.
Integrity: “Is it okay?”
• Firewall
• Antivirus
• Self integrity check
• Etc.
• Automated authorization and key release for rapid operations
• Or manual approval for increased security
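The validation flow on the two “How It Works” slides above, as an added example that is not Trend Micro code: a key service evaluates identity rules (embedded key, location, start-up time) and integrity rules (firewall, antivirus, self check) over the policy information a server returns, releases the data key only when every rule passes (automatically, or held for an operator when manual approval is configured), and writes each decision to an audit log. Server ids, embedded keys, the data key, the allowed region and every threshold are constructed; the SSL transport is out of scope.

```python
"""Policy-based key release modelled on the SecureCloud 'How It Works' and
'Unique Server Validation' slides.

Added example, not Trend Micro code. Server ids, embedded keys, the data key,
the allowed region and every threshold below are constructed; the SSL
transport between server and key service is out of scope.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed key-service state. A real deployment would keep the data key
# wrapped in an HSM/KMS; here it is a placeholder byte string.
EMBEDDED_KEYS: Dict[str, bytes] = {"web-01": b"constructed-key-embedded-at-provisioning"}
DATA_KEYS: Dict[str, bytes] = {"web-01": b"constructed-data-key-placeholder"}
ALLOWED_REGIONS = {"ap-south-1"}           # constructed location policy
MAX_AV_SIGNATURE_AGE = timedelta(days=7)   # constructed integrity threshold
MAX_STARTUP_WINDOW = timedelta(hours=1)    # constructed: keys are requested soon after boot
AUDIT_LOG: List[str] = []                  # every decision is recorded for reports and alerts
NOW = datetime(2012, 10, 7, 9, 0, tzinfo=timezone.utc)   # constructed request time


@dataclass
class ServerReport:
    """The 'policy information return' a requesting server sends back."""
    server_id: str
    identity_proof: str          # hex HMAC-SHA256 over server_id with the embedded key
    region: str
    started_at: datetime
    firewall_enabled: bool
    av_signature_date: datetime
    self_check_ok: bool


@dataclass
class Decision:
    outcome: str                 # "RELEASED", "PENDING_APPROVAL" or "DENIED"
    failed_rules: List[str] = field(default_factory=list)
    key: bytes = b""


def prove_identity(server_id: str, embedded_key: bytes) -> str:
    """The server shows it holds the key embedded at provisioning ('Is it mine?')."""
    return hmac.new(embedded_key, server_id.encode(), hashlib.sha256).hexdigest()


def evaluate(report: ServerReport, now: datetime) -> List[Tuple[str, bool]]:
    """Run every identity and integrity rule; deny by default, so unknown servers fail."""
    key = EMBEDDED_KEYS.get(report.server_id)
    identity_ok = key is not None and hmac.compare_digest(
        prove_identity(report.server_id, key), report.identity_proof)
    uptime = now - report.started_at
    return [
        ("identity.embedded_key", identity_ok),
        ("identity.location", report.region in ALLOWED_REGIONS),
        ("identity.startup_time", timedelta(0) <= uptime <= MAX_STARTUP_WINDOW),
        ("integrity.firewall", report.firewall_enabled),
        ("integrity.antivirus", now - report.av_signature_date <= MAX_AV_SIGNATURE_AGE),
        ("integrity.self_check", report.self_check_ok),
    ]


def request_key(report: ServerReport, now: datetime, manual_approval: bool = False) -> Decision:
    """Release the data key only when every rule passes; hold for an operator if configured."""
    failed = [rule for rule, ok in evaluate(report, now) if not ok]
    if failed:
        AUDIT_LOG.append(f"{now.isoformat()} DENY {report.server_id} failed={failed}")
        return Decision("DENIED", failed)
    if manual_approval:
        AUDIT_LOG.append(f"{now.isoformat()} HOLD {report.server_id} awaiting operator approval")
        return Decision("PENDING_APPROVAL")
    AUDIT_LOG.append(f"{now.isoformat()} RELEASE {report.server_id}")
    return Decision("RELEASED", key=DATA_KEYS[report.server_id])


def at_offset(**delta) -> datetime:
    """Convenience: a point in time `delta` before NOW (e.g. at_offset(days=30))."""
    return NOW - timedelta(**delta)


def make_report(**overrides) -> ServerReport:
    """A compliant report for web-01; pass overrides to simulate a failing check."""
    fields = dict(
        server_id="web-01",
        identity_proof=prove_identity("web-01", EMBEDDED_KEYS["web-01"]),
        region="ap-south-1",
        started_at=at_offset(minutes=5),
        firewall_enabled=True,
        av_signature_date=at_offset(days=1),
        self_check_ok=True,
    )
    fields.update(overrides)
    return ServerReport(**fields)


if __name__ == "__main__":
    print(request_key(make_report(), NOW).outcome)                               # RELEASED
    print(request_key(make_report(av_signature_date=at_offset(days=30)), NOW))   # DENIED
    for line in AUDIT_LOG:
        print(line)
```

Every rule is evaluated even after the first failure so the audit entry names all of them, which is what an operator reviewing a denied request needs.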
Trend Micro SecureCloud
Summary of Features and Benefits
Security
• Apply industry standard encryption
• Employ full-volume protection
• Get real-time encryption and decryption
Choice
• Encrypt your virtual and cloud infrastructures
• Deploy as a software application or SaaS
Control
• Determine when and where data is accessed
• Ensure only authorized VMs access data
Compliance
• Support internal governance and compliance
• Address audits with reports and alerts
Safely Deploy Your Own Journey to the Cloud
Deep Security
Self Defending Hosts
Trend Micro Deep Security
Server & application protection: 5 protection modules
• Deep Packet Inspection
   – IDS / IPS: Detects and blocks known and zero-day attacks that target vulnerabilities
   – Web Application Protection: Shields web application vulnerabilities
   – Application Control: Provides increased visibility into, or control over, applications accessing the network
• Firewall: Reduces attack surface. Prevents DoS & detects reconnaissance scans
• Integrity Monitoring: Detects malicious and unauthorized changes to directories, files, registry keys…
• Log Inspection: Optimizes the identification of important security events buried in log entries
• Anti-Virus: Detects and blocks malware (web threats, viruses & worms, Trojans)
Protection is delivered via Agent and/or Virtual Appliance
Cloud Security
Modular Protection
• Self-defending VM security
• Agentless and agent-based
• One management portal for all modules, all deployments
Encryption with Policy-based Key Management
[Diagram: applied to Credit Card Payment Information, Sensitive Research Results, Patient Medical Records and Social Security Numbers]
• Unreadable for unauthorized users
• Control of when and where data is accessed
• Server validation
• Custody of keys
Integration ensures servers have up-to-date security before encryption keys are released
Deploy, Scale and Manage your Microsoft Investments with AWSDeploy, Scale and Manage your Microsoft Investments with AWS
Deploy, Scale and Manage your Microsoft Investments with AWS
 
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 AustraliaSecurity and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
Security and Privacy in the Cloud - Stephen Schmidt - AWS Summit 2012 Australia
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
17h30 aws enterprise_app_jvaria
17h30 aws enterprise_app_jvaria17h30 aws enterprise_app_jvaria
17h30 aws enterprise_app_jvaria
 
AWS April Webianr Series - How Willbros Builds Securely in AWS with Trend Micro
AWS April Webianr Series - How Willbros Builds Securely in AWS with Trend MicroAWS April Webianr Series - How Willbros Builds Securely in AWS with Trend Micro
AWS April Webianr Series - How Willbros Builds Securely in AWS with Trend Micro
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
 
Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012Microsoft Best Practices - AWS India Summit 2012
Microsoft Best Practices - AWS India Summit 2012
 
DaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris RogersDaaS/IaaS Forum Moscow - Chris Rogers
DaaS/IaaS Forum Moscow - Chris Rogers
 
Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012
 
Maintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the Cloud
 
Daniel künzli cloudgateway.next
Daniel künzli cloudgateway.nextDaniel künzli cloudgateway.next
Daniel künzli cloudgateway.next
 
AWS Governance Overview - Beach
AWS Governance Overview - BeachAWS Governance Overview - Beach
AWS Governance Overview - Beach
 
Cloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit PlanningCloud Breach - Forensics Audit Planning
Cloud Breach - Forensics Audit Planning
 
AWS Summit Berlin 2013 - Keynote Steve Schmidt
AWS Summit Berlin 2013 - Keynote Steve SchmidtAWS Summit Berlin 2013 - Keynote Steve Schmidt
AWS Summit Berlin 2013 - Keynote Steve Schmidt
 
Cloud security for financial services
Cloud security for financial servicesCloud security for financial services
Cloud security for financial services
 
APN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA PartnersAPN Partner Webinar - Security & Compliance for AWS EMEA Partners
APN Partner Webinar - Security & Compliance for AWS EMEA Partners
 
CloudPassage Best Practices for Automatic Security Scaling
CloudPassage Best Practices for Automatic Security ScalingCloudPassage Best Practices for Automatic Security Scaling
CloudPassage Best Practices for Automatic Security Scaling
 
Cloud security what to expect (introduction to cloud security)
Cloud security   what to expect (introduction to cloud security)Cloud security   what to expect (introduction to cloud security)
Cloud security what to expect (introduction to cloud security)
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 

Recently uploaded (20)

Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 

Security and Privacy in the AWS Cloud - AWS India Summit 2012

  • 1. Securing Your Journey to the Cloud
    Santanu Dutt, Solutions Architect, santanu@amazon.com
    Sharda Tickoo, Subject Matter Expert, Trend Micro
  • 2. Shared Responsibility Model
    – AWS: Facilities; Physical Security; Physical Infrastructure; Network Infrastructure; Virtualization Infrastructure
    – Customer: Operating System; Application; Security Groups; OS Firewalls; Network Configuration; Account Management
  • 4. AWS Certifications
    – Based on the Shared Responsibility model
    – AWS Environment: SSAE 16 / SAS70 Type II Audit; ISO 27001 Certification; Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider; FedRAMP (FISMA)
    – Customers have deployed various compliant applications: Sarbanes-Oxley (SOX); HIPAA (healthcare); FISMA (US Federal Government); DIACAP MAC III Sensitive IATO
  • 5. How did AWS do that?
  • 6. Physical Security of Data Centers
    – Amazon has been building large-scale data centers for many years
    – Important attributes: non-descript facilities; robust perimeter controls; strictly controlled physical access; 2 or more levels of two-factor auth
    – Controlled, need-based access
    – All access is logged and reviewed
    – Separation of Duties: employees with physical access don’t have logical privileges
  • 7. Amazon EC2 Instance Isolation
    Diagram: Customer 1 … Customer n instances run above the Hypervisor; their Virtual Interfaces pass through per-customer Security Groups (Customer 1 Security Groups … Customer n Security Groups) and the Firewall before reaching the Physical Interfaces.
  • 8. Storage Device Decommissioning
    – All storage devices go through the process
    – Uses techniques from DoD 5220.22-M (“National Industrial Security Program Operating Manual”) and NIST 800-88 (“Guidelines for Media Sanitization”)
    – Ultimately degaussed and physically destroyed
  • 9. Network Security Considerations
    – Distributed Denial of Service (DDoS): standard mitigation techniques in effect
    – Man in the Middle (MITM): all endpoints protected by SSL; fresh EC2 host keys generated at boot
    – IP Spoofing: prohibited at host OS level
    – Unauthorized Port Scanning: violation of AWS TOS; detected, stopped, and blocked; inbound ports blocked by default
    – Packet Sniffing: promiscuous mode is ineffective; protection at hypervisor level
  • 10. How do I build secure?
  • 11. AWS Identity and Access Management (IAM)
    – Users and Groups within Accounts
    – Unique security credentials: access keys; login/password; optional MFA device
    – Policies control access to AWS APIs
    – API calls must be signed by either an X.509 certificate or a secret key
    – Deep integration into some services: S3 (policies on objects and buckets); SimpleDB (domains)
    – AWS Management Console supports User log on
    – Not for Operating Systems or Applications: use LDAP, Active Directory/ADFS, etc.
  • 12. Multi-tier Security Approach Example
    – Web Tier: ports 80 and 443 only open to the Internet
    – Application Tier: engineering staff have ssh access to the App Tier, which acts as Bastion
    – Database Tier: sync with on-premises database
    – Each tier sits behind the Amazon EC2 Security Group Firewall; all other Internet ports blocked by default
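The three-tier design on slide 12 modelled as explicit security-group rules, so the "only 80 and 443 to the Internet, ssh only to the bastion app tier, database only from the app tier" property can be checked flow by flow. This is an added example, not code from the slides or from AWS; the app port (8080), database port (3306), corporate ssh range (203.0.113.0/24) and instance addresses are constructed assumptions.

```python
"""Model of the three-tier security-group design from the slide above.

Added example, not from the slides: EC2 security groups are allow-only and
default-deny, so every rule here is an explicit ingress allow and anything
not matched is dropped. Ports, CIDRs and addresses are constructed values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union

INTERNET = "0.0.0.0/0"

# Assumed values (not stated on the slide).
CORP_CIDR = "203.0.113.0/24"   # where engineering staff ssh from
APP_PORT, DB_PORT = 8080, 3306


@dataclass(frozen=True)
class Rule:
    """One ingress allow: a TCP port from either a CIDR or another group."""
    port: int
    cidr: Optional[str] = None
    source_sg: Optional[str] = None


@dataclass
class SecurityGroup:
    name: str
    ingress: List[Rule] = field(default_factory=list)  # explicit allows only


@dataclass
class Instance:
    name: str
    ip: str
    groups: List[str]


GROUPS = {
    # Web tier: only 80 and 443 are open to the Internet.
    "web": SecurityGroup("web", [Rule(80, cidr=INTERNET), Rule(443, cidr=INTERNET)]),
    # App tier acts as bastion: ssh only from the corporate range, and
    # application traffic only from members of the web group.
    "app": SecurityGroup("app", [Rule(22, cidr=CORP_CIDR), Rule(APP_PORT, source_sg="web")]),
    # Database tier: reachable only from members of the app group.
    "db": SecurityGroup("db", [Rule(DB_PORT, source_sg="app")]),
}


def allowed(src: Union[str, Instance], dst: Instance, port: int) -> bool:
    """True if a TCP connection from src to dst:port is permitted.

    src is a remote IP address string or another Instance. No matching
    explicit rule means the packet is dropped (default deny).
    """
    src_ip = src if isinstance(src, str) else src.ip
    src_groups = set() if isinstance(src, str) else set(src.groups)
    for group_name in dst.groups:
        for rule in GROUPS[group_name].ingress:
            if rule.port != port:
                continue
            if rule.cidr and ip_address(src_ip) in ip_network(rule.cidr):
                return True
            if rule.source_sg and rule.source_sg in src_groups:
                return True
    return False


def internet_exposed_ports(dst: Instance) -> List[int]:
    """Ports an instance accepts from anywhere: the review check for a tier."""
    ports = {
        rule.port
        for group_name in dst.groups
        for rule in GROUPS[group_name].ingress
        if rule.cidr == INTERNET
    }
    return sorted(ports)


# Constructed sample instances, one per tier.
WEB = Instance("web-1", "10.0.1.10", ["web"])
APP = Instance("app-1", "10.0.2.10", ["app"])
DB = Instance("db-1", "10.0.3.10", ["db"])

if __name__ == "__main__":
    for tier in (WEB, APP, DB):
        print(tier.name, "exposed to Internet:", internet_exposed_ports(tier))
```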
  • 14. AWS Security and Compliance Center (http://aws.amazon.com/security/)
    – Answers to many security & privacy questions
    – Security whitepaper; Risk and Compliance whitepaper; Security bulletins; Customer penetration testing; Security best practices
    – More information on AWS Identity & Access Management (AWS IAM) and AWS Multi-Factor Authentication (AWS MFA)
  • 15. Addressing Cloud Requirements
    Requires a combination of technologies and is a shared responsibility between CSP and customer
    10/7/2012 Confidential | Copyright 2012 TrendMicro Inc.
  • 16. How Are You Securing the Cloud?
    Chart (source: Trend Micro survey, May 2011): “Encrypt Any Data Stored in the Cloud” and “Keep a 1:1 Copy of All Data Synched to Public Cloud”
    But traditional encryption solutions leave you vulnerable in the cloud. You need:
    – Policy-based key management
    – Server validation
    – Business key ownership
  • 17. What is the Solution? Data Protection in the Cloud
    Encryption with Policy-based Key Management for sensitive data (credit card and payment information, sensitive research results, patient medical records, social security numbers)
    – AES Encryption, 128, 192, & 256 bit: unreadable to outsiders; obscured data on recycled devices
    – Policy-based Key Management: trusted server access; control for when and where data is accessed
    – Auditing, Reporting, & Mobility: compliance support; custody of keys
  • 18. SecureCloud: Encryption & Key Mgmt for private, public, & hybrid clouds
  • 19. What is the Solution? Trend Micro SecureCloud. The Basics: What Does SecureCloud Do?
    – Encrypts data in public or private cloud environments: military grade, FIPS 140-2 compliant encryption to 256-bits
    – Manages encryption keys: typically a very tedious, detailed and expensive process; application upkeep offloaded to trusted partner
    – Authenticates servers requesting access to data: policy-based system gives a wide range of factors on which key deployment decisions are made; delivers keys securely over encrypted SSL channels
    – Audits, alerts, and reports on key delivery activities: multiple reports and alerting mechanisms available
  • 20. Trend Micro SecureCloud: How It Works
    Diagram: the protected server (“My Data”) sends a policy information request (Rule 1, Rule 2, Rule 3, etc.) to the key management service; an internal process compares the policy information requested (Rule 1, Rule 2, Rule 3) with the policy information returned (XYZ, 123G, 78HJ); when the policy is satisfied a random session key is delivered over SSL.
  • 21. Trend Micro SecureCloud: How It Works. Unique Server Validation
    – Identity (“Is it mine?”): embedded keys; location; start-up time; etc.
    – Integrity (“Is it okay?”): firewall; antivirus; self integrity check; etc.
    – Automated authorization and key release for rapid operations, or manual approval for increased security
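The server-validation step on slides 20 and 21 as a small policy evaluator: a requesting server presents identity attributes ("Is it mine?") and integrity attributes ("Is it okay?"), every rule must pass before a key is released, and the policy decides between automated release and manual approval. This is an added example, not Trend Micro's code; the attribute names, rule set, sample servers and the "booted recently" window are constructed assumptions.

```python
"""Server validation before key release, modelled on the SecureCloud slides.

Added example, not Trend Micro's code. Identity rules check that the server
is ours (embedded key, location, start-up time); integrity rules check that
it is in a healthy state (firewall, antivirus, self integrity check). Failed
rule names are returned so an audit record can say why a key was withheld.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hmac import compare_digest
from typing import Callable, List, Set, Tuple

RELEASE, MANUAL, DENY = "release", "manual-approval", "deny"


@dataclass
class Server:
    name: str
    embedded_key: str        # identity: secret provisioned into the image
    region: str              # identity: location it reports running from
    started_at: datetime     # identity: start-up time
    firewall_on: bool        # integrity
    antivirus_on: bool       # integrity
    self_check_ok: bool      # integrity: self integrity check result


@dataclass
class Policy:
    expected_key: str
    allowed_regions: Set[str]
    max_uptime: timedelta    # only freshly booted servers get keys (assumption)
    auto_release: bool       # False: a human approves every passing request


def identity_rules(policy: Policy, now: datetime) -> List[Tuple[str, Callable[[Server], bool]]]:
    return [
        ("embedded key matches", lambda s: compare_digest(s.embedded_key, policy.expected_key)),
        ("location allowed", lambda s: s.region in policy.allowed_regions),
        ("booted recently", lambda s: timedelta(0) <= now - s.started_at <= policy.max_uptime),
    ]


def integrity_rules() -> List[Tuple[str, Callable[[Server], bool]]]:
    return [
        ("firewall enabled", lambda s: s.firewall_on),
        ("antivirus enabled", lambda s: s.antivirus_on),
        ("self integrity check", lambda s: s.self_check_ok),
    ]


def evaluate(server: Server, policy: Policy, now: datetime) -> Tuple[str, List[str]]:
    """Return (decision, failed_rule_names).

    All identity and integrity rules are evaluated (not short-circuited) so
    the audit trail lists every reason a request was refused.
    """
    failed = [name for name, check in identity_rules(policy, now) + integrity_rules()
              if not check(server)]
    if failed:
        return DENY, failed
    return (RELEASE if policy.auto_release else MANUAL), []


AUDIT_LOG: List[dict] = []


def request_key(server: Server, policy: Policy, now: datetime) -> str:
    """Evaluate a request and record the outcome (the 'audits and alerts' step)."""
    decision, failed = evaluate(server, policy, now)
    AUDIT_LOG.append({"server": server.name, "at": now.isoformat(),
                      "decision": decision, "failed_rules": failed})
    return decision


# Constructed sample policy and servers.
NOW = datetime(2012, 10, 7, 12, 0, tzinfo=timezone.utc)
AUTO_POLICY = Policy("k-constructed-0001", {"ap-south-1"}, timedelta(minutes=10), True)
MANUAL_POLICY = Policy("k-constructed-0001", {"ap-south-1"}, timedelta(minutes=10), False)

GOOD = Server("app-1", "k-constructed-0001", "ap-south-1", NOW - timedelta(minutes=2), True, True, True)
WRONG_REGION = Server("app-2", "k-constructed-0001", "us-east-1", NOW - timedelta(minutes=2), True, True, True)
NO_FIREWALL = Server("app-3", "k-constructed-0001", "ap-south-1", NOW - timedelta(minutes=2), False, True, True)
STALE_AND_BAD_KEY = Server("app-4", "k-other", "ap-south-1", NOW - timedelta(hours=5), True, True, True)

if __name__ == "__main__":
    for s in (GOOD, WRONG_REGION, NO_FIREWALL, STALE_AND_BAD_KEY):
        print(s.name, request_key(s, AUTO_POLICY, NOW))
    print(AUDIT_LOG)
```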
  • 22. Trend Micro SecureCloud Summary of Features and Benefits • Apply industry standard encryption Security • Employ full-volume protection • Get real-time encryption and decryption Choice • Encrypt your virtual and cloud infrastructures • Deploy as a software application or SaaS • Determine when and where data is accessed Control • Ensure only authorized VMs access data • Support internal governance and compliance Compliance • Address audits with reports and alerts Safely Deploy Your Own Journey to the Cloud 10/7/2012 Confidential | Copyright 2012 TrendMicro Inc.
  • 23. Deep Security Self Defending Hosts 10/7/2012 Confidential | Copyright 2012 TrendMicro Inc.
  • 24. Trend Micro Deep Security Server & application protection 5 protection modules Deep Packet Inspection Detects and blocks known and IDS / IPS zero-day attacks that target vulnerabilities Shields web application Web Application Protection vulnerabilities Provides increased visibility into, Application Control or control over, applications accessing the network Reduces attack surface. Integrity Detects malicious and Prevents DoS & detects Firewall unauthorized changes to Monitoring reconnaissance scans directories, files, registry keys… Optimizes the Log Detects and blocks malware identification of important Anti-Virus (web threats, viruses & Inspection security events buried in worms, Trojans) log entries Protection is delivered via Agent and/or Virtual Appliance
  • 25. Cloud Security
     Encryption with policy-based key management (for data such as credit card payment information, sensitive research results, patient medical records, social security numbers):
     – Unreadable for unauthorized users
     – Control of when and where data is accessed
     – Server validation
     – Custody of keys
     Modular protection:
     – Self-defending VM security
     – Agentless and agent-based
     – One management portal for all modules, all deployments
     Integration ensures servers have up-to-date security before encryption keys are released

Editor's Notes

  1. SAS 70 Type II
     Amazon Web Services publishes a Statement on Auditing Standards No. 70 (SAS 70) Type II Audit report every six months and maintains a favorable opinion from its independent auditors. AWS identifies those controls relating to the operational performance and security of its services. Through the SAS 70 Type II report, an auditor evaluates the design of the stated control objectives and control activities and attests to the effectiveness of their design. The auditors also verify the operation of those controls, attesting that the controls are operating as designed. Provided a customer has signed a non-disclosure agreement with AWS, this report is available to customers who require a SAS 70 to meet their own audit and compliance needs. The AWS SAS 70 control objectives are provided here. The report itself identifies the control activities that support each of these objectives.
     – Security Organization: controls provide reasonable assurance that information security policies have been implemented and communicated throughout the organization.
     – Amazon User Access: controls provide reasonable assurance that procedures have been established so that Amazon user accounts are added, modified and deleted in a timely manner and are reviewed on a periodic basis.
     – Logical Security: controls provide reasonable assurance that unauthorized internal and external access to data is appropriately restricted and access to customer data is appropriately segregated from other customers.
     – Secure Data Handling: controls provide reasonable assurance that data handling between the customer’s point of initiation to an AWS storage location is secured and mapped accurately.
     – Physical Security: controls provide reasonable assurance that physical access to Amazon’s operations building and the data centers is restricted to authorized personnel.
     – Environmental Safeguards: controls provide reasonable assurance that procedures exist to minimize the effect of a malfunction or physical disaster to the computer and data center facilities.
     – Change Management: controls provide reasonable assurance that changes (including emergency / non-routine and configuration) to existing IT resources are logged, authorized, tested, approved and documented.
     – Data Integrity, Availability and Redundancy: controls provide reasonable assurance that data integrity is maintained through all phases including transmission, storage and processing.
     – Incident Handling: controls provide reasonable assurance that system incidents are recorded, analyzed, and resolved.
     AWS’ commitment to SAS 70 is on-going, and AWS will continue the process of periodic audits. In addition, in 2011 AWS plans to convert the SAS 70 to the new Statement on Standards for Attestation Engagements (SSAE) 16 format (equivalent to the International Standard on Assurance Engagements [ISAE] 3402). The SSAE 16 standard replaces the existing SAS 70 standard, and implementation is currently expected to be required by all SAS 70 publishers in 2011. This new report will be similar to the SAS 70 Type II report, but with additional required disclosures and a modified format.
  2. ISO 27001
     AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services including Amazon EC2, Amazon S3 and Amazon VPC. ISO 27001/27002 is a widely-adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that’s based on periodic risk assessments appropriate to ever-changing threat scenarios. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This certification reinforces Amazon’s commitment to providing significant information regarding our security controls and practices. AWS’s ISO 27001 certification includes all AWS data centers in all regions worldwide, and AWS has established a formal program to maintain the certification. AWS provides additional information and frequently asked questions about its ISO 27001 certification on its web site.
  3. PCI DSS Level 1
     AWS satisfies the requirements under PCI DSS for shared hosting providers. AWS also has been successfully validated against standards applicable to a Level 1 service provider under PCI DSS Version 2.0. Merchants and other PCI service providers can use the AWS PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud, as long as those customers create PCI compliance for their part of the shared environment. Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS) and Amazon Virtual Private Cloud (VPC) were included as part of this validation. Under the same circumstances, other enterprises can also benefit by running their applications on other PCI-compliant technology infrastructure. AWS provides additional information and frequently asked questions about its PCI compliance on its web site.
  4. Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, so that one customer’s data are never unintentionally exposed to another. AWS recommends customers further protect their data using appropriate means. One common solution is to run an encrypted file system on top of the virtualized disk device.
  5. Amazon Simple Data Base (SimpleDB) Security
     Amazon SimpleDB APIs provide domain-level controls that only permit authenticated access by the domain creator, therefore the customer maintains full control over who has access to their data. Amazon SimpleDB access can be granted based on an AWS Account ID. Once authenticated, an AWS Account has full access to all operations. Access to each individual domain is controlled by an independent Access Control List that maps authenticated users to the domains they own. A user created with AWS IAM only has access to the operations and domains for which they have been granted permission via policy.
     Amazon SimpleDB is accessible via SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2. Data stored within Amazon SimpleDB is not encrypted by AWS; however the customer can encrypt data before it is uploaded to Amazon SimpleDB. These encrypted attributes would be retrievable as part of a Get operation only. They could not be used as part of a query filtering condition. Encrypting before sending data to Amazon SimpleDB helps protect against access to sensitive customer data by anyone, including AWS.
     Amazon SimpleDB Data Management
     When a domain is deleted from Amazon SimpleDB, removal of the domain mapping starts immediately, and is generally processed across the distributed system within seconds. Once the mapping is removed, there is no remote access to the deleted domain. When item and attribute data are deleted within a domain, removal of the mapping within the domain starts immediately, and is also generally complete within seconds. Once the mapping is removed, there is no remote access to the deleted data. That storage area is then made available only for write operations and the data are overwritten by newly stored data.
  7. Amazon Simple Queue Service (Amazon SQS) Security
     Amazon SQS is a highly reliable, scalable message queuing service that enables asynchronous message-based communication between distributed components of an application. The components can be computers or Amazon EC2 instances or a combination of both. With Amazon SQS you can send any number of messages to an Amazon SQS queue at any time from any component. The messages can be retrieved from the same component or a different one right away or at a later time (within 4 days). Messages are highly durable; each message is persistently stored in highly available, highly reliable queues. Multiple processes can read/write from/to an Amazon SQS queue at the same time without interfering with each other.
     Amazon SQS access is granted based on an AWS Account or a user created with AWS IAM. Once authenticated, the AWS Account has full access to all user operations. An AWS IAM user, however, only has access to the operations and queues to which they have been granted access via policy. By default, access to each individual queue is restricted to the AWS Account that created it. However, a customer can allow other access to a queue, using either an SQS-generated policy or a policy written by the user. Amazon SQS is accessible via SSL-encrypted endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2. Data stored within Amazon SQS are not encrypted by AWS; however the user can encrypt data before it is uploaded to Amazon SQS, provided that the application utilizing the queue has a means to decrypt the message when retrieved. Encrypting messages before sending them to Amazon SQS helps protect against access to sensitive customer data by unauthorized persons, including AWS.
  8. Amazon CloudFront Security
     Amazon CloudFront requires every request made to its control API be authenticated so only authenticated users can create, modify or delete their own Amazon CloudFront distributions. Requests are signed with an HMAC-SHA1 signature calculated from the request and the user’s private key. Additionally, the Amazon CloudFront control API is only accessible via SSL-encrypted endpoints.
     There is no guarantee of durability of data held in Amazon CloudFront edge locations. The service may from time to time remove objects from edge locations if those objects are not requested frequently. Durability is provided by Amazon S3, which works as the origin server for Amazon CloudFront holding the original, definitive copies of objects delivered by Amazon CloudFront.
     If you want control over who is able to download content from Amazon CloudFront, you can enable the service’s private content feature. This feature has two components: the first controls how the Amazon CloudFront edge locations access your objects in Amazon S3. The second controls how content is delivered from the Amazon CloudFront edge location to viewers on the internet. To control access to the original copies of your objects in Amazon S3, Amazon CloudFront allows you to create one or more “Origin Access Identities” and associate these with your distributions. When an Origin Access Identity is associated with an Amazon CloudFront distribution, the distribution will use that identity to retrieve objects from Amazon S3. You can then use Amazon S3’s ACL feature, which limits access to that Origin Access Identity so the original copy of the object is not publicly readable.
     To control who is able to download your objects from Amazon CloudFront edge locations, the service uses a signed-URL verification system. To use this system, you first create a private-key public-key pair, and upload the public key to your account via the Amazon Web Services website. Second, you configure your Amazon CloudFront distribution to indicate which accounts you would authorize to sign requests; you can indicate up to five AWS Accounts you trust to sign requests. Third, as you receive requests you will create policy documents indicating the conditions under which you want Amazon CloudFront to serve your content. These policy documents can specify the name of the object that is requested, the date and time of the request, and the source IP (or CIDR range) of the client making the request. You then calculate the RSA-SHA1 encoding of your policy document and sign this using your private key. Fourth, you include both the encoded policy document and the signature as query string parameters when you reference your objects. When Amazon CloudFront receives a request, it will decode the signature using your public key. Amazon CloudFront will only serve requests that have a valid policy document and matching signature. Note that private content is an optional feature that must be enabled when you set up your CloudFront distribution. Content delivered without this feature enabled will be publicly readable by anyone.
     Amazon CloudFront also provides the ability to transfer content over an encrypted connection (HTTPS) to authenticate the content delivered to your users. By default Amazon CloudFront will accept requests over both HTTP and HTTPS protocols. If you prefer, you can also configure Amazon CloudFront to require HTTPS for all requests and disallow all HTTP requests. For HTTPS requests, Amazon CloudFront will also utilize HTTPS to retrieve your object from Amazon S3, so that your object is encrypted whenever it is transmitted.
     Amazon CloudFront access logs contain a comprehensive set of information about requests for content, including the object requested, the date and time of the request, the edge location serving the request, the client IP address, the referrer, and the user agent. To enable access logs just specify the name of the Amazon S3 bucket to store the logs in when you configure your Amazon CloudFront distribution.
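The four-step signed-URL flow above, reduced to the part that matters at the edge: a policy document naming the object, a validity window and the allowed client range is signed, carried as query parameters, and checked before content is served. This is an added example written for this page, not AWS code. The JSON layout follows the CloudFront custom-policy format as this editor understands it (check current AWS documentation before relying on it), and HMAC-SHA1 stands in for the RSA-SHA1 signature in the text so the example runs without an RSA library; the signing key, key-pair id, host and addresses are all constructed.

```python
"""Signed-URL policy check modelled on the private-content flow in note 8.
Added example, not AWS code; HMAC-SHA1 stands in for RSA-SHA1 and every key,
host and address is constructed."""
from __future__ import annotations

import base64
import fnmatch
import hashlib
import hmac
import ipaddress
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

SIGNING_KEY = b"constructed-signing-key"      # stand-in for the RSA private key
KEY_PAIR_ID = "CONSTRUCTEDKEYID"             # identifies which trusted key signed


def cf_encode(raw: bytes) -> str:
    """URL-safe base64 variant used in CloudFront signed URLs: '+'->'-', '='->'_', '/'->'~'."""
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))


def cf_decode(text: str) -> bytes:
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))


def build_policy(resource: str, expires: int, not_before: int | None = None,
                 source_cidr: str | None = None) -> dict:
    """Resource may contain a wildcard; times are epoch seconds."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires}}
    if not_before is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    if source_cidr is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_cidr}
    return {"Statement": [{"Resource": resource, "Condition": condition}]}


def sign_url(url: str, policy: dict) -> str:
    """Content owner side: attach the encoded policy, its signature and the key id."""
    policy_bytes = json.dumps(policy, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, policy_bytes, hashlib.sha1).digest()
    query = urlencode({"Policy": cf_encode(policy_bytes), "Signature": cf_encode(sig),
                       "Key-Pair-Id": KEY_PAIR_ID})
    return f"{url}?{query}"


def check_request(signed_url: str, client_ip: str, now: int) -> tuple[bool, str]:
    """Edge side: signature first, then every condition in the policy."""
    parts = urlsplit(signed_url)
    params = dict(parse_qsl(parts.query))
    try:
        policy_bytes = cf_decode(params["Policy"])
        signature = cf_decode(params["Signature"])
    except (KeyError, ValueError):
        return False, "missing or malformed policy/signature"
    if params.get("Key-Pair-Id") != KEY_PAIR_ID:
        return False, "unknown key pair id"
    expected = hmac.new(SIGNING_KEY, policy_bytes, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"            # policy is untrusted until this passes
    requested = f"{parts.scheme}://{parts.netloc}{parts.path}"
    for stmt in json.loads(policy_bytes)["Statement"]:
        cond = stmt["Condition"]
        if not fnmatch.fnmatchcase(requested, stmt["Resource"]):
            return False, "resource not covered by policy"
        if now >= cond["DateLessThan"]["AWS:EpochTime"]:
            return False, "policy expired"
        if "DateGreaterThan" in cond and now <= cond["DateGreaterThan"]["AWS:EpochTime"]:
            return False, "policy not yet valid"
        if "IpAddress" in cond:
            allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
            if ipaddress.ip_address(client_ip) not in allowed:
                return False, "client address outside allowed range"
    return True, "ok"
```

The order of checks is deliberate: nothing inside the policy is read until the signature over it has verified, so a tampered expiry or CIDR is rejected as "bad signature" rather than being evaluated.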
  9. Amazon Elastic MapReduce Security
     Amazon Elastic MapReduce requires every request made to its API be authenticated. This ensures that only authenticated users can create, look up, or terminate their job flows. Requests are signed with an HMAC-SHA1 signature calculated from the request and the user’s private key. Amazon Elastic MapReduce provides SSL endpoints for access to its web service APIs and the console. When launching job flows on behalf of a customer, Amazon Elastic MapReduce sets up an Amazon EC2 security group for the master node that only allows external access via SSH. The service creates a separate security group for the slave nodes which does not allow any external access. To protect customer input and output datasets, Amazon Elastic MapReduce transfers data to and from S3 using SSL.
  10. Fault Separation
     AWS provides customers the flexibility to place instances and store data within multiple geographic Regions. Each Region is an independent collection of AWS resources in a defined geography. AWS currently supports five Regions: US East (Northern Virginia), US West (Northern California), EU (Ireland), Asia Pacific (Singapore) and Asia Pacific (Tokyo). The Amazon S3 US Standard Region includes the US East facilities in Northern Virginia and facilities in Western Washington State. The selection of a Region within an acceptable geographic jurisdiction to the customer provides a solid foundation to meeting location-dependent privacy and compliance requirements, such as the EU Data Privacy Directive. Data is not replicated between Regions unless proactively done so by the customer, thus allowing customers with these types of data placement and privacy requirements the ability to establish compliant environments. It should be noted that all communications between Regions are across public Internet infrastructure. Appropriate encryption methods should be used to protect sensitive data. Within a given Region, Amazon EC2, Amazon EBS and Amazon Relational Database Service (RDS) allow customers to place instances and store data across multiple Availability Zones. See the “Business Continuity Management” section for more information on availability. Amazon S3, Amazon SimpleDB, Amazon Simple Notification Service (SNS), and Amazon Simple Queue Service (SQS) do not expose the concept of Availability Zones to customers. With these services, data is automatically stored on multiple devices across multiple facilities within a Region. The diagram below demonstrates the Regions and Availability Zones within each Region for Amazon EC2, Amazon EBS and Amazon RDS.
  11. Amazon Account Security Features
     AWS provides a number of ways for customers to identify themselves and securely access their AWS Account. A complete list of credentials supported by AWS can be found on the Security Credentials page under Your Account. AWS also provides additional security options that enable customers to further protect their AWS Account and control access: AWS Identity and Access Management (AWS IAM), Multi-Factor Authentication (MFA) and Key Rotation.
     AWS Multi-Factor Authentication (AWS MFA)
     AWS Multi-Factor Authentication (AWS MFA) is an additional layer of security that offers enhanced control over AWS Account settings and the management of the AWS Services and resources for which the account is subscribed. When customers enable this opt-in feature, they will need to provide a six-digit single-use code in addition to their standard username and password credentials before access is granted to their AWS Account settings or AWS Services and resources. Customers get this single-use code from an authentication device that they keep in their physical possession. This is called Multi-Factor Authentication because two factors are checked before access is granted: customers need to provide both their username (Amazon e-mail in the case of the AWS Account) and password (the first “factor”: something you know) and the precise code from their authentication device (the second “factor”: something you have). Customers can enable MFA devices for their AWS Account as well as for the users they have created under their AWS Account with AWS IAM. It is easy to obtain an authentication device from a participating third party provider and to set it up for use via the AWS website. More information about Multi-Factor Authentication is available on the AWS website: http://aws.amazon.com/mfa/
     Key Rotation
     For the same reasons as it is important to change passwords frequently, AWS recommends that customers rotate their access keys and certificates on a regular basis. To let customers do this without potential impact to their applications’ availability, AWS supports multiple concurrent access keys and certificates. With this feature, customers can rotate keys and certificates into and out of operation on a regular basis without any downtime to their application. This can help to mitigate risk from lost or compromised access keys or certificates. The AWS IAM APIs enable a customer to rotate the access keys of their AWS Account as well as those of users created under their AWS Account using AWS IAM.
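Notes 8 and 9 say API requests are signed with HMAC-SHA1 over the request, and the Key Rotation paragraph above says several access keys can be active at once so that one can be rolled in before another is retired. The two fit together in one added example, written for this page and not AWS code: a verifier that looks the key up by id and accepts any active key for the account, with the rotation sequence (create, overlap, deactivate, delete) walked through end to end. The canonical string, the freshness window, the two-key cap and all account names and secrets are this example's own constructed choices.

```python
"""HMAC-SHA1 request signing with key lookup by id, plus zero-downtime key
rotation. Added example, not AWS code; canonical-string layout, skew window,
two-key cap, account names and secrets are all constructed for illustration."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

MAX_ACTIVE_KEYS = 2        # assumption for this example: at most two active keys per account
MAX_CLOCK_SKEW = 300       # reject requests timestamped more than 5 minutes away


class AccessKeyStore:
    """Server-side view: key id -> (account, secret, active)."""

    def __init__(self):
        self._keys: dict[str, tuple[str, bytes, bool]] = {}

    def create(self, account: str) -> tuple[str, bytes]:
        active = [k for k, (a, _, on) in self._keys.items() if a == account and on]
        if len(active) >= MAX_ACTIVE_KEYS:
            raise RuntimeError("deactivate and delete an old key before creating another")
        key_id = "AK" + secrets.token_hex(8).upper()
        secret = secrets.token_bytes(32)
        self._keys[key_id] = (account, secret, True)
        return key_id, secret

    def deactivate(self, key_id: str) -> None:
        account, secret, _ = self._keys[key_id]
        self._keys[key_id] = (account, secret, False)   # kept, so it can be re-enabled if needed

    def delete(self, key_id: str) -> None:
        del self._keys[key_id]

    def lookup(self, key_id: str):
        return self._keys.get(key_id)


def canonical_string(method: str, path: str, params: dict) -> str:
    """Deterministic serialization both sides compute; parameter order must not matter."""
    query = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return f"{method}\n{path}\n{query}"


def sign(secret: bytes, method: str, path: str, params: dict) -> str:
    digest = hmac.new(secret, canonical_string(method, path, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_request(key_id: str, secret: bytes, method: str, path: str, params: dict, now: int) -> dict:
    """Client side: add key id and timestamp, then sign everything."""
    params = dict(params, AWSAccessKeyId=key_id, Timestamp=now)
    params["Signature"] = sign(secret, method, path, params)
    return {"method": method, "path": path, "params": params}


def verify(store: AccessKeyStore, request: dict, now: int) -> tuple[bool, str]:
    """Server side: active key, fresh timestamp, constant-time signature comparison."""
    params = dict(request["params"])
    presented = params.pop("Signature", None)
    entry = store.lookup(params.get("AWSAccessKeyId", ""))
    if entry is None or not entry[2]:
        return False, "unknown or inactive access key"
    if abs(now - int(params.get("Timestamp", 0))) > MAX_CLOCK_SKEW:
        return False, "request too old or too far in the future"
    expected = sign(entry[1], request["method"], request["path"], params)
    if presented is None or not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, entry[0]


def rotation_walkthrough() -> list[str]:
    """Rotate account 'demo' to a new key with no rejected requests along the way."""
    store, now, log = AccessKeyStore(), 1_700_000_000, []
    old_id, old_secret = store.create("demo")
    new_id, new_secret = store.create("demo")          # step 1: second key alongside the first
    for label, kid, sec in (("old", old_id, old_secret), ("new", new_id, new_secret)):
        ok, _ = verify(store, signed_request(kid, sec, "GET", "/", {"Action": "ListResources"}, now), now)
        log.append(f"{label} key during overlap: {ok}")
    store.deactivate(old_id)                             # step 2: once clients use the new key
    ok, _ = verify(store, signed_request(old_id, old_secret, "GET", "/", {"Action": "ListResources"}, now), now)
    log.append(f"old key after deactivation: {ok}")
    store.delete(old_id)                                 # step 3: remove once nothing depends on it
    return log
```

Deactivating before deleting is the safe order: a key that turns out to still be in use somewhere can be re-enabled in seconds, while a deleted one cannot. The timestamp check is an added hardening the notes do not mention; it bounds how long a captured signed request stays replayable.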
  12. Enables four models instead of just one:
     – Public facing only, for network control and web access (potentially host-based VPN)
     – Public facing plus private, for tighter access control to the back-end tier (but no hardware VPN)
     – Public facing plus private subnets with hardware VPN hookup
     – Fully private, using only hardware VPN
  13. Amazon Web Services (AWS) delivers a scalable cloud computing platform with high availability and dependability, offering the flexibility to enable customers to build a wide range of applications. Helping to protect the confidentiality, integrity, and availability of our customers’ systems and data is of the utmost importance to AWS, as is maintaining customer trust and confidence. This document is intended to answer questions such as, “How does AWS help me protect my data?” Specifically, AWS physical and operational security processes are described for network and server infrastructure under AWS’ management, as well as service-specific security implementations. This document provides an overview of security as it pertains to the following areas relevant to AWS:
     – Shared Responsibility Environment
     – Control Environment Summary
     – Secure Design Principles
     – Backup
     – Monitoring
     – Information and Communication
     – Employee Lifecycle
     – Physical Security
     – Environmental Safeguards
     – Configuration Management
     – Business Continuity Management
     – Backups
     – Fault Separation
     – Amazon Account Security Features
     – Network Security
     – AWS Service Specific Security: Amazon Elastic Compute Cloud (Amazon EC2) Security; Amazon Virtual Private Cloud (Amazon VPC); Amazon Simple Storage Service (Amazon S3) Security; Amazon SimpleDB Security; Amazon Relational Database Service (Amazon RDS) Security; Amazon Simple Queue Service (Amazon SQS) Security; Amazon Simple Notification Service (SNS) Security; Amazon CloudWatch Security; Auto Scaling Security; Amazon CloudFront Security; Amazon Elastic MapReduce Security
  14. Multiple Levels of Security
     Virtual Private Cloud: Each VPC is a distinct, isolated network within the cloud. At creation time, an IP address range for each VPC is selected by the customer. Network traffic within each VPC is isolated from all other VPCs; therefore, multiple VPCs may use overlapping (even identical) IP address ranges without loss of this isolation. By default, VPCs have no external connectivity. Customers may create and attach an Internet Gateway, VPN Gateway, or both to establish external connectivity, subject to the controls below.
     API: Calls to create and delete VPCs, change routing, security group, and network ACL parameters, and perform other functions are all signed by the customer’s Amazon Secret Access Key, which could be either the AWS Account’s Secret Access Key or the Secret Access Key of a user created with AWS IAM. Without access to the customer’s Secret Access Key, Amazon VPC API calls cannot be made on the customer’s behalf. In addition, API calls can be encrypted with SSL to maintain confidentiality. Amazon recommends always using SSL-protected API endpoints. AWS IAM also enables a customer to further control what APIs a newly created user has permissions to call.
     Subnets: Customers create one or more subnets within each VPC; each instance launched in the VPC is connected to one subnet. Traditional Layer 2 security attacks, including MAC spoofing and ARP spoofing, are blocked.
     Route Tables and Routes: Each subnet in a VPC is associated with a routing table, and all network traffic leaving a subnet is processed by the routing table to determine the destination.
     VPN Gateway: A VPN Gateway enables private connectivity between the VPC and another network. Network traffic within each VPN Gateway is isolated from network traffic within all other VPN Gateways. Customers may establish VPN Connections to the VPN Gateway from gateway devices at the customer premise. Each connection is secured by a pre-shared key in conjunction with the IP address of the customer gateway device.
     Internet Gateway: An Internet Gateway may be attached to a VPC to enable direct connectivity to Amazon S3, other AWS services, and the Internet. Each instance desiring this access must either have an Elastic IP associated with it or route traffic through a NAT instance. Additionally, network routes are configured (see above) to direct traffic to the Internet Gateway. AWS provides reference NAT AMIs that can be extended by customers to perform network logging, deep packet inspection, application-layer filtering, or other security controls. This access can only be modified through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the Internet Gateway, therefore enabling the customer to implement additional security through separation of duties.
     Amazon EC2 Instances: Amazon EC2 instances running within an Amazon VPC retain all of the benefits described above related to the Host Operating System, Guest Operating System, Hypervisor, Instance Isolation, and protection against packet sniffing.
     Tenancy: VPC allows customers to launch Amazon EC2 instances that are physically isolated at the host hardware level; they will run on single tenant hardware. A VPC can be created with ‘dedicated’ tenancy, in which case all instances launched into the VPC will utilize this feature. Alternatively, a VPC may be created with ‘default’ tenancy, but customers may specify ‘dedicated’ tenancy for particular instances launched into the VPC.
     Firewall (Security Groups): Like Amazon EC2, Amazon VPC supports a complete firewall solution enabling filtering on both ingress and egress traffic from an instance. The default group enables inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, as well as source/destination IP address (individual IP or Classless Inter-Domain Routing (CIDR) block). The firewall isn’t controlled through the Guest OS; rather it can be modified only through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the firewall, therefore enabling the customer to implement additional security through separation of duties. The level of security afforded by the firewall is a function of which ports are opened by the customer, and for what duration and purpose. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages customers to apply additional per-instance filters with host-based firewalls such as iptables or the Windows Firewall.
     Network Access Control Lists: To add a further layer of security within Amazon VPC, customers can configure Network ACLs. These are stateless traffic filters that apply to all traffic inbound or outbound from a subnet within a VPC. These ACLs can contain ordered rules to allow or deny traffic based upon IP protocol, by service port, as well as source/destination IP address. Like security groups, network ACLs are managed through Amazon VPC APIs, adding an additional layer of protection and enabling additional security through separation of duties.
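The practical consequence of "stateless" in the Network ACL paragraph, and of the ordered allow/deny rules, as an added example written for this page (not AWS code): a stateless ACL sees each packet on its own, so the reply to an allowed inbound HTTPS connection still needs an outbound rule covering the client's ephemeral port, and a lower-numbered deny wins over a later allow. The security group model beside it remembers the flows it admitted. Rule numbers, addresses, the packet flow and the evaluation semantics are this example's own reading of the text, not a specification of the AWS implementation.

```python
"""Stateless network ACL versus stateful security group. Added example for this
page, not AWS code; rules, addresses and the packet flow are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the subnet/instance) or "out"
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # lower numbers are evaluated first
    direction: str
    proto: str       # "tcp", "udp", "icmp" or "*"
    cidr: str        # remote range: source for "in", destination for "out"
    port_from: int   # destination port range on the packet
    port_to: int
    action: str      # "allow" or "deny"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    remote_ip = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    if rule.direction != pkt.direction or rule.proto not in ("*", pkt.proto):
        return False
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.cidr, strict=False):
        return False
    return rule.port_from <= pkt.dst_port <= rule.port_to


def acl_decision(rules: list[Rule], pkt: Packet) -> str:
    """Stateless: first matching rule by number wins; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: replies to a flow admitted by an inbound rule are let out automatically."""

    def __init__(self, ingress: list[Rule], allow_all_egress: bool = True):
        self.ingress = ingress                 # note 14: default group allows any outbound
        self.allow_all_egress = allow_all_egress
        self._flows: set[tuple] = set()

    def decision(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            if any(rule_matches(r, pkt) for r in self.ingress):
                self._flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return "allow"
            return "deny"
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self._flows:
            return "allow"                     # return traffic of an admitted connection
        return "allow" if self.allow_all_egress else "deny"


def walkthrough() -> dict[str, str]:
    """Constructed HTTPS exchange between a client and an instance in the subnet."""
    client_syn = Packet("in", "tcp", "203.0.113.10", 51515, "10.0.1.5", 443)
    server_reply = Packet("out", "tcp", "10.0.1.5", 443, "203.0.113.10", 51515)
    ssh_attempt = Packet("in", "tcp", "203.0.113.10", 51516, "10.0.1.5", 22)

    # An ACL that mentions only port 443 in both directions: the reply has no rule.
    naive_acl = [Rule(100, "in", "tcp", "0.0.0.0/0", 443, 443, "allow"),
                 Rule(100, "out", "tcp", "0.0.0.0/0", 443, 443, "allow")]
    # Corrected: an outbound rule for the ephemeral range carries the replies, and a
    # lower-numbered deny for one constructed range takes precedence over the allow.
    fixed_acl = naive_acl + [Rule(110, "out", "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
                             Rule(90, "in", "tcp", "198.51.100.0/24", 0, 65535, "deny")]
    sg = SecurityGroup([Rule(1, "in", "tcp", "0.0.0.0/0", 443, 443, "allow")])
    return {
        "naive_acl_syn": acl_decision(naive_acl, client_syn),
        "naive_acl_reply": acl_decision(naive_acl, server_reply),
        "fixed_acl_reply": acl_decision(fixed_acl, server_reply),
        "fixed_acl_denied_range": acl_decision(
            fixed_acl, Packet("in", "tcp", "198.51.100.7", 40000, "10.0.1.5", 443)),
        "sg_syn": sg.decision(client_syn),
        "sg_reply": sg.decision(server_reply),
        "sg_ssh_in": sg.decision(ssh_attempt),
    }
```

The "naive_acl_reply" result is the one that bites in practice: the connection is admitted, then silently broken because the reply packet is evaluated on its own and matches nothing. Pairing a subnet-level ACL with instance-level security groups, as the note recommends, keeps the coarse deny rules in the ACL and the connection tracking in the group.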
  15. OK, for the next few slides, I’ll be talking about Federation to access AWS APIs. With IAM, you can now SYNC identities between your system and our system. However, this isn’t truly Federation: identities are maintained in 2 places, and if you terminate an employee, you must also do so in our system. So the question comes down to: how are we going to enable federation to our APIs?
  16. Thanks Miles. We would like to enhance the security already available in the CSP environment. As Miles just mentioned, security is a joint responsibility between the CSP and the customer.
  17. In our survey, we asked businesses how they are securing their clouds today. We found that 85% are using encryption on their cloud data. We also found that 85% are keeping a 1 to 1 copy of all data synched to a public cloud. Although it’s good to encrypt cloud data as a security best practice, most traditional encryption solutions leave businesses vulnerable when applied to cloud data. To provide the flexibility needed in a cloud encryption solution, you need:
     – Policy-based key management to indicate when and where data can be accessed. This is important to support compliance.
     – Server validation. This is critical to ensure that only authorized servers get access to decryption keys.
     – And business key ownership to provide a strict separation of duties between the business and the service provider.
  18. Let’s look at what’s needed in a cloud encryption solution in more detail… The solution should start with industry-standard encryption. This encryption renders your data unreadable to outsiders. Even if your data is moved and residual data is left behind, the data in the recycled devices is obscured. It is critical to have this encryption accessed through policy-based key management. Through policies, identity- and integrity-based validation rules specify which servers have access to decryption keys. Also, these policies can specify when and where the data can be accessed. This granular control not only prevents rogue servers from accessing your information but also supports data privacy regulations which require that data only be accessed in particular geographic regions. An encryption solution can also provide reporting and auditing to show who has accessed your data. This supports internal governance and external compliance requirements. The keys should not be held by the cloud vendor, to support a clear separation of duties between the business and service provider. An encryption solution with policy-based key management allows even heavily regulated companies to leverage the flexibility and cost savings of the public cloud while ensuring their data stays secure.