SlideShare a Scribd company logo

MAE401_Designing for DisneyMarvel Studio-Grade Security

Amazon Web Services
Amazon Web Services

Security is paramount for media storage and workloads and can directly impact a studio's bottom line. As core media workloads move to the cloud, it’s imperative to examine the security implications of a multi-tenant public cloud environment in light of various asset classifications, content production, and delivery scenarios, as well as content handling during production workloads. In this session, we address questions and concerns about security in the cloud in the context of tier-1 (pre-released) studio content, as well as the MPAA. We highlight a studio's journey to meet Marvel’s security requirements and run a tier-1 content workflow in the cloud and discuss what it took to approve the environment on AWS.

1 of 37
Download to read offline
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:Invent Designing for Disney/Marvel Studio- Grade Security K E I T H R I T L O P | S r . M a n a g e r – S t u d i o T e c h n o l o g y & R i s k A s s e s s m e n t E L I M E Z E I | E x e c u t i v e P a r t n e r – I n d e p e n d e n t S e c u r i t y E v a l u a t o r s U S M A N S H A K E E L | W W . T e c h L e a d e r M & E a t A W S M A E 4 0 1 N o v e m b e r 2 7 , 2 0 1 7
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. M&E: Security Common security requirements • MPAA • CDSA • Major studio requirements (Disney/Marvel) CSA, standard audit parties ISO, SOC Third-party audits
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Is Cloud more secure for my high valued Content? Yes “Through 2020, public cloud infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centers” “By 2018, the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures” – Gartner January 23, 2017
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cloud Security Best Practices What: • A set of guidelines based on ISO, OWASP, CSA, PCI, NIST800-53, SANS and industry best practices • Consists of Application Security and Cloud Security guidelines How: • Not an Audit rather an ‘assessment’ or ‘inspection’ • Self Assessment • Infrastructure and Application assessment
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Scenario Keith Ritlop Sr. Manager – Studio Technology & Risk Assessment Studio Content Owner VFX House Service Provider Cloud-Based RenderfarmControl Visibility Scale Flexibility Cost Auditability Eli Mezei Executive Partner – Independent Security Evaluators 3rd Party Auditor Content Owner
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Governance/ Control Auditability Monitoring Baseline AWS Concepts ( S e l e c t i v e I n g r e d i e n t s ) AWS Config Amazon EC2 Systems Manager Amazon CloudWatch AWS CloudTrail IAM Amazon Inspector AWS Organizations AWSKMS VPC peering endpoints Amazon Cloud Directory
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. WORKFLOWS DRIVE SECURITY Security must support the workflow, not the other way around The workflow must be understood in depth before security controls can be defined The simplest solution is generally the most secure
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. TRUST MODEL VS. THREAT MODEL
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. KNOW YOUR ADVERSARY
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. A Simplified Production Workflow 1. Content Creation and Capture 2. On-Location Production – Uses Cloud Based tools 3. Post Production - Relies Heavily on Cloud based Collaboration Tools
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Zooming in on the Workflow On-Location Set Editorial Prepare Editorial Framework Editing Finalize On-Set Director, VFX-Editorial Post Production Departments Film Lab VFX Isolated Network ISIS ISIS Mount and Move of Original Video to staging area Prepare Editorial Tools for Editing Edit Film Scenes Edit Film Sequences Cut in VFX, Art, and Second Unit Footage Prepare Review Cut On Location Post Production Off-Site Crew Studio HQ WAN VFX Vendor Commercial Cloud Collaboration Services PixsFotokem Shotgun
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. On-Premises VFX rendering
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Challenge What are we trying to solve? SPEED Storage S P A C E Security
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Example Cloud-Based VFX Render Workflow - AWS Private Compute and Storage Subnet 10.0.2.0/24 AWS Batch Spot Fleet Spot Instances instances VPN Subnet 10.0.1.0/24 router Bastion ServerAmazon CloudWatch AWS KMS Content Ingress/ Egress Amazon EFS route table On-premises network 192.168.0.0/16 customer gateway Active Directory Region Amazon VPC VPN gateway VPN connection route table Compute Subnet Render Farm Compute Domain Controller AD Connect Sync Access Control
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Principals of Secure Design in Content Production workflows
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. INDUSTRY PRINCIPALS • Secure Design Principle: those upon which systems resilient against attacks are built • Principal of secure design should apply to all production technology • Controls are workflow dependent, but interchangeable with minimal customization
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PRINCIPAL: LEAST PRIVILIGE
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PRINCIPAL: PRIVILIGE SEPARATION
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Core Services for Least Privilege and Privilege Segregation AWS Accounts Structure IAM AWS Organizations S3 bucket policies
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. aws iam create-role --role-name Key_OP --assume-role-policy-document file://Test-Role- Trust-Policy.json Content of the JSON: { "Role": { "AssumeRolePolicyDocument": "<URL-encoded-JSON>", "RoleId": "Key_OP", "CreateDate": "2017-10-07T20:43:32.821Z", "RoleName": "Key_OP", "Path": "/", "Arn": "arn:aws:iam::123456789012:role/Backend-Rendering" } } Create IAM Role - Control access on as needed basis – assume role - Cross Account Access - Revoke access once task is done
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. aws iam create-policy --policy-name my-policy --policy-document file://key_use_policy { "Policy": { "PolicyName":, "key_use_policy", "CreateDate": "2015-06-01T19:31:18.620Z", "AttachmentCount": 0, "IsAttachable": true, "PolicyId": "ZXR6A36LTYANPAI7NJ5UV", "DefaultVersionId": "v1", "Path": "/", "Arn": "arn:aws:iam::0123456789012:policy/my-policy", "UpdateDate": "2015-06-01T19:31:18.620Z” } } Create KMS Policy
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name Key_OP aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name Key- Man Attach a Policy to the Role - Can be attached to any IAM Role - Secure means to pass the encryption keys without any human involvement - Logged and fully managed - Automated and as-needed basis - Customer controls the Master key
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ########This is the S3 bucket policy that requires use of a kms encryption for upload:######## {"Version": "2012-10-17", "Id": "PutObjPolicy", "Statement": [ { "Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::Backend-Rendering-Bucket /*", "Condition": { "StringNotEquals": {"s3:x-amz-server-side-encryption":"aws:kms"} } }, {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::Backend-Rendering-Bucket /*", "Condition": { "Null": {"s3:x-amz-server-side-encryption": true}} }]} Set KMS Requirement
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Bucket Policy for role: {"Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::Backend-Rendering-Bucket", "arn:aws:s3:::Backend-Rendering-Bucket/*” ], "Condition": { "StringNotLike": { “aws:userId": [ “AROAUNIQUEROLEIDENTIFIER:*” ] }} }] } CREATE RESTRICITVE KMS RULE
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Architectural Pattern: achieve Privilege Control Subnet AWS KMS Region IAM Amazon VPC route table IAM S3 Bucket role permissions Users Define role User policy permissions permissions Encryption keys AWS CloudFormation Access Data Monitor Attach policy
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Architectural Pattern: Encryption & Key Management AWS KMS
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PRINCIPAL: DEFENSE IN DEPTH
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. VPC Segmentation • Allows you to treat services, and apps, and storage as distinct zones with logical controls • Traffic generally controlled through an app or a portal • Audit and monitor critical apps/VPCs
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Extends trust and controls to Counterparties • Restricts access to only known infrastructure • Used for workflows that involve trusted counterparties & shared infrastructure VPC Peering
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Trust is completely centralized • Tantamount to restricting access via a corporate LAN • Very restrictive trust model • Incredibly robust Logging and monitoring capability VPC Sub-Account
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PRINCIPAL: TRUST RELUCTANCE
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Robust Logging, Monitoring Virtual private cloud Amazon VPC flow logs Amazon CloudWatch bucket AWS CloudTrail Monitor API VPC Logs Asset Subnet AWS KMS route table S3 Bucket Encryption keys Logging data Key Logging Logging data instance with CloudWatch Amazon Elasticsearch Service Event drive analytics analytics' Amazon RedshiftData warehouse queries AWS Lambda Centralized Logging Proxy Proxy Server Administrator Log Management API Calls
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Summing it all up
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Secure Design is Interchangeable
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How do I achieve Studio Security? Reach out to studio stakeholders/content owners to inform them of your design and plan Get buy-in from the stakeholder Request the template via AWS Artifacts and get the implementation audited quickly Innovate
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Questions…
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you!

Recommended

DVC304_Compliance and Top Security Threats in the Cloud—Are You Protected
DVC304_Compliance and Top Security Threats in the Cloud—Are You ProtectedDVC304_Compliance and Top Security Threats in the Cloud—Are You Protected
DVC304_Compliance and Top Security Threats in the Cloud—Are You Protected
Amazon Web Services
 
HLC308_Refactoring to the Cloud
HLC308_Refactoring to the CloudHLC308_Refactoring to the Cloud
HLC308_Refactoring to the Cloud
Amazon Web Services
 
LFS301-SAGE Bionetworks, Digital Mammography DREAM Challenge and How AWS Enab...
LFS301-SAGE Bionetworks, Digital Mammography DREAM Challenge and How AWS Enab...LFS301-SAGE Bionetworks, Digital Mammography DREAM Challenge and How AWS Enab...
LFS301-SAGE Bionetworks, Digital Mammography DREAM Challenge and How AWS Enab...
Amazon Web Services
 
DVC202_The Open Guide to AWS
DVC202_The Open Guide to AWSDVC202_The Open Guide to AWS
DVC202_The Open Guide to AWS
Amazon Web Services
 
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
Amazon Web Services
 
RET303_Drive Warehouse Efficiencies with the Same AWS IoT Technology that Pow...
RET303_Drive Warehouse Efficiencies with the Same AWS IoT Technology that Pow...RET303_Drive Warehouse Efficiencies with the Same AWS IoT Technology that Pow...
RET303_Drive Warehouse Efficiencies with the Same AWS IoT Technology that Pow...
Amazon Web Services
 
Building Serverless Websites with Lambda@Edge - CTD309 - re:Invent 2017
Building Serverless Websites with Lambda@Edge - CTD309 - re:Invent 2017Building Serverless Websites with Lambda@Edge - CTD309 - re:Invent 2017
Building Serverless Websites with Lambda@Edge - CTD309 - re:Invent 2017
Amazon Web Services
 
CMP216_Use Amazon EC2 Spot Instances to Deploy a Deep Learning Framework on A...
CMP216_Use Amazon EC2 Spot Instances to Deploy a Deep Learning Framework on A...CMP216_Use Amazon EC2 Spot Instances to Deploy a Deep Learning Framework on A...
CMP216_Use Amazon EC2 Spot Instances to Deploy a Deep Learning Framework on A...
Amazon Web Services
 

Recommended

DVC304_Compliance and Top Security Threats in the Cloud—Are You Protected
DVC304_Compliance and Top Security Threats in the Cloud—Are You ProtectedDVC304_Compliance and Top Security Threats in the Cloud—Are You Protected
DVC304_Compliance and Top Security Threats in the Cloud—Are You Protected
Amazon Web Services
 
HLC308_Refactoring to the Cloud
HLC308_Refactoring to the CloudHLC308_Refactoring to the Cloud
HLC308_Refactoring to the Cloud
Amazon Web Services
 
LFS301-SAGE Bionetworks, Digital Mammography DREAM Challenge and How AWS Enab...
LFS301-SAGE Bionetworks, Digital Mammography DREAM Challenge and How AWS Enab...LFS301-SAGE Bionetworks, Digital Mammography DREAM Challenge and How AWS Enab...
LFS301-SAGE Bionetworks, Digital Mammography DREAM Challenge and How AWS Enab...
Amazon Web Services
 
DVC202_The Open Guide to AWS
DVC202_The Open Guide to AWSDVC202_The Open Guide to AWS
DVC202_The Open Guide to AWS
Amazon Web Services
 
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
HLC302_Adopting Microservices in Healthcare Building a Compliant DevOps Pipel...
Amazon Web Services
 
RET303_Drive Warehouse Efficiencies with the Same AWS IoT Technology that Pow...
RET303_Drive Warehouse Efficiencies with the Same AWS IoT Technology that Pow...RET303_Drive Warehouse Efficiencies with the Same AWS IoT Technology that Pow...
RET303_Drive Warehouse Efficiencies with the Same AWS IoT Technology that Pow...
Amazon Web Services
 
Building Serverless Websites with Lambda@Edge - CTD309 - re:Invent 2017
Building Serverless Websites with Lambda@Edge - CTD309 - re:Invent 2017Building Serverless Websites with Lambda@Edge - CTD309 - re:Invent 2017
Building Serverless Websites with Lambda@Edge - CTD309 - re:Invent 2017
Amazon Web Services
 
CMP216_Use Amazon EC2 Spot Instances to Deploy a Deep Learning Framework on A...
CMP216_Use Amazon EC2 Spot Instances to Deploy a Deep Learning Framework on A...CMP216_Use Amazon EC2 Spot Instances to Deploy a Deep Learning Framework on A...
CMP216_Use Amazon EC2 Spot Instances to Deploy a Deep Learning Framework on A...
Amazon Web Services
 
DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...
DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...
DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...
Amazon Web Services
 
Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017
Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017
Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017
Amazon Web Services
 
GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...
GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...
GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...
Amazon Web Services
 
DVC303-Technological Accelerants for Organizational Transformation
DVC303-Technological Accelerants for Organizational TransformationDVC303-Technological Accelerants for Organizational Transformation
DVC303-Technological Accelerants for Organizational Transformation
Amazon Web Services
 
RET301-Build Single Customer View across Multiple Retail Channels using AWS S...
RET301-Build Single Customer View across Multiple Retail Channels using AWS S...RET301-Build Single Customer View across Multiple Retail Channels using AWS S...
RET301-Build Single Customer View across Multiple Retail Channels using AWS S...
Amazon Web Services
 
NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017
NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017
NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017
Amazon Web Services
 
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdfWPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
Amazon Web Services
 
AMF305_Autonomous Driving Algorithm Development on Amazon AI
AMF305_Autonomous Driving Algorithm Development on Amazon AIAMF305_Autonomous Driving Algorithm Development on Amazon AI
AMF305_Autonomous Driving Algorithm Development on Amazon AI
Amazon Web Services
 
NEW LAUNCH! Building Alexa Skills for Businesses (ALX204)
NEW LAUNCH! Building Alexa Skills for Businesses (ALX204) NEW LAUNCH! Building Alexa Skills for Businesses (ALX204)
NEW LAUNCH! Building Alexa Skills for Businesses (ALX204)
Amazon Web Services
 
ARC210_Building Scalable Multi-Tenant Email Sending Programs
ARC210_Building Scalable Multi-Tenant Email Sending ProgramsARC210_Building Scalable Multi-Tenant Email Sending Programs
ARC210_Building Scalable Multi-Tenant Email Sending Programs
Amazon Web Services
 
NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017
NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017
NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017
Amazon Web Services
 
GPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data AnalyticsGPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data Analytics
Amazon Web Services
 
MCL303-Deep Learning with Apache MXNet and Gluon
MCL303-Deep Learning with Apache MXNet and GluonMCL303-Deep Learning with Apache MXNet and Gluon
MCL303-Deep Learning with Apache MXNet and Gluon
Amazon Web Services
 
MBL306_Mobile State of the Union
MBL306_Mobile State of the UnionMBL306_Mobile State of the Union
MBL306_Mobile State of the Union
Amazon Web Services
 
FSV305-Optimizing Payments Collections with Containers and Machine Learning
FSV305-Optimizing Payments Collections with Containers and Machine LearningFSV305-Optimizing Payments Collections with Containers and Machine Learning
FSV305-Optimizing Payments Collections with Containers and Machine Learning
Amazon Web Services
 
GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...
GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...
GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...
Amazon Web Services
 
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
Amazon Web Services
 
Building Best Practices and the Right Foundation for your 1st Production Work...
Building Best Practices and the Right Foundation for your 1st Production Work...Building Best Practices and the Right Foundation for your 1st Production Work...
Building Best Practices and the Right Foundation for your 1st Production Work...
Amazon Web Services
 
GPSTEC302_Anti-Patterns- Learning through Failure
GPSTEC302_Anti-Patterns- Learning through FailureGPSTEC302_Anti-Patterns- Learning through Failure
GPSTEC302_Anti-Patterns- Learning through Failure
Amazon Web Services
 
STG205_#EarthOnAWS How NASA is Using AWS
STG205_#EarthOnAWS How NASA is Using AWSSTG205_#EarthOnAWS How NASA is Using AWS
STG205_#EarthOnAWS How NASA is Using AWS
Amazon Web Services
 
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Amazon Web Services
 
The Future of Securing Access Controls in Information Security
The Future of Securing Access Controls in Information SecurityThe Future of Securing Access Controls in Information Security
The Future of Securing Access Controls in Information Security
Amazon Web Services
 

More Related Content

What's hot

DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...
DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...
DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...
Amazon Web Services
 
Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017
Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017
Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017
Amazon Web Services
 
GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...
GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...
GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...
Amazon Web Services
 
DVC303-Technological Accelerants for Organizational Transformation
DVC303-Technological Accelerants for Organizational TransformationDVC303-Technological Accelerants for Organizational Transformation
DVC303-Technological Accelerants for Organizational Transformation
Amazon Web Services
 
RET301-Build Single Customer View across Multiple Retail Channels using AWS S...
RET301-Build Single Customer View across Multiple Retail Channels using AWS S...RET301-Build Single Customer View across Multiple Retail Channels using AWS S...
RET301-Build Single Customer View across Multiple Retail Channels using AWS S...
Amazon Web Services
 
NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017
NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017
NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017
Amazon Web Services
 
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdfWPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
Amazon Web Services
 
AMF305_Autonomous Driving Algorithm Development on Amazon AI
AMF305_Autonomous Driving Algorithm Development on Amazon AIAMF305_Autonomous Driving Algorithm Development on Amazon AI
AMF305_Autonomous Driving Algorithm Development on Amazon AI
Amazon Web Services
 
NEW LAUNCH! Building Alexa Skills for Businesses (ALX204)
NEW LAUNCH! Building Alexa Skills for Businesses (ALX204) NEW LAUNCH! Building Alexa Skills for Businesses (ALX204)
NEW LAUNCH! Building Alexa Skills for Businesses (ALX204)
Amazon Web Services
 
ARC210_Building Scalable Multi-Tenant Email Sending Programs
ARC210_Building Scalable Multi-Tenant Email Sending ProgramsARC210_Building Scalable Multi-Tenant Email Sending Programs
ARC210_Building Scalable Multi-Tenant Email Sending Programs
Amazon Web Services
 
NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017
NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017
NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017
Amazon Web Services
 
GPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data AnalyticsGPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data Analytics
Amazon Web Services
 
MCL303-Deep Learning with Apache MXNet and Gluon
MCL303-Deep Learning with Apache MXNet and GluonMCL303-Deep Learning with Apache MXNet and Gluon
MCL303-Deep Learning with Apache MXNet and Gluon
Amazon Web Services
 
MBL306_Mobile State of the Union
MBL306_Mobile State of the UnionMBL306_Mobile State of the Union
MBL306_Mobile State of the Union
Amazon Web Services
 
FSV305-Optimizing Payments Collections with Containers and Machine Learning
FSV305-Optimizing Payments Collections with Containers and Machine LearningFSV305-Optimizing Payments Collections with Containers and Machine Learning
FSV305-Optimizing Payments Collections with Containers and Machine Learning
Amazon Web Services
 
GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...
GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...
GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...
Amazon Web Services
 
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
Amazon Web Services
 
Building Best Practices and the Right Foundation for your 1st Production Work...
Building Best Practices and the Right Foundation for your 1st Production Work...Building Best Practices and the Right Foundation for your 1st Production Work...
Building Best Practices and the Right Foundation for your 1st Production Work...
Amazon Web Services
 
GPSTEC302_Anti-Patterns- Learning through Failure
GPSTEC302_Anti-Patterns- Learning through FailureGPSTEC302_Anti-Patterns- Learning through Failure
GPSTEC302_Anti-Patterns- Learning through Failure
Amazon Web Services
 
STG205_#EarthOnAWS How NASA is Using AWS
STG205_#EarthOnAWS How NASA is Using AWSSTG205_#EarthOnAWS How NASA is Using AWS
STG205_#EarthOnAWS How NASA is Using AWS
Amazon Web Services
 

What's hot (20)

DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...
DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...
DynamoDB adaptive capacity: smooth performance for chaotic workloads - DAT327...
 
Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017
Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017
Zombie Annihilation Using AWS Big Data - ABD328 - re:Invent 2017
 
GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...
GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...
GPSBUS221_Breaking Barriers Move Enterprise SAP Customers to SAP HANA on AWS ...
 
DVC303-Technological Accelerants for Organizational Transformation
DVC303-Technological Accelerants for Organizational TransformationDVC303-Technological Accelerants for Organizational Transformation
DVC303-Technological Accelerants for Organizational Transformation
 
RET301-Build Single Customer View across Multiple Retail Channels using AWS S...
RET301-Build Single Customer View across Multiple Retail Channels using AWS S...RET301-Build Single Customer View across Multiple Retail Channels using AWS S...
RET301-Build Single Customer View across Multiple Retail Channels using AWS S...
 
NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017
NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017
NEW LAUNCH! Introducing AWS IoT Analytics - IOT214 - re:Invent 2017
 
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdfWPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
WPS301-Navigating HIPAA and HITRUST_QuickStart Guide to Account Gov Strat.pdf
 
AMF305_Autonomous Driving Algorithm Development on Amazon AI
AMF305_Autonomous Driving Algorithm Development on Amazon AIAMF305_Autonomous Driving Algorithm Development on Amazon AI
AMF305_Autonomous Driving Algorithm Development on Amazon AI
 
NEW LAUNCH! Building Alexa Skills for Businesses (ALX204)
NEW LAUNCH! Building Alexa Skills for Businesses (ALX204) NEW LAUNCH! Building Alexa Skills for Businesses (ALX204)
NEW LAUNCH! Building Alexa Skills for Businesses (ALX204)
 
ARC210_Building Scalable Multi-Tenant Email Sending Programs
ARC210_Building Scalable Multi-Tenant Email Sending ProgramsARC210_Building Scalable Multi-Tenant Email Sending Programs
ARC210_Building Scalable Multi-Tenant Email Sending Programs
 
NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017
NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017
NEW LAUNCH! AWS Serverless Application Repository - SRV215 - re:Invent 2017
 
GPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data AnalyticsGPSBUS202_Driving Customer Value with Big Data Analytics
GPSBUS202_Driving Customer Value with Big Data Analytics
 
MCL303-Deep Learning with Apache MXNet and Gluon
MCL303-Deep Learning with Apache MXNet and GluonMCL303-Deep Learning with Apache MXNet and Gluon
MCL303-Deep Learning with Apache MXNet and Gluon
 
MBL306_Mobile State of the Union
MBL306_Mobile State of the UnionMBL306_Mobile State of the Union
MBL306_Mobile State of the Union
 
FSV305-Optimizing Payments Collections with Containers and Machine Learning
FSV305-Optimizing Payments Collections with Containers and Machine LearningFSV305-Optimizing Payments Collections with Containers and Machine Learning
FSV305-Optimizing Payments Collections with Containers and Machine Learning
 
GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...
GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...
GPSTEC321_VMware on AWS Cloud Technical Deep Dive & Native AWS Services Integ...
 
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
 
Building Best Practices and the Right Foundation for your 1st Production Work...
Building Best Practices and the Right Foundation for your 1st Production Work...Building Best Practices and the Right Foundation for your 1st Production Work...
Building Best Practices and the Right Foundation for your 1st Production Work...
 
GPSTEC302_Anti-Patterns- Learning through Failure
GPSTEC302_Anti-Patterns- Learning through FailureGPSTEC302_Anti-Patterns- Learning through Failure
GPSTEC302_Anti-Patterns- Learning through Failure
 
STG205_#EarthOnAWS How NASA is Using AWS
STG205_#EarthOnAWS How NASA is Using AWSSTG205_#EarthOnAWS How NASA is Using AWS
STG205_#EarthOnAWS How NASA is Using AWS
 

Similar to MAE401_Designing for DisneyMarvel Studio-Grade Security

Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Amazon Web Services
 
The Future of Securing Access Controls in Information Security
The Future of Securing Access Controls in Information SecurityThe Future of Securing Access Controls in Information Security
The Future of Securing Access Controls in Information Security
Amazon Web Services
 
SID302_Force Multiply Your Security Team with Automation and Alexa
SID302_Force Multiply Your Security Team with Automation and AlexaSID302_Force Multiply Your Security Team with Automation and Alexa
SID302_Force Multiply Your Security Team with Automation and Alexa
Amazon Web Services
 
Devoxx: Building AI-powered applications on AWS
Devoxx: Building AI-powered applications on AWSDevoxx: Building AI-powered applications on AWS
Devoxx: Building AI-powered applications on AWS
Adrian Hornsby
 
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Amazon Web Services
 
The 1% Identity and Governance Patterns from the Most Advanced AWS Customers ...
The 1% Identity and Governance Patterns from the Most Advanced AWS Customers ...The 1% Identity and Governance Patterns from the Most Advanced AWS Customers ...
The 1% Identity and Governance Patterns from the Most Advanced AWS Customers ...
Amazon Web Services
 
AWS X-Ray: Debugging Applications at Scale - AWS Online Tech Talks
AWS X-Ray: Debugging Applications at Scale - AWS Online Tech TalksAWS X-Ray: Debugging Applications at Scale - AWS Online Tech Talks
AWS X-Ray: Debugging Applications at Scale - AWS Online Tech Talks
Amazon Web Services
 
The 1%: Identity and Governance Patterns From the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns From the Most Advanced AWS Customers...The 1%: Identity and Governance Patterns From the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns From the Most Advanced AWS Customers...
Amazon Web Services
 
SID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account StrategySID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account Strategy
Amazon Web Services
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdf
Amazon Web Services
 
Soup to Nuts: Identity Federation for AWS
Soup to Nuts: Identity Federation for AWSSoup to Nuts: Identity Federation for AWS
Soup to Nuts: Identity Federation for AWS
Amazon Web Services
 
Use Amazon Rekognition to Build a Facial Recognition System
Use Amazon Rekognition to Build a Facial Recognition SystemUse Amazon Rekognition to Build a Facial Recognition System
Use Amazon Rekognition to Build a Facial Recognition System
Amazon Web Services
 
Use Amazon Rekognition to Build a Facial Recognition System
Use Amazon Rekognition to Build a Facial Recognition SystemUse Amazon Rekognition to Build a Facial Recognition System
Use Amazon Rekognition to Build a Facial Recognition System
Amazon Web Services
 
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Amazon Web Services
 
Serverless in Action on AWS
Serverless in Action on AWSServerless in Action on AWS
Serverless in Action on AWS
Adrian Hornsby
 
NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...
NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...
NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...
Amazon Web Services
 
Security @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep DiveSecurity @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep Dive
Kristana Kane
 
SRV312_Taking Serverless to the Edge
SRV312_Taking Serverless to the EdgeSRV312_Taking Serverless to the Edge
SRV312_Taking Serverless to the Edge
Amazon Web Services
 
Incident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseIncident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat Response
Amazon Web Services
 

Similar to MAE401_Designing for DisneyMarvel Studio-Grade Security (20)

Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
Security at Scale: How Autodesk Leverages Native AWS Technologies to Provide ...
 
The Future of Securing Access Controls in Information Security
The Future of Securing Access Controls in Information SecurityThe Future of Securing Access Controls in Information Security
The Future of Securing Access Controls in Information Security
 
SID302_Force Multiply Your Security Team with Automation and Alexa
SID302_Force Multiply Your Security Team with Automation and AlexaSID302_Force Multiply Your Security Team with Automation and Alexa
SID302_Force Multiply Your Security Team with Automation and Alexa
 
Devoxx: Building AI-powered applications on AWS
Devoxx: Building AI-powered applications on AWSDevoxx: Building AI-powered applications on AWS
Devoxx: Building AI-powered applications on AWS
 
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
Manage Infrastructure Securely at Scale and Eliminate Operational Risks - DEV...
 
The 1% Identity and Governance Patterns from the Most Advanced AWS Customers ...
The 1% Identity and Governance Patterns from the Most Advanced AWS Customers ...The 1% Identity and Governance Patterns from the Most Advanced AWS Customers ...
The 1% Identity and Governance Patterns from the Most Advanced AWS Customers ...
 
AWS X-Ray: Debugging Applications at Scale - AWS Online Tech Talks
AWS X-Ray: Debugging Applications at Scale - AWS Online Tech TalksAWS X-Ray: Debugging Applications at Scale - AWS Online Tech Talks
AWS X-Ray: Debugging Applications at Scale - AWS Online Tech Talks
 
The 1%: Identity and Governance Patterns From the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns From the Most Advanced AWS Customers...The 1%: Identity and Governance Patterns From the Most Advanced AWS Customers...
The 1%: Identity and Governance Patterns From the Most Advanced AWS Customers...
 
SID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account StrategySID331_Architecting Security and Governance Across a Multi-Account Strategy
SID331_Architecting Security and Governance Across a Multi-Account Strategy
 
Incident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdfIncident Response on AWS - A Practical Look.pdf
Incident Response on AWS - A Practical Look.pdf
 
AWS Security Deep Dive
AWS Security Deep DiveAWS Security Deep Dive
AWS Security Deep Dive
 
Soup to Nuts: Identity Federation for AWS
Soup to Nuts: Identity Federation for AWSSoup to Nuts: Identity Federation for AWS
Soup to Nuts: Identity Federation for AWS
 
Use Amazon Rekognition to Build a Facial Recognition System
Use Amazon Rekognition to Build a Facial Recognition SystemUse Amazon Rekognition to Build a Facial Recognition System
Use Amazon Rekognition to Build a Facial Recognition System
 
Use Amazon Rekognition to Build a Facial Recognition System
Use Amazon Rekognition to Build a Facial Recognition SystemUse Amazon Rekognition to Build a Facial Recognition System
Use Amazon Rekognition to Build a Facial Recognition System
 
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
 
Serverless in Action on AWS
Serverless in Action on AWSServerless in Action on AWS
Serverless in Action on AWS
 
NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...
NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...
NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...
 
Security @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep DiveSecurity @ (Cloud) Scale Deep Dive
Security @ (Cloud) Scale Deep Dive
 
SRV312_Taking Serverless to the Edge
SRV312_Taking Serverless to the EdgeSRV312_Taking Serverless to the Edge
SRV312_Taking Serverless to the Edge
 
Incident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseIncident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat Response
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

MAE401_Designing for DisneyMarvel Studio-Grade Security

  • 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:Invent Designing for Disney/Marvel Studio- Grade Security K E I T H R I T L O P | S r . M a n a g e r – S t u d i o T e c h n o l o g y & R i s k A s s e s s m e n t E L I M E Z E I | E x e c u t i v e P a r t n e r – I n d e p e n d e n t S e c u r i t y E v a l u a t o r s U S M A N S H A K E E L | W W . T e c h L e a d e r M & E a t A W S M A E 4 0 1 N o v e m b e r 2 7 , 2 0 1 7
  • 2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. M&E: Security Common security requirements • MPAA • CDSA • Major studio requirements (Disney/Marvel) CSA, standard audit parties ISO, SOC Third-party audits
  • 3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Is Cloud more secure for my high valued Content? Yes “Through 2020, public cloud infrastructure as a service (IaaS) workloads will suffer at least 60% fewer security incidents than those in traditional data centers” “By 2018, the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures” – Gartner January 23, 2017
  • 4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Cloud Security Best Practices What: • A set of guidelines based on ISO, OWASP, CSA, PCI, NIST800-53, SANS and industry best practices • Consists of Application Security and Cloud Security guidelines How: • Not an Audit rather an ‘assessment’ or ‘inspection’ • Self Assessment • Infrastructure and Application assessment
  • 5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Scenario Keith Ritlop Sr. Manager – Studio Technology & Risk Assessment Studio Content Owner VFX House Service Provider Cloud-Based RenderfarmControl Visibility Scale Flexibility Cost Auditability Eli Mezei Executive Partner – Independent Security Evaluators 3rd Party Auditor Content Owner
  • 6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Governance/ Control Auditability Monitoring Baseline AWS Concepts ( S e l e c t i v e I n g r e d i e n t s ) AWS Config Amazon EC2 Systems Manager Amazon CloudWatch AWS CloudTrail IAM Amazon Inspector AWS Organizations AWSKMS VPC peering endpoints Amazon Cloud Directory
  • 7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. WORKFLOWS DRIVE SECURITY Security must support the workflow, not the other way around The workflow must be understood in depth before security controls can be defined The simplest solution is generally the most secure
  • 8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. TRUST MODEL VS. THREAT MODEL
  • 9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. KNOW YOUR ADVERSARY
  • 10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. A Simplified Production Workflow 1. Content Creation and Capture 2. On-Location Production – Uses Cloud Based tools 3. Post Production - Relies Heavily on Cloud based Collaboration Tools
  • 11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Zooming in on the Workflow On-Location Set Editorial Prepare Editorial Framework Editing Finalize On-Set Director, VFX-Editorial Post Production Departments Film Lab VFX Isolated Network ISIS ISIS Mount and Move of Original Video to staging area Prepare Editorial Tools for Editing Edit Film Scenes Edit Film Sequences Cut in VFX, Art, and Second Unit Footage Prepare Review Cut On Location Post Production Off-Site Crew Studio HQ WAN VFX Vendor Commercial Cloud Collaboration Services PixsFotokem Shotgun
  • 12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. On-Premises VFX rendering
  • 13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Challenge What are we trying to solve? SPEED Storage S P A C E Security
  • 14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Example Cloud-Based VFX Render Workflow - AWS Private Compute and Storage Subnet 10.0.2.0/24 AWS Batch Spot Fleet Spot Instances instances VPN Subnet 10.0.1.0/24 router Bastion ServerAmazon CloudWatch AWS KMS Content Ingress/ Egress Amazon EFS route table On-premises network 192.168.0.0/16 customer gateway Active Directory Region Amazon VPC VPN gateway VPN connection route table Compute Subnet Render Farm Compute Domain Controller AD Connect Sync Access Control
  • 15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Principals of Secure Design in Content Production workflows
  • 16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. INDUSTRY PRINCIPALS • Secure Design Principle: those upon which systems resilient against attacks are built • Principal of secure design should apply to all production technology • Controls are workflow dependent, but interchangeable with minimal customization
  • 17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PRINCIPAL: LEAST PRIVILIGE
  • 18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PRINCIPAL: PRIVILIGE SEPARATION
  • 19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Core Services for Least Privilege and Privilege Segregation AWS Accounts Structure IAM AWS Organizations S3 bucket policies
  • 20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. aws iam create-role --role-name Key_OP --assume-role-policy-document file://Test-Role- Trust-Policy.json Content of the JSON: { "Role": { "AssumeRolePolicyDocument": "<URL-encoded-JSON>", "RoleId": "Key_OP", "CreateDate": "2017-10-07T20:43:32.821Z", "RoleName": "Key_OP", "Path": "/", "Arn": "arn:aws:iam::123456789012:role/Backend-Rendering" } } Create IAM Role - Control access on as needed basis – assume role - Cross Account Access - Revoke access once task is done
  • 21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. aws iam create-policy --policy-name my-policy --policy-document file://key_use_policy { "Policy": { "PolicyName":, "key_use_policy", "CreateDate": "2015-06-01T19:31:18.620Z", "AttachmentCount": 0, "IsAttachable": true, "PolicyId": "ZXR6A36LTYANPAI7NJ5UV", "DefaultVersionId": "v1", "Path": "/", "Arn": "arn:aws:iam::0123456789012:policy/my-policy", "UpdateDate": "2015-06-01T19:31:18.620Z” } } Create KMS Policy
  • 22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name Key_OP aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name Key- Man Attach a Policy to the Role - Can be attached to any IAM Role - Secure means to pass the encryption keys without any human involvement - Logged and fully managed - Automated and as-needed basis - Customer controls the Master key
  • 23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ########This is the S3 bucket policy that requires use of a kms encryption for upload:######## {"Version": "2012-10-17", "Id": "PutObjPolicy", "Statement": [ { "Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::Backend-Rendering-Bucket /*", "Condition": { "StringNotEquals": {"s3:x-amz-server-side-encryption":"aws:kms"} } }, {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::Backend-Rendering-Bucket /*", "Condition": { "Null": {"s3:x-amz-server-side-encryption": true}} }]} Set KMS Requirement
  • 24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Bucket Policy for role: {"Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::Backend-Rendering-Bucket", "arn:aws:s3:::Backend-Rendering-Bucket/*” ], "Condition": { "StringNotLike": { “aws:userId": [ “AROAUNIQUEROLEIDENTIFIER:*” ] }} }] } CREATE RESTRICITVE KMS RULE
  • 25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Architectural Pattern: achieve Privilege Control Subnet AWS KMS Region IAM Amazon VPC route table IAM S3 Bucket role permissions Users Define role User policy permissions permissions Encryption keys AWS CloudFormation Access Data Monitor Attach policy
  • 26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Architectural Pattern: Encryption & Key Management AWS KMS
  • 27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PRINCIPAL: DEFENSE IN DEPTH
  • 28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. VPC Segmentation • Allows you to treat services, and apps, and storage as distinct zones with logical controls • Traffic generally controlled through an app or a portal • Audit and monitor critical apps/VPCs
  • 29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Extends trust and controls to Counterparties • Restricts access to only known infrastructure • Used for workflows that involve trusted counterparties & shared infrastructure VPC Peering
  • 30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. • Trust is completely centralized • Tantamount to restricting access via a corporate LAN • Very restrictive trust model • Incredibly robust Logging and monitoring capability VPC Sub-Account
  • 31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. PRINCIPAL: TRUST RELUCTANCE
  • 32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Robust Logging, Monitoring Virtual private cloud Amazon VPC flow logs Amazon CloudWatch bucket AWS CloudTrail Monitor API VPC Logs Asset Subnet AWS KMS route table S3 Bucket Encryption keys Logging data Key Logging Logging data instance with CloudWatch Amazon Elasticsearch Service Event drive analytics analytics' Amazon RedshiftData warehouse queries AWS Lambda Centralized Logging Proxy Proxy Server Administrator Log Management API Calls
  • 33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Summing it all up
  • 34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Secure Design is Interchangeable
  • 35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How do I achieve Studio Security? Reach out to studio stakeholders/content owners to inform them of your design and plan Get buy-in from the stakeholder Request the template via AWS Artifacts and get the implementation audited quickly Innovate
  • 36. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Questions…
  • 37. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Thank you!