This document summarizes a presentation on reinventing the security landscape in AWS. The presentation covers how cloud computing is gaining traction for allowing companies to focus more on innovation by reducing time spent on infrastructure. It discusses how security responsibilities are shared between AWS and customers. It also provides examples of security best practices and services in AWS like encryption, identity and access management, logging, and monitoring that can help customers strengthen their security posture while moving fast.
3. Reasons Cloud Computing is Gaining Traction in FinServ
• Lower the time spent on infrastructure
• Dedicate more resources to innovation
• Concentrate on new business initiatives
5. AWS Foundation Services
Security is a shared responsibility.
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
6. Accreditation & Compliance, Old and New
Old world
• Functionally optional (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Must maintain talent and keep pace
• Check typically once a year
• Workload-specific compliance checks
New world
• Functionally necessary: high watermark of requirements
• Audits done by third-party experts
• Accountable to everyone
• Superior security drives broad compliance
• Continuous monitoring
• Compliance approach based on all workload scenarios
10. Strengthen your security posture
• Get native functionality and tools at no additional charge
• Over 30 global compliance certifications and accreditations
• Leverage security enhancements gleaned from 1M+ customer experiences
• Benefit from AWS industry-leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
11. Access a deep set of cloud security tools
• Encryption: Key Management Service, CloudHSM, Server-side Encryption
• Networking: Virtual Private Cloud, Web Application Firewall
• Compliance: Config, CloudTrail, Service Catalog
• Identity: IAM, Active Directory Integration, SAML Federation
12. Evolving the Practice of Security Architecture
Current Security Architecture Practice
• Security architecture as a separate function can no longer exist
• Static position papers, architecture diagrams & documents
• UI-dependent consoles and "pane of glass" technologies
• Auditing, assurance, and compliance are decoupled, separate processes
13. Evolving the Practice of Security Architecture
Evolved Security Architecture Practice
• Security architecture can now be part of the 'maker' team
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop
17. AWS IAM enables you to securely control access to AWS services and resources
• Control who can do what and when from where
• Fine-grained control of user permissions, resources and actions
• Add multi-factor authentication: hardware token or smartphone apps
• Test out new policies using the IAM policy simulator
Fine-grained control of your AWS environment
18. Segregate duties between roles with IAM
Choose who can do what in your AWS environment and from where.
• AWS account owner (master)
• Network management
• Security management
• Server management
• Storage management
Manage and operate
Diagram: VPC A (10.0.0.0/16) in a Region, with Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 in two Availability Zones, a Router, an Internet Gateway and a Customer Gateway linking to the Internet.
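The "who, what, when, from where" controls of slide 17 and the duty segregation of slide 18 are expressed in IAM as policy JSON with condition keys. The block below is an added example, not code from the presentation: it writes a policy for a network-management role (MFA required, office CIDR only, active after a start date, IAM actions explicitly denied) and runs sample requests through a deliberately simplified local evaluator. The evaluator approximates IAM's decision order (explicit Deny wins, otherwise an Allow is needed, otherwise implicit Deny) for only the operators used here; it is not the IAM policy simulator, which remains the tool to test real policies. The CIDR, date, account ID and resource ARN are placeholders.

```python
"""Express "who can do what, when and from where" as IAM policy JSON and check
requests against it locally.

Added example (not from the presentation). The policy document uses the real
IAM grammar; the evaluator is a simplified approximation of IAM's decision
logic (explicit Deny wins, otherwise an Allow is required, otherwise implicit
Deny) that only knows the operators used here. It is not the IAM policy
simulator, which remains the right tool for testing real policies.
"""
import fnmatch
import ipaddress
from datetime import datetime

# Constructed policy for a network-management role: may change security groups
# and network ACLs, but only with MFA, from the office range and after a start
# date, and may never touch IAM (segregation of duties). CIDR and date are
# placeholders.
NETWORK_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NetworkChangesWithMfaFromOffice",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroup*",
                "ec2:RevokeSecurityGroup*",
                "ec2:*NetworkAcl*",
                "ec2:Describe*",
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
            },
        },
        {"Sid": "NoIamForNetworkAdmins", "Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action/resource wildcards: '*' and '?' as in fnmatch
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _parse_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold; a missing context key fails the test."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if operator == "Bool":
                ok = str(have).lower() == str(wanted).lower()
            elif operator == "IpAddress":
                ok = any(ipaddress.ip_address(have) in ipaddress.ip_network(c)
                         for c in _as_list(wanted))
            elif operator == "DateGreaterThan":
                ok = _parse_time(have) > _parse_time(wanted)
            elif operator == "DateLessThan":
                ok = _parse_time(have) < _parse_time(wanted)
            else:
                raise ValueError(f"operator {operator} not supported by this toy evaluator")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request against the attached policies."""
    decision = "Deny"  # implicit deny until an Allow statement applies
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if not _condition_holds(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an applicable explicit Deny always wins
            decision = "Allow"
    return decision


def demo():
    """Run a few requests through the policy; the request contexts are constructed."""
    sg = "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0a1b2c3d"
    office_mfa = {"aws:MultiFactorAuthPresent": "true",
                  "aws:SourceIp": "203.0.113.7",
                  "aws:CurrentTime": "2024-06-01T09:00:00Z"}
    no_mfa = dict(office_mfa, **{"aws:MultiFactorAuthPresent": "false"})
    elsewhere = dict(office_mfa, **{"aws:SourceIp": "198.51.100.9"})
    policies = [NETWORK_ADMIN_POLICY]
    return {
        "sg_change_office_mfa": evaluate(policies, "ec2:AuthorizeSecurityGroupIngress", sg, office_mfa),
        "sg_change_no_mfa": evaluate(policies, "ec2:AuthorizeSecurityGroupIngress", sg, no_mfa),
        "sg_change_elsewhere": evaluate(policies, "ec2:AuthorizeSecurityGroupIngress", sg, elsewhere),
        "create_iam_user": evaluate(policies, "iam:CreateUser", "*", office_mfa),
        "run_instances": evaluate(policies, "ec2:RunInstances", "*", office_mfa),
    }


if __name__ == "__main__":
    for request, result in demo().items():
        print(f"{request}: {result}")
```

The same security-group change is allowed with MFA from the office and denied without MFA or from elsewhere; `iam:CreateUser` hits the explicit Deny regardless of context, and `ec2:RunInstances` falls through to the implicit Deny because no statement grants it, which is how the server-management role stays separate from network management.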
20. AWS CloudTrail logs serve many powerful use cases
CloudTrail achieves many tasks:
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance: understand AWS API call history
• Troubleshoot operational issues: quickly identify the most recent changes to your environment
21. Consolidated Logging: Log flow
• AWS CloudTrail writes raw logs to Amazon S3
• Permissions applied to the raw logs
• Parse in Amazon EMR and upload to Amazon Redshift
• Analyze with standard BI tools on Amazon EC2 instances
• Archive to Amazon Glacier
• Encrypted end to end!
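Slide 20's use case of tracking changes to security groups and NACLs, and slide 21's parsing step, come down to reading the API-call history CloudTrail delivers to S3. The block below is an added example, not code from the presentation: it parses a constructed log in the `{"Records": [...]}` shape CloudTrail writes for EC2 calls (account ID, addresses and resource IDs are fictitious), flags ingress rules that open an admin port to the world and any write to a network ACL, and records who made the change, when and from where, the three facts an investigator wants first.

```python
"""Turn CloudTrail's API-call history into a change detector for VPC security
groups and network ACLs.

Added example, not from the presentation. The records below are constructed to
follow the JSON shape CloudTrail delivers to S3 ({"Records": [...]}) for EC2
calls; the account ID, addresses and resource IDs are fictitious.
"""
import json

ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample log: SSH opened to the world (should alert), HTTPS opened
# to the world (normal for a web tier) and a new allow-all NACL entry.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-06-01T09:12:31Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "net-admin"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-06-01T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "net-admin"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-06-01T10:03:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops/alice"},
     "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"networkAclId": "acl-0f9e8d7c", "ruleNumber": 100,
                           "egress": False, "ruleAction": "allow",
                           "cidrBlock": "0.0.0.0/0", "protocol": "-1"}},
]})


def _actor(record):
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def _world_open_admin_ports(permission):
    """Admin ports this ipPermission exposes to 0.0.0.0/0 or ::/0 (empty if none)."""
    cidrs = {r.get("cidrIp") for r in permission.get("ipRanges", {}).get("items", [])}
    cidrs |= {r.get("cidrIpv6") for r in permission.get("ipv6Ranges", {}).get("items", [])}
    if not cidrs & WORLD:
        return []
    if permission.get("ipProtocol") == "-1":   # all traffic, all ports
        return sorted(ADMIN_PORTS)
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    if lo is None or hi is None:
        return []
    return sorted(p for p in ADMIN_PORTS if lo <= p <= hi)


def find_risky_changes(log_text):
    """Return findings for the network changes in one CloudTrail log file."""
    findings = []
    for record in json.loads(log_text).get("Records", []):
        if record.get("eventSource") != "ec2.amazonaws.com":
            continue
        name = record.get("eventName", "")
        params = record.get("requestParameters") or {}
        who = f"{_actor(record)} from {record.get('sourceIPAddress')} at {record.get('eventTime')}"
        if name == "AuthorizeSecurityGroupIngress":
            for permission in params.get("ipPermissions", {}).get("items", []):
                ports = _world_open_admin_ports(permission)
                if ports:
                    findings.append({"severity": "high", "event": name,
                                     "resource": params.get("groupId"),
                                     "detail": f"ports {ports} opened to the world",
                                     "who": who})
        elif "NetworkAcl" in name and not name.startswith("Describe"):
            # Create/Replace/DeleteNetworkAclEntry and friends; reads are skipped
            findings.append({"severity": "medium", "event": name,
                             "resource": params.get("networkAclId"),
                             "detail": f"rule {params.get('ruleNumber')} {params.get('ruleAction')} {params.get('cidrBlock')}",
                             "who": who})
    return findings


if __name__ == "__main__":
    for f in find_risky_changes(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['event']} on {f['resource']}: {f['detail']} ({f['who']})")
```

Run against real trails, the same function can sit in the EMR parsing step of the log flow above or behind an S3 event notification; the point is that the facts needed for the "who changed what, when, from where" question are already in the record and need no joins.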
26. You can also connect privately using AWS Direct Connect
Diagram: Your premises (Customer Gateway) connect over AWS Direct Connect to a Virtual Private Gateway attached to the VPC Router; Availability Zone A contains EC2 web instances, a NAT instance and an EC2 jump host.
36. What you do in any IT environment
• Firewall rules
• Network ACLs
• Network time pointers
• Internal and external subnets
• NAT rules
• Golden OS images
• Encryption algorithms for data in transit and at rest
Security Translation to AWS (AWS JSON translation):
• Golden OS
• Network ACLs, subnets, firewall rules
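The "JSON translation" of slide 36 in practice means writing the subnets, firewall rules and NACLs you already have as a CloudFormation template. The block below is an added example, not code from the presentation: the tuple input format is an invented convenience, the output uses real CloudFormation resource types and property names, and a guard in the translation step refuses to emit a firewall rule that opens an admin port to the world, so the artifact is also the control. The VPC and subnet CIDRs are taken from the presentation's VPC A diagram; availability zone names and the office CIDR 203.0.113.0/24 are placeholders.

```python
"""Translate the network controls you already have (firewall rules, NACLs,
subnets) into AWS JSON: a CloudFormation template.

Added example, not from the presentation. The input rule tuples are an invented
convenience; the output uses real CloudFormation resource types and property
names. VPC and subnet CIDRs follow the presentation's VPC A; availability zone
names and the office CIDR are placeholders.
"""
import json

ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "all": -1}


def security_group(logical_id, description, rules):
    """rules: (proto, from_port, to_port, cidr). Raises if an admin port is world-open."""
    ingress = []
    for proto, lo, hi, cidr in rules:
        if cidr in WORLD and any(lo <= p <= hi for p in ADMIN_PORTS):
            raise ValueError(f"{logical_id}: ports {lo}-{hi} from {cidr} expose an admin port to the world")
        ingress.append({"IpProtocol": "-1" if proto == "all" else proto,
                        "FromPort": lo, "ToPort": hi, "CidrIp": cidr})
    return {logical_id: {"Type": "AWS::EC2::SecurityGroup",
                         "Properties": {"GroupDescription": description,
                                        "VpcId": {"Ref": "VPC"},
                                        "SecurityGroupIngress": ingress}}}


def network_acl(logical_id, entries):
    """entries: (rule_number, action, egress, proto, from_port, to_port, cidr)."""
    resources = {logical_id: {"Type": "AWS::EC2::NetworkAcl",
                              "Properties": {"VpcId": {"Ref": "VPC"}}}}
    for number, action, egress, proto, lo, hi, cidr in entries:
        props = {"NetworkAclId": {"Ref": logical_id}, "RuleNumber": number,
                 "RuleAction": action, "Egress": egress,
                 "Protocol": PROTOCOL_NUMBERS[proto], "CidrBlock": cidr}
        if proto in ("tcp", "udp"):   # PortRange only applies to TCP/UDP entries
            props["PortRange"] = {"From": lo, "To": hi}
        entry_id = f"{logical_id}Entry{number}{'Out' if egress else 'In'}"
        resources[entry_id] = {"Type": "AWS::EC2::NetworkAclEntry", "Properties": props}
    return resources


def build_template(vpc_cidr, subnets, sg_rules, nacl_entries):
    """subnets: (logical_id, cidr, availability_zone)."""
    resources = {"VPC": {"Type": "AWS::EC2::VPC",
                         "Properties": {"CidrBlock": vpc_cidr,
                                        "EnableDnsSupport": True,
                                        "EnableDnsHostnames": True}}}
    for logical_id, cidr, az in subnets:
        resources[logical_id] = {"Type": "AWS::EC2::Subnet",
                                 "Properties": {"VpcId": {"Ref": "VPC"},
                                                "CidrBlock": cidr,
                                                "AvailabilityZone": az}}
    resources.update(security_group(
        "WebSecurityGroup", "Web tier: HTTPS from anywhere, SSH only from the office", sg_rules))
    resources.update(network_acl("PublicAcl", nacl_entries))
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


def demo_template():
    """VPC A from the presentation, one subnet per AZ (AZ names are placeholders)."""
    return build_template(
        "10.0.0.0/16",
        [("SubnetA", "10.0.1.0/24", "us-east-1a"), ("SubnetB", "10.0.2.0/24", "us-east-1b")],
        [("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "203.0.113.0/24")],
        [(100, "allow", False, "tcp", 443, 443, "0.0.0.0/0"),
         (110, "allow", False, "tcp", 1024, 65535, "0.0.0.0/0"),  # return traffic
         (100, "allow", True, "all", 0, 0, "0.0.0.0/0")],
    )


def rejects_world_open_ssh():
    """The guard must refuse SSH from 0.0.0.0/0 rather than translate it."""
    try:
        security_group("Bad", "ssh open to the world", [("tcp", 22, 22, "0.0.0.0/0")])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo_template(), indent=2))
```

Because the template is generated from the rule list, the rule list (and the guard that validates it) can be committed to the same repository as the rest of the solution, which is the closed loop slide 13 describes: the architecture artifact is also the audit evidence.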