AWS Deck Templateaws-de-media.s3.amazonaws.com/images/AWS Summit... · St. James’s Place Runs 85...
Berlin
Security & AWS
Stephen Schmidt
Vice President and CISO
Security is Job Zero
Familiar Security Model
Validated and driven by customers’ security experts
Benefits all customers
PEOPLE & PROCESS
SYSTEM
NETWORK
PHYSICAL
The Enterprise AWS Security Journey
Phase 1: How do I move to AWS?
(Chart axes: Time, Experience)
AWS and you share responsibility for security
You
Customer applications & content
Network Security
Inventory & Configuration
Data Encryption
Access Control
You get to define your controls IN the Cloud
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS takes care of the security OF the Cloud
Start with the 5 why’s of security
1) Why is security such a hot topic?
Because it’s important, and it’s hard
2) Why is enterprise security traditionally so hard?
Because so much planning is needed
3) Why so much planning which takes so long?
Because it requires so many processes
4) Why so many processes?
Because mistakes are easy to make and hard to put right
5) Why are mistakes so hard to put right?
Lack of visibility
Low degree of automation
So where does AWS come in?
AWS makes security more agile
Lets you move fast while staying safe
The Enterprise AWS Security Journey
Phase 2: How do I use AWS to improve?
(Chart axes: Time, Experience)
From this: Design, Deploy, Operate, Improve
To this: Improve, Design, Deploy, Operate
Design & Deploy
Define sensible defaults
Inherit compliance controls
Use available security features
Manage templates - not instances
Operate & Improve
Constantly reduce the role of people
Reduce Privileged accounts
Concentrate on what matters
Example: Hardened Instances
Question to answer
• How many of my instances came from the correct “approved” server image?
• How many “approved” instances?
Traditional IT
• Manual IT process to prevent
• Even more manual process to audit
AWS
• CloudTrail identifies instance launches with unapproved AMIs
• Continuously auditable
• Push notification rather than regular pull
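Added example (not part of the original deck): the CloudTrail check named on this slide, written in Python and run over constructed `RunInstances` records. The allowlist `APPROVED_AMIS`, the function name `audit_launches` and every ID in the sample are assumptions made for illustration.

```python
import json

# Assumption: allowlist of approved (hardened) image IDs; constructed value.
APPROVED_AMIS = {"ami-0a11aaaa"}

# Constructed CloudTrail records, trimmed to the fields this check reads.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-06-30T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-central-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0001", "imageId": "ami-0a11aaaa"},
         {"instanceId": "i-0002", "imageId": "ami-0a11aaaa"}]}}},
    {"eventTime": "2015-06-30T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-central-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "responseElements": {"instancesSet": {"items": [
         {"instanceId": "i-0003", "imageId": "ami-0b22bbbb"}]}}},
    # Denied launch: errorCode is set and no instance was started.
    {"eventTime": "2015-06-30T09:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-central-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "errorCode": "Client.UnauthorizedOperation", "responseElements": None},
    {"eventTime": "2015-06-30T09:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "eu-central-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "responseElements": None},
]})

def audit_launches(trail_json, approved):
    """Return (approved_count, findings) for successful RunInstances events."""
    approved_count, findings = 0, []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "RunInstances" or rec.get("errorCode"):
            continue  # other API calls, or failed launches, start nothing
        resp = rec.get("responseElements") or {}
        for item in (resp.get("instancesSet") or {}).get("items", []):
            if item.get("imageId") in approved:
                approved_count += 1
            else:
                findings.append({"instanceId": item.get("instanceId"),
                                 "imageId": item.get("imageId"),
                                 "principal": (rec.get("userIdentity") or {}).get("arn"),
                                 "region": rec.get("awsRegion"),
                                 "eventTime": rec.get("eventTime")})
    return approved_count, findings

if __name__ == "__main__":
    ok, bad = audit_launches(SAMPLE_TRAIL, APPROVED_AMIS)
    print(f"{ok} instance(s) from approved images, {len(bad)} from unapproved: {bad}")
```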
Example: Entitlements Reporting
Question to answer
• What accesses do your people have?
Traditional IT
• Inventory your assets and privileges
• Reconcile with user accounts
• All manual
AWS
• IAM Auditing native API calls
• GetAccountAuthorizationDetails
• ListUserPolicies
• ListGroupPolicies
• ListRolePolicies
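Added example (not part of the original deck): a Python entitlements report built from data shaped like a `GetAccountAuthorizationDetails` response, resolving each user's group memberships into the policies they inherit. The sample users, groups and the inline policy names are constructed, and the helper names `entitlements` and `holders` are assumptions.

```python
ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed data in the shape of a GetAccountAuthorizationDetails response
# (trimmed: policy documents, roles and the Policies list are omitted).
SAMPLE_DETAILS = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["admins"],
         "UserPolicyList": [], "AttachedManagedPolicies": []},
        {"UserName": "bob", "GroupList": ["developers"],
         "UserPolicyList": [{"PolicyName": "s3-debug"}],
         "AttachedManagedPolicies": [
             {"PolicyName": "ReadOnlyAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]},
        {"UserName": "carol", "GroupList": [],
         "UserPolicyList": [], "AttachedManagedPolicies": []},
    ],
    "GroupDetailList": [
        {"GroupName": "admins", "GroupPolicyList": [],
         "AttachedManagedPolicies": [
             {"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_ARN}]},
        {"GroupName": "developers",
         "GroupPolicyList": [{"PolicyName": "deploy"}],
         "AttachedManagedPolicies": []},
    ],
}

def _policies(entity, inline_key):
    """Yield (kind, policy) for one user or group entry."""
    for p in entity.get(inline_key, []):
        yield ("inline", p["PolicyName"])
    for p in entity.get("AttachedManagedPolicies", []):
        yield ("managed", p["PolicyArn"])

def entitlements(details):
    """Map each user to sorted (source, kind, policy) rows, groups resolved."""
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    report = {}
    for user in details.get("UserDetailList", []):
        rows = [("direct", k, p) for k, p in _policies(user, "UserPolicyList")]
        for name in user.get("GroupList", []):
            group = groups.get(name, {})  # tolerate a group missing from the dump
            rows += [("group:" + name, k, p)
                     for k, p in _policies(group, "GroupPolicyList")]
        report[user["UserName"]] = sorted(rows)
    return report

def holders(report, policy):
    """Users who hold `policy` directly or through a group."""
    return sorted(u for u, rows in report.items()
                  if any(p == policy for _, _, p in rows))

if __name__ == "__main__":
    print(holders(entitlements(SAMPLE_DETAILS), ADMIN_ARN))
```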
The Enterprise AWS Security Journey
Phase 3: How do I design security for tomorrow?
(Chart axes: Time, Experience)
The Five Why’s at Work at AWS
AWS Security Team
Operations
Application Security
Engineering
Compliance
Aligned for speed
Security Ownership as part of DNA
• Promotes culture of “everyone is an owner” for security
• Makes security stakeholder in business success
• Enables easier and smoother communication
Distributed Embedded
Operating Principles
Separation of duties
Different personnel across service lines
Least privilege
Technology to automate operational principles
Visibility through log analytics
Shrinking the protection boundaries
Ubiquitous encryption
Log analysis at AWS
• Internal project at AWS to analyze internal log traffic
• Collecting 90TB of logs per day - ~70k EPS average
• Correlate with permissions
• Compress 10:1 and store in S3
• Less than a minute response time for 3 billion sequential accesses
• Costing a fraction of off the shelf software
Log analysis data flow
Inputs and services: Raw logs, Permissions, AWS CloudTrail, Amazon S3, Amazon EMR, Amazon Redshift, Amazon Glacier, EC2 Instances
Steps: Write to S3; Parse in EMR and upload to Redshift; Analyze with standard BI tools; Archive to Glacier
Encrypted end-to-end!
What are we looking for?
• Unused permissions
• Overuse of privileged accounts
• Usage of keys
• Anomalous logins
• Policy violations
• System abuse
• ….
• Collect data once, many use cases
Infrastructure Security at AWS
AWS Data Center
• Bastion hosts for maintenance
• Two Factor Authentication
• Ubiquitous Encryption
• Separation to Enhance Containment
• Testing & Metrics
Ubiquitous encryption
AWS CloudTrail
IAM
EBS
RDS
Redshift
S3
Glacier
Encrypted in transit and at rest
Fully auditable
Fully managed keys
Restricted access
Ubiquitous encryption is one of our core design tenets
Good Crypto Everywhere, All The Time
TLS is everywhere in our APIs
TLS is complex
Small, Fast, Simple
Small: ~6,000 lines of code, all audited
~80% less memory consumed
Fast: 12% faster
Simple: avoid rarely used options/extensions
Open Source
Available on AWSLabs today
https://github.com/awslabs/s2n
AWS is committed to OpenSSL
Supporting OpenSSL development through the Linux Foundation’s Core Infrastructure Initiative
Benefits of Enterprise Security on AWS
Higher degree of visibility, transparency and accountability
Higher degree of trust and autonomy
Better ability to respond to business’ requirements for change
Agility in security leading to speed to market
St. James’s Place Runs 85 Percent of Its Applications on AWS
St. James’s Place is a U.K. wealth-management company managing over £52 billion of client funds.
“We were able to double our capacity during the peak tax season, and then contract it back down when it was no longer required.”
Andy Montgomery, Head of Division for IT Operations and Solution Design, St James’s Place
• Needed flexible IT resources that could scale as customer base grows 50% every year.
• Needed high level of data security and compliance with Financial Conduct Authority (FCA) regulations
• Migrated 85 percent of its applications to AWS and expects a full migration by 2016.
For more information: https://blogs.aws.amazon.com/security/
Thank you!