AWS Summit 2013 Tel Aviv Oct 16 – Tel Aviv, Israel

Carlos Conde

Sr. Mgr. Solutions Architecture

AWS CLOUD SECURITY

SECURITY IS UNIVERSAL

EVERY CUSTOMER HAS ACCESS

TO THE SAME SECURITY

CAPABILITIES CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS

AWS GOV CLOUD

ITAR COMPLIANT

SECURITY IS VISIBLE

CAN YOU MAP YOUR NETWORK?

WHAT IS IN YOUR ENVIRONMENT

RIGHT NOW?

AWS API + CLOUDFORMER ENVIRONMENT ARCHITECTURE DEFINITION

AND CHANGE DETECTION

SECURITY IS TRANSPARENT

SOC 1 SOC 2 SOC 3 PCI DSS L1 ISO 27001

ITAR FIPS FedRAMP HIPAA

SECURITY IS FAMILIAR

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

LEAST PRIVILEGE PRINCIPLE CONFINE ROLES ONLY TO THE MATERIAL

REQUIRED TO DO A SPECIFIC WORK

USE AWS IAM IDENTITY & ACCESS MANAGEMENT

CONTROL WHO CAN DO WHAT IN

YOUR AWS ACCOUNT

IAM USERS & ROLES

ACCESS TO

SERVICE APIs

NO PASSWORDS

USE SEPARATE SETS OF

CREDENTIALS

ROTATE YOUR AWS SECURITY

CREDENTIALS

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

YOUR DATA IS YOUR

MOST IMPORTANT ASSET IF YOUR DATA IS NOT SECURE, YOU’RE NOT SECURE

…

MFA DELETE PROTECTION

ENCRYPT YOUR DATA

AMAZON S3 SSE DATA AT REST

AWS CLOUDHSM

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

NEED TO KNOW

+

CCTV, GUARDS, MAN TRAPS,

FENCES, ETC…

…

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

CHANGES IN PRODUCTION

HAVE TO BE AUTHORIZED

DEV & TEST ENVIRONMENT

AWS ACCOUNT A

PRODUCTION ENVIRONMENT

AWS ACCOUNT B

DEPLOYMENT PROCESS

HAS TO BE CONSTRAINED

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

CONTINUOUS DELIVERY MODEL

CONTINUOUS DEPLOYMENT

SESSION 13:30 START-UP TRACK

REDUNDANCY & INTEGRITY

CHECKS

USE MULTIPLE AZs AMAZON S3

AMAZON DYNAMODB

AMAZON RDS MULTI-AZ

AMAZON EBS SNAPSHOTS

SOC CONTROL OBJECTIVES

1. SECURITY ORGANIZATION

2. AMAZON USER ACCESS

3. LOGICAL SECURITY

4. SECURE DATA HANDLING

5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

6. CHANGE MANAGEMENT

7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

8. INCIDENT HANDLING

“GAME DAYS” INSERT ARTIFICIAL SECURITY INCIDENTS.

MEASURE SPEED OF DETECTION AND EXECUTION.

GAME DAYS !! INSERT ARTIFICIAL SECURITY INCIDENTS.

MEASURE SPEED OF DETECTION AND EXECUTION.

SECURITY IS AUDITABLE

VULNERABILITY / PENETRATION

TESTING

VULNERABILITY / PENETRATION

TESTING

LOGS

OBTAINED, RETAINED, ANALYZED

OBTAIN, RETAIN, ANALYSE

YOUR LOGS

PROTECT YOUR LOGS WITH IAM

ARCHIVE YOUR LOGS

TRUSTED ADVISOR

SECURITY IS SHARED

NETWORK SECURITY:

DDOS

NETWORK SECURITY:

SSL

NETWORK SECURITY:

SPOOFING

NETWORK SECURITY:

PORT SCANNING

AMAZON EC2 SECURITY:

HOST OS SSH KEYED LOGINS VIA BASTION HOST

ALL ACCESSES LOGGED AND AUDITED

AMAZON EC2 SECURITY:

GUEST OS CUSTOMER CONTROLLED AT ROOT LEVEL

AWS ADMINS CANNOT LOG IN

CUSTOMER-GENERATED KEYPAIRS

“If you need to SSH into your

instance, your deployment process

is broken.”

AMAZON EC2 SECURITY:

STATEFUL & STATELESS FIREWALL MANDATORY INBOUND

DEFAULT DENY MODE

SECURITY IS

UNIVERSAL

VISIBLE

TRANSPARENT

FAMILIAR

AUDITABLE

SHARED

AWS.AMAZON.COM / SECURITY

AWS SECURITY WHITEPAPERS

RISK & COMPLIANCE

AUDITING SECURITY CHECKLIST

SECURITY PROCESSES

SECURITY BEST PRACTICES

AWS MARKETPLACE

SECURITY SOLUTIONS