AWS Webcast - Understanding the AWS Security Model
Transcript of AWS Webcast - Understanding the AWS Security Model
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Max Ramsay, Head of Americas Security Solution Architecture, AWS
March 19th, 2015
Understanding the AWS Shared Security Model
Security is Job Zero
Familiar Security Model
Validated and driven by customers’ security experts
Benefits all customers
PEOPLE & PROCESS
SYSTEM
NETWORK
PHYSICAL
Vodafone built a mobile payment app
“Amazon Web Services was the clear choice in terms of security.”
Stefano Harak, Online Senior Product Manager
PCI DSS compliance was essential
Launched in 3 months
Reduced CapEx by 30%
Deployed to 7 channels, including Facebook
Payments
Agenda
• AWS Culture
• Shared Security Model
• Compliance
• Tools & Features
• Where to get help
Security & compliance requirements from every industry
Expert Audits: Transparency & Accuracy
Security, compliance, governance, and audit related launches and updates
AWS constantly innovating – driven by your needs
Native tools improve compliance efficiency
Discover and provision cloud services
Audit and troubleshoot configuration changes in the cloud
Get consistent visibility of cloud logs
(diagram) AWS: Foundation Services (Compute, Storage, Database, Networking); Global Infrastructure (Regions, Availability Zones, Edge Locations). You: Identity, Data, Infrastructure; Customer applications & content.
AWS and you share responsibility for security
You get to define your controls IN the Cloud
AWS takes care of the security OF the Cloud
What this means
• You benefit from an environment built for the most security sensitive organizations
• AWS manages 1,800+ security controls so you don’t have to
• You get to define the right security controls for your workload sensitivity
• You always have full ownership and control of your data
Key AWS Certifications and Assurance Programs
IT Grundschutz Certification Workbook
• Assessed by TÜV TRUST IT
• AWS controls meet BSI IT Grundschutz requirements
• Customers can integrate AWS infrastructure into their own ISMS and be compliant
• Report and workbook available at aws.amazon.com/compliance
Accreditation & Compliance: on-prem vs on AWS
On AWS
• Start on base of accredited services
• Functionally necessary – high watermark of requirements
• Audits done by third-party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance
On-prem
• Start with bare concrete
• Functionally optional (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation
AWS Security Tools & Features
Identity Data Infrastructure
Customer applications & content
Oversight & Monitoring
• AWS and its partners offer over 700 security services, tools and features
• Mirror the familiar controls you deploy within your on-prem environments
Infrastructure: Enforce consistent security on hosts
(diagram) EC2: AMI catalogue → Running instance → Your instance. Host controls: Hardening, Audit and logging, Vulnerability management, Malware and HIPS, Whitelisting and integrity, User administration; Operating system.
• You fully control EC2 instances
• Configure and harden to your own specs!
• Use host-based protection software
• Manage administrative users
• Enforce separation of duties & least privilege
• Build out the rest of your standard security environment
• Connect to your existing services, e.g. SIEM, monitoring, patching
Create flexible, resilient, segmented environments
(diagram) Your organization segmented by environment: Project Teams, Marketing, Business Units, Reporting; Digital / Websites; Dev and Test; Analytics (Redshift, EMR); Internal Enterprise Apps; Storage/Backup (Amazon S3, Amazon Glacier).
Data: Encrypt your sensitive information
Encrypt your Elastic Block Store volumes any way you like
• AWS native EBS encryption for free with a mouse-click
• Encrypt yourself using free utilities, plus Trend Micro, SafeNet and other partners for high-assurance key management solutions
Amazon S3 offers either server- or client-side encryption
• Manage your own keys or let AWS do it for you
Redshift has one-click disk encryption as standard
• Encrypt your data analytics
• You can supply your own keys
Amazon RDS supports encryption
• Encrypt your MySQL or PostgreSQL databases using keys you manage through AWS Key Management Service (KMS)
• Supports Transparent Data Encryption in SQL Server and Oracle
Identity: Control access and segregate duties everywhere
You get to control who can do what in your AWS environment, when and from where
Fine-grained control of your AWS cloud with multi-factor authentication
Integrate with your existing corporate directory using SAML 2.0 and single sign-on
(diagram) AWS account owner with separate roles for network management, security management, server management and storage management
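The slide's "who can do what, when and from where" maps onto IAM policy conditions. The following is an added example, not AWS code or part of the original deck: a deliberately simplified evaluator for an IAM-style statement that allows two EC2 actions only with MFA present, only from an assumed corporate address range (203.0.113.0/24, constructed) and only inside a change window. It models the real condition keys and operators (aws:MultiFactorAuthPresent, aws:SourceIp, aws:CurrentTime) but ignores wildcards and the Resource element.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed policy in the shape of an IAM statement (not a real AWS document):
# an operator may start or stop EC2 instances only with MFA, only from the
# assumed corporate range, and only during the 08:00-18:00 UTC change window.
OPERATOR_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances"],
    "Condition": {
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "DateGreaterThan": {"aws:CurrentTime": "2015-03-19T08:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2015-03-19T18:00:00Z"},
    },
}]}

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _condition_holds(condition, ctx):
    """Every operator/key pair must hold; a key absent from the request fails."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "Bool" and str(have).lower() != want.lower():
                return False
            if op == "IpAddress" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
            if op == "DateGreaterThan" and not _ts(have) > _ts(want):
                return False
            if op == "DateLessThan" and not _ts(have) < _ts(want):
                return False
    return True

def is_allowed(policy, action, ctx):
    """Default deny; a matching explicit Deny beats any Allow (simplified IAM)."""
    allowed = False
    for stmt in policy["Statement"]:
        if action not in stmt["Action"]:
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```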
Monitoring: Get consistent visibility of logs
Full visibility of your AWS environment
• CloudTrail records your API calls and saves the logs in your S3 buckets, no matter how those API calls were made
Who did what and when and from where (IP address)
• Support for many AWS services and growing - includes EC2, EBS, VPC, RDS, IAM and Redshift
• Easily aggregate all log information
Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
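To show what "who did what, when and from where" looks like once the CloudTrail logs are in S3, here is an added example that is not part of the original deck or of any AWS tool: it reads a constructed CloudTrail-format log body, reduces each record to those four fields, and flags the records a reviewer would look at first (root credential use, console logins without MFA, calls from outside an assumed corporate range, AccessDenied errors). The corporate range 203.0.113.0/24 and all records are constructed.

```python
import ipaddress
import json

# Constructed CloudTrail-style records (not real log data); field names follow
# the CloudTrail record format (eventTime, eventName, userIdentity, sourceIPAddress).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-03-19T09:12:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.17",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2015-03-19T09:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2015-03-19T09:20:31Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.40",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-03-19T09:22:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "AWS Internal",
     "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})

CORPORATE_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed office range (constructed)

def who_what_when_where(record):
    """Reduce one record to the four questions the slide asks."""
    ident = record["userIdentity"]
    who = ident.get("userName") or ident.get("arn") or ident["type"]
    return who, record["eventName"], record["eventTime"], record["sourceIPAddress"]

def review_trail(trail_json, corporate_net=CORPORATE_NET):
    """Return (rows, findings): a who/what/when/where row per record plus the
    records a reviewer should look at first."""
    rows, findings = [], []
    for rec in json.loads(trail_json)["Records"]:
        who, what, when, where = who_what_when_where(rec)
        rows.append((who, what, when, where))
        if rec["userIdentity"]["type"] == "Root":
            findings.append(f"{when} root credentials used for {what} from {where}")
        if what == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(f"{when} console login by {who} without MFA")
        try:  # sourceIPAddress can be a service name such as "AWS Internal", not an IP
            outside = ipaddress.ip_address(where) not in corporate_net
        except ValueError:
            outside = False
        if outside:
            findings.append(f"{when} {who} called {what} from outside the corporate range ({where})")
        if rec.get("errorCode") == "AccessDenied":
            findings.append(f"{when} {who} was denied {what}; check intent and policy")
    return rows, findings
```

The same function runs unchanged over a real CloudTrail log file body fetched from the S3 bucket, since only the documented record fields are used.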
AWS Marketplace: One-stop shop for security tools
• Advanced Threat Analytics
• Application Security
• Identity and Access Mgmt
• Encryption & Key Mgmt
• Server & Endpoint Protection
• Network Security
• Vulnerability & Pen Testing
Getting help – Trusted Advisor
Performs a series of security configuration checks of your AWS environment:
• Open ports
• Unrestricted access
• IAM use
• CloudTrail Logging
• S3 Bucket Permissions
• Multi-factor auth
• Password Policy
• DB Access Risk
• DNS Records
• Load Balancer config
Getting Help: Support
Account Team
• Your Account Manager is your advocate
• Solutions Architects have a wealth of expertise
Four tiers of support
• Free – Basic, forum-based & health check support
• Developer – Email support & best practice guidance
• Business – Phone/chat/email support, 1 hour response time
• Enterprise – 15 min response time, dedicated Technical Account Manager
Getting Help: Professional Services
AWS Professional Services
• Enterprise Security Architecture
• Policy & Controls Mapping
• SOC Design
AWS Partner Network
• Over 600 certified AWS Consulting Partners worldwide
Summary
• Security is job zero for AWS
• AWS takes care of the security OF the Cloud
• You define your controls IN the Cloud
• Compliance is more cost effective in AWS
• You can take advantage of over 700 services, tools and features from AWS and partners
• AWS and partner resources on hand to help
Thank you!