MEXICOCITY WWPS Summit Assets · 2020-03-23 · Managing Security At AWS
MEXICO CITY
© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Managing Security At AWS
Arturo Cabañas
MGMT104
Public Sector Security Assurance Lead, AWS Public Sector Latin America
Proven security model
The most demanding customer requirements are audited and verified by experts, across:
PEOPLE & PROCESSES
SYSTEMS
NETWORK
PHYSICAL
All customers benefit
Security at AWS is job zero
“Based on our experience, I believe we can be even safer in the AWS Cloud than in our own data centers.”
Tom Soderstrom
CTO, NASA JPL
Security and Protection of Personal Data in AWS
Storing information raises a set of common practical questions that must be addressed:
• Is the content secure?
• Where will the content be stored?
• Who will have access to the content?
But above all: how do we comply with Mexican laws and regulations?
• General Law on the Protection of Personal Data Held by Regulated Entities (LGPDPPSO)
• General Law on Transparency and Access to Public Information (LGTAIP)
Agenda
• SHARED RESPONSIBILITY: the AWS shared responsibility approach to managing security in the cloud
• GLOBAL INFRASTRUCTURE: multiple Regions and Availability Zones in which customers can store their information
• SECURITY SERVICES: a range of security services for controlling access to content
• LEGAL FRAMEWORK IN MEXICO: National Digital Strategy, LGPDPPSO, LGTAIP
The Shared Responsibility Approach
Security is a shared responsibility
Security OF the cloud (AWS):
• Premises
• Physical security
• Compute infrastructure
• Storage infrastructure
• Networking infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
Security IN the cloud (customer):
• Network configuration
• Security groups
• Operating system firewall
• Operating systems
• Application security
• Proper service configuration
• Authorization policies
AWS controls + customer controls = more secure and compliant systems than any entity could achieve on its own.
The Shared Responsibility Approach
Customers rely on AWS compliance with global standards:
• Certifications & attestations
• Laws, regulations & privacy
• Guidelines & frameworks
ISO 27001 • An information security management standard that sets out recommended practices for security management and controls
ISO 27017 • Provides guidance on information security in cloud computing and recommends the implementation of cloud-specific information security controls
ISO 27018 • A code of practice designed to protect personal data in the cloud
Global Certifications & Attestations
The AWS Artifact tool helps bring transparency
What is it?
A free, global portal that provides on-demand access to AWS compliance reports and certifications, with the latest security and compliance updates
How does it work?
Customers can review the AWS controls, align their own controls with them, and use the reports to verify that AWS controls are operating effectively
• Information about AWS policies, processes and controls
• Documentation of the controls relevant to specific AWS services
• Validation that AWS controls are operating effectively
AWS Security Solutions
Identity:
AWS Identity and Access Management (IAM)
AWS Organizations
AWS Directory Service
AWS Single Sign-On
Amazon Cognito
AWS Secrets Manager
Detective control:
AWS Config
Amazon GuardDuty
Amazon CloudWatch
AWS CloudTrail
VPC Flow Logs
Infrastructure security:
AWS Shield
AWS Firewall Manager
AWS WAF (Web Application Firewall)
Amazon Virtual Private Cloud (VPC)
AWS Systems Manager
Amazon Inspector
Data protection:
AWS KMS (Key Management Service)
AWS CloudHSM
Amazon Macie
AWS Certificate Manager
Server-Side Encryption
Incident response:
AWS Config Rules
AWS Lambda
Identity and Access Management
Define, enforce and audit user permissions over AWS services, actions and resources.
AWS Identity and Access Management (IAM): Securely manage access to AWS services and resources
AWS Organizations: Policy-based management of multiple AWS accounts
Amazon Cognito: Add user sign-up, sign-in and access control to your web and mobile applications
AWS Directory Service: Microsoft Active Directory managed in the AWS Cloud
AWS Single Sign-On: Centrally manage single sign-on (SSO) to multiple AWS accounts and business applications
Detective Control
Get the visibility you need to detect issues before they affect the business, improve your security posture and reduce the risk profile of your environment.
AWS CloudTrail: Enable governance, compliance, and operational and risk auditing of your AWS account
AWS Config: Record and evaluate the configuration of your AWS resources. Enables compliance auditing, security analysis, change tracking and troubleshooting
Amazon CloudWatch: Monitor AWS Cloud resources and the applications you run on AWS: collect metrics, monitor log files, set alarms and react automatically to changes
Amazon GuardDuty: Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads
VPC Flow Logs: Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log records are delivered to Amazon CloudWatch Logs (or Amazon S3)
Infrastructure Security
Reduce the surface you have to manage and increase the privacy and control of your overall infrastructure in AWS.
AWS Systems Manager: Easily configure and manage Amazon EC2 and on-premises systems: apply operating system patches, create secure system images and configure hardened operating systems
AWS Shield: Managed Distributed Denial of Service (DDoS) protection that safeguards applications running on AWS
AWS Web Application Firewall (WAF): Protect your web applications from common web exploits that could affect availability or compromise security
Amazon Inspector: Automated security assessment service that helps improve the security and compliance of applications deployed on AWS
Amazon Virtual Private Cloud (VPC): Provision a logically isolated section of the AWS Cloud where you launch AWS resources in a virtual network that you define
Data Protection
Beyond the encryption built into AWS services, additional data protection capabilities are available (data management, data security and encryption key storage).
AWS Key Management Service (KMS): Easily create and control the keys used to encrypt your data
AWS CloudHSM: Managed hardware security module (HSM) in the AWS Cloud
Amazon Macie: A machine learning-powered security service that discovers, classifies and protects sensitive data
AWS Certificate Manager: Easily provision, manage and deploy SSL/TLS certificates for use with AWS services
Server-Side Encryption: Flexible options for encrypting data with keys managed by the AWS service, with customer-managed keys in AWS KMS, or with keys supplied by the customer
Incident Response
During an incident, containing the event and restoring a known good state are key elements of a response plan. AWS provides the following tools to automate aspects of this practice.
AWS Config Rules: Create rules that trigger automated action in response to changes in your environment, such as isolating resources, enriching events with additional data, or returning a configuration to a known good state
AWS Lambda: Use our serverless compute service to run code without provisioning or managing servers, so that you can scale your incident response in a planned and automated way
How do I use ML to protect my cloud environment? Amazon GuardDuty
Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized activity to help protect your AWS accounts and workloads, using ML.
GuardDuty: centralized alerts
Amazon GuardDuty: quick response to a security event
Diagram: GuardDuty finding, delivered through a CloudWatch Events rule, triggers a Lambda function
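The Config Rules automation on the incident response slide and the GuardDuty quick-response path above share one Lambda pattern: parse the delivered event, decide whether it merits action, then call the API that contains the resource or restores its known good state. The following is an added example written for this page, not code from the AWS deck: a single handler that quarantines the EC2 instance named in a high-severity GuardDuty finding and re-applies the public access block on an S3 bucket that a Config rule has just reported non-compliant. The security group ID, severity threshold, rule name, instance and bucket IDs, and the FakeEc2/FakeS3 classes are assumptions for the example. The event field names follow the CloudWatch Events payloads for "GuardDuty Finding" and "Config Rules Compliance Change", and the fake clients expose the same method names and keyword arguments as boto3, so in a real deployment they are replaced by boto3.client("ec2") and boto3.client("s3").

```python
"""Automated response to security events (added example, not AWS deck code)."""
from dataclasses import dataclass, field

# Assumption: a security group with no rules, used to cut an instance off the
# network while keeping it alive for forensics.
QUARANTINE_SG = "sg-0f1e2d3c4b5a69788"
# Assumption: GuardDuty severity 7.0 and above is "High"; only those are acted on.
SEVERITY_THRESHOLD = 7.0
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}


@dataclass
class FakeEc2:
    """Offline stand-in for boto3.client('ec2'); records the calls it receives."""
    calls: list = field(default_factory=list)

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, list(Groups)))
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


@dataclass
class FakeS3:
    """Offline stand-in for boto3.client('s3'); records the calls it receives."""
    calls: list = field(default_factory=list)

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.calls.append(("put_public_access_block", Bucket,
                           dict(PublicAccessBlockConfiguration)))
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def respond_to_guardduty(detail, ec2):
    """Containment: move the instance named in a high-severity finding into the
    quarantine security group. The instance keeps running, so memory and disk
    can still be collected afterwards."""
    severity = float(detail.get("severity", 0))
    resource = detail.get("resource", {})
    if severity < SEVERITY_THRESHOLD:
        return {"action": "ignored", "reason": f"severity {severity} below threshold"}
    if resource.get("resourceType") != "Instance":
        return {"action": "ignored", "reason": "finding is not about an EC2 instance"}
    instance_id = resource["instanceDetails"]["instanceId"]
    # Groups= replaces the instance's whole security-group list, which is the point.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    return {"action": "quarantined", "instance_id": instance_id,
            "finding": detail.get("type")}


def respond_to_config(detail, s3):
    """Restore a known-good state: re-apply the public access block on an S3
    bucket that a Config rule has just evaluated as NON_COMPLIANT."""
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return {"action": "ignored", "reason": "resource is compliant"}
    if detail.get("resourceType") != "AWS::S3::Bucket":
        return {"action": "ignored", "reason": "no remediation for this resource type"}
    bucket = detail["resourceId"]
    s3.put_public_access_block(Bucket=bucket,
                               PublicAccessBlockConfiguration=PUBLIC_ACCESS_BLOCK)
    return {"action": "remediated", "bucket": bucket,
            "rule": detail.get("configRuleName")}


def handler(event, context=None, clients=None):
    """Lambda entry point: dispatch on the 'source' field that CloudWatch Events
    sets on every event it delivers."""
    if clients is None:  # production: {"ec2": boto3.client("ec2"), "s3": boto3.client("s3")}
        clients = {"ec2": FakeEc2(), "s3": FakeS3()}
    source = event.get("source")
    if source == "aws.guardduty":
        return respond_to_guardduty(event.get("detail", {}), clients["ec2"])
    if source == "aws.config":
        return respond_to_config(event.get("detail", {}), clients["s3"])
    return {"action": "ignored", "reason": f"unhandled source {source!r}"}


# Constructed sample events; shapes follow the CloudWatch Events payloads for
# "GuardDuty Finding" and "Config Rules Compliance Change".
GUARDDUTY_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}
CONFIG_EVENT = {
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "detail": {
        "configRuleName": "s3-bucket-public-read-prohibited",
        "resourceType": "AWS::S3::Bucket", "resourceId": "example-personal-data-bucket",
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    },
}

if __name__ == "__main__":
    print(handler(GUARDDUTY_EVENT))
    print(handler(CONFIG_EVENT))
```

Quarantining by replacing the instance's security groups keeps the instance alive so that disk and memory can still be captured; terminating it would destroy the evidence the investigation needs. In a real deployment the Lambda execution role should be limited to ec2:ModifyInstanceAttribute and s3:PutBucketPublicAccessBlock on the relevant resources, and every automated action should also raise a ticket or notification so a person reviews it.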
How do I use ML to protect my cloud environment? Amazon Macie
Amazon Macie discovers and classifies sensitive data such as:
• Personally Identifiable Information (PII)
• Intellectual property
• Source code
• Private keys
• API keys
• SSL certificates, etc.
Diagram: an Amazon Macie alert is delivered through an Amazon CloudWatch Events rule to an AWS Lambda function for automated response
AWS Security Solutions: encryption at every layer
Physical layer: secure facilities and optical encryption using AES-256
Data link layer: MACsec AES-256 (IEEE 802.1AE)
Network layer: VPC encryption | Cross-Region peering | AWS VPN
Transport layer: Amazon s2n | NLB-TLS | ALB | CloudFront | ACM integration
Application layer: AWS Encryption SDK | Server-side encryption with KMS integration
More than 7,000 products in the AWS Marketplace
Is the content secure?
• AWS holds more than 58 certifications and attestations (over 2,600 controls, audited every year)
• AWS offers a broad selection of security tools and features that customers can use
• Customers may also use their own security tools and controls, including a wide variety of third-party security solutions
• Customers are also free to design and run security assessments according to their own preferences
Where will the content be stored?
AWS data centers are built in clusters in several geographic areas worldwide; each cluster of data centers in a country or area is a "Region".
AWS currently has 69 Availability Zones in 22 geographic Regions worldwide, and has announced plans for 16 more Availability Zones and 5 more Regions, in Indonesia, Italy, Japan, South Africa and Spain.
Anatomy of an AWS Region
Diagram: map of current Regions and Regions coming soon; zoom into an example U.S. Region with Availability Zones A, B and C; zoom into an example Availability Zone made up of Data Center 1, Data Center 2 and Data Center 3.
Availability Zones
• Fully isolated infrastructure with one or more data centers
• Meaningful distance separation
• Independent power infrastructure
• Many hundreds of thousands of servers at scale
• Data centers connected through fully redundant and isolated metro fiber
Region: redundant transit centers, highly interconnected (intra-AZ connections, inter-AZ connections, transit center connections)
Understanding durability
• Two copies at one site: designed for 99.99% durability
• Copies at two sites: designed for 99.999% durability
• Amazon S3 (Standard, Standard-IA, Glacier) replicated across an AWS Region: designed for 99.999999999% durability
Where will the content be stored?
• Only the AWS customer chooses the AWS Region or Regions where their content and servers will be located.
• Customers always retain control of the Regions used to store and process their content.
• AWS stores and processes each customer's content only in the Region(s) and with the services the customer chooses, and does not move it outside the chosen Region(s) without the customer's consent, except where legally required.
Who will have access to the content?
• You control who may perform actions in your AWS environment, when, and from where
• Enforce granular access control in the AWS Cloud with multi-factor authentication (tokens)
• Integrate your Active Directory through federation and single sign-on
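As an added example for the multi-factor authentication point above (not from the deck), the IAM policy below denies every action to a user whose session was not authenticated with MFA, while still allowing the handful of IAM calls a user needs to enrol a device. The Sid is assumed; the actions and condition key are documented IAM identifiers.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptMfaSelfServiceWhenNoMfa",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
```

The operator matters: a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all, so a condition written with Bool would not match it and the Deny would never apply to exactly the credentials most worth constraining. BoolIfExists treats the missing key as "false" and denies the request. Temporary credentials obtained through sts:GetSessionToken with an MFA code carry the key set to "true" and pass.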
Who will have access to the content?
AWS Management Console/APIs
AWS Infrastructure
AWS Applications
Your applications
Developers
Admins
Security Employees
Clients
Partners
Identity and Access Management
Who will have access to the content? – In short
Customers using AWS services retain effective control over their content within the AWS environment, and can:
• Determine where their content will be located
• Control the format, structure and security of their content
• Manage other access controls, such as identity credentials, access management, permissions and security
General Law on Transparency and Access to Public Information (LGTAIP)
It is important to note that you alone are responsible for classifying your information, as set out in Article 100 of the LGTAIP:
“Article 100. Classification is the process by which the regulated entity determines that the information in its possession falls under one of the grounds for reserve or confidentiality. The heads of the areas of the regulated entities shall be responsible for classifying the information.”
By default, data is classified as public:
“Article 11. All information held by the regulated entities shall be public, complete, timely and accessible, subject to very specific exceptions.”
General Law on the Protection of Personal Data Held by Regulated Entities (LGPDPPSO)
“Article 63. The controller may contract or adhere to cloud computing services, applications and infrastructure, and other matters that involve the processing of personal data.”
General Law on the Protection of Personal Data Held by Regulated Entities (LGPDPPSO)
II. The provider must have mechanisms, at least, to:
a) Inform of changes to its privacy policies or to the conditions of the service provided;
b) Allow the controller to limit the type of processing of the personal data;
c) Establish and maintain adequate security measures;
d) Guarantee the deletion of the personal data; and
e) Prevent persons without access authorization from accessing the personal data.
General Law on Protection of Personal Data in Possession of Regulated Entities and Individuals(LGPDPPSO)
Mechanisms AWS
Inform changes in their privacy policies or conditions in the service rendered
https://aws.amazon.com/es/privacy/
Allow the responsible entity o individual limit the type of data processing
Global Infrastructure, Shared Responsibility, Encryption, etc.
Maintain security measures
SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018Guarantee the suppression of the personal data
Prevent individuals who do not have access privileges to access the personal data
IAM, Server-Side Encryption (SSE) with the keys managed by Amazon S3 (SSE-S3), SSE with the keys managed from AWS KMW (SSE-KMS) or SSE with encryption keys provided by the client (SSE-C)
General Law on Protection of Personal Data in Possession of Regulated Entities and Individuals(LGPDPPSO)
Learn security with AWS Training and Certification
Resources created by AWS experts to help you build and validate cloud security skills
Visit the learning path at https://aws.training/Security
Take a classroom course such as Security Engineering on AWS, with AWS expert instructors and hands-on activities
30+ free digital courses cover cloud security topics, including Introduction to Amazon GuardDuty and Deep Dive on Container Security
Validate your expertise with the AWS Certified Security – Specialty exam
Thank you!