www.cloudsec.com | #CLOUDSEC
Security & Compliance in the AWS Cloud
Vijay Rangarajan, Senior Cloud Architect, ASEAN, Amazon Web Services (@awscloud)
[Slide: the AWS platform at a glance]
ENTERPRISE APPS: Virtual Desktops, Sharing & Collaboration, Corporate Email, Backup
DEVELOPMENT & OPERATIONS: One-click App Deployment, DevOps Resource Management, Application Lifecycle Management, Containers, Triggers, Resource Templates
MOBILE SERVICES: Identity, Sync, Single Integrated Console, Push Notifications, Mobile Analytics
APP SERVICES: Queuing & Notifications, Workflow, Search, Transcoding, API Gateway
ANALYTICS: Data Warehousing, Hadoop/Spark, Streaming Data Collection, Streaming Data Analysis, Machine Learning, Elastic Search, Business Intelligence
IoT: Rules Engine, Device Shadows, Device SDKs, Registry, Device Gateway
TECHNICAL & BUSINESS SUPPORT: Account Management, Support, Professional Services, Training & Certification, Security & Pricing Reports, Partner Ecosystem, Solutions Architects
MARKETPLACE: Business Apps, Business Intelligence, Databases, DevOps Tools, Networking, Security, Storage
INFRASTRUCTURE: Regions, Availability Zones, Points of Presence
CORE SERVICES: Compute (VMs, Auto-scaling, & Load Balancing); Storage (Object, Blocks, Archival, Import/Export); Databases (Relational, NoSQL, Caching, Migration); Networking (VPC, DX, DNS, CDN)
SECURITY & COMPLIANCE: Access Control, Identity Management, Key Management & Storage, Monitoring & Logs, Assessment and reporting, Resource & Usage Auditing, Configuration Compliance, Web application firewall
HYBRID ARCHITECTURE: Data Backups, Integrated App Deployments, Direct Connect, Identity Federation, Integrated Resource Management, Integrated Networking
AWS Pace of Innovation
[Chart: significant new services and features released per year. 2009: 48; 2011: 82; 2013: 280; 2015: 722]
AWS has been continually expanding its services to support virtually any cloud workload and now offers more than 70 services spanning compute, storage, networking, database, analytics, application services, deployment, management and mobile.
GxP, ISO 13485, AS9100, ISO/TS 16949
[Slide: the Shared Responsibility Model]
AWS is responsible for the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the Cloud, and decide how to implement them:
Customer applications & content
Platform, Applications, Identity & Access Management
Operating System, Network, & Firewall Configuration
Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
AWS CLOUDTRAIL
You are making API calls on a growing set of services around the world. AWS CloudTrail is continuously recording those API calls and delivering log files to you.
AWS Config
Continuous change recording of changing resources (e.g. Redshift, AWS CloudFormation, AWS Elastic Beanstalk), giving you a history, a change stream, and point-in-time snapshots (ex. 2014-11-05).
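To make "continuous change recording" concrete, the following is an added example (not from the slides and not AWS code) that diffs two AWS Config-style configuration items for one security group and flags ingress rules that expose sensitive ports to the whole internet. The two snapshots are constructed inline and reduced to the fields the check reads; the security-group id and capture times are placeholders.

```python
"""Diff two AWS Config configuration items for a security group and flag
ingress rules that open sensitive ports to the world.

Added example; the snapshots below are constructed and simplified to the
fields this check reads (a real configuration item carries many more).
"""
import json
from typing import List, Set, Tuple

# (ipProtocol, fromPort, toPort, cidr)
Rule = Tuple[str, int, int, str]

# Ports that should never be reachable from 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 27017}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed "before" snapshot: HTTPS open to the world, SSH limited to a private range.
SNAPSHOT_BEFORE = json.dumps({
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",  # hypothetical id
    "configurationItemCaptureTime": "2014-11-05T10:00:00Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "10.0.0.0/8"}]},
    ]},
})

# Constructed "after" snapshot: someone widened SSH to the world and added RDP.
SNAPSHOT_AFTER = json.dumps({
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2014-11-05T11:30:00Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389,
         "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
    ]},
})


def ingress_rules(item_json: str) -> Set[Rule]:
    """Flatten a configuration item's ipPermissions into one tuple per CIDR."""
    item = json.loads(item_json)
    rules: Set[Rule] = set()
    for perm in item["configuration"].get("ipPermissions", []):
        proto = str(perm.get("ipProtocol", "-1"))
        # "-1" means all protocols; fromPort/toPort are then absent, so treat as all ports.
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        cidrs = [r["cidrIp"] for r in perm.get("ipRanges", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
        for cidr in cidrs:
            rules.add((proto, lo, hi, cidr))
    return rules


def diff_rules(before_json: str, after_json: str) -> Tuple[Set[Rule], Set[Rule]]:
    """Return (added, removed) rules between two snapshots of the same group."""
    before, after = ingress_rules(before_json), ingress_rules(after_json)
    return after - before, before - after


def world_open_sensitive(rules: Set[Rule]) -> List[Rule]:
    """Rules that expose a sensitive port (or every port) to the whole internet."""
    hits = []
    for proto, lo, hi, cidr in rules:
        if cidr not in WORLD_CIDRS:
            continue
        if proto == "-1" or any(lo <= p <= hi for p in SENSITIVE_PORTS):
            hits.append((proto, lo, hi, cidr))
    return sorted(hits)


if __name__ == "__main__":
    added, removed = diff_rules(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for rule in world_open_sensitive(added):
        print("ALERT new world-open rule:", rule)
    for rule in removed:
        print("removed:", rule)
```

Running the diff against the change stream, rather than only against the latest snapshot, is what catches the transient case where a rule is opened and closed again between two scheduled scans.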
Control access and segregate duties everywhere. With AWS Identity and Access Management (IAM) you control who can do what in your AWS environment, and from where.
Fine-grained control of your AWS cloud, with two-factor (MFA) authentication
Integrate with your existing corporate directory using SAML 2.0 and single sign-on
[Diagram: one AWS account owner delegating to separate groups for Network management, Security management, Server management and Storage management]
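The CloudTrail and IAM slides together come down to four questions per API call: who made it, what did it change, from where, and with MFA or not. As an added example (not from the slides and not AWS code), here is a scanner over a CloudTrail log file that answers those questions and flags root usage, console logins and mutating calls without MFA, calls from outside an allowed network list, and calls that tamper with the trail itself. The log is constructed; the account id, ARNs and IP addresses are placeholders.

```python
"""Scan a CloudTrail log file for who / what / from where / with MFA.
Added example, not from the slides or AWS. SAMPLE_LOG is constructed;
account id, ARNs and IPs are placeholders.
"""
import ipaddress
import json
from typing import Dict, Iterable, List

# Calls that weaken or stop the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head")
# Identity types that can (and should) present MFA; roles assumed by AWS services cannot.
MFA_CAPABLE = {"IAMUser", "Root"}

SAMPLE_LOG = json.dumps({"Records": [
    {   # read-only call by an IAM user from the corporate range, MFA session
        "eventTime": "2016-03-01T08:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    },
    {   # root console login without MFA from an unknown address
        "eventTime": "2016-03-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # IAM user deleting a trail with long-lived access keys (no session, no MFA)
        "eventTime": "2016-03-01T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "DeleteTrail", "sourceIPAddress": "203.0.113.22",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
    },
    {   # an AWS service acting through a role: sourceIPAddress is a service DNS name
        "eventTime": "2016-03-01T08:15:00Z", "eventSource": "config.amazonaws.com",
        "eventName": "PutEvaluations", "sourceIPAddress": "config.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ConfigRole/config"},
    },
]})


def principal(rec: Dict) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def mfa_used(rec: Dict) -> bool:
    """Console logins record MFA in additionalEventData; API calls in sessionContext."""
    if rec.get("eventName") == "ConsoleLogin":
        return rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = rec.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def from_allowed_network(source: str, allowed: List) -> bool:
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        # Not an IP, e.g. "config.amazonaws.com": an AWS service calling on your behalf.
        return True
    return any(ip in net for net in allowed)


def analyze(log_text: str, allowed_cidrs: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding dict per (record, problem) pair."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings: List[Dict[str, str]] = []
    for rec in json.loads(log_text)["Records"]:
        name = rec.get("eventName", "")
        ident_type = rec.get("userIdentity", {}).get("type", "")
        kinds = []
        if ident_type == "Root":
            kinds.append("root-account-used")
        if name == "ConsoleLogin":
            if not mfa_used(rec):
                kinds.append("console-login-without-mfa")
        elif (ident_type in MFA_CAPABLE and not name.startswith(READ_ONLY_PREFIXES)
              and not mfa_used(rec)):
            kinds.append("mutating-call-without-mfa")
        if name in TRAIL_TAMPERING:
            kinds.append("cloudtrail-tampering")
        if not from_allowed_network(rec.get("sourceIPAddress", ""), allowed):
            kinds.append("source-outside-allowed-networks")
        findings.extend({"eventName": name, "principal": principal(rec), "finding": k}
                        for k in kinds)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, ["203.0.113.0/24"]):
        print(f"{f['finding']:32} {f['principal']:40} {f['eventName']}")
```

The same checks map directly onto IAM policy conditions (aws:MultiFactorAuthPresent, aws:SourceIp): the log scan tells you where a preventive condition is missing, and the policy condition stops the next occurrence.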
[Map: AWS regions] US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), AWS GovCloud (US), SOUTH AMERICA (Sao Paulo), EU-WEST (Ireland), EU-CENTRAL (Frankfurt), ASIA PAC (Tokyo), ASIA PAC (Korea), ASIA PAC (Singapore), ASIA PAC (Sydney), ASIA PAC (Mumbai), CHINA (Beijing)
13 Regions, 35 Availability Zones, 59 Edge Locations
…you put it
AWS Virtual Private Cloud
Create your own private, isolated section of the AWS cloud: provision a logically isolated section of the AWS cloud, choose a private IP range for your VPC, and segment it into subnets (spread across Availability Zone A and Availability Zone B) to deploy your compute instances.
AWS network security: the AWS network prevents spoofing and other common layer 2 attacks. You cannot sniff anything but your own EC2 host's network interface. You control all external routing and connectivity, and can connect resiliently and in private.
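The VPC slide says to choose a private IP range and segment it into subnets; the hybrid slides that follow are why that range must not collide with anything you will reach over VPN or Direct Connect. As an added example (not from the slides and not AWS code), here is an address-plan check that validates a proposed VPC CIDR against those constraints and carves it into one subnet per Availability Zone and tier. The AWS limits it encodes (VPC CIDR between /16 and /28, five reserved addresses per subnet) are documented AWS behaviour; the CIDRs, AZ names and tier names in the demo are placeholders.

```python
"""Plan a VPC's private address space: validate the CIDR, then carve per-AZ subnets.
Added example, not from the slides or AWS; demo CIDRs and AZ names are placeholders.
"""
import ipaddress
from typing import Dict, List, Sequence

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# AWS accepts VPC CIDRs from /16 to /28 and reserves five addresses in every
# subnet (network, VPC router, DNS, future use, broadcast).
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def vpc_cidr_problems(cidr: str, on_prem_cidrs: Sequence[str]) -> List[str]:
    """Return the reasons a proposed VPC CIDR is unusable (empty list if it is fine)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4:
        return ["only IPv4 VPC CIDRs are handled in this example"]
    problems = []
    if not any(net.subnet_of(p) for p in RFC1918):
        problems.append("not an RFC 1918 private range")
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        problems.append(f"prefix /{net.prefixlen} outside the /16-/28 VPC limits")
    for other in on_prem_cidrs:
        # Overlap with a network you will route to over VPN/Direct Connect is unfixable later.
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"overlaps on-premises range {other}")
    return problems


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses actually assignable to instances in a subnet."""
    return subnet.num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, azs: Sequence[str], tiers: Sequence[str],
                 subnet_prefix: int, on_prem_cidrs: Sequence[str]) -> Dict[str, ipaddress.IPv4Network]:
    """Allocate one /subnet_prefix per (tier, AZ), AZ-major so each AZ gets a contiguous block."""
    problems = vpc_cidr_problems(vpc_cidr, on_prem_cidrs)
    if problems:
        raise ValueError("; ".join(problems))
    vpc = ipaddress.ip_network(vpc_cidr)
    pool = vpc.subnets(new_prefix=subnet_prefix)
    plan: Dict[str, ipaddress.IPv4Network] = {}
    for az in azs:
        for tier in tiers:
            try:
                plan[f"{tier}-{az}"] = next(pool)
            except StopIteration:
                raise ValueError(f"{vpc_cidr} has no room for {len(azs) * len(tiers)} "
                                 f"/{subnet_prefix} subnets") from None
    return plan


if __name__ == "__main__":
    demo = plan_subnets("10.20.0.0/16", ["ap-southeast-1a", "ap-southeast-1b"],
                        ["public", "private"], 24, ["10.0.0.0/14", "192.168.0.0/16"])
    for name, subnet in demo.items():
        print(f"{name:28} {subnet}  ({usable_hosts(subnet)} usable hosts)")
```

Keep the AZ-major order fixed and under version control: subnet addresses then stay stable across re-runs, which matters because route tables, security-group CIDR references and on-premises firewall rules will all hard-code them.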
[Diagram: YOUR PREMISES connected to YOUR AWS ENVIRONMENT (Digital Websites, Big Data Analytics, Dev and Test, Enterprise Apps) over AWS Direct Connect and Internet VPN]
AWS Key Management Service
Encryption key management and compliance made easy
PCI DSS Level 1 compliant; undergoing FIPS 140-2 validation
Integrated with AWS services (e.g. S3, EBS, RDS, Redshift, CloudTrail, EMR)
Highly available and durable
CloudHSM
Dedicated access: only you have access to your keys and to operations on the keys
AWS administrator manages the appliance; you control the keys and the crypto operations
Fine-grained visibility and control for accounts, resources, data
Geographic data locality: control over regional replication
Fine-grained access control: policies, resource-level permissions, temporary credentials
In-depth logging: AWS CloudTrail and Config
Visibility into resources and usage: service Describe* APIs and AWS CloudWatch
Control over deployment: AWS CloudFormation
Governance
ISO 9001
SOC 3
SOC 2
ISO 27001
ISO 27017
ISO 27018
PCI DSS Level 1
SOC 1 / ISAE 3402
GxP
HIPAA
ITAR
FERPA
FISMA, RMF, and DIACAP
FedRAMP
Section 508 / VPAT
DoD SRG Levels 2 & 4
FIPS 140-2
CJIS
Cloud Security Alliance
MPAA
NIST
MLPS Level 3
G-Cloud
IT-Grundschutz
MTCS Tier 3
IRAP
Cyber Essentials Plus
More accreditations & certifications than anyone
Data Sovereignty & Privacy
You retain control and ownership of your content
Choose your AWS region and adhere to data sovereignty laws
Compliant with ISO 27001, ISO 27017, ISO 27018
Encrypt your data using AWS services or using your own tooling
Vibrant Partner Ecosystem (SaaS)
Infrastructure Security
Logging and Monitoring
Identity and Access Control
Configuration and Vulnerability Analysis
Data Protection