AWS Government, Education, and Nonprofits Symposium | London | 21 Oct 2014
AWS Security & Compliance
Dob Todorov
Regional Head – Public Sector Solutions Architecture
Principal Security & Compliance Solutions Architect
EMEA
Security Is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
PEOPLE & PROCEDURES
NETWORK SECURITY
PHYSICAL SECURITY
PLATFORM SECURITY
SECURITY IS SHARED
WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
WHAT WE DO FOR YOU
WHAT YOU DO YOURSELF
EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES
CHOOSE WHAT’S RIGHT FOR YOUR ENTERPRISE
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”
Tom Soderstrom – CTO, NASA JPL
IDC Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization
Source: IDC 2013 U.S. Cloud Security Survey, Doc #242836, September 2013
AWS SECURITY OFFERS MORE
VISIBILITY
AUDITABILITY
CONTROL
MORE VISIBILITY
CAN YOU MAP YOUR NETWORK?
WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
TRUSTED ADVISOR
MORE AUDITABILITY
AWS CLOUDTRAIL
You are making API calls...
On a growing set of services around the world…
CloudTrail is continuously recording API calls…
And delivering log files to you
Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational Issues: Quickly identify the most recent changes made to resources in your environment.
Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards.
LOGS
OBTAINED, RETAINED, ANALYZED
MORE CONTROL
Defense in Depth
Multi-level security
• Physical security of the data centers
• Network security
• System security
• Data security
AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs
AWS CloudHSM
Defense in depth
Rapid scale for security
Automated checks with AWS Trusted Advisor
Fine grained access controls
Server side encryption
Multi-factor authentication
Dedicated instances
Direct connection, Storage Gateway
HSM-based key storage
AWS IAM
Amazon VPC
AWS Direct Connect
AWS Storage Gateway
LEAST PRIVILEGE PRINCIPLE AT AWS
LEAST PRIVILEGE PRINCIPLE
CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK
LEAST PRIVILEGE PRINCIPLE
SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA
LEAST PRIVILEGE PRINCIPLE
MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATA CENTER LOCATIONS
LEAST PRIVILEGE PRINCIPLE
MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATA CENTERS
SIMPLE SECURITY CONTROLS ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE
AWS IAM
IDENTITY & ACCESS MANAGEMENT
CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT
MFA DELETE PROTECTION
YOUR DATA STAYS WHERE YOU PUT IT
USE MULTIPLE AZs
AMAZON S3
AMAZON DYNAMODB
AMAZON RDS MULTI-AZ
AMAZON EBS SNAPSHOTS
DATA ENCRYPTION
CHOOSE WHAT’S RIGHT FOR YOU:
Automated – AWS manages encryption
Enabled – user manages encryption using AWS
Client-side – user manages encryption using their own means
AWS CloudHSM
Managed and monitored by AWS, but you control the keys
Increase performance for applications that use HSMs for key storage or encryption
Comply with stringent regulatory and contractual requirements for key protection
EC2 Instance
AWS CloudHSM
ENCRYPT YOUR DATA
AWS CLOUDHSM
AMAZON S3 SSE
AMAZON GLACIER
AMAZON REDSHIFT
AMAZON RDS
AMAZON EBS
MORE AUDITABILITY
MORE VISIBILITY
MORE CONTROL
RISK & COMPLIANCE
AUDITING SECURITY CHECKLIST
SECURITY PROCESSES
SECURITY BEST PRACTICES
AWS Security Whitepapers
AWS.AMAZON.COM/SECURITY