© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Breaking the Iron Quadrangle with Cloud Computing
Mark Fox, DoD Programs
December 4, 2013
The “Iron Triangle”: Pick Two!
[Figure: triangle with the vertices Better, Cheaper, Faster]
Add “More Secure” – ???
The “Iron Quadrangle”: Still Pick Two?!?
[Figure: quadrangle with the vertices Better, Cheaper, Faster, More Secure]
Cloud Can Break Not Only the Iron Triangle…
• Evidence mounting that cloud can be better, cheaper, faster…
… But the Iron Quadrangle Too!
For the details, see Re:Invent 2013 presentations by cyber security engineer Matt Derenski of NASA JPL
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
-Tom Soderstrom, CTO, NASA JPL
IDC Cloud Security Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey, Doc #242836, September 2013
Forrester Study
“… We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”
Security’s Cloud Revolution is Upon Us
Forrester Research, Inc., August 2, 2013
Security is a Cloud Provider’s No. 1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
People & Procedures
Network Security
Physical Security
Platform Security
TOO GOOD TO BE TRUE?
Reasons For Systemic Superiority and Growth of Cloud
Six reasons, plus one to grow on:
1. Integration of compliance and security
2. Benefit of massive scale for both
3. Customers refocus on systems and applications
4. Visibility, homogeneity, and automation
5. Cloud platforms as “systems containers”: a new kind of defense in depth
6. Cloud, big data, and security: use cloud to secure cloud
7. With cloud speed of innovation and increasing scale, the story will only get better – quickly!
1. Integration of Compliance and Security
• The CSP business model and its scale are incompatible with one-on-one security assessments by each customer
• But of course “trust me” is not a viable answer to that challenge
• Solution: rigorous compliance regimes and constant surveillance by expert third-party auditors fill the gap
Expert Audits: the Validation Scalpel
• Expert auditors give a 360° view of the cloud
• Constantly engaged; the overall process never stops
• Continuous monitoring like you’ve never seen before
[Figure: many SMEs auditing the cloud; SME = subject matter expert]
2. Benefits of Scale Apply to Security and Compliance
The customer community benefits from tough scrutiny, the world-class AWS security team, market-leading capabilities, and constant improvements
[Figure: Everyone’s Systems and Applications sit on one shared Security Infrastructure, shaped by the Requirements of many customers]
Nothing better for the entire community than a tough set of customers…
Infrastructure Security: World-class Teams
• Where would some of the world’s best security experts like to work?
• They want to work on huge challenges with huge rewards!
• So cloud providers have world-class teams watching your back!
3. Customers Refocus on Systems and Apps
• Security experts are a scarce resource!
• Refocus security pros on a subset of the problem
Provider (AWS)
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
+
Customers
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Proper service configuration
• AuthN & account management
• Authorization policies
=
More secure and compliant systems than any one entity could achieve on its own
4. Visibility, Homogeneity, Automation
• Numbers 1 and 2 of the SANS Institute’s 20 Critical Security Controls: Inventory! What do you have???
• In the cloud, your entire infrastructure is an API call or a click of a mouse away…
– Can you, with assurance, map the devices in your network?
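The inventory question above, worked as an added example (this is not code from the original deck): reconcile what the EC2 API reports against what the organization believes it is running, and surface the drift a traditional network scan would miss. The describe_instances-shaped response, the expected instance list and the required-tag policy are all constructed for illustration; against a real account the constant would be replaced by the paginated output of boto3's describe_instances call.

```python
"""Inventory reconciliation: what is actually running vs. what we think is running."""
from typing import Dict, List, Set

# Constructed sample shaped like boto3's ec2.describe_instances() response
# (trimmed to the fields used below). Not real account data.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
             "ImageId": "ami-web001", "PrivateIpAddress": "10.0.1.10",
             "Tags": [{"Key": "Name", "Value": "web-1"},
                      {"Key": "Owner", "Value": "app-team"}]},
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
             "ImageId": "ami-web001", "PrivateIpAddress": "10.0.1.11",
             "PublicIpAddress": "203.0.113.25",
             "Tags": [{"Key": "Name", "Value": "web-2"}]},
        ]},
        {"Instances": [
            # Nobody in the CMDB knows about this one.
            {"InstanceId": "i-0ccc333", "State": {"Name": "running"},
             "ImageId": "ami-unknown9", "PrivateIpAddress": "10.0.9.99"},
            # Terminated instances are not part of the live inventory.
            {"InstanceId": "i-0ddd444", "State": {"Name": "terminated"},
             "ImageId": "ami-web001"},
        ]},
    ]
}

# Constructed "what we think we have" list (a CMDB export, say) and tag policy.
EXPECTED_INSTANCES: Set[str] = {"i-0aaa111", "i-0bbb222", "i-0eee555"}
REQUIRED_TAGS: Set[str] = {"Name", "Owner"}


def flatten_instances(response: Dict) -> List[Dict]:
    """Turn the nested Reservations/Instances shape into a flat list of live hosts."""
    hosts = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            hosts.append({
                "id": inst["InstanceId"],
                "ami": inst.get("ImageId"),
                "private_ip": inst.get("PrivateIpAddress"),
                "public_ip": inst.get("PublicIpAddress"),  # key is absent when there is none
                "tags": {t["Key"]: t["Value"] for t in inst.get("Tags", [])},
            })
    return hosts


def reconcile(response: Dict, expected: Set[str], required_tags: Set[str]) -> Dict[str, List[str]]:
    """Compare the API's view with the expected inventory and report the drift."""
    live = flatten_instances(response)
    live_ids = {h["id"] for h in live}
    return {
        "unknown": sorted(live_ids - expected),      # running, but nobody claims them
        "missing": sorted(expected - live_ids),      # claimed, but not running
        "public": sorted(h["id"] for h in live if h["public_ip"]),
        "untagged": sorted(h["id"] for h in live if required_tags - set(h["tags"])),
    }


if __name__ == "__main__":
    # Against a live account, replace the constant with the (paginated) result of
    # boto3.client("ec2").describe_instances(); the reconciliation logic is unchanged.
    report = reconcile(SAMPLE_DESCRIBE_INSTANCES, EXPECTED_INSTANCES, REQUIRED_TAGS)
    for category, ids in report.items():
        print(f"{category:9s} {ids}")
```

Run on a schedule, the "unknown" and "public" buckets are the ones to page on: an instance nobody owns, or one that gained a public address, is exactly the thing a physical inventory of a data center never catches in time.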
4. Visibility, Homogeneity, Automation…
• Rich but bounded set of options and configurations—better control and security
– E.g., IT pros and developers can only launch a limited set of blessed OS and application images
– Pre-configured systems and apps can be “stamped out” as identical copies by orchestration and automation (see next point)
4. Visibility, Homogeneity, Automation…
• Programmable infrastructure means that infrastructure can for the first time be scripted, code-reviewed, and checked into a source control system!
– “Infrastructure as code” can massively improve security posture
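The “blessed images” and “infrastructure as code” points together, as an added example that is my code rather than anything from the original presentation: a small lint that a pre-commit hook or CI job runs over a CloudFormation template before it is merged, enforcing an AMI allowlist and rejecting administrative ports opened to the whole Internet. Because the infrastructure is text in source control, this check runs before a single instance exists. The template, the allowlist and the resource names are constructed.

```python
"""Pre-merge lint for a CloudFormation template: only blessed AMIs, no admin ports open to the world."""
import ipaddress
import json
from typing import Dict, List, Tuple

# Constructed allowlist of hardened images and the ports never exposed to 0.0.0.0/0.
APPROVED_AMIS = {"ami-0hardened01", "ami-0hardened02"}
ADMIN_PORTS = {22, 3389}

# Constructed CloudFormation template (JSON syntax); resource names and IDs are made up.
TEMPLATE_JSON = r'''
{
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22,  "ToPort": 22,  "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "BastionSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "ssh from the corporate range only",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "198.51.100.0/24"}
        ]
      }
    },
    "Web1": {
      "Type": "AWS::EC2::Instance",
      "Properties": {"ImageId": "ami-0hardened01", "SecurityGroupIds": [{"Ref": "WebSg"}]}
    },
    "Rogue": {
      "Type": "AWS::EC2::Instance",
      "Properties": {"ImageId": "ami-0unknown99"}
    }
  }
}
'''

Finding = Tuple[str, str, str]  # (logical resource name, rule, detail)


def _open_to_world(rule: Dict) -> bool:
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if not isinstance(cidr, str):        # a Ref or parameter: cannot be judged statically
        return False
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0  # 0.0.0.0/0 or ::/0


def _covers_port(rule: Dict, port: int) -> bool:
    if str(rule.get("IpProtocol")) == "-1":   # all protocols, all ports
        return True
    return int(rule.get("FromPort", 0)) <= port <= int(rule.get("ToPort", 65535))


def lint_template(template: Dict, approved_amis=APPROVED_AMIS, admin_ports=ADMIN_PORTS) -> List[Finding]:
    findings: List[Finding] = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::Instance":
            ami = props.get("ImageId")
            # A non-string ImageId (Ref, Fn::FindInMap) is rejected too: it would bypass the allowlist.
            if not isinstance(ami, str) or ami not in approved_amis:
                findings.append((name, "UNAPPROVED_AMI", str(ami)))
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if not _open_to_world(rule):
                    continue
                for port in sorted(admin_ports):
                    if _covers_port(rule, port):
                        findings.append((name, "ADMIN_PORT_OPEN_TO_WORLD", f"{port}/{rule.get('IpProtocol')}"))
    return findings


def lint_json(text: str) -> List[Finding]:
    return lint_template(json.loads(text))


if __name__ == "__main__":
    import sys
    problems = lint_json(TEMPLATE_JSON)
    for name, rule, detail in problems:
        print(f"{name}: {rule} ({detail})")
    sys.exit(1 if problems else 0)   # a non-zero exit fails the CI or pre-commit gate
```

The 443 rule on WebSg passes (a web tier is expected to face the Internet), the 22 rule on the same group is flagged, and the bastion's 22 rule from a /24 is accepted. The same pattern extends to any property the organization wants to pin: instance types, required tags, encryption flags on volumes.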
5. Cloud as “System Container”
• Cloud is not only programmable infrastructure, but reacting infrastructure
• Monitoring, logging, alerting when “interesting” things happen
– Simple example: a sudden increase in network out-flows from the app tier can indicate a compromised system
• One key alerting mechanism is to call an HTTP endpoint of your choice; recursively reactive and programmable
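The out-flow example above as added, runnable code (not from the original deck): a detector that compares each NetworkOut sample with the median of the preceding window and, on a spike, builds the alert that would be pushed to an HTTP endpoint of your choice. The datapoints, the instance ID and the endpoint are constructed; nothing is sent over the network unless an endpoint is supplied.

```python
"""Detect a sudden jump in outbound bytes from an app-tier host and build the alert to push."""
import json
import statistics
import urllib.request
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed 5-minute NetworkOut samples (bytes) for one instance, in the shape of the
# Datapoints list CloudWatch's get_metric_statistics returns. The last two points are the spike.
_T0 = datetime(2013, 12, 4, 10, 0)
_BYTES_OUT = [3.9e6, 4.2e6, 4.0e6, 4.4e6, 3.8e6, 4.1e6, 4.3e6, 4.0e6, 4.2e6, 9.7e7, 8.8e7]
SAMPLES: List[Dict] = [
    {"Timestamp": (_T0 + timedelta(minutes=5 * i)).isoformat() + "Z", "Sum": v}
    for i, v in enumerate(_BYTES_OUT)
]


def detect_egress_spike(samples: List[Dict], window: int = 8, factor: float = 5.0) -> List[Dict]:
    """Flag points that exceed `factor` times the median of the previous `window` points.

    The median (rather than the mean) stops a spike that has already happened from
    dragging the baseline up and masking the points that follow it.
    """
    alerts = []
    for i in range(window, len(samples)):
        baseline = statistics.median(p["Sum"] for p in samples[i - window:i])
        if baseline > 0 and samples[i]["Sum"] > factor * baseline:
            alerts.append({
                "Timestamp": samples[i]["Timestamp"],
                "BytesOut": samples[i]["Sum"],
                "Baseline": baseline,
                "Ratio": samples[i]["Sum"] / baseline,
            })
    return alerts


def build_alert(instance_id: str, tier: str, hit: Dict) -> Dict:
    """Payload for the HTTP endpoint (SNS-style subject plus a JSON message body)."""
    return {
        "Subject": f"[egress] {instance_id} ({tier}) {hit['Ratio']:.0f}x baseline",
        "Message": json.dumps({"instance": instance_id, "tier": tier, **hit}),
    }


def post_alert(alert: Dict, endpoint: Optional[str]) -> bool:
    """POST the alert as JSON; with endpoint=None only report what would be sent."""
    body = json.dumps(alert).encode()
    if endpoint is None:
        print("would POST:", body.decode())
        return False
    req = urllib.request.Request(endpoint, data=body, headers={"Content-Type": "application/json"})
    # The receiver is itself programmable: it can isolate the host, snapshot it, and page someone.
    with urllib.request.urlopen(req, timeout=5) as resp:
        return 200 <= resp.status < 300


if __name__ == "__main__":
    for hit in detect_egress_spike(SAMPLES):
        post_alert(build_alert("i-0aaa111", "app", hit), endpoint=None)  # constructed instance ID
```

Two of the eleven points trip the detector; the second one still fires even though the first spike is now inside its window, which is the reason for the median. In production the same function would be fed by a metric poll or a CloudWatch alarm action, and the endpoint would be the hook that quarantines the instance.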
6. Cloud and Big Data
Using the Cloud to Secure the Cloud
• Natural affinity between cloud and big data
– Volume, variety, and velocity of data; and experimental / exploratory use of data fits the cloud model perfectly
• Security configuration and behavior of large-scale systems is a classic big data problem
• Use the storage and processing power of the cloud to find the security needle in the haystack
– Many customers doing that today; more related services coming from AWS soon!
7. Recent Security-Related Innovations
• CloudTrail logging/auditing for core services
– Provides a pipeline of near-real-time API logs to support continuous monitoring and analysis
• CloudHSM
– Composes with Redshift, 3rd-party software; more coming…
• Variables in IAM policies
– Composes with…
• SAML 2.0 and Web Identity Federation
– Composes with…
• DynamoDB fine-grained access control
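A near-real-time API log only improves security if something reads it, so here is an added example (not from the original presentation) of the triage rules a continuous-monitoring pipeline would run over CloudTrail records: root-account activity, tampering with the trail itself, a security group opened to the world, and an access key minted for a different user. The records are constructed; their field names follow the CloudTrail record format, but every account ID, user name, address and timestamp is made up.

```python
"""Triage CloudTrail records for events a continuous-monitoring pipeline should raise at once."""
import json
from typing import Dict, List

# Constructed records. Field names follow the CloudTrail record format; values are made up.
RECORDS_JSON = r'''
{"Records": [
 {"eventTime": "2013-12-04T09:01:12Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "accountId": "123456789012"},
  "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2013-12-04T09:04:40Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"name": "prod-trail"}},
 {"eventTime": "2013-12-04T09:06:02Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "requestParameters": {"groupId": "sg-0abc1234",
    "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2013-12-04T09:06:10Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "IAMUser", "userName": "bob"}},
 {"eventTime": "2013-12-04T09:15:33Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.5",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"userName": "svc-backup"}}
]}
'''

LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def _actor(rec: Dict) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _world_open_cidrs(rec: Dict) -> List[str]:
    """CIDRs with a /0 prefix inside AuthorizeSecurityGroupIngress requestParameters."""
    found = []
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr and cidr.endswith("/0"):
                found.append(cidr)
    return found


def triage(trail: Dict) -> List[Dict]:
    """Return one finding per matching record, in record order."""
    findings = []
    for rec in trail.get("Records", []):
        name, actor = rec.get("eventName"), _actor(rec)
        rule = sev = None
        if rec.get("userIdentity", {}).get("type") == "Root":
            rule, sev = "ROOT_ACTIVITY", "HIGH"            # root should never be used day to day
        elif rec.get("eventSource") == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER:
            rule, sev = "LOGGING_TAMPER", "HIGH"           # someone blinding the pipeline
        elif name == "AuthorizeSecurityGroupIngress" and _world_open_cidrs(rec):
            rule, sev = "INGRESS_OPEN_TO_WORLD", "MEDIUM"
        elif name == "CreateAccessKey" and rec.get("requestParameters", {}).get("userName", actor) != actor:
            rule, sev = "KEY_CREATED_FOR_OTHER_USER", "MEDIUM"   # persistence under another identity
        if rule:
            findings.append({"time": rec.get("eventTime"), "severity": sev, "rule": rule,
                             "event": name, "actor": actor, "source_ip": rec.get("sourceIPAddress")})
    return findings


def triage_json(text: str) -> List[Dict]:
    return triage(json.loads(text))


if __name__ == "__main__":
    for f in triage_json(RECORDS_JSON):
        print(f"{f['time']} {f['severity']:6s} {f['rule']:26s} {f['event']} by {f['actor']} from {f['source_ip']}")
```

Four of the five records produce a finding; the DescribeInstances call is ordinary read activity and is left alone. The rule order matters: the logging-tamper and root checks come first because they are the events an attacker uses to make everything after them invisible, and they should page a human rather than wait for a daily batch job.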