Architecting for Greater Security

Carlos Conde – Technology Evangelist

AWS Summit 2015, London (slide deck, published 2015-04-30)

5 WHYs

1. Why does security come first in enterprise cloud adoption?

New territory
Security is hard
AWS job zero

2. Why is enterprise security traditionally so hard?

Change control
Compliance planning

3. Why so much planning which takes so long?

So many processes
Built-in pauses
So many hand-offs

Processes detect unwanted change
Reduce impact of failure
Visibility & control are essential

4. Why so many processes?

No stimulus and response
Low degree of automation
Lack of visibility

5. Why are change detection and low-risk changes so difficult?

So where does AWS come in?

AWS makes security faster

Lets you move fast but stay safe

LEAST PRIVILEGE PRINCIPLE

Confine roles only to the material required to do specific work

AWS IAM

Identity & Access Management. Control who does what in your AWS account with fine-grained policies.
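One way to check that an IAM policy actually confines a role to what it needs is to lint the policy document for wildcard grants before it is attached. The following is an added example, not code from the deck or from AWS: it walks the Statement list of an IAM policy document and reports every Allow statement whose Action or Resource is a wildcard. The two policy documents are constructed samples (the bucket name example-reports is made up); Deny statements are deliberately skipped because a broad Deny narrows access rather than widening it, and NotAction/NotResource forms are not handled.

```python
"""Least-privilege lint for IAM policy documents (added example, constructed samples)."""
import json

# Constructed sample: a role that only needs to read one bucket, written two ways.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")

SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: dict) -> list:
    """Return one finding per Allow statement that uses a wildcard action or resource.

    A wildcard action is "*" or "service:*"; a wildcard resource is "*".
    Deny statements are skipped: a broad Deny restricts rather than grants.
    NotAction/NotResource are not evaluated by this lint (assumption: not used).
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in resources if r == "*"]
        if wild_actions or wild_resources:
            findings.append({
                "statement": index,
                "wildcard_actions": wild_actions,
                "wildcard_resources": wild_resources,
            })
    return findings


def is_least_privilege(policy: dict) -> bool:
    """True when no Allow statement in the policy uses a wildcard grant."""
    return not find_overbroad_statements(policy)


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_overbroad_statements(policy), indent=2))
```

Run against the constructed samples, the overbroad policy yields two findings (the s3:* statement and the iam:* statement) and the scoped policy yields none; the lint is a pre-commit or CI gate, not a replacement for reviewing what each listed action actually permits.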

LEAST PRIVILEGE PRINCIPLE

Confine network access only to the nodes required to do specific work

DATA PROTECTION PRINCIPLE

Protect data in transit & at rest

ENCRYPT YOUR DATA

AMAZON EMR
AMAZON S3 SSE
AMAZON GLACIER
AMAZON REDSHIFT
AMAZON RDS

CHOOSE THE RIGHT MODEL FOR YOUR NEEDS

Automated – AWS manages encryption
Enabled – user manages encryption using AWS
Client-side – user manages encryption using their own means

AWS Private Key Management Capabilities

AWS CloudHSM

Dedicated HSM appliances, managed and monitored by AWS, but you control the keys.
Increase performance for applications that use HSMs for key storage or encryption.
Comply with stringent regulatory and contractual requirements for key protection.

(Diagram: EC2 instance connected to AWS CloudHSM)

VISIBILITY PRINCIPLE

You can’t protect what you don’t know about

LOG FILES

Obtained, Analysed, Retained

AWS CloudWatch Logs

You are making API calls... on a growing set of services around the world… CloudTrail is continuously recording API calls… and delivering log files to you.

AWS CloudTrail

PROTECT YOUR LOGS WITH IAM

ARCHIVE YOUR LOGS

AWS Config

System change deltas as a time series

(Diagram: changing resources → continuous change recording by AWS Config → history, stream, and snapshot, e.g. 2014-11-05)

MAKE SECURITY ACTIONABLE

Automate log reviews with AWS Lambda.

Automatically shutdown non-compliant instances.

Validate changes.

Rollback unapproved changes.
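The four actions above (review logs automatically, detect non-compliance, validate, roll back) fit one small Lambda-style handler. The following is an added example and not code from the deck or from AWS: it reviews CloudTrail records for AuthorizeSecurityGroupIngress calls that open an administrative port to the whole internet and returns the affected security groups as rollback candidates. The records are constructed samples in the CloudTrail record shape (user names, group ids and timestamps are made up), the set of administrative ports is an assumed policy, and the handler is given the already-parsed log rather than fetching the gzipped file from S3, which a deployed function would do with boto3.

```python
"""Automated CloudTrail review for risky security-group changes (added example)."""
import json

# Assumed policy: ports that must never be reachable from 0.0.0.0/0 or ::/0.
ADMIN_PORTS = {22, 3389}

# Constructed sample log in the CloudTrail "Records" shape.
SAMPLE_LOG = json.loads("""
{"Records": [
  {"eventTime": "2015-04-30T09:12:01Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "AuthorizeSecurityGroupIngress",
   "userIdentity": {"type": "IAMUser", "userName": "alice"},
   "requestParameters": {"groupId": "sg-0aaa1111",
     "ipPermissions": {"items": [
       {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
        "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
  {"eventTime": "2015-04-30T09:15:44Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "AuthorizeSecurityGroupIngress",
   "userIdentity": {"type": "IAMUser", "userName": "bob"},
   "requestParameters": {"groupId": "sg-0bbb2222",
     "ipPermissions": {"items": [
       {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
        "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
  {"eventTime": "2015-04-30T09:20:10Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "AuthorizeSecurityGroupIngress",
   "userIdentity": {"type": "AssumedRole", "userName": "deploy"},
   "requestParameters": {"groupId": "sg-0ccc3333",
     "ipPermissions": {"items": [
       {"ipProtocol": "tcp", "fromPort": 3000, "toPort": 4000,
        "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
  {"eventTime": "2015-04-30T09:25:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DescribeInstances",
   "userIdentity": {"type": "IAMUser", "userName": "carol"},
   "requestParameters": {}}
]}
""")


def opens_admin_port_to_world(permission: dict) -> bool:
    """True when one ingress rule exposes an ADMIN_PORT to 0.0.0.0/0 or ::/0."""
    cidrs = [r.get("cidrIp") for r in permission.get("ipRanges", {}).get("items", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", {}).get("items", [])]
    if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
        return False
    if permission.get("ipProtocol") == "-1":  # all protocols, therefore all ports
        return True
    lo = permission.get("fromPort", 0)
    hi = permission.get("toPort", 65535)
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def review_records(records) -> list:
    """Return one finding per world-open administrative ingress rule in the records."""
    findings = []
    for rec in records:
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = rec.get("requestParameters", {})
        for perm in params.get("ipPermissions", {}).get("items", []):
            if opens_admin_port_to_world(perm):
                findings.append({
                    "eventTime": rec.get("eventTime"),
                    "groupId": params.get("groupId"),
                    "user": rec.get("userIdentity", {}).get("userName"),
                    "ports": (perm.get("fromPort"), perm.get("toPort")),
                })
    return findings


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point in the shape Lambda calls; here the event carries the parsed log.

    A deployed function would receive an S3 notification, fetch and gunzip the
    CloudTrail file, then pass its Records here (assumed, not implemented).
    """
    findings = review_records(event.get("Records", []))
    groups = sorted({f["groupId"] for f in findings if f["groupId"]})
    return {"findings": findings, "rollback_candidates": groups}


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_LOG), indent=2))
```

On the constructed log only the first record is flagged: port 443 open to the world is not an administrative port under the assumed policy, and the 3000-4000 range is open only to a private network. The returned rollback_candidates list is what a follow-up step would feed to a RevokeSecurityGroupIngress call or a ticket for human validation.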

CONTINUOUS DEPLOYMENT FOR SECURITY

Automated deployments are more secure.

Enables “SSH-less” production environments.

Rapid deployment of security fixes.

Use AWS CodeDeploy.

AWS Assurance Programs

aws.amazon.com/compliance

“… We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”

Security’s Cloud Revolution is Upon Us, Forrester Research, Inc., August 2, 2013

Co-Founder

Ohpen is a platform ‘out-of-the-box’ and offers financial service providers a fully integrated, multilingual, web-, front-, mid- and back-end solution for mutual funds and savings accounts.

Ohpen enabled the first bank in the world to go to the cloud. All-in!

We are extinguishing legacy software by developing the best mutual fund and savings platform in the world.

The financial services industry shall be freed from on premise legacy software by cloud based administration factories, where you just plug in.


“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”

Tom Soderstrom – CTO – NASA JPL

MORE AUDITABILITY

MORE VISIBILITY

MORE CONTROL

aws.amazon.com/security

Please rate this session & provide your feedback

Download the AWS Summit App

AWS Summit 2015, London

#AWSSummit @AWS_UKI