AWS Security - Amazon Web Services


  • 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

    AWS Security

    Stephen E. Schmidt, Director of Security

  • Different customer viewpoints on security

    PR exec: keep out of the news

    CEO: protect shareholder value

    CI{S}O: preserve the confidentiality, integrity and availability of data

  • Security is Our No.1 Priority: Comprehensive Security Capabilities to Support Virtually Any Workload

    PEOPLE & PROCEDURES

    NETWORK SECURITY

    PHYSICAL SECURITY

    PLATFORM SECURITY

  • SECURITY IS SHARED

    WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE:

    WHAT WE DO

    WHAT YOU HAVE TO DO

  • SOC CONTROL OBJECTIVES

    1. SECURITY ORGANIZATION

    2. AMAZON USER ACCESS

    3. LOGICAL SECURITY

    4. SECURE DATA HANDLING

    5. PHYSICAL SECURITY AND ENV. SAFEGUARDS

    6. CHANGE MANAGEMENT

    7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY

    8. INCIDENT HANDLING

  • YOUR DATA IS YOUR MOST IMPORTANT ASSET. IF YOUR DATA IS NOT SECURE, YOU'RE NOT SECURE

  • CHANGES IN PRODUCTION HAVE TO BE AUTHORIZED

  • DEPLOYMENT PROCESS HAS TO BE CONSTRAINED

  • NETWORK SECURITY

  • GAME DAYS: INSERT ARTIFICIAL SECURITY INCIDENTS. MEASURE SPEED OF DETECTION AND EXECUTION.

  • EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES. CHOOSE WHAT'S RIGHT FOR YOUR BUSINESS

  • "Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers"

    Tom Soderstrom, CTO, NASA JPL

  • AWS SECURITY OFFERS MORE

    VISIBILITY

    AUDITABILITY

    CONTROL

  • MORE VISIBILITY

  • CAN YOU MAP YOUR NETWORK? WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?

  • TRUSTED ADVISOR

  • MORE AUDITABILITY

  • INTRODUCING

    AWS CLOUDTRAIL

  • You are making API calls... on a growing set of services around the world. CloudTrail is continuously recording API calls and delivering log files to you.

  • Security Analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.

    Track Changes to AWS Resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.

    Troubleshoot Operational Issues: quickly identify the most recent changes made to resources in your environment.

    Compliance Aid: easier to demonstrate compliance with internal policies and regulatory standards.

  • CloudTrail records API calls and delivers a log file to your S3 bucket. Typically, it delivers an event within 15 minutes of the API call. Log files are delivered approximately every 5 minutes. Multiple partners offer integrated solutions to analyze log files.
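    As an added example (not part of the original deck) of the "security analysis" and "track changes" use cases above, the Python script below parses a CloudTrail log file in the form CloudTrail delivers it to S3 and triages the records a responder wants to see first: changes to the trail itself (the deck's "protect your logs" point), use of root credentials, console logins without MFA, and security group rules opened to 0.0.0.0/0. The records, account ID, IP addresses and resource IDs are constructed for the example; the field names follow the CloudTrail record format.

```python
"""Triage a CloudTrail log file: parse the Records array and flag the events
a responder should look at first. Sample records below are constructed for
this example (invented account id, IPs and resource ids); field names follow
the CloudTrail record format."""
import gzip
import json
from collections import Counter

# CloudTrail writes one JSON object with a "Records" list per delivered file.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-05-12T09:01:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-05-12T09:02:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111111111111"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-05-12T09:05:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "accountId": "111111111111"},
     "requestParameters": {"name": "management-events"}},
    {"eventTime": "2014-05-12T09:07:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111111111111"}},
]})

# API calls that disable or alter the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# EC2/VPC call prefixes that change resources (the "track changes" use case).
CHANGE_PREFIXES = ("Create", "Delete", "Modify", "Authorize", "Revoke", "Run", "Terminate")
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def load_records(data: bytes) -> list:
    """Accept a CloudTrail file as delivered (gzip) or already decompressed."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return json.loads(data)["Records"]


def actor(rec: dict) -> str:
    """IAM user name when present, otherwise the identity type (e.g. Root)."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def open_to_world(rec: dict) -> bool:
    """True for an AuthorizeSecurityGroupIngress call that admits 0.0.0.0/0."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))


def triage(records: list) -> list:
    """Return (severity, reason, eventName, actor, eventTime) tuples, worst first."""
    findings = []
    for r in records:
        who, name, when = actor(r), r.get("eventName", ""), r.get("eventTime", "")
        if name in TRAIL_TAMPERING and r.get("eventSource") == "cloudtrail.amazonaws.com":
            findings.append(("high", "audit trail modified", name, who, when))
        if r.get("userIdentity", {}).get("type") == "Root":
            findings.append(("high", "root credentials used", name, who, when))
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("medium", "console login without MFA", name, who, when))
        if open_to_world(r):
            findings.append(("medium", "security group opened to 0.0.0.0/0", name, who, when))
        elif r.get("eventSource") == "ec2.amazonaws.com" and name.startswith(CHANGE_PREFIXES):
            findings.append(("info", "EC2/VPC resource change", name, who, when))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def calls_per_actor(records: list) -> Counter:
    """Baseline view of who is calling how often (user behaviour patterns)."""
    return Counter(actor(r) for r in records)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG.encode())
    for finding in triage(recs):
        print(" | ".join(finding))
    print(dict(calls_per_actor(recs)))
```

    Run against real files by reading each gzip object out of the CloudTrail bucket and passing its bytes to load_records; the 5 to 15 minute delivery delay quoted above means this is an after-the-fact check, not a real-time control.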

  • LOGS: OBTAINED, RETAINED, ANALYZED

  • PROTECT YOUR LOGS WITH IAM. ARCHIVE YOUR LOGS

  • VULNERABILITY & PENETRATION TESTING

  • MORE CONTROL

  • Defense in Depth: multi-level security

    Physical security of the data centers

    Network security

    System security

    Data security

  • AWS Security Delivers More Control & Granularity: Customize the implementation based on your business needs

    Defense in depth

    Rapid scale for security

    Automated checks with AWS Trusted Advisor

    Fine grained access controls (AWS IAM)

    Server side encryption

    Multi-factor authentication

    Dedicated instances (Amazon VPC)

    Direct connection, Storage Gateway (AWS Direct Connect, AWS Storage Gateway)

    HSM-based key storage (AWS CloudHSM)

  • AWS STAFF ACCESS

    Staff vetting

    Staff has no logical access to customer instances

    Staff control-plane access limited & monitored: bastion hosts, least privileged model, zoned data center access, business needs, separate PAMS

  • MORE CONTROL ON IDENTITY & ACCESS

  • LEAST PRIVILEGE PRINCIPLE: CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO A SPECIFIC JOB

  • USE AWS IAM (IDENTITY & ACCESS MANAGEMENT): CONTROL WHO CAN DO WHAT IN YOUR AWS ACCOUNT

  • AWS IAM: Recent Innovations. Securely control access to AWS services and resources

    Delegation: roles for Amazon EC2; cross-account access

    Powerful integrated permissions: resource level permissions (Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation); access control policy variables; Policy Simulator; enhanced IAM support (Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk)

    Federation: Web Identity Federation; AD and Shibboleth examples; partner integrations; case study: Expedia

    Strong authentication: MFA-protected API access; password policies

    Enhanced documentation and videos

  • ACCESS TO SERVICE APIs

  • Amazon DynamoDB Fine Grained Access Control

    Directly and securely access application data in Amazon DynamoDB

    Specify access permissions at table, item and attribute levels

    With Web Identity Federation, completely remove the need for proxy servers to perform authorization
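    To make the least-privilege, policy-variable and fine-grained access slides concrete, here is an added example (written for this page, not AWS code and not the deck's): a miniature model of IAM policy evaluation that implements only the documented core rules, implicit deny by default, a matching Allow grants, and a matching explicit Deny overrides every Allow. It is exercised with two constructed policies: a per-user S3 prefix built on ${aws:username}, and a DynamoDB fine-grained policy that ties dynamodb:LeadingKeys to the federated web identity's ${www.amazon.com:user_id}. Bucket, table and account ID are invented; only StringEquals and ForAllValues:StringEquals are modelled.

```python
"""Miniature model of IAM policy evaluation (not the AWS implementation): implicit
deny, Allow on match, explicit Deny overrides. Policies and identifiers below are
constructed for the example."""
import fnmatch
import re

VAR = re.compile(r"\$\{([^}]+)\}")


def substitute(template: str, ctx: dict) -> str:
    """Expand ${aws:username}-style policy variables from the request context.
    Unknown variables stay literal, so they match nothing."""
    return VAR.sub(lambda m: str(ctx.get(m.group(1), m.group(0))), template)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_ok(cond: dict, ctx: dict) -> bool:
    """StringEquals and ForAllValues:StringEquals cover per-user S3 prefixes
    and DynamoDB fine-grained access control."""
    for op, pairs in cond.items():
        for key, allowed in pairs.items():
            allowed = [substitute(a, ctx) for a in _as_list(allowed)]
            actual = ctx.get(key)
            if op == "StringEquals":
                if actual is None or str(actual) not in allowed:
                    return False
            elif op == "ForAllValues:StringEquals":
                # Documented semantics: every request value must be allowed, and a
                # request that carries no values for the key also passes.
                if any(str(v) not in allowed for v in _as_list(actual or [])):
                    return False
            else:
                raise NotImplementedError(f"operator {op} is not modelled here")
    return True


def evaluate(policies: list, action: str, resource: str, ctx: dict) -> str:
    """Return 'Allow' or 'Deny' for one request against the identity's policies."""
    decision = "Deny"  # implicit deny until some statement allows
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            actions = [a.lower() for a in _as_list(st["Action"])]  # action names are case-insensitive
            if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
                continue
            resources = [substitute(r, ctx) for r in _as_list(st["Resource"])]
            if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
                continue
            if not condition_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # explicit deny wins over any Allow
            decision = "Allow"
    return decision


# Every IAM user gets a private prefix in one shared bucket (constructed policy).
PER_USER_HOME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-home/${aws:username}/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-home",
     "Condition": {"StringEquals": {"s3:prefix": "${aws:username}/"}}},
]}
# A federated web identity may only read or write items whose partition key is its own id.
GAME_SCORES_FGAC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:111111111111:table/GameScores",
     "Condition": {"ForAllValues:StringEquals": {
         "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"]}}},
]}
# Guard rail attached next to any broader policy: nobody deletes objects.
DENY_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}

if __name__ == "__main__":
    alice = {"aws:username": "alice", "s3:prefix": "alice/"}
    print(evaluate([PER_USER_HOME], "s3:GetObject", "arn:aws:s3:::example-home/alice/a.txt", alice))
    print(evaluate([PER_USER_HOME], "s3:GetObject", "arn:aws:s3:::example-home/bob/a.txt", alice))
    player = {"www.amazon.com:user_id": "amzn1.account.AB12",
              "dynamodb:LeadingKeys": ["amzn1.account.AB12"]}
    print(evaluate([GAME_SCORES_FGAC], "dynamodb:Query",
                   "arn:aws:dynamodb:us-east-1:111111111111:table/GameScores", player))
```

    Two points the model makes visible: an identity with no aws:username in its context (a role without that key) matches nothing in PER_USER_HOME and is denied, and ForAllValues passes when the request carries no LeadingKeys at all, which is why a fine-grained DynamoDB policy must not grant dynamodb:Scan alongside GetItem and Query.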

  • MORE CONTROL ON YOUR DATA

  • MFA DELETE PROTECTION

  • YOUR DATA STAYS WHERE YOU PUT IT

  • REDUNDANCY & INTEGRITY CHECKS
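    The integrity checks the deck refers to are the ones S3 performs internally. As an added example (not from the deck), the Python below shows the checks a client can perform on its own side: send a Content-MD5 header so S3 rejects an upload whose body does not match, and compare the ETag S3 returns with a locally computed value. For a single-part upload without SSE-KMS or SSE-C the ETag is the hex MD5 of the object; for a multipart upload it is the MD5 of the concatenated binary part digests followed by "-" and the part count, so the verifier must know the part size the uploader used. The sample bytes and part size are constructed.

```python
"""Client-side integrity checks for S3 objects (added example). Sample data and
part size are constructed; the part size must match the uploader's."""
import base64
import hashlib

# Constructed object: 10240 bytes, uploaded in 4096-byte parts (3 parts).
SAMPLE = bytes(range(256)) * 40
PART_SIZE = 4096


def content_md5_header(data: bytes) -> str:
    """Value for the Content-MD5 request header: base64 of the raw 16-byte digest.
    S3 rejects the PUT if the body it receives hashes to anything else."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def single_part_etag(data: bytes) -> str:
    """ETag of a plain single-part upload: hex MD5 of the whole object."""
    return hashlib.md5(data).hexdigest()


def multipart_etag(data: bytes, part_size: int) -> str:
    """ETag of a multipart upload: MD5 over the parts' binary MD5s, then '-<count>'."""
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)]
    digests = b"".join(hashlib.md5(p).digest() for p in parts)
    return f"{hashlib.md5(digests).hexdigest()}-{len(parts)}"


def expected_etag(data: bytes, part_size: int) -> str:
    """Assumes the uploader splits only objects larger than one part."""
    if len(data) > part_size:
        return multipart_etag(data, part_size)
    return single_part_etag(data)


def verify(data: bytes, reported_etag: str, part_size: int) -> bool:
    """Compare the ETag header S3 returned (quotes included) with the local value.
    Objects encrypted with SSE-KMS or SSE-C do not carry MD5 ETags; a mismatch
    there is not evidence of corruption."""
    return reported_etag.strip('"') == expected_etag(data, part_size)


if __name__ == "__main__":
    etag = expected_etag(SAMPLE, PART_SIZE)
    print("Content-MD5:", content_md5_header(SAMPLE))
    print("expected ETag:", etag)
    print("intact copy verifies:", verify(SAMPLE, f'"{etag}"', PART_SIZE))
    print("corrupted copy verifies:", verify(SAMPLE[:-1] + b"\x00", f'"{etag}"', PART_SIZE))
```

    The last check in the block also fails when the verifier guesses the wrong part size, which is the usual reason a correct multipart ETag "does not match"; record the part size with the upload or use a fixed one across tooling.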

  • USE MULTIPLE AZs: AMAZON S3, AMAZON DYNAMODB, AMAZON RDS MULTI-AZ, AMAZON EBS SNAPSHOTS

  • DATA ENCRYPTION. CHOOSE WHAT'S RIGHT FOR YOU:

    Automated: AWS manages encryption

    Enabled: user manages encryption using AWS

    Client-side: user manages encryption using their own means

  • AWS CloudHSM

    Managed and monitored by AWS, but you control the keys

    Increase performance for applications that use HSMs for key storage or encryption

    Comply with stringent regulatory and contractual requirements for key protection

    (Diagram: EC2 Instance connected to AWS CloudHSM appliances)

  • ENCRYPT YOUR DATA: AWS CLOUDHSM, AMAZON S3 SSE, AMAZON GLACIER, AMAZON REDSHIFT, AMAZON RDS


    Axway, Cloud and Security

    David FIGINI, VP Cloud Managed Services EMEA

  • 11,000 customers; 100 countries; 332.5M revenue in 2013; 1,700+ employees; HQ in Phoenix, AZ USA; offices in 19 countries

    Governing the flow of data: DATA FLOW GOVERNANCE

  • Axway Cloud and AWS

    Start quickly, everywhere; no initial cost; pay per use; scale up and down; no commitment; repeatable; reliable; secure

    VPC (Virtual Private Cloud): private network isolation for cloud components.

    Data centers (zones): Tier IV and compliant with all major third-party certifications.

    Storage: 99.999999999% durability

    Database: multi-zone configuration

    Elastic Load Balancers: zone independence

    VPN: AWS Direct Connect provides dedicated private networking for increased bandwidth and reliability.

    EC2 Instances: elastic computing

    CloudFormation: reliable delivery from web services

    Applications: designed for no single points of failure and non-repudiation.

    All services are monitored through a centralized location utilizing SES, SNS, CloudWatch, Nagios, etc.

  • Axway Cloud threat mitigation

    Threats: architecture and datacenter vulnerabilities; service platform availability; information confidentiality and integrity loss; decrease in functional performance; human activities

    Mitigations:

    Multi-AZ Auto Scaling groups (very high availability)

    Solution deployed by Axway; OS patch management

    Data encryption at rest and for communications

    Backup policy based on snapshots (data loss and confidentiality)

    Access to environments is centralized and all activity is tracked (human activity)

    Security and monitoring tools (OSSEC, syslog, Nagios, CloudWatch, ...)

    Splunk to receive, process and present security events; real-time monitoring

  • Axway Cloud security architecture

    SOC1 Type 2 certification achieved in March; ISO27001 beginning of 2015

    (Architecture diagram: management solution and access control in the Axway data center; Axway workforce VPN; Amazon Route 53; Elastic Load Balancing in front of the solution; supervision VPC with monitoring & security tools and monitoring & security data, connected by VPC peering)