Security, Privacy, & Compliance Overview
Max Ramsay | Sr. Manager, Americas Security SA
Customers Running Every Imaginable Use Case
800+ Government Agencies
3,000+ Education Institutions
10,000+ Nonprofits
Vodafone built a mobile payment app (use case: payments)
"Amazon Web Services was the clear choice in terms of security." (Stefano Harak, Online Senior Product Manager)
• PCI DSS compliance was essential
• Launched in 3 months
• Reduced CapEx by 30%
• Deployed to 7 channels, including Facebook
Bristol-Myers Squibb moved clinical trials to AWS
• Clinical trial simulations took 98% less time
• More efficient and iterative simulations result in fewer human trials
• 64% savings on clinical trial costs
"We're using fewer subjects in these trials, and needing fewer blood samples." (Russell Towell, Senior Solutions Specialist)

                        On-Premises    Cloud
# of Simulations        2000           2000
# of Servers            2              256
Total Run Time (hr)     60             1.2
Pegasystems put healthcare data on AWS
• Company: provides software for business process management, CRM, and case management
• Challenge: Pega technology is used cross-functionally across the healthcare industry; all data is considered PHI
• Results: Pega and their customers are HIPAA compliant on AWS
NASDAQ put SEC-regulated data on AWS
• Company: provides products and services to manage the entire life cycle of a trade
• Challenge: securely storing and managing vast amounts of data with strict compliance requirements
• Results: NASDAQ and FinQloud customers meet the stringent SEC Rule 17a-4 requirements for financial record retention
Cognia put credit card data on AWS
• Company: global communications platform for call centers to capture communications data
• Challenge: must comply with PCI DSS so their customers can process payment card data on the platform
• Results: PCI DSS certified on AWS
AWS Covers the Depth and Breadth of Needs
Platform Services
• Databases: Caching, Relational, NoSQL
• Analytics: Hadoop, Real-time, Data Workflows, Data Warehouse
• App Services: Queuing, Orchestration, App Streaming, Transcoding, Search
• Deployment & Management: Containers, Dev/ops Tools, Resource Templates, Usage Tracking, Monitoring and Logs
• Mobile Services: Identity, Sync, Mobile Analytics, Notifications
Foundation Services
• Compute (VMs, Auto-scaling and Load Balancing)
• Storage (Object, Block and Archive)
• Security & Access Control
• Networking
Infrastructure
• Regions, Availability Zones, CDN and Points of Presence
Enterprise Applications
• Virtual Desktops, Collaboration and Sharing
AWS Rapid Pace of Innovation
New services and features released per year:
2007: 9   2008: 24   2009: 48   2010: 61   2011: 82   2012: 159   2013: 280   2014: 300+
"There is no compression algorithm for experience"
Since inception AWS has:
• Released 896 new services and features
• Introduced over 35 major new services
• Announced 44 price reductions
Security & compliance requirements from every industry
Security Infrastructure
Expert Audits: Transparency, Accuracy (each audit domain reviewed by subject matter experts, SMEs)
Layers of security controls in AWS
• Security of the Cloud (managed by AWS): cloud service provider controls, cross-service controls, service-specific controls
• Security in the Cloud (managed by the customer): optimized network, OS and application controls
Request reports at: aws.amazon.com/compliance/#contact
New Security Service Launches and Feature Updates
Security launches as a share of all new services and features per year (denominators are the yearly totals from the innovation chart above):
2009: 13 of 48   2010: 16 of 61   2011: 23 of 82   2012: 51 of 159   2013: 71 of 280   2014: 75 of 300+
Rapid pace of security innovation & customer-driven improvements
Build everything on a constantly improving security baseline
Security & compliance is a shared responsibility

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security IN the Cloud:
• Customer applications & content
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption, server-side data encryption, network traffic protection
You always have full ownership and control
• AWS makes no secondary use of customer content
• Manage your privacy objectives any way that you want
• Keep data in your format and move it, or delete it, at any time you choose
• No automatic replication of data outside of your chosen AWS Region
• Customers can encrypt their content any way they choose
You decide where to put your content and applications
AWS Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GovCloud (US), EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo), China (Beijing)
Every network has fine-grained security built-in
(Diagram: one VPC spanning Availability Zone A and Availability Zone B)
You control your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space you define
• Create your own subnets and control all internal and external connectivity
AWS network security
• The AWS network prevents spoofing and other common layer 2 attacks
• Every compute instance can carry multiple security groups (stateful firewalls: the reply to an allowed request is allowed automatically)
• Every subnet gets a network access control list (NACL); NACLs are stateless, so return traffic on ephemeral ports must be allowed explicitly
You can create multi-tier architectures
(Diagram: VPC A, 10.0.0.0/16, in Availability Zone A, with subnets 10.0.1.0/24 through 10.0.5.0/24: load balancing in front of EC2 Web, EC2 App and EC2 Log tiers, further EC2 instances, and a jump host, each tier in its own subnet)
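The two slides above describe security groups, NACLs and a tiered subnet layout without showing how a packet is actually decided on. The following is an added example, not AWS's or the presenter's code: a small model of the two filters for a constructed three-tier VPC (web 10.0.1.0/24, app 10.0.2.0/24, jump host 10.0.5.0/24, with 203.0.113.0/24 standing in for the corporate network). All addresses, group names and rule numbers are assumptions made for the example.

```python
"""Added example (not AWS's or the presenter's code): a small model of how a
packet is filtered on its way to an EC2 instance in a VPC. Security groups are
stateful (one inbound rule also covers the reply); network ACLs are stateless
and numbered (lowest matching rule wins, default deny, and the reply must be
allowed explicitly on the ephemeral port range). The topology, addresses and
rules are constructed for the three-tier layout shown on the slide."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # reply traffic lands here; a NACL needs an explicit rule for it

NaclRule = namedtuple("NaclRule", "number action proto ports cidr")  # ports = (low, high)
Nacl = namedtuple("Nacl", "inbound outbound")
SgRule = namedtuple("SgRule", "proto ports source")  # source: CIDR or another group's name
Instance = namedtuple("Instance", "name ip subnet sgs")
Vpc = namedtuple("Vpc", "subnets groups instances")  # subnets: name -> (cidr, Nacl)


def nacl_permits(nacl, direction, proto, port, addr):
    """Stateless: each packet is matched against the numbered rules for the
    direction it travels in; the first match decides, otherwise deny."""
    rules = nacl.inbound if direction == "in" else nacl.outbound
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto in ("all", proto) and r.ports[0] <= port <= r.ports[1] \
                and ip_address(addr) in ip_network(r.cidr):
            return r.action == "allow"
    return False


def sg_permits(vpc, dst, proto, port, src_ip, src_inst):
    """Stateful: only the request direction is checked; the reply is implied."""
    for sg in dst.sgs:
        for r in vpc.groups[sg]:
            if r.proto not in ("all", proto) or not (r.ports[0] <= port <= r.ports[1]):
                continue
            if r.source in vpc.groups:  # rule references another security group
                if src_inst is not None and r.source in src_inst.sgs:
                    return True
            elif ip_address(src_ip) in ip_network(r.source):
                return True
    return False


def evaluate_flow(vpc, src, dst_name, dst_port, proto="tcp"):
    """src is an instance name inside the VPC or an external IP string.
    Returns (allowed, reason). NACLs are consulted for the request and again
    for the reply; the destination security group is consulted once."""
    dst = vpc.instances[dst_name]
    src_inst = vpc.instances.get(src)
    src_ip = src_inst.ip if src_inst else src
    reply_port = EPHEMERAL[0]  # representative client-side port
    dst_nacl = vpc.subnets[dst.subnet][1]
    src_nacl = vpc.subnets[src_inst.subnet][1] if src_inst else None
    crosses_subnet = src_inst is None or src_inst.subnet != dst.subnet
    if crosses_subnet:  # NACLs only see traffic that crosses a subnet boundary
        if src_nacl and not nacl_permits(src_nacl, "out", proto, dst_port, dst.ip):
            return False, "request blocked by source subnet NACL (outbound)"
        if not nacl_permits(dst_nacl, "in", proto, dst_port, src_ip):
            return False, "request blocked by destination subnet NACL (inbound)"
    if not sg_permits(vpc, dst, proto, dst_port, src_ip, src_inst):
        return False, "request blocked by security group"
    if crosses_subnet:
        if not nacl_permits(dst_nacl, "out", proto, reply_port, src_ip):
            return False, "reply blocked by destination subnet NACL (outbound)"
        if src_nacl and not nacl_permits(src_nacl, "in", proto, reply_port, dst.ip):
            return False, "reply blocked by source subnet NACL (inbound)"
    return True, "allowed"


def build_vpc(app_nacl_allows_replies=True):
    """Constructed topology: web 10.0.1.0/24, app 10.0.2.0/24, jump host
    10.0.5.0/24; 203.0.113.0/24 stands in for the corporate network."""
    web_nacl = Nacl(
        inbound=[NaclRule(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
                 NaclRule(110, "allow", "tcp", (22, 22), "10.0.5.0/24"),
                 NaclRule(120, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")],
        outbound=[NaclRule(100, "allow", "tcp", (8080, 8080), "10.0.2.0/24"),
                  NaclRule(110, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")])
    app_nacl = Nacl(
        inbound=[NaclRule(100, "allow", "tcp", (8080, 8080), "10.0.1.0/24"),
                 NaclRule(110, "allow", "tcp", (22, 22), "10.0.5.0/24")],
        # Omitting this rule is the classic stateless-NACL mistake: the request
        # gets in, the reply never gets out.
        outbound=[NaclRule(100, "allow", "tcp", EPHEMERAL, "10.0.0.0/16")] if app_nacl_allows_replies else [])
    mgmt_nacl = Nacl(
        inbound=[NaclRule(100, "allow", "tcp", (22, 22), "203.0.113.0/24"),
                 NaclRule(110, "allow", "tcp", EPHEMERAL, "10.0.0.0/16")],
        outbound=[NaclRule(100, "allow", "all", (0, 65535), "10.0.0.0/16"),
                  NaclRule(110, "allow", "tcp", EPHEMERAL, "203.0.113.0/24")])
    return Vpc(
        subnets={"web": ("10.0.1.0/24", web_nacl), "app": ("10.0.2.0/24", app_nacl),
                 "mgmt": ("10.0.5.0/24", mgmt_nacl)},
        groups={"sg-web": [SgRule("tcp", (443, 443), "0.0.0.0/0"), SgRule("tcp", (22, 22), "sg-jump")],
                "sg-app": [SgRule("tcp", (8080, 8080), "sg-web"), SgRule("tcp", (22, 22), "sg-jump")],
                "sg-jump": [SgRule("tcp", (22, 22), "203.0.113.0/24")]},
        instances={"web1": Instance("web1", "10.0.1.10", "web", ["sg-web"]),
                   "app1": Instance("app1", "10.0.2.10", "app", ["sg-app"]),
                   "jump": Instance("jump", "10.0.5.10", "mgmt", ["sg-jump"])})


if __name__ == "__main__":
    vpc = build_vpc()
    for src, dst, port in [("198.51.100.7", "web1", 443), ("198.51.100.7", "web1", 22),
                           ("web1", "app1", 8080), ("jump", "web1", 8080), ("203.0.113.5", "jump", 22)]:
        print(f"{src} -> {dst}:{port}: {evaluate_flow(vpc, src, dst, port)}")
    print("app NACL without reply rule:", evaluate_flow(build_vpc(False), "web1", "app1", 8080))
```

Two of the cases are worth running: the jump host reaching web1 on port 8080 is let through by the web subnet's ephemeral-range NACL rule (8080 lies inside 1024-65535) and is stopped only by the security group, which is why the two layers are kept; and with the app subnet's outbound ephemeral rule removed the request is still admitted but the reply is dropped, which is how a stateless NACL misconfiguration shows up in practice.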
Connect privately to your existing datacenters
(Diagram: VPC A, 10.0.0.0/16, in Availability Zone A, subnets 10.0.1.0/24 through 10.0.4.0/24 with load-balanced EC2 Web and EC2 App tiers, linked to your premises)
Use Internet VPNs or use AWS Direct Connect
Create flexible multi-VPC hybrid environments
(Diagram: your organization connected to separate VPCs for Project Teams, Marketing, Business Units, Reporting, Digital / Websites, and Dev and Test; Analytics on Redshift and EMR; Internal Enterprise Apps; Storage/Backup on Amazon S3 and Amazon Glacier)
You can encrypt your sensitive information
Encrypt your Elastic Block Store volumes any way you like
• AWS native EBS encryption for free with a mouse-click
• Encrypt yourself using free utilities, plus Trend Micro, SafeNet and other partners for high-assurance key management solutions
Amazon S3 offers either server-side or client-side encryption
• Manage your own keys or let AWS do it for you
Redshift has one-click disk encryption as standard
• Encrypt your data analytics
• You can supply your own keys
RDS supports transparent data encryption (TDE)
• Easily encrypt sensitive database tables
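Server-side encryption on S3 is a per-request option, so "you can encrypt" only becomes "your data is encrypted" if the bucket refuses anything else. The following is an added example, not AWS's or the presenter's code: it builds a bucket policy with two Deny statements on the `s3:x-amz-server-side-encryption` condition key and includes a simplified check of how S3 would apply those statements to an upload. The bucket name and object key are made up.

```python
"""Added example (not AWS's or the presenter's code): a bucket policy that
turns "you can encrypt your S3 objects" into "you must", plus a check that
mirrors how S3 applies the policy's two Deny statements to an upload. The
bucket name is constructed; the condition key is the one S3 exposes for the
x-amz-server-side-encryption request header."""
import json

BUCKET = "example-phi-archive"  # constructed name


def sse_enforcing_policy(bucket, require_kms=True):
    """Deny PutObject without the SSE header; optionally also deny SSE-S3
    (AES256) so that only SSE-KMS, with auditable key usage, is accepted.
    An explicit Deny overrides any Allow, including s3:* on the uploader."""
    arn = f"arn:aws:s3:::{bucket}/*"
    statements = [{"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:PutObject", "Resource": arn,
                   "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]
    if require_kms:
        statements.append({"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
                           "Action": "s3:PutObject", "Resource": arn,
                           "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}})
    return {"Version": "2012-10-17", "Statement": statements}


def put_object_permitted(policy, bucket, key, headers):
    """Evaluate only this policy's Deny statements against one PutObject,
    assuming the caller already holds an Allow. Returns (permitted, denying Sid).
    As in IAM, StringNotEquals on a missing key evaluates to true."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    sse = headers.get("x-amz-server-side-encryption")
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or st["Action"] != "s3:PutObject":
            continue
        if not resource.startswith(st["Resource"].rstrip("*")):
            continue  # statement is scoped to a different bucket
        cond = st["Condition"]
        if "Null" in cond and sse is None:
            return False, st["Sid"]
        if "StringNotEquals" in cond and sse != cond["StringNotEquals"]["s3:x-amz-server-side-encryption"]:
            return False, st["Sid"]
    return True, None


if __name__ == "__main__":
    policy = sse_enforcing_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms"}):
        print(hdrs, "->", put_object_permitted(policy, BUCKET, "trial-42.csv", hdrs))
```

With this policy in place a client sends the header by passing `ServerSideEncryption="aws:kms"` to `put_object` in boto3 (or the equivalent option in other SDKs); an upload that forgets the header fails with AccessDenied instead of silently landing in plaintext. Client-side encryption (the other option on the slide) is complementary: a client can still encrypt before upload, and the policy then adds a second layer at rest.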
You can enforce consistent security on your hosts
(Diagram: from the AMI catalogue to a running instance to your instance, with the layers operating system, hardening, audit and logging, vulnerability management, malware and HIPS, whitelisting and integrity, and user administration)
You control the configuration of your EC2 compute instances and can configure and harden operating environments to your own specs
• Use host-based protection software; apply the best-practice top 5 mitigation strategies
• Think about how you will manage administrative users; restrict access as much as you require
• Build out the rest of your standard security environment; connect to your existing services, e.g. SIEM, monitoring, patching
Control access and segregate duties everywhere
• With AWS IAM you control who can do what in your AWS environment, and from where
• Fine-grained control of your AWS cloud with multi-factor authentication
• Integrate with your existing corporate directory using SAML 2.0 and single sign-on
(Diagram: the AWS account owner delegates separate roles for network management, security management, server management and storage management)
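The slide names the three levers (who, what, from where, plus MFA) but not how they combine. The following is an added example, not AWS's or the presenter's code: a deliberately simplified evaluator for the IAM rules that matter here (default deny, explicit Deny wins), applied to four constructed role policies for the separated duties on the slide and a guard policy that denies everything without MFA or from outside an assumed corporate range of 203.0.113.0/24. Only a handful of condition operators are modelled and action matching is a plain wildcard match, so this is for reasoning about policies, not a replacement for the IAM policy simulator.

```python
"""Added example (not AWS's or the presenter's code): a deliberately simplified
IAM policy evaluator covering the rules that matter for separation of duties
and MFA: everything is denied unless a statement allows it, and an explicit
Deny always wins. The four role policies, the corporate range 203.0.113.0/24
and the request contexts are constructed."""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

MODELLED_OPERATORS = ("Bool", "BoolIfExists", "NotIpAddress")


def condition_holds(cond, ctx):
    """Subset of IAM condition operators. When the context key is missing,
    Bool and NotIpAddress evaluate to false, BoolIfExists evaluates to true
    (that is what the IfExists suffix means)."""
    for op, pairs in cond.items():
        if op not in MODELLED_OPERATORS:
            raise ValueError(f"operator {op} not modelled")
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool" and (have is None or str(have).lower() != want.lower()):
                return False
            if op == "BoolIfExists" and have is not None and str(have).lower() != want.lower():
                return False
            if op == "NotIpAddress" and (have is None or ip_address(have) in ip_network(want)):
                return False
    return True


def as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(st, action, resource, ctx):
    # IAM action names are case-insensitive; resource ARNs are not.
    return (any(fnmatchcase(action.lower(), a.lower()) for a in as_list(st["Action"]))
            and any(fnmatchcase(resource, r) for r in as_list(st["Resource"]))
            and condition_holds(st.get("Condition", {}), ctx))


def evaluate(policies, action, resource, ctx):
    """Returns "explicitDeny", "allow" or "implicitDeny" (the default)."""
    decision = "implicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if statement_matches(st, action, resource, ctx):
                if st["Effect"] == "Deny":
                    return "explicitDeny"
                decision = "allow"
    return decision


ROLE_ACTIONS = {  # one narrow allow-list per administrative role (constructed)
    "NetworkAdmin": ["ec2:Describe*", "ec2:*Vpc*", "ec2:*Subnet*", "ec2:*RouteTable*",
                     "ec2:*SecurityGroup*", "ec2:*NetworkAcl*"],
    "SecurityAdmin": ["iam:*", "cloudtrail:*", "kms:*"],
    "ServerAdmin": ["ec2:Describe*", "ec2:RunInstances", "ec2:*Instance*"],
    "StorageAdmin": ["s3:*", "ec2:*Volume*", "ec2:*Snapshot*"],
}


def role_policy(role):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ROLE_ACTIONS[role], "Resource": "*"}]}


def guard_policy(corporate_cidr="203.0.113.0/24", if_exists=True):
    """Attached to every role: no MFA, or wrong source network, means no access.
    With plain Bool the MFA check silently passes for long-term access keys,
    because aws:MultiFactorAuthPresent is absent from those requests."""
    op = "BoolIfExists" if if_exists else "Bool"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyWithoutMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {op: {"aws:MultiFactorAuthPresent": "false"}}},
        {"Sid": "DenyOffNetwork", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": corporate_cidr}}}]}


if __name__ == "__main__":
    ctx = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.10"}
    for role, action in [("NetworkAdmin", "ec2:CreateSubnet"), ("NetworkAdmin", "ec2:RunInstances"),
                         ("ServerAdmin", "ec2:AuthorizeSecurityGroupIngress")]:
        print(role, action, evaluate([role_policy(role), guard_policy()], action, "*", ctx))
    keys_only = {"aws:SourceIp": "203.0.113.10"}  # long-term access key: no MFA key in the context
    print("BoolIfExists:", evaluate([role_policy("NetworkAdmin"), guard_policy()], "ec2:CreateSubnet", "*", keys_only))
    print("Bool:", evaluate([role_policy("NetworkAdmin"), guard_policy(if_exists=False)], "ec2:CreateSubnet", "*", keys_only))
```

The last two lines are the check worth remembering: a Deny written with `Bool` on `aws:MultiFactorAuthPresent` does nothing for calls made with long-term access keys, because the key is simply absent from that request context; `BoolIfExists` is what makes "MFA required" hold for API access as well as console access.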
Get consistent visibility of logs that you can monitor
Full visibility of your AWS environment
• CloudTrail records API calls and saves the logs in your S3 buckets, no matter how those API calls were made
• Who did what, when, and from where (IP address)
• Support for many AWS services and growing, including EC2, EBS, VPC, RDS, IAM and Redshift
• Easily aggregate all log information
• Out-of-the-box integration with log analysis tools from AWS partners including Splunk, Alert Logic and Sumo Logic
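"Who did what, when and from where" is only useful once something reads the records. The following is an added example, not AWS's or the presenter's code: a first-pass triage over a handful of CloudTrail-shaped records that flags root usage, console logins without MFA, a security group opened to the world, logging being switched off, AccessDenied errors and calls from outside an assumed corporate range of 203.0.113.0/24. The records are constructed for the example (a few fields in the shape CloudTrail writes, not real log data).

```python
"""Added example (not AWS's or the presenter's code): a first-pass triage of
CloudTrail records answering "who did what, when, from where". The records
are constructed in the shape CloudTrail writes (a few fields only) and the
corporate address range 203.0.113.0/24 is an assumption."""
from ipaddress import ip_address, ip_network

CORPORATE_CIDR = "203.0.113.0/24"
LOGGING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"eventTime": "2014-10-03T08:01:12Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-10-03T08:04:55Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-10-03T08:06:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2014-10-03T08:09:02Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "Root"},
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2014-10-03T08:10:41Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-10-03T08:12:19Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2014-10-03T08:15:07Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateSnapshot",
     "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def who(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def outside_corporate(source):
    """sourceIPAddress holds a service DNS name when an AWS service made the
    call on the user's behalf; those are not geography and are not flagged."""
    try:
        return ip_address(source) not in ip_network(CORPORATE_CIDR)
    except ValueError:
        return False


def opens_to_world(rec):
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(rng.get("cidrIp") == "0.0.0.0/0"
               for p in perms for rng in p.get("ipRanges", {}).get("items", []))


def triage(records):
    """Return one finding per (record, rule) with the who/what/when/where fields."""
    findings = []

    def flag(rec, rule):
        findings.append({"rule": rule, "time": rec["eventTime"], "user": who(rec),
                         "ip": rec.get("sourceIPAddress"), "event": rec["eventName"]})

    for rec in records:
        name = rec["eventName"]
        if rec.get("userIdentity", {}).get("type") == "Root":
            flag(rec, "root-account-used")
        if name == "ConsoleLogin":
            if rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                flag(rec, "console-login-failed")
            elif rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                flag(rec, "console-login-without-mfa")
        if name == "AuthorizeSecurityGroupIngress" and opens_to_world(rec):
            flag(rec, "security-group-opened-to-0.0.0.0/0")
        if name in LOGGING_EVENTS:
            flag(rec, "cloudtrail-logging-changed")
        if rec.get("errorCode") == "AccessDenied":
            flag(rec, "access-denied")
        if outside_corporate(rec.get("sourceIPAddress", "")):
            flag(rec, "call-from-outside-corporate-network")
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['time']} {f['user']:6} from {f['ip']:16} {f['event']:30} {f['rule']}")
```

On real data the input is the `Records` array of each gzipped CloudTrail file delivered to the S3 bucket; the same functions run unchanged over it, and the `call-from-outside-corporate-network` rule is the one to tune first, since federated users and mobile administrators generate most of its noise.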
AWS Trusted Advisor
Over 1.7 million recommendations; more than $300M in estimated cost savings; 37 checks in 4 categories; now with a Free Tier
• Cost optimizing: RI recommendations, low-utilization instances, low-utilization EBS volumes
• Security: open ports, unrestricted access, IAM use, logging
• Fault tolerance: EBS snapshots, Multi-AZ, VPN tunnels, Auto Scaling settings
• Performance: service limits, highly utilized EC2 instances, EBS PIOPS, security rules
Accreditation & Compliance: on-prem and on AWS
On-prem
• Start with bare concrete
• Functionally optional (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation
On AWS
• Start on base of accredited services
• Functionally necessary – high watermark of requirements
• Audits done by third party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance
Meet Your Security & Compliance Objectives
Built on the consistent baseline controls of AWS (AWS Foundation Services: Compute, Storage, Database, Networking; AWS Global Infrastructure: Regions, Availability Zones, Edge Locations), you add:
• Your own accreditation
• Your own certifications
• Your own external audits
Customer scope and effort is reduced; better results through focused efforts
Thank You!
aws.amazon.com/security aws.amazon.com/compliance Max Ramsay - [email protected]