Security, Privacy, & Compliance Overview Max Ramsay | Sr. Manager, Americas Security SA

Security, Privacy, & Compliance Overviewfiles.meetup.com/.../AWS-SecurityPrivacyCompliance... · Services . Compute (VMs, Auto-scaling and Load Balancing) Storage (Object, Block and


Page 1:

Security, Privacy, & Compliance Overview

Max Ramsay | Sr. Manager, Americas Security SA

Page 2:

Customers Running Every Imaginable Use Case

• 800+ Government Agencies
• 3,000+ Education Institutions
• 10,000+ Nonprofits

Page 3:

Vodafone built a mobile payment app

"Amazon Web Services was the clear choice in terms of security."
Stefano Harak, Online Senior Product Manager

• PCI DSS compliance was essential
• Launched in 3 months
• Reduced CapEx by 30%
• Deployed to 7 channels, including Facebook

Payments

Presentation Notes: http://aws.amazon.com/solutions/case-studies/all/
Page 4:

Bristol-Myers Squibb moved clinical trials to AWS

• Clinical trial simulations took 98% less time
• More efficient and iterative simulations result in fewer human trials
• 64% savings on clinical trial costs

"We're using fewer subjects in these trials, and needing fewer blood samples."
Russell Towell, Senior Solutions Specialist

                       On-Premises   Cloud
# of Simulations       2000          2000
# of Servers           2             256
Total Run Time (hr)    60            1.2

Presentation Notes: http://www.youtube.com/watch?v=Vi96WrxASgo
Page 5:

Pegasystems put healthcare data on AWS

Company: Provides software for business process management, CRM, and case management
Challenge: Pega tech is used cross-functionally across the healthcare industry; all data is considered PHI
Results: Pega and their customers are HIPAA compliant on AWS

Presentation Notes: http://aws.amazon.com/compliance/aws-compliance-case-study-pegasystems/

About Pegasystems: Pegasystems is a software company that provides software solutions for business process management, customer relationship management, case management and decision management.

The Compliance Challenge: Pega had customers using their software to store and process a wide range of data, including Personal Health Information (PHI) and Personally Identifiable Information (PII). They have many customers in the healthcare space and need to treat all data as being as sensitive as PHI or PII. Consistent security controls across all customers are extremely important.

Accomplished: AWS security controls and access to audit reports helped Pega establish a strong centralized control environment on AWS. Pega signed a BAA with AWS and successfully passed a third-party audit of HIPAA controls and standards. Their customers can use Pega's services and be HIPAA compliant as well.

Customer Quote: "Pega relies on AWS certifications in almost all of our sales engagements. We relied on the SOC2, FedRAMP / FISMA, PCI, and ISO certifications to help our clients understand that Amazon takes security seriously and the proper controls are in place." - Krassi Genov, Pegasystems
Page 6:

NASDAQ put SEC regulated data on AWS

Company: Provides products and services to manage the entire life cycle of a trade
Challenge: Securely storing and managing vast amounts of data with strict compliance requirements
Results: NASDAQ and FinQloud customers meet stringent SEC 17a-4 requirements for financial record retention

Presentation Notes

About NASDAQ: NASDAQ OMX Group, Inc. is the inventor of the electronic exchange. The company provides products and services to manage the entire life cycle of a trade.

The Compliance Challenge: Among other compliance concerns, NASDAQ needed to find a way to store vast amounts of regulated data with strict security and compliance requirements, and to do it on behalf of the community of broker/dealers who need to do the same. Since this hadn't been done in the cloud before, they also needed to validate the technology with the SEC as an acceptable way to store transaction data.

Accomplished: NASDAQ developed a special community cloud on AWS that alleviates a significant compliance burden for brokers storing transaction data, and that is much less costly than traditional hardware specially built for this purpose. In addition, the SEC concurred that the technology meets SEC 17a-4 requirements for financial record retention.

Customer Quote: "By using the AWS platform, FinQloud can help NASDAQ OMX's clients significantly reduce the operational costs and complexities associated with data and infrastructure management." - Ted Myerson, Global Head of Access Services, NASDAQ OMX
Page 7:

Cognia put credit card data on AWS

Company: Global communications platform for call centers to capture communications data
Challenge: Must comply with PCI DSS so their customers can process payment card data on the platform
Results: PCI certified on AWS

Presentation Notes: http://aws.amazon.com/compliance/aws-compliance-case-study-cognia/

About Cognia: Cognia provides a global communications platform for call center organizations to capture communications data.

The Compliance Challenge: They were challenged with PCI compliance. Some of their customers need to process payment card data on their platform, which forced their entire platform to be PCI DSS compliant. Under a traditional model this would not be possible, or would be extremely difficult and costly.

Accomplished: Cognia's QSA used the AWS PCI Compliance Package to achieve PCI certification on AWS. This was done in a way that minimized the cost and burden of PCI compliance for both Cognia and their customers.

Customer Quote: "Cognia was looking not just for a cloud computing environment, but a complete ecosystem of services, tools and features. After evaluating the existing cloud service providers it was clear that only AWS offered the flexibility and range of tools to facilitate building the highly scalable and powerful platform that we required." - Ian Hook, Chief Operating Officer, Cognia

Pega, NASDAQ, and Cognia aren't the only ones creating compliant solutions and processing regulated data on AWS. There are others such as Ideomed, PaymentSpring, Bristol-Myers Squibb, NASA JPL, Generativa, Gemalto, and Shine Technologies who are processing and storing regulated and/or sensitive information in AWS. You can see all these great examples on our case study web site. I'll give you a link to those later.
Page 8:

AWS Covers the Depth and Breadth of Needs

Enterprise Applications: Virtual Desktops; Collaboration and Sharing

Platform Services
  Databases: Caching; Relational; No SQL
  Analytics: Hadoop; Real-time; Data Workflows; Data Warehouse
  App Services: Queuing; Orchestration; App Streaming; Transcoding; Email; Search
  Deployment & Management: Containers; Dev/ops Tools; Resource Templates; Usage Tracking; Monitoring and Logs
  Mobile Services: Identity; Sync; Mobile Analytics; Notifications

Foundation Services: Compute (VMs, Auto-scaling and Load Balancing); Storage (Object, Block and Archive); Security & Access Control; Networking

Infrastructure: Regions; Availability Zones; CDN and Points of Presence

Page 9:

AWS Rapid Pace of Innovation

New services and features released per year:

Year   Releases
2007   9
2008   24
2009   48
2010   61
2011   82
2012   159
2013   280
2014   300+

"There is no compression algorithm for experience"

Since inception AWS has:
• Released 896 new services and features
• Introduced over 35 major new services
• Announced 44 price reductions

Page 10:

Security & compliance requirements from every industry

Security Infrastructure

Page 11:

Expert Audits: Transparency, Accuracy

[Figure: subject-matter experts (SME) performing the audits]

Presentation Notes

Expert Audits - The best way to validate CSP security is to get accredited experts to do it for you. This is using a very sharp tool for a very specific job. CSP auditors understand cloud in general, they understand where AWS plays in the cloud landscape, they understand risk, and they understand the customer use cases in depth. They interpret the traditional standards for you, applying them to AWS in a way that makes sense. They can do a much better job than most audit functions at companies with limited experience in doing this specifically.

The multiple certifications and reports offered by AWS let you triangulate on risk and controls if there isn't a report that meets your exact needs. One report or certification is a good data point, but with several (overlapping but subtly different controls, different audit types and periods, different points in time) you can get the visibility you need.
Page 12:

Layers of security controls in AWS

Cross-service Controls

Service-specific Controls

Managed by AWS

Managed by Customer

Security of the Cloud

Security in the Cloud

Cloud Service Provider Controls

Optimized Network/OS/App Controls

Request reports at: aws.amazon.com/compliance/#contact

Page 13:

New Security Service Launches and Feature Updates

Security launches as a share of all launches per year (the chart's 2007 and 2008 bars carry no security count):

Year   Security / Total
2009   13 / 48
2010   16 / 61
2011   23 / 82
2012   51 / 159
2013   71 / 280
2014   75 / 300+

Rapid pace of security innovation & customer driven improvements

Page 14:

Build everything on a constantly improving security baseline

AWS is responsible for the security OF the Cloud:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 15:

Security & compliance is a shared responsibility

Customers are responsible for their security IN the Cloud:
  Customer applications & content
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Client-side Data Encryption | Server-side Data Encryption | Network Traffic Protection

AWS is responsible for the security OF the Cloud:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 16:

You always have full ownership and control

• AWS makes no secondary use of customer content
• Manage your privacy objectives any way that you want
• Keep data in your format and move it, or delete it, at any time you choose
• No automatic replication of data outside of your chosen AWS Region
• Customers can encrypt their content any way they choose

Page 17:

You decide where to put your content and applications

AWS Regions: US-EAST (Virginia); US-WEST (N. California); US-WEST (Oregon); GOV CLOUD; EU-WEST (Ireland); ASIA PAC (Tokyo); ASIA PAC (Singapore); ASIA PAC (Sydney); SOUTH AMERICA (Sao Paulo); China (Beijing)

Page 18:

Every network has fine-grained security built-in

[Figure: a VPC spanning Availability Zone A and Availability Zone B]

You control your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space you define
• Create your own subnets and control all internal and external connectivity

AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• Every compute instance gets multiple security groups - stateful firewalls
• Every subnet gets network access control lists (NACL)

Page 19:

You can create multi-tier architectures

[Figure: VPC A - 10.0.0.0/16 in Availability Zone A, with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24 and 10.0.5.0/24 hosting the Load balancing, EC2 Web, EC2 App, Log and Jump host tiers]
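The subnet plan in the figure above, as an added example that is not part of the original deck: a standard-library Python check that validates a multi-tier VPC plan before anything is created. The VPC and subnet CIDRs are the ones on the slide; which tier sits in which /24, and the function names, are my assumptions. It reports subnets with host bits set, subnets outside the VPC range, and overlapping subnets, and lists the /24 blocks still free for a new tier.

```python
import ipaddress

# Constructed plan mirroring the slide's figure: VPC A with five /24 subnets.
# Which tier sits in which /24 is an assumption; the slide does not say.
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "10.0.1.0/24": "load-balancer",
    "10.0.2.0/24": "web",
    "10.0.3.0/24": "app",
    "10.0.4.0/24": "log",
    "10.0.5.0/24": "jump-host",
}


def validate_subnet_plan(vpc_cidr, subnets):
    """Return a list of problems with a subnet plan.

    A subnet is a problem if its CIDR is malformed (host bits set), if it does
    not lie inside the VPC range, or if it overlaps another subnet in the plan.
    An empty list means the plan can be created as written.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    parsed = []
    for cidr, tier in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{tier}: invalid CIDR {cidr} ({exc})")
            continue
        if net.version != vpc.version or not net.subnet_of(vpc):
            problems.append(f"{tier}: {cidr} is not inside VPC {vpc_cidr}")
        parsed.append((net, tier))
    # Pairwise overlap check: subnets within one VPC must be disjoint.
    for i, (a, tier_a) in enumerate(parsed):
        for b, tier_b in parsed[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{tier_a} ({a}) overlaps {tier_b} ({b})")
    return problems


def free_blocks(vpc_cidr, subnets, new_prefix=24):
    """List the /new_prefix blocks of the VPC not yet used by any subnet,
    so a new tier can be placed without colliding with an existing one."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    used = [ipaddress.ip_network(c, strict=False) for c in subnets]
    return [str(block) for block in vpc.subnets(new_prefix=new_prefix)
            if not any(block.overlaps(u) for u in used)]


if __name__ == "__main__":
    print("problems:", validate_subnet_plan(VPC_CIDR, SUBNET_PLAN) or "none")
    print("next free /24:", free_blocks(VPC_CIDR, SUBNET_PLAN)[0])
```

Running the check against a plan before creating subnets catches the mistakes that otherwise surface as failed API calls or, worse, as a tier that quietly shares address space with another.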

Page 20:

Connect privately to your existing datacenters

[Figure: VPC A - 10.0.0.0/16 in Availability Zone A, with subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24 hosting Load balancing, EC2 Web and EC2 App tiers, connected to your premises]

Use Internet VPNs or use AWS Direct Connect

Page 21:

Create flexible multi-VPC hybrid environments

[Figure: your organization (Project Teams, Marketing, Business Units, Reporting, Digital / Websites, Dev and Test) connected to separate VPCs for Analytics (Redshift, EMR), Internal Enterprise Apps, and Storage/Backup (Amazon S3, Amazon Glacier)]

Page 22:

You can encrypt your sensitive information

Encrypt your Elastic Block Store volumes any way you like
• AWS native EBS encryption for free with a mouse-click
• Encrypt yourself using free utilities, plus Trend Micro, SafeNet and other partners for high-assurance key management solutions

Amazon S3 offers either server or client-side encryption
• Manage your own keys or let AWS do it for you

Redshift has one-click disk encryption as standard
• Encrypt your data analytics
• You can supply your own keys

RDS supports transparent data encryption (TDE)
• Easily encrypt sensitive database tables

Page 23:

You can enforce consistent security on your hosts

[Figure: EC2 AMI catalogue -> Running instance -> Your instance, with Hardening, Audit and logging, Vulnerability management, Malware and HIPS, Whitelisting and integrity, and User administration layered on the Operating system]

You control the configuration of your EC2 compute instances and can configure and harden operating environments to your own specs

Use host-based protection software
• Apply best-practice top 5 mitigation strategies
Think about how you will manage administrative users
• Restrict access as much as you require
Build out the rest of your standard security environment
• Connect to your existing services, e.g. SIEM, monitoring, patching

Page 24:

Control access and segregate duties everywhere

With AWS IAM you get to control who can do what in your AWS environment and from where
• Fine-grained control of your AWS cloud with multi-factor authentication
• Integrate with your existing corporate directory using SAML 2.0 and single sign-on

[Figure: AWS account owner delegating to separate Network management, Security management, Server management and Storage management roles]
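How the segregation of duties on this slide looks once written down as IAM policies, as an added example that is not the deck's or AWS's own code: three constructed policies (network, security and server management) and a deliberately simplified evaluator that applies the IAM decision order (an applicable explicit Deny wins, otherwise an applicable Allow grants, otherwise the request is implicitly denied) and honours the real `aws:MultiFactorAuthPresent` condition key. The action lists, role names and the `is_allowed` / `access_matrix` helpers are my assumptions; the evaluator supports only the `Bool` condition operator and ignores resource-level and principal semantics that a real IAM evaluation also applies.

```python
import fnmatch

# Constructed IAM policies for three of the duty areas on the slide. Action
# lists are illustrative assumptions; production policies would be scoped tighter.
NETWORK_MANAGEMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*Vpc*", "ec2:*Subnet*", "ec2:*RouteTable*", "ec2:Describe*"],
         "Resource": "*"},
    ],
}
SECURITY_MANAGEMENT = {
    "Version": "2012-10-17",
    "Statement": [
        # Security admins may touch IAM and CloudTrail, but only with MFA present.
        {"Effect": "Allow",
         "Action": ["iam:*", "cloudtrail:*", "ec2:*SecurityGroup*"],
         "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}
SERVER_MANAGEMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:Describe*"],
         "Resource": "*"},
        # Explicit deny: server admins can never alter identities or logging,
        # even if some other attached policy allows it.
        {"Effect": "Deny", "Action": ["iam:*", "cloudtrail:*"], "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive; * and ? are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_met(condition, context):
    """Evaluate the one operator this example supports, Bool, against the
    request context (e.g. whether the caller authenticated with MFA)."""
    for key, expected in condition.get("Bool", {}).items():
        actual = str(context.get(key, "false")).lower()
        if actual != str(expected).lower():
            return False
    return True


def is_allowed(policies, action, resource="*", context=None):
    """Simplified IAM decision: an applicable explicit Deny always wins,
    otherwise any applicable Allow grants, otherwise implicit deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_met(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def access_matrix(roles, actions, context=None):
    """Who can do what: map each role name to the actions it may call."""
    return {name: [a for a in actions if is_allowed([policy], a, context=context)]
            for name, policy in roles.items()}


if __name__ == "__main__":
    roles = {"network": NETWORK_MANAGEMENT, "security": SECURITY_MANAGEMENT,
             "server": SERVER_MANAGEMENT}
    probes = ["ec2:CreateSubnet", "iam:CreateUser", "cloudtrail:StopLogging"]
    for name, allowed in access_matrix(roles, probes,
                                       context={"aws:MultiFactorAuthPresent": "true"}).items():
        print(name, "->", allowed)
```

The useful habit this shows is reviewing a role by asking "which sensitive calls can it make?" rather than reading the policy top to bottom, and confirming that the explicit Deny on the server role holds even when a broader Allow is attached alongside it.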

Page 25:

Get consistent visibility of logs that you can monitor

Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from where (IP address)
• Support for many AWS services and growing - includes EC2, EBS, VPC, RDS, IAM and RedShift
• Easily aggregate all log information
• Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
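The "who did what, when and from where" question answered over a CloudTrail log file, as an added example that is not part of the original deck: a Python reader for the JSON that CloudTrail delivers to S3 (a top-level `Records` array), a per-principal activity summary, and a small set of detection rules a security team would run over every delivery. The log records, account id, names, the trusted egress range and the watched-event list are all constructed sample values; the helper names are my assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed CloudTrail log file in the shape CloudTrail writes to S3.
# Account id, user names and addresses are sample values; the IP ranges are
# RFC 5737 documentation addresses, not real endpoints.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-06-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-06-01T10:16:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/1.3.0",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2014-06-01T11:02:12Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-sdk-java/1.7",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2014-06-01T11:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.22",
     "userAgent": "aws-cli/1.3.0",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Ops/bob"}},
]})

# Constructed detection inputs: the organisation's egress range, and API calls
# worth reviewing every time they occur (logging changes, identity and
# firewall changes).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
WATCHED_EVENTS = {"StopLogging", "DeleteTrail", "CreateUser",
                  "AuthorizeSecurityGroupIngress"}


def parse_trail(text):
    """Return the list of event records from one CloudTrail log file."""
    return json.loads(text)["Records"]


def principal(record):
    """Name the actor: IAM user name, the session name of an assumed role,
    or the identity type (e.g. Root) when nothing more specific is present."""
    ident = record.get("userIdentity", {})
    if "userName" in ident:
        return ident["userName"]
    if "arn" in ident:
        return ident["arn"].rsplit("/", 1)[-1]
    return ident.get("type", "unknown")


def summarize(records):
    """Who did what: {principal: {eventName: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        counts[principal(rec)][rec["eventName"]] += 1
    return {who: dict(events) for who, events in counts.items()}


def flag_events(records, trusted=TRUSTED_NETWORKS, watched=WATCHED_EVENTS):
    """Return (eventTime, principal, reason) findings for records that use the
    root identity, originate outside the trusted networks, or are watched calls."""
    findings = []
    for rec in records:
        who, when = principal(rec), rec["eventTime"]
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append((when, who, "root credentials used"))
        try:
            src = ipaddress.ip_address(rec["sourceIPAddress"])
            if not any(src in net for net in trusted):
                findings.append((when, who, f"call from untrusted address {src}"))
        except ValueError:
            pass  # calls made by AWS services carry a DNS name here, not an IP
        if rec["eventName"] in watched:
            findings.append((when, who, f"watched API call {rec['eventName']}"))
    return findings


if __name__ == "__main__":
    recs = parse_trail(SAMPLE_LOG)
    print(json.dumps(summarize(recs), indent=2))
    for when, who, reason in flag_events(recs):
        print(when, who, reason)
```

On the sample file the root-credential `StopLogging` call from an unknown address collects three findings at once, which is the kind of event a SIEM rule over aggregated CloudTrail data should page on; the read-only `DescribeInstances` call from the corporate range produces none.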

Page 26:

AWS Trusted Advisor

• Over 1.7 Million recommendations
• More than $300M in estimated cost savings
• 37 checks in 4 categories
• Now with Free Tier

Page 27:

Cost optimizing
• RI recommendation
• Low utilized instances
• Low utilized EBS volumes

Page 28:

Security
• Open ports
• Unrestricted access
• IAM use
• Logging
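What the "Open ports" and "Unrestricted access" checks look for, as an added example that is not Trusted Advisor's own code or part of the deck: a Python audit over security-group rules in the `IpPermissions` shape the EC2 API returns, flagging every inbound rule whose source is the whole internet (`0.0.0.0/0` or `::/0`) and raising severity when the rule covers an administrative or database port, or allows all traffic. The group ids, rules, port list and severity scheme are constructed assumptions; the real check uses its own port classification.

```python
import ipaddress

# Constructed security groups in the IpPermissions shape the EC2 API returns.
# Group ids are placeholders, not real identifiers.
SECURITY_GROUPS = [
    {"GroupId": "sg-web-EXAMPLE", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db-EXAMPLE", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.2.0/24"}]},
        # "-1" means all protocols and ports; the API omits FromPort/ToPort here.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

# Ports whose exposure to the whole internet this example treats as high severity.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
               5432: "PostgreSQL", 27017: "MongoDB"}


def world_open_sources(permission):
    """CIDRs in a rule that admit every address (0.0.0.0/0 or ::/0)."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return [c for c in cidrs
            if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_security_groups(groups, admin_ports=ADMIN_PORTS):
    """Return (group id, severity, detail) findings for every inbound rule
    open to the world; rules limited to specific ranges are not reported."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            sources = world_open_sources(perm)
            if not sources:
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":
                findings.append((sg["GroupId"], "HIGH",
                                 f"all traffic open to {', '.join(sources)}"))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            # A wide range (e.g. 0-65535) counts as exposing every admin port it spans.
            exposed = [name for port, name in admin_ports.items() if lo <= port <= hi]
            if exposed:
                findings.append((sg["GroupId"], "HIGH",
                                 f"{proto} {lo}-{hi} open to the world exposes {', '.join(exposed)}"))
            else:
                findings.append((sg["GroupId"], "MEDIUM",
                                 f"{proto} {lo}-{hi} open to the world"))
    return findings


if __name__ == "__main__":
    for group_id, severity, detail in audit_security_groups(SECURITY_GROUPS):
        print(f"{severity:6} {group_id}: {detail}")
```

The two edge cases worth noting are the `-1` rule, which carries no port fields and must be handled before the port comparison, and an IPv6 `::/0` source, which is just as unrestricted as `0.0.0.0/0` but is easy to miss if only `IpRanges` is inspected.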

Page 29:

Fault Tolerance
• EBS snapshots
• Multi-AZ
• VPN tunnel
• Auto scaling setting

Page 30:

Performance
• Service limit
• High utilized EC2 Instance
• EBS PIOPS
• Security rules

Page 31:

Accreditation & Compliance: on-prem and on AWS

On-prem

• Start with bare concrete

• Functionally optional (you can build a secure system without it)

• Audits done by an in-house team

• Accountable to yourself

• Typically check once a year

• Workload-specific compliance checks

• Must keep pace and invest in security innovation

On AWS

• Start on base of accredited services

• Functionally necessary – high watermark of requirements

• Audits done by third party experts

• Accountable to everyone

• Continuous monitoring

• Compliance approach based on all workload scenarios

• Security innovation drives broad compliance

Page 32:

Meet Your Security & Compliance Objectives

Your own accreditation, your own certifications and your own external audits, built on AWS consistent baseline controls:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customer scope and effort is reduced; better results through focused efforts.

Page 33:

Thank You!

aws.amazon.com/security aws.amazon.com/compliance Max Ramsay - [email protected]