Enterprise IT Success in the Cloud

Description

Security must be the number one priority for any cloud provider, and that is no different for Amazon Web Services. Dob Todorov will share AWS insights into cloud security and how AWS meets the needs of today's IT security challenges.

Page 1: AWS Security & Compliance in the AWS Cloud IP Expo 2013

Amazon Web Services Security & Compliance Overview

Dob Todorov Principal Security & Compliance Architect EMEA

Page 2

undifferentiated heavy lifting

Page 3

utility computing

Page 4

Hundreds of Thousands of Customers in 190 Countries…

Page 5

[Map] AWS Regions and AWS Edge Locations. Regions shown: US East (Northern Virginia), US West (Northern California), US West (Oregon), GovCloud (US ITAR Region), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), South America (Sao Paulo)

Page 6

[Diagram] Availability Zones (A, B and, in some Regions, C) within each Region: US East (Virginia), US West (Northern California), US West (Oregon), EU West (Dublin), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Australia), South America (Sao Paulo)

Page 7

Personal Data Protection in Europe

• EC Directive 95/46/EC: Personal Data Protection
• Use the Amazon Web Services Dublin Region
• Safe Harbour EU Compliant
• Safe Harbour Switzerland Compliant

Page 8

The Shared Responsibility Model in the Cloud

Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Client-side Data Encryption & Data Integrity Authentication

Server-side Encryption (File System and/or Data)

Network Traffic Protection (Encryption/Integrity/Identity)

Optional -- Opaque Data: 0s and 1s (in flight/at rest)

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Customer Data

Page 9

User Identification, Authentication and Authorisation in the Cloud

[Diagram] Amazon Identity & Access Management: IAM Users access EC2, DynamoDB and S3 directly. Enterprise Applications and Corporate Systems authenticate their AD/LDAP Users against Active Directory/LDAP; the two identity stores are separate.

Page 10

User Identification, Authentication and Authorisation in the Cloud

[Diagram] The same picture with federation: AD/LDAP Users of Enterprise Applications and Corporate Systems authenticate to Active Directory/LDAP and receive an Access Token for Federated Access, which lets them reach EC2, DynamoDB and S3 through Amazon Identity & Access Management without holding long-lived AWS credentials.
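The federated-access flow on the slide, as an added example that is not part of the deck or of any AWS code: a corporate user authenticates to the enterprise directory, an identity broker maps the user's directory group to a role and mints a short-lived, scoped access token, and the AWS side authorises calls to S3/DynamoDB/EC2 against that token only. In AWS the token is issued by the Security Token Service; here the directory, the group-to-role map, the HMAC token format and the shared signing key are constructed stand-ins so the flow runs offline.

```python
"""Model of federated access: directory login -> broker -> scoped, expiring token.
The corporate password never leaves the broker; only the token reaches AWS."""
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed stand-in for Active Directory/LDAP: salted password hashes and group membership.
_DIRECTORY = {
    "alice": {"salt": b"s1", "pw_hash": hashlib.sha256(b"s1" + b"correct-horse").hexdigest(),
              "groups": ["data-analysts"]},
    "bob":   {"salt": b"s2", "pw_hash": hashlib.sha256(b"s2" + b"hunter2").hexdigest(),
              "groups": ["contractors"]},
}

# Assumed mapping: directory group -> role and the (service, action) pairs that role may call.
_ROLE_MAP = {
    "data-analysts": {"role": "role/AnalystReadOnly",
                      "allow": {("s3", "GetObject"), ("dynamodb", "Query")}},
}

_BROKER_KEY = os.urandom(32)  # in this model, shared between broker and the verifying side
TOKEN_TTL = 900               # seconds; federated tokens are time-limited by design


def directory_authenticate(user, password):
    """Check the corporate password against the directory; return the group list or None."""
    entry = _DIRECTORY.get(user)
    if entry is None:
        return None
    digest = hashlib.sha256(entry["salt"] + password.encode()).hexdigest()
    if not hmac.compare_digest(digest, entry["pw_hash"]):  # constant-time comparison
        return None
    return entry["groups"]


def issue_token(user, password, now=None):
    """Broker: authenticate, map group -> role, mint a signed token with an expiry and a scope."""
    groups = directory_authenticate(user, password)
    if groups is None:
        return None
    now = time.time() if now is None else now
    for group in groups:
        if group in _ROLE_MAP:
            claims = {"sub": user, "role": _ROLE_MAP[group]["role"], "exp": now + TOKEN_TTL,
                      "allow": sorted(list(p) for p in _ROLE_MAP[group]["allow"])}
            body = base64.urlsafe_b64encode(json.dumps(claims).encode())
            tag = hmac.new(_BROKER_KEY, body, hashlib.sha256).hexdigest()
            return body.decode() + "." + tag
    return None  # authenticated, but no group maps to a role: no AWS access at all


def authorize(token, service, action, now=None):
    """AWS-side check: verify the signature, then the expiry, then the action against the scope."""
    try:
        body, tag = token.split(".")
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(_BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False                      # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return False                      # expired: the user must re-authenticate to the directory
    return [service, action] in claims["allow"]


if __name__ == "__main__":
    tok = issue_token("alice", "correct-horse")
    print("alice s3:GetObject ->", authorize(tok, "s3", "GetObject"))
    print("alice s3:PutObject ->", authorize(tok, "s3", "PutObject"))
    print("bob (unmapped group) ->", issue_token("bob", "hunter2"))
```

The two properties worth carrying over to a real deployment are that the directory credential is only ever checked by the broker, and that the AWS side decides on signature, expiry and scope alone, so a leaked token is bounded in both time and permissions.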

Page 11

The Shared Responsibility Model in the Cloud

Security OF the Cloud (AWS): Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)

Security IN the Cloud (customer): Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity); optionally opaque data, i.e. 0s and 1s in flight and at rest; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Customer Data

Page 12

Customer-managed Controls on Amazon EC2

Applications
Platforms
Operating Systems: OS-level firewalls, IDS/IPS systems, Deep Security
Network Security: Security Groups & Network Access Control Lists
Encryption of Data in Flight: industry-standard protocols (IPsec, SSL/TLS, SSH)
Encryption of Data at Rest: OS-level encrypted file systems (BitLocker, dm-crypt, Secure Cloud)
Data

Security OF the Cloud / Security IN the Cloud
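The slide lists Security Groups and Network Access Control Lists side by side; the practical difference is that a security group is stateful and allow-only, while a network ACL is stateless, ordered by rule number and has an implicit deny at the end. The following added example (not from the deck and not the AWS API) models that evaluation logic over a constructed HTTPS exchange, and shows the classic mistake of a NACL that admits port 443 inbound but forgets the ephemeral return ports outbound. The rule sets and packets are constructed for illustration; the empty outbound security group rule set in particular is a deliberately restrictive case, not the AWS default.

```python
"""Stateful security group versus stateless network ACL: same request, different outcomes."""
from collections import namedtuple

# direction is "in" (towards the instance) or "out" (from the instance)
Packet = namedtuple("Packet", "direction proto src_port dst_port")

# Security group: allow rules only, every rule is considered, connection state is tracked.
SG_INBOUND = [{"proto": "tcp", "port": 443}]
SG_OUTBOUND = []  # nothing explicitly allowed outbound; replies still flow because of state

# Network ACL: (rule number, verdict, protocol, (low port, high port)); lowest number first,
# first match wins, and anything unmatched hits the implicit deny.
NACL_INBOUND = [(100, "allow", "tcp", (443, 443))]
NACL_INBOUND_BLOCKED = [(50, "deny", "tcp", (443, 443)),      # lower number wins over the allow
                        (100, "allow", "tcp", (443, 443))]
NACL_OUTBOUND_BAD = [(100, "allow", "tcp", (443, 443))]       # forgets the ephemeral return ports
NACL_OUTBOUND_OK = [(100, "allow", "tcp", (443, 443)),
                    (110, "allow", "tcp", (1024, 65535))]      # ephemeral range for responses


class SecurityGroup:
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()  # flows seen so far: (proto, remote_port, local_port)

    @staticmethod
    def _match(rules, pkt):
        return any(r["proto"] == pkt.proto and r["port"] == pkt.dst_port for r in rules)

    def allows(self, pkt):
        if pkt.direction == "in":
            remote, local = pkt.src_port, pkt.dst_port
            rules = self.inbound
        else:
            remote, local = pkt.dst_port, pkt.src_port
            rules = self.outbound
        if (pkt.proto, remote, local) in self.tracked:
            return True                       # reply to a permitted flow: allowed regardless of rules
        ok = self._match(rules, pkt)
        if ok:
            self.tracked.add((pkt.proto, remote, local))  # remember so the return traffic passes
        return ok


class NetworkAcl:
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for _num, verdict, proto, (lo, hi) in sorted(rules):
            if proto == pkt.proto and lo <= pkt.dst_port <= hi:
                return verdict == "allow"     # first matching rule decides
        return False                          # implicit deny, in both directions, no state


def https_session(filter_, client_port=50123):
    """Return (request_allowed, reply_allowed) for one HTTPS exchange through filter_."""
    request = Packet("in", "tcp", client_port, 443)
    reply = Packet("out", "tcp", 443, client_port)
    return filter_.allows(request), filter_.allows(reply)


if __name__ == "__main__":
    print("security group      ->", https_session(SecurityGroup(SG_INBOUND, SG_OUTBOUND)))
    print("NACL, no ephemeral  ->", https_session(NetworkAcl(NACL_INBOUND, NACL_OUTBOUND_BAD)))
    print("NACL, with ephemeral->", https_session(NetworkAcl(NACL_INBOUND, NACL_OUTBOUND_OK)))
```

When a connection to an instance opens but hangs, check the NACL's outbound rules for the ephemeral port range before suspecting the security group: the security group would have let the reply out on the strength of the tracked inbound flow.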

Page 13

Data Protection at Rest and in Flight

The same control stack as the previous slide, with the encryption options called out per layer:

Application-level Encryption
Platform-level Encryption
Volume-level Encryption
Network Traffic Encryption

Page 14

AWS Certifications & Accreditations

SOC 1 (SSAE 16 & ISAE 3402) Type II Audit

SOC 2

SOC 3 Audit (new in 2013)

ISO 27001

Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider

Security IN the Cloud

Security OF the Cloud

Page 15

Q&A