AWS Summit Berlin 2013 - Keynote Steve Schmidt

Stephen Schmidt, VP, Security Engineering, Chief Information Security Officer

Keynote from the Berlin AWS Summit 2013

Page 1: AWS Summit Berlin 2013 - Keynote Steve Schmidt

Stephen Schmidt
VP, Security Engineering
Chief Information Security Officer

Page 2

Cloud Security is:
• Universal
• Visible
• Auditable
• Transparent
• Shared
• Familiar

Page 3

Universal Cloud Security
Every Customer Has Access to the Same Security Capabilities, and Gets to Choose What’s Right for Their Business
• Governments
• Financial Sector
• Pharmaceuticals
• Entertainment
• Start-Ups
• Social Media
• Home Users
• Retail

Page 4

Visible Cloud Security

AWS allows you to see your entire infrastructure at the click of a mouse. Can you map your current network?

This? Or this?

Page 5

Auditable Cloud Security
How do you know AWS is right for your business?

- 3rd Party Audits
  • Independent auditors

- Artifacts
  • Plans, Policies and Procedures

- Logs
  • Obtained
  • Retained
  • Analyzed

Page 6

Transparent Cloud Security
Choose the audit/certification that’s right for you:
• ISO-27001
• SOC-1, SOC-2
• FedRAMP
• PCI

Page 7

Security & Compliance Control Objectives

Control Objective 1: Security Organization
• Who we are
• Proper control & access within the organization

Control Objective 2: Amazon User Access
• How we vet our staff
• Minimization of access

Page 8

Security & Compliance Control Objectives

Control Objective 3: Logical Security
• Our staff start with no systems access
• Need-based access grants
• Rigorous systems separation
• Systems access grants regularly re-evaluated & automatically revoked

Page 9

Security & Compliance Control Objectives

Control Objective 4: Secure Data Handling
• Storage media destroyed before being permitted outside our datacenters
• Media destruction consistent with US Dept. of Defense Directive 5220.22

Control Objective 5: Physical Security and Environmental Safeguards
• Keeping our facilities safe
• Maintaining the physical operating parameters of our datacenters

Page 10

Security & Compliance Control Objectives

Control Objective 6: Change Management
• Continuous Operation

Control Objective 7: Data Integrity, Availability and Redundancy
• Ensuring your data remains safe, intact & available

Control Objective 8: Incident Handling
• Processes & procedures for mitigating and managing potential issues

Page 11

Shared Responsibility
• Let AWS do the heavy lifting
• This is what we do – and we do it all the time
• As the AWS customer you can focus on your business and not be distracted by the muck

AWS
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure

Customer
• Choice of Guest OS
• Application Configuration Options
• Account Management flexibility
• Security Groups
• Network ACLs

Page 12

Physical Security

Distributed Regions – Multiple Availability Zones

[World map of AWS Regions; legible label: Asia Pacific (Sydney)]

Page 13

Network Security
• DDoS attacks defended at the border
• Man in the Middle attacks
• SSL endpoints
• IP Spoofing prohibited
• Port scanning prohibited
• Packet Sniffing prevented

Page 14

Amazon EC2 Security

Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited

Guest operating system
• Customer controlled at root level
• AWS admins cannot log in
• Customer-generated keypairs

Stateful firewall
• Mandatory inbound firewall, default deny mode

Signed API calls
• Require X.509 certificate or customer’s secret AWS key
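The secret-key form of API signing is an HMAC over a canonical rendering of the request. The block below is an added example, not AWS code: it implements the query-signing scheme the EC2 Query API used at the time (AWS Signature Version 2) on both sides, so the caller signs and a verifier recomputes the HMAC from its own copy of the secret and compares in constant time, rejecting any altered parameter or unknown access key. The access key, secret, endpoint and request parameters are constructed for the example.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed credentials for the example; not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEKEYID"
SECRET_KEY = "example-secret-key-not-a-real-one"


def canonical_query(params):
    """SigV2 canonical form: sort by name, RFC 3986 encode (only A-Z a-z 0-9 - _ . ~ unencoded)."""
    return "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def string_to_sign(method, host, path, params):
    """Verb, lowercase Host header, request URI and canonical query, newline separated."""
    return "\n".join([method, host.lower(), path, canonical_query(params)])


def hmac_sha256_b64(secret, message):
    return base64.b64encode(hmac.new(secret.encode(), message.encode(), hashlib.sha256).digest()).decode()


def sign_request(method, host, path, params, access_key_id, secret_key):
    """Caller side: return params extended with the SigV2 identity fields and the Signature."""
    signed = dict(params)
    signed.update({"AWSAccessKeyId": access_key_id, "SignatureVersion": "2", "SignatureMethod": "HmacSHA256"})
    signed["Signature"] = hmac_sha256_b64(secret_key, string_to_sign(method, host, path, signed))
    return signed


def verify_request(method, host, path, signed_params, secret_lookup):
    """Service side: look up the secret for the presented key id, recompute over every
    parameter except Signature, and compare in constant time."""
    presented = signed_params.get("Signature")
    if presented is None or signed_params.get("SignatureVersion") != "2":
        return False
    if signed_params.get("SignatureMethod") != "HmacSHA256":
        return False
    secret = secret_lookup(signed_params.get("AWSAccessKeyId"))
    if secret is None:
        return False  # unknown access key id: nothing to verify against
    unsigned = {k: v for k, v in signed_params.items() if k != "Signature"}
    expected = hmac_sha256_b64(secret, string_to_sign(method, host, path, unsigned))
    return hmac.compare_digest(expected, presented)
```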

Page 15

Amazon Virtual Private Cloud (VPC)
• Create a logically isolated environment in Amazon’s highly scalable infrastructure
• Specify your private IP address range into one or more public or private subnets
• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
• Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
• Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect
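The stateless/stateful distinction between Network ACLs and Security Groups is a common source of VPC misconfiguration: a subnet ACL that permits inbound HTTPS but has no outbound rule covering the client’s ephemeral port silently drops the server’s replies, whereas a security group tracks the flow and lets the reply through. The toy model below is an added example, not AWS code; it reduces both controls to port matching (real rules also match on CIDR and protocol, and real security groups have outbound rules of their own), and the addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" = entering the subnet/instance, "out" = leaving it


class NetworkACL:
    """Stateless filter: every packet, replies included, must match an explicit rule.
    Rules are (direction, low_port, high_port, action), evaluated in order; default deny."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, pkt):
        for direction, low, high, action in self.rules:
            if direction == pkt.direction and low <= pkt.dst_port <= high:
                return action == "allow"
        return False


class SecurityGroup:
    """Stateful filter: an inbound packet is checked against the allowed ports and, if
    accepted, its flow is remembered; the reply half of a tracked flow passes without a rule."""

    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.flows = set()

    def allows(self, pkt):
        if pkt.direction == "in":
            if pkt.dst_port not in self.inbound_ports:
                return False
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Outbound: permitted here only as the mirror image of a tracked inbound flow.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows


def https_round_trip(filt, client_ip="203.0.113.5", client_port=51000, server_ip="10.0.1.10"):
    """Constructed exchange: client -> server:443, then the server's reply to the client's
    ephemeral port. Returns (request_allowed, reply_allowed)."""
    request = Packet(client_ip, client_port, server_ip, 443, "in")
    reply = Packet(server_ip, 443, client_ip, client_port, "out")
    return filt.allows(request), filt.allows(reply)
```

With the ACL, the reply only passes once an outbound rule for the ephemeral range (1024-65535) is added; the security group needs no such rule.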

Page 16

Amazon VPC - Dedicated Instances
• Option to ensure physical hosts are not shared with other customers
• $10/hr flat fee per Region + small hourly charge
• Can identify specific Instances as dedicated
• Optionally configure entire VPC as dedicated

Page 17

Customer Challenge: Encryption

Customers have requirements that require them to use specific encryption key management procedures not previously possible on AWS
• Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls
• Good key management is critical

Customers want to run applications and store data in AWS but previously had to retain keys in HSMs in on-premises datacenters
• Applications may slow down due to network latency
• Requires several DCs to provide high availability, disaster recovery and durability of keys

Page 18

AWS Data Protection Solutions
• AWS offers several data protection mechanisms including access control, encryption, etc.
• AWS CloudHSM complements existing AWS data protection and encryption solutions
• With AWS CloudHSM customers can:
  • Encrypt data inside AWS
  • Store keys in AWS within a Hardware Security Module
  • Decide how to encrypt data – the AWS CloudHSM implements cryptographic functions and key storage for customer applications
  • Use third party validated hardware for key storage

Page 19

HSM – Hardware Security Module
• A hardware device that performs cryptographic operations and key storage
• Used for strong protection of private keys
• Tamper resistant – keys are protected physically and logically
  – If a tampering attempt is detected, the appliance destroys the keys
• Device administration and security administration are logically separate
  – Physical control of the appliance does not grant access to the keys
• Certified by 3rd parties to comply with government standards for physical and logical security:
  – FIPS 140-2
  – Common Criteria EAL4+
• Example vendors include: SafeNet, Thales
• Historically located in on-premises datacenters

Page 20

What is AWS CloudHSM?
• Customers receive dedicated access to HSM appliances
• HSMs are physically located in AWS datacenters – in close network proximity to Amazon EC2 instances
• Physically managed and monitored by AWS, but customers control their own keys
• HSMs are inside customer’s VPC – dedicated to the customer and isolated from the rest of the network

Page 21

AWS CloudHSM Service Highlights
• Secure Key Storage – customers retain control of their own keys and cryptographic operations on the HSM
• Contractual and Regulatory Compliance – helps customers comply with the most stringent regulatory and contractual requirements for key protection
• Reliable and Durable Key Storage – AWS CloudHSMs are located in multiple Availability Zones and Regions to help customers build highly available applications that require secure key storage
• Simple and Secure Connectivity – AWS CloudHSMs are in the customer’s VPC
• Better Application Performance – reduce network latency and increase the performance of AWS applications that use HSMs

Page 22

Customer use cases
• Large Silicon Valley company: video DRM
• Start-up document rights management service: enterprise document protection
• Amazon Web Services: Root of trust for Public Key Infrastructure (PKI) authentication system
• Very large financial services organization: Root of trust for key management system for virtual machine authentication & encryption

Page 23

Key Storage & Secure Operations for AWS

A. AWS manages the HSM appliance but does not have access to customers’ keys
B. Customers control and manage their own keys
C. Application performance improves (due to close network proximity with AWS workloads)
D. Secure key storage in tamper-resistant/tamper-evident hardware available in multiple regions and AZs
E. CloudHSMs are in the customer’s VPC and isolated from other AWS networks

[Diagram: AWS CloudHSM inside the customer’s Amazon Virtual Private Cloud; an Application and HSM Client on an Amazon VPC Instance connect to the CloudHSM over SSL. Callouts A–E mark the points above.]

Page 24

On-Premises Integration with AWS CloudHSM
• Customers’ applications continue to use standard crypto APIs (PKCS#11, MS CAPI, JCA/JCE, etc.)
• SafeNet HSM client replaces existing crypto service provider libraries and connects to the HSM to implement API calls in hardware
• SafeNet HSM Client can share load and store keys redundantly across multiple HSMs
• Key material is securely replicated to HSM(s) in the customer’s datacenter

[Diagram: an Application and HSM Client on an Amazon VPC Instance connect over SSL to AWS CloudHSM inside the Amazon Virtual Private Cloud; the VPC is linked to an HSM in the Corporate Datacenter by VPN over the Internet or by AWS Direct Connect. Callouts A–D mark the points above.]

Page 25

AWS Deployment Models

Isolation capabilities compared (the columns of the original table): Logical Server and Application Isolation; Granular Information Access Policy; Logical Network Isolation; Physical Server Isolation; Government-Only Physical Network and Facility Isolation; ITAR Compliant (US Persons Only).

Commercial Cloud
• Logical Server and Application Isolation
• Granular Information Access Policy
• Sample workloads: Public-facing apps, web sites, dev/test, etc.

Virtual Private Cloud (VPC)
• Logical Server and Application Isolation
• Granular Information Access Policy
• Logical Network Isolation
• Physical Server Isolation
• Sample workloads: Data center extension, TIC environment, email, FISMA Low and Moderate

AWS GovCloud (US)
• Logical Server and Application Isolation
• Granular Information Access Policy
• Logical Network Isolation
• Physical Server Isolation
• Government-Only Physical Network and Facility Isolation
• ITAR Compliant (US Persons Only)
• Sample workloads: US Persons compliant and government-specific apps

Page 26

AWS Security Resources
• http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
• Regularly Updated
• Feedback is welcome

Page 27

Thank you.
