
Enterprise Security Considerations


Stephen Schmidt's deep dive into the culture and inner workings of how AWS Security keeps customers safe every day, including the practices customers can adopt to improve their own security posture.


Page 1: Enterprise Security Considerations
Page 2: Enterprise Security Considerations

JOB ZERO

Page 3: Enterprise Security Considerations

Job Zero

Network Security

Physical Security

Platform Security

People & Procedures

Page 4: Enterprise Security Considerations

Job Zero What We Do

Heavy Lifting

Page 5: Enterprise Security Considerations

SHARED

Page 6: Enterprise Security Considerations

constantly improving

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

AWS is responsible for the security OF the Cloud

Standards listed on the slide: GxP, ISO 13485, AS9100, ISO/TS 16949

Page 7: Enterprise Security Considerations

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

AWS is responsible for the security OF the Cloud

Customer layers (shared responsibility):

Customer applications & content

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Client-side Data Encryption

Server-side Data Encryption

Network Traffic Protection

Customers have their choice of security configurations IN the Cloud
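The "Operating System, Network & Firewall Configuration" layer in the diagram above is the customer's to get right. The following is an added example, not code from the deck or from AWS: it walks a list of security groups shaped like the EC2 DescribeSecurityGroups response and flags administrative ports reachable from the whole Internet. The group IDs, names and rules are constructed sample data, and the port list is an assumption about what counts as "administrative".

```python
"""Audit the customer-managed firewall layer of the shared responsibility model.

Added example (not from the original deck). Input is shaped like the
IpPermissions structure of an EC2 DescribeSecurityGroups response; the
two groups below are constructed sample data, not real resources.
"""
from typing import Dict, List, Set

# Assumption: ports where world-open ingress is almost never the "right" thing.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample: a web group that is fine, and a "bastion" group that
# exposes SSH to IPv4 and every port to IPv6 (protocol -1 means all traffic).
SAMPLE_GROUPS: List[Dict] = [
    {
        "GroupId": "sg-0aaa111",  # hypothetical id
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0bbb222",  # hypothetical id
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "FromPort": None, "ToPort": None,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
]


def _admin_ports_covered(perm: Dict) -> Set[int]:
    """Admin ports a single permission entry reaches.

    IpProtocol "-1" is all traffic; a tcp rule with no ports is all tcp ports;
    otherwise it is the inclusive FromPort..ToPort range.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(ADMIN_PORTS)
    if proto != "tcp":
        return set()
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return set(ADMIN_PORTS)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def _world_open(perm: Dict) -> bool:
    """True if any IPv4 or IPv6 range on the entry is the whole Internet."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD)


def find_world_open_admin(groups: List[Dict]) -> List[Dict]:
    """One finding per (group, admin port) reachable from 0.0.0.0/0 or ::/0.

    Ports are collected into a set first so a port exposed by two rules
    (here: 22 by the tcp rule and again by the -1 rule) is reported once.
    """
    findings = []
    for sg in groups:
        exposed: Set[int] = set()
        for perm in sg.get("IpPermissions", []):
            if _world_open(perm):
                exposed |= _admin_ports_covered(perm)
        for port in sorted(exposed):
            findings.append({"GroupId": sg["GroupId"], "GroupName": sg["GroupName"],
                             "Port": port, "Service": ADMIN_PORTS[port]})
    return findings


if __name__ == "__main__":
    for f in find_world_open_admin(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): "
              f"{f['Service']}/{f['Port']} open to the world")
```

Against the sample data the web group produces no finding (443 to the world is the intended configuration) while the bastion group yields four, because the IPv6 all-traffic rule covers every admin port, not only the SSH rule that was probably intended. In practice the input would come from the DescribeSecurityGroups API rather than an inline list.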

Page 8: Enterprise Security Considerations

FAMILIAR

Page 9: Enterprise Security Considerations

familiar

–  Agility

Page 10: Enterprise Security Considerations

AWS

Page 11: Enterprise Security Considerations

The practice of security at AWS is different, but the outcome is familiar:

Focus on your business, not the undifferentiated heavy lifting

This applies within AWS, just as it does for our customers

Page 12: Enterprise Security Considerations

The practice of security at AWS is different, but the outcome is familiar:

Focus on your business, not the undifferentiated heavy lifting

Make it easier for our customers (internal & external) to do

the “right” thing

Page 13: Enterprise Security Considerations

The practice of security at AWS is different, but the outcome is familiar:

Apply more effort to the “why” rather than the “how”

Why is what really matters

When something goes wrong, ask the "five whys"

Page 14: Enterprise Security Considerations

The practice of security at AWS is different, but the outcome is familiar:

Decentralize - don’t be a bottleneck

It’s human nature to go around a bottleneck

Page 15: Enterprise Security Considerations

The practice of security at AWS is different, but the outcome is familiar:

So what does your security team look like?

Page 16: Enterprise Security Considerations

The practice of security at AWS is different, but the outcome is familiar:

Everyone’s an owner

When the problem is “mine” rather than “hers” there’s a much higher likelihood I’ll do

the right thing

Page 17: Enterprise Security Considerations

The practice of security at AWS is different, but the outcome is familiar:

Measure constantly, report regularly, & hold senior executives accountable for

security – have them drive the right culture

Page 18: Enterprise Security Considerations
Page 19: Enterprise Security Considerations

Our Tenets (unless you know better):

Page 20: Enterprise Security Considerations

Our Tenets (unless you know better):

•  We lead AWS in helping prevent unauthorized access to AWS resources: our customers’ or ours. We continuously assess our systems, identify exposures, evaluate risks, and relentlessly drive mitigations.

Page 21: Enterprise Security Considerations

Our Tenets (unless you know better):

•  We are the one-stop shop for all security questions within AWS. In cases where we don’t own the answer, we own getting the question answered.

Page 22: Enterprise Security Considerations

Our Tenets (unless you know better):

•  We build systems and provide recommendations that make it easier to build secure systems than it is to build insecure ones.

Page 23: Enterprise Security Considerations
Page 24: Enterprise Security Considerations

Our Culture:

•  Saying “no” is a failure

Page 25: Enterprise Security Considerations

Our Culture:

•  Measure measure measure

•  5 min metrics are too coarse

•  1 min metrics just barely OK

Page 26: Enterprise Security Considerations

Our Culture:

•  Base decisions on facts, metrics & detailed understanding of your environment and adversaries

Page 27: Enterprise Security Considerations

Our Culture:

•  Produce services that others can consume through hardened APIs

Page 28: Enterprise Security Considerations

Our Culture:

•  Test, CONSTANTLY

•  Inside/outside

•  Privileged/unprivileged

•  Black-box/white-box

•  Vendor/self

Page 29: Enterprise Security Considerations

Our Culture:

•  Proactive monitoring rules the day

•  What's "normal" in your environment?

•  Depending on signatures == waiting to find out WHEN you've been had
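Two of the points above are easier to see in code than in a bullet: that a baseline of "normal" catches misuse no signature would (this slide), and that metric granularity decides whether you see it at all (the "5 min metrics are too coarse" slide). The following is an added example, not code from the deck or from AWS. It learns per-principal source addresses and call rate from a quiet training window, then scans the rest of the log at 1-minute and 5-minute bucket widths. The log lines, principal name, addresses and the 5x threshold are all constructed assumptions.

```python
"""Baseline-driven detection over constructed API-call log lines.

Added example (not from the original deck). One stream of constructed events:
five quiet minutes of normal use from a CI subnet, then the same credentials
used from an unknown address to enumerate IAM in a single minute.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: datetime
    principal: str
    source_ip: str
    call: str


# Constructed sample log, "<utc timestamp> <principal> <source ip> <api call>".
SAMPLE_LOG = """\
2024-03-01T10:00:05Z deploy-bot 10.0.1.5 ec2:DescribeInstances
2024-03-01T10:01:10Z deploy-bot 10.0.1.5 ec2:DescribeInstances
2024-03-01T10:02:20Z deploy-bot 10.0.1.5 s3:ListBucket
2024-03-01T10:03:40Z deploy-bot 10.0.1.5 ec2:DescribeInstances
2024-03-01T10:04:55Z deploy-bot 10.0.1.5 s3:ListBucket
2024-03-01T10:05:30Z deploy-bot 10.0.1.5 ec2:DescribeInstances
2024-03-01T10:06:01Z deploy-bot 198.51.100.7 iam:ListUsers
2024-03-01T10:06:02Z deploy-bot 198.51.100.7 iam:ListAccessKeys
2024-03-01T10:06:03Z deploy-bot 198.51.100.7 iam:ListRoles
2024-03-01T10:06:04Z deploy-bot 198.51.100.7 iam:ListPolicies
2024-03-01T10:06:05Z deploy-bot 198.51.100.7 sts:GetCallerIdentity
2024-03-01T10:06:06Z deploy-bot 198.51.100.7 s3:ListAllMyBuckets
2024-03-01T10:06:07Z deploy-bot 198.51.100.7 iam:GetAccountAuthorizationDetails
2024-03-01T10:06:08Z deploy-bot 198.51.100.7 iam:CreateAccessKey
2024-03-01T10:08:15Z deploy-bot 10.0.1.5 ec2:DescribeInstances
2024-03-01T10:09:45Z deploy-bot 10.0.1.5 s3:ListBucket
"""

# Assumption: the first five minutes are known-good and serve as the baseline.
TRAINING_START = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
TRAINING_END = TRAINING_START + timedelta(minutes=5)


class Baseline(NamedTuple):
    known_ips: Dict[str, Set[str]]   # principal -> source IPs seen in training
    rate_per_min: Dict[str, float]   # principal -> mean calls per minute


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, principal, ip, call = line.split()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(Event(when, principal, ip, call))
    return events


def bucket_start(ts: datetime, width_min: int) -> datetime:
    """Floor a timestamp to its bucket; assumes width_min divides 60."""
    return ts.replace(minute=(ts.minute // width_min) * width_min, second=0, microsecond=0)


def learn_baseline(events: List[Event], start: datetime, end: datetime) -> Baseline:
    """'What is normal': who calls from where, and how often, inside [start, end)."""
    minutes = max(1, int((end - start).total_seconds() // 60))
    known: Dict[str, Set[str]] = defaultdict(set)
    counts: Counter = Counter()
    for e in events:
        if start <= e.ts < end:
            known[e.principal].add(e.source_ip)
            counts[e.principal] += 1
    return Baseline(dict(known), {p: n / minutes for p, n in counts.items()})


def detect(events: List[Event], baseline: Baseline, since: datetime,
           width_min: int, multiplier: float = 5.0) -> List[Tuple]:
    """Alerts for events at or after `since`, with no attack signature involved:
    ("new_source", principal, ip, first_seen) when a principal calls from an
    address absent from its baseline, and ("rate", principal, bucket, count)
    when a bucket exceeds multiplier x baseline rate x bucket width."""
    alerts: List[Tuple] = []
    seen_new: Set[Tuple[str, str]] = set()
    counts: Counter = Counter()
    for e in events:
        if e.ts < since:
            continue
        if (e.source_ip not in baseline.known_ips.get(e.principal, set())
                and (e.principal, e.source_ip) not in seen_new):
            seen_new.add((e.principal, e.source_ip))
            alerts.append(("new_source", e.principal, e.source_ip, e.ts.isoformat()))
        counts[(e.principal, bucket_start(e.ts, width_min))] += 1
    for (principal, start), n in sorted(counts.items()):
        threshold = multiplier * baseline.rate_per_min.get(principal, 0.0) * width_min
        if n > threshold:
            alerts.append(("rate", principal, start.isoformat(), n))
    return alerts


def run_demo(width_min: int) -> List[Tuple]:
    """Train on the quiet window, then scan everything after it at one bucket width."""
    events = parse_log(SAMPLE_LOG)
    baseline = learn_baseline(events, TRAINING_START, TRAINING_END)
    return detect(events, baseline, TRAINING_END, width_min)


if __name__ == "__main__":
    for width in (1, 5):
        print(f"{width}-minute buckets: {run_demo(width)}")
```

With 1-minute buckets the 10:06 minute carries eight calls against a baseline of one per minute and trips the rate check, on top of the new-source alert for 198.51.100.7. With 5-minute buckets the same burst is diluted to eleven calls in the 10:05 bucket, under the 25-call threshold, and only the new-source alert survives; the granularity slide is making exactly this point. Note that the unknown-address alert fires on the very first call, before the rate check can, which is what "what's normal in your environment" buys you that a signature feed does not.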

Page 30: Enterprise Security Considerations

Our Culture:

•  Collect, digest, disseminate & use intelligence

Page 31: Enterprise Security Considerations

Our Culture:

•  Make your compliance team a part of your security operations

Page 32: Enterprise Security Considerations

Simple Security Controls

Page 33: Enterprise Security Considerations
Page 34: Enterprise Security Considerations

REDUCTION

Page 35: Enterprise Security Considerations

REDUCTION

Page 36: Enterprise Security Considerations

BETTER OFF IN AWS