Amazon Web Services Security & Compliance Overview

Attila Lengyel, Enterprise Account Manager
Dob Todorov, Principal Security & Compliance Architect EMEA



Presentation Transcript


  1. Amazon Web Services Security & Compliance Overview. Attila Lengyel, Enterprise Account Manager; Dob Todorov, Principal Security & Compliance Architect EMEA

  2. undifferentiated heavy lifting

  3. utility computing

  4. AWS provides broad and deep services to support any cloud workload (service stack diagram)
     • Deployment & Administration
     • Application Services
     • Compute, Storage, Database, Networking
     • AWS Global Infrastructure

  5. Hundreds of Thousands of Customers in 190 Countries…

  6. Every Imaginable Use Case: Facebook page, Mars exploration ops, Consumer social app, Ticket pricing optimization, SAP & Sharepoint, Securities Trading, Data Archiving, Free steak campaign, Financial markets analytics, Gene sequencing, Marketing web site, Interactive TV apps, R&D data analysis, Consumer social app, Big data analytics, Web site & media sharing, Disaster recovery, Media streaming, Web and mobile apps, Streaming webcasts, Facebook app, Consumer social app

  7. “AWS is the overwhelming market share leader, with more than five times the compute capacity in use than the aggregate total of the other fourteen providers.” Gartner “Magic Quadrant for Cloud Infrastructure as a Service,” Lydia Leong, Douglas Toombs, Bob Gill, Gregor Petri, Tiny Haynes, August 19, 2013. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Steven Armstrong (asteven@amazon.com). Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

  8. Notable Financial Services Stories

  9. Dutch National Bank (regulator)

  10. Map of AWS Regions (legend: AWS Regions, AWS Edge Locations): Asia Pacific (Singapore), Asia Pacific (Tokyo), GovCloud (US ITAR Region), US West (Northern California), US West (Oregon), US East (Northern Virginia), South America (Sao Paulo), EU (Ireland), Asia Pacific (Sydney)

  11. Regions and their Availability Zones (diagram; zones labelled A, B, C): EU West (Dublin), US East (Virginia), Asia Pacific (Tokyo), Asia Pacific (Australia), US West (Northern California), US West (Oregon), South America (Sao Paulo), Asia Pacific (Singapore)

  12. Personal Data Protection in Europe
     • EC Directive 95/46/EC: Personal Data Protection
     • Use Amazon Web Services Dublin Region
     • Safe Harbour EU Compliant
     • Safe Harbour Switzerland Compliant

  13. The Shared Responsibility Model in the Cloud (layer diagram)
     • Customer layers: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption & Data Integrity Authentication; Server-side Encryption (File System and/or Data); Network Traffic Protection (Encryption/Integrity/Identity); Optional -- Opaque Data: 0s and 1s (in flight/at rest)
     • AWS layers: Foundation Services (Networking, Database, Compute, Storage); AWS Global Infrastructure (Edge Locations, Availability Zones, Regions)

  14. The Shared Responsibility Model in the Cloud: the same diagram, with the customer layers labelled “Security IN the Cloud” and the AWS layers labelled “Security OF the Cloud”

  15. Customer-managed Controls on Amazon EC2 (layer diagram, labelled Security IN the Cloud / Security OF the Cloud)
     • Layers: Data, Applications, Platforms, Operating Systems, Network Security
     • OS-level: Firewalls/IDS/IPS Systems/Deep Security
     • Network Security: Security Groups & Network Access Control Lists
     • Encryption of data in flight: industry standard protocols (IPSec, SSL, SSH)
     • Encryption of data at rest: OS-level (Encrypted File System, Bitlocker, dm-crypt, Secure Cloud)

  16. Data Protection at Rest and in Flight (layer diagram)
     • Layers: Data, Applications, Platforms, Operating Systems, Network Security
     • Application-level Encryption; Platform-level Encryption
     • OS-level: Firewalls/IDS/IPS Systems/Deep Security
     • Network Security: Security Groups & Network Access Control Lists
     • Encryption of data in flight: Network Traffic Encryption, industry standard protocols (IPSec, SSL, SSH)
     • Encryption of data at rest: OS-level (Encrypted File System, Bitlocker, dm-crypt, Secure Cloud); Volume-level Encryption

  17. AWS Certifications & Accreditations (diagram labelled Security IN the Cloud / Security OF the Cloud)
     • ISO 27001
     • SOC 1 (SSAE 16 & ISAE 3402) Type II Audit
     • SOC 2
     • SOC 3 Audit (new in 2013)
     • Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider

  18. Q&A

  19. User Identification, Authentication and Authorisation in the Cloud (diagram): Enterprise Applications and Corporate Systems with Active Directory/LDAP (AD/LDAP Users) on one side; Amazon Identity & Access Management with IAM Users in front of EC2, DynamoDB and S3 on the other

  20. User Identification, Authentication and Authorisation in the Cloud (same diagram): the IAM Users label is replaced by an Access Token for Federated Access between the AD/LDAP Users and Amazon Identity & Access Management (EC2, DynamoDB, S3)

  21. User Identification, Authentication and Authorisation in the Cloud (same diagram): Shibboleth replaces the Active Directory/LDAP label; AD/LDAP Users still obtain an Access Token for Federated Access to Amazon Identity & Access Management (EC2, DynamoDB, S3)

  22. SLAs, RTOs/RPOs (diagram)
     • Defined by Business: Business Processes (CBA), RTO, RPO, System Design
     • Managed by AWS: System SLAs (EC2 SLA, S3 SLA, CloudFront SLA, RDS SLA)

  23. Physical Security
     • Amazon has been building large-scale data centers for many years
     • Important attributes:
       • Non-descript facilities
       • Robust perimeter controls
       • Strictly controlled physical access
       • 2 or more levels of two-factor auth
     • Controlled, need-based access
     • All access is logged and reviewed
     • Separation of Duties
       • employees with physical access don’t have logical privileges
     • Maps to an Availability Zone
     (certification badges shown: ISO 27001; Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider)

  24. Storage Device Decommissioning
     • All storage devices go through this process
     • Uses techniques from
       • DoD 5220.22-M (“National Industrial Security Program Operating Manual”)
       • NIST 800-88 (“Guidelines for Media Sanitization”)
     • Ultimately
       • degaussed
       • physically destroyed

  25. AWS CloudHSM (diagram: EC2 Instance connected to AWS CloudHSM appliances)
     • Dedicated access to HSM appliances managed & monitored by AWS, but you control the keys
     • Increase performance for applications that use HSMs for key storage or encryption
     • Comply with stringent regulatory and contractual requirements for key protection

  26. Security of Data at Rest
     • S3
       • Server side encryption (AES-256) – per object keys managed by AWS
       • Client-side asymmetric encryption – integrated within APIs
       • Client-side encryption: Amazon stores 0s and 1s
     • EC2 + EBS
       • Enable partition/disk level encryption
       • Windows: use EFS (local certificates/centralised X.509)
       • Linux: use cryptsetup/dm-crypt/others
     • RDS MySQL
       • Use SQL native encryption (server side)
       • Client side encryption
     • RDS Oracle
       • Client-side encryption

  27. Security of Data in Flight
     • AWS APIs are Web services
       • SOAP over HTTPS
       • REST over HTTPS
       • User and data authentication through request signatures
     • User access to Web Console
     • Admin access to Servers
       • Use SSH with asymmetric keys, or X.509 certificates
       • Use RDP + MPPE or SSL protection
     • Secure Application-level Protocols

  28. Network Traffic Flow Security
     • Security Groups
       • Inbound traffic must be explicitly specified by protocol, port, and security group
       • VPC adds outbound filters
       • VPC also adds Network Access Control Lists (ACLs): inbound and outbound stateless filters
     • OS Firewall (e.g., iptables) may be implemented
       • completely user controlled security layer
       • granular access control of discrete hosts
       • logging network events
     (diagram: Inbound & Outbound Traffic passing Amazon Security Groups and the OS Firewall to an instance with Encrypted File System and Encrypted Swap File)

  29. Amazon EC2 Instance Isolation (diagram): Customer 1, Customer 2 … Customer n instances on a Hypervisor; Virtual Interfaces; per-customer Security Groups (Customer 1 Security Groups … Customer n Security Groups); Firewall; Physical Interfaces

  30. Multi-tier Security Approach Example (Web Tier, Application Tier, Database Tier; Amazon EC2 Security Group Firewall)
     • Ports 80 and 443 only open to the Internet
     • Engineering staff have ssh access to the App Tier, which acts as Bastion
     • Sync with on-premises database
     • All other Internet ports blocked by default
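A constructed model of the three-tier security-group layout from slide 30, added here as an example (not part of the deck): it encodes the web/app/db inbound rules as slide 28 describes them (explicit inbound by protocol, port and source), audits them for Internet exposure the design does not intend, and counts how many security-group boundaries separate the Internet from each tier. The engineering CIDR, the app port 8080 and the MySQL port 3306 are assumed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

ANY = "0.0.0.0/0"  # "open to the Internet"


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp" / "udp"
    port: int
    source: str     # a CIDR, or the name of another security group


@dataclass
class SecurityGroup:
    name: str
    inbound: Set[Rule] = field(default_factory=set)  # inbound must be explicit; anything unlisted is denied


def three_tier_example(engineering_cidr: str = "203.0.113.0/24") -> Dict[str, SecurityGroup]:
    """Slide 30's layout. The CIDR (TEST-NET-3) and the 8080/3306 ports are constructed assumptions."""
    web = SecurityGroup("web", {Rule("tcp", 80, ANY), Rule("tcp", 443, ANY)})
    app = SecurityGroup("app", {Rule("tcp", 22, engineering_cidr),   # app tier doubles as the SSH bastion
                                 Rule("tcp", 8080, "web")})           # app port reachable only from the web SG
    db = SecurityGroup("db", {Rule("tcp", 3306, "app")})              # database reachable only from the app SG
    return {g.name: g for g in (web, app, db)}


def internet_exposed_ports(groups: Dict[str, SecurityGroup]) -> Dict[str, Set[int]]:
    """Ports each group accepts from anywhere on the Internet."""
    return {name: {r.port for r in g.inbound if r.source == ANY} for name, g in groups.items()}


def audit(groups: Dict[str, SecurityGroup], allowed_public: Dict[str, Set[int]]) -> List[str]:
    """Findings for Internet-open ports that the intended design does not allow."""
    findings = []
    for name, ports in internet_exposed_ports(groups).items():
        for port in sorted(ports - allowed_public.get(name, set())):
            findings.append(f"{name}: port {port} open to {ANY}")
    return findings


def hops_from_internet(groups: Dict[str, SecurityGroup]) -> Dict[str, int]:
    """Minimum number of security-group boundaries between the Internet and each tier,
    following rules whose source is another group (breadth-first). Unreachable groups are omitted."""
    hops = {name: 1 for name, g in groups.items() if any(r.source == ANY for r in g.inbound)}
    frontier, depth = set(hops), 1
    while frontier:
        depth += 1
        frontier = {name for name, g in groups.items()
                    if name not in hops and any(r.source in frontier for r in g.inbound)}
        for name in frontier:
            hops[name] = depth
    return hops
```

Running `audit(three_tier_example(), {"web": {80, 443}})` returns no findings, while adding a rule with source `0.0.0.0/0` to the db group produces a finding and collapses its hop count from 3 to 1.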

  31. Amazon VPC Network Security Controls

  32. Layered Defence

  33. AWS Multi-Factor Authentication
     • Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
     • Additional protection for account information
     • Works with
       • Master Account
       • IAM Users
     • Integrated into
       • AWS Management Console
       • Key pages on the AWS Portal
       • S3 (Secure Delete)

  34. AWS Trusted Advisor Available Programmatically via AWS Support APIs

  35. Manage and Monitor Your Environments from Anywhere

  36. Security & Compliance Resources
     • Answers to many security & privacy questions
     • Security Whitepaper
     • Risk and Compliance Whitepaper
     • Security Best Practices Whitepaper
     • AWS Auditing Checklist
     • Security Blog
     • Security bulletins
     • Penetration Testing
     http://aws.amazon.com/security/
     http://aws.amazon.com/compliance/
