We’ve entered a new connectivity-oriented world where we can access information any time, any place, on any device, 24 hours a day, and cloud computing is a major enabler of this flexibility. Like you, more and more businesses are looking to the cloud for better, faster, more powerful and affordable communications, and while many would think that security in the cloud is much different, the reality is less dramatic. Moving to the cloud still requires using proven security techniques, but sometimes in new and dynamic ways that adapt to the elastic nature of cloud architecture. Join us as we discuss the latest cloud security solutions, including real-world examples of how organizations like yours are succeeding against new and evolving threats. We will examine security considerations beyond what is provided by security-conscious cloud providers like Amazon Web Services, and what additional factors you might want to think about when deploying to the cloud.
7. Security & Compliance Control Objectives
• Control Objective 1: Security Organization
– Who we are
– Proper control & access within the organization
• Control Objective 2: Amazon User Access
– How we vet our staff
– Minimization of access
8. Security & Compliance Control Objectives
• Control Objective 3: Logical Security
– Our staff start with no systems access
– Need-based access grants
– Rigorous systems separation
– Systems access grants regularly re-evaluated & automatically revoked
9. Security & Compliance Control Objectives
• Control Objective 4: Secure Data Handling
– Storage media destroyed before being permitted outside our datacenters
– Media destruction consistent with US Dept. of Defense Directive 5220.22
• Control Objective 5: Physical Security and Environmental Safeguards
– Keeping our facilities safe
– Maintaining the physical operating parameters of our datacenters
10. Security & Compliance Control Objectives
• Control Objective 6: Change Management
– Continuous Operation
• Control Objective 7: Data Integrity, Availability and Redundancy
– Ensuring your data remains safe, intact & available
• Control Objective 8: Incident Handling
– Processes & procedures for mitigating and managing potential issues
13. Physical Security
[Map figure: AWS regions and their Availability Zones. Regions shown: US East (VA), US West (CA), US West (OR), GovCloud (OR), EU (Ireland), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), South America (Sao Paulo). Each region is drawn with between two and four labelled Availability Zones (Zone A to Zone D).]
18. The Cloud Changes Nothing… and Everything!
Ken Low
Director of Enterprise Security
July 18, 2013
19. Cloud Security is a Shared Responsibility
• Consumers of cloud services are responsible for
– Security of the instance (OS & Applications)
– Ensuring business application SLAs are maintained
– Ultimately it boils down to protecting your instances from compromise and the integrity of the applications running in the cloud …
• How do you protect AWS instances?
– Traditional network IDS/IPS appliances are not feasible
– Network interception methods are not effective or scalable in the cloud
– Agent-based host security controls are more effective
20. Cloud Security is a Shared Responsibility
• What type of host security controls are required?
• Security principles don’t change
• Implementation & Management change drastically

The Need                         Preferred Security Control
Data confidentiality             Encryption
Block malicious software         Anti-Malware
Detect & track vulnerabilities   Vulnerability scanning services
Control server communications    Host-firewalls (in addition to AWS security groups)
Detect suspicious activity       Intrusion Prevention
Detect unauthorized changes      File Integrity Monitoring
Block OS & App vulnerabilities   Patch & shield vulnerabilities
Data monitoring & compliance     DLP
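As an added illustration of the "Detect unauthorized changes: File Integrity Monitoring" row, the Go program below is example code written for this page (not Trend Micro's or AWS's): it hashes every regular file under a directory into a baseline, then diffs a fresh snapshot against that baseline and reports files that were added, modified or removed. The directory argument, the Baseline and Change types and the output format are this example's own; a production agent would additionally keep the baseline off-host or signed, run on a schedule, and forward the report to a central console.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a file path (relative to the monitored root, '/'-separated)
// to the hex SHA-256 of its contents. In production the baseline must live
// off-host or be signed; otherwise whoever modifies a file can also rewrite
// the record of what that file should look like.
type Baseline map[string]string

// Snapshot walks root and hashes every regular file beneath it.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !d.Type().IsRegular() {
			return nil // skip directories, symlinks and device nodes
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		b[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return b, err
}

// Change is one integrity event relative to the baseline.
type Change struct {
	Path string
	Kind string // "added", "modified" or "removed"
}

// Compare reports every difference between the stored baseline and a fresh
// snapshot, sorted by path so that repeated reports are stable and diffable.
func Compare(baseline, current Baseline) []Change {
	var changes []Change
	for path, want := range baseline {
		got, ok := current[path]
		switch {
		case !ok:
			changes = append(changes, Change{path, "removed"})
		case got != want:
			changes = append(changes, Change{path, "modified"})
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			changes = append(changes, Change{path, "added"})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Path < changes[j].Path })
	return changes
}

func main() {
	// Usage: fim <dir>  -- records a baseline, waits for Enter, then reports what changed.
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: fim <directory>")
		os.Exit(2)
	}
	base, err := Snapshot(os.Args[1])
	if err != nil {
		panic(err)
	}
	fmt.Printf("baseline: %d files hashed; change something, then press Enter\n", len(base))
	fmt.Scanln()
	cur, err := Snapshot(os.Args[1])
	if err != nil {
		panic(err)
	}
	for _, c := range Compare(base, cur) {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
}
```

Hashing whole files is enough to catch content tampering; a fuller monitor would also record ownership, permissions and mtime, since a change to those is often the first sign of an out-of-policy modification even when the bytes are untouched.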
21. Trend Micro Deep Security for AWS
• World’s No. 1 server security solution, hosted on AWS
• Designed to automate and simplify security operations in and across AWS applications.
• Provides AWS instance-based security (Available in two versions)
– Trend Micro Deep Security software (now)
– Trend Micro Deep Security as a Service (available in NA now, APAC in 2014)
22. What Protection does Deep Security Provide?
• Anti-malware: new malware is being created every second of every day; Deep Security as a Service provides timely protection against this avalanche of malware being used to attack systems and steal data
• Web Reputation: control which domains your servers can communicate with to reduce the risk of compromise
• Firewall: create a firewall perimeter around each cloud server to block attacks and limit communication to only the ports and protocols necessary, in addition to cloud provider controls
• Intrusion Prevention: shield unpatched vulnerabilities from attack with auto-updating security policies that ensure the right protection is applied to the right cloud servers at the right time
• Integrity Monitoring: meet your compliance monitoring requirements, while ensuring unauthorized or out-of-policy changes are detected and reported
23. What Protection does Deep Security Provide?
• Deep Security as a Service is a SaaS solution that delivers comprehensive security for cloud servers
• Built on security technology proven across thousands of organizations, it provides:
– Protection from attacks: combine Anti-malware and Intrusion Prevention to prevent attacks that can lead to data theft and system compromise
– Server hardening: reduce your exposure to attack by ensuring your cloud servers are only communicating with expected systems
– Compliance Monitoring: Integrity Monitoring provides an audit trail of changes to critical server operating system, configuration, and application files
– Automated Management: achieve automated and consistent protection for existing and new cloud servers with security recommendation scans & streamlined deployment
The Takeaway: The security solution designed specifically to work hand-in-hand with AWS, running on AWS.
24. Who Needs This Solution?
• IT Managers, IT Directors, Compliance Officers and CIOs using Amazon Web Services
• Organizations that are leveraging AWS for ad-hoc or temporary projects
• Business units that require additional security and are using AWS
• Organizations that want to leverage security expertise from a proven vendor in a way that is natural for an AWS environment
25. Trend Micro Deep Security as a Service*
[Architecture diagram: Deep Security as a Service Manager instances running on AWS, managing Deep Security Agents installed on the customer's AWS instances. Caption: Protection for AWS, From AWS.]
*Available in NA now, APAC in 2014.
26. Which Deep Security version is for you?
Buy Deep Security Software
• Datacenter security requirements
• Hybrid cloud environments
• Prefer to run Deep Security Managers themselves
• Require a solution now
Buy Deep Security as a Service
• AWS only security requirement
• Want the convenience of a SaaS
• Available in NA now, APAC in 2014
27. Summary of Key Features:
✔ AWS connector for instance inventory synchronization
✔ Deployment scripts for integration with RightScale, Chef, Puppet, & OpsWorks
✔ Templates for consistent & automated security policy enforcement
✔ Role-based administration
✔ Dashboards with customizable widgets
✔ Alerts & reporting capabilities
✔ Broad platform support
Advanced Protection from the Cloud, For the Cloud …
28. Trend Micro SecureCloud for AWS
• Protection for data in the cloud
• Automated encryption and key management
• Solution that helps you protect the privacy of data in AWS, making sure that only authorized servers can access encryption keys
• Trend Micro’s highly automated data protection approach safely delivers encryption keys to valid devices without the need for you to deploy an entire file system and management infrastructure
• Key benefits:
– Policy-Based Key Management
– Enterprise-Controlled Encryption and Key Management
– Standard Protocols and Advanced Encryption
– Authentication
– Logging, Reporting, and Auditing
– Separation of Duties
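To make "Policy-Based Key Management", "Authentication", "Logging, Reporting, and Auditing" and "Separation of Duties" concrete, here is an added Go model of a key-release decision, written for this page; it is not SecureCloud's actual protocol or API. It assumes a key server that issues a single-use challenge, authenticates the requesting server with an HMAC over the request keyed with a secret shared at enrolment, checks an enterprise policy (which servers may receive keys, which agent hash they must report), and appends every decision to an audit trail. All identifiers, secrets and keys in the demo are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyRequest is what a protected server sends when it asks for the data-encryption key
// of one of its volumes. Proof is an HMAC-SHA256 over the other fields, keyed with the
// secret the server was given at enrolment.
type KeyRequest struct {
	ServerID  string // identity of the requesting server (e.g. an EC2 instance ID)
	VolumeID  string
	AgentHash string // SHA-256 of the local encryption agent, measured by the agent
	Nonce     string // single-use challenge issued by the key server
	Proof     []byte
}

// KeyServer holds the enterprise-controlled policy, enrolment secrets, volume keys and
// an append-only audit trail of every decision it makes.
type KeyServer struct {
	AllowedServers map[string]bool   // policy: servers that may receive keys at all
	ExpectedAgent  string            // policy: agent hash a server must report first
	secrets, keys  map[string][]byte // serverID -> enrolment secret; volumeID -> data key
	nonces         map[string]bool   // outstanding challenges, consumed on first use
	Audit          []string
}

func NewKeyServer(allowed map[string]bool, expectedAgent string) *KeyServer {
	return &KeyServer{AllowedServers: allowed, ExpectedAgent: expectedAgent, secrets: map[string][]byte{}, keys: map[string][]byte{}, nonces: map[string]bool{}}
}

// Enrol and StoreKey are separate administrative actions (separation of duties).
func (ks *KeyServer) Enrol(serverID string, secret []byte) { ks.secrets[serverID] = secret }
func (ks *KeyServer) StoreKey(volumeID string, key []byte) { ks.keys[volumeID] = key }

// Challenge issues a fresh nonce; binding the proof to it stops a captured request
// from being replayed to pull the key a second time.
func (ks *KeyServer) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	ks.nonces[n] = true
	return n, nil
}

func mac(secret []byte, r KeyRequest) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(r.ServerID + "|" + r.VolumeID + "|" + r.AgentHash + "|" + r.Nonce))
	return m.Sum(nil)
}

// Sign is the agent side: it authenticates the request with the enrolment secret.
func Sign(secret []byte, r KeyRequest) KeyRequest { r.Proof = mac(secret, r); return r }

func (ks *KeyServer) deny(r KeyRequest, reason string) ([]byte, error) {
	ks.Audit = append(ks.Audit, fmt.Sprintf("DENY server=%s volume=%s reason=%q", r.ServerID, r.VolumeID, reason))
	return nil, errors.New(reason)
}

// Release hands out the volume key only when the challenge is fresh, the request
// authenticates and every policy condition holds; every outcome is logged.
func (ks *KeyServer) Release(r KeyRequest) ([]byte, error) {
	if !ks.nonces[r.Nonce] {
		return ks.deny(r, "unknown or reused challenge")
	}
	delete(ks.nonces, r.Nonce)
	secret, ok := ks.secrets[r.ServerID]
	if !ok {
		return ks.deny(r, "server not enrolled")
	}
	if !hmac.Equal(mac(secret, r), r.Proof) { // constant-time comparison
		return ks.deny(r, "authentication failed")
	}
	if !ks.AllowedServers[r.ServerID] {
		return ks.deny(r, "server not permitted by policy")
	}
	if r.AgentHash != ks.ExpectedAgent {
		return ks.deny(r, "agent integrity check failed")
	}
	key, ok := ks.keys[r.VolumeID]
	if !ok {
		return ks.deny(r, "no key for volume")
	}
	ks.Audit = append(ks.Audit, fmt.Sprintf("RELEASE server=%s volume=%s", r.ServerID, r.VolumeID))
	return key, nil
}

func main() {
	ks := NewKeyServer(map[string]bool{"i-demo": true}, "agent-build-42") // constructed demo values
	ks.Enrol("i-demo", []byte("demo-secret"))
	ks.StoreKey("vol-demo", []byte("demo-volume-key"))
	n, _ := ks.Challenge()
	req := Sign([]byte("demo-secret"), KeyRequest{ServerID: "i-demo", VolumeID: "vol-demo", AgentHash: "agent-build-42", Nonce: n})
	ks.Release(req) // released
	ks.Release(req) // same challenge replayed: denied, and the denial is recorded
	fmt.Println(ks.Audit)
}
```

The order of the checks matters for the audit trail: a stale challenge or a bad proof is refused before policy is consulted, so the log distinguishes a replayed or forged request from an enrolled, authenticated server that is merely out of policy (for example, one running an agent build the policy does not yet trust).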
29. Why Trend Micro and AWS?
Trend Micro, a global leader in cloud security, delivers flexible, proven solutions for AWS which
• have been architected to be highly effective and efficient in protecting the data and applications running on EC2
• have been built to the highest government standards, including Common Criteria EAL4+
• integrate seamlessly with cloud management tools such as AWS CloudFormation, RightScale, Chef and Puppet to automate security management
• reduce security management costs by automating security tasks and lowering the preparation time and effort required to support audits
30. Trend Micro Resources for Cloud Best Security Practices
Host-based all-in-one security: the most complete set of tools built specifically for the cloud:
– Bi-directional stateful firewall
– Anti-Malware
– Intrusion Prevention
– Integrity Monitoring
– Log Inspection
– Domain whitelisting
– Data encryption and key management
Top 10 Best Practices for securing your AWS instances: blog series at Cloud.TrendMicro.com
Twitter: @TrendMicro
Try out a new cloud-based security service for your AWS instances with our new free beta AWS-based service: http://DeepSecurity.TrendMicro.com/trial
32. Customer Challenge: Encryption
• Customers have requirements that require them to use specific encryption key management procedures not previously possible on AWS
– Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls
– Good key management is critical
• Customers want to run applications and store data in AWS but previously had to retain keys in HSMs in on-premises datacenters
– Applications may slow down due to network latency
– Requires several DCs to provide high availability, disaster recovery and durability of keys
33. AWS Data Protection Solutions
• AWS offers several data protection mechanisms including access control, encryption, etc.
• AWS data encryption solutions allow customers to:
– Encrypt and decrypt sensitive data inside or outside AWS
– Decide which data to encrypt
• AWS CloudHSM complements existing AWS data protection and encryption solutions
• With AWS CloudHSM customers can:
– Encrypt data inside AWS
– Store keys in AWS within a Hardware Security Module
– Decide how to encrypt data – the AWS CloudHSM implements cryptographic functions and key storage for customer applications
– Use third-party validated hardware for key storage
• AWS CloudHSMs are designed to meet Common Criteria EAL4+ and FIPS 140-2 standards
34. What is AWS CloudHSM?
• Customers receive dedicated access to HSM appliances
• HSMs are physically located in AWS datacenters – in close network proximity to Amazon EC2 instances
• Physically managed and monitored by AWS, but customers control their own keys
• HSMs are inside the customer’s VPC – dedicated to the customer and isolated from the rest of the network
[Figure: AWS CloudHSM]
35. AWS CloudHSM Service Highlights
• Secure Key Storage – customers retain control of their own keys and cryptographic operations on the HSM
• Contractual and Regulatory Compliance – helps customers comply with the most stringent regulatory and contractual requirements for key protection
• Reliable and Durable Key Storage – AWS CloudHSMs are located in multiple Availability Zones and Regions to help customers build highly available applications that require secure key storage
• Simple and Secure Connectivity – AWS CloudHSMs are in the customer’s VPC
• Better Application Performance – reduce network latency and increase the performance of AWS applications that use HSMs
36. How Customers Use AWS CloudHSM
• Customers use AWS CloudHSM as an architectural building block in securing applications
– Object encryption
– Digital Rights Management (DRM)
– Document signing
– Secure document repository
– Database encryption
– Transaction processing
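The object encryption, database encryption and document signing use cases share one pattern: bulk data is encrypted locally under a per-object data key, and only that small data key (or a document digest) is sent to the HSM, whose private key never leaves it. The Go program below is an added example written for this page, not the CloudHSM client interface or any AWS library; KeyModule is an in-process stand-in for the HSM trust boundary, the wrap label is this example's own choice, and the sample record is constructed.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyModule stands in for the trust boundary an HSM provides: the private key is
// generated inside and never exported; callers only get unwrap and sign operations.
// It is an in-process model for illustration, not the CloudHSM client interface.
type KeyModule struct{ priv *rsa.PrivateKey }

func NewKeyModule() (*KeyModule, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyModule{priv: priv}, nil
}

// PublicKey is all an application needs to wrap data keys and verify signatures.
func (m *KeyModule) PublicKey() *rsa.PublicKey { return &m.priv.PublicKey }
var wrapLabel = []byte("data-key") // OAEP label ties a wrapped blob to its purpose

// UnwrapKey recovers a data key inside the module; the master key stays put.
func (m *KeyModule) UnwrapKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, m.priv, wrapped, wrapLabel)
}

// Sign produces an RSA-PSS signature over SHA-256(doc): the document-signing use case.
func (m *KeyModule) Sign(doc []byte) ([]byte, error) {
	d := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, m.priv, crypto.SHA256, d[:], nil)
}

// Verify needs only the public key, so any relying party can check a signature.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	d := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) == nil
}

// EncryptedObject is what the application stores (an S3 object, a database column):
// the ciphertext plus the per-object data key wrapped to the module.
type EncryptedObject struct{ WrappedKey, Nonce, Ciphertext []byte }

func newGCM(dk []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptObject does envelope encryption: a fresh AES-256 data key protects the object
// under AES-GCM and only that 32-byte key is wrapped with RSA-OAEP to the module's
// public key. Bulk data never has to cross the HSM boundary.
func EncryptObject(pub *rsa.PublicKey, plaintext []byte) (EncryptedObject, error) {
	dk := make([]byte, 32)
	if _, err := rand.Read(dk); err != nil {
		return EncryptedObject{}, err
	}
	gcm, err := newGCM(dk)
	if err != nil {
		return EncryptedObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedObject{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dk, wrapLabel)
	if err != nil {
		return EncryptedObject{}, err
	}
	return EncryptedObject{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptObject asks the module to unwrap the data key, then opens the ciphertext
// locally; the GCM tag rejects any modification of the stored object.
func DecryptObject(m *KeyModule, obj EncryptedObject) ([]byte, error) {
	dk, err := m.UnwrapKey(obj.WrappedKey)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dk)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, nil)
}

func main() {
	m, _ := NewKeyModule()
	obj, _ := EncryptObject(m.PublicKey(), []byte("constructed sample record")) // not real data
	pt, _ := DecryptObject(m, obj)
	fmt.Printf("recovered %q; wrapped key is %d bytes\n", pt, len(obj.WrappedKey))
}
```

Because every object carries its own wrapped data key, rotating or revoking the module's master key means re-wrapping only the small key blobs, not re-encrypting the bulk data; and because decryption requires a round trip to the module, access to stored ciphertext alone (a leaked backup, a copied volume) yields nothing usable.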