Security must be at the forefront for any online business. At AWS, security is priority number one. Stephen Schmidt, vice president and chief information officer for AWS, shares his insights into cloud security and how AWS meets our customers' demanding security and compliance requirements, and in many cases helps them improve their security posture. Stephen, with his background with the FBI and his work with AWS customers in the government, space exploration, research, and financial services organizations, shares an industry perspective that's unique and invaluable for today's IT decision makers. At the conclusion of this session, Stephen also provides a brief summary of the other sessions available to you in the security track.
5. constantly improving
[Shared responsibility diagram: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). AWS is responsible for the security OF the Cloud.]
Compliance programs shown: GxP, ISO 13485, AS9100, ISO/TS 16949
6. Shared responsibility
AWS is responsible for the security OF the Cloud:
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the Cloud:
Customer applications & content
Platform, Applications, Identity & Access Management
Operating System, Network, & Firewall Configuration
Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
14. You are making API calls... on a growing set of services around the world... AWS CloudTrail is continuously recording API calls... and delivering log files to you.
[Diagram: AWS CloudTrail receiving API call records from services such as Redshift, AWS CloudFormation and AWS Elastic Beanstalk]
27. First class security and compliance starts (but doesn't end!) with encryption
Automatic encryption with managed keys
Bring your own keys
Dedicated hardware security modules
28. Encryption & Best Practices with AWS
Managed key encryption
Key storage with AWS CloudHSM
Customer-supplied key encryption
DIY on Amazon EC2
Create, store, & retrieve keys securely
Rotate keys regularly
Securely audit access to keys
Partner enablement of crypto
34. Nasdaq is a great example of security excellence in the cloud
35. Nasdaq Use Case Requirement
Replace on-premises data warehouse while keeping equivalent schemas and data
Only one year of capacity remaining
4-8 billion rows of new stock trading information stored daily
Must cost less than existing system
Must satisfy multiple security and regulatory audits
Must perform similarly to legacy warehouse under concurrent query load
AWS's ability to satisfy multiple security and regulatory audits was critical to Nasdaq's migrating its data warehouse to AWS
36. Nasdaq Data Warehouse Implementation
Pull data from numerous sources, validate data, and securely load into Redshift
37. Nasdaq Security Best Practices
AWS CloudTrail to monitor and audit environment
Network isolation with Amazon VPC and AWS Direct Connect
Encryption in flight using TLS and Amazon Redshift JDBC connections
Encryption at rest with Amazon S3 (client-side, AES-256) with Amazon Redshift cluster encryption enabled and AWS CloudHSM
AWS CloudHSM integration was critical to Nasdaq's adoption of AWS
41. The practice of security at AWS is different, but the outcome is familiar:
So what does your security team look like?
42. Our Culture: Everyone's an owner
When the problem is "mine" rather than "hers" there's a much higher likelihood I'll do the right thing
43. Our Culture: Measure constantly, report regularly, and hold senior executives accountable for security; have them drive the right culture
46. Our Culture: Apply more effort to the "why" rather than the "how"
Why is what really matters
When something goes wrong, ask the "five whys"
50. Our Culture: Proactive monitoring rules the day
• What's "normal" in your environment?
• Depending on signatures == waiting to find out WHEN you've been had
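As an added example (not part of the deck and not AWS code), here is the kind of baseline check slide 50 argues for, run over the CloudTrail log files slide 14 describes: instead of matching signatures, it learns which APIs each principal normally calls and from where, then flags later calls that fall outside that. The log, account id, ARN and addresses are constructed placeholders; the record fields read (eventTime, eventSource, eventName, sourceIPAddress, userIdentity.arn) are standard CloudTrail fields.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a delivered CloudTrail log file ({"Records": [...]});
# the account id, ARN and addresses are placeholders, not real identifiers.
def _rec(time, source, name, ip):
    return {"eventTime": time, "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/etl"}}

SAMPLE_LOG = json.dumps({"Records": [
    _rec("2014-11-01T09:00:00Z", "redshift.amazonaws.com", "DescribeClusters", "203.0.113.10"),
    _rec("2014-11-01T09:05:00Z", "s3.amazonaws.com", "PutObject", "203.0.113.10"),
    _rec("2014-11-02T09:00:00Z", "redshift.amazonaws.com", "DescribeClusters", "203.0.113.10"),
    _rec("2014-11-02T23:30:00Z", "iam.amazonaws.com", "CreateAccessKey", "198.51.100.7"),
]})

def principal(rec):
    """Identify the caller; users and roles carry an arn, other identity types may not."""
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")

def build_baseline(records):
    """'Normal' per principal: the APIs it has called and the addresses it has called from."""
    apis, ips = defaultdict(set), defaultdict(set)
    for rec in records:
        apis[principal(rec)].add((rec["eventSource"], rec["eventName"]))
        ips[principal(rec)].add(rec["sourceIPAddress"])
    return apis, ips

def find_deviations(records, baseline):
    """Flag calls outside the baseline; no signature is involved, only deviation from normal."""
    apis, ips = baseline
    findings = []
    for rec in records:
        who, api = principal(rec), (rec["eventSource"], rec["eventName"])
        reasons = []
        if api not in apis.get(who, set()):
            reasons.append("first call to " + rec["eventName"])
        if rec["sourceIPAddress"] not in ips.get(who, set()):
            reasons.append("new source address " + rec["sourceIPAddress"])
        if reasons:
            findings.append((rec["eventTime"], who, rec["eventName"], "; ".join(reasons)))
    return findings

def review(log_text, baseline_until):
    """Records up to baseline_until (ISO-8601 as CloudTrail writes it) define normal; later ones are checked."""
    records = json.loads(log_text)["Records"]
    train = [r for r in records if r["eventTime"] <= baseline_until]
    return find_deviations([r for r in records if r["eventTime"] > baseline_until],
                           build_baseline(train))
```

With the sample above, review(SAMPLE_LOG, "2014-11-01T23:59:59Z") flags only the late-night CreateAccessKey call from an address the etl user never used before, which is what "what's normal in your environment?" buys you that a signature list does not.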