This session provides real guidance and practical answers to government users’ questions about security and compliance, helping agencies move away from the “worry-based fiction” of the cloud
Speaker: Stephen Quigg, Solutions Architect, Amazon Web Services, APAC
Security and Compliance in the Cloud
1. AWS Government, Education, & Nonprofits Symposium
Canberra, Australia | May 6, 2015
Stephen Quigg
Principal Solutions Architect, APAC
Amazon Web Services
Security and Compliance in the Cloud
5. The practice of security at AWS is different, but the outcome is familiar:
So what does your security team look like?
• Operations
• Engineering
• Application Security
• Compliance
6. Our Culture:
Measure constantly, report regularly, and hold senior executives accountable for security – have them drive the right culture
11. Build everything on a constantly improving security baseline
[Figure: compliance standards shown include GxP, ISO 13485, AS9100 and ISO/TS 16949]
[Figure: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). AWS is responsible for the security OF the Cloud]
12. Security is shared between AWS and its customers
[Figure: shared responsibility model]
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the Cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
13. AWS is certified by the ASD for unclassified DLM
[Figure: the shared responsibility model again, with the AWS layer (Foundation Services and Global Infrastructure) below the customer layer (applications and content, identity and access management, OS/network/firewall configuration, client-side and server-side encryption, network traffic protection)]
AWS: the AWS platform has been IRAP assessed and certified
Customers: customers get their own solutions and configurations assessed
14. We have many Government customers in Australia
[Figure: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) under the AWS layer, with the customer layer above]
AWS: the AWS platform has been IRAP assessed and certified
Customers: meet your own individual departmental needs
16. Security is Familiar
• We strive to make security at AWS as familiar as
what you are doing right now
– Visibility
– Auditability
– Controllability
– Agility
22. Security is Visible
• Who is accessing the resources?
• Who took what action?
– When?
– From where?
– What did they do?
– Logs Logs Logs
23. You are making API calls... on a growing set of services around the world... AWS CloudTrail is continuously recording API calls... and delivering log files to you
[Figure: AWS CloudTrail collecting API calls from services such as Redshift, AWS CloudFormation and AWS Elastic Beanstalk]
24. AWS Config tells you what has changed
AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
26. Use cases enabled by Config
• Security Analysis: Am I safe?
• Audit Compliance: Where is the evidence?
• Change Management: What will this change affect?
• Troubleshooting: What has changed?
27. What will this change affect?
• When your resources are created, updated, or deleted, these configuration changes are streamed to Amazon SNS
• Relationships between resources are understood, so that you can proactively assess change impact
28. What changed?
• It is critical to be able to quickly answer “What has changed?”
• You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files
32. You are in control of privacy
Customers retain full ownership and control of their content
• Choose geographic location and AWS will not replicate it elsewhere unless you choose to do so
• Control format, accuracy and encryption any way that you choose
• Control who can access content
• Control content lifecycle and disposal
33. Your data stays where you put it
[Figure: world map of the 11 AWS Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), AWS GovCloud (US), SOUTH AMERICA (Sao Paulo), EU-WEST (Ireland), EU-CENTRAL (Frankfurt), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), CHINA (Beijing)]
34. Build resilience and durability everywhere
[Figure: the same world map of the 11 AWS Regions, labelled with 26 Availability Zones]
37. First class security and compliance starts (but doesn’t end!) with encryption
• Automatic encryption with managed keys
• Bring your own keys
• Dedicated hardware security modules
38. AWS Key Management Service
Encryption key management and compliance made easy
• One-click encryption
• Centralized key management (create, delete, view, set policies)
• Enforced, automatic key rotation
• Visibility into any changes via CloudTrail
39. Available, durable, and integrated with AWS Services
• Keys stored in HSMs
• Integrated with AWS Services
• Highly available and durable
44. You can also store your encryption keys in AWS CloudHSM
• SafeNet Luna SA managed and monitored by AWS, but you fully control and manage the keys
• Increase performance for applications that use HSMs for key storage or encryption
• Comply with stringent requirements for key protection
• You can also use your own HSMs in your own facilities
[Figure: an EC2 instance connected to AWS CloudHSM appliances]
46. Create your own private, isolated section of the AWS cloud
[Figure: a VPC spanning Availability Zone A and Availability Zone B]
AWS Virtual Private Cloud
• Provision a logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances
AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity
47. Segregate your VPC into subnets to create your architecture
[Figure: Web, App and DB subnets]
48. Each subnet has directional network access control lists
[Figure: Web, App and DB subnets, each with network ACL entries labelled Allow or Deny all traffic]
49. Each EC2 instance has five stateful security group firewalls
[Figure: Web, App and DB tiers with security group rules labelled Port 443 on the web and app tiers and Port 3306 on the DB tier]
50. Control which subnets can route to the Internet or on-premise
[Figure: Web subnet marked PUBLIC, App and DB subnets marked PRIVATE, with a REPLICATE ON-PREM link from the private tier]
51. You can securely share resources between VPCs
• Route traffic between VPCs in private and peer specific subnets between each VPC
• Even between AWS accounts
[Figure: AWS VPC Peering between Application Services VPCs (Digital Websites, Big Data Analytics, Enterprise Apps) and Common Services and Security Services VPCs]
52. You can connect resiliently and in private to your own datacentres
[Figure: YOUR AWS ENVIRONMENT (Digital Websites, Big Data Analytics, Dev and Test, Enterprise Apps) linked to YOUR PREMISES by AWS Direct Connect and by a VPN over the Internet]
53. Configure your environment as you like
[Figure: launch an instance from the EC2 AMI catalogue, configure the running instance, and the result is your instance; host controls layered on the operating system: user administration, whitelisting and integrity, malware and IPS, vulnerability management, audit and logging, hardening and configuration]
You get to apply your existing security policy
Create or import your own ‘gold’ images
• Import existing VMs to AWS or save your own custom images
Choose how to build your standard host security environment
Apply your existing host controls and configurations
56. Security is about how quickly you can protect
DevOps isn’t just for coders
• Make security be architecture rather than operations
• Automate security patch deployment
  • When a new patch is released
  • Understand if you need it (software manifest)
  • Build and deploy the patch in a test environment
  • Automatically test that the system still works
  • Promote to the live environment
== Patched as quickly as possible
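The "understand if you need it (software manifest)" step and the test-gated promotion, worked as an added example that is not the deck's own code. The advisory format, the host manifests and the numeric version scheme are assumptions constructed for the illustration.

```python
"""Added example, not code from the deck: decide from a software manifest
which hosts a newly released patch applies to, then build/test/promote
gated on the automated tests. Advisory, manifests and version scheme are
constructed."""
import re

def parse_version(v):
    """'4.3.30-2' -> (4, 3, 30, 2): numeric fields compare in order."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def hosts_needing_patch(advisory, manifests):
    """advisory = {'package': name, 'fixed_in': version}
    manifests = {host: {package: installed_version, ...}}
    Returns hosts where the package is present and older than the fix."""
    pkg, fixed = advisory["package"], parse_version(advisory["fixed_in"])
    return sorted(host for host, installed in manifests.items()
                  if pkg in installed and parse_version(installed[pkg]) < fixed)

def patch_pipeline(advisory, manifests, run_tests):
    """Walk the slide's steps. run_tests(advisory, hosts) stands in for the
    automated test suite of the test environment and returns True/False."""
    hosts = hosts_needing_patch(advisory, manifests)
    if not hosts:
        return {"status": "not_needed", "hosts": []}
    if not run_tests(advisory, hosts):   # build or test failed: do not promote
        return {"status": "held_in_test", "hosts": hosts}
    return {"status": "promoted_to_live", "hosts": hosts}

# Constructed sample data (hypothetical hosts and versions).
ADVISORY = {"package": "bash", "fixed_in": "4.3.30-1"}
MANIFESTS = {
    "web1": {"bash": "4.3.25-2", "openssl": "1.0.1m"},   # older: needs the patch
    "app1": {"bash": "4.3.30-1", "openssl": "1.0.1m"},   # already at the fix
    "db1": {"openssl": "1.0.1m"},                        # no bash installed
}
```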
57. Security is about detecting signs of an incident
CloudWatch Logs lets you grab everything and monitor activity
• When storage is cheap you might as well collect and keep your logs
• CloudWatch Logs makes it easy to capture any log and store it in a durable manner
• Integration with CloudWatch Metrics and Alarms means you can continually scan for events you know might be suspicious
IF (detect web attacker > 10 in a 1 minute period)
ALARM == TRUE == INCIDENT IN PROGRESS!
58. Security is about how quickly you can react
The first response should be your automation
• Trigger a workflow to act – automating the first line of response can markedly improve customers' time to react during incidents
• If == bad, limit functionality whilst investigating, e.g. go read-only or deny more user registration
• If badness > really bad, shut off internet connectivity until CERT can investigate
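The detection rule from the previous slide (more than 10 detected web-attacker events in a one-minute period raises the alarm) and the graded first response from this slide, run over constructed access log lines. This is an added example, not code from the deck; the log format, the probe paths that count as attacker activity and the "really bad" threshold are assumptions.

```python
"""Added example, not code from the deck: the rule
IF (detect web attacker > 10 in a 1 minute period) -> ALARM run over
constructed Apache-style log lines, then the graded first response."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumption: paths a legitimate user of this (constructed) site never requests.
PROBE_PATHS = ("/wp-login.php", "/admin", "/phpmyadmin", "/.env")

def parse(line):
    """Return (ip, timestamp, path, status) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def suspicious_counts(lines, window_seconds=60):
    """Per source IP, the highest number of failed probe requests seen in
    any single window (the slide's '1 minute period')."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, when, path, status = rec
        if status == 404 and path.startswith(PROBE_PATHS):
            buckets[ip][int(when.timestamp()) // window_seconds] += 1
    return {ip: max(b.values()) for ip, b in buckets.items()}

def alarm(counts, threshold=10):
    """ALARM == TRUE for every source exceeding the threshold in one window."""
    return {ip: n for ip, n in counts.items() if n > threshold}

def first_response(offenders, really_bad=50):
    """Automated first line of response: limit functionality while the
    team investigates; cut connectivity only when badness is really bad."""
    if not offenders:
        return "normal"
    worst = max(offenders.values())
    return "cut_internet_until_CERT" if worst > really_bad else "read_only_mode"

def sample_log():
    """Constructed input: one benign request, then 12 probes from one IP
    inside the same minute."""
    lines = ['203.0.113.9 - - [06/May/2015:10:00:01 +1000] '
             '"GET /index.html HTTP/1.1" 200 512']
    for i in range(12):
        lines.append(f'198.51.100.7 - - [06/May/2015:10:00:{i + 2:02d} +1000] '
                     f'"GET /admin/page{i} HTTP/1.1" 404 209')
    return lines
```

In CloudWatch terms, `suspicious_counts` is the metric filter and `alarm` the alarm threshold; `first_response` is the workflow the alarm would trigger.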
60. Innovations Are For Auditors Too
Auditing-centric services and features
• New: AWS Config
• New: AWS Key Management Service (AWS KMS)
• AWS Trusted Advisor checks
• Last AWS sign in
• AWS CloudTrail
• IAM Credential Reports
• Policies
62. Step 2: Get transparent governance
Fine-grained visibility and control for accounts, resources, data
• Geographic data locality: control over regional replication
• Fine-grained access control: policies, resource-level permissions, temporary credentials
• In-depth logging: AWS CloudTrail and Config
• Visibility into resources and usage: service Describe* APIs and AWS CloudWatch
• Control over deployment: AWS CloudFormation
63. Step 3: Get evidence you can audit
• Many compliance audits require access to the state of your systems at arbitrary times (e.g. PCI, HIPAA)
• A complete inventory of all resources and their configuration attributes is available for any point in time
69. Security is Job Zero
YOU ARE BETTER OFF IN AWS THAN YOU ARE IN YOUR OWN ENVIRONMENT
– “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
– Tom Soderstrom, CTO, NASA JPL
– Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
70. Resources for You
• aws.amazon.com/compliance
• Self-paced labs (Qwiklabs)
https://run.qwiklab.com/
– Auditing Your AWS Security Architecture
• aws.amazon.com/security
– Special Australian Government iRAP guidance coming soon!
– Best practices and operational checklists
– Architectural guidance
– Detailed security information about the AWS services