AWS Government, Education, &
Nonprofits Symposium

Canberra, Australia | May 6, 2015
Stephen Quigg
Principal Solutions Architect, APAC
Amazon Web Services
Security and Compliance in the Cloud
SECURITY IS JOB ZERO
Security is Job Zero
• Network Security
• Physical Security
• Platform Security
• People & Procedures
HOW DOES AWS PRACTICE SECURITY?
The practice of security at AWS is
different, but the outcome is familiar:
So what does your security team look like?
• Operations
• Engineering
• Application Security
• Compliance
Our Culture:
Measure constantly, report regularly, and hold senior executives accountable for security – have them drive the right culture
Our Culture:
Test, CONSTANTLY
• Inside/outside
• Privileged/unprivileged
• Black-box/white-box
• Vendor/self
Simple Security Controls
Easy to Get Right
Easy to Audit
[Diagram: from "This" to "To This"]
SECURITY IS SHARED
Build everything on a constantly improving security baseline
GxP, ISO 13485, AS9100, ISO/TS 16949
[Diagram: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)]
AWS is responsible for the security OF the Cloud
[Diagram: shared responsibility model]
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the Cloud:
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Customer applications & content
Security is shared between AWS and its customers
[Diagram: shared responsibility model, repeated]
The AWS platform has been iRAP assessed and certified
Customers get their own solutions and configurations assessed
AWS is certified by the ASD for unclassified DLM
[Diagram: shared responsibility model, repeated]
The AWS platform has been iRAP assessed and certified
Meet your own individual departmental needs
We have many Government customers in Australia
SECURITY IS FAMILIAR
Security is Familiar
• We strive to make security at AWS as familiar as
what you are doing right now
– Visibility
– Auditability
– Controllability
– Agility
VISIBILITY
HOW OFTEN DO YOU MAP YOUR NETWORK?
WHAT’S IN YOUR ENVIRONMENT RIGHT NOW?
Trusted Advisor checks your account
Security is Visible
• Who is accessing the resources?
• Who took what action?
– When?
– From where?
– What did they do?
– Logs Logs Logs
You are making API calls… on a growing set of services around the world… AWS CloudTrail is continuously recording API calls… and delivering log files to you
[Diagram: AWS CloudTrail recording calls to services such as Redshift, AWS CloudFormation and AWS Elastic Beanstalk]
AWS Config tells you what has changed
AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
[Diagram: changing resources → AWS Config continuous change recording → History, Stream, Snapshot (ex. 2014-11-05)]
Use cases enabled by Config
• Security Analysis: Am I safe?
• Audit Compliance: Where is the evidence?
• Change Management: What will this change affect?
• Troubleshooting: What has changed?
What will this change affect?
• When your resources are created, updated, or deleted, these configuration changes are streamed to Amazon SNS
• Relationships between resources are understood, so that you can proactively assess change impact
What changed?
• It is critical to be able to quickly answer “What has changed?”
• You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files
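An added illustration of the two questions above (what changed, and what a change will affect); it is not AWS Config's own code or schema. It diffs two constructed configuration snapshots into a change stream and walks recorded relationships to find dependent resources. Resource ids, attributes and the relationship model are assumptions.

```python
"""What AWS Config does, in miniature: turn two point-in-time snapshots into a
change stream, then walk recorded relationships to answer "what will this
change affect?".  Ids, attributes and relationships are constructed sample
data, not AWS Config's own schema."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Resource:
    resource_type: str                  # e.g. "AWS::EC2::SecurityGroup"
    configuration: Dict[str, str]       # attribute -> value as recorded
    related_to: Tuple[str, ...] = ()    # ids of resources this one references


@dataclass
class ChangeRecord:
    resource_id: str
    change_type: str                    # "CREATE", "UPDATE" or "DELETE"
    # attribute -> (old value, new value); None marks an absent attribute
    changed: Dict[str, Tuple[Optional[str], Optional[str]]] = field(default_factory=dict)


# Snapshot taken first (constructed; stands in for the deck's 2014-11-05 example).
BEFORE: Dict[str, Resource] = {
    "sg-web": Resource("AWS::EC2::SecurityGroup",
                       {"ingress": "tcp/443 from 0.0.0.0/0", "vpc": "vpc-main"}),
    "sg-db": Resource("AWS::EC2::SecurityGroup",
                      {"ingress": "tcp/3306 from sg-app", "vpc": "vpc-main"}),
    "i-web": Resource("AWS::EC2::Instance", {"state": "running", "ami": "ami-gold-v1"},
                      related_to=("sg-web", "subnet-public")),
    "vol-web": Resource("AWS::EC2::Volume", {"encrypted": "true"}, related_to=("i-web",)),
}

# Later snapshot: sg-web gained an ingress rule, vol-web is gone, a subnet appeared.
AFTER: Dict[str, Resource] = {
    "sg-web": Resource("AWS::EC2::SecurityGroup",
                       {"ingress": "tcp/443 from 0.0.0.0/0; tcp/22 from 0.0.0.0/0",
                        "vpc": "vpc-main"}),
    "sg-db": BEFORE["sg-db"],
    "i-web": BEFORE["i-web"],
    "subnet-private-b": Resource("AWS::EC2::Subnet", {"cidr": "10.0.2.0/24"}),
}


def diff_snapshots(before: Dict[str, Resource], after: Dict[str, Resource]) -> List[ChangeRecord]:
    """One ChangeRecord per resource whose configuration differs between snapshots."""
    changes: List[ChangeRecord] = []
    for rid in sorted(set(before) | set(after)):
        old, new = before.get(rid), after.get(rid)
        if old is None:
            changes.append(ChangeRecord(rid, "CREATE",
                                        {k: (None, v) for k, v in new.configuration.items()}))
        elif new is None:
            changes.append(ChangeRecord(rid, "DELETE",
                                        {k: (v, None) for k, v in old.configuration.items()}))
        else:
            keys = sorted(set(old.configuration) | set(new.configuration))
            diffs = {k: (old.configuration.get(k), new.configuration.get(k))
                     for k in keys if old.configuration.get(k) != new.configuration.get(k)}
            if diffs:
                changes.append(ChangeRecord(rid, "UPDATE", diffs))
    return changes


def impacted_resources(snapshot: Dict[str, Resource], resource_id: str) -> List[str]:
    """Ids of resources that depend, directly or transitively, on resource_id."""
    dependents: Dict[str, List[str]] = {}
    for rid, res in snapshot.items():
        for target in res.related_to:
            dependents.setdefault(target, []).append(rid)
    seen, stack = set(), [resource_id]
    while stack:
        for child in dependents.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return sorted(seen)


def security_group_openings(changes: List[ChangeRecord]) -> List[str]:
    """Ids whose recorded ingress rules gained an entry: the change to review first."""
    flagged = []
    for c in changes:
        if c.change_type != "UPDATE" or "ingress" not in c.changed:
            continue
        old, new = c.changed["ingress"]
        old_rules = set(old.split("; ")) if old else set()
        new_rules = set(new.split("; ")) if new else set()
        if new_rules - old_rules:
            flagged.append(c.resource_id)
    return flagged
```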
Integrated Support from Our Partner Ecosystem
CONTROL
CONTROL OF YOUR DATA
You are in control of privacy
Choose geographic location and AWS will not replicate it elsewhere unless you choose to do so
Control format, accuracy and encryption any way that you choose
Control who can access content
Control content lifecycle and disposal
Customers retain full ownership and control of their content
Your data stays where you put it
11 AWS Regions: US-WEST (Oregon), EU-WEST (Ireland), ASIA PAC (Tokyo), US-WEST (N. California), SOUTH AMERICA (Sao Paulo), US-EAST (Virginia), AWS GovCloud (US), ASIA PAC (Sydney), ASIA PAC (Singapore), CHINA (Beijing), EU-CENTRAL (Frankfurt)
Build resilience and durability everywhere: 26 Availability Zones
Cache content close to your customers: 53 CloudFront Edge locations
[Diagram: transit providers, an AWS region and AWS edge locations, with Route 53 and CloudFront]
Exploit the resilience of an AWS Region
First class security and compliance starts (but doesn’t end!) with encryption
• Automatic encryption with managed keys
• Bring your own keys
• Dedicated hardware security modules
AWS Key Management Service
• One-click Encryption
• Centralized key management (create, delete, view, set policies)
• Enforced, automatic key rotation
• Visibility into any changes via CloudTrail
Encryption key management and compliance made easy
Available, durable, and integrated with AWS Services: keys stored in HSMs, integrated with AWS Services, highly available and durable
AWS Key Management Service is integrated with the AWS IAM Console, Amazon EBS, Amazon S3 and Amazon Redshift
AWS CloudHSM
• SafeNet Luna SA managed and monitored by AWS, but you fully control and manage the keys
• Increase performance for applications that use HSMs for key storage or encryption
• Comply with stringent requirements for key protection
• You can also use your own HSMs in your own facilities
[Diagram: EC2 Instance connected to AWS CloudHSM]
You can also store your Encryption Keys in AWS CloudHSM
CONTROL OF YOUR INFRASTRUCTURE
Create your own private, isolated section of the AWS cloud
[Diagram: a VPC spanning Availability Zone A and Availability Zone B]
AWS Virtual Private Cloud
• Provision a logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances
AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity
Segregate your VPC into subnets to create your architecture
[Diagram: Web, App and DB subnets]
Each subnet has directional network access control lists
[Diagram: network ACLs allowing traffic between the Web, App and DB tiers and denying all other traffic]
Each EC2 instance has five stateful security group firewalls
[Diagram: security groups allowing port 443 to the Web tier and port 3306 to the DB tier]
Control which subnets can route to the Internet or on-premise
[Diagram: a PUBLIC Web subnet, PRIVATE App and DB subnets, and on-prem application services replicated into the VPC]
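An added example, not from the deck, of the distinction the two slides above draw between a subnet's stateless network ACL and an instance's stateful security group: the ACL needs an explicit outbound rule for reply traffic, the security group admits the reply on its own. Subnet CIDRs, rule numbers, hosts and ports are constructed.

```python
"""Stateless network ACLs versus stateful security groups.  A network ACL is an
ordered rule list evaluated per packet in each direction, so the reply to an
admitted request needs its own outbound rule; a security group remembers the
admitted connection and lets the reply through.  CIDRs, rule numbers and
ports below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

EPHEMERAL = (1024, 65535)       # port range AWS documents for return traffic


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclRule:
    number: int                 # evaluated in ascending order; first match wins
    action: str                 # "allow" or "deny"
    cidr: str                   # remote side: source if inbound, destination if outbound
    ports: Tuple[int, int]      # inclusive destination-port range
    proto: str = "tcp"


def _matches(cidr, ports, proto, ip, port, p_proto) -> bool:
    """Does a (cidr, port range, proto) rule cover this side of the packet?"""
    return proto == p_proto and ports[0] <= port <= ports[1] and ip_address(ip) in ip_network(cidr)


class NetworkAcl:
    """Stateless: the inbound and outbound lists are evaluated independently."""

    def __init__(self, inbound: List[AclRule], outbound: List[AclRule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules: List[AclRule], remote_ip: str, port: int, proto: str) -> bool:
        for r in rules:
            if _matches(r.cidr, r.ports, r.proto, remote_ip, port, proto):
                return r.action == "allow"
        return False            # the implicit "* deny" at the end of every ACL

    def allows_inbound(self, p: Packet) -> bool:
        return self._evaluate(self.inbound, p.src, p.dst_port, p.proto)

    def allows_outbound(self, p: Packet) -> bool:
        return self._evaluate(self.outbound, p.dst, p.dst_port, p.proto)


class SecurityGroup:
    """Stateful: inbound allow rules plus connection tracking.  A reply to an
    admitted connection passes with no outbound rule at all.  (Checking new
    outbound connections against outbound rules is omitted here.)"""

    def __init__(self, inbound_allow: List[Tuple[str, Tuple[int, int], str]]):
        self.inbound_allow = inbound_allow      # (cidr, port range, proto)
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def allows_inbound(self, p: Packet) -> bool:
        for cidr, ports, proto in self.inbound_allow:
            if _matches(cidr, ports, proto, p.src, p.dst_port, p.proto):
                self.connections.add((p.src, p.src_port, p.dst, p.dst_port))
                return True
        return False

    def allows_outbound(self, p: Packet) -> bool:
        # The reply's 4-tuple is the mirror image of the tracked connection.
        return (p.dst, p.dst_port, p.src, p.src_port) in self.connections


APP_SUBNET = "10.0.1.0/24"

# DB subnet ACL as first written: MySQL in from the App tier, nothing outbound
# but the implicit deny.  The request is admitted; the reply is dropped.
DB_ACL_NO_EPHEMERAL = NetworkAcl(
    inbound=[AclRule(100, "allow", APP_SUBNET, (3306, 3306))],
    outbound=[])

# Corrected ACL: replies may go back to the App tier's ephemeral ports, and a
# lower-numbered deny rule blocks one App host (first match wins).
DB_ACL_FIXED = NetworkAcl(
    inbound=[AclRule(50, "deny", "10.0.1.99/32", (3306, 3306)),
             AclRule(100, "allow", APP_SUBNET, (3306, 3306))],
    outbound=[AclRule(100, "allow", APP_SUBNET, EPHEMERAL)])

DB_SG = SecurityGroup(inbound_allow=[(APP_SUBNET, (3306, 3306), "tcp")])


def db_connection_allowed(acl: NetworkAcl, sg: SecurityGroup,
                          app_host: str = "10.0.1.10") -> Tuple[bool, bool]:
    """An App host opens a MySQL connection to a DB host.  Returns whether the
    whole exchange (request in, reply out) passes the ACL and the security group."""
    request = Packet(app_host, 49152, "10.0.2.20", 3306)
    reply = Packet("10.0.2.20", 3306, app_host, 49152)
    acl_ok = acl.allows_inbound(request) and acl.allows_outbound(reply)
    sg_ok = sg.allows_inbound(request) and sg.allows_outbound(reply)
    return acl_ok, sg_ok
```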
You can securely share resources between VPCs
[Diagram: AWS VPC Peering between Digital Websites, Big Data Analytics, Enterprise Apps, Common Services and Security Services VPCs]
Route traffic between VPCs in private and peer specific subnets between each VPC
Even between AWS accounts
You can connect resiliently and in private to your own datacentres
[Diagram: YOUR AWS ENVIRONMENT (Digital Websites, Big Data Analytics, Dev and Test, Enterprise Apps) linked to YOUR PREMISES by AWS Direct Connect and by VPN over the Internet]
[Diagram: Launch instance → EC2 AMI catalogue → Running instance → Configure instance → Your instance]
Operating system:
• Hardening and configuration
• Audit and logging
• Vulnerability management
• Malware and IPS
• Whitelisting and integrity
• User administration
Configure your environment as you like
You get to apply your existing security policy
Create or import your own ‘gold’ images
• Import existing VMs to AWS or save your own custom images
Choose how to build your standard host security environment
Apply your existing host controls and configurations
SECURITY THROUGH AGILITY
As AWS innovates you get to innovate
Security is about how quickly you can protect
DevOps isn’t just for coders
• Make security be architecture rather than operations
• Automate security patch deployment
– When new patch released
– Understand if you need it (software manifest)
– Build and deploy patch in test environment
– Automatically test the system still works
– Promote to live environment
== Patched as quickly as possible
Security is about detecting signs of an incident
CloudWatch Logs lets you grab everything and monitor activity
• When storage is cheap you might as well collect and keep your logs
• CloudWatch Logs makes it easy to capture any log and store it in a durable manner
• Integration with CloudWatch Metrics and Alarms means you can continually scan for events you know might be suspicious
IF (detect web attacker > 10 in a 1 minute period)
ALARM == TRUE == INCIDENT IN PROGRESS!
Security is about how quickly you can react
The first response should be your automation
• Trigger workflow to act: automating the first line of response can markedly improve customers' time to react during incidents
• If == bad, limit functionality whilst investigating, e.g. go read-only or deny more user registration
• If badness > really bad, shut off internet connectivity until CERT can investigate
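The detect, alarm and automate-the-first-response pattern from the two slides above, as an added example that is not from the deck and does not use CloudWatch's own filter syntax: a metric filter counts detections per one-minute window over constructed log lines, a window above the slide's threshold of 10 trips the alarm, and the alarm maps to a first automated response. The log format, the "web-attacker" token the application is assumed to write, and the severe threshold are assumptions.

```python
"""A CloudWatch Logs style metric filter and alarm, run offline: count lines
matching a filter term per one-minute window, raise ALARM when a window exceeds
the slide's threshold (> 10 in 1 minute), and map the alarm to an automated
first response.  Log format, the "web-attacker" token the application writes,
and the severe threshold are assumptions; this is not CloudWatch syntax."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<msg>.*)$")
FILTER_TERM = "web-attacker"      # the term a metric filter would match on
ALARM_THRESHOLD = 10              # the slide's "> 10 in a 1 minute period"
SEVERE_THRESHOLD = 100            # constructed level for cutting connectivity


def constructed_log() -> List[str]:
    """Sample application log: 3 detections in one minute, 12 in the next."""
    lines = ["2015-05-06T02:14:03Z INFO request path=/ status=200"]
    lines += [f"2015-05-06T02:14:{10 + i:02d}Z WARN web-attacker src=203.0.113.7 path=/login status=403"
              for i in range(3)]
    lines += [f"2015-05-06T02:15:{s:02d}Z WARN web-attacker src=203.0.113.7 path=/admin status=403"
              for s in range(0, 48, 4)]
    lines.append("2015-05-06T02:16:01Z INFO request path=/ status=200")
    return lines


def metric_per_minute(lines: List[str], term: str = FILTER_TERM) -> Dict[str, int]:
    """One data point per minute window: number of lines whose message contains term."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or term not in m["msg"]:
            continue                  # unparseable or not a detection: no data point
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        counts[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)


def alarm_periods(points: Dict[str, int], threshold: int = ALARM_THRESHOLD) -> List[Tuple[str, int]]:
    """Windows in ALARM state: count strictly above the threshold."""
    return sorted((w, n) for w, n in points.items() if n > threshold)


def first_response(count: int) -> str:
    """Automated first line of response: limit functionality while investigating,
    and cut external connectivity only when far beyond the alarm level."""
    if count > SEVERE_THRESHOLD:
        return "isolate: remove the internet route until CERT has investigated"
    if count > ALARM_THRESHOLD:
        return "degrade: switch the application to read-only, deny new registrations"
    return "none"


def run(lines: List[str]) -> List[Tuple[str, int, str]]:
    """(window, count, response) for every window that tripped the alarm."""
    return [(w, n, first_response(n)) for w, n in alarm_periods(metric_per_minute(lines))]
```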
AUDIT EVERYTHING
Innovations Are For Auditors Too
Auditing-centric services and features
• New: AWS Config
• New: AWS Key Management Service (AWS KMS)
• AWS Trusted Advisor checks
• Last AWS sign in
• AWS CloudTrail
• IAM Credential Reports
• Policies
Step 1: Get an AWS User Account
Fine-grained visibility and control for accounts, resources, data
• Geographic data locality: control over regional replication
• Fine-grained access control: policies, resource level permissions, temporary credentials
• In-depth logging: AWS CloudTrail and Config
• Visibility into resources and usage: service Describe* APIs and AWS CloudWatch
• Control over deployment: AWS CloudFormation
Step 2: Get transparent governance
Step 3: Get evidence you can audit
• Many compliance audits require access to the state of your systems at arbitrary times (e.g. PCI, HIPAA)
• A complete inventory of all resources and their configuration attributes is available for any point in time
Ways to Inventory Assets
• Last AWS Sign In
• AWS CloudTrail
• IAM Credential Reports
• Policies
Security is Job Zero
YOU ARE BETTER OFF IN AWS THAN YOU ARE IN YOUR OWN ENVIRONMENT
– “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
-Tom Soderstrom, CTO, NASA JPL
– Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
Resources for You
• aws.amazon.com/compliance
• Self-paced labs (Qwiklabs): https://run.qwiklab.com/
– Auditing Your AWS Security Architecture
• aws.amazon.com/security
– Special Australian Government iRAP guidance coming soon!
– Best practices and operational checklists
– Architectural guidance
– Detailed security information about the AWS services
Thank You

  • 8. Simple Security Controls Easy to Get Right Easy to Audit
  • 11. Build everything on a constantly improving security baseline GxP ISO 13485 AS9100 ISO/TS 16949 AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations AWS is responsible for the security OF the Cloud
  • 12. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network, & Firewall Configuration Customer applications & content Customers have their choice of security configurations IN the Cloud AWS is responsible for the security OF the Cloud Security is shared between AWS and its customers Customers
  • 13. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network, & Firewall Configuration Customer applications & content Customers get their own solutions and configurations assessed The AWS platform has been iRAP assessed and certified AWS is certified by the ASD for unclassified DLM Customers
  • 14. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Meet your own individual departmental needs We have many Government customers in Australia AWS Foundation Services Customers The AWS platform has been iRAP assessed and certified
  • 16. Security is Familiar • We strive to make security at AWS as familiar as what you are doing right now – Visibility – Auditability – Controllability – Agility
  • 18. VISIBILITY HOW OFTEN DO YOU MAP YOUR NETWORK? WHAT’S IN YOUR ENVIRONMENT RIGHT NOW?
  • 19.
  • 20.
  • 21. Trusted Advisor checks your account
  • 22. Security is Visible • Who is accessing the resources? • Who took what action? – When? – From where? – What did they do? – Logs Logs Logs
  • 23. You are making API calls... On a growing set of services around the world… AWS CloudTrail is continuously recording API calls… And delivering log files to you AWS CLOUDTRAIL Redshift AWS CloudFormation AWS Elastic Beanstalk
  • 24. AWS Config tells you what has changed AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
  • 25. Continuous Change Recording Changing Resources AWS Config History Stream Snapshot (ex. 2014-11-05) AWS Config
  • 26. Use cases enabled by Config • Security Analysis: Am I safe? • Audit Compliance: Where is the evidence? • Change Management: What will this change affect? • Troubleshooting: What has changed?
  • 27. What will this change affect? • When your resources are created, updated, or deleted, these configuration changes are streamed to Amazon SNS • Relationships between resources are understood, so that you can proactively assess change impact
  • 28. What changed? • It is critical to be able to quickly answer “What has changed?” • You can quickly identify the recent configuration changes to your resources by using the console or by building custom integrations with the regularly exported resource history files
  • 29. Integrated Support from Our Partner Ecosystem
  • 32. You are in control of privacy Choose geographic location and AWS will not replicate it elsewhere unless you choose to do so Control format, accuracy and encryption any way that you choose Control who can access content Control content lifecycle and disposal Customers retain full ownership and control of their content
  • 33. US-WEST (Oregon) EU-WEST (Ireland) ASIA PAC (Tokyo) US-WEST (N. California) SOUTH AMERICA (Sao Paulo) US-EAST (Virginia) AWS GovCloud (US) ASIA PAC (Sydney) ASIA PAC (Singapore) CHINA (Beijing) EU-CENTRAL (Frankfurt) Your data stays where you put it 11 AWS Regions
  • 34. US-WEST (Oregon) EU-WEST (Ireland) ASIA PAC (Tokyo) US-WEST (N. California) SOUTH AMERICA (Sao Paulo) US-EAST (Virginia) AWS GovCloud (US) ASIA PAC (Sydney) ASIA PAC (Singapore) CHINA (Beijing) EU-CENTRAL (Frankfurt) Build resilience and durability everywhere 26 Availability Zones
  • 35. Cache content close to your customers 53 CloudFront Edge locations
  • 37. First class security and compliance starts (but doesn’t end!) with encryption Automatic encryption with managed keys Bring your own keys Dedicated hardware security modules
  • 38. AWS Key Management Service One-click Encryption Centralized key management (create, delete, view, set policies) Enforced, automatic key rotation Visibility into any changes via CloudTrail Encryption key management and compliance made easy
  • 39. Available, durable, and integrated with AWS Services Keys stored in HSMs Integrated with AWS Services Highly Available and durable
  • 40. AWS Key Management Service Integrated with AWS IAM Console
  • 41. AWS Key Management Service Integrated with Amazon EBS
  • 42. AWS Key Management Service Integrated with Amazon S3
  • 43. AWS Key Management Service Integrated with Amazon Redshift
  • 44. • SafeNet Luna SA managed and monitored by AWS, but you fully control and manage the keys • Increase performance for applications that use HSMs for key storage or encryption • Comply with stringent requirements for key protection • You can also use your own HSMs in your own facilities EC2 Instance AWS CloudHSM AWS CloudHSM You can also store your Encryption Keys in AWS CloudHSM
  • 45. CONTROL OF YOUR INFRASTRUCTURE
  • 46. Create your own private, isolated section of the AWS cloud AvailabilityZoneA AvailabilityZoneB AWS Virtual Private Cloud • Provision a logically isolated section of the AWS cloud • You choose a private IP range for your VPC • Segment this into subnets to deploy your compute instances AWS network security • AWS network will prevent spoofing and other common layer 2 attacks • You cannot sniff anything but your own EC2 host network interface • Control all external routing and connectivity
  • 47. Segregate your VPC into subnets to create your architecture Web App DB Web
  • 48. Each subnet has directional network access control lists App DB Web Web Allow Deny all traffic Allow Allow
  • 49. Each EC2 instance has five stateful security group firewalls App DB Port 3306 Web Web Port 443 Port 443 Port 443 Port 443 Port 443
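Slides 48 and 49 contrast two filtering layers: a subnet network ACL is directional and stateless (each direction is judged on its own, numbered rules are evaluated in order and the first match wins), while an instance security group is stateful (only allow rules, and replies to permitted traffic pass automatically). The following is an added illustration written for this page, not code from the deck or from AWS: a small model of both layers applied to constructed packets. The rule numbers, CIDRs, ports and the `web_acl`/`web_sg` helpers are assumptions chosen to show the behaviour, in particular why an ACL without an ephemeral-port outbound rule silently drops the HTTPS reply even though the security group is fine.

```python
"""Stateless network ACL vs. stateful security group, modelled on constructed packets.

Added example, not from the original presentation. Rule numbers, CIDRs and
port ranges below are assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class AclRule:
    number: int     # evaluated in ascending order; the first match decides
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    port_lo: int
    port_hi: int
    allow: bool


class NetworkAcl:
    """Subnet-level filter. Stateless: inbound and outbound are judged
    independently, so return traffic needs its own (ephemeral-port) rule."""

    def __init__(self, inbound: List[AclRule], outbound: List[AclRule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules: List[AclRule], addr: str, port: int) -> bool:
        for r in rules:
            if ip_address(addr) in ip_network(r.cidr) and r.port_lo <= port <= r.port_hi:
                return r.allow
        return False  # the implicit "*" rule denies anything unmatched

    def allows_inbound(self, p: Packet) -> bool:
        return self._first_match(self.inbound, p.src, p.dst_port)

    def allows_outbound(self, p: Packet) -> bool:
        return self._first_match(self.outbound, p.dst, p.dst_port)


class SecurityGroup:
    """Instance-level filter. Stateful: only allow rules exist, every rule is
    checked, and replies to a permitted flow are allowed automatically."""

    def __init__(self, inbound: List[Tuple[str, int, int]],
                 outbound: Optional[List[Tuple[str, int, int]]] = None):
        self.inbound = inbound            # (source CIDR, port_lo, port_hi)
        self.outbound = outbound or []    # left empty here to make statefulness visible
        self._flows: Set[Tuple[str, int, str, int]] = set()  # connection table

    @staticmethod
    def _any_match(rules, addr: str, port: int) -> bool:
        return any(ip_address(addr) in ip_network(c) and lo <= port <= hi
                   for c, lo, hi in rules)

    def allows_inbound(self, p: Packet) -> bool:
        if self._any_match(self.inbound, p.src, p.dst_port):
            self._flows.add((p.src, p.src_port, p.dst, p.dst_port))
            return True
        return False

    def allows_outbound(self, p: Packet) -> bool:
        is_reply = (p.dst, p.dst_port, p.src, p.src_port) in self._flows
        return is_reply or self._any_match(self.outbound, p.dst, p.dst_port)


def https_round_trip(acl: NetworkAcl, sg: SecurityGroup, client: str,
                     client_port: int, server: str, port: int = 443) -> Tuple[bool, bool]:
    """(request_allowed, reply_allowed) for one client->server connection.
    The request passes ACL then security group; the reply passes security
    group then ACL on the way back out of the subnet."""
    request = Packet(client, server, client_port, port)
    reply = Packet(server, client, port, client_port)
    if not (acl.allows_inbound(request) and sg.allows_inbound(request)):
        return False, False
    return True, sg.allows_outbound(reply) and acl.allows_outbound(reply)


def web_acl(with_ephemeral_rule: bool = True) -> NetworkAcl:
    """Constructed 'web' subnet ACL: HTTPS in from anywhere except one blocked
    range, plus (optionally) ephemeral ports out so that responses can leave."""
    inbound = [
        AclRule(90, "198.51.100.0/24", 443, 443, allow=False),  # lower number: deny wins
        AclRule(100, "0.0.0.0/0", 443, 443, allow=True),
    ]
    outbound = [AclRule(100, "0.0.0.0/0", 1024, 65535, allow=True)] if with_ephemeral_rule else []
    return NetworkAcl(inbound, outbound)


def web_sg() -> SecurityGroup:
    """Constructed web-tier security group: HTTPS from anywhere, nothing else."""
    return SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)])


if __name__ == "__main__":
    print("correct ACL  :", https_round_trip(web_acl(True), web_sg(), "203.0.113.10", 51515, "10.0.1.20"))
    print("no ephemeral :", https_round_trip(web_acl(False), web_sg(), "203.0.113.10", 51515, "10.0.1.20"))
    print("blocked range:", https_round_trip(web_acl(True), web_sg(), "198.51.100.7", 51515, "10.0.1.20"))
```

The second line of output is the case worth remembering when a subnet "mysteriously" cannot answer: the request arrives, the instance firewall is happy, and the reply dies at the stateless ACL.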
  • 50. Control which subnets can route to the Internet or on-premise App DB Web Web PUBLIC PRIVATE PRIVATE REPLICATE ON-PREM
  • 51. Application Services You can securely share resources between VPCs Digital Websites Big Data Analytics Enterprise Apps Route traffic between VPCs in private and peer specific subnets between each VPC Even between AWS accounts Common Services Security Services AWS VPC Peering
  • 52. You can connect resiliently and in private to your own datacentres YOUR AWS ENVIRONMENT AWS Direct Connect YOUR PREMISES Digital Websites Big Data Analytics Dev and Test Enterprise Apps AWS Internet VPN
  • 53. Launch instance EC2 AMI catalogue Running instance Your instance Hardening and configuration Audit and logging Vulnerability management Malware and IPS Whitelisting and integrity User administration Operating system Configure instance Configure your environment as you like You get to apply your existing security policy Create or import your own ‘gold’ images • Import existing VMs to AWS or save your own custom images Choose how to build your standard host security environment Apply your existing host controls and configurations
  • 55. As AWS innovates you get to innovate
  • 56. Security is about how quickly you can protect DevOps isn’t just for coders • Make security be architecture rather than operations • Automate security patch deployment • When new patch released • Understand if you need it (software manifest) • Build and deploy patch in test environment • Automatically test the system still works • Promote to live environment == Patched as quickly as possible
  • 57. Security is about detecting signs of an incident CloudWatch Logs lets you grab everything and monitor activity • When storage is cheap you might as well collect and keep your logs • CloudWatch Logs makes it easy to capture any log and store it in a durable manner • Integration with CloudWatch Metrics and Alarms means you can continually scan for events you know might be suspicious IF (detect web attacker > 10 in a 1 minute period) ALARM == TRUE == INCIDENT IN PROGRESS!
  • 58. Security is about how quickly you can react The first response should be your automation • Trigger workflow to act - automating the first line of response can markedly improve customers' time to react during incidents • If == bad limit functionality whilst investigating, e.g. go read only or deny more user registration • If badness > really bad shut off internet connectivity until CERT can investigate
  • 60. Innovations Are For Auditors Too Auditing-centric services and features • New: AWS Config • New: AWS Key Management Service (AWS KMS) • AWS Trusted Advisor checks • Last AWS sign in • AWS CloudTrail • IAM Credential Reports • Policies
  • 61. Step 1: Get an AWS User Account
  • 62. Geographic data locality Control over regional replication Policies, resource level permissions, temporary credentials Fine-grained access control In-depth logging AWS CloudTrail and Config Fine-grained visibility and control for accounts, resources, data Visibility into resources and usage Service Describe* APIs and AWS CloudWatch Control over deployment AWS CloudFormation Step 2: Get transparent governance
  • 63. Step 3: Get evidence you can audit • Many compliance audits require access to the state of your systems at arbitrary times (e.g. PCI, HIPAA) • A complete inventory of all resources and their configuration attributes is available for any point in time
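Slides 25, 27, 28 and 63 describe the model behind AWS Config: a continuous stream of configuration changes from which a snapshot at any point in time, a "what changed?" list, and a "what will this change affect?" relationship lookup can all be derived. As an added example for this page (not the deck's code and not the AWS Config file format), the block below implements those three questions over a constructed change history. The record shape, resource ids and timestamps are assumptions; the point is that once every change is recorded with its time, the auditor's "state at an arbitrary time" is a replay, not a guess.

```python
"""Point-in-time inventory, change listing and impact lookup from a change stream.

Added example, not from the original presentation and not the real AWS
Config record format. History below is constructed for illustration.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# (timestamp, resource id, resource type, configuration; None means deleted)
ChangeRecord = Tuple[datetime, str, str, Optional[dict]]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


CONSTRUCTED_HISTORY: List[ChangeRecord] = [
    (ts("2014-11-01T08:00:00"), "sg-web", "SecurityGroup",
     {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}),
    (ts("2014-11-02T10:30:00"), "i-web1", "Instance",
     {"subnet": "subnet-web", "sgs": ["sg-web"]}),
    (ts("2014-11-04T17:45:00"), "sg-web", "SecurityGroup",          # SSH opened to the world
     {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}]}),
    (ts("2014-11-06T09:00:00"), "sg-web", "SecurityGroup",          # and closed again
     {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]}),
    (ts("2014-11-07T12:00:00"), "i-web1", "Instance", None),        # instance terminated
]


def snapshot(history: List[ChangeRecord], at: datetime) -> Dict[str, dict]:
    """Inventory as it stood at `at`: replay every record up to that instant."""
    state: Dict[str, dict] = {}
    for when, rid, rtype, cfg in sorted(history, key=lambda r: r[0]):
        if when > at:
            break
        if cfg is None:
            state.pop(rid, None)
        else:
            state[rid] = {"type": rtype, "config": cfg}
    return state


def change_log(history: List[ChangeRecord], start: datetime,
               end: datetime) -> List[Tuple[datetime, str, str]]:
    """Answer 'what has changed?' for an audit window as (when, id, kind)."""
    state: Dict[str, dict] = {}
    out: List[Tuple[datetime, str, str]] = []
    for when, rid, rtype, cfg in sorted(history, key=lambda r: r[0]):
        if when > end:
            break
        prev = state.get(rid)
        if cfg is None:
            state.pop(rid, None)
            kind = "deleted"
        else:
            state[rid] = {"type": rtype, "config": cfg}
            kind = "created" if prev is None else "modified"
        if when >= start:
            out.append((when, rid, kind))
    return out


def diff_snapshots(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, str]:
    """Per-resource verdict between two snapshots: added / removed / modified."""
    out: Dict[str, str] = {}
    for rid in set(before) | set(after):
        if rid not in before:
            out[rid] = "added"
        elif rid not in after:
            out[rid] = "removed"
        elif before[rid] != after[rid]:
            out[rid] = "modified"
    return out


def _references(obj, rid: str) -> bool:
    if isinstance(obj, str):
        return obj == rid
    if isinstance(obj, dict):
        return any(_references(v, rid) for v in obj.values())
    if isinstance(obj, list):
        return any(_references(v, rid) for v in obj)
    return False


def dependents(state: Dict[str, dict], rid: str) -> List[str]:
    """Answer 'what will this change affect?': resources whose configuration refers to rid."""
    return sorted(r for r, entry in state.items()
                  if r != rid and _references(entry["config"], rid))


if __name__ == "__main__":
    mid = snapshot(CONSTRUCTED_HISTORY, ts("2014-11-05T00:00:00"))
    print("state on 2014-11-05:", mid)
    print("depends on sg-web  :", dependents(mid, "sg-web"))
    for when, rid, kind in change_log(CONSTRUCTED_HISTORY, ts("2014-11-03T00:00:00"), ts("2014-11-08T00:00:00")):
        print(when.isoformat(), rid, kind)
```

The snapshot for 2014-11-05 is the kind of evidence an auditor asks for ("show me the web security group as it was on the 5th"), and it correctly shows the SSH rule that was open for two days even though the current state no longer has it.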
  • 69. Security is Job Zero YOU ARE BETTER OFF IN AWS THAN YOU ARE IN YOUR OWN ENVIRONMENT – “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.” -Tom Soderstrom, CTO, NASA JPL – Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations. Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
  • 70. Resources for You • aws.amazon.com/compliance • Self-paced labs (Qwiklabs) https://run.qwiklab.com/ – Auditing Your AWS Security Architecture • aws.amazon.com/security – Special Australian Government iRAP guidance coming soon! – Best practices and operational checklists – Architectural guidance – Detailed security information about the AWS services