1 | ©2015, Palo Alto Networks. Confidential and Proprietary.
Security on Amazon Web Services
Scott Ward – Solutions Architect, AWS
Why AWS?
• No Up-Front Capital Expense
• Low Cost – Only Pay For What You Use
• Self Service – Easily Scale Up and Down
• Agility and Flexibility
• Go Global in Minutes
• Security & Compliance
SECURITY IS JOB ZERO
Security is Job Zero
• Network Security
• Physical Security
• Platform Security
• People & Procedures
SECURITY IS SHARED
Security is shared between AWS and customers
[Figure: the shared responsibility model. AWS looks after the security of the platform: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations). Customers are responsible for their security IN the Cloud: Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client and Server Encryption; Encryption Key Management; Network Traffic Protection.]
Security is shared between AWS and customers
AWS (security of the platform):
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
Customers (security in the cloud):
• Customers configure AWS security features
• Get access to a mature vendor marketplace
• Can implement and manage their own controls as well as configure AWS features
What does AWS do in the Shared Responsibility Model?
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
What does the customer do in the Shared Responsibility Model?
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Service configuration
• Auth & acct management
• Authorization policies
Shared Responsibility – The Total Package
AWS: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Rich IAM capabilities
+ Customers: Network configuration; Security groups; OS firewalls; Operating systems; Application security; Service configuration; AuthN & acct management; Authorization policies
= More secure and compliant systems than any one entity could achieve on its own.
Amazon Virtual Private Cloud (VPC)
 Create a logically isolated environment in Amazon’s highly scalable infrastructure
 Specify your private IP address range into one or more public or private subnets
 Control inbound and outbound access to and from individual subnets
 Protect your instances with stateful filters for inbound and outbound traffic
 Expose instances in your VPC for public internet access
 Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted IPsec VPN connection
VPC Component overview
 Access Control Lists
   Firewall controlling traffic in and out of a subnet
   Separate inbound and outbound rules
   Rules can allow or deny traffic
   Stateless (inbound and outbound rules are evaluated independently; return traffic needs its own rule)
 Route Tables
   Rules to determine where network traffic is routed
   VPC provides a default table to cover private traffic in your VPC
   Create additional tables to control subnet routing
 Subnets
   Sub-network within your VPC
   Tied to one Availability Zone
   Public and Private Subnets
 Security Groups
   Control inbound and outbound traffic to EC2 instances (stateful)
   Assign one or many Security Groups to one or many instances
 Internet Gateway
   Target for internet-routable traffic
 Virtual Private Gateway
   VPN concentrator on the Amazon side of the VPN connection
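The stateless/stateful distinction above is easiest to see by running packets through both filters. This is an added simulator, not code from the deck or from AWS; it models the two evaluation rules (numbered first-match for network ACLs, allow-only any-match with connection tracking for security groups) on constructed packets, using the 10.0.1.0/24 web subnet from the deck's diagrams and documentation-range internet addresses.

```python
"""Simulator for the two VPC filters described above: a stateless network ACL
(numbered rules, first match wins, no connection memory) and a stateful
security group (allow-only rules, any match, replies admitted automatically)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str       # "in" or "out", relative to the subnet / instance


@dataclass(frozen=True)
class Rule:
    direction: str       # "in" or "out"
    cidr: str            # peer address range
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs may also say "deny"; security groups never do
    number: int = 0         # NACL evaluation order (ignored by security groups)


def _matches(rule, pkt):
    # inbound rules look at the source address, outbound rules at the destination
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= pkt.dport <= rule.port_to)


class NetworkAcl:
    """Stateless subnet filter: rules are tried in ascending number order and
    the first match decides; the implicit final '*' rule denies."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt):
        for r in self.rules:
            if _matches(r, pkt):
                return r.action == "allow"
        return False


class SecurityGroup:
    """Stateful instance filter: any matching allow rule admits the packet and
    records the flow, so the reply is admitted without an explicit rule."""
    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.flows = set()   # (src, sport, dst, dport) of admitted packets

    def evaluate(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True                      # reply to an admitted flow
        if any(_matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


def web_tier_demo():
    """HTTPS request from the internet to a web instance in 10.0.1.0/24 (the
    subnet range used in the deck's diagrams) and the instance's reply.
    Internet addresses are constructed from documentation ranges."""
    request = Packet("203.0.113.10", "10.0.1.25", sport=51000, dport=443, direction="in")
    reply = Packet("10.0.1.25", "203.0.113.10", sport=443, dport=51000, direction="out")
    blocked = Packet("198.51.100.7", "10.0.1.25", sport=40000, dport=443, direction="in")

    # NACL that only opens 443 inbound: the reply is dropped because nothing
    # allows the ephemeral destination port outbound and there is no state.
    acl_no_ephemeral = NetworkAcl([Rule("in", "0.0.0.0/0", 443, 443, number=100)])
    # Corrected NACL: outbound ephemeral-port rule, plus a lower-numbered deny
    # that wins over rule 100 for one source range.
    acl_fixed = NetworkAcl([
        Rule("in", "198.51.100.0/24", 0, 65535, action="deny", number=90),
        Rule("in", "0.0.0.0/0", 443, 443, number=100),
        Rule("out", "0.0.0.0/0", 1024, 65535, number=100),
    ])
    # Security group with the same single inbound rule: the reply is admitted
    # because the group tracks connection state.
    sg = SecurityGroup([Rule("in", "0.0.0.0/0", 443, 443)])
    return {
        "acl_no_ephemeral": (acl_no_ephemeral.evaluate(request), acl_no_ephemeral.evaluate(reply)),
        "acl_fixed": (acl_fixed.evaluate(request), acl_fixed.evaluate(reply)),
        "acl_fixed_blocked": acl_fixed.evaluate(blocked),
        "security_group": (sg.evaluate(request), sg.evaluate(reply)),
    }


if __name__ == "__main__":
    for name, result in web_tier_demo().items():
        print(f"{name:18s} {result}")
```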
VPC Peering
 Connect two VPCs in the same Region
 No IP address conflicts
 Bridged by routing table entries (both sides of peering relationship)
 Offer & Accept model: Customer A initiates peer to B; Customer B receives request from A
Amazon Direct Connect – Dedicated Network Connections
• Establish a dedicated network connection from your premises (corporate data center) to AWS
• Reduces bandwidth costs for high volume data transfers
• Offers consistent network performance
• 1Gbps and 10Gbps connection speeds
Amazon VPC Network Security Controls
VPC Architecture – Basic Components
[Figure: one region; VPC 10.0.0.0/16 with a VPC router and an Internet Gateway; two Availability Zones, each holding a Web subnet and a DB subnet (10.0.1.0/24 and 10.0.2.0/24 in the first, 10.0.3.0/24 and 10.0.4.0/24 in the second), each tier in its own security group.]
VPC – Hybrid Connection
[Figure: the same two-AZ VPC (10.0.0.0/16; subnets 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24; Web and DB security groups; Internet Gateway) with a Virtual Private Gateway connected to a Customer Gateway at your premises.]
Palo Alto Networks on AWS – Use Cases
 Hybrid Cloud
 VPC to VPC Security
 Internet Facing Application
 GlobalProtect
VPC – Hybrid Connection with Palo Alto
[Figure: the hybrid VPC diagram (10.0.0.0/16, two AZs with Web and DB subnets and security groups, Internet Gateway, Virtual Private Gateway to a Customer Gateway at your premises).]
VPC – Hybrid Connection with Palo Alto v2
[Figure: the hybrid VPC diagram (10.0.0.0/16, two AZs with Web and DB subnets and security groups, Internet Gateway, Customer Gateway at your premises) with a VM-Series firewall in the VPC.]
VPC – Palo Alto in Public Subnet
[Figure: VPC 10.0.0.0/16 with an Internet Gateway, subnets 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 across two AZs, Web and DB security groups, and a VM-Series firewall with an Elastic IP (54.x.x.x).]
EC2 Security
 Host operating system (below the hypervisor)
   Individual SSH keyed logins via bastion host for AWS admins
   All accesses logged and audited – in near real time
 Guest (a.k.a. Instance) operating system
   Customer controlled (customer owns root/administrator)
   AWS admins cannot log in
   Customer-generated key-pairs
 Signed API calls
   Require X.509 certificate or customer’s secret AWS key
 Stateful firewall
   Mandatory inbound firewall, default deny mode (also outbound firewall in VPC)
   Customer controls configuration via Security Groups
Amazon EC2 Instance Isolation
[Figure: the instance isolation stack: physical interfaces, a firewall enforcing each customer's Security Groups (Customer 1, Customer 2 … Customer n), the hypervisor, and the virtual interfaces of each customer's instances.]
Controlling your EC2 instances
You choose and control your image
• AWS Catalog
• Your own
• Marketplace
• Community
You determine network placement
• VPC
• Subnet
• Security Groups
• Public IP address
You configure your instance
• Harden operating system
• Host based firewall
• Control admin/user access
• Logging
[Figure: AMI catalogue → launch instance (EC2) → running instance → configure instance → your instance.]
CONTROL
Customers retain full ownership and control of their content
Customers retain ownership of their intellectual property and content
• AWS personnel have no access to customer content or guest OS
• Customers manage their privacy objectives how they choose to – read AWS privacy whitepapers on our Compliance website
• Select the AWS geographical Region and no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
AWS Key Management Service
• A managed service that makes it easy for you to create, control, rotate, and use your encryption keys, integrated with Amazon EBS, Amazon S3, Amazon Redshift, and Amazon RDS – more services coming soon
• Integrated with AWS CloudTrail to provide auditable logs to help your regulatory and compliance activities
• Two-tiered key hierarchy using envelope encryption
  • Unique data keys used to encrypt customer data; AWS KMS master keys encrypt data keys
• Benefits of envelope encryption:
  • Limits risk of a compromised data key
  • Better performance for encrypting large data
  • Easier to manage a small number of master keys than millions of data keys
[Figure: AWS KMS Customer Master Key(s) wrap Data Key 1 (Amazon S3 object), Data Key 2 (Amazon EBS volume), Data Key 3 (Amazon Redshift cluster) and Data Key 4 (custom application).]
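The two-tier hierarchy and the three benefits listed above can be exercised end to end in a few dozen lines. This is an added example, not KMS code or code from the deck: `MasterKeyService` stands in for KMS (master keys never leave it, every call is recorded as CloudTrail would), and the `seal`/`unseal` cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for KMS's AES, an assumption made so the block runs with the standard library only.

```python
"""Envelope encryption as the KMS slide describes it: a few master keys wrap
one unique data key per object, and only the data key ever touches the data.
The cipher below is a stdlib stand-in (assumption), not the AES KMS uses."""
import hashlib
import hmac
import secrets


def _keystream_xor(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter) XORed
    over the data; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return _keystream_xor(key, nonce, ct)


class MasterKeyService:
    """Stand-in for KMS: master keys never leave the service. Callers get a
    plaintext data key plus a wrapped copy and hand the wrapped copy back later
    to have it unwrapped. Every call is recorded, as CloudTrail would record it."""
    def __init__(self):
        self._masters = {}    # key id -> master key bytes (never returned)
        self.audit = []

    def create_key(self, key_id):
        self._masters[key_id] = secrets.token_bytes(32)
        self.audit.append(("CreateKey", key_id))

    def generate_data_key(self, key_id):
        data_key = secrets.token_bytes(32)       # unique per object
        self.audit.append(("GenerateDataKey", key_id))
        return data_key, seal(self._masters[key_id], data_key)

    def decrypt_data_key(self, key_id, wrapped):
        self.audit.append(("Decrypt", key_id))
        return unseal(self._masters[key_id], wrapped)

    def re_wrap(self, old_id, new_id, wrapped):
        """Move a wrapped data key under another master key; the object's bulk
        ciphertext is not touched, which is what makes master-key rotation cheap."""
        self.audit.append(("ReEncrypt", old_id, new_id))
        return seal(self._masters[new_id], unseal(self._masters[old_id], wrapped))


def put_object(kms, key_id, plaintext):
    data_key, wrapped = kms.generate_data_key(key_id)
    ct = seal(data_key, plaintext)
    del data_key                  # plaintext data key is discarded after use
    return {"cmk": key_id, "wrapped_key": wrapped, "ciphertext": ct}


def get_object(kms, obj):
    data_key = kms.decrypt_data_key(obj["cmk"], obj["wrapped_key"])
    return unseal(data_key, obj["ciphertext"])


def envelope_demo():
    kms = MasterKeyService()
    kms.create_key("cmk-2015")                   # constructed key id
    a = put_object(kms, "cmk-2015", b"customer record A")
    b = put_object(kms, "cmk-2015", b"customer record B")
    results = {"roundtrip": get_object(kms, a) == b"customer record A"}

    # Benefit 1: a leaked data key only exposes the one object it was made for.
    leaked_key_a = kms.decrypt_data_key(a["cmk"], a["wrapped_key"])
    try:
        unseal(leaked_key_a, b["ciphertext"])
        results["leaked_key_limited"] = False
    except ValueError:
        results["leaked_key_limited"] = True

    # Benefit 3: rotating the master key re-wraps two small data keys; the
    # object ciphertexts are unchanged and still readable afterwards.
    kms.create_key("cmk-2016")
    before = (a["ciphertext"], b["ciphertext"])
    for obj in (a, b):
        obj["wrapped_key"] = kms.re_wrap(obj["cmk"], "cmk-2016", obj["wrapped_key"])
        obj["cmk"] = "cmk-2016"
    results["rotation_kept_ciphertext"] = (a["ciphertext"], b["ciphertext"]) == before
    results["readable_after_rotation"] = get_object(kms, b) == b"customer record B"
    results["audit_events"] = [e[0] for e in kms.audit]
    return results
```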
AWS CloudHSM for storing your encryption keys
Tamper-evident, customer-controlled hardware security module within the AWS Region for your VPC
• Industry-standard SafeNet Luna devices. Common Criteria EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and maintain the appliance
• High availability and replication to on-premise HSMs
Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed databases and natively with AWS Redshift
• Integrate with applications using Java APIs
• Integration with marketplace disk-encryption and configuration guides for SSL certificate storage
Encryption & Best Practices with AWS
• Managed key encryption
• Key storage with AWS CloudHSM
• Customer-supplied key encryption
• DIY on Amazon EC2
• Create, store, & retrieve keys securely
• Rotate keys regularly
• Securely audit access to keys
• Partner enablement of crypto
First class security and compliance starts (but doesn’t end!) with encryption
Storage Protection
Amazon Simple Storage Service (S3)
 Access controls at bucket and object level
 Restrict access and rights
 Versioning
 S3 Cryptographic Features
   HTTPS for in-transit data
   S3 Server Side Encryption
   S3 Client Side Encryption
 MD5 Checksums to verify file integrity
Amazon Elastic Block Store (EBS)
 Implement AWS managed encryption
 Implement your own encryption
 AWS Partner solutions to help with encryption management and implementation
COMPLIANCE & AUDITABILITY
AWS Compliance
AWS maintains a formal control environment
• SOC 1 Type II report published every six months
• SOC 2 Security and Availability report every six months
• ISO 27001 Certification
• ISO 9001 Certification
• Certified PCI DSS 3.0 Level 1 Service Provider
• FedRAMP Certification
• HIPAA BAAs
• DoD CSM Levels 1-2, 3-5
• GxP, ISO 13485, AS9100, ISO/TS 16949 + many more
You can build end-to-end compliant solutions
[Figure: the shared responsibility diagram again: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) beneath your own compliant solutions.]
AWS:
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
Customers:
• Your own ISO 27001 and 9001 certifications
• Your own financial or SOC audits if you are a service provider
• Achieve PCI, HIPAA and MPAA compliance
• Certify against ISO 27001 with a reduced scope
• Have key controls audited or publish your own independent attestations
AWS Config
AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
[Figure: changing resources → continuous change recording by AWS Config → configuration history, a change stream, and point-in-time snapshots (e.g. 2014-11-05).]
AWS CLOUDTRAIL
You are making API calls... on a growing set of services around the world… AWS CloudTrail is continuously recording API calls… and delivering log files to you.
[Figure: services feeding CloudTrail include Redshift, AWS CloudFormation and AWS Elastic Beanstalk.]
AWS CloudTrail logs – powerful use cases
CloudTrail can help you achieve many tasks
• Security analysis
• Track changes to AWS resources, for example VPC security groups and NACLs
• Compliance – understand AWS API call history
• Troubleshoot operational issues – quickly identify the most recent changes to your environment
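The "track changes to security groups and NACLs" use case above is what a first CloudTrail detection rule usually looks like. This is an added example, not code from the deck or an AWS tool: it scans a CloudTrail log file for the EC2 API calls that change security groups or network ACLs, rates each change, and counts changes per IAM user. The records are constructed samples that follow the CloudTrail record layout for these calls; the resource ids, user names and addresses are made up.

```python
"""Scan CloudTrail records for the change classes the slide names: edits to
VPC security groups and network ACLs, with a severity rating per change."""
import json
from collections import Counter

# Constructed sample records; real CloudTrail output carries many more fields.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-03-02T10:14:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2015-03-02T10:15:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {}},
    {"eventTime": "2015-03-02T11:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateNetworkAclEntry", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"networkAclId": "acl-1234abcd", "ruleNumber": 50,
                           "egress": False, "ruleAction": "allow",
                           "cidrBlock": "0.0.0.0/0", "protocol": "-1"}},
    {"eventTime": "2015-03-02T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RevokeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}}},
]})

SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}
NACL_EVENTS = {"CreateNetworkAclEntry", "ReplaceNetworkAclEntry",
               "DeleteNetworkAclEntry", "CreateNetworkAcl", "DeleteNetworkAcl"}
ADMIN_PORTS = {22, 3389}


def _world_open_admin(params):
    """True if a security-group permission exposes an admin port, or every
    port, to 0.0.0.0/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
        if "0.0.0.0/0" not in cidrs:
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if perm.get("ipProtocol") == "-1" or lo is None:
            return True                      # all traffic
        if any(lo <= p <= hi for p in ADMIN_PORTS):
            return True
    return False


def _severity(event, params):
    if event == "AuthorizeSecurityGroupIngress" and _world_open_admin(params):
        return "high"
    if (event in {"CreateNetworkAclEntry", "ReplaceNetworkAclEntry"}
            and params.get("ruleAction") == "allow"
            and params.get("cidrBlock") == "0.0.0.0/0"
            and not params.get("egress")):
        return "high"                        # inbound allow-all NACL entry
    if event.startswith("Delete") or event.startswith("Revoke"):
        return "medium"                      # removing a rule can remove a control
    return "low"


def scan(log_text):
    """Return one finding per security-group or NACL change, oldest first."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        event = rec.get("eventName", "")
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if event not in SG_EVENTS and event not in NACL_EVENTS:
            continue                         # read-only calls are not changes
        params = rec.get("requestParameters") or {}
        findings.append({
            "time": rec["eventTime"],
            "actor": rec.get("userIdentity", {}).get("userName", "?"),
            "source_ip": rec.get("sourceIPAddress"),
            "event": event,
            "resource": params.get("groupId") or params.get("networkAclId"),
            "severity": _severity(event, params),
        })
    return sorted(findings, key=lambda f: f["time"])


def changes_per_actor(findings):
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['severity']:6s} {f['actor']:6s} {f['event']} {f['resource']}")
```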
WRAP UP
Security is Job Zero
What our customers and analysts are saying
 “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.” – CTO, Large US Space Agency
 Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations. Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
AWS Security and Compliance Centers
http://aws.amazon.com/security/
http://aws.amazon.com/compliance/
• Answers to many security & privacy questions
• Security whitepaper
• Risk and Compliance whitepaper
• Auditing Security whitepaper
• Security at Scale: Governance in AWS whitepaper
• Security at Scale: Logging in AWS whitepaper
• Security bulletins
• Customer penetration testing
• Security best practices
• More information on:
  • AWS Identity & Access Management (AWS IAM)
  • AWS Multi-Factor Authentication (AWS MFA)
Thank you for your time.
scotward@amazon.com
aws.amazon.com

Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 

Recently uploaded (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 

Security on AWS

  • 1. Security on Amazon Web Services – Scott Ward, Solutions Architect, AWS (©2015, Palo Alto Networks. Confidential and Proprietary.)
  • 2.
  • 3. Why AWS?
    - No Up-Front Capital Expense
    - Low Cost
    - Only Pay For What You Use
    - Self Service
    - Easily Scale Up and Down
    - Agility and Flexibility
    - Go Global in Minutes
    - Security & Compliance
  • 5. Security is Job Zero
    - Network Security
    - Physical Security
    - Platform Security
    - People & Procedures
  • 7. Security is shared between AWS and customers
    - AWS looks after the security of the platform: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
    - Customers are responsible for their security IN the Cloud: Customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Encryption Key Management; Client and Server Encryption; Network Traffic Protection
  • 8. Security is shared between AWS and customers (same layer diagram as slide 7)
    - AWS: Culture of security and continual improvement; Ongoing audits and assurance; Protection of large-scale service endpoints
    - Customers: Customers configure AWS security features; Get access to a mature vendor marketplace; Can implement and manage their own controls as well as configure AWS features
  • 9. What does AWS do in the Shared Responsibility Model?
    - Facilities
    - Physical security
    - Compute infrastructure
    - Storage infrastructure
    - Network infrastructure
    - Virtualization layer (EC2)
    - Hardened service endpoints
    - Rich IAM capabilities
  • 10. What does the customer do in the Shared Responsibility Model?
    - Network configuration
    - Security groups
    - OS firewalls
    - Operating systems
    - Application security
    - Service configuration
    - Auth & acct management
    - Authorization policies
  • 11. Shared Responsibility – The Total Package
    - AWS: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Rich IAM capabilities
    - + Customers: Network configuration; Security groups; OS firewalls; Operating systems; Application security; Service configuration; AuthN & acct management; Authorization policies
    - = More secure and compliant systems than any one entity could achieve on its own.
  • 12. Amazon Virtual Private Cloud (VPC)
    - Create a logically isolated environment in Amazon’s highly scalable infrastructure
    - Specify your private IP address range into one or more public or private subnets
    - Control inbound and outbound access to and from individual subnets
    - Protect your instances with stateful filters for inbound and outbound traffic
    - Expose instances in your VPC for public internet access
    - Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted IPSEC VPN connection
  • 13. VPC Component overview
    - Access Control Lists: firewall controlling traffic in and out of a subnet; separate inbound and outbound rules; rules can allow or deny traffic; stateless (inbound and outbound rules are evaluated separately)
    - Route Tables: rules to determine where network traffic is routed; VPC provides a default table to cover private traffic in your VPC; create additional tables to control subnet routing
    - Subnets: sub-network within your VPC; tied to one Availability Zone; public and private subnets
  • 14. VPC Component overview
    - Security Groups: control inbound and outbound traffic to EC2 instances; assign one or many security groups to one or many instances
    - Internet Gateway: target for internet routable traffic
    - Virtual Private Gateway: VPN concentrator on the Amazon side of the VPN connection
  • 15. VPC Peering
    - Connect two VPCs in the same Region
    - No IP address conflicts
    - Bridged by routing table entries (both sides of peering relationship)
    - Offer & Accept model: Customer A initiates peer to B; Customer B receives request from A
  • 16. Amazon Direct Connect – Dedicated Network Connections
    - Establish a dedicated network connection from your premises (corporate data center) to AWS
    - Reduces bandwidth costs for high volume data transfers
    - Offers consistent network performance
    - 1Gbps and 10Gbps connection speeds
  • 17. Amazon VPC Network Security Controls
  • 18. VPC Architecture – Basic Components (diagram): a region with two Availability Zones; VPC 10.0.0.0/16 with a VPC Router and an Internet Gateway; subnets 10.0.1.0/24 and 10.0.2.0/24 in the first Availability Zone, 10.0.3.0/24 and 10.0.4.0/24 in the second; Web and DB instances in each zone, each tier in its own security group
  • 19. VPC – Hybrid Connection (diagram): the slide 18 layout plus a Virtual Private Gateway on the VPC side connected to a Customer Gateway at your premises
  • 20. Palo Alto Networks on AWS….Use Cases
    - Hybrid Cloud
    - VPC to VPC Security
    - Internet Facing Application
    - Global Protect
  • 21. VPC – Hybrid Connection with Palo Alto (diagram): the slide 19 hybrid layout (VPC Router, Virtual Private Gateway, Internet Gateway, Customer Gateway, your premises) with Palo Alto Networks in the path
  • 22. VPC – Hybrid Connection with Palo Alto v2, VM Series (diagram): region, two Availability Zones, VPC 10.0.0.0/16 with VPC Router and Internet Gateway, the four subnets with Web and DB security groups, Customer Gateway at your premises, VM-Series firewall
  • 23. VPC – Palo Alto in Public Subnet, VM Series (diagram): region, VPC 10.0.0.0/16 with VPC Router and Internet Gateway; subnets 10.0.1.0/24 and 10.0.2.0/24 in one Availability Zone and 10.0.3.0/24 in another; Web and DB security groups; VM-Series firewall reachable through an Elastic IP 54.x.x.x
  • 24. EC2 Security
    - Host operating system (below the hypervisor): individual SSH keyed logins via bastion host for AWS admins; all accesses logged and audited – in near real time
    - Guest (a.k.a. Instance) operating system: customer controlled (customer owns root/administrator); AWS admins cannot log in; customer-generated key-pairs
    - Signed API calls: require X.509 certificate or customer’s secret AWS key
    - Stateful firewall: mandatory inbound firewall, default deny mode (also outbound firewall in VPC); customer controls configuration via Security Groups
  • 25. Amazon EC2 Instance Isolation (diagram): Physical Interfaces, Firewall, Hypervisor, Virtual Interfaces; Customer 1, Customer 2 … Customer n, each with its own Security Groups
  • 26. Controlling your EC2 instances
    - You choose and control your image: AWS Catalog; Your own; Marketplace; Community
    - You determine network placement: VPC; Subnet; Security Groups; Public IP address
    - You configure your instance: Harden operating system; Host based firewall; Control admin/user access; Logging
    - Flow: EC2 AMI catalogue, Launch instance, Running instance, Configure instance, Your instance
  • 27. CONTROL (©2012, Palo Alto Networks. Confidential and Proprietary.)
  • 28. Customers retain full ownership and control of their content
    - Customers retain ownership of their intellectual property and content
    - AWS personnel have no access to customer content or guest OS
    - Customers manage their privacy objectives how they choose to – read AWS privacy whitepapers on our Compliance website
    - Select the AWS geographical Region and no automatic replication elsewhere
    - Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
  • 29. AWS Key Management Service
    - A managed service that makes it easy for you to create, control, rotate, and use your encryption keys, integrated with Amazon EBS, Amazon S3, Amazon Redshift, and Amazon RDS – more services coming soon
    - Integrated with AWS CloudTrail to provide auditable logs to help your regulatory and compliance activities
    - Two-tiered key hierarchy using envelope encryption: unique data keys are used to encrypt customer data; AWS KMS master keys encrypt the data keys
    - Benefits of envelope encryption: limits risk of a compromised data key; better performance for encrypting large data; easier to manage a small number of master keys than millions of data keys
    - Diagram: Customer Master Key(s) in AWS KMS; Data Key 1 for an Amazon S3 Object, Data Key 2 for an Amazon EBS Volume, Data Key 3 for an Amazon Redshift Cluster, Data Key 4 for a Custom Application
  • 30. AWS CloudHSM for storing your encryption keys
    - Tamper-evident customer controlled hardware security module within the AWS Region for your VPC
    - Industry-standard SafeNet Luna devices. Common Criteria EAL4+, NIST FIPS 140-2 certified
    - No access from Amazon administrators who manage and maintain the appliance
    - Reliable & Durable Key Storage: high availability and replication to on-premise HSMs
    - Use for transparent data encryption on self-managed databases and natively with AWS Redshift
    - Integrate with applications using Java APIs
    - Integration with marketplace disk-encryption and configuration guides for SSL certificate storage
  • 31. Encryption & Best Practices with AWS
    - Managed key encryption
    - Key storage with AWS CloudHSM
    - Customer-supplied key encryption
    - DIY on Amazon EC2
    - Create, store, & retrieve keys securely
    - Rotate keys regularly
    - Securely audit access to keys
    - Partner enablement of crypto
    - First class security and compliance starts (but doesn’t end!) with encryption
  • 32. Storage Protection
    - Amazon Simple Storage Service (S3): access controls at bucket and object level; restrict access and rights; versioning
    - S3 Cryptographic Features: HTTPS for in transit data; S3 Server Side Encryption; S3 Client Side Encryption; MD5 checksums to verify file integrity
    - Amazon Elastic Block Store (EBS): implement AWS managed encryption; implement your own encryption; AWS Partner solutions to help with encryption management and implementation
  • 34. AWS Compliance – AWS maintains a formal control environment
    - SOC 1 Type II report published every six months
    - SOC 2 Security and Availability report every six months
    - ISO 27001 Certification
    - ISO 9001 Certification
    - Certified PCI DSS 3.0 Level 1 Service Provider
    - FedRAMP Certification
    - HIPAA BAAs
    - DoD CSM Levels 1-2, 3-5
    - GxP, ISO 13485, AS9100, ISO/TS 16949 + Many more
  • 35. You can build end-to-end compliant solutions
    - AWS (Foundation Services: Compute, Storage, Database, Networking; Global Infrastructure: Regions, Availability Zones, Edge Locations): Culture of security and continual improvement; Ongoing audits and assurance; Protection of large-scale service endpoints
    - Your own compliant solutions: your own 27001 and 9001 certifications; your own financial or SOC audits if you are a service provider
    - Achieve PCI, HIPAA and MPAA compliance
    - Certify against ISO27001 with a reduced scope
    - Have key controls audited or publish your own independent attestations
  • 36. AWS Config – AWS Config is a fully managed service that provides you with an inventory of your AWS resources, lets you audit the resource configuration history and notifies you of resource configuration changes.
  • 38. AWS CLOUDTRAIL – You are making API calls... on a growing set of services around the world (e.g. Redshift, AWS CloudFormation, AWS Elastic Beanstalk)… AWS CloudTrail is continuously recording API calls… and delivering log files to you
  • 39. AWS CloudTrail logs …….powerful use cases – CloudTrail can help you achieve many tasks
    - Security analysis
    - Track changes to AWS resources, for example VPC security groups and NACLs
    - Compliance – understand AWS API call history
    - Troubleshoot operational issues – quickly identify the most recent changes to your environment
  • 41. Security is Job Zero – What our customers and analysts are saying
    - “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.” – CTO, Large US Space Agency
    - Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations. Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
  • 42. AWS Security and Compliance Centers – http://aws.amazon.com/security/ and http://aws.amazon.com/compliance/
    - Answers to many security & privacy questions
    - Security whitepaper
    - Risk and Compliance whitepaper
    - Auditing Security whitepaper
    - Security at Scale: Governance in AWS whitepaper
    - Security at Scale: Logging in AWS whitepaper
    - Security bulletins
    - Customer penetration testing
    - Security best practices
    - More information on: AWS Identity & Access Management (AWS IAM); AWS Multi-Factor Authentication (AWS MFA)
  • 43. Thank you for your time. scotward@amazon.com aws.amazon.com
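
The two-tier envelope encryption that slide 29 describes (a unique data key per object, the data keys themselves encrypted by a master key), as an added example that is not part of this deck or of the AWS KMS API: `MasterKey` is a local in-memory stand-in for a KMS customer master key (an assumption made so the code runs offline; real KMS never releases the master key), data keys are wrapped with AES-256-GCM, and each object is sealed under its own data key. It goes a little beyond the slide by binding the master key id into the wrapped key and by relying on GCM to reject tampered ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// MasterKey stands in for a KMS customer master key. In real KMS the master key
// never leaves the service; it lives in memory here only so the example runs
// offline (a local stand-in, not the AWS KMS API).
type MasterKey struct {
	ID  string
	key []byte // 32-byte AES-256 key
}

// WrappedKey is a data key encrypted under the master key: the only form of the
// data key that is ever stored.
type WrappedKey struct {
	KeyID  string
	Nonce  []byte
	Cipher []byte
}

// Envelope is what gets persisted: the wrapped data key travels with the data.
type Envelope struct {
	Key   WrappedKey
	Nonce []byte
	Data  []byte
}

// randomBytes panics if the OS CSPRNG fails; there is no safe fallback.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds AES-256-GCM; keys are always 32 bytes here, so errors are bugs.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts under a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte) {
	gcm := newGCM(key)
	nonce = randomBytes(gcm.NonceSize())
	return nonce, gcm.Seal(nil, nonce, plaintext, aad)
}

func NewMasterKey(id string) *MasterKey {
	return &MasterKey{ID: id, key: randomBytes(32)}
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh 256-bit data key plus the
// same key wrapped under the master key. The key id is bound as AAD so a wrapped
// key cannot be re-attributed to a different master key.
func (m *MasterKey) GenerateDataKey() ([]byte, WrappedKey) {
	dk := randomBytes(32)
	nonce, ct := seal(m.key, dk, []byte(m.ID))
	return dk, WrappedKey{KeyID: m.ID, Nonce: nonce, Cipher: ct}
}

// UnwrapDataKey mirrors KMS Decrypt applied to a wrapped data key.
func (m *MasterKey) UnwrapDataKey(w WrappedKey) ([]byte, error) {
	if w.KeyID != m.ID {
		return nil, errors.New("data key was not wrapped by this master key")
	}
	return newGCM(m.key).Open(nil, w.Nonce, w.Cipher, []byte(m.ID))
}

// Encrypt uses one unique data key per object; the plaintext data key is
// discarded as soon as the payload is sealed, only the wrapped copy is kept.
func Encrypt(m *MasterKey, plaintext []byte) *Envelope {
	dk, wk := m.GenerateDataKey()
	nonce, ct := seal(dk, plaintext, nil)
	return &Envelope{Key: wk, Nonce: nonce, Data: ct}
}

// Decrypt unwraps the data key through the master key, then opens the payload.
// A leaked data key exposes only its own object, never the master key.
func Decrypt(m *MasterKey, env *Envelope) ([]byte, error) {
	dk, err := m.UnwrapDataKey(env.Key)
	if err != nil {
		return nil, err
	}
	return newGCM(dk).Open(nil, env.Nonce, env.Data, nil)
}
```

Rotating the master key in this scheme means re-wrapping the small set of wrapped data keys, not re-encrypting every object, which is the management benefit slide 29 lists.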

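The CloudTrail use case on slide 39, tracking changes to VPC security groups and NACLs, as an added example that is not part of this deck: it reads a constructed CloudTrail log body (record layout follows the CloudTrail format for EC2 API calls; every id, user name and timestamp is invented), keeps only the mutating security-group and NACL calls, and raises a HIGH finding for any new rule that allows inbound traffic from anywhere. `AnalyzeTrail`, `Finding` and the other names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample CloudTrail log body (not real data); every value is invented.
const sampleTrail = `{"Records":[
{"eventTime":"2015-06-01T10:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress",
 "userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"groupId":"sg-0example1",
 "ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}},
{"eventTime":"2015-06-01T10:05:00Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress",
 "userIdentity":{"type":"IAMUser","userName":"bob"},"requestParameters":{"groupId":"sg-0example2",
 "ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":443,"toPort":443,"ipRanges":{"items":[{"cidrIp":"10.0.0.0/16"}]}}]}}},
{"eventTime":"2015-06-01T10:07:00Z","eventSource":"ec2.amazonaws.com","eventName":"CreateNetworkAclEntry",
 "userIdentity":{"type":"AssumedRole"},"requestParameters":{"networkAclId":"acl-0example","ruleNumber":100,
 "egress":false,"ruleAction":"allow","protocol":"-1","cidrBlock":"0.0.0.0/0"}},
{"eventTime":"2015-06-01T10:09:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeSecurityGroups",
 "userIdentity":{"type":"IAMUser","userName":"carol"},"requestParameters":{}}
]}`

// ipPerm mirrors one entry of requestParameters.ipPermissions.items.
type ipPerm struct {
	IPProtocol string `json:"ipProtocol"`
	FromPort   int    `json:"fromPort"`
	ToPort     int    `json:"toPort"`
	IPRanges   struct{ Items []struct{ CidrIP string `json:"cidrIp"` } `json:"items"` } `json:"ipRanges"`
}

// record carries only the CloudTrail fields this detector reads.
type record struct {
	EventTime    string `json:"eventTime"`
	EventName    string `json:"eventName"`
	UserIdentity struct {
		Type     string `json:"type"`
		UserName string `json:"userName"`
	} `json:"userIdentity"`
	RequestParameters struct {
		GroupID       string `json:"groupId"`
		IPPermissions struct{ Items []ipPerm `json:"items"` } `json:"ipPermissions"`
		NetworkAclID  string `json:"networkAclId"`
		RuleAction    string `json:"ruleAction"`
		Egress        bool   `json:"egress"`
		CidrBlock     string `json:"cidrBlock"`
	} `json:"requestParameters"`
}

// Finding is one alert: INFO for change tracking, HIGH when a new rule allows inbound traffic from anywhere.
type Finding struct {
	Time, Actor, Event, Resource, Severity, Detail string
}

// isNetworkControlChange keeps mutating security-group and NACL calls and drops read-only Describe* calls.
func isNetworkControlChange(eventName string) bool {
	return !strings.HasPrefix(eventName, "Describe") &&
		(strings.Contains(eventName, "SecurityGroup") || strings.Contains(eventName, "NetworkAcl"))
}

func isWorldOpen(cidr string) bool { return cidr == "0.0.0.0/0" || cidr == "::/0" }

// AnalyzeTrail parses one CloudTrail log file body and returns a finding for every
// security-group or NACL change it contains, in log order.
func AnalyzeTrail(body []byte) ([]Finding, error) {
	var trail struct{ Records []record `json:"Records"` }
	if err := json.Unmarshal(body, &trail); err != nil {
		return nil, err
	}
	var out []Finding
	for _, r := range trail.Records {
		if !isNetworkControlChange(r.EventName) {
			continue
		}
		f := Finding{Time: r.EventTime, Actor: r.UserIdentity.UserName, Event: r.EventName, Severity: "INFO"}
		if f.Actor == "" {
			f.Actor = r.UserIdentity.Type // e.g. AssumedRole records carry no userName
		}
		rp := r.RequestParameters
		switch {
		case rp.GroupID != "":
			f.Resource = rp.GroupID
			for _, p := range rp.IPPermissions.Items {
				for _, ipr := range p.IPRanges.Items {
					if strings.HasPrefix(r.EventName, "Authorize") && isWorldOpen(ipr.CidrIP) {
						f.Severity = "HIGH"
						f.Detail = fmt.Sprintf("%s %d-%d allowed from %s", p.IPProtocol, p.FromPort, p.ToPort, ipr.CidrIP)
					}
				}
			}
		case rp.NetworkAclID != "":
			f.Resource = rp.NetworkAclID
			if rp.RuleAction == "allow" && !rp.Egress && isWorldOpen(rp.CidrBlock) {
				f.Severity = "HIGH"
				f.Detail = "inbound allow rule for " + rp.CidrBlock
			}
		}
		out = append(out, f)
	}
	return out, nil
}
```

Run over the sample, the detector yields three findings: alice's port 22 rule and the NACL allow-all entry as HIGH, bob's internal-range rule as INFO, and carol's Describe call is ignored.
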
Editor's Notes

  1. AWS is a comprehensive cloud services platform, offering compute power, storage, content delivery, and other functionality that enables businesses to cost-effectively deploy applications and services.
  2. At AWS we hold security as our number one priority. We take it very seriously to ensure that our customers are always protected and feel they are operating in a safe environment. Security starts at the top at Amazon, with a dedicated CISO and a strong cultural focus on operational excellence and root cause analysis. Dedicated internal security teams are constantly looking at the security of our services and at how we can better help our customers secure themselves. Talk about how you can improve your security footprint.
  3. AWS security gives you a security model that is familiar. It is important to call out that security at AWS continues to evolve. One of the best things for AWS is a tough set of customers; you can see some of the customer logos in the middle of this slide. When big institutions submit stringent security requirements to us and review the findings of our compliance auditors, we frequently build to their requirements and incorporate their feedback into the platform. EVERYBODY benefits from them. We don’t build “one off” solutions for anyone, so everybody benefits from the improvements made for any customer. In many cases this results in a better security profile than what each individual firm could accomplish on their own.
  4. Within AWS security is shared. It’s not all on AWS and not all on the customer.
  5. Security at AWS is based on the Shared Responsibility model. We look after the security OF the cloud, which is the platform that customers use to run their AWS solutions. Customers look after security IN the cloud.
  6. Some deeper insight into the shared responsibility model. For the customer portion of the responsibility model they implement the features that they need to ensure that their workloads are secure and meet any compliance requirements that are relevant to their workloads. First they can configure many AWS security features to help them out with securing their workloads. On top of that there is a rich partner eco-system that has products and solutions to assist with the security aspect. Finally, customers have full control to manage their own account and configure things as they see fit for their security needs. This model allows your security professionals to focus on a subset of the problem.
  7. The AWS side of the shared responsibility model: a dedicated global security team and physical data center security. Within the data center we own security of the actual compute, storage, and network infrastructure, which are managed to security best practices as well as a variety of security compliance standards. Talk about separation of duties. Also covered here: storage device decommissioning, the virtualization layer (EC2), hardened service endpoints, rich IAM capabilities, and auditors.
  8. The customer side of the model: patch the OS; enforce network rules; control host OS access; control AWS resource access; control application functionality and security; deploy additional security mechanisms; protect data.
  9. Combine the AWS side and the Customer side of the model and you have a more secure and compliant system than any one entity could achieve on its own.
  10. So let’s move on to the networking portion of AWS and the security features that exist. It all starts with the Virtual Private Cloud (VPC). VPC is your private network in the AWS cloud:
  • You define the IP address space
  • You control the configuration
  • You can define what is public and what is private
  • Levels of filtering control traffic into and out of your VPC
  • Link your VPC with your on-premises infrastructure via an IPsec VPN connection
  11. From a networking standpoint much of this should be familiar. You should feel warm and fuzzy and right at home with many of these items. These are the items that are delivered and available for you to use when you create a VPC. Access Control Lists, Route Tables, Subnets, and Security Groups are available for you to customize to your needs.
  12. VPC peering is another feature that allows you to extend your VPC so it can communicate with other VPCs. Prior to VPC peering you had to implement an IPsec tunnel into each VPC in order to communicate between VPCs. Use cases where this would be relevant: peering between a test/dev account and production; peering between a management account and the VPC of a customer. Keep in mind that this functionality is only for VPCs within the same region. If you want to go VPC to VPC across different regions you are still going to need the IPsec tunnel.
  13. Direct Connect is your dedicated pipe into AWS. It offers consistent performance, and you are not relying on the open internet for your data transfers. You establish a connection at one of the co-location partners, who then establish the connection to AWS. Good for a long-term dedicated connection; also good for the short term when you just want to do a large data transfer. Available at speeds of 1 Gbps and 10 Gbps. This type of solution plays well into the hybrid architecture we will talk about a little later on.
  14. Here we have another representation that outlines the different layers that exist with a VPC and where they sit in relation to the traffic flow in and out of a VPC.
  15. Example without a Virtual Private gateway This is not showing components like load balancers or how traffic is coming in but we are trying to represent the breakdown between VPC, AZ, and Subnet.
  16. Example with a Virtual Private Gateway Make point about the VPG being a fully resilient regional service and you can create two high-availability VPNs into the AWS region. The customer gateway is YOUR VPN endpoint – we publish configuration guides for most popular VPN terminators on our website, to help you get set up quickly.
  17. We have covered a lot of different security aspects within AWS. Now let’s look at how Palo Alto Networks fits into that equation as part of the customer portion of the shared responsibility model.
  • Internet-facing VPC: one VM-Series instance protecting one or more internal subnets. For anyone who was part of the hands-on labs, this is what we built out in lab 2.
  • Hybrid cloud: extend or burst your private data center into AWS.
  • VPC-to-VPC security: similar to hybrid cloud, but facilitating the connection between two AWS VPCs. This could be for VPCs within the same region and account, or across multiple AWS regions and possibly multiple AWS accounts.
  • GlobalProtect: a solution providing remote access VPN sessions for PC/Mac/iOS/Android.
  18. Example with a Virtual Private Gateway connecting to Palo Alto Networks. This covers our Hybrid use case.
  19. Example with a Virtual Private Gateway connecting to Palo Alto Networks. This covers our hybrid use case. In this example you get access to all the Palo Alto Networks features you love, running in AWS. This covers the hybrid example but is a fair representation of what would happen in the VPC-to-VPC option as well: just replace the on-premises piece with another VPC.
  20. Internet-facing application. Here we have a Palo Alto Networks EC2 instance sitting in a public subnet with a public IP address tied to it. This allows the Palo Alto device to take in traffic and do its job: examine the traffic and route it to the appropriate instances in the other, hopefully private, subnets. This is publicly facing, but you can still control what type of traffic comes in via network ACLs and security groups before it even hits your Palo Alto device.
  21. Let’s dive more into how security is implemented for EC2.
  22. So with virtual infrastructure, how do we make sure that each instance is secure and isolated from other instances running on the same physical infrastructure?
  23. Data ownership and control:
  • AWS personnel have no access to customer content or the guest operating system.
  • Customers manage their own data access policies.
  • Customers choose the region they want to operate in, and AWS does not automatically replicate data outside that region. A customer must enable configuration or run code/commands to move data outside the region.
  • Customers have many ways to encrypt and protect their data to make it secure at the levels they need (more on this later).
  24. Key Management Service (KMS) is a managed service that makes it easy for you to create, control, and use your encryption keys. It is integrated with several AWS services now, with more coming. With this service you have a way to centrally and securely store YOUR keys and use those keys to protect data within AWS services or within your custom application. You get to utilize a secure service as your key store, which allows you to protect your data without having to focus on managing or building that key store, so you can focus more on your applications. You can use it regardless of where your applications are running and integrate with it via an AWS-provided SDK. KMS is scalable, durable and highly available, so you can just use it without having to focus on all the components required to make this happen. Good reference: http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
  25. For those of you using an HSM on site today this should seem familiar. This is the same hardened hardware security module you are used to, but available in the AWS cloud. Why would someone want to use this? Compliance is one good reason, if your compliance requirements call for a dedicated security device. Key benefits: using AWS CloudHSM means you can now run high-assurance encryption within your AWS VPC without the need for on-premises integration. CloudHSM gives customers a high level of assurance that their sensitive encryption keys are protected within their AWS VPC, in a manner that protects them from unauthorized disclosure.
  26. So along with control goes the ability to protect your data in the way that you want. What we are trying to represent here on this slide is that you have a lot of flexibility when it comes to protecting your data on AWS. You can use AWS managed solutions or bring/implement your own solutions in order to meet your needs.
  27. S3 is a service intended for object storage. This could be data backups, log files, configuration files, or documents. EBS is network block storage attached to your EC2 instance; a good use case is constantly changing data, such as a database.
  28. Many customers have workloads that must meet strict audit and control requirements. With AWS it is still possible to meet those requirements by leveraging the work AWS has done around compliance. AWS does this by:
  • Obtaining industry certifications and independent third-party attestations
  • Publishing information about AWS security and control practices in whitepapers and web site content
  • Providing certificates, reports, and other documentation directly to AWS customers under NDA (as required)
  With this work AWS obtains the compliance certification for the AWS portion of the shared responsibility model. The customer is still responsible for maintaining compliance in their portion of the model, most often the same things they may already be doing in their on-premises environment. The big thing here is that the customer no longer needs to devote time and attention to the compliance steps associated with securing the underlying infrastructure, because AWS takes responsibility for that. So the people who used to focus on security of the infrastructure can go focus on something more important to the customer’s business.
  29. When we take the shared responsibility model, add in the compliance and security work that AWS does on the platform, you get the ability to build an end to end compliant solution.
  30. AWS config is one of our newer services. With this service you get an inventory of your AWS resources, the ability to audit resource configuration history, and receive notifications when resource configuration changes.
  31. Quick overview of AWS Config and its integration possibilities. What this represents is changes to various resources, with details of those changes being fed through AWS Config and then recorded and notified on. Use cases enabled by Config:
  • Security analysis: am I safe?
  • Audit compliance: where is the evidence?
  • Change management: what will this change affect?
  • Troubleshooting: what has changed?
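The Config use case "Security analysis: am I safe?" comes down to evaluating recorded resource configuration against a policy. The following is an added example (not from the deck, and not AWS's own tooling, which for slide 36 and note 31 is the Config service itself): it runs a world-open-admin-port check over a constructed sample in the shape of the EC2 DescribeSecurityGroups response, which is also the content a Config configuration item carries for a security group. The group IDs, names, rules and the list of admin ports are assumptions.

```python
"""World-open admin port check over security group configuration.

Added example (not from the deck): the input below is a constructed sample in
the shape of the EC2 DescribeSecurityGroups response, which is also what AWS
Config records for an AWS::EC2::SecurityGroup configuration item.
"""
import ipaddress

# Assumption: ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}

# Constructed sample data, not from a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # fine: HTTPS to the world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},       # fine: SSH from the office only
    ]},
    {"GroupId": "sg-0f9e8d7c", "GroupName": "db-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},           # fine: MySQL from the VPC
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # bad: range covers 3306 and 3389
    ]},
    {"GroupId": "sg-deadbeef", "GroupName": "allow-all", "IpPermissions": [
        {"IpProtocol": "-1",                                # bad: every protocol, every port
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any host on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_span(perm):
    """(low, high) ports a permission covers; None for protocols without ports."""
    proto = str(perm.get("IpProtocol"))
    if proto == "-1":                       # all protocols: treat as every port
        return 0, 65535
    if proto not in ("tcp", "udp", "6", "17"):
        return None                         # icmp etc. carry no port to match
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def evaluate_group(group):
    """One finding per admin port that a world-open rule in this group exposes."""
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = [s for s in sources if is_world(s)]
        span = port_span(perm)
        if not world or span is None:
            continue
        low, high = span
        for port, service in sorted(ADMIN_PORTS.items()):
            if low <= port <= high:          # port ranges hide exposures: check containment
                findings.append({"GroupId": group["GroupId"], "GroupName": group["GroupName"],
                                 "port": port, "service": service, "source": world[0]})
    return findings


def evaluate(groups):
    """Compliance status per group plus the flattened list of findings."""
    status, findings = {}, []
    for group in groups:
        found = evaluate_group(group)
        status[group["GroupId"]] = "NON_COMPLIANT" if found else "COMPLIANT"
        findings.extend(found)
    return status, findings


if __name__ == "__main__":
    status, findings = evaluate(SAMPLE_GROUPS)
    for gid, state in status.items():
        print(gid, state)
    for f in findings:
        print(f"  {f['GroupName']}: {f['service']}/{f['port']} open to {f['source']}")
```

The check is deliberately written over port ranges rather than exact port matches, because the "3000-4000 from anywhere" rule is the kind that passes a naive "is port 22 open" query while still exposing RDP and MySQL; the same function runs unchanged over the JSON from `aws ec2 describe-security-groups` or a Config snapshot.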
  32. From a security professional’s perspective, CloudTrail is an exciting service. CloudTrail is your eyes behind the scenes at AWS. It gives you insight into all of the API calls made against your account(s): who did what, from where, and when. CloudTrail captures API calls made against your AWS resources and places the log files into an S3 bucket for you to analyze. It tells you who did what and from what IP. Emphasize that these API calls could be coming from the management console as well as from CLI and SDK calls.
  33. Use cases enabled by CloudTrail:
  • Security analysis: use the log files as input to log management and analysis solutions to perform security analysis and detect user behavior patterns.
  • Track changes to AWS resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
  • Troubleshoot operational issues: identify the most recent actions made to resources in your AWS account.
  • Compliance aid: easier to demonstrate compliance with internal policies and regulatory standards.
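Slide 39 and notes 32 and 33 describe the CloudTrail use cases in words; here is what they look like over an actual log file. This is an added example, not part of the original deck and not an AWS tool: it parses a constructed CloudTrail delivery file (the real record format, but the five records, the account ID, user names and IP addresses are made up), answers who did what from where and when, and then flags the events a security reviewer would pull out first: console logins without MFA, root activity, security-group and NACL changes, ingress opened to 0.0.0.0/0, and denied calls, which CloudTrail still records with an errorCode.

```python
"""CloudTrail triage: who did what, from where, when, plus first-pass alerts.

Added example, not from the deck. SAMPLE_LOG is a constructed CloudTrail
delivery file (CloudTrail writes a JSON object with a top-level "Records" list
to your S3 bucket); the account ID, users and addresses are made up.
"""
import json
from collections import Counter

SAMPLE_LOG = json.dumps({"Records": [
    # Console sign-in without MFA (signin.amazonaws.com records MFAUsed).
    {"eventTime": "2015-03-24T18:02:11Z", "awsRegion": "us-east-1",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/ec2/"}},
    # Same user opens SSH to the world a few minutes later.
    {"eventTime": "2015-03-24T18:05:43Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    # Read-only call: recorded, but nothing to alert on.
    {"eventTime": "2015-03-24T18:09:02Z", "awsRegion": "us-east-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"}},
    # Root credentials used late at night from a new address to rewrite a NACL.
    {"eventTime": "2015-03-24T22:41:19Z", "awsRegion": "eu-west-1",
     "eventSource": "ec2.amazonaws.com", "eventName": "CreateNetworkAclEntry",
     "sourceIPAddress": "203.0.113.55",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"networkAclId": "acl-1a2b3c4d", "ruleNumber": 10, "egress": False,
                           "cidrBlock": "0.0.0.0/0", "protocol": "-1", "ruleAction": "allow"}},
    # Denied calls are logged too, with errorCode set.
    {"eventTime": "2015-03-24T22:43:00Z", "awsRegion": "us-east-1",
     "eventSource": "iam.amazonaws.com", "eventName": "DeleteUser",
     "sourceIPAddress": "203.0.113.55",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "111122223333"},
     "requestParameters": {"userName": "auditor"}, "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::111122223333:user/bob is not authorized to perform: iam:DeleteUser"},
]})

NETWORK_CHANGE_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
}


def load_records(text):
    """Parse one CloudTrail delivery file into its list of event records."""
    return json.loads(text)["Records"]


def actor(rec):
    """Readable principal: 'Root', 'IAMUser:alice', 'AssumedRole:<arn>', ..."""
    ident = rec.get("userIdentity") or {}
    kind = ident.get("type", "Unknown")
    if kind == "Root":
        return "Root"
    return f"{kind}:{ident.get('userName') or ident.get('arn') or ident.get('principalId', '?')}"


def summarize(records):
    """Who did what, from where, when: (time, actor, event, source IP, region), oldest first."""
    return sorted((r["eventTime"], actor(r), r["eventName"],
                   r.get("sourceIPAddress", "?"), r.get("awsRegion", "?")) for r in records)


def opens_to_world(rec):
    """True when an AuthorizeSecurityGroupIngress request allowed 0.0.0.0/0 or ::/0."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    params = rec.get("requestParameters") or {}
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        v4 = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in (perm.get("ipv6Ranges") or {}).get("items", [])]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return True
    return False


def find_alerts(records):
    """First-pass alerts as (time, actor, event, reason); one record may yield several."""
    alerts = []
    for rec in records:
        reasons = []
        if (rec.get("eventName") == "ConsoleLogin"
                and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
                and (rec.get("additionalEventData") or {}).get("MFAUsed") != "Yes"):
            reasons.append("console login without MFA")
        if (rec.get("userIdentity") or {}).get("type") == "Root":
            reasons.append("root user activity")
        if rec.get("eventName") in NETWORK_CHANGE_EVENTS:
            reasons.append("network change")
        if opens_to_world(rec):
            reasons.append("ingress opened to the world")
        if "errorCode" in rec:          # denied attempts are evidence, not noise
            reasons.append("failed or denied call: " + rec["errorCode"])
        alerts.extend((rec["eventTime"], actor(rec), rec["eventName"], why) for why in reasons)
    return alerts


def changes_by_actor(records):
    """How many network changes each principal made (the 'track changes' use case)."""
    return Counter(actor(r) for r in records if r.get("eventName") in NETWORK_CHANGE_EVENTS)
```

Run it over the records CloudTrail actually delivers (gunzip each object in the bucket and pass the text to `load_records`) and the same functions work; the point to take from the sample is that the interesting story is the sequence, a login without MFA followed three minutes later by SSH opened to the world from the same address, which is only visible because every call, including the read-only and denied ones, lands in the trail.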
  34. Wrapping up. Once again Security is Job Zero at AWS. We take this seriously and work very hard to make sure that everything is secure. Through our efforts and the work we have done around the shared responsibility model you have a more secure environment than you could enable on your own.
  35. Quick pointer to a couple of key areas. The AWS Security site and the AWS compliance site. Lots of good and detailed information on these sites. On the security site is our security whitepaper which covers in depth many of the items I talked about, as well as security for each of the AWS services.