AWS Summit 2014 
Understanding AWS Security 
Jean-Pierre Le Goaller 
Principal Solutions Architect 
@jplegoal
We’ll also see organizations adopt cloud 
services for the improved security 
protections and compliance controls that 
they otherwise could not provide as 
efficiently or effectively themselves. 
Security’s Cloud Revolution is Upon Us 
Forrester Research, Inc., August 2, 2013
EVERY CUSTOMER 
HAS ACCESS TO THE 
SAME SECURITY CAPABILITIES 
CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS
SECURITY IS SHARED
WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE 
WHAT WE DO 
WHAT YOU HAVE TO DO
Shared Responsibility 
• AWS 
• Facility operations 
• Physical Security 
• Physical Infrastructure 
• Network Infrastructure 
• Virtualization Infrastructure 
• Customer 
• Guest OS Management 
• Application Configuration 
• Account Management 
• Security Groups 
• ACLs 
• Identity Management
Different customer viewpoints on security 
• CEO: protect shareholder value 
• PR exec: keep out of the news 
• CIO / CISO: preserve the Confidentiality, Integrity and Availability (CIA) of data
AWS SECURITY OFFERS MORE 
VISIBILITY 
CONTROL 
AUDITABILITY
MORE VISIBILITY
CAN YOU MAP YOUR NETWORK? 
WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
Visibility 
• Logs == one component of visibility 
– Obtain 
– Retain 
– Analyze
TRUSTED ADVISOR
MORE CONTROL
Defense in Depth 
– Multi level security 
• Physical security of the data centers 
• Network security 
• System security 
• Data security
LEAST PRIVILEGE PRINCIPLE 
CONFINE EACH ROLE TO ONLY THE RESOURCES AND ACTIONS REQUIRED TO DO A SPECIFIC JOB
MORE CONTROL 
ON YOUR NETWORK
Use Security Groups
Use Amazon Virtual Private Cloud (VPC)
[Diagram series: VPC CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B, two subnets per AZ] 
• Slide 1: four private subnets, addresses 10.1.1.11/24, 10.1.2.22/24, 10.1.3.33/24 and 10.1.4.44/24 
• Slide 2: the same four private subnets with Instance A (10.1.1.11/24), Instance B (10.1.2.22/24), Instance C (10.1.3.33/24) and Instance D (10.1.4.44/24) 
• Slide 3: one subnet per AZ becomes a public subnet by attaching an Internet Gateway and a route table: 
  Destination    Target 
  10.1.0.0/16    local 
  0.0.0.0/0      IG 
• Slide 4: the VPC is additionally connected to the customer data center through a Virtual Private Gateway, over a VPN connection or AWS Direct Connect, with a route table: 
  Destination    Target 
  10.1.0.0/16    local 
  Internal CIDR  VGW
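The diagrams show the two controls that decide whether anything reaches an instance: the subnet's route table (a path to the Internet Gateway makes a subnet "public", a path to the Virtual Private Gateway reaches the data center) and the instance's security group (an allow-list; anything not listed is dropped). The following is an added example, not code from the slides or from AWS: an offline model of the 10.1.0.0/16 VPC above that answers "who can reach this instance on this port?" and lists what is exposed to the Internet. The subnet CIDRs, route tables and instance addresses follow the slides; the on-premises CIDR (192.168.0.0/16), the security-group rules, the instance-to-subnet assignment and the function names are assumptions made for this example.

```python
"""
Added example (not from the slides): an offline model of the VPC in the
diagrams, used to ask "who can reach this instance on this port?".
Two independent controls must both agree before traffic reaches an instance:
  1. the subnet's route table (evaluated by longest-prefix match) must have a
     path back to the peer: "local" inside the VPC, the Internet Gateway for
     Internet peers, the Virtual Private Gateway for the on-premises CIDR;
  2. the instance's security group must hold an allow rule for the flow
     (security groups are allow-lists; anything not listed is dropped).
Subnets and route tables follow the slides' 10.1.0.0/16 VPC. The on-premises
CIDR, the security-group rules and the instance-to-subnet assignment are
assumptions made for this example.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.1.0.0/16")
ONPREM_CIDR = ipaddress.ip_network("192.168.0.0/16")  # the slides' "Internal CIDR", assumed

# Route tables as (destination, target) pairs, as shown on the slides.
PUBLIC_RT = [("10.1.0.0/16", "local"), ("0.0.0.0/0", "igw")]
PRIVATE_RT = [("10.1.0.0/16", "local"), (str(ONPREM_CIDR), "vgw")]

SUBNETS = {  # one public and one private subnet per Availability Zone (assumed mapping)
    "10.1.1.0/24": PUBLIC_RT,   # AZ A, public
    "10.1.2.0/24": PRIVATE_RT,  # AZ A, private
    "10.1.3.0/24": PUBLIC_RT,   # AZ B, public
    "10.1.4.0/24": PRIVATE_RT,  # AZ B, private
}

# Security groups: (protocol, from_port, to_port, source) allow rules only.
# A source of "sg:<name>" references another security group, which is the
# least-privilege way to say "only from the web tier", whatever its addresses.
SECURITY_GROUPS = {
    "web-sg": [("tcp", 443, 443, "0.0.0.0/0"),
               ("tcp", 22, 22, "203.0.113.0/24")],   # SSH from the admin network only
    "db-sg": [("tcp", 5432, 5432, "sg:web-sg")],
}

INSTANCES = {  # name -> (private IP from the slides, security group)
    "A": ("10.1.1.11", "web-sg"),
    "B": ("10.1.2.22", "db-sg"),
    "C": ("10.1.3.33", "web-sg"),
    "D": ("10.1.4.44", "db-sg"),
}


def subnet_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr in SUBNETS:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    raise ValueError(f"{ip} is not in any subnet of {VPC_CIDR}")


def route_target(route_table, addr):
    """Longest-prefix match: the most specific destination wins."""
    best = None
    for dest, target in route_table:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def sg_allows(sg_name, proto, port, src_ip, src_sg=None):
    """True if any rule of the security group admits this flow."""
    for rule_proto, lo, hi, source in SECURITY_GROUPS[sg_name]:
        if rule_proto != proto or not lo <= port <= hi:
            continue
        if source.startswith("sg:"):
            if src_sg == source[3:]:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
            return True
    return False


def reachable(src, dst, proto, port):
    """src is an instance name (inside the VPC) or an external IP string."""
    dst_ip, dst_sg = INSTANCES[dst]
    src_ip, src_sg = INSTANCES[src] if src in INSTANCES else (src, None)
    src_addr = ipaddress.ip_address(src_ip)
    route = route_target(SUBNETS[subnet_of(dst_ip)], src_addr)
    # The destination subnet must be able to route replies back to the peer.
    if src_addr in VPC_CIDR:
        path_ok = route == "local"
    elif src_addr in ONPREM_CIDR:
        path_ok = route == "vgw"
    else:
        path_ok = route == "igw"  # a public IP is also needed; assumed for public subnets
    return path_ok and sg_allows(dst_sg, proto, port, src_ip, src_sg)


def internet_exposed():
    """Audit view: instances in a subnet routed to the IGW whose security group
    admits a port from 0.0.0.0/0. Returns {instance: [ports]}."""
    exposed = {}
    for name, (ip, sg) in INSTANCES.items():
        public = any(target == "igw" for _, target in SUBNETS[subnet_of(ip)])
        ports = sorted({lo for _, lo, _, source in SECURITY_GROUPS[sg] if source == "0.0.0.0/0"})
        if public and ports:
            exposed[name] = ports
    return exposed


if __name__ == "__main__":
    print("Internet -> A:443", reachable("198.51.100.7", "A", "tcp", 443))
    print("Internet -> A:22 ", reachable("198.51.100.7", "A", "tcp", 22))
    print("Internet -> B:5432", reachable("198.51.100.7", "B", "tcp", 5432))
    print("A -> B:5432", reachable("A", "B", "tcp", 5432))
    print("exposed:", internet_exposed())
```

The check deliberately requires both controls: the database instance B is unreachable from the Internet twice over (no IGW route in its subnet, and its security group only admits the web tier), which is the defense-in-depth the deck argues for. Running this model against the real account (for example with the EC2 DescribeRouteTables and DescribeSecurityGroups APIs) is the "can you map your network?" question from earlier in the talk made concrete.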
EVEN MORE CONTROL 
ON YOUR NETWORK
Additional Network Security Control 
available from AWS Partners 
AWS Marketplace: http://aws.amazon.com/marketplace 
– 1-Click Launch into VPC of appliances from: 
– aiScaler 
– Barracuda 
– Brocade 
– Check Point 
– Cisco 
– Citrix 
– Dome9 
– F5 
– Imperva 
– Riverbed 
– Sophos 
– Trend Micro 
And many more…
MORE CONTROL 
ON IDENTITY & ACCESS
USE AWS IAM 
IDENTITY & ACCESS MANAGEMENT
CONTROL WHO CAN DO WHAT IN YOUR AWS ACCOUNT 
ACCESS TO SERVICE APIs
MULTI-FACTOR AUTHENTICATION: 
MFA DELETE PROTECTION 
MFA-PROTECTED API ACCESS
MFA-PROTECTED API ACCESS 
{ 
  "Version": "2012-10-17", 
  "Statement": [{ 
    "Effect": "Allow", 
    "Action": [ 
      "ec2:StopInstances", 
      "ec2:TerminateInstances" 
    ], 
    "Resource": ["*"], 
    "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"}} 
  }] 
}
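The policy above hinges on a condition that reads backwards at first sight: "Null": {"aws:MultiFactorAuthAge": "false"} means "this key is NOT null", i.e. the request was made by a session that authenticated with MFA. It says nothing about how long ago, and it only grants; it does not block the same actions if another policy allows them. The following is an added example, not code from the slides or from AWS: a miniature evaluator of IAM's condition and Deny-wins semantics, run against the slide's policy and against a stronger variant (the second policy, the request contexts and the function names are assumptions made for this example). It shows which kinds of credentials each policy lets terminate instances.

```python
"""
Added example (not from the slides): a miniature IAM policy evaluator for the
condition semantics of the MFA-protected policy on the slide.
  * "Null": {"aws:MultiFactorAuthAge": "false"} -> the key is present, i.e.
    the caller authenticated with MFA (any age).
  * For long-term access keys neither aws:MultiFactorAuthPresent nor
    aws:MultiFactorAuthAge is in the request context at all, which is why the
    "...IfExists" operators matter in a Deny statement.
The hardened policy, the request contexts and the evaluator are assumptions
made for this example; only MFA_ALLOW_POLICY is from the slide.
"""
import fnmatch
import json

# The slide's policy, verbatim.
MFA_ALLOW_POLICY = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Resource": ["*"],
    "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"}}
  }]
}""")

# Assumed hardened variant: a broad Allow, plus explicit Denies (which always
# win) for destructive calls made without MFA or with MFA older than an hour.
DESTRUCTIVE = ["ec2:StopInstances", "ec2:TerminateInstances"]
MFA_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": DESTRUCTIVE, "Resource": ["*"],
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        {"Effect": "Deny", "Action": DESTRUCTIVE, "Resource": ["*"],
         "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": "3600"}}},
    ],
}

# Request contexts as IAM would see them (constructed for this example).
MFA_SESSION = {"aws:MultiFactorAuthPresent": True, "aws:MultiFactorAuthAge": 120}
STALE_MFA_SESSION = {"aws:MultiFactorAuthPresent": True, "aws:MultiFactorAuthAge": 7200}
PASSWORD_ONLY_SESSION = {"aws:MultiFactorAuthPresent": False}
LONG_TERM_KEYS = {}  # neither key exists for long-term access keys


def _matches(op, actual, expected):
    """Evaluate one condition operator against one context value."""
    base = op[:-len("IfExists")] if op.endswith("IfExists") else op
    if base == "Null":                      # "true": key absent; "false": key present
        return (actual is None) == (expected == "true")
    if actual is None:                      # missing key matches only ...IfExists
        return op.endswith("IfExists")
    if base == "Bool":
        return str(actual).lower() == expected.lower()
    if base == "StringEquals":
        return str(actual) == expected
    if base == "NumericLessThan":
        return float(actual) < float(expected)
    if base == "NumericGreaterThan":
        return float(actual) > float(expected)
    raise NotImplementedError(op)


def _condition_holds(condition, ctx):
    """All operators and all keys must match; values within a key are OR-ed."""
    for op, keys in condition.items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            if not any(_matches(op, ctx.get(key), str(v)) for v in values):
                return False
    return True


def evaluate(policy, action, ctx):
    """Return "Allow" or "Deny". Implicit deny unless some Allow matches;
    any matching explicit Deny overrides every Allow, as in IAM."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, p) for p in actions):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for name, ctx in [("MFA", MFA_SESSION), ("stale MFA", STALE_MFA_SESSION),
                      ("password only", PASSWORD_ONLY_SESSION), ("access keys", LONG_TERM_KEYS)]:
        print(f"{name:14} slide policy: {evaluate(MFA_ALLOW_POLICY, 'ec2:TerminateInstances', ctx):5}"
              f"  deny policy: {evaluate(MFA_DENY_POLICY, 'ec2:TerminateInstances', ctx)}")
```

Two things the run makes visible: the slide's policy allows a terminate from a session whose MFA is two hours old, because Null only tests presence; and a Deny written with plain Bool instead of BoolIfExists would not fire for long-term access keys, since the key is absent rather than false, so the stronger policy has to use the IfExists form.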
SSO and IDENTITY FEDERATION 
with SAML 2.0
MORE CONTROL 
ON YOUR DATA
YOUR DATA STAYS WHERE YOU PUT IT
Regions and Availability Zones [world map slide; the Australia region is labelled]
DATA ENCRYPTION 
Server-side encryption: managed by AWS 
• Amazon Elastic Block Store (EBS) 
• Amazon Redshift 
• Amazon S3 
• Amazon Glacier 
• AWS Storage Gateway 
• Amazon Relational Database Service (RDS) TDE (Oracle and SQL Server)
DATA ENCRYPTION 
Client-side encryption: managed by Customer 
• Open-source solutions: 
• Block: Loop-AES, dm-crypt, TrueCrypt (development of TrueCrypt ended in May 2014; it is no longer maintained) 
• File: eCryptfs, EncFS 
• Commercial solutions: 
• Trend Micro Secure Cloud 
• SafeNet ProtectV 
• Customer-managed Key Management Infrastructure
AWS CloudHSM 
Powered by the Luna SA HSM appliance from SafeNet 
Managed and monitored by AWS, but you control the keys 
Increase performance for applications that use HSMs for key storage or encryption 
Comply with stringent regulatory and contractual requirements for key protection 
[Diagram: an EC2 instance connected to AWS CloudHSM appliances]
“GAME DAYS” 
INSERT ARTIFICIAL SECURITY INCIDENTS. 
MEASURE SPEED OF DETECTION AND EXECUTION.
MORE AUDITABILITY
AWS CLOUDTRAIL
You are making API calls… on a growing set of services around the world… CloudTrail is continuously recording those API calls… and delivering log files to you
Use Cases enabled by CloudTrail 
• Troubleshoot Operational Issues 
• Track Changes to AWS Resources 
• Security Analysis 
• Compliance Aid
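CloudTrail only delivers the log files; the "Security Analysis" and "Track Changes" use cases are whatever you run over them, and a game day measures how fast that logic fires. The following is an added example, not code from the slides or from AWS: three detections a practitioner would want on day one, run over a handful of records constructed to follow the CloudTrail record format (the identities, addresses, resource IDs and function names are made up for this example; the field names are CloudTrail's).

```python
"""
Added example (not from the slides): detection logic over CloudTrail records.
The records below are constructed for this example in CloudTrail's record
shape (eventName, eventSource, userIdentity, requestParameters, ...); the
users, IPs and resource IDs are invented. Three checks:
  1. any activity by the account's root user,
  2. destructive EC2 calls made by a session without MFA (or by long-term
     access keys, which carry no sessionContext at all),
  3. security-group changes that open a port to the whole Internet.
"""
import json

SAMPLE_LOG = """
{"eventTime":"2014-09-17T10:02:11Z","eventSource":"ec2.amazonaws.com","eventName":"TerminateInstances","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"instancesSet":{"items":[{"instanceId":"i-0a1b2c3d"}]}}}
{"eventTime":"2014-09-17T10:05:40Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"bob","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}},"requestParameters":{"groupId":"sg-example1","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}}
{"eventTime":"2014-09-17T10:09:02Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.9","userIdentity":{"type":"Root","principalId":"123456789012","accountId":"123456789012"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2014-09-17T10:12:55Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"alice"}}
{"eventTime":"2014-09-17T10:20:13Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"bob","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}},"requestParameters":{"groupId":"sg-example1","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"203.0.113.0/24"}]}}]}}}
{"eventTime":"2014-09-17T10:25:00Z","eventSource":"ec2.amazonaws.com","eventName":"StopInstances","sourceIPAddress":"203.0.113.9","userIdentity":{"type":"IAMUser","userName":"carol","sessionContext":{"attributes":{"mfaAuthenticated":"true"}}},"requestParameters":{"instancesSet":{"items":[{"instanceId":"i-0e5f6a7b"}]}}}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

DESTRUCTIVE = {"TerminateInstances", "StopInstances", "DeleteSecurityGroup", "DeleteVolume"}
WORLD = {"0.0.0.0/0", "::/0"}


def mfa_used(event):
    """True only for sessions whose context says MFA was used. Long-term access
    keys produce no sessionContext, so they count as no MFA."""
    attrs = event.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def open_to_world(event):
    """Port ranges an AuthorizeSecurityGroupIngress call opens to the Internet."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    opened = []
    for perm in event.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if WORLD & set(v4 + v6):
            opened.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return opened


def analyze(events):
    """Return (finding, detail, actor) tuples in event order."""
    findings = []
    for e in events:
        ident = e["userIdentity"]
        actor = ident.get("userName") or ident["type"]
        if ident["type"] == "Root":
            findings.append(("ROOT_ACTIVITY", e["eventName"], actor))
        if e["eventName"] in DESTRUCTIVE and not mfa_used(e):
            findings.append(("DESTRUCTIVE_WITHOUT_MFA", e["eventName"], actor))
        for proto, lo, hi in open_to_world(e):
            findings.append(("SG_OPEN_TO_WORLD", f"{proto}/{lo}-{hi}", actor))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

In production the same functions would be fed the gzipped JSON objects CloudTrail writes to the S3 bucket (each file holds a "Records" array), and the "Retain" step from the visibility slide is what makes the root-login check useful months later when nobody remembers who had the root password.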
VULNERABILITY & PENETRATION TESTING
Security and HIPAA on AWS 
© 2010 Orbograph Ltd. – All rights reserved 
Ran Rothschild 
September 17, 2014
Orbotech (ORBK) 
Quality control for the world's largest electronics manufacturers; key enabler of advanced electronic devices 
• $440M publicly traded firm 
• 1650+ employees in more than 40 offices 
• 6 R&D centers worldwide 
• 30+ years of leadership at the cutting edge of innovation 
• 500+ patents and patent applications
Lines of Business 
• Next Generation Recognition: 18 years of continual process improvements… Check Processing Automation 
• Healthcare Payments Automation Center (HPAC): 3+ years of innovation… Delivering Healthcare Payments Automation within Revenue Cycle Management (RCM)
Challenges/Problems 
We needed to build an infrastructure that 
was Dynamic, Elastic, Cost Effective and 
Secure that would fully comply with HIPAA. 
The Fluidity of HIPAA 
WE WERE CONCERNED 
The Solution 
LEVERAGE
The Implementation methodology 
We use best of breed layered security 
1. Optimal security solutions 
2. Different solutions 
3. Hybrid – AWS and external 
Some examples 
AWS out of the box: 
• VPC 
• Subnets 
• IAM 
• Security Groups 
• Trusted Advisor 
• AWS audited security processes 
External: 
• Porticor: full disk encryption, combining and splitting encryption keys 
• Sophos for IDS/IPS 
• Dome9: Security Group management 
• MFA
The Power of Architecture Planning 
Governance 
Constant evaluation and adaptation 
THANK YOU FOR LISTENING 
Email: 
ran.rothschild@orbograph.com 
LinkedIn: 
il.linkedin.com/in/ranrothschild/ 
on “private clouds”...
92% of private clouds are still falling short of 
the core requirements: self-service, full 
automation, tracking and monitoring.
What are customers really looking for ?
PRIVATE COMPUTE 
PRIVATE STORAGE 
PRIVATE NETWORK 
PRIVATE KEY MANAGEMENT 
GOVERNANCE
INTEGRATION WITH ON-PREMISES RESOURCES 
• Integrated networking 
• Integrated access control 
• Integrated cloud backups 
• Single pane of glass 
[Diagram: on-premises hosts 192.168.1.10 and 192.168.1.11, Microsoft Active Directory, a custom LDAP directory and "App 1", alongside AWS Storage Gateway]
MORE VISIBILITY 
MORE CONTROL 
MORE AUDITABILITY
“Based on our experience, I believe that we 
can be even more secure in the AWS 
cloud than in our own data centers” 
Tom Soderstrom – CTO – NASA JPL
Attitudes and Perceptions Around Security and Cloud Services 
Nearly 60% of organizations agreed that CSPs [cloud service 
providers] provide better security than their own IT organizations. 
Source: IDC 2013 U.S. Cloud Security Survey, 
doc #242836, September 2013
AWS.AMAZON.COM/SECURITY
Thank You! 
AWS EXPERT? GET CERTIFIED! aws.amazon.com/certification 
Jean-Pierre Le Goaller 
Principal Solutions Architect 
@jplegoal

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

AWS Security Best Practices
AWS Security Best PracticesAWS Security Best Practices
AWS Security Best Practices
 
Journey Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWSJourney Through the Cloud - Security Best Practices on AWS
Journey Through the Cloud - Security Best Practices on AWS
 
The 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS SecurityThe 2014 AWS Enterprise Summit - Understanding AWS Security
The 2014 AWS Enterprise Summit - Understanding AWS Security
 
Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017Managing Security with AWS | AWS Public Sector Summit 2017
Managing Security with AWS | AWS Public Sector Summit 2017
 
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best PracticesAWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
AWS 201 - A Walk through the AWS Cloud: AWS Security Best Practices
 
Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWS
 
AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”AWS Security Overview and “What’s New”
AWS Security Overview and “What’s New”
 
Security in the Cloud - AWS Symposium 2014 - Washington D.C.
Security in the Cloud - AWS Symposium 2014 - Washington D.C. Security in the Cloud - AWS Symposium 2014 - Washington D.C.
Security in the Cloud - AWS Symposium 2014 - Washington D.C.
 
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security BaselineAWS Security Week: Infrastructure Security- Your Minimum Security Baseline
AWS Security Week: Infrastructure Security- Your Minimum Security Baseline
 
Managing Security on AWS
Managing Security on AWSManaging Security on AWS
Managing Security on AWS
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 
Intro to AWS Security
Intro to AWS SecurityIntro to AWS Security
Intro to AWS Security
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
 
Shared Security in AWS
Shared Security in AWSShared Security in AWS
Shared Security in AWS
 
Aws security best practices
Aws security best practicesAws security best practices
Aws security best practices
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices Journey Through The Cloud - Security Best Practices
Journey Through The Cloud - Security Best Practices
 
What's (nearly) new | AWS Security Roadshow Dublin
What's (nearly) new | AWS Security Roadshow DublinWhat's (nearly) new | AWS Security Roadshow Dublin
What's (nearly) new | AWS Security Roadshow Dublin
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
AWS Security Fundamentals
AWS Security FundamentalsAWS Security Fundamentals
AWS Security Fundamentals
 

Andere mochten auch

AWS Customer Presentation - Porticor
AWS Customer Presentation - Porticor AWS Customer Presentation - Porticor
AWS Customer Presentation - Porticor
Amazon Web Services
 
AWS Customer Presentation - SemantiNet
AWS Customer Presentation - SemantiNet  AWS Customer Presentation - SemantiNet
AWS Customer Presentation - SemantiNet
Amazon Web Services
 
AWS Customer Presentation - qlik Tech
AWS Customer Presentation - qlik TechAWS Customer Presentation - qlik Tech
AWS Customer Presentation - qlik Tech
Amazon Web Services
 
AWS Customer Presentation - NASA JPL Pervasive Cloud Now and Future
AWS Customer Presentation - NASA JPL Pervasive Cloud Now and FutureAWS Customer Presentation - NASA JPL Pervasive Cloud Now and Future
AWS Customer Presentation - NASA JPL Pervasive Cloud Now and Future
Amazon Web Services
 
AWS Customer Presentation: Washington Post - AWS NYC Summit 2012
AWS Customer Presentation: Washington Post - AWS NYC Summit 2012AWS Customer Presentation: Washington Post - AWS NYC Summit 2012
AWS Customer Presentation: Washington Post - AWS NYC Summit 2012
Amazon Web Services
 

Andere mochten auch (20)

Programando sua infraestrutura com o AWS CloudFormation
Programando sua infraestrutura com o AWS CloudFormationProgramando sua infraestrutura com o AWS CloudFormation
Programando sua infraestrutura com o AWS CloudFormation
 
AWS Customer Presentation - Porticor
AWS Customer Presentation - Porticor AWS Customer Presentation - Porticor
AWS Customer Presentation - Porticor
 
AWS Customer Presentation - SemantiNet
AWS Customer Presentation - SemantiNet  AWS Customer Presentation - SemantiNet
AWS Customer Presentation - SemantiNet
 
AWS Public Sector Symposium 2014 Canberra | Black Belt Tips on AWS
AWS Public Sector Symposium 2014 Canberra | Black Belt Tips on AWS AWS Public Sector Symposium 2014 Canberra | Black Belt Tips on AWS
AWS Public Sector Symposium 2014 Canberra | Black Belt Tips on AWS
 
Big Data on AWS - AWS Washington D.C. Symposium 2014
Big Data on AWS - AWS Washington D.C. Symposium 2014Big Data on AWS - AWS Washington D.C. Symposium 2014
Big Data on AWS - AWS Washington D.C. Symposium 2014
 
(APP203) How Sumo Logic and Anki Build Highly Resilient Services on AWS to Ma...
(APP203) How Sumo Logic and Anki Build Highly Resilient Services on AWS to Ma...(APP203) How Sumo Logic and Anki Build Highly Resilient Services on AWS to Ma...
(APP203) How Sumo Logic and Anki Build Highly Resilient Services on AWS to Ma...
 
AWSome Day Bangkok Opening Keynote
AWSome Day Bangkok Opening KeynoteAWSome Day Bangkok Opening Keynote
AWSome Day Bangkok Opening Keynote
 
(PFC402) Bigger, Faster: Performance Tips for High Speed and High Volume Appl...
(PFC402) Bigger, Faster: Performance Tips for High Speed and High Volume Appl...(PFC402) Bigger, Faster: Performance Tips for High Speed and High Volume Appl...
(PFC402) Bigger, Faster: Performance Tips for High Speed and High Volume Appl...
 
Continuous Integration and Deployment Best Practices on AWS
 Continuous Integration and Deployment Best Practices on AWS  Continuous Integration and Deployment Best Practices on AWS
Continuous Integration and Deployment Best Practices on AWS
 
Keynote - Werner Vogels
Keynote - Werner Vogels Keynote - Werner Vogels
Keynote - Werner Vogels
 
AWS Public Sector Symposium 2014 Canberra | Getting Started with AWS for Gove...
AWS Public Sector Symposium 2014 Canberra | Getting Started with AWS for Gove...AWS Public Sector Symposium 2014 Canberra | Getting Started with AWS for Gove...
AWS Public Sector Symposium 2014 Canberra | Getting Started with AWS for Gove...
 
High Availability Websites: part two
High Availability Websites: part twoHigh Availability Websites: part two
High Availability Websites: part two
 
AWS Customer Presentation - qlik Tech
AWS Customer Presentation - qlik TechAWS Customer Presentation - qlik Tech
AWS Customer Presentation - qlik Tech
 
AWS Summit Stockholm 2014 – T3 – disaster recovery on AWS
AWS Summit Stockholm 2014 – T3 – disaster recovery on AWSAWS Summit Stockholm 2014 – T3 – disaster recovery on AWS
AWS Summit Stockholm 2014 – T3 – disaster recovery on AWS
 
AWS Customer Presentation - NASA JPL Pervasive Cloud Now and Future
AWS Customer Presentation - NASA JPL Pervasive Cloud Now and FutureAWS Customer Presentation - NASA JPL Pervasive Cloud Now and Future
AWS Customer Presentation - NASA JPL Pervasive Cloud Now and Future
 
AWS Customer Presentation: Washington Post - AWS NYC Summit 2012
AWS Customer Presentation: Washington Post - AWS NYC Summit 2012AWS Customer Presentation: Washington Post - AWS NYC Summit 2012
AWS Customer Presentation: Washington Post - AWS NYC Summit 2012
 
(GAM304) How Riot Games re:Invented Their AWS Model | AWS re:Invent 2014
(GAM304) How Riot Games re:Invented Their AWS Model | AWS re:Invent 2014(GAM304) How Riot Games re:Invented Their AWS Model | AWS re:Invent 2014
(GAM304) How Riot Games re:Invented Their AWS Model | AWS re:Invent 2014
 
AWS Webcast - Intro to DevOps: Using Amazon RDS with AWS OpsWorks
AWS Webcast - Intro to DevOps:  Using Amazon RDS with AWS OpsWorksAWS Webcast - Intro to DevOps:  Using Amazon RDS with AWS OpsWorks
AWS Webcast - Intro to DevOps: Using Amazon RDS with AWS OpsWorks
 
AWS Summit Stockholm 2014 – T4 – Continuous integration on AWS
AWS Summit Stockholm 2014 – T4 – Continuous integration on AWSAWS Summit Stockholm 2014 – T4 – Continuous integration on AWS
AWS Summit Stockholm 2014 – T4 – Continuous integration on AWS
 
High Availability Websites: part one
High Availability Websites: part oneHigh Availability Websites: part one
High Availability Websites: part one
 

Ähnlich wie Understanding AWS security

Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
Amazon Web Services
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817   api management - enable your infrastructure for secure mobile and c...Con8817   api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
OracleIDM
 
Should healthcare abandon the cloud final
Should healthcare abandon the cloud finalShould healthcare abandon the cloud final
Should healthcare abandon the cloud final
sapenov
 
Securing Red Hat OpenShift Containerized Applications At Enterprise Scale
Securing Red Hat OpenShift Containerized Applications At Enterprise ScaleSecuring Red Hat OpenShift Containerized Applications At Enterprise Scale
Securing Red Hat OpenShift Containerized Applications At Enterprise Scale
DevOps.com
 

Ähnlich wie Understanding AWS security (20)

Palo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & CompliancePalo Alto Networks: Protection for Security & Compliance
Palo Alto Networks: Protection for Security & Compliance
 
Cloud 12 08 V2
Cloud 12 08 V2Cloud 12 08 V2
Cloud 12 08 V2
 
Cisco Connect Ottawa 2018 consuming public and private clouds
Cisco Connect Ottawa 2018 consuming public and private cloudsCisco Connect Ottawa 2018 consuming public and private clouds
Cisco Connect Ottawa 2018 consuming public and private clouds
 
Con8836 leveraging the cloud to simplify your identity management implement...
Con8836   leveraging the cloud to simplify your identity management implement...Con8836   leveraging the cloud to simplify your identity management implement...
Con8836 leveraging the cloud to simplify your identity management implement...
 
Autonomous Database Security Features
Autonomous Database Security FeaturesAutonomous Database Security Features
Autonomous Database Security Features
 
Cloud Computing and the Promise of Everything as a Service
Cloud Computing and the Promise of Everything as a ServiceCloud Computing and the Promise of Everything as a Service
Cloud Computing and the Promise of Everything as a Service
 
Checkpoint Overview
Checkpoint OverviewCheckpoint Overview
Checkpoint Overview
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817   api management - enable your infrastructure for secure mobile and c...Con8817   api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup Slides
 
AWS User Group November
AWS User Group NovemberAWS User Group November
AWS User Group November
 
Should healthcare abandon the cloud final
Should healthcare abandon the cloud finalShould healthcare abandon the cloud final
Should healthcare abandon the cloud final
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
 
How to Easily and Securely Connect Devices to AWS IoT - AWS Online Tech Talks
How to Easily and Securely Connect Devices to AWS IoT - AWS Online Tech TalksHow to Easily and Securely Connect Devices to AWS IoT - AWS Online Tech Talks
How to Easily and Securely Connect Devices to AWS IoT - AWS Online Tech Talks
 
Securing Red Hat OpenShift Containerized Applications At Enterprise Scale
Securing Red Hat OpenShift Containerized Applications At Enterprise ScaleSecuring Red Hat OpenShift Containerized Applications At Enterprise Scale
Securing Red Hat OpenShift Containerized Applications At Enterprise Scale
 
OpenStack + CloudFoundry Austin Meetup
OpenStack + CloudFoundry Austin MeetupOpenStack + CloudFoundry Austin Meetup
OpenStack + CloudFoundry Austin Meetup
 
OS + CF Austin meetup
OS + CF Austin meetupOS + CF Austin meetup
OS + CF Austin meetup
 
Security in Cloud Computing
Security in Cloud ComputingSecurity in Cloud Computing
Security in Cloud Computing
 
Hybridní cloud s F5 v prostředí kontejnerů
Hybridní cloud s F5 v prostředí kontejnerůHybridní cloud s F5 v prostředí kontejnerů
Hybridní cloud s F5 v prostředí kontejnerů
 
OOW13:Leveraging the Cloud to Simplify Your Identity Management Implementatio...
OOW13:Leveraging the Cloud to Simplify Your Identity Management Implementatio...OOW13:Leveraging the Cloud to Simplify Your Identity Management Implementatio...
OOW13:Leveraging the Cloud to Simplify Your Identity Management Implementatio...
 
PCI DSS v 3.0 and Oracle Security Mapping
PCI DSS v 3.0 and Oracle Security MappingPCI DSS v 3.0 and Oracle Security Mapping
PCI DSS v 3.0 and Oracle Security Mapping
 

Mehr von Amazon Web Services

Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

Mehr von Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Understanding AWS security

  • 1. AWS Summit 2014 Understanding AWS Security Jean-Pierre Le Goaller Principal Solutions Architect @jplegoal
  • 2. We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves. Security’s Cloud Revolution is Upon Us Forrester Research, Inc., August 2, 2013
  • 3. EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS
  • 5. WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
  • 6. WHAT WE DO WHAT YOU HAVE TO DO
  • 7. Shared Responsibility • AWS • Facility operations • Physical Security • Physical Infrastructure • Network Infrastructure • Virtualization Infrastructure • Customer • Guest OS Management • Application Configuration • Account Management • Security Groups • ACLs • Identity Management
  • 8. Different customer viewpoints on security • CEO: protect shareholder value • PR exec: keep out of the news • CI{S}O: preserve the Confidentiality, Integrity and Availability (CIA) of data
  • 9. AWS SECURITY OFFERS MORE VISIBILITY CONTROL AUDITABILITY
  • 11. CAN YOU MAP YOUR NETWORK? WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
  • 12.
  • 13.
  • 14. Visibility • Logs == one component of visibility – Obtain – Retain – Analyze
  • 16.
  • 17.
  • 18.
  • 20. Defense in Depth – Multi level security • Physical security of the data centers • Network security • System security • Data security
  • 21. LEAST PRIVILEGE PRINCIPLE CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO A SPECIFIC WORK
  • 22. MORE CONTROL ON YOUR NETWORK
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30. Use Amazon Virtual Private Cloud (VPC)
  • 31. Private Subnet Private Subnet Availability Zone A VPC CIDR: 10.1.0.0 /16 Private Subnet Private Subnet Availability Zone B 10.1.1.11 /24 10.1.3.33 /24 10.1.2.22 /24 10.1.4.44 /24
  • 32. Private Subnet Private Subnet Availability Zone A VPC CIDR: 10.1.0.0 /16 Private Subnet Private Subnet Availability Zone B Instance A 10.1.1.11 /24 Instance C 10.1.3.33 /24 Instance B 10.1.2.22 /24 Instance D 10.1.4.44 /24
  • 33. Public Subnet Private Subnet Availability Zone A VPC CIDR: 10.1.0.0 /16 Public Subnet Private Subnet Availability Zone B Instance A 10.1.1.11 /24 Instance C 10.1.3.33 /24 Instance B 10.1.2.22 /24 Instance D 10.1.4.44 /24 Internet Gateway Route Table Destination Target 10.1.0.0/16 local 0.0.0.0/0 IG
  • 34. Public Subnet Private Subnet Availability Zone A VPC CIDR: 10.1.0.0 /16 Public Subnet Private Subnet Availability Zone B Instance A 10.1.1.11 /24 Instance C 10.1.3.33 /24 Instance B 10.1.2.22 /24 Instance D 10.1.4.44 /24 Internet Gateway Virtual Private Gateway VPN connection Customer data center Customer data center AWS Direct Connect Route Table Destination Target 10.1.0.0/16 local Internal CIDR VGW
  • 35. EVEN MORE CONTROL ON YOUR NETWORK
  • 36. Additional Network Security Control available from AWS Partners AWS Marketplace: http://aws.amazon.com/marketplace – 1-Click Launch into VPC of appliances from: – aiScaler – Barracuda – Brocade – Checkpoint – Cisco – Citrix – Dome9 – F5 – Imperva – Riverbed – Sophos – Trend Micro And many more…
  • 37.
  • 38. MORE CONTROL ON IDENTITY & ACCESS
  • 39. USE AWS IAM IDENTITY & ACCESS MANAGEMENT
  • 40. CONTROL WHO CAN DO WHAT IN YOUR AWS ACCOUNT
  • 41.
  • 42.
  • 43.
  • 45. MULTI-FACTOR AUTHENTICATION: MFA DELETE PROTECTION MFA-PROTECTED API ACCESS
  • 46.
  • 47. MFA-PROTECTED API ACCESS { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "ec2:StopInstances", "ec2:TerminateInstances" ], "Resource": ["*"], "Condition": {"Null": {"aws:MultiFactorAuthAge": "false"}} }] }
  • 48. SSO and IDENTITY FEDERATION with SAML 2.0
  • 49. MORE CONTROL ON YOUR DATA
  • 50. YOUR DATA STAYS WHERE YOU PUT IT
  • 51. Regions and Availability Zones Australia
  • 52. DATA ENCRYPTION Server-side encryption: managed by AWS • Amazon Elastic Block Store (EBS) • Amazon Redshift • Amazon S3 • Amazon Glacier • AWS Storage Gateway • AWS Relational Database Service TDE (Oracle and SQL Server)
  • 53. DATA ENCRYPTION Client-side encryption: managed by Customer • Open-source solutions: • Block: Loop-AES, dm-crypt, TrueCrypt • File: eCryptfs, EncFS • Commercial solutions: • Trend Micro Secure Cloud • Safenet Protect V • Customer-managed Key Management Infrastructure
  • 54. AWS CloudHSM: powered by the Luna SA HSM appliance from Safenet. Managed and monitored by AWS, but you control the keys. Increase performance for applications that use HSMs for key storage or encryption. Comply with stringent regulatory and contractual requirements for key protection. (Diagram: EC2 instance connected to AWS CloudHSM.)
  • 56. “GAME DAYS” INSERT ARTIFICIAL SECURITY INCIDENTS. MEASURE SPEED OF DETECTION AND EXECUTION.
  • 59. You are making API calls... On a growing set of services around the world… CloudTrail is continuously recording API calls… And delivering log files to you
  • 60. Use Cases enabled by CloudTrail • Troubleshoot Operational Issues • Track Changes to AWS Resources • Security Analysis • Compliance Aid
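As an added example of the "Security Analysis" use case (not from the deck; the records are constructed samples in CloudTrail's JSON layout, not real logs), this scans delivered CloudTrail records for the same destructive EC2 calls the slide-47 policy guards and reports any made without MFA.

```python
"""Report destructive EC2 calls recorded by CloudTrail that were made without MFA.
Added example, not from the deck; SAMPLE_LOG is constructed, not real log data."""
import json

# The two actions guarded by the slide-47 policy, in CloudTrail's eventSource/eventName form.
WATCHED = {("ec2.amazonaws.com", "StopInstances"), ("ec2.amazonaws.com", "TerminateInstances")}

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-09-17T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2014-09-17T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2014-09-17T10:25:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    # Call made with a long-term access key: no sessionContext at all, so no MFA.
    {"eventTime": "2014-09-17T10:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]})

def mfa_used(record):
    """CloudTrail records mfaAuthenticated under sessionContext.attributes; a missing
    field is treated as 'no MFA', the conservative reading."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def find_unprotected_calls(log_text):
    """Return (eventTime, user, eventName, sourceIPAddress) for watched calls made without MFA."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if (rec.get("eventSource"), rec.get("eventName")) not in WATCHED or mfa_used(rec):
            continue
        identity = rec["userIdentity"]
        user = identity.get("userName") or identity.get("arn", "?")
        findings.append((rec["eventTime"], user, rec["eventName"], rec.get("sourceIPAddress")))
    return findings

if __name__ == "__main__":
    for finding in find_unprotected_calls(SAMPLE_LOG):
        print("no MFA:", *finding)
```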
  • 64. Security and HIPAA on AWS © 2010 Orbograph Ltd. – All rights reserved Ran Rothschild September 17, 2014
  • 65. Orbotech (ORBK): quality control for the world's largest electronics manufacturers and a key enabler of advanced electronic devices. $440M publicly traded firm; 1650+ employees in more than 40 offices; 6 R&D centers worldwide; 30+ years of leadership at the cutting edge of innovation; 500+ patents and patent applications.
  • 66. Lines of Business: Next Generation Recognition, 18 years of continual process improvements in check processing automation; Healthcare Payments Automation Center (HPAC), 3+ years of innovation delivering healthcare payments automation within Revenue Cycle Management (RCM).
  • 67. Challenges/Problems: we needed to build an infrastructure that was dynamic, elastic, cost effective and secure, and that would fully comply with HIPAA.
  • 69. The Fluidity of HIPAA
  • 70. WE WERE CONCERNED
  • 71. The Solution
  • 72. LEVERAGE
  • 73. The Implementation Methodology: we use best-of-breed layered security. 1. Optimal security solutions; 2. Different solutions; 3. Hybrid – AWS and external.
  • 74. Some examples, AWS out of the box: VPC, Subnets, IAM, Security Groups, Trusted Advisor, AWS audited security processes.
  • 75. Some examples, external: Porticor – full disk encryption, combining and splitting encryption keys; Sophos for IDS/IPS; Dome9 – Security Group management; MFA.
  • 76. The Power of Architecture: planning, governance, constant evaluation and adaptation.
  • 78. THANK YOU FOR LISTENING. Email: ran.rothschild@orbograph.com LinkedIn: il.linkedin.com/in/ranrothschild/
  • 80. 92% of private clouds are still falling short of the core requirements: self-service, full automation, tracking and monitoring.
  • 81. What are customers really looking for?
  • 82. PRIVATE COMPUTE PRIVATE STORAGE PRIVATE NETWORK PRIVATE KEY MANAGEMENT GOVERNANCE
  • 84. INTEGRATION WITH ON-PREMISES RESOURCES: integrated networking, integrated access control, integrated cloud backups, single pane of glass. (Diagram: on-premises hosts 192.168.1.10 and 192.168.1.11, Microsoft Active Directory, custom LDAP, App 1, and AWS Storage Gateway.)
  • 85. MORE VISIBILITY MORE CONTROL MORE AUDITABILITY
  • 86. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers” Tom Soderstrom – CTO – NASA JPL
  • 87. Attitudes and Perceptions Around Security and Cloud Services Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations. Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
  • 90. Thank You! Jean-Pierre Le Goaller, Principal Solutions Architect, @jplegoal. AWS EXPERT? GET CERTIFIED! aws.amazon.com/certification

Editor's Notes

  1. Auditability to us is our way to have a conversation with a customer about the way we practice the art and science of security. The way we have that conversation with customers requires a common language; just as we all speak different languages, there are many different languages spoken in the audit world as well. Out of an audit process comes a series of artifacts. Those artifacts are the proof that we are doing what we are saying, and that proof is made available to the auditors who act on behalf of our customers to examine what we do and how we do it. All the things that are control objectives that appear in that list are items our auditors evaluate during the process of the SOC 1 or the SOC 2 audit. So they will come to our facilities and say: you have cameras at 67 different locations here, show me the view from camera 25 that shows the locking door number one. And we have to pull it up and show it to them. They say OK, now I want to see the video recorded from that camera on June 24 from 9am to 10am, and we have to pull it up and show it to them, to demonstrate that we actually have the recordings we say we do and that we keep them for the amount of time that we say we do. AUDITABLE: Don't trust me, trust the independent 3rd party auditors (Ernst & Young).
  2. Let's talk about private clouds… Old guard hardware and software companies like to talk about how easy it is to build something that resembles AWS inside a customer's data center… of course this usually involves buying more hardware and more software… the problem here is that the reality of the customer experience is typically very different from the private cloud dream that these companies are selling.
  3. According to research from Forrester, the vast majority of customers are struggling mightily to build on-premises environments that deliver even the most basic core functionality that end users expect from clouds: things like self-service provisioning, automation, resource tracking and monitoring.
  4. Now, why are companies trying to build private clouds in the first place? Let's look at the functional requirements that we hear most often in our conversations with customers.
  5. They’re looking for a private network, private compute, private storage, private management of their encryption keys and then governance functionality so that they can maintain the control they expect over resources.
  6. The good news is that you can get all of this in the cloud with AWS. Governance: fine-grained access control, auditability (CloudTrail), etc.
  7. AWS has a wide range of data protection capabilities. With S3, encrypting all of your data is as easy as checking a box in the AWS management console. With EBS, you can use an encrypted file system of your choice to provide encrypted block storage for your EC2 instances. For customers with requirements for single-tenant, isolated encryption key management, we offer a service called CloudHSM to generate, use and store encryption keys. AWS staff do not have access to these keys. It uses SafeNet Luna, independently validated devices. For customers with regulatory requirements for single-tenant object or block storage, we offer the capability to connect their EC2 instances to dedicated storage arrays over a private, low-latency connection.
  8. For customers who want a cloud with private compute capabilities, we offer a range of options to isolate their compute resources from other AWS customers. For further isolation of your compute resources, you can logically isolate your instances in a private network using VPC. For customers with regulatory or compliance requirements for single-tenant hardware, we have EC2 dedicated instances that provide physical isolation.
  9. For customers who want a cloud with private networking, we have VPC, which lets customers define their own private, isolated network, and with AWS Direct Connect, customers can bypass the public Internet and connect to AWS through private and dedicated network connections.
  10. AWS also gives you the ability to support enterprise governance requirements. With our IAM service, we give customers fine-grained control over what employees can access and what they can do with those resources. Our CloudTrail service logs user activities to enable audits of employee use of your AWS account. And we give you full control over where your data is stored, so you can easily comply with data residency compliance requirements.