The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability and control. You have to know what you have and where it is before you can assess the environment against best practices and internal or compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says: "Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?" That's the level of granularity you can choose to implement if you wish.
1. AWS Summit 2014
Understanding AWS Security
Jean-Pierre Le Goaller
Principal Solutions Architect
@jplegoal
2. “We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”
Security’s Cloud Revolution is Upon Us, Forrester Research, Inc., August 2, 2013
3. EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES
CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS
8. Different customer viewpoints on security
• CEO: protect shareholder value
• PR exec: keep out of the news
• CI{S}O: preserve the Confidentiality, Integrity and Availability (CIA) of data
31. Diagram: a VPC with CIDR 10.1.0.0/16 spanning Availability Zone A and Availability Zone B, with two private subnets in each AZ (addresses shown: 10.1.1.11/24, 10.1.2.22/24, 10.1.3.33/24, 10.1.4.44/24).
32. Diagram: the same VPC (CIDR 10.1.0.0/16, Availability Zones A and B, four private subnets) with one instance in each subnet: Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24.
33. Diagram: the same VPC (CIDR 10.1.0.0/16, Availability Zones A and B) with one subnet per AZ now public and one private; Instance A 10.1.1.11/24, Instance B 10.1.2.22/24, Instance C 10.1.3.33/24, Instance D 10.1.4.44/24; an Internet Gateway is attached to the VPC.
Route Table for the public subnets
Destination     Target
10.1.0.0/16     local
0.0.0.0/0       IG (Internet Gateway)
34. Diagram: as on slide 33 (VPC 10.1.0.0/16, public and private subnets in Availability Zones A and B, Instances A to D, Internet Gateway), plus a Virtual Private Gateway on the VPC reached from one customer data center over a VPN connection and from a second customer data center over AWS Direct Connect.
Route Table
Destination       Target
10.1.0.0/16       local
Internal CIDR     VGW (Virtual Private Gateway; "Internal CIDR" is the customer’s on-premises address range)
54. AWS CloudHSM
• Powered by the Luna SA HSM appliance from SafeNet
• Managed and monitored by AWS, but you control the keys
• Increase performance for applications that use HSMs for key storage or encryption
• Comply with stringent regulatory and contractual requirements for key protection
Diagram: an EC2 instance connected to AWS CloudHSM appliances.
56. “GAME DAYS”: insert artificial security incidents; measure speed of detection and execution.
59. You are making API calls on a growing set of services around the world; CloudTrail is continuously recording those API calls and delivering the log files to you.
60. Use Cases enabled by CloudTrail
• Troubleshoot Operational Issues
• Track Changes to AWS Resources
• Security Analysis
• Compliance Aid
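The "Security Analysis" use case on slide 60 is only useful if someone actually reads the delivered log files. The following is an added example (not code from the deck or from AWS) that runs three detections over CloudTrail records: a console login that succeeded without MFA, a security group rule opened to 0.0.0.0/0, and a call that stops or alters the trail itself (the first thing an intruder with sufficient rights will try). The records are constructed in CloudTrail's JSON shape; the account ID, ARNs, user, IPs and group ID are made up.

```python
"""Three detections over CloudTrail records. Added example, not from the
deck. SAMPLE_LOG is constructed in CloudTrail's record format; all
identifiers in it are made up."""
import json

def _rec(time, source, name, **extra):
    """Build one constructed record; shared fields are the same actor/IP."""
    base = {"eventVersion": "1.02", "eventTime": time, "eventSource": source,
            "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
            "userIdentity": {"type": "IAMUser", "userName": "tom",
                             "arn": "arn:aws:iam::111122223333:user/tom"},
            "requestParameters": None, "responseElements": None}
    base.update(extra)
    return base

SAMPLE_LOG = json.dumps({"Records": [
    _rec("2014-06-24T09:12:01Z", "signin.amazonaws.com", "ConsoleLogin",
         responseElements={"ConsoleLogin": "Success"},
         additionalEventData={"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"}),
    _rec("2014-06-24T09:15:44Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
         requestParameters={"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
         responseElements={"_return": True}),
    _rec("2014-06-24T09:20:10Z", "cloudtrail.amazonaws.com", "StopLogging",
         requestParameters={"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}),
    _rec("2014-06-24T09:21:00Z", "ec2.amazonaws.com", "DescribeInstances"),  # benign, no finding
]})


def console_login_without_mfa(r):
    """Successful console sign-in where CloudTrail reports MFAUsed: No."""
    return (r.get("eventName") == "ConsoleLogin"
            and (r.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (r.get("additionalEventData") or {}).get("MFAUsed") == "No")


def world_open_ingress(r):
    """Any ipRanges entry of an AuthorizeSecurityGroupIngress call equal to 0.0.0.0/0."""
    if r.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    params = r.get("requestParameters") or {}
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


def logging_tampered(r):
    """Calls that silence or reconfigure the audit trail itself."""
    return (r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"})


RULES = {"console-login-no-mfa": console_login_without_mfa,
         "sg-ingress-from-anywhere": world_open_ingress,
         "cloudtrail-tampering": logging_tampered}


def scan(log_text):
    """Return (eventTime, eventName, rule, actor ARN, sourceIPAddress) per hit.
    Every rule is tried on every record; one record may hit several rules."""
    findings = []
    for r in json.loads(log_text)["Records"]:
        actor = (r.get("userIdentity") or {}).get("arn", "unknown")
        for rule_name, rule in RULES.items():
            if rule(r):
                findings.append((r["eventTime"], r["eventName"], rule_name, actor, r.get("sourceIPAddress")))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(*f)
```

Every accessor tolerates a missing or null field, because `requestParameters` and `responseElements` are null for many read-only calls and `additionalEventData` is only present on some events; a detection that crashes on a benign record is a detection that gets switched off.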
86. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
Tom Soderstrom, CTO, NASA JPL
87. Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [cloud service
providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey,
doc #242836, September 2013
90. Thank You!
AWS EXPERT? GET CERTIFIED! aws.amazon.com/certification
Jean-Pierre Le Goaller, Principal Solutions Architect, @jplegoal
Editor’s Notes
Auditability, to us, is our way of having a conversation with a customer about the way we practice the art and science of security.
That conversation requires a common language. Just as we all speak different languages, many different languages are spoken in the audit world as well.
An audit process produces a series of artifacts. Those artifacts are the proof that we are doing what we say we are doing, and that proof is made available to the auditors, who act on behalf of our customers to examine what we do and how we do it.
All of the control objectives that appear in that list are items our auditors evaluate during the SOC 1 or SOC 2 audit process.
They come to our facilities and say: you have cameras at 67 different locations here; show me the view from camera 25 that shows locking door number one. We have to pull it up and show it to them. Then they say: OK, now I want to see the video recorded from that camera on June 24 from 9am to 10am, and we have to pull that up and show it to them as well, to demonstrate that we actually have the recordings we say we have and that we keep them for the amount of time we say we do.
AUDITABLE
Don’t trust me, trust the independent third-party auditors (Ernst & Young).
Let’s talk about private clouds…
Old-guard hardware and software companies like to talk about how easy it is to build something that resembles AWS inside a customer’s data center… of course this usually involves buying more hardware and more software…
The problem is that the reality of the customer experience is typically very different from the private cloud dream these companies are selling.
According to research from Forrester, the vast majority of customers are struggling mightily to build on-premises environments that deliver even the most basic core functionality that end users expect from clouds: self-service provisioning, automation, resource tracking and monitoring.
Why are companies trying to build private clouds in the first place? Let’s look at the functional requirements we hear most often in our conversations with customers.
They are looking for a private network, private compute, private storage, private management of their encryption keys, and governance functionality so that they can maintain the control they expect over resources.
The good news is that you can get all of this in the cloud with AWS.
Governance: fine-grained access control, auditability (CloudTrail), etc.
AWS has a wide range of data protection capabilities. With S3, encrypting all of your data is as easy as checking a box in the AWS Management Console. With EBS, you can use an encrypted file system of your choice to provide encrypted block storage for your EC2 instances.
For customers with requirements for single-tenant, isolated encryption key management, we offer a service called CloudHSM, which lets you generate, use and store encryption keys. AWS staff do not have access to these keys. The appliances are SafeNet Luna HSMs, independently validated devices.
For customers with regulatory requirements for single-tenant object or block storage, we offer the capability to connect their EC2 instances to dedicated storage arrays over a private, low-latency connection.
For customers who want a cloud with private compute capabilities, we offer a range of options to isolate their compute resources from other AWS customers.
For further isolation of your compute resources, you can logically isolate your instances in a private network using VPC.
For customers with regulatory or compliance requirements for single-tenant hardware, we have EC2 Dedicated Instances, which run on hardware dedicated to a single customer and so provide physical isolation.
For customers who want a cloud with private networking, we have VPC, which lets customers define their own private, isolated network, and with AWS Direct Connect customers can bypass the public Internet and connect to AWS through private, dedicated network connections.
AWS also gives you the ability to support enterprise governance requirements.
With our IAM service, we give customers fine-grained control over what employees can access and what they can do with those resources.
Our CloudTrail service logs API activity so that you can audit how employees use your AWS account.
And we give you full control over where your data is stored, so you can comply with data residency requirements.
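The page description above gives the concrete rule ("Tom is the only person who can access this data object, only from his corporate desktop on the corporate network, Monday-Friday 9-5, and only with MFA"), and the IAM note here is the mechanism. The following is an added example (not code from the deck or from AWS) that writes that rule as an S3 resource policy using IAM's global condition keys and adds a small evaluator showing how IAM combines them: every condition block must match, a missing context key does not match, and within one key any listed value may match. The bucket, account ID, user, corporate CIDR and hours are assumptions. One caveat the description glosses over: IAM has no day-of-week or recurring-schedule condition key; aws:CurrentTime compares against absolute timestamps, so the example shows a one-day window and the "Monday-Friday" part has to be enforced by something outside the policy.

```python
"""The access rule from the page description as an IAM policy, with a
small evaluator for IAM's condition logic. Added example, not from the
deck; every identifier, the CIDR and the time window are assumptions.
Only the operators used in POLICY are modelled; Deny statements,
wildcards and the *IfExists operators are not."""
import ipaddress
from datetime import datetime, timezone

POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TomOnlyFromCorpWithMfa",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/tom"},      # assumed
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/q1.pdf",                # assumed
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},            # assumed corp range
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            # aws:CurrentTime is absolute: this is 9-5 UTC on one day only.
            "DateGreaterThan": {"aws:CurrentTime": "2014-06-24T09:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2014-06-24T17:00:00Z"},
        },
    }],
}


def _iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def condition_matches(op, key, expected, ctx):
    """Evaluate one condition operator against the request context.
    A key absent from the context never matches (so a request made with
    long-term access keys, which carries no MFA flag, is denied)."""
    if key not in ctx:
        return False
    actual = ctx[key]
    values = expected if isinstance(expected, list) else [expected]
    if op == "IpAddress":                      # any listed CIDR may match
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    if op == "Bool":
        return str(actual).lower() in [str(v).lower() for v in values]
    if op == "DateGreaterThan":
        return all(_iso(actual) > _iso(v) for v in values)
    if op == "DateLessThan":
        return all(_iso(actual) < _iso(v) for v in values)
    raise ValueError("operator not modelled: " + op)


def is_allowed(policy, principal, action, resource, ctx):
    """Allow if some Allow statement names this principal, action and
    resource and every one of its condition blocks matches (blocks are ANDed)."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if (st["Principal"]["AWS"] != principal or st["Action"] != action
                or st["Resource"] != resource):
            continue
        if all(condition_matches(op, k, v, ctx)
               for op, block in st.get("Condition", {}).items()
               for k, v in block.items()):
            return True
    return False


if __name__ == "__main__":
    ctx = {"aws:SourceIp": "203.0.113.42", "aws:MultiFactorAuthPresent": "true",
           "aws:CurrentTime": "2014-06-24T10:30:00Z"}
    print(is_allowed(POLICY, "arn:aws:iam::111122223333:user/tom", "s3:GetObject",
                     "arn:aws:s3:::example-reports/q1.pdf", ctx))
```

The evaluator exists to make one behaviour visible: a request that simply lacks the MFA context key fails the Bool condition just as a request with the key set to false does, which is the property you rely on when the rule is "only with MFA".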