AWS Summit Berlin 2013 - Keynote Steve Schmidt

Keynote from the Berlin AWS Summit 2013



  1. Stephen Schmidt, VP Security Engineering, Chief Information Security Officer
  2. Cloud Security is:
     • Universal
     • Visible
     • Auditable
     • Transparent
     • Shared
     • Familiar
  3. Universal Cloud Security
     Every customer has access to the same security capabilities, and gets to choose what's right for their business:
     • Governments
     • Financial Sector
     • Pharmaceuticals
     • Entertainment
     • Start-Ups
     • Social Media
     • Home Users
     • Retail
  4. Visible Cloud Security
     AWS allows you to see your entire infrastructure at the click of a mouse. Can you map your current network?
     This? Or this? (image comparison)
  5. Auditable Cloud Security
     How do you know AWS is right for your business?
     - 3rd party audits
       • Independent auditors
     - Artifacts
       • Plans, policies and procedures
     - Logs
       • Obtained
       • Retained
       • Analyzed
  6. Transparent Cloud Security
     Choose the audit/certification that's right for you:
     • ISO 27001
     • SOC 1, SOC 2
     • FedRAMP
     • PCI
  7. Security & Compliance Control Objectives
     Control Objective 1: Security Organization
     • Who we are
     • Proper control & access within the organization
     Control Objective 2: Amazon User Access
     • How we vet our staff
     • Minimization of access
  8. Security & Compliance Control Objectives
     Control Objective 3: Logical Security
     • Our staff start with no systems access
     • Need-based access grants
     • Rigorous systems separation
     • Systems access grants regularly re-evaluated & automatically revoked
  9. Security & Compliance Control Objectives
     Control Objective 4: Secure Data Handling
     • Storage media destroyed before being permitted outside our datacenters
     • Media destruction consistent with US Dept. of Defense Directive 5220.22
     Control Objective 5: Physical Security and Environmental Safeguards
     • Keeping our facilities safe
     • Maintaining the physical operating parameters of our datacenters
  10. Security & Compliance Control Objectives
     Control Objective 6: Change Management
     • Continuous operation
     Control Objective 7: Data Integrity, Availability and Redundancy
     • Ensuring your data remains safe, intact & available
     Control Objective 8: Incident Handling
     • Processes & procedures for mitigating and managing potential issues
  11. Shared Responsibility
     • Let AWS do the heavy lifting
     • This is what we do – and we do it all the time
     • As the AWS customer you can focus on your business and not be distracted by the muck
     AWS:
     • Facilities
     • Physical Security
     • Physical Infrastructure
     • Network Infrastructure
     • Virtualization Infrastructure
     Customer:
     • Choice of Guest OS
     • Application Configuration Options
     • Account Management flexibility
     • Security Groups
     • Network ACLs
  12. Physical Security
     Distributed Regions – Multiple Availability Zones
     (map of Regions; only the label "Asia Pacific (Sydney)" survived extraction)
  13. Network Security
     • DDoS attacks defended at the border
     • Man-in-the-Middle attacks
     • SSL endpoints
     • IP spoofing prohibited
     • Port scanning prohibited
     • Packet sniffing prevented
  14. Amazon EC2 Security
     Host operating system
     • Individual SSH keyed logins via bastion host for AWS admins
     • All accesses logged and audited
     Guest operating system
     • Customer controlled at root level
     • AWS admins cannot log in
     • Customer-generated keypairs
     Stateful firewall
     • Mandatory inbound firewall, default deny mode
     Signed API calls
     • Require X.509 certificate or customer's secret AWS key
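The slide names signed API calls with the customer's secret AWS key but not the scheme. The example below is added for this page (it is not code from the keynote or from AWS) and implements the Query API Signature Version 2 scheme that EC2 used at the time: an HMAC-SHA256 over the HTTP method, the lower-cased Host header, the request path and the byte-sorted, RFC 3986-encoded parameters, with the verifying side recomputing the MAC from its own copy of the secret. The access key, secret, host, API version, Timestamp and key store are constructed placeholders; the X.509-certificate path (the SOAP API) is not shown.

```python
import base64
import hashlib
import hmac
import urllib.parse
from typing import Dict

# Constructed placeholder credentials (AWS's documented example values, not live keys).
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _rfc3986(value: str) -> str:
    # SigV2 percent-encodes everything except A-Z a-z 0-9 - _ . ~ ; a space is %20, never '+'.
    return urllib.parse.quote(value, safe="-_.~")


def canonical_query_string(params: Dict[str, str]) -> str:
    # Parameters sorted by byte order of their names, each name and value encoded.
    return "&".join(f"{_rfc3986(k)}={_rfc3986(v)}" for k, v in sorted(params.items()))


def string_to_sign(method: str, host: str, path: str, params: Dict[str, str]) -> str:
    # Method, lower-cased Host header, request URI and canonical query, newline separated.
    return "\n".join([method.upper(), host.lower(), path, canonical_query_string(params)])


def _signature(secret: str, sts: str) -> str:
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_request(method: str, host: str, path: str, params: Dict[str, str],
                 access_key_id: str, secret: str) -> Dict[str, str]:
    """Client side: add the identity and scheme parameters, then the signature.
    The secret itself never appears in the request; only the key id does."""
    signed = dict(params)
    signed["AWSAccessKeyId"] = access_key_id
    signed["SignatureMethod"] = "HmacSHA256"
    signed["SignatureVersion"] = "2"
    signed["Signature"] = _signature(secret, string_to_sign(method, host, path, signed))
    return signed


def verify_request(method: str, host: str, path: str, params: Dict[str, str],
                   lookup_secret) -> bool:
    """Server side: look up the secret for the presented key id, recompute the
    signature over every parameter except Signature, and compare in constant time."""
    presented = params.get("Signature")
    secret = lookup_secret(params.get("AWSAccessKeyId"))
    if presented is None or secret is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = _signature(secret, string_to_sign(method, host, path, unsigned))
    return hmac.compare_digest(expected, presented)


# Constructed key store for the verifying side (key id -> secret).
KEY_STORE = {ACCESS_KEY_ID: SECRET_ACCESS_KEY}

HOST, PATH = "ec2.eu-west-1.amazonaws.com", "/"
DESCRIBE = {
    "Action": "DescribeInstances",
    "Version": "2013-02-01",
    "Timestamp": "2013-04-25T10:00:00Z",   # signed, so the server can reject stale replays
}


def demo() -> Dict[str, bool]:
    signed = sign_request("GET", HOST, PATH, DESCRIBE, ACCESS_KEY_ID, SECRET_ACCESS_KEY)
    genuine = verify_request("GET", HOST, PATH, signed, KEY_STORE.get)

    # An attacker flips one parameter: the canonical string changes, so the MAC no longer matches.
    tampered = dict(signed, Action="TerminateInstances")
    forged = verify_request("GET", HOST, PATH, tampered, KEY_STORE.get)

    # The same signed parameters replayed against another endpoint fail too,
    # because the Host header is part of the string to sign.
    wrong_host = verify_request("GET", "ec2.us-east-1.amazonaws.com", PATH, signed, KEY_STORE.get)
    return {"genuine": genuine, "tampered": forged, "wrong_host": wrong_host}


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'tampered': False, 'wrong_host': False}
```

Two caveats a practitioner should keep in mind: the signature only proves possession of the secret and binds the parameters, so replay protection comes from the signed Timestamp (or Expires) parameter, which the real service checks against a 15-minute window and this example does not; and because the signature covers the canonical encoding, any client that encodes a space as '+' or leaves ':' unencoded will produce a MAC the service rejects.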
  15. Amazon Virtual Private Cloud (VPC)
     • Create a logically isolated environment in Amazon's highly scalable infrastructure
     • Specify your private IP address range and divide it into one or more public or private subnets
     • Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
     • Protect your instances with stateful filters for inbound and outbound traffic using Security Groups
     • Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect
  16. Amazon VPC - Dedicated Instances
     • Option to ensure physical hosts are not shared with other customers
     • $10/hr flat fee per Region + small hourly charge
     • Can identify specific instances as dedicated
     • Optionally configure entire VPC as dedicated
  17. Customer Challenge: Encryption
     Some customers must follow specific encryption key management procedures that were not previously possible on AWS
     • Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls
     • Good key management is critical
     Customers want to run applications and store data in AWS but previously had to retain keys in HSMs in on-premises datacenters
     • Applications may slow down due to network latency
     • Requires several DCs to provide high availability, disaster recovery and durability of keys
  18. AWS Data Protection Solutions
     • AWS offers several data protection mechanisms including access control, encryption, etc.
     • AWS CloudHSM complements existing AWS data protection and encryption solutions
     • With AWS CloudHSM customers can:
       • Encrypt data inside AWS
       • Store keys in AWS within a Hardware Security Module
       • Decide how to encrypt data – the AWS CloudHSM implements cryptographic functions and key storage for customer applications
       • Use third party validated hardware for key storage
  19. HSM – Hardware Security Module
     • A hardware device that performs cryptographic operations and key storage
     • Used for strong protection of private keys
     • Tamper resistant – keys are protected physically and logically
       – If a tampering attempt is detected, the appliance destroys the keys
     • Device administration and security administration are logically separate
       – Physical control of the appliance does not grant access to the keys
     • Certified by 3rd parties to comply with government standards for physical and logical security:
       – FIPS 140-2
       – Common Criteria EAL4+
     • Example vendors include: SafeNet, Thales
     • Historically located in on-premises datacenters
  20. What is AWS CloudHSM?
     • Customers receive dedicated access to HSM appliances
     • HSMs are physically located in AWS datacenters – in close network proximity to Amazon EC2 instances
     • Physically managed and monitored by AWS, but customers control their own keys
     • HSMs are inside the customer's VPC – dedicated to the customer and isolated from the rest of the network
  21. AWS CloudHSM Service Highlights
     • Secure Key Storage – customers retain control of their own keys and cryptographic operations on the HSM
     • Contractual and Regulatory Compliance – helps customers comply with the most stringent regulatory and contractual requirements for key protection
     • Reliable and Durable Key Storage – AWS CloudHSMs are located in multiple Availability Zones and Regions to help customers build highly available applications that require secure key storage
     • Simple and Secure Connectivity – AWS CloudHSMs are in the customer's VPC
     • Better Application Performance – reduce network latency and increase the performance of AWS applications that use HSMs
  22. Customer use cases
     • Large Silicon Valley company: video DRM
     • Start-up document rights management service: enterprise document protection
     • Amazon Web Services: root of trust for Public Key Infrastructure (PKI) authentication system
     • Very large financial services organization: root of trust for key management system for virtual machine authentication & encryption
  23. Key Storage & Secure Operations for AWS
     (Diagram: inside AWS, an Amazon Virtual Private Cloud containing an AWS CloudHSM and an Amazon VPC instance that runs the Application and the HSM Client, connected to the HSM over SSL. Callouts A–E:)
     A. AWS manages the HSM appliance but does not have access to customers' keys
     B. Customers control and manage their own keys
     C. Application performance improves (due to close network proximity with AWS workloads)
     D. Secure key storage in tamper-resistant/tamper-evident hardware available in multiple regions and AZs
     E. CloudHSMs are in the customer's VPC and isolated from other AWS networks
  24. On-Premises Integration with AWS CloudHSM
     (Diagram: an Amazon Virtual Private Cloud with an AWS CloudHSM and an Amazon VPC instance (Application + HSM Client, SSL), linked to an HSM in the Corporate Datacenter over a VPN across the Internet and/or AWS Direct Connect. Callouts:)
     • Customers' applications continue to use standard crypto APIs (PKCS#11, MS CAPI, JCA/JCE, etc.)
     • SafeNet HSM client replaces existing crypto service provider libraries and connects to the HSM to implement API calls in hardware
     • SafeNet HSM client can share load and store keys redundantly across multiple HSMs
     • Key material is securely replicated to HSM(s) in the customer's datacenter
  25. AWS Deployment Models
     Isolation properties: (1) Logical server and application isolation, (2) Granular information access policy, (3) Logical network isolation, (4) Physical server isolation, (5) Government-only physical network and facility isolation, (6) ITAR compliant (US persons only)

     Model                       | (1) | (2) | (3) | (4) | (5) | (6) | Sample workloads
     ----------------------------|-----|-----|-----|-----|-----|-----|----------------------------------------------------------------------
     Commercial Cloud            |  ✓  |  ✓  |     |     |     |     | Public facing apps, web sites, dev/test etc.
     Virtual Private Cloud (VPC) |  ✓  |  ✓  |  ✓  |  ✓  |     |     | Data center extension, TIC environment, email, FISMA Low and Moderate
     AWS GovCloud (US)           |  ✓  |  ✓  |  ✓  |  ✓  |  ✓  |  ✓  | US Persons compliant and government-specific apps
  26. AWS Security Resources
     • Security Whitepaper
     • Risk and Compliance Whitepaper
     • Regularly updated
     • Feedback is welcome
  27. Thank you.
  28. Sponsors: Gold Sponsor, Silver Sponsors, Bronze Sponsors (logos not extracted)