The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the security programs, procedures and best practices you can use to enhance your current security posture.
Move Away From the Worry-Based Fiction of the Cloud - AWS Washington D.C. Symposium 2014
1. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
AWS Security Assurance: DoD Community
Chris Gile, cgile@amazon.com
Bill Murray, awsbill@amazon.com
2. Security in the Cloud
Bill Murray, Sr. Manager, AWS Security Programs
3. Different Customer Viewpoints on Security
Public Affairs: keep out of the news
Leader: protect shareholder value
CIO/CISO: preserve the confidentiality, integrity and availability of data
4. Security Is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
People & Procedures
Network Security
Physical Security
Platform Security
5. SECURITY IS SHARED
6. WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
7. WHAT WE DO FOR YOU
WHAT YOU DO YOURSELF
8. EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES
CHOOSE WHAT’S RIGHT FOR YOUR ENTERPRISE
9. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”
Tom Soderstrom – CTO, NASA JPL
10. AWS SECURITY OFFERS MORE: VISIBILITY, AUDITABILITY, CONTROL
11. MORE VISIBILITY
12. CAN YOU MAP YOUR NETWORK? WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
19. AWS CLOUDTRAIL
20. You are making API calls on a growing set of services around the world; CloudTrail is continuously recording those API calls and delivering log files to you.
21. Security Analysis
Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track Changes to AWS Resources
Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational Issues
Quickly identify the most recent changes made to resources in your environment.
Compliance Aid
Easier to demonstrate compliance with internal policies and regulatory standards.
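As an added example that is not part of the deck, the rules below run over a handful of CloudTrail-shaped records to show what the "security analysis" and "track changes" uses look like in practice: a call made as root, an attempt to stop the trail, a security group opened to the whole internet, and repeated console login failures. The records follow CloudTrail's JSON record layout (eventTime, eventSource, eventName, userIdentity, requestParameters, responseElements); the account ID, ARNs, security group ID and IP addresses are constructed placeholders.

```python
"""Detection rules run over CloudTrail log records.

Added example, not code from the AWS deck. SAMPLE_LOG is constructed to
follow the CloudTrail record layout; the account ID, ARNs, security group
ID and IP addresses are placeholders.
"""
import ipaddress
import json
from collections import Counter

TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
LOGIN_FAILURE_THRESHOLD = 3

ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}


def _record(event_name, event_source, identity, source_ip="203.0.113.5", **extra):
    """Build one CloudTrail-shaped record for the constructed sample."""
    rec = {"eventVersion": "1.02", "eventTime": "2014-06-24T14:00:00Z",
           "eventSource": event_source, "eventName": event_name, "awsRegion": "us-east-1",
           "userIdentity": identity, "sourceIPAddress": source_ip}
    rec.update(extra)
    return rec


def _ingress(group_id, cidr, port):
    """requestParameters of an EC2 AuthorizeSecurityGroupIngress call (nested 'items' lists)."""
    return {"groupId": group_id,
            "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": port, "toPort": port,
                                         "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}


SAMPLE_LOG = json.dumps({"Records": [
    _record("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", ALICE,
            requestParameters=_ingress("sg-0a1b2c3d", "0.0.0.0/0", 22)),
    _record("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", ALICE,
            requestParameters=_ingress("sg-0a1b2c3d", "10.0.0.0/8", 5432)),
    _record("RunInstances", "ec2.amazonaws.com", ROOT),
    _record("StopLogging", "cloudtrail.amazonaws.com", ALICE,
            requestParameters={"name": "management-events"}),
] + [
    _record("ConsoleLogin", "signin.amazonaws.com", {"type": "IAMUser", "userName": "admin"},
            source_ip="198.51.100.7", responseElements={"ConsoleLogin": "Failure"},
            errorMessage="Failed authentication")
    for _ in range(3)
] + [
    _record("ConsoleLogin", "signin.amazonaws.com", ALICE,
            responseElements={"ConsoleLogin": "Success"}),
]})


def _ip_ranges(request_params):
    """Yield (fromPort, toPort, cidrIp) triples from an ingress request."""
    for perm in (request_params or {}).get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            yield perm.get("fromPort"), perm.get("toPort"), rng.get("cidrIp")


def analyze(log_text):
    """Return (rule, eventTime, actor, detail) for every record that trips a rule."""
    alerts = []
    failed_logins = Counter()
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        actor = ident.get("arn") or ident.get("userName") or "unknown"
        name, source, when = rec.get("eventName"), rec.get("eventSource"), rec.get("eventTime")

        # Rule 1: any call made as the account root identity (day-to-day work belongs in IAM).
        if ident.get("type") == "Root":
            alerts.append(("root_activity", when, actor, name))

        # Rule 2: someone switching off or altering the trail that produces these logs.
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            alerts.append(("trail_tampering", when, actor, name))

        # Rule 3: a security group rule opened to the whole internet (a /0 prefix).
        if name == "AuthorizeSecurityGroupIngress":
            for lo, hi, cidr in _ip_ranges(rec.get("requestParameters")):
                if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    group = rec["requestParameters"].get("groupId")
                    alerts.append(("world_open_ingress", when, actor, f"{group} tcp {lo}-{hi}"))

        # Rule 4: repeated console login failures from one source address.
        if name == "ConsoleLogin" and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            ip = rec.get("sourceIPAddress")
            failed_logins[ip] += 1
            if failed_logins[ip] == LOGIN_FAILURE_THRESHOLD:
                alerts.append(("console_login_bruteforce", when, ip, f"{failed_logins[ip]} failures"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The same rules apply unchanged to real trail files: CloudTrail delivers gzipped JSON objects with a top-level `Records` list, so `analyze()` can be fed the decompressed contents of each delivered file. The `10.0.0.0/8` ingress deliberately produces no alert, which is the point of checking the prefix length rather than string-matching `0.0.0.0/0`.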
22. LOGS OBTAINED, RETAINED, ANALYZED
23. MORE CONTROL
24. Defense in Depth
Multi-level security
• Physical security of the data centers
• Network security
• System security
• Data security
25. AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs:
• Defense in depth
• Rapid scale for security
• Automated checks with AWS Trusted Advisor
• Fine-grained access controls
• Server-side encryption
• Multi-factor authentication
• Dedicated instances
• Direct connection, Storage Gateway
• HSM-based key storage
Services shown: AWS CloudHSM, AWS IAM, Amazon VPC, AWS Direct Connect, AWS Storage Gateway
26. LEAST PRIVILEGE PRINCIPLE AT AWS
27. LEAST PRIVILEGE PRINCIPLE
CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK
28. LEAST PRIVILEGE PRINCIPLE
SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA
29. LEAST PRIVILEGE PRINCIPLE
MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATA CENTER LOCATIONS
30. LEAST PRIVILEGE PRINCIPLE
MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATA CENTERS
31. SIMPLE SECURITY CONTROLS ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE
40. USE MULTIPLE AZs
AMAZON S3
AMAZON DYNAMODB
AMAZON RDS MULTI-AZ
AMAZON EBS SNAPSHOTS
41. DATA ENCRYPTION
CHOOSE WHAT’S RIGHT FOR YOU:
Automated – AWS manages the encryption for you
Enabled – you manage encryption using AWS-provided features
Client-side – you encrypt before sending data to AWS, using your own means and keys
42. AWS CloudHSM
Managed and monitored by AWS, but you control the keys
Increase performance for applications that use HSMs for key storage or encryption
Comply with stringent regulatory and contractual requirements for key protection
[Diagram: an EC2 instance connected to AWS CloudHSM appliances]
43. ENCRYPT YOUR DATA
AWS CLOUDHSM
AMAZON S3 SSE
AMAZON GLACIER
AMAZON REDSHIFT
AMAZON RDS
44. MORE AUDITABILITY
MORE VISIBILITY
MORE CONTROL
45. IDC Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [Cloud Service Providers]
provide better security than their own IT organization
Source: IDC 2013 U.S. Cloud Security Survey
Doc #242836, September 2013
46. aws.amazon.com/security
47. AWS Security Whitepapers
Risk & Compliance
Auditing Security Checklist
Security Processes
Security Best Practices
48. AWS Security Assurance: DoD Community
Chris Gile
49. DoD Cloud Security Model (CSM) - ATO Process
Cloud Service Providers (CSP): 100’s of providers, a mix of IaaS, PaaS and SaaS (initial focus on IaaS)
FedRAMP Authority to Operate: 15 FedRAMP compliant CSPs (10 IaaS, 3 PaaS, 2 SaaS) [1]
DoD Cloud Security Model (administered via DISA), with increasing security and operating requirements by level:
- CSM ATO Levels 1-2 (Public): 3 provisional authorizations granted [1]
- CSM ATO Levels 3-5 (NIPR): 0 provisional authorizations granted [2]
- CSM ATO Level 6 (SIPR)
System-specific ATO: granted by the DoD DAA (John Doe). The DoD provisionally authorized commercial CSP offering is eligible to be included in the Enterprise Cloud Service Catalog.
1 Source: http://www.gsa.gov/portal/content/131931
2 Provisional ATO granted as of 2/15/2014
50. Shared Security Responsibility
• AWS & Customers both have security/compliance obligations
• Logical assessment & accreditation boundaries
• How are our ATOs consumed? – Agencies & Partners
Managed by AWS – Compliance of the Cloud: Cloud Service Provider Controls (cross-service controls and service-specific controls)
Managed by Customer – Compliance in the Cloud: Optimized Network/OS/App Controls
51. AWS Availability Zone (AZ) View
Sample US Region with Availability Zones A, B and C (diagram label: ~ DoD Data Center)
- Multiple isolated locations within a Region
- Availability Zone = 1 or more “data center”
- Independent failure zone
- Physically separated
- On separate low-risk flood plains
- Discrete UPS
- Onsite backup generation facilities
- Fed from different segments of utility provider
- Redundantly connected to multiple tier-1 ISPs
- No “Disaster Recovery Datacenter”
- Built for continuous availability
- Customer decides Availability Zone for compute
52. AWS FedRAMP Program
• AWS has two Agency ATOs granted by HHS; assessment reviewed by HHS, FDA, CDC, and NIH covering:
– All AWS US Regions (US East/West, & GovCloud (US))
– EC2, S3, EBS, VPC, IAM
– New: Amazon Redshift (US East/West only)
• Assessed against all FedRAMP-Moderate controls (298)
• Agency ATO packages have reciprocity with federal agencies
• AWS will directly field FedRAMP package requests from all customers, though agencies can still request the AWS FedRAMP package from the FedRAMP PMO if desired
– AWS provides customers a FedRAMP SSP Template, an inherited/shared control matrix, as well as the FedRAMP package
• AWS Security Assurance supports the lifecycle of customer engagements with supporting personnel and resources
cloud.cio.gov/fedramp/amazon
53. AWS DoD CSM Program
• 2/6/14 Provisional Authorization for Levels 1-2
• DISA managed Cloud Security Model (CSM)
• 68 additional control enhancements overlaid on FedRAMP Moderate
• Partners have achieved MAC II Sensitive DIACAP ATOs
54. Building Solutions on AWS
• Partners & Agencies can leverage FedRAMP compliant AWS
• AWS’ FedRAMP package covers AWS infrastructure and underlying management of services
• Partner’s FedRAMP package includes the inherited controls; the shared-controls documentation covers the partner’s application/service built on AWS
• To support partners we can provide:
– Partner FedRAMP package: ATO Letters, CIS spreadsheet, FIPS 199, etc.
– SSP Template: pre-populated with inherited control language, guidance on completing shared controls
– ATO Letters as stand-alone documents
– Support: Security Solutions Architects, Security Assurance Architects, Professional Services
55. AWS Documentation Support
• AWS Package is specific to the AWS Infrastructure
• Partner’s Package is specific to the Partner’s Application or managed services
• Inherited vs. Shared Controls
56. Certifications & Compliance
• AWS Environment
– SOC 1/2/3
– ISO 27001 Certification
– Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
– FedRAMP (up to Moderate)
– AWS GovCloud (US) – ITAR compliant region
• Customers have deployed various compliant applications
– Sarbanes-Oxley (SOX)
– HIPAA (healthcare)
– FISMA/FedRAMP (US Federal Government)
– DIACAP – up to MAC II Sensitive
– International Traffic in Arms Regulations (ITAR)
57. Customer Resources
• Whitepapers
– Risk & Compliance Whitepaper
– Overview of Security Processes
– “Security at Scale” series
• Governance in AWS
• Logging in AWS
• Template
– FedRAMP SSP Template
• Workbooks
– FISMA-High
– CJIS
58. Other Compliance Programs
• FISMA-High Handbook
– Workbook available for partners under NDA
– 84 additional control enhancements [21 inherited, 54 shared, 9 customer]
• CJIS Handbook
– Available under NDA
– 121 security requirements; 10 inherited, 87 shared, and 24 customer-responsible requirements
• Both are partner-based approaches to build a portfolio of authorizations
59. AWS Compliance & Security Centers
• Answers to many security and compliance questions
• Security whitepaper
• Risk and Compliance whitepaper
• Overview of Security Processes whitepaper
• “Security at Scale” whitepaper series
• Security bulletins
• Customer penetration testing requests
• Security best practices
• Request more information by contacting us
aws.amazon.com/security
aws.amazon.com/compliance
60. Additional AWS Security & Compliance References
• https://aws.amazon.com/security
• https://aws.amazon.com/compliance
• https://aws.amazon.com/compliance/#whitepapers
• https://aws.amazon.com/compliance/fedramp-faqs
• https://aws.amazon.com/govcloud-us
• https://aws.amazon.com/documentation
• https://aws.amazon.com/iam
awscompliance@amazon.com
61. Thank You
Chris Gile, cgile@amazon.com
Bill Murray, awsbill@amazon.com
Editor’s notes
This circle represents all the security-related activities that you have to do to protect your system and make sure it is compliant with the regulations applicable to your business.
Being able to focus on your business is one of AWS’s core value propositions. It also applies to AWS security.
On AWS, a small developer has the same security as a big company. There is no price change for security.
You get the same access to security.
Financial sector
Pharmaceuticals
Entertainment
Start-ups
Social media
Home users
Retail
We give you the tools to do the same:
Use IAM (otherwise it’s like logging in as root)
…Each user can have a specific policy which defines what she can do with AWS. You can pick a policy from the list of predefined ones we offer…