Availability of cloud computing is helping Financial Services organizations realize accelerated go-to-market speeds, global scalability, and cost efficiencies. This new world forces considerations for security programs – what is different in the cloud and what do I do differently? AWS Security Architects will share protocols that need to be considered in the cloud, on premises, or in a hybrid model. They will also share best practices, lessons learned, efficiencies, and design patterns and architectures unique to cloud.

1. An Evolving Security Landscape
Security Patterns in the Cloud
Bill Shinn – AWS Principal Security Solutions Architect

2. Cloud focuses on differentiation

3. Global Industry Observations
Regulatory compliance
continues to drive expense
A desire for increased wallet share
is driving a focus on innovation
Increasing amounts of data,
finite resources for analytics
Digitization and disruptive technology
are accelerating transformation

4. Move from risk-laden
up-front expense to
flexible variable expense
Stop guessing
at capacity planning
Go global in
minutes
Reasons Cloud Computing is Gaining Traction in FinServ
Remove complicated infrastructure
management that adds little
business value

5. Reasons Cloud Computing is Gaining Traction in FinServ
Lower the time spent
on infrastructure
Dedicate more
resources to
innovation
Concentrate on
new business
initiatives

6. What is Amazon Web Services?

7. Administration
& Security
Access
Control
Identity
Management
Key Management
& Storage
Monitoring
& Logs
Resource &
Usage Auditing
Platform
Services
Analytics App Services Developer Tools & Operations Mobile Services
Data
Pipelines
Data
Warehouse
Hadoop
Real-time
Streaming Data
Application
Lifecycle
Management
Containers
Deployment
DevOps
Event-driven
Computing
Resource
Templates
Identity
Mobile
Analytics
Push
Notifications
Sync
App
Streaming
Email
Queuing &
Notifications
Search
Transcoding
Workflow
Core
Services
CDN
Compute
(VMs, Auto-scaling, and
Load Balancing)
Databases
(Relational, NoSQL, and
Caching)
Networking
(VPC, DX, and DNS)
Storage
(Object, Block, EFS,
and Archival)
Infrastructure
Availability
Zones
Points of
Presence
Regions
Enterprise
Applications
Business
Email
Sharing &
Collaboration
Virtual
Desktop
Technical &
Business Support
Account
Management
Partner
Ecosystem
Professional
Services
Security &
Pricing Reports
Solutions
Architects
Support
Training &
Certification
Machine
Learning
What is Amazon Web Services?

8. Global Footprint
12 (10 Public, China Region and
GovCloud Region)
2016 – Canada, Ohio, India, UK and
another China Region
32 Availability zones (adding 11 more in
2016 across new Regions)
55+ Edge locations
Over 1 million active customers across
190 countries
900+ Government Agencies & 3,400+
Educational Institutions
1,000+ Financial Services Organizations
Everyday, AWS adds enough new server capacity to support Amazon.com
when it was a $7 billion global enterprise.
Region
Edge location

9. Leveraged by Financial Services Institutions & Enterprises
Worldwide

10. Cloud Security – What’s different &
what’s the same?

11. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer content
Customers
Security is a shared responsibility
Customers are
responsible for
their security IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

12. Accreditation & Compliance, Old and New
Old world
• Functionally optional (you can build a
secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Must maintain talent and keep pace
• Check typically once a year
• Workload-specific compliance checks
New world
• Functionally necessary – high watermark
of requirements
• Audits done by third party experts
• Accountable to everyone
• Superior security drives broad
compliance
• Continuous monitoring
• Compliance approach based on all
workload scenarios

13. OR
Move
Fast
Stay
Secure

14. AND
Move
Fast
Stay
Secure

15. Making life easier
Choosing security does not mean giving up
on convenience or introducing complexity

16. Strengthen your security posture
Get native functionality and tools
at no additional charge
Over 30 global compliance
certifications and accreditations
Leverage security enhancements gleaned
from 1M+ customer experiences
Benefit from AWS industry leading
security teams 24/7, 365 days a year
Security infrastructure built to
satisfy military, global banks, and other
high-sensitivity organizations

17. Access a deep set of cloud security tools
Encryption
Key
Management
Service
CloudHSM Server-side
Encryption
Networking
Virtual
Private
Cloud
Web
Application
Firewall
Compliance
ConfigCloudTrailService
Catalog
Identity
IAM Active
Directory
Integration
SAML
Federation

18. AWS Accreditations and Security Assurance Programs
ISO 9001
SOC 3
SOC 2
ISO 27001
ISO 27017
PCI DSS Level 1ISO 27018
SOC 1 / ISAE 3402
GxPHIPAA
ITAR
FERPA
FISMA, RMF, and DIACAP
FedRAMP
Section 508 / VPAT
DoD SRG Levels 2 & 4
FIPS 140-2
CJIS
Cloud Security Alliance
MPAA
NIST
MLPS Level 3
G-Cloud
IT-Grundschutz
MTCS Tier 3
IRAP Cyber Essentials Plus

19. Evolving the Practice of Security Architecture
Security architecture as a seperate function can no longer
exist
Static position papers,
architecture diagrams &
documents
UI-dependent consoles and
“pane of glass” technologies
Auditing, assurance, and
compliance are decoupled,
separate processes
Current Security
Architecture
Practice

20. Evolving the Practice of Security Architecture
Security architecture can now be part of the ‘maker’ team
Architecture artifacts
(design choices, narrative,
etc.) committed to common
repositories
Complete solutions account
for automation
Solution architectures are
living audit/compliance
artifacts and evidence in a
closed loop
Evolved Security
Architecture
Practice

21. Cloud Security – Design Patterns

22. Non-Persistent Platforms
Auto-scaling groups will ensure that
capacity is predictable while you rotate
out portions of the environment. You can
also swap out the base AMI In an auto-
scaling launch configuration with a freshly
patched one, then progressively kill off
stale instances.
Changing the paradigm of what a target
or attack surface looks like. Automation
around Amazon Machine Image creation
and bootstrapping with tools like AWS
OpsWorks, Amazon Elastic Beanstalk,
Chef or Puppet means you can constantly
lay down a moving target.
Amazon Auto-scaling
Groups
AWS Elastic
Compute Cloud
+

23. Agile Network Architecture
Update and change private network
addressing, subnets, route tables and
administrative control of network
functions to move systems and
applications in response to vulnerabilities,
regulatory changes, project partnerships,
etc.
Use named security groups to logically
control access between systems of like
trust or based on data classification.
Security attributes of system move with
the system independent of network
location. Relocate systems via API call to
address changing threat environment.
Security
Groups
Amazon VPC
+

24. Standardized Environments & Change Detection
Interrogate and describe entire
environment with Java, Python, .NET,
Ruby, PHP or nodeJS SDKs. Detect
change in standardized environment
programmatically and integrate with
existing asset and SIEM workflows.
AWS SDKs
Use CloudFormation to create an
environment that mirrors your security
standards. One API call results in
hardened AMIs with base security
controls installed, predictable firewall and
network configuration, and appropriately
defined access and roles.
+
AWS
CloudFormation

25. Managing Change at Scale
Use built-in or custom rules to respond to
changes in configuration.
Config tracks all changes to core
infrastructure in a time-series view and
reflects the relationships impacted by
each change.
AWS Config RulesAWS Config
+

26. Consolidated API Logging
Log archival solution for life-cycle
management.
CloudTrail provides increased visibility
into your user activity by recording AWS
API calls. Integration with Amazon SNS
and ecosystem partners facilitates
analytics.
Provides logging up and down the stack
in one place (storage, networking,
instances, identity).
Amazon S3 + Glacier
+
AWS CloudTrail &
CloudWatch Events

27. Instance Identity
Security token service generates unique
credentials and constantly rotates an
additional token.
Identity and Access Management roles
for EC2 instances provide entitlements to
the instance itself. Credentials are
presented through a RESTful meta-data
service accessible only on the local host.
Credentials can be leveraged by apps
that need to call AWS APIs, retrieve data
from S3, etc. Native integration with
SDKs and CLI tools.
Security Token Service
+
Identity
Management