Security & Compliance (Part 2)
•
3 likes•541 views
Here is the second part of the Security and Compliance Best Practices
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Security & Compliance (Part 2)
Similar to Security & Compliance (Part 2) (20)
More from Amazon Web Services
More from Amazon Web Services (20)
Recently uploaded
Recently uploaded (20)
Security & Compliance (Part 2)
- 1. danilop@amazon.com @danilop Danilo Poccia — Technical Evangelist Security Best Practices
- 2. Evolution “Cloud will account for 92 percent of data center traffic by 2020” - Global Cloud Index (GCI) Forecast
- 3. Confidentiality – only authorized users can access data Integrity – data can’t be changed without detection Availability – data is accessible when needed Goals for secure application design
- 4. • Access control on systems and/or data itself • Principal, Action, Resource, Condition • Encryption • Renders data inaccessible without a key • Authenticated encryption protects data from modification • Easier to tightly control access to a key than the data • Independent controls for keys and data Confidentiality
- 5. • Physical integrity • Replicate across independent systems • Mitigates risk of data corruption or code errors • Logical integrity • Checksum • Message authentication code (MAC) • Digital signature Integrity
- 6. • Ability to access ANY copy of the data • How much time can your users live with zero access? • Latency of access to primary copy of the data • How much time can your users wait for normal access? Availability
- 7. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer content Customers Security is a shared responsibility Customers are responsible for their security IN the Cloud AWS is responsible for the security OF the Cloud
- 8. Customers choose where to place their data AWS regions are geographically isolated by design Data is not replicated to other AWS regions and doesn’t move unless the customer tell us to do so Customers always own their data, the ability to encrypt it, move it, and delete it DATA OWNERSHIP
- 10. Our Audit and Certification Approach 70+ services 7,710 Audit Artifacts 2,670 Controls 3,030 Audit Requirements
- 11. COMPLIANCE – AWS ARTIFACT AWS Artifact provides customers with an easier process to obtain AWS compliance reports (SOC, PCI, ISO) with self- service, on-demand access via the console AWS Artifact
- 12. SOLUTIONS IN AWS MARKETPLACE INFRASTRUCTURE SECURITY LOGGING & MONITORING CONFIGURATION & VULNERABILITY ANALYSIS DATA PROTECTION aws.amazon.com/mp/security IDENTITY & ACCESS MANAGEMENT Deep Security-as-a-Service VM-Series Next- Generation Firewall Bundle 2 vSEC Web Application Firewall Unified Threat Management 9 FortiGate-VM SecureSphere WAF CloudInsight Security Platform (ESP) for AWS SecOps Log Management & Analytics Enterprise Cost & Security Management DataControl Transparent Encryption for AWS SafeNet ProtectV Identity & Access Management or AWS Security Manager OneLogin for AWS Identity Management for the Cloud ▪ One-click launch ▪ Ready-to-run on AWS ▪ Pay only for what you use
- 13. MAKING COMPLIANCE EASIER AWS SOLUTION: AMAZON S3 DATA EVENTS AVAILABLE IN CLOUDTRAIL AND CLOUDWATCH EVENTS Amazon S3 AWS Lambda Amazon CloudWatch AWS CloudTrail
- 14. Apply the security principles of “least privilege” and “segregation of responsibilities” AWS SOLUTION: AWS IDENTITY AND ACCESS MANAGEMENT
- 15. AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016 • AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations • IAM console now helps prevent you from accidentally deleting in-use resources
- 16. AWS IDENTITY AND ACCESS MANAGEMENT FEATURES ADDED IN 2016 • Administrator • Billing • Database Administrator • Data Scientist • Developer Power User • Network Administrator • System Administrator • Security Auditor • Support User • View-Only User • AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations
- 17. SECURITY ASSESSMENT TOOL ANALYZING END TO END APPLICATION CONFIGURATION AND ACTIVITY AMAZON INSPECTOR
- 18. Configuration Scanning Engine Activity Monitoring Built-in Content Library Automatable via API Fully Auditable AWS SOLUTION: AMAZON INSPECTOR Improved security posture Increased agility Embedded expertise Streamlined compliance AMAZON INSPECTOR BENEFITS
- 19. AWS KEY MANAGEMENT SERVICE CONTROL YOUR ENCRYPTION KEYS
- 20. AWS SOLUTION: KEY MANAGEMENT SERVICE Decide on an encryption key management strategy Manage and use keys in AWS Key Management Service (AWS KMS) Use service-provided built-in key management Use your own key management system Manage and use keys in AWS CloudHSM
- 21. • Bring your own keys to AWS Key Management Service using the KMS import key feature • AWS encryption SDK KEY MANAGEMENT SERVICE Features added in 2016
- 22. AWS ORGANIZATIONS MANAGE ACCOUNTS AND POLICIES
- 23. AWS Organizations Programmatic creation of new AWS accounts • New AWS accounts can only be created from the master account • As part of the creation process you can configure - Email address (required) - Account name (required) - IAM role name (required - default name is OrganizationAccountAccessRole) • Trust policy configured for AssumeRole access from master account • Permissions configured with FULL CONTROL - IAM user access to billing (optional) Note! IAM users still need permissions • New AWS account - Automatically part of your organization - Cannot be removed from the organization 77
- 24. AWS Organizations Invite existing AWS accounts to an organization • Invitation can only be initiated from master account • Invited AWS account can accept or decline invitation - Default action is DECLINE - Can be controlled with IAM permissions • When invitation is accepted - AWS account becomes member of your organization - Applicable OCPs automatically applied 78
- 25. AWS Organizations Logically group AWS accounts • Group AWS accounts into organizational units (OUs) for management convenience • AWS account can be member of multiple OUs • Only AWS accounts can be member of an OU 79
- 26. AWS Organizations Example A6 Development Test Production A8A1 A5 A4A3 A2 A9 A7 Security 80
- 27. AWS Organizations Apply Organizational Control Policies (OCP) • Describes controls to be applied • Different use cases have different types of OCPs • OCPs can be attached to - Organization - OUs - AWS account • OCPs are inherited up the hierarchy (AWS account, OU, organization) 81
- 28. AWS Organizations Example A6 Development Test Production A8A1 A5 A4A3 A2 A9 A7 Security 82
- 29. AWS Organizations OCP supported in V1: Service Control Policies (SCPs) • Enables you to control which AWS service APIs are accessible - Define the list of APIs that are allowed – whitelisting - Define the list of APIs that must be blocked – blacklisting • Cannot be overridden by local administrator • Necessary but not sufficient • Resultant permission on IAM user/role is intersection between SCP and assigned IAM permissions • IAM policy simulator is SCP aware 83
- 30. AWS Organizations Simplified billing • Single payer for all AWS accounts • All AWS usage across AWS accounts in your organization rolled up for volume pricing and billing • All existing Consolidated Billing families will be migrated to an organization in billing mode 84
- 31. THE CASE FOR CHANGE SECURITY AS CODE
- 32. The case for change • DevOps, Agile, and Scrum on the rise… • Workload migrations to software defined environments… • Mass adoption of the public cloud… • Talent migration to progressive cloud companies… • Startups have game-changing tech at their disposal… • Competitive landscape is becoming fierce… • The perimeter is no longer an option… • Security, now more than ever, is an arms race…
- 33. The DevSecOps mindset • Customer focus • Open and transparent • Iteration over perfection • Hunting over reaction • Hmmm → Wait a minute, this sounds like a manifesto… insert shameless plug here: http://www.devsecops.org
- 34. Where to start? • Pontificate? • Checklists? • 1-pagers? 6-pagers? Documents? Page 3 of 433 Security as code
- 35. Security as code is easy with AWS AWS provides all the APIs! • Programmatically test environments • Determine state of environment at a specific point in time • Repeatable processes • Scalable operations
- 36. How can we learn DevSecOps? Security as Code? Security as Operations? Compliance Operations? Science? Experiment: Automate Policy Governance Experiment: Detection via Security Operations Experiment: Compliance via DevSecOps Toolkit Experiment: Science via Profiling DevOps + Security Start Here? DevOps + DevSecOps
- 37. Ready to build your DevSecOps platform? insights security sciencesecurity tools & data AWS accounts S3 Glacier EC2 CloudTrail ingestion threat intel Anot pres be d
- 38. Evolution Today's "cloud-first" strategy is already moving toward "cloud-only" - IDC, “Industry Predictions for 2017”
- 39. • https://aws.amazon.com/security/ • https://aws.amazon.com/compliance/ • https://aws.amazon.com/blogs/security/ ADDITIONAL RESOURCES
- 40. @AWScloud for AWS News & Announcements @danilop Danilo Poccia — Technical Evangelist