Asia Pacific

Report
Amazon Web Services
Security & Compliance Overview
Attila Lengyel Enterprise Account Manager
Dob Todorov Principal Security & Compliance Architect EMEA
undifferentiated
heavy lifting
utility
computing
AWS provides broad and deep services to
support any cloud workload
Deployment & Administration
Application Services
Compute
Storage
Database
Networking
AWS Global Infrastructure
Hundreds of Thousands of Customers in 190 Countries…
Every Imaginable Use Case
Free steak
campaign
Facebook
page
Mars exploration
ops
Consumer
social app
Ticket pricing
optimization
SAP &
Sharepoint
Securities Trading
Data Archiving
Gene
sequencing
Marketing
web site
Interactive
TV apps
Financial markets
analytics
R&D data
analysis
Consumer
social app
Big data
analytics
Web site &
media sharing
Disaster
recovery
Media
streaming
Streaming
webcasts
Facebook
app
Consumer
social app
Web and
mobile apps
“AWS is the overwhelming market share
leader, with more than five times
the compute capacity in use than
the aggregate total of the other fourteen
providers.”
Gartner “Magic Quadrant for Cloud Infrastructure as a Service,” Lydia Leong, Douglas Toombs, Bob Gill, Gregor Petri, Tiny Haynes, August 19, 2013. This Magic Quadrant graphic was published by Gartner, Inc.
as part of a larger research note and should be evaluated in the context of the entire report.. The Gartner report is available upon request from Steven Armstrong ([email protected]). Gartner does not
endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of
the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of
merchantability or fitness for a particular purpose.
Notable Financial Services Stories
Dutch National Bank (regulator)
GovCloud
US West
US West
US East
(US ITAR Region)(Northern California) (Oregon) (Northern Virginia)
South America
EU
(Sao Paulo)
(Ireland)
Asia Pacific Asia Pacific
(Singapore)
(Tokyo)
Asia Pacific
(Sydney)
AWS Regions
AWS Edge Locations
EU West
US East
Asia Pacific
Asia Pacific
(Dublin)
(Virginia)
(Tokyo)
(Australia)
A
B A
B A
C
A
C
B A
B A
B
B A
B
C
B A
US West
US West
South America
Asia Pacific
(Northern California)
(Oregon)
(Sao Paolo)
(Singapore)
Personal Data Protection in Europe
• EC Directive 95/46/EC: Personal Data Protection
• Use Amazon Web Services Dublin Region
• Safe Harbour EU Compliant
• Safe Harbour Switzerland Compliant
The Shared Responsibility Model in the Cloud
Customer Data
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Client-side Data Encryption & Data Integrity
Authentication
Server-side Encryption
(File System and/or Data)
Network Traffic Protection
(Encryption/Integrity/Identity)
Optional -- Opaque Data: 0s and 1s (in flight/at rest)
Foundation Services
Compute
AWS Global Infrastructure
Database
Storage
Networking
Availability Zones
Edge Locations
Regions
The Shared Responsibility Model in the Cloud
Customer Data
Security IN the Cloud
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Client-side Data Encryption & Data Integrity
Authentication
Server-side Encryption
(File System and/or Data)
Network Traffic Protection
(Encryption/Integrity/Identity)
Optional -- Opaque Data: 0s and 1s (in flight/at rest)
Foundation Services
Compute
Security OF the Cloud
AWS Global Infrastructure
Database
Storage
Networking
Availability Zones
Edge Locations
Regions
Customer-managed Controls on Amazon EC2
Data
Applications
Platforms
Operating Systems
OS-level Firewalls/IDS/IPS Systems/Deep Security
Security Groups &
Network Access Control Lists
Industry Standard Protocols:
IPSec, SSL, SSH
OS-level: Encrypted File System,
Bitlocker, dm-crypt, Secure Cloud
Network Security
Encryption of data in Flight
Encryption of Data at Rest
Security IN
the Cloud
Security OF
the Cloud
Data Protection at Rest and in Flight
Data
Applications
Platforms
Application-level
Encryption
Platform-level
Encryption
Operating Systems
OS-level Firewalls/IDS/IPS Systems/Deep Security
Security Groups &
Network Access Control Lists
Industry Standard Protocols:
IPSec, SSL, SSH
OS-level: Encrypted File System,
Bitlocker, dm-crypt, Secure Cloud
Network Security
Encryption of data in Flight
Encryption of Data at Rest
Network Traffic
Encryption
Volume-level Encryption
AWS Certifications & Accreditations
ISO 27001
SOC 1 (SSAE 16 & ISAE 3402) Type II Audit
SOC 2
SOC 3 Audit (new in 2013)
Payment Card Industry Data Security
Standard (PCI DSS) Level 1 Service
Provider
Security IN
the Cloud
Security OF
the Cloud
Q&A
User Identification, Authentication and Authorisation in the Cloud
Enterprise
Applications
Active Directory/
LDAP
Corporate
Systems
AD/LDAP Users
EC2
DynamoDB
Amazon Identity &
Access Management
S3
IAM Users
User Identification, Authentication and Authorisation in the Cloud
Enterprise
Applications
Corporate
Systems
Active Directory/
LDAP
AD/LDAP Users
EC2
DynamoDB
Amazon Identity &
Access Management
Access Token for
Federated
Access
S3
User Identification, Authentication and Authorisation in the Cloud
Enterprise
Applications
Shibboleth
Corporate
Systems
AD/LDAP Users
EC2
DynamoDB
Amazon Identity &
Access Management
Access Token for
Federated
Access
S3
SLAs, RTOs/RPOs
CBA
Business Processes
Defined by
Business
RTO
System
Design
Managed by
AWS
RPO
System SLAs
EC2
SLA
S3
SLA
CloudFront
SLA
RDS
SLA
Physical Security
• Amazon has been building large-scale data centers for
many years
• Important ISO
attributes:
27001
• Non-descript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth
• Controlled, need-based access
• All access is logged and reviewed
• SeparationPayment
of Duties
Card Industry Data Security
• employees
with physical
access
have logical
Standard
(PCI DSS)
Level 1don’t
Service
privileges Provider
• Maps to an Availability Zone
Storage Device Decommissioning
• All storage devices go through this process
• Uses techniques from
• DoD 5220.22-M (“National Industrial Security Program
Operating Manual”)
• NIST 800-88 (“Guidelines for Media Sanitization”)
• Ultimately
• degaussed
• physically destroyed
AWS CloudHSM
Dedicated access to HSM
appliances managed &
monitored by AWS, but you
control the keys
Increase performance for
applications that use HSMs for
key storage or encryption
AWS CloudHSM
EC2 Instance
AWS CloudHSM
Comply with stringent regulatory
and contractual requirements for
key protection
Security of Data at Rest
• S3
• Server side encryption (AES-256) – per object keys managed by AWS
• Client-side asymmetric encryption – integrated within APIs
• Client-side encryption: Amazon stores 0s and 1s
• EC2 + EBS
• Enable partition/disk level encryption
• Windows: use EFS (local certificates/centralised X.509)
• Linux: use cryptsetup/dm-crypt/others
• RDS MySQL
• Use SQL native encryption (server side)
• Client side encryption
• RDS Oracle
• Client-side encryption
Security of Data in Flight
• AWS APIs are Web services
• SOAP over HTTPS
• REST over HTTPS
• User and data authentication through request signatures
• User access to Web Console
• Admin access to Servers
• Use SSH with asymmetric keys, or X.509 certificates
• Use RDP + MPPE or SSL protection
• Secure Application-level Protocols
Network Traffic Flow Security
• VPC also adds Network Access Control Lists
(ACLs): inbound and outbound stateless
filters
• OS Firewall (e.g., iptables) may be
implemented
completely user controlled security layer
granular access control of discrete hosts
logging network events
-
OS Firewall
-
Inbound & Outbound Traffic
Amazon Security Groups
• Security Groups
Inbound traffic must be explicitly specified
by protocol, port, and security group
VPC adds outbound filters
Encrypted
File System
Encrypted
Swap File
Amazon EC2 Instance Isolation
Customer 1
…
Customer 2
Customer n
Hypervisor
Virtual Interfaces
Customer 1
Security Groups
Customer 2
Security Groups
Firewall
Physical Interfaces
…
Customer n
Security Groups
Multi-tier Security Approach Example
Web Tier
Application Tier
Database Tier
Ports 80 and 443 only
open to the Internet
Engineering staff have ssh
access to the App Tier,
which acts as Bastion
Amazon EC2
Security Group
Firewall
Sync with on-premises
database
All other Internet ports
blocked by default
Amazon VPC Network Security Controls
Layered Defence
AWS Multi-Factor Authentication
• Helps prevent anyone with unauthorized knowledge of your e-mail address and
password from impersonating you
• Additional protection for account information
• Works with
• Master Account
• IAM Users
• Integrated into
• AWS Management Console
• Key pages on the AWS Portal
• S3 (Secure Delete)
AWS Trusted Advisor
Available Programmatically via AWS Support APIs
Manage and Monitor Your Environments
from Anywhere
Security & Compliance Resources
• Answers to many security & privacy
questions
• Security Whitepaper
• Risk and Compliance Whitepaper
• Security Best Practices Whitepaper
• AWS Auditing Checklist
• Security Blog
• Security bulletins
• Penetration Testing
http://aws.amazon.com/security/
http://aws.amazon.com/compliance/

similar documents