
Amazon Web Services Security & Compliance Overview Attila Lengyel Enterprise Account Manager Dob Todorov Principal Security & Compliance Architect EMEA.


1 Amazon Web Services Security & Compliance Overview Attila Lengyel Enterprise Account Manager Dob Todorov Principal Security & Compliance Architect EMEA

2 undifferentiated heavy lifting

3 utility computing

4 AWS provides broad and deep services to support any cloud workload: AWS Global Infrastructure; Application Services; Networking; Deployment & Administration; Database, Storage and Compute

5 Hundreds of Thousands of Customers in 190 Countries…

6 Every Imaginable Use Case: free steak campaign Facebook page, Mars exploration ops, consumer social app, ticket pricing optimization, SAP & SharePoint, securities trading, data archiving, gene sequencing, marketing web site, interactive TV apps, financial markets analytics, R&D data analysis, consumer social app, big data analytics, web site & media sharing, disaster recovery, media streaming, web and mobile apps, streaming webcasts, Facebook app, consumer social app

7 “AWS is the overwhelming market share leader, with more than five times the compute capacity in use than the aggregate total of the other fourteen providers.”
Source: Gartner, “Magic Quadrant for Cloud Infrastructure as a Service,” Lydia Leong, Douglas Toombs, Bob Gill, Gregor Petri, Tiny Haynes, August 19. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Steven Armstrong. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

8 Notable Financial Services Stories

9 Dutch National Bank (regulator)

10 AWS Regions: US West (Northern California), US West (Oregon), US East (Northern Virginia), GovCloud (US ITAR Region), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), South America (Sao Paulo); plus AWS Edge Locations

11 Availability Zones (labelled A, B and, in some regions, C) per region: US West (Northern California), US West (Oregon), South America (Sao Paulo), Asia Pacific (Singapore), EU West (Dublin), US East (Virginia), Asia Pacific (Tokyo), Asia Pacific (Australia)

12 Personal Data Protection in Europe
- EC Directive 95/46/EC: Personal Data Protection
- Use the Amazon Web Services Dublin Region
- Safe Harbour EU compliant
- Safe Harbour Switzerland compliant

13 The Shared Responsibility Model in the Cloud
- Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
- Customer Data
- Platform, Applications, Identity & Access Management
- Operating System, Network & Firewall Configuration
- Client-side Data Encryption & Data Integrity Authentication
- Server-side Encryption (File System and/or Data)
- Network Traffic Protection (Encryption/Integrity/Identity)
- Optional: Opaque Data, 0s and 1s (in flight/at rest)

14 The Shared Responsibility Model in the Cloud (same diagram, annotated)
- Security OF the Cloud: the Foundation Services and the AWS Global Infrastructure
- Security IN the Cloud: Customer Data; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; client-side encryption and data integrity authentication; server-side encryption; network traffic protection

15 Customer-managed Controls on Amazon EC2 (Security IN the Cloud, layered over Security OF the Cloud)
- Applications
- Platforms
- Operating Systems: OS-level Firewalls/IDS/IPS Systems/Deep Security
- Network Security: Security Groups & Network Access Control Lists
- Encryption of data in flight: industry standard protocols (IPSec, SSL, SSH)
- Encryption of data at rest: OS-level Encrypted File System, BitLocker, dm-crypt, SecureCloud

16 Data Protection at Rest and in Flight
- Application-level Encryption (Applications)
- Platform-level Encryption (Platforms)
- Volume-level Encryption (Operating Systems: Encrypted File System, BitLocker, dm-crypt, SecureCloud)
- Network Traffic Encryption (Network Security: IPSec, SSL, SSH; Security Groups & Network Access Control Lists; OS-level Firewalls/IDS/IPS Systems/Deep Security)

17 AWS Certifications & Accreditations (Security OF the Cloud / Security IN the Cloud)
- SOC 1 (SSAE 16 & ISAE 3402) Type II Audit
- SOC 2
- SOC 3 Audit (new in 2013)
- ISO
- Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider

18 Q&A

19 User Identification, Authentication and Authorisation in the Cloud
- Amazon Identity & Access Management: IAM Users access EC2, DynamoDB and S3
- Active Directory/LDAP: AD/LDAP Users access Enterprise Applications and Corporate Systems

20 User Identification, Authentication and Authorisation in the Cloud (federated)
- AD/LDAP Users obtain an Access Token for Federated Access to EC2, DynamoDB and S3 through Amazon Identity & Access Management
- Enterprise Applications and Corporate Systems remain on Active Directory/LDAP

21 User Identification, Authentication and Authorisation in the Cloud (federated via Shibboleth)
- Shibboleth issues the Access Token for Federated Access to EC2, DynamoDB and S3 through Amazon Identity & Access Management
- AD/LDAP Users, Enterprise Applications and Corporate Systems as before

22 CBA: SLAs, RTOs/RPOs
- Defined by the Business: Business Processes (RTO/RPO)
- System Design: System SLAs
- Managed by AWS: EC2 SLA, S3 SLA, CloudFront SLA, RDS SLA

23 Physical Security (ISO; Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider)
Amazon has been building large-scale data centers for many years. Important attributes:
- Non-descript facilities
- Robust perimeter controls
- Strictly controlled physical access: 2 or more levels of two-factor auth; controlled, need-based access
- All access is logged and reviewed
- Separation of Duties: employees with physical access don’t have logical privileges
- Maps to an Availability Zone

24 Storage Device Decommissioning
- All storage devices go through this process
- Uses techniques from DoD M (“National Industrial Security Program Operating Manual”) and NIST (“Guidelines for Media Sanitization”)
- Ultimately degaussed and physically destroyed

25 AWS CloudHSM (EC2 Instance ↔ AWS CloudHSM)
- Dedicated access to HSM appliances managed & monitored by AWS, but you control the keys
- Increase performance for applications that use HSMs for key storage or encryption
- Comply with stringent regulatory and contractual requirements for key protection

26 Security of Data at Rest
- S3: server-side encryption (AES-256) with per-object keys managed by AWS; client-side asymmetric encryption integrated within the APIs; with client-side encryption, Amazon stores only 0s and 1s
- EC2 + EBS: enable partition/disk-level encryption; Windows: use EFS (local certificates/centralised X.509); Linux: use cryptsetup/dm-crypt/others
- RDS MySQL: use SQL native encryption (server side), or client-side encryption
- RDS Oracle: client-side encryption

27 Security of Data in Flight
- AWS APIs are Web services: SOAP over HTTPS, REST over HTTPS; user and data authentication through request signatures
- User access to the Web Console
- Admin access to servers: use SSH with asymmetric keys or X.509 certificates; use RDP + MPPE or SSL protection
- Secure application-level protocols
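The slide's "user and data authentication through request signatures" is the property that a signed API request proves who sent it and that neither the headers nor the body were altered in transit. The following is an added example, not code from the presentation or from AWS: it implements the Signature Version 4 style of HMAC-SHA256 signing (the date/region/service/"aws4_request" key derivation chain is the documented SigV4 one; the canonical request format is simplified, and the access key, secret key, region and header values are constructed placeholders).

```python
"""Request signing and verification in the style of AWS Signature Version 4.

Added example. The signing-key derivation chain matches the documented SigV4
scheme; the canonical request below is a simplified stand-in (every header is
signed, no query string handling), and all credentials are constructed.
"""
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """The long-term secret never signs a request directly: it is narrowed to a
    per-day, per-region, per-service key, limiting the blast radius of a leaked
    signing key."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def _canonical_request(method, path, headers, body):
    # Simplified canonical form: method, path, sorted lower-cased headers,
    # the list of signed header names and the SHA-256 of the body. The
    # Authorization header itself is never part of what is signed.
    names = sorted(h for h in headers if h != "authorization")
    header_block = "".join(f"{h}:{headers[h].strip()}\n" for h in names)
    signed_names = ";".join(names)
    return "\n".join([method.upper(), path, header_block, signed_names, _sha256_hex(body)]), signed_names


def _signature(secret_key, region, service, method, path, headers, body):
    timestamp = headers["x-amz-date"]
    date = timestamp[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq, signed_names = _canonical_request(method, path, headers, body)
    string_to_sign = "\n".join([ALGORITHM, timestamp, scope, _sha256_hex(creq.encode("utf-8"))])
    key = derive_signing_key(secret_key, date, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest(), scope, signed_names


def sign_request(access_key, secret_key, region, service, method, path, headers, body, timestamp):
    """Client side: returns the headers with x-amz-date and Authorization added."""
    signed = {k.lower(): v for k, v in headers.items()}
    signed["x-amz-date"] = timestamp  # binds the signature to a point in time
    sig, scope, names = _signature(secret_key, region, service, method, path, signed, body)
    signed["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                               f"SignedHeaders={names}, Signature={sig}")
    return signed


def verify_request(secret_lookup, method, path, headers, body):
    """Server side: recompute the signature from the received request and the
    caller's secret; any change to method, path, headers or body breaks it."""
    headers = {k.lower(): v for k, v in headers.items()}
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False
    try:
        fields = dict(part.split("=", 1) for part in auth[len(ALGORITHM) + 1:].split(", "))
        access_key, date, region, service, term = fields["Credential"].split("/")
    except (ValueError, KeyError):
        return False
    if term != "aws4_request" or len(date) != 8 or not headers.get("x-amz-date", "").startswith(date):
        return False
    secret_key = secret_lookup(access_key)
    if secret_key is None:
        return False
    expected, _, _ = _signature(secret_key, region, service, method, path, headers, body)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, fields.get("Signature", ""))


if __name__ == "__main__":
    # Constructed placeholder credentials and request.
    creds = {"AKIAEXAMPLEPLACEHOLDER": "exampleSecretKeyPlaceholder"}
    signed = sign_request("AKIAEXAMPLEPLACEHOLDER", creds["AKIAEXAMPLEPLACEHOLDER"],
                          "eu-west-1", "s3", "PUT", "/example-bucket/object",
                          {"Host": "s3.amazonaws.com"}, b"payload", "20130312T120000Z")
    print(signed["authorization"])
    print("valid:", verify_request(creds.get, "PUT", "/example-bucket/object", signed, b"payload"))
    print("tampered body valid:", verify_request(creds.get, "PUT", "/example-bucket/object", signed, b"payl0ad"))
```

A real deployment also rejects signatures whose x-amz-date is too far from the server clock (replay window) and allows some headers to remain unsigned; both are omitted here to keep the signing and verification paths readable.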

28 Network Traffic Flow Security (Encrypted File System, Encrypted Swap File, OS Firewall, Amazon Security Groups, Inbound & Outbound Traffic)
- Security Groups: inbound traffic must be explicitly specified by protocol, port, and security group; VPC adds outbound filters
- VPC also adds Network Access Control Lists (ACLs): inbound and outbound stateless filters
- OS Firewall (e.g., iptables) may be implemented: a completely user-controlled security layer; granular access control of discrete hosts; logging of network events

29 Amazon EC2 Instance Isolation: Physical Interfaces → Hypervisor → Firewall → Virtual Interfaces for Customer 1, Customer 2 … Customer n, each governed by its own Security Groups (Customer 1 Security Groups, Customer 2 Security Groups, Customer n Security Groups)

30 Multi-tier Security Approach Example (Amazon EC2 Security Group Firewall: Web Tier, Application Tier, Database Tier)
- Ports 80 and 443 only open to the Internet
- Engineering staff have ssh access to the App Tier, which acts as Bastion
- All other Internet ports blocked by default
- Sync with on-premises database
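Slides 28 and 30 make two points that are easy to confuse: a security group is an allow-only, stateful filter that can reference other groups, while a VPC network ACL is an ordered allow/deny list that is stateless, so the reply half of a TCP session must be permitted separately. The following added example (not code from the presentation or from AWS) models both filters in plain Python and encodes the three-tier layout from slide 30 as security group rules; the CIDR blocks, the application port 8080 and the group names are constructed placeholders, and the evaluation is a simplification of the real service.

```python
"""Security Groups (stateful, allow-only) versus Network ACLs (stateless,
ordered allow/deny), and the three-tier example from the slides.

Added example. CIDRs come from the RFC 5737 documentation ranges and are
constructed placeholders; port 8080 for the app tier is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class SgRule:
    proto: str
    port: int
    source: str  # a CIDR, or the name of another security group


@dataclass(frozen=True)
class NaclEntry:
    number: int   # evaluated lowest number first; first match wins
    proto: str    # "tcp", "udp" or "all"
    port_lo: int
    port_hi: int
    cidr: str
    action: str   # "allow" or "deny"


def sg_allows(inbound, proto, port, src_ip, src_group=None):
    """Security groups have no deny rules: traffic passes only if some rule
    names its protocol, port and source (a CIDR or another group)."""
    for rule in inbound:
        if rule.proto != proto or rule.port != port:
            continue
        if "/" in rule.source:
            if ip_address(src_ip) in ip_network(rule.source):
                return True
        elif rule.source == src_group:
            return True
    return False


def nacl_decision(entries, proto, port, remote_ip):
    """Network ACLs are walked in rule-number order with an implicit final deny."""
    for entry in sorted(entries, key=lambda e: e.number):
        if (entry.proto in ("all", proto) and entry.port_lo <= port <= entry.port_hi
                and ip_address(remote_ip) in ip_network(entry.cidr)):
            return entry.action
    return "deny"


# Three-tier layout from the slide. Constructed ranges: engineering staff
# office and the on-premises database network.
ENGINEERING_CIDR = "203.0.113.0/24"
ON_PREM_CIDR = "10.10.0.0/16"

THREE_TIER = {
    # Web tier: only 80 and 443 are open to the Internet.
    "web": [SgRule("tcp", 80, ANY), SgRule("tcp", 443, ANY)],
    # App tier: reachable from the web group, plus ssh from engineering (bastion).
    "app": [SgRule("tcp", 8080, "web"), SgRule("tcp", 22, ENGINEERING_CIDR)],
    # DB tier: only the app group (which also acts as the ssh bastion) and the
    # on-premises database it syncs with; never the Internet directly.
    "db": [SgRule("tcp", 3306, "app"), SgRule("tcp", 22, "app"), SgRule("tcp", 3306, ON_PREM_CIDR)],
}


def tier_reachable(tier, proto, port, src_ip, src_group=None):
    return sg_allows(THREE_TIER[tier], proto, port, src_ip, src_group)


# Inbound ACL on the web subnet: a constructed "blocked" range is denied before
# the general HTTPS allow. Outbound ACL: without the ephemeral-port entry the
# server's replies are dropped, which is what "stateless" means in practice.
BLOCKED_CIDR = "192.0.2.0/24"
WEB_NACL_IN = [NaclEntry(90, "tcp", 443, 443, BLOCKED_CIDR, "deny"),
               NaclEntry(100, "tcp", 443, 443, ANY, "allow")]
WEB_NACL_OUT_INCOMPLETE = [NaclEntry(100, "tcp", 443, 443, ANY, "allow")]
WEB_NACL_OUT = WEB_NACL_OUT_INCOMPLETE + [NaclEntry(110, "tcp", 1024, 65535, ANY, "allow")]


def https_session_ok(nacl_in, nacl_out, client_ip, client_port):
    """Both halves of the TCP session must pass the stateless ACL on their own:
    the request arriving on 443 and the reply leaving to the client's port."""
    return (nacl_decision(nacl_in, "tcp", 443, client_ip) == "allow"
            and nacl_decision(nacl_out, "tcp", client_port, client_ip) == "allow")


if __name__ == "__main__":
    print("Internet -> web:443", tier_reachable("web", "tcp", 443, "198.51.100.7"))
    print("Internet -> db:3306", tier_reachable("db", "tcp", 3306, "198.51.100.7"))
    print("app group -> db:3306", tier_reachable("db", "tcp", 3306, "172.31.0.5", "app"))
    print("reply with ephemeral rule", https_session_ok(WEB_NACL_IN, WEB_NACL_OUT, "198.51.100.7", 51000))
    print("reply without ephemeral rule", https_session_ok(WEB_NACL_IN, WEB_NACL_OUT_INCOMPLETE, "198.51.100.7", 51000))
```

Group-to-group references are what keep the database tier off the Internet without hard-coding instance addresses: the "app" rule on the db group follows instances in and out of the app tier automatically, which a CIDR-based rule would not.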

31 Amazon VPC Network Security Controls

32 Layered Defence

33 AWS Multi-Factor Authentication
- Helps prevent anyone with unauthorized knowledge of your email address and password from impersonating you
- Additional protection for account information
- Works with the Master Account and IAM Users
- Integrated into the AWS Management Console, key pages on the AWS Portal, and S3 (Secure Delete)

34 AWS Trusted Advisor Available Programmatically via AWS Support APIs

35 Manage and Monitor Your Environments from Anywhere

36 Security & Compliance Resources: answers to many security & privacy questions
- Security Whitepaper
- Risk and Compliance Whitepaper
- Security Best Practices Whitepaper
- AWS Auditing Checklist
- Security Blog
- Security bulletins
- Penetration Testing
