AWS Public Sector
Jerusalem | 19 Nov 2014
AWS Security & Compliance
CJ Moses
General Manager, Government Cloud Solutions
Security Is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
PEOPLE & PROCEDURES | NETWORK SECURITY | PHYSICAL SECURITY | PLATFORM SECURITY
SECURITY IS SHARED
WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE
WHAT WE DO FOR YOU
WHAT YOU DO YOURSELF
EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES
CHOOSE WHAT’S RIGHT FOR YOUR ENTERPRISE
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”
Tom Soderstrom – CTO NASA JPL
IDC Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization
Source: IDC 2013 U.S. Cloud Security Survey
Doc #242836, September 2013
AWS SECURITY OFFERS MORE
VISIBILITY
AUDITABILITY
CONTROL
MORE VISIBILITY
CAN YOU MAP YOUR NETWORK?
WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?
TRUSTED ADVISOR
MORE AUDITABILITY
LOGS
OBTAINED, RETAINED, ANALYZED
You are making API calls… on a growing set of services around the world… CloudTrail is continuously recording API calls… and delivering log files to you
AWS CLOUDTRAIL
Security Analysis
Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track Changes to AWS Resources
Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational Issues
Quickly identify the most recent changes made to resources in your environment.
Compliance Aid
Easier to demonstrate compliance with internal policies and regulatory standards.
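As an added illustration of the security analysis and change tracking the slide describes (this is not code from the deck or from AWS), the script below reads a constructed CloudTrail log file, picks out the API calls that create, modify or delete EC2 instances, security groups and EBS volumes, and builds a per-user call count as a baseline for spotting unusual behaviour. The record field names (eventTime, eventName, userIdentity, requestParameters) are the real CloudTrail ones; the records themselves are made up.

```python
import json
from collections import Counter

# Constructed sample log in CloudTrail's delivered-file shape: a "Records" list.
# Two calls change resources, one (DescribeInstances) is read-only.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-11-19T09:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0123abcd"}},
    {"eventTime": "2014-11-19T09:02:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": None},
    {"eventTime": "2014-11-19T09:05:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteVolume", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"volumeId": "vol-0badc0de"}},
]})

# API names that create, modify or delete resources start with one of these verbs.
CHANGE_VERBS = ("Create", "Run", "Modify", "Authorize", "Revoke", "Delete", "Terminate")

def is_change(event_name):
    """True for a resource-changing call, False for a read-only Describe/List/Get."""
    return event_name.startswith(CHANGE_VERBS)

def find_changes(log_text):
    """Return (time, user, event, resource id) for every resource-changing call."""
    changes = []
    for rec in json.loads(log_text)["Records"]:
        if not is_change(rec["eventName"]):
            continue
        params = rec.get("requestParameters") or {}   # may be null in real records
        resource = (params.get("groupId") or params.get("volumeId")
                    or params.get("instanceId") or "?")
        user = rec["userIdentity"].get("userName", "?")
        changes.append((rec["eventTime"], user, rec["eventName"], resource))
    return changes

def calls_per_user(log_text):
    """Count API calls per IAM user; a baseline for flagging behaviour that deviates from it."""
    return Counter(rec["userIdentity"].get("userName", "?")
                   for rec in json.loads(log_text)["Records"])

if __name__ == "__main__":
    for change in find_changes(SAMPLE_LOG):
        print("CHANGE", *change)
    print(dict(calls_per_user(SAMPLE_LOG)))
```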
MORE CONTROL
Defense in Depth
Multi level security
• Physical security of the data centers
• Network security
• System security
• Data security
DATA
AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs
AWS CloudHSM
Defense in depth
Rapid scale for security
Automated checks with AWS Trusted Advisor
Fine grained access controls
Server side encryption
Multi-factor authentication
Dedicated instances
Direct connection, Storage Gateway
HSM-based key storage
AWS IAM | Amazon VPC | AWS Direct Connect | AWS Storage Gateway
LEAST PRIVILEGE PRINCIPLE
AT AWS
LEAST PRIVILEGE PRINCIPLE
CONFINE ROLES ONLY TO THE MATERIAL
REQUIRED TO DO SPECIFIC WORK
LEAST PRIVILEGE PRINCIPLE
SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING
CUSTOMER DATA
LEAST PRIVILEGE PRINCIPLE
MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATA CENTER LOCATIONS
LEAST PRIVILEGE PRINCIPLE
MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATA CENTERS
SIMPLE SECURITY CONTROLS
ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND
EASIEST TO ENFORCE
AWS IAM
IDENTITY & ACCESS MANAGEMENT
CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT
MFA DELETE PROTECTION
YOUR DATA STAYS WHERE YOU PUT IT
AWS Global Infrastructure
11 Regions
28 Availability Zones
54 Edge Locations
USE MULTIPLE AZs
AMAZON S3
AMAZON DYNAMODB
AMAZON RDS MULTI-AZ
AMAZON EBS SNAPSHOTS
ENCRYPT YOUR DATA
AWS CLOUDHSM
AWS Key Management Service
AMAZON EBS
AMAZON S3 SSE
AMAZON GLACIER
AMAZON REDSHIFT
AMAZON RDS
DATA ENCRYPTION
CHOOSE WHAT’S RIGHT FOR YOU:
Automated – AWS manages encryption (e.g. S3 SSE)
Enabled – user manages encryption using AWS (e.g. AWS CloudHSM, AWS KMS)
Client-side – user manages encryption using their own means
AWS CloudHSM
Managed and monitored by AWS, but you control the keys
Increase performance for applications that use HSMs for key storage or encryption
Comply with stringent regulatory and contractual requirements for key protection
Diagram: EC2 Instance connected to AWS CloudHSM (two appliances)
AWS Key Management Service
Managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys.
Integrated with other AWS services including Amazon EBS, Amazon S3, Amazon Redshift and AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
AWS CodeDeploy
AWS CodeDeploy is a service that automates code deployments to Amazon EC2 instances. AWS CodeDeploy makes it easier for you to rapidly release new features, helps you avoid downtime during deployment, and handles the complexity of updating your applications. You can use AWS CodeDeploy to automate deployments, eliminating the need for error-prone manual operations, and the service scales with your infrastructure so you can easily deploy to one EC2 instance or thousands.
AWS CodeCommit
AWS CodeCommit is a secure, highly scalable, managed source control service that hosts private Git repositories. CodeCommit eliminates the need for you to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to store anything from code to binaries, and it supports the standard functionality of Git allowing it to work seamlessly with your existing Git-based tools. Your team can also use CodeCommit’s online code tools to browse, edit, and collaborate on projects. CodeCommit will be available in early 2015.
AWS CodePipeline
AWS CodePipeline is a continuous delivery and release automation service that aids smooth deployments. You can design your development workflow for checking in code, building the code, deploying your application into staging, testing it, and releasing it to production. You can integrate 3rd party tools into any step of your release process or you can use CodePipeline as an end-to-end solution. CodePipeline enables you to rapidly deliver features and updates with high quality through the automation of your build, test, and release process. CodePipeline will be available in early 2015.
MORE AUDITABILITY
MORE VISIBILITY
MORE CONTROL
RISK & COMPLIANCE
AUDITING SECURITY CHECKLIST
SECURITY PROCESSES
SECURITY BEST PRACTICES
AWS Security Whitepapers
AWS Government
Jerusalem | 19 Nov 2014