AWS Summit Benelux 2013 - AWS Cloud Security Keynote

Post on 15-Jan-2015


TRANSCRIPT

Bill Murray

General Manager, AWS Security Programs

AWS Cloud Security

Cloud Security is:

• Universal

• Visible

• Auditable

• Transparent

• Shared

• Familiar

Universal Cloud Security

• Every Customer Has Access to the Same Security Capabilities, and Gets to Choose What’s Right for Their Business

- Governments

- Financial Sector

- Pharmaceuticals

- Entertainment

- Start-Ups

- Social Media

- Home Users

- Retail

Visible Cloud Security

• AWS allows you to see your ENTIRE infrastructure at the click of a mouse.

- Can you map your current network? This... or this? (the slide contrasts two network diagrams)

Auditable Cloud Security

• How do you know AWS is right for your business?

- 3rd Party Audits

• Independent auditors

- Artifacts

• Plans, Policies and Procedures

- Logs

• Obtained

• Retained

• Analyzed

Transparent Cloud Security

• Choose the audit/certification that’s right for you:

- ISO-27001

- SOC-1, SOC-2, SOC-3

- FedRAMP

- PCI

Security & Compliance Control Objectives

• Control Objective 1: Security Organization – Who we are

– Proper control & access within the organization

• Control Objective 2: Amazon User Access

– How we vet our staff

– Minimization of access

• Control Objective 3: Logical Security

– Our staff start with no systems access

– Need-based access grants

– Rigorous systems separation

– Systems access grants regularly re-evaluated & automatically revoked

• Control Objective 4: Secure Data Handling

– Storage media destroyed before being permitted outside our datacenters

– Media destruction consistent with US Dept. of Defense Directive 5220.22

• Control Objective 5: Physical Security and Environmental Safeguards

– Keeping our facilities safe

– Maintaining the physical operating parameters of our datacenters

• Control Objective 6: Change Management

– Continuous Operation

• Control Objective 7: Data Integrity, Availability and Redundancy

– Ensuring your data remains safe, intact & available

• Control Objective 8: Incident Handling

– Processes & procedures for mitigating and managing potential issues

Shared Responsibility

• Let AWS do the heavy lifting

• This is what we do – and we do it all the time

• As the AWS customer you can focus on your business and not be distracted by the muck

• AWS:

- Facilities

- Physical Security

- Physical Infrastructure

- Network Infrastructure

- Virtualization Infrastructure

• Customer:

- Choice of Guest OS

- Application Configuration Options

- Account Management flexibility

- Security Groups

- Network ACLs
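The two customer-side network controls named in this list behave differently, and the difference is the point the later "Stateful firewall – Mandatory inbound firewall, default deny mode" bullet on the Amazon EC2 Security slide is making: a security group is a stateful, allow-only, default-deny-inbound instance firewall, while a network ACL is a stateless subnet filter that evaluates numbered rules in order. The Python model below is an added example, not code from the deck or from AWS. Addresses (RFC 5737 documentation ranges), ports and rule numbers are constructed, and the security group is deliberately given no egress rule so that connection tracking alone has to admit the reply.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the instance, "out" = leaving the instance
    proto: str       # "tcp" or "udp"
    src: str
    src_port: int
    dst: str
    dst_port: int

    def remote(self):
        # A rule's CIDR is matched against the peer, not the instance itself.
        return self.src if self.direction == "in" else self.dst


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "-1" for any protocol
    low: int                # destination-port range of the packet being checked
    high: int
    cidr: str
    action: str = "allow"   # NACL rules may deny; security-group rules are allow-only
    number: int = 0         # NACL evaluation order (ascending, first match wins)

    def matches(self, pkt):
        return ((self.proto == "-1" or self.proto == pkt.proto)
                and self.low <= pkt.dst_port <= self.high
                and ip_address(pkt.remote()) in ip_network(self.cidr))


def nacl_allows(inbound, outbound, pkt):
    """Network ACL: stateless subnet filter. Each packet in each direction is
    judged on its own by the lowest-numbered matching rule; no match falls to
    the implicit final deny. Nothing is remembered, so return traffic needs its
    own rule, normally on the ephemeral range 1024-65535."""
    rules = inbound if pkt.direction == "in" else outbound
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


@dataclass
class SecurityGroup:
    """Security group: stateful instance firewall. Inbound is default-deny and
    only allow rules exist; a packet that belongs to an already-admitted
    connection passes in either direction without consulting the rules."""
    ingress: list
    egress: list
    flows: set = field(default_factory=set)

    def allows(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port)
        rev = (pkt.proto, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        if fwd in self.flows or rev in self.flows:
            return True                      # tracked connection
        rules = self.ingress if pkt.direction == "in" else self.egress
        if any(r.matches(pkt) for r in rules):
            self.flows.add(fwd)              # remember the admitted flow
            return True
        return False


# Constructed addresses for the walkthrough (documentation ranges).
INSTANCE, CLIENT, SCANNER = "10.0.1.10", "203.0.113.7", "198.51.100.9"

# Outbound NACL variants. Mirroring the inbound rule is a common mistake: the
# reply goes to the client's ephemeral port, which a 443-only rule never covers.
NACL_OUT_MIRRORED = [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)]
NACL_OUT_EPHEMERAL = [Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)]


def simulate(nacl_outbound):
    """Push an HTTPS request, its reply and an SSH probe through both filters.
    The security group deliberately has no egress rule, to show that the reply
    is admitted by connection tracking alone."""
    sg = SecurityGroup(ingress=[Rule("tcp", 443, 443, "0.0.0.0/0")], egress=[])
    nacl_in = [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)]
    request = Packet("in", "tcp", CLIENT, 51000, INSTANCE, 443)
    reply = Packet("out", "tcp", INSTANCE, 443, CLIENT, 51000)
    probe = Packet("in", "tcp", SCANNER, 40000, INSTANCE, 22)
    return {
        "sg_request": sg.allows(request),
        "sg_reply": sg.allows(reply),
        "sg_probe": sg.allows(probe),        # port 22 has no rule: default deny
        "nacl_request": nacl_allows(nacl_in, nacl_outbound, request),
        "nacl_reply": nacl_allows(nacl_in, nacl_outbound, reply),
        "nacl_probe": nacl_allows(nacl_in, nacl_outbound, probe),
    }


if __name__ == "__main__":
    print("mirrored :", simulate(NACL_OUT_MIRRORED))
    print("ephemeral:", simulate(NACL_OUT_EPHEMERAL))
```

With the mirrored outbound ACL the request reaches the instance and the security group passes the reply, but the NACL silently drops it at the subnet edge; swapping in the ephemeral-range rule fixes the reply while the SSH probe is still refused by both layers. A real default security group allows all egress, so in practice the NACL is where the stateless return-traffic rule gets forgotten.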

Physical Security

• Large non-descript facilities

• Robust perimeter controls

• 2 factor authentication for entry

• Controlled, need-based access for AWS employees

• All access is logged and reviewed

• Distributed Regions – Multiple Availability Zones

Network Security

• DDoS attacks defended at the border

• Man in the Middle attacks

- SSL endpoints

• IP Spoofing prohibited

• Port scanning prohibited

• Packet Sniffing prevented

Amazon EC2 Security

• Host operating system

- Individual SSH keyed logins via bastion host for AWS admins

- All accesses logged and audited

• Guest operating system

- Customer controlled at root level

- AWS admins cannot log in

- Customer-generated keypairs

• Stateful firewall

- Mandatory inbound firewall, default deny mode

• Signed API calls

- Require X.509 certificate or customer’s secret AWS key
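The "customer's secret AWS key" variant of signed API calls is an HMAC over a canonical form of the request, which is what makes an API call resistant to the tampering and replay a man-in-the-middle could attempt even if it saw the traffic. The following is an added example, not AWS's code or SDK: it reproduces the Signature Version 4 construction in plain Python, adds the server-side verifier AWS does not publish, and then shows which altered requests the verifier rejects. The access key and secret are the placeholder pair from AWS's own signing documentation (not real credentials), the request and clock values are constructed, and the 15-minute skew window is a modelling choice.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
# Constructed credentials: the placeholder pair from AWS's SigV4 docs, not a real key.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, body):
    """Pin every part of the request the server acts on: sorted and encoded
    query, lowercased/sorted/trimmed headers, and a hash of the body."""
    cquery = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                      for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    cheaders = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    creq = "\n".join([method, path, cquery, cheaders, signed_headers, _sha256_hex(body)])
    return creq, signed_headers


def signing_key(secret, date, region, service):
    """Key scoped to one day/region/service; the long-term secret never touches request data."""
    key = _hmac(("AWS4" + secret).encode("utf-8"), date)
    key = _hmac(key, region)
    key = _hmac(key, service)
    return _hmac(key, "aws4_request")


def sign(method, path, query, headers, body, region, service, access_key, secret):
    """Client side: produce the Authorization header value."""
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    date = amz_date[:8]
    creq, signed_headers = canonical_request(method, path, query, headers, body)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify(method, path, query, headers, body, authorization, secrets,
           region, service, now, max_skew=timedelta(minutes=15)):
    """Server side: recompute the signature over the request as received and
    compare in constant time. A stale x-amz-date is rejected, which bounds how
    long a captured request stays replayable."""
    try:
        params = dict(p.strip().split("=", 1)
                      for p in authorization.split(" ", 1)[1].split(","))
        access_key, date, req_region, req_service, _ = params["Credential"].split("/")
        wanted = set(params["SignedHeaders"].split(";"))
    except (ValueError, KeyError, IndexError):
        return False
    secret = secrets.get(access_key)
    if secret is None or (req_region, req_service) != (region, service):
        return False
    signed = {k: v for k, v in headers.items() if k.lower() in wanted}
    if {k.lower() for k in signed} != wanted or "x-amz-date" not in wanted:
        return False
    amz_date = next(v for k, v in signed.items() if k.lower() == "x-amz-date")
    try:
        ts = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    if amz_date[:8] != date or abs(now - ts) > max_skew:
        return False
    expected = sign(method, path, query, signed, body, region, service, access_key, secret)
    return hmac.compare_digest(expected, authorization)


def demo():
    """Sign one constructed IAM request, then show what the verifier accepts and rejects."""
    headers = {"Host": "iam.amazonaws.com",
               "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
               "X-Amz-Date": "20150830T123600Z"}
    query = {"Action": "ListUsers", "Version": "2010-05-08"}
    region, service, body = "us-east-1", "iam", b""
    auth = sign("GET", "/", query, headers, body, region, service, ACCESS_KEY, SECRET_KEY)
    now = datetime(2015, 8, 30, 12, 40, tzinfo=timezone.utc)   # 4 minutes after signing

    def check(q=query, s=None, t=now):
        keys = {ACCESS_KEY: SECRET_KEY} if s is None else s
        return verify("GET", "/", q, headers, body, auth, keys, region, service, t)

    return {
        "signature": auth.rsplit("Signature=", 1)[1],
        "valid": check(),
        "tampered_query": check(q={**query, "Action": "DeleteUser"}),  # altered in transit
        "replayed_later": check(t=now + timedelta(hours=1)),          # captured, replayed
        "unknown_key": check(s={}),                                   # no such access key
    }
```

Two design points carry the security weight: the signature covers the canonical request, so changing the action, a signed header or the body invalidates it, and the server compares with `hmac.compare_digest` rather than `==` so a byte-by-byte timing difference cannot leak how much of a forged signature was right. The skew check is a replay bound, not a replay prevention: within the window an identical captured request would still verify, which is why the channel is additionally an SSL endpoint.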

Diagram (EC2 network isolation): physical interfaces feed the hypervisor, which presents a virtual interface per customer; all traffic then passes through the firewall, where each customer's own security groups (Customer 1, Customer 2, ... Customer n) are applied.

Amazon VPC Architecture

Diagram: the customer's network connects to the Amazon Web Services cloud either over a secure VPN connection over the Internet (terminating on a VPN gateway) or over AWS Direct Connect (dedicated path/bandwidth). Inside the VPC the customer's isolated AWS resources sit in subnets behind a router, with Internet access and NAT.

VPC - Dedicated Instances

• Option to ensure physical hosts are not shared with other customers

• $2/hr flat fee per Region + small hourly charge

• Can identify specific Instances as dedicated

• Optionally configure entire VPC as dedicated

Customer Challenge: Encryption

• Customers have requirements defining specific encryption key management procedures

- Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls

• Customers want to use AWS but had to retain keys in HSMs in on-premises datacenters

- Applications may slow down due to network latency

- Requires several DCs to provide high availability, disaster recovery and durability of keys

What is AWS CloudHSM?

• Customers receive dedicated access to HSM appliances

• HSMs are physically located in AWS datacenters – in close network proximity to Amazon EC2 instances

• Physically managed and monitored by AWS, but customers control their own keys

• HSMs are inside customer’s VPC – dedicated to the customer and isolated from the rest of the network

AWS CloudHSM

• With AWS CloudHSM customers can:

- Encrypt data inside AWS

- Store keys in AWS within a Hardware Security Module

- Decide how to encrypt data

• The AWS CloudHSM implements cryptographic functions and key storage for customer applications

- Use third party validated hardware for key storage

• AWS CloudHSMs are designed to meet Common Criteria EAL4+ and FIPS 140-2 standards

AWS CloudHSM Service Highlights

• Secure Key Storage – customers retain control of their own keys and cryptographic operations on the HSM

• Contractual and Regulatory Compliance – helps customers comply with the most stringent requirements for key protection

• Reliable and Durable Key Storage – AWS CloudHSMs are located in multiple Availability Zones and Regions to help customers build highly available applications that require secure key storage

• Simple and Secure Connectivity – AWS CloudHSMs are in the customer’s VPC

• Better Application Performance – reduce network latency and increase the performance

AWS Data Protection Solutions

• AWS offers several data protection mechanisms

- Access control

- Encryption

• AWS data encryption solutions allow

- Encrypt and decrypt sensitive data inside or outside AWS

- Decide which data to encrypt

- Partner with 3rd party key management solutions

• AWS CloudHSM complements existing AWS data protection and encryption solutions

9/30/2013 Slides not intended for redistribution.

Familiar Cloud Security

• Everything You Do Now Can Be Done in the Cloud

- Intrusion Detection

- Intrusion Prevention

- Packet Capture

- Firewalls

- Access Control Lists

- Multi-Factor Authentication

- Identity and Access Management

AWS Security Resources

• http://aws.amazon.com/security/

• Security Whitepaper

• Risk and Compliance Whitepaper

• Regularly Updated

• Feedback is welcome

THANK YOU!!

• bmurray@amazon.com

• #billmurray00
