shared responsibility deep dive
Post on 21-Feb-2017
Shared Responsibility Deep Dive
Gavin Fitzpatrick, Security Assurance Technical Architect - EMEA
22/10/2015
Intro to AWS
Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.
Where to place data
• The customer manages where to place data
• Isolated by design: data is not replicated to other AWS regions
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Three kinds of AWS service: Infrastructure Services, Container Services and Abstract Services
Infrastructure Services

Managed by the customer:
• Customer content
• Optional – Opaque data: 1’s and 0’s (in transit/at rest)
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Customer IAM

Managed by AWS:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS IAM

• AWS Responsibility:
• Foundational Services – Networking, Compute, Storage
• AWS Global Infrastructure
• AWS IAM
• AWS API Endpoints
Container Services

Managed by the customer:
• Customer content
• Optional – Opaque data: 1’s and 0’s (in transit/at rest)
• Client-Side Data Encryption & Data Integrity Authentication
• Network Traffic Protection (Encryption / Integrity / Identity)
• Firewall Configuration
• Customer IAM

Managed by AWS:
• Platform & Applications Management
• Operating System, Network Configuration
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS IAM

• AWS Responsibility:
• Foundational Services – Networking, Compute, Storage
• AWS Global Infrastructure
• AWS IAM
• AWS API Endpoints
• Operating System
• Platform / Application
• High Availability
Abstract Services

Managed by the customer:
• Customer content
• Optional – Opaque Data: 1’s and 0’s (in flight / at rest)
• Client-Side Data Encryption & Data Integrity Authentication

Managed by AWS:
• Data Protection by the Platform: Protection of Data at Rest
• Network Traffic Protection by the Platform: Protection of Data in Transit
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS IAM

• AWS Responsibility:
• Foundational Services – Networking, Compute, Storage
• AWS Global Infrastructure
• AWS IAM
• AWS API Endpoints
• Operating System
• Platform / Application
• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
Layers above the AWS foundation, by kind of service:
• Infrastructure Services: Applications, Operating System, Networking/Firewall, Data, Customer IAM, AWS IAM
• Container Services: Firewall, Data, AWS IAM
• Abstract Services: Data, Customer IAM, AWS IAM

AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Hypervisor, Compute, Storage, Network
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
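Each kind of service leaves a different set of controls on the customer's side. As an added example (not code from the slides or from AWS), the following checks three such customer-owned controls against constructed sample data shaped like the boto3 describe_security_groups, get_bucket_encryption and describe_db_instances responses; the field names are real, but the values, and the placing of EC2, RDS and S3 into the three kinds of service, are illustrative assumptions:

```python
# Added example, not from the original slides: checks for three controls that
# sit on the customer's side of the models above. Field names follow the shape
# of the boto3 describe_security_groups / get_bucket_encryption /
# describe_db_instances responses; all sample values are constructed.
def sg_open_to_world(security_group):
    """Infrastructure/Container: Network & Firewall Configuration is the
    customer's. Return (protocol, from, to) for rules reachable from anywhere."""
    open_rules = []
    for perm in security_group.get("IpPermissions", []):
        v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
        if v4 or v6:
            open_rules.append((perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")))
    return open_rules

def bucket_default_encryption(encryption_resp):
    """Abstract: the platform offers protection of data at rest, but enabling
    it is the customer's choice. Return the SSE algorithm, or None."""
    config = encryption_resp.get("ServerSideEncryptionConfiguration", {})
    for rule in config.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None

def db_storage_encrypted(db_instance):
    """Container: AWS runs the database host OS, but encrypting the
    customer's data at rest is still the customer's setting."""
    return bool(db_instance.get("StorageEncrypted", False))

def customer_findings(sg, bucket_enc, db):
    """Collect the items the customer (not AWS) has to fix."""
    findings = [f"firewall: {p} {lo}-{hi} open to the world" for p, lo, hi in sg_open_to_world(sg)]
    if bucket_default_encryption(bucket_enc) is None:
        findings.append("data at rest: S3 bucket has no default encryption")
    if not db_storage_encrypted(db):
        findings.append("data at rest: RDS storage not encrypted")
    return findings

# Constructed sample inputs (API-response shaped, values invented).
SAMPLE_SG = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
SAMPLE_BUCKET_ENC = {"ServerSideEncryptionConfiguration": {"Rules": []}}
SAMPLE_DB = {"DBInstanceIdentifier": "db-example", "StorageEncrypted": False}

if __name__ == "__main__":
    print("\n".join(customer_findings(SAMPLE_SG, SAMPLE_BUCKET_ENC, SAMPLE_DB)))
```

Anything the checks report is by definition on the customer's side of the line; hypervisor, network fabric and the RDS host OS never appear because the customer has no setting to turn there.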
Auditing - Comparison: on-Prem vs on AWS

on AWS
• Start on base of accredited services
• Functionally necessary – high watermark of requirements
• Audits done by third party experts
• Accountable to everyone
• Continuous monitoring
• Compliance approach based on all workload scenarios
• Security innovation drives broad compliance

on-Prem
• Start with bare concrete
• Functionally optional – (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Typically check once a year
• Workload-specific compliance checks
• Must keep pace and invest in security innovation
Customer accreditation and certification on AWS

Built on the AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations), which give a consistent baseline of controls, customers add:
• Your own accreditation
• Your own certifications
• Your own external audits

• Customer scope and effort is reduced
• Better results through focused efforts
• Customer accreditation / certification possible
Helpful Resources
• Security Control Responsibility Matrix (CRM)
• AWS CloudFormation templates
• User Guides and Scripts to assist with deployment

https://aws.amazon.com/compliance/compliance-enablers/
https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
https://aws.amazon.com/compliance
https://aws.amazon.com/security
https://blogs.aws.amazon.com/security/
awsaudittraining@amazon.com
awscompliance