AWS re:Invent 2016: re:Source Mini Con for Security Services State of the Union (SEC312)


Page 1: AWS re:Invent 2016: re:Source Mini Con for Security Services State of the Union (SEC312)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Stephen Schmidt
Vice President and Chief Information Security Officer
November 29, 2016

SEC312: Security Services: State of the Union

Page 2

Evolution

“Cloud will account for 92 percent of data center traffic by 2020”
- Global Cloud Index (GCI) Forecast

Page 3

DURING THIS STATE OF THE UNION …

• AWS compliance program – updates
• How Johnson & Johnson thinks about automation
• Security tool enhancements in 2016
• How AWS handles security at scale
• What’s coming at re:Invent 2016?

Page 4

AWS COMPLIANCE

CARE DEEPLY ABOUT DATA SECURITY
WE WORK TO GET THIS RIGHT FOR CUSTOMERS

Page 5

DATA OWNERSHIP

Customers choose where to place their data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and doesn’t move unless the customer tells us to do so
Customers always own their data, and the ability to encrypt it, move it, and delete it

Page 6

Our Audit and Certification Approach

70+ services
7,710 Audit Artifacts
2,670 Controls
3,030 Audit Requirements

Page 7

COMPLIANCE – AWS ARTIFACT

AWS Artifact provides customers with an easier process to obtain AWS compliance reports (SOC, PCI, ISO) with self-service, on-demand access via the console

Page 8

MAKING COMPLIANCE EASIER
AWS SOLUTION: MARKETPLACE PROGRAM

Page 9

MAKING COMPLIANCE EASIER
AWS SOLUTION: MARKETPLACE PROGRAM – ALLGRESS

Page 10

SOLUTIONS IN AWS MARKETPLACE

Categories: INFRASTRUCTURE SECURITY; LOGGING & MONITORING; CONFIGURATION & VULNERABILITY ANALYSIS; DATA PROTECTION; IDENTITY & ACCESS MANAGEMENT

aws.amazon.com/mp/security

Listed solutions:
• Deep Security-as-a-Service
• VM-Series Next-Generation Firewall Bundle 2
• vSEC
• Web Application Firewall
• Unified Threat Management 9
• FortiGate-VM
• SecureSphere WAF
• CloudInsight
• Security Platform (ESP) for AWS
• SecOps
• Log Management & Analytics
• Enterprise Cost & Security Management
• DataControl
• Transparent Encryption for AWS
• SafeNet ProtectV
• Identity & Access Management or AWS
• Security Manager
• OneLogin for AWS
• Identity Management for the Cloud

One-click launch
Ready-to-run on AWS
Pay only for what you use

Page 11

MAKING COMPLIANCE EASIER
AWS SOLUTION: AMAZON S3 DATA EVENTS AVAILABLE IN CLOUDTRAIL AND CLOUDWATCH EVENTS

Amazon S3, AWS Lambda, Amazon CloudWatch, AWS CloudTrail

Page 12

• AWS compliance program – updates
• How Johnson & Johnson thinks about automation
• Security tool enhancements in 2016
• How AWS handles security at scale
• What’s coming at re:Invent 2016?

Page 13

Johnson & Johnson

Marene Allison
Chief Information Security Officer

Page 14

I have the absolute best job in the world…

250 operating companies, 60 countries, 126,900 employees
World’s sixth-largest consumer health, pharmaceuticals, and biologics company
– Most comprehensive medical device company
– 5th largest pharmaceutical company globally
– 6th largest biotech company globally
– 6th largest consumer health care company globally
We touch 1 billion customers every day
We provide products for all stages of life
2015 worldwide sales $70.1 billion

Page 15

Automate everything

Cutting-edge, software defined data center
Enterprise guardrails: self-service with control
Segregated environments for containment

Page 16

Simplify relentlessly

CORE PRINCIPLES FOR SECURITY, COMPLIANCE, AND MANAGEMENT
ENFORCE LEAST PRIVILEGE APPROACH
LOG EVERYTHING
J&J IDENTITY & GROUP MANAGEMENT
J&J NETWORK EXTENSION
ENFORCE OUR IMAGES
ACCOUNT ISOLATION

Page 17

Thank you!

Page 18

• AWS compliance program – updates
• How Johnson & Johnson thinks about automation
• Security tool enhancements in 2016
• How AWS handles security at scale
• What’s coming at re:Invent 2016?

Page 19

AWS IDENTITY AND ACCESS MANAGEMENT (IAM)
SECURELY CONTROL ACCESS TO AWS SERVICES AND RESOURCES

Page 20

AWS SOLUTION: AWS IDENTITY AND ACCESS MANAGEMENT

Apply the security principles of “least privilege” and “segregation of responsibilities”

Page 21

AWS IDENTITY AND ACCESS MANAGEMENT
FEATURES ADDED IN 2016

• AWS Identity and Access Management (IAM) made 10 AWS managed policies available that align with common job functions in organizations
• IAM console now helps prevent you from accidentally deleting in-use resources

Page 22

AMAZON INSPECTOR
SECURITY ASSESSMENT TOOL ANALYZING END TO END APPLICATION CONFIGURATION AND ACTIVITY

Page 23

AWS SOLUTION: AMAZON INSPECTOR

• Configuration Scanning Engine
• Activity Monitoring
• Built-in Content Library
• Automatable via API
• Fully Auditable

AMAZON INSPECTOR BENEFITS
Improved security posture; Increased agility; Embedded expertise; Streamlined compliance

Page 24

AMAZON INSPECTOR
FEATURES ADDED IN 2016

• CIS certs for Windows Server 2008 R2, Server 2012, and Server 2012 R2
• Assessments complete even if some targeted agents are offline
• Filter findings based on severity levels

Page 25

AWS KEY MANAGEMENT SERVICE
CONTROL YOUR ENCRYPTION KEYS

Page 26

AWS SOLUTION: KEY MANAGEMENT SERVICE

Decide on an encryption key management strategy:
• Manage and use keys in AWS Key Management Service (AWS KMS)
• Use service-provided built-in key management
• Use your own key management system
• Manage and use keys in AWS CloudHSM

Page 27

KEY MANAGEMENT SERVICE
Features added in 2016

• Bring your own keys to AWS Key Management Service using the KMS import key feature
• AWS encryption SDK

Page 28

CONSTRAINT-BASED MONITORING
AUTOMATED REASONING

Page 29

AWS SOLUTION: CONSTRAINT-BASED MONITORING

A TOOL FOR STATIC ANALYSIS OF AMAZON EC2/VPC NETWORKS

Page 30

AWS SOLUTION: CONSTRAINT-BASED MONITORING

• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants

To learn more, please refer to Byron Cook’s session, which we’ll be posting online next week: SEC401 – Automated Formal Reasoning About AWS Systems

Page 31

SPEED OF SECURITY
GO BIG WITH INSTANCES

Page 32

X1 INSTANCES

Page 33

P2 INSTANCES

Page 34

• AWS compliance program – updates
• How Johnson & Johnson thinks about automation
• Security tool enhancements in 2016
• How AWS handles security at scale
• What’s coming at re:Invent 2016?

Page 35

AWS Security – 2016 Pace of Innovation

• Reviewed 2,233 services and features in the last year

• 319 compliance programs in scope across 40+ services

• 5,769 overall security reviews YTD

Page 36

How AWS handles security at scale

• We operate over 2,400 controls, but multiply that by the 64 services we have, over a period of 6 months, and that may be 30 million instances of control performance
• We collect terabytes and terabytes of logs on our own data

Page 37

Detecting anomalies through AWS CloudTrail Logs

AWS CloudTrail logs are a treasure trove of information
• Examples: event type, source IP, principal/AKID, MFA used

Use data to rapidly detect and respond to threats
• “Walking” credentials
• Compromised accounts
• Other malicious behavior
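As an added example (not code from the talk), the following Python runs two of the detections the slide lists over constructed CloudTrail-style records: an access key ID seen from more than one source IP within a short window (“walking” credentials) and sensitive API calls made without an MFA-authenticated session. The record layout follows CloudTrail's; the key IDs, addresses, times and the list of sensitive calls are assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# API calls a reviewer wants MFA behind; an assumed list, not from the talk.
SENSITIVE = {"CreateUser", "AttachUserPolicy", "PutBucketPolicy", "StopLogging", "DeleteTrail"}

def ev(time, name, ip, akid, mfa=None):
    """Build one record in CloudTrail's field layout (constructed sample data)."""
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "accessKeyId": akid}}
    if mfa is not None:  # only session credentials carry sessionContext.attributes
        rec["userIdentity"]["sessionContext"] = {
            "attributes": {"mfaAuthenticated": "true" if mfa else "false"}}
    return rec

SAMPLE = [  # constructed sample events; key IDs and addresses are placeholders
    ev("2016-11-15T09:50:00Z", "DescribeInstances", "203.0.113.10", "AKIAEXAMPLE111", True),
    ev("2016-11-15T09:58:00Z", "ListBuckets", "198.51.100.7", "AKIAEXAMPLE111", True),
    ev("2016-11-15T10:01:00Z", "GetObject", "192.0.2.44", "AKIAEXAMPLE222"),
    ev("2016-11-15T10:03:00Z", "PutBucketPolicy", "192.0.2.44", "AKIAEXAMPLE222"),
    ev("2016-11-15T10:05:00Z", "StopLogging", "203.0.113.55", "AKIAEXAMPLE333", True),
    ev("2016-11-15T14:00:00Z", "DescribeTrails", "203.0.113.60", "AKIAEXAMPLE333", True),
]

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def mfa_used(rec):
    """True only for an MFA-authenticated session; a bare long-term key never qualifies."""
    attrs = rec["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def walking_credentials(events, window_hours=1):
    """Map akid -> sorted source IPs for keys used from more than one IP within the window."""
    window = timedelta(hours=window_hours)
    by_key = defaultdict(list)
    for rec in sorted(events, key=_ts):
        by_key[rec["userIdentity"].get("accessKeyId")].append(rec)
    flagged = {}
    for akid, recs in by_key.items():
        for i, cur in enumerate(recs):  # IPs seen in the window ending at this event
            ips = {r["sourceIPAddress"] for r in recs[:i + 1] if _ts(cur) - _ts(r) <= window}
            if len(ips) > 1:
                flagged[akid] = sorted(ips)
    return flagged

def sensitive_without_mfa(events, sensitive=SENSITIVE):
    """(akid, eventName) pairs for sensitive calls made without an MFA session."""
    return [(r["userIdentity"].get("accessKeyId"), r["eventName"])
            for r in events if r["eventName"] in sensitive and not mfa_used(r)]
```

With the one-hour default the third key is not flagged because its two source IPs are four hours apart; widening the window to five hours flags it too.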

Page 38

Collecting raw NetFlow-like logs in AWS

Scenario:
You purchased a company running on EC2
You've been asked "Tell us of any known suspicious activity or activity indicating possible compromise for the main web server"
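For the scenario above, an added example (not from the talk) that triages VPC Flow Log records, the NetFlow-like logs AWS provides, for one web server: it reports accepted inbound connections on ports the server is not meant to serve, rejected inbound attempts, and connections the server itself opened to unexpected destinations, which is what "activity indicating possible compromise" looks like in this data. The interface ID, account, addresses, ports and expected-port lists are assumed sample values.

```python
from collections import Counter

# Default VPC Flow Log field order (version 2 records).
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records; the account, interface and addresses are placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 51234 443 6 12 4830 1479203000 1479203060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.23 443 51234 6 10 9800 1479203000 1479203060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.77 10.0.1.15 40000 22 6 3 180 1479203100 1479203160 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.77 10.0.1.15 40001 3389 6 1 60 1479203100 1479203160 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.77 45000 4444 6 40 9000 1479203200 1479203260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.9 45001 3306 6 30 7000 1479203200 1479203260 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1479203300 1479203360 - NODATA
"""

def parse(text):
    """One dict per record; blank lines are skipped."""
    return [dict(zip(FIELDS, line.split())) for line in text.splitlines() if line.strip()]

def triage(records, server_ip, allowed_in=(80, 443), allowed_out=(3306,)):
    """Count TCP flows for server_ip that fall outside its expected traffic profile.

    Returns (inbound, outbound, rejects): accepted inbound flows to ports other than
    allowed_in, flows the server initiated to ports other than allowed_out, and
    rejected inbound attempts, each keyed by (peer address, destination port)."""
    inbound, outbound, rejects = Counter(), Counter(), Counter()
    for r in records:
        if r["log-status"] != "OK" or r["protocol"] != "6":  # TCP records with data only
            continue
        sport, dport = int(r["srcport"]), int(r["dstport"])
        if r["dstaddr"] == server_ip:
            if r["action"] == "REJECT":
                rejects[(r["srcaddr"], dport)] += 1
            elif dport not in allowed_in:
                inbound[(r["srcaddr"], dport)] += 1
        elif r["srcaddr"] == server_ip and r["action"] == "ACCEPT":
            if sport in allowed_in:  # reply half of an inbound session, not server-initiated
                continue
            if dport not in allowed_out:
                outbound[(r["dstaddr"], dport)] += 1
    return inbound, outbound, rejects
```

Flow logs record each direction of a TCP session separately, so the reply half (source port 443 back to the client) must be excluded or every served request would show up as a server-initiated connection.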

Page 39

Autoticketing

• Find and close gaps in security monitoring

• Be highly accurate and actionable

• Deliver results with low latency

Page 40

How AWS handles security at scale

(diagram) Components: Work generator; Corp S3; Results processor; SNS; Lambda (async); Scan target; Lambda (sync)

Page 41

Change Management

• Problem: controlled automated deployment and validation of daily deployments
• Our response: automated auditable deployment and validation environment
• How we use it: auditor validation of our preventative and detective change management controls
• Benefit: all changes to the environment are controlled and documented

Page 42

Change Management
(figure: steps 1–5)

Page 43

Change Management
QA & Code Review
(figure: steps 1–6)

Page 44

Change Management

Flagged Deployment
ID: 47365690
Deployer: johndoe@
Deployment Time: 09:56:23 11/15/2016
Flag reason: Approval was not documented in the change ticket
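An added example (not the AWS tooling itself) of the detective control behind the flagged deployment above: each deployment is matched to its change ticket and flagged with a reason when the approval evidence is missing, recorded after the fact, or given by the deployer, producing records in the layout the slide shows. The deployment records, ticket IDs and approver names are constructed sample data; the ID 47365690 and the flag reason come from the slide.

```python
from datetime import datetime

# Constructed sample data; the deployment IDs, names and ticket numbers are placeholders.
DEPLOYMENTS = [
    {"id": 47365690, "deployer": "johndoe@", "time": "2016-11-15 09:56:23", "ticket": "CM-1001"},
    {"id": 47365691, "deployer": "janedoe@", "time": "2016-11-15 10:12:05", "ticket": "CM-1002"},
    {"id": 47365692, "deployer": "johndoe@", "time": "2016-11-15 11:40:44", "ticket": None},
    {"id": 47365693, "deployer": "janedoe@", "time": "2016-11-15 12:02:10", "ticket": "CM-1003"},
]
TICKETS = {
    "CM-1001": {"approver": None, "approved_at": None},  # approval never recorded
    "CM-1002": {"approver": "leadreviewer@", "approved_at": "2016-11-15 09:30:00"},
    "CM-1003": {"approver": "leadreviewer@", "approved_at": "2016-11-15 12:30:00"},  # after deploy
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def flag_reason(dep, tickets):
    """None when the change passes the control; otherwise the reason it is flagged."""
    if not dep["ticket"]:
        return "No change ticket referenced by the deployment"
    ticket = tickets.get(dep["ticket"])
    if ticket is None:
        return "Change ticket %s not found" % dep["ticket"]
    if not ticket["approver"] or not ticket["approved_at"]:
        return "Approval was not documented in the change ticket"
    if _ts(ticket["approved_at"]) > _ts(dep["time"]):
        return "Approval was recorded after the deployment"
    if ticket["approver"] == dep["deployer"]:
        return "Deployer approved their own change"  # segregation of responsibilities
    return None

def flagged_deployments(deployments, tickets):
    """Audit records in the layout the slide shows, one per flagged deployment."""
    out = []
    for dep in deployments:
        reason = flag_reason(dep, tickets)
        if reason:
            out.append({"ID": dep["id"], "Deployer": dep["deployer"],
                        "Deployment Time": _ts(dep["time"]).strftime("%H:%M:%S %m/%d/%Y"),
                        "Flag reason": reason})
    return out
```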

Page 45

• AWS compliance program – updates
• How Johnson & Johnson thinks about automation
• Security tool enhancements in 2016
• How AWS handles security at scale
• What’s coming at re:Invent 2016?

Page 46

AWS Security – re:Invent 2016 Preparation

• Reviewed and tested 91 service and feature launches for re:Invent 2016
• Leading into 2016 re:Invent (Sept-Nov 2016), AWS Security completed 139 pen-tests (equaling 2,357 person days)

Page 47

What’s Coming in the Next Few Days?

Page 48

The Future …

Recurrent Neural Networks
Using the Cloud to Secure the Cloud

New Regions in:
• UK (London)
• Canada (Montreal)
• France (Paris)
• China (Ningxia)

Page 49

Evolution

Today's "cloud-first" strategy is already moving toward "cloud-only"
- IDC, “Industry Predictions for 2017”

Page 50

ADDITIONAL RESOURCES

• https://aws.amazon.com/security/
• https://aws.amazon.com/compliance/
• https://aws.amazon.com/blogs/security/

Page 51

Thank you!