aws re:invent 2016: re:source mini con for security services state of the union (sec312)
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Stephen Schmidt
Vice President and Chief Information Security Officer
November 29, 2016
SEC312
Security Services:
State of the Union
Evolution
“Cloud will account for 92 percent of data center traffic by 2020”
- Global Cloud Index (GCI) Forecast
• AWS compliance program – updates
• How Johnson & Johnson thinks about automation
• Security tool enhancements in 2016
• How AWS handles security at scale
• What’s coming at re:Invent 2016?
DURING THIS STATE OF THE UNION …
CARE DEEPLY ABOUT DATA SECURITY
WE WORK TO GET THIS RIGHT FOR CUSTOMERS
AWS COMPLIANCE
Customers choose where to place their data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions
and doesn’t move unless the customer tells us to do so
Customers always own their data, the ability
to encrypt it, move it, and delete it
DATA OWNERSHIP
Our Audit and Certification Approach
70+ services
7,710 Audit Artifacts
2,670 Controls
3,030 Audit Requirements
COMPLIANCE – AWS ARTIFACT
AWS Artifact provides customers with an easier process to obtain AWS compliance reports (SOC, PCI, ISO) with self-service, on-demand access via the console
AWS Artifact
MAKING COMPLIANCE EASIER
AWS SOLUTION: MARKETPLACE PROGRAM
MAKING COMPLIANCE EASIER
AWS SOLUTION: MARKETPLACE PROGRAM – ALLGRESS
SOLUTIONS IN AWS MARKETPLACE
INFRASTRUCTURE SECURITY
LOGGING & MONITORING
CONFIGURATION & VULNERABILITY ANALYSIS
DATA PROTECTION
IDENTITY & ACCESS MANAGEMENT
aws.amazon.com/mp/security
Deep Security-as-a-Service
VM-Series Next-Generation Firewall Bundle 2
vSEC
Web Application Firewall
Unified Threat Management 9
FortiGate-VM
SecureSphere WAF
CloudInsight
Security Platform (ESP) for AWS
SecOps
Log Management & Analytics
Enterprise Cost & Security Management
DataControl
Transparent Encryption for AWS
SafeNet ProtectV
Identity & Access Management or AWS
Security Manager
OneLogin for AWS
Identity Management for the Cloud
One-click launch
Ready-to-run on AWS
Pay only for what you use
MAKING COMPLIANCE EASIER
AWS SOLUTION: AMAZON S3 DATA EVENTS AVAILABLE IN
CLOUDTRAIL AND CLOUDWATCH EVENTS
Amazon S3 AWS Lambda
Amazon CloudWatch
AWS CloudTrail
• AWS compliance program – updates
• How Johnson & Johnson thinks about automation
• Security tool enhancements in 2016
• How AWS handles security at scale
• What’s coming at re:Invent 2016?
Johnson & Johnson
Marene Allison
Chief Information Security Officer
I have the absolute best job in the world…
250 operating companies, 60 countries, 126,900 employees
World’s sixth-largest consumer health, pharmaceuticals, and biologics company
– Most comprehensive medical device company
– 5th largest pharmaceutical company globally
– 6th largest biotech company globally
– 6th largest consumer health care company globally
We touch 1 billion customers every day
We provide products for all stages of life
2015 worldwide sales $70.1 billion
Automate everything
Cutting-edge, software defined data center
Enterprise guardrails: self-service with control
Segregated environments for containment
Simplify relentlessly
CORE PRINCIPLES FOR SECURITY, COMPLIANCE, AND MANAGEMENT
ENFORCE LEAST PRIVILEGE APPROACH
LOG EVERYTHING
J&J IDENTITY & GROUP MANAGEMENT
J&J NETWORK EXTENSION
ENFORCE OUR IMAGES
ACCOUNT ISOLATION
Thank you!
• AWS compliance program – updates
• How Johnson & Johnson thinks about automation
• Security tool enhancements in 2016
• How AWS handles security at scale
• What’s coming at re:Invent 2016?
AWS IDENTITY AND ACCESS MANAGEMENT (IAM)
SECURELY CONTROL ACCESS TO AWS SERVICES AND RESOURCES
Apply the security principles of
“least privilege” and
“segregation of responsibilities”
AWS SOLUTION: AWS IDENTITY AND ACCESS MANAGEMENT
AWS IDENTITY AND ACCESS MANAGEMENT
FEATURES ADDED IN 2016
• AWS Identity and Access Management (IAM) made 10 AWS
managed policies available that align with common job
functions in organizations
• IAM console now helps prevent you from
accidentally deleting in-use resources
SECURITY ASSESSMENT TOOL ANALYZING END TO END
APPLICATION CONFIGURATION AND ACTIVITY
AMAZON INSPECTOR
Configuration Scanning Engine
Activity Monitoring
Built-in Content Library
Automatable via API
Fully Auditable
AWS SOLUTION: AMAZON INSPECTOR
Improved security posture
Increased agility
Embedded expertise
Streamlined compliance
AMAZON INSPECTOR BENEFITS
AMAZON INSPECTOR
FEATURES ADDED IN 2016
• CIS certs for Windows Server 2008 R2, Server
2012, and Server 2012 R2
• Assessments complete even if some targeted
agents are offline
• Filter findings based on severity levels
AWS KEY MANAGEMENT SERVICE
CONTROL YOUR ENCRYPTION KEYS
AWS SOLUTION: KEY MANAGEMENT SERVICE
Decide on an encryption key management strategy
Manage and use keys in AWS Key Management Service (AWS KMS)
Use service-provided built-in key management
Use your own key management system
Manage and use keys in AWS CloudHSM
• Bring your own keys to AWS Key Management
Service using the KMS import key feature
• AWS encryption SDK
KEY MANAGEMENT SERVICE
Features added in 2016
CONSTRAINT-BASED MONITORING
AUTOMATED REASONING
AWS SOLUTION: CONSTRAINT-BASED MONITORING
A TOOL FOR STATIC ANALYSIS
OF AMAZON EC2/VPC NETWORKS
AWS SOLUTION: CONSTRAINT-BASED MONITORING
• Making undecidable problems feel decidable in practice
• Abstraction to finite/tractable problems
• Counterexample-guided abstraction refinement
• Interpolation for guessing inductive invariants
To learn more, please refer to Byron Cook’s session, which we’ll be posting online next week: SEC401 – Automated Formal Reasoning About AWS Systems
SPEED OF SECURITY
GO BIG WITH INSTANCES
X1 INSTANCES
P2 INSTANCES
• AWS compliance program – updates
• How Johnson & Johnson thinks about automation
• Security tool enhancements in 2016
• How AWS handles security at scale
• What’s coming at re:Invent 2016?
AWS Security – 2016 Pace of Innovation
• Reviewed 2,233 services and features in the last year
• 319 compliance programs in scope across 40+ services
• 5,769 overall security reviews YTD
How AWS handles security at scale
• We operate over 2,400 controls; multiplied by the 64 services we have, over a period of 6 months that may be 30 million instances of control performance
• We collect terabytes and terabytes of logs on our own data
AWS CloudTrail logs are a treasure trove of information
• Examples: event type, source IP, principal/AKID, MFA used
Use data to rapidly detect and respond to threats
• “Walking” credentials
• Compromised accounts
• Other malicious behavior
Detecting anomalies through AWS CloudTrail Logs
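The slide lists the CloudTrail fields that matter for this kind of detection (event type, source IP, principal/AKID, MFA used) and two of the threats it is used against ("walking" credentials and compromised accounts). The following is an added example of detection logic run over constructed CloudTrail-style records; it is not AWS's internal tooling. It assumes the documented CloudTrail record fields (eventTime, eventName, sourceIPAddress, userIdentity.accessKeyId, userIdentity.sessionContext.attributes.mfaAuthenticated) and treats a missing sessionContext (long-term key use) as "MFA not used". The list of sensitive API names, the 10-minute window and all sample values are assumptions made for the example.

```python
"""Detect "walking" credentials and sensitive API calls made without MFA in
CloudTrail records. Added example, not AWS's own tooling; record field names
follow the CloudTrail format, all sample values below are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# API calls for which an MFA-authenticated session is expected.
# Constructed policy list for this example, not an AWS-defined set.
SENSITIVE_EVENTS = {"StopLogging", "DeleteTrail", "CreateAccessKey", "PutUserPolicy"}


def parse_cloudtrail_file(text):
    """CloudTrail delivers log files as a JSON object {"Records": [...]}."""
    return json.loads(text)["Records"]


def _event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _mfa_used(record):
    """Long-term key usage carries no sessionContext; a missing attribute
    therefore counts as 'MFA not used'."""
    attrs = (record.get("userIdentity", {}).get("sessionContext", {})
             .get("attributes", {}))
    return attrs.get("mfaAuthenticated") == "true"


def analyze(records, window=timedelta(minutes=10)):
    """Return findings in event order.

    walking_credentials: an access key ID is used from a source IP that was
    not seen for that key within `window` of its other recent use.
    sensitive_call_without_mfa: a SENSITIVE_EVENTS call from a session that
    was not MFA-authenticated.
    """
    findings = []
    recent = defaultdict(deque)  # accessKeyId -> deque of (time, ip) in window
    for rec in sorted(records, key=_event_time):
        t = _event_time(rec)
        ip = rec.get("sourceIPAddress")
        key = rec.get("userIdentity", {}).get("accessKeyId", "<none>")
        name = rec.get("eventName")
        seen = recent[key]
        while seen and t - seen[0][0] > window:  # drop entries outside window
            seen.popleft()
        if seen and ip not in {seen_ip for _, seen_ip in seen}:
            findings.append({"rule": "walking_credentials", "accessKeyId": key,
                             "eventName": name, "sourceIPAddress": ip,
                             "eventTime": rec["eventTime"]})
        seen.append((t, ip))
        if name in SENSITIVE_EVENTS and not _mfa_used(rec):
            findings.append({"rule": "sensitive_call_without_mfa",
                             "accessKeyId": key, "eventName": name,
                             "sourceIPAddress": ip, "eventTime": rec["eventTime"]})
    return findings


def _rec(time, name, ip, key, mfa=None):
    """Build one constructed CloudTrail-style record."""
    ident = {"type": "IAMUser", "accessKeyId": key,
             "arn": "arn:aws:iam::123456789012:user/example"}
    if mfa is not None:
        ident["sessionContext"] = {"attributes": {"mfaAuthenticated": mfa}}
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": ident}


# Constructed sample log: key ...00001 walks from 203.0.113.10 to
# 198.51.100.77 within minutes and then creates an access key without MFA;
# key ...00002 stays on one IP and uses MFA for its sensitive call.
SAMPLE_FILE = json.dumps({"Records": [
    _rec("2016-11-15T09:56:23Z", "DescribeInstances", "203.0.113.10", "AKIAEXAMPLE00001", "true"),
    _rec("2016-11-15T09:58:01Z", "ListBuckets", "203.0.113.10", "AKIAEXAMPLE00001", "true"),
    _rec("2016-11-15T10:01:40Z", "DescribeInstances", "198.51.100.77", "AKIAEXAMPLE00001"),
    _rec("2016-11-15T10:02:15Z", "CreateAccessKey", "198.51.100.77", "AKIAEXAMPLE00001"),
    _rec("2016-11-15T11:30:00Z", "ListBuckets", "192.0.2.5", "AKIAEXAMPLE00002", "true"),
    _rec("2016-11-15T12:00:00Z", "StopLogging", "192.0.2.5", "AKIAEXAMPLE00002", "true"),
]})

if __name__ == "__main__":
    for finding in analyze(parse_cloudtrail_file(SAMPLE_FILE)):
        print(finding)
```

On the sample, the analysis yields two findings: the first key walking to a second source IP, and its subsequent CreateAccessKey call with no MFA-authenticated session. In practice the same logic runs over CloudTrail files delivered to S3, with the window and the sensitive-call list tuned to the account's own usage.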
Collecting raw NetFlow-like logs in AWS
Scenario:
You purchased a company running on EC2
You've been asked "Tell us of any known suspicious activity or activity
indicating possible compromise for the main web server"
Autoticketing
• Find and close gaps in security monitoring
• Be highly accurate and actionable
• Deliver results with low latency
How AWS handles security at scale
Work generator
Corp
S3
Results processor
SNS
Lambda (async)
Scan target
Lambda (sync)
Change Management
• Problem: controlled automated deployment and validation of
daily deployments
• Our response: automated auditable deployment and validation
environment
• How we use it: auditor validation of our preventative and
detective change management controls
• Benefit: all changes to the environment are controlled and documented
Change Management
Change Management
QA & Code Review
Change Management
Flagged Deployment
ID: 47365690
Deployer: johndoe@
Deployment Time: 09:56:23 11/15/2016
Flag reason: Approval was not documented in the change ticket
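The flagged-deployment record above is the output of a detective change-management control. Here is an added example of such a check, not AWS's internal deployment pipeline: it looks up each deployment's change ticket and flags missing approvals, self-approval (the "segregation of responsibilities" principle from the IAM slide) and deployments made before approval was recorded. The record shapes for deployments and tickets, the ticket ids and all deployments other than the first (which reuses the slide's values) are assumptions made for the example.

```python
"""Detective change-management control that flags deployments whose change
ticket does not document a valid approval. Added example, not AWS's own
tooling; deployment and ticket record shapes are assumed."""
from datetime import datetime

TIME_FMT = "%H:%M:%S %m/%d/%Y"  # timestamp layout used on the slide


def flag_deployment(deployment, tickets):
    """Return the flag reasons for one deployment (empty when it passes).

    Checks: the referenced ticket exists, an approval is documented, the
    approver is not the deployer, and the deployment did not happen before
    the approval was recorded.
    """
    ticket = tickets.get(deployment["ticket_id"])
    if ticket is None:
        return ["No change ticket found for this deployment"]
    approval = ticket.get("approval")
    if not approval:
        return ["Approval was not documented in the change ticket"]
    reasons = []
    if approval["approver"] == deployment["deployer"]:
        reasons.append("Deployer approved their own change")
    deployed_at = datetime.strptime(deployment["time"], TIME_FMT)
    approved_at = datetime.strptime(approval["time"], TIME_FMT)
    if deployed_at < approved_at:
        reasons.append("Deployment happened before the documented approval")
    return reasons


def audit(deployments, tickets):
    """Run the check over a batch and return only the flagged records."""
    flagged = []
    for dep in deployments:
        reasons = flag_deployment(dep, tickets)
        if reasons:
            flagged.append({"id": dep["id"], "deployer": dep["deployer"],
                            "time": dep["time"], "reasons": reasons})
    return flagged


def render(flag):
    """Format one flagged deployment the way the slide presents it."""
    return (f"Flagged Deployment\nID: {flag['id']}\nDeployer: {flag['deployer']}\n"
            f"Deployment Time: {flag['time']}\n"
            f"Flag reason: {'; '.join(flag['reasons'])}")


# Constructed sample data: the first deployment reuses the slide's values;
# ticket ids, other users and the remaining deployments are made up.
TICKETS = {
    "CHG-EXAMPLE-1": {"approval": None},
    "CHG-EXAMPLE-2": {"approval": {"approver": "janedoe@", "time": "14:00:00 11/15/2016"}},
    "CHG-EXAMPLE-3": {"approval": {"approver": "reviewer@", "time": "08:00:00 11/16/2016"}},
}
DEPLOYMENTS = [
    {"id": "47365690", "deployer": "johndoe@", "time": "09:56:23 11/15/2016", "ticket_id": "CHG-EXAMPLE-1"},
    {"id": "47365702", "deployer": "janedoe@", "time": "13:45:00 11/15/2016", "ticket_id": "CHG-EXAMPLE-2"},
    {"id": "47365811", "deployer": "johndoe@", "time": "09:30:00 11/16/2016", "ticket_id": "CHG-EXAMPLE-3"},
]

if __name__ == "__main__":
    for flag in audit(DEPLOYMENTS, TICKETS):
        print(render(flag), end="\n\n")
```

The first sample deployment reproduces the slide's record (approval not documented); the second is flagged twice, for self-approval and for deploying before the approval time; the third passes.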
• AWS compliance program – updates
• How Johnson & Johnson thinks about automation
• Security tool enhancements in 2016
• How AWS handles security at scale
• What’s coming at re:Invent 2016?
AWS Security – re:Invent 2016 Preparation
• Reviewed and tested 91 service and feature launches for
re:Invent 2016
• Leading into 2016 re:Invent (Sept-Nov 2016), AWS Security
completed 139 pen-tests (equaling 2,357 person days)
What’s Coming in the Next Few Days?
The Future …
Recurrent Neural Networks
Using the Cloud to Secure the Cloud
New Regions in:
• UK (London)
• Canada (Montreal)
• France (Paris)
• China (Ningxia)
Evolution
Today's "cloud-first" strategy is already moving toward "cloud-only"
- IDC, “Industry Predictions for 2017”
• https://aws.amazon.com/security/
• https://aws.amazon.com/compliance/
• https://aws.amazon.com/blogs/security/
ADDITIONAL RESOURCES
Thank you!