Cloud Security, Risk and Compliance on AWS
TRANSCRIPT
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Karim Hopper, Solution Architecture APAC
27 May 2015
Governance, Risk and Compliance Considerations for the Cloud
Hong Kong
Demonstrating Compliance
AWS Assurance Programs
Consistent, regular and exhaustive 3rd party evaluations
Customers control how they manage their own risks
AWS Managed and Audited Controls
AWS SOC 1, SOC 2, PCI-DSS, NIST 800-53, ISO 27001
Virtual Private Cloud
Key Management Logging
AWS Provided, Customer Configured and Managed Controls
Other AWS features and services
Classification
Security Policy
Customer Provided and Managed Controls
Encryption
Governance
ITDaM
ITSM
Monitoring
Operations
Malware
Risk Management
Customers
Customer Risk Appetite and Desired Control Environment
Business Risks, Sourcing Risks, Technology Risks, Security Risks, Compliance
Compliance Programs
Reports and letters of attestation are available for a number of certifications
SOC 1 (Type 2): Controls safeguarding customer data; auditor validated over a 6 month period. Evaluates control design and evidence of controls working (formerly SAS 70)
SOC 2 (Type 2): Provides additional transparency into AWS security and availability, including BCP
ISO 27001: Widely adopted global security standard for ISMS. Evaluates management of information security risks that affect confidentiality, integrity and availability of company and customer information
PCI DSS Level 3.0: Customers can run PCI compliant technology infrastructure for storing, processing and transmitting credit card information in the cloud
Security Shared Responsibility Model
AWS is responsible for the security OF the cloud:
AWS Foundation Services: Hypervisor, Compute, Storage, Network
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
The customer is responsible for configuring security IN the cloud:
Customer applications and content
Platform, Applications, Identity and Access Management
Operating System, Network and Firewall Configuration
Client-side data encryption
Server-side data encryption
Network Traffic Protection
Data Locality
Customer chooses where to place data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and doesn’t move unless you choose to move it
AWS Employee Access
Staff vetting and enforcement of the principle of least privilege
• No logical access to customer instances
• Control-plane access limited and monitored: bastion hosts, least privileged model, zoned data center access
• Access based on strict business needs
• Separate privileged account management systems
For more on compliance… http://aws.amazon.com/compliance
• Whitepapers
• Work books
• Reference Architectures
• Security and privacy resources
Security is our #1 priority
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”
Tom Soderstrom, CTO, NASA JPL
Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey
doc #242836, September 2013
AWS Security in Context
VISIBILITY
AUDITABILITY
CONTROL
AGILITY
Customers get more… through our…
Visibility
Customers can see their entire infrastructure at the click of a mouse. Using AWS CloudTrail, customers can continuously record activities happening on the AWS platform
Use cases enabled by AWS CloudTrail
Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns
Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes
Troubleshoot Operational Issues: Identify the most recent actions made to resources in your AWS account
Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards
Visibility: AWS Trusted Advisor recommends security best practices (identifies potential security issues)
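The CloudTrail use cases above (security analysis over the log files, tracking resource changes, finding the most recent actions) can be worked through with nothing more than the standard library. The script below is an added example and is not code from the presentation or from AWS; the records are constructed to mimic CloudTrail's log file layout (a JSON object with a "Records" list), and the account id 111122223333, user names, resource ids and IP addresses are placeholders. The event names are real EC2 API actions.

```python
"""Security analysis over AWS CloudTrail records, standard library only.

Added example, not from the presentation. SAMPLE_LOG is constructed to mimic
CloudTrail's log file format ({"Records": [...]}); account id, users, resource
ids and IP addresses are placeholders. Event names are real EC2 API actions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# EC2 / VPC / EBS actions that create, modify or delete resources.
MUTATING_EVENTS = {
    "RunInstances", "TerminateInstances", "CreateVolume", "DeleteVolume",
    "CreateSecurityGroup", "DeleteSecurityGroup",
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
}


def _rec(t, user, name, src="203.0.113.10", req=None, resp=None, err=None):
    """Build one constructed, CloudTrail-shaped record (sample data only)."""
    r = {"eventTime": t, "eventSource": "ec2.amazonaws.com", "eventName": name,
         "sourceIPAddress": src, "requestParameters": req, "responseElements": resp,
         "userIdentity": {"type": "IAMUser", "userName": user,
                          "arn": f"arn:aws:iam::111122223333:user/{user}"}}
    if err:
        r["errorCode"] = err
    return r


# Constructed sample log: routine actions by alice, a security-group change and a
# volume deletion by bob, then a burst of AccessDenied errors from "contractor".
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2015-05-27T01:00:00Z", "alice", "RunInstances",
         resp={"instancesSet": {"items": [{"instanceId": "i-0123abcd"}]}}),
    _rec("2015-05-27T01:05:00Z", "alice", "DescribeInstances"),
    _rec("2015-05-27T02:00:00Z", "bob", "AuthorizeSecurityGroupIngress",
         req={"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _rec("2015-05-27T02:10:00Z", "bob", "DeleteVolume", req={"volumeId": "vol-0fedcba9"}),
] + [
    _rec(f"2015-05-27T03:0{i}:00Z", "contractor", "DescribeSecurityGroups",
         src="198.51.100.7", err="AccessDenied") for i in range(4)
]})


def load_records(log_text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of dicts."""
    return json.loads(log_text)["Records"]


def _principal(r):
    return r.get("userIdentity", {}).get("arn", "unknown")


def _resource_id(r):
    """Best-effort resource id: request parameters first, then the response."""
    req = r.get("requestParameters") or {}
    for key in ("groupId", "volumeId", "instanceId"):
        if key in req:
            return req[key]
    items = (r.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
    return items[0].get("instanceId") if items else None


def resource_changes(records):
    """Track creation, modification and deletion of EC2 / VPC / EBS resources."""
    return [(r["eventTime"], _principal(r), r["eventName"], _resource_id(r))
            for r in records if r["eventName"] in MUTATING_EVENTS and "errorCode" not in r]


def most_recent_actions(records, n=3):
    """Most recent successful actions, newest first (the troubleshooting use case)."""
    ok = sorted((r for r in records if "errorCode" not in r),
                key=lambda r: r["eventTime"], reverse=True)
    return [(r["eventTime"], _principal(r), r["eventName"]) for r in ok[:n]]


def world_open_ingress(records):
    """Flag successful ingress rules that open a security group to 0.0.0.0/0."""
    hits = []
    for r in records:
        if r["eventName"] != "AuthorizeSecurityGroupIngress" or "errorCode" in r:
            continue
        req = r["requestParameters"]
        for p in req.get("ipPermissions", {}).get("items", []):
            for rng in p.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    hits.append((req["groupId"], p.get("ipProtocol"),
                                 p.get("fromPort"), p.get("toPort"), _principal(r)))
    return hits


def repeated_access_denied(records, threshold=3, window=timedelta(minutes=10)):
    """Principals with >= threshold AccessDenied errors inside a sliding time window:
    a crude behaviour pattern (permission probing, or a broken automation credential)."""
    denials = defaultdict(list)
    for r in records:
        if r.get("errorCode") == "AccessDenied":
            denials[_principal(r)].append(datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for who, times in denials.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[who] = max(flagged.get(who, 0), end - start + 1)
    return flagged


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("changes:", resource_changes(recs))
    print("world-open ingress:", world_open_ingress(recs))
    print("repeated denials:", repeated_access_denied(recs))
```

Real CloudTrail log files are gzip-compressed objects in S3, so in practice the body handed to `load_records` comes from `gzip.decompress` of each object; everything else works unchanged on records from any region.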
Auditability
The AWS Config Service lets customers audit the historical configuration of resources and send notifications when those resources change
Use Cases
Security Analysis: Am I safe?
Audit Compliance: Where is the evidence?
Change Management: What will this change affect?
Troubleshooting: What has changed?
AWS Config Service: Review the historical configuration of resources and send notifications when those resources change
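The "what has changed?" and "what will this change affect?" questions above come down to diffing successive configuration snapshots of a resource and following its relationships. The script below is an added example, not code from the presentation or from the AWS Config service itself; the snapshots are constructed to mimic AWS Config configuration items (resourceType, resourceId, configurationItemCaptureTime, configuration, relationships), and the account id, region, resource ids and tags are placeholders.

```python
"""Auditing historical resource configuration in the shape AWS Config exposes it.

Added example, not from the presentation. SNAPSHOTS are constructed to mimic
AWS Config configuration items; account id, region, resource ids and tags are
placeholders, not real account data.
"""
import json


def _item(capture_time, configuration, relationships):
    """Build one constructed configuration item for a security group."""
    return {"version": "1.0", "accountId": "111122223333", "awsRegion": "ap-southeast-1",
            "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0a1b2c3d",
            "configurationItemCaptureTime": capture_time,
            "configuration": configuration, "relationships": relationships}


RELATED = [  # instances the group is attached to (constructed)
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0123abcd",
     "relationshipName": "Is associated with Instance"},
    {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0456efgh",
     "relationshipName": "Is associated with Instance"},
]
HTTPS_RULE = {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["10.0.0.0/8"]}
SSH_RULE = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]}

# Constructed history, deliberately out of order: the later snapshot adds a
# world-open SSH rule and an Env tag.
SNAPSHOTS = [
    _item("2015-05-27T02:00:01.000Z",
          {"groupName": "web", "ipPermissions": [HTTPS_RULE, SSH_RULE],
           "tags": {"Owner": "alice", "Env": "prod"}}, RELATED),
    _item("2015-05-20T09:00:00.000Z",
          {"groupName": "web", "ipPermissions": [HTTPS_RULE],
           "tags": {"Owner": "alice"}}, RELATED),
]


def diff_configuration(old, new, path="configuration"):
    """Recursive diff of two configuration dicts.

    Scalars yield (path, old_value, new_value); lists are compared as sets of
    items and yield (path + "[]", removed_items, added_items)."""
    changes = []
    for key in sorted(set(old) | set(new)):
        p = f"{path}.{key}"
        if key not in old:
            changes.append((p, None, new[key]))
        elif key not in new:
            changes.append((p, old[key], None))
        elif isinstance(old[key], dict) and isinstance(new[key], dict):
            changes.extend(diff_configuration(old[key], new[key], p))
        elif isinstance(old[key], list) and isinstance(new[key], list):
            o = {json.dumps(x, sort_keys=True) for x in old[key]}
            n = {json.dumps(x, sort_keys=True) for x in new[key]}
            if o != n:
                changes.append((p + "[]", [json.loads(x) for x in sorted(o - n)],
                                [json.loads(x) for x in sorted(n - o)]))
        elif old[key] != new[key]:
            changes.append((p, old[key], new[key]))
    return changes


def affected_resources(item):
    """Ids of related resources a change to this item may affect."""
    return sorted(rel["resourceId"] for rel in item.get("relationships", []))


def change_history(items):
    """Walk snapshots oldest to newest; one (capture_time, changes, affected) per change."""
    ordered = sorted(items, key=lambda i: i["configurationItemCaptureTime"])
    history = []
    for prev, cur in zip(ordered, ordered[1:]):
        changes = diff_configuration(prev["configuration"], cur["configuration"])
        if changes:
            history.append((cur["configurationItemCaptureTime"], changes, affected_resources(cur)))
    return history


def change_notification(items):
    """Simplified notification payload for the latest change, or None if nothing changed."""
    history = change_history(items)
    if not history:
        return None
    when, changes, affected = history[-1]
    latest = max(items, key=lambda i: i["configurationItemCaptureTime"])
    return {"resourceType": latest["resourceType"], "resourceId": latest["resourceId"],
            "captureTime": when, "affectedResources": affected,
            "changedProperties": [{"path": p, "old": o, "new": n} for p, o, n in changes]}


if __name__ == "__main__":
    print(json.dumps(change_notification(SNAPSHOTS), indent=2))
```

Lists are diffed as sets of items rather than positionally, so a rule moving within ipPermissions does not register as a change while an added or removed rule does; that keeps the evidence trail focused on changes an auditor cares about.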
Control
Control
AWS offers several flexible encryption options. Each option differs in who controls the encryption method, the key storage and the key management layer of the KMI (key management infrastructure):
A. AWS Managed: AWS manages the method, storage and KMI (AWS Key Management Service)
B. AWS provides key storage; the customer manages the encryption method and the management layer of the KMI (AWS CloudHSM)
C. Customer Managed: the customer controls everything, e.g. KMI / keys stored on-premises and client-side encryption used
Control
AWS Key Management Service
• A managed service that makes it easy for you to create, control, and use your encryption keys
• Integrated with AWS SDKs and AWS services including storage, compute and database / data warehouse
• CloudTrail support
AWS CloudHSM
• Dedicated SafeNet Luna-based solution (FIPS 140-2 compliant)
Control
Data Destruction
• Storage media destroyed before being permitted outside our datacenters
• Media destruction consistent with US Dept. of Defense Directive 5220.22
Control – Customers choose what they need
Defense in depth:
• Application log file capture
• Isolated, private networking environments (Amazon VPC)
• Fine grained access controls (AWS IAM)
• Segregation of duties
• Multi-factor authentication, identity federation
• Single tenant / dedicated servers
• Direct connections (AWS Direct Connect)
• HSM-based key storage (AWS CloudHSM)
• Multiple tiers of firewalls
AWS delivers more control and granularity
Agility
29 New Security Features year to date
RDS Encryption using KMS
Oracle TDE with CloudHSM
S3 Endpoints in VPC
IAM Managed Policies
Glacier Vault Access Policies
…
AWS Security Organization
CEO Amazon.com
  Chief Info. Security Officer (CISO)
    Operations, Engineering, Application Security, Compliance
Amazon’s Culture
• Everyone’s an owner
• Decentralize – security engineers are embedded in service teams
• Executive accountability
• Metrics driven – measuring constantly
• Five Whys to establish the cause of error
• Test constantly
• Understand normal and then identify anomalies
Thank you
aws.amazon.com/compliance aws.amazon.com/security
http://www.linkedin.com/in/karimhopper