Move Away from the Worry-Based Fiction of the Cloud - AWS Washington D.C. Symposium 2014
DESCRIPTION
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the security programs, procedures and best practices you can use to enhance your current security posture.
TRANSCRIPT
AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014
AWS Security Assurance: DoD Community
Chris Gile
Bill Murray, [email protected]

Security in the Cloud
Bill Murray, Sr. Manager, AWS Security Programs

Different Customer Viewpoints on Security
• Public Affairs: keep out of the news
• Leader: protect shareholder value
• CI{S}O: preserve the confidentiality, integrity and availability of data

Security Is Our No.1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
• PEOPLE & PROCEDURES
• NETWORK SECURITY
• PHYSICAL SECURITY
• PLATFORM SECURITY

SECURITY IS SHARED

WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE

WHAT WE DO FOR YOU
WHAT YOU DO YOURSELF

EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES
CHOOSE WHAT’S RIGHT FOR YOUR ENTERPRISE

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”
Tom Soderstrom – CTO NASA JPL

AWS SECURITY OFFERS MORE
• VISIBILITY
• AUDITABILITY
• CONTROL

MORE VISIBILITY

CAN YOU MAP YOUR NETWORK?
WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?

TRUSTED ADVISOR
MORE AUDITABILITY

AWS CLOUDTRAIL NOW IN EU-WEST

You are making API calls...
On a growing set of services around the world…
CloudTrail is continuously recording API calls…
And delivering log files to you

Security Analysis: Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
Track Changes to AWS Resources: Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational Issues: Quickly identify the most recent changes made to resources in your environment.
Compliance Aid: Easier to demonstrate compliance with internal policies and regulatory standards.
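As an added example (not part of the deck and not CloudTrail's own tooling), a small Python analysis over records in CloudTrail's delivered-file format: it lists the successful creation/modification/deletion calls on EC2 instances, security groups and EBS volumes, and flags identities with a burst of denied calls, one "user behavior pattern" worth reviewing. The records below are constructed; real files are gzipped JSON delivered to S3, with the same "Records" layout.

```python
import json
from collections import Counter
# Constructed sample in the layout of a delivered CloudTrail file (a JSON object
# holding a "Records" list). Field names follow the CloudTrail record format;
# every value below is made up for this example.
SAMPLE_FILE = """{"Records": [
 {"eventTime": "2014-06-24T14:01:02Z", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10",
  "requestParameters": {"groupId": "sg-11111111"}},
 {"eventTime": "2014-06-24T14:02:10Z", "eventName": "DeleteVolume",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10",
  "requestParameters": {"volumeId": "vol-22222222"}},
 {"eventTime": "2014-06-24T14:03:00Z", "eventName": "DescribeInstances",
  "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
  "errorCode": "Client.UnauthorizedOperation"},
 {"eventTime": "2014-06-24T14:03:05Z", "eventName": "TerminateInstances",
  "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
  "errorCode": "Client.UnauthorizedOperation"},
 {"eventTime": "2014-06-24T14:03:09Z", "eventName": "DescribeVolumes",
  "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
  "errorCode": "Client.UnauthorizedOperation"}
]}"""

# Mutating EC2 calls on the resource types the slide names (instances, VPC
# security groups, EBS volumes); read-only Describe* calls are not changes.
CHANGE_EVENTS = {"RunInstances", "TerminateInstances", "CreateSecurityGroup",
                 "DeleteSecurityGroup", "AuthorizeSecurityGroupIngress",
                 "RevokeSecurityGroupIngress", "CreateVolume", "DeleteVolume"}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}

def load_records(file_text):
    """Parse one delivered CloudTrail file (after gunzip) into its record list."""
    return json.loads(file_text)["Records"]

def resource_changes(records):
    """Successful create/modify/delete calls as (time, user, action, resource)."""
    changes = []
    for r in records:
        if r["eventName"] in CHANGE_EVENTS and "errorCode" not in r:
            params = r.get("requestParameters") or {}
            resource = params.get("groupId") or params.get("volumeId")
            changes.append((r["eventTime"], r["userIdentity"].get("userName"),
                            r["eventName"], resource))
    return sorted(changes)

def denied_bursts(records, threshold=3):
    """Identities with at least `threshold` denied calls: a pattern worth review."""
    denied = Counter(r["userIdentity"].get("userName") for r in records
                     if r.get("errorCode") in DENIED_CODES)
    return {user: n for user, n in denied.items() if n >= threshold}
```

The denied TerminateInstances call from "bob" is deliberately not reported as a change, since only successful calls alter resources; it does count toward the denied-call burst.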

LOGS: OBTAINED, RETAINED, ANALYZED

MORE CONTROL

Defense in Depth
Multi level security
• Physical security of the data centers
• Network security
• System security
• Data security
(Diagram: concentric security layers around DATA)

AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs
• Defense in depth
• Rapid scale for security
• Automated checks with AWS Trusted Advisor
• Fine grained access controls (AWS IAM)
• Server side encryption
• Multi-factor authentication
• Dedicated instances (Amazon VPC)
• Direct connection, Storage Gateway (AWS Direct Connect, AWS Storage Gateway)
• HSM-based key storage (AWS CloudHSM)

LEAST PRIVILEGE PRINCIPLE AT AWS

LEAST PRIVILEGE PRINCIPLE
CONFINE ROLES ONLY TO THE MATERIAL REQUIRED TO DO SPECIFIC WORK

LEAST PRIVILEGE PRINCIPLE
SEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA

LEAST PRIVILEGE PRINCIPLE
MUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATA CENTER LOCATIONS

LEAST PRIVILEGE PRINCIPLE
MUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATA CENTERS

SIMPLE SECURITY CONTROLS
ARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE

AWS IAM: IDENTITY & ACCESS MANAGEMENT (BEST PRACTICE)

CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT
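An added example, not from the deck and not AWS's own code: a hypothetical least-privilege policy for an application role (the bucket name, prefix and MFA condition are assumptions) together with a simplified, stand-alone model of how IAM evaluates it, so the "who can do what" rules for an account can be checked before they are deployed. Only the Bool condition operator is modelled.

```python
import fnmatch

# Hypothetical least-privilege policy, constructed for this example: an
# application role may only read and write one prefix of one bucket and list
# that bucket, and any S3 call made without MFA is denied (Deny wins over Allow).
APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/uploads/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-bucket"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _matches(pattern, value, ignore_case=False):
    """IAM-style pattern match: '*' and '?' are the only wildcards."""
    pats = pattern if isinstance(pattern, list) else [pattern]
    if ignore_case:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def _condition_holds(condition, context):
    """Only the Bool operator is modelled, which is all the policy above uses.
    A key missing from the request context does not satisfy the condition."""
    for key, expected in condition.get("Bool", {}).items():
        if key not in context or str(context[key]).lower() != str(expected).lower():
            return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: an applicable explicit Deny wins, otherwise
    at least one applicable Allow is required, and the default is deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        applies = (_matches(stmt["Action"], action, ignore_case=True)
                   and _matches(stmt["Resource"], resource)
                   and _condition_holds(stmt.get("Condition", {}), context))
        if not applies:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Action names are matched case-insensitively and resource ARNs case-sensitively, as in IAM; a DeleteObject request is refused simply because no statement allows it, which is the least-privilege default at work.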

MFA DELETE PROTECTION (BEST PRACTICE)

YOUR DATA STAYS WHERE YOU PUT IT

USE MULTIPLE AZs (BEST PRACTICE)
• AMAZON S3
• AMAZON DYNAMODB
• AMAZON RDS MULTI-AZ
• AMAZON EBS SNAPSHOTS

DATA ENCRYPTION: CHOOSE WHAT’S RIGHT FOR YOU
• Automated – AWS manages encryption
• Enabled – user manages encryption using AWS
• Client-side – user manages encryption using their own means

AWS CloudHSM
• Managed and monitored by AWS, but you control the keys
• Increase performance for applications that use HSMs for key storage or encryption
• Comply with stringent regulatory and contractual requirements for key protection
(Diagram: EC2 Instance connected to AWS CloudHSM appliances)

ENCRYPT YOUR DATA (BEST PRACTICE)
• AWS CLOUDHSM
• AMAZON S3 SSE
• AMAZON GLACIER
• AMAZON REDSHIFT
• AMAZON RDS

MORE AUDITABILITY
MORE VISIBILITY
MORE CONTROL
IDC Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization
Source: IDC 2013 U.S. Cloud Security Survey
Doc #242836, September 2013

AWS.AMAZON.COM/SECURITY

AWS Security Whitepapers
• RISK & COMPLIANCE
• AUDITING SECURITY CHECKLIST
• SECURITY PROCESSES
• SECURITY BEST PRACTICES

AWS Security Assurance: DoD Community
Chris Gile

Cloud Services Provider - DoD Cloud Security Model (CSM) - ATO Process
DoD Cloud Security Model (Administered via DISA)
(Diagram: CSM impact levels 1 through 6, ordered by increasing security and operating requirements)
• FedRAMP Authority to Operate: CSM ATO Levels 1-2 (Public)
• CSM ATO Levels 3-5 (NIPR)
• CSM ATO Level 6 (SIPR)
• 100’s of Cloud Service Providers (CSP); providers are a mix of IaaS, PaaS, SaaS (initial focus on IaaS)
• 15 FedRAMP Compliant CSPs [1]: 10 IaaS, 3 PaaS, 2 SaaS
• 3 Provisional Authorizations granted [1]
• 0 Provisional Authorizations granted [2]
• System-Specific ATO (John Doe, DoD DAA)
• The DoD provisionally authorized commercial CSP offering is eligible to be included in the Enterprise Cloud Service Catalog
[1] Source: http://www.gsa.gov/portal/content/131931
[2] Provisional ATO granted as of 2/15/2014

Shared Security Responsibility
• AWS & Customers both have security/compliance obligations
• Logical assessment & accreditation boundaries
• How are our ATOs consumed? Agencies & Partners
(Diagram: Managed by AWS: Cross-service Controls, Service-specific Controls, Cloud Service Provider Controls, labelled "Compliance of the Cloud". Managed by Customer: Optimized Network/OS/App Controls, labelled "Compliance in the Cloud".)

AWS Availability Zone (AZ) View
(Diagram: Sample US Region with Availability Zone A, Availability Zone B and Availability Zone C; each AZ labelled "~ DoD Data Center")
- Multiple Isolated locations within a Region
- Availability Zone = 1 or more “data center”
- Independent Failure Zone
- Physically separated
- On separate Low Risk Flood Plains
- Discrete UPS
- Onsite backup generation facilities
- Fed from different segments of utility provider
- Redundantly connected to multiple tier-1 ISP’s
- No “Disaster Recovery Datacenter”
- Built for Continuous Availability
- Customer decides Availability Zone for Compute

AWS FedRAMP Program
• AWS has two Agency ATOs granted by HHS; assessment reviewed by HHS, FDA, CDC, and NIH covering:
  – All AWS US Regions (US East/West, & GovCloud (US))
  – EC2, S3, EBS, VPC, IAM
  – New: Amazon Redshift (US East/West only)
• Assessed against all FedRAMP-Moderate controls (298)
• Agency ATO packages have reciprocity with federal agencies
• AWS will directly field FedRAMP package requests from all customers, though agencies can still request AWS FedRAMP package from FedRAMP PMO if desired
  – AWS provides customers a FedRAMP SSP Template, inherited/shared control matrix, as well as FedRAMP package
• AWS Security Assurance supports the lifecycle of customer engagements with supporting personnel and resources
cloud.cio.gov/fedramp/amazon

AWS DoD CSM Program
• 2/6/14 Provisional Authorization for Levels 1-2
• DISA managed Cloud Security Model (CSM)
• 68 additional control enhancements overlaid on FedRAMP Moderate
• Partners have achieved MAC II Sensitive DIACAP ATOs

Building Solutions on AWS
• Partners & Agencies can leverage FedRAMP compliant AWS
• AWS’ FedRAMP package covers AWS infrastructure and underlying management of services
• Partner’s FedRAMP package includes inherited controls; shared controls document the partner’s application/service built on AWS
• To support partners we can provide:
  – Partner FedRAMP package: ATO Letters, CIS spreadsheet, FIPS 199, etc.
  – SSP Template: Pre-populated with inherited control language, guidance on completing shared controls
  – ATO Letters as stand alone documents
  – Support: Security Solutions Architects, Security Assurance Architects, Professional Services

AWS Documentation Support
• AWS Package is specific to the AWS Infrastructure
• Partner’s Package is specific to the Partner’s Application or managed services
• Inherited vs. Shared Controls
Certifications & Compliance
• AWS Environment
  – SOC 1/2/3
  – ISO 27001 Certification
  – Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
  – FedRAMP (up to Moderate)
  – AWS GovCloud (US) – ITAR compliant region
• Customers have deployed various compliant applications
  – Sarbanes-Oxley (SOX)
  – HIPAA (healthcare)
  – FISMA/FedRAMP (US Federal Government)
  – DIACAP – up to MAC II Sensitive
  – International Traffic in Arms Regulations (ITAR)

Customer Resources
• Whitepapers
  – Risk & Compliance Whitepaper
  – Overview of Security Processes
  – “Security at Scale” series
    • Governance in AWS
    • Logging in AWS
• Template
  – FedRAMP SSP Template
• Workbooks
  – FISMA-High
  – CJIS

Other Compliance Programs
• FISMA-High Handbook
  – Workbook available for partners under NDA
  – 84 additional control enhancements [21 inherited, 54 shared, 9 customer]
• CJIS Handbook
  – Available under NDA
  – 121 security requirements; 10 inherited, 87 shared, and 24 customer-responsible requirements
• Both are partner-based approaches to build a portfolio of authorizations

AWS Compliance & Security Centers
• Answers to many security and compliance questions
• Security whitepaper
• Risk and Compliance whitepaper
• Overview of Security Processes whitepaper
• “Security at Scale” whitepaper series
• Security bulletins
• Customer penetration testing requests
• Security best practices
• Request more information by contacting us
aws.amazon.com/security
aws.amazon.com/compliance

Additional AWS Security & Compliance References
• https://aws.amazon.com/security
• https://aws.amazon.com/compliance
• https://aws.amazon.com/compliance/#whitepapers
• https://aws.amazon.com/compliance/fedramp-faqs
• https://aws.amazon.com/govcloud-us
• https://aws.amazon.com/documentation
• https://aws.amazon.com/iam

Thank You
Chris Gile
Bill Murray, [email protected]