security & compliance in the cloud - pop-up loft tel aviv
TRANSCRIPT
![Page 1: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/1.jpg)
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dob Todorov
Regional Technology Officer, Public Sector and Principal Architect Security & Compliance EMEA
Security & Compliance in the Cloud
Tel Aviv Pop Up Loft
![Page 2: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/2.jpg)
21st Century IT Security
Cloud Security
![Page 3: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/3.jpg)
AWS Global Infrastructure
![Page 4: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/4.jpg)
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”
Tom Soderstrom – CTO NASA JPL
![Page 5: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/5.jpg)
Cost of Security on Premises / Hosted Facility

| | CapEx | OpEx |
| --- | --- | --- |
| Technology (Physical Security, Infrastructure, Power, Networking) | £££££ | £££ |
| Processes (standards, procedures, guidelines, assurance, compliance) | £££ | ££ |
| People (hire, upskill, compensate, train, manage) | ££ | ££££ |
![Page 6: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/6.jpg)
Security and Business Value
Security as a “Feature”:
• Qualitative measure: either secure or insecure
• No added end user value
Objective Reality:
• Small or shrinking budgets
• Threat vectors and agents rising in number and sophistication
Challenge: How do we justify the cost of security?
![Page 7: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/7.jpg)
Cost of Security in the Cloud

| | CapEx | OpEx |
| --- | --- | --- |
| Technology (Physical Security, Infrastructure, Power, Networking) | - | - |
| Processes (standards, procedures, guidelines, assurance, compliance) | - | - |
| People (hire, upskill, compensate, train, manage) | - | - |
Infrastructure secure & compliant at no extra cost
ISO 27001
![Page 8: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/8.jpg)
ISO 27018: Protection of Personally Identifiable Information (PII)
Certificate number: 2015-016
Based on certification examination in conformity with defined requirements in ISO/IEC 17021:2011 and ISO/IEC 27006:2011, the Information Security Management System as defined and implemented by Amazon Web Services, Inc.*, headquartered in Seattle, Washington, United States of America, certified under certification number [2013-009], is also compliant with the requirements as stated in the standard: ISO/IEC 27018:2014
EY CertifyPoint will, according to the certification agreement dated October 23, 2014, perform surveillance audits and acknowledge the certificate until the expiration date of this certificate or the expiration of the related ISMS certificate with number [2013-009].
*This certificate is applicable for the assets, services and locations as described in the scoping section on the back of this certificate, with regard to the specific requirements for information security and protection of personally identifiable information (PII) as stated in Statement of Applicability version 2015,01, approved on September 15, 2015.
Issue date of certificate: October 1, 2015
Expiration date of certificate: November 12, 2016
Certified by EY CertifyPoint since: October 1, 2015
© Copyrights with regard to this document reside with Ernst & Young CertifyPoint B.V. headquartered at Antonio Vivaldistraat 150, 1083 HP Amsterdam, The Netherlands. All rights reserved.
Drs. R. Toppen RA, Director EY CertifyPoint
o Customers control their content.
o Customers' content will not be used for any unauthorized purposes.
o Physical media is destroyed prior to leaving AWS data centers.
o AWS provides customers the means to delete their content.
o AWS doesn’t disclose customers' content.
![Page 9: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/9.jpg)
ISO 27017: Cloud Service Providers Code of Conduct
o Ongoing commitment to internationally-recognised best practices
o Highly precise controls for Cloud services
o All AWS Regions and AWS Edge Locations are within the scope
Certificate number: 2015-015
Based on certification examination in conformity with defined requirements in ISO/IEC 17021:2011 and ISO/IEC 27006:2011, the Information Security Management System as defined and implemented by Amazon Web Services, Inc.*, headquartered in Seattle, Washington, United States of America, certified under certification number [2013-009], is also compliant with the requirements as stated in the standard: ISO/IEC 27017:2015
EY CertifyPoint will, according to the certification agreement dated October 23, 2014, perform surveillance audits and acknowledge the certificate until the expiration date of this certificate or the expiration of the related ISMS certificate with number [2013-009].
*This certificate is applicable for the assets, services and locations as described in the scoping section on the back of this certificate, with regard to the specific requirements for information security and related specific cloud security controls as stated in Statement of Applicability version 2015,02, approved on December 4, 2015.
Issue date of certificate: October 1, 2015
Re-issue date of certificate: December 7, 2015
Expiration date of certificate: November 12, 2016
Certified by EY CertifyPoint since: October 1, 2015
© Copyrights with regard to this document reside with Ernst & Young CertifyPoint B.V. headquartered at Antonio Vivaldistraat 150, 1083 HP Amsterdam, The Netherlands. All rights reserved.
Drs. R. Toppen RA, Director EY CertifyPoint
![Page 10: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/10.jpg)
Cloud Security Principles Compliance
o Issued 1 Apr 2014 by the UK CESG
o They replace the Business Impact Levels model (BIL: IL1-IL5+)
o Distributed certification model
o Risk-based approach: suitability for purpose
o New protective marking mechanisms
o AWS Whitepaper Available
![Page 11: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/11.jpg)
“You should probably start engaging with the idea that the Cloud can be considerably more secure than the private cloud or your own data centre, and start engaging with the risks that are building in the spaces where you haven't moved to the Cloud yet”
Dave Rogers - Head of Technology at UK Ministry of Justice Digital
![Page 12: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/12.jpg)
Cyber Essentials Plus Compliance in Dublin
Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme that helps organisations demonstrate security against common cyber attacks.
The ‘Plus’ scheme benefits from independent testing and validation compared to the baseline ‘Cyber Essentials’ scheme that is self-attested.
![Page 13: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/13.jpg)
IT Grundschutz in Germany
![Page 14: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/14.jpg)
Shared Responsibility Model
![Page 15: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/15.jpg)
Shared Responsibility Model
Security OF the Cloud
Security IN the Cloud
![Page 16: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/16.jpg)
AWS Security Tools
AWS Trusted Advisor: Periodic evaluation of alignment with AWS Best Practices. Not just Security-related.
AWS Config Rules: Create rules that govern configuration of your AWS resources. Continuous evaluation.
Amazon Inspector: Security insights into your applications. Runs on EC2 instances; on-demand scans.
AWS Compliance
AWS: Security of the cloud
Customer: Security in the cloud
![Page 17: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/17.jpg)
![Page 18: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/18.jpg)
![Page 19: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/19.jpg)
Cloud Config Rules
![Page 20: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/20.jpg)
![Page 21: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/21.jpg)
Security by Design - SbD
• Systematic approach to ensure security
• Formalises AWS account design
• Automates security controls
• Streamlines auditing
• Provides control insights throughout the IT management process
AWS CloudTrail
AWS CloudHSM
AWS IAM
AWS KMS
AWS Config
![Page 22: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/22.jpg)
AWS Compliance Enterprise Accelerator: Scripting your governance policy
Set of CloudFormation Templates & Reference Architectures that accelerate compliance with PCI, EU Personal Data Protection, HIPAA, FFIEC, FISMA, CJIS
Result: Reliable technical implementation of administrative controls
![Page 23: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/23.jpg)
What is Inspector?
• Application security assessment
• Selectable built-in rules
• Security findings
• Guidance and management
• Automatable via APIs
![Page 24: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/24.jpg)
Rule packages
• CVE (common vulnerabilities and exposures)
• Network security best practices
• Authentication best practices
• Operating system security best practices
• Application security best practices
• PCI DSS 3.0 readiness
![Page 25: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/25.jpg)
What is AWS WAF?
Application DDoS
Good users
Bad guys
Web server Database
AWS WAF
AWS WAF rules:
1: BLOCK requests from bad guys.
2: ALLOW requests from good guys.
Types of conditions in rules:
1: Source IP/range
2: String Match
3: SQL Injection
![Page 26: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/26.jpg)
Why AWS WAF?
Application DDoS, Vulnerabilities, Abuse
Good users
Bad guys
Web server Database
![Page 27: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/27.jpg)
Anti DDoS with WAF & Lambda
![Page 28: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/28.jpg)
AWS DDoS Protection Whitepaper
![Page 29: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/29.jpg)
S2N – AWS Implementation of TLS
• Small:
  • ~6,000 lines of code, all audited
  • ~80% less memory consumed
• Fast:
  • 12% faster
• Simple:
  • Avoid rarely used options/extensions
![Page 30: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/30.jpg)
VPC Flow Logs
![Page 31: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/31.jpg)
Certification & Education
• Security Fundamentals on AWS
  • free, online course for security auditors and analysts
• Security Operations on AWS
  • 3-day class for Security engineers, architects, analysts, and auditors
• AWS Certification
  • Security is part of all AWS exams
![Page 32: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/32.jpg)
Well-architected Framework
![Page 33: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/33.jpg)
Rich Security Capabilities in the Cloud
Prepare
Prevent
Detect
Respond
![Page 34: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/34.jpg)
o AWS Security Solutions Architects
o AWS Professional Services
o AWS Secure by Design
o AWS Security Best Practices
o AWS Well-architected
o Partner Professional Services
o AWS Training and Certification
o Understand Compliance Requirements
Prepare
![Page 35: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/35.jpg)
o Use IAM – consider MFA, roles, federation, SSO
o Implement Amazon WAF
o Leverage S2N for secure TLS connections
o Implement Config Rules to enforce compliance
o Implement Amazon Inspector to identify vulnerabilities early on
Prevent
![Page 36: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/36.jpg)
o CloudTrail enabled across all accounts and services
o Consider Config & Config Rules logs
o Inspector can be used as a detective tool
o Trusted Advisor goes beyond just security
o Use CloudWatch logs
o VPC Flow Logs give insight into intended and unintended communication taking place into your VPC
o Do look at partner log management and security monitoring solutions
Detect
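As an added illustration of the VPC Flow Logs point on the Detect slide (example code, not from the talk): a small Python triage over constructed flow-log records that counts REJECTed inbound connections per external source and flags ACCEPTed outbound flows to ports an assumed egress policy does not expect. The version-2 field order is the default flow-log format; the RFC 1918 "internal" heuristic and EXPECTED_EGRESS_PORTS are assumptions for this example.

```python
"""Triage VPC Flow Log records for unintended traffic (added example)."""
from collections import Counter
from ipaddress import ip_address, ip_network
# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_EGRESS_PORTS = {80, 443, 53}  # assumed policy: only web and DNS leave the VPC

# Constructed sample records; 203.0.113.x and 198.51.100.x are documentation ranges standing in for internet hosts.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 51432 443 6 12 3400 1450000000 1450000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.40 45012 22 6 1 60 1450000000 1450000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.2.40 45013 3389 6 1 60 1450000000 1450000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 198.51.100.9 40000 4444 6 8 900 1450000000 1450000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 198.51.100.9 40001 443 6 30 9000 1450000000 1450000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1450000000 1450000060 - NODATA
"""

def is_internal(addr):
    return any(ip_address(addr) in net for net in RFC1918)

def parse_record(line):
    """One flow-log line -> dict; None for malformed or NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":      # traffic fields are '-' in these rows
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def triage(log_text):
    """Return (REJECTed inbound probes per external source, ACCEPTed egress to unexpected ports)."""
    probes, egress = Counter(), []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        src_in, dst_in = is_internal(rec["srcaddr"]), is_internal(rec["dstaddr"])
        if not src_in and dst_in and rec["action"] == "REJECT":
            probes[rec["srcaddr"]] += 1  # dropped by a security group or NACL
        elif src_in and not dst_in and rec["action"] == "ACCEPT" \
                and rec["dstport"] not in EXPECTED_EGRESS_PORTS:
            egress.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return probes, egress
```

Rejected inbound records show what the security groups and NACLs are already stopping; the accepted outbound list is the one worth an analyst's attention, since those flows were allowed by policy.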
![Page 37: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/37.jpg)
o Be Prepared:
  o Develop, acquire or hire Security Incident Response capabilities
  o Test preparedness via game days
o Automated response and containment is always better than manual response
o AWS supports forensic investigations
o Leverage AWS Support for best results
o Talk to our security partners
Respond
![Page 38: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/38.jpg)
![Page 39: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/39.jpg)
Be Secure & Compliant in the Cloud!
![Page 40: Security & Compliance in the cloud - Pop-up Loft Tel Aviv](https://reader031.vdocuments.us/reader031/viewer/2022030315/5883860e1a28ab07628b5365/html5/thumbnails/40.jpg)
Thank you!