the aws shared security responsibility model in practice
TRANSCRIPT
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
The AWS Shared Security Responsibility Model in Practice
Patrick ShumateSolutions Architect, Amazon Web Services
AWS Global Footprint
AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)Asia Pacific (Seoul)
Asia Pacific (Mumbai )
AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
São Paulo
EU Central (Frankfurt)
Asia Pacific (Tokyo)
China (Beijing)
Asia Pacific (Seoul)
RegionAn independent collection of AWS resources in a defined geography
A solid foundation for meeting location-dependent privacy and compliance requirements
AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)Asia Pacific (Seoul)
Asia Pacific (Mumbai )
AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)Asia Pacific (Seoul)
Availability ZoneDesigned as independent failure zones
Physically separated within a typical metropolitan region
AWS Global Footprint
AWS Global Footprint
Edge Locationcollections of servers in geographically dispersed data centers
deliver content to end users with lower latency
AWS Global Footprint
AWS Global Footprint
13 (11) Regions35 (28) Availability Zones54 Edge locationsOver 1 million active customers
Every day, AWS adds enough new server capacity to support Amazon.com when it was a
$7 billion global enterprise.
https://aws.amazon.com/about-aws/global-infrastructure/
Data Locality
Customer chooses where to place data
AWS regions are geographically isolated by design
Data is not replicated to other AWS regions and doesn’t move unless you choose to move it
Data Locality in practiceBlock level storage
Instance Storage (Elastic Cloud Compute - EC2)
Elastic Block Storage (EBS)
Object level storageSimple Storage Service (S3)
Database storageRelational Database Service (RDS)
NoSQL (DynamoDB)
Columnar (Redshift)
Caching (Elasticache)
Shared Responsibility
Who manages which parts?
AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure Regions
Availability ZonesEdge Locations
Client-side Data Encryption
Server-side Data Encryption
Network Traffic Protection
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Customer contentCu
stom
ers
AWS Shared Responsibility ModelCustomers are responsible for their security and compliance IN the Cloud
AWS is responsible for the security OFthe Cloud
AWS Shared Responsibility Model – Deep Dive
Will one model work for all services?
Infrastructure Services
ContainerServices
AbstractServices
Network Traffic ProtectionEncryption / Integrity / Identity
AWS Foundation ServicesCompute Storage Database Networking
AWS Global Infrastructure Regions
Availability ZonesEdge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Platform & Applications Management
Customer content
Cust
omer
s
AWS Shared Responsibility Model:for Infrastructure Services
Managed by
Managed by
Client-Side Data encryption & Data Integrity Authentication
AWS IAM
Customer IAM
Operating System, Network & Firewall Configuration
Server-Side EncryptionFire System and/or Data
API Endpoints
Mgmt Protocols
API Calls
Infrastructure ServiceExample – EC2
• Foundation Services — Networking, Compute, Storage• AWS Global Infrastructure• AWS API Endpoints
AWS
• Customer Data• Customer Application• Operating System• Network & Firewall• Customer IAM (Corporate Directory
Service)
• High Availability, Scaling• Instance Management• Data Protection (Transit, Rest, Backup)
• AWS IAM (Users, Groups, Roles, Policies)C
usto
mer
s
RESPONSIBILITIES
AWS Foundation ServicesCompute Storage Database Networking
AWS Global Infrastructure Regions
Availability ZonesEdge Locations
Optional – Opaque data: 1’s and 0’s (in transit/at rest)
Firewall
Configuration
Platform & Applications Management
Operating System, Network Configuration
Customer content
Cust
omer
s
AWS Shared Responsibility Model:for Container Services Managed by
Managed by
Client-Side Data encryption & Data Integrity Authentication
Network Traffic ProtectionEncryption / Integrity / Identity
AWS IAM
Customer IAM
API Endpoints
Mgmt Protocols
API Calls
Infrastructure ServiceExample – RDS
• Foundational Services – Networking, Compute, Storage
• AWS Global Infrastructure
• AWS API Endpoints• Operating System• Platform / Application
AWS
• Customer Data• Firewall (VPC)• Customer IAM (DB Users, Table
Permissions)
• AWS IAM (Users, Groups, Roles, Policies)
• High Availability• Data Protection (Transit, Rest,
Backup)• Scaling
Cus
tom
ers
RESPONSIBILITIES
AWS Foundation ServicesCompute Storage Database Networking
AWS Global Infrastructure Regions
Availability ZonesEdge Locations
Platform & Applications Management
Operating System, Network & Firewall Configuration
Customer content
Cust
omer
s
AWS Shared Responsibility Model:for Abstract Services
Managed by
Managed by
Data Protection by the PlatformProtection of Data at Rest
Network Traffic Protection by the PlatformProtection of Data at in Transit
(optional)
Opaque Data: 1’s and 0’s
(in flight / at rest)
Client-Side Data Encryption & Data Integrity Authentication
API Endpoints
AWS IAM
API Calls
• Foundational Services • AWS Global Infrastructure• AWS API Endpoints• Operating System
• Platform / Application• Data Protection (Rest - SSE, Transit)
• High Availability / Scaling
AWS
• Customer Data• Data Protection (Rest – CSE)
• AWS IAM (Users, Groups, Roles, Policies)
Cus
tom
ers
Infrastructure ServiceExample – S3
Summary of Customer Responsibility in the Cloud
Customer IAM
AWS IAM
Firewall
Data
AWS IAM
Data
Applications
Operating System
Networking/Firewall
Data
Customer IAM
AWS IAM
InfrastructureServices
ContainerServices
AbstractServices
Shared Responsibility
What about security OF the cloud?
Security Shared Responsibility Model
AWS is responsible for the security OF
the cloud
AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure Regions
Availability ZonesEdge Locations
Auditing - Comparisonon-prem vs on AWS
Start with bare concreteFunctionally optional – you can build a secure system without itAudits done by an in-house teamAccountable to yourselfTypically check once a yearWorkload-specific compliance checksMust keep pace and invest in security innovation
on-prem
Start on base of accredited servicesFunctionally necessary – high watermark of requirementsAudits done by third party expertsAccountable to everyoneContinuous monitoringCompliance approach based on all workload scenariosSecurity innovation drives broad compliance
on AWS
What this means
You benefit from an environment built for the most security sensitive organizations
AWS manages 1,800+ security controls so you don’t have to
You get to define the right security controls for your workload sensitivity
You always have full ownership and control of your data
AWS Assurance Programs
AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure Regions
Availability ZonesEdge Locations
Meet your own security objectives
Customer scope and effort is reduced
Better results through focused efforts
Built on AWS consistent baseline controls
Your own external audits
Cust
omer
s Your own accreditation
Your own certifications
Compliance Resources
https://aws.amazon.com/compliance/resources/
Education — AWS Security & ComplianceAWS Security Fundamentals
3 hour eLearning courseTarget audience – Security Auditors/AnalystsIt’s Free
AWS Security Operations3 day Instructor Lead TrainingTarget audience – Security Engineer/Architects12 Modules + Labs
Self paces labs available on http://qwiklabs.comhttps://aws.amazon.com/training/course-descriptions/
©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Thank You