AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security

transcript

AWS Security Stephen E. Schmidt, Directeur de la Sécurité

Different customer viewpoints on security

PR exec keep out of the news

CEO protect shareholder

CI{S}O preserve the

confidentiality, integrity and availability of data

Security is Our No.1 Priority Comprehensive Security Capabilities to Support Virtually Any Workload

PEOPLE & PROCEDURES

NETWORK SECURITY

PHYSICAL SECURITY

PLATFORM SECURITY

SECURITY IS SHARED

WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE

WHAT WE DO

WHAT YOU HAVE TO DO

EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY

CAPABILITIES

CHOOSE WHAT’S RIGHT FOR YOUR BUSINESS

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”

Tom Soderstrom – CTO – NASA JPL

AWS SECURITY OFFERS MORE

VISIBILITY AUDITABILITY

CONTROL

MORE VISIBILITY

CAN YOU MAP YOUR NETWORK?

WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?

TRUSTED ADVISOR

MORE AUDITABILITY

SECURITY CONTROL OBJECTIVES

1. SECURITY ORGANIZATION 2. AMAZON USER ACCESS 3. LOGICAL SECURITY 4. SECURE DATA HANDLING 5. PHYSICAL SECURITY AND ENV. SAFEGUARDS 6. CHANGE MANAGEMENT 7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY 8. INCIDENT HANDLING

AWS CLOUDTRAIL

You are making API calls...

On a growing set of services around the

world…

CloudTrail is continuously recording API

calls…

And delivering log files to you

Security Analysis Use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.

Track Changes to AWS Resources Track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.

Troubleshoot Operational Issues Quickly identify the most recent changes made to resources in your environment.

Compliance Aid Easier to demonstrate compliance with internal policies and regulatory standards.

‣  CloudTrail records API calls and delivers a log file to your S3 bucket.

‣  Typically, delivers an event within 15 minutes of the API call.

‣  Log files are delivered approximately every 5 minutes.

‣  Multiple partners offer integrated solutions to analyze log files.

LOGS OBTAINED, RETAINED, ANALYZED

PROTECT YOUR LOGS WITH IAM ARCHIVE YOUR LOGS

MORE CONTROL

Defense in Depth Multi level security

•  Physical security of the data centers •  Network security •  System security •  Data security DATA

AWS Security Delivers More Control & Granularity Customize the implementation based on your business needs

AWS CloudHSM

Defense in depth

Rapid scale for security

Automated checks with AWS Trusted Advisor

Fine grained access controls

Server side encryption

Multi-factor authentication

Dedicated instances

Direct connection, Storage Gateway

HSM-based key storage

AWS IAM

Amazon VPC

AWS Direct Connect

AWS Storage Gateway

AWS STAFF ACCESS

‣  Staff vetting ‣  Staff has no logical access to customer instances ‣  Staff control-plane access limited & monitored

Bastion hosts, Least privileged model, Zoned data center access ‣  Business needs ‣  Separate PAMS

LEAST PRIVILEGE PRINCIPLE CONFINE ROLES ONLY TO THE MATERIAL

REQUIRED TO DO SPECIFIC WORK

MORE CONTROL ON IDENTITY & ACCESS

USE AWS IAM IDENTITY & ACCESS MANAGEMENT

CONTROL WHO CAN DO WHAT WITH YOUR AWS ACCOUNT

AWS IAM: Recent Innovations Securely control access to AWS services and resources

•  Delegation –  Roles for Amazon EC2

–  Cross-account access

•  Powerful integrated permissions –  Resource level permissions: Amazon

EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation

–  Access control policy variables

–  Policy Simulator

–  Enhanced IAM support: Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk

•  Federation –  Web Identity Federation

–  AD and Shibboleth examples

–  Partner integrations

–  Case study: Expedia

•  Strong authentication –  MFA-protected API access

–  Password policies

•  Enhanced documentation and videos

ACCESS TO SERVICE APIs

Amazon DynamoDB Fine Grained Access Control

Directly and securely access application data in Amazon DynamoDB Specify access permissions at table, item and attribute levels With Web Identity Federation, completely remove the need for proxy servers to perform authorization

MORE CONTROL OF YOUR DATA

MFA DELETE PROTECTION

YOUR DATA STAYS WHERE YOU PUT IT

USE MULTIPLE AZs AMAZON S3

AMAZON DYNAMODB AMAZON RDS MULTI-AZ

AMAZON EBS SNAPSHOTS

DATA ENCRYPTION

CHOOSE WHAT’S RIGHT FOR YOU: Automated – AWS manages encryption

Enabled – user manages encryption using AWS Client-side – user manages encryption using their own mean

AWS CloudHSM

Managed and monitored by AWS, but you control the keys

Increase performance for applications that use HSMs for key storage or encryption

Comply with stringent regulatory and contractual requirements for key protection

EC2 Instance

AWS CloudHSM

ENCRYPT YOUR DATA AWS CLOUDHSM AMAZON S3 SSE

AMAZON GLACIER AMAZON REDSHIFT

AMAZON RDS …

Axway, Cloud and Security David FIGINI, VP Cloud Managed Services EMEA

•  11,000 customers •  100 countries •  332,5M € revenue in 2013 •  1,700+ employees •  HQ in Phoenix, AZ USA •  Offices in 19 countries

Governing the flow of data

DATA FLOW GOVERNANCE

Axway Cloud and AWS •  Start Quickly •  Everywhere •  No initial cost •  Pay per use •  Scale up and down •  No commitment •  Repeatable •  Reliable •  Secure

VPC (Virtual Private Cloud) – Privatization for Cloud components.

Data centers (zones) - Tier IV and compliant with all major third-party certifications.

Storage – 99.999999999 durability

Database – Multizone configuration

Elastic Load Balancers – Zone independence

VPN – AWS Direct Connect provides dedicated private networking for increased bandwidth and reliability.

EC2 Instances – Elastic computing

Cloud Formation – Reliable delivery from Web Services

Applications – Designed for no single points of failure and non-repudiation.

All services are monitored through a centralized location utilizing, SES, SNS, Cloud Watch, Nagios, etc.

Axway Cloud threat mitigation

Architecture and Datacenter Vulnerabilities

Service Platform Availability

Information Confidentiality and Integrity Loss Decrease in Functional Performance

Human Activities

• Multi AZ Auto-Scaling groups Very High Availability

• Solution deployed by Axway OS Patch management

• Data encryption at rest and for communications

• Backup policy based on snapshots

Data loss and confidentiality

• Access to environments is centralized and all activity is tracked Human activity

• Security and monitoring tools (Ossec, syslog, Nagios, CloudWatch, …)

• Splunk to receive, process and present security events

Real time monitoring

Axway Cloud security architecture

•  SOC1 Type 2 certification achieved in March •  ISO27001 Beginning of 2015

Management

Solution

Access Control

Axway data center Amazon Route 53

Axway workforce VPN

Elastic Load Balancing

Supervision

Monitoring & Security

VPC peering

Solution

Elastic Load Balancing

VPC peering

Monitoring & Security

Access

CloudWatch Amazon SES

Auto Scaling group

AZ #2 CloudTrail

•  Axway governs the flow of data in the Cloud

•  Axway Cloud is based on a strong AWS partnership

•  Security = AWS + Axway + Processes+ People

Takeaways from Axway

Axway, Cloud and Security David FIGINI, VP Cloud Managed Services EMEA

Merci !

MORE AUDITABILITY MORE VISIBILITY MORE CONTROL

IDC Survey Attitudes and Perceptions Around Security and Cloud Services Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization

Source: IDC 2013 U.S. Cloud Security Survey Doc #242836, September 2013

AWS.AMAZON.COM / SECURITY

AWS SECURITY WHITEPAPERS

RISK & COMPLIANCE

AUDITING SECURITY CHECKLIST

SECURITY PROCESSES

SECURITY BEST PRACTICES

AWS MARKETPLACE SECURITY SOLUTIONS

AWS Security Stephen E. Schmidt, Directeur de la Sécurité

Merci !

AWS Paris Summit 2014 - Keynote Stephen Schmidt - AWS Security

Technology