Post on 25-May-2015
Monday, April 29, 13
Stephen Schmidt
Chief Information Security Officer, AWS
Cloud Security is:
• Universal
• Visible
• Auditable
• Transparent
• Shared
• Familiar
Universal Cloud Security
Every customer has access to the same security capabilities, and gets to choose what's right for their business
- Start-Ups
- Social Media
- Home Users
- Retail
- Governments
- Financial Sector
- Pharmaceuticals
- Entertainment
Visible Cloud Security
AWS allows you to see your entire infrastructure at the click of a mouse. Can you map your current network?
This? Or this?
Auditable Cloud Security
How do you know AWS is right for your business?
- 3rd Party Audits
  • Independent auditors
- Artifacts
  • Plans, Policies and Procedures
- Logs
  • Obtained
  • Retained
  • Analyzed
SOC 1/2 – Control Objectives
• Control Objective 1: Security Organization
• Control Objective 2: Amazon User Access
• Control Objective 3: Logical Security
• Control Objective 4: Secure Data Handling
• Control Objective 5: Physical Security and Environmental Safeguards
• Control Objective 6: Change Management
• Control Objective 7: Data Integrity, Availability and Redundancy
• Control Objective 8: Incident Handling
Steve Howes
Chief Executive Officer
An Integrated Network
• 21 franchised rail companies
• 2,500 stations
• 10,000 miles
System Schematic (figure): National Reservations Service, Data Distribution Service, Product Management Service, Ticket on Departure Service, Points of Sale (x10,000), Apportionment Engine and Settlement Service, grouped into Pre-sales and Post-sales.
System Schematic (figure, repeated with the AWS Hosted components highlighted): National Reservations Service, Data Distribution Service, Product Management Service, Ticket on Departure Service, Points of Sale (x10,000), Apportionment Engine and Settlement Service, grouped into Pre-sales and Post-sales.
Annual rail industry revenue: £7.5 billion
RSP and Security
• Our systems handle £7.5B of transactions annually
• Revenue collected by the retailer must be correctly settled to the operators to the penny, auditable to the highest standards
• We handle £5B of payment card transactions annually
• Our passengers depend absolutely on our services
Why AWS?
• We need a 'trusted' environment, more than the narrow meaning of security:
  – Compliance
  – Governance
  – Risk management
  – Availability
  – Integrity
  – Privacy
• Simply, through AWS and our SI Partner Smart421 we are able to meet all of these requirements
Shared Responsibility
• Let AWS do the heavy lifting
• This is what we do – and we do it all the time
• As the AWS customer you can focus on your business and not be distracted by the muck

AWS:
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure

Customer:
• Choice of Guest OS
• Application Configuration Options
• Account Management flexibility
• Security Groups
• Network ACLs
Amazon VPC Architecture (figure, built up over several slides): the Customer's Network connects through its Router to the Amazon Web Services Cloud either over a Secure VPN Connection over the Internet, terminating on a VPN Gateway, or over AWS Direct Connect (Dedicated Path/Bandwidth). Inside the VPC, Subnets hold the Customer's isolated AWS resources. Later builds of the diagram add an Internet gateway and then NAT for the subnets.
Customer Challenge: Encryption (part 1)
• Customers have requirements that oblige them to use specific encryption key management procedures not previously possible on AWS
– Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls
– Good key management is critical
Customer Challenge: Encryption (part 2)
• Customers want to run applications and store data in AWS but previously had to retain keys in HSMs in on-premises data centers
– Applications may slow down due to network latency
– Requires several DCs to provide high availability, disaster recovery and durability of keys
AWS Data Protection Solutions
• AWS offers several data protection mechanisms including access control, encryption, etc.
• AWS data encryption solutions allow customers to:
  – Encrypt and decrypt sensitive data inside or outside AWS
  – Decide which data to encrypt
• AWS CloudHSM complements existing AWS data protection and encryption solutions
• With AWS CloudHSM customers can:
  – Encrypt data inside AWS
  – Store keys in AWS within a Hardware Security Module
  – Decide how to encrypt data – the AWS CloudHSM implements cryptographic functions and key storage for customer applications
  – Use third party validated hardware for key storage
HSM – Hardware Security Module
• A hardware device that performs cryptographic operations and key storage
• Used for strong protection of private keys
• Tamper resistant – keys are protected physically and logically
  – If a tampering attempt is detected, the appliance destroys the keys
• Device administration and security administration are logically separate
  – Physical control of the appliance does not grant access to the keys
• Certified by 3rd parties to comply with government standards for physical and logical security:
  – FIPS 140-2
  – Common Criteria EAL4+
• Example vendors include: SafeNet, Thales
• Historically located in on-premises datacenters
What is AWS CloudHSM?
• Customers receive dedicated access to HSM appliances
• HSMs are physically located in AWS datacenters – in close network proximity to Amazon EC2 instances
• Physically managed and monitored by AWS, but customers control their own keys
• HSMs are inside the customer's VPC – dedicated to the customer and isolated from the rest of the network
AWS CloudHSM Service Highlights
• Secure Key Storage – customers retain control of their own keys and cryptographic operations on the HSM
• Contractual and Regulatory Compliance – helps customers comply with the most stringent regulatory and contractual requirements for key protection
• Reliable and Durable Key Storage – AWS CloudHSMs are located in multiple Availability Zones and Regions to help customers build highly available applications that require secure key storage
• Simple and Secure Connectivity – AWS CloudHSMs are in the customer's VPC
• Better Application Performance – reduce network latency and increase the performance of AWS applications that use HSMs
How Customers Use AWS CloudHSM
• Customers use AWS CloudHSM as an architectural building block in securing applications
  – Object encryption
  – Digital Rights Management (DRM)
  – Document signing
  – Secure document repository
  – Database encryption
  – Transaction processing
Customer use cases
• Large Silicon Valley company: video DRM
• Start-up document rights management service: enterprise document protection
• Very large tech company: Root of trust for Public Key Infrastructure (PKI) authentication system
• Very large financial services organization: Root of trust for key management system for virtual machine authentication & encryption
On-Premises Integration with AWS CloudHSM
(figure: an Application and HSM Client on an Amazon VPC Instance inside the Amazon Virtual Private Cloud, alongside AWS CloudHSM; the Corporate Datacenter, with its own HSM, is reached over SSL across a VPN over the Internet or AWS Direct Connect)
• Customers' applications continue to use standard crypto APIs (PKCS#11, MS CAPI, JCA/JCE, etc.).
• SafeNet HSM client replaces existing crypto service provider libraries and connects to the HSM to implement API calls in hardware
• SafeNet HSM Client can share load and store keys redundantly across multiple HSMs
• Key material is securely replicated to HSM(s) in the customer's datacenter
Key Storage & Secure Operations for AWS Workloads
(figure: an Application and HSM Client on an Amazon VPC Instance inside the Amazon Virtual Private Cloud, connected over SSL to AWS CloudHSM)
A. AWS manages the HSM appliance but does not have access to customers' keys
B. Customers control and manage their own keys
C. Application performance improves (due to close network proximity with AWS workloads)
D. Secure key storage in tamper-resistant/tamper-evident hardware available in multiple regions and AZs
E. CloudHSMs are in the customer's VPC and isolated from other AWS networks
AWS Deployment Models
Isolation features: (1) Logical Server and Application Isolation, (2) Granular Information Access Policy, (3) Logical Network Isolation, (4) Physical Server Isolation, (5) Government Only Physical Network and Facility Isolation, (6) ITAR Compliant (US Persons Only)

• Commercial Cloud: features 1–2. Sample workloads: Public facing apps, Web sites, Dev test etc.
• Virtual Private Cloud (VPC): features 1–4. Sample workloads: Data Center extension, TIC environment, email, FISMA Low and Moderate
• AWS GovCloud (US): features 1–6. Sample workloads: US Persons Compliant and Government Specific Apps.
AWS Security Resources
• http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
• Regularly Updated
• Feedback is welcome
Thank you.