An Evolving Security Landscape – Security Patterns in the Cloud

Date post: 15-Apr-2017
Upload: amazon-web-services
Transcript
Page 1: An Evolving Security Landscape – Security Patterns in the Cloud

An Evolving Security Landscape

Security Patterns in the Cloud

Bill Shinn – AWS Principal Security Solutions Architect

Page 2

Cloud focuses on differentiation

Page 3

Global Industry Observations

Regulatory compliance continues to drive expense

A desire for increased wallet share is driving a focus on innovation

Increasing amounts of data, finite resources for analytics

Digitization and disruptive technology are accelerating transformation

Page 4

Reasons Cloud Computing is Gaining Traction in FinServ

Move from risk-laden up-front expense to flexible variable expense

Stop guessing at capacity planning

Go global in minutes

Remove complicated infrastructure management that adds little business value

Page 5

Reasons Cloud Computing is Gaining Traction in FinServ

Lower the time spent on infrastructure

Dedicate more resources to innovation

Concentrate on new business initiatives

Page 6

What is Amazon Web Services?

Page 7

What is Amazon Web Services?

Administration & Security: Access Control, Identity Management, Key Management & Storage, Monitoring & Logs, Resource & Usage Auditing

Platform Services

• Analytics: Data Pipelines, Data Warehouse, Hadoop, Real-time Streaming Data, Machine Learning

• App Services: App Streaming, Email, Queuing & Notifications, Search, Transcoding, Workflow

• Developer Tools & Operations: Application Lifecycle Management, Containers, Deployment, DevOps, Event-driven Computing, Resource Templates

• Mobile Services: Identity, Mobile Analytics, Push Notifications, Sync

Core Services: CDN, Compute (VMs, Auto-scaling, and Load Balancing), Databases (Relational, NoSQL, and Caching), Networking (VPC, DX, and DNS), Storage (Object, Block, EFS, and Archival)

Infrastructure: Availability Zones, Points of Presence, Regions

Enterprise Applications: Business Email, Sharing & Collaboration, Virtual Desktop

Technical & Business Support: Account Management, Partner Ecosystem, Professional Services, Security & Pricing Reports, Solutions Architects, Support, Training & Certification

Page 8

Global Footprint

12 Regions (10 Public, China Region and GovCloud Region)

2016 – Canada, Ohio, India, UK and another China Region

32 Availability zones (adding 11 more in 2016 across new Regions)

55+ Edge locations

Over 1 million active customers across 190 countries

900+ Government Agencies & 3,400+ Educational Institutions

1,000+ Financial Services Organizations

Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.

Map legend: Region, Edge location

Page 9

Leveraged by Financial Services Institutions & Enterprises Worldwide

Page 10

Cloud Security – What’s different & what’s the same?

Page 11

Security is a shared responsibility

AWS is responsible for the security OF the Cloud:

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security IN the Cloud:

Customer content

Platform, Applications, Identity & Access Management

Operating System, Network & Firewall Configuration

Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection

Page 12

Accreditation & Compliance, Old and New

Old world

• Functionally optional (you can build a secure system without it)

• Audits done by an in-house team

• Accountable to yourself

• Must maintain talent and keep pace

• Check typically once a year

• Workload-specific compliance checks

New world

• Functionally necessary – high watermark of requirements

• Audits done by third party experts

• Accountable to everyone

• Superior security drives broad compliance

• Continuous monitoring

• Compliance approach based on all workload scenarios

Page 13

Move Fast OR Stay Secure

Page 14

Move Fast AND Stay Secure

Page 15

Making life easier

Choosing security does not mean giving up on convenience or introducing complexity

Page 16

Strengthen your security posture

Get native functionality and tools at no additional charge

Over 30 global compliance certifications and accreditations

Leverage security enhancements gleaned from 1M+ customer experiences

Benefit from AWS industry leading security teams 24/7, 365 days a year

Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations

Page 17

Access a deep set of cloud security tools

Encryption: Key Management Service, CloudHSM, Server-side Encryption

Networking: Virtual Private Cloud, Web Application Firewall

Compliance: Config, CloudTrail, Service Catalog

Identity: IAM, Active Directory Integration, SAML Federation

Page 18

AWS Accreditations and Security Assurance Programs

ISO 9001, SOC 3, SOC 2, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, SOC 1 / ISAE 3402, GxP, HIPAA, ITAR, FERPA, FISMA, RMF, and DIACAP, FedRAMP, Section 508 / VPAT, DoD SRG Levels 2 & 4, FIPS 140-2, CJIS, Cloud Security Alliance, MPAA, NIST, MLPS Level 3, G-Cloud, IT-Grundschutz, MTCS Tier 3, IRAP, Cyber Essentials Plus

Page 19

Evolving the Practice of Security Architecture

Security architecture as a separate function can no longer exist

Current Security Architecture Practice:

• Static position papers, architecture diagrams & documents

• UI-dependent consoles and “pane of glass” technologies

• Auditing, assurance, and compliance are decoupled, separate processes

Page 20

Evolving the Practice of Security Architecture

Security architecture can now be part of the ‘maker’ team

Evolved Security Architecture Practice:

• Architecture artifacts (design choices, narrative, etc.) committed to common repositories

• Complete solutions account for automation

• Solution architectures are living audit/compliance artifacts and evidence in a closed loop

Page 21

Cloud Security – Design Patterns

Page 22

Non-Persistent Platforms

Auto-scaling groups will ensure that capacity is predictable while you rotate out portions of the environment. You can also swap out the base AMI in an auto-scaling launch configuration with a freshly patched one, then progressively kill off stale instances.

Changing the paradigm of what a target or attack surface looks like. Automation around Amazon Machine Image creation and bootstrapping with tools like AWS OpsWorks, Amazon Elastic Beanstalk, Chef or Puppet means you can constantly lay down a moving target.

Amazon Auto-scaling Groups + AWS Elastic Compute Cloud
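The rotation the slide describes (point the launch configuration at a patched AMI, then kill off stale instances while the group keeps capacity) is a small planning problem. The following is an added example, not code from the deck or from AWS: it decides which instances are stale and splits them into termination batches that never take the group below a minimum healthy count. The instance records are constructed to resemble EC2 DescribeInstances fields; the IDs and AMI names are placeholders and no AWS API is called.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Sequence


@dataclass(frozen=True)
class Instance:
    instance_id: str
    image_id: str          # AMI the instance was launched from
    launch_time: datetime
    healthy: bool = True   # InService and passing health checks


def stale_instances(instances: Sequence[Instance], current_ami: str,
                    max_age: timedelta, now: datetime) -> List[Instance]:
    """Instances launched from an AMI other than the one the launch
    configuration now points at, or older than max_age, oldest first."""
    stale = [i for i in instances
             if i.image_id != current_ami or now - i.launch_time > max_age]
    return sorted(stale, key=lambda i: i.launch_time)


def plan_batches(instances: Sequence[Instance], stale: Sequence[Instance],
                 min_healthy: int) -> List[List[str]]:
    """Split stale instances into termination batches.

    Desired capacity is left unchanged, so after each batch the group
    launches replacements from the new AMI and the healthy count recovers
    before the next batch is taken. Each batch is sized so the group never
    has fewer than min_healthy in-service instances while it waits."""
    healthy = sum(1 for i in instances if i.healthy)
    batch_size = healthy - min_healthy
    if batch_size < 1:
        raise ValueError(
            f"cannot rotate: {healthy} healthy instances, min_healthy={min_healthy}")
    ids = [i.instance_id for i in stale]
    return [ids[k:k + batch_size] for k in range(0, len(ids), batch_size)]


# Constructed sample group. Instance and AMI IDs are placeholders, not real resources.
NOW = datetime(2017, 4, 15, tzinfo=timezone.utc)
CURRENT_AMI = "ami-patched0001"
SAMPLE_GROUP = [
    Instance("i-0aaa", "ami-stale00001", NOW - timedelta(days=30)),
    Instance("i-0bbb", "ami-stale00001", NOW - timedelta(days=20)),
    Instance("i-0ccc", "ami-patched0001", NOW - timedelta(days=40)),  # right AMI, but too old
    Instance("i-0ddd", "ami-patched0001", NOW - timedelta(days=1)),
    Instance("i-0eee", "ami-patched0001", NOW - timedelta(days=2)),
]


def rotation_plan(group: Sequence[Instance] = SAMPLE_GROUP,
                  current_ami: str = CURRENT_AMI,
                  max_age: timedelta = timedelta(days=14),
                  min_healthy: int = 3, now: datetime = NOW) -> List[List[str]]:
    """Full plan: find what is stale, then batch it."""
    return plan_batches(group, stale_instances(group, current_ami, max_age, now), min_healthy)


if __name__ == "__main__":
    for n, batch in enumerate(rotation_plan(), 1):
        print(f"batch {n}: terminate {batch}, then wait for replacements to pass health checks")
```

The max_age check matters as much as the AMI check: an instance launched from the right image but left running for weeks has drifted from the image just as surely, which is the "non-persistent" point of the slide.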

Page 23

Agile Network Architecture

Update and change private network addressing, subnets, route tables and administrative control of network functions to move systems and applications in response to vulnerabilities, regulatory changes, project partnerships, etc.

Use named security groups to logically control access between systems of like trust or based on data classification. Security attributes of a system move with the system independent of network location. Relocate systems via API call to address a changing threat environment.

Security Groups + Amazon VPC

Page 24

Standardized Environments & Change Detection

Interrogate and describe entire environment with Java, Python, .NET, Ruby, PHP or nodeJS SDKs. Detect change in standardized environment programmatically and integrate with existing asset and SIEM workflows.

AWS SDKs

Use CloudFormation to create an environment that mirrors your security standards. One API call results in hardened AMIs with base security controls installed, predictable firewall and network configuration, and appropriately defined access and roles.

AWS CloudFormation

Page 25

Managing Change at Scale

Use built-in or custom rules to respond to changes in configuration.

Config tracks all changes to core infrastructure in a time-series view and reflects the relationships impacted by each change.

AWS Config Rules + AWS Config
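Pages 23 to 25 describe three pieces of one loop: security groups as the unit of trust, an SDK-driven description of the environment compared against a standard, and rules that fire on configuration change. The following added example (not code from the deck or from AWS) does both halves offline in Python: it evaluates each security group against a standard the way a custom Config rule would, returning COMPLIANT or NON_COMPLIANT with an annotation, and it diffs two snapshots to report which groups were created, deleted or had rules changed. The snapshots are constructed to follow the shape of the SecurityGroups list that boto3's ec2.describe_security_groups() returns; the group IDs are placeholders and the "443 only" standard is an assumption.

```python
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, int, int, str]   # (protocol, from_port, to_port, source)
WORLD = {"0.0.0.0/0", "::/0"}


def canonical_rules(group: dict) -> Set[Rule]:
    """Flatten a DescribeSecurityGroups-style IpPermissions list into a set of
    (protocol, from, to, source) tuples so snapshots can be compared."""
    rules: Set[Rule] = set()
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        frm, to = perm.get("FromPort", 0), perm.get("ToPort", 65535)   # -1 means all ports
        sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                   + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                   + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])
        rules.update((proto, frm, to, src) for src in sources)
    return rules


def evaluate_group(group: dict, allowed_world_ports=(443,)) -> Tuple[str, List[str]]:
    """Config-rule-style check: NON_COMPLIANT if any ingress rule admits the
    whole Internet on a port outside allowed_world_ports."""
    annotations = []
    for proto, frm, to, src in sorted(canonical_rules(group)):
        if src not in WORLD:
            continue
        if proto == "-1" or set(range(frm, to + 1)) - set(allowed_world_ports):
            annotations.append(f"{proto} {frm}-{to} from {src}")
    return ("NON_COMPLIANT" if annotations else "COMPLIANT", annotations)


def evaluate_snapshot(groups: List[dict]) -> Dict[str, Tuple[str, List[str]]]:
    return {g["GroupId"]: evaluate_group(g) for g in groups}


def diff_snapshots(before: List[dict], after: List[dict]) -> Dict[str, dict]:
    """Change detection: which groups appeared, disappeared or changed rules."""
    b = {g["GroupId"]: canonical_rules(g) for g in before}
    a = {g["GroupId"]: canonical_rules(g) for g in after}
    changes = {}
    for gid in sorted(set(b) | set(a)):
        added = a.get(gid, set()) - b.get(gid, set())
        removed = b.get(gid, set()) - a.get(gid, set())
        if gid not in b:
            changes[gid] = {"event": "created", "rules": sorted(added)}
        elif gid not in a:
            changes[gid] = {"event": "deleted", "rules": sorted(removed)}
        elif added or removed:
            changes[gid] = {"event": "modified", "added": sorted(added), "removed": sorted(removed)}
    return changes


# Constructed snapshots; group IDs are placeholders, not real resources.
WEB_443 = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
BASELINE = [
    {"GroupId": "sg-web0000001", "GroupName": "web-tier", "IpPermissions": [WEB_443]},
    {"GroupId": "sg-app0000001", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-web0000001"}]}]},
]
CURRENT = [
    {"GroupId": "sg-web0000001", "GroupName": "web-tier", "IpPermissions": [
        WEB_443,
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    BASELINE[1],
    {"GroupId": "sg-adhoc00001", "GroupName": "adhoc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for gid, (status, notes) in evaluate_snapshot(CURRENT).items():
        print(gid, status, "; ".join(notes))
    for gid, change in diff_snapshots(BASELINE, CURRENT).items():
        print("drift:", gid, change)
```

The app-tier group references the web-tier group by ID rather than by address, which is the "security attributes move with the system" property from page 23: the rule stays correct when the instances change subnet. The diff output is what you would hand to the asset or SIEM workflow, and the evaluation output is what a custom Config rule would report back.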

Page 26

Consolidated API Logging

Log archival solution for life-cycle management.

CloudTrail provides increased visibility into your user activity by recording AWS API calls. Integration with Amazon SNS and ecosystem partners facilitates analytics.

Provides logging up and down the stack in one place (storage, networking, instances, identity).

Amazon S3 + Glacier + AWS CloudTrail & CloudWatch Events
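CloudTrail is only useful for detection if something reads the records. The following added example (not code from the deck or from AWS) shows the analytics side the slide alludes to: it parses a trail file of the form {"Records": [...]} and runs a small set of detections over it, producing flat findings that are easy to forward to a SIEM. The records are constructed with real CloudTrail field names (eventName, eventSource, userIdentity, additionalEventData.MFAUsed) but placeholder account ID, ARNs and addresses; the four detections are my choice of what a first triage pass commonly looks for.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed CloudTrail-style records. Account 111122223333, the ARNs and the
# IPs are placeholders. A real trail file is a gzip'd {"Records": [...]} in S3.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-04-15T09:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2017-04-15T09:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-04-15T09:07:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"groupId": "sg-web0000001"}},
    {"eventTime": "2017-04-15T09:30:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]})

# Each detection is (label, predicate over one record). A record can hit several.
DETECTIONS = [
    ("root account activity",
     lambda r: r["userIdentity"].get("type") == "Root"),
    ("console login without MFA",
     lambda r: r["eventName"] == "ConsoleLogin"
               and r.get("additionalEventData", {}).get("MFAUsed") == "No"),
    ("security group ingress changed",
     lambda r: r["eventName"] in {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"}),
    ("trail logging stopped or altered",
     lambda r: r["eventSource"] == "cloudtrail.amazonaws.com"
               and r["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail"}),
]


def load_records(trail_json: str) -> List[dict]:
    return json.loads(trail_json)["Records"]


def triage(records: List[dict]) -> List[Dict[str, str]]:
    """Run every detection over every record; one finding per (record, rule) hit."""
    findings = []
    for r in records:
        for label, matches in DETECTIONS:
            if matches(r):
                findings.append({
                    "time": r["eventTime"], "rule": label, "event": r["eventName"],
                    "actor": r["userIdentity"].get("arn", r["userIdentity"].get("type", "unknown")),
                    "source_ip": r.get("sourceIPAddress", ""),
                })
    return findings


def findings_by_actor(findings: List[Dict[str, str]]) -> Counter:
    """Roll findings up per identity, the usual first pivot in an investigation."""
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    hits = triage(load_records(SAMPLE_TRAIL))
    for f in hits:
        print(f"{f['time']} {f['rule']:34} {f['event']:30} {f['actor']} from {f['source_ip']}")
    print(findings_by_actor(hits))
```

The last detection is the one to keep even if you drop the others: a StopLogging call is the event that would hide everything after it, so it should page someone rather than wait for the next batch query. In a deployment the same predicates can run on CloudWatch Events deliveries instead of on archived files, which is the real-time path the slide pairs with S3 and Glacier archival.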

Page 27

Instance Identity

Security token service generates unique credentials and constantly rotates an additional token.

Identity and Access Management roles for EC2 instances provide entitlements to the instance itself. Credentials are presented through a RESTful meta-data service accessible only on the local host. Credentials can be leveraged by apps that need to call AWS APIs, retrieve data from S3, etc. Native integration with SDKs and CLI tools.

Security Token Service + Identity Management
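The credential lifecycle on the slide (the metadata service hands out STS credentials for the instance role, and they are rotated) is what an SDK's instance-profile credential provider implements. The following added example, not code from the deck or from any AWS SDK, shows the mechanics: fetch the role's credential document from the link-local metadata endpoint, parse its Expiration, and refresh shortly before expiry rather than on failure. It performs the IMDSv2 handshake (a PUT to /latest/api/token, then reads carrying X-aws-ec2-metadata-token), which is a later hardening of the service than the 2016 deck describes. The transport is injectable, and a constructed FakeMetadataService stands in for the real endpoint so the example runs off an instance; the role name, key values and the five-minute margin are assumptions.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

IMDS = "http://169.254.169.254"                      # link-local metadata endpoint
TOKEN_PATH = "/latest/api/token"                      # IMDSv2 session token (PUT)
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def http_transport(method: str, path: str, headers: Dict[str, str]) -> str:
    """Real transport; only works on an EC2 instance. Short timeout because the
    endpoint is either local and fast or not there at all."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


class InstanceCredentials:
    """Fetches the instance role's temporary credentials through the metadata
    service and refreshes them shortly before they expire."""

    def __init__(self, transport: Callable = http_transport,
                 refresh_margin: timedelta = timedelta(minutes=5),
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.transport, self.refresh_margin, self.clock = transport, refresh_margin, clock
        self._creds: Optional[dict] = None
        self.fetches = 0

    def _fetch(self) -> dict:
        # IMDSv2 handshake: PUT for a session token, then GET with that token.
        token = self.transport("PUT", TOKEN_PATH, {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
        headers = {TOKEN_HEADER: token}
        role = self.transport("GET", CREDS_PATH, headers).strip().splitlines()[0]
        doc = json.loads(self.transport("GET", CREDS_PATH + role, headers))
        if doc.get("Code") != "Success":
            raise RuntimeError(f"metadata service returned {doc.get('Code')!r} for role {role}")
        expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        self.fetches += 1
        return {"role": role, "access_key": doc["AccessKeyId"], "secret_key": doc["SecretAccessKey"],
                "session_token": doc["Token"], "expires": expires}

    def needs_refresh(self) -> bool:
        return self._creds is None or self.clock() >= self._creds["expires"] - self.refresh_margin

    def get(self) -> dict:
        if self.needs_refresh():
            self._creds = self._fetch()
        return self._creds


class FakeMetadataService:
    """Constructed stand-in for the metadata service so the example runs off-instance.
    It enforces the IMDSv2 rule that reads need a session token."""

    def __init__(self, clock: Callable[[], datetime]):
        self.clock, self.calls = clock, []

    def __call__(self, method: str, path: str, headers: Dict[str, str]) -> str:
        self.calls.append((method, path))
        if method == "PUT" and path == TOKEN_PATH:
            return "constructed-imds-token"
        if headers.get(TOKEN_HEADER) != "constructed-imds-token":
            raise PermissionError("401: metadata read without a valid session token")
        if path == CREDS_PATH:
            return "web-role\n"                        # assumed role name
        if path == CREDS_PATH + "web-role":
            exp = self.clock() + timedelta(hours=1)    # STS hands out a fresh, rotated set
            return json.dumps({"Code": "Success", "Type": "AWS-HMAC",
                               "AccessKeyId": "ASIA-CONSTRUCTED-" + exp.strftime("%H%M"),
                               "SecretAccessKey": "constructed-secret",
                               "Token": "constructed-session-token",
                               "Expiration": exp.strftime("%Y-%m-%dT%H:%M:%SZ")})
        raise FileNotFoundError(path)


def demo() -> int:
    """Walk the lifecycle against the fake: first use fetches, a second use inside the
    validity window reuses, and a use within the refresh margin fetches again."""
    state = {"now": datetime(2017, 4, 15, 12, 0, tzinfo=timezone.utc)}
    clock = lambda: state["now"]
    provider = InstanceCredentials(transport=FakeMetadataService(clock), clock=clock)
    first = provider.get()
    assert provider.get() is first            # still valid: no metadata round-trip
    state["now"] += timedelta(minutes=56)     # inside the 5-minute margin before the 13:00 expiry
    second = provider.get()
    assert second["expires"] > first["expires"]
    return provider.fetches


if __name__ == "__main__":
    print("metadata fetches during demo:", demo())
```

Two points the slide's "accessible only on the local host" glosses over: the endpoint is reachable by every process on the instance, so the role's entitlements should be scoped to what that instance actually needs, and the credentials are short-lived by design, so anything that copies them off the box (logs, crash dumps) holds them only until the next rotation. In production use the SDK's own provider rather than this class; the value here is seeing what it does.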

