AWS Enterprise Summit London 2015 | Security in the Cloud

Date posted: 11-Jan-2017

Transcript

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Dob Todorov

Regional Technology Officer, Public Sector and Principal Architect Security & Compliance EMEA

Security in the Cloud

21st Century IT Security

Cloud Security

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”

Tom Soderstrom – CTO NASA JPL

Cost of Security on Premises / Hosted Facility

Technology (Physical Security, Infrastructure, Power, Networking): CapEx £££££ / OpEx £££
Processes (standards, procedures, guidelines, assurance, compliance): CapEx £££ / OpEx ££
People (hire, upskill, compensate, train, manage): CapEx ££ / OpEx ££££

Security and Business Value

Security as a “Feature”:
• Qualitative measure: either secure or insecure
• No added end user value

Objective Reality:
• Small or shrinking budgets
• Threat vectors and agents rising in number and sophistication

Challenge: How do we justify the cost of security?

Cost of Security in the Cloud

Technology (Physical Security, Infrastructure, Power, Networking): CapEx - / OpEx -
Processes (standards, procedures, guidelines, assurance, compliance): CapEx - / OpEx -
People (hire, upskill, compensate, train, manage): CapEx - / OpEx -

Infrastructure secure & compliant at no extra cost

Cloud Security Principles Compliance

o Issued 1 Apr 2014 by the CESG
o They replace the Business Impact Levels model (BIL: IL1-IL5+)
o Distributed certification model
o Risk-based approach: suitability for purpose
o New protective marking mechanisms
o AWS Whitepaper Available

Cyber Essentials Plus Compliance in Dublin

Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme that helps organisations demonstrate security against common cyber attacks.

The ‘Plus’ scheme benefits from independent testing and validation compared to the baseline ‘Cyber Essentials’ scheme that is self-attested.

ISO 27018

Certificate
Certificate number: 2015-016

Based on certification examination in conformity with defined requirements in ISO/IEC 17021:2011 and ISO/IEC 27006:2011, the Information Security Management System as defined and implemented by

Amazon Web Services, Inc.*

headquartered in Seattle, Washington, United States of America, certified under certification number [2013-009], is also compliant with the requirements as stated in the standard:

ISO/IEC 27018:2014

Issue date of certificate: October 1, 2015
Expiration date of certificate: November 12, 2016
Certified by EY CertifyPoint since: October 1, 2015

EY CertifyPoint will, according to the certification agreement dated October 23, 2014, perform surveillance audits and acknowledge the certificate until the expiration date of this certificate or the expiration of the related ISMS certificate with number [2013-009].

*This certificate is applicable for the assets, services and locations as described in the scoping section on the back of this certificate, with regard to the specific requirements for information security and protection of personally identifiable information (PII) as stated in Statement of Applicability version 2015,01, approved on September 15, 2015.

Drs. R. Toppen RA
Director EY CertifyPoint

© Copyrights with regard to this document reside with Ernst & Young CertifyPoint B.V. headquartered at Antonio Vivaldistraat 150, 1083 HP Amsterdam, The Netherlands. All rights reserved.

DIGITAL COPY 1/3

o Customers control their content.
o Customers' content will not be used for any unauthorized purposes.
o Physical media is destroyed prior to leaving AWS data centers.
o AWS provides customers the means to delete their content.
o AWS doesn’t disclose customers' content.

AWS Security Tools

AWS Trusted Advisor: Periodic evaluation of alignment with AWS Best Practices. Not just security-related.

AWS Config Rules: Create rules that govern configuration of your AWS resources. Continuous evaluation.

Amazon Inspector: Security insights into your applications. Runs on EC2 instances; on-demand scans.

AWS Compliance

AWS: Security of the cloud
Customer: Security in the cloud

Cloud Config Rules
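The slide describes Config Rules as rules that govern resource configuration and are evaluated continuously. The following is an added illustration of what the evaluation logic of a custom rule looks like; it is not code from the deck or from AWS. It assumes the custom-rule event shape (an `invokingEvent` JSON string carrying a `configurationItem`) and a hypothetical rule that flags security groups with inbound port 22 open to any address; the security group shown is constructed sample data, and the `put_evaluations` call a deployed rule would make is described in a comment rather than executed so the script runs offline.

```python
"""Custom AWS Config rule logic: flag security groups that expose SSH (22) to the world.

Added illustration, not the deck's or AWS's own code. Assumes the Config
custom-rule event shape (invokingEvent JSON string containing a
configurationItem) and a hypothetical rule; the security group below is
constructed sample data.
"""
import ipaddress
import json

SSH_PORT = 22
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def _covers_port(perm, port):
    """True if an ipPermissions entry includes the given TCP port (or all traffic)."""
    proto = perm.get("ipProtocol")
    if proto == "-1":          # "-1" means all protocols and ports
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi


def _world_open(perm):
    """True if any IPv4/IPv6 range in the permission is unrestricted (/0)."""
    ranges = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
    ranges += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    for cidr in ranges:
        if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return True
    return False


def evaluate_security_group(configuration):
    """Return (compliance_type, annotation) for one AWS::EC2::SecurityGroup configuration."""
    for perm in configuration.get("ipPermissions", []):
        if _covers_port(perm, SSH_PORT) and _world_open(perm):
            return NON_COMPLIANT, f"Inbound rule allows port {SSH_PORT} from an unrestricted range"
    return COMPLIANT, f"No inbound rule exposes port {SSH_PORT} to the world"


def lambda_handler(event, context=None):
    """Config custom-rule entry point. Builds the evaluation a deployed rule would
    pass to config.put_evaluations(Evaluations=[...], ResultToken=event['resultToken']);
    the API call itself is left out so this runs offline."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = NOT_APPLICABLE, "Rule only evaluates security groups"
    else:
        compliance, note = evaluate_security_group(item["configuration"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed sample event (placeholder token, made-up group id; not real account data).
SAMPLE_EVENT = {
    "resultToken": "placeholder-token",
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2015-11-10T12:00:00.000Z",
            "configuration": {
                "ipPermissions": [
                    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                ]
            },
        }
    }),
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The rule returns NOT_APPLICABLE for any other resource type rather than guessing, and treats protocol "-1" (all traffic) as covering every port, which is the case a naive port-range comparison misses.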

Security by Design - SbD

• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing
• Provides control insights throughout the IT management process

Services shown: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config

GoldBase - Scripting your governance policy

Set of CloudFormation Templates & Reference Architectures that accelerate compliance with PCI, EU Personal Data Protection, HIPAA, FFIEC, FISMA, CJIS.
Result: Reliable technical implementation of administrative controls.

What is Inspector?

• Application security assessment
• Selectable built-in rules
• Security findings
• Guidance and management
• Automatable via APIs

Rule packages

• CVE (common vulnerabilities and exposures)
• Network security best practices
• Authentication best practices
• Operating system security best practices
• Application security best practices
• PCI DSS 3.0 readiness

Why AWS WAF?

Application DDoS, Vulnerabilities, Abuse

(Diagram: Good users, Bad guys, Web server, Database)

What is AWS WAF?

Application DDoS

(Diagram: Good users, Bad guys, AWS WAF, Web server, Database)

AWS WAF rules:
1: BLOCK requests from bad guys.
2: ALLOW requests from good guys.

Types of conditions in rules:
1: Source IP/range
2: String Match
3: SQL Injection
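The slide lists the three condition types a WAF rule can combine and the two actions a rule can take. The following added example models that evaluation order in plain Python so the behaviour can be seen on constructed requests; it is not the AWS WAF engine and not code from the deck. The rule names, the IP ranges (documentation addresses) and the requests are constructed, and the SQL injection condition is a deliberately small heuristic standing in for the service's detector.

```python
"""Toy model of WAF rule evaluation: ordered rules made of conditions, each
with an ALLOW/BLOCK action, plus a default action for unmatched requests.

Added illustration, not AWS's WAF engine or code from the deck. Condition
types mirror the three on the slide (source IP/range, string match, SQL
injection); the SQLi check is a small heuristic, not the service's detector.
All rules and requests are constructed sample data.
"""
import ipaddress
import re
import urllib.parse

ALLOW, BLOCK = "ALLOW", "BLOCK"

# Small SQLi heuristic: quote + boolean test, UNION ... SELECT, or trailing comment.
_SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I),
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S),
    re.compile(r"(--|/\*|#)\s*$"),
]


def _field(request, name):
    """Pull the inspected part of the request: 'uri', 'query_string' or 'header:<name>'."""
    if name in ("uri", "query_string"):
        return request.get(name, "")
    if name.startswith("header:"):
        return request.get("headers", {}).get(name.split(":", 1)[1].lower(), "")
    raise ValueError(f"unknown field {name}")


def ip_match(cidrs):
    """Condition: source IP falls inside any of the given ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["source_ip"]) in n for n in nets)


def string_match(field, needle, contains=True):
    """Condition: field contains (or, with contains=False, starts with) the needle."""
    def cond(req):
        value = _field(req, field)
        return needle in value if contains else value.startswith(needle)
    return cond


def sqli_match(field):
    """Condition: field looks like SQL injection after URL decoding."""
    def cond(req):
        value = urllib.parse.unquote_plus(_field(req, field))   # inspect decoded form
        return any(p.search(value) for p in _SQLI_PATTERNS)
    return cond


def evaluate(rules, request, default_action=ALLOW):
    """rules: list of (name, action, [conditions]). The first rule whose conditions
    all hold decides; otherwise the default action applies. Returns (action, name)."""
    for name, action, conditions in rules:
        if all(cond(request) for cond in conditions):
            return action, name
    return default_action, "default"


# Constructed rule set in the spirit of the slide: block the bad, allow the good.
RULES = [
    ("block-known-bad-ranges", BLOCK, [ip_match(["198.51.100.0/24"])]),
    ("block-sqli-in-query", BLOCK, [sqli_match("query_string")]),
    ("allow-health-checker", ALLOW, [ip_match(["203.0.113.10/32"]),
                                     string_match("uri", "/health", contains=False)]),
    ("block-admin-from-internet", BLOCK, [string_match("uri", "/admin", contains=False)]),
]

# Constructed requests (documentation IP ranges, made-up paths).
SAMPLE_REQUESTS = {
    "good": {"source_ip": "192.0.2.7", "uri": "/products", "query_string": "id=42", "headers": {}},
    "bad_range": {"source_ip": "198.51.100.9", "uri": "/products", "query_string": "", "headers": {}},
    "sqli": {"source_ip": "192.0.2.8", "uri": "/products",
             "query_string": "id=1%27+or+%271%27%3D%271", "headers": {}},
    "health": {"source_ip": "203.0.113.10", "uri": "/health", "query_string": "", "headers": {}},
    "admin": {"source_ip": "192.0.2.9", "uri": "/admin/login", "query_string": "", "headers": {}},
}


def decisions():
    """Evaluate every sample request; returns {name: (action, rule_name)}."""
    return {k: evaluate(RULES, r) for k, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for k, (action, rule) in decisions().items():
        print(f"{k:10s} -> {action:5s} ({rule})")
```

Rule order is the point to notice: the health checker is allowed only because its rule sits before the generic /admin block, and a request that trips no rule falls through to the default action, which is why that default deserves as much thought as the rules themselves.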

S2N – AWS Implementation of TLS

• Small:
  • ~6,000 lines of code, all audited
  • ~80% less memory consumed
• Fast:
  • 12% faster
• Simple:
  • Avoid rarely used options/extensions

VPC Flow Logs

Certification & Education

• Security Fundamentals on AWS
  • Free, online course for security auditors and analysts
• Security Operations on AWS
  • 3-day class for security engineers, architects, analysts, and auditors
• AWS Certification
  • Security is part of all AWS exams

Rich Security Capabilities in the Cloud

Prepare

Prevent

Detect

Respond

Prepare

o AWS Security Solutions Architects
o AWS Professional Services
o AWS Secure by Design & Gold Base
o AWS Security Best Practices
o Partner Professional Services
o AWS Training and Certification
o Understand Compliance Requirements

Prevent

o Use IAM – consider MFA, roles, federation, SSO
o Implement Amazon WAF
o Leverage S2N for secure TLS connections
o Implement Config Rules to enforce compliance
o Implement Amazon Inspector to identify vulnerabilities early on

Detect

o CloudTrail enabled across all accounts and services
o Consider Config & Config Rules logs
o Inspector can be used as a detective tool
o Trusted Advisor goes beyond just security
o Use CloudWatch logs
o VPC Flow Logs give insight into intended and unintended communication taking place in your VPC
o Do look at partner log management and security monitoring solutions
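The Detect list says VPC Flow Logs show both intended and unintended communication. As an added example of turning that into a check (not tooling from AWS or code from the deck), the script below parses records in the default flow log field order and reports inbound flows from outside the VPC that were rejected, plus accepted inbound flows on ports that are not on an allow-list. The VPC CIDR, the allowed ports and the log lines are all constructed sample data.

```python
"""Parse VPC Flow Log records (default 14-field format) and surface flows that
were not intended: rejected inbound attempts and accepted traffic on ports
outside an allow-list.

Added illustration, not AWS tooling or code from the deck. The allow-list,
the VPC CIDR and the log lines are constructed; field order follows the
default flow log record format.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass
class Flow:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    action: str
    log_status: str


def parse_line(line):
    """Return a Flow, or None for NODATA/SKIPDATA records (their fields are '-')."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return Flow(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
                int(rec["packets"]), int(rec["bytes"]), rec["action"], rec["log_status"])


def review(lines, vpc_cidr, allowed_inbound_ports):
    """Summarise inbound (outside -> VPC) flows. Returns a dict with
    'rejected': Counter of (srcaddr, dstport) for REJECTed flows, and
    'unexpected_accepts': Flows accepted on a port not in the allow-list."""
    vpc = ipaddress.ip_network(vpc_cidr)
    rejected = Counter()
    unexpected = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        src_in = ipaddress.ip_address(flow.srcaddr) in vpc
        dst_in = ipaddress.ip_address(flow.dstaddr) in vpc
        if src_in or not dst_in:
            continue      # only inbound from outside the VPC is of interest here
        if flow.action == "REJECT":
            rejected[(flow.srcaddr, flow.dstport)] += 1
        elif flow.dstport not in allowed_inbound_ports:
            unexpected.append(flow)
    return {"rejected": rejected, "unexpected_accepts": unexpected}


# Constructed sample records (version 2 default format); addresses are documentation ranges.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.5 10.0.1.20 54321 22 6 4 240 1446710400 1446710460 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.5 10.0.1.20 54322 3389 6 3 180 1446710400 1446710460 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.5 10.0.1.20 54323 22 6 2 120 1446710460 1446710520 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 44000 443 6 20 9000 1446710400 1446710460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 44001 8080 6 12 3000 1446710400 1446710460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.9 443 44000 6 18 8000 1446710400 1446710460 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1446710400 1446710460 - NODATA
"""

VPC_CIDR = "10.0.0.0/16"          # assumed VPC range
ALLOWED_PORTS = {80, 443}         # assumed public-facing services


def sample_review():
    return review(SAMPLE_LOG.splitlines(), VPC_CIDR, ALLOWED_PORTS)


if __name__ == "__main__":
    result = sample_review()
    for (src, port), n in result["rejected"].most_common():
        print(f"REJECT x{n}: {src} -> port {port}")
    for f in result["unexpected_accepts"]:
        print(f"ACCEPT on unexpected port {f.dstport} from {f.srcaddr} ({f.byte_count} bytes)")
```

Rejected flows tell you what a security group or NACL already stopped; the accepted flow on port 8080 is the more interesting finding, because it is traffic that was permitted but that nobody intended to expose. NODATA and SKIPDATA records are skipped rather than parsed as flows, since their address and port fields are placeholders.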

Respond

o Be Prepared:
  o Develop, acquire or hire Security Incident Response capabilities
  o Test preparedness via game days
  o Automated response and containment is always better than manual response
o AWS supports forensic investigations
o Leverage AWS Support for best results
o Talk to our security partners

Be Secure & Compliant in the Cloud!

