
AWS Summit London - Keynote - Stephen Schmidt

Date post: 25-May-2015
Description:
AWS Summit, London Keynote: Stephen Schmidt, Chief Information Security Officer, AWS, Amazon.com & AWS Customer: Steve Howes (CEO at ATOC)
Monday, April 29, 13
Transcript
Page 1: AWS Summit London - Keynote - Stephen Schmidt


Page 2

Stephen Schmidt

Chief Information Security Officer, AWS

Page 3

Cloud Security is:

• Universal
• Visible
• Auditable
• Transparent
• Shared
• Familiar

Page 4

Universal Cloud Security

Every customer has access to the same security capabilities, and gets to choose what's right for their business

• Start-Ups
• Social Media
• Home Users
• Retail
• Governments
• Financial Sector
• Pharmaceuticals
• Entertainment

Page 5

Visible Cloud Security

AWS allows you to see your entire infrastructure at the click of a mouse. Can you map your current network?

(Slide contrasts two network diagrams: "This? Or this?")

Page 6

Auditable Cloud Security

How do you know AWS is right for your business?

• 3rd Party Audits
  - Independent auditors
• Artifacts
  - Plans, Policies and Procedures
• Logs
  - Obtained
  - Retained
  - Analyzed

Page 7

SOC 1/2 – Control Objectives

• Control Objective 1: Security Organization
• Control Objective 2: Amazon User Access
• Control Objective 3: Logical Security
• Control Objective 4: Secure Data Handling
• Control Objective 5: Physical Security and Environmental Safeguards
• Control Objective 6: Change Management
• Control Objective 7: Data Integrity, Availability and Redundancy
• Control Objective 8: Incident Handling

Page 8

Steve Howes

Chief Executive Officer, ATOC


Page 10

An Integrated Network

• 21 franchised rail companies
• 2,500 stations
• 10,000 miles

Page 11

System Schematic

(Diagram of the rail retail and settlement systems, divided into Pre-sales and Post-sales. Components shown:)

• National Reservations Service
• Data Distribution Service
• Product Management Service
• Ticket on Departure Service
• Points of Sale (x10,000)
• Apportionment Engine
• Settlement Service

Page 12

System Schematic: AWS Hosted

(The same schematic as Page 11, with the AWS-hosted components highlighted.)

Page 13

£7.5 billion

Annual rail industry revenue

Page 14

RSP and Security

• Our systems handle £7.5B of transactions annually
• Revenue collected by the retailer must be correctly settled to the operators to the penny, auditable to the highest standards
• We handle £5B of payment card transactions annually
• Our passengers depend absolutely on our services

Page 15

Why AWS?

• We need a 'trusted' environment, more than the narrow meaning of security:
  - Compliance
  - Governance
  - Risk management
  - Availability
  - Integrity
  - Privacy
• Simply, through AWS and our SI Partner Smart421 we are able to meet all of these requirements


Page 17

Shared Responsibility

• Let AWS do the heavy lifting
• This is what we do, and we do it all the time
• As the AWS customer you can focus on your business and not be distracted by the muck

AWS:
• Facilities
• Physical Security
• Physical Infrastructure
• Network Infrastructure
• Virtualization Infrastructure

Customer:
• Choice of Guest OS
• Application Configuration Options
• Account Management flexibility
• Security Groups
• Network ACLs

Page 18

Amazon VPC Architecture

(Diagram, built up over Pages 18 to 23: the customer's network on the left, the Amazon Web Services cloud on the right, with the customer's isolated AWS resources in subnets inside the VPC.)

• Customer's network: a router connected to AWS either by a secure VPN connection over the Internet or by AWS Direct Connect (dedicated path/bandwidth)
• AWS side: a VPN Gateway terminating that connection, and subnets holding the customer's isolated AWS resources
• Pages 20 and 21 add an Internet connection beside the VPN Gateway
• Pages 22 and 23 add NAT, so that instances in private subnets can reach the Internet without being reachable from it
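The VPC diagram on Pages 18 to 23, together with the Security Groups and Network ACLs listed on the customer's side of the shared responsibility model on Page 17, reduces to three evaluation rules: the subnet's route table decides whether the Internet can reach the subnet at all (Internet gateway route, NAT route, or neither), the Network ACL filters statelessly at the subnet edge by rule number, and the Security Group filters statefully at the instance with allow rules only. The Python model below is an added example written for this page, not AWS code or anything from the talk. The topology, CIDRs, rule numbers and flows are constructed, and the model deliberately leaves out details such as security-group-to-security-group references, Elastic IP mapping, and UDP/ICMP handling.

```python
"""Reachability model for the VPC on the slide: route tables, Network ACLs
(stateless, evaluated by rule number) and Security Groups (stateful, allow-only).
Illustrative code written for this page, not AWS code; topology and rules are
constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALL = "-1"                   # AWS notation for "all protocols"
EPHEMERAL = (1024, 65535)    # client source ports a stateless NACL must allow for replies


@dataclass(frozen=True)
class Rule:
    """One NACL or Security Group rule. NACL rules carry a number and an action;
    Security Group rules are allow-only, so number/action are unused there."""
    cidr: str
    proto: str            # "tcp", "udp" or ALL
    ports: tuple          # inclusive (low, high); ignored when proto == ALL
    number: int = 0
    action: str = "allow"

    def matches(self, ip, proto, port):
        if ip_address(ip) not in ip_network(self.cidr):
            return False
        return self.proto == ALL or (self.proto == proto and self.ports[0] <= port <= self.ports[1])


@dataclass
class Nacl:
    """Subnet-edge filter: lowest rule number first, first match wins, unmatched
    traffic hits the implicit '*' deny. Stateless: a reply is checked in the
    opposite direction like any other packet."""
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)

    def permits(self, direction, ip, proto, port):
        for r in sorted(getattr(self, direction), key=lambda r: r.number):
            if r.matches(ip, proto, port):
                return r.action == "allow"
        return False


@dataclass
class SecurityGroup:
    """Instance filter: allow rules only, default deny inbound, default allow
    outbound. Stateful: a reply to permitted traffic is allowed automatically."""
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=lambda: [Rule("0.0.0.0/0", ALL, (0, 0))])

    def permits(self, direction, ip, proto, port):
        return any(r.matches(ip, proto, port) for r in getattr(self, direction))


@dataclass
class Subnet:
    cidr: str
    default_route: str    # "igw" = public subnet, "nat" = private subnet, "local" = no Internet path
    nacl: Nacl


@dataclass
class Instance:
    private_ip: str
    subnet: Subnet
    sg: SecurityGroup
    public_ip: bool = False


def inbound_from_internet(inst, src_ip, proto, port, client_port=49152):
    """Can an Internet host open a connection to inst? Returns (allowed, reason)."""
    if inst.subnet.default_route != "igw" or not inst.public_ip:
        return False, "unreachable: no Internet gateway route or no public IP"
    if not inst.subnet.nacl.permits("ingress", src_ip, proto, port):
        return False, "Network ACL ingress denies the request"
    if not inst.sg.permits("ingress", src_ip, proto, port):
        return False, "Security Group has no matching inbound rule"
    if not inst.subnet.nacl.permits("egress", src_ip, proto, client_port):
        return False, "Network ACL egress drops the reply (ephemeral port not allowed)"
    return True, "allowed"


def outbound_to_internet(inst, dst_ip, proto, port, client_port=49152):
    """Can inst open a connection to an Internet host? NAT forwards what the
    instance initiates, so a private subnet passes this check but not the one above."""
    if inst.subnet.default_route == "local":
        return False, "unreachable: no default route out of the VPC"
    if not inst.subnet.nacl.permits("egress", dst_ip, proto, port):
        return False, "Network ACL egress denies the request"
    if not inst.sg.permits("egress", dst_ip, proto, port):
        return False, "Security Group has no matching outbound rule"
    if not inst.subnet.nacl.permits("ingress", dst_ip, proto, client_port):
        return False, "Network ACL ingress drops the reply (ephemeral port not allowed)"
    return True, "allowed"


def example_vpc():
    """Constructed topology: public web subnet behind the IGW, private app subnet behind NAT."""
    web_nacl = Nacl(
        ingress=[Rule("0.0.0.0/0", "tcp", (443, 443), 100),
                 Rule("0.0.0.0/0", "tcp", EPHEMERAL, 110)],        # replies to outbound calls
        egress=[Rule("0.0.0.0/0", "tcp", EPHEMERAL, 100),          # replies to inbound 443
                Rule("0.0.0.0/0", "tcp", (443, 443), 110)])
    app_nacl = Nacl(
        ingress=[Rule("10.0.0.0/16", ALL, (0, 0), 100),            # anything from inside the VPC
                 Rule("0.0.0.0/0", "tcp", EPHEMERAL, 110)],
        egress=[Rule("0.0.0.0/0", ALL, (0, 0), 100)])
    web = Instance("10.0.1.10", Subnet("10.0.1.0/24", "igw", web_nacl),
                   SecurityGroup(ingress=[Rule("0.0.0.0/0", "tcp", (443, 443))]), public_ip=True)
    app = Instance("10.0.2.10", Subnet("10.0.2.0/24", "nat", app_nacl),
                   SecurityGroup(ingress=[Rule("10.0.1.0/24", "tcp", (8080, 8080))]))
    return web, app


if __name__ == "__main__":
    web, app = example_vpc()
    for case in (inbound_from_internet(web, "203.0.113.7", "tcp", 443),
                 inbound_from_internet(web, "203.0.113.7", "tcp", 8080),
                 inbound_from_internet(app, "203.0.113.7", "tcp", 8080),
                 outbound_to_internet(app, "203.0.113.7", "tcp", 443)):
        print(case)
```

Two things the model makes visible that the diagram does not: the ephemeral-port allow that every stateless NACL needs for replies also lets unsolicited traffic on those ports reach the subnet, so the Security Group is what actually keeps port 8080 closed on the web instance; and the app instance behind NAT can call out to the Internet but cannot be reached from it, regardless of its Security Group.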

Page 24

Customer Challenge: Encryption (part 1)

• Customers have requirements to use specific encryption key management procedures that were not previously possible on AWS
  - Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls
  - Good key management is critical

Page 25

Customer Challenge: Encryption (part 2)

• Customers want to run applications and store data in AWS but previously had to retain keys in HSMs in on-premises data centers

– Applications may slow down due to network latency

– Requires several DCs to provide high availability, disaster recovery and durability of keys

Page 26

AWS Data Protection Solutions

• AWS offers several data protection mechanisms including access control, encryption, etc.
• AWS data encryption solutions allow customers to:
  - Encrypt and decrypt sensitive data inside or outside AWS
  - Decide which data to encrypt
• AWS CloudHSM complements existing AWS data protection and encryption solutions
• With AWS CloudHSM customers can:
  - Encrypt data inside AWS
  - Store keys in AWS within a Hardware Security Module
  - Decide how to encrypt data: the AWS CloudHSM implements cryptographic functions and key storage for customer applications
  - Use third-party validated hardware for key storage

Page 27

HSM – Hardware Security Module

• A hardware device that performs cryptographic operations and key storage
• Used for strong protection of private keys
• Tamper resistant: keys are protected physically and logically
  - If a tampering attempt is detected, the appliance destroys the keys
• Device administration and security administration are logically separate
  - Physical control of the appliance does not grant access to the keys
• Certified by 3rd parties to comply with government standards for physical and logical security:
  - FIPS 140-2
  - Common Criteria EAL4+
• Example vendors include: SafeNet, Thales
• Historically located in on-premises datacenters

Page 28

What is AWS CloudHSM?

• Customers receive dedicated access to HSM appliances
• HSMs are physically located in AWS datacenters, in close network proximity to Amazon EC2 instances
• Physically managed and monitored by AWS, but customers control their own keys
• HSMs are inside the customer's VPC, dedicated to the customer and isolated from the rest of the network

Page 29

AWS CloudHSM Service Highlights

• Secure Key Storage: customers retain control of their own keys and cryptographic operations on the HSM
• Contractual and Regulatory Compliance: helps customers comply with the most stringent regulatory and contractual requirements for key protection
• Reliable and Durable Key Storage: AWS CloudHSMs are located in multiple Availability Zones and Regions to help customers build highly available applications that require secure key storage
• Simple and Secure Connectivity: AWS CloudHSMs are in the customer's VPC
• Better Application Performance: reduce network latency and increase the performance of AWS applications that use HSMs

Page 30

How Customers Use AWS CloudHSM

• Customers use AWS CloudHSM as an architectural building block in securing applications
  - Object encryption
  - Digital Rights Management (DRM)
  - Document signing
  - Secure document repository
  - Database encryption
  - Transaction processing

Page 31

Customer use cases

• Large Silicon Valley company: video DRM
• Start-up document rights management service: enterprise document protection
• Very large tech company: root of trust for Public Key Infrastructure (PKI) authentication system
• Very large financial services organization: root of trust for key management system for virtual machine authentication & encryption

Page 32

On-Premises Integration with AWS CloudHSM

(Diagram: an Application with the HSM Client on an Amazon VPC instance talks over SSL to AWS CloudHSM inside the Amazon Virtual Private Cloud; the Corporate Datacenter, which holds its own HSM, is reached over VPN across the Internet or over AWS Direct Connect. Callouts A to D:)

• Customers' applications continue to use standard crypto APIs (PKCS#11, MS CAPI, JCA/JCE, etc.)
• The SafeNet HSM client replaces existing crypto service provider libraries and connects to the HSM to implement API calls in hardware
• The SafeNet HSM client can share load and store keys redundantly across multiple HSMs
• Key material is securely replicated to HSM(s) in the customer's datacenter

Page 33

Key Storage & Secure Operations for AWS Workloads

(Diagram: an Application with the HSM Client on an Amazon VPC instance talks over SSL to AWS CloudHSM inside the Amazon Virtual Private Cloud. Callouts:)

A. AWS manages the HSM appliance but does not have access to customers' keys
B. Customers control and manage their own keys
C. Application performance improves (due to close network proximity with AWS workloads)
D. Secure key storage in tamper-resistant/tamper-evident hardware, available in multiple regions and AZs
E. CloudHSMs are in the customer's VPC and isolated from other AWS networks
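Pages 26 to 33 describe the property that justifies putting an HSM in the path of an application: keys are generated, stored and used inside the device and never leave it, the role that administers the appliance (AWS, for CloudHSM) is separate from the roles that own and use keys, and a tamper event destroys the keys. The Python model below is an added example written for this page; it is not CloudHSM, SafeNet or PKCS#11 code, its three role names are an assumption and do not mirror any vendor's, and the settlement record it encrypts is constructed. The Python standard library has no AES, so confidentiality comes from HMAC-SHA256 used as a PRF in counter mode with an encrypt-then-MAC tag; a real application would call AES-GCM or a wrapped data key through the PKCS#11 or JCE client the slides mention. The boundary, not the cipher, is what the example is about.

```python
"""HSM trust-boundary model, added for this page (not CloudHSM, SafeNet or PKCS#11
code): keys never leave the device, roles are separated, tampering zeroizes."""
import hashlib, hmac, secrets


class HsmError(Exception):
    pass


class Hsm:
    # device_admin runs the appliance (AWS on the slide) but cannot create, use
    # or read keys; crypto_officer (the customer) owns keys; crypto_user (the
    # customer's application) uses them. Role names are assumptions.
    ROLES = ("device_admin", "crypto_officer", "crypto_user")

    def __init__(self):
        self._keys = {}        # handle -> key bytes: the only place key material exists
        self._sessions = {}    # session id -> role
        self._tampered = False
        self.audit = []        # (role, operation, handle): the log an auditor would pull

    def open_session(self, role):
        sid = secrets.token_hex(8)
        self._sessions[sid] = role if role in self.ROLES else None
        return sid

    def _require(self, sid, *roles):
        if self._tampered:
            raise HsmError("device zeroized after tamper event")
        role = self._sessions.get(sid)
        if role not in roles:
            raise HsmError(f"role {role!r} may not perform this operation")
        return role

    def tamper(self):
        """Tamper response: keys are destroyed and the device stops serving."""
        self._keys.clear()
        self._tampered = True
        self.audit.append(("hardware", "tamper", None))

    def generate_key(self, sid):
        role = self._require(sid, "crypto_officer")
        handle = f"key-{len(self._keys) + 1}"
        self._keys[handle] = secrets.token_bytes(32)
        self.audit.append((role, "generate_key", handle))
        return handle

    def export_key(self, sid, handle):
        """Refused for every role: control of the device is not access to keys."""
        self._require(sid, *self.ROLES)
        raise HsmError("keys are not exportable from the device")

    def _subkeys(self, sid, handle):
        role = self._require(sid, "crypto_user", "crypto_officer")
        k = self._keys.get(handle)
        if k is None:
            raise HsmError("no such key")
        return (role, hmac.new(k, b"enc", hashlib.sha256).digest(),
                hmac.new(k, b"mac", hashlib.sha256).digest())

    @staticmethod
    def _keystream_xor(k_enc, nonce, data):
        out = bytearray()   # HMAC-SHA256 as a PRF in counter mode, in place of AES-CTR
        for i in range(0, len(data), 32):
            block = hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def encrypt(self, sid, handle, plaintext):
        """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
        role, k_enc, k_mac = self._subkeys(sid, handle)
        nonce = secrets.token_bytes(16)
        ct = self._keystream_xor(k_enc, nonce, plaintext)
        self.audit.append((role, "encrypt", handle))
        return nonce + ct + hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()

    def decrypt(self, sid, handle, blob):
        role, k_enc, k_mac = self._subkeys(sid, handle)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
            raise HsmError("authentication failed: ciphertext altered")
        self.audit.append((role, "decrypt", handle))
        return self._keystream_xor(k_enc, nonce, ct)


def demo():
    """Constructed walk-through: returns the recovered record and the refusals
    for operator use, key export and use after tamper."""
    hsm = Hsm()
    admin, officer, user = (hsm.open_session(r) for r in Hsm.ROLES)
    handle = hsm.generate_key(officer)
    blob = hsm.encrypt(user, handle, b"settlement record 0001: GBP 12.50")
    plain, refused = hsm.decrypt(user, handle, blob), []
    for op in (lambda: hsm.encrypt(admin, handle, b"x"),
               lambda: hsm.export_key(officer, handle),
               lambda: (hsm.tamper(), hsm.decrypt(user, handle, blob))):
        try:
            op()
        except HsmError as e:
            refused.append(str(e))
    return plain, refused
```

The shape to notice is that every public method returns a handle, a ciphertext or a plaintext and never the key: the application on the Amazon VPC instance in the Page 32 and 33 diagrams gets exactly this interface through the HSM client, which is why the callouts can say AWS manages the appliance yet has no access to the keys, and why the audit list is the thing an auditor asks for under "Logs: obtained, retained, analyzed" on Page 6.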


Page 35

AWS Deployment Models

Isolation properties compared: Logical Server and Application Isolation; Granular Information Access Policy; Logical Network Isolation; Physical Server Isolation; Government-Only Physical Network and Facility Isolation; ITAR Compliant (US Persons Only).

• Commercial Cloud: Logical Server and Application Isolation; Granular Information Access Policy. Sample workloads: public-facing apps, web sites, dev/test, etc.
• Virtual Private Cloud (VPC): the above plus Logical Network Isolation and Physical Server Isolation. Sample workloads: data center extension, TIC environment, email, FISMA Low and Moderate.
• AWS GovCloud (US): all of the above plus Government-Only Physical Network and Facility Isolation and ITAR Compliant (US Persons Only). Sample workloads: US Persons compliant and government-specific apps.

Page 36

AWS Security Resources

• http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
• Regularly Updated
• Feedback is welcome

Page 37

Thank you.
