
AWS Webcast - Understanding the AWS Security Model

Date post:16-Jul-2015
  • © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

    Max Ramsay, Head of Americas Security Solution Architecture, AWS

    March 19th, 2015

    Understanding the AWS Shared Security Model

  • Security is Job Zero

    Familiar Security Model

    Validated and driven by customers' security experts

    Benefits all customers





  • Vodafone built a mobile payment app

    Amazon Web Services was the clear choice in terms of security.

    Stefano Harak

    Online Senior Product Manager

    PCI and DSS compliance was essential

    Launched in 3 months

    Reduced CapEx by 30%

    Deployed to 7 channels, including Facebook


  • Agenda

    AWS Culture

    Shared Security Model


    Tools & Features

    Where to get help

  • Security & compliance requirements from every industry

  • Expert Audits: Transparency & Accuracy






  • Security, compliance, governance, and audit related launches and updates

    AWS constantly innovating, driven by your needs

  • Native tools improve compliance efficiency

    Discover and provision cloud services

    Audit and troubleshoot configuration changes in the cloud

    Get consistent visibility of cloud logs

  • AWS Foundation Services

    Compute Storage Database Networking

    AWS Global Infrastructure


    Availability Zones

    Edge Locations

    Identity Data Infrastructure

    Customer applications & content


    AWS and you share responsibility for security

    You get to define your controls IN the Cloud

    AWS takes care of the security OF the Cloud

  • What this means

    You benefit from an environment built for the most security sensitive organizations

    AWS manages 1,800+ security controls so you don't have to

    You get to define the right security controls for your workload sensitivity

    You always have full ownership and control of your data

  • Key AWS Certifications and Assurance Programs

  • IT Grundschutz Certification Workbook

    Assessed by TÜV TRUST IT

    AWS controls meet BSI IT Grundschutz requirements

    Customers can integrate AWS infrastructure into their own ISMS and be compliant

    Report and workbook available at aws.amazon.com/compliance

  • Accreditation & Compliance: on-prem vs on AWS

    On AWS

    Start on base of accredited services

    Functionally necessary high watermark of requirements

    Audits done by third party experts

    Accountable to everyone

    Continuous monitoring

    Compliance approach based on all workload scenarios

    Security innovation drives broad compliance

    On-prem

    Start with bare concrete

    Functionally optional (you can build a secure system without it)

    Audits done by an in-house team

    Accountable to yourself

    Typically check once a year

    Workload-specific compliance checks

    Must keep pace and invest in security innovation

  • AWS Security Tools & Features


    Customer applications & content

    Oversight & Monitoring

    AWS and its partners offer over 700 security services, tools and features

    Mirror the familiar controls you deploy within your on-prem environments

  • Infrastructure: Enforce consistent security on hosts


    AMI catalogue Running instance Your instance


    Audit and logging

    Vulnerability management

    Malware and HIPS

    Whitelisting and integrity

    User administration

    Operating system

    You fully control EC2 instances

    Configure and harden to your own specs!

    Use host-based protection software

    Manage administrative users

    Enforce separation of duties & least privilege

    Build out the rest of your standard security environment

    Connect to your existing services, e.g. SIEM, monitoring,


  • Create flexible, resilient, segmented environments

    Your organization

    Project Teams Marketing

    Business Units Reporting

    Digital /


    Dev and








    Amazon S3

    Amazon Glacier



  • Data: Encrypt your sensitive information

    Encrypt your Elastic Block Store volumes any way you like

    AWS native EBS encryption for free with a mouse-click

    Encrypt yourself using free utilities, plus Trend Micro, SafeNet and other partners for high-assurance key management solutions

    Amazon S3 offers either server or client-side encryption

    Manage your own keys or let AWS do it for you

    Redshift has one-click disk encryption as standard

    Encrypt your data analytics

    You can supply your own keys

    Amazon RDS supports encryption

    Encrypt your MySQL or PostgreSQL databases using keys you manage through AWS Key Management Service (KMS)

    Supports Transparent Data Encryption in SQL Server and Oracle


  • Identity: Control access and segregate duties


    You get to control who can do what in your AWS environment when and from where

    Fine-grained control of your AWS cloud with multi-factor authentication

    Integrate with your existing corporate directory using SAML 2.0 and single sign-on

    AWS account owner

    Network management

    Security management

    Server management

    Storage management

  • Monitoring: Get consistent visibility of logs

    Full visibility of your AWS environment

    CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made

    Who did what and when and from where (IP address)

    Support for many AWS services and growing - includes EC2, EBS, VPC, RDS, IAM and Redshift

    Easily aggregate all log information

    Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and
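
    The "who did what and when and from where" view described on this slide, as an added example that is not part of the original webcast: it reads a CloudTrail log file (assumed already downloaded from S3 and decompressed), lists each API call by caller, action, time and source IP, and flags successful console sign-ins recorded without multi-factor authentication. The sample records, account ID, user names and IP addresses are constructed.

```python
import json

# Constructed sample in the CloudTrail log-file layout (a top-level "Records" array).
# Account ID, user names and IP addresses are made up for illustration.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-03-19T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2015-03-19T09:58:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2015-03-19T10:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})

def _records(log_text):
    return json.loads(log_text).get("Records", [])

def who_did_what(log_text):
    """One (who, what, when, where) tuple per API call, oldest first."""
    rows = []
    for rec in _records(log_text):
        ident = rec.get("userIdentity") or {}
        # Root and federated callers carry no userName: fall back to ARN, then type.
        who = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        what = "{}:{}".format(rec.get("eventSource", "?"), rec.get("eventName", "?"))
        rows.append((who, what, rec.get("eventTime", ""), rec.get("sourceIPAddress", "")))
    return sorted(rows, key=lambda r: r[2])  # ISO 8601 UTC timestamps sort as text

def console_logins_without_mfa(log_text):
    """Successful console sign-ins where CloudTrail did not record MFAUsed = Yes."""
    flagged = []
    for rec in _records(log_text):
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if (rec.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue
        if (rec.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            ident = rec.get("userIdentity") or {}
            flagged.append((ident.get("userName") or ident.get("arn"),
                            rec.get("eventTime"), rec.get("sourceIPAddress")))
    return flagged
```
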

  • AWS Marketplace: One-stop shop for security tools

    Advanced Threat


    Application Security

    Identity and Access Mgmt

    Encryption & Key Mgmt

    Server & Endpoint


    Network Security

    Vulnerability & Pen Testing

  • Getting Help: Trusted Advisor

    Performs a series of security configuration checks of your AWS environment:

    Open ports

    Unrestricted access

    IAM use

    CloudTrail Logging

    S3 Bucket Permissions

    Multi-factor auth

    Password Policy

    DB Access Risk

    DNS Records

    Load Balancer config

  • Getting Help: Support

    Account Team

    Your Account Manager is your advocate

    Solutions Architects have a wealth of expertise

    Four tiers of support

    Free Basic, forum-based & health check support

    Developer Email support & best practice guidance

    Business Phone/chat/email support, 1 hour response time

    Enterprise 15 min response time, dedicated Technical Account Manager

  • Getting Help: Professional Services

    AWS Professional Services

    Enterprise Security Architecture

    Policy & Controls Mapping

    SOC Design

    AWS Partner Network

    Over 600 certified AWS Consulting Partners worldwide

  • Summary

    Security is job zero for AWS

    AWS takes care of the security OF the Cloud

    You define your controls IN the Cloud

    Compliance is more cost effective in AWS

    You can take advantage of over 700 services, tools and features from AWS and partners

    AWS and partner resources on hand to help

  • Thank you!
