Security in the Cloud

Stephen E. Schmidt,

Vice President, Security Engineering &

Chief Information Security Officer

AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014

8th BirthdayLaunched on March 14th, 2006

Startups on AWS

Enterprises on AWS

Public Sector on AWS

System Integrators on AWS

ISVs on AWS

Why are enterprises & government adopting cloud computing and AWS so quickly?

The primary reason enterprises &

governments are moving so quickly to

AWS and the cloud

#1: Agility

Why does agility matter?

Old World: Infrastructure in weeks

Enterprises & Government Can’t Afford to Be Slow

A Culture of Innovation: Experiment Often & Fail Without Risk

Regions Availability Zones Content Delivery POPs

#2: Platform Breadth and Depth

10 regions26 availability zones51 edge locations

It’s Not Just Having Services in a Couple of Regions…

Regions Availability Zones Content Delivery POPs

Storage GatewayS3 EBS Glacier Import/Export DynamoDB ElastiCache

StorageCompute Databases

RDS

MySQL, PostgreSQL

Oracle, SQL ServerElastic Load BalancerEC2 Auto Scaling

#2: Platform Breadth and Depth

Direct ConnectRoute 53

VPCNetworking

Regions Availability Zones Content Delivery POPs

Storage GatewayS3 EBS Glacier Import/Export DynamoDB ElastiCache

StorageCompute Databases

RDS

MySQL, PostgreSQL

Oracle, SQL ServerElastic Load BalancerEC2 Auto Scaling

#2: Platform Breadth and Depth

Direct ConnectRoute 53

VPCNetworking

Analytics

Data Pipeline

Redshift

EMRKinesis

SWFSNS SQS CloudSearchSES AppStreamCloudFront

Application Services

WorkSpaces

Regions Availability Zones Content Delivery POPs

Storage GatewayS3 EBS Glacier Import/Export DynamoDB ElastiCache

StorageCompute Databases

RDS

MySQL, PostgreSQL

Oracle, SQL ServerElastic Load BalancerEC2 Auto Scaling

#2: Platform Breadth and Depth

Management &AdministrationIAM CloudWatchCloudTrail APIs and SDKsManagement ConsoleCloud HSM Command Line Interface

Direct ConnectRoute 53

VPCNetworking

Analytics

Data Pipeline

Redshift

EMRKinesis

SWFSNS SQS CloudSearchSES AppStreamCloudFront

Application Services

WorkSpaces

Regions Availability Zones Content Delivery POPs

Storage GatewayS3 EBS Glacier Import/Export DynamoDB ElastiCache

StorageCompute Databases

RDS

MySQL, PostgreSQL

Oracle, SQL ServerElastic Load BalancerEC2 Auto Scaling

#2: Platform Breadth and Depth

Elastic Beanstalk for Java, Node.js, Python, Ruby, PHP and .Net

OpsWorks CloudFormationContainers & Deployment (PaaS)

Management &AdministrationIAM CloudWatchCloudTrail APIs and SDKsManagement ConsoleCloud HSM Command Line Interface

Direct ConnectRoute 53

VPC

Networking

Analytics

Data Pipeline

Redshift

EMRKinesis

SWFSNS SQS CloudSearchSES AppStreamCloudFront

Application Services

WorkSpaces

Regions Availability Zones Content Delivery POPs

Storage GatewayS3 EBS Glacier Import/Export DynamoDB ElastiCache

StorageCompute Databases

RDS

MySQL, PostgreSQL

Oracle, SQL ServerElastic Load BalancerEC2 Auto Scaling

#2: Platform Breadth and Depth

Technology Partners Consulting Partners AWS MarketplaceEcosystemElastic Beanstalk for Java, Node.js, Python, Ruby, PHP and .Net

OpsWorks CloudFormationContainers & Deployment (PaaS)

Management &AdministrationIAM CloudWatchCloudTrail APIs and SDKsManagement ConsoleCloud HSM Command Line Interface

Direct ConnectRoute 53

VPCNetworking

Analytics

Data Pipeline

Redshift

EMRKinesis

SWFSNS SQS CloudSearchSES AppStreamCloudFront

Application Services

WorkSpaces

Regions Availability Zones Content Delivery POPs

Storage GatewayS3 EBS Glacier Import/Export DynamoDB ElastiCache

StorageCompute Databases

RDS

MySQL, PostgreSQL

Oracle, SQL ServerElastic Load BalancerEC2 Auto Scaling

#2: Platform Breadth and Depth

Support CertificationTrainingProfessional Services

Technology Partners Consulting Partners AWS MarketplaceEcosystemElastic Beanstalk for Java, Node.js, Python, Ruby, PHP and .Net

OpsWorks CloudFormationContainers & Deployment (PaaS)

Management &AdministrationIAM CloudWatchCloudTrail APIs and SDKsManagement ConsoleCloud HSM Command Line Interface

Direct ConnectRoute 53

VPCNetworking

Analytics

Data Pipeline

Redshift

EMRKinesis

SWFSNS SQS CloudSearchSES AppStreamCloudFront

Application Services

WorkSpaces

Regions Availability Zones Content Delivery POPs

Storage GatewayS3 EBS Glacier Import/Export DynamoDB ElastiCache

StorageCompute Databases

RDS

MySQL, PostgreSQL

Oracle, SQL ServerElastic Load BalancerEC2 Auto Scaling

#2: Platform Breadth and Depth

Security is Our No.1 PriorityComprehensive Security Capabilities to Support Virtually Any Workload

PEOPLE & PROCEDURES

NETWORK SECURITY

PHYSICAL SECURITY

PLATFORM SECURITY

“[Enterprise customers are] skipping the years of early getting-their-feet-wet, and immediately jumping in with more significant projects, with more ambitious goals…”

“Increasingly, organizations are asking what can’t go to the cloud, rather than what can…”

“As 2014 dawns, we’re moving into an era of truly mainstream adoption of cloud…”

• SECURITY IS SHARED

WHAT NEEDS TO BE DONE TO KEEP THE SYSTEM SAFE

WHAT WE DO

FOR YOU

WHAT YOU DO YOURSELF

• EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES

• CHOOSE WHAT’S RIGHT FOR YOUR WORKLOAD

• CLOUD SECURITY OFFERS MORE

• VISIBILITY• AUDITABILITY• CONTROL

• MORE VISIBILITY

• CAN YOU MAP YOUR NETWORK?

• WHAT IS IN YOUR ENVIRONMENT RIGHT NOW?

• MORE AUDITABILITY

• SECURITY CONTROL OBJECTIVES

• 1. SECURITY ORGANIZATION• 2. AMAZON USER ACCESS• 3. LOGICAL SECURITY• 4. SECURE DATA HANDLING• 5. PHYSICAL SECURITY AND ENV. SAFEGUARDS• 6. CHANGE MANAGEMENT• 7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY• 8. INCIDENT HANDLING

• MORE CONTROL

Defense in DepthMulti level security

• Physical security of the data centers• Network security• System security• Data security

DATA

• LEAST PRIVILEGE PRINCIPLE

• AT AWS

• LEAST PRIVILEGE PRINCIPLECONFINE ROLES ONLY TO THE MATERIALREQUIRED TO DO SPECIFIC WORK

• LEAST PRIVILEGE PRINCIPLESEPARATE NETWORKS FOR CORPORATE WORK VS. ACCESSING CUSTOMER DATA

• LEAST PRIVILEGE PRINCIPLEMUST HAVE A BUSINESS NEED-TO-KNOW ABOUT SENSITIVE INFORMATION LIKE DATACENTER LOCATIONS

• LEAST PRIVILEGE PRINCIPLEMUST HAVE A BUSINESS NEED-TO-KNOW IN ORDER TO ACCESS DATACENTERS

• SIMPLE SECURITY CONTROLSARE THE EASIEST TO GET RIGHT, EASIEST TO AUDIT, AND EASIEST TO ENFORCE

• IDC Survey

• Attitudes and Perceptions Around Security and Cloud Services• Nearly 60% of organizations agreed that CSPs [Cloud Service

Providers] provide better security than their own IT organization

• Source: IDC 2013 U.S. Cloud Security Survey• Doc #242836, September 2013

• “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”

Tom Soderstrom – CTO – NASA JPL

AWS Security

Stephen E. Schmidt, Chief Information Security Officer

Thank You!