(SEC201) AWS Security Keynote Address | AWS re:Invent 2014

Posted on 24-Jun-2015


DESCRIPTION

Security must be at the forefront for any online business. At AWS, security is priority number one. Stephen Schmidt, vice president and chief information officer for AWS, shares his insights into cloud security and how AWS meets our customers' demanding security and compliance requirements, and in many cases helps them improve their security posture. Stephen, drawing on his background at the FBI and his work with AWS customers in government, space exploration, research, and financial services organizations, offers an industry perspective that's unique and invaluable for today's IT decision makers. At the conclusion of this session, Stephen also provides a brief summary of the other sessions available to you in the security track.

TRANSCRIPT

JOB ZERO

Job Zero:
• Network Security
• Physical Security
• Platform Security
• People & Procedures

SHARED

constantly improving

AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

AWS is responsible for the security OF the Cloud

GxP, ISO 13485, AS9100, ISO/TS 16949

AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers:
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Customer applications & content

shared responsibility

Customers have their choice of security configurations IN the Cloud

AWS is responsible for the security OF the Cloud

FAMILIAR

familiar

– Agility

VISIBILITY

VISIBILITY

RIGHT NOW?

Visible

You are making API calls... on a growing set of services around the world…

AWS CloudTrail is continuously recording API calls… and delivering log files to you

AWS CLOUDTRAIL

Redshift, AWS CloudFormation, AWS Elastic Beanstalk

Use cases enabled by CloudTrail

CloudTrail Regional Availability

AUDITABILITY

…and notifies you

Continuous Change Recording of Changing Resources

AWS Config: History, Stream, Snapshot (ex. 2014-11-05)

AWS Config

Integrated Support from Our Partner Ecosystem

CONTROL

First class security and compliance starts (but doesn’t end!) with encryption

Automatic encryption with managed keys

Bring your own keys

Dedicated hardware security modules

Encryption & Best Practices with AWS
• Managed key encryption
• Key storage with AWS CloudHSM
• Customer-supplied key encryption
• DIY on Amazon EC2
• Create, store, & retrieve keys securely
• Rotate keys regularly
• Securely audit access to keys
• Partner enablement of crypto

Nasdaq is a great example of security excellence in the cloud

Nasdaq Use Case Requirements
• Replace on-premises data warehouse while keeping equivalent schemas and data
• Only one year of capacity remaining
• 4–8 billion rows of new stock-trading information stored daily
• Must cost less than existing system
• Must satisfy multiple security and regulatory audits
• Must perform similarly to legacy warehouse under concurrent query load

AWS’s ability to satisfy multiple security and regulatory audits was critical to Nasdaq’s migrating its data warehouse to AWS

Nasdaq Data Warehouse Implementation
• Pull data from numerous sources, validate data, and securely load into Redshift
• AWS CloudTrail to monitor and audit environment
• Network isolation with Amazon VPC and AWS Direct Connect
• Encryption in flight using TLS and Amazon Redshift JDBC connections
• Encryption at rest with Amazon S3 (client-side, AES-256) with Amazon Redshift cluster encryption enabled and AWS CloudHSM

Nasdaq Security Best Practices

AWS CloudHSM integration was critical to Nasdaq adoption of AWS

Amazon Redshift and Encryption (diagram: 1MB data blocks in Amazon S3 encrypted under block keys, block keys under a cluster key, and the cluster key under a master key held in AWS CloudHSM)
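The key hierarchy in the Redshift/CloudHSM diagram, worked through as an added example that is not Nasdaq's or AWS's code: a master key wraps the cluster key, the cluster key wraps one block key per 1 MB block, and rotating the cluster key ("Rotate keys regularly" above) re-wraps only the block keys. It assumes the third-party `cryptography` package and an in-memory master key standing in for the one CloudHSM would hold.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party package

BLOCK_SIZE = 1 << 20  # 1 MB data blocks, as on the slide


def seal(key: bytes, plaintext: bytes) -> bytes:
    """AES-256-GCM; returns nonce || ciphertext || tag so each blob is self-describing."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Raises cryptography.exceptions.InvalidTag on a wrong key or an altered blob."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)


class Warehouse:
    """Master key -> cluster key -> one block key per block -> data, as in the diagram."""

    def __init__(self, master_key: bytes, data: bytes):
        self.master_key = master_key  # constructed stand-in for the key CloudHSM would hold
        cluster_key = AESGCM.generate_key(256)
        self.wrapped_cluster_key = seal(master_key, cluster_key)
        self.wrapped_block_keys = []  # block keys sealed under the cluster key
        self.blocks = []  # data blocks sealed under their own block key
        for off in range(0, len(data), BLOCK_SIZE):
            block_key = AESGCM.generate_key(256)
            self.wrapped_block_keys.append(seal(cluster_key, block_key))
            self.blocks.append(seal(block_key, data[off:off + BLOCK_SIZE]))

    def read(self) -> bytes:
        """Unwrap the chain top-down and reassemble the plaintext."""
        cluster_key = unseal(self.master_key, self.wrapped_cluster_key)
        return b"".join(unseal(unseal(cluster_key, wbk), blob)
                        for wbk, blob in zip(self.wrapped_block_keys, self.blocks))

    def rotate_cluster_key(self) -> None:
        """The payoff of the hierarchy: re-wrap the small block keys only; data blocks are untouched."""
        old_key = unseal(self.master_key, self.wrapped_cluster_key)
        new_key = AESGCM.generate_key(256)
        self.wrapped_block_keys = [seal(new_key, unseal(old_key, wbk)) for wbk in self.wrapped_block_keys]
        self.wrapped_cluster_key = seal(self.master_key, new_key)
```

Rotating the master key would likewise mean re-sealing only the wrapped cluster key, which is why the data-touching keys can stay put while the HSM-held key is cycled.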

AGILITY

AWS

The practice of security at AWS is different, but the outcome is familiar:

So what does your security team look like?

Our Culture: Everyone’s an owner

When the problem is “mine” rather than “hers” there’s a much higher likelihood I’ll do the right thing

Measure constantly, report regularly, and hold senior executives accountable for security – have them drive the right culture

Our Culture: Measure measure measure
• 5 min metrics are too coarse
• 1 min metrics just barely OK

Our Culture: Saying “no” is a failure

Our Culture: Apply more effort to the “why” rather than the “how”

Why is what really matters

When something goes wrong, ask the “five whys”

Our Culture: Decentralize — don’t be a bottleneck

It’s human nature to go around a bottleneck

Our Culture: Produce services that others can consume through hardened APIs

Our Culture: Test, CONSTANTLY
• Inside/outside
• Privileged/unprivileged
• Black-box/white-box
• Vendor/self

Our Culture: Proactive monitoring rules the day
• What’s “normal” in your environment?
• Depending on signatures == waiting to find out WHEN you’ve been had
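An added example (not AWS's own tooling) that serves both the CloudTrail slides above and this one: it parses CloudTrail log files, learns which services each principal calls and from which source IPs ("what's normal"), and then flags departures from that baseline and refused calls rather than waiting on a signature. The log records are constructed for the example, not events from any real account.

```python
import json

# Constructed CloudTrail-shaped log files ({"Records": [...]}) invented for this example; not real events.
LEARN_LOG = """{"Records": [
{"eventTime": "2014-11-04T09:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "deploy"}, "sourceIPAddress": "203.0.113.10"},
{"eventTime": "2014-11-04T09:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": {"type": "IAMUser", "userName": "deploy"}, "sourceIPAddress": "203.0.113.10"},
{"eventTime": "2014-11-04T09:30:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails", "userIdentity": {"type": "IAMUser", "userName": "auditor"}, "sourceIPAddress": "203.0.113.20"}
]}"""
NEW_LOG = """{"Records": [
{"eventTime": "2014-11-05T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "deploy"}, "sourceIPAddress": "203.0.113.10"},
{"eventTime": "2014-11-05T10:02:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "userName": "deploy"}, "sourceIPAddress": "198.51.100.7"},
{"eventTime": "2014-11-05T10:03:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "auditor"}, "sourceIPAddress": "203.0.113.20", "errorCode": "AccessDenied"}
]}"""


def parse_trail(text: str) -> list:
    """Decode one CloudTrail log file into its list of event records."""
    return json.loads(text)["Records"]


def principal(rec: dict) -> str:
    """Who acted: the IAM user name, or the identity type (Root, AssumedRole, ...) when there is none."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def build_baseline(records: list) -> set:
    """'What is normal': every (principal, service) and (principal, source IP) pair seen while learning."""
    seen = set()
    for r in records:
        p = principal(r)
        seen.add((p, "service", r["eventSource"]))
        seen.add((p, "ip", r["sourceIPAddress"]))
    return seen


def detect(baseline: set, records: list) -> list:
    """Flag a principal touching a service or arriving from an IP not in the baseline, plus any failed call."""
    findings = []
    for r in records:
        p, event = principal(r), r["eventName"]
        if (p, "service", r["eventSource"]) not in baseline:
            findings.append((p, event, "new service " + r["eventSource"]))
        if (p, "ip", r["sourceIPAddress"]) not in baseline:
            findings.append((p, event, "new source IP " + r["sourceIPAddress"]))
        if "errorCode" in r:  # present only when the call was refused or failed
            findings.append((p, event, "API error " + r["errorCode"]))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_trail(LEARN_LOG))
    for who, event, reason in detect(baseline, parse_trail(NEW_LOG)):
        print(f"{who} {event}: {reason}")
```

In practice the learning window is the delivered log history for a period you have reviewed, and the baseline is rebuilt as legitimate activity changes; the refused StopLogging call matters because a successful one would blind this very check.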

Our Culture: Collect, digest, disseminate, & use intelligence

Our Culture: Make your compliance team a part of your security operations

Our Culture: Base decisions on facts, metrics, & detailed understanding of your environment and adversaries

Simple Security Controls

REDUCTION

ENCRYPTION

GRANULAR

SEPARATION

BETTER OFF IN AWS

Please give us your feedback on this session.

Complete session evaluations and earn re:Invent swag.

http://bit.ly/awsevals
