architecting for greater security - london summit enterprise track replay

ARCHITECTING FOR GREATER SECURITY Carlos Conde • Technology Evangelist • @caarlco

Upload: amazon-web-services

Post on 05-Aug-2015


TRANSCRIPT


Architecting for Greater Security
Carlos Conde – Technology Evangelist

“… We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”

Security’s Cloud Revolution is Upon Us, Forrester Research, Inc., August 2, 2013

EVERY CUSTOMER HAS ACCESS TO THE SAME SECURITY CAPABILITIES
Choose what’s right for your business.

SECURITY IS A SHARED RESPONSIBILITY
What needs to be done to keep the system safe:
What AWS does
What you have to do

MORE CONTROL. MORE VISIBILITY. MORE AUDITABILITY.

LEAST PRIVILEGE PRINCIPLE
Confine roles only to the material required to do specific work.

AWS IAM (Identity & Access Management)
Control who does what in your AWS account with fine-grained policies.

LEAST PRIVILEGE PRINCIPLE
Confine network access only to the nodes required to do specific work.

DATA PROTECTION PRINCIPLE
Protect data in transit & at rest.

ENCRYPT YOUR DATA
Amazon EMR, Amazon S3 SSE, Amazon Glacier, Amazon Redshift, Amazon RDS

CHOOSE THE RIGHT MODEL FOR YOUR NEEDS
Automated – AWS manages encryption.
Enabled – user manages encryption using AWS.
Client-side – user manages encryption using their own means.

AWS Private Key Management Capabilities

AWS CloudHSM
Dedicated HSM appliances.
Managed and monitored by AWS, but you control the keys.
Increase performance for applications that use HSMs for key storage or encryption.
Comply with stringent regulatory and contractual requirements for key protection.
(Diagram: EC2 Instance – AWS CloudHSM)

MORE CONTROL. MORE VISIBILITY. MORE AUDITABILITY.

VISIBILITY PRINCIPLE
You can’t protect what you don’t know about.

LOG FILES
Obtained, Analysed, Retained.
AWS CloudWatch Logs

PROTECT YOUR LOGS WITH IAM
ARCHIVE YOUR LOGS

MAKE SECURITY ACTIONABLE
Automate log reviews with AWS Lambda.
Automatically shut down non-compliant instances.
Validate changes.
Roll back unapproved changes.

CONTINUOUS DEPLOYMENT FOR SECURITY
Automated deployments are more secure.
Enables “SSH-less” production environments.
Rapid deployment of security fixes.
Use AWS CodeDeploy.

MORE CONTROL. MORE VISIBILITY. MORE AUDITABILITY.

AWS CloudTrail
You are making API calls, on a growing set of services around the world. CloudTrail is continuously recording those API calls and delivering log files to you.
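The “make security actionable” and CloudTrail slides above describe reviewing API-call logs automatically and acting on non-compliant changes. As an added example that is not part of the deck, the Python below applies three rules drawn from the talk (instances only in the approved EU regions, production launches only by the deployment pipeline, no security-group rule open to 0.0.0.0/0) to a constructed CloudTrail log and returns the remediation decisions. The region set, the pipeline principal, the account id and every record value are assumptions; the EC2 StopInstances / RevokeSecurityGroupIngress calls a real Lambda would then make are left to the caller so the block runs offline.

```python
import json

# Constructed sample CloudTrail log (not real account data): one instance launched
# by the deployment pipeline in an approved region, one launched by a person in an
# unapproved region, and one security-group change opening SSH to the whole Internet.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-pipeline"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa"}]}}},
    {"eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb"}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupId": "sg-0ccc", "ipPermissions": {"items": [
         {"fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]})

# Assumed policy values: the two EU regions mentioned in the talk, and the only
# principal allowed to launch production instances (an "SSH-less" CodeDeploy-style pipeline).
APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}
APPROVED_LAUNCHERS = {"arn:aws:iam::123456789012:user/deploy-pipeline"}

def review_cloudtrail(log_text):
    """Return (instance ids to stop, security-group rules to revoke) for rule violations."""
    stop, revoke = [], []
    for rec in json.loads(log_text)["Records"]:
        actor = rec.get("userIdentity", {}).get("arn", "")
        if rec["eventName"] == "RunInstances":
            # Data locality and least privilege: a launch must be in an approved
            # region and come from the deployment pipeline, otherwise stop it.
            if rec["awsRegion"] not in APPROVED_REGIONS or actor not in APPROVED_LAUNCHERS:
                items = rec.get("responseElements", {}).get("instancesSet", {}).get("items", [])
                stop.extend(i["instanceId"] for i in items)
        elif rec["eventName"] == "AuthorizeSecurityGroupIngress":
            # Network least privilege: no rule may expose a port range to 0.0.0.0/0.
            params = rec["requestParameters"]
            for perm in params["ipPermissions"]["items"]:
                if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm["ipRanges"]["items"]):
                    revoke.append((params["groupId"], perm["fromPort"], perm["toPort"]))
    return stop, revoke

def lambda_handler(event, context):
    """Lambda entry point: the caller supplies the log text and applies the returned actions."""
    stop, revoke = review_cloudtrail(event["log"])
    return {"stop_instances": stop, "revoke_rules": revoke}
```

In a deployed function the log text would come from the S3 object CloudTrail delivered, and the returned lists would be fed to EC2 to stop the instances and revoke the rules.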

AWS Config
A time series of system change deltas.
(Diagram: changing resources → continuous change recording → AWS Config history, delivered as a stream and as snapshots, e.g. 2014-11-05)

AWS Assurance Programs
aws.amazon.com/compliance

AWS Data Processing Agreement contains Model Clauses
The Article 29 Working Party has approved the AWS Data Processing Agreement, which includes the Model Clauses.
For more details: bit.ly/aws-dpa
Data stays where the user stores it.
2 regions in EU.

VULNERABILITY & PENETRATION TESTING

MORE CONTROL. MORE VISIBILITY. MORE AUDITABILITY.

On “private clouds”...
92% of private clouds are still falling short of the core requirements: self-service, full automation, tracking and monitoring.

What are customers really looking for?

PRIVATE COMPUTE
PRIVATE STORAGE
PRIVATE NETWORK
PRIVATE KEY MANAGEMENT
GOVERNANCE

AWS Private Storage Capabilities
Choose the right level of storage isolation for every workload.
Encrypted object storage (Amazon S3)
Encrypted block storage (Amazon EBS)
Private encryption key management (AWS CloudHSM)
Single-tenant block storage
(Diagram labels: EC2, AWS Direct Connect)

AWS Private Compute Capabilities
Choose the right level of compute isolation for every workload.
EC2 in a VPC – software-defined network isolation
Dedicated instances – single-tenant infrastructure, physical isolation
Identity & Access Management – fine-grained access roles and groups

AWS Private Network Capabilities
Software-defined private network – AWS Virtual Private Cloud (VPC)
Dedicated private network connection to AWS – AWS Direct Connect
All services

AWS Private Key Management Capabilities

AWS CloudHSM
Dedicated HSM appliances.
Managed and monitored by AWS, but you control the keys.
Increase performance for applications that use HSMs for key storage or encryption.
Comply with stringent regulatory and contractual requirements for key protection.
(Diagram: EC2 Instance – AWS CloudHSM)

AWS Governance
Geographic data locality – control over regional replication
Fine-grained access control over data and resources – policies, resource-level permissions, temporary credentials
In-depth audits – AWS CloudTrail

INTEGRATION WITH ON-PREMISES RESOURCES
Integrated networking
Integrated access control
Integrated cloud backups
Single pane of glass
(Diagram: on-premises hosts 192.168.1.10 and 192.168.1.11, Microsoft Active Directory, custom LDAP, App 1, AWS Storage Gateway)

PRIVATE COMPUTE
PRIVATE STORAGE
PRIVATE NETWORK
PRIVATE KEY MANAGEMENT
GOVERNANCE

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers.”

Tom Soderstrom – CTO – NASA JPL

aws.amazon.com/security

LONDON

AGENDA
13:00 – 13:45 Get better business results with the cloud
13:50 – 14:35 Architecting for Greater Security on AWS
14:35 – 14:55 Coffee Break
14:55 – 15:40 Pragmatic approach to migration to the AWS Cloud
15:45 – 16:30 AWS Innovation in the Datacenter
16:30 – 18:00 Networking Session