Transcript of the PowerPoint presentation "Amazon Web Services Security & Compliance Overview" (Attila Lengyel, Enterprise Account Manager; Dob Todorov, Principal Security & Compliance Architect EMEA)
Slide 1: Amazon Web Services Security & Compliance Overview
Attila Lengyel, Enterprise Account Manager
Dob Todorov, Principal Security & Compliance Architect EMEA
Slide 2: undifferentiated heavy lifting
Slide 3: utility computing
Slide 4: AWS provides broad and deep services to support any cloud workload
• AWS Global Infrastructure
• Application Services
• Networking
• Deployment & Administration
• Database, Storage, Compute
Slide 5: Hundreds of Thousands of Customers in 190 Countries…
Slide 6: Every Imaginable Use Case
• Free steak campaign
• Facebook page
• Mars exploration ops
• Consumer social app
• Ticket pricing optimization
• SAP & Sharepoint
• Securities Trading Data Archiving
• Gene sequencing
• Marketing web site
• Interactive TV apps
• Financial markets analytics
• R&D data analysis
• Consumer social app
• Big data analytics
• Web site & media sharing
• Disaster recovery
• Media streaming
• Web and mobile apps
• Streaming webcasts
• Facebook app
• Consumer social app
Slide 7: Gartner Magic Quadrant
“AWS is the overwhelming market share leader, with more than five times the compute capacity in use than the aggregate total of the other fourteen providers.”
Gartner “Magic Quadrant for Cloud Infrastructure as a Service,” Lydia Leong, Douglas Toombs, Bob Gill, Gregor Petri, Tiny Haynes, August 19, 2013. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Steven Armstrong ([email protected]). Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Slide 8: Notable Financial Services Stories
Slide 9: Dutch National Bank (regulator)
Slide 10: AWS Regions and AWS Edge Locations
• US East (Northern Virginia)
• US West (Northern California)
• US West (Oregon)
• GovCloud (US ITAR Region)
• EU (Ireland)
• Asia Pacific (Singapore)
• Asia Pacific (Tokyo)
• Asia Pacific (Sydney)
• South America (Sao Paulo)
Slide 11: Availability Zones per region (diagram; each region is drawn with zones A and B, some also with C)
• US West (Northern California)
• US West (Oregon)
• South America (Sao Paulo)
• Asia Pacific (Singapore)
• EU West (Dublin)
• US East (Virginia)
• Asia Pacific (Tokyo)
• Asia Pacific (Australia)
Slide 12: Personal Data Protection in Europe
• EC Directive 95/46/EC: Personal Data Protection
• Use Amazon Web Services Dublin Region
• Safe Harbour EU Compliant
• Safe Harbour Switzerland Compliant
Slides 13 and 14: The Shared Responsibility Model in the Cloud
Security OF the Cloud (AWS):
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Foundation Services: Compute, Storage, Database, Networking
Security IN the Cloud (customer):
• Customer Data
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption & Data Integrity Authentication
• Server-side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption/Integrity/Identity)
• Optional -- Opaque Data: 0s and 1s (in flight/at rest)
Slides 15 and 16: Customer-managed Controls on Amazon EC2 (Data Protection at Rest and in Flight)
Layers (Security IN the Cloud, built on top of Security OF the Cloud):
• Applications
• Platforms
• Operating Systems
• Network Security
• Data: Encryption of Data at Rest, Encryption of Data in Flight
Controls:
• OS-level Firewalls/IDS/IPS Systems/Deep Security
• Security Groups & Network Access Control Lists
• Industry Standard Protocols: IPSec, SSL, SSH
• OS-level: Encrypted File System, Bitlocker, dm-crypt, Secure Cloud
Where encryption can be applied (slide 16):
• Application-level Encryption
• Platform-level Encryption
• Volume-level Encryption
• Network Traffic Encryption
Slide 17: AWS Certifications & Accreditations
• SOC 1 (SSAE 16 & ISAE 3402) Type II Audit
• SOC 2
• SOC 3 Audit (new in 2013)
• ISO 27001
• Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
(Diagram labels: Security OF the Cloud, Security IN the Cloud)
Slide 18: Q&A
Slides 19 to 21: User Identification, Authentication and Authorisation in the Cloud (diagram built up over three slides)
• AWS side: Amazon Identity & Access Management with IAM Users, in front of EC2, DynamoDB and S3
• Corporate side: Active Directory/LDAP with AD/LDAP Users, Enterprise Applications and Corporate Systems
• Slide 20 replaces the IAM Users with an Access Token for Federated Access, through which the AD/LDAP users reach the AWS services
• Slide 21 shows Shibboleth in place of Active Directory/LDAP as the identity source
Slide 22: SLAs, RTOs/RPOs
• A, Managed by AWS: EC2 SLA, S3 SLA, CloudFront SLA, RDS SLA
• B, System Design: System SLAs
• C, Defined by Business: Business Processes, RTO/RPO
Slide 23: Physical Security
ISO 27001; Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
• Amazon has been building large-scale data centers for many years
• Important attributes:
  • Non-descript facilities
  • Robust perimeter controls
  • Strictly controlled physical access
  • 2 or more levels of two-factor auth
• Controlled, need-based access
• All access is logged and reviewed
• Separation of Duties
  • employees with physical access don't have logical privileges
• Maps to an Availability Zone
Slide 24: Storage Device Decommissioning
• All storage devices go through this process
• Uses techniques from
  • DoD 5220.22-M (“National Industrial Security Program Operating Manual”)
  • NIST 800-88 (“Guidelines for Media Sanitization”)
• Ultimately
  • degaussed
  • physically destroyed
Slide 25: AWS CloudHSM
• Dedicated access to HSM appliances managed & monitored by AWS, but you control the keys
• Increase performance for applications that use HSMs for key storage or encryption
• Comply with stringent regulatory and contractual requirements for key protection
(Diagram: an EC2 Instance using AWS CloudHSM appliances)
Slide 26: Security of Data at Rest
• S3
  • Server side encryption (AES-256) – per object keys managed by AWS
  • Client-side asymmetric encryption – integrated within APIs
  • Client-side encryption: Amazon stores 0s and 1s
• EC2 + EBS
  • Enable partition/disk level encryption
  • Windows: use EFS (local certificates/centralised X.509)
  • Linux: use cryptsetup/dm-crypt/others
• RDS MySQL
  • Use SQL native encryption (server side)
  • Client side encryption
• RDS Oracle
  • Client-side encryption
Slide 27: Security of Data in Flight
• AWS APIs are Web services
  • SOAP over HTTPS
  • REST over HTTPS
  • User and data authentication through request signatures
• User access to Web Console
• Admin access to Servers
  • Use SSH with asymmetric keys, or X.509 certificates
  • Use RDP + MPPE or SSL protection
• Secure Application-level Protocols
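A simplified worked example of the request-signing idea on this slide, added here and not part of the deck. It is not AWS's own signing scheme (Signature Version 4); the header names, the key id and secret, the query parameters and the 300-second clock-skew window are all constructed for the demo. The client binds the method, path, sorted query, body hash and timestamp under an HMAC-SHA256; the server recomputes the value and compares it in constant time, so a tampered request, a wrong key or a stale timestamp is rejected.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed demo credential (hypothetical values, not real AWS keys).
ACCESS_KEY_ID = "DEMO-KEY-ID"
SECRET_KEY = b"demo-secret-not-a-real-key"
MAX_CLOCK_SKEW = 300  # seconds; assumed window after which a signed request is stale


def canonical_string(method, path, query, body, timestamp):
    """Bind everything the server will act on into one byte string.
    Query parameters are sorted so client and server serialise identically."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, urlencode(sorted(query.items())),
                      body_hash, str(timestamp)]).encode()


def sign_request(method, path, query, body, timestamp, secret=SECRET_KEY):
    """Client side: HMAC-SHA256 over the canonical string, sent as headers."""
    mac = hmac.new(secret, canonical_string(method, path, query, body, timestamp),
                   hashlib.sha256).hexdigest()
    return {"X-Key-Id": ACCESS_KEY_ID, "X-Timestamp": str(timestamp), "X-Signature": mac}


def verify_request(method, path, query, body, headers, now, secret=SECRET_KEY):
    """Server side: reject stale timestamps, then recompute and compare in constant time.
    A real service would look the secret up from X-Key-Id; one key is assumed here."""
    try:
        timestamp = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False  # expired, or replayed long after it was issued
    expected = sign_request(method, path, query, body, timestamp, secret)["X-Signature"]
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def demo():
    """Constructed request: one valid call, then the ways verification must fail."""
    now = 1_700_000_000
    query = {"Action": "DescribeInstances", "Version": "demo"}  # constructed parameters
    body = b""
    headers = sign_request("GET", "/", query, body, now)
    return {
        "valid": verify_request("GET", "/", query, body, headers, now + 5),
        "tampered_query": verify_request("GET", "/", {**query, "Action": "DescribeVolumes"},
                                         body, headers, now + 5),
        "wrong_key": verify_request("GET", "/", query, body, headers, now + 5,
                                    secret=b"some-other-key"),
        "stale": verify_request("GET", "/", query, body, headers, now + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The timestamp only bounds how long a captured signature stays usable; a service that must stop replays inside that window also needs a nonce or request id recorded on the server side.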
Slide 28: Network Traffic Flow Security
• Security Groups
  - Inbound traffic must be explicitly specified by protocol, port, and security group
  - VPC adds outbound filters
• VPC also adds Network Access Control Lists (ACLs): inbound and outbound stateless filters
• OS Firewall (e.g., iptables) may be implemented
  - completely user controlled security layer
  - granular access control of discrete hosts
  - logging network events
(Diagram: Inbound & Outbound Traffic passes Amazon Security Groups and then the OS Firewall before reaching an instance with an Encrypted File System and Encrypted Swap File)
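The stateful-versus-stateless distinction on this slide, as a small Python model added here (not AWS code, and the addresses, ports and rule shapes are constructed). A security group records accepted flows, so the reply to an accepted request passes without a rule of its own; a network ACL evaluates every packet, including the reply, against numbered rules in ascending order with a first-match decision and an implicit deny, so a reply on an ephemeral port is dropped until an outbound rule for that port range exists.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = towards the instance, "out" = leaving it
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def in_cidr(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


@dataclass
class SecurityGroup:
    """Stateful filter. Rules are (proto, port, cidr); inbound traffic must be
    allowed explicitly, and the reply to an accepted flow passes without a rule."""
    inbound: list
    outbound: list
    flows: set = field(default_factory=set)  # accepted flows, used to match replies

    def allows(self, p: Packet) -> bool:
        mirror = ("in" if p.direction == "out" else "out", p.dst, p.dport, p.src, p.sport)
        if mirror in self.flows:
            return True  # reply to a flow this group already accepted
        rules = self.inbound if p.direction == "in" else self.outbound
        peer = p.src if p.direction == "in" else p.dst
        ok = any(proto == p.proto and port == p.dport and in_cidr(peer, cidr)
                 for proto, port, cidr in rules)
        if ok:
            self.flows.add((p.direction, p.src, p.sport, p.dst, p.dport))
        return ok


@dataclass
class NetworkAcl:
    """Stateless filter. Rules are (number, proto, (low, high), cidr, action),
    evaluated in ascending number order; first match wins, nothing matching is denied.
    A reply is just another packet here and needs its own outbound rule."""
    inbound: list
    outbound: list

    def allows(self, p: Packet) -> bool:
        rules = self.inbound if p.direction == "in" else self.outbound
        peer = p.src if p.direction == "in" else p.dst
        for _, proto, (low, high), cidr, action in sorted(rules):
            if proto in (p.proto, "all") and low <= p.dport <= high and in_cidr(peer, cidr):
                return action == "allow"
        return False  # implicit deny


def demo():
    """Constructed web server (10.0.1.10) and Internet client (203.0.113.5, TEST-NET-3)."""
    web, client = "10.0.1.10", "203.0.113.5"
    sg = SecurityGroup(inbound=[("tcp", 443, "0.0.0.0/0")], outbound=[])
    acl = NetworkAcl(inbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
                     outbound=[])  # no rule yet for replies on ephemeral ports
    request = Packet("in", "tcp", client, 51000, web, 443)
    reply = Packet("out", "tcp", web, 443, client, 51000)
    ssh_probe = Packet("in", "tcp", client, 51001, web, 22)
    results = {
        "sg_request": sg.allows(request),
        "sg_reply": sg.allows(reply),
        "sg_ssh": sg.allows(ssh_probe),
        "acl_request": acl.allows(request),
        "acl_reply_without_ephemeral_rule": acl.allows(reply),
        "acl_ssh": acl.allows(ssh_probe),
    }
    acl.outbound.append((100, "tcp", (1024, 65535), "0.0.0.0/0", "allow"))
    results["acl_reply_with_ephemeral_rule"] = acl.allows(reply)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The same stateless rule set also shows why rule numbering matters: a deny rule with a lower number than the allow rule wins for every packet it matches, which is the mechanism for blocking a specific source range ahead of a broad allow.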
Slide 29: Amazon EC2 Instance Isolation
(Diagram: Physical Interfaces, Firewall and Hypervisor on the host; separate Virtual Interfaces for Customer 1, Customer 2 … Customer n, each customer with its own Security Groups)
Slide 30: Multi-tier Security Approach Example
• Web Tier: Ports 80 and 443 only open to the Internet
• Application Tier: Engineering staff have ssh access to the App Tier, which acts as Bastion
• Database Tier: Sync with on-premises database
• All other Internet ports blocked by default
(Diagram labels: Amazon EC2 Security Group, Firewall)
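An audit of the multi-tier design on this slide, added here as an example rather than taken from the deck: the three tiers are expressed as security-group rule lists and checked against the stated policy (80 and 443 from the Internet on the web tier only, ssh to the app tier only from engineering, everything else closed to the Internet). The group names, the application port 8080, the database port 3306, the engineering VPN range and the on-premises database range are assumptions for the demo.

```python
INTERNET = "0.0.0.0/0"
ENGINEERING_CIDR = "10.200.0.0/16"   # assumed VPN range engineering staff connect from
ONPREM_DB_CIDR = "10.100.5.0/24"     # assumed on-premises database network (sync peer)

# The slide's policy as {group: {(proto, port): set of approved sources}}.
# "sg:<name>" means another security group is the source, not a CIDR.
DESIGN = {
    "web": {("tcp", 80): {INTERNET}, ("tcp", 443): {INTERNET}},
    "app": {("tcp", 22): {ENGINEERING_CIDR},         # App Tier doubles as the bastion
            ("tcp", 8080): {"sg:web"}},              # assumed application port
    "db":  {("tcp", 3306): {"sg:app", ONPREM_DB_CIDR}},  # assumed DB port; on-prem sync
}


def audit(groups, design=DESIGN):
    """groups: {name: [(proto, port, source), ...]} as actually deployed.
    Returns one finding per rule that breaks the design; an empty list means compliant."""
    findings = []
    for name, rules in groups.items():
        approved = design.get(name, {})
        for proto, port, source in rules:
            internet_facing = source in (INTERNET, "::/0")
            if internet_facing and not (name == "web" and port in (80, 443)):
                findings.append(f"{name}: {proto}/{port} open to the Internet")
            elif (proto, port) not in approved:
                findings.append(f"{name}: {proto}/{port} from {source} is not in the design")
            elif source not in approved[(proto, port)]:
                findings.append(f"{name}: {proto}/{port} from unapproved source {source}")
    return findings


def compliant_groups():
    """Constructed rule set that matches the slide's design exactly."""
    return {
        "web": [("tcp", 80, INTERNET), ("tcp", 443, INTERNET)],
        "app": [("tcp", 22, ENGINEERING_CIDR), ("tcp", 8080, "sg:web")],
        "db": [("tcp", 3306, "sg:app"), ("tcp", 3306, ONPREM_DB_CIDR)],
    }


def drifted_groups():
    """The same rule set after three common mistakes: ssh opened on the web tier,
    the database exposed to the Internet, and the app port reachable from the VPN."""
    groups = compliant_groups()
    groups["web"].append(("tcp", 22, INTERNET))
    groups["db"].append(("tcp", 3306, INTERNET))
    groups["app"].append(("tcp", 8080, ENGINEERING_CIDR))
    return groups


if __name__ == "__main__":
    print("compliant:", audit(compliant_groups()))
    for finding in audit(drifted_groups()):
        print("finding:", finding)
```

Run against rules exported from the real environment, this kind of check turns the slide's design into something that can be verified on every change rather than once at launch.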
Slide 31: Amazon VPC Network Security Controls
Slide 32: Layered Defence
Slide 33: AWS Multi-Factor Authentication
• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
• Additional protection for account information
• Works with
  • Master Account
  • IAM Users
• Integrated into
  • AWS Management Console
  • Key pages on the AWS Portal
  • S3 (Secure Delete)
Slide 34: AWS Trusted Advisor
Available Programmatically via AWS Support APIs
Slide 35: Manage and Monitor Your Environments from Anywhere
Slide 36: Security & Compliance Resources
• Answers to many security & privacy questions
• Security Whitepaper
• Risk and Compliance Whitepaper
• Security Best Practices Whitepaper
• AWS Auditing Checklist
• Security Blog
• Security bulletins
• Penetration Testing
http://aws.amazon.com/security/
http://aws.amazon.com/compliance/