AWS Enterprise Summit London 2013 - Stephen Schmidt - AWS

Security of your data in AWS
Stephen Schmidt, VP Security Engineering & Chief Information Security Officer

Uploaded by amazon-web-services, posted on 25-May-2015, Category: Technology

TRANSCRIPT

Page 1: AWS Enterprise Summit London 2013 - Stephen Schmidt - AWS

Security of your data in AWS

Stephen Schmidt

VP Security Engineering & Chief Information Security Officer

Page 2

Cloud Security is:

• Universal
• Visible
• Auditable
• Transparent
• Shared
• Familiar

Page 3

Universal Cloud Security

Every customer has access to the same security capabilities, and gets to choose what’s right for their business.

– Governments
– Financial Sector
– Pharmaceuticals
– Entertainment
– Start-Ups
– Social Media
– Home Users
– Retail

Page 4

Visible Cloud Security

AWS allows the customer to see their ENTIRE infrastructure at the click of a mouse.

This, or this?

Page 5

Auditable Cloud Security

• How does a customer know AWS is right for their business?
  – 3rd-party audits
• Independent auditors
• Artifacts
  – Plans, policies and procedures
• Logs
  – Obtained
  – Retained
  – Analyzed

Page 6

Transparent Cloud Security

Customers choose the audit/certification that’s right for them:
  – ISO-27001
  – SOC-1, SOC-2, SOC-3
  – FedRAMP
  – PCI

Page 7

Security & Compliance Control Objectives

Control Objective 1: Security Organization
  – Who we are
  – Proper control & access within the organization

Control Objective 2: Amazon User Access
  – How we vet our staff
  – Minimization of access

Page 8

Security & Compliance Control Objectives

Control Objective 3: Logical Security
  – Our staff start with no systems access
  – Need-based access grants
  – Rigorous systems separation
  – Systems access grants regularly re-evaluated & automatically revoked

Page 9

Security & Compliance Control Objectives

Control Objective 4: Secure Data Handling
  – Storage media destroyed before being permitted outside our datacenters
  – Media destruction consistent with US Dept. of Defense Directive 5220.22

Control Objective 5: Physical Security and Environmental Safeguards
  – Keeping our facilities safe
  – Maintaining the physical operating parameters of our datacenters

Page 10

Security & Compliance Control Objectives

Control Objective 6: Change Management
  – Continuous operation

Control Objective 7: Data Integrity, Availability and Redundancy
  – Ensuring your data remains safe, intact & available

Control Objective 8: Incident Handling
  – Processes & procedures for mitigating and managing potential issues

Page 11

AWS Shared Responsibility Model

• Let AWS do the heavy lifting
• This is what we do – and we do it all the time
• The customer can focus on their business and not be distracted by the muck

Page 12

Physical Security

• Large non-descript facilities
• Robust perimeter controls
• 2-factor authentication for entry
• Controlled, need-based access for AWS employees
• All access is logged and reviewed

Page 13

Physical Security

Asia Pacific (Sydney)

Page 14

Network Security

• DDoS attacks defended at the border
• Man-in-the-Middle attacks
• SSL endpoints
• IP spoofing prohibited
• Port scanning prohibited
• Packet sniffing prevented

Page 15

AWS Data Protection Solutions

• AWS offers several data protection mechanisms, including access control, encryption, etc.
• AWS data encryption solutions allow customers to:
  – Encrypt and decrypt sensitive data inside or outside AWS
  – Decide which data to encrypt
• AWS CloudHSM complements existing AWS data protection and encryption solutions
• With AWS CloudHSM customers can:
  – Encrypt data inside AWS
  – Store keys in AWS within a Hardware Security Module
  – Decide how to encrypt data – the AWS CloudHSM implements cryptographic functions and key storage for customer applications
  – Use third-party validated hardware for key storage
  – AWS CloudHSMs are designed to meet Common Criteria EAL4+ and FIPS 140-2 standards

Page 16

AWS Security Center

• http://aws.amazon.com/security/
  – Security Whitepaper
  – Risk and Compliance Whitepaper
  – Regularly updated
  – Feedback is welcome
• http://blogs.aws.amazon.com/security