Cloud Computing for the Enterprise Dr. Werner Vogels CTO, Amazon.com April 24, 2012

Upload: amazon-web-services

Post on 14-Jan-2017


TRANSCRIPT

Cloud Computing for the Enterprise

Dr. Werner Vogels

CTO, Amazon.com

April 24, 2012

AWS Global Infrastructure

AWS Regions: US West (Northern California), US East (Northern Virginia), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), GovCloud (US ITAR Region), US West (Oregon), South America (Sao Paulo)

AWS Edge Locations

Powering the Most Popular Internet Businesses

Trusted by Enterprises and Government Agencies

What Enterprises are Running on AWS

• Web Applications
• Big Data & High Performance Computing
• Business Applications
• Disaster Recovery & Archive

The Scale of AWS: Amazon S3 Growth

Peak Requests: 650,000+ per second

Total Number of Objects Stored in Amazon S3 (chart):
Q4 2006: 2.9 Billion
Q4 2007: 14 Billion
Q4 2008: 40 Billion
Q4 2009: 102 Billion
Q4 2010: 262 Billion
Q4 2011: 762 Billion
Q1 2012: 905 Billion

Our Price Reduction Philosophy

Scale & Innovation … Drive Costs Down: Invest in Capital → Invest in Technology → Improve Efficiency → Reduce Prices → Attract More Customers

19 Price Reductions

AWS Platform Overview

Compute, Storage, Database, App Services, Deployment & Administration and Networking, built on the AWS Global Infrastructure

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Secure, redundant Cloud infrastructure for global companies and global apps

AWS Networking Services: Extend your enterprise infrastructure to the AWS Cloud

• Amazon Route 53: Scalable Domain Name Service
• AWS Direct Connect: Private, Dedicated Connection to AWS
• Amazon Virtual Private Cloud: VPN to Extend Your Network Topology to AWS

Compute Services: Scalable Linux and Windows compute services

• Amazon EC2: Virtual Servers in the AWS Cloud
• Auto Scaling: Rule-driven scaling service for EC2
• Amazon Elastic Load Balancing: Virtual load balancers for EC2

Storage Services: Scalable and Durable High Performance Cloud Storage

• Amazon S3: Redundant, High-Scale Object Store
• Amazon Elastic Block Store: Persistent block storage for EC2
• AWS Storage Gateway: Seamless backup of enterprise data to S3

Database Services: Scalable and Durable High Performance Cloud Storage

• Amazon DynamoDB: High Performance NoSQL Database Service
• Amazon RDS: Managed Oracle & MySQL Database Service
• Amazon ElastiCache: Managed Memcached Service

AWS App Services: Highly abstracted services that replace software for commonly needed application functionality

• Amazon SES: Simple Transactional Email Service
• Amazon SQS: Simple Queuing Service
• Amazon SNS: Simple Notification Service
• Amazon SWF: Simple Workflow Service
• Amazon CloudSearch: Managed Search Service that Automatically Scales
• Amazon CloudFront: Global Content Delivery Service

Ecosystem App Services: 3rd party highly abstracted services that replace software for commonly needed application functionality … and already run on AWS

• Test Services
• BI Services
• Developer Services
• Log Analysis Services
• Security Services

Deployment & Administration (AWS Ecosystem: 3rd party managed services that replace software for commonly needed application functionality … and already run on AWS)

• AWS Management Console: Web-based management interface
• Amazon CloudWatch: Automated monitoring & alerts
• AWS Elastic Beanstalk: Java & PHP App deployment & management
• AWS CloudFormation: Automated AWS resource provisioning
• AWS IAM: Identity & Access Management
• Amazon Elastic MapReduce: Big Data Analytics Service

AWS Pace of Innovation… (chart: launches per year)

2007: 9, including Amazon FPS, Red Hat Enterprise on EC2

2008: 24, including Amazon SimpleDB, Amazon CloudFront, Amazon EBS, EC2 Availability Zones, EC2 Elastic IP Addresses

2009: 48, including Amazon RDS, Amazon VPC, Amazon EMR, EC2 Auto Scaling, EC2 Reserved Instances, EC2 Elastic Load Balance, AWS Import/Export, AWS Mngmt Console, Win Srv 2008 on EC2, IBM Apps on EC2

2010: 61, including Amazon SNS, Amazon CloudFront, Amazon Route 53, S3 Bucket Policies, RDS Multi-AZ Support, RDS Reserved Databases, AWS Import/Export, AWS IAM Beta, AWS Singapore Region, Cluster Instances for EC2, Micro Instances for EC2, Amazon Linux AMI, Oracle Apps on EC2, SUSE Linux on EC2, VM Import for EC2

2011: 82, including AWS Oregon Region, Elastic Beanstalk (Beta), Amazon SES (Beta), AWS CloudFormation, Amazon RDS for Oracle, AWS Direct Connect, AWS GovCloud (US), Amazon ElastiCache, VPC Virtual Networking, VPC Dedicated Instances, SMS Text Notification, CloudFront Live Streaming, AWS Tokyo Region, SAP RDS on EC2, SAP BO on EC2, Win Srv 2008 R2 on EC2, Win Srv 2003 VM Import, Amazon S3 SSE

…Continuing in the First Quarter of 2012

January (7): Amazon DynamoDB, AWS Storage Gateway, Amazon RDS on Amazon VPC, AWS IAM Identity Federation, Windows Free Usage Tier, New Premium Support Features, New AWS Direct Connect Locations

February (6): Amazon Simple Workflow Service, Amazon DynamoDB in Japan, ElastiCache in Oregon and Sao Paulo, Amazon S3 Lower Prices, AWS CloudFormation for VPC, New Osaka and Milan Edge Locations

March (15): Amazon DynamoDB in Europe, Storage Gateway in South America, CloudFront Live Streaming, Route 53 Latency Based Routing, PHP and Git for Elastic Beanstalk, CloudFront Lowers Content Expiration, RDS Increases Backup Retention, IAM Password Management, IAM User Access to Account Billing, Amazon RDS Free Trial program, Amazon EC2 Medium Instances, 64-bit AMI on Small & Medium, EC2 Linux Login from Console, Beanstalk Resource Permissions, EC2, RDS, ElastiCache Lower Prices

AWS Direct Connect

• Private secure connection to AWS
• Bypass the public Internet
• High bandwidth and predictable latency

(Diagram: Corporate Data Center linked to the AWS Cloud over AWS Direct Connect, alongside the Internet path)

AWS Storage Gateway

• Easily backup on-premises data to AWS
• Store snapshots in Amazon S3 for backup and disaster recovery
• Simple software appliance - no changes required to your on-premises architecture

(Diagram: AWS Storage Gateway in Your Data Center sending snapshots to Amazon S3)

Amazon Simple Workflow Service

• Run application workflows and business processes on AWS
• Manage processes across Cloud, mobile and on-premises environments
• Use any programming language for workflow logic

(Diagram: Amazon SWF coordinating On Premises, Mobile and Cloud components)

Amazon DynamoDB

• Non Relational (NoSQL) Database
• Fast & predictable performance
• Seamless Scalability
• Zero administration

Amazon CloudSearch

• Fully managed search service
• Up and running in less than an hour
• Automatically scales for data and traffic
• Starting at less than $100 / month

PHP & Git Deployment for AWS Beanstalk

• Run and manage existing PHP applications with no changes to application code
• Provides full control over the infrastructure and the software

(Diagram: git push of Your App to Elastic Beanstalk, which runs it with PHP on Amazon Linux and Apache HTTP Server behind an Elastic Load Balancer at yourApp.elasticbeanstalk.com)

AWS Marketplace

• Find, buy and run software running on AWS
• More than 250 listings at launch
• Sell your software or SaaS app to our hundreds of thousands of customers

aws.amazon.com/marketplace

The AWS Mission

Enable businesses and developers to use web services to build scalable, sophisticated applications.

The Seven Transformations of Cloud Computing

A common misconception: cloud computing is only about… saving money and doing things faster.

Cloud Transforms what’s possible

Transformation 1: Distributed Architectures Made Easy

Building Distributed Architectures (High Availability) with Traditional Infrastructure is Difficult

Cloud Computing Makes This Easier

• Distributed Infrastructure Building Blocks: Availability Zones, AWS Regions, EC2 Instances, Elastic Load Balancer
• Multi-AZ Services: S3, RDS, DynamoDB
• Loosely Coupled Process Coordination: SWF, SNS, SQS

Architecture Templates for Common Patterns: aws.amazon.com/architecture (including MICROSOFT SHAREPOINT)

… open source Simian Army coming soon

Transformation 2: Embracing the security advantages of shared systems

Every Customer Gets the Highest Level of Security

AWS Security Infrastructure: SOC 1/SSAE 16/ISAE 3402, ISO 27001, PCI DSS, HIPAA, ITAR, FISMA Moderate, FIPS 140-2

Your Apps / Applications: Flexibility to Choose the Right Security Model for Each Application

Transformation 3: From Scaling by Architecture … to Scaling By Command

Kit, go faster / Yes Michael

Scaling by Architecture: NoSQL Database Cluster: Set up more servers → Config & Tune → Shard & Repartition → Rinse & Repeat

Scaling by Command with Amazon DynamoDB: Data is automatically spread across enough hardware to deliver single digit millisecond latency.

Transformation 4: A Supercomputer in the Hands of Every Developer

Supercomputers Today are Privileges of the Elite: Expensive; Rationed time; Only for the “highest value” jobs

Supercomputers by the Hour… for Everyone.

AWS built the 42nd fastest supercomputer in the world: 1,064 Amazon EC2 CC2 instances with 17,024 cores; 240 teraflops cluster (240 trillion calculations per second); Less than $1,000 per hour

Develops leading computational chemistry algorithms: 51,132 Cores… 3 Hours… $4,828/hour… Instead of $20M in datacenter spend…

Transformation 5: Experiment Often & Fail Quickly

Traditional Infrastructure Drives up the Cost of Failure … Innovation Suffers. How many big ticket technology ideas can your budget tolerate?

Experiment Often & Fail Quickly with AWS: Cost of failure falls dramatically; People are free to try out new ideas; More risk taking, more innovation

Transformation 6: Big Data without Big Servers

Attacking Big Data Problems Shouldn’t Be This Complicated: Storing Massive Data Volumes Into A Huge Data Warehouse; Investing In Expensive Server Clusters To Process The Data

The Cloud Makes This a Lot Simpler:
1. Load Data in the Cloud (Amazon S3, Amazon DynamoDB)
2. Organize & Analyze Data (Hadoop Clusters, Amazon EMR)
3. Visualize Results

Transformation 7: Mobile Ecosystem for a Mobile-First World

Building Mobile Applications on Your Own is Hard

What Your Mobile App Requires: Rich media experience; Multi-device access; Location context aware; Real-time presence driven; Social graph based; User generated content; Virtual goods economy; Recommendations; Integration with social networks; Advertisement; Premium support

Cloud Mobile Ecosystem

PBS Video for iPad Launched Nov ‘10; PBSKids Video for iPad Launched April ‘11

Fun With Numbers - February 2012
Total Video: Unique visitors: 30M/mo; Visits: 57M/mo; Page views: 367M/mo; Video streams: 145M/mo; Hours watched: 2.3M/mo
Mobile Video: 115k unique visitors per day; 310k daily app opens; 27% of hours watched, 40% of streams

Thank You!

How Enterprises are using the AWS Cloud

Dan Powers, VP, Global Sales and Business Development

Trusted by Enterprises throughout the world

Why? “IT spends 80% of its time and resources keeping the lights on”

On-Premise Infrastructure is Costly & Complex: Contract negotiation; Large Capital Expenditures; Patching Software; Out of Datacenter Space; Prices too high for IT products; Slow IT Deployments; Scaling down as needed; Underutilized IT Assets; Scaling up quickly; Managing physical growth

Key benefits to running in the AWS Cloud: No Up-Front Capital Expense; Pay Only for What You Use; Self-Service Infrastructure; Easily Scale Up and Down; Improve Agility & Time to Market; Low Variable Pricing

No Up-Front Capital Expense

Up-Front On-Premise Costs: Physical Space, Cabling, Power, Cooling, Networking, Racks, Servers, Storage, Certification, Labor

On-Premise vs. Variable Cloud Computing Costs: $0 to Get Started with Cloud Computing

Low Cost: “TCO savings inherent in a cloud provider’s environment relative to that of a traditional enterprise datacenter may be as high as 60%.” (Morgan Stanley Research, Cloud Computing Takes Off)

Scale & Innovation … Drive Costs Down: Invest in Capital → Invest in Technology → Improve Efficiency → Reduce Prices → Attract More Customers

Pay Only for What You Use

(Chart: Compute Power over Time, comparing Predicted Usage with Actual Usage; capacity above actual usage is Waste, demand above capacity is Customer Dissatisfaction)

Self-Service Infrastructure

On-Premise: Building new environments can be complex and slow. Needs Survey → Assess → Plan → Design → Engineer → Procure → Construct → Commission → Deploy (Source: PTS Data Center Solutions)

Cloud Computing: New infrastructure is always a few clicks away. New Development Environment; New Test Environment; New Environment in Japan; Add 1,000 Servers; Remove 1,000 Servers

Easily Scale Up and Down

Internet Video App on Amazon EC2: From 50 to 5,000 servers in 3 days (The Animoto Blog)

(Chart: Number of EC2 Instances, 0 to 5,000, Monday through Sunday; after the launch of the Facebook application, scaled to a peak of 5,000 instances in 3 days)

Cloud Computing is More Than Just Virtualization

(Table comparing Cloud Computing with On-Premise Virtualization on: Self-Service Infrastructure (?), No Up-Front Capital Expense, Low Cost, Pay Only for What You Use, Easily Scale Up and Down, Improve Agility & Time-to-Market)

What Analysts are Saying about AWS: Infrastructure-as-a-Service Market Share Leader; Leader in 2011 Gartner IaaS Magic Quadrant; Leader in 2011 Forrester Hadoop Wave

AWS Global Infrastructure: AWS Regions and AWS Edge Locations (map as shown earlier)

Built for Enterprise Security Standards

Certifications: SOC 1 Type 2 (formerly SAS-70); ISO 27001; PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM; FISMA Moderate Compliant Controls; HIPAA & ITAR Compliant Architecture

Physical Security: Datacenters in nondescript facilities; Physical access strictly controlled; Must pass two-factor authentication at least twice for floor access; Physical access logged and audited

HW, SW, Network: Systematic change management; Phased updates deployment; Safe storage decommission; Automated monitoring and self-audit; Advanced network protection

aws.amazon.com/security

Virtual Private Cloud

(Diagram: Your Network (10.1.1.1) connected over a VPN across the Internet to Enterprise Apps On AWS (10.2.1.1); a second diagram shows the same connection over AWS Direct Connect)

What Enterprises are Running on AWS: Web Applications; Big Data & High Performance Computing; Business Applications; Disaster Recovery & Archive

Business apps are more efficient in the cloud

A Variety of Enterprise Products and Licensing Options..

Popular Applications: SAP ERP/A1; SAP Business Objects; SAP Rapid Deployment Solutions; Oracle Applications; Oracle Fusion Middleware; Oracle DB 11g; Microsoft SharePoint Server; Microsoft Server and Tools; Microsoft Windows Server Apps; IBM DB2 and Informix; IBM WebSphere; IBM Lotus, Tivoli, etc.

License Mobility / Hourly Licensing: RedHat Enterprise Linux; JBOSS; Gluster

Amazon Corporate IT Deploys Mission-Critical Corporate Intranet running SharePoint 2010 to AWS Cloud

Benefits:
• Infrastructure Procurement Time reduced from over four to six weeks to minutes.
• Server Image Build Process that had previously taken a half day is now automated.
• Annual Infrastructure Costs cut by 22 percent when replacing on-premise hardware with equivalent cloud resources.
• Eliminating Operational Overhead of server lease returns, freeing up approximately 2 weeks of engineering overhead per year by replacing servers with equivalent cloud resources.

Enterprise case study (Shell)
• Using AWS since 2010
• Operationalizing their cloud strategy
• Shell Foundation Platform – an IT framework – is AWS approved
• Core operational applications running in production on AWS
• Default for new apps: AWS

Business Benefits
• No minimum commitment up front and pay per use brings significant savings
• Fast provisioning within minutes for many applications
• Elasticity – the ability to expand and contract IT infrastructure as needed

“The AWS Cloud brings business agility as Shell is able to deploy services much more quickly”
- Johan Krebers, Vice President of Architecture

Cloud-hosted service approved by security and privacy officers. Compliant with data privacy requirements in the U.S. and Europe. E-signature application in production.

Insurance and Financial Services company with over 15M customers. Address security challenges while handling customer data in a regulated industry. Amazon AWS services leveraged to deliver Trend Micro SecureCloud.

“This is a fantastic cloud use case for our company – a truly live production environment with dynamic content.”
- Rob Prager, Director of IT

Use of AWS / Business Benefit (SAP)

Project:
- Started in Jan 2008, 5 FTE
- Focus: IT Automation on IaaS
- SAP Self-service since March 2008
- Enables unlimited # systems in clouds
- Weekly Feature Extensions

Usage:
- 276 Cloud Appliances
- > 600 SAP employees as direct users from >16 countries
- >10,000 SAP systems provisioned
- Cost Savings based on 1. Less expensive Hardware Hosting, 2. IT Process Automation

AWS Footprint: 1,100 new SAP systems; 42,086 EC2 Instance Hours; 39 TB EBS Storage; 3 TB S3 Storage

Top 3 Consuming Departments – Avg. Cost Saving Rate: 77%
- Customer Trainings: 111 SAP Systems; $42 / SAP system; 82 hrs / SAP system; Status: Pilot + Ramp up
- Customer Demos: 118 SAP Systems; $76 / SAP system; 119 hrs / SAP system; Status: Productive + Ramp up
- Customer Workshops: 215 SAP Systems; $15 / SAP system; 26 hrs / SAP system; Status: Productive

Source: SAP

Enterprises getting to value quickly in the cloud

Samsung saved $34M on their Smart Hub application
Problem: Needed to reduce IT costs and were looking to create a more flexible IT environment
Solution: AWS’s low, pay-as-you-go prices and reliable services. With every request, the application authenticates devices, delivers apps and content, and pushes notifications.
Business Benefits: Saved $34M in hardware and maintenance expenses, 85% less than running on-premises

The Guardian easily responds to the unpredictable demand of new applications
Problem: Building new online services and they needed the ability to easily respond to large-scale unpredictable demand
Solution: The scale and reliability of the AWS Cloud. GNM uses AWS for its Apple iPhone application and Content API service
Business Benefits: Reduced server configuration from 3 weeks to 30 minutes; Able to meet availability SLAs even with significant demand peaks after the service’s launch.

FCBarcelona Responds to its Game Day Demand Peaks with AWS, Saving Money
Use of AWS: FCBarcelona’s websites, ecommerce, and mobile applications. Use Amazon EC2, Amazon CloudFront, Amazon RDS, Amazon Route 53, and many other services.
Business Benefits: Easily respond to game day peaks; Improved time-to-market

Enterprise Case Study (Schneider)
• Started moving Internet and Intranet workloads to AWS in early 2011
• Runs 15 production applications on AWS
• Used Amazon VPC to connect its datacenter to the AWS cloud

Business Benefit
• Open and flexible platform allows Schneider to run Java and .NET apps on Windows and Linux virtual servers
• Increased IT agility by rolling out new applications faster on AWS

“IaaS will significantly change the way IT will deliver infrastructure services to the business. We selected AWS because they are a leader in that field.”
- Yves Martelle, Global Director of Infrastructure

Enterprises are scaling elastically in the cloud

Bank – Credit-Risk Simulation

“The AWS platform was a good fit for its unlimited and flexible computational power to our risk-simulation process requirements. With AWS, we now have the power to decide how fast we want to obtain simulation results, and, more importantly, we have the ability to run simulations not possible before due to the large amount of infrastructure required.”
– Castillo, Director, Bankinter

Average time-to-solution down from 23 hours to 20 minutes

Big Data Case Study (Capital IQ / Standard & Poors)
• Recommendation engine for investment bankers looking for new ideas.
• Leverages EC2, EMR, S3, VPC.
• EMR pulls data from S3 for processing and pushes the results into a SQL database.

Business Benefit
• EMR and S3 provided a low-cost and high-performance foundation for parallel applications
• Increased security by using VPC to extend the corporate datacenter into the AWS cloud

“We see continued value in using the AWS cloud because of the flexibility and the scalability. We have a long queue of projects and we envision using AWS to help us get there.”
- Jeff Sternberg, Data Science Lead, Capital IQ / Standard & Poors

The Story (Unilever)
• New biology and informatics program promotes access to public data
• Underlying architecture must keep pace with expanding scientific discoveries
• Simple but robust solution combines Amazon EC2, Amazon RDS, and Amazon S3 with the open-source workflow system, eHive

Business Benefit
• Ten times as many scientists can process studies simultaneously, compared to non-cloud architecture
• Genetic sequence processing is twenty times faster, without increasing compute costs
• Both companies are confident that the AWS-based program helps Unilever’s scientists create market-leading innovations

“Unilever’s digital data program now processes genetic sequences twenty times faster—without incurring higher compute costs. In addition, its robust architecture supports ten times as many scientists, all working simultaneously.”
- Pete Keeley, Unilever Research’s eScience IT Lead for Cloud

Enterprises are protecting their data in the cloud

HAVEN POWER

Use of AWS
• U.K.-based electric company
• Needed flexible disaster recovery
• AWS offered flexibility, proven services, lower cost
• Smart421 able to quickly translate requirements into a solution
• Running disaster recovery, testing, and development on AWS
• Planning big data projects on AWS

Business Benefit
• Flexible DR architecture at low cost
• Avoided large up-front investment
• IT and Operations are more responsive to the business
• New builds that used to take days now take hours

“The primary driver wasn't cost, but rather the ability to set up the infrastructure even though we recognized the design was changing.”
- Paul Armstrong, Business Systems Manager

Archive Vaulting solution (IT-Lifeline, Washington Trust Bank)

Business Benefits
• Complete elimination of tape from the archival process
• Faster recovery speeds
• Protects 246 nodes and 40TB daily

“Since 2003 we used IT-Lifeline to safeguard our corporate data and provide data center, technology, and workspace recovery if adversity strikes. Because they have delivered their promise of recovery on multiple occasions, we feel confident in expanding our relationship with IT-Lifeline.”
- Jim Brockett, Chief Information Officer, Washington Trust Bank

Fortune 400 Customer Uses Sonian to Migrate Archiving to AWS

Business Problem (Customer):
• Had a legacy on-prem archive system that wasn’t keeping up with their incoming data – 10K mailboxes
• Challenged to find support for Lotus Domino archiving
• Needed support for early-case assessment and internal investigations

AWS Solution (Partner: Sonian): Sonian’s email archiving platform to enable:
• Enhanced early case assessment activities
• Intuitive search capabilities
• Cost-effective archiving solution

Business Benefit:
• Reduced risk on company’s early case assessment
• Enabled search across millions of archived emails to facilitate eDiscovery as well as worker productivity
• 50% less cost than on-premise archiving
• Reduced overhead on IT staff to support archiving

Next Steps: Learn more on Enterprise Cloud Computing at aws.amazon.com/enterprise. Get started with a free trial at aws.amazon.com/free

Thank You!

# Cloud Computing for the Enterprise | London

hashtag

#AWSLondon

WiFi access

Network: WCH

Username: AMAZON

Password: P6FW3HY

AWS: Overview of Security Processes

Stephen Schmidt, Chief Information Security Officer

Certifications & Accreditations: Sarbanes-Oxley (SOX) compliance; ISO 27001 Certification; PCI DSS Level I Certification; HIPAA compliant architecture; SAS 70 (SOC 1) Type II Audit; FISMA Low & Moderate ATOs; DIACAP MAC III-Sensitive; Pursuing DIACAP MAC II–Sensitive

Shared Responsibility Model

Customer/SI Partner/ISV controls:
• Guest OS-level security, including patching and maintenance
• Application level security, including password and role based access
• Host-based firewalls, including Intrusion Detection/Prevention Systems

Separation of Access

Physical Security:
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)

Management Plane Administrative Access:
• Multi-factor, controlled, need-based access to administrative host
• All access logged, monitored, reviewed
• AWS Administrators DO NOT have logical access inside a customer’s VMs, including applications and data

AWS Security Model Overview

VM Security:
• Multi-factor access to Amazon Account
• Instance Isolation: Customer-controlled firewall at the hypervisor level; Neighboring instances prevented access; Virtualized disk management layer ensures only account owners can access storage disks (EBS)
• Support for SSL end point encryption for API calls

Network Security:
• Instance firewalls can be configured in security groups; the traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
• Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources

Shared Responsibility Model

AWS: Facilities; Physical Security; Physical Infrastructure; Network Infrastructure; Virtualization Infrastructure

Customer: Operating System; Application; Security Groups; Network ACLs; Network Configuration; Account Management

AWS Security Resources: http://aws.amazon.com/security/

• Security Whitepaper
• Risk and Compliance Whitepaper
• Latest Versions May 2011 and January 2012 respectively
• Regularly Updated
• Feedback is welcome

AWS Certifications

• Sarbanes-Oxley (SOX)
• ISO 27001 Certification
• Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant
• SAS70 (SOC 1) Type II Audit
• FISMA A&As: Multiple NIST Low Approvals to Operate (ATO); NIST Moderate, GSA issued ATO; FedRAMP
• DIACAP MAC III Sensitive IATO
• Customers have deployed various compliant applications such as HIPAA (healthcare)

SOC 1 Type II

Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report every six months and maintains a favorable unbiased and unqualified opinion from its independent auditors. AWS identifies those controls relating to the operational performance and security to safeguard customer data. The SOC 1 report audit attests that AWS’ control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is on-going and we plan to continue our process of periodic audits. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report. This report is available to customers under NDA.

SOC 1 Type II – Control Objectives

Control Objective 1: Security Organization

Control Objective 2: Amazon Employee Lifecycle

Control Objective 3: Logical Security

Control Objective 4: Secure Data Handling

Control Objective 5: Physical Security

Control Objective 6: Environmental Safeguards

Control Objective 7: Change Management

Control Objective 8: Data Integrity, Availability and Redundancy

Control Objective 9: Incident Handling

ISO 27001

AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure, data centers in all regions worldwide, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). We have established a formal program to maintain the certification.

Physical Security

Amazon has been building large-scale data centers for many years. Important attributes:
• Non-descript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth
• Controlled, need-based access for AWS employees (least privilege)
• All access is logged and reviewed

AWS Regions and Availability Zones: Customer Decides Where Applications and Data Reside

(Map of AWS Regions and AWS Edge Locations, as listed earlier)

AWS Identity and Access Management

• Enables a customer to create multiple Users and manage the permissions for each of these Users.
• Secure by default; new Users have no access to AWS until permissions are explicitly granted.
• AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead all interactions with AWS Services and resources should be with AWS IAM User security credentials.
• Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.
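An added Python example (not from the slides) that models the "secure by default" rule above: a freshly created User has no policy and is denied everything, and only an explicit Allow grants a permission. The policy documents, bucket names and ARNs are constructed, and the explicit-Deny-wins rule is standard IAM behaviour assumed here rather than stated on the slide.

```python
"""Minimal evaluator for IAM-style policy documents (added example).
Default decision is Deny; an explicit Allow grants; an explicit Deny
always wins. Wildcards '*' and '?' in Action and Resource are matched the
way IAM does. All policies and ARNs below are constructed samples."""
import fnmatch
import json


def _as_list(value):
    # IAM accepts a single string or a list in Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def _wildcard(pattern: str, value: str) -> bool:
    # '*' matches any run of characters and '?' exactly one, as in IAM.
    # fnmatch also treats '[' specially; action names and ARNs do not use it.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action: str, resource: str) -> str:
    """Decide one request against every policy attached to the User.
    Actions compare case-insensitively, resources (ARNs) case-sensitively."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            action_hit = any(_wildcard(p.lower(), action.lower())
                             for p in _as_list(stmt["Action"]))
            resource_hit = any(_wildcard(p, resource)
                               for p in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit Deny ends evaluation
                allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: default Deny


# Constructed sample policy: read-only access to one bucket.
READ_REPORTS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]
  }]
}""")

# Constructed sample policy: broad EC2 rights with one explicit Deny.
EC2_OPERATOR = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
  ]
}""")


def demo():
    """Decisions for three Users: one brand new, one analyst, one operator."""
    new_user = []                      # freshly created, nothing attached
    analyst = [READ_REPORTS]
    operator = [READ_REPORTS, EC2_OPERATOR]
    report = "arn:aws:s3:::reports/q1.csv"
    return {
        "new user reads report": evaluate(new_user, "s3:GetObject", report),
        "analyst reads report": evaluate(analyst, "s3:GetObject", report),
        "analyst writes report": evaluate(analyst, "s3:PutObject", report),
        "analyst reads payroll": evaluate(analyst, "s3:GetObject",
                                          "arn:aws:s3:::payroll/x.csv"),
        "operator stops instance": evaluate(operator, "ec2:StopInstances", "*"),
        "operator terminates": evaluate(operator, "ec2:TerminateInstances", "*"),
    }


if __name__ == "__main__":
    for check, decision in demo().items():
        print(f"{check:26s} {decision}")
```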

AWS MFA Benefits

• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
• Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console
• Adds an extra layer of protection to sensitive information, such as your AWS access identifiers
• Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data

Amazon EC2 Security

Host operating system: Individual SSH keyed logins via bastion host for AWS admins; All accesses logged and audited

Guest operating system: Customer controlled at root level; AWS admins cannot log in; Customer-generated keypairs

Firewall: Mandatory inbound instance firewall, default deny mode; Outbound instance firewall available in VPC; VPC subnet ACLs

Signed API calls: Require X.509 certificate or customer’s secret AWS key

Amazon EC2 Instance Isolation

(Diagram: Physical Interfaces → Hypervisor → Firewall → Virtual Interfaces to Customer 1, Customer 2 … Customer n, each behind its own Security Groups; Amazon EC2 Instances with Virtual Memory & Local Disk; an Amazon EC2 Instance may use an Encrypted File System and Encrypted Swap File)

• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an added layer of security

Network Security Considerations

DDoS (Distributed Denial of Service): Standard mitigation techniques in effect

MITM (Man in the Middle): All endpoints protected by SSL; Fresh EC2 host keys generated at boot

IP Spoofing: Prohibited at host OS level

Unauthorized Port Scanning: Violation of AWS TOS; Detected, stopped, and blocked; Ineffective anyway since inbound ports are blocked by default

Packet Sniffing: Promiscuous mode is ineffective; Protection at hypervisor level

Amazon Virtual Private Cloud (VPC)

• Create a logically isolated environment in Amazon’s highly scalable infrastructure
• Specify your private IP address range into one or more public or private subnets
• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
• Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
• Attach an Elastic IP address to any instance in your VPC so it can be reached directly from the Internet
• Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted VPN connection and/or AWS Direct Connect
• Use a wizard to easily create your VPC in 4 different topologies
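The Network Security slide earlier (security groups filtering by protocol, service port and source IP or CIDR block) and the two VPC filtering layers listed here (stateless Network ACLs beside stateful Security Groups) are modelled together in this added Python example, which is not from the slides. It shows why an ACL needs its own rule for the reply half of a flow while a Security Group does not; first-match evaluation of numbered ACL rules, "-1" for any protocol, the 1024-65535 ephemeral range and every address and rule are assumptions or constructed samples.

```python
"""Toy model of VPC Security Groups (stateful) and Network ACLs (stateless).
Added example; rule numbering, first-match ACL evaluation, "-1" meaning any
protocol and the ephemeral range are modelling assumptions, and all
addresses and rules below are constructed samples."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str   # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny" (Security Groups only ever allow)
    protocol: str    # "tcp", "udp", "icmp" or "-1" for any
    from_port: int
    to_port: int
    cidr: str        # single IP (/32) or CIDR block, as on the slide
    number: int = 0  # ACL evaluation order; unused by Security Groups


def rule_matches(rule: Rule, protocol: str, port: int, remote_ip: str) -> bool:
    """Protocol, destination-port range and remote CIDR must all match."""
    return (rule.protocol in ("-1", protocol)
            and rule.from_port <= port <= rule.to_port
            and ipaddress.ip_address(remote_ip)
            in ipaddress.ip_network(rule.cidr, strict=False))


class SecurityGroup:
    """Stateful instance firewall: whitelist only, default deny, tracked flows."""

    def __init__(self, inbound, outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.flows = set()  # connection-tracking table

    def allow_inbound(self, p: Packet) -> bool:
        ok = any(rule_matches(r, p.protocol, p.dst_port, p.src_ip) for r in self.inbound)
        if ok:
            self.flows.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.protocol))
        return ok

    def allow_outbound(self, p: Packet) -> bool:
        # A reply to a tracked flow passes even with no outbound rule at all.
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.protocol) in self.flows:
            return True
        return any(rule_matches(r, p.protocol, p.dst_port, p.dst_ip) for r in self.outbound)


class NetworkAcl:
    """Stateless subnet filter: first matching numbered rule wins, else deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _decide(rules, p: Packet, remote_ip: str) -> bool:
        for r in rules:
            if rule_matches(r, p.protocol, p.dst_port, remote_ip):
                return r.action == "allow"
        return False  # implicit final deny

    def allow_inbound(self, p: Packet) -> bool:
        return self._decide(self.inbound, p, p.src_ip)

    def allow_outbound(self, p: Packet) -> bool:
        # The reply carries the client's ephemeral port as its dst_port.
        return self._decide(self.outbound, p, p.dst_ip)


def https_round_trip(sg, acl, client_ip="203.0.113.10", instance_ip="10.0.1.20"):
    """One HTTPS request and its reply through the ACL and the Security Group.
    Returns (request_admitted, reply_admitted)."""
    request = Packet(client_ip, instance_ip, "tcp", 51515, 443)
    reply = Packet(instance_ip, client_ip, "tcp", 443, 51515)
    request_ok = acl.allow_inbound(request) and sg.allow_inbound(request)
    reply_ok = request_ok and sg.allow_outbound(reply) and acl.allow_outbound(reply)
    return request_ok, reply_ok


def https_sg(source_cidr="0.0.0.0/0"):
    # Inbound tcp/443 only, from the given IP or CIDR block; no outbound rules.
    return SecurityGroup([Rule("allow", "tcp", 443, 443, source_cidr)])


def acl_without_ephemeral():
    # Common mistake: inbound 443 allowed, but nothing lets the reply back out.
    return NetworkAcl([Rule("allow", "tcp", 443, 443, "0.0.0.0/0", 100)], [])


def acl_with_ephemeral():
    return NetworkAcl([Rule("allow", "tcp", 443, 443, "0.0.0.0/0", 100)],
                      [Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", 100)])


if __name__ == "__main__":
    print(https_round_trip(https_sg(), acl_without_ephemeral()))  # (True, False)
    print(https_round_trip(https_sg(), acl_with_ephemeral()))     # (True, True)
    print(https_round_trip(https_sg("198.51.100.0/24"), acl_with_ephemeral()))  # (False, False)
```

The first run shows the stateless trap: the request is admitted but the reply is dropped at the ACL, while the Security Group passes it from its flow table.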

Amazon VPC Architecture / Amazon VPC Network Security Controls

(Diagram: Customer’s Network reaches the Customer’s isolated AWS resources in Subnets inside the Amazon Web Services Cloud either by a Secure VPN Connection over the Internet, through a Router and VPN Gateway, or by AWS Direct Connect with a Dedicated Path/Bandwidth; the VPC also shows an Internet gateway and NAT)

Amazon VPC - Dedicated Instances

• New option to ensure physical hosts are not shared with other customers
• $10/hr flat fee per Region + small hourly charge
• Can identify specific Instances as dedicated
• Optionally configure entire VPC as dedicated

AWS Deployment Models

(Table comparing Commercial Cloud, Virtual Private Cloud (VPC) and AWS GovCloud (US) on: Logical Server and Application Isolation; Granular Information Access Policy; Logical Network Isolation; Physical server Isolation; Government Only Physical Network and Facility Isolation; ITAR Compliant (US Persons Only))

Sample Workloads:
• Commercial Cloud: Public facing apps. Web sites, Dev test etc.
• Virtual Private Cloud (VPC): Data Center extension, TIC environment, email, FISMA low and Moderate
• AWS GovCloud (US): US Persons Compliant and Government Specific Apps.

Thanks!

Remember to visit

https://aws.amazon.com/security
