LIFT OFF 2017: AWS and Cloud Computing

Tim Sandage, Senior Security Partner Strategist, Amazon Web Services


Posted on 14-Apr-2017


TRANSCRIPT

Page 1: LIFT OFF 2017: AWS and Cloud Computing

Tim Sandage, Senior Security Partner Strategist, Amazon Web Services

Page 2

Cloud Computing - How Does it Work?

Security Benefits • Expert Guidance • Product Features • Compliance

Cloud Computing provides a simple and secure way to access servers, storage, databases and a broad set of application services over the Internet.

Page 3

AWS “Shared Responsibility” model illustrated

Page 4

AWS Global Infrastructure

AWS Cloud operates 42 Availability Zones within 16 geographic Regions around the world.

Canada Edge locations:

• Montreal, QC
• Toronto, ON

Page 5

Cloud Computing Security?

Page 6

Yes, when deployed Correctly…

• Focus - Promotes culture of “everyone is an owner” for security
• Prioritize - Makes security a stakeholder in business success
• Enables - Easier and smoother communication

Distributed Embedded

Page 7

AWS Cloud Security

“We worked closely with the Amazon team to develop a security model, which we believe enables us to operate more securely in the public cloud than we can even in our data centers.”

Rob Alexander CIO, Capital One

Page 8

Cloud Computing Trends

Hybrid Cloud Computing

Cloud Services Brokerage

Cloud Friendly Decision Frameworks

Cloud-Optimized Application Design

Page 9

AWS Reports, Certifications & Accreditations

https://aws.amazon.com/compliance/

Page 10

Traditional Security Approaches…

Defense in Depth

• Multi level security
• Physical security of the data centers
• Network security
• System security
• Data security

Page 11

AWS Security by Design

Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing.

Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process.

Identity & Access Management

CloudTrail

CloudWatch

Config Rules

Trusted Advisor

CloudHSM

Key Management Service

Directory Service

Page 12

Security by Design - Design Principles

• Build security in every layer
• Design for failures
• Implement auto-healing
• Think parallel
• Plan for Breach
• Don't fear constraints
• Leverage different storage options
• Design for cost
• Treat Infrastructure as Code

• Modular
• Versioned
• Constrained

Develop new risk mitigation capabilities that go beyond global security frameworks: treat risks, eliminate manual processes, and optimize evidence and audit ratification processes through rigid automation.

Page 13

SbD - Modernizing Technology Governance (MTG)

1. Decide what to do (Strategy)
1.1 Identify Stakeholders
1.2 Identify Your Workloads Moving to AWS

2. Analyze and Document (outside of AWS)
2.1 Rationalize Security Requirements
2.2 Define Data Protections and Controls
2.3 Document Security Architecture

3. Automate, Deploy & Monitor
3.1 Build/deploy Security Architecture
3.2 Automate Security Operations
3.3 Continuous Monitor
3.4 Testing and Game Days

4. Certify
4.1 Audit and Certification

Page 14

Automating - Security Requirements

AWS has partnered with CIS Benchmarks to create consensus-based technical security configuration guides which align to multiple security frameworks globally.

https://www.cisecurity.org/

The Benchmarks are:

Technical security control rules/values for hardening AWS services, and for auditing and remediating configurations.
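The slide describes the Benchmarks as rules for hardening, auditing and remediating configurations. The following added example (not from the presentation, AWS or CIS) shows what one such rule looks like when automated in the shape of an AWS Config custom rule evaluation: it flags security groups that allow world-open ingress to SSH or RDP, a check of the kind the CIS AWS Foundations Benchmark specifies. The configuration items, resource ids and the simplified item layout are constructed for this example.

```python
import ipaddress

ADMIN_PORTS = (22, 3389)  # SSH and RDP: the ports this CIS-style check guards

def _covers_port(perm, port):
    """True if an ipPermissions entry reaches `port`; protocol -1 means all traffic."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535)

def _is_world_open(cidr):
    """True for a CIDR spanning the whole IPv4 or IPv6 space (0.0.0.0/0, ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed CIDR: do not crash the rule, report it elsewhere

def evaluate_security_group(item):
    """Evaluate one configuration item; returns (complianceType, annotation)."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule applies to security groups only"
    open_ports = set()
    for perm in item["configuration"].get("ipPermissions", []):
        cidrs = [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
        if any(_is_world_open(c) for c in cidrs):
            open_ports.update(p for p in ADMIN_PORTS if _covers_port(perm, p))
    if open_ports:
        ports = ",".join(str(p) for p in sorted(open_ports))
        return "NON_COMPLIANT", "world-open ingress to admin ports " + ports
    return "COMPLIANT", "no world-open administrative ports"

def sg_item(rid, perms):
    """Build a constructed, simplified Config item for a security group."""
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": rid,
            "configuration": {"ipPermissions": perms}}

# Constructed samples (not real account data): SSH open to the world, a web
# tier with SSH limited to a private range, and an allow-all IPv6 rule.
SAMPLE_ITEMS = [
    sg_item("sg-example-bastion", [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                    "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]),
    sg_item("sg-example-web", [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]}]),
    sg_item("sg-example-any", [{"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]),
]
```

In a real deployment the same evaluation would run inside a Lambda-backed Config rule and its result would be reported back to Config, which then drives the auditing and remediation the slide refers to.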

Page 15

Security Automation Building Blocks

Automate deployments, provisioning, and configurations of the AWS customer environments

• CloudFormation: Template → Stack → Instances, Apps, Resources
• Service Catalog: Design Package → Products, Portfolios → Deploy, Constrain
• Identity & Access Management: Set Permissions

Page 16

Splunk App for AWS

AWS Data Sources: EC2, EMR, Kinesis, R53, VPC, ELB, S3, CloudFront, CloudTrail, CloudWatch, Redshift, SNS, API Gateway, Config, RDS, CF, IAM, Lambda

Explore • Analyze • Dashboard • Alert • Act

Comprehensive AWS Visibility

Page 17

SbD - Modernizing Technology Governance (MTG)

Automate Governance

Automate Deployments

Automate Security Operations

Continuous Compliance

Page 18

Thank You!