Bill Murray
General Manager, AWS Security Programs
AWS Cloud Security
Cloud Security is:
• Universal
• Visible
• Auditable
• Transparent
• Shared
• Familiar
Universal Cloud Security
• Every Customer Has Access to the Same Security Capabilities, and Gets to Choose What’s Right for Their Business
- Governments
- Financial Sector
- Pharmaceuticals
- Entertainment
- Start-Ups
- Social Media
- Home Users
- Retail
Visible Cloud Security
• AWS allows you to see your ENTIRE infrastructure at the click of a mouse.
- Can you map your current network?
[Slide images: two contrasting network maps, captioned "This, or this?"]
Auditable Cloud Security
• How do you know AWS is right for your business?
- 3rd Party Audits
• Independent auditors
- Artifacts
• Plans, Policies and Procedures
- Logs
• Obtained
• Retained
• Analyzed
Transparent Cloud Security
• Choose the audit/certification that’s right for you:
- ISO-27001
- SOC-1, SOC-2, SOC-3
- FedRAMP
- PCI
Security & Compliance Control Objectives
• Control Objective 1: Security Organization – Who we are
– Proper control & access within the organization
• Control Objective 2: Amazon User Access
– How we vet our staff
– Minimization of access
• Control Objective 3: Logical Security
– Our staff start with no systems access
– Need-based access grants
– Rigorous systems separation
– Systems access grants regularly re-evaluated & automatically revoked
• Control Objective 4: Secure Data Handling
– Storage media destroyed before being permitted outside our datacenters
– Media destruction consistent with US Dept. of Defense Directive 5220.22
• Control Objective 5: Physical Security and Environmental Safeguards
– Keeping our facilities safe
– Maintaining the physical operating parameters of our datacenters
• Control Objective 6: Change Management
– Continuous Operation
• Control Objective 7: Data Integrity, Availability and Redundancy
– Ensuring your data remains safe, intact & available
• Control Objective 8: Incident Handling
– Processes & procedures for mitigating and managing potential issues
Shared Responsibility
• Let AWS do the heavy lifting
• This is what we do – and we do it all the time
• As the AWS customer you can focus on your business and not be distracted by the muck
• AWS
- Facilities
- Physical Security
- Physical Infrastructure
- Network Infrastructure
- Virtualization Infrastructure
• Customer
- Choice of Guest OS
- Application Configuration Options
- Account Management flexibility
- Security Groups
- Network ACLs
Physical Security
• Large non-descript facilities
• Robust perimeter controls
• 2 factor authentication for entry
• Controlled, need-based access for AWS employees
• All access is logged and reviewed
• Distributed Regions – Multiple Availability Zones
Network Security
• DDoS attacks defended at the border
• Man-in-the-Middle attacks
- SSL endpoints
• IP Spoofing prohibited
• Port scanning prohibited
• Packet Sniffing prevented
Amazon EC2 Security
• Host operating system
– Individual SSH keyed logins via bastion host for AWS admins
– All accesses logged and audited
• Guest operating system
– Customer controlled at root level
– AWS admins cannot log in
– Customer-generated keypairs
• Stateful firewall
– Mandatory inbound firewall, default deny mode
• Signed API calls
– Require X.509 certificate or customer’s secret AWS key
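Added example, not from the slides: what "signed API calls with the customer's secret AWS key" looks like in practice. It assumes AWS Signature Version 4 (HMAC-SHA256 over a canonical request, with a key derived per day, region and service) as the scheme, which the slide does not name; the credentials and request are constructed, and the verifier shows the service-side check that rejects any tampered request.

```python
import hashlib
import hmac

# Constructed example credentials (not real AWS keys).
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """SigV4 canonical form: lowercased, sorted headers plus the payload hash."""
    names = sorted(h.lower() for h in headers)
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    canon_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    signed = ";".join(names)
    return "\n".join([method, path, query, canon_headers, signed, sha256_hex(payload)]), signed


def signing_key(secret, date_stamp, region, service):
    """Derive a key scoped to one day/region/service; the raw secret never signs a request."""
    k = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    for part in (region, service, "aws4_request"):
        k = hmac_sha256(k, part)
    return k


def sign_request(method, host, path, query, payload, amz_date, region, service,
                 secret=SECRET_KEY, access_key=ACCESS_KEY):
    """Return the headers to send and the hex signature over method, path, query, headers, body."""
    headers = {"host": host, "x-amz-date": amz_date}
    creq, signed = canonical_request(method, path, query, headers, payload)
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    sig = hmac.new(signing_key(secret, date_stamp, region, service), string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    auth = f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"
    return {**headers, "Authorization": auth}, sig


def verify_signature(sent_headers, method, host, path, query, payload, region, service, secret):
    """Service-side check: recompute from the shared secret and compare in constant time."""
    _, expected = sign_request(method, host, path, query, payload,
                               sent_headers["x-amz-date"], region, service, secret=secret)
    presented = sent_headers["Authorization"].rsplit("Signature=", 1)[1]
    return hmac.compare_digest(expected, presented)
```

Because the date is part of both the derived key and the string to sign, a captured signature cannot be replayed on another day or against another service even if the request bytes are otherwise identical.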
[Diagram: physical interfaces feed a hypervisor hosting Customer 1, Customer 2 … Customer n; each customer's virtual interfaces pass through the firewall and that customer's own Security Groups]
Amazon VPC Architecture
[Diagram: the customer's network reaches its isolated AWS resources in VPC subnets either over a secure VPN connection across the Internet (VPN Gateway) or via AWS Direct Connect (dedicated path/bandwidth); the VPC side also shows a Router, NAT and the Internet]
VPC - Dedicated Instances
• Option to ensure physical hosts are not shared with other customers
• $2/hr flat fee per Region + small hourly charge
• Can identify specific Instances as dedicated
• Optionally configure entire VPC as dedicated
Customer Challenge: Encryption
• Customers have requirements defining specific encryption key management procedures
– Requirements are based on contractual or regulatory mandates for keeping encryption keys stored in a specific manner or with specific access controls
• Customers want to use AWS but had to retain keys in HSMs in on-premises datacenters
– Applications may slow down due to network latency
– Requires several DCs to provide high availability, disaster recovery and durability of keys
What is AWS CloudHSM?
• Customers receive dedicated access to HSM appliances
• HSMs are physically located in AWS datacenters – in close network proximity to Amazon EC2 instances
• Physically managed and monitored by AWS, but customers control their own keys
• HSMs are inside customer’s VPC – dedicated to the customer and isolated from the rest of the network
AWS CloudHSM
• With AWS CloudHSM customers can:
– Encrypt data inside AWS
– Store keys in AWS within a Hardware Security Module
– Decide how to encrypt data
• The AWS CloudHSM implements cryptographic functions and key storage for customer applications
– Use third party validated hardware for key storage
• AWS CloudHSMs are designed to meet Common Criteria EAL4+ and FIPS 140-2 standards
AWS CloudHSM Service Highlights
• Secure Key Storage – customers retain control of their own keys and cryptographic operations on the HSM
• Contractual and Regulatory Compliance – helps customers comply with the most stringent requirements for key protection
• Reliable and Durable Key Storage – AWS CloudHSMs are located in multiple Availability Zones and Regions to help customers build highly available applications that require secure key storage
• Simple and Secure Connectivity – AWS CloudHSMs are in the customer’s VPC
• Better Application Performance – reduce network latency and increase the performance
AWS Data Protection Solutions
• AWS offers several data protection mechanisms
– Access control
– Encryption
• AWS data encryption solutions allow
– Encrypt and decrypt sensitive data inside or outside AWS
– Decide which data to encrypt
– Partner with 3rd party key management solutions
• AWS CloudHSM complements existing AWS data protection and encryption solutions
9/30/2013 Slides not intended for redistribution.
Familiar Cloud Security
• Everything You Do Now Can Be Done in the Cloud
- Intrusion Detection
- Intrusion Prevention
- Packet Capture
- Firewalls
- Access Control Lists
- Multi-Factor Authentication
- Identity and Access Management
AWS Security Resources
• http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
• Regularly Updated
• Feedback is welcome