Move Better, Faster, and More Securely
Cloud-Enabled Security Solutions
Pawan Agnihotri– AWS Principal Security Solutions Architect
Takeaways from today’s session
I. Revolution: Why the Cloud? The Inspirations and Motivations
II. Myth Busting: Common Security Misconceptions
III. Protection: Benefits of Cloud-Enabled Security for the Enterprise
IV. Transformation: Common Best Practices When Migrating to the Cloud
Revolution
“There has never been a time of greater promise, or one of greater potential peril. Today’s decision-makers, however, are too often trapped in traditional, linear thinking, or too absorbed by the multiple crises demanding their attention, to think strategically about the forces of disruption and innovation shaping our future.”
- Klaus Schwab, Founder & Executive Chairman, World Economic Forum
1784 – Steam Power – Mechanical Production
1870 – Electricity – Mass Production
1969 – Electronics – Automated Production
Today – Cloud, IoT – Digital
“We stand on the brink of a technological revolution that will fundamentally alter the way we live, work, and relate to one another. In its scale, scope, and complexity, the transformation will be unlike anything humankind has experienced before.”
- Klaus Schwab, Founder & Executive Chairman, World Economic Forum
The First Industrial Revolution used water and steam power to mechanize production. The Second used electric power to create mass production. The Third used electronics and information technology to automate production. Now a Fourth Industrial Revolution is building on the Third, the digital revolution that has been occurring since the middle of the last century. It is characterized by a fusion of technologies that is blurring the lines between the physical, digital, and biological spheres.
Inspirations and Motivations for Migration
FinTech
Challenger Banks
Onerous Regulations
The Digital Agenda
Market Agility
Improved Margins
Risk Reduction
Greater Transparency
Improved Responsiveness
Resiliency
Cost Reduction
Increased Productivity
Move Fast OR Stay Secure
Move Fast AND Stay Secure
Myth Busting
“Cyber security is better in the cloud than it is in private managed data centers.”
- Steve Randich, EVP and CIO of FINRA
Physical vs API
Physical: Some API-enabled services; Disparate APIs; No true control plane; Physical concealments; Often co-habited
API: Fully API-enabled; API homogeneity; A “source of truth” control plane; Nowhere to hide; Nobody can “climb into” your account
State of the Art Facilities
Documented and Verified Controls
We’ve helped our FSI customers successfully address regulatory requirements from these agencies, and many others around the world.
APAC Regulatory Landscape
Tested by Millions and Standardized for all
Capital One
Protection
“We worked closely with the Amazon team to develop a security model, which we believe enables us to operate more securely in the public cloud than we can even in our data centers.”
- Rob Alexander, CIO of Capital One
16 Regions – 42 Availability Zones – 68 Edge Locations
Region & Number of Availability Zones:
AWS GovCloud (2)
US West: Oregon (3), Northern California (3)
US East: N. Virginia (5), Ohio (3)
Canada: Central (2)
South America: São Paulo (3)
EU: Ireland (3), Frankfurt (2), London (2)
Asia Pacific: Singapore (2), Sydney (2), Tokyo (3), Seoul (2), Mumbai (2)
China: Beijing (2)
New regions coming soon: Paris, Ningxia
Deploy Faster Wherever You Like
Local Versus Global View
> 90% of new features driven by customers’ needs
Security Innovation: AWS Innovates Constantly
[Chart: AWS releases versus AWS Security releases per year, 2007–2016]
Pace of Innovation: Security versus All
[Chart: Security Features versus All Significant Services & Features per year, 2008–2013, each with a 2-period moving average]
Multi-Dimensional Protection at Many Layers
Perimeter: Secure DMZs, Honeypot, Perimeter IDS/IPS, DLP, Message Security (anti-virus, anti-malware), Perimeter Firewall, DHS Einstein, Web Proxy Control Filtering, Enterprise Message Security, Inline Patching
Enterprise Wireless Security, NAC, VoIP Protection, Enterprise Remote Access, DLP, Enclave/Datacenter Firewall
Endpoint Security Enforcement, Content Security (anti-virus, anti-malware), Host IDS/IPS, Desktop Firewall, FDCC Compliance, Patch Management, DLP
WAF, Dynamic App Testing, Database Monitoring/Scanning, Database Secure Gateway (Shield), Static App Testing, Code Review
Identity & Access Management, Enterprise Right Management, Data Classification, Data Integrity Monitoring, Data/Drive Encryption, DAR/DIM Protection, Data Wiping/Cleansing, PKI
Operations: SIEM, Digital Forensics, Security SLA/SLO Reporting, Escalation Management, Situational Awareness, Security Dashboard, Focused Ops, Continuous Monitoring & Assessment, Incident Reporting, Detection, Response (CIRT), SOC/NOC Monitoring (24x7)
Policy Management: Continuous C&A, Security Awareness Training, Vulnerability Assessment, Penetration Testing, Security Architecture & Design, Threat Modeling, Cyber Threat Intelligence, Security Policies & Compliance, IT Security & Governance, Enterprise IDS/IPS, DLP, Risk Management
Mission Critical Assets
Reaction Time (Inequality thereof…) – Get Ahead
Deter, Monitor, Detect, Diagnose, Secure
Before: Attackers (minutes) > Defenders (days)
After: Constant, real-time protection
What is Amazon Web Services?
Administration & Security: Access Control, Identity Management, Key Management & Storage, Monitoring & Logs, Resource & Usage Auditing
Platform Services:
Analytics: Data Pipelines, Data Warehouse, Hadoop, Real-time Streaming Data, Machine Learning
App Services: Queuing & Notifications, Search, Transcoding, Workflow
Developer Tools & Operations: Application Lifecycle Management, Containers, Deployment, DevOps, Event-driven Computing, Resource Templates
Mobile Services: Identity, Mobile Analytics, Push Notifications, Sync, App Streaming
Core Services: CDN, Compute (VMs, Auto-scaling, and Load Balancing), Databases (Relational, NoSQL, and Caching), Networking (VPC, DX, and DNS), Storage (Object, Block, EFS, and Archival)
Infrastructure: Regions, Availability Zones, Points of Presence
Enterprise Applications: Business Email, Sharing & Collaboration, Virtual Desktop
Technical & Business Support: Account Management, Partner Ecosystem, Professional Services, Security & Pricing Reports, Solutions Architects, Support, Training & Certification
Transformation
“There’s so much security built into these cloud computing platforms today. For us, it’s our No. 1 priority — it’s not even close, relative to anything else.”
- Rob Alexander, CIO of Capital One
Cloud Security – Design Patterns
01 Access Rights Just-in-Time: Temporary Credentials + Integrated Identity and Access Management
02 Consolidated Logging: API Logs; Performance, Network, Apps Logs; Durable, Highly Available Storage; Durable and Cheap Archive Storage + Streaming Data
03 Ubiquitous Encryption: Key Storage on HSM, Managed KMI, or DIY; applied to Archive/Object Storage, Block Storage, Out-of-band Data Transfer, Database, Data Warehouse, and Log Trails
04 Non-Persistent & Elastic: Auto-Scaling Compute Instances
05 Network Architecture Agility: Logically Isolated Section of the Cloud + Virtual Firewall + Leased Line
06 Network Architecture Resiliency: Virtual Firewall, DNS, Web App Firewall, CDN, Auto-scaling, Scaling Load Balancer
07 Monitor and React Swiftly: Event-Driven, Server-Less Code Execution + Alarms Based on Performance, Network, Apps
08 Standardized Environments & Security as Code: + Continuous Configuration Automation, Software Development Kits (SDKs)
09 Validate Change at Scale: + Inventory, Configuration History and Change; Baseline Rules for Inventory and Configuration
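The design patterns above are slide headings only. As an added example, not part of the deck and not AWS's own tooling, the Python below shows what patterns 08 and 09 look like in practice: a set of baseline rules expressed as code, run over a configuration inventory snapshot, and re-run across a before/after pair so that a change can be validated for findings it introduces or resolves. The inventory records, their field names ("type", "ingress", "public", "multi_region", ...), the resource ids and the internal address range are all constructed assumptions for illustration, not the export format of any real inventory service.

```python
"""Baseline-rule checker for a configuration inventory (added example).

The inventory records below are constructed for this example; their shape
and field names ("type", "ingress", "public", ...) are assumptions for
illustration, not the export format of any real inventory service.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}  # remote-administration ports that should never face the world


@dataclass(frozen=True, order=True)
class Finding:
    rule: str
    resource_id: str
    detail: str


# Constructed snapshot of an account's configuration inventory (hypothetical schema).
INVENTORY = [
    {"type": "security_group", "id": "sg-web", "ingress": [
        {"port": 443, "cidr": "0.0.0.0/0"},   # fine: HTTPS is meant to be public
        {"port": 22, "cidr": "0.0.0.0/0"},    # weak: SSH open to the whole Internet
    ]},
    {"type": "security_group", "id": "sg-bastion", "ingress": [
        {"port": 22, "cidr": "10.0.0.0/8"},   # corrected form: SSH only from the internal range
    ]},
    {"type": "object_store", "id": "logs-archive", "public": False, "encrypted": True},
    {"type": "object_store", "id": "scratch", "public": True, "encrypted": False},
    {"type": "api_log_trail", "id": "org-trail", "enabled": True,
     "multi_region": True, "log_file_validation": True},
    {"type": "api_log_trail", "id": "legacy-trail", "enabled": True,
     "multi_region": False, "log_file_validation": False},
]


def rule_no_world_admin_ingress(res: dict) -> list[Finding]:
    """Admin ports must not accept traffic from 0.0.0.0/0 or ::/0."""
    if res["type"] != "security_group":
        return []
    return [
        Finding("no-world-admin-ingress", res["id"], f"port {r['port']} open to {r['cidr']}")
        for r in res["ingress"]
        if r["port"] in ADMIN_PORTS and ip_network(r["cidr"]).prefixlen == 0
    ]


def rule_object_store_private_and_encrypted(res: dict) -> list[Finding]:
    """Object stores must block public access and encrypt at rest."""
    if res["type"] != "object_store":
        return []
    out = []
    if res["public"]:
        out.append(Finding("object-store-not-public", res["id"], "public access enabled"))
    if not res["encrypted"]:
        out.append(Finding("object-store-encrypted", res["id"], "encryption at rest disabled"))
    return out


def rule_api_trail_hardened(res: dict) -> list[Finding]:
    """API log trails must be on, cover every region and have integrity validation."""
    if res["type"] != "api_log_trail":
        return []
    out = []
    if not res["enabled"]:
        out.append(Finding("trail-enabled", res["id"], "trail is disabled"))
    if not res["multi_region"]:
        out.append(Finding("trail-multi-region", res["id"], "trail covers a single region"))
    if not res["log_file_validation"]:
        out.append(Finding("trail-log-validation", res["id"], "log file integrity validation off"))
    return out


RULES = [rule_no_world_admin_ingress, rule_object_store_private_and_encrypted, rule_api_trail_hardened]


def evaluate(inventory: list[dict], rules=RULES) -> list[Finding]:
    """Run every baseline rule over every record and collect the findings, sorted."""
    return sorted(f for res in inventory for rule in rules for f in rule(res))


def validate_change(before: list[dict], after: list[dict], rules=RULES) -> tuple[list[Finding], list[Finding]]:
    """Compare two inventory snapshots: (findings introduced, findings resolved)."""
    b, a = set(evaluate(before, rules)), set(evaluate(after, rules))
    return sorted(a - b), sorted(b - a)


def hardened_copy(inventory: list[dict]) -> list[dict]:
    """Constructed 'after' snapshot: narrow world-open admin ports and lock down object stores."""
    after = copy.deepcopy(inventory)
    for res in after:
        if res["type"] == "security_group":
            for r in res["ingress"]:
                if r["port"] in ADMIN_PORTS and ip_network(r["cidr"]).prefixlen == 0:
                    r["cidr"] = "10.0.0.0/8"   # assumption: the internal address range
        elif res["type"] == "object_store":
            res["public"], res["encrypted"] = False, True
    return after


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f.rule:28} {f.resource_id:14} {f.detail}")
    introduced, resolved = validate_change(INVENTORY, hardened_copy(INVENTORY))
    print(f"change introduces {len(introduced)} finding(s) and resolves {len(resolved)}")
```

Each rule is a plain function that returns findings rather than printing them, so the same rule set serves three jobs the slides list separately: a one-off audit of the current inventory, a gate on a proposed change (run `validate_change` against the post-change snapshot and block the change if `introduced` is non-empty), and a scheduled re-check against configuration history. The IPv6 wildcard `::/0` is caught by the same `prefixlen == 0` test as `0.0.0.0/0`, which is the case most hand-written checks miss.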