AWS re:Invent re:Cap - Building a Cloud Architecture for End-to-End Security - 양승도

Post on 11-Jul-2015


© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

December 8, 2014 | Korea

양승도, Solutions Architect

Job Zero

• Network Security
• Physical Security
• Platform Security
• People & Procedures

SHARED

constantly improving

AWS Foundation Services: Compute, Storage, Database, Networking

AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

AWS is responsible for the security OF the Cloud

GxP, ISO 13485, AS9100, ISO/TS 16949

Shared responsibility

Customers have their choice of security configurations IN the Cloud:

• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption / Server-side Data Encryption / Network Traffic Protection

AWS is responsible for the security OF the Cloud:

• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

FAMILIAR

VISIBILITY

Visibility right now?

Visible

You are making API calls on a growing set of services around the world. AWS CloudTrail is continuously recording those API calls and delivering log files to you.

AWS CLOUDTRAIL

Redshift, AWS CloudFormation, AWS Elastic Beanstalk

Use cases enabled by CloudTrail
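To make the CloudTrail use case concrete, here is an added example (not part of the original deck) of consuming the delivered log files on the defender's side: it parses the documented CloudTrail record format and raises findings for root-account activity, API calls that turn logging off or weaken KMS keys, and calls denied by IAM. The four records, the account ID and the ARNs are constructed for this example; the rule set, the rule names and the function names (Audit, Finding) are this example's own choices, not anything from AWS.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Record carries the CloudTrail fields this audit uses; the JSON names follow the
// documented CloudTrail record format. Fields not listed are ignored by Unmarshal.
type Record struct {
	EventTime       string `json:"eventTime"`
	EventSource     string `json:"eventSource"`
	EventName       string `json:"eventName"`
	SourceIPAddress string `json:"sourceIPAddress"`
	ErrorCode       string `json:"errorCode"`
	UserIdentity    struct {
		Type string `json:"type"`
		ARN  string `json:"arn"`
	} `json:"userIdentity"`
}

// Finding is one audit observation: which rule fired and on which record.
type Finding struct {
	Rule  string
	Event Record
}

// sensitiveEvents maps "eventSource:eventName" to a rule name. These calls turn
// logging off or weaken key protection, so every occurrence should be reviewed.
var sensitiveEvents = map[string]string{
	"cloudtrail.amazonaws.com:StopLogging":  "logging-disabled",
	"cloudtrail.amazonaws.com:DeleteTrail":  "logging-disabled",
	"kms.amazonaws.com:DisableKey":          "kms-key-weakened",
	"kms.amazonaws.com:ScheduleKeyDeletion": "kms-key-weakened",
	"kms.amazonaws.com:PutKeyPolicy":        "kms-key-policy-changed",
}

// Audit parses one CloudTrail log file ({"Records":[...]}) and applies three rules:
// root-account activity, sensitive API calls, and calls denied by IAM.
func Audit(logFile []byte) ([]Finding, error) {
	var lf struct {
		Records []Record `json:"Records"`
	}
	if err := json.Unmarshal(logFile, &lf); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, r := range lf.Records {
		if r.UserIdentity.Type == "Root" {
			findings = append(findings, Finding{Rule: "root-account-used", Event: r})
		}
		if rule, ok := sensitiveEvents[r.EventSource+":"+r.EventName]; ok {
			findings = append(findings, Finding{Rule: rule, Event: r})
		}
		if r.ErrorCode == "AccessDenied" {
			findings = append(findings, Finding{Rule: "access-denied", Event: r})
		}
	}
	return findings, nil
}

// sampleLog is a constructed log file with four records; it is not real data.
const sampleLog = `{"Records":[
 {"eventTime":"2014-11-05T10:00:00Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey",
  "userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app/i-0abc"},
  "sourceIPAddress":"10.0.1.25"},
 {"eventTime":"2014-11-05T10:05:00Z","eventSource":"kms.amazonaws.com","eventName":"DisableKey",
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/ops"},
  "sourceIPAddress":"198.51.100.7"},
 {"eventTime":"2014-11-05T10:06:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging",
  "userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},
  "sourceIPAddress":"198.51.100.7"},
 {"eventTime":"2014-11-05T10:07:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst"},
  "sourceIPAddress":"10.0.2.9","errorCode":"AccessDenied"}
]}`

func main() {
	findings, err := Audit([]byte(sampleLog))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s %s %s by %s from %s\n", f.Rule, f.Event.EventTime,
			f.Event.EventName, f.Event.UserIdentity.ARN, f.Event.SourceIPAddress)
	}
}
```

Run against the constructed file this reports four findings: the DisableKey call, the root-account StopLogging call twice (once for the root identity, once for the event itself), and the denied GetObject. Keeping the rule table as data rather than code is deliberate: the events a team treats as sensitive change over time, and the trail records themselves stay the single source of truth.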

AUDITABILITY

AWS Config: continuous change recording of changing resources

• History
• Stream
• Snapshot (ex. 2014-11-05)

Integrated support from our partner ecosystem

CONTROL

First class security and compliance starts (but doesn't end!) with encryption

• Automatic encryption with managed keys
• Bring your own keys
• Dedicated hardware security modules

Encryption & Best Practices with AWS

Encryption:

• Managed key encryption
• Key storage with AWS CloudHSM
• Customer-supplied key encryption
• DIY on Amazon EC2

Best practices:

• Create, store, & retrieve keys securely
• Rotate keys regularly
• Securely audit access to keys

Partner enablement of crypto

| | DIY | AWS Marketplace Partner Solution | AWS CloudHSM | AWS Key Management Service |
|---|---|---|---|---|
| Where are keys generated and stored | Your network or in AWS | Your network or in AWS | In AWS, on an HSM that you control | AWS |
| Where keys are used | Your network or your EC2 instance | Your network or your EC2 instance | AWS or your applications | AWS services or your applications |
| How to control key use | Config files, vendor-specific management | Vendor-specific management | Customer code + Safenet APIs | Policy you define; enforced in AWS |
| Responsibility for performance/scale | You | You | You | AWS |
| Integration with AWS services? | Limited | Limited | Limited | Yes |
| Pricing model | Variable | Per hour/per year | Per hour | Per key/usage |

How AWS Services Integrate with AWS Key Management Service

• Two-tiered key hierarchy using envelope encryption
• A unique data key encrypts each piece of customer data
• AWS KMS master keys encrypt the data keys
• Benefits of envelope encryption:
  • Limits the risk of a compromised data key
  • Better performance for encrypting large data
  • Easier to manage a small number of master keys than millions of data keys

Diagram: Customer Master Key(s) held in AWS KMS encrypt Data Key 1 to Data Key 4, which in turn encrypt an Amazon S3 object, an Amazon EBS volume, an Amazon Redshift cluster, and a custom application's data.

AWS Key Management Service Reference Architecture

Diagram: an application or AWS service holds a data key and the encrypted data key, and produces encrypted data; the master key(s) in the customer's account live in AWS Key Management Service.

1. The application or AWS service client requests an encryption key to use to encrypt data, and passes a reference to a master key under the account.

2. The client request is authenticated based on whether the client has access to use the master key.

3. A new data encryption key is created and a copy of it is encrypted under the master key.

4. Both the data key and the encrypted data key are returned to the client. The data key is used to encrypt customer data and then deleted as soon as is practical.

5. The encrypted data key is stored for later use and sent back to AWS KMS when the source data needs to be decrypted.
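The five steps above, worked through as an added example that is not part of the original deck: an in-memory stand-in for KMS (mockKMS, with CreateKey, GenerateDataKey and Decrypt) keeps the master keys and enforces a per-key list of allowed principals in place of a KMS key policy, while EnvelopeEncrypt and EnvelopeDecrypt are the client side. AES-256-GCM is used both to wrap the data key and to encrypt the payload. The real service's APIs, wire format and policy language are not reproduced; every name here, and the key IDs and principal strings used when calling it, are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// mockKMS is an in-memory stand-in for AWS KMS, written for this example only. Master key
// material never leaves it; allowed[keyID] stands in for a KMS key policy (step 2 above).
type mockKMS struct {
	material map[string][]byte
	allowed  map[string]map[string]bool
}

func newMockKMS() *mockKMS { return &mockKMS{map[string][]byte{}, map[string]map[string]bool{}} }

// CreateKey generates a 256-bit master key usable by the listed principals.
func (k *mockKMS) CreateKey(keyID string, principals ...string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return err }
	k.material[keyID], k.allowed[keyID] = key, map[string]bool{}
	for _, p := range principals {
		k.allowed[keyID][p] = true
	}
	return nil
}

// authorize is step 2: the caller must be permitted to use the named master key.
func (k *mockKMS) authorize(keyID, principal string) ([]byte, error) {
	if key, ok := k.material[keyID]; ok && k.allowed[keyID][principal] {
		return key, nil
	}
	return nil, errors.New("AccessDenied: " + principal + " may not use " + keyID)
}

// gcm, seal and open wrap AES-256-GCM: seal prepends a fresh random nonce, so the
// stored form is nonce || ciphertext || tag, and open rejects any tampering.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, aad), nil
}
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// GenerateDataKey is the service side of steps 1-4: a fresh data key is returned in plaintext
// plus a copy wrapped under the master key. keyID is bound as AAD so a wrapped key cannot
// be unwrapped under a different master key.
func (k *mockKMS) GenerateDataKey(keyID, principal string) (plain, wrapped []byte, err error) {
	master, err := k.authorize(keyID, principal)
	if err != nil { return nil, nil, err }
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil { return nil, nil, err }
	wrapped, err = seal(master, plain, []byte(keyID))
	return plain, wrapped, err
}

// Decrypt is step 5: unwrap a stored data key for an authorized caller.
func (k *mockKMS) Decrypt(keyID, principal string, wrapped []byte) ([]byte, error) {
	master, err := k.authorize(keyID, principal)
	if err != nil { return nil, err }
	return open(master, wrapped, []byte(keyID))
}

// EnvelopeEncrypt is the client side: obtain a data key, use it once, zero it, and
// return only the wrapped key and the ciphertext, which is all that gets stored.
func EnvelopeEncrypt(k *mockKMS, keyID, principal string, data []byte) (wrapped, ciphertext []byte, err error) {
	plainKey, wrapped, err := k.GenerateDataKey(keyID, principal)
	if err != nil { return nil, nil, err }
	defer zero(plainKey) // step 4: the plaintext data key is deleted as soon as it has been used
	ciphertext, err = seal(plainKey, data, nil)
	return wrapped, ciphertext, err
}

// EnvelopeDecrypt sends the wrapped key back to KMS (step 5), then decrypts the data.
func EnvelopeDecrypt(k *mockKMS, keyID, principal string, wrapped, ciphertext []byte) ([]byte, error) {
	plainKey, err := k.Decrypt(keyID, principal, wrapped)
	if err != nil { return nil, err }
	defer zero(plainKey)
	return open(plainKey, ciphertext, nil)
}

// zero overwrites key material that is no longer needed.
func zero(b []byte) {
	for i := range b { b[i] = 0 }
}
```

Two details carry the security point of the slide. Binding the master key ID as associated data when wrapping means a wrapped key presented under a different master key fails to unwrap rather than silently yielding garbage, and because the client only ever stores the wrapped copy, compromising stored data requires both the ciphertext and the ability to call Decrypt on that master key, which is exactly what the key policy (here the allow-list) controls and what CloudTrail records.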

Nasdaq is a great example of security excellence in the cloud

Nasdaq use case requirements

• Replace on-premises data warehouse while keeping equivalent schemas and data
• Only one year of capacity remaining
• 4-8 billion rows of new information stored daily (stock trading)
• Must cost less than existing system
• Must satisfy multiple security and regulatory audits
• Must perform similarly to legacy warehouse under concurrent query load

AWS's ability to satisfy multiple security and regulatory audits was critical to Nasdaq's migrating its data warehouse to AWS.

Nasdaq data warehouse implementation: pull data from numerous sources, validate data, and securely load into Redshift

Nasdaq security best practices

• AWS CloudTrail to monitor and audit environment
• Network isolation with Amazon VPC and AWS Direct Connect
• Encryption in flight using TLS and Amazon Redshift JDBC connections
• Encryption at rest with Amazon S3 (client-side, AES-256), with Amazon Redshift cluster encryption enabled and AWS CloudHSM

AWS CloudHSM integration was critical to Nasdaq's adoption of AWS.

AGILITY

Agility: self-service and time to market for developers; control, visibility and compliance for IT

• IT: create custom services and grant access to developers
• Developers: use a personalized portal to find & launch services

Providing developers fast provisioning

• Create and manage portfolio
• Add custom products and services
• Grant access to developers

Achieving self-service with IT approval

• Find and launch services
• Automate provisioning
• Manage AWS resources

Diagram (portfolio workflow): 1. Administrator creates portfolio; 2. Authors AWS CloudFormation template; 3. Creates product (ProductX, ProductY, ProductZ); 4. Adds constraints; 5. Grants access to users; 6. Users browse and launch products; 7. Deploys stacks; 8. Notifications to administrator and users

Simple Security Controls

BETTER OFF IN AWS
