aws cloud security

Max Ramsay AWS Cloud Security Principal Security Solutions Architect

Upload: amazon-web-services-latin-america

Post on 15-Jan-2015


DESCRIPTION

AWS Cloud Security

TRANSCRIPT

1. Max Ramsay, AWS Cloud Security, Principal Security Solutions Architect

2. Various tutorials, training and mentoring in Portuguese. Sign up now! http://awshub.com.br

3. What we will be covering today
   - AWS Security Overview
   - Focus on Serasa Experian
   - Focus on Trend Micro

4. AWS Security Overview

5. Cloud Security is

6. Every Customer Has Access to the Same Security Capabilities
   - And gets to choose what's right for their business needs: Governments, Financial Sector, Pharmaceuticals, Entertainment, Start-ups, Social Media, Home Users, Retail

7. Focus on Serasa Experian. Rodrigo Zenun, IT Specialist

8. "In our Innovation Lab on AWS, we were able to test new technologies and launch new products in record time."
   - Serasa Experian, part of the Experian group, is the largest credit bureau in the world outside the United States, holding the most extensive database in Latin America on consumers, companies and economic groups. Present in the Brazilian market for 45 years, Serasa Experian takes part in most of the credit and business decisions made in the country, answering, online and in real time, 6 million queries per day requested by 500 thousand direct and indirect clients.
   - "AWS allows us to study new technologies and innovate at a speed that was previously unimaginable for a large company in the financial sector." - Rodrigo Zenun

9. The Challenge
   - Create an extension of our data centers, with at least the same security standards, that would allow the study of emerging technologies.
   - Combine flexibility, agility and information security.
   - Take advantage of the elasticity offered by AWS for the front end of applications and products.

10. On the Role of AWS and the Benefits Achieved
   - Proofs of concept and prototypes carried out with great ease and agility
   - Feasibility of launching new products
   - Distribution of public content
   - Reduced expenses and elasticity

11. AWS Security Overview Continued

12. Visible Cloud Security: This or This?

13. Auditable Cloud Security

14. Transparent Cloud Security

15. Security & Compliance Control Objectives
   - Control Objective 1: Security Organization
   - Control Objective 2: Amazon User Access
   - Control Objective 3: Logical Security
   - Control Objective 4: Secure Data Handling
   - Control Objective 5: Physical Security and Environmental Safeguards
   - Control Objective 6: Change Management
   - Control Objective 7: Data Integrity, Availability and Redundancy
   - Control Objective 8: Incident Handling

16. Security & Compliance Control Objectives (cont'd)
   - Control Objective 1: Security Organization. Who we are; proper control & access within the organization.
   - Control Objective 2: Amazon User Access. How we vet our staff; minimization of access.

17. Security & Compliance Control Objectives (cont'd)
   - Control Objective 3: Logical Security. Our staff start with no system access; need-based access grants; rigorous system separation; system access grants regularly evaluated & automatically revoked.

18. Security & Compliance Control Objectives (cont'd)
   - Control Objective 4: Secure Data Handling. Storage media destroyed before being permitted outside our datacenters; media destruction consistent with US Dept. of Defense Directive 5220.22.
   - Control Objective 5: Physical Security and Environmental Safeguards. Keeping our facilities safe; maintaining the physical operating parameters of our datacenters.

19. Security & Compliance Control Objectives (cont'd)
   - Control Objective 6: Change Management. Continuous operation.
   - Control Objective 7: Data Integrity, Availability and Redundancy. Ensuring your data remains safe, intact & available.
   - Control Objective 8: Incident Handling. Process & procedures for mitigating and managing potential issues.

20. Shared Responsibility
   - AWS: Facilities; Physical Security; Physical Infrastructure; Network Infrastructure; Virtualization Infrastructure
   - Customer: Choice of Guest OS; Application Configuration Options; Account Management Flexibility; Security Groups; Network ACLs; Network Configuration Control

21. You Decide Where Applications and Data Reside

22. Network Security

23. Amazon EC2 Security
   - Host operating system (AWS controlled): individual SSH keyed logins via bastion host for AWS admins; all accesses logged and audited.
   - Guest operating system (Customer controlled): AWS admins cannot log in; customer-generated keypairs.
   - Stateful firewall: mandatory inbound firewall, default deny mode; customer controls configuration via Security Groups.
   - Signed API calls: require X.509 certificate or customer's secret AWS key.

24. [Diagram: physical interfaces, hypervisor, virtual interfaces and firewall; Customer 1 through Customer n each has its own Security Groups]

25. Tiering Security Groups

26. Tiering Security Groups (Cont'd)
   - Dynamically created rules based on Security Group membership
   - Effectively create tiered network architectures
   - Web Security Group: TCP 80 from 0.0.0.0/0; TCP 22 from Mgmt
   - App Security Group: TCP 8080 from Web; TCP 22 from Mgmt
   - DB Security Group: TCP 3306 from App; TCP 22 from Mgmt
   - Mgmt Security Group: TCP 22 from 163.128.25.32/32
   - [Diagram: Bastion Host -> Web Server (HTTP) -> App Server (8080) -> DB Server (3306), each behind its own firewall, with port 22 reaching each server from the Bastion Host]

27. Amazon VPC Architecture
   - [Diagram: customer's network connected to the Amazon Web Services cloud over a secure VPN (VPN gateway) or AWS Direct Connect (dedicated path/bandwidth); inside the VPC: router, subnets, NAT, Internet access; the customer's AWS resources are isolated]

28. Amazon VPC Network Security Controls

29. VPC - Dedicated Instances
   - Option to ensure physical hosts are not shared with other customers
   - $2/hr flat fee per region + small hourly charge
   - Can identify specific instances as dedicated
   - Optionally configure entire VPC as dedicated

30. AWS Deployment Models
   - Isolation features: Logical Server and Application Isolation; Granular Information Access Policy; Logical Network Isolation; Physical Server Isolation; Government Only; Physical Network and Facility Isolation; ITAR Compliant (US Persons Only)
   - Sample workloads: Commercial Cloud: public-facing apps, web sites, dev, test, etc. Virtual Private Cloud (VPC): datacenter extension, TIC environment, email, FISMA Low and Moderate. AWS GovCloud (US): US Persons compliant and government-specific apps.

31. Premium Support Trusted Advisor
   - Security Checks: Security Group Rules (Hosts & Ports); IAM Use; S3 Policies
   - Fault Tolerance Checks: Snapshots; Multi-AZ; VPN Tunnel Redundancy

32. Focus on Trend Micro. JD Sherry, Vice President, Technology and Solutions

33. Security in 2013: The Cloud Changes Nothing and Everything! July 2013. JD Sherry, Vice President, Technology & Solutions

34. Discussion Outcomes (8/2/2013, Copyright 2013 Trend Micro Inc.)
   - Enterprises and the Cloud
   - Best Practices for Compliance & Security in the Cloud
   - Solutions and Case Studies

35. Enterprises and the Cloud
   - Security & compliance are top priorities for enterprises, underscoring concerns that are impeding cloud adoption
   - Are cloud security needs that different than on-premise? Cloud introduces the concept of shared responsibility for securing their services and applications running in the cloud
   - Security is not the only inhibitor: many organizations are reluctant to change the status quo; fear of the unknown; cloud concepts & terminology intimidating; IT job loss concerns; dramatic change from a process & operations perspective; not sure how/where to get started

36. Customer Security Concerns
   - Data sovereignty: concerns over stewardship of data. Who has access to the data: customer, provider, government? Data privacy concerns: other tenants, attacks against my data. Will my data leave the country? If I terminate a cloud server, do copies of my data still exist in the cloud?
   - US Patriot Act: could USA law enforcement gain access to my systems and data?

37. Customer Security Concerns
   - Multi-tenancy: risk of configuration errors leading to data exposure. How can I protect my cloud servers from attack? Will I even know my cloud servers are being attacked?
   - Compliance: how can I use the cloud and still meet internal and external compliance requirements? Who is responsible for cloud security?

38. Consumers of Cloud Services' Responsibilities
   - Consumers of cloud services are responsible for: security of the instance (OS & applications); ensuring SLAs are maintained
   - Ultimately it boils down to protecting your instances from compromise and the integrity of the applications running in the cloud
   - How do you protect AWS instances? Traditional network appliances are not feasible; limited control over the network; agent-based host security controls are required

39. Cloud Security is a Shared Responsibility
   - What type of host security controls are required?

   The Need                          | Preferred Security Control
   Data confidentiality              | Encryption
   Block malicious software          | Anti-Malware
   Detect & track vulnerabilities    | Vulnerability scanning services
   Control server communications     | Host firewalls
   Detect suspicious activity        | Intrusion Prevention
   Detect unauthorized changes       | File Integrity Monitoring
   Block OS & app vulnerabilities    | Patch & shield vulnerabilities
   Data monitoring & compliance      | DLP

   - Security principles don't change; implementation & management change drastically

40. The Cloud Changes Nothing and Everything! Practical Guidance for Compliance & Security in the Cloud

41. Practical Considerations
   - Cloud elasticity: automated protection of new instances is critical to success; equally important that terminated instances are not left orphaned
   - Security must become part of the cloud fabric, including working within the provisioning process; support for leading tools (OpsWorks) is critical

42. Transformation: Physical -> Virtual -> Cloud
   - Cloud and Data Center Security: Anti-Malware; Integrity Monitoring; Encryption; Log Inspection; Firewall; Intrusion Prevention
   - Data Center Ops / Security: Deep Security, SecureCloud

43. Case Study: Global Financial/Insurance Company
   - Opportunities: rapid business expansion; address high cost & complexity with cloud; first mover in their industry
   - Challenges: compliance & data privacy; cloud provider role definition; data destruction
   - Solution: shared responsibility model; SecureCloud: dynamic encryption via automated policy; data persistently encrypted (destruction); sensitive data protected via key access

44. Case Study: Large Manufacturing Company
   - Opportunities: data center consolidation; address high cost with cloud (utility pricing); infrastructure elasticity
   - Challenges: management & platform support; security in the cloud; managing multiple point solutions
   - Solution: dynamic infrastructure with utility billing; Deep Security: comprehensive cloud security, automated management & integration with Chef, broad environment support

45. Case Study: Global Transportation Company
   - Opportunities: efficiency; drive down cost with cloud; infrastructure elasticity & reliability
   - Challenges: management across systems; support for multiple clouds; corporate governance
   - Solution: rapid deployment; Deep Security: comprehensive cloud security; SecureCloud: encryption of sensitive data; broad environment support

46. Thank You! JD Sherry, Vice President, Technology & Solutions. Booth 101

47. AWS Security Overview Continued

48. AWS Security, Compliance, & Architecture Resources
   - http://aws.amazon.com/security/ : Security whitepaper; Security best practices; Security bulletins; Customer security testing process
   - http://aws.amazon.com/compliance/ : Risk and compliance whitepaper
   - http://aws.amazon.com/architecture/ : Reference Architectures; Whitepapers; Webinars
   - http://blogs.aws.amazon.com/security/ : Stay up to date on security and compliance in AWS
   - Feedback is always welcome!

49. Thank You!!! [email protected]
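The tiered Security Group design from slide 26, modelled as an added example (not part of the deck): the four groups as data, an audit that the only internet-facing port is Web TCP 80 and that SSH reaches each tier only via the Mgmt group, and a walk of the group-to-group references that shows the Web -> App -> DB chain. The LEAKY variant is a constructed misconfiguration used to show what the audit flags.

```python
# Added example (not from the deck): the slide-26 tiered Security Groups as data,
# plus an audit that the tiering holds. As in EC2, a rule's source is a CIDR block
# or another Security Group, and anything not listed is denied (default deny).
from dataclasses import dataclass
from ipaddress import ip_network

INTERNET = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    source: str  # CIDR block or the name of a referenced Security Group

# The four tiers exactly as listed on the slide (constructed from the deck's text).
TIERS = {
    "Mgmt": [Rule("tcp", 22, "163.128.25.32/32")],
    "Web":  [Rule("tcp", 80, INTERNET), Rule("tcp", 22, "Mgmt")],
    "App":  [Rule("tcp", 8080, "Web"), Rule("tcp", 22, "Mgmt")],
    "DB":   [Rule("tcp", 3306, "App"), Rule("tcp", 22, "Mgmt")],
}
# Constructed misconfiguration: the DB tier accidentally opened to the internet.
LEAKY = dict(TIERS, DB=[Rule("tcp", 3306, INTERNET), Rule("tcp", 22, INTERNET)])

def is_cidr(source):
    try:
        ip_network(source)
        return True
    except ValueError:  # not an address, so it is a group reference
        return False

def audit(groups, public=("Web", 80), admin="Mgmt", ssh=22):
    """Return findings that break the tiering; an empty list means it holds."""
    findings = []
    for name, rules in groups.items():
        for r in rules:
            world = is_cidr(r.source) and ip_network(r.source).prefixlen == 0
            if world and (name, r.port) != public:
                findings.append(f"{name}: {r.proto}/{r.port} open to the internet")
            if r.port == ssh and name != admin and r.source != admin:
                findings.append(f"{name}: ssh from {r.source}, not only {admin}")
            if not is_cidr(r.source) and r.source not in groups:
                findings.append(f"{name}: references unknown group {r.source}")
    return findings

def chain_from(groups, source):
    """Follow group references outward from `source`: the tiers it can reach."""
    reached, frontier = [], [source]
    while frontier:
        src = frontier.pop(0)
        for name, rules in groups.items():
            if name not in reached and any(r.source == src for r in rules):
                reached.append(name)
                frontier.append(name)
    return reached
```

Run `audit(TIERS)` to confirm the slide's design is clean, `audit(LEAKY)` to see the three findings the misconfiguration produces, and `chain_from(TIERS, INTERNET)` to print the tier chain.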