aws security - amazon web...
TRANSCRIPT
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
AWS Security
Stephen E. Schmidt, Directeur de la Sécurité
Different customer viewpoints on security
PR exec keep out of the news
CEO protect shareholder
value
CI{S}O preserve the
confidentiality, integrity
and availability of data
Security is Our No.1 Priority Comprehensive Security Capabilities to Support Virtually Any Workload
PEOPLE &
PROCEDURES
NETWORK
SECURITY
PHYSICAL
SECURITY
PLATFORM
SECURITY
SOC CONTROL OBJECTIVES
1. SECURITY ORGANIZATION
2. AMAZON USER ACCESS
3. LOGICAL SECURITY
4. SECURE DATA HANDLING
5. PHYSICAL SECURITY AND ENV. SAFEGUARDS
6. CHANGE MANAGEMENT
7. DATA INTEGRITY, AVAILABILITY AND REDUNDANCY
8. INCIDENT HANDLING
“Based on our experience, I believe that we
can be even more secure in the AWS
cloud than in our own data centers”
Tom Soderstrom – CTO – NASA JPL
You are making
API calls... On a growing set of
services around the
world…
CloudTrail is
continuously
recording API
calls…
And delivering
log files to you
Security Analysis Use log files as an input into log management and analysis solutions to perform
security analysis and to detect user behavior patterns.
Track Changes to AWS Resources Track creation, modification, and deletion of AWS resources such as Amazon EC2
instances, Amazon VPC security groups and Amazon EBS volumes.
Troubleshoot Operational Issues Quickly identify the most recent changes made to resources in your environment.
Compliance Aid Easier to demonstrate compliance with internal policies and regulatory standards.
‣ CloudTrail records API calls and
delivers a log file to your S3 bucket.
‣ Typically, delivers an event within 15
minutes of the API call.
‣ Log files are delivered approximately
every 5 minutes.
‣ Multiple partners offer integrated
solutions to analyze log files.
Defense in Depth Multi level security
• Physical security of the data centers
• Network security
• System security
• Data security
AWS Security Delivers More Control & Granularity Customize the implementation based on your business needs
AWS
CloudHSM
Defense in depth
Rapid scale for security
Automated checks with AWS Trusted Advisor
Fine grained access controls
Server side encryption
Multi-factor authentication
Dedicated instances
Direct connection, Storage Gateway
HSM-based key storage
AWS IAM
Amazon VPC
AWS Direct
Connect
AWS Storage
Gateway
AWS STAFF ACCESS
‣ Staff vetting
‣ Staff has no logical access to customer instances
‣ Staff control-plane access limited & monitored Bastion hosts, Least privileged model, Zoned data center access
‣ Business needs
‣ Separate PAMS
AWS IAM: Recent Innovations Securely control access to AWS services and resources
• Delegation
– Roles for Amazon EC2
– Cross-account access
• Powerful integrated permissions
– Resource level permissions: Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation
– Access control policy variables
– Policy Simulator
– Enhanced IAM support: Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk
• Federation
– Web Identity Federation
– AD and Shibboleth examples
– Partner integrations
– Case study: Expedia
• Strong authentication
– MFA-protected API access
– Password policies
• Enhanced documentation and videos
Amazon DynamoDB Fine Grained
Access Control
Directly and securely access application
data in Amazon DynamoDB
Specify access permissions at table, item
and attribute levels
With Web Identity Federation, completely
remove the need for proxy servers to
perform authorization
DATA ENCRYPTION
CHOOSE WHAT’S RIGHT FOR YOU:
Automated – AWS manages encryption
Enabled – user manages encryption using AWS
Client-side – user manages encryption using their own mean
AWS CloudHSM
Managed and monitored by AWS, but you
control the keys
Increase performance for applications that
use HSMs for key storage or encryption
Comply with stringent regulatory and
contractual requirements for key protection
EC2 Instance
AWS CloudHSM
AWS CloudHSM
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Axway, Cloud and Security
David FIGINI, VP Cloud Managed Services EMEA
• 11,000 customers
• 100 countries
• 332,5M € revenue in 2013
• 1,700+ employees
• HQ in Phoenix, AZ USA
• Offices in 19 countries
Governing the flow of data
DATA FLOW GOVERNANCE
Axway Cloud and AWS
• Start Quickly
• Everywhere
• No initial cost
• Pay per use
• Scale up and down
• No commitment
• Repeatable
• Reliable
• Secure
VPC (Virtual Private
Cloud) – Privatization for Cloud components.
Data centers (zones) - Tier IV and compliant with all major third-party certifications.
Storage – 99.999999999 durability
Database – Multizone configuration
Elastic Load Balancers – Zone independence
VPN – AWS Direct Connect provides dedicated private networking for increased bandwidth and reliability.
EC2 Instances – Elastic computing
Cloud Formation – Reliable delivery from Web Services
Applications – Designed for no single points of failure and non-repudiation.
All services are monitored through a centralized location utilizing, SES, SNS, Cloud Watch, Nagios, etc.
Axway Cloud threat mitigation
Architecture and Datacenter Vulnerabilities
Service Platform Availability
Information Confidentiality and Integrity Loss
Decrease in Functional Performance
Human Activities
• Multi AZ Auto-Scaling groups Very High Availability
• Solution deployed by Axway OS Patch
management
• Data encryption at rest and for communications
• Backup policy based on snapshots
Data loss and confidentiality
• Access to environments is centralized and all activity is tracked Human activity
• Security and monitoring tools (Ossec, syslog, Nagios, CloudWatch, …)
• Splunk to receive, process and present security events
Real time monitoring
Axway Cloud security architecture
• SOC1 Type 2 certification achieved in March
• ISO27001 Beginning of 2015
Management
Solution
Access
Control
Axway data center
Amazon
Route 53
Axway
workforce VPN
Elastic Load
Balancing
Supervision
Monitoring
& Security
tools
VPC peering
Solution
Elastic Load
Balancing
VPC peering
Monitoring
& Security
data
Acc
ess
CloudWatch Amazon SES
Auto Scaling group
AZ #1
AZ #2
Auto Scaling group
AZ #1
AZ #2
CloudTrail
• Axway governs the flow of data in the Cloud
• Axway Cloud is based on a strong AWS partnership
• Security = AWS + Axway + Processes+ People
Takeaways from Axway
© 2014 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Axway, Cloud and Security
David FIGINI, VP Cloud Managed Services EMEA
Merci !
“Based on our experience, I believe that we
can be even more secure in the AWS
cloud than in our own data centers”
Tom Soderstrom – CTO – NASA JPL
AWS SECURITY WHITEPAPERS
RISK & COMPLIANCE
AUDITING SECURITY CHECKLIST
SECURITY PROCESSES
SECURITY BEST PRACTICES