AWS Security and Compliance


Upload: amazon-web-services

Post on 15-Apr-2017


TRANSCRIPT

ENTERPRISE APPS

DEVELOPMENT & OPERATIONS

MOBILE SERVICES

APP SERVICES

ANALYTICS

Data Warehousing

Hadoop/Spark

Streaming Data Collection

Machine Learning

Elasticsearch

Virtual Desktops

Sharing & Collaboration

Corporate Email

Backup

Queuing & Notifications

Workflow

Search

Email

Transcoding

One-click App Deployment

Identity

Sync

Single Integrated Console

Push Notifications

DevOps Resource Management

Application Lifecycle Management

Containers

Triggers

Resource Templates

TECHNICAL & BUSINESS SUPPORT

Account Management

Support

Professional Services

Training & Certification

Security & Pricing Reports

Partner Ecosystem

Solutions Architects

MARKETPLACE

Business Apps

Business Intelligence

Databases

DevOps Tools

Networking

Security

Storage

Regions

Availability Zones

Points of Presence

INFRASTRUCTURE

CORE SERVICES

Compute: VMs, Auto-scaling, & Load Balancing

Storage: Object, Blocks, Archival, Import/Export

Databases: Relational, NoSQL, Caching, Migration

Networking: VPC, DX, DNS

CDN

Access Control

Identity Management

Key Management & Storage

Monitoring & Logs

Assessment and reporting

Resource & Usage Auditing

SECURITY & COMPLIANCE

Configuration Compliance

Web application firewall

HYBRID ARCHITECTURE

Data Backups

Integrated App Deployments

Direct Connect

Identity Federation

Integrated Resource Management

Integrated Networking

API Gateway

IoT

Rules Engine

Device Shadows

Device SDKs

Registry

Device Gateway

Streaming Data Analysis

Business Intelligence

Mobile Analytics

JOB ZERO

more secure

Job Zero

Network Security

Physical Security

Platform Security

People & Procedures

Art Science

Our Culture

Simple Security Controls

”Of the changes catalyzed by cloud, security is the most exciting.”

AWS
• Micro-Perimeters
• Own just enough
• Focus on your core value
• Service-Centric
• Platform Services
• Continuously Evolving
• Central Control Plane (API)

SHARED

exactly

GxP, ISO 13485, AS9100, ISO/TS 16949

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers have their choice of security configurations IN the Cloud:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

Trusted Advisor

SECURITY IS VISIBILITY AND AUDITABILITY

How often do you map your network?

RIGHT NOW?

Integrated Support for CloudTrail and Config from our AWS Partner Ecosystem

SECURITY IS CONTROL
• control of privacy
• you choose to do so
• encryption any way that you choose
• access
• lifecycle and disposal

Customers retain full ownership and control of their content

Regions
• US-EAST (Virginia)
• US-WEST (N. California)
• US-WEST (Oregon)
• AWS GovCloud (US)
• EU-WEST (Ireland)
• EU-CENTRAL (Frankfurt)
• ASIA PAC (Tokyo)
• ASIA PAC (Singapore)
• ASIA PAC (Sydney)
• ASIA PAC (Seoul)
• SOUTH AMERICA (Sao Paulo)
• CHINA (Beijing)

you put it

WHO CAN DO WHAT

segregate duties

With AWS IAM you get to control who can do what in your AWS environment and from where

Fine-grained control of your AWS cloud with two-factor authentication

Integrated with your existing corporate directory using SAML 2.0 and single sign-on

AWS account owner
• Network management
• Security management
• Server management
• Storage management
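The slide's three controls (who, what, from where, plus two-factor authentication) worked through in an added example that is not part of the presentation: one policy document per duty-segregated role, and a small evaluator that applies IAM's decision order (explicit Deny beats Allow, Allow beats the implicit deny) so the effect of each statement can be checked offline. The role names, the action lists and the corporate CIDR are assumptions chosen for illustration; aws:MultiFactorAuthPresent and aws:SourceIp are the real IAM condition keys. Only the Bool, IpAddress and NotIpAddress operators are implemented.

```python
"""Added example (not from the slides): IAM-style policies for duty-segregated
roles and a minimal evaluator implementing IAM's Deny > Allow > implicit-deny order."""
import ipaddress
from fnmatch import fnmatchcase

# Assumed corporate egress range (RFC 5737 documentation prefix, not a real network).
CORP_CIDR = "203.0.113.0/24"

# The four management roles from the slide; the action lists are illustrative.
ROLE_ACTIONS = {
    "network-admin": ["ec2:*Vpc*", "ec2:*Subnet*", "ec2:*RouteTable*", "ec2:*SecurityGroup*"],
    "security-admin": ["cloudtrail:*", "config:*", "kms:*"],
    "server-admin": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:Describe*"],
    "storage-admin": ["s3:*", "ec2:*Volume*", "ec2:*Snapshot*"],
}


def build_policy(role):
    """Policy for one role: Allow its duties only when MFA was used, Deny every
    call from outside the corporate range, and Deny IAM changes (those stay
    with the account owner, so no role can widen its own permissions)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowDutiesWithMfa", "Effect": "Allow",
             "Action": ROLE_ACTIONS[role], "Resource": "*",
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
            {"Sid": "DenyOutsideCorpNetwork", "Effect": "Deny",
             "Action": "*", "Resource": "*",
             "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_CIDR}}},
            {"Sid": "DenyIamChanges", "Effect": "Deny", "Action": "iam:*", "Resource": "*"},
        ],
    }


def _condition_holds(condition, ctx):
    """Evaluate a Condition block against the request context. A key absent from
    the context makes the condition false, as IAM does for operators without the
    ...IfExists suffix; this is why a long-term access key, which carries no
    aws:MultiFactorAuthPresent key at all, never satisfies the MFA Allow."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                in_range = ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
                if in_range != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError(f"operator not implemented in this example: {operator}")
    return True


def evaluate(policy, action, ctx):
    """IAM decision order: a matching explicit Deny wins outright; otherwise a
    matching Allow grants; otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase(action, p) for p in patterns):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    inside_mfa = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.10"}
    inside_no_mfa = {"aws:SourceIp": "203.0.113.10"}  # long-term access key, no MFA
    outside_mfa = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "198.51.100.7"}
    net = build_policy("network-admin")
    for label, ctx, action in [
        ("network admin, MFA, from corp", inside_mfa, "ec2:CreateVpc"),
        ("network admin, no MFA, from corp", inside_no_mfa, "ec2:CreateVpc"),
        ("network admin, MFA, from outside", outside_mfa, "ec2:CreateVpc"),
        ("network admin tries IAM", inside_mfa, "iam:CreateUser"),
        ("network admin tries servers", inside_mfa, "ec2:RunInstances"),
    ]:
        print(f"{label:36s} -> {evaluate(net, action, ctx)}")
```

Two points the table of results makes that the slide only states: the MFA requirement is enforced by the Allow being conditional (no separate Deny is needed, because a request that does not match any Allow is denied anyway), and the source-IP restriction is written as a Deny so that it also covers any permission granted to the same principal by some other policy.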

NETWORK

Availability Zone A

Availability Zone B

AWS Virtual Private Cloud
• Provision a logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances

AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity

YOUR AWS ENVIRONMENT

AWS Direct Connect

YOUR PREMISES

Digital Websites

Big Data Analytics

Dev and Test

Enterprise Apps

AWS

Internet

VPN

CONTROL YOUR COMPUTE

First class security and compliance starts (but doesn't end!) with encryption

Automatic encryption with managed keys

Bring your own keys

Dedicated hardware security modules

Integrated with AWS Services

Highly Available and durable

Key Management Service
Encryption key management and compliance made easy

AWS CloudHSM
• you fully control the keys
• Increase performance
• Comply with stringent regulatory
• single tenant for you

EC2 Instance

You can also store your encryption keys in AWS CloudHSM

REACT AND RESPOND

CloudWatch Logs: log everything and monitor events in those logs
• Storage is cheap - collect and keep your logs
• Store logs durably in write-once storage, so an intruder cannot alter or erase the record afterwards
• Integration with CloudWatch Metrics and Alarms means you can continually scan for events you know might be suspicious

IF (detect web attack > 10 in a 1 minute period) THEN ALARM - INCIDENT IN PROGRESS - NOTIFY SECURITY
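The alarm rule on the slide, worked through as an added example that is not part of the presentation: a metric filter that turns each blocked web request into a data point, a 1-minute period that sums the points, and an alarm that fires when a period exceeds 10. The simplified access-log format and every sample line are constructed for the example; in CloudWatch the same two steps are a Logs metric filter publishing a custom metric and a metric alarm on that metric, with the notification sent by the alarm action.

```python
"""Added example (not from the slides): the rule
IF (web attacks > 10 in a 1-minute period) -> ALARM, as a metric filter
plus a threshold alarm run over constructed access-log lines."""
from collections import Counter
from datetime import datetime, timezone

THRESHOLD = 10        # alarm when the count in one period exceeds this
PERIOD_SECONDS = 60   # 1-minute evaluation period, as on the slide


def constructed_log():
    """Constructed sample lines in a simplified access-log format
    (<ISO8601 time> <client ip> <method> <path> <status> <blocking rule or ->):
    a burst of 12 blocked SQL-injection probes inside the 10:00 minute, normal
    traffic around it, a plain 403 that no WAF rule produced, and 3 blocked XSS
    probes at 10:02 that must not trip the alarm on their own."""
    lines = [
        f"2015-09-22T10:00:{sec:02d}Z 198.51.100.7 GET /item?id=1%27%20OR%201%3D1 403 SQLi"
        for sec in range(0, 60, 5)
    ]
    lines += [
        "2015-09-22T10:00:07Z 192.0.2.44 GET /index.html 200 -",
        "2015-09-22T10:01:12Z 192.0.2.44 POST /login 200 -",
        "2015-09-22T10:01:40Z 192.0.2.44 GET /admin 403 -",   # authorization 403, not an attack signal
        "2015-09-22T10:02:05Z 203.0.113.9 GET /a?q=%3Cscript%3E 403 XSS",
        "2015-09-22T10:02:30Z 203.0.113.9 GET /b?q=%3Cscript%3E 403 XSS",
        "2015-09-22T10:02:55Z 203.0.113.9 GET /c?q=%3Cscript%3E 403 XSS",
    ]
    return sorted(lines)  # ISO-8601 prefixes sort chronologically


def parse(line):
    ts, ip, method, path, status, rule = line.split(" ", 5)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, method, path, int(status), rule


def metric_filter(lines):
    """Emulates a CloudWatch Logs metric filter: a request blocked by a WAF rule
    (status 403 with a rule name) emits one data point; anything else is ignored."""
    return [(when, ip, rule) for when, ip, _m, _p, status, rule in map(parse, lines)
            if status == 403 and rule != "-"]


def count_per_period(events, period_seconds=PERIOD_SECONDS):
    """Sum data points into fixed periods aligned to the period length (the
    metric's Sum statistic over the alarm period)."""
    counts = Counter()
    for when, _ip, _rule in events:
        start = int(when.timestamp()) // period_seconds * period_seconds
        counts[datetime.fromtimestamp(start, tz=timezone.utc)] += 1
    return counts


def evaluate_alarm(lines, threshold=THRESHOLD, period_seconds=PERIOD_SECONDS):
    """Return [(period_start, count), ...] for every period that breached the threshold."""
    counts = count_per_period(metric_filter(lines), period_seconds)
    return sorted((start, n) for start, n in counts.items() if n > threshold)


def notification(period_start, count):
    """The message the alarm action would publish (for example to an SNS topic the security team is subscribed to)."""
    return (f"ALARM - INCIDENT IN PROGRESS: {count} blocked web attacks in the minute "
            f"starting {period_start.isoformat()} (threshold {THRESHOLD}). NOTIFY SECURITY.")


if __name__ == "__main__":
    for start, n in evaluate_alarm(constructed_log()):
        print(notification(start, n))
```

The filter deliberately distinguishes a 403 with a blocking rule from a plain 403, otherwise ordinary authorization failures would count toward the incident threshold; the same care is needed in a real filter pattern, or the alarm trains the team to ignore it.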

Change as the threat environment changes
What does agility look like?
• Quickly, within hours
• Reacting quicker
• Continuous assurance

AUDIT EVERYTHING SIMPLIFIED

"Clouds Are Secure: Are You Using Them Securely?" -- Jay Heiser, published 22 September 2015