AWS Webcast - Security Best Practices on AWS


Post on 13-Jan-2015

Category: Technology

DESCRIPTION

Amazon Web Services (AWS) delivers a highly scalable cloud computing platform with high availability and reliability, and the flexibility to enable customers to build a wide range of applications. In order to provide end-to-end security and end-to-end privacy, AWS builds services in accordance with security best practices, provides appropriate security features in those services, and documents how to use those features. In addition, AWS customers must use those features and best practices to architect an appropriately secure application environment. Join this webcast to learn more.

TRANSCRIPT

1. Security Best Practices on AWS
Understanding AWS Security, the Shared Responsibility Model, and some security best practices
© 2011 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.

2. Cloud Security is:

3. Every Customer Has Access to the Same Security Capabilities
And gets to choose what's right for their business needs: Governments, Financial Sector, Pharmaceuticals, Entertainment, Start-ups, Social Media, Home Users, Retail

4. Visible Cloud Security
This Or This?

5. Auditable Cloud Security

6. Transparent Cloud Security
http://aws.amazon.com/compliance/

7. ISO 27001 Certification
- Covers the AWS Information Security Management System
- Follows ISO 27002 best practice guidance
- Includes all Regions
Certification in the standard requires:
- Systematic evaluation of information security risks
- Evaluate the impact of company threats and vulnerabilities
- Design and implement comprehensive information security controls
- Adopt an overarching management process to ensure that the information security controls meet the information security needs on an ongoing basis

8. Service Organization Controls
American Institute of Certified Public Accountants (AICPA) report
SOC 1
  What it contains: Attests that the AWS internal controls for financial reporting are appropriately designed and the controls are operating effectively
  Who uses it: User auditors & users' controller's office. Shared under NDA by AWS.
SOC 2
  What it contains: Expanded evaluation of controls to include AICPA Trust Services Principles
  Who uses it: Management, regulators & others. Shared under NDA by AWS.
SOC 3
  What it contains: Summary of SOC 2; provides the AICPA SysTrust Security Seal
  Who uses it: Management, regulators & others. Publicly available.

9. PCI DSS Level 1 Service Provider
- PCI DSS 2.0 compliant
- Covers core infrastructure & services: EC2, EBS, VPC, ELB, Direct Connect, S3, Glacier, RDS, DynamoDB, SimpleDB, EMR, Redshift, CloudHSM, and IAM
- Use services normally, no special configuration
- Leverage the work of our QSA
- AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA); can support forensic investigations
- Certified in all regions

10. FedRAMP (FISMA) Moderate
- U.S. Civilian Government Agency-specific FedRAMP Authorization to Operate (ATO)
- FISMA Moderate (NIST 800-53)
- Much more stringent than other commercial standards
- 205 high-level controls spanning 18 domains: Access Control, Awareness & Training, Audit & Accountability, Security Assessment & Authorization, Configuration Management, Contingency Planning, ID & Authentication, Incident Response, Maintenance, Media Protection, Physical & Environment Protection, Planning, Personnel Security, Risk Assessment, System & Services Acquisition, System & Communications Protections, System & Information Integrity, Program Management

11. Shared Assessments SIG
- Standard Information Gathering (SIG) Questionnaire, shared under NDA
- www.sharedassessments.org
- Robust, easy to use set of questions to gather and assess Information Technology Operating and Security Risks (and corresponding controls)
- Based on referenced industry standards, including but not limited to FFIEC, ISO, COBIT and PCI
- Excel format with AWS-provided answers
- Updated periodically to stay current

12. Additional Initiatives
- U.S. Health Insurance Portability and Accountability Act (HIPAA): AWS enables covered entities and their business associates subject to the U.S. HIPAA to leverage the secure AWS environment to process, maintain, and store protected health information, and AWS will be signing business associate agreements with such customers.
- Cloud Security Alliance (CSA) Questionnaire: answers in the Risk and Compliance Whitepaper
- Motion Picture Association of America (MPAA): answers in the Risk and Compliance Whitepaper; best practices for storing, processing and delivering protected media & content

13. Security & Compliance Control Objectives
Control Objective 1: Security Organization
Control Objective 2: Amazon User Access
Control Objective 3: Logical Security
Control Objective 4: Secure Data Handling
Control Objective 5: Physical Security and Environmental Safeguards
Control Objective 6: Change Management
Control Objective 7: Data Integrity, Availability and Redundancy
Control Objective 8: Incident Handling

14. Security & Compliance Control Objectives (cont'd)
Control Objective 1: Security Organization
- Who we are
- Proper control & access within the organization
Control Objective 2: Amazon User Access
- How we vet our staff
- Minimization of access

15. Security & Compliance Control Objectives (cont'd)
Control Objective 3: Logical Security
- Our staff start with no system access
- Need-based access grants
- Rigorous system separation
- System access grants regularly evaluated & automatically revoked

16. Security & Compliance Control Objectives (cont'd)
Control Objective 4: Secure Data Handling
- Storage media destroyed before being permitted outside our datacenters
- Media destruction consistent with US Dept. of Defense Directive 5220.22
Control Objective 5: Physical Security and Environmental Safeguards
- Keeping our facilities safe
- Maintaining the physical operating parameters of our datacenters

17. Security & Compliance Control Objectives (cont'd)
Control Objective 6: Change Management
- Continuous operation
Control Objective 7: Data Integrity, Availability and Redundancy
- Ensuring your data remains safe, intact, & available
Control Objective 8: Incident Handling
- Process & procedures for mitigating and managing potential issues

18. Shared Responsibility
AWS: Facilities, Physical Security, Physical Infrastructure, Network Infrastructure, Virtualization Infrastructure
Customer: Choice of Guest OS, Application Configuration Options, Account Management Flexibility, Security Groups, Network ACLs, Network Configuration Control

19. You Decide Where Applications and Data Reside

20. Network Security

21. Amazon EC2 Security
Host operating system (AWS controlled)
- Individual SSH keyed logins via bastion host for AWS admins
- All accesses logged and audited
Guest operating system (Customer controlled)
- AWS admins cannot log in
- Customer-generated keypairs
Stateful firewall
- Mandatory inbound firewall, default deny mode
- Customer controls configuration via Security Groups
Signed API calls
- Require customer's secret AWS key

22. Customer 1 Customer 2 Customer n Hypervisor Vi
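The last bullet of slide 21, signed API calls that require the customer's secret AWS key, is the one control in this deck a practitioner can exercise offline. What follows is an added example, not code from the webcast or from AWS: a minimal implementation of the Signature Version 4 scheme that AWS APIs use today (a secret-keyed HMAC over a canonical form of the request, the same principle the slide refers to), alongside the server-side check that recomputes the signature and compares it. Assumptions: the access key, secret and the IAM ListUsers request are the sample values published in the AWS SigV4 documentation, not real credentials, and the `lookup_secret` callback stands in for the credential store AWS consults on its side.

```python
import hashlib
import hmac
from urllib.parse import quote

# Sample credentials and request from the AWS SigV4 documentation: NOT real keys.
# lookup_secret() below is a stand-in for the credential store on AWS's side.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
REGION, SERVICE = "us-east-1", "iam"
REQUEST = {  # GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08
    "method": "GET",
    "path": "/",
    "query": {"Action": "ListUsers", "Version": "2010-05-08"},
    "headers": {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": "iam.amazonaws.com",
        "x-amz-date": "20150830T123600Z",
    },
    "payload": b"",
}

def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def canonical_request(method, path, query, headers, payload):
    """Canonical form of the request, i.e. every byte the signature covers.

    Query keys sorted and URI-encoded, header names lower-cased and sorted,
    header values whitespace-trimmed, payload bound in by its SHA-256.
    Returns (canonical_request, signed_headers).
    """
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    canon = "\n".join([method, quote(path, safe="/-_.~"), canon_query,
                       canon_headers,  # trailing "\n" yields the required blank line
                       signed_headers, _sha256_hex(payload)])
    return canon, signed_headers

def signing_key(secret: str, day: str, region: str, service: str) -> bytes:
    """Derive the per-day/region/service key. The raw secret is used only here
    and never leaves the client; what crosses the wire is an HMAC output."""
    k_day = _hmac_sha256(("AWS4" + secret).encode("utf-8"), day)
    k_region = _hmac_sha256(k_day, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")

def sign_request(method, path, query, headers, payload, *, region, service, access_key, secret):
    """Return the Authorization header value for the request."""
    amz_date = {k.lower(): v for k, v in headers.items()}["x-amz-date"]  # 20150830T123600Z
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    canon, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canon.encode("utf-8"))])
    signature = hmac.new(signing_key(secret, amz_date[:8], region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")

def verify_request(authorization, method, path, query, headers, payload,
                   *, region, service, lookup_secret):
    """Server side: look up the secret for the presented access key, recompute the
    header over the request as actually received, compare in constant time. A real
    service also rejects an x-amz-date outside a short window to limit replay."""
    try:
        scheme, fields = authorization.split(" ", 1)
        parts = dict(p.strip().split("=", 1) for p in fields.split(","))
        access_key, presented_scope = parts["Credential"].split("/", 1)
    except (ValueError, KeyError):
        return False
    amz_date = {k.lower(): v for k, v in headers.items()}.get("x-amz-date", "")
    secret = lookup_secret(access_key)
    if scheme != "AWS4-HMAC-SHA256" or secret is None or not amz_date:
        return False
    if presented_scope != f"{amz_date[:8]}/{region}/{service}/aws4_request":
        return False  # credential scoped to another day, region or service
    expected = sign_request(method, path, query, headers, payload, region=region,
                            service=service, access_key=access_key, secret=secret)
    return hmac.compare_digest(expected, authorization)

def demo():
    """Sign the sample request, verify it, then show two ways verification fails."""
    def store(access_key):  # stand-in for the server-side credential store
        return SECRET_KEY if access_key == ACCESS_KEY else None
    ctx = dict(region=REGION, service=SERVICE)
    auth = sign_request(**REQUEST, **ctx, access_key=ACCESS_KEY, secret=SECRET_KEY)
    genuine = verify_request(auth, **REQUEST, **ctx, lookup_secret=store)
    # A captured signature replayed against a different action does not verify.
    replayed = dict(REQUEST, query={"Action": "DeleteUser", "Version": "2010-05-08"})
    replay_ok = verify_request(auth, **replayed, **ctx, lookup_secret=store)
    # Knowing the access key id without the secret does not let you sign.
    forged = sign_request(**REQUEST, **ctx, access_key=ACCESS_KEY, secret="not-the-secret")
    forged_ok = verify_request(forged, **REQUEST, **ctx, lookup_secret=store)
    return auth, genuine, replay_ok, forged_ok
```

Two design points carry the slide's claim. The secret never appears in the request: the client sends its access key id in the clear and proves possession of the secret through the HMAC, and the key used for that HMAC is itself derived from the secret scoped to one day, one region and one service, so a leaked derived key is of limited use. And because the signature covers the canonical request, including the action, host, date header and a hash of the body, the verifier rejects a captured header replayed against a different call, as `demo()` shows with `DeleteUser`. Run `demo()` to get the Authorization header and the three verification results.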