www.cloudsec.com | #cloudsec
Innovation (and security) by design
SeungDoYang | Sr. Mgr, Solutions Architect, Amazon Web Services Korea
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Where are Enterprises Innovating?
AI/ML, HPC, IoT/Edge, Big Data
Dev & test, New applications, Digital, Analytics, Mobile, Datacenter migration, Mission-critical applications, All-in
Common Use Cases for Cloud Adoption
Innovation at Amazon
1994 Founded
1995 Amazon.com
1998 Added CDs & DVDs
2006 Amazon Web Services
2007 Kindle
2011 Video
2012 Groceries
2014 Alexa/Echo
2015 Bookstores
2017 Go
http://phx.corporate-ir.net/phoenix.zhtml?c=176060&p=irol-corporatetimeline
How can enterprises devote more resources to the things that matter, move faster, and be more secure?
Why is security traditionally so hard?
Lack of visibility
Low degree of automation
Before… Move fast OR stay secure
Now… Move fast AND stay secure
The most sensitive workloads run on AWS
“With AWS, DNAnexus enables enterprises worldwide to perform
genomic analysis and clinical studies in a secure and compliant
environment at a scale not previously possible.”
— Richard Daly, CEO DNAnexus
“The fact that we can rely on the AWS security posture to boost our
own security is really important for our business. AWS does a much
better job at security than we could ever do running a cage in a data
center.”
— Richard Crowley, Director of Operations, Slack
“We determined that security in AWS is superior to our on-premises data
center across several dimensions, including patching,
encryption, auditing and logging, entitlements, and compliance.”
— John Brady, CISO, FINRA (Financial Industry Regulatory Authority)
Move to AWS, strengthen your security posture:
- Automate with deeply integrated security services
- Inherit global security and compliance controls
- Highest standards for privacy and data security
- Largest network of security partners and solutions
- Scale with superior visibility and control
Inherit global security and compliance controls
Scale with visibility and control
Highest standards for privacy
- Encryption at scale, with keys managed by AWS Key Management Service (KMS), or manage your own encryption keys with AWS CloudHSM using FIPS 140-2 Level 3 validated HSMs
- Meet data residency requirements: choose an AWS Region and AWS will not replicate your content elsewhere unless you choose to do so
- Access services and tools that enable you to build compliant infrastructure on top of AWS
- Comply with local data privacy laws by controlling who can access content, its lifecycle, and its disposal
Automate with integrated services: automated threat remediation
Amazon GuardDuty finding → Amazon CloudWatch Events rule → AWS Lambda function (remediation)
Largest ecosystem of security partners and solutions
- Infrastructure security
- Logging & monitoring
- Identity & access control
- Configuration & vulnerability analysis
- Data protection
AWS security solutions
- Identity: AWS Identity & Access Management (IAM), AWS Directory Service, AWS Organizations, AWS Secrets Manager, AWS Single Sign-On, Amazon Cognito
- Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs
- Infrastructure security: AWS Systems Manager, AWS Shield, AWS WAF (web application firewall), AWS Firewall Manager, Amazon Inspector, Amazon Virtual Private Cloud (VPC)
- Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, Server-Side Encryption
- Incident response: AWS Config Rules, AWS Lambda
Shared responsibility model
- AWS is responsible for the security OF the Cloud
- Customers are responsible for security IN the Cloud: they choose their own security configurations and control their own security policy
A Financial Customer's Journey to the Cloud
- 2015: 2 Accounts | 20 VPCs (Production, Non-Prod)
- 2016: + 29 Accounts | 62 VPCs
- 2017: + 35 Accounts | 35 VPCs (adding Shared Services, Security, and Data Center accounts)
Financial Customer: Where are they today
- AWS Cloud: Non-Prod and Prod Virtual Private Clouds (VPC subnets, Auto Scaling groups, security groups) connected by VPC peering
- Workload services: Amazon EC2 (launched from AMIs), Elastic Load Balancing, Amazon RDS, Amazon SQS, Amazon SES, Amazon S3
- Account-level controls: AWS IAM, AWS KMS, Amazon CloudWatch, AWS CloudTrail, AWS Config, VPC Flow Logs
- Shared Services account: DNS, SSO
- Security account: Logging, Log Analysis
- AWS Direct Connect to the corporate data center
Use Case 1: Deep Security with Amazon GuardDuty
Automate and orchestrate incident response when a potential threat is detected
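The "GuardDuty finding → CloudWatch Events → Lambda" pipeline that the deck shows as an icon chain, and that Use Case 1 applies to Deep Security, can be demonstrated in a few dozen lines. The following is an added example, not code from the deck, from AWS, or from the Deep Security product: a Lambda handler that reads a GuardDuty finding as delivered by a CloudWatch Events rule, decides whether the affected EC2 instance should be network-isolated, and if so swaps its security groups for a quarantine group. The event sample is constructed; the quarantine group id, the instance id, the severity threshold and the list of finding types that justify isolation are assumptions for illustration.

```python
"""GuardDuty finding -> CloudWatch Events -> Lambda auto-remediation (added example).

Assumptions (not from the original deck): the quarantine security group id,
the instance id in the sample event, and the finding-type prefixes that
trigger isolation are all hypothetical.
"""

# Event pattern for the CloudWatch Events rule that feeds this Lambda
# (this goes on the rule, not inside the function).
RULE_EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

# GuardDuty severity bands: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9.
HIGH_SEVERITY = 7.0

# Finding families for which isolating the EC2 instance is a safe first
# response (hypothetical policy for this example).
ISOLATE_TYPE_PREFIXES = (
    "UnauthorizedAccess:EC2/",
    "Backdoor:EC2/",
    "CryptoCurrency:EC2/",
    "Trojan:EC2/",
)

# Constructed sample event in the shape CloudWatch Events delivers GuardDuty
# findings (fields trimmed to what the handler reads).
SAMPLE_FINDING_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "123456789012",
    "region": "ap-northeast-2",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0abc1234567890def"},
        },
        "service": {"archived": False, "count": 12},
        "title": "i-0abc1234567890def is performing SSH brute force attacks",
    },
}


def plan_remediation(event, quarantine_sg):
    """Decide what to do with one finding without touching AWS (pure function)."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    detail = event.get("detail", {})
    finding_type = detail.get("type", "")
    severity = float(detail.get("severity", 0))
    if detail.get("service", {}).get("archived"):
        return {"action": "ignore", "reason": "finding archived"}
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        # IAM-principal findings need a different playbook (e.g. revoke keys).
        return {"action": "notify", "reason": f"resource type {resource.get('resourceType')}", "type": finding_type}
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if not instance_id:
        return {"action": "notify", "reason": "no instance id", "type": finding_type}
    if severity < HIGH_SEVERITY or not finding_type.startswith(ISOLATE_TYPE_PREFIXES):
        return {"action": "notify", "reason": "below isolation threshold",
                "type": finding_type, "instance_id": instance_id}
    return {"action": "isolate", "type": finding_type,
            "instance_id": instance_id, "groups": [quarantine_sg]}


def handler(event, context=None, ec2=None, quarantine_sg="sg-0123456789abcdef0"):
    """Lambda entry point. `ec2` is injectable so the logic can be exercised offline."""
    plan = plan_remediation(event, quarantine_sg)
    if plan["action"] == "isolate":
        if ec2 is None:
            import boto3  # only needed when running inside Lambda
            ec2 = boto3.client("ec2")
        # Replace every security group on the instance with the quarantine group,
        # which is assumed to carry no inbound or outbound rules.
        ec2.modify_instance_attribute(InstanceId=plan["instance_id"], Groups=plan["groups"])
        # Leave a marker so responders can see why the instance lost connectivity.
        ec2.create_tags(Resources=[plan["instance_id"]],
                        Tags=[{"Key": "GuardDutyQuarantine", "Value": plan["type"]}])
    return plan
```

The decision is kept in `plan_remediation` so it can be unit-tested against recorded findings before the Lambda is given `ec2:ModifyInstanceAttribute` rights; the Lambda's execution role should be scoped to exactly those two EC2 actions, and the quarantine group itself must be created ahead of time in every VPC the rule covers.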
Use Case 2: Deep Security SIEM Integration
Easily integrates with Security Information and Event Management (SIEM) solutions, e.g. Sumo Logic, through an installed Collector and a Syslog source
Use Case 3: Deep Security SAML Integration
Directory Server → Identity Provider → Deep Security Manager; user account; group claim → roles
Seamless sign-on to Deep Security using the organisation account, with user authentication access controls such as:
- Password strength or change enforcement
- One-time password
- Two-factor authentication (2FA) or multi-factor authentication (MFA)
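The "group claim → roles" step in the diagram above is where the service provider decides what an authenticated user may do. The following is an added example, not code from the deck or from the Deep Security product: it checks the parts of a SAML 2.0 response that a service provider must verify before trusting it (audience, validity window), then maps the identity provider's group claim to application roles through an explicit allowlist. The response XML is constructed; the audience URL, claim name, group names and role names are hypothetical. Signature verification is deliberately out of scope and must be done by a SAML library backed by xmlsec before any of these values are used.

```python
"""Map a SAML group claim to application roles (added example).

Constructed sample assertion; the audience URL, group names and role names
are hypothetical. Signature verification is NOT performed here and must be
done by a SAML library (xmlsec-backed) before any of these values are trusted.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute name under which the IdP sends group membership (ADFS-style claim; assumption).
GROUP_ATTRIBUTE = "http://schemas.xmlsoap.org/claims/Group"

# Explicit allowlist: directory group -> application role. Any group not listed grants nothing.
GROUP_TO_ROLE = {
    "DS-Administrators": "Full Access",
    "DS-Auditors": "Auditor",
}

# Constructed sample response; a real one also carries a ds:Signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2018-09-10T08:00:00Z" NotOnOrAfter="2018-09-10T08:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://dsm.example.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml:AttributeValue>DS-Auditors</saml:AttributeValue>
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts):
    """Parse the SAML UTC timestamp form used above into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def roles_from_response(xml_text, expected_audience, now_ts):
    """Validate audience and time window, then map the group claim to roles."""
    root = ET.fromstring(xml_text)  # prefer defusedxml for input from the network
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    now = _utc(now_ts)
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _utc(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now >= _utc(not_on_or_after):
        raise ValueError("assertion expired")
    # Audience check stops an assertion minted for another service provider being replayed here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not issued for this service provider")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = [
        v.text
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == GROUP_ATTRIBUTE
        for v in attr.findall("saml:AttributeValue", NS)
    ]
    # Only allowlisted groups yield a role; a user with no mapped group gets an empty role list.
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    return {"user": name_id, "groups": groups, "roles": roles}
```

The allowlist is the point: roles are derived from a fixed mapping owned by the application, never from a role name sent by the IdP, so a directory change that adds someone to an unrelated group cannot grant access, and an empty `roles` list should be treated as a denied login rather than a default role.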
Use Case 4: Deep Security Rapid Deployment using CloudFormation
Automate deployment using AWS CloudFormation:
- Uses AWS best practices
- High availability through multi-AZ
- Pre-configured security group
Use Case 5: Managed Security Services
• Security Operations Monitoring
• Security Logs & Event Management
• Security Analytics
• Intrusion Detection and Prevention
• Web Application Security
• Next Generation Firewalls
• Endpoint Protection
• Data Loss Prevention
• Websites & Content Filtering
• Advanced Threat Intelligence
• Periodic Vulnerability Assessment
• Cloud Audit & Compliance
• Container Security
Security is no longer an obstacle to cloud adoption!
Now, security and compliance are becoming an important reason to adopt the cloud!
THANK YOU