
Page 1: MEXICOCITY WWPS Summit Assets... · 2020-03-23 · Flexible options for data encryption using the keys managed by AWS services, AWS keys managed through AWS KMS, or keys managed by

MEXICO CITY

Page 2

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Managing Security At AWS

Arturo Cabañas

MGMT104

Public Sector Security Assurance Lead, AWS Public Sector Latin America

Page 3

Known Security Model

The most demanding client requirements are audited and validated by experts

PEOPLE & PROCESSES

SYSTEMS

NETWORK

PHYSICAL

All clients benefit

Security in AWS is Priority Zero

Page 4

“Based on our experience, I believe we can be even safer in the AWS Cloud than in our own data centers.”

Tom Soderstrom

CTO, NASA JPL

Page 5

Security and Protection of Personal Data in AWS

Storing information raises a set of common questions that must be addressed in practice, such as:

• Is the content secure?
• Where will the content be stored?
• Who will have access to the content?

But above all: how do we comply with Mexican laws and regulations?
• General Law on Protection of Personal Data in Possession of Regulated Entities and Individuals (LGPDPPSO)
• General Law on Transparency and Access to Public Information (LGTAIP)

Page 6

Agenda

SHARED RESPONSIBILITY: The AWS shared responsibility approach to managing security in the cloud

GLOBAL INFRASTRUCTURE: Multiple Regions and Availability Zones in which to store their information

SECURITY SERVICES: Different security services to control access to their content

LEGAL FRAMEWORK IN MEXICO: National Digital Strategy, LGPDPPSO, LGTAIP


Page 8

Security is a shared responsibility

AWS (security of the cloud):

• Premises
• Physical Security
• Compute Infrastructure
• Storage Infrastructure
• Network Infrastructure
• Virtualization Layer (EC2)
• Hardened Service Endpoints

Customer (security in the cloud):

• Network Configuration
• Security Groups
• Operating System Firewall
• Operating Systems
• Application Security
• Proper Service Configuration
• Authorization Policies

AWS + Customer = systems that are more secure and compliant than any entity could achieve on its own.

Page 9

The Shared Responsibility Approach

Page 10

Clients rely on AWS compliance with global standards

Certifications & Attestations | Laws, Regulations & Privacy | Guidelines & Frameworks

Page 11

The Shared Responsibility Approach

ISO 27001 • An information security management standard that establishes recommended practices for security management and control

ISO 27017 • Provides guidance on information security in cloud computing and recommends the implementation of cloud-specific information security controls

ISO 27018 • A code of practice designed to protect personal data (PII) in the public cloud

Page 12

The AWS Artifact tool brings transparency

What is it?

A free, global portal that provides on-demand access to AWS certifications and the latest security and compliance reports

How does it work?

Clients can review the controls, map their own controls to AWS controls, and use the reports to verify that AWS controls are operating effectively

• Information about AWS policies, processes and controls
• Documentation on the controls relevant to specific AWS services
• Validation that AWS controls are operating effectively

Global Certifications & Attestations

Page 13

AWS Security Solutions

Identity: AWS Identity and Access Management (IAM), AWS Organizations, AWS Directory Service, AWS Single Sign-On, Amazon Cognito, AWS Secrets Manager

Detective Control: AWS Config, Amazon GuardDuty, Amazon CloudWatch, AWS CloudTrail, VPC Flow Logs

Infrastructure Security: AWS Shield, AWS Firewall Manager, AWS WAF (Web Application Firewall), Amazon Virtual Private Cloud (VPC), AWS Systems Manager (formerly Amazon EC2 Systems Manager), Amazon Inspector

Data Protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, Server-Side Encryption

Incident Response: AWS Config Rules, AWS Lambda

Page 14

Identity and Access Management

Define, enforce and audit user permissions for AWS services, actions and resources.

AWS Identity and Access Management (IAM): Securely manage access to AWS services and resources.

AWS Organizations: Policy-based management for multiple AWS accounts

Amazon Cognito: Add user sign-up, sign-in and access control to your web and mobile applications

AWS Directory Service: Microsoft Active Directory managed in the AWS Cloud

AWS Single Sign-On: Centrally manage single sign-on (SSO) to multiple AWS accounts and business applications

Page 15

Detective Control

Get the visibility you need to detect issues before they affect the business, improve your security posture and reduce the risk profile of your environment.

AWS CloudTrail: Enable governance, compliance, and operational and risk auditing of your AWS account

AWS Config: Record and evaluate your AWS resource configurations. Enables compliance auditing, security analysis, resource change tracking and troubleshooting

Amazon CloudWatch: Monitor AWS resources and the applications you run on AWS to collect metrics, monitor log files, set alarms and react automatically to changes

Amazon GuardDuty: Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads

VPC Flow Logs: Capture information about the IP traffic going to and from network interfaces in your VPC. Flow log records can be published to Amazon CloudWatch Logs or Amazon S3

Page 16

Infrastructure Security

Reduce the surface area you have to manage and increase the privacy and control of your overall infrastructure in AWS.

AWS Systems Manager (formerly Amazon EC2 Systems Manager): Easily configure and manage Amazon EC2 and on-premises systems to apply operating system patches, create secure system images and configure secure operating systems

AWS Shield: Managed Distributed Denial of Service (DDoS) protection that safeguards applications running on AWS

AWS Web Application Firewall (WAF): Protect your web applications from common web exploits that could affect availability or compromise security

Amazon Inspector: Automated security assessment service that helps improve the security and compliance of applications deployed on AWS

Amazon Virtual Private Cloud (VPC): Provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define

Page 17

Data Protection

Beyond the automatic encryption and data management built into AWS services, use additional data protection features (data management, data security and encryption key storage).

AWS Key Management Service (KMS): Easily create and control the keys used to encrypt your data

AWS CloudHSM: Managed hardware security module (HSM) in the AWS Cloud

Amazon Macie: A machine learning-powered security service to discover, classify and protect sensitive data

AWS Certificate Manager: Easily provision, manage and deploy SSL/TLS certificates for use with AWS services

Server-Side Encryption: Flexible options for data encryption using keys managed by AWS services (SSE-S3), keys managed through AWS KMS (SSE-KMS), or keys managed by the client (SSE-C)

Page 18

Incident Response

During an incident, containing the event and restoring a known good state are important elements of a response plan. AWS provides the following tools to automate aspects of this good practice.

AWS Config Rules: Create rules that take automated action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring your configuration to a known good state

AWS Lambda: Use our serverless compute service to run code without provisioning or managing servers, so that you can scale your incident response in a planned, automated way
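The Config Rules plus Lambda pattern described on this slide, as an added example that is not part of the deck and not AWS's own code: a custom rule that evaluates an AWS::EC2::SecurityGroup configuration item, reports it NON_COMPLIANT when SSH (tcp/22) is reachable from anywhere, and, when the AUTO_REMEDIATE environment variable is set, revokes the offending ingress rule to restore the known-good state. The security-group configuration at the bottom is a constructed sample in the field shape AWS Config records; the environment variable name and group ID are assumptions.

```python
"""AWS Config custom rule: detect security groups with SSH open to the
world and optionally revoke the offending rule (added example, not from
the deck). Deploy as a Lambda targeted by a Config custom rule that
triggers on AWS::EC2::SecurityGroup configuration changes. The
evaluation logic is pure so it can be exercised offline; the Config and
EC2 API calls happen only inside lambda_handler.
"""
import json
import os

SSH_PORT = 22
WORLD = ("0.0.0.0/0", "::/0")


def _covers_port(perm, port):
    """True if one ipPermissions entry admits traffic to `port`."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                       # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    frm, to = perm.get("fromPort"), perm.get("toPort")
    if frm is None or to is None:           # tcp with no range given
        return True
    return frm <= port <= to


def _world_open_sources(perm):
    """CIDRs in this entry that mean 'anywhere', accepting both the string
    form (ipRanges) and the object form (ipv4Ranges/ipv6Ranges) in which
    Config records security-group rules."""
    cidrs = [r for r in perm.get("ipRanges", []) if isinstance(r, str)]
    cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", []) if isinstance(r, dict)]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", []) if isinstance(r, dict)]
    return [c for c in dict.fromkeys(cidrs) if c in WORLD]


def evaluate_security_group(configuration):
    """Return (compliance_type, annotation, offending_rules) for the
    `configuration` block of a security group configuration item."""
    offending = []
    for perm in configuration.get("ipPermissions", []):
        if not _covers_port(perm, SSH_PORT):
            continue
        for cidr in _world_open_sources(perm):
            offending.append({"ipProtocol": perm.get("ipProtocol"),
                              "fromPort": perm.get("fromPort"),
                              "toPort": perm.get("toPort"), "cidr": cidr})
    if offending:
        srcs = ", ".join(o["cidr"] for o in offending)
        return "NON_COMPLIANT", f"SSH (tcp/{SSH_PORT}) reachable from {srcs}", offending
    return "COMPLIANT", "no world-open SSH rule", []


def revoke_params(offending):
    """Offending rules in the IpPermissions shape that EC2
    RevokeSecurityGroupIngress expects (no port keys for protocol -1)."""
    perms = []
    for o in offending:
        p = {"IpProtocol": o["ipProtocol"]}
        if o["fromPort"] is not None:
            p["FromPort"], p["ToPort"] = o["fromPort"], o["toPort"]
        if ":" in o["cidr"]:
            p["Ipv6Ranges"] = [{"CidrIpv6": o["cidr"]}]
        else:
            p["IpRanges"] = [{"CidrIp": o["cidr"]}]
        perms.append(p)
    return perms


def lambda_handler(event, context):
    import boto3  # imported here so the pure functions stay importable offline
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return None
    compliance, annotation, offending = evaluate_security_group(item["configuration"])
    if offending and os.environ.get("AUTO_REMEDIATE") == "true":
        boto3.client("ec2").revoke_security_group_ingress(
            GroupId=item["resourceId"], IpPermissions=revoke_params(offending))
        annotation += " (revoked automatically)"
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": item["resourceType"],
                      "ComplianceResourceId": item["resourceId"],
                      "ComplianceType": compliance,
                      "Annotation": annotation[:256],
                      "OrderingTimestamp": item["configurationItemCaptureTime"]}],
        ResultToken=event["resultToken"])
    return compliance


# Constructed sample of a security group's `configuration` block: HTTPS
# open to the world (acceptable) and SSH open to both the corporate range
# and the world (not acceptable).
SAMPLE_SG = {
    "groupId": "sg-0aa11bb22cc33dd44",
    "ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": ["10.0.0.0/8", "0.0.0.0/0"],
         "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}, {"cidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    print(evaluate_security_group(SAMPLE_SG)[:2])
```

The revoke step is deliberately opt-in: automatic remediation that removes rules can break legitimate access, so most teams run the rule in report-only mode first and enable AUTO_REMEDIATE only for accounts where a world-open SSH rule is never legitimate.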

Page 19

How to use ML to protect my environment in the cloud?

Amazon GuardDuty

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized activity to help protect your AWS accounts and workloads, using machine learning.

Page 20

GuardDuty – Centralized Alerts

Page 21

Amazon GuardDuty – quick response to a security event

GuardDuty finding → CloudWatch Events rule → AWS Lambda function
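The GuardDuty to CloudWatch Events to Lambda flow on this slide, as an added example that is not part of the deck and not AWS's own code: a Lambda function that receives a GuardDuty finding, decides on a response from its severity and the resource involved, and isolates a compromised EC2 instance by swapping its security groups for a quarantine group. The quarantine group ID, the DRY_RUN environment variable and the sample finding are assumptions constructed for illustration.

```python
"""Automated first response to an Amazon GuardDuty finding (added
example, not from the deck). Wiring: GuardDuty finding -> CloudWatch
Events rule matching source "aws.guardduty" -> this Lambda. The decision
logic is pure and runs offline; EC2 calls happen only when DRY_RUN is
explicitly set to "false". The quarantine security group and the sample
finding below are assumptions for illustration.
"""
import json
import os

# Assumption: a security group with no inbound or outbound rules, created
# in advance, that we attach to a suspect instance to cut it off from the
# network while keeping it (and its memory and disks) intact for forensics.
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-0123456789abcdef0")
MIN_SEVERITY = 7.0  # GuardDuty reports High findings as severity 7.0 to 8.9

# Constructed sample in the shape CloudWatch Events delivers a GuardDuty
# finding; only the fields this handler reads are filled in.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "id": "example-finding-id",
        "severity": 8,
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0abc1234def567890"},
        },
    },
}


def plan_response(event):
    """Decide what to do about a finding without touching any API.
    Returns a dict whose 'action' is 'ignore', 'alert_only' or
    'isolate_instance'."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignore", "reason": "not a GuardDuty event"}
    detail = event.get("detail", {})
    severity = float(detail.get("severity", 0))
    finding_type = detail.get("type", "")
    resource = detail.get("resource", {})
    if severity < MIN_SEVERITY:
        return {"action": "alert_only",
                "reason": f"severity {severity} below {MIN_SEVERITY}"}
    # Only findings on an EC2 instance have something we can isolate; IAM
    # findings (UnauthorizedAccess:IAMUser/*, etc.) need a credential playbook.
    if resource.get("resourceType") == "Instance":
        return {"action": "isolate_instance",
                "instance_id": resource["instanceDetails"]["instanceId"],
                "security_group": QUARANTINE_SG,
                "finding": finding_type}
    return {"action": "alert_only",
            "reason": f"no automated playbook for {finding_type}"}


def isolate_instance(instance_id, security_group, region):
    """Replace the security groups on every network interface of the
    instance with the quarantine group."""
    import boto3  # imported here so plan_response stays importable offline
    ec2 = boto3.client("ec2", region_name=region)
    for reservation in ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]:
        for instance in reservation["Instances"]:
            for eni in instance["NetworkInterfaces"]:
                ec2.modify_network_interface_attribute(
                    NetworkInterfaceId=eni["NetworkInterfaceId"],
                    Groups=[security_group])


def lambda_handler(event, context):
    plan = plan_response(event)
    # Structured log line for CloudWatch Logs, so the action is auditable.
    print(json.dumps({"finding_id": event.get("detail", {}).get("id"), **plan}))
    if plan["action"] == "isolate_instance" and os.environ.get("DRY_RUN", "true") == "false":
        isolate_instance(plan["instance_id"], plan["security_group"], event["region"])
    return plan


if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT, None)
```

The CloudWatch Events rule that feeds this function matches on `{"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}`. Isolating by security group rather than stopping or terminating the instance keeps volatile evidence available; the function logs its decision before acting so the response itself leaves an audit trail.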

Page 22

How to use ML to protect my environment in the cloud?

Amazon Macie discovers and classifies sensitive data such as:

• Personally Identifiable Information (PII)
• Intellectual Property
• Source Code
• Private Keys
• API Keys
• SSL Certificates, etc.

Page 23

How to use ML to protect my environment in the cloud?

Amazon Macie

Page 24

How to use ML to protect my environment in the cloud?

Amazon Macie alert → Amazon CloudWatch Events → AWS Lambda function

Page 25

AWS Security Solutions: encryption at every layer

Physical Layer: Secure facilities and optical encryption using AES-256

Data Link Layer: MACsec AES-256 (IEEE 802.1AE)

Network Layer: VPC Encryption | Cross-Region Peering | AWS VPN

Transport Layer: Amazon s2n | NLB-TLS | ALB | CloudFront | ACM integration

Application Layer: AWS Encryption SDK | Server-side encryption with KMS integration

Page 26

More than 7,000 products in AWS Marketplace

Page 27

Is the content secure?

• AWS has more than 58 certifications and attestations (over 2,600 controls, audited every year)
• AWS offers a broad selection of security tools and features that clients can use
• Clients may also use their own security tools and controls, including a wide variety of third-party security solutions
• Clients are also free to design and conduct security assessments according to their own preferences


Page 29

Where will the content be stored?

AWS data centers are built in clusters in several geographic areas worldwide; each cluster of data centers is a Region.

AWS currently has 69 Availability Zones in 22 geographic Regions worldwide. In addition, 16 more Availability Zones and 5 more Regions have been announced, in Indonesia, Italy, Japan, South Africa and Spain.

(Map: Regions in operation and Regions coming soon)

Page 30

(Diagram: an example Region in the U.S. made up of Availability Zones A, B and C; zooming into an Availability Zone shows that it is built from one or more data centers, e.g. Data Center 1, 2 and 3)

Page 32

Availability Zones

• Fully isolated infrastructure with one or more data centers
• Separated by a meaningful distance
• Independent power infrastructure
• Many hundreds of thousands of servers at scale
• Data centers connected through fully redundant, isolated metro fiber

Page 33

Anatomy of a Region on AWS: redundant transit centers, highly interconnected

(Diagram legend: Intra-AZ connections, Inter-AZ connections, Transit center connections)

Page 34

Understanding durability

Two copies in one site: designed for 99.99% durability

Copies in two sites: designed for 99.999% durability

Stored in an AWS Region (S3 Standard, Standard-IA, Glacier): designed for 99.999999999% durability

Page 35

Where will the content be stored?

• Only AWS clients choose the AWS Region or Regions where their content and servers will be located.
• Clients always retain control of the Regions used to store and process their content.
• AWS stores and processes each client's content only in the Region(s) and services chosen by the client, and does not move the client's content outside those Regions.


Page 37

Identity and Access Management

Page 38

Who will have access to the content?

• You can control who may perform actions in your AWS environment, when, and from where
• Enforce granular access in the AWS Cloud with multi-factor authentication (hardware or virtual tokens)
• Integrate your Active Directory through federation and single sign-on
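The three controls on this slide (who, when, from where) expressed as IAM policy conditions, as an added example that is not part of the deck and not AWS's own code: a deny policy that requires MFA, restricts calls to corporate source ranges while exempting calls that AWS services make on your behalf, and expires at a fixed date. The small evaluator underneath is not AWS's policy engine; it implements only the operators this policy uses, refuses to guess when a non-IfExists key is absent, and exists to show which statement fires for each request. The IP ranges, expiry date and request contexts are constructed for illustration.

```python
"""Who, when and from where: an IAM deny policy that enforces MFA, a
source-network allow-list and an expiry date, plus a small evaluator
(added example, not from the deck and not AWS's evaluation engine) that
shows which Deny statements fire for a given request context. The IP
ranges, expiry date and request contexts are constructed for
illustration. The evaluator implements only the operators this policy
uses and insists on every non-IfExists key being present.
"""
import ipaddress
from datetime import datetime, timezone

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # WHO: deny anything done without MFA. BoolIfExists treats a
            # missing key (e.g. a plain access key, which never carries it)
            # as a match, so long-lived credentials are denied too.
            "Sid": "DenyWithoutMFA", "Effect": "Deny",
            "Action": "*", "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
        {   # FROM WHERE: deny calls from outside the corporate ranges, but
            # not calls an AWS service makes on your behalf, which would
            # otherwise fail because they arrive from AWS addresses.
            "Sid": "DenyOutsideCorporateNetwork", "Effect": "Deny",
            "Action": "*", "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]},
                "Bool": {"aws:ViaAWSService": "false"},
            },
        },
        {   # WHEN: deny everything after the access window closes.
            "Sid": "DenyAfterExpiry", "Effect": "Deny",
            "Action": "*", "Resource": "*",
            "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2020-12-31T23:59:59Z"}},
        },
    ],
}


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(operator, key, expected, ctx):
    """Evaluate one (operator, key, value) triple against the context."""
    values = expected if isinstance(expected, list) else [expected]
    if key not in ctx:
        if operator.endswith("IfExists"):
            return True  # IfExists: a missing key satisfies the condition
        raise KeyError(f"{key} missing from context; needed by {operator}")
    base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
    actual = ctx[key]
    if base == "Bool":
        return str(actual).lower() == str(values[0]).lower()
    if base in ("IpAddress", "NotIpAddress"):
        inside = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
        return inside if base == "IpAddress" else not inside
    if base in ("DateGreaterThan", "DateLessThan"):
        now, bound = _utc(actual), _utc(values[0])
        return now > bound if base == "DateGreaterThan" else now < bound
    raise NotImplementedError(operator)


def denied_by(policy, ctx):
    """Sids of the Deny statements whose conditions all hold for ctx.
    Any non-empty result means the request is refused: an explicit Deny
    overrides every Allow in IAM's evaluation."""
    hits = []
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        triples = [(op, k, v) for op, kv in statement.get("Condition", {}).items()
                   for k, v in kv.items()]
        if all(_condition_holds(op, k, v, ctx) for op, k, v in triples):
            hits.append(statement["Sid"])
    return hits


# Constructed request contexts (the keys IAM would populate).
OFFICE_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.17",
              "aws:ViaAWSService": "false", "aws:CurrentTime": "2020-06-01T10:00:00Z"}
ACCESS_KEY_NO_MFA = {"aws:SourceIp": "203.0.113.17", "aws:ViaAWSService": "false",
                     "aws:CurrentTime": "2020-06-01T10:00:00Z"}
HOME_MFA = {**OFFICE_MFA, "aws:SourceIp": "192.0.2.10"}
SERVICE_CALL = {**OFFICE_MFA, "aws:SourceIp": "52.0.0.1", "aws:ViaAWSService": "true"}
EXPIRED = {**OFFICE_MFA, "aws:CurrentTime": "2021-03-01T09:00:00Z"}

if __name__ == "__main__":
    for name, ctx in [("office+mfa", OFFICE_MFA), ("access key", ACCESS_KEY_NO_MFA),
                      ("home+mfa", HOME_MFA), ("service call", SERVICE_CALL),
                      ("expired", EXPIRED)]:
        print(f"{name:12s} denied by {denied_by(POLICY, ctx)}")
```

Attach a policy like this to the roles or groups that handle personal data and keep the allow statements separate; because IAM evaluates an explicit Deny ahead of any Allow, the three conditions act as guardrails no matter how generous the allow side becomes.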

Page 39

Who will have access to the content?

(Diagram: developers, admins, security staff, clients and partners reach the AWS Management Console/APIs, the AWS infrastructure, AWS applications and your own applications, all governed by Identity and Access Management)

Page 40

Who will have access to the content? – In short

Clients using AWS services retain, and do not give up, effective control over their content within the AWS environment. They can:

• Determine where their content will be located
• Control the format, structure and security of their content
• Manage the other access controls, such as identity credentials, access management, permissions and security


Page 42

General Law on Transparency and Access to Public Information (LGTAIP)

It is important to note that you alone are responsible for classifying the information, as set out in Article 100 of the LGTAIP:

“Article 100. Classification is the process by which the regulated entity or individual subject to this Law determines that the information in its possession falls under any of the cases of reserve or confidentiality. The heads of the areas of the regulated entities or individuals shall be responsible for classifying the information.”

Page 43

General Law on Transparency and Access to Public Information (LGTAIP)

Data are, by default, classified as public:

“Article 11. All information in the possession of the regulated entities or individuals shall be public, complete, timely and accessible, subject only to very specific exceptions.”

Page 44

General Law on Protection of Personal Data in Possession of Regulated Entities and Individuals (LGPDPPSO)

“Article 63. The responsible entity or individual may contract or adhere to cloud computing services, applications and infrastructure, and other matters that involve the processing of personal data.”

Page 45

General Law on Protection of Personal Data in Possession of Regulated Entities and Individuals (LGPDPPSO)

“II. The provider must have mechanisms, at least, to:

a) Report changes in its privacy policies or in the conditions of the service rendered;
b) Allow the responsible entity or individual to limit the type of data processing;
c) Establish and maintain security measures;
d) Guarantee the deletion of the personal data;
e) Prevent individuals who do not have access privileges from accessing the personal data.”

Page 46

General Law on Protection of Personal Data in Possession of Regulated Entities and Individuals (LGPDPPSO)

Mechanism required by the law -> AWS

• Report changes in privacy policies or in the conditions of the service rendered -> https://aws.amazon.com/es/privacy/
• Allow the responsible entity or individual to limit the type of data processing -> Global Infrastructure, Shared Responsibility, Encryption, etc.
• Maintain security measures -> SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018
• Guarantee the deletion of the personal data -> (no AWS mechanism is listed on this slide)
• Prevent individuals without access privileges from accessing the personal data -> IAM; Server-Side Encryption (SSE) with keys managed by Amazon S3 (SSE-S3), SSE with keys managed by AWS KMS (SSE-KMS), or SSE with encryption keys provided by the client (SSE-C)
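The three server-side encryption options named here and under Data Protection on Page 17 (SSE-S3, SSE-KMS, SSE-C), as an added example that is not part of the deck and not AWS's own code: the request headers that select each mode on an S3 PutObject, and a bucket policy that refuses uploads that do not request encryption, which is the control that actually keeps personal data from landing in the bucket unencrypted. The bucket name, KMS key ARN and customer key are placeholders.

```python
"""Amazon S3 server-side encryption options named on the slide (SSE-S3,
SSE-KMS, SSE-C) as the request headers each one needs, plus a bucket
policy that refuses uploads that do not ask for encryption. Added
example, not from the deck and not AWS's own code; the bucket name, KMS
key ARN and customer key are placeholders.
"""
import base64
import hashlib

BUCKET = "example-personal-data-bucket"                      # placeholder
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
               "1234abcd-12ab-34cd-56ef-1234567890ab")        # placeholder


def sse_headers(mode, kms_key_arn=None, customer_key=None):
    """The x-amz-* request headers that select each SSE mode on PutObject."""
    if mode == "SSE-S3":
        # S3 generates, stores and rotates the key; nothing else to manage.
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        # Key lives in AWS KMS under your control: reading the object also
        # needs kms:Decrypt on this key, and every use is logged in CloudTrail.
        if not kms_key_arn:
            raise ValueError("SSE-KMS needs a KMS key ARN or alias")
        return {"x-amz-server-side-encryption": "aws:kms",
                "x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}
    if mode == "SSE-C":
        # You supply a 256-bit key on every PUT and GET; S3 uses it and
        # discards it, keeping only a salted HMAC to validate later requests.
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) key")
        return {"x-amz-server-side-encryption-customer-algorithm": "AES256",
                "x-amz-server-side-encryption-customer-key":
                    base64.b64encode(customer_key).decode(),
                "x-amz-server-side-encryption-customer-key-MD5":
                    base64.b64encode(hashlib.md5(customer_key).digest()).decode()}
    raise ValueError(f"unknown SSE mode {mode!r}")


def deny_unencrypted_uploads_policy(bucket, kms_key_arn=None):
    """Bucket policy denying PutObject unless server-side encryption is
    requested. With kms_key_arn set, SSE-KMS with that exact key is
    required (SSE-S3 uploads are then refused as well). Each requirement
    is its own Deny statement: the Null checks catch a request that omits
    the header, the StringNotEquals checks catch a wrong value."""
    checks = [("DenyUnencryptedUploads",
               {"Null": {"s3:x-amz-server-side-encryption": "true"}})]
    if kms_key_arn:
        checks += [
            ("DenyNonKmsEncryption",
             {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
            ("DenyMissingKmsKeyId",
             {"Null": {"s3:x-amz-server-side-encryption-aws-kms-key-id": "true"}}),
            ("DenyWrongKmsKey",
             {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}),
        ]
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": "Deny", "Principal": "*",
                           "Action": "s3:PutObject",
                           "Resource": f"arn:aws:s3:::{bucket}/*",
                           "Condition":cond} for sid, cond in checks]}


if __name__ == "__main__":
    import json
    import boto3  # only needed for the real calls below
    for mode, kw in [("SSE-S3", {}), ("SSE-KMS", {"kms_key_arn": KMS_KEY_ARN}),
                     ("SSE-C", {"customer_key": b"\x01" * 32})]:
        print(mode, sse_headers(mode, **kw))
    s3 = boto3.client("s3")
    s3.put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(
        deny_unencrypted_uploads_policy(BUCKET, KMS_KEY_ARN)))
    # boto3 parameter names for the same headers as sse_headers("SSE-KMS")
    s3.put_object(Bucket=BUCKET, Key="expediente.pdf",
                  Body=b"constructed sample content",
                  ServerSideEncryption="aws:kms", SSEKMSKeyId=KMS_KEY_ARN)
```

Two caveats a practitioner hits with this policy: SSE-C requests carry no `x-amz-server-side-encryption` header, so the policy above rejects them, and a bucket that must accept SSE-C needs a condition on `s3:x-amz-server-side-encryption-customer-algorithm` instead; and once SSE-KMS is mandated, every reader also needs `kms:Decrypt` on the key, which is what makes SSE-KMS the option that lets IAM and the key policy together decide who can read personal data, not just who can list the bucket.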

Page 47

General Law on Protection of Personal Data in Possession of Regulated Entities and Individuals (LGPDPPSO)

Page 48

Learn Security with AWS Training and Certification: resources created by the experts at AWS to help you build and validate cloud security skills

Visit the Learning Path at https://aws.training/Security

Take one of the classroom offerings, like Security Engineering on AWS, featuring AWS expert instructors and hands-on activities

30+ free digital courses cover cloud security topics, including Introduction to Amazon GuardDuty and Deep Dive on Container Security

Validate your expertise with the AWS Certified Security – Specialty exam

Page 49

Thank you!