SUMMIT Berlin
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud Security: Myths & Opportunities
Tim Rains, EMEA Regional Leader Security & Compliance, Worldwide Public Sector, Amazon Web Services
Agenda
Myth #1: Attacks are getting more advanced...
Myth #2: On-premises IT is more secure than the Cloud…
Myth #3: Data Residency Means Better Security…
Opportunity: Higher Levels of Security Assurance
Opportunity: Innovation
Related breakouts
Enterprise Security – Javier Ribelles, AWS
How to Migrate a Highly Regulated Workload to AWS – Lucas Shaughnessy, Fraugster Ltd
Integrated AWS Identity and Access Management & Organizations - New Features – Marcus Fritsche, AWS
Examples of Advanced Malware
• Zeus/Zbot (2007): very successful information stealing Trojan
• Conficker (2008): novel payload distribution mechanism
• Stuxnet (2010): state-sponsored cyber-kinetic attack
• Flame (2012): cryptographic attack enabling a forged certificate
• Duqu 2.0 (2014-2015): advanced persistence capabilities using multiple zero-day vulnerabilities
• Triton (2016-2017): attack framework to reprogram industrial control systems
Historically Large Publicly Disclosed Data Breaches
Top 10 breaches
• 40% occurred in 2018
• 80% occurred in the last 2 years
Top 25 breaches
• Average 298,084,000 records
• Greater than population of every country except top 3
Security Organizations Breached
• RSA Security
• Kaspersky Lab
• US National Security Agency (NSA)
• DigiNotar certificate authority
• Etc.
Attacker Motivations
• Notoriety
• Profit
• Military espionage
• Economic espionage
• Hacktivism
• Foreign policy goals via information warfare, cultural manipulation, etc.
• Etc.
Attacker Tactics for Initial Compromise
1. Unpatched vulnerabilities
2. Security misconfigurations
3. Weak, leaked, stolen passwords
4. Social engineering
5. Insider threat
Least Privilege Access to Data
Security best practice:
• Start with a minimum set of permissions
• Grant additional permissions as necessary
Define only the required set of permissions:
• What actions a particular service supports
• What collection of API actions are required for the specific task
• What permissions are required to perform those actions
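The three questions above (which actions the service supports, which ones the task needs, which permissions grant them) can be turned into a policy and then checked. The following is an added example, not code from the talk or from AWS: a small IAM-style policy model in which a policy is built from exactly the API actions one task needs, requests are evaluated with IAM's default-deny rule and its `*`/`?` wildcards, and a broad policy such as `s3:*` is measured against the task's real needs. The task, the bucket ARN and the action catalog are constructed sample values.

```python
"""Building and checking a least-privilege policy.

Added example (not code from the talk or from AWS): a small IAM-style
policy model. Permissions are assembled from the exact API actions one
task needs, and requests are evaluated with IAM's default-deny rule and
``*`` / ``?`` wildcard patterns. The task, bucket ARN and action catalog
below are constructed sample values.
"""
import re

# Constructed: the API actions a "report upload" task actually needs.
UPLOAD_TASK_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:ListBucket"}
TASK_BUCKET_ARN = "arn:aws:s3:::example-reports-bucket"  # constructed
# Constructed subset of S3 actions, used to measure what a broad policy hands out.
S3_ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket",
    "s3:DeleteObject", "s3:DeleteBucket", "s3:PutBucketPolicy",
]


def build_least_privilege_policy(actions, resources):
    """Allow exactly the required actions on the named resources, nothing more."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": sorted(resources),
        }],
    }


def _pattern_to_regex(pattern, case_sensitive):
    """Turn an IAM-style pattern into a regex: '*' matches any run, '?' one char."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("^" + escaped + "$", flags)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Evaluate one request: default deny; an explicit Deny overrides any Allow.

    Action names are matched case-insensitively, resource ARNs case-sensitively.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_pattern_to_regex(p, False).match(action)
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(_pattern_to_regex(p, True).match(resource)
                           for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def excess_permissions(policy, required_actions, resource, catalog):
    """Catalog actions the policy allows on the resource that the task never needs."""
    return {a for a in catalog
            if a not in required_actions and is_allowed(policy, a, resource)}


if __name__ == "__main__":
    tight = build_least_privilege_policy(
        UPLOAD_TASK_ACTIONS, [TASK_BUCKET_ARN, TASK_BUCKET_ARN + "/*"])
    broad = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    for name, pol in (("least-privilege", tight), ("s3:* on *", broad)):
        print(name, "excess:", sorted(excess_permissions(
            pol, UPLOAD_TASK_ACTIONS, TASK_BUCKET_ARN, S3_ACTION_CATALOG)))
```

Run as a script it prints an empty excess set for the task-specific policy and the delete and bucket-policy actions for the `s3:*` policy; that difference is what "start with a minimum set of permissions" buys you.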
Confidentiality, Integrity, Availability of Data
Confidentiality
• Controlled, authorized access
• Preventing exposure, leakage, and theft
Integrity
• Trustworthy, coherent data
• Preventing corruption and unauthorized modification
Availability
• Reliable, timely access
• Preventing denial of service at the data layer
Attacker Tactics for Initial Compromise
https://aws.amazon.com/blogs/publicsector/the-five-ways-organizations-initially-get-compromised-and-tools-to-protect-yourself/
Zoom In: AWS Region / Zoom In: AWS AZ
[Diagram: a sample Region made up of Availability Zones A, B and C; a sample Availability Zone made up of multiple datacenters]
• Independent Geographic Areas, isolated from other Regions (security boundary)
• Customer chooses in which Region(s) to deploy services
• Regions are comprised of multiple Availability Zones (AZs), which enables the deployment of High-Availability Architecture
• AZs are Independent Failure Zones; Physically separated; On separate Low Risk Flood Plains
• Discrete Uninterruptible Power Supply (UPS); Onsite backup generation facilities
• Built for Continuous Availability
AWS Global Infrastructure: Region & Number of Availability Zones
AWS GovCloud: US-East (3), US-West (3)
US West: Oregon (3), Northern California (3)
US East: N. Virginia (6), Ohio (3)
Canada: Central (2)
South America: São Paulo (3)
EU: Ireland (3), Frankfurt (3), London (3), Paris (3), Sweden (3)
Asia Pacific: Singapore (3), Sydney (3), Tokyo (4), Seoul (2), Mumbai (2), Osaka-Local (1)
China: Beijing (2), Ningxia (3)
Announced Regions: Bahrain, Hong Kong SAR, Cape Town, Milan
60 Availability Zones within 20 geographic regions around the world, with announced plans for 12 more Availability Zones and four more AWS Regions
AWS CloudFront & Route 53 Edge Infrastructure
Amazon CloudFront uses a global network of 160 Points of Presence (149 Edge Locations and 11 Regional Edge Caches) in 65 cities across 29 countries
Myth #2: On-premises IT is more secure than the Cloud
On-premises                      On AWS
Big Perimeter                    Micro-Perimeters
End-to-End Ownership             Own just enough
Build it all yourself            Focus on your core values
Server-centric approach          Service-Centric approach
De-centralised Administration    Central control plane (API)
Focus on physical assets         Focus on protecting data
Multiple (manual) processes      Everything is automated
Advantages of the API
• Authoritative - the interface to, and between, AWS services
• Auditable – always know what, and who, is doing what
• Secure – verified integrity, authenticated, no covert channels
• Fast - can be read and manipulated in sub-second time
• Precise – defines the state of all infrastructure and services
• Evolving – continuously improving
• Uniform - provides consistency across disparate components
• Automatable - enables some really cool capabilities
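"Auditable – always know what, and who, is doing what" is only true if someone actually reads the control-plane audit records. The following is an added example, not code from the talk or from AWS: it takes a few constructed records in the shape of CloudTrail events (top-level fields eventTime, eventSource, eventName, sourceIPAddress and userIdentity), answers the "who did what" question per principal, and flags the calls that reduce visibility or widen access. The sample events and the WATCHLIST of API names are assumptions made for this example.

```python
"""Answering "who did what" from control-plane API audit records.

Added example (not code from the talk or from AWS). The records are
constructed in the shape of AWS CloudTrail events; the WATCHLIST is an
assumed list of API calls that weaken auditing or widen access.
"""
import json
from collections import defaultdict

# Constructed sample events; account id, ARNs, times and addresses are invented.
SAMPLE_EVENTS = [
    {"eventTime": "2019-02-26T09:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/report-uploader"}},
    {"eventTime": "2019-02-26T09:16:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/report-uploader"}},
    {"eventTime": "2019-02-26T09:17:05Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2019-02-26T09:20:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops/alice"}},
]

# Assumed watchlist: (eventSource, eventName) -> why a defender cares.
WATCHLIST = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "audit logging disabled",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "audit trail deleted",
    ("iam.amazonaws.com", "AttachUserPolicy"): "permissions widened",
    ("iam.amazonaws.com", "CreateAccessKey"): "new long-lived credential",
    ("kms.amazonaws.com", "ScheduleKeyDeletion"): "encryption key scheduled for deletion",
}


def parse_records(json_text):
    """Accept either a bare list of events or the {"Records": [...]} envelope."""
    data = json.loads(json_text)
    return data["Records"] if isinstance(data, dict) else data


def who_did_what(events):
    """Group calls by calling principal: {arn: [(time, service, action), ...]}."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(
            (e["eventTime"], e["eventSource"], e["eventName"]))
    return dict(by_principal)


def flag_events(events):
    """One finding per watchlisted call, plus one for any call made as root."""
    findings = []
    for e in events:
        arn = e["userIdentity"]["arn"]
        base = {"time": e["eventTime"], "who": arn,
                "what": e["eventName"], "from": e["sourceIPAddress"]}
        key = (e["eventSource"], e["eventName"])
        if key in WATCHLIST:
            findings.append(dict(base, why=WATCHLIST[key]))
        if e["userIdentity"].get("type") == "Root":
            findings.append(dict(base, why="root credentials used"))
    return findings


if __name__ == "__main__":
    events = parse_records(json.dumps({"Records": SAMPLE_EVENTS}))
    for arn, calls in who_did_what(events).items():
        print(arn, len(calls), "call(s)")
    for f in flag_events(events):
        print(f["time"], f["who"], f["what"], "from", f["from"], "->", f["why"])
```

The point of the watchlist is that the same API that makes the infrastructure auditable also records the calls an attacker would use to turn that auditing off; a detection on `StopLogging` or `DeleteTrail` is one of the first rules worth writing.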
Attacker Tactics for Initial Compromise
1. Unpatched vulnerabilities
2. Security misconfigurations
3. Weak, leaked, stolen passwords
4. Social engineering
5. Insider threat
Physical location of data doesn’t mitigate any of these
Data Residency Does Not Provide Better Security
1. Most threats are exploited remotely
2. Manual processes present risk of human error
Why Unauthorized Risk is Lower in the Cloud
1. Encryption - Appropriately encrypting data can make it unreadable if compromised.
2. Tokenization – A sequence of data that represents sensitive information and is undecipherable without a tokenization system.
3. Data Decomposition – Reducing data sets into unrecognizable fragments that are stored in a distributed fashion so that any compromise would yield insignificant data.
4. Cyber Deception Defense – Deception solutions use highly sophisticated traps and decoys to present an attacker with the perception that they have infiltrated the system while in reality diverting them to a highly controlled environment.
Preventing unauthorized access requires practicing proper security hygiene and implementing robust preventive and detective capabilities.
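Two of the controls listed above, tokenization and data decomposition, are easy to show in miniature. The following is an added example, not code from the talk or from AWS: a token vault that swaps a sensitive value for a random token that carries no information about the value (so a leaked, tokenized dataset is useless without the vault), and an XOR split that decomposes a record into n fragments, every one of which is needed before any of the original bytes can be recovered. The record and field values are constructed sample data.

```python
"""Tokenization and data decomposition in miniature.

Added example (not code from the talk or from AWS). The token vault and
the XOR split below stand in for the "Tokenization" and "Data
Decomposition" controls; all record contents are constructed.
"""
import secrets


class TokenVault:
    """Maps random tokens to the sensitive values they stand in for.

    Tokens are drawn from a CSPRNG, not derived from the value, so the
    token itself reveals nothing; only the vault can map it back.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Same value -> same token, so the tokenized data still joins correctly.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = "tok_" + secrets.token_hex(8)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        # Unknown tokens raise KeyError: there is nothing to fall back to.
        return self._token_to_value[token]


def tokenize_record(vault, record, sensitive_fields):
    """Return a copy of the record with only the sensitive fields replaced by tokens."""
    return {k: (vault.tokenize(v) if k in sensitive_fields else v)
            for k, v in record.items()}


def split_into_fragments(data, n):
    """XOR-split bytes into n fragments; any n-1 of them are uniformly random.

    n-1 fragments are random pads; the last is the data XORed with all of
    them, so reconstruction needs every fragment.
    """
    if n < 2:
        raise ValueError("need at least two fragments")
    pads = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = bytes(data)
    for pad in pads:
        last = bytes(a ^ b for a, b in zip(last, pad))
    return pads + [last]


def reassemble(fragments):
    """XOR every fragment together; only the complete set yields the data."""
    out = bytes(len(fragments[0]))
    for frag in fragments:
        out = bytes(a ^ b for a, b in zip(out, frag))
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; the card number is a well-known test value.
    order = {"order": 42, "card": "4111 1111 1111 1111", "email": "jane@example.com"}
    stored = tokenize_record(vault, order, {"card", "email"})
    print("what the application database holds:", stored)
    print("what the vault gives back:", vault.detokenize(stored["card"]))

    record = b"patient=Jane Doe;dob=1980-01-01;diagnosis=constructed"
    frags = split_into_fragments(record, 3)
    print("one fragment alone:", frags[0].hex())
    print("all three together:", reassemble(frags))
```

Tokenization and decomposition are complements rather than substitutes: the vault concentrates the risk into one well-guarded component, while the split spreads a record so that a single compromised store yields nothing readable.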
Broad Accreditations & Certifications
• Glacier Vault Lock & SEC Rule 17a-4(f)
• SOC 1
• SOC 2
• SOC 3
• PSN
Security Assurance
On-premises                                        On AWS
Start with bare concrete                           Start on accredited services
Periodic checks                                    Continuous monitoring
Workload-specific compliance checks                Compliance approach based on all workload scenarios
Must keep pace and invest in security innovation   Security innovation drives broad compliance
Heterogeneous governance processes and tools       Integrated governance processes and tools
Typically reactive                                 Focus on prevention
Innovation
• First standard public telephone kiosk introduced by UK Post Office, produced in concrete, in 1920 and was designated K1 (Kiosk No.1)
• First red telephone box, constructed in cast iron, deployed in the UK in 1926, called K2 (Kiosk No.2)
• K3-K8 models introduced 1930-1968
• After privatisation in 1982, British Telecom began to replace most of the existing boxes with modern models
• BT was reported to have stopped making telephone boxes in January 2001
• Public telephone kiosks obsolete less than 100 years after introduction
Source: https://en.wikipedia.org/wiki/Red_telephone_box
AWS Pace of Innovation
Serverless means…
• No servers to provision or manage
• Never pay for idle
• Availability and fault tolerance built in
• Scales with usage
AI & ML
[Diagram: the AWS AI & ML stack, several items marked as new]
AI Services: Vision – Amazon Rekognition Image, Amazon Rekognition Video; Speech – Amazon Polly, Amazon Transcribe; Chatbots – Amazon Lex; Languages – Amazon Comprehend, Amazon Translate
ML Services: Amazon SageMaker – Ground Truth, Notebooks, Algorithms + Marketplace, RL, Training, Optimization, Deployment, Hosting
ML Frameworks + Infrastructure: Frameworks, Interfaces, Infrastructure – P3, P3dn, C5, C5n, Elastic Inference, Inferentia, AWS Greengrass
“The future is already here — it's just not very evenly distributed.”
William Gibson
Author
https://aws.amazon.com/blogs/publicsector/dont-discount-the-value-of-innovation/
Thank you!