SUMMIT Berlin

Posted on 21-Oct-2019

TRANSCRIPT

Page 1: S U M M I T - aws-de-marketing.s3-eu-central-1.amazonaws.com Marketing... · US West Paris (3) Oregon (3) Northern California (3) Sweden (3) Asia Pacific US East Singapore (3) N

SUMMIT Berlin

Page 2

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Cloud Security: Myths & Opportunities

Tim Rains, EMEA Regional Leader Security & Compliance, Worldwide Public Sector, Amazon Web Services

Session ID

Page 3

Agenda

Myth #1: Attacks are getting more advanced...

Myth #2: On-premises IT is more secure than the Cloud…

Myth #3: Data Residency Means Better Security…

Opportunity: Higher Levels of Security Assurance

Opportunity: Innovation

Page 4

Related breakouts

Enterprise Security - Javier Ribelles, AWS

How to Migrate a Highly Regulated Workload to AWS - Lucas Shaughnessy, Fraugster Ltd

Integrated AWS Identity and Access Management & Organizations - New Features - Marcus Fritsche, AWS

Page 5

Page 6

Examples of Advanced Malware

• Zeus/Zbot (2007): very successful information stealing Trojan

• Conficker (2008): novel payload distribution mechanism

• Stuxnet (2010): state-sponsored cyber-kinetic attack

• Flame (2012): cryptographic attack enabling forged certificate

• Duqu 2.0 (2014-2015): advanced persistence capabilities using multiple zero-day vulnerabilities

• Triton (2016-2017): attack framework to reprogram industrial control systems

Page 7

Historically Large Publicly Disclosed Data Breaches

Top 10 breaches

• 40% occurred in 2018

• 80% occurred in the last 2 years

Top 25 breaches

• Average 298,084,000 records

• Greater than population of every country except top 3

Page 8

Security Organizations Breached

• RSA Security

• Kaspersky Lab

• US National Security Agency (NSA)

• DigiNotar certificate authority

• Etc.

Page 9

Attacker Motivations

• Notoriety

• Profit

• Military espionage

• Economic espionage

• Hacktivism

• Foreign policy goals via information warfare, cultural manipulation, etc.

• Etc.

Page 10

Attacker Tactics for Initial Compromise

1. Unpatched vulnerabilities

2. Security misconfigurations

3. Weak, leaked, stolen passwords

4. Social engineering

5. Insider threat

Page 11

Least Privilege Access to Data

Security best practice:

• Start with a minimum set of permissions

• Grant additional permissions as necessary

Define only the required set of permissions:

• What actions a particular service supports

• What collection of API actions are required for the specific task

• What permissions are required to perform those actions
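The three questions on this slide, worked through for one concrete task: a reporting job that only lists and reads objects in a single S3 bucket. This is an added example, not code from the presentation or from AWS; the bucket name, the task's action list and the broad "starter" policy are constructed for illustration, and the checker only flags the two over-grants that are visible in policy text (wildcard actions and wildcard resources).

```python
# Constructed for this example (not from the slides): a broad policy that is quick
# to write, and the API actions one reporting job calls per resource (placeholder bucket).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
TASK_ACTIONS = {
    "arn:aws:s3:::example-reports-bucket": ["s3:ListBucket"],
    "arn:aws:s3:::example-reports-bucket/*": ["s3:GetObject"],
}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def build_least_privilege_policy(task_actions):
    """Turn 'required API actions per resource' into one Allow statement each."""
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in task_actions.items()
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def policy_findings(policy):
    """Flag Allow statements that grant more than any single task needs."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
    return findings


def granted_actions(policy):
    """Every (action, resource) pair the policy explicitly allows."""
    pairs = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            for a in _as_list(stmt.get("Action", [])):
                for r in _as_list(stmt.get("Resource", [])):
                    pairs.add((a, r))
    return pairs


if __name__ == "__main__":
    print("broad:", policy_findings(BROAD_POLICY))
    print("scoped:", policy_findings(build_least_privilege_policy(TASK_ACTIONS)))
```

The scoped policy is the "start minimal" baseline; when the job later needs a new API action, it is added to TASK_ACTIONS for the one resource that needs it rather than by widening an existing statement.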

Page 12

Confidentiality, Integrity, Availability of Data

Confidentiality

• Controlled, authorized access

• Preventing exposure, leakage, and theft

Integrity

• Trustworthy, coherent data

• Preventing corruption and unauthorized modification

Availability

• Reliable, timely access

• Preventing denial of service at the data layer

Page 13

Attacker Tactics for Initial Compromise

https://aws.amazon.com/blogs/publicsector/the-five-ways-organizations-initially-get-compromised-and-tools-to-protect-yourself/

Page 14

Page 15

Figure: Zoom in on an AWS Region (a sample Region made up of Availability Zones A, B and C) and zoom in on an AWS Availability Zone (a sample Availability Zone made up of multiple datacenters).

• Independent Geographic Areas, isolated from other Regions (security boundary)

• Customer chooses in which Region(s) to deploy services

• Regions are comprised of multiple Availability Zones (AZs), which enables the deployment of High-Availability Architecture

• AZs are Independent Failure Zones; Physically separated; On separate Low Risk Flood Plains

• Discrete Uninterruptible Power Supply (UPS); Onsite backup generation facilities

• Built for Continuous Availability

Page 16

AWS Global Infrastructure: Region & Number of Availability Zones

• US East: N. Virginia (6), Ohio (3)

• US West: Oregon (3), Northern California (3)

• AWS GovCloud: US-East (3), US-West (3)

• Canada: Central (2)

• South America: São Paulo (3)

• EU: Ireland (3), Frankfurt (3), London (3), Paris (3), Sweden (3)

• Asia Pacific: Singapore (3), Sydney (3), Tokyo (4), Seoul (2), Mumbai (2), Osaka-Local (1)

• China: Beijing (2), Ningxia (3)

• Announced Regions: Bahrain, Hong Kong SAR, Cape Town, Milan

60 Availability Zones within 20 geographic regions around the world, with announced plans for 12 more Availability Zones and four more AWS Regions

Page 17

AWS CloudFront & Route 53 Edge Infrastructure

Amazon CloudFront uses a global network of 160 Points of Presence (149 Edge Locations and 11 Regional Edge Caches) in 65 cities across 29 countries

Page 18

Myth #2: On-premises IT is more secure than the Cloud

On-premises:

• Big Perimeter

• End-to-End Ownership

• Build it all yourself

• Server-centric approach

• De-centralised Administration

• Focus on physical assets

• Multiple (manual) processes

On AWS:

• Micro-Perimeters

• Own just enough

• Focus on your core values

• Service-Centric approach

• Central control plane (API)

• Focus on protecting data

• Everything is automated

Page 19

Advantages of the API

• Authoritative - the interface to, and between, AWS services

• Auditable - always know what, and who, is doing what

• Secure - verified integrity, authenticated, no covert channels

• Fast - can be read and manipulated in sub-second time

• Precise - defines the state of all infrastructure and services

• Evolving - continuously improving

• Uniform - provides consistency across disparate components

• Automatable - enables some really cool capabilities

Page 20

Page 21

Attacker Tactics for Initial Compromise

1. Unpatched vulnerabilities

2. Security misconfigurations

3. Weak, leaked, stolen passwords

4. Social engineering

5. Insider threat

Physical location of data doesn’t mitigate any of these

Page 22

Data Residency Does Not Provide Better Security

1. Most threats are exploited remotely

2. Manual processes present risk of human error

Page 23

Why Unauthorized Risk is Lower in the Cloud

1. Encryption - Appropriately encrypting data can make it unreadable if compromised.

2. Tokenization – A sequence of data that represents sensitive information and is undecipherable without a tokenization system.

3. Data Decomposition – Reducing data sets into unrecognizable fragments that are stored in a distributed fashion so that any compromise would yield insignificant data.

4. Cyber Deception Defense – Deception solutions use highly sophisticated traps and decoys to present an attacker with the perception that they have infiltrated the system while in reality diverting them to a highly controlled environment.

Preventing unauthorized access requires practicing proper security hygiene and implementing robust preventive and detective capabilities.

Page 24

Page 25

Broad Accreditations & Certifications

Figure: accreditation and certification logos, including Glacier Vault Lock & SEC Rule 17a-4(f), SOC 1, SOC 2, SOC 3 and PSN.

Page 26

Security Assurance

On-premises:

• Start with bare concrete

• Periodic checks

• Workload-specific compliance checks

• Must keep pace and invest in security innovation

• Heterogeneous governance processes and tools

• Typically reactive

On AWS:

• Start on accredited services

• Continuous monitoring

• Compliance approach based on all workload scenarios

• Security innovation drives broad compliance

• Integrated governance processes and tools

• Focus on prevention

Page 27

Page 28

Innovation

• First standard public telephone kiosk, introduced by the UK Post Office, produced in concrete, in 1920 and designated K1 (Kiosk No.1)

• First red telephone box, constructed in cast iron, deployed in the UK in 1926, called K2 (Kiosk No.2)

• K3-K8 models introduced 1930-1968

• After privatisation in 1982, British Telecom began to replace most of the existing boxes with modern models

• BT was reported to have stopped making telephone boxes in January 2001

• Public telephone kiosks obsolete less than 100 years after introduction

Source: https://en.wikipedia.org/wiki/Red_telephone_box

Page 29

AWS Pace of Innovation

Page 30

COMES TO LONDON

Page 31

Serverless means…

• No servers to provision or manage

• Never pay for idle

• Availability and fault tolerance built in

• Scales with usage

Page 32

AI & ML

Figure: the AWS AI & ML stack, top to bottom:

• AI Services: Vision (Amazon Rekognition Image, Amazon Rekognition Video), Speech (Amazon Transcribe, Amazon Polly), Chatbots (Amazon Lex), Language (Amazon Comprehend, Amazon Translate)

• ML Services: Amazon SageMaker (Ground Truth, Notebooks, Algorithms + Marketplace, RL, Training, Optimization, Deployment, Hosting; several components marked NEW)

• ML Frameworks + Infrastructure: Frameworks, Interfaces, Infrastructure (P3, P3dn, C5, C5n, Elastic Inference, Inferentia, AWS Greengrass)

Page 33

“The future is already here — it's just not very evenly distributed.”

William Gibson

Author

Page 34

https://aws.amazon.com/blogs/publicsector/dont-discount-the-value-of-innovation/

Page 35

Thank you!


Tim [email protected]

Page 36