(SEC201) AWS Security Keynote Address | AWS re:Invent 2014
DESCRIPTION
Security must be at the forefront for any online business. At AWS, security is priority number one. Stephen Schmidt, vice president and chief information officer for AWS, shares his insights into cloud security and how AWS meets our customers' demanding security and compliance requirements, and in many cases helps them improve their security posture. Stephen, with his background with the FBI and his work with AWS customers in the government, space exploration, research, and financial services organizations, shares an industry perspective that's unique and invaluable for today's IT decision makers. At the conclusion of this session, Stephen also provides a brief summary of the other sessions available to you in the security track.
TRANSCRIPT
JOB ZERO
Job Zero
Network Security
Physical Security
Platform Security
People & Procedures
SHARED
constantly improving
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
AWS is responsible for the security OF the Cloud
GxP
ISO 13485
AS9100
ISO/TS 16949
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers:
Client-side Data Encryption
Server-side Data Encryption
Network Traffic Protection
Platform, Applications, Identity & Access Management
Operating System, Network, & Firewall Configuration
Customer applications & content
shared responsibility
Customers have their choice of security configurations IN the Cloud
AWS is responsible for the security OF the Cloud
FAMILIAR
familiar
– Agility
VISIBILITY
RIGHT NOW?
Visible
You are making API calls...
On a growing set of services around the world…
AWS CloudTrail is continuously recording API calls…
And delivering log files to you
AWS CLOUDTRAIL
Redshift
AWS CloudFormation
AWS Elastic Beanstalk
Use cases enabled by CloudTrail
CloudTrail Regional Availability
AUDITABILITY
Changing Resources
Continuous Change Recording
and notifies you
AWS Config
History
Stream
Snapshot (ex. 2014-11-05)
AWS Config
Integrated Support from Our Partner Ecosystem
CONTROL
First class security and compliance starts (but doesn’t end!) with encryption
Automatic encryption with managed keys
Bring your own keys
Dedicated hardware security modules
Encryption & Best Practices with AWS
Managed key encryption
Key storage with AWS CloudHSM
Customer-supplied key encryption
DIY on Amazon EC2
Create, store, & retrieve keys securely
Rotate keys regularly
Securely audit access to keys
Partner enablement of crypto
Nasdaq is a great example of security excellence in the cloud
Nasdaq Use Case Requirement
Replace on-premises data warehouse while keeping equivalent schemas and data
Only one year of capacity remaining
4-8 billion rows of new stock-trading information stored daily
Must cost less than existing system
Must satisfy multiple security and regulatory audits
Must perform similarly to legacy warehouse under concurrent query load
AWS’s ability to satisfy multiple security and regulatory audits was critical to Nasdaq’s migrating its data warehouse to AWS
Nasdaq Data Warehouse Implementation
Pull data from numerous sources, validate data, and securely load into Redshift
AWS CloudTrail to monitor and audit environment
Network isolation with Amazon VPC and AWS Direct Connect
Encryption in flight using TLS and Amazon Redshift JDBC connections
Encryption at rest with Amazon S3 (client-side, AES-256) with Amazon Redshift cluster encryption enabled and AWS CloudHSM
Nasdaq Security Best Practices
AWS CloudHSM integration was critical to Nasdaq adoption of AWS
Amazon Redshift and Encryption (diagram): 1MB data blocks, each under a Block key; Cluster key; Master key in AWS CloudHSM; Amazon S3
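The key hierarchy drawn on the slide, modelled end to end as an added example that is not AWS or Nasdaq code: 1 MB blocks each encrypted under their own block key, block keys wrapped by the cluster key, and the cluster key wrapped by a master key that stays in the HSM. The HMAC-based cipher is a standard-library stand-in for the AES-256 the real system uses, and the rotation method shows why "rotate keys regularly" is cheap in this design.

```python
"""Three-tier envelope key hierarchy as on the Redshift slide (added example, not AWS or Nasdaq
code). An HMAC-SHA256 keystream plus MAC stands in for AES-256 so it runs on the stdlib alone."""
import hashlib, hmac, os
BLOCK_SIZE = 1 << 20  # Redshift encrypts data in 1 MB blocks, each under its own block key

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    n = len(data)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range((n + 31) // 32))
    return (int.from_bytes(data, "big") ^ int.from_bytes(stream[:n], "big")).to_bytes(n, "big")

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under separately derived subkeys; returns nonce || ct || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)

class EncryptedStore:
    """Master key (in the HSM) wraps the cluster key; the cluster key wraps one block key per 1 MB block."""
    def __init__(self, master_key: bytes):
        self.cluster_key = os.urandom(32)
        self.wrapped_cluster_key = encrypt(master_key, self.cluster_key)  # only this leaves the HSM
        self.blocks = []  # list of (block key wrapped by cluster key, encrypted 1 MB block)

    def store(self, data: bytes) -> None:
        for off in range(0, len(data), BLOCK_SIZE):
            block_key = os.urandom(32)
            self.blocks.append((encrypt(self.cluster_key, block_key),
                                encrypt(block_key, data[off:off + BLOCK_SIZE])))

    def read(self, master_key: bytes) -> bytes:
        cluster_key = decrypt(master_key, self.wrapped_cluster_key)  # wrong master key -> ValueError
        return b"".join(decrypt(decrypt(cluster_key, wbk), ct) for wbk, ct in self.blocks)

    def rotate_cluster_key(self, master_key: bytes) -> None:
        """Regular rotation re-wraps the small block keys; the 1 MB blocks are never re-encrypted."""
        old, self.cluster_key = self.cluster_key, os.urandom(32)
        self.wrapped_cluster_key = encrypt(master_key, self.cluster_key)
        self.blocks = [(encrypt(self.cluster_key, decrypt(old, wbk)), ct) for wbk, ct in self.blocks]
```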
AGILITY
AWS
The practice of security at AWS is different, but the outcome is familiar:
So what does your security team look like?
Our Culture:
Everyone’s an owner
When the problem is “mine” rather than “hers” there’s a much higher likelihood I’ll do the right thing
Measure constantly, report regularly, and hold senior executives accountable for security – have them drive the right culture
Our Culture:
Measure measure measure
• 5 min metrics are too coarse
• 1 min metrics just barely OK
Our Culture:
Saying “no” is a failure
Our Culture:
Apply more effort to the “why” rather than the “how”
Why is what really matters
When something goes wrong, ask the “five whys”
Our Culture:
Decentralize — don’t be a bottleneck
It’s human nature to go around a bottleneck
Our Culture:
Produce services that others can consume
through hardened APIs
Our Culture:
Test, CONSTANTLY
• Inside/outside
• Privileged/unprivileged
• Black-box/white-box
• Vendor/self
Our Culture:
Proactive monitoring rules the day
• What’s “normal” in your environment?
• Depending on signatures == waiting to find out WHEN you’ve been had
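A reviewer for the log files CloudTrail delivers (the service described earlier), written to answer the "what is normal in your environment?" question above rather than to match signatures; an added example, not AWS code. The records, the per-principal service baseline and the trusted 10.20.0.0/24 range are constructed assumptions standing in for what a team learns from its own history.

```python
"""Review a CloudTrail log file against a baseline of "normal" (added example, not AWS code).
The records are constructed samples in CloudTrail's record layout; the baseline and trusted
network are assumptions standing in for what a team learns from its own history."""
import ipaddress, json
SAMPLE_LOG = json.dumps({"Records": [  # constructed: one ETL user, five calls in one morning
    {"eventTime": "2014-11-05T09:01:12Z", "eventSource": "redshift.amazonaws.com",
     "eventName": "DescribeClusters", "sourceIPAddress": "10.20.0.15",
     "userIdentity": {"type": "IAMUser", "userName": "etl-loader"}},
    {"eventTime": "2014-11-05T09:02:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.20.0.15",
     "userIdentity": {"type": "IAMUser", "userName": "etl-loader"}},
    {"eventTime": "2014-11-05T09:05:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "10.20.0.15",
     "userIdentity": {"type": "IAMUser", "userName": "etl-loader"}},
    {"eventTime": "2014-11-05T09:06:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "etl-loader"}},
    {"eventTime": "2014-11-05T09:07:58Z", "eventSource": "redshift.amazonaws.com",
     "eventName": "DescribeClusters", "sourceIPAddress": "10.20.0.16", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "etl-loader"}},
]})

# What "normal" looks like here: services each principal uses, and the VPC / Direct Connect range.
BASELINE = {"etl-loader": {"redshift.amazonaws.com", "s3.amazonaws.com"}}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def parse_records(raw: str) -> list:
    """CloudTrail delivers a JSON document whose top-level "Records" array holds one event each."""
    return json.loads(raw)["Records"]

def principal(rec: dict) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def review(records: list, baseline=BASELINE, trusted=TRUSTED_NETS) -> list:
    """Return (eventTime, reason) findings for every call that falls outside the baseline."""
    findings = []
    for rec in records:
        who, source, name = principal(rec), rec.get("eventSource", ""), rec.get("eventName", "?")
        if source not in baseline.get(who, set()):
            findings.append((rec["eventTime"], f"{who} first seen calling {source} ({name})"))
        try:  # calls made on your behalf by an AWS service carry a DNS name here, not an IP
            if not any(ipaddress.ip_address(rec["sourceIPAddress"]) in net for net in trusted):
                findings.append((rec["eventTime"], f"{who} called {name} from untrusted {rec['sourceIPAddress']}"))
        except (KeyError, ValueError):
            pass
        if rec.get("errorCode") == "AccessDenied":  # a denied call is a failed attempt; keep it visible
            findings.append((rec["eventTime"], f"{who} was denied on {name}"))
    return findings
```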
Our Culture:
Collect, digest, disseminate, & use intelligence
Our Culture:
Make your compliance team a part of your security operations
Our Culture:
Base decisions on facts, metrics, & detailed understanding of your environment and adversaries
Simple Security Controls
REDUCTION
ENCRYPTION
GRANULAR
SEPARATION
BETTER OFF IN AWS
Please give us your feedback on this session.
Complete session evaluations and earn re:Invent swag.
http://bit.ly/awsevals