Security & Compliance in the AWS Cloud

Post on 30-Mar-2018


TRANSCRIPT

  • www.cloudsec.com | #CLOUDSEC

    Security & Compliance in the AWS Cloud

    Vijay Rangarajan, Senior Cloud Architect, ASEAN, Amazon Web Services, @awscloud

  • Security & Compliance in the AWS Cloud

  • ENTERPRISE APPS

    DEVELOPMENT & OPERATIONS

    MOBILE SERVICES

    APP SERVICES

    ANALYTICS

    Data Warehousing

    Hadoop/Spark

    Streaming Data Collection

    Machine Learning

    Elastic Search

    Virtual Desktops

    Sharing & Collaboration

    Corporate Email

    Backup

    Queuing & Notifications

    Workflow

    Search

    Email

    Transcoding

    One-click App Deployment

    Identity

    Sync

    Single Integrated Console

    Push Notifications

    DevOps Resource Management

    Application Lifecycle Management

    Containers

    Triggers

    Resource Templates

    TECHNICAL & BUSINESS SUPPORT

    Account Management

    Support

    Professional Services

    Training & Certification

    Security & Pricing Reports

    Partner Ecosystem

    Solutions Architects

    MARKETPLACE

    Business Apps

    Business Intelligence

    Databases

    DevOps Tools

    Networking

    Security

    Storage

    Regions

    Availability Zones

    Points of Presence

    INFRASTRUCTURE

    CORE SERVICES

    Compute: VMs, Auto-scaling, & Load Balancing

    Storage: Object, Blocks, Archival, Import/Export

    Databases: Relational, NoSQL, Caching, Migration

    Networking: VPC, DX, DNS, CDN

    Access Control

    Identity Management

    Key Management & Storage

    Monitoring & Logs

    Assessment and reporting

    Resource & Usage Auditing

    SECURITY & COMPLIANCE

    Configuration Compliance

    Web application firewall

    HYBRID ARCHITECTURE

    Data Backups

    Integrated App Deployments

    Direct Connect

    Identity Federation

    Integrated Resource Management

    Integrated Networking

    API Gateway

    IoT

    Rules Engine

    Device Shadows

    Device SDKs

    Registry

    Device Gateway

    Streaming Data Analysis

    Business Intelligence

    Mobile Analytics

  • Job Zero

  • AWS Pace of Innovation

    Chart: new services and features released per year, 2009: 48, 2011: 82, 2013: 280, 2015: 722

    AWS has been continually expanding its services to support virtually any cloud workload and now has more than 70 services that range from compute, storage, networking, database, analytics, application services, deployment, management and mobile.

  • Our Culture

    Simple Security Controls

  • SHARED

  • exactly

    GxP, ISO 13485, AS9100, ISO/TS 16949

    AWS Foundation Services

    Compute Storage Database Networking

    AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

    AWS is responsible for the security OF the Cloud

  • AWS Foundation Services

    Compute, Storage, Database, Networking

    AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

    Client-side Data Encryption

    Server-side Data Encryption

    Network Traffic Protection

    Platform, Applications, Identity & Access Management

    Operating System, Network, & Firewall Configuration

    Customer applications & content

    Customers have their choice of security configurations IN the Cloud

    AWS is responsible for the security OF the Cloud

    decide how to implement

  • SECURITY IS VISIBILITY AND AUDITABILITY

  • How often do you map your network?

    RIGHT NOW?

  • You are making API calls...

    On a growing set of services around the world

    AWS CloudTrail is continuously recording API calls

    And delivering log files to you

    AWS CLOUDTRAIL

    Redshift, AWS CloudFormation, AWS Elastic Beanstalk

  • Continuous Change Recording

    Changing Resources

    History

    Stream

    Snapshot (ex. 2014-11-05)

    AWS Config

  • SECURITY IS CONTROL

  • (USERS, RESOURCES,CONTENT)

  • Control access and segregate duties everywhere

    With AWS Identity and Access Management you get to control who can do what in your AWS environment and from where

    Fine-grained control of your AWS cloud with two-factor authentication

    Integrate with your existing corporate directory using SAML 2.0 and single sign-on

    AWS account owner

    Network management

    Security management

    Server management

    Storage management
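    A defender-side check in the spirit of the two slides above (CloudTrail delivering API-call logs; IAM controlling who can do what and from where): it reads constructed CloudTrail records and flags privileged calls made without MFA, calls from outside an assumed approved network, and use of root credentials. This is added example code, not from the deck or from AWS; the sample records, the approved CIDR and the set of privileged event sources are assumptions.

```python
import ipaddress
import json
# Constructed sample CloudTrail records (not from the deck); field names follow
# the real CloudTrail record schema. Addresses use documentation ranges.
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventTime": "2018-03-30T08:01:12Z", "eventSource": "iam.amazonaws.com",
  "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
 {"eventTime": "2018-03-30T08:05:40Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"type": "IAMUser", "userName": "bob",
                   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
 {"eventTime": "2018-03-30T08:07:03Z", "eventSource": "s3.amazonaws.com",
  "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.22",
  "userIdentity": {"type": "Root"}}
]}
""")["Records"]
# Assumed policy (hypothetical): the corporate egress range, and the services
# whose API calls we treat as privileged enough to require MFA.
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
PRIVILEGED_SOURCES = {"iam.amazonaws.com", "kms.amazonaws.com"}

def mfa_used(record):
    # CloudTrail records MFA state as the string "true"/"false", not a boolean
    ctx = record.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("attributes", {}).get("mfaAuthenticated") == "true"

def from_approved_network(record):
    # AWS service principals log a DNS name here, not an IP; treat that as unapproved
    try:
        ip = ipaddress.ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        return False
    return any(ip in net for net in APPROVED_NETWORKS)

def findings(records):
    # One human-readable finding per policy violation, in record order
    out = []
    for r in records:
        ident = r["userIdentity"]
        tag = f"{r['eventTime']} {ident.get('userName', ident.get('type'))} {r['eventName']}"
        if ident.get("type") == "Root":
            out.append(f"{tag}: root credentials used")
        if r["eventSource"] in PRIVILEGED_SOURCES and not mfa_used(r):
            out.append(f"{tag}: privileged call without MFA")
        if not from_approved_network(r):
            out.append(f"{tag}: call from unapproved address {r['sourceIPAddress']}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_RECORDS)))
```

    In a real deployment the records would come from the CloudTrail log files delivered to S3, and the approved ranges and privileged services from your own policy.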

  • US-WEST (Oregon)

    EU-WEST (Ireland)

    ASIA PAC (Tokyo)

    US-WEST (N. California)

    SOUTH AMERICA (Sao Paulo)

    US-EAST (Virginia)

    AWS GovCloud (US)

    ASIA PAC (Sydney)

    ASIA PAC (Singapore)

    CHINA (Beijing)

    EU-CENTRAL (Frankfurt)

    you put it

    ASIA PAC (Korea)

    13 Regions, 35 Availability Zones, 59 Edge Locations

    ASIA PAC (Mumbai)

  • Create your own private, isolated section of the AWS cloud

    Availability Zone A

    Availability Zone B

    AWS Virtual Private Cloud: Provision a logically isolated section of the AWS cloud

    You choose a private IP range for your VPC

    Segment this into subnets to deploy your compute instances

    AWS network security: the AWS network will prevent spoofing and other common layer 2 attacks

    You cannot sniff anything but your own EC2 host network interface

    Control all external routing and connectivity

  • Connect resiliently and in private

    YOUR AWS ENVIRONMENT

    AWS Direct Connect

    YOUR PREMISES

    Digital Websites

    Big Data Analytics

    Dev and Test

    Enterprise Apps

    Internet VPN

  • AWS Key Management Service

    PCI DSS SP L1 Compliant

    Undergoing FIPS 140-2

    Encryption key management and compliance made easy

    Integrated with AWS Services (e.g. S3, EBS, RDS, Redshift, CloudTrail, EMR)

    Highly Available and durable

  • CloudHSM: dedicated access

    Only you have access to your keys and operations on the keys

    CloudHSM

    AWS administrator: Manages the appliance

    You: Control keys and crypto operations

  • AUDIT EVERYTHING

  • Auditors

  • Geographic data locality

    Control over regional replication

    Policies, resource level permissions, temporary credentials

    Fine-grained access control

    In-depth logging

    AWS CloudTrail and Config

    Fine-grained visibility and control for accounts, resources, data

    Visibility into resources and usage

    Service Describe* APIs and AWS CloudWatch

    Control over deployment

    AWS CloudFormation

    Governance

  • COMPLIANCE

  • ISO 9001

    SOC 3

    SOC 2

    ISO 27001

    ISO 27017

    PCI DSS Level 1

    ISO 27018

    SOC 1 / ISAE 3402

    GxP

    HIPAA

    ITAR

    FERPA

    FISMA, RMF, and DIACAP

    FedRAMP

    Section 508 / VPAT

    DoD SRG Levels 2 & 4

    FIPS 140-2

    CJIS

    Cloud Security Alliance

    MPAA

    NIST

    MLPS Level 3

    G-Cloud

    IT-Grundschutz

    MTCS Tier 3

    IRAP

    Cyber Essentials Plus

    More accreditations & certifications than anyone

  • evidence

  • You retain control and ownership of your content

    Choose your AWS region and adhere to data sovereignty laws

    Compliant with ISO 27001, ISO 27017, ISO 27018

    Encrypt your data using AWS Services or using your own

    Data Sovereignty & Privacy

  • Vibrant Partner Ecosystem

    Infrastructure Security

    Logging and Monitoring

    Identity and Access Control

    Configuration and Vulnerability Analysis

    Data Protection
