Visibility, Auditability and Control in the Cloud

Security Management for Cloud Computing
[Figure: map of AWS Regions – US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GovCloud, EU-WEST (Ireland), EU-Central (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), South America (Sao Paulo), China (Beijing)]
European infrastructure:
• Regions:
  – Dublin (EU-West) – launched in 2007, 3 x Availability Zones
  – Frankfurt (EU-Central) – 2 x Availability Zones
• Edge Locations:
  – Amsterdam, The Netherlands (2), Dublin, Ireland, Frankfurt, Germany (3), London, England (3), Madrid, Spain, Marseille, France, Milan, Italy, Paris, France (2), Stockholm, Sweden, and Warsaw, Poland
• Direct Connect POPs:
  – Dublin, London, Frankfurt
[Figure: the AWS platform as a stack, top to bottom –
Your Applications;
Enterprise Applications: Workspaces (virtual desktop), Zocalo (document collaboration);
Deployment & Management: Management Console (web interface), CloudWatch (monitoring), Elastic Beanstalk / OpsWorks / CloudFormation / Data Pipeline (deployment & automation), IAM and Federation (identity & access), Mechanical Turk (human interaction), Libraries & SDKs, Billing;
Application Services: CloudFront (content delivery), SES, SNS, SQS, SWF, Elastic Transcoder, CloudSearch, EMR (distributed computing);
Foundation Services: Compute (EC2, ELB), Storage (S3, EBS, Glacier, Storage Gateway), Networking (VPC, Direct Connect, Route 53), Databases (RDS, DynamoDB, ElastiCache, Redshift);
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations]
Security cannot be a blocker of innovative business
[Chart: "Pace of Innovation: Security vs. All", 2008–2014 – bars per year for Security Features and for All Significant Features and Services, with the percentage of security features plotted on a secondary axis]
Shared responsibility model

AWS is responsible for the security OF the Cloud (managed by AWS):
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• AWS IAM (the service itself)

Customers are responsible for their security and compliance IN the Cloud (managed by customers):
• Customer content
• Platform & Applications Management
• Operating System, Network & Firewall Configuration
• Customer IAM (users, groups, roles and permissions)
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption / Integrity / Identity)

To the platform, customer content is optional, opaque data: 1's and 0's, in transit and at rest. Protection of data at rest (client-side or server-side encryption) and protection of data in transit (network traffic protection by the platform) are layered on top of the foundation services, and it is the customer who decides to enable them.
Identity Access Management (IAM)
With AWS IAM you get to control who can do what in your AWS environment and from where:
• Root in AWS is the same as Root in Windows/Linux: do not use the root credentials for day-to-day work, protect them with MFA, and work through IAM users and roles instead
• Password Policies
• IAM Credentials Reports
• Manage Access Keys (create, rotate, disable)
• Fine grained control of users, groups, roles, and permissions to resources
• Integrate with your existing corporate directory using SAML 2.0 and single sign-on

[Figure: an AWS account owner delegating separate network management, security management, server management and storage management responsibilities to distinct IAM principals]
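The "who can do what and from where" point above is easiest to see with the evaluation rules an IAM policy is subject to: a request is denied unless some statement allows it, an explicit Deny always wins, and Condition keys such as aws:SourceIp and aws:MultiFactorAuthPresent restrict where and how a call may be made. The following is an added illustration of those rules, not AWS's policy engine and not code from the slide deck; the policy, the corporate CIDR 203.0.113.0/24 and the bucket ARN are constructed, and only the condition operators used in the sample policy are implemented.

```python
"""Toy evaluator for IAM policy semantics: implicit deny, explicit Deny wins,
and Condition keys restricting source IP and MFA. Added example, not AWS code."""
import fnmatch
import ipaddress

# Constructed policy: read one bucket, but only from the (assumed) corporate
# network 203.0.113.0/24 and only with MFA. Two Deny statements enforce the latter.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {   # deny anything that does not originate from the corporate CIDR
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {   # deny anything done without MFA
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM wildcard match ('*' and '?'); actions are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _in_any_cidr(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in _as_list(cidrs))


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. Only the operators used in POLICY are implemented."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "IpAddress":
                ok = actual is not None and _in_any_cidr(actual, expected)
            elif operator == "NotIpAddress":
                # negated operators hold when the key is absent from the request
                ok = actual is None or not _in_any_cidr(actual, expected)
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == str(expected).lower()
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request; ctx carries the condition keys."""
    decision = "Deny"                                   # implicit deny
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_sensitive=False):
            continue
        if not _matches(stmt["Resource"], resource, case_sensitive=True):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                               # explicit deny ends evaluation
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    inside = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "true"}
    outside = {"aws:SourceIp": "198.51.100.5", "aws:MultiFactorAuthPresent": "true"}
    print(evaluate(POLICY, "s3:GetObject", obj, inside))    # Allow
    print(evaluate(POLICY, "s3:GetObject", obj, outside))   # Deny (wrong network)
    print(evaluate(POLICY, "s3:PutObject", obj, inside))    # Deny (never allowed)
```

The two Deny statements are the practical pattern for "from where": an Allow with an IpAddress condition would only restrict that one grant, whereas a blanket Deny with NotIpAddress cannot be widened by any other policy attached to the same principal.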
AWS Config

Fully managed service which provides:
• An inventory of your AWS resources
• Lets you audit the resource configuration history
• Notifies you of resource configuration changes

What it answers:
• Security Analysis: Am I safe?
  – Config allows you to continuously monitor and evaluate the configuration of workloads
• Audit Compliance: Where is the evidence?
  – Complete inventory of all resources and their configuration attributes at any point in time
• Change Management: What will this change affect?
  – All resource changes (create, update, delete) streamed to SNS
• Troubleshooting: What has changed?
  – Identify changes in resource-to-resource relationships
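The "Am I safe?" bullet is answered in practice by a rule that Config runs against each configuration item it records. The block below is an added example of such a rule's evaluation logic, not an AWS managed rule and not code from this deck: it takes the configuration item delivered for an EC2 security group and reports NON_COMPLIANT when SSH (tcp/22) is reachable from 0.0.0.0/0 or ::/0. The field names follow the EC2 security group description as Config records it and should be treated as an assumption; the sample events are constructed, and the PutEvaluations call a real rule would make is left out so the code runs offline.

```python
"""Evaluation logic for a custom AWS Config rule: flag security groups that expose
SSH (tcp/22) to the whole internet. Added example, not an AWS managed rule."""
import json

WORLD = {"0.0.0.0/0", "::/0"}


def _permission_exposes_port(perm, port):
    """True if one ingress rule covers `port` and allows it from anywhere."""
    proto = perm.get("ipProtocol")
    if proto == "tcp":
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if lo is None or hi is None or not lo <= port <= hi:
            return False
    elif proto != "-1":            # "-1" means all protocols and all ports
        return False
    v4 = {r.get("cidrIp") for r in perm.get("ipRanges", []) + perm.get("ipv4Ranges", [])}
    v6 = {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD)


def evaluate_security_group(config_item, port=22):
    cfg = config_item.get("configuration") or {}
    open_rules = [p for p in cfg.get("ipPermissions", []) if _permission_exposes_port(p, port)]
    if open_rules:
        return {"ComplianceType": "NON_COMPLIANT",
                "Annotation": f"ingress on port {port} is open to 0.0.0.0/0 or ::/0"}
    return {"ComplianceType": "COMPLIANT", "Annotation": f"port {port} is not world-reachable"}


def evaluate_rule(event):
    """Turn a Config rule invocation into the evaluation a rule would report
    through PutEvaluations (that API call is omitted to keep this offline)."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    base = {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "OrderingTimestamp": item["configurationItemCaptureTime"]}
    if (item["resourceType"] != "AWS::EC2::SecurityGroup"
            or item.get("configurationItemStatus") == "ResourceDeleted"):
        return {**base, "ComplianceType": "NOT_APPLICABLE", "Annotation": "not in scope"}
    return {**base, **evaluate_security_group(item)}


def _event(sg_id, permissions, status="OK"):
    """Build a constructed ConfigurationItemChangeNotification for a security group."""
    item = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": sg_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2015-06-01T12:00:00.000Z",
            "configuration": {"groupId": sg_id, "ipPermissions": permissions}}
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"})}


# Constructed samples: one group with SSH open to the world, one restricted to a /24
# (HTTPS open to the world is fine for this rule, which only looks at port 22).
OPEN_SSH_EVENT = _event("sg-0a1b2c3d", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}])
RESTRICTED_EVENT = _event("sg-0e5f6a7b", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": [{"cidrIp": "203.0.113.0/24"}], "ipv6Ranges": []},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}])

if __name__ == "__main__":
    for ev in (OPEN_SSH_EVENT, RESTRICTED_EVENT):
        print(evaluate_rule(ev))
```

Note the "-1" protocol and the port-range check: a rule that only looks for fromPort == 22 misses groups that open 0–65535 or all protocols, which is exactly the misconfiguration a continuous evaluation is meant to catch.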
AWS CloudTrail

You are making API calls on a growing set of services around the world (AWS CloudFormation, Redshift, AWS Elastic Beanstalk, …) – AWS CloudTrail is continuously recording those API calls and delivering log files to you.
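Delivered log files are only useful if something reads them, so here is an added example of detection logic over CloudTrail output; it is not AWS code and not part of the deck. CloudTrail delivers gzip-compressed JSON files whose top-level "Records" array holds one record per API call; the checks below flag root account activity, console logins without MFA, changes to CloudTrail itself, and IAM policy changes. The records are constructed (placeholder account id and IPs) but use the documented record fields (userIdentity, eventSource, eventName, sourceIPAddress, additionalEventData).

```python
"""Detection logic over CloudTrail log files: root use, console login without MFA,
CloudTrail tampering, IAM policy changes. Added example, not AWS code."""
import gzip
import json

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
IAM_POLICY_CHANGES = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                      "AttachUserPolicy", "AttachRolePolicy", "CreatePolicyVersion"}


def load_records(blob):
    """Accept the raw bytes of a delivered log file, gzip-compressed or not."""
    if blob[:2] == b"\x1f\x8b":            # gzip magic, as delivered to S3
        blob = gzip.decompress(blob)
    return json.loads(blob)["Records"]


def analyse(records):
    """Return (rule, context) findings; one record may trigger several rules."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        name, source = rec.get("eventName"), rec.get("eventSource")
        ctx = {"who": ident.get("arn") or ident.get("type", "unknown"),
               "ip": rec.get("sourceIPAddress"), "time": rec.get("eventTime"),
               "event": name}
        if ident.get("type") == "Root":
            findings.append(("root-activity", ctx))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console-login-without-mfa", ctx))
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("cloudtrail-tampering", ctx))
        if source == "iam.amazonaws.com" and name in IAM_POLICY_CHANGES:
            findings.append(("iam-policy-change", ctx))
    return findings


def _record(ident_type, arn, source, name, ip, extra=None):
    """Build one constructed CloudTrail record with the fields the checks rely on."""
    rec = {"eventVersion": "1.02", "eventTime": "2015-06-01T12:00:00Z",
           "userIdentity": {"type": ident_type, "arn": arn, "accountId": "123456789012"},
           "eventSource": source, "eventName": name, "awsRegion": "eu-west-1",
           "sourceIPAddress": ip, "userAgent": "console.amazonaws.com"}
    rec.update(extra or {})
    return rec


ACCT = "arn:aws:iam::123456789012"
# Constructed sample log file; the fourth record is benign and should not fire.
SAMPLE_LOG = {"Records": [
    _record("Root", f"{ACCT}:root", "signin.amazonaws.com", "ConsoleLogin", "198.51.100.23",
            {"additionalEventData": {"MFAUsed": "No"},
             "responseElements": {"ConsoleLogin": "Success"}}),
    _record("IAMUser", f"{ACCT}:user/alice", "iam.amazonaws.com", "PutUserPolicy", "203.0.113.10"),
    _record("IAMUser", f"{ACCT}:user/bob", "cloudtrail.amazonaws.com", "StopLogging", "203.0.113.11"),
    _record("IAMUser", f"{ACCT}:user/alice", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.10"),
]}
SAMPLE_FILE = gzip.compress(json.dumps(SAMPLE_LOG).encode())   # what lands in the bucket

if __name__ == "__main__":
    for rule, ctx in analyse(load_records(SAMPLE_FILE)):
        print(f"{rule}: {ctx['who']} {ctx['event']} from {ctx['ip']} at {ctx['time']}")
```

The StopLogging check matters because the first thing an attacker with sufficient rights does is switch the trail off; a real deployment would also deny that action to everyone except a break-glass role and alert on any attempt.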
Whitepaper (AWS KMS cryptographic details): https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
[Figure: compliance programmes and certifications, including Singapore MTCS]
Accreditation & Compliance: on-prem vs on AWS

On-prem                                                          | On AWS
Start with bare concrete                                         | Start on base of accredited services
Functionally optional (you can build a secure system without it) | Functionally necessary – high watermark of requirements
Audits done by an in-house team                                  | Audits done by third party experts
Accountable to yourself                                          | Accountable to everyone
Typically check once a year                                      | Continuous monitoring
Workload-specific compliance checks                              | Compliance approach based on all workload scenarios
Must keep pace and invest in security innovation                 | Security innovation drives broad compliance
[Figure: Built on AWS consistent baseline controls (facilities, physical security, compute / storage / network infrastructure, virtualization layer (EC2), hardened service endpoints, fine-grained IAM capability, on top of AWS Foundation Services and AWS Global Infrastructure) + AWS partner solutions = Your secure AWS solutions. Customers bring their own accreditation, certifications and external audits; customer scope and effort is reduced, with better results through focused efforts.]
These local and global AWS partners provide a wide range of solutions, from intrusion detection and data encryption to user management, delivered as SaaS or as EC2-based virtual appliances.
Case study: Cognia
Company: UK-based global communications platform for call centers to capture communications data
Challenge: must comply with PCI DSS so their customers can process payment card data on the platform
Results: PCI certified on AWS; also SOC 1 Type 2 audited, ISO 27001 certified
http://d36cz9buwru1tt.cloudfront.net/Cognia-Case-Study.pdf
Case study: Smatis
Company: France-based insurance and healthcare coverage company, responsible for secure use and storage of confidential customer information
Challenge: move critical IT to AWS and comply with the Solvency II Directive (EU insurance regulation)
Results: Moved to AWS, realized cloud benefits (financial, security, scalability, availability, resiliency) and remain fully compliant with Solvency II and other compliance requirements. They are moving their other environments onto AWS.
http://aws.amazon.com/solutions/case-studies/smatis/