1 AWS Security CJ Moses Deputy Chief Information Security Officer Security is Job Zero!
2 Overview Security Resources Certifications Physical Security Network security Geo-diversity and Fault Tolerance GovCloud Region Summary
3 AWS Security Resources Security Whitepaper Risk and Compliance Whitepaper Latest Versions May 2011 Regularly Updated Feedback is welcome
4 AWS Certifications Shared Responsibility Model Sarbanes-Oxley (SOX) ISO Certification Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant SAS70 Type II (SOC1 coming soon) Audit FISMA A&As Multiple NIST Low Approvals to Operate (ATO) NIST Moderate GSA ATO FedRAMP DIACAP MAC III Sensitive IATO Customers have deployed various compliant applications such as HIPAA (healthcare) Achieving Government Standards and Mandates in the Cloud
5 Physical Security Amazon has been building large-scale data centers for many years Important attributes: Non-descript facilities Robust perimeter controls Strictly controlled physical access 2 or more levels of two-factor auth Controlled, need-based access for AWS employees (least privilege) All access is logged and reviewed
6 Amazon S3 Data Protection Data in Transit Supports Upload and Download data using secure HTTP (HTTPS) protocol Data Stored at Rest Supports Amazon S3 Server Side Encryption (SSE) and Client Encryption libraries Access Control for Stored Data Support for Access Control Lists (ACLs), Bucket Policies, and Identity and Access Management (IAM) policies
7 Amazon EC2 Instance Isolation Customer 1 Customer 2 Customer n Hypervisor Virtual Interfaces Customer 1 Security Groups Customer 2 Security Groups Customer n Security Groups Firewall Physical Interfaces
8 Network Security Considerations DDoS (Distributed Denial of Service): Standard mitigation techniques in effect MITM (Man in the Middle): All endpoints protected by SSL Fresh EC2 host keys generated at boot IP Spoofing: Prohibited at host OS level Unauthorized Port Scanning: Violation of AWS TOS Detected, stopped, and blocked Ineffective anyway since inbound ports blocked by default Packet Sniffing: Promiscuous mode is ineffective Protection at hypervisor level Configuration Management: Configuration changes are authorized, logged, tested, approved, and documented. Most updates are done in such a manner that they will not impact the customer. AWS will communicate with customers, either via , or through the AWS Service Health Dashboard (http://status.aws.amazon.com/) when there is a chance that their Service use may be affected.
9 Fault Separation and Geographic Diversity US East Region (N. VA) EU Region (IRE) Amazon CloudWatch Zone A Zone B Zone A Zone B US West Region (N. CA) Zone C APAC Region (Singapore) APAC Region (Tokyo) Zone A Zone B Zone C Zone A Zone B Zone A Zone B Note: Conceptual drawing only. The number of Zones may vary
10 Amazon VPC Architecture Customer s isolated AWS resources Subnets Internet NAT VPN Gateway Router Secure VPN Connection over the Internet Amazon Web Services Cloud Customer s Network
11 a new region AWS GovCloud (US)
12 Designed for US Government Customers AWS will screen customers prior to providing access to the AWS GovCloud (US). Customers must be: U.S. Persons; not subject to export restrictions; and comply with U.S. export control laws and regulations, including the International Traffic In Arms Regulations. FISMA Moderate Compliant Controls US Persons-Only access (Physical & Logical) Data Isolation (Service & IAM Controls) Network Isolation (VPC required, FIPS Compliant endpoints, AWS Direct Connect Optional) Machine Isolation (Dedicated instances optional)
13 Summary of AWS Deployment Models Commercial Cloud Amazon Virtual Private Cloud (VPC) Logical Server and Application Isolation Granular Information Access Policy Logical Network Isolation Physical server Isolation Government Only Physical Network and Facility Isolation ITAR Compliant (US Persons Only) Sample Workloads Public facing apps. Web sites, Dev test, FISMA low and Mod Data Center extension, TIC environment, , FISMA low and Mod. AWS GovCloud USP Compliant and Government Specific Aps. AWS GovCloud Session Amazon Confidential
14 AWS Cloud Security Model Overview Certifications & Accreditations Sarbanes-Oxley (SOX) compliance ISO Certification PCI DSS Level I Certification HIPAA compliant architecture SAS 70 Type II Audit FISMA Low and Moderate ATOs FedRAMP DIACAP MAC III Sensitive IATO Service Health Dashboard Shared Responsibility Model Customer/SI Partner/ISV controls guest OS-level security, including patching and maintenance Application level security, including password and role based access Host-based firewalls, including Intrusion Detection/Prevention Systems Encryption/Decryption of data. Hardware Security Modules Separation of Access Physical Security Multi-level, multi-factor controlled access environment Controlled, need-based access for AWS employees (least privilege) Management Plane Administrative Access Multi-factor, controlled, need-based access to administrative host All access logged, monitored, reviewed AWS Administrators DO NOT have access inside a customer s VMs, including applications and data VM Security Multi-factor access to Amazon Account Instance Isolation Customer-controlled per-vm firewall Neighboring instances prevented access Virtualized disk management layer ensure only account owners can access storage disks (EBS) Support for SSL end point encryption for API calls Network Security Instance-level hypervisor-enforced firewalls can be configured across instances via security groups; The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or CIDR)block). Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
Amazon Web Services: Overview of Security Processes May 2011 (Please consult http://aws.amazon.com/security for the latest version of this paper) 1 Amazon Web Services (AWS) delivers a scalable cloud computing
A COALFIRE WHITE PAPER Using s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance Implementing s Deep Security Platform in a Payment Card Environment April 2015 Page 1 Executive Summary...
AWS Security Best Practices Dob Todorov Yinal Ozkan November 2013 (Please consult http://aws.amazon.com/security for the latest version of this paper) Page 1 of 56 Table of Contents Abstract... 4 Overview...
Guide to Understanding FedRAMP Version 1.0 June 5, 2012 Executive Summary This document provides helpful hints and guidance to make it easier to understand FedRAMP s requirements. The primary purpose of
Guide to Understanding FedRAMP Version 1.0 June 4, 2012 Executive Summary This document provides helpful hints and guidance to make it easier to understand FedRAMP s requirements. The primary purpose of
Security Whitepaper: OCLC's Commitment to Secure Library Services Contents Executive Summary... 2 I. Information Security and Enterprise Risk Management... 4 A. OCLC's Corporate Policies... 5 B. Data Classification
s for PCI DSS Compliance A Trend Micro White Paper Addressing PCI DSS Requirements with Trend Micro Enterprise July 2010 I. PCI DSS AND TREND MICRO ENTERPRISE SECURITY Targeted threats, distributed environments,
CRM ARCHITECTURAL DESIGNS PAGE 1 Microsoft Dynamics CRM 2013 on Amazon Web Services Microsoft Dynamics CRM 2013 on Amazon Web Services Whitepaper PAGE 3 Abstract This whitepaper is intended for architects
Tenzing Security Services and Best Practices OVERVIEW Security is about managing risks and threats to your environment. The most basic security protection is achieved by pro-actively monitoring and intercepting
Standard: Version: 2.0 Date: June 2011 Author: PCI Data Security Standard (PCI DSS) Virtualization Special Interest Group PCI Security Standards Council Information Supplement: PCI DSS Virtualization Guidelines
ArcGIS Cloud Security Roadmap & Best Practices for Federal Agencies Michael E. Young Agenda Introduction ArcGIS Cloud Capabilities ArcGIS Online (SaaS) Security ArcGIS Cloud Providers ArcGIS IaaS Security
Virtualization Security Checklist This virtualization security checklist is intended for use with enterprise full virtualization environments (as opposed to paravirtualization, application or operating
w h i t e p a p e r : c l o u d s e c u r i t y Securing the Cloud for the Enterprise A Joint White Paper from Symantec and VMware White Paper: Cloud Security Securing the Cloud for the Enterprise Contents
vshield Manager 5.0.1 vshield App 5.0.1 vshield Edge 5.0.1 vshield Endpoint 5.0.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced
Update 1 ESXi 5.1 vcenter Server 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent
Top 10 SIEM Implementer s Checklist Operationalizing Information Security Compliments of AccelOps www.accelops.com Table of Contents Executive Summary....................................................................
RSA Authentication Agents Security Best Practices Guide Version 3 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA,
AWS Public Sector Jerusalem 19 Nov 2014 AWS Security & Compliance CJ Moses General Manager, Government Cloud Solu3ons Security Is Our No.1 Priority Comprehensive Security Capabilities to Support Virtually
ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential
Set Up the VM-Series Firewall in AWS Palo Alto Networks VM-Series Deployment Guide PAN-OS 6.1 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054
Dolphin 70e Black powered by Android Network and Security Guide Disclaimer Honeywell International Inc. ( HII ) reserves the right to make changes in specifications and other information contained in this
Security Overview Introduction ShowMyPC provides real-time communication services to organizations and a large number of corporations. These corporations use ShowMyPC services for diverse purposes ranging
Seeing Though the Clouds A PM Primer on Cloud Computing and Security NIH Project Management Community Meeting Mark L Silverman Are You Smarter Than a 5 Year Old? 1 Cloud First Policy Cloud First When evaluating
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 2.0 October 2010 Document Changes Date Version Description Pages October 2008 July 2009 October