AWS Security. Security is Job Zero! CJ Moses Deputy Chief Information Security Officer. AWS Gov Cloud Summit II



Similar documents
Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud

Cloud S ecurity Security Processes & Practices Jinesh Varia

319 MANAGED HOSTING TECHNICAL DETAILS

Famly ApS: Overview of Security Processes

Application Security Best Practices. Matt Tavis Principal Solutions Architect

KeyLock Solutions Security and Privacy Protection Practices

Live Guide System Architecture and Security TECHNICAL ARTICLE

Expand Your Infrastructure with the Elastic Cloud. Mark Ryland Chief Solutions Architect Jenn Steele Product Marketing Manager

Security Essentials & Best Practices

With Eversync s cloud data tiering, the customer can tier data protection as follows:

Using ArcGIS for Server in the Amazon Cloud

Building Energy Security Framework

PATCH MANAGER what does it do?

Amazon Web Services: Risk and Compliance January 2013

Anypoint Platform Cloud Security and Compliance. Whitepaper

Amazon Web Services: Overview of Security Processes May 2011

Amazon Web Services: Risk and Compliance July 2012

Security Practices, Architecture and Technologies

Amazon Web Services: Risk and Compliance January 2011

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.

Amazon Web Services: Risk and Compliance July 2015

Securing Amazon It s a Jungle Out There

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

CLOUD COMPUTING WITH AWS An INTRODUCTION. John Hildebrandt Solutions Architect ANZ

Cloud Security Overview

Run SAP for Savings and Speed in the Cloud Presentation for ASUG, September 28, 2011

The Education Fellowship Finance Centralisation IT Security Strategy

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Amazon Web Services: Overview of Security Processes March 2013

Agenda. - Introduction to Amazon s Cloud - How ArcGIS users adopt Amazon s Cloud - Why ArcGIS users adopt Amazon s Cloud - Examples

White Paper How Noah Mobile uses Microsoft Azure Core Services

Amazon Web Services: Overview of Security Processes June 2014

Using ArcGIS for Server in the Amazon Cloud

Apteligent White Paper. Security and Information Polices

Simple Storage Service (S3)

Chapter 11 Cloud Application Development

VMware vcloud Air Security TECHNICAL WHITE PAPER

How To Extend Security Policies To Public Clouds

THE BLUENOSE SECURITY FRAMEWORK

Pega as a Service. Kim Singletary, Dir. Product Marketing Cloud Matt Yanchyshyn, Sr. Mgr., AWS Solutions Architect

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

Cloud IaaS: Security Considerations

Automating Cloud Security Control and Compliance Enforcement for PCI DSS 3.0

Every Silver Lining Has a Vault in the Cloud

How To Create A Walkme.Com Walkthrus.Com Website And Help With Your Website Or App On A Pc Or Mac Or Ipad (For Pc) Or Mac (For Mac) Or Ipa (For Ipa) Or Pc

AWS Worldwide Public Sector

DoD-Compliant Implementations in the AWS Cloud

Overview and Deployment Guide. Sophos UTM on AWS

PCI DSS 3.0 Compliance

Amazon Web Services: Overview of Security Processes August 2015

twilio cloud communications SECURITY ARCHITECTURE

U.S. Securities and Exchange Commission s Office of Compliance Inspections and Examinations (OCIE)

White Paper. BD Assurity Linc Software Security. Overview

Level Agreements, and loss of availability due to security breach: Amazon EC2 and S3, Microsoft Windows Azure Compute and Storage.

SonicWALL PCI 1.1 Implementation Guide

Security Overview Enterprise-Class Secure Mobile File Sharing

A Decision Maker s Guide to Securing an IT Infrastructure

Security, Risk, and Compliance: Engine Yard

BMC s Security Strategy for ITSM in the SaaS Environment

Amazon Web Services: Overview of Security Processes August 2015

FISMA / NIST REVISION 3 COMPLIANCE

SoftLayer Fundamentals. Security / Firewalls. August, 2014

A Guide to Common Cloud Security Concerns. Why You Can Stop Worrying and Start Benefiting from SaaS

Cloud models and compliance requirements which is right for you?

Ensuring Enterprise Data Security with Secure Mobile File Sharing.

74% 96 Action Items. Compliance

Deploy Remote Desktop Gateway on the AWS Cloud

Security Whitepaper. NetTec NSI Philosophy. Best Practices

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

CIT 668: System Architecture

Running Oracle Applications on AWS

Opsview in the Cloud. Monitoring with Amazon Web Services. Opsview Technical Overview

Using AWS in the context of Australian Privacy Considerations October 2015

Microsoft Azure. Microsoft Azure Security, Privacy, & Compliance

Dooblo SurveyToGo: Security Overview

Druva Phoenix: Enterprise-Class. Data Security & Privacy in the Cloud

DLT Solutions and Amazon Web Services

CLOUD FRAMEWORK & SECURITY OVERVIEW

Enterprise Applications on AWS

Alfresco Enterprise on AWS: Reference Architecture

Clever Security Overview

Appendix C Pricing Index DIR Contract Number DIR-TSO-2724

Security Solution Architecture for VDI

Amazon Web Services Primer. William Strickland COP 6938 Fall 2012 University of Central Florida

Accellion Security FAQ

Helping people make better decisions DATA SECURITY POLICY. Kiilakiventie 1, Oulu, Finland tel:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

Amazon EC2 Product Details Page 1 of 5

Security Controls for the Autodesk 360 Managed Services

How To Protect Your Data From Harm

Transcription:

AWS Security CJ Moses Deputy Chief Information Security Officer Security is Job Zero!

Overview Security Resources Certifications Physical Security Network security Geo-diversity and Fault Tolerance GovCloud Region Summary

AWS Security Resources http://aws.amazon.com/security/ Security Whitepaper Risk and Compliance Whitepaper Latest Versions May 2011 Regularly Updated Feedback is welcome

AWS Certifications Shared Responsibility Model Sarbanes-Oxley (SOX) ISO 27001 Certification Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant SAS70 Type II (SOC1 coming soon) Audit FISMA A&As Multiple NIST Low Approvals to Operate (ATO) NIST Moderate GSA ATO FedRAMP DIACAP MAC III Sensitive IATO Customers have deployed various compliant applications such as HIPAA (healthcare) Achieving Government Standards and Mandates in the Cloud

Physical Security Amazon has been building large-scale data centers for many years Important attributes: Non-descript facilities Robust perimeter controls Strictly controlled physical access 2 or more levels of two-factor auth Controlled, need-based access for AWS employees (least privilege) All access is logged and reviewed

Amazon S3 Data Protection Data in Transit Supports Upload and Download data using secure HTTP (HTTPS) protocol Data Stored at Rest Supports Amazon S3 Server Side Encryption (SSE) and Client Encryption libraries Access Control for Stored Data Support for Access Control Lists (ACLs), Bucket Policies, and Identity and Access Management (IAM) policies

Amazon EC2 Instance Isolation Customer 1 Customer 2 Customer n Hypervisor Virtual Interfaces Customer 1 Security Groups Customer 2 Security Groups Customer n Security Groups Firewall Physical Interfaces

Network Security Considerations DDoS (Distributed Denial of Service): Standard mitigation techniques in effect MITM (Man in the Middle): All endpoints protected by SSL Fresh EC2 host keys generated at boot IP Spoofing: Prohibited at host OS level Unauthorized Port Scanning: Violation of AWS TOS Detected, stopped, and blocked Ineffective anyway since inbound ports blocked by default Packet Sniffing: Promiscuous mode is ineffective Protection at hypervisor level Configuration Management: Configuration changes are authorized, logged, tested, approved, and documented. Most updates are done in such a manner that they will not impact the customer. AWS will communicate with customers, either via email, or through the AWS Service Health Dashboard (http://status.aws.amazon.com/) when there is a chance that their Service use may be affected.

Fault Separation and Geographic Diversity US East Region (N. VA) EU Region (IRE) Amazon CloudWatch Zone A Zone B Zone A Zone B US West Region (N. CA) Zone C APAC Region (Singapore) APAC Region (Tokyo) Zone A Zone B Zone C Zone A Zone B Zone A Zone B Note: Conceptual drawing only. The number of Zones may vary

Amazon VPC Architecture Customer s isolated AWS resources Subnets Internet NAT VPN Gateway Router Secure VPN Connection over the Internet Amazon Web Services Cloud Customer s Network

a new region AWS GovCloud (US)

Designed for US Government Customers AWS will screen customers prior to providing access to the AWS GovCloud (US). Customers must be: U.S. Persons; not subject to export restrictions; and comply with U.S. export control laws and regulations, including the International Traffic In Arms Regulations. FISMA Moderate Compliant Controls US Persons-Only access (Physical & Logical) Data Isolation (Service & IAM Controls) Network Isolation (VPC required, FIPS 140-2 Compliant endpoints, AWS Direct Connect Optional) Machine Isolation (Dedicated instances optional)

Summary of AWS Deployment Models Commercial Cloud Amazon Virtual Private Cloud (VPC) Logical Server and Application Isolation Granular Information Access Policy Logical Network Isolation Physical server Isolation Government Only Physical Network and Facility Isolation ITAR Compliant (US Persons Only) Sample Workloads Public facing apps. Web sites, Dev test, FISMA low and Mod Data Center extension, TIC environment, email, FISMA low and Mod. AWS GovCloud USP Compliant and Government Specific Aps. AWS GovCloud Session Amazon Confidential

AWS Cloud Security Model Overview Certifications & Accreditations Sarbanes-Oxley (SOX) compliance ISO 27001 Certification PCI DSS Level I Certification HIPAA compliant architecture SAS 70 Type II Audit FISMA Low and Moderate ATOs FedRAMP DIACAP MAC III Sensitive IATO Service Health Dashboard Shared Responsibility Model Customer/SI Partner/ISV controls guest OS-level security, including patching and maintenance Application level security, including password and role based access Host-based firewalls, including Intrusion Detection/Prevention Systems Encryption/Decryption of data. Hardware Security Modules Separation of Access Physical Security Multi-level, multi-factor controlled access environment Controlled, need-based access for AWS employees (least privilege) Management Plane Administrative Access Multi-factor, controlled, need-based access to administrative host All access logged, monitored, reviewed AWS Administrators DO NOT have access inside a customer s VMs, including applications and data VM Security Multi-factor access to Amazon Account Instance Isolation Customer-controlled per-vm firewall Neighboring instances prevented access Virtualized disk management layer ensure only account owners can access storage disks (EBS) Support for SSL end point encryption for API calls Network Security Instance-level hypervisor-enforced firewalls can be configured across instances via security groups; The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or CIDR)block). Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources

Thank You! aws.amazon.com/security cmoses@amazon.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information