SEC102 Security and Compliance in the AWS Cloud - AWS re:Invent 2012
1. © 2012 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified or distributed in whole or in part without the express consent of Amazon.com, Inc.
4. AWS Customer
5.
• AWS Responsibility:
• Customer Responsibility:
6. Parameter | Customer Responsibility | Provider Responsibility
1. Service availability X
2. Incident response X
3. Service elasticity and load tolerance X
4. Data lifecycle X
5. Technical compliance and vulnerability management X
6. Change management X
7. Isolation X
8. Log management and forensics X
7. Areas | Customer Responsibility | Provider Responsibility
Governance X
Compliance X
Trust X
Architecture X
Identity and Access Management X
Software Isolation X
Data Protection X
Availability X
Incident Response X X
8. Domain | Customer Responsibility | Provider Responsibility
Governance and Enterprise Risk Management X
Legal Issues: Contracts and E-Discovery X
Compliance and Audit X
Information Management and Data Security X
Portability and Interoperability X
Traditional Security, Business Continuity, and DR X X
Data Center Operations X
Incident Response, Notification, and Remediation X X
Application Security X
Encryption and Key Management X
Identity and Access Management X
Virtualization X
Security as a Service X
9. Certifications & Accreditations
• SOC 1 (previously SAS 70) Type II
• SOC 2 Type II Security Audit, supporting SOX compliance
• ISO 27001 Certification
• PCI DSS Level I Compliance
• FISMA Moderate ATO (currently pursuing FedRAMP)
• DIACAP MAC III-Sensitive
• Aligned to CSA’s control matrix
• MPAA compliant
• HIPAA compliant architecture
Physical Security
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)
Management Plane Administrative Access
• Multi-factor, controlled, need-based access to administrative host
• All access logged, monitored, reviewed
• AWS administrators DO NOT have logical access inside a customer’s VMs, including applications and data
VM Security
• Multi-factor access to Amazon account
• Instance isolation
  • Customer-controlled firewall at the hypervisor level
  • Neighboring instances prevented access
  • Virtualized disk management layer ensures only account owners can access storage disks
Network Security
• Instance firewalls can be configured in security groups. The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or classless inter-domain routing (CIDR) block)
• Virtual Private Cloud (VPC) provides IPSec VPN access from existing enterprise data center to a set of logically isolated AWS resources
• Support for SSL end point encryption for API calls
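The security-group model on this slide (ingress allowed by protocol, service port and source IP or CIDR block, default deny otherwise) is easy to get wrong when rules accumulate. The following is an added example, not code from the deck or from AWS: a small evaluator for such rules plus an audit that flags admin ports exposed to the whole Internet. `Rule`, `is_allowed`, `overly_open_rules`, `ADMIN_PORTS` and the sample rules are all assumptions made for this illustration.

```python
# Added example: models security-group ingress rules (protocol, port range,
# source IP/CIDR) as described on the slide, plus a defender-side audit.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    protocol: str        # "tcp", "udp" or "icmp"
    from_port: int       # first port of the allowed range (ignored for icmp)
    to_port: int         # last port of the allowed range
    source: str          # single IP ("203.0.113.7") or CIDR block ("10.0.0.0/8")

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        """True if this ingress rule permits the given packet."""
        if self.protocol != protocol:
            return False
        if protocol != "icmp" and not (self.from_port <= port <= self.to_port):
            return False
        # ip_network accepts a bare host address as well as a CIDR block;
        # strict=False tolerates host bits set inside the network part.
        network = ipaddress.ip_network(self.source, strict=False)
        return ipaddress.ip_address(src_ip) in network

def is_allowed(rules, protocol, port, src_ip):
    """Security groups are default-deny: any matching ingress rule allows."""
    return any(r.matches(protocol, port, src_ip) for r in rules)

ADMIN_PORTS = {22, 3389}   # SSH and RDP (assumed audit scope)

def overly_open_rules(rules):
    """Audit: TCP rules that expose an admin port to the entire Internet."""
    findings = []
    for r in rules:
        if r.protocol != "tcp":
            continue
        world = ipaddress.ip_network(r.source, strict=False).prefixlen == 0
        exposed = {p for p in ADMIN_PORTS if r.from_port <= p <= r.to_port}
        if world and exposed:
            findings.append((r, sorted(exposed)))
    return findings

# Constructed sample security group (illustrative documentation ranges).
SAMPLE_RULES = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),        # HTTPS from anywhere: fine
    Rule("tcp", 22, 22, "203.0.113.0/24"),     # SSH only from a corporate range
    Rule("tcp", 3389, 3389, "0.0.0.0/0"),      # RDP open to the world: finding
    Rule("icmp", -1, -1, "10.0.0.0/8"),        # ping from inside the VPC
]
```

Running `overly_open_rules(SAMPLE_RULES)` returns only the RDP rule; the same audit can be run over rules pulled from a real account once they are mapped onto `Rule`.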
10. Applications / Business Units (BU) | PCI DSS | SSAE 16 | SOC 2 | SOX | FFIEC | Federal Tax 7216 | GLBA | Non-US | HIPAA/HITECH
Business Unit (BU) #1, App 1 X X(4)
App 2 X X X X(5)
App 3 X X(1) X(1) X X(6) X(9)
App 4 X
App 5 X(2) X(2) X(8) X(8)
BU #2, App A X X X(7)
App B X X
App C X
BU #3 X
BU #4 X X X
Global BU X X
Shared Services X X(3) X(9)
CIO office, App 6 X X X(9)
BU #5 X X X X
11.
• PE – Physical and Environmental Protection
• PL – Planning
• PS – Personnel Security
• RA – Risk Assessment
• SA – System and Services Acquisition
• SC – System and Communications Protection
• SI – System and Information Integrity
• PM – Program Management
13.
• AWS account security roles
• Manage IAM users
• AWS credentials
• Initial OS-level access to EC2 instances
• Managing AWS groups
• Temporary credentials
• Identity federation & replication
• Data classification
• Security controls / access to data classes
• Data storage requirements and secure access
• Protecting data at rest
• Protecting data in flight
• Security zoning and segmentation
• Secure periphery systems: user repositories, DNS, NTP
• Threat protection layers
• Testing security
• Measurement and metrics
• DoS & DDoS mitigation and protection
• Manage security monitoring alerting, audit trail and incident response
18. We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance.