As government agencies expand the use of cloud services, security continues to be a top priority for program managers, policymakers, and cloud service providers (CSPs). Governments and agencies worldwide are moving workloads with varying levels of sensitivity to the cloud. This session will feature agency-level security risk management practices and address common myths about security in the cloud. Participants will gain insight into how governments are leveraging cloud computing to improve their security posture and more quickly benefit from economies of scale. Mark Ryland, Chief Solutions Architect, Amazon Web Services, WWPS

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Mark Ryland
Chief Architect, Worldwide Public Sector Team
markry@amazon.com
April 28th, 2016
Demystifying Cloud Security:
Lessons from the Public Sector

2. Security is Job Zero at AWS
Network
Security
Physical
Security
Platform
Security
People &
Procedures

3. AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network, & Firewall Configuration
Customer applications & contentCustomers
Security & compliance is a shared responsibility
Customers have
their choice of
security
configurations IN
the Cloud
AWS is
responsible for
the security OF
the Cloud

4. Build everything on a constantly monitored and audited,
constantly improving security baseline
AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
AWS is
responsible for
the security OF
the Cloud
GxP
ISO 13485
AS9100
ISO/TS 16949

5. Simple Security Controls
Easy to Get Right
Easy to Audit
Easy to Enforce

6. This
To This

7. Our Security Culture
Make your security engineers part of
your product/service engineering teams
Make your compliance team part of your
engineering and security teams

8. Our Security Culture…
Collect, digest, disseminate
& use intelligence

9. Our Security Culture…
Proactive, predictive monitoring rules the day
• What’s “normal” in your environment?
• Depending on signatures == waiting to
find out WHEN you’ve been had

10. Our Security Culture…
Base decisions on facts, metrics, &
detailed understanding of your
environment and adversaries

11. Our Security Culture…
Test, CONSTANTLY
• Inside/outside
• Privileged/unprivileged
• Black-box/white-box
• Vendor/self

12. AWS: Cloud Leader and Visionary
Gartner Magic Quadrant for Cloud Infrastructure as a Service, Worldwide
Source: Gartner (May 2015)
Gartner “Magic Quadrant for Cloud Infrastructure as a Service, Worldwide,” Lydia Leong, Douglas
Toombs, Bob Gill, May 18, 2015. This Magic Quadrant graphic was published by Gartner, Inc. as part of
a larger research note and should be evaluated in the context of the entire report. The Gartner report is
available at http://aws.amazon.com/resources/analyst-reports/. Gartner does not endorse any vendor,
product or service depicted in its research publications, and does not advise technology users to select
only those vendors with the highest ratings or other designation. Gartner research publications consist of
the opinions of Gartner's research organization and should not be construed as statements of fact.
Gartner disclaims all warranties, expressed or implied, with respect to this research, including any
warranties of merchantability or fitness for a particular purpose.

13. Forrester Cloud Security Wave
Nov 2014

14. Cloud Security Alliance – AWS Keynote (Dec 2013)
“Seven Systemic Advantages of Cloud Security”
Seven reasons, plus one to grow on:
1. Security is the CSP’s highest priority; no compromises, ever
2. Integration of compliance and security
3. Economies of scale and separation of duties
4. Customers refocus on systems and applications
5. Visibility, homogeneity, and automation
6. Cloud platforms as “systems containers”
7. Cloud, big data, security: using the cloud to secure the cloud
8. With cloud speed of innovation and increasing scale, the story
will only get better – quickly!

15. USA CIO Tony Scott
“I see the big cloud providers in the same way I
see a bank,” he says. “They have the incentive,
they have skills and abilities, and they have the
motivation to do a much better job of security than
any one company or any one organization can
probably do. […] I think today the better bet is get
to the cloud as quick as you can because you're
guaranteed almost to have better security there
than you will in any private thing you can do.”
CIO Magazine: http://bit.ly/1LpX8Uy

16. Role of compliance
and 3rd party auditors
• Vendor claims alone are not
good enough!
• Testing, auditing and certification
by multiple teams of 3rd-party
pros provides needed proof
• Far more rigorous process than
any gov’t agency or corporation
could reasonably sustain

17. Five Security Myths About the AWS Cloud
1. Multi-tenancy is inherently risky
2. In the cloud, I lose visibility and control
3. Incident response is harder in the cloud
4. In the cloud I must choose between central governance
and control versus agility and mission ownership (aka
“shadow IT”)
5. Cloud is only appropriate for less sensitive data; more
sensitive data is safer on-premises

18. Multi-tenancy
• The AWS business fundamentally depends on complete
isolation of tenants
• Logical isolation, automation of controls, push-button
encryption of all data—these far outweigh value of
physical separation
• Separation of duties and data protection through
services like Key Management Service and CloudHSM
• Dedicated instances and dedicated hosts in EC2 for the
extra-cautious

19. Visibility and Control
• Easy/cheap to enable logging of APIs & data services
• CloudTrail, S3, ELB, CloudWatch/CloudWatch Logs, VPC Flow
Logs, CloudFront
• Rich 3rd party ecosystem
• AWS Config and Config Rules for configuration
management and state maintenance
• Powerful IAM system to enforce least privilege
• Limit even administrative access to core security data
with API-level MFA, Glacier policies, etc.

21. Incident Response
• Prepare in advance!
• With preparation, IR is easier and richer in AWS that in
on-prem environments (ask NASA JPL IG)
• Three presentations with lots of details:
SEC308: Wrangling Security Events in The Cloud (ReInvent 2015):
https://www.youtube.com/watch?v=uc1Q0XCcCv4
SEC216: Harden Your Architecture with Security Incident Response Simulations (same):
https://www.youtube.com/watch?v=u-mRU44Q5u4
NIST Forensics in the Cloud Conference, Sept 2015:
http://www.nist.gov/itl/cloud/cloud_comp_webcast_viii.cfm, click on Day 3, Part 6

22. Central Control Versus Agility
• Reframing: GRC and the AWS cloud
• Governance means being able to answer key questions
• What do I have? How is performing? Who can control/is
controlling it? What is it costing me? Is it in compliance? Is it
secure?
• Achieve both goals with a centralized governance
organization and decentralized development teams
• https://www.youtube.com/watch?v=YYiV_z9D2CE

23. Cloud Only Appropriate for Less Sensitive Data
• Reasonable to start with less sensitive data /
workloads on your cloud journey
• There is a learning curve, so lower your risks while
learning
• However, that is not the end state!

24. “From a physical and logical security standpoint, I
believe that, if done right, public cloud computing is
as or more secure than self-hosting.”
– Steve Randich, EVP and CIO, Financial Industry Regulatory Authority, USA
FINRA now deploying multiple Hadoop-based and Redshift-based
analytics apps core to their regulatory mission
• Multi-petabyte clusters growing by terabytes per day
• Core apps in full production since January 2015
• Half way thru 2 year plan to go “all in” to the AWS cloud
Improving security with the cloud

25. Improving security with the cloud
For more details, see Re:Invent 2013 presentations by NASA JPL cyber
security engineer Matt Derenski (http://awsps.com/videos/SEC205E-640px.mp4)
“Based on our experience, I believe that we can be even
more secure in the AWS cloud than in our own
datacenters.”
-Tom Soderstrom, CTO, NASA JPL

26. Rob Alexander / CIO of Capital One Bank
“And of course, security is critical for us.
The financial services industry attracts
some of the worst cyber criminals. So
we worked closely with the AWS team
to develop a security model which, we
believe, allows us to operate more
securely in the public cloud than we can
even in our own datacenters.”
re:Invent Keynote 2015 https://youtu.be/0E90-ExySb8

27. UK MoJ CTO David Rogers
“You should probably start engaging with
the idea that the cloud can be
considerably more secure than the private
cloud or your own data centre, and start
engaging with the risks that are building in
the spaces where you haven't moved to
the cloud yet.”
The Guardian: http://bit.ly/1HXS321
(emphasis added)

28. Former CIO of US VA & DoC Roger Baker in NextGov.com (Jan 2015):
“Why Commercial Cloud Are More Secure Than Federal Data Centers”
Six reasons:
• New and sometimes purpose-built equipment and software,
constantly updated
• System configurations are standardized and automatically
created to eliminate variances, and for maximum efficiency
• Security patches are automatically applied to all systems on a
timely basis
• Cloud environments are certified to multiple different national
and international security standards
• The private sector can hire high-level system engineering and
security talent more readily; and
• The company’s brand is at risk should security be
compromised, ensuring full alignment and motivation.
http://bit.ly/1tMrUSp

29. Analyst’s Perspective
CIOs and CISOs need to stop obsessing over
unsubstantiated cloud security worries, and instead
apply their imagination and energy to developing new
approaches to cloud control, allowing them to securely,
compliantly and reliably leverage the benefits of this
increasingly ubiquitous computing model.
Clouds Are Secure: Are You Using Them Securely?
Published: 22 September 2015
-- Jay Heiser

30. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!