Elevate_your_security_with_the_cloud

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. H O N G K O N G Elevate your security with the cloud -- AWS Security & Compliance for Enterprises Michael Chen, Ph.D. Sr. Engagement Manager Professional Services, AWS 18OCT2019

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Cloud first, cloud by default, and cloud native Cited benefits • Cost saving/better way to manage cost • Agility, speed, continuous improvement • Elasticity, scalability • Improve resiliency • Technology capability • Operational efficiency • Security Government- published cloud policy United States (2011) Saudi Arabia (2019)

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Top concerns in cloud adoption Legacy systems Budget Skill/ Expertise Security Develop & maintain Types of workloads, how to decide Skill/expertise Authorization policy Time to authorization Addition of new services

4. Why is security traditionally so hard? Low degree of automationLack of visibility © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. A set of risk management challenges: Compliance, Organizational, Communication

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Automate with comprehensive, integrated security services Inherit global security and compliance controls Highest standards for privacy and data security Largest network of security partners and solutions Scale with superior visibility and control Elevate your security with the AWS Cloud

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Shared responsibility model Customer Security OF the Cloud AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud Security IN the Cloud Customer responsibility will be determined by the AWS Cloud services that a customer selects AWS

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Customers Responsibility for end-to-end security in their on-premises data centers Software Platform, applications, identity, and access management Operating system, network, and firewall configuration Customer data Traditional on-premises security model Client-side data Encryption & data integrity authentication Server-side data File system and/or data Network traffic Protection (encryption, integrity, identity) Hardware/AWS global infrastructure Compute Storage Database Networking Regions Availability Zones Edge locations

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Understanding the AWS shared responsibility model Customers Responsibility for security “in” the cloud Platform, applications, identity, and access management Operating system, network, and firewall configuration Customer data Client-side data Encryption & data integrity authentication Server-side data File system and/or data Network traffic Protection (encryption, integrity, identity) Software Hardware/AWS global infrastructure Compute Storage Database Networking Regions Availability Zones Edge locations AWS Responsibility for security “of” the cloud ProvableSecurity

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Understanding the AWS shared responsibility model Customers Responsibility for security “in” the cloud Platform, applications, identity, and access management Operating system, network, and firewall configuration Customer data Client-side data Encryption & data integrity authentication Server-side data File system and/or data Network traffic Protection (encryption, integrity, identity) Software Hardware/AWS global infrastructure Compute Storage Database Networking Regions Availability Zones Edge locations AWS Responsibility for security “of” the cloud ProvableSecurity “Could my AWS IAM policy allow unintended users access to my Amazon S3 bucket?” “How do we know that the AWS crypto primitives are correctly implemented?”

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Understanding the AWS shared responsibility model Customers Responsibility for security “in” the cloud Platform, applications, identity, and access management Operating system, network, and firewall configuration Customer data Client-side data Encryption & data integrity authentication Server-side data File system and/or data Network traffic Protection (encryption, integrity, identity) Software Hardware/AWS global infrastructure Compute Storage Database Networking Regions Availability Zones Edge locations AWS Responsibility for security “of” the cloud ProvableSecurity “Could my AWS IAM policy allow unintended users access to my Amazon S3 bucket?” “How do we know that the AWS crypto primitives are correctly implemented?” Provable security refers to a suite of AWS technology, powered by automated reasoning, that helps verify the correctness of critical security and compliance components in the cloud. 1. AWS re:Invent 2016: Automated Formal Reasoning About AWS Systems (SEC401): https://youtu.be/U40bWY6oVtU 2. AWS re:Invent 2018: The Theory and Math Behind Data Privacy and Security Assurance (SEC301): https://youtu.be/F3JmBhTQmyY

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. = ISO 11 12 13 14 15 16 PCI # Req Summary 99.52 ✓ ✓ 99.53 ✓ 99.54 ✓ ✓ ✓ 99.55 ✓ 99.56 ✓ ✓ ✓ ✓ SOC Control Criteria Test Result CTRL5 CC1; CC2 CTRL6 CC3; CC4 CTRL7 CC5; CC6; CC7; CC8; CC9 CTRL8 CC6; CC7 CTRL9 CC5; CC6; CC11 Customer Cloud Control Framework # Domain Objective Implementatio n 1 2 3 4 5 6 = Controls inherited from AWS Enterprise-wide controls Service-specific controls Workload-specific controls + Customer Controls in the AWS Cloud Applying the shared responsibility model to your Cloud Control Framework

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Environmental Perimeter Infrastructure Data Hardware At AWS, security is job zero The AWS global infrastructure is built on Amazon hardware and provides customers with the highest levels of reliability AWS protects the data layer by maintaining a separation of privilege for each layer and deploying threat detection devices and system protocols AWS monitors equipment and performs preventative maintenance to maintain continued operability Data center access is granted only to employees and third-parties with a valid business justification AWS data centers are secure by design Data center locations are selected to mitigate environmental risk and Availability Zones are independent and physically separated

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. The AWS global infrastructure is built for resiliency 22 Geographic Regions – 69 Availability Zones – 187 Points of Presence* *As of July 2019 • Regions are autonomous and isolated • Availability Zones are physically separated and independent • Points of presence securely deliver data, videos, and APIs globally with low latency To avoid single points of failure, AWS minimizes interconnectedness within our global infrastructure:

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS services are designed for security and compliance Security and compliance are built into our service development lifecycle Idea Design Security Risk Assessment Threat modeling Security design reviews Secure code reviews Security testingVulnerabilityPenetration testing ApprovalConfiguration management

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Customers rely on AWS’s compliance with global standards Certifications & Attestations Laws, Regulations and Privacy Alignments & Frameworks Cloud Computing Compliance Controls Catalogue (C5) 🇩🇪 CISPE 🇪🇺 CIS (Center for Internet Security) 🌐 Cyber Essentials Plus 🇬🇧 GDPR 🇪🇺 CJIS (US FBI) 🇺🇸 DoD SRG 🇺🇸 FERPA 🇺🇸 CSA (Cloud Security Alliance) 🌐 FedRAMP 🇺🇸 GLBA 🇺🇸 Esquema Nacional de Seguridad 🇪🇸 FIPS 🇺🇸 HIPAA 🇺🇸 EU-US Privacy Shield 🇪🇺 IRAP 🇦🇺 HITECH 🌐 FISC 🇯🇵 ISO 9001 🌐 IRS 1075 🇺🇸 FISMA 🇺🇸 ISO 27001 🌐 ITAR 🇺🇸 G-Cloud 🇬🇧 ISO 27017 🌐 My Number Act 🇯🇵 GxP (US FDA CFR 21 Part 11) 🇺🇸 ISO 27018 🌐 Data Protection Act – 1988 🇬🇧 ICREA 🌐 MLPS Level 3 🇨🇳 VPAT / Section 508 🇺🇸 IT Grundschutz 🇩🇪 MTCS 🇸🇬 Data Protection Directive 🇪🇺 MITA 3.0 (US Medicaid) 🇺🇸 PCI DSS Level 1 💳 Privacy Act [Australia] 🇦🇺 MPAA 🇺🇸 SEC Rule 17-a-4(f) 🇺🇸 Privacy Act [New Zealand] 🇳🇿 NIST 🇺🇸 SOC 1, SOC 2, SOC 3 🌐 PDPA - 2010 [Malaysia] 🇲🇾 Uptime Institute Tiers 🌐 PDPA - 2012 [Singapore] 🇸🇬 Cloud Security Principles 🇬🇧 PIPEDA [Canada] 🇨🇦 🌐 = industry or global standard Agencia Española de Protección de Datos 🇪🇸 26 AWS engages with global regulatory bodies on an ongoing basis

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. https://www.atlas.aws/ The AWS Artifact tool supports increased transparency And provide resources to help you learn more about our controls A portal that provides on-demand access to: Customers can use the reports to align AWS controls to their own control frameworks, and verify that AWS controls are operating effectively. • Information on AWS policies, processes, and controls • Documentation of controls relevant to specific AWS services • Validation that AWS controls are operating effectively The AWS Compliance Center provides research on cloud regulations The AWS Compliance Center provides a central location to research cloud regulations in specific countries and learn about AWS Compliance programs

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. APAC • Financial Services Regulations Guidelines in Singapore • Hong Kong Insurance Authority Guide to Financial Services Regulations and Guidelines • Hong Kong Monetary Authority Guide to Financial Services Regulations & Guidelines • AWS User Guide to Banking Regulations & Guidelines in India • AWS User Guide to Financial Services Regulations & Guidelines in Australia • The APRA CPG 234 Workbook(available in the console from AWS Artifact) • The MAS TRM Guidelines Workbook (available in the console from AWS Artifact) • The HKMA TM-G1 Workbook (available in the console from AWS Artifact) Workbooks and guidelines for national privacy considerations, government- issued compliance guidance, and best practices

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Design control objectives Repeat process throughout cloud journey to build a cloud control library Classify solution and identify applicable risks, requirements, and regulations Building a cloud control framework with AWS 3 4 5 62 Identify strategic objective(s) or solution(s) Conduct due diligence of AWS services Document and implement enterprise, service, and workload controls Verify control objectives are met and controls are operating effectively 1

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. • Data Protection • Identity and Access Management • Logging and Monitoring • Compliance Validation • Resilience • Infrastructure Security • Configuration and Vulnerability Analysis • Security Best Practices Assess AWS services and identify service-specific controls Documented Risk Position & Identified Security Configurations OUTPUT Directive: Cloud Service Policy Detective Controls Preventive Controls APPROVED SERVICE & SERVICE-SPECIFIC CCONTROLS Dedicated security chapters for over 40 AWS services The AWS documentation for over 40 services now contains dedicated security chapters with information about topics such as:

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Capability Things you know Things you do What a stakeholder executes to support the organization’s business strategy The knowledge used to execute the capability The processes used to execute the capability The AWS Cloud Adoption Framework (AWS CAF) Learn more about the CAF online: https://d0.awsstatic.com/whitepapers/aws_cloud_adoption_framework.pdf Core 5 Security Epics

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Use AWS security services to implement and automate controls Identity and Access Management Detective control Infrastructure security Incident response Data protection AWS Security Hub Centrally view and manage security alerts and automate compliance checks AWS Control Tower Automates the set up and governance of a secure, compliant multi-account AWS environment New services: AWS Identity & Access Management (IAM) AWS Single Sign-On AWS Directory Service Amazon Cognito AWS Organizations AWS Secrets Manager AWS Resource Access Manager AWS Security Hub Amazon GuardDuty AWS Config AWS CloudTrail Amazon CloudWatch VPC Flow Logs AWS Systems Manager AWS Shield AWS WAF – Web application firewall AWS Firewall Manager Amazon Inspector Amazon Virtual Private Cloud (VPC) AWS Key Management Service (KMS) AWS CloudHSM AWS Certificate Manager Amazon Macie Server-Side Encryption Amazon S3 Object Lock Amazon S3 Cross-Region Replication AWS Backup AWS Config Rules AWS Lambda AWS Personal Health Dashboard AWS Cross Service Integration

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. The fundamentals pattern of AWS cloud security Data encryption: AWS Key Management Service (AWS KMS) Network security controls: Amazon Virtual Private Cloud (Amazon VPC)

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Profiles are intended to convey the organization’s as-is and desired risk postures Tiers characterize an organization’s aptitude for managing cybersecurity risk The core represents a set of cybersecurity practices, outcomes, and technical, operational, and managerial security controls (referred to as informative references) that support the five risk management functions • The NIST CSF offers a simple, yet effective risk-based, outcome-focused framework consisting of three elements: core, tiers, and profiles. Core Tiers Profiles Identify Protect Detect Respond Recover Tier 4: Adaptive Tier 3: Repeatable Tier 2: Risk informed Tier 1: Partial Current Target These three elements enable organizations to prioritize and address cybersecurity risks consistent with their business and mission needs NIST Cybersecurity Framework (CSF)

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. How to use this resource • Executive level o Summary of AWS and customer responsibilities to align to each of the five functions in the CSF (identify, protect, detect, respond, and recover) o Third-party attestation • Technical level o Detailed mapping of AWS services and resources (beyond FedRAMP and ISO 27001) o Customer responsibilities o AWS responsibilities Aligning to the NIST CSF in the AWS Cloud

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. “I have come to realize that as a relatively small organization, we can be far more secure in the cloud and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested. We determined that security in AWS is superior to our on- premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.” • Looks for fraud, abuse, and insider trading over nearly 6 billion shares traded in U.S. equities markets every day • Processes approximately 6 terabytes of data and 37 billion records on an average day • Went from 3–4 weeks for server hardening to 3–4 minutes • DevOps teams focus on automation and tools to raise the compliance bar and simplify controls • Achieved incredible levels of assurance for consistencies of builds and patching via rebooting with automated deployment scripts —John Brady, CISO FINRA Financial industry regulatory authority

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. “Previously all our servers were configured and updated by hand or through limited automation, we didn’t take full advantage of a configuration management…All our new services are built as stateless docker containers, allowing us to deploy and scale them easily using Amazon’s ECS.” “AWS allowed us to scale our business to handle 6 million patients a month and elevate our security—all while maintaining HIPAA compliance-–as we migrated 100% to cloud in less than 12 months” • Migrated all-in on AWS in under 12 months, becoming a HIPAA compliant cloud-first organization • New York based startup leveraged infrastructure as code to securely scale to 6 million patients per month • Data liberation—use data to innovate and drive more solutions for patients, reducing patient wait times from 24 days to 24 hours • Maintain end to end visibility of patient data using AWS Online medical care scheduling —Brian Lozada, chief information security officer

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. “Amazon Web Services was the clear choice in terms of security and PCI DSS Level 1 compliance compared to an on- premises or co-location data center solution.” “Using AWS, we were able to design and launch a security-compliant solution in three months while reducing our capital expenses by 30 percent.” • Vodafone Italy is a prominent player in the Italian mobile phone market with over 30 million users. • With a rise in SIM transactions, the company wanted to find a way to make it easier for customers to top up using a credit or debit card— and since each SIM card contains valuable personal information, that solution needed to be not only flexible, but also secure. • With AWS Cloud, Vodafone Italy was able to users to purchase credits online with strong security and be compliant with the Payment Card Industry Data Security Standard (PCI DSS). • With the muscle of the AWS cloud behind it, Vodafone easily managed top-up requests through the new service as it grew to several thousand daily and spread to multiple online channels, including social media platforms. Mobile top-up service —Stefano Harak, online senior product manager

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security and Compliance Technology Partner ecosystem Data Protection and Encryption Governance, Risk, and Compliance Identity & Access Management Host and Endpoint Security Logging, Monitoring, Threat Detection, and Analytics Detective (Some Responsive) Preventative Compliance Archiving Application Security User External Network Network and Infra Security Vulnerability and Config Assessment

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security and Compliance Consulting Partners Security engineeringSecurity engineering Governance, Risk, and Compliance Security operations and automation

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Ready to start building? Work with your AWS account team to understand how AWS can help you build secure, compliant workloads in the cloud. Work with an APN Partner to integrate control monitoring with your existing on- premises solutions. Contact the Professional Services Security and Compliance team to schedule a workshop with AWS Compliance specialists. 2019 Amazon Web Services Inc. or its Affiliates. All rights reserved.

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Path to Production 1. Identify & Engage Stakeholders 2. Capability & Enablement 4. Security of the Cloud 3. Operational Model 5. Security in the Cloud 6. Regulations 7. Legal Agreements 8. Establish Security Controls (Prevent, Detect, Respond, Recover) 10. Regulator Approval or Notification 9. Internal & External Assessment

38. Thank you! © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. https://aws.amazon.com/security/ https://aws.amazon.com/compliance/ https://aws.amazon.com/products/security/ Michael Chen, cxiaowei@amazon.com

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Define, enforce, and audit user permissions across AWS services, actions, and resources Identity & access management AWS Identity and Access Management (IAM) Securely control access to AWS services and resources AWS Single Sign-On (SSO) Centrally manage SSO access to multiple AWS accounts & business apps AWS Directory Service Managed Microsoft Active Directory in the AWS Cloud Amazon Cognito Add user sign-up, sign-in, and access control to your web/ mobile apps AWS Organizations Policy-based management for multiple AWS accounts AWS Secrets Manager Easily rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle AWS Resource Access Manager Simple, secure service to share AWS resources

40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Gain the visibility you need to improve your security posture, reduce the risk profile of your environment, and spot issues before they impact the business Detective controls AWS Security Hub Centrally view & manage security alerts and automate compliance checks Amazon GuardDuty Intelligent threat detection and continuous monitoring to protect your AWS accounts and workloads AWS Config Record and evaluate configurations of your AWS resources to enable compliance auditing, resource change tracking, and security analysis AWS CloudTrail Track user activity and API usage to enable governance, compliance, and operational/risk auditing of your AWS account Amazon CloudWatch Complete visibility of your cloud resources and applications to collect metrics, monitor log files, set alarms, and automatically react to changes VPC Flow Logs Capture info about the IP traffic going to and from network interfaces in your VPC; flow log data is stored using Amazon CloudWatch Logs

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Reduce surface area to manage and increase privacy for and control of your overall infrastructure on AWS Infrastructure protection AWS Systems Manager Easily configure and manage Amazon EC2 and on-premises systems to apply OS patches, create secure system images, and configure secure operating systems AWS Shield Managed DDoS protection service that safeguards web applications running on AWS AWS WAF—Web application firewall Protects your web applications from common web exploits ensuring availability and security AWS Firewall Manager Centrally configure and manage AWS WAF rules across accounts and applications Amazon Inspector Automates security assessments to help improve the security and compliance of applications deployed on AWS Amazon Virtual Private Cloud (Amazon VPC) Provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. In addition to our automatic data encryption and management services, employ more features for data protection (including data management, data security, and encryption key storage) Data protection AWS Key Management Service (AWS KMS) Easily create and control the keys used to encrypt your data AWS CloudHSM Managed hardware security module (HSM) on the AWS Cloud AWS Certificate Manager Easily provision, manage, and deploy SSL/TLS certificates for use with AWS services Amazon Macie Machine learning-powered security service to discover, classify, and protect sensitive data Server-side encryption Flexible data encryption options using AWS service-managed keys, AWS-managed keys via AWS KMS, or customer-managed keys

43. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. During an incident, containing the event and returning to a known good state are important elements of a response plan; AWS provides these tools to automate aspects of this best practice Incident response AWS Config Rules Create rules that automatically take action in response to changes in your environment, such as isolating resources, enriching events with additional data, or restoring configuration to a known good state AWS Lambda Use our serverless compute service to run code without provisioning or managing servers so you can scale your programmed, automated response to incidents

Elevate_your_security_with_the_cloud

Esté a ler uma amostra.

Confira estes a seguir

Elevate_your_security_with_the_cloud

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Semelhante a Elevate_your_security_with_the_cloud (20)

Mais de Amazon Web Services (20)