
Initiate Edinburgh 2019 - Governance & Compliance in your VPC


Cloud computing on AWS provides central IT organisations with the ability to control their applications, data and security. This session will detail the processes and controls that CIO organisations can put in place to maintain control while helping their customers to realise the many benefits of cloud computing.



  1. Security From A-Z: Governance & Compliance in your VPC. Stephen McDermid, Sr. Solution Architect - Security & Compliance. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. At AWS, cloud security is job zero. All AWS customers benefit from a data center and network architecture built from the ground up to satisfy the requirements of the most security-sensitive organizations. Designed for Security; Constantly Monitored; Highly Available; Constantly Accredited; Highly Automated. See https://aws.amazon.com/security/ and https://aws.amazon.com/compliance
  3. AWS Global Infrastructure: 21 Regions, 66 Availability Zones, 180 Points of Presence. Regions and number of Availability Zones:
     • US East: N. Virginia (6), Ohio (3)
     • US West: Oregon (3), Northern California (3)
     • AWS GovCloud (3) 2X
     • Canada: Central (2)
     • EU: Ireland (3), Frankfurt (3), London (3), Paris (3), Stockholm (3)
     • Asia Pacific: Singapore (3), Sydney (3), Tokyo (4), Seoul (2), Mumbai (2), Osaka-Local (1)
     • South America: São Paulo (3)
     • China: Beijing (2), Ningxia (3)
     • Announced Regions: Bahrain, Hong Kong SAR, Cape Town, Milan
  4. PoPs in Europe / Middle East / Africa
     • Europe (Ireland) Region: 3 AZs, launched 2007
     • Europe (Frankfurt) Region: 3 AZs, launched 2014
     • Europe (London) Region: 3 AZs, launched 2016
     • Europe (Paris) Region: 3 AZs, launched 2017
     • Europe (Stockholm) Region: 3 AZs, launched 2018
     • AWS Edge Network locations: Amsterdam, The Netherlands (2); Berlin, Germany (2); Cape Town, South Africa; Copenhagen, Denmark; Dubai, United Arab Emirates; Dublin, Ireland; Frankfurt, Germany (8); Fujairah, United Arab Emirates; Helsinki, Finland; Johannesburg, South Africa; London, England (9); Madrid, Spain (2); Manchester, England; Marseille, France; Milan, Italy; Munich, Germany (2); Oslo, Norway; Palermo, Italy; Paris, France (4); Prague, Czech Republic; Stockholm, Sweden (3); Vienna, Austria; Warsaw, Poland; Zurich, Switzerland
     • Regional Edge Caches: Frankfurt, Germany; London, England
     • Direct Connect locations: https://aws.amazon.com/directconnect/features/
  5. Zoom In: AWS Region / AWS AZ. [Diagram: a sample Region with Availability Zones A, B and C; a sample Availability Zone made up of several data centers]
     • Independent Geographic Areas, isolated from other Regions (security boundary)
     • Customer chooses in which Region(s) to deploy services
     • Regions are comprised of multiple Availability Zones (AZs), which enables the deployment of High-Availability Architecture
     • AZs are Independent Failure Zones; Physically separated; On separate Low Risk Flood Plains
     • Discrete Uninterruptible Power Supply (UPS); Onsite backup generation facilities
     • DCs in AZ less than ¼ ms apart
     • Each AZ is 1 or more DC
     • No data center is in two AZs
     • Some AZs have as many as 6 DCs
  6. Example AWS Region. [Diagram: five AZs meshed with two Transit centers]
     • Mesh of Availability Zones (AZ) and Transit Centers
     • Redundant paths to transit centers
     • Transit centers connect to: private links to other AWS regions; private links to customers; Internet through peering & paid transit
     • Metro-area DWDM links between AZs
     • 82,864 fiber strands in region
     • AZs <2ms apart & usually <1ms
     • 25Tbps peak inter-AZ traffic
  7. Amazon Global Network
     • Redundant 100GbE network
     • Redundant private capacity between all Regions except China
  8. Direct Connect Gateway
     • Customers reach every AWS region from the local Direct Connect location
  9. Why have a backbone network?
     • Security: traffic traverses our infrastructure rather than the internet
     • Availability: controlling scaling and redundancy; traffic operates over Amazon-controlled infrastructure
     • Reliable performance: controlling specific paths customer traffic traverses; connecting closer to customers; avoiding internet "hot spots" or sub-optimal external connectivity
     All commercial Region-to-Region traffic traverses the backbone except China.
  10. [Chart: Pace of innovation | Launches, series: 24, 48, 61, 82, 159, 280, 516, 722, 1017, 1430, 1,957]
  11. Adopting AWS you can concentrate on securing your own application, using automation and many built-in security tools designed to meet the most stringent regulations and requirements.
     • Provided by AWS: Facilities; Physical security; Compute infrastructure; Storage infrastructure; Network infrastructure; Virtualization layer (EC2); Hardened service endpoints; Rich IAM capabilities; Extensive set of security services; Extensive assurance program
     • Owned by the customer: Network configuration; Security groups; OS / Network firewalls; Operating systems security; Application security; Proper service configuration; AuthN and account management; Authorization policies; Data Security; Operational Security
     • AWS + customer + Automation = More secure and compliant systems
  12. More secure in the cloud. AWS customers tell us that the workloads they have running in AWS are more secure than the workloads they are running on premises. "I have come to realize that as a relatively small organization, we can be far more secure in the cloud and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested. We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance." - John Brady, CISO, FINRA. What key AWS features are these customers using to achieve this?
  13. Common Security Enablers: Visibility & Knowledge; Automation / Repeatable Processes; Cross-team / cross-process synchronisation; Fast Implementation / Reaction Time
  14. Advantages to the API
     • Authoritative - the interface to, and between, AWS services
     • Auditable - always know what, and who, is doing what
     • Secure - verified integrity, authenticated, no covert channels
     • Fast - can be read and manipulated in sub-second time
     • Precise - defines the state of all infrastructure and services
     • Evolving - continuously improving
     • Uniform - provides consistency across disparate components
     • Automatable - enables some really cool capabilities
  15. Move to AWS: strengthen your security posture. Automate with deeply integrated security services; Inherit global security and compliance controls; Highest standards for privacy and data security; Largest network of security partners and solutions; Scale with superior visibility and control
  16. Some of the AWS security enablers…
     • The status (knowledge), and control (automation), of the ENTIRE infrastructure one click of a mouse, or API call, away
     • Security policies for the whole system (in code, not paper) constantly and automatically evaluated (visibility, synchronization, time)
     • Consistent tooling and processes, and built-in solutions, for the whole environment using a common interface
     • Detection and/or reaction time reduced to seconds
     • Ubiquitous encryption, in transit, at rest, AWS-managed, customer-managed, and with customer-imported keys
  17. Providing things such as…
     • Immutable systems and/or self-healing infrastructures (that automatically protect from attacks)
     • Focus on security applications and business assets (instead of managing the infrastructure necessary to manage security)
     • Improved security whilst reducing complexity in a standardised manner
     • Comply with new regulations easily and with low cost
     • Laser-focused, incremental changes or improvements without impacting other controls/workloads
  18. And also…
     • Dedicated, programmable hardware (FPGAs) and GPUs for HPC and/or security applications
     • Edge computing, for either: connected devices controlled by the customers; local (customer premises) workloads in remote or offline locations; AWS Edge locations
     • ML, AI, IoT, Serverless computing
     https://aws.amazon.com/stateandlocal/justice-and-public-safety/ https://aws.amazon.com/smart-cities/
  19. The security paradigm shifted (On-premises → On AWS)
     • Big Perimeter → Micro-Perimeters
     • End-to-End Ownership → Own just enough
     • Build it all yourself → Focus on your core values
     • Server-centric approach → Service-centric approach
     • De-centralised Administration → Central control plane (API)
     • Focus on physical assets → Focus on protecting data
     • Multiple (manual) processes → Everything is automated
  20. Security Assurance - Comparison (On-premises → On AWS)
     • Start with bare concrete → Start on accredited services
     • Periodic checks → Continuous monitoring
     • Workload-specific compliance → Ubiquitous compliance
     • Must keep pace and invest in security innovation → Integrated security innovation drives broad compliance
     • Heterogeneous governance processes and tools → Integrated governance processes and tools
     • Typically reactive → Focus on prevention
  21. "CIOs and CISOs need to stop obsessing over unsubstantiated cloud security worries, and instead apply their imagination and energy to developing new approaches to cloud control, allowing them to securely, compliantly, and reliably leverage the benefits of this increasingly ubiquitous computing model." Source: Clouds Are Secure: Are You Using Them Securely?
  22. The shared responsibility model. Customer: responsible for security "in" the cloud. AWS: responsible for security "of" the cloud (software; hardware / AWS global infrastructure).
  23. Security OF the Cloud
  24. Global Certifications (among the logos shown: Glacier Vault Lock & SEC Rule 17a-4(f), SOC 1, SOC 2, SOC 3, PSN)
  25. Self-service Compliance Reports - AWS Artifact (e-NDA)
  26. How do we do it? 100+ services; thousands of controls, artefacts and audit requirements; set on the highest bar, standardisation and automation.
  27. Data Security & Privacy
  28. Overview
     • Customer chooses where to place data
     • AWS regions are geographically isolated by design
     • Data is not replicated to other AWS regions and doesn't move unless the customer chooses to move it
     • Customers manage access to their customer content and AWS services and resources
     • Customers choose how their content is secured
     https://aws.amazon.com/compliance/data-privacy-faq/
  29. In-Country vs. EU vs. Global
     • Unless there is a specific need to comply with a local law or regulation, customers can run workloads anywhere in Europe, because of AWS compliance with the GDPR (Regulation (EU) 2016/679) as a processor.
     • With our EU-approved Data Processing Addendum and 'Model Clauses', AWS customers can continue to run their global operations outside the EU (including in the US) in full compliance with EU law, as confirmed by the Article 29 Working Party.
     • The AWS Data Processing Addendum is available to all AWS customers that are processing personal data, whether they are established in Europe or a global company operating in the European Economic Area.
     • As discussed, customers, as the sole owners of their content, are still responsible for classifying their data and deciding how it is protected.
     Data Residency whitepaper: https://d1.awsstatic.com/whitepapers/compliance/Data_Residency_Whitepaper.pdf
  30. Security IN the Cloud
  31. AWS security solutions, grouped by the AWS CAF Security Perspective
     • Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Cognito, AWS Directory Service, AWS Single Sign-On, AWS Secrets Manager
     • Detective control: AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon GuardDuty, VPC Flow Logs, AWS Security Hub
     • Infrastructure security: Amazon EC2 Systems Manager, AWS Shield, AWS Web Application Firewall (WAF), Amazon Inspector, Amazon Virtual Private Cloud (VPC)
     • Data protection: AWS Key Management Service, AWS CloudHSM, Server/Client Side Encryption, Amazon Macie, AWS Certificate Manager
     • Incident response: AWS Config Rules, AWS Lambda
     AWS CAF Security Perspective: https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
  32. Access a deep set of cloud security tools: Encryption & Data Protection; Networking & Infrastructure; Monitoring & Governance; Identity & Access Management. Icons shown: Security Groups, Endpoints, VPN Gateway, Customer gateway, Internet gateway, Network access control list, Route table, Alarm, Rule, Automation, Inventory, Parameter Store, Patch manager, Run command, State manager, Change set, Checklist, Flow logs, AWS Organizations, AWS STS, Temporary security credential, Permissions, Long-term security credential, MFA token, Role, Federation, Data encryption key, SAML, OAuth, OpenID Connect, Template, Server-Side Encryption, Client-Side Encryption
  33. Governance
  34. Largest ecosystem of security partners and solutions
  35. Consulting competency partners with demonstrated expertise
  36. Move to AWS: strengthen your security posture. Automate with deeply integrated security services; Inherit global security and compliance controls; Highest standards for privacy and data security; Largest network of security partners and solutions; Scale with superior visibility and control
  37. Thank you!
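Slides 16, 31 and 32 describe security policies kept in code and evaluated continuously, list AWS Config Rules and Lambda as the tooling, and name security groups among the VPC controls. As an added example that is not part of the deck, the following custom AWS Config rule (a Python Lambda) flags a VPC security group that allows ingress from the whole internet on ports outside an allow-list; the configuration item shape follows AWS Config's AWS::EC2::SecurityGroup resource, while the `allowedPublicPorts` rule parameter name and the sample group are assumptions.

```python
import json

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}  # sources that mean "the whole internet"

def open_ports(permission):
    # Config records ipProtocol "-1" for "all traffic", with no fromPort/toPort.
    if permission.get("ipProtocol") == "-1":
        return 0, 65535
    return permission.get("fromPort", 0), permission.get("toPort", 65535)

def evaluate_security_group(configuration, allowed_public_ports=frozenset({80, 443})):
    """Return (ComplianceType, Annotation); NON_COMPLIANT if an internet-facing rule covers a non-allowed port."""
    findings = []
    for perm in configuration.get("ipPermissions", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        public = sorted(PUBLIC_CIDRS.intersection(cidrs))
        if not public:
            continue  # internal sources only: not this rule's concern
        low, high = open_ports(perm)
        if any(p not in allowed_public_ports for p in range(low, high + 1)):
            findings.append(f"{perm.get('ipProtocol')} {low}-{high} open to {','.join(public)}")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]  # Annotation is capped at 256 chars
    return "COMPLIANT", "No internet ingress outside the allowed ports"

def lambda_handler(event, context):
    """Entry point AWS Config invokes with the changed configuration item."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    # "allowedPublicPorts" is an assumed rule parameter name, given as "80,443"
    allowed = frozenset(int(p) for p in params.get("allowedPublicPorts", "80,443").split(","))
    if item["configurationItemStatus"].startswith("ResourceDeleted"):
        compliance, note = "NOT_APPLICABLE", "Resource deleted"
    else:
        compliance, note = evaluate_security_group(item["configuration"], allowed)
    evaluation = {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance, "Annotation": note, "OrderingTimestamp": item["configurationItemCaptureTime"]}
    import boto3  # imported here so the evaluation logic stays testable without the SDK
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample group: SSH and HTTPS open to the world, MySQL restricted to the VPC.
SAMPLE_SG = {"ipPermissions": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}],
     "ipv6Ranges": [{"cidrIpv6": "::/0"}]},
    {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "ipRanges": [{"cidrIp": "10.0.0.0/16"}]}]}
```

Running `evaluate_security_group(SAMPLE_SG)` returns NON_COMPLIANT with the annotation naming only the SSH rule, since 443 is on the allow-list and the MySQL rule is not internet-facing.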
