1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Protecting Your Data: AWS Security Tools and Features
Will St. Clair
Sr. Solutions Architect
Worldwide Public Sector
2.
Why is Enterprise Security Traditionally Hard?
• Lack of visibility
• Low degree of automation
3.
Move Fast OR Stay Secure
4.
Move Fast AND Stay Secure
5.
Making life easier
• Choosing security does not mean giving up on convenience or introducing complexity
6.
AWS Security (“Of” & “In”)
7.
AWS Shared Responsibility Model
Customer – responsibility for security “in” the cloud:
• Customer data
• Platform, applications, identity & access management
• Operating system, network & firewall configuration
• Client-side data encryption & data integrity authentication
• Server-side encryption (file system and/or data)
• Networking traffic protection (encryption / integrity / identity)
AWS – responsibility for security “of” the cloud:
• Compute, storage, database, networking
• AWS global infrastructure: regions, availability zones, edge locations
8.
Security “Of” The Cloud
9.
AWS Shared Responsibility Model
10.
Strengthen your security posture
• Leverage security enhancements from 1M+ customer experiences
• Benefit from AWS industry leading security teams 24/7, 365 days a year
• Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations
• Over 50 global compliance certifications and accreditations
“We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers.”
Rob Alexander - CIO, Capital One
11.
The AWS Compliance “Display Cabinet”
Certificates: ISO 27001 Certified, ISO 9001 Certified
Programs: MPAA
12.
Security Innovation: Constantly Evolving
[Chart: AWS launches vs. AWS security launches per year, 2007–2016]
397 (or 39%) of AWS’ 2016 innovations were focused on Security & compliance*
13.
AWS Global Infrastructure
18 Regions – 53 Availability Zones
Region & Number of Availability Zones:
• AWS GovCloud (US) (2)
• US West: Oregon (3), Northern California (3)
• US East: N. Virginia (6), Ohio (3)
• Canada: Central (2)
• South America: São Paulo (3)
• EU: Ireland (3), London (3), Frankfurt (3), France (3)
• Asia Pacific: Singapore (3), Sydney (3), Tokyo (4), Seoul (2), Mumbai (2), Osaka-Local (1)
• China: Beijing (2), Ningxia (2)
New regions coming soon: Hong Kong SAR, Sweden, AWS GovCloud (US-East), Bahrain
14.
Global – CloudFront Edge Network
95 Edge locations (84 Points of Presence and 11 Regional Edge Caches) in 50 cities across 23 countries.
15.
AWS Service Teams & Ownership
Security ownership as part of DNA
• Full ownership
• Full accountability
• Aligned incentives
• Dev-Sec-Ops Model
16.
Security “In” The Cloud
17.
AWS Shared Responsibility Model
18.
Security end-to-end – Help customer build/deploy/operate secure applications
Secure Cloud Application (Shared Responsibility), built on a Strong Compliance Foundation:
• Identity & Access Management
• Enable Detective Controls
• Establish Network Security
• Implement Data Protection
• Optimize Change Management
• Automate Security Functions
19. © 2017 | Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Identity and Access Management
• Identities: Developers, Solutions Architects, Testers, Software/Platform
• Interaction of AWS Identities: EC2, ELB, S3, DynamoDB, SQS, SNS etc.
IAM Users, IAM Groups, IAM Roles, IAM Policies
20.
Detective Controls
AWS CloudTrail:
• Enable globally for all AWS Regions
• Encryption & Integrity Validation
• Archive & Forward
Amazon CloudWatch / Amazon CloudWatch Logs:
• Metrics & Filters
• Alarms & Notifications
AWS X-Ray
21.
Change Management & Visibility
AWS Config:
• Record configuration changes continuously
• Time-series view of resource changes
• Archive & Compare
Amazon Config Rules:
• Enforce best practices
• Automatically roll-back unwanted changes
• Trigger additional workflow
22.
Data Protection
AWS Key Management Service:
• Deep integration with AWS Services
• Audit KMS Key Usage via CloudTrail
• KMS Import Key
• AWS SDK for application encryption
Security of the keys themselves:
• Plaintext keys never stored in persistent memory
• Automatically rotate keys
• Separation of duties between systems that use master keys and data keys
• Multi-party control for all maintenance on systems that use master keys
Amazon CloudHSM:
• Dedicated HSM
• Integrate with on-premises HSMs
• Hybrid Architectures
23.
Automated Security Functions
AWS CloudFormation:
• Orchestrate changes across AWS Services
• Use as foundation to Service Catalog products
• Use with source code repositories to manage infrastructure changes
Template: JSON-based text file describing infrastructure
Stack: resources created from a template; can be updated; updates can be restricted
24.
Network Security
Amazon VPC (VPC CIDR 10.1.0.0/16) with Flow Logs, AWS Direct Connect and VPN Gateway; AWS WAF and AWS Shield
• Availability Zone A: Public subnet (ELB), Private subnet (Web), Private subnet (Back end)
• Availability Zone B: Public subnet (ELB), Private subnet (Web), Private subnet (Back end)
Security Groups:
• sg_ELB_FrontEnd (ELB Security Group)
• sg_Web_Frontend (Web Security Group)
• sg_Backend (Backend Security Group)
25.
Access a deep set of cloud security tools
Networking:
• Virtual Private Cloud – Isolated cloud resources
• Web Application Firewall – Filter Malicious Web Traffic
• Shield – DDoS protection
• Certificate Manager – Provision, manage, and deploy SSL/TLS certificates
Encryption:
• Key Management Service – Manage creation and control of encryption keys
• CloudHSM – Hardware-based key storage
• Server-Side Encryption – Flexible data encryption options
Identity & Management:
• IAM – Manage user access and encryption keys
• SAML Federation – SAML 2.0 support to allow on-prem identity integration
• Directory Service – Host and manage Microsoft Active Directory
• Organizations – Manage settings for multiple accounts
Compliance:
• Service Catalog – Create and use standardized products
• Config – Track resource inventory and changes
• CloudTrail – Track user activity and API usage
• CloudWatch – Monitor resources and applications
• Inspector – Analyze application security
• Artifact – Self-service for AWS’ compliance reports
26.
Robust Security for Your Entire Storage Infrastructure
Batches and Streams: Direct Connect, Snowball data transport, 3rd Party Connectors, Transfer Acceleration, Storage Gateway, Kinesis Firehose
File: Amazon EFS
Block: Amazon EBS (persistent), Amazon EC2 Instance Store (ephemeral)
Object: Amazon S3, Amazon Glacier
27.
Security for AWS Storage Services… High Level Info…
Amazon S3
• IAM: IAM Policy – Resource, Bucket & User/Role policy; ACLs; Query String Auth
• Encryption: SSE-S3, SSE-C, SSE-KMS; Client Side Encryption; SSL
• More info: Versioning; MFA-Delete; Access Log – Audit, Customer base, S3 Bill
Amazon Glacier
• IAM: IAM Policy – Vault Operations; Vault Access Policies
• Encryption: Server Side Encryption, AES-256 (Block Cipher)
• More info: Lock Vault Policy, e.g. WORM; CloudTrail Integration
Amazon EBS
• IAM: IAM Policy – Access EBS Volumes
• Encryption: Seamless EBS Encryption (C, KMS) – Data Vol, Snapshots
• More info: Encryption occurs on Servers hosting EC2 & data & boot volume. Redundancy – Same AZ
28.
Security for AWS Storage Services… High Level Info…
AWS Snowball
• IAM: IAM Policy
• Encryption: Supports Server Side encryption with S3 managed keys; AES GCM 256 bit keys; SSL Encryption
• More info: Physically Secured – TPM Chip
Amazon EFS
• IAM: IAM Policy
• Encryption: Seamless encryption using KMS – Data at rest
• More info: Security Group for EC2 Instances, EFS Mount (e.g. NFS 2049 port)
Amazon Instance Store
• IAM: IAM Policy – EC2 Operations
• Encryption: Encryption via linux lib and/or 3rd party
• More info: Data erased when instance stops or terminates
29.
Demo
30.
How can I make sure S3 is secure?
31.
How do I encrypt EBS volumes?
32.
How do I protect log files from tampering?
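As an added example (not part of this AWS deck), here is a Python check of the hash chain that CloudTrail log file integrity validation (slide 20, and the demo question above) relies on: each digest records the SHA-256 of the log files it covers and the hash of the digest before it, so an edited log or a rewritten digest shows up as a mismatch. The field names follow the documented digest-file format; the log and digest objects, the bucket name and the account id are constructed placeholders, digest bodies are kept as uncompressed JSON, and the RSA signature CloudTrail stores as object metadata is assumed to be verified separately (the `aws cloudtrail validate-logs` command does both).

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_digest_chain(digests, objects):
    """Check CloudTrail digest files (oldest first) against the stored objects.
    Returns a list of problems; an empty list means the chain is intact."""
    problems = []
    prev_hash = None
    for d in digests:
        name = d["digestS3Object"]
        # Every log file the digest lists must still hash to the recorded value.
        for lf in d["logFiles"]:
            body = objects.get(lf["s3Object"])
            if body is None:
                problems.append(f"{lf['s3Object']}: log file missing")
            elif sha256_hex(body) != lf["hashValue"]:
                problems.append(f"{lf['s3Object']}: hash mismatch")
        # Each digest must carry the hash of the previous digest file.
        if prev_hash is not None and d.get("previousDigestHashValue") != prev_hash:
            problems.append(f"{name}: chain to previous digest broken")
        prev_hash = sha256_hex(objects[name])
    return problems

def build_sample(tamper="none"):
    """Constructed sample (not real CloudTrail output): two log files, each
    covered by a digest that also chains to the digest before it."""
    objects, digests, prev_hash = {}, [], None
    for i in range(2):
        log_key = f"AWSLogs/123456789012/CloudTrail/us-east-1/2018/01/0{i + 1}/log{i}.json"
        log_body = json.dumps({"Records": [{"eventName": "PutBucketPolicy", "seq": i}]}).encode()
        digest_key = f"AWSLogs/123456789012/CloudTrail-Digest/us-east-1/2018/01/0{i + 1}/digest{i}.json"
        digest = {
            "awsAccountId": "123456789012",  # placeholder account id
            "digestS3Bucket": "example-trail-bucket",  # placeholder bucket name
            "digestS3Object": digest_key,
            "previousDigestHashValue": prev_hash,
            "previousDigestHashAlgorithm": "SHA-256" if prev_hash else None,
            "logFiles": [{"s3Object": log_key, "hashAlgorithm": "SHA-256",
                          "hashValue": sha256_hex(log_body)}],
        }
        digest_body = json.dumps(digest, sort_keys=True).encode()
        objects[log_key], objects[digest_key] = log_body, digest_body
        digests.append(digest)
        prev_hash = sha256_hex(digest_body)
    if tamper == "log":  # a delivered log file is edited after the fact
        key = digests[0]["logFiles"][0]["s3Object"]
        objects[key] = objects[key].replace(b"PutBucketPolicy", b"GetObject")
    elif tamper == "digest":  # the first digest is rewritten to drop its log entry
        digests[0]["logFiles"] = []
        objects[digests[0]["digestS3Object"]] = json.dumps(digests[0], sort_keys=True).encode()
    return verify_digest_chain(digests, objects)
```

`build_sample()` returns an empty list, while `build_sample("log")` and `build_sample("digest")` each return one problem: the edited log fails its hash check, and the rewritten digest no longer matches the hash recorded in its successor.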
33.
Automate all the things!!
34.
Typical Enterprise Cloud Migration Journey…
• Landing Zone
• Backup & Recovery
• Security (Data, Network)
• CI/CD – DevSecOps
• Compliance Automation
35.
Flexibility and Complexity
• What is the regulatory requirement?
• What's in-scope or out-of-scope?
• How to verify the standards are met?
36.
Security by Design – Solution to Automate Security Compliance and Auditing in AWS
Security by Design (SbD) is a security assurance approach that formalizes AWS account design, automates security controls, and streamlines auditing. Instead of relying on auditing security retroactively, SbD provides security control built in throughout the AWS IT management process.
https://d0.awsstatic.com/whitepapers/compliance/Intro_to_Security_by_Design.pdf
Services: Identity & Access Management, CloudTrail, CloudWatch, Config Rules, Trusted Advisor, CloudHSM, Key Management Service, Directory Service
37.
Security by Design - Design Principles
• Build security in every layer
• Design for failures
• Implement auto-healing
• Think parallel
• Plan for Breach
• Don't fear constraints
• Leverage different storage options
• Design for cost
• Treat Infrastructure as Code: modular, versioned, constrained
Developing new risk mitigation capabilities, which go beyond global security frameworks, by treating risks, eliminating manual processes, and optimizing evidence and audit ratification processes through rigid automation
38.
Trusted Advisor
39.
AWS Security Partners
• Infrastructure Security
• Logging & Monitoring
• Identity & Access Control
• Configuration & Vulnerability Analysis
• Data Protection
40.
Recent Services/Features
41.
Amazon GuardDuty – Intelligent Threat Detection in the AWS Cloud
GuardDuty helps security professionals quickly find the threats (needle) to their environments in the sea of log data (haystack) so they can focus on hardening their AWS environments and responding quickly to malicious or suspicious behavior.
https://aws.amazon.com/guardduty/
42.
Amazon GuardDuty – The Three “C’s” of GuardDuty
https://aws.amazon.com/guardduty/
43.
Amazon GuardDuty – Threat Detection and Notification
https://aws.amazon.com/guardduty/
44.
Amazon Macie
AWS security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Features enable you to:
• Recognize sensitive data such as personally identifiable information (PII) or intellectual property
• Use dashboards and alerts that give visibility into how this data is being accessed or moved
• Monitor data access activity for anomalies, and generate detailed alerts when it detects risk of unauthorized access or inadvertent data leaks
Today, Amazon Macie is available to protect data stored in Amazon S3, with support for additional AWS data stores coming later this year. For more information, visit http://aws.amazon.com/macie
48.
Amazon Elastic File System
Amazon Elastic File System (Amazon EFS) provides simple, scalable file storage for use with Amazon EC2 instances in the AWS Cloud. Encryption of data at rest is available now in all regions where EFS is supported, at no additional charge.
For more information, visit http://aws.amazon.com/efs
49.
AWS CloudHSM V2
AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.
• FIPS 140-2 Level 3 validated HSMs
• AWS-Native
• Integrate with industry-standard APIs: PKCS#11, JCE, Microsoft CryptoNG
• Pay as you go
• Fully managed
• Open & Compatible
For more information, visit https://aws.amazon.com/cloudhsm/
50.
Getting Started – Where to learn more about AWS’ security & compliance resources
• Visit our Security and Compliance Hubs: http://aws.amazon.com/security and http://aws.amazon.com/compliance
• Consult the AWS Security & Compliance Quick Reference Guide: https://d0.awsstatic.com/whitepapers/compliance/AWS_Compliance_Quick_Reference.pdf
• Explore the AWS Artifact portal: https://aws.amazon.com/artifact/
• Learn more about our security & compliance accelerators: https://aws.amazon.com/quickstart/
51.
Everything and Anything Startups Need to Get Started on AWS
aws.amazon.com/activate