
Security: A Driving Force Behind Cloud Adoption

There are four common challenges that CISOs and their security teams struggle with, even in the most secure and mature organizational datacenters – visibility, resilience, defense-in-depth, and automation. Learn how these challenges become benefits of using the AWS Cloud and why Cybersecurity is becoming a driving force behind commercial cloud adoption. This is an executive level presentation that covers key technical concepts and capabilities to meet business security and compliance objectives. Intended audience includes CIOs, CISOs, Technical Managers, senior architects and engineers new to AWS, and Technically-savvy Business Managers.

  1. Security: A Driving Force Behind Moving to the Cloud. Michael South, Americas Regional Leader, Public Sector Security & Compliance. ©2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Why is security traditionally so hard?
     • Lack of visibility
     • Low degree of automation
     • Lack of resiliency
     • Defense-in-depth challenges
  3. Four security benefits of the cloud
     • Increased visibility
     • Increased availability and resiliency
     • True defense-in-depth
     • Ability to automate for governance and security operations
  4. Share your security responsibility with AWS (the shared responsibility model)
     AWS is responsible for security OF the cloud: the AWS global infrastructure (Regions, Availability Zones, edge locations) and the compute, storage, database and networking services built on it.
     The customer is responsible for security IN the cloud: customer data; platform, applications, identity and access management; operating system, network and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption (file system and/or data); network traffic protection (encryption, integrity, identity).
  5. Visibility
  6. Means of obtaining visibility
     • Use of resource tags
     • CLI describe commands
     • Console
     • Business intelligence tools
     • API queries
  7. AWS services that provide operational visibility
     • Track user activity and API usage
     • Monitor resources and applications
     • Analyze OS and application security
     • Self-service access to AWS' compliance reports
     • Track network activity in and out of a VPC (flow logs)
     • Intelligent threat detection
     • Discover, classify and protect sensitive data
     • Guidance to reduce cost, increase performance and improve security
     • Track application access and denials
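Slides 6 and 7 list the sources of visibility (API queries, flow logs) without showing what you do with them. The following is an added example, not code from the deck or from AWS: it parses VPC Flow Log records in the documented default (version 2) format and reports a source that was rejected on many distinct destination ports, the port-probe pattern that slide 20 later attributes to GuardDuty. The log lines are constructed sample data, not a real capture, and the threshold of five ports is an assumption.

```python
"""Added example (not from the deck): turn VPC Flow Logs into a visibility signal.

Parses default-format (version 2) flow log records and reports sources that
were REJECTed on many distinct destination ports. Field order follows the
documented default flow log format; the sample lines are constructed.
"""
from collections import defaultdict

# Default-format fields, in order, for a version 2 flow log record.
FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)

# Constructed sample: one source probing several ports (mostly rejected),
# one legitimate client on 443, and one NODATA record with no traffic fields.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51234 22 6 4 240 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51235 23 6 4 240 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51236 80 6 4 240 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51237 443 6 4 240 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51238 3389 6 4 240 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51239 8080 6 4 240 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40001 443 6 10 8000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40002 443 6 10 8000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per usable record; skip NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":  # NODATA / SKIPDATA carry no traffic fields
            continue
        records.append(rec)
    return records


def find_port_probes(records, min_distinct_ports=5):
    """Map (srcaddr, dstaddr) -> sorted rejected destination ports for pairs
    that were rejected on at least min_distinct_ports different ports."""
    rejected = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            rejected[(rec["srcaddr"], rec["dstaddr"])].add(int(rec["dstport"]))
    return {pair: sorted(ports) for pair, ports in rejected.items()
            if len(ports) >= min_distinct_ports}


def bytes_by_source(records):
    """Accepted bytes per source address: who is actually exchanging data with us."""
    totals = defaultdict(int)
    for rec in records:
        if rec["action"] == "ACCEPT":
            totals[rec["srcaddr"]] += int(rec["bytes"])
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for (src, dst), ports in find_port_probes(recs).items():
        print(f"possible port probe: {src} -> {dst} rejected on ports {ports}")
    print("accepted bytes by source:", bytes_by_source(recs))
```

In production the same two functions would run over records pulled from the CloudWatch Logs group or S3 bucket the flow log delivers to; the point of the example is that a REJECT-only view of one source across many ports is a cheap, explainable detection you can build before turning on a managed detector.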
  8. Inherit global security and compliance controls (🌐 = industry or global standard)
     Certifications / Attestations: C5, Cyber Essentials Plus, DoD SRG, FedRAMP, FIPS, IRAP, ISO 9001 🌐, ISO 27001 🌐, ISO 27017 🌐, ISO 27018 🌐, K-ISMS, MTCS, PCI DSS Level 1 🌐, SEC Rule 17a-4(f), SOC 1 / SOC 2 / SOC 3 🌐
     Laws / Regulations / Privacy: Argentina Data Privacy, CISPE, EU Model Clauses, EU-US Privacy Shield, FERPA, GDPR, GLBA, HIPAA, HITECH 🌐, IRS 1075, ITAR, My Number Act, UK DPA 1998, VPAT / Section 508, Data Protection Directive, Privacy Act [Australia], Privacy Act [New Zealand], PDPA 2010 [Malaysia], PDPA 2012 [Singapore], PIPEDA [Canada], Spanish DPA Authorization
     Alignments / Frameworks: CIS (Center for Internet Security) 🌐, CJIS (US FBI), CSA (Cloud Security Alliance) 🌐, ENS High, FFIEC, FISC, FISMA, G-Cloud, GxP (US FDA CFR 21 Part 11), ICREA 🌐, IT Grundschutz, MITA 3.0 (US Medicaid), MPAA, NIST, PHR, Uptime Institute Tiers 🌐, Cloud Security Principles
  9. Resiliency
  10. AWS Global Infrastructure: 22 Regions, 69 Availability Zones, 199 edge locations. Regions (number of Availability Zones):
     • US: N. Virginia (6), Ohio (3), Oregon (3), Northern California (3)
     • Canada: Central (2)
     • South America: São Paulo (3)
     • Europe: Ireland (3), Frankfurt (3), London (3), Paris (3), Stockholm (3)
     • Middle East: Bahrain (3)
     • Asia Pacific: Singapore (3), Sydney (3), Tokyo (4), Seoul (2), Mumbai (2), Hong Kong (3)
     • China: Beijing (2), Ningxia (3)
     • Announced Regions: Jakarta, Milan, Cape Town
  11. Scale globally with resilience in every Region: the largest global footprint, consistently built with a multi-AZ and multi-datacenter design. A Region is a physical location in the world where AWS has multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities and linked through redundant transit. Announced Regions as of this slide: Bahrain, Jakarta, Milan, Sweden.
  12. Achieving high availability in AWS. Customer datacenter: a single chain of firewall, load balancer, web server, app server (or a combined web/app server) and database. AWS Cloud: one VPC in a Region spanning Availability Zone A and Availability Zone B, with a public subnet, an app subnet and a DB subnet in each AZ; web servers and app servers run in Auto Scaling groups across both AZs; the primary DB sits in one AZ and the secondary DB in the other.
  13. Defense in depth
  14. The reality of many on-prem network defenses: a hard outer shell (the perimeter: firewall, WAF, IDS/IPS, DLP) and a soft and gooey middle (the LAN / datacenter: VLANs, ACLs, endpoint security).
  15. Defense-in-depth in AWS at the perimeter
     • DDoS protection
     • Web application firewall
     • VPN gateway for secure DevOps communications
     • Private fiber between AWS and the customer
     • Internet gateway: the path to the public internet, not present by default
     • VPC with subnet ACLs (a stateless firewall)
     • Signature- and behavior-based intrusion detection using machine learning
     • Partner solutions: firewall, IDS/IPS, WAF
     Diagram: a VPC in an AWS Region with a public subnet (web server), an app subnet (app server) and a DB subnet (DB primary).
  16. Defense-in-depth in AWS between workloads: two VPCs in the same Region, each with its own subnet ACLs (stateless firewall) and its own web, app and DB tiers. By default there is no communication between VPCs; connectivity is opt-in through VPC peering (a private network connection between VPCs), PrivateLink (one-way secure communication) or an internet gateway with VPN (a public path over the internet).
  17. Defense-in-depth in AWS inside the workload
     • Security groups per tier (web, app, DB): a stateful firewall between each application tier that does NOT allow peer-to-peer communication by default
     • 3rd-party endpoint security on the OS: anti-virus, host firewall, host intrusion prevention system
     • Signature- and behavior-based intrusion detection using machine learning
     • Security and compliance assessment
     • Event management and alerting
     • API logging
     • Operational view and control of resources
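Slides 15 to 17 call subnet ACLs a stateless firewall and security groups a stateful one; the operational consequence (why a network ACL needs an outbound rule for ephemeral ports and a security group does not) is what trips people up. The model below is an added example, not code from the deck or from AWS: it simulates both layers against one HTTPS connection and one blocklist case. Addresses, ports, rule numbers and the absence of ICMP, IPv6, the "*" catch-all rule and the default outbound allow on security groups are simplifications assumed for illustration.

```python
"""Added example (not from the deck): stateless network ACL vs stateful security group.

NetworkAcl models a subnet network ACL: numbered allow/deny rules evaluated in
ascending order for each packet in each direction, implicit deny, no memory.
SecurityGroup models a security group: allow-only rules plus connection
tracking, so return traffic of an admitted flow needs no rule of its own.
"""
import ipaddress


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


class NetworkAcl:
    """Stateless: every packet, in either direction, is matched against the
    numbered rules in ascending order; first match wins; no match is a deny."""

    def __init__(self, inbound, outbound):
        # rule = (number, protocol, port_lo, port_hi, cidr, "allow" | "deny")
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def allows(self, direction, pkt):
        peer = pkt["src"] if direction == "in" else pkt["dst"]
        for _num, proto, lo, hi, cidr, action in self.rules[direction]:
            if proto == pkt["proto"] and lo <= pkt["dport"] <= hi and in_cidr(peer, cidr):
                return action == "allow"
        return False


class SecurityGroup:
    """Stateful: rules only allow; once a flow is admitted, its return traffic
    is permitted by the connection-tracking table rather than by a rule."""

    def __init__(self, inbound, outbound=()):
        # rule = (protocol, port, cidr)
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()

    def allows(self, direction, pkt):
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.tracked:          # reply to a flow we already admitted
            return True
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt["src"] if direction == "in" else pkt["dst"]
        for proto, port, cidr in rules:
            if proto == pkt["proto"] and port == pkt["dport"] and in_cidr(peer, cidr):
                self.tracked.add(flow)
                return True
        return False


# Constructed scenario: an internet client opens HTTPS to a web server in a public subnet.
CLIENT, WEB = "203.0.113.5", "10.0.1.10"
SYN = {"proto": "tcp", "src": CLIENT, "sport": 51234, "dst": WEB, "dport": 443}
REPLY = {"proto": "tcp", "src": WEB, "sport": 443, "dst": CLIENT, "dport": 51234}


def handshake(filt):
    """(request admitted?, reply admitted?) for one connection through a filter."""
    return filt.allows("in", SYN), filt.allows("out", REPLY)


def nacl_missing_ephemeral():
    # Common mistake: outbound allows only 443, but the reply's destination
    # port is the client's ephemeral port, so the stateless ACL drops it.
    return NetworkAcl(inbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
                      outbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow")])


def nacl_correct():
    return NetworkAcl(inbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
                      outbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
                                (110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")])


def nacl_blocklist_first():
    # A lower-numbered deny for the client's /24 beats the later allow, and
    # because the ACL is stateless the outbound reply is still judged on its own.
    return NetworkAcl(inbound=[(50, "tcp", 0, 65535, "203.0.113.0/24", "deny"),
                               (100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
                      outbound=[(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")])


def web_security_group():
    # No outbound rules at all, yet the reply passes thanks to connection tracking.
    return SecurityGroup(inbound=[("tcp", 443, "0.0.0.0/0")])


if __name__ == "__main__":
    for name, build in [("NACL without ephemeral rule", nacl_missing_ephemeral),
                        ("NACL with ephemeral rule", nacl_correct),
                        ("NACL blocklist first", nacl_blocklist_first),
                        ("security group", web_security_group)]:
        print(f"{name}: request/reply admitted = {handshake(build())}")
```

The blocklist case also shows why network ACLs are the right place for deny rules (security groups cannot express deny) and why they must be written with the return path in mind, while security groups are the right place for the per-tier "only the web tier may reach the app tier" policy that slide 17 describes.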
  18. Automation
  19. Remove humans from the data
  20. Amazon GuardDuty IDS findings
     • Reconnaissance, instance recon: port probe / accepted communication, port scan (intra-VPC), brute-force attack (IP), drop point (IP), Tor communications
     • Reconnaissance, account recon: Tor API call (failed)
     • Instance compromise: C&C activity, malicious domain request, EC2 on threat list, drop point IP, malicious comms (ASIS), bitcoin mining, outbound DDoS, spambot activity, outbound SSH brute force, unusual network port, unusual traffic volume/direction, unusual DNS requests
     • Account compromise: malicious API call (bad IP), Tor API call (accepted), CloudTrail disabled, password policy change, unusual instance launch, unusual Region activity, suspicious console login, unusual ISP caller, mutating API calls (create, update, delete), high volume of describe calls, unusual IAM user added
     On the slide, detections in gray are signature-based, stateless findings; detections in blue are behavioral, stateful findings / anomaly detections.
  21. Automate with integrated services: automated threat remediation. An event (event-based trigger) passes through a filtering rule to a Lambda function, which acts on other AWS and partner services.
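Slide 21 shows the pipeline (finding event, filtering rule, Lambda function, action on other services) as boxes. The handler below is an added example, not code from the deck or from AWS: it takes a GuardDuty finding in the shape GuardDuty publishes to EventBridge/CloudWatch Events (the finding JSON under "detail", with "type", "severity" and "resource"), applies a severity and category filter, and quarantines the affected EC2 instance by swapping its security groups. The finding type is one of GuardDuty's published names (verify against the current finding-type list before relying on it); the account, instance and security group IDs, the category set and the severity threshold are constructed assumptions. The EC2 client is injected so the code runs offline; inside Lambda it falls back to boto3's EC2 client and its real modify_instance_attribute call.

```python
"""Added example (not from the deck): GuardDuty finding -> filter -> Lambda -> isolate instance.

plan_remediation is a pure function so the decision logic can be tested
without AWS credentials; lambda_handler performs the side effect.
"""

# Finding categories for which the instance gets isolated (assumption: tune to your risk appetite).
ISOLATE_CATEGORIES = {"Backdoor", "CryptoCurrency", "Trojan"}
# Assumed: a pre-created security group with no inbound and no outbound rules.
QUARANTINE_SG = "sg-0quarantine000000"
MIN_SEVERITY = 7.0  # GuardDuty scores 7.0 to 8.9 as High

# Constructed sample event: command-and-control activity from an EC2 instance.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "accountId": "123456789012",
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0abc123def4567890"},
        },
    },
}


def plan_remediation(event, min_severity=MIN_SEVERITY):
    """Decide what to do with a finding. This is the 'filtering rule' of slide 21."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignore", "reason": "not a GuardDuty event"}
    finding = event["detail"]
    ftype = finding["type"]
    category = ftype.split(":", 1)[0]          # e.g. "Backdoor" from "Backdoor:EC2/..."
    resource = finding.get("resource", {})
    plan = {"action": "log_only", "type": ftype, "severity": float(finding["severity"])}
    if plan["severity"] < min_severity:
        plan["reason"] = "below severity threshold"
    elif resource.get("resourceType") == "Instance" and category in ISOLATE_CATEGORIES:
        plan.update(action="isolate_instance",
                    instance_id=resource["instanceDetails"]["instanceId"])
    elif resource.get("resourceType") == "AccessKey":
        plan.update(action="notify_identity_team",
                    user=resource["accessKeyDetails"].get("userName"))
    else:
        plan["reason"] = "no automated playbook for this finding"
    return plan


def isolate_instance(ec2, instance_id, quarantine_sg=QUARANTINE_SG):
    """Replace every security group on the instance with the quarantine group.
    The instance keeps running (memory and disk stay available for forensics)
    but can no longer talk to anything."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return {"instance_id": instance_id, "groups": [quarantine_sg]}


def lambda_handler(event, context, ec2=None):
    plan = plan_remediation(event)
    if plan["action"] == "isolate_instance":
        if ec2 is None:
            import boto3  # only needed when running inside Lambda
            ec2 = boto3.client("ec2")
        plan["result"] = isolate_instance(ec2, plan["instance_id"])
    return plan


class RecordingEc2:
    """Stand-in for boto3's EC2 client: records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))
        return {}


if __name__ == "__main__":
    fake = RecordingEc2()
    print(lambda_handler(SAMPLE_EVENT, None, ec2=fake))
    print(fake.calls)
```

Two practical caveats the deck does not spell out: the Lambda role needs ec2:ModifyInstanceAttribute and nothing broader, and the quarantine group must exist in the same VPC as the instance or the call fails. Isolation rather than termination is deliberate, so the instance is still there for the forensics step.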
  22. AWS security solutions
     • Identity: AWS Identity & Access Management (IAM), AWS Organizations, AWS Directory Service, AWS Single Sign-On, Amazon Cognito, AWS Secrets Manager, AWS Resource Access Manager
     • Detective control: AWS Config, AWS Security Hub, Amazon GuardDuty, Amazon CloudWatch, AWS CloudTrail, VPC Flow Logs
     • Infrastructure security: AWS Shield, AWS Firewall Manager, AWS Web Application Firewall (WAF), Amazon Virtual Private Cloud (VPC), Amazon EC2 Systems Manager, Amazon Inspector
     • Data protection: AWS Key Management Service (KMS), AWS CloudHSM, Amazon Macie, AWS Certificate Manager, server-side encryption
     • Incident response: AWS Config Rules, AWS Lambda
  23. Workloads appropriate for AWS: web applications and websites; backup, recovery and archiving; disaster recovery; development and test; big data; high-performance computing; enterprise IT; mobile; mission-critical applications; data center migration and hybrid; IoT; security operations.
  24. Improving security with the cloud. "Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters." - Tom Soderstrom, CTO, NASA JPL. For more details, see the re:Invent 2013 presentation by NASA JPL cyber security engineer Matt Derenski (http://awsps.com/videos/SEC205E-640px.mp4).
  25. Summary: the cloud is not only secure, but through shared responsibility, well-architected solutions and best practices it can be more secure than the traditional on-prem datacenter.
  26. Come visit our booth (Booth #3)! Drop your business card to enter the raffle to win an Amazon Echo, or register online at https://amzn.to/cyberspace-protection. All participants will receive our whitepaper "A call to action to protect citizens, the private sector, and governments", developed in partnership with the Organization of American States.
  27. Thank you! Questions?
