Security is a top priority for both AWS and its customers, and many enterprises trust AWS with some of their most sensitive information, including financial, personal and health information. This talk covers the key security features of AWS that these enterprise customers use to build their own secure applications and to secure and encrypt their content. It also shows how you can integrate AWS into your existing security policies and how partners like Trend Micro can help you extend those policies into the AWS Cloud.
2. Every Customer Gets the Same AWS Security Foundations
Independent validation by experts:
• Every AWS Region is in scope
• SOC 1 (SSAE 16 & ISAE 3402) Type II
• SOC 2 Type II and public SOC 3 report
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP Certification, HIPAA capable
(Diagram: AWS Foundation Services (Compute, Storage, Database, Networking) built on the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).)
3. Security is a Shared Responsibility Between AWS and our Customers
Customers are responsible for their security IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
4. Your Own Auditor Can Still Audit your AWS Environment
What AWS brings:
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
What you build on top: your own compliant solutions, your own ISO certifications, your own external audits and assurance.
• Achieve PCI, HIPAA and MPAA compliance
• Certify against ISO 27001 with a reduced scope
• Have key controls audited or publish your own independent attestations
(Diagram: Customers above AWS Foundation Services (Compute, Storage, Database, Networking) and the AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).)
5. Let AWS Take Care of the Heavy Lifting for You
AWS provides:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
The customer adds:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Applications
• Proper service configuration
• AuthN & account management
• Authorization policies
Result: customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.
6. You Choose Where to Store It and Who Can Use It
Customers Retain Full Ownership and Control of Their Content:
• Customers manage their privacy objectives how they choose to
• Select the AWS geographical Region; there is no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
The security of our services and customers is key to AWS.
7. Customers Choose Where Their Compute and Storage is Located
Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo), CHINA (Beijing)
8. Build Your Own Resilient, Fault Tolerant Solutions
• AWS operates scalable, fault tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active operations
• All AWS facilities are always on, and every one is managed to the same global standards
• No need for a "Disaster Recovery Datacenter" when you can have resilience
• AWS has robust connectivity and bandwidth: each AZ has multiple, redundant Tier 1 ISP Service Providers on a resilient network infrastructure
9. Create Your Own Integrated Hybrid Environment with Amazon VPC
(Diagram: your organization's Project Teams, Marketing, Business Units and Reporting connect through Amazon VPC to workloads in AWS: Digital / Websites, Dev and Test environments, Redshift / EMR Analytics, Internal Enterprise Apps, and Amazon S3 / Amazon Glacier for Storage / Backup.)
10. You Can Apply Your Existing Security Policies and Standards
Launch instance from the EC2 AMI catalogue -> Running instance -> Configure instance -> Your instance
• Create or import your own 'gold' images: import existing VMs to AWS or save your own custom images
• Configure your environment as you like: choose how to build your standard host security environment
• You get to apply your existing security policy to the operating system: hardening and configuration, audit and logging, vulnerability management, malware and IPS, whitelisting and integrity, user administration
11. Control Access and Segregate Duties with AWS IAM
• You get to control who can do what in your AWS environment and from where
• Fine-grained control of your entire cloud environment with two-factor authentication
• Integrated with your existing corporate directory using SAML 2.0
(Diagram: the AWS account owner delegates network management, security management, server management and storage management to separate roles that build and run the environment. The example network is VPC A - 10.0.0.0/16 in one Region, with Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 in two Availability Zones, a router, an Internet Gateway to the Internet and a Customer Gateway back to the customer's own network.)
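The IAM model on this slide (fine-grained control of who can do what and from where, backed by two-factor authentication) comes down to how policy statements are evaluated. The following is an added example, not AWS code, of a deliberately simplified evaluator that models the three rules a practitioner relies on: requests are denied by default, one matching explicit Deny wins over any Allow, and condition keys such as aws:MultiFactorAuthPresent and aws:SourceIp gate an Allow. The two policies and the address ranges are constructed for illustration; the evaluator ignores much of real IAM (resource-based policies, NotAction, case-insensitive action matching, policy variables) and is meant to make segregation of duties concrete, not to replace the IAM policy simulator.

```python
import fnmatch
import ipaddress

# Constructed example policies (illustration only, not copied from any account).
# Network-management role: may work on VPC/EC2 networking, but only from the
# corporate address range and only when the caller authenticated with MFA.
# The final statement implements segregation of duties: this role must never
# touch IAM, whatever another attached policy might allow.
NETWORK_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "ec2:*Vpc*", "ec2:*Subnet*",
                       "ec2:*SecurityGroup*", "ec2:*RouteTable*"],
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
            },
        },
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# A second, over-broad policy that someone might attach by mistake.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
}


def _matches(pattern_or_list, value):
    """Glob-match an Action or Resource element ('*' and '?' as in IAM)."""
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _conditions_hold(condition, context):
    """Evaluate the subset of IAM condition operators used in this example.
    Every key under every operator must be satisfied (IAM ANDs them)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing key never satisfies a positive operator
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "IpAddress":
                if ipaddress.ip_address(actual) not in ipaddress.ip_network(expected):
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def evaluate(policies, action, resource, context):
    """Return 'Allow' or 'Deny' for one request against the attached policies.
    Rule order is IAM's: implicit deny, then any matching Allow grants,
    but one matching explicit Deny overrides everything."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _conditions_hold(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    office_mfa = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.10"}
    home_no_mfa = {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "198.51.100.7"}
    for ctx, act in [(office_mfa, "ec2:CreateSubnet"), (home_no_mfa, "ec2:CreateSubnet"),
                     (office_mfa, "iam:CreateUser")]:
        print(act, ctx["aws:SourceIp"], "->",
              evaluate([NETWORK_ADMIN_POLICY, OVERBROAD_POLICY], act, "*", ctx))
```

The point worth checking in your own policies is the last case: attaching the over-broad policy does not reopen iam:* for this role, because the explicit Deny is evaluated regardless of which policy granted the Allow. That is what makes an explicit Deny the right tool for separating the network, security, server and storage management roles in the diagram.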
12. You Can Choose to Encrypt Your Content Any Way You Like
• Encrypt your Elastic Block Store volumes any way you like: many free utilities, plus Trend and other partners, offer high-assurance solutions
• S3 offers either server-side or client-side encryption: manage your own keys or let AWS do it for you
• Redshift has one-click disk encryption as standard, and you can supply your own keys
• RDS supports transparent data encryption (TDE) on the Oracle and SQL Server engines: easily encrypt sensitive database tables
13. You Can Use AWS CloudHSM to Store Your Encryption Keys
Tamper-resistant, customer controlled hardware security module within your VPC:
• Industry-standard SafeNet Luna devices, Common Criteria EAL4+ and NIST FIPS 140-2 certified
• No access from the Amazon administrators who manage and maintain the appliance
Reliable & durable key storage:
• Use for database and Redshift encryption
• Integrate with your own applications
• Integration with partner disk-encryption
14. You Can Also Use or Integrate with Your Own On-premise HSMs
(Diagram: applications and your own HSM on your premises sync with a high-availability pair of CloudHSM appliances behind NAT in AWS. EC2 instances use them for volume, object and database encryption (EBS, S3, Amazon S3 / Amazon Glacier) and for transaction signing, DRM and other applications.)
15. AWS Partners Can Help You Build and Implement Secure Solutions
AWS (physical security, compute, storage and network infrastructure, virtualization layer (EC2), hardened service endpoints, fine-grained IAM capability, rich security features) + AWS partner solutions = your secure AWS solutions.
There are also now free trials of security software on the AWS Marketplace that you can use to evaluate for your own security.
16. Simple . Smart . Security that fits: Instant ON Security for AWS
David Ng, APAC PMM | Cloud & Data Center Security
17. Data Center Ops: Own Data Center (Physical) -> Virtual -> Cloud
• By 2016, 71% of server workloads will be virtualized (1)
• 90% of large enterprises and government agencies will use cloud by 2015 (2)
1. Source: Gartner, Forecast Analysis: Data Center, May 2012
2. Source: Forrester Study, 2013
19. Are you Dealing With…
• Minutes to deploy a server… weeks to secure it?
• Knowing what security is needed… and if it is applied appropriately?
• Cloud scale beyond physical limits… hitting a wall on security?
20. How are You Dealing with… production apps, sensitive data, patch scheduling, web app vulnerabilities and compliance in the public cloud?
76% of organizations indicated they had compliance or data confidentiality requirements*
*Source: Trend Micro survey, May 2013
21. Security Principles Remain the Same; APPROACH to Security Must Change
• CONTEXT: from generic to workload- and application-aware
• SOFTWARE: from hardware to software optimized for cloud infrastructure
• PLATFORM: from many tools to comprehensive capabilities extended across your data center and cloud
• ADAPTIVE: from static to intelligent, dynamic policy enforcement with automated provisioning specific to the platform
22. Cloud Security is a Shared Responsibility
Customers: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption, server-side data encryption and network traffic protection.
Cloud Service Provider: foundation services (compute, storage, database, networking) and the AWS global infrastructure (regions, availability zones, edge locations).
23. New Approaches Can Deliver Instant-on Cloud Security
• Provision securely within the dynamic cloud
• Manage security efficiently as you scale
• Security optimized for the cloud
24. Automate Security as a Part of Your Operations
• Recommend and apply security policies for instant-on protection
• Continuously scan applications for vulnerabilities
• Protect data in motion and at rest
25. Global Telecom Company (450 million subscribers worldwide)
Required major deployment in AWS to be as secure as or more secure than the data center.
After examining the available options and consulting with AWS on how to fulfill on their Shared Responsibility, it was clear that Trend Micro had the optimal solution for securing their cloud deployment and fitting into the AWS environment.
RESULTS:
• Achieved COMPLIANCE with critical regulations & corporate standards
• COMPREHENSIVE capabilities from a leader in security
• AUTOMATED security for maximum operational efficiency
26. New Approaches Can Deliver Instant ON Cloud Security: provision securely within the dynamic cloud, manage security efficiently as you scale, security optimized for the cloud
27. Deploy Security Controls Where They are Needed
• Deploy software in the EC2 instance to ensure context-based security
• Address key compliance needs (for example the HITECH Act)
• Automatically deploy the right controls to address security needs
Controls: Integrity Monitoring, Host Firewall, Intrusion Prevention, Anti-malware, Log Inspection, Application Scanning, Data Protection
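Two of the controls named on this deck, whitelisting and integrity on the hardened-instance slide (10) and Integrity Monitoring here, rest on the same mechanism: record a baseline of cryptographic hashes and permissions for the files that matter on a gold image, re-hash on a schedule, and report drift. The following is an added example, not Trend Micro's or AWS's code: a minimal file integrity monitor in Python that builds such a baseline, then detects a weakened config file, a removed binary and a dropped-in binary inside a temporary directory it creates itself. The tree, the tamper scenario, the paths and the choice of SHA-256 plus mode bits are all constructed assumptions for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def baseline(root):
    """Map each regular file under root (relative POSIX path) to its hash and mode bits.
    Symlinks are skipped so a link pointing outside the tree cannot smuggle content in."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        snapshot[rel] = {"sha256": hash_file(path), "mode": path.stat().st_mode & 0o777}
    return snapshot


def compare(expected, observed):
    """Classify drift between a stored baseline and a fresh snapshot."""
    expected_paths, observed_paths = set(expected), set(observed)
    return {
        "added": sorted(observed_paths - expected_paths),
        "removed": sorted(expected_paths - observed_paths),
        "modified": sorted(p for p in expected_paths & observed_paths
                           if expected[p] != observed[p]),
    }


def demo():
    """Build a baseline for a constructed tree, tamper with it, and return the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "app").write_bytes(b"\x7fELF original build")
        stored = baseline(root)  # in production, keep the baseline off-host or signed

        # Constructed tampering: weaken a config, drop a new binary, remove the real one.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "dropper").write_bytes(b"\x7fELF not the app")
        (root / "bin" / "app").unlink()

        return compare(stored, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline is only as trustworthy as where it lives: an attacker with root on the instance can rewrite a baseline stored on that instance, so keep it in the management console or a signed store, and take it from the gold image before the instance is ever exposed.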
28. Manage Security Efficiently as You Scale
• Leverage a comprehensive dashboard across multiple security controls with integrated reporting and alerting
• Continuously monitor servers AND applications
• Virtually patch deployed instances for maximum protection
• Manage via web console OR via API
29. Virtual Patching – Protect Against Vulnerabilities
• Reduce risk of exposure to vulnerability exploits – especially as you scale
• Save money avoiding costly emergency patching
• Patch at your convenience
(Timeline: vulnerability disclosed or exploit available -> patch available -> test -> soak -> begin deployment -> complete deployment -> patched. Without virtual patching that whole interval is exposure; Trend Micro Virtual Patching covers the interval that would otherwise be exposure.)
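Virtual patching as described on this slide is an intrusion-prevention rule that sits in front of the vulnerable software and drops requests matching the exploit, so the window marked Exposure closes when the rule is deployed rather than when the patch is. The following is an added example, not Trend Micro's Deep Security rule format or code, showing the mechanics on HTTP request lines: normalization of the request target before matching (single- and double-percent-encoded traversal must hit the same rule), a shielding rule for a hypothetical unpatched endpoint, and retiring that rule once the host is actually patched. The request lines, the /cgi-bin/legacy.cgi path and the rule names are constructed for the example and do not refer to any real vulnerability.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern  # matched against the normalized request target
    note: str


# Constructed rule set. The second rule is a shield for a hypothetical endpoint
# that is known-vulnerable and not yet patched; it is retired once the host is patched.
RULES = [
    Rule("path-traversal", re.compile(r"(^|/)\.\.(/|$)"),
         "generic: block any request whose decoded path climbs out of its directory"),
    Rule("shield-legacy-cgi", re.compile(r"^/cgi-bin/legacy\.cgi(\?|$)"),
         "hypothetical: refuse all traffic to an unpatched endpoint until it is patched"),
]


def normalize(target, max_rounds=3):
    """Percent-decode until stable (bounded) and fold backslashes, so that
    '..%2f' and '..%252f' are both seen as '../' by the rules. Without this
    step an IPS rule is trivially bypassed by encoding the exploit differently."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def inspect(request_line, patched=frozenset()):
    """Return ('allow', None) or ('block', rule_name) for one HTTP request line.
    Rules whose name appears in `patched` are retired: the real fix is in place,
    so the virtual patch is no longer needed."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("block", "malformed-request-line")
    target = normalize(parts[1])
    for rule in RULES:
        if rule.name in patched:
            continue
        if rule.pattern.search(target):
            return ("block", rule.name)
    return ("allow", None)


# Constructed sample traffic, as it might appear in an access log or IPS capture.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /static/..%2f..%2fetc/passwd HTTP/1.1",
    "GET /static/..%252f..%252fetc/passwd HTTP/1.1",
    "POST /cgi-bin/legacy.cgi HTTP/1.1",
    "GET /cgi-bin/legacy.cgi?id=1 HTTP/1.1",
]


def run(patched=frozenset()):
    """Inspect every sample request and return the decisions in order."""
    return [inspect(line, patched) for line in SAMPLE_REQUESTS]


if __name__ == "__main__":
    print("before patching:", run())
    print("after patching: ", run(patched={"shield-legacy-cgi"}))
```

Two things the timeline on the slide hides are visible here: the rule is only as good as its normalization (a rule written against the literal string "../" would miss both encoded samples), and a shielding rule should have an explicit retirement step tied to the real patch, otherwise it lingers and becomes an undocumented outage for the endpoint it protects.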
30. Trend Micro's Virtual Patching rules were released more than a month before these hacks were reported!
90% of all organizations have strong pain points with patch management, zero-day & legacy systems
31. Needed a partner who could easily add security to fulfill on shared responsibility in the cloud
"As an AWS Premier Consulting Partner, our clients look to us for solutions that deliver the full benefits of the cloud without compromising security. Trend Micro and AWS allow us to achieve this, with a full set of security capabilities, and without the cost and complexity of other approaches" (Mauricio Fernandes, President)
RESULTS:
• Enabled AUTOMATED provisioning and security
• CENTRALIZED MANAGEMENT of all security policies and reporting
• COMPLETE set of security capabilities
32. Dynamic Security across Environments
• Virtualization: a security virtual appliance protects the VMs; agentless security; layered server security
• Private Cloud: a security virtual appliance protects the VMs; agentless security; layered server security; encryption for vCloud; compliance support (FIM, Encryption, etc.)
• AWS Cloud: agent-based security; layered server security; encryption for leading cloud providers; compliance support (FIM, Encryption, etc.)
Confidential | Copyright 2012 Trend Micro Inc.
33. Needed to enhance security of sensitive web servers and address shared responsibility on AWS
"We highly value the comprehensive security functions that Deep Security has. We couldn't find any other solution that guaranteed operation on AWS while also fulfilling our requirements."
RESULTS:
• INCREASED EFFICIENCY over previous traditional security controls
• Gave IT COMPREHENSIVE security controls in a single solution
• SEAMLESS integration with AWS for security
34. Cloud and Data Center Security
Controls applied across Data Center Ops (Own Data Center / Physical -> Virtual -> Cloud): Anti-Malware, Log Inspection, Encryption & SSL, Application Scanning, Host Firewall, Intrusion Prevention, Integrity Monitoring
35. Thousands of customers…millions of servers protected
• Large-scale web site secured with multiple controls
• Security for complete data center move to cloud
• Addressed data protection & compliance
• PCI compliance on AWS
• Data-center level security in the cloud
• Multiple controls securing new LOB
• Using multiple controls to protect cloud
• Highly secure managed cloud
36. Trend Micro Cloud Security for AWS
• Deep Security: software or as a service
• SecureCloud: as a service
• Security for Web Apps: as a service
37. 2 Models of Deep Security
Deep Security Software:
• Datacenter security requirements
• Hybrid cloud environments
• Prefer to run Deep Security Manager themselves
Deep Security as a Service:
• AWS only security requirement
• Prefer utility charging model
• Want the convenience of a SaaS
38. Deep Security: Push to Trial
deepsecurity.trendmicro.com/free-trial
https://aws.amazon.com/testdrive/trendmicro/
39. Deep Security for Web Apps: Push to Trial
webappsecurity.trendmicro.com/free-trial/
40. #1 Corporate Server Security Market Share: 31%
Source: IDC Worldwide Endpoint Security 2013-2017 Forecast and 2012 Vendor Shares, Figure 2, doc #242618, August 2013
41. Why Trend Micro for AWS?
• Amazon Advanced Technology Partner
• Deep Security is Common Criteria EAL 4+
• #1 in Server Security (2012 IDC – Worldwide Endpoint Security Revenue Share by Vendor, 2011)
• #1 in Virtualization Security (2011 Technavio – Global Virtualization Security Management Solutions)
• #1 in Cloud Security (2012 Technavio – Global Security World Market)
• 1st & only security that extends from enterprise datacenter to cloud
• Security optimized for AWS
43. AWS Publishes Lots of Information that Can Help You With Security
Browse and read AWS security whitepapers and good practices:
• http://blogs.aws.amazon.com/security
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, including CSA questionnaire response
• Security best practices, audit guides and operational checklists to help you assess security before you go live
Sign up for AWS support:
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment