Security & Compliance Overview
Todd Gleason, Partner Solutions Architect
December 15, 1015
Of the changes catalyzed by cloud,
security is the most exciting.
Over A Million Active Customers Running Every Imaginable Use Case
• 1500+ Government Agencies
• 3600+ Education Institutions
• 190 Countries
• 11,200+ Nonprofits
Rate of Customers Requesting Compliance Reports and Certifications
[Chart: Percentage of Customers Requesting Compliance Reports/Certs by Revenue Tier (Top 10, Top 25, Top 50, Top 100, Top 500, Top 5000); legend: No Compliance Report Requested, Compliance Report Requested; plotted values as extracted: 50%, 40%, 36%, 12%, 17%, 5% and 50%, 60%, 64%, 88%, 83%, 95%]
Customers
“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters.”
CTO, Space Agency
Industry Analysts
“… We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”
Security’s Cloud Revolution is Upon Us, Forrester Research, Inc., August 2, 2013
The security paradigm shifted
Legacy Datacenters:
• Big Perimeter
• End-to-End Ownership
• Build it all yourself
• Server-centric approach
• Self-managed Services
• Static Architecture
• De-centralized Administration
AWS:
• Micro-Perimeters
• Own just enough
• Focus on your core value
• Service-Centric
• Platform Services
• Continuously Evolving
• Central Control Plane (API)
Security & compliance requirements from every industry
Nothing better for the entire community than a tough set of customers…
Everyone’s Systems and Applications: Financial Requirements, Health Care Requirements, Government Requirements
Security Infrastructure Requirements
Security & compliance is a shared responsibility
Customers are responsible for their security IN the Cloud:
• Customer Applications & Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Availability Zones, Regions, Edge Locations
Let AWS take care of the heavy lifting for you
AWS:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
Customer:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Service configuration
• AuthN & acct management
• Authorization policies
Customers get to choose the right level of security for their business.
As an AWS customer you can focus on your business and not be distracted by the muck.
Security OF the Cloud
Rapid pace of security innovation & customer driven improvements
[Chart: security, compliance, governance, and audit related launches and updates per year, 2007 through 2014; values as extracted: 48, 61, 82, 159, 280, 516; 40%]
AWS Security Team: Operations, Application Security, Engineering, Compliance. Aligned for agility.
Physical Security of Data Centers
Amazon has been building large-scale data centers for many years.
Important attributes:
‒ Nondescript facilities
‒ Robust perimeter controls
‒ Strictly controlled physical access
‒ 2 or more levels of two-factor auth
Controlled, need-based access: all access is logged and reviewed.
Separation of Duties:
‒ Employees with physical access don’t have logical privileges
Network Security
Distributed Denial of Service (DDoS):
• Standard mitigation techniques in effect for AWS API endpoints
Man in the Middle (MITM):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot
IP Spoofing:
• Prohibited at host OS level
Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Inbound ports blocked by default
Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level
AWS reduces common attack vectors at the infrastructure level.
Security IN the Cloud
Your Role in Securing AWS is Well-Defined
Customer: Security in the Cloud
• Customer Data
• Applications, Identity & Access Mgmt
• OS, Network, Firewall
• Client-side Encryption, Server-side Encryption, Network Traffic Protection
AWS: Security of the Cloud
• Compute, Storage, Networking
• AWS Global Infrastructure (Regions, AZs, Edge Locations)
… but the security technology has lagged
Customer layers: Customer Data; Applications, Identity & Access Mgmt; OS, Network, Firewall; Client-side Encryption, Server-side Encryption, Network Traffic Protection
Traditional security technology:
• Network Appliances
• Host-based Agents
• IP-based scanners
• Log Analytics
• DLP & Encryption
• Manual Audits
These technologies don’t embrace cloud values…
Host-centric Security Strategies fail in AWS
Protecting the host while ignoring the services is a bad decision. Your most critical data often lives in S3, Glacier, RDS, Redshift, and other key services.
Security by Design – SbD
• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing
Services: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config, Amazon Inspector
Provides control insights throughout the IT management process
Amazon Virtual Private Cloud (VPC)
Create a logically isolated environment in Amazon’s highly scalable infrastructure
• Specify your private IP address range into one or more public or private subnets
• Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups
• Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists
• Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted IPSEC VPN connection
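As an added illustration of the stateful/stateless distinction above (example code written for this page, not AWS's own), a small Python model of a security group and a network ACL evaluating the same HTTPS request and its reply; the addresses, ports and rule numbers are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the two VPC filtering layers on the slide: security groups
# are stateful allow-lists on the instance, network ACLs are stateless numbered
# allow/deny rules on the subnet. Addresses and ports below are made up.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" = towards the instance, "out" = leaving it

@dataclass(frozen=True)
class Rule:
    cidr: str
    from_port: int
    to_port: int
    action: str = "allow"  # network ACL rules may also "deny"; security groups only allow

    def matches(self, peer: str, port: int) -> bool:
        return ip_address(peer) in ip_network(self.cidr) and self.from_port <= port <= self.to_port

def _peer_and_port(p: Packet):
    # Ingress rules are keyed on source address and destination port; egress on destination address and port.
    return (p.src, p.dport) if p.direction == "in" else (p.dst, p.dport)

class SecurityGroup:
    """Stateful: once a flow is allowed, its reply packets pass without needing a matching rule."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()  # connection tracking: (peer_addr, peer_port, instance_port)

    def permits(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dport) if p.direction == "in" else (p.dst, p.dport, p.sport)
        if key in self._flows:
            return True
        rules = self.inbound if p.direction == "in" else self.outbound
        if any(r.matches(*_peer_and_port(p)) for r in rules):
            self._flows.add(key)
            return True
        return False

class NetworkAcl:
    """Stateless: every packet, reply or not, is matched against the numbered rules in order."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda t: t[0])    # list of (rule_number, Rule)
        self.outbound = sorted(outbound, key=lambda t: t[0])

    def permits(self, p: Packet) -> bool:
        rules = self.inbound if p.direction == "in" else self.outbound
        for _, rule in rules:
            if rule.matches(*_peer_and_port(p)):
                return rule.action == "allow"   # first match wins
        return False                             # the implicit final '*' deny

ANY = "0.0.0.0/0"
SERVER, CLIENT = "10.0.1.10", "203.0.113.7"

def run_exchange(nacl: NetworkAcl):
    """HTTPS request from CLIENT to SERVER and the reply back; returns (request_passed, reply_passed).
    The security group allows only inbound 443 and has no outbound rule at all."""
    sg = SecurityGroup(inbound=[Rule(ANY, 443, 443)], outbound=[])
    request = Packet(CLIENT, SERVER, sport=51234, dport=443, direction="in")
    reply = Packet(SERVER, CLIENT, sport=443, dport=51234, direction="out")
    passes = lambda p: sg.permits(p) and nacl.permits(p)
    return passes(request), passes(reply)

# Mirrors the security group: 443 in, 443 out. Correct for a stateful filter, wrong for a stateless
# one, because the reply leaves from port 443 towards the client's ephemeral port.
NACL_NAIVE = NetworkAcl(inbound=[(100, Rule(ANY, 443, 443))], outbound=[(100, Rule(ANY, 443, 443))])
# Stateless filters need an explicit egress rule for the ephemeral port range.
NACL_FIXED = NetworkAcl(inbound=[(100, Rule(ANY, 443, 443))], outbound=[(100, Rule(ANY, 1024, 65535))])

def blocklisted_client_reaches_server(deny_rule_number: int) -> bool:
    """Rule numbering matters: a deny rule only takes effect if it is evaluated before the broad allow."""
    nacl = NetworkAcl(inbound=[(100, Rule(ANY, 443, 443)),
                               (deny_rule_number, Rule("203.0.113.0/24", 443, 443, "deny"))],
                      outbound=[(100, Rule(ANY, 1024, 65535))])
    return run_exchange(nacl)[0]

if __name__ == "__main__":
    print("naive NACL:", run_exchange(NACL_NAIVE))                 # (True, False): reply dropped
    print("fixed NACL:", run_exchange(NACL_FIXED))                 # (True, True)
    print("deny at 50:", blocklisted_client_reaches_server(50))    # False
    print("deny at 150:", blocklisted_client_reaches_server(150))  # True
```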
Inventory of Assets
AWS CloudTrail
AWS Key Management Service (KMS)
• Centralized control of YOUR encryption keys
• Designed for Scalability and Throughput
• Is a multi-tenant service
• Integrated with other AWS services including Amazon EBS, Amazon S3, and Amazon Redshift
• Integrated with CloudTrail – logs key usage
• Easily implement and audit key creation, rotation, usage policies
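An added example, not from the deck, of what “Integrated with CloudTrail – logs key usage” lets a defender do: audit constructed CloudTrail KMS records for use by unexpected principals, repeated access denials and key-administration calls. The account id, key ARN and principal ARNs are placeholders.

```python
import json
from collections import Counter

# Constructed CloudTrail records (not real logs) in the field layout CloudTrail uses for
# KMS API calls: eventSource, eventName, userIdentity.arn, requestParameters, resources, errorCode.
# Account, key and principal identifiers are placeholders.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
APP_SESSION = "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"
APP_ROLE = "arn:aws:sts::111122223333:assumed-role/app-role"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"
ADMIN = "arn:aws:iam::111122223333:user/admin"

def _record(minute, event_name, actor_arn, error=None):
    r = {"eventTime": f"2015-12-15T10:{minute:02d}:00Z", "eventSource": "kms.amazonaws.com",
         "eventName": event_name,
         "userIdentity": {"type": "IAMUser" if ":user/" in actor_arn else "AssumedRole", "arn": actor_arn},
         "requestParameters": {"keyId": KEY},
         "resources": [{"ARN": KEY, "accountId": "111122223333", "type": "AWS::KMS::Key"}]}
    if error:
        r["errorCode"] = error
    return r

SAMPLE_TRAIL = json.dumps({"Records": [
    _record(0, "GenerateDataKey", APP_SESSION),
    _record(1, "Decrypt", APP_SESSION),
    _record(2, "Decrypt", CONTRACTOR),
    _record(3, "Decrypt", CONTRACTOR, "AccessDenied"),
    _record(4, "Decrypt", CONTRACTOR, "AccessDenied"),
    _record(5, "Decrypt", CONTRACTOR, "AccessDenied"),
    _record(6, "ScheduleKeyDeletion", ADMIN),
]})

# Which principals are expected to use each key: the application role and nothing else.
EXPECTED_PRINCIPALS = {KEY: {APP_ROLE}}
# Operations that change a key's availability or policy rather than use it.
KEY_ADMIN_OPS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "DisableKeyRotation", "DeleteAlias"}
DENIAL_THRESHOLD = 3

def principal(record):
    """Normalise the caller ARN: an assumed-role session ARN is reduced to its role so the
    session name (instance id, user name) does not defeat the allow-list."""
    arn = record.get("userIdentity", {}).get("arn", "")
    parts = arn.split("/")
    if ":assumed-role/" in arn and len(parts) >= 3:
        return "/".join(parts[:2])
    return arn

def key_arn(record):
    for res in record.get("resources") or []:
        if res.get("type") == "AWS::KMS::Key":
            return res.get("ARN")
    return record.get("requestParameters", {}).get("keyId")

def audit_kms_usage(trail_json, expected=EXPECTED_PRINCIPALS):
    """Return findings as (kind, detail, principal, key) tuples, in record order."""
    findings, denials = [], Counter()
    for r in json.loads(trail_json)["Records"]:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue
        who, key, op = principal(r), key_arn(r), r.get("eventName")
        if r.get("errorCode") == "AccessDenied":
            denials[(who, key)] += 1          # one denial is noise; a run of them is worth a look
            continue
        if op in KEY_ADMIN_OPS:
            findings.append(("key-admin-operation", op, who, key))
        elif key in expected and who not in expected[key]:
            findings.append(("unexpected-principal", op, who, key))
    for (who, key), n in denials.items():
        if n >= DENIAL_THRESHOLD:
            findings.append(("repeated-access-denied", f"{n} denials", who, key))
    return findings

if __name__ == "__main__":
    for finding in audit_kms_usage(SAMPLE_TRAIL):
        print(*finding)
```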
CloudHSM
Hardware Security Modules: real hardware in the cloud.
• Secure, Reliable & Durable Key Storage: available in multiple AZs and Regions, or replicate to on-premise HSMs
• Tamper-resistant and Tamper-evident
• Customer-controlled hardware security module within your VPC
• Only the customer has access to the keys; Amazon administrators who manage and maintain the appliance do not.
• Common Criteria EAL4+, NIST FIPS 140-2 Level 2.
Governance
Key governance questions
• What do I have?
• How is it performing?
• Who is controlling it?
• What is it costing me?
• Is it secure and compliant?
• Are changes occurring with the right processes and protections?
The AWS cloud allows for advanced governance
Manual auditing in a simple world vs. Governance in a complex world:
• Thick procedure manuals vs. Software-enforced processes
• Periodic surveys vs. Alarming/triggering
• Few truly automated controls vs. Ubiquitous, software-driven, predictable controls
• Sample testing, hoping vs. Full population monitoring, test of 1
AWS and governance
AWS capabilities and services provide key building blocks for systems that answer these questions
Better answers than ever before in traditional infrastructure
Integration challenges remain, but don’t be constrained by on-prem systems when leveraging the cloud
AWS Config
AWS Config Relationships
Resources are related to each other:
• Permissions applied to a server or instance
• Amazon EBS volume attached to an Amazon EC2 instance
• Network interfaces
• An instance is contained in a subnet or VPC
AWS Config Rules
• Flexible rules evaluated continuously and retroactively
• Dashboard and reports for common goals
• Customizable remediation
• API automation
AWS Config Rules benefits
• Continuous monitoring for unexpected changes
• Shared compliance across your organization
• Simplified management of configuration changes
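An added example (not AWS code) of the evaluation logic inside a custom Config rule of the kind the slides describe: it checks that EBS volumes are encrypted, optionally with a required key, and handles the deleted-resource case. The event layout and the volume configuration field names are assumed from the Config custom-rule interface; ids and ARNs are placeholders.

```python
import json

# Constructed example of the evaluation logic inside a custom AWS Config rule. The event layout
# (invokingEvent as a JSON string carrying configurationItem, ruleParameters, resultToken) and the
# volume configuration fields (encrypted, kmsKeyId) are assumed from the Config custom-rule interface.
COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

def evaluate_volume(item: dict, params: dict):
    """Return (compliance_type, annotation) for one configuration item."""
    # Config still delivers items for deleted resources; they must not be reported as failures.
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return NOT_APPLICABLE, "resource no longer exists"
    if item.get("resourceType") != "AWS::EC2::Volume":
        return NOT_APPLICABLE, "rule only evaluates EBS volumes"
    cfg = item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return NON_COMPLIANT, "volume is not encrypted"
    required_key = params.get("requiredKmsKeyArn")
    if required_key and cfg.get("kmsKeyId") != required_key:
        return NON_COMPLIANT, "volume is encrypted with a key other than the required one"
    return COMPLIANT, "volume is encrypted"

def handle_config_event(event: dict) -> dict:
    """Unpack what Config sends to the rule and build the single evaluation to report back."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_volume(item, params)
    # In a deployed rule this dict is passed to
    # config.put_evaluations(Evaluations=[...], ResultToken=event["resultToken"]).
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

REQUIRED_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"   # placeholder key ARN

def _event(volume_id, status="OK", encrypted=False, kms_key=None, params=None):
    """Build a constructed Config invocation for one EBS volume."""
    item = {"resourceType": "AWS::EC2::Volume", "resourceId": volume_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2015-12-15T10:00:00.000Z",
            "configuration": {"volumeId": volume_id, "encrypted": encrypted, "kmsKeyId": kms_key}}
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps(params or {}),
            "resultToken": "constructed-token"}

SAMPLE_EVENTS = {
    "plaintext": _event("vol-0000plain"),
    "encrypted": _event("vol-0000enc", encrypted=True, kms_key=REQUIRED_KEY),
    "wrong-key": _event("vol-0000other", encrypted=True,
                        kms_key="arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID",
                        params={"requiredKmsKeyArn": REQUIRED_KEY}),
    "deleted": _event("vol-0000gone", status="ResourceDeleted"),
}

def run_samples():
    """Compliance type per sample event, as the rule would report it to Config."""
    return {name: handle_config_event(ev)["ComplianceType"] for name, ev in SAMPLE_EVENTS.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```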
Amazon Inspector
What?
Security assessment tool for analyzing end-to-end application configuration and activity
Why?
Securing infrastructure is often expensive and hard to do effectively.
• Inspector is automated, repeatable, and designed to reduce cost.
• Uses AWS security knowledge to strengthen customer servers, services, and infrastructure.
• Delivers actionable findings that are carefully explained and help with their resolution.
Features
• Configuration Scanning and Activity Monitoring Engine
• Selectable built-in rules
• Security findings – guidance and management
• Automatable via APIs
Rule packages
• CVE (common vulnerabilities and exposures)
• Network security best practices
• Authentication best practices
• Operating system security best practices
• Application security best practices
• PCI DSS 3.0 readiness
Amazon Inspector benefits
• Increased agility
• Embedded expertise
• Improved security posture
• Streamlined compliance
Compliance
Expert Audits: Transparency & Accuracy
Risk & Compliance Whitepaper, “Shared Responsibility Model”
Whitepaper areas: Compliance, Governance, Risk Management, Control Environment, Information Security
Certifications and programs across AWS Global Regions: FedRAMP(SM), FIPS 140-2, SOC 1 / SSAE 16 / ISAE 3402, SOC 2, SOC 3, FISMA & DIACAP, CSA Consensus Assessment Questionnaire, PCI DSS Level 1, MPAA, ITAR, ISO 27001, HIPAA
http://media.amazonwebservices.com/AWS Risk_and_Compliance_Whitepaper.pdf
PCI Overview
AWS is a Level 1 service provider (the highest level), compliant with the newly released PCI DSS version 3.1 published in April 2015.
https://aws.amazon.com/compliance/pci-dss-level-1-faqs/
PCI Package Use Case
• Customer wants to process, store or transmit credit card information using AWS
• Customer wants to learn more about AWS PCI Compliance
• Customer is being audited by their QSA (Qualified Security Assessor)
• Customer is preparing for an audit and/or monitoring their environment for PCI compliance
PCI Package: What we Provide
AWS provides customers and customer’s auditors with:
• Attestation of Compliance (AoC)
• PCI Responsibility Summary
AWS PCI Responsibility Summary provides:
• Description of the in-scope services
• Customer implementation considerations
• Overview of shared responsibility
Additional resources for Customers
aws.amazon.com/compliance
AWS Certifications and FAQs: SOC 1 FAQs, ISO 27001 FAQs, PCI DSS Level 1 FAQs, FedRAMP FAQs, ISO 9001 FAQs, DoD CSM FAQs
Conclusions
• Security is critical
• We’re creating tools to make it easier
• We’re creating ways to help you build a world-class team
• You can move fast and stay safe
Thank You!

Blue Chip Tek Connect and Protect Presentation #3

  • 1. Security & Compliance Overview Todd Gleason, Partner Solutions Architect December 15, 1015
  • 2. Of the changes catalyzed by cloud, security is the most exciting.
  • 3. Over A Million Active Customers Running Every Imaginable Use Case 1500+ Government Agencies 3600+ Education Institutions 190 Countries 11,200+ Nonprofits
  • 4. Rate of Customers Requesting Compliance Reports and Certifications 50% 40% 36% 12% 17% 5% 50% 60% 64% 88% 83% 95% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Top 10 Top 25 Top 50 Top 100 Top 500 Top 5000 PercentageofCustomers RequestingComplianceReports/Certs Revenue Tier No Compliance Report Requested Compliance Report Requested
  • 5. Customers Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters. CTO Space Agency
  • 6. Industry Analysts … We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves. Security’s Cloud Revolution is Upon Us Forrester Research, Inc., August 2, 2013
  • 7. Legacy Datacenters • Big Perimeter • End-to-End Ownership • Build it all yourself • Server-centric approach • Self-managed Services • Static Architecture • De-centralized Administration The security paradigm shifted AWS • Micro-Perimeters • Own just enough • Focus on your core value • Service-Centric • Platform Services • Continuously Evolving • Central Control Plane (API)
  • 8. Security & compliance requirements from every industry Nothing better for the entire community than a tough set of customers… Everyone’s Systems and Applications Financial Health Care Government Requirements Requirements Security Infrastructure Requirements
  • 9. Security & compliance is a shared responsibility Customer Applications & Content Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration AWS Foundation Services AWS Global Infrastructure Customers Client-side Data Encryption Server-side Data Encryption Network Traffic Protection Compute Storage Database Networking Availability Zones Regions Edge Locations Customers are responsible for their security IN the Cloud AWS is responsible for the security OF the Cloud
  • 10. Let AWS take care of the heavy lifting for you Facilities Physical security Compute infrastructure Storage infrastructure Network infrastructure Virtualization layer (EC2) Hardened service endpoints Rich IAM capabilities Network configuration Security groups OS firewalls Operating systems Application security Service configuration AuthN & acct management Authorization policies + = Customer Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.
  • 12. Rapid pace of security innovation & customer driven improvements Security, compliance, governance, and audit related launches and updates 2007 2008 2009 2010 2011 2012 2013 2014 48 61 82 159 280 516 40%
  • 13. AWS Security Team Operations Application Security Engineering Compliance Aligned for agility
  • 14. Physical Security of Data Centers Amazon has been building large-scale data centers for many years Important attributes: ‒ Non-descript facilities ‒ Robust perimeter controls ‒ Strictly controlled physical access ‒ 2 or more levels of two-factor auth Controlled, need-based access All access is logged and reviewed Separation of Duties ‒ Employees with physical access don’t have logical privileges
  • 15. Network Security Distributed Denial of Service (DDoS): • Standard mitigation techniques in effect for AWS API endpoints Man in the Middle (MITM): • All endpoints protected by SSL • Fresh EC2 host keys generated at boot IP Spoofing: • Prohibited at host OS level Unauthorized Port Scanning: • Violation of AWS TOS • Detected, stopped, and blocked • Inbound ports blocked by default Packet Sniffing: • Promiscuous mode is ineffective • Protection at hypervisor level AWS reduces common attack vectors at the infrastructure level.
  • 17. Your Role in Securing AWS is Well-Defined. Customer (security in the cloud): customer data; applications; identity & access management; OS, network, firewall; client-side encryption; server-side encryption; network traffic protection. AWS (security of the cloud): compute, storage, networking; AWS global infrastructure (regions, AZs, edge locations).
  • 18. … but the security technology has lagged. The customer's layers (customer data; applications; identity & access management; OS, network, firewall; client-side encryption; server-side encryption; network traffic protection) are still covered by network appliances, host-based agents, IP-based scanners, log analytics, DLP & encryption, and manual audits. These technologies don't embrace cloud values…
  • 19. Host-centric security strategies fail in AWS. Protecting the host while ignoring the services is a bad decision: your most critical data often lives in S3, Glacier, RDS, Redshift, and other key services.
  • 20. Security by Design (SbD): a systematic approach to ensure security; formalizes AWS account design; automates security controls; streamlines auditing. Building blocks: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config, Amazon Inspector. Provides control insights throughout the IT management process.
  • 21. Amazon Virtual Private Cloud (VPC): create a logically isolated environment in Amazon's highly scalable infrastructure. Specify your own private IP address range and divide it into one or more public or private subnets. Protect your instances with stateful filters for inbound and outbound traffic using security groups. Control inbound and outbound access to and from individual subnets using stateless network access control lists (NACLs); because NACLs are stateless, return traffic (including ephemeral ports) must be allowed explicitly. Bridge your VPC and your on-site IT infrastructure with an industry-standard encrypted IPsec VPN connection.
  • 24. AWS Key Management Service (KMS) • Centralized control of YOUR encryption keys • Designed for Scalability and Throughput • Is a multi-tenant service • Integrated with other AWS services including Amazon EBS, Amazon S3, and Amazon Redshift • Integrated with CloudTrail – logs key usage • Easily implement and audit key creation, rotation, usage policies
  • 25. CloudHSM: hardware security modules, real hardware in the cloud. Secure, reliable & durable key storage: available in multiple AZs and Regions, or replicate to on-premises HSMs. Tamper-resistant and tamper-evident. Customer-controlled hardware security module within your VPC. Only the customer has access to the keys; the Amazon administrators who manage and maintain the appliance do not. Common Criteria EAL4+, NIST FIPS 140-2 Level 2.
  • 27. Key governance questions: What do I have? How is it performing? Who is controlling it? What is it costing me? Is it secure and compliant? Are changes occurring with the right processes and protections?
  • 28. The AWS cloud allows for advanced governance. Manual auditing in a simple world vs. governance in a complex world: thick procedure manuals vs. software-enforced processes; periodic surveys vs. alarming/triggering; few truly automated controls vs. ubiquitous, software-driven, predictable controls; sample testing and hoping vs. full-population monitoring, test of 1.
  • 29. AWS and governance AWS capabilities and services provide key building blocks for systems that answer these questions Better answers than ever before in traditional infrastructure Integration challenges remain, but don’t be constrained by on-prem systems when leveraging the cloud
  • 31. AWS Config Relationships Resources are related to each other • Permissions applied to a server or instance • Amazon EBS volume attached to an Amazon EC2 instance • Network interfaces • An instance is contained in subnet or VPC
  • 32. AWS Config Rules • Flexible rules evaluated continuously and retroactively • Dashboard and reports for common goals • Customizable remediation • API automation
  • 33. AWS Config Rules benefits Continuous monitoring for unexpected changes Shared compliance across your organization Simplified management of configuration changes
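Added example, not code from the deck or from AWS: a custom AWS Config rule in Python of the kind slides 32 and 33 describe. It evaluates a security group configuration item and reports it NON_COMPLIANT when a blocked port (22 and 3389 by default, overridable through a rule parameter named `blockedPorts`, a name chosen for this example) is reachable from 0.0.0.0/0 or ::/0. The configuration items are constructed; the event fields (`invokingEvent`, `ruleParameters`, `resultToken`) and the evaluation fields are the ones Config uses for custom rules.

```python
import json

# Constructed sample of the configurationItem Config hands a custom rule for a
# security group, trimmed to the fields this rule inspects.
OPEN_SSH_GROUP = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2015-12-15T10:00:00.000Z",
    "configuration": {
        "groupName": "web",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        ],
    },
}
# The same group after SSH has been restricted to an internal range (constructed).
RESTRICTED_SSH_GROUP = {
    **OPEN_SSH_GROUP,
    "configuration": {
        "groupName": "web",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]},
        ],
    },
}
WORLD = ("0.0.0.0/0", "::/0")


def _cidrs(perm):
    """Config has emitted both the flat 'ipRanges' list and 'ipv4Ranges'/'ipv6Ranges' objects."""
    found = [r for r in perm.get("ipRanges", []) if isinstance(r, str)]
    found += [r["cidrIp"] for r in perm.get("ipv4Ranges", []) if r.get("cidrIp")]
    found += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", []) if r.get("cidrIpv6")]
    return found


def _covers_port(perm, port):
    proto = perm.get("ipProtocol")
    if proto == "-1":                      # "all traffic" rule
        return True
    if proto not in ("tcp", "udp"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:           # defensive: a missing range is treated as all ports
        return True
    return lo <= port <= hi


def evaluate_security_group(item, blocked_ports):
    """Return (complianceType, annotation) for one security group item."""
    findings = set()
    for perm in (item.get("configuration") or {}).get("ipPermissions", []):
        exposed_to = [c for c in _cidrs(perm) if c in WORLD]
        if not exposed_to:
            continue
        for port in blocked_ports:
            if _covers_port(perm, port):
                findings.add(f"port {port} open to {','.join(exposed_to)}")
    if findings:
        return "NON_COMPLIANT", "; ".join(sorted(findings))
    return "COMPLIANT", "no blocked port is reachable from 0.0.0.0/0 or ::/0"


def evaluate(event):
    """Turn one Config rule invocation into one PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem") or {}
    params = json.loads(event.get("ruleParameters") or "{}")
    blocked = [int(p) for p in params.get("blockedPorts", "22,3389").split(",") if p.strip()]
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "rule only evaluates security groups"
    elif item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    else:
        compliance, note = evaluate_security_group(item, blocked)
    return {
        "ComplianceResourceType": item.get("resourceType", "AWS::EC2::SecurityGroup"),
        "ComplianceResourceId": item.get("resourceId", "unknown"),
        "ComplianceType": compliance,
        "Annotation": note[:256],          # Config caps annotations at 256 characters
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }


def make_event(item, blocked_ports="22,3389"):
    """Build the event shape Config delivers to a custom rule's Lambda function."""
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": item}),
        "ruleParameters": json.dumps({"blockedPorts": blocked_ports}),
        "resultToken": "constructed-result-token",
    }


def lambda_handler(event, context):
    evaluation = evaluate(event)
    import boto3  # imported lazily so evaluate() stays testable without the SDK installed
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation
```

The evaluation logic is kept separate from the `put_evaluations` call so it can be unit-tested offline against recorded configuration items; the rule is triggered on configuration change, so a group that is opened up is flagged minutes after the change rather than at the next quarterly sample.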
  • 35. Amazon Inspector: what? A security assessment tool for analyzing end-to-end application configuration and activity.
  • 36. Why? Securing infrastructure is often expensive and hard to do effectively. Inspector is automated, repeatable, and designed to reduce cost. It applies AWS security knowledge to strengthen customer servers, services, and infrastructure, and delivers actionable findings that are carefully explained and help you resolve them.
  • 37. Features: configuration scanning and activity monitoring engine; selectable built-in rules; security findings with guidance and management; automatable via APIs.
  • 38. Rule packages • CVE (common vulnerabilities and exposures) • Network security best practices • Authentication best practices • Operating system security best practices • Application security best practices • PCI DSS 3.0 readiness
  • 39. Amazon Inspector benefits Increased agility Embedded expertise Improved security posture Streamlined compliance
  • 42. Risk & Compliance Whitepaper: the shared responsibility model, control environment, information security, risk management, compliance, governance, and AWS global regions. Programs covered: FedRAMP(SM), FIPS 140-2, SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC 3, FISMA & DIACAP, CSA Consensus Assessment Questionnaire, PCI DSS Level 1, MPAA, ITAR, ISO 27001, HIPAA. http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
  • 43. PCI Overview: AWS is a Level 1 service provider (the highest level) and is compliant with the newly released PCI DSS version 3.1, published in April 2015. https://aws.amazon.com/compliance/pci-dss-level-1-faqs/
  • 44. PCI Package. Use cases: the customer wants to process, store or transmit credit card information using AWS; the customer wants to learn more about AWS PCI compliance; the customer is being audited by their QSA (Qualified Security Assessor); the customer is preparing for an audit and/or monitoring their environment for PCI compliance. What we provide: AWS provides customers and their auditors with an Attestation of Compliance (AoC) and a PCI Responsibility Summary. The AWS PCI Responsibility Summary provides a description of the in-scope services, customer implementation considerations, and an overview of shared responsibility.
  • 45. Additional resources for customers: aws.amazon.com/compliance (AWS certifications and FAQs: SOC 1 FAQs, ISO 27001 FAQs, PCI DSS Level 1 FAQs, FedRAMP FAQs, ISO 9001 FAQs, DoD CSM FAQs).
  • 46. Conclusions: security is critical; we're creating tools to make it easier; we're creating ways to help you build a world-class team; you can move fast and stay safe.

Editor's Notes

  1. Security is a path, not a destination. We understand that security and governance are often the top issues identified when we talk to our customers. Based on our experience of working with millions of customers running every imaginable use case, including those with requirements for stringent security and compliance controls, we strongly recommend that customers invest in a security review early in the process. Get your security folks to talk to our security folks and understand security and compliance. Security is not on or off; it's a spectrum of options from which you choose what is right for your application.
  2. Now that we've seen how compliance reports can equate to significantly increased revenue growth rates, the next question is: what is the opportunity for growth in this area? The answer: a lot! In fact, a significant percentage of AWS customers have yet to request a compliance report or certification. If you extrapolate the growth trend noted in the Top 10 customer tier, just imagine how much revenue growth potential there is if more of your customers better understand AWS compliance and therefore feel comfortable moving additional workloads onto AWS. So let's get started.
  3. We have to remove the name of NASA/JPL but can speak to it in the class. People wanted cloud just to meet the bar – be as good as what they were accustomed to in their own datacenter. AWS is not comfortable just meeting the bar, but focuses on raising it.
  4. And the analysts agree. Forrester Research identified in their Security’s Cloud Revolution is Upon Us report that we will see organizations adopting the cloud as a route to simplified and improved security and compliance controls.
  5. DC → Cloud: few, big perimeters → many tiny perimeters; own it all → own just enough; build everything yourself → build your core competency; servers → no servers (Lambda); self-operated services → platform services; static → continuously evolving. Security is NOT the same as in the legacy DC.
  6. When big institutions submit stringent security requirements to us, and review the audit findings of our compliance auditors, we frequently build their requirements and incorporate their feedback into the platform. EVERYBODY benefits from them. We don’t build “one off” solutions for anyone, so everybody benefits from the improvements made for any customer. In many cases, this results in a better security profile than what each individual firm could accomplish on their own. In the past year we have released more than 165 security-related features or service enhancements (nearly 40% of overall feature releases) .
  7. There are never enough great security professionals in your organization, but the cloud can help. The shared responsibility model hugely reduces the total "security surface area" that customer security experts need to take care of themselves: they rely on us for all the low-level infrastructure security. With that narrower focus, customer security teams can devote more of their attention to OS- and application-level security. Their experts can focus and achieve better results in the areas more closely related to the differentiated value of their business or mission, as opposed to the generic "undifferentiated heavy lifting" that applies to low-level security and compliance work as well as infrastructure management itself. Talking points: AWS is relentless in ensuring that security is a top priority and works hard to provide a secure environment for customers to operate in. At the same time there is a level of security that the customer must take responsibility for when operating in a cloud environment. This leads to the shared responsibility model for security: AWS looks after the security OF the cloud, and you look after your security IN the cloud. AWS side of the responsibility: leverage our culture of having a secure environment and constant improvement; perform regular audits; ensure that access and endpoints are protected; leverage security recommendations from customers and make them available to all customers. Customer side: use AWS resources to configure security; customers have the ability to implement their own controls; leverage our partner network to find security solutions that meet their operating needs.
  8. When you take the security piece that Amazon owns and offers to every customer, and add it to the security that customers can implement you get a complete and compliant solution that meets the needs of the customers. This approach allows customers to focus on the level of security that is appropriate for their business. It also allows customers to focus more on how their applications function, how they are secured, and continuing to extend the areas that differentiate them as a business because they are relieved of a significant part of the overall security process.
  9. How does AWS illustrate the Security controls that we operate on behalf of our customers? //Additional information regarding technology-specific security features can be found in Appendix A at the end of this slide deck.
  10. It's no secret that AWS innovates! Nearly 40% of overall releases are security capabilities: features that help customers help themselves to secure and evaluate themselves. Some security-centric services and features:
  ‒ AWS CloudTrail: a web service that records AWS API calls for your account and delivers log files to you. Provides insight into how cloud resources are being used and by whom.
  ‒ AWS Config: provides a detailed inventory of your AWS resources and their current configuration, and continuously records configuration changes.
  ‒ AWS Key Management Service (KMS): a managed service that makes it easy to create and control the encryption keys used to encrypt your data.
  ‒ Amazon S3 server-side encryption with customer-provided keys (SSE-C), and with Amazon S3-managed encryption keys (SSE-S3). Server-side encryption is about protecting data at rest; SSE-S3 employs strong multi-factor encryption, and Amazon S3 encrypts each object with a unique key.
  ‒ SSO to the AWS Management Console and Support Center.
  ‒ Sharing AWS CloudTrail log files between accounts.
  ‒ Amazon WorkSpaces support for multi-factor authentication (MFA).
  ‒ Others such as granular domain permissions in Amazon CloudSearch, tracking console sign-in events in AWS CloudTrail, and enhanced password management and credential reports in AWS IAM.
  ‒ AWS CloudHSM: helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud.
  11. Physical Security Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the AWS platform and infrastructure. AWS datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.   AWS only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by AWS employees is logged and audited routinely.
  12. DDoS: AWS API endpoints are hosted on large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world's largest online retailer. Proprietary DDoS mitigation techniques are used. Additionally, AWS's networks are multi-homed across a number of providers to achieve Internet access diversity. Man in the Middle (MITM) attacks: all of the AWS APIs are available via SSL-protected endpoints which provide server authentication. Amazon EC2 AMIs automatically generate new SSH host keys on first boot and print their fingerprints to the instance's console output. You can then use the secure API (GetConsoleOutput) to retrieve that output and check the fingerprint against the key the instance presents before logging in for the first time. We encourage you to use SSL for all of your interactions with AWS. IP spoofing: Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.
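Added example, not from the deck: a Python check that does what the MITM note above describes, assuming the console-output format EC2 prints at first boot ("ec2: <bits> <fingerprint> <comment> (<TYPE>)") and an ssh-keyscan line ("host key-type base64-blob") as input. It computes both fingerprint forms OpenSSH has printed over the years (SHA256 base64 and MD5 colon-hex) from the public key blob, cross-checks the blob's algorithm against the declared key type, and refuses to match a tampered key. The key blob and console text are constructed for the example; in practice the console text comes from `aws ec2 get-console-output --instance-id <id>` and the keyscan line from `ssh-keyscan -t ed25519 <host>`.

```python
import base64
import hashlib
import re
import struct

# OpenSSH key-type names mapped to the label EC2 prints in parentheses.
KEYTYPE_LABEL = {
    "ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519",
    "ecdsa-sha2-nistp256": "ECDSA", "ecdsa-sha2-nistp384": "ECDSA", "ecdsa-sha2-nistp521": "ECDSA",
}
# "ec2: <bits> <fingerprint> <comment or key path> (<TYPE>)"
_CONSOLE_LINE = re.compile(r"^ec2:\s+(\d+)\s+(\S+)\s+.*\((\w+)\)\s*$")


def fingerprints_of_blob(blob):
    """Both forms OpenSSH has printed: SHA256 base64 (current) and MD5 colon-hex (older)."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return {"SHA256": "SHA256:" + sha, "MD5": md5}


def key_type_of_blob(blob):
    """The first length-prefixed string in an SSH public key blob names its algorithm."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def console_fingerprints(console_text):
    """Map TYPE label -> set of normalized fingerprints found in GetConsoleOutput text."""
    found = {}
    for line in console_text.splitlines():
        m = _CONSOLE_LINE.match(line.strip())
        if not m:
            continue
        fp = m.group(2)
        if fp.startswith("MD5:"):
            fp = fp[4:]
        if not fp.startswith("SHA256:"):
            fp = fp.lower()                 # MD5 colon-hex compares case-insensitively
        found.setdefault(m.group(3).upper(), set()).add(fp)
    return found


def verify_host_key(console_text, keyscan_line):
    """Compare an ssh-keyscan line against the fingerprints the instance logged at boot."""
    parts = keyscan_line.split()
    if len(parts) < 3:
        return False, "malformed keyscan line"
    declared, blob = parts[1], base64.b64decode(parts[2])
    if key_type_of_blob(blob) != declared:
        return False, "key blob does not match its declared type"
    label = KEYTYPE_LABEL.get(declared)
    if label is None:
        return False, f"unsupported key type {declared}"
    expected = console_fingerprints(console_text).get(label)
    if not expected:
        return False, f"console output carries no {label} fingerprint"
    seen = fingerprints_of_blob(blob)
    if seen["SHA256"] in expected or seen["MD5"] in expected:
        return True, f"{label} host key matches console fingerprint"
    return False, f"{label} fingerprint mismatch: possible MITM or wrong host"


# Constructed ed25519 public-key blob (wire format: string "ssh-ed25519", string 32 bytes).
# The 32 bytes are arbitrary filler, not a real key.
_KEY_BYTES = hashlib.sha256(b"constructed example, not a real key").digest()
GOOD_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + _KEY_BYTES
TAMPERED_BLOB = GOOD_BLOB[:-1] + bytes([GOOD_BLOB[-1] ^ 0x01])


def keyscan_line(host, blob):
    """Render a blob the way ssh-keyscan prints it."""
    return f"{host} {key_type_of_blob(blob)} {base64.b64encode(blob).decode()}"


# Constructed console output, written so its ED25519 line carries GOOD_BLOB's fingerprint.
SAMPLE_CONSOLE = "\n".join([
    "ec2: #############################################################",
    "ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----",
    f"ec2: 256 {fingerprints_of_blob(GOOD_BLOB)['SHA256']} root@ip-10-0-1-25 (ED25519)",
    "ec2: -----END SSH HOST KEY FINGERPRINTS-----",
    "ec2: #############################################################",
])
```

Run the check before the first ssh to a new instance and only then accept the key into known_hosts; a mismatch means you are not talking to the instance you launched, or the instance has been rebuilt since the console output was captured.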
  14. Customer: customer data; platform, applications, identity, and access management; operating system, network, & firewall configuration; client-side data encryption & integrity authentication; server-side encryption (file system/data); network traffic protection (encryption, integrity, identity). Customer above, AWS below. AWS: compute | storage | database | networking; AWS global infrastructure: regions, availability zones, edge locations.
  16. Much like Beowulf clusters and HPC environments, hosts are becoming less relevant and more like request routers and job processors, and less the center of your data universe. Remember: the cloud is about loosely coupled services and creating elasticity in your infrastructure, while leveraging services to retain the resiliency and security of your data and workflows. By focus-locking your security strategy on the host, you will expose your critical services, data, and control plane to emerging attacks.
  17. We are doing the same with security in AWS. We're designing security and compliance not simply into OS and application controls, as has been done for the last few decades, but into everything about the IT environment: the permissions, the logging, the use of approved machine images, the trust relationships, the changes made, enforced encryption, and more. We're converting manual, administrative controls to technically enforced controls with the assurance that, if designed properly, the controls are operating 100% of the time. We call this "Security by Design", or SbD. AWS is a modern platform that allows you to formalize the design of security controls in the platform itself. It simplifies system use for administrators and those running IT, and makes your AWS environment much simpler to audit. It creates an environment where there are no control findings at the audit (similar to having no quality findings at the end of a manufacturing process). It's a systematic way to achieve security assurance, and gives you insight into how things are operating and how to respond to emerging threats.
  18. I recently had a discussion with a company CISO about managing his on-premise environment. I asked, "how long would it take to inventory your assets?" He said, "if I started today, it would be 100 years after you are dead." Manually tracking assets is an example of a control that is so ineffective that you can't rely on it for providing any assurance at all. So, in general, looking at what you have is simple in AWS. But how are they related to each other?
  19. AWS CloudTrail provides logging of API or console actions (e.g., it logs when someone changes a bucket policy, stops an instance, etc.). (Slide shows a Splunk dashboard for CloudTrail with log activity and summarized info.) Control provided: advanced monitoring of actions taken and changes made across the entire AWS environment. Records AWS API calls for your account and delivers log files to you; logs are delivered as JSON to your S3 bucket; region-by-region API log isolation; optionally log multiple AWS accounts to your bucket (i.e., cross-account). Currently covers API access to: EC2, EBS, EMR, Kinesis, AutoScaling, ELB, Redshift, RDS, VPC, SWF, CloudFormation, CloudFront, CloudTrail, CloudWatch, Direct Connect, Elastic Beanstalk, IAM, OpsWorks, STS, SQS. No cost beyond storage of logs. Currently supports 20 services throughout our 8 standard regions (GovCloud coverage is separate). We are regularly adding support for additional services in order to provide a complete auditing solution.
  20. AWS KMS provides customers with centralized control of their encryption keys and is integrated with other AWS services including Amazon EBS, Amazon S3, and Amazon Redshift to make it simple to encrypt data with encryption keys that customers manage. It’s also integrated with AWS CloudTrail to provide logs of all key usage. It provides a simple view into all of the key usage in a customer’s organization and lets customers easily implement key creation, rotation, usage policies, and enables login from the AWS Management Console or by using the API.
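Added example, not code from the deck or from AWS: Python that reads a CloudTrail delivery file of the kind note 19 describes (a {"Records": [...]} JSON object, gzipped) and runs three detections over it: sensitive API calls such as PutBucketPolicy, StopInstances, StopLogging and the KMS ScheduleKeyDeletion/DisableKey calls; any activity by the root user; and console logins without MFA. It also tallies KMS cryptographic operations per key ARN and actor, which is the key-usage view note 20 refers to. The records are constructed to CloudTrail's field names (eventSource, eventName, userIdentity, additionalEventData.MFAUsed, resources[].ARN); the rule list and alert shape are this example's own choices.

```python
import gzip
import json
from collections import Counter

# (eventSource, eventName) pairs that change an account's security posture and
# deserve an immediate alert rather than a weekly report.
SENSITIVE_CALLS = {
    ("s3.amazonaws.com", "PutBucketPolicy"),
    ("s3.amazonaws.com", "DeleteBucketPolicy"),
    ("ec2.amazonaws.com", "StopInstances"),
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("kms.amazonaws.com", "ScheduleKeyDeletion"),
    ("kms.amazonaws.com", "DisableKey"),
}
KMS_CRYPTO_OPS = {"Encrypt", "Decrypt", "GenerateDataKey",
                  "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}

ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
APP_ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _rec(time, source, name, ident, ip, **extra):
    """Build one constructed CloudTrail record carrying the fields the rules read."""
    return {"eventVersion": "1.03", "eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "sourceIPAddress": ip, "userIdentity": ident,
            "eventID": f"constructed-{time}-{name}", **extra}


# Constructed delivery file: CloudTrail writes {"Records": [...]} as a gzipped JSON object.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2015-12-15T09:58:01Z", "signin.amazonaws.com", "ConsoleLogin", ALICE, "203.0.113.7",
         additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _rec("2015-12-15T10:01:12Z", "s3.amazonaws.com", "PutBucketPolicy", ALICE, "203.0.113.7",
         requestParameters={"bucketName": "payments-archive"}),
    _rec("2015-12-15T10:02:40Z", "kms.amazonaws.com", "Decrypt", APP_ROLE, "10.0.1.25",
         resources=[{"ARN": KEY_ARN, "accountId": "111122223333"}]),
    _rec("2015-12-15T10:03:05Z", "kms.amazonaws.com", "Decrypt", APP_ROLE, "10.0.1.25",
         resources=[{"ARN": KEY_ARN, "accountId": "111122223333"}]),
    _rec("2015-12-15T10:05:00Z", "ec2.amazonaws.com", "DescribeInstances", ROOT, "198.51.100.2"),
]}).encode()
SAMPLE_LOG_GZ = gzip.compress(SAMPLE_LOG)


def parse_log(data):
    """Return the Records list from one delivery file, gzipped or plain."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return json.loads(data).get("Records", [])


def _actor(record):
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown")


def scan_records(records):
    """Run the detection rules over records; return one alert dict per hit."""
    alerts = []
    for rec in records:
        source, name = rec.get("eventSource"), rec.get("eventName")
        ident = rec.get("userIdentity") or {}
        base = {"time": rec.get("eventTime"), "eventID": rec.get("eventID"),
                "actor": _actor(rec), "sourceIP": rec.get("sourceIPAddress")}
        if (source, name) in SENSITIVE_CALLS:
            alerts.append({**base, "rule": "sensitive-call", "detail": f"{name} via {source}"})
        if ident.get("type") == "Root":
            alerts.append({**base, "rule": "root-activity", "detail": name})
        if name == "ConsoleLogin" and (rec.get("additionalEventData") or {}).get("MFAUsed") == "No":
            alerts.append({**base, "rule": "console-login-no-mfa",
                           "detail": (rec.get("responseElements") or {}).get("ConsoleLogin")})
    return alerts


def kms_key_usage(records):
    """Count cryptographic operations per (key ARN, actor): who is using which key."""
    usage = Counter()
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") not in KMS_CRYPTO_OPS:
            continue
        for res in rec.get("resources") or []:
            if res.get("ARN"):
                usage[(res["ARN"], _actor(rec))] += 1
    return usage
```

On a real account, feed `parse_log` the .json.gz objects CloudTrail delivers to the trail's S3 bucket; because the detections key on eventSource and eventName rather than free text, they keep working as new services are added to the trail.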
  21. Hardware security modules (HSMs) provide a solution where you can centrally and securely store and manage keys used by your applications. CloudHSM allows you to implement the same HSM solution that you may already have in an on-premises data center, so your cloud applications get the same security as your on-premises applications. The CloudHSM solution possesses all the same attributes as an HSM implemented in an on-premises data center, without the need to buy the physical infrastructure. ***Bullets: EAL4 (Common Criteria Evaluation Assurance Level 4) is an international standard stating that the product has been methodically designed, tested, and reviewed. NIST FIPS 140-2 is the US standard for cryptographic modules; Level 2 adds tamper-evidence and role-based authentication requirements on top of Level 1.
  23. And why does it make more sense than using a traditional on-premises environment? The need for automation and consistent control performance will demand a move into an environment that is automated, transparent, and auditable with 100% control coverage. The reasons are becoming more obvious to auditors. Physical procedure manuals do not provide enforceable control; I think we all realize this. When was the last time you pulled an SOP manual for anything other than to feel the thud factor? In my 12 years of auditing and consulting with E&Y, there were very few times someone even knew where the procedure manual was, let alone knew its content. In the new world this won't work: instead, we are scripting processes, so you can't do your job outside of the prescribed coded process. Surveys do not provide authoritative governance. We all know this: they are subjective, and are subject to human error on many levels. Why we ever relied on surveys to do any sort of real control monitoring seems rather ridiculous to me. Now we're automating environments and alarming on instances of control failure instead of asking people whether controls have failed. Automated controls need to be pervasive; automation of controls is the only real way to reduce IT risk in today's complex IT environment. Sample testing of controls will no longer be a valid audit strategy. Testing a sample of 25 is rapidly becoming statistically invalid and seems archaic considering today's complex IT environment. The scale of the systems will require control automation, allowing auditors to do a very effective "test of 1." Today we're going to explore the topic of advanced governance and show you how it can be done in AWS.
  26. Inspector is a combination of service / host-based client that aims to provide an overall assessment of the security posture of a distributed system, usually running on top of AWS. Security posture here includes overall AWS services configuration (EC2 security groups, VPCs, S3 buckets, IAM users/roles, ...), host configuration, software running on these hosts, as well as host to host interactions. Its primary intended benefit is to allow service teams, as well as external customers, to easily assess the security posture of their software and systems on their own as they progress through development, as well as on a regular basis during production for auditing purposes. The secondary benefit is to help Application Security Engineers and Penetration Testers to focus on the most complex problems by offloading the checking of low-hanging fruits to an automated system. The automatic generation of a threat model / DFD will also help the engineers get up to speed and understand the targeted systems faster and better, by relying on real observed information rather than information gathered from engineers recollection of how their systems work. A third benefit is to provide the foundations to allow easy monitoring of various elements on a host or AWS account for forensics, troubleshooting or active auditing purposes. The user simply needs to focus on implementing the actions to take rather than on performing the actual monitoring.
  27. Shared responsibility model, the shift in the separated model, AWS and customer responsibilities. WHAT'S IN IT FOR THE CUSTOMER: I want to convince you that everyone should run this and reduce their overhead in addressing security manually. Running internet- and internal-facing services is hard. There are always changes, new patches, new issues to address. Wouldn't it be great if there was a service to do the lifting for you? There is a lot of information to understand when trying to secure your services; it's an expert area, and security engineers are not common. Many companies don't have them on their teams and need to bring in external help. Wouldn't it be helpful if someone could distill it for you? When you spend money on security (or bring in external help), a service like Inspector allows you to focus on the new or unique feature areas of your product over the infrastructural areas.
  28. Agent Based – focused on the instances rather than AWS Configuration -> See AWS Config & Config Rules for more in that area. Test your infrastructure and applications for potential security issues.. Provides guidance based on any findings identified. Choice of policy packages for assessing infrastructure and applications.
  29. CVE: several thousand checks. Network security: 4 checks (weak ciphers, vulnerable TLS version, SMB packet signing). Authentication: 9. OS: 4. AppSec: 2. PCI: 25.
  30. Audits are slow, riddled with spreadsheets and paperwork, and disrupt the innovation cycle or completely stop it during the audit period.
  31. Expert audits: the best way to validate CSP security is to get accredited experts to do it for you. This is using a very sharp tool for a very specific job. CSP auditors understand cloud in general, they understand where AWS plays in the cloud landscape, they understand risk, and they understand the customer use cases in depth. They interpret the traditional standards for you, applying them to AWS in a way that makes sense. They can do a much better job than most audit functions at companies with limited experience in doing this specifically. The multiple certifications and reports offered by AWS give you the ability to triangulate on risk and controls if there isn't a report that meets your exact needs. One report or certification is a good data point, but with several (overlapping but subtly different controls, different audit types and periods, different points in time) you can get the visibility you need. As of today, AWS infrastructure has been audited to meet controls for workloads requiring: HIPAA; SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70); SOC 2 Security & Availability; SOC 3; PCI DSS Level 1; ISO 27001; ISO 9001; FedRAMP(SM); DIACAP; ITAR; FIPS 140-2; CSA; MPAA; AUS IRAP; Singapore M. But we can't stop there…
  32. AWS GovCloud is an AWS Region designed to allow US government agencies and contractors to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements, such as ITAR, which governs how organizations manage and store defense-related data. Previously, government agencies with data subject to compliance regulations such as the International Traffic in Arms Regulations (ITAR), which governs how organizations manage and store defense-related data, were unable to process and store data in the cloud that the federal government mandated be accessible only by U.S. persons. Because AWS only allows US Persons to physically and logically access the AWS GovCloud network, government agencies can now manage more heavily regulated data in AWS while remaining compliant with US Persons only access requirements. AWS does not manage physical and logical access controls beyond the AWS network. It is the responsibility of customers to manage end user access controls to their content in the AWS GovCloud Region.   What is ITAR? ITAR is the International Traffic in Arms Regulations, which is a set of United States government regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML) and related technical data. The primary issue that impacts AWS is the requirement that all ITAR controlled data must be stored in an environment physically and logically accessible to US Persons only. A US Person is defined as a US citizen or permanent resident.  In this Region, AWS complies with US Persons only physical and logical access requirements for the AWS network, and therefore enables others to use the AWS GovCloud Region to process and store ITAR data. Unlike ISO 27001, there is no formal ITAR certification. However, AWS has conducted a third-party review of the AWS GovCloud ITAR compliance program. 
This third party has published a favorable letter of attestation regarding AWS' compliance with the stated ITAR objectives. This letter is provided to customers who enter into an AWS GovCloud Enterprise Agreement. Is AWS FISMA compliant? Yes, AWS is able to meet Federal FISMA Low and Moderate certifications. AWS has attained Authority to Operate (ATO) under FISMA Low at several agencies (Department of Education, Recovery and Transparency Board) and can make those control mappings available as part of the Certification & Accreditation process. Additionally, AWS was granted an ATO at the FISMA Moderate level by the GSA. AWS will continue pursuing certifications that make it easier for enterprises, businesses and government agencies to use and benefit from our services. What is FedRAMP? The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is mandatory for federal agency cloud deployments and service models at the low and moderate risk impact levels. Why is FedRAMP important? The Cloud First policy mandates that agencies take full advantage of cloud computing benefits to maximize capacity utilization, improve IT flexibility and responsiveness, and minimize cost. And the Office of Management and Budget (OMB) mandate states that agencies must "use FedRAMP when conducting risk assessments, security authorizations, and granting ATOs for all Executive department or agency use of cloud services" (FedRAMP Policy Memo, OMB). One of the major benefits of FedRAMP is that it allows federal agencies to save significant time, costs and resources in their evaluation of the security of cloud providers.
  33. Overview: PCI DSS is the Payment Card Industry Data Security Standard, a set of security requirements designed to ensure that all companies which process, store or transmit credit card information maintain a consistent level of data security for cardholder data. The standard is administered and managed by the PCI Security Standards Council, an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). We have been successfully validated as a Level 1 service provider, meaning that our customers may host their applications on our PCI-compliant technology.
  34. Use cases (why): we often find customers requesting our PCI compliance package to share with their auditors, most commonly their chosen QSA (Qualified Security Assessor). Selling points: our PCI compliance package provides AWS customers, and their auditors if appropriate, with two documents: the Attestation of Compliance (AoC) and the PCI Responsibility Summary. The AWS PCI Responsibility Summary provides customers with a description of the in-scope services and customer implementation considerations, and gives an overview of the shared responsibility between them and AWS for meeting the PCI requirements.
  35. Individual compliance certifications can be covered later in the presentation with current information available at aws.amazon.com/compliance