Blue Chip Tek Connect and Protect Presentation #3


Transcript of Blue Chip Tek Connect and Protect Presentation #3

Security & Compliance Overview

Todd Gleason, Partner Solutions Architect

December 15, 1015

Of the changes catalyzed by cloud, security is the most exciting.

Over A Million Active Customers Running Every Imaginable Use Case

1500+ Government Agencies

3600+ Education Institutions

190 Countries

11,200+ Nonprofits

Rate of Customers Requesting Compliance Reports and Certifications

[Chart: Percentage of Customers Requesting Compliance Reports/Certs, by Revenue Tier (Top 10, Top 25, Top 50, Top 100, Top 500, Top 5000); series: “Compliance Report Requested” vs. “No Compliance Report Requested”. Values extracted for “Compliance Report Requested”, in tier order: 50%, 60%, 64%, 88%, 83%, 95%.]

Customers

“Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters.”

CTO, Space Agency

Industry Analysts

“… We’ll also see organizations adopt cloud services for the improved security protections and compliance controls that they otherwise could not provide as efficiently or effectively themselves.”

Security’s Cloud Revolution is Upon Us, Forrester Research, Inc., August 2, 2013

The security paradigm shifted

Legacy Datacenters:
• Big Perimeter
• End-to-End Ownership
• Build it all yourself
• Server-centric approach
• Self-managed Services
• Static Architecture
• De-centralized Administration

AWS:
• Micro-Perimeters
• Own just enough
• Focus on your core value
• Service-Centric
• Platform Services
• Continuously Evolving
• Central Control Plane (API)

Security & compliance requirements from every industry

Nothing better for the entire community than a tough set of customers…

[Diagram: Financial Requirements, Health Care Requirements, and Government Requirements feed into the Security Infrastructure Requirements that apply to Everyone’s Systems and Applications]

Security & compliance is a shared responsibility

Customers are responsible for their security IN the Cloud:
• Customer Applications & Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection

AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Availability Zones, Regions, Edge Locations

Let AWS take care of the heavy lifting for you

AWS provides:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities

+ Customer configures:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Application security
• Service configuration
• AuthN & account management
• Authorization policies

Customers get to choose the right level of security for their business. As an AWS customer you can focus on your business and not be distracted by the muck.

Security OF the Cloud

Rapid pace of security innovation & customer driven improvements

[Chart: security, compliance, governance, and audit related launches and updates per year, 2007 through 2014; values shown: 48, 61, 82, 159, 280, 516; annotation: 40%]

AWS Security Team, aligned for agility:
• Operations
• Application Security
• Engineering
• Compliance

Physical Security of Data Centers

Amazon has been building large-scale data centers for many years.

Important attributes:
• Non-descript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth

Controlled, need-based access; all access is logged and reviewed.

Separation of Duties: employees with physical access don’t have logical privileges.

Network Security

Distributed Denial of Service (DDoS):
• Standard mitigation techniques in effect for AWS API endpoints

Man in the Middle (MITM):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot

IP Spoofing:
• Prohibited at host OS level

Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Inbound ports blocked by default

Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level

AWS reduces common attack vectors at the infrastructure level.

Security IN the Cloud

Your Role in Securing AWS is Well-Defined

Customer: Security in the Cloud
• Customer Data
• Applications, Identity & Access Mgmt
• OS, Network, Firewall
• Client-side Encryption, Server-side Encryption, Network Traffic Protection

AWS: Security of the Cloud
• Compute, Storage, Networking
• AWS Global Infrastructure (Regions, AZs, Edge Locations)

… but the security technology has lagged

The customer’s layers (Customer Data; Applications, Identity & Access Mgmt; OS, Network, Firewall; Client-side Encryption; Server-side Encryption; Network Traffic Protection) are still covered with traditional tooling:
• Network Appliances
• Host-based Agents
• IP-based scanners
• Log Analytics
• DLP & Encryption
• Manual Audits

These technologies don’t embrace cloud values…

Host-centric Security Strategies fail in AWS

Protecting the EC2 host while ignoring the services is a bad decision.

Your most critical data often lives in S3, Glacier, RDS, Redshift, and other key services.

Security by Design – SbD

• Systematic approach to ensure security
• Formalizes AWS account design
• Automates security controls
• Streamlines auditing

Services: AWS CloudTrail, AWS CloudHSM, AWS IAM, AWS KMS, AWS Config, Amazon Inspector

Provides control insights throughout the IT management process

Amazon Virtual Private Cloud (VPC)

Specify your private IP address range and divide it into one or more public or private subnets

Protect your Instances with stateful filters for inbound and outbound traffic using Security Groups

Control inbound and outbound access to and from individual subnets using stateless Network Access Control Lists

Bridge your VPC and your onsite IT infrastructure with an industry standard encrypted IPsec VPN connection

Create a logically isolated environment in Amazon’s highly scalable infrastructure
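The stateful/stateless distinction above is the one that trips people up in practice: a security group remembers the connection and lets the reply through on its own, while a network ACL has to be told about return traffic explicitly. The toy model below is an added illustration, not AWS code or anything from the presentation; the rule syntax, the packet representation and the addresses (10.0.0.5 client, 10.0.1.10 instance) are constructed for the example.

```python
"""Toy model of the two VPC traffic filters the slide contrasts: a stateful
security group and a stateless network ACL. Added illustration, not AWS code;
the rule syntax and packet representation are simplified assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = toward the instance/subnet, "out" = leaving it


def in_cidr(ip: str, cidr: str) -> bool:
    """True when the IPv4 address falls inside the CIDR block."""
    net, bits = cidr.split("/")

    def to_int(addr: str) -> int:
        return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")

    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (to_int(ip) & mask) == (to_int(net) & mask)


@dataclass(frozen=True)
class Rule:
    cidr: str           # remote side: source for inbound rules, destination for outbound
    port_from: int      # destination port range the rule covers
    port_to: int
    action: str = "allow"  # NACL rules may be "deny"; security group rules are allow-only

    def matches(self, pkt: Packet) -> bool:
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        return in_cidr(remote, self.cidr) and self.port_from <= pkt.dport <= self.port_to


class SecurityGroup:
    """Stateful filter: once a packet is permitted, the reply of that connection
    is permitted too, with no outbound rule needed."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.flows = set()  # (src, sport, dst, dport) of connections already permitted

    def allows(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True  # return traffic of a tracked connection
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(rule.matches(pkt) for rule in rules):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


class NetworkAcl:
    """Stateless filter: every packet is judged on its own against numbered
    rules, lowest number first, with an implicit deny at the end."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda numbered: numbered[0])
        self.outbound = sorted(outbound, key=lambda numbered: numbered[0])

    def allows(self, pkt: Packet) -> bool:
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for _number, rule in rules:
            if rule.matches(pkt):
                return rule.action == "allow"
        return False


CLIENT, INSTANCE = "10.0.0.5", "10.0.1.10"  # constructed addresses


def ssh_exchange(filt) -> tuple:
    """Constructed SSH connection: request into the instance, reply back out.
    Returns (request_allowed, reply_allowed)."""
    request = Packet(CLIENT, 51000, INSTANCE, 22, "in")
    reply = Packet(INSTANCE, 22, CLIENT, 51000, "out")
    return filt.allows(request), filt.allows(reply)


def demo() -> dict:
    office = "10.0.0.0/16"
    sg = SecurityGroup(inbound=[Rule(office, 22, 22)], outbound=[])
    nacl_half = NetworkAcl(inbound=[(100, Rule(office, 22, 22))], outbound=[])
    nacl_full = NetworkAcl(
        inbound=[(100, Rule(office, 22, 22))],
        outbound=[(100, Rule(office, 1024, 65535))],  # replies go to ephemeral ports
    )
    return {
        "security_group": ssh_exchange(sg),                       # (True, True)
        "nacl_missing_ephemeral_rule": ssh_exchange(nacl_half),   # (True, False)
        "nacl_with_ephemeral_rule": ssh_exchange(nacl_full),      # (True, True)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: request={result[0]} reply={result[1]}")
```

The second NACL case is the usual misconfiguration: inbound 22 is open, but without an outbound allow for the ephemeral port range the SSH reply never leaves the subnet, and the connection hangs rather than being refused.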

Inventory of Assets

AWS CloudTrail

AWS Key Management Service (KMS)

• Centralized control of YOUR encryption keys

• Designed for Scalability and Throughput

• Is a multi-tenant service

• Integrated with other AWS services including Amazon EBS, Amazon S3, and Amazon Redshift

• Integrated with CloudTrail – logs key usage

• Easily implement and audit key creation, rotation, usage policies
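The CloudTrail integration is what makes the “audit key usage” bullet actionable: every Decrypt, GenerateDataKey or ScheduleKeyDeletion call lands in the trail with the calling principal, source IP and key ARN. The script below is an added example, not AWS or Blue Chip Tek code, showing how a defender would read those records. The five records, the account id 111122223333, the key id EXAMPLE-KEY-ID and the principal ARNs are constructed placeholders, and the allow-list of principals is an assumption the reader supplies.

```python
"""Audit KMS key usage from CloudTrail records. Added example, not AWS or
Blue Chip Tek code. The records below are constructed for the example
(account 111122223333 and key id EXAMPLE-KEY-ID are placeholders); the
allow-list of principals is an assumption the reader supplies."""
import json
from collections import Counter

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
APP_ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0example"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"
ADMIN_ROLE = "arn:aws:sts::111122223333:assumed-role/admin-role/alice"


def _record(event_name, principal_arn, source_ip, error_code=None):
    """Build one CloudTrail record in the shape KMS events use (constructed)."""
    record = {
        "eventVersion": "1.05",
        "eventTime": "2015-12-15T10:00:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"arn": principal_arn},
        "sourceIPAddress": source_ip,
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    }
    if error_code:
        record["errorCode"] = error_code
    return record


SAMPLE_TRAIL = json.dumps({"Records": [
    _record("Decrypt", APP_ROLE, "10.0.1.10"),
    _record("GenerateDataKey", APP_ROLE, "10.0.1.10"),
    _record("Decrypt", CONTRACTOR, "203.0.113.7"),
    _record("Decrypt", CONTRACTOR, "203.0.113.7", error_code="AccessDeniedException"),
    _record("ScheduleKeyDeletion", ADMIN_ROLE, "10.0.0.2"),
]})

# KMS API names that use a key on data versus ones that change a key's availability or policy
DATA_OPS = {"Encrypt", "Decrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}
SENSITIVE_OPS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "DeleteAlias"}


def load_kms_records(trail_json: str) -> list:
    """Parse a CloudTrail log file and keep only the KMS events."""
    records = json.loads(trail_json).get("Records", [])
    return [r for r in records if r.get("eventSource") == "kms.amazonaws.com"]


def key_usage_summary(records) -> Counter:
    """Count successful data operations per (key ARN, calling principal)."""
    counts = Counter()
    for r in records:
        if r["eventName"] in DATA_OPS and "errorCode" not in r:
            for res in r.get("resources", []):
                if res.get("type") == "AWS::KMS::Key":
                    counts[(res["ARN"], r["userIdentity"]["arn"])] += 1
    return counts


def find_anomalies(records, allowed_principals) -> list:
    """One finding per record that deserves review, with every reason that applies."""
    findings = []
    for r in records:
        principal = r["userIdentity"]["arn"]
        reasons = []
        if r["eventName"] in DATA_OPS and principal not in allowed_principals:
            reasons.append("data operation by a principal outside the allow-list")
        if r["eventName"] in SENSITIVE_OPS:
            reasons.append("key-management operation that changes key availability or policy")
        if r.get("errorCode") == "AccessDeniedException":
            reasons.append("call denied by the key policy or IAM")
        if reasons:
            findings.append({"eventName": r["eventName"], "principal": principal,
                             "sourceIPAddress": r["sourceIPAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    kms_records = load_kms_records(SAMPLE_TRAIL)
    for key, count in key_usage_summary(kms_records).items():
        print(f"{count} successful data operations on {key[0]} by {key[1]}")
    for finding in find_anomalies(kms_records, allowed_principals={APP_ROLE}):
        print(finding)
```

Run against the constructed trail it reports the application role’s two normal calls, flags the contractor’s successful and denied Decrypt attempts, and flags the ScheduleKeyDeletion regardless of who issued it; the denied call is worth keeping because an AccessDenied on a key is often the first visible sign that a credential is being used somewhere it should not be.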

CloudHSM

Hardware Security Modules: real hardware in the cloud.
• Secure, Reliable & Durable Key Storage: available in multiple AZs and Regions, or replicate to on-premise HSMs
• Tamper-resistant and Tamper Evident
• Customer controlled hardware security module within your VPC
• Only the customer has access to keys; this excludes even the Amazon administrators who manage and maintain the appliance
• Common Criteria EAL4+, NIST FIPS 140-2 Level 2

Governance

Key governance questions

• What do I have?
• How is it performing?
• Who is controlling it?
• What is it costing me?
• Is it secure and compliant?
• Are changes occurring with the right processes and protections?

The AWS cloud allows for advanced governance

Manual auditing in a simple world    | Governance in a complex world
-------------------------------------|--------------------------------------------------
Thick procedure manuals              | Software-enforced processes
Periodic surveys                     | Alarming/triggering
Few truly automated controls         | Ubiquitous, software-driven, predictable controls
Sample testing, hoping               | Full population monitoring, test of 1

AWS and governance

AWS capabilities and services provide key building blocks for systems that answer these questions. They give better answers than ever before in traditional infrastructure. Integration challenges remain, but don’t be constrained by on-prem systems when leveraging the cloud.

AWS Config

AWS Config Relationships

Resources are related to each other:
• Permissions applied to a server or instance
• Amazon EBS volume attached to an Amazon EC2 instance
• Network interfaces
• An instance is contained in a subnet or VPC

AWS Config Rules

• Flexible rules evaluated continuously and retroactively
• Dashboard and reports for common goals
• Customizable remediation
• API automation

AWS Config Rules benefits

Continuous monitoring for unexpected changes

Shared compliance across your organization

Simplified management of configuration changes
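The “API automation” bullet and the relationships slide come together in a custom Config rule: Config hands the rule a configuration item for each resource change, and the rule answers COMPLIANT or NON_COMPLIANT. The code below is an added example, not AWS or Blue Chip Tek code, of that evaluation logic for one common control, EBS volume encryption, using the item’s relationships to name the attached instance in the finding. The event, the resource ids (vol-0example, i-0example) and the result token are constructed placeholders; the relationship name and the boto3 call in the handler are the standard Config shapes as the author of this example understands them, and the handler’s AWS call is kept separate so the evaluation runs offline.

```python
"""Evaluation logic of a custom AWS Config rule, written as an added example
(not AWS code): an EBS volume is COMPLIANT only when encrypted, and the
annotation names the instance the volume is attached to, taken from the
configuration item's relationships. The event below is constructed; the
resource ids and result token are placeholders."""
import json

SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0example",
            "configurationItemCaptureTime": "2015-12-15T10:00:00.000Z",
            "configuration": {"encrypted": False, "size": 8},
            "relationships": [
                {"resourceType": "AWS::EC2::Instance", "resourceId": "i-0example",
                 "name": "Is attached to Instance"}
            ],
        },
    }),
    "ruleParameters": "{}",
    "resultToken": "PLACEHOLDER-RESULT-TOKEN",
}


def evaluate_volume_encryption(item: dict) -> dict:
    """Return one evaluation in the shape Config's PutEvaluations expects."""
    result = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if item["resourceType"] != "AWS::EC2::Volume":
        result.update(ComplianceType="NOT_APPLICABLE",
                      Annotation="Rule only evaluates EBS volumes")
        return result
    # The relationships list is what lets the finding say *where* the volume matters.
    attached = [rel["resourceId"] for rel in item.get("relationships", [])
                if rel.get("resourceType") == "AWS::EC2::Instance"]
    where = f"attached to {', '.join(attached)}" if attached else "not attached"
    if item.get("configuration", {}).get("encrypted") is True:
        result.update(ComplianceType="COMPLIANT",
                      Annotation=f"Volume is encrypted ({where})")
    else:
        result.update(ComplianceType="NON_COMPLIANT",
                      Annotation=f"Volume is not encrypted ({where})")
    return result


def evaluate_event(event: dict):
    """Offline half of the rule: unpack invokingEvent and evaluate the item.
    Returns None for message types that carry no configuration item."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:  # e.g. a ScheduledNotification: nothing to evaluate here
        return None
    return evaluate_volume_encryption(item)


def lambda_handler(event, context):
    """Lambda entry point: evaluate, then report back to Config with the result
    token. boto3 is assumed to exist in the Lambda runtime; it is imported here
    so the evaluation logic above stays runnable offline."""
    evaluation = evaluate_event(event)
    if evaluation is not None:
        import boto3
        boto3.client("config").put_evaluations(
            Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    print(json.dumps(evaluate_event(SAMPLE_EVENT), indent=2))
```

Keeping the decision in a pure function is deliberate: it can be unit-tested against captured configuration items, and the same function can be replayed over historical items to get the “retroactive” evaluation the slide mentions.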

Amazon Inspector

What?

Security assessment tool for analyzing end-to-end application configuration and activity

Why?

Securing infrastructure is often expensive and hard to do effectively.

• Inspector is automated, repeatable, and designed to reduce cost.

• Use AWS security knowledge to strengthen customer servers, services, and infrastructure.

• Delivers actionable findings that are carefully explained and help with their resolution.

Features

• Configuration Scanning and Activity Monitoring Engine
• Selectable built-in rules
• Security findings – guidance and management
• Automatable via APIs


Rule packages

• CVE (common vulnerabilities and exposures)
• Network security best practices
• Authentication best practices
• Operating system security best practices
• Application security best practices
• PCI DSS 3.0 readiness

Amazon Inspector benefits

Increased agility

Embedded expertise

Improved security posture

Streamlined compliance

Compliance

Expert Audits: Transparency & Accuracy

Risk & Compliance Whitepaper

“Shared Responsibility Model”

[Diagram: the whitepaper covers Compliance, Governance, Risk Management, Control Environment, and Information Security across the AWS Global Regions]

Certifications, attestations, and frameworks:
• FedRAMP
• FIPS 140-2
• SOC 1 / SSAE 16 / ISAE 3402
• SOC 2
• SOC 3
• FISMA & DIACAP
• CSA Consensus Assessment Questionnaire
• PCI DSS Level 1
• MPAA
• ITAR
• ISO 27001
• HIPAA

http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf

PCI Overview

AWS is a Level 1 service provider (the highest level)

Compliant with the newly released DSS version 3.1, published in April 2015.

https://aws.amazon.com/compliance/pci-dss-level-1-faqs/

PCI Package Use Case

Customer wants to process, store or transmit credit card information using AWS

Customer wants to learn more about AWS PCI Compliance

Customer is being audited by their QSA (Qualified Security Assessor)

Customer is preparing for an audit and/or monitoring their environment for PCI compliance

PCI Package: What we Provide

AWS provides customers and customers’ auditors with:
• Attestation of Compliance (AoC)
• PCI Responsibility Summary

AWS PCI Responsibility Summary provides:
• Description of the in-scope services
• Customer implementation considerations
• Overview of shared responsibility

Additional resources for Customers

aws.amazon.com/compliance

AWS Certifications and FAQs

• SOC 1 FAQs
• ISO 27001 FAQs
• PCI DSS Level 1 FAQs
• FedRAMP FAQs
• ISO 9001 FAQs
• DoD CSM FAQs

Conclusions

Security is critical

We’re creating tools to make it easier

We’re creating ways to help you build a world-class team

You can move fast and stay safe

Thank You!