Security in the Cloud
Stephen E. Schmidt,
Vice President, Security Engineering &
Chief Information Security Officer
AWS Government, Education, and Nonprofits Symposium, Washington, DC | June 24-26, 2014
8th Birthday: Launched on March 14th, 2006
Startups on AWS
Enterprises on AWS
Public Sector on AWS
System Integrators on AWS
ISVs on AWS
Why are enterprises & government adopting cloud computing and AWS so quickly?
The primary reason enterprises & governments are moving so quickly to AWS and the cloud:
#1: Agility
Why does agility matter?
Old World: Infrastructure in weeks
Enterprises & Government Can’t Afford to Be Slow
A Culture of Innovation: Experiment Often & Fail Without Risk
#2: Platform Breadth and Depth
Global infrastructure: 10 regions, 26 availability zones, 51 edge locations (map of Regions, Availability Zones and Content Delivery POPs)
It’s Not Just Having Services in a Couple of Regions…
The platform, built up layer by layer across the slides:
Foundation: Regions, Availability Zones, Content Delivery POPs
Compute: EC2, Auto Scaling, Elastic Load Balancer
Storage: S3, EBS, Glacier, Storage Gateway, Import/Export
Databases: RDS (MySQL, PostgreSQL, Oracle, SQL Server), DynamoDB, ElastiCache
Networking: VPC, Direct Connect, Route 53
Analytics: EMR, Kinesis, Redshift, Data Pipeline
Application Services: SQS, SNS, SWF, SES, CloudSearch, AppStream, CloudFront, WorkSpaces
Containers & Deployment (PaaS): Elastic Beanstalk for Java, Node.js, Python, Ruby, PHP and .Net; OpsWorks; CloudFormation
Management & Administration: IAM, CloudWatch, CloudTrail, Cloud HSM, APIs and SDKs, Management Console, Command Line Interface
Ecosystem: Technology Partners, Consulting Partners, AWS Marketplace
Support, Certification, Training, Professional Services
Security is Our No.1 Priority: Comprehensive Security Capabilities to Support Virtually Any Workload
• People & procedures
• Network security
• Physical security
• Platform security
“[Enterprise customers are] skipping the years of early getting-their-feet-wet, and immediately jumping in with more significant projects, with more ambitious goals…”
“Increasingly, organizations are asking what can’t go to the cloud, rather than what can…”
“As 2014 dawns, we’re moving into an era of truly mainstream adoption of cloud…”
• Security is shared: what needs to be done to keep the system safe is split between what we do for you and what you do yourself
• Every customer has access to the same security capabilities
• Choose what’s right for your workload
• Cloud security offers more: visibility, auditability, control
• More visibility: Can you map your network? What is in your environment right now?
• More auditability: security control objectives
1. Security organization
2. Amazon user access
3. Logical security
4. Secure data handling
5. Physical security and environmental safeguards
6. Change management
7. Data integrity, availability and redundancy
8. Incident handling
• More control: defense in depth, multi-level security around the data
• Physical security of the data centers
• Network security
• System security
• Data security
Least privilege principle at AWS:
• Confine roles only to the material required to do specific work
• Separate networks for corporate work vs. accessing customer data
• Must have a business need-to-know about sensitive information like datacenter locations
• Must have a business need-to-know in order to access datacenters
• Simple security controls are the easiest to get right, easiest to audit, and easiest to enforce
• IDC Survey: Attitudes and Perceptions Around Security and Cloud Services
• Nearly 60% of organizations agreed that CSPs [Cloud Service Providers] provide better security than their own IT organization
• Source: IDC 2013 U.S. Cloud Security Survey, Doc #242836, September 2013
• “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own data centers”
Tom Soderstrom – CTO – NASA JPL
AWS Security
Stephen E. Schmidt, Chief Information Security Officer
Thank You!