Architecting for Greater Security Carlos Conde – Technology Evangelist
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Architecting for Greater Security
Carlos Conde – Technology Evangelist
5 WHYs
1. Why does security come first in
enterprise cloud adoption?
New territory Security is hardAWS job zero
2. Why is enterprise security
traditionally so hard?
Change controlCompliance planning
3. Why so much planning which
takes so long?
So many processes Built-in pausesSo many hand-offs
Processes detect
unwanted change
Reduce impact
of failure
Visibility & control
are essential
4. Why so many processes?
No stimulus
and response
Low degree
of automation
Lack of
visibility
5. Why are change detection and low-risk
changes are so difficult?
So where does AWS come in?
AWS makes
security faster
Lets you move fast
but stay safe
LEAST PRIVILEGE PRINCIPLE
Confine roles only to the material
required to do specific work
AWS IAM
Identity & Access Management.
Control who does what in your AWS account with
fine-grained policies.
LEAST PRIVILEGE PRINCIPLE
Confine network access only to the nodes
required to do specific work
DATA PROTECTION PRINCIPLE
Protect data in transit & at rest
ENCRYPT YOUR DATAAMAZON EMR
AMAZON S3 SSE
AMAZON GLACIER
AMAZON REDSHIFT
AMAZON RDS
…
CHOOSE THE RIGHT MODEL
FOR YOUR NEEDS
Automated – AWS manages encryption
Enabled – user manages encryption using AWS
Client-side – user manages encryption using their own mean
AWS Private Key Management Capabilities
AWS CloudHSMDedicated HSM appliances
Managed and monitored by
AWS, but you control the keys
Increase performance for
applications that use HSMs for
key storage or encryption
Comply with stringent
regulatory and contractual
requirements for key protection
EC2 InstanceAWS CloudHSM
VISIBILITY PRINCIPLE
You can’t protect what you don’t know about
LOG FILES
Obtained, Analysed, Retained
AWS CloudWatch Logs
You are making
API calls...On a growing set of
services around the
world…
CloudTrail is
continuously
recording API
calls…
And delivering
log files to you
AWS CloudTrail
PROTECT YOUR LOGS WITH IAM
ARCHIVE YOUR LOGS
AWS Config
System change deltas time series
Continuous ChangeRecordingChanging
Resources
AWS Config
History
Stream
Snapshot (ex. 2014-11-05)
AWS Config
MAKE SECURITY ACTIONABLE
Automate log reviews with AWS Lambda.
Automatically shutdown non-compliant instances.
Validate changes.
Rollback unapproved changes.
CONTINUOUS DEPLOYMENT
FOR SECURITY
Automated deployments are more secure.
Enables “SSH-less” production environments.
Rapid deployment of security fixes.
Use AWS CodeDeploy.
AWS Assurance Programs
aws.amazon.com / compliance
“… We’ll also see organizations adopt cloud
services for the improved security protections
and compliance controls that they otherwise
could not provide as efficiently or effectively
themselves.”
Security’s Cloud Revolution is Upon Us
Forrester Research, Inc., August 2, 2013
Co-Founder
Ohpen is a platform ‘out-of-the-box’ and offers financial service providers a fully integrated, multilingual, web-, front-, mid- and back-end solution for mutual funds and savings accounts.
Ohpen enabled the first bank in the world to go to
the cloud. All-in!
We are extinguishing legacy software by developing the best mutual fund and savings platform in the world.
The financial services industry shall be freed from on premise legacy software by cloud based administration factories, where you just plug in.
59
60
62
•
•
•
•
•
•
•
•
•
•
•
•
@
“Based on our experience,
I believe that we can be even
more secure in the AWS cloud
than in our own data centers”
Tom Soderstrom – CTO – NASA JPL
MORE AUDITABILITY
MORE VISIBILITY
MORE CONTROL
aws.amazon.com/security
Please rate this session & provide your feedback
Download the AWS Summit App
AWS Summit 2015
#AWSSummit@AWS_UKI
LONDON
Related Documents
