© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
AWS Security
Stephen E. Schmidt, Chief Information Security Officer
November 13, 2013
Different customer viewpoints on security:
• CEO: protect shareholder value
• PR exec: keep out of the news
• CIO/CISO: preserve the confidentiality, integrity and availability of data
AWS Viewpoint on Security: Art vs. Science
Security is Our No. 1 Priority
Comprehensive Security Capabilities to Support Virtually Any Workload
AWS Cloud Security
“Based on our experience, I believe that we can be
even more secure in the AWS cloud than in our
own data centers.”
-Tom Soderstrom, CTO, NASA JPL
AWS Security Offers Customers More
Visibility • Auditability • Control
Visibility
– In the AWS cloud, see your entire infrastructure at the click of a mouse
– Can you map your current network?
AWS Security Delivers More Auditability
• Consistent, regular, exhaustive 3rd-party evaluations with commonly understood results
Introducing AWS CloudTrail
You are making API calls... on a growing set of services around the world... CloudTrail is continuously recording those API calls... and delivering log files to you.
Use cases enabled by CloudTrail
• Security Analysis: use log files as an input into log management and analysis solutions to perform security analysis and to detect user behavior patterns.
• Track Changes to AWS Resources: track creation, modification, and deletion of AWS resources such as Amazon EC2 instances, Amazon VPC security groups and Amazon EBS volumes.
• Troubleshoot Operational Issues: quickly identify the most recent changes made to resources in your environment.
• Compliance Aid: easier to demonstrate compliance with internal policies and regulatory standards.
What is AWS CloudTrail?
• CloudTrail records API calls in your account and delivers a log file to your S3 bucket.
• Typically delivers an event within 15 minutes of the API call.
• Log files are delivered approximately every 5 minutes.
• Multiple partners offer integrated solutions to analyze log files.
Image Source: Jeff Barr
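The use cases above (security analysis, tracking resource changes, spotting the most recent change) all come down to reading the JSON log files CloudTrail drops into S3 and picking out the records that matter. The following is an added example, not code from the presentation or from AWS: it builds a constructed log file in the CloudTrail record format (account id, ARNs, resource ids and user names are made-up placeholders), lists the mutating calls, raises alerts for two patterns a defender would want paged on (a security group opened to the whole Internet on TCP/22, and CloudTrail itself being stopped), and measures how far behind the oldest call a delivered file is, which is the practical meaning of the 5-minute/15-minute delivery figures.

```python
import json
from datetime import datetime


def _rec(time, user, source, name, params=None):
    """Build one constructed CloudTrail record; field names follow the real
    record format, but the account id, ARNs and resource ids are made up."""
    return {
        "eventVersion": "1.0",
        "userIdentity": {"type": "IAMUser", "principalId": "EXAMPLE" + user.upper(),
                         "arn": "arn:aws:iam::123456789012:user/" + user,
                         "accountId": "123456789012", "userName": user},
        "eventTime": time, "eventSource": source, "eventName": name,
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/1.2.0", "requestParameters": params or {},
    }


# Constructed stand-in for one delivered log file: a JSON object whose
# "Records" array holds the API calls made over a few minutes.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    _rec("2013-11-13T10:00:00Z", "alice", "ec2.amazonaws.com", "DescribeInstances"),
    _rec("2013-11-13T10:01:00Z", "alice", "ec2.amazonaws.com", "RunInstances",
         {"instanceType": "m1.small"}),
    _rec("2013-11-13T10:02:00Z", "bob", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
         {"groupId": "sg-0abc1234", "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _rec("2013-11-13T10:03:00Z", "alice", "ec2.amazonaws.com", "DeleteVolume",
         {"volumeId": "vol-0abc1234"}),
    _rec("2013-11-13T10:04:00Z", "bob", "cloudtrail.amazonaws.com", "StopLogging",
         {"name": "Default"}),
]})

# Calls whose names start with these prefixes only read state; everything
# else is treated as a change to a resource.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")
# Calls that switch off or remove the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail"}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def load_records(log_text):
    return json.loads(log_text)["Records"]


def actor(record):
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn", "unknown")


def resource_changes(records):
    """(eventTime, actor, eventSource, eventName) for every mutating call,
    in log order: the 'what changed most recently' view."""
    return [(r["eventTime"], actor(r), r["eventSource"], r["eventName"])
            for r in records if not r["eventName"].startswith(READ_ONLY_PREFIXES)]


def opens_ssh_to_world(record):
    """True if an AuthorizeSecurityGroupIngress call admits TCP/22 from 0.0.0.0/0."""
    if record["eventName"] != "AuthorizeSecurityGroupIngress":
        return False
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        if perm.get("ipProtocol") != "tcp":
            continue
        if not perm.get("fromPort", -1) <= 22 <= perm.get("toPort", -1):
            continue
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


def security_alerts(records):
    """(eventTime, actor, alert kind, detail) for the patterns worth paging on."""
    alerts = []
    for r in records:
        if opens_ssh_to_world(r):
            alerts.append((r["eventTime"], actor(r), "ssh-open-to-world",
                           r["requestParameters"].get("groupId", "?")))
        if r["eventName"] in TRAIL_TAMPERING:
            alerts.append((r["eventTime"], actor(r), "trail-tampering", r["eventName"]))
    return alerts


def detection_lag_minutes(records, delivered_at):
    """Minutes from the oldest call in the file to the time (ISO-8601 'Z'
    string) the file reached us; with files every ~5 minutes and events
    within ~15, this is the floor on how fast a log-based alert can fire."""
    oldest = min(_ts(r["eventTime"]) for r in records)
    return (_ts(delivered_at) - oldest).total_seconds() / 60


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG_FILE)
    for change in resource_changes(recs):
        print("CHANGE", *change)
    for alert in security_alerts(recs):
        print("ALERT ", *alert)
    print("lag (min):", detection_lag_minutes(recs, "2013-11-13T10:14:00Z"))
```

The read-only prefix list is deliberately coarse; a production pipeline would key on the full event name and on `eventSource`, and would also watch for `sourceIPAddress` values outside the ranges your operators normally use.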
Visibility
• Logs == one component of visibility
– Obtain
– Retain
– Analyze
Sumo Logic
• Enterprise Class Log Management & Analytics
– Availability and Performance
– Security and Compliance
– User and Application Analytics
• Sumo Logic Application for AWS CloudTrail
– Real-time Security Monitoring and Alerting
– Compliance Auditing
– Operational Visibility and Cost
• Come see us @ booth #117
• CTO, Christian Beedgen – Wednesday: 3:00 PM - 4:00 PM – San Polo 3501A
Control
• Defense in Depth – Multi-level security
– Physical security of the data centers
– Network security
– System security
– Data security
AWS Security Delivers More Control & Granularity
Customize the implementation based on your business needs
• Defense in depth
• Rapid scale for security
• Automated checks with AWS Trusted Advisor
• Fine-grained access controls
• Server-side encryption
• Multi-factor authentication
• Dedicated instances
• Direct connection, Storage Gateway
• HSM-based key storage
[Diagram labels: AWS CloudHSM, AWS IAM, Amazon VPC, AWS Direct Connect, AWS Storage Gateway]
Control
• SSO Federation using SAML
– Support for SAML 2.0
– Use existing SAML identity providers to access AWS resources: you don’t have to add additional software!
– AWS Management Console SSO: new sign-in URL
  https://signin.aws.amazon.com/SAML?Token=<yourdatahere>
– API federation using the new assumeRoleWithSAML API
Amazon DynamoDB Fine Grained Access Control
• Directly and securely access application data in Amazon DynamoDB
• Specify access permissions at table, item and attribute levels
• With Web Identity Federation, completely remove the need for proxy servers to perform authorization
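What "access permissions at table, item and attribute levels" looks like in practice is an IAM policy whose condition keys scope the caller to its own items and to a listed set of attributes, with the federated identity supplied through a policy variable so that no proxy has to sit in front of the table. The block below is an added illustration and is not AWS code: the policy shape, the `dynamodb:LeadingKeys` and `dynamodb:Attributes` condition keys and the `${www.amazon.com:user_id}` variable are real IAM names, while the table, account id and attribute names are made-up placeholders, and `is_allowed` is a deliberately small toy evaluator that shows how the rendered condition sets decide a request, not a reimplementation of IAM.

```python
import json
import re

# Constructed IAM policy of the shape used with DynamoDB fine-grained access
# control. Table name, account id and attribute names are placeholders.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/GameScores"
FGAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query",
                   "dynamodb:PutItem", "dynamodb:UpdateItem"],
        "Resource": [TABLE_ARN],
        "Condition": {
            "ForAllValues:StringEquals": {
                # item level: the hash key of every item touched must equal
                # the federated caller's Login with Amazon user id
                "dynamodb:LeadingKeys": ["${www.amazon.com:user_id}"],
                # attribute level: only these attributes may be read or written
                "dynamodb:Attributes": ["UserId", "GameTitle", "TopScore"],
            }
        },
    }],
}


def render_policy(policy, identity):
    """Substitute ${provider:claim} policy variables with the federated
    identity's claim values (unknown variables are left untouched)."""
    text = json.dumps(policy)

    def sub(match):
        value = identity.get(match.group(1))
        # escape the value as a JSON string fragment before splicing it in
        return json.dumps(value)[1:-1] if value is not None else match.group(0)

    return json.loads(re.sub(r"\$\{([^}]+)\}", sub, text))


def is_allowed(policy, identity, action, resource, hash_keys, attributes):
    """Toy evaluator (not IAM): an Allow statement matches when the action and
    resource are listed and, under ForAllValues:StringEquals, every hash key
    and every attribute in the request belongs to the policy's set."""
    for st in render_policy(policy, identity)["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if action not in st["Action"] or resource not in st["Resource"]:
            continue
        cond = st.get("Condition", {}).get("ForAllValues:StringEquals", {})
        if "dynamodb:LeadingKeys" in cond and not set(hash_keys) <= set(cond["dynamodb:LeadingKeys"]):
            continue
        if "dynamodb:Attributes" in cond and not set(attributes) <= set(cond["dynamodb:Attributes"]):
            continue
        return True
    return False


if __name__ == "__main__":
    # constructed identity as it would arrive after web identity federation
    me = {"www.amazon.com:user_id": "amzn1.account.AEXAMPLE"}
    print(json.dumps(render_policy(FGAC_POLICY, me), indent=2))
    print("own item:   ", is_allowed(FGAC_POLICY, me, "dynamodb:GetItem", TABLE_ARN,
                                     ["amzn1.account.AEXAMPLE"], ["UserId", "TopScore"]))
    print("other item: ", is_allowed(FGAC_POLICY, me, "dynamodb:GetItem", TABLE_ARN,
                                     ["amzn1.account.AOTHER"], ["UserId"]))
```

The point the toy makes visible is that the scoping lives in the policy, not in application code: the same statement serves every federated user because the variable is resolved per request, and an attribute outside the listed set is refused even for the caller's own item.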
Control
• AWS Staff Access
– Staff vetting
– Staff has no logical access to customer instances
– Staff control-plane access limited & monitored
  • Bastion hosts
  • Least-privilege model
– Zoned data center access
  • Business needs
  • Separate PAMS
Control
• Shared Responsibility – Let AWS do the heavy lifting
– Focus on your business
• AWS
– Facility operations
– Physical security
– Physical infrastructure
– Network infrastructure
– Virtualization infrastructure
– Hardware lifecycle management
• Customer
– Choice of guest OS
– Application configuration options
– Account management flexibility
– Security groups
– ACLs
– Identity management
Control
• Your data stays where you put it
Australia
Control
• Encryption – Customers choose the solution that’s right for them
  • Regulatory
  • Contractual
  • Best practices
– Options
  • Automated – AWS manages encryption for the customer
  • Enabled – customer manages encryption using AWS services
  • Client-side – customer manages encryption using their own means
Control: AWS CloudHSM
• Managed and monitored by AWS, but you control the keys
• Increase performance for applications that use HSMs for key storage or encryption
• Comply with stringent regulatory and contractual requirements for key protection
[Diagram: EC2 instance connected to AWS CloudHSM]
AWS IAM: Recent Innovations
Securely control access to AWS services and resources
• Delegation
– Roles for Amazon EC2
– Cross-account access
• Powerful integrated permissions
– Resource level permissions: Amazon EC2, Amazon RDS, Amazon DynamoDB, AWS CloudFormation
– Access control policy variables
– Policy Simulator
– Enhanced IAM support: Amazon SWF, Amazon EMR, AWS Storage Gateway, AWS CloudFormation, Amazon Redshift, Elastic Beanstalk
• Federation
– Web Identity Federation
– AD and Shibboleth examples
– Partner integrations
– Case study: Expedia
• Strong authentication
– MFA-protected API access
– Password policies
• Enhanced documentation and videos
Authentication Market
• Consumers are demanding stronger authentication
• Banks want to reduce fraud
• Regulators are requiring banks to implement stronger PKI-based authentication
Entersekt’s Transakt Product End-to-End
[Diagram: the user’s web browser and the user’s mobile with Transakt connect through the Entersekt Cloud Router and Entersekt Security Gateway (an auto scaling group spanning AZ-USE1a and AZ-USE1d, backed by CloudHSM) to the bank’s firewall and bank web server; mutually secured channel using the Entersekt system]
Why the Cloud?
• AWS CloudHSM
– We issue X.509 certificates securely from AWS
– We augment the entropy generation on the phone
– Only Entersekt has access to the keys in CloudHSM – AWS does not
• Mobile phone connections fronted by AWS cloud
– Mitigates DDoS attacks
– Manages large number of persistent connections
– Maintains end-to-end encryption between enterprise and phone
Entersekt’s Track Record: Global Top 500 Banking Customer, 2012 – 450 000 users
[Chart: fraud attempts vs. fraud, 30 Jan to 30 Jun (y-axis 0–80), with the Entersekt go-live date marked]
Nedbank sees 99% reduction in phishing losses
Nedbank reports a 99% reduction in phishing losses since launching its internet banking security feature, Approve-it.
Source: businesstech.co.za
Entersekt in Action
IDC Survey
Attitudes and Perceptions Around Security and Cloud Services
Nearly 60% of organizations agreed that CSPs [cloud service providers] provide better security than their own IT organizations.
Source: IDC 2013 U.S. Cloud Security Survey, doc #242836, September 2013
What to Watch for This Week
• Key Sessions to See
– SEC201 – Access Control for the Cloud: AWS Identity & Access Management
– SEC203 – Security Assurance & Governance in AWS
– SEC205 – Cybersecurity Engineers: You’re More Secure in the Cloud!
– SEC304 – Encryption & Key Management in AWS
– SEC305 – DDOS Resiliency with AWS
– SEC402 – Intrusion Detection in the Cloud
– CPN401 – A Day in the Life of a Billion Packets
Come talk security with AWS!
• When: Thursday 11/14, 4:00-6:00 PM
• Where: Toscana 3605
or
• AWS Booth
– Wednesday 10:30 AM – 5:30 PM
– Thursday 10:30 AM – 6:30 PM
– Friday 9:00 AM – Noon
or
• https://aws.amazon.com/security
We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance.