shared-responsibilitysecurity-roadshowlondon-160317131610.pptx

Uploaded by aalshrif, 37 slides, May 21, 2024

Slide Content

The AWS Shared Security Responsibility Model in Practice
Dave Walker, Specialist Solutions Architect, Security and Compliance
16/03/16

AWS Global Footprint

Regions: US West (N. California), US West (Oregon), GovCloud, US East (Virginia), EU West (Ireland), EU Central (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Seoul), China (Beijing), São Paulo

Region: an independent collection of AWS resources in a defined geography. A solid foundation for meeting location-dependent privacy and compliance requirements.

Availability Zone: designed as independent failure zones, physically separated within a typical metropolitan region.

Edge Location: collections of servers in geographically dispersed data centers that deliver content to end users with lower latency.

12 Regions, 33 Availability Zones, 54 Edge Locations. Over 1 million active customers. Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.

Data Locality
Customer chooses where to place data. AWS regions are geographically isolated by design. Data is not replicated to other AWS regions and doesn't move unless you choose to move it.

Shared Responsibility: Who manages which parts?

AWS Shared Responsibility Model

AWS is responsible for the security OF the Cloud:
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Customers are responsible for their security and compliance IN the Cloud:
- Customer content
- Platform, Applications, Identity & Access Management
- Operating System, Network & Firewall Configuration
- Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection

AWS Shared Responsibility Model – Deep Dive
Will one model work for all services? Three service types: Infrastructure Services, Container Services, Abstract Services.

AWS Shared Responsibility Model: for Infrastructure Services

Managed by AWS:
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
- AWS IAM
- Optional: opaque data, 1's and 0's (in transit / at rest)

Managed by customers:
- Customer content
- Platform & Applications Management
- Customer IAM
- Operating System, Network & Firewall Configuration
- Client-side data encryption & data integrity authentication
- Server-side encryption (file system and/or data)
- Network traffic protection (encryption / integrity / identity)

Infrastructure Service Example – EC2

AWS responsibilities: Foundation Services (Networking, Compute, Storage); AWS Global Infrastructure; AWS IAM; AWS API Endpoints.

Customer responsibilities: Customer Data; Customer Application; Operating System; Network & Firewall; Customer IAM; High Availability and Scaling; Instance Management; Data Protection (Transit, Rest, Backup).

AWS Shared Responsibility Model: for Container Services

Managed by AWS:
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
- AWS IAM
- Operating System, Network Configuration
- Platform & Applications Management
- Optional: opaque data, 1's and 0's (in transit / at rest)

Managed by customers:
- Customer content
- Customer IAM
- Firewall Configuration
- Client-side data encryption & data integrity authentication
- Network traffic protection (encryption / integrity / identity)

Container Service Example – RDS

AWS responsibilities: Foundational Services (Networking, Compute, Storage); AWS Global Infrastructure; AWS IAM; AWS API Endpoints; Operating System; Platform / Application.

Customer responsibilities: Customer Data; Firewall (VPC); Customer IAM (DB Users, Table Permissions); High Availability; Scaling; Data Protection (Transit, Rest, Backup).

AWS Shared Responsibility Model: for Abstract Services

Managed by AWS:
- AWS Foundation Services: Compute, Storage, Database, Networking
- AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
- AWS IAM
- Operating System, Network & Firewall Configuration
- Platform & Applications Management
- Data protection by the platform: protection of data at rest
- Network traffic protection by the platform: protection of data in transit

Managed by customers:
- Customer content
- Optional: opaque data, 1's and 0's (in flight / at rest)
- Client-side data encryption & data integrity authentication

Abstract Service Example – S3

AWS responsibilities: Foundational Services; AWS Global Infrastructure; AWS IAM; AWS API Endpoints; Operating System; Platform / Application; Data Protection (Rest – SSE, Transit); High Availability / Scaling.

Customer responsibilities: Customer Data; Data Protection (Rest – CSE).

Summary of Customer Responsibility in the Cloud

Infrastructure Services    Container Services    Abstract Services
Data                       Data                  Data
Applications               Firewall              AWS IAM
Operating System           Customer IAM
Networking/Firewall        AWS IAM
Customer IAM
AWS IAM

Shared Responsibility: What about security OF the cloud?

Security Shared Responsibility Model
AWS is responsible for the security OF the cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations).

Auditing – Comparison: on-prem vs on AWS

On-prem                                                  On AWS
Start with bare concrete                                 Start on a base of accredited services
Functionally optional – you can build a secure           Functionally necessary – high watermark of
  system without it                                        requirements
Audits done by an in-house team                          Audits done by third-party experts
Accountable to yourself                                  Accountable to everyone
Typically check once a year                              Continuous monitoring
Workload-specific compliance checks                      Compliance approach based on all workload scenarios
Must keep pace and invest in security innovation         Security innovation drives broad compliance

What this means
- You benefit from an environment built for the most security-sensitive organizations
- AWS manages 1,800+ security controls so you don't have to
- You get to define the right security controls for your workload sensitivity
- You always have full ownership and control of your data

AWS Assurance Programs

Built on AWS consistent baseline controls (AWS Foundation Services: Compute, Storage, Database, Networking; AWS Global Infrastructure: Regions, Availability Zones, Edge Locations), customers meet their own security objectives:
- Your own external audits
- Your own accreditation
- Your own certifications
Customer scope and effort is reduced, with better results through focused efforts.

Navigating Shared Responsibility
Achieving accreditation or certification on AWS is possible, but how can we help?

Shared Responsibility & Security By Design

Phase 1. Outline your requirements: outline your policies and the controls you inherit from AWS; document the controls you own and operate on AWS.
Phase 2. Build a Golden Environment: define your AWS resources and controls as code.
Phase 3. Enforce with the use of templates: templates are presented to users within Service Catalogue as Products within Portfolios.
Phase 4. Perform validation checks: deploying your environment through Service Catalogue from Gold Templates makes your environment audit-ready.
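Phases 2 and 4 above are where the customer-owned controls from the responsibility matrices (server-side encryption at rest, firewall configuration) become concrete. The following is an added example, not code from the deck, from GoldBase or from AWS: it validates a CloudFormation template, as a golden template would be before it is published to Service Catalogue, against a small constructed control list. The template, the control list and the choice of 22/3389 as "admin ports" are assumptions made for illustration.

```python
"""Golden-template validation check (added example; not from the deck or AWS).

Phase 2 defines controls as code (a CloudFormation template); this script is a
Phase 4 style check run against the template before it reaches Service Catalog.
The control list and the sample template below are constructed for illustration
and are not AWS guidance.
"""
import ipaddress
import json

# Assumption: SSH and RDP are the ports that must never be open to the world.
ADMIN_PORTS = {22, 3389}


def _ingress_open_to_world(rule):
    """True if a security-group ingress rule admits an admin port from any address."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if cidr is None:
        return False  # rule references another SG or prefix list, not a CIDR
    world = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    if str(rule.get("IpProtocol", "")) == "-1":
        return world  # "-1" means all protocols and all ports
    lo = int(rule.get("FromPort", 0))
    hi = int(rule.get("ToPort", 65535))
    return world and any(lo <= p <= hi for p in ADMIN_PORTS)


def validate_template(template):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})
        if rtype == "AWS::RDS::DBInstance" and not props.get("StorageEncrypted", False):
            findings.append(f"{name}: RDS instance without StorageEncrypted (data at rest)")
        elif rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append(f"{name}: S3 bucket without BucketEncryption (SSE at rest)")
        elif rtype == "AWS::EC2::Volume" and not props.get("Encrypted", False):
            findings.append(f"{name}: EBS volume not encrypted (data at rest)")
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if _ingress_open_to_world(rule):
                    findings.append(
                        f"{name}: ingress open to the world on an admin port "
                        f"({rule.get('IpProtocol')} {rule.get('FromPort')}-{rule.get('ToPort')})"
                    )
    return findings


# Constructed sample template: one compliant and one non-compliant resource of
# each kind, plus a bastion security group with one good and one bad rule.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "GoodBucket": {"Type": "AWS::S3::Bucket",
      "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "BadBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "GoodDb": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t2.micro",
                     "AllocatedStorage": "20", "StorageEncrypted": true}},
    "BadDb": {"Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t2.micro",
                     "AllocatedStorage": "20"}},
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {"GroupDescription": "bastion", "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}}
  }
}
""")

if __name__ == "__main__":
    for finding in validate_template(SAMPLE_TEMPLATE):
        print(finding)
```

The check deliberately works on the template rather than on a deployed stack, so it can run in a pipeline before the template becomes a Service Catalogue product; a failing template never reaches users. It covers only controls the customer owns in the matrices above (encryption at rest on EC2 volumes, RDS and S3, and the firewall configuration); nothing here checks controls AWS operates, which is the point of the model.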

GoldBase — Security Control Responsibility Matrix (NIST SP 800-53 rev. 4 security control matrix)

GoldBase — Architecture Diagrams

GoldBase — CloudFormation Templates

GoldBase — Additional Resources

Getting help — AWS Compliance

Workbooks: IT Grundschutz (TUV Trust IT); CESG UK Security Principles; PCI Workbook (Anitian); Audit Checklists
Whitepapers: EU Data Protection; Risk & Compliance; Overview of Security Processes; FERPA; FAQs on PCI, HIPAA, EU Data Protection, ISO 27001, ISO 9001, etc.
Training: eLearning – Security Fundamentals, 3-hour free online course; Instructor-Led Training – 3-day course for Security Professionals; Qwiklab – Security & Auditing self-paced lab
Security Blog: http://blogs.aws.amazon.com/security/

Helpful Resources
- Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
- Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
- Compliance Center Website: https://aws.amazon.com/compliance
- Security Center: https://aws.amazon.com/security
- Security Blog: https://blogs.aws.amazon.com/security/
- AWS Audit Training: [email protected]

aws compliance @amazon.com

Dave Walker, Specialist Solutions Architect, Amazon Web Services
Thank You