An Evolving Security Landscape
Security Patterns in the Cloud
Bill Shinn – AWS Principal Security Solutions Architect
Cloud focuses on differentiation
Global Industry Observations
Regulatory compliance continues to drive expense.
A desire for increased wallet share is driving a focus on innovation.
Increasing amounts of data, finite resources for analytics.
Digitization and disruptive technology are accelerating transformation.
Reasons Cloud Computing is Gaining Traction in FinServ
Move from risk-laden up-front expense to flexible variable expense.
Stop guessing at capacity planning.
Go global in minutes.
Remove complicated infrastructure management that adds little business value.
Lower the time spent on infrastructure.
Dedicate more resources to innovation.
Concentrate on new business initiatives.
What is Amazon Web Services?
Administration & Security: Access Control, Identity Management, Key Management & Storage, Monitoring & Logs, Resource & Usage Auditing
Platform Services (Analytics, App Services, Developer Tools & Operations, Mobile Services): Data Pipelines, Data Warehouse, Hadoop, Real-time Streaming Data, Machine Learning, Application Lifecycle Management, Containers, Deployment, DevOps, Event-driven Computing, Resource Templates, Identity, Mobile Analytics, Push Notifications, Sync, App Streaming, Email, Queuing & Notifications, Search, Transcoding, Workflow
Core Services: CDN, Compute (VMs, Auto-scaling, and Load Balancing), Databases (Relational, NoSQL, and Caching), Networking (VPC, DX, and DNS), Storage (Object, Block, EFS, and Archival)
Infrastructure: Availability Zones, Points of Presence, Regions
Enterprise Applications: Business Email, Sharing & Collaboration, Virtual Desktop
Technical & Business Support: Account Management, Partner Ecosystem, Professional Services, Security & Pricing Reports, Solutions Architects, Support, Training & Certification
Global Footprint
12 Regions (10 Public, China Region and GovCloud Region)
2016 – Canada, Ohio, India, UK and another China Region
32 Availability Zones (adding 11 more in 2016 across new Regions)
55+ Edge locations
Over 1 million active customers across 190 countries
900+ Government Agencies & 3,400+ Educational Institutions
1,000+ Financial Services Organizations
Every day, AWS adds enough new server capacity to support Amazon.com when it was a $7 billion global enterprise.
[Map: Regions and Edge locations]
Leveraged by Financial Services Institutions & Enterprises Worldwide
Cloud Security – What’s different & what’s the same?
Security is a shared responsibility.
AWS is responsible for the security OF the Cloud:
AWS Foundation Services – Compute, Storage, Database, Networking
AWS Global Infrastructure – Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
Customer content
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall Configuration
Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
Accreditation & Compliance, Old and New
Old world
• Functionally optional (you can build a secure system without it)
• Audits done by an in-house team
• Accountable to yourself
• Must maintain talent and keep pace
• Check typically once a year
• Workload-specific compliance checks
New world
• Functionally necessary – high watermark of requirements
• Audits done by third party experts
• Accountable to everyone
• Superior security drives broad compliance
• Continuous monitoring
• Compliance approach based on all workload scenarios
Move Fast OR Stay Secure
Move Fast AND Stay Secure
Making life easier
Choosing security does not mean giving up on convenience or introducing complexity.
Strengthen your security posture
Get native functionality and tools at no additional charge.
Over 30 global compliance certifications and accreditations.
Leverage security enhancements gleaned from 1M+ customer experiences.
Benefit from AWS industry-leading security teams 24/7, 365 days a year.
Security infrastructure built to satisfy military, global banks, and other high-sensitivity organizations.
Access a deep set of cloud security tools
Encryption: Key Management Service, CloudHSM, Server-side Encryption
Networking: Virtual Private Cloud, Web Application Firewall
Compliance: Config, CloudTrail, Service Catalog
Identity: IAM, Active Directory Integration, SAML Federation
AWS Accreditations and Security Assurance Programs
ISO 9001
SOC 3
SOC 2
ISO 27001
ISO 27017
PCI DSS Level 1
ISO 27018
SOC 1 / ISAE 3402
GxP
HIPAA
ITAR
FERPA
FISMA, RMF, and DIACAP
FedRAMP
Section 508 / VPAT
DoD SRG Levels 2 & 4
FIPS 140-2
CJIS
Cloud Security Alliance
MPAA
NIST
MLPS Level 3
G-Cloud
IT-Grundschutz
MTCS Tier 3
IRAP
Cyber Essentials Plus
Evolving the Practice of Security Architecture
Current Security Architecture Practice – security architecture as a separate function can no longer exist:
• Static position papers, architecture diagrams & documents
• UI-dependent consoles and “pane of glass” technologies
• Auditing, assurance, and compliance are decoupled, separate processes
Evolved Security Architecture Practice – security architecture can now be part of the ‘maker’ team:
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions account for automation
• Solution architectures are living audit/compliance artifacts and evidence in a closed loop
Cloud Security – Design Patterns
Non-Persistent Platforms
Auto-scaling groups ensure that capacity stays predictable while you rotate out portions of the environment. You can also swap out the base AMI in an auto-scaling launch configuration with a freshly patched one, then progressively terminate the stale instances.
This changes the paradigm of what a target or attack surface looks like. Automation around Amazon Machine Image creation and bootstrapping with tools like AWS OpsWorks, Amazon Elastic Beanstalk, Chef or Puppet means you can constantly lay down a moving target.
Services: AWS Elastic Compute Cloud + Amazon Auto-scaling Groups
Agile Network Architecture
Update and change private network addressing, subnets, route tables and administrative control of network functions to move systems and applications in response to vulnerabilities, regulatory changes, project partnerships, etc.
Use named security groups to logically control access between systems of like trust or based on data classification. The security attributes of a system move with it, independent of network location. Relocate systems via API call to address a changing threat environment.
Services: Amazon VPC + Security Groups
Standardized Environments & Change Detection
Interrogate and describe the entire environment with the Java, Python, .NET, Ruby, PHP or Node.js SDKs. Detect change in the standardized environment programmatically and integrate with existing asset and SIEM workflows.
Use CloudFormation to create an environment that mirrors your security standards. One API call results in hardened AMIs with base security controls installed, predictable firewall and network configuration, and appropriately defined access and roles.
Services: AWS SDKs + AWS CloudFormation
Managing Change at Scale
Config tracks all changes to core infrastructure in a time-series view and reflects the relationships impacted by each change. Use built-in or custom Config Rules to respond to changes in configuration.
Services: AWS Config + AWS Config Rules
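The custom-rule half of this pattern, as an added example that is not code from the deck: the evaluation logic a Config custom rule Lambda runs against a security group configuration item, flagging SSH or RDP open to the whole Internet. The restricted-port list is an assumed organisational standard, and only lambda_handler needs AWS credentials.

```python
"""Custom AWS Config rule logic (added example, not the deck's code): flag security
groups exposing SSH (22) or RDP (3389) to the Internet. evaluate_* runs offline."""
import json

RESTRICTED_PORTS = (22, 3389)            # assumption: the organisation's own standard
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def _covers_port(perm, port):
    """True if one ipPermissions entry (Config's camelCase schema) reaches `port`."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                      # all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:           # tcp with no range: treat as every port
        return True
    return lo <= port <= hi

def evaluate_security_group(configuration):
    """Return (complianceType, annotation) for one security group's configuration."""
    findings = []
    for perm in configuration.get("ipPermissions", []):
        cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        world = sorted(c for c in cidrs if c in WORLD_CIDRS)
        for port in RESTRICTED_PORTS:
            if world and _covers_port(perm, port):
                findings.append(f"port {port} open to {','.join(world)}")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)
    return "COMPLIANT", "no restricted port is open to the world"

def evaluate_compliance(event):
    """Turn a Config invocation event into the Evaluation dict PutEvaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        verdict = ("NOT_APPLICABLE", "rule only evaluates security groups")
    elif item.get("configurationItemStatus") == "ResourceDeleted":
        verdict = ("NOT_APPLICABLE", "resource deleted")
    else:
        verdict = evaluate_security_group(item.get("configuration") or {})
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": verdict[0], "Annotation": verdict[1],
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Lambda entry point: report the verdict back to AWS Config (needs credentials)."""
    import boto3                           # imported here so the pure logic runs offline
    boto3.client("config").put_evaluations(
        Evaluations=[evaluate_compliance(event)], ResultToken=event["resultToken"])
```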
Consolidated API Logging
CloudTrail provides increased visibility into your user activity by recording AWS API calls. Integration with Amazon SNS and ecosystem partners facilitates analytics. Logging is provided up and down the stack in one place (storage, networking, instances, identity). Amazon S3 and Glacier provide a log archival solution with life-cycle management.
Services: AWS CloudTrail & CloudWatch Events + Amazon S3 + Glacier
Instance Identity
Identity and Access Management roles for EC2 instances provide entitlements to the instance itself. The Security Token Service generates unique credentials for the role and constantly rotates an additional token. Credentials are presented through a RESTful metadata service accessible only on the local host, and can be used by apps that need to call AWS APIs, retrieve data from S3, etc. Native integration with SDKs and CLI tools.
Services: Security Token Service + Identity Management
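As an added example serving both the Consolidated API Logging and Instance Identity slides (not code from the deck): a small triage pass over CloudTrail records that separates the issuing role from the session name and flags write API calls made with instance-role credentials obtained from the metadata service, which an application role should rarely need. The records, account ID, role name and instance ID are constructed.

```python
"""Triage CloudTrail records (added example, not the deck's code): name the real principal
behind each call and flag write API calls made with EC2 instance-role credentials."""
import json

# Constructed sample trail in the CloudTrail record shape; account, role and instance IDs are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "readOnly": True, "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc123",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "AppRole"},
                                         "ec2RoleDelivery": "1.0"}}},
    {"eventTime": "2016-03-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc123",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "AppRole"},
                                         "ec2RoleDelivery": "1.0"}}},
    {"eventTime": "2016-03-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "readOnly": False, "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

def principal_of(identity):
    """Collapse a userIdentity block to (kind, role-or-user name, session name)."""
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        session = identity.get("arn", "").rsplit("/", 1)[-1]   # instance ID for EC2 roles
        return "AssumedRole", issuer.get("userName", "?"), session
    return identity.get("type", "?"), identity.get("userName", "?"), ""

def is_instance_role_session(identity):
    """True when the role credentials came from the EC2 metadata service: CloudTrail marks
    such sessions with ec2RoleDelivery and names the session after the instance."""
    kind, _, session = principal_of(identity)
    ctx = identity.get("sessionContext", {})
    return kind == "AssumedRole" and ("ec2RoleDelivery" in ctx or session.startswith("i-"))

def flag_instance_role_writes(trail_json):
    """One finding per non-read-only call made with instance-role credentials.
    Records without a readOnly flag are treated as writes (conservative)."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec["userIdentity"]
        if rec.get("readOnly", False) or not is_instance_role_session(ident):
            continue
        _, role, instance = principal_of(ident)
        findings.append({"time": rec["eventTime"], "role": role, "instance": instance,
                         "api": rec["eventSource"] + ":" + rec["eventName"],
                         "source_ip": rec["sourceIPAddress"]})
    return findings
```

Findings can be published to an SNS topic or forwarded to the SIEM, matching the SNS integration the slide describes.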
