Data security is a paramount concern for financial services firms. This session discusses how Fidelity Investments uses Amazon S3 with server-side encryption with customer-provided keys (SSE-C) to protect critical information, and the firm's use of other AWS services, including AWS Elastic Beanstalk, Elastic Load Balancer, and Amazon DynamoDB. Fidelity Investments is one of the largest mutual fund and financial services groups in the world. Fidelity manages a large family of mutual funds, provides fund distribution and investment advice services, and also provides discount brokerage services, retirement services, wealth management, securities execution and clearance, life insurance and a number of other services.
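The SSE-C model the session describes is worth seeing concretely: S3 encrypts the object with a 256-bit key the caller supplies on every request and never stores the key, so the same key (and its MD5 checksum) must accompany every PUT, GET and HEAD of the object. The example below is added here and is not Fidelity's code; it builds the three SSE-C headers S3 documents, shows the equivalent boto3 parameters, and validates a header set the way the service does (key length and checksum). The bucket and object names in `put_and_get` are placeholders.

```python
import base64
import hashlib
import secrets

SSEC_ALGORITHM = "AES256"  # the only algorithm S3 accepts for SSE-C


def generate_ssec_key() -> bytes:
    """A fresh 256-bit key. S3 discards it after each request, so the caller must keep it
    (in the session's own key store, not alongside the object)."""
    return secrets.token_bytes(32)


def ssec_headers(key: bytes) -> dict:
    """The SSE-C request headers S3 expects; the MD5 lets S3 detect a corrupted key in transit."""
    if len(key) != 32:
        raise ValueError("SSE-C key must be exactly 32 bytes (256 bits)")
    return {
        "x-amz-server-side-encryption-customer-algorithm": SSEC_ALGORITHM,
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5": base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def ssec_boto3_params(key: bytes) -> dict:
    """Keyword arguments for boto3's put_object/get_object; boto3 base64-encodes the key and adds the MD5 itself."""
    if len(key) != 32:
        raise ValueError("SSE-C key must be exactly 32 bytes (256 bits)")
    return {"SSECustomerAlgorithm": SSEC_ALGORITHM, "SSECustomerKey": key}


def verify_ssec_headers(headers: dict) -> bool:
    """Server-side view of the check: the key must be 32 bytes and match its MD5 header."""
    try:
        key = base64.b64decode(headers["x-amz-server-side-encryption-customer-key"], validate=True)
        sent_md5 = base64.b64decode(headers["x-amz-server-side-encryption-customer-key-MD5"], validate=True)
    except (KeyError, ValueError):
        return False
    if headers.get("x-amz-server-side-encryption-customer-algorithm") != SSEC_ALGORITHM or len(key) != 32:
        return False
    return hashlib.md5(key).digest() == sent_md5


def put_and_get(bucket: str, object_key: str, body: bytes, key: bytes) -> bytes:
    """Round-trip through S3 (placeholder bucket/object names; needs credentials and network)."""
    import boto3  # imported lazily so the rest of the module works offline

    s3 = boto3.client("s3")
    s3.put_object(Bucket=bucket, Key=object_key, Body=body, **ssec_boto3_params(key))
    # A GET without the same key is refused by S3: the object is unreadable without it.
    return s3.get_object(Bucket=bucket, Key=object_key, **ssec_boto3_params(key))["Body"].read()
```

The operational consequence is the one the threat tables later rely on: losing the key loses the object, and compromising the bucket alone yields only ciphertext, which is why the key-generating service is kept separate from the storage tier.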
13. Architecture diagram (components recovered from the slide):

DynamicSecurityModule (PHP service / FidelityVDC): generates encryption keys using the AES-256 cipher; the keys are used to encrypt and decrypt files.
Core Service (Node.JS / AWS EC2): encrypts documents and data for persistent storage and decrypts them for the presentation layer; registers new users, handles password resets and user profile management; authenticates and authorizes users ("Is the user a valid user?").
Customer-facing interface (JavaScript, EC2): upload and download of documents.
Admin interface (JavaScript, EC2): add new users, manage system users.
Simple Email Service: sends emails for account signup, password resets, file sharing notices, etc.
Twilio: SMS/voice for multi-factor authentication.
S3: stores encrypted documents and metadata.
CloudFiles: redundant document storage.
Cloudant: stores document metadata and customer account information.

Flows shown on the diagram: Customers upload/download documents; Admins manage users/admins; Core Service gets the encryption key from the DSM, encrypts and stores documents, gets customer documents, registers and authenticates users, notifies users and sends email to users.
30. Threat model (the Threat column uses STRIDE letters: S spoofing, T tampering, R repudiation, I information disclosure, D denial of service, E elevation of privilege)

| Component | Threat | Mitigation |
| --- | --- | --- |
| End User | S | Form Authentication; Multi-factor Authentication |
| End User | RD | Not Applicable |
| Admin (Jump Box) | S | SSH UserName/Password; Multi-factor Authentication |
| Admin (Jump Box) | RD | Not Applicable |
| Twilio | S | Shared Access Key |
| Twilio | RD | No fallback SMS service, but Fidsafe Auth falls back to Security Questions. |
| SES (Email) | S | Shared Access Key |
| SES (Email) | RD | No fallback. Messages are sent asynchronously. |

31. Threat model (continued)

| Component | Threat | Mitigation |
| --- | --- | --- |
| DSM | S | HTTPS SSL Server Authentication |
| DSM | E | Low Privileged Account |
| DSM | TRID | All PHP files are read only (for non-root) and owned by root |
| Core Service | S | HTTPS SSL/TLS Server Authentication |
| Core Service | E | Low Privileged Account, Node (non-root user) |
| Core Service | TRID | Permissions on Node.JS application files 644 |
| Web UI | S | Forms Authentication over HTTPS; SMS or Preference Based Security Question |
| Web UI | E | Running as logged-in user |
| Web UI | TRID | Default permissions (User has no permissions to Framework binaries) |
| Mobile App | S | Digital Signature provides authenticity and tamper detection |
| Mobile App | E | Default container defenses provide least privilege |
| Mobile App | TRID | Digital Signature provides authenticity and tamper detection |

32. Threat model (continued)

| Component | Threat | Mitigation |
| --- | --- | --- |
| Cloudant | TID | Database Permission (Read, Write, Delete) for CRUD operations. |
| CloudFiles | TID | Shared Access Key; All data bits are encrypted; Hashes stored separately in Cloudant |
| S3 | TID | Shared Access Key; All data bits are encrypted; Hashes stored separately in Cloudant |
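The storage-tier mitigations in the table (encrypted blobs in S3 with a redundant copy in CloudFiles, hashes kept separately in Cloudant) are the kind of design that is easier to reason about in code. The example below is added here and is not Fidelity's code: in-memory dictionaries stand in for the two object stores and the metadata store, the ciphertext is a constructed byte string (the Core Service's encryption step is outside this example), and the `DocumentStore` class and its method names are assumptions. It shows why the detached hash matters: a blob altered in one store fails verification, the redundant copy is used if it still verifies, and tampering with both copies is detected rather than served.

```python
import hashlib
import hmac


class IntegrityError(Exception):
    """Raised when every stored copy of a blob fails to match the hash recorded for it."""


class DocumentStore:
    """Encrypted blobs go to two object stores (stand-ins for S3 and CloudFiles); the SHA-256 of each
    blob goes to a separate metadata store (stand-in for Cloudant). Tampering with a blob is only
    invisible if the attacker can also rewrite the metadata store, which has its own permissions."""

    def __init__(self):
        self.primary = {}    # constructed stand-in for S3 (object key -> ciphertext)
        self.redundant = {}  # constructed stand-in for CloudFiles
        self.metadata = {}   # constructed stand-in for Cloudant (doc id -> owner, hash, size)

    def store(self, doc_id: str, ciphertext: bytes, owner: str) -> str:
        """Write the (already encrypted) blob to both stores and its hash to the metadata store."""
        digest = hashlib.sha256(ciphertext).hexdigest()
        self.primary[doc_id] = ciphertext
        self.redundant[doc_id] = ciphertext
        self.metadata[doc_id] = {"owner": owner, "sha256": digest, "size": len(ciphertext)}
        return digest

    def can_read(self, doc_id: str, requester: str) -> bool:
        """Authorization is decided from the metadata record, not from the blob stores."""
        meta = self.metadata.get(doc_id)
        return meta is not None and meta["owner"] == requester

    def audit(self, doc_id: str) -> dict:
        """Per-store integrity status: True (matches), False (mismatch) or None (copy missing)."""
        expected = self.metadata[doc_id]["sha256"]
        report = {}
        for name, store in (("primary", self.primary), ("redundant", self.redundant)):
            blob = store.get(doc_id)
            if blob is None:
                report[name] = None
            else:
                # compare_digest avoids leaking how many bytes of the digest matched
                report[name] = hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected)
        return report

    def fetch(self, doc_id: str, requester: str) -> bytes:
        """Return the first copy whose hash matches the metadata; never serve an unverified blob."""
        if not self.can_read(doc_id, requester):
            raise PermissionError(f"{requester} may not read {doc_id}")
        expected = self.metadata[doc_id]["sha256"]
        seen_any = False
        for store in (self.primary, self.redundant):
            blob = store.get(doc_id)
            if blob is None:
                continue
            seen_any = True
            if hmac.compare_digest(hashlib.sha256(blob).hexdigest(), expected):
                return blob
        if not seen_any:
            raise FileNotFoundError(doc_id)
        raise IntegrityError(f"{doc_id}: no stored copy matches the recorded hash")
```

Because the hash is computed over the ciphertext, the check runs before any decryption and without access to the customer's key, so an audit job with read-only access to the stores can run it on a schedule.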
34. Request Processing Stack
HTTPS Transport
IP Filtering
HMAC SHA256 Signing
JSON XSS Filtering
Authentication
Authorization
Exception Handling
Execution
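The stack above lists the layers every request passes through, in order, before any business logic runs. The example below is added here and is not Fidelity's code; it implements that ordering as a single dispatch function with constructed configuration (the allowed network, the shared HMAC secret, the session and role tables, the header names and the route table are all assumptions). HTTPS transport is assumed to be terminated in front of this code. The points it makes visible: the IP filter and signature check run before the body is even parsed, the signature covers method, path, timestamp and body so none can be altered in transit, the comparison is constant-time, JSON string values are HTML-escaped before they reach storage, and the exception layer maps every failure to a status without leaking internals.

```python
import hashlib
import hmac
import html
import ipaddress
import json
from dataclasses import dataclass

# Constructed configuration standing in for the real deployment (assumptions, not FidSafe's values).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]          # IP filtering: trusted caller range
CLIENT_SECRETS = {"fidsafe-web": b"constructed-shared-secret"}   # HMAC signing key per calling tier
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}            # authentication: session -> user
ROLES = {"alice": {"customer"}, "bob": {"admin"}}                 # authorization: user -> roles
ROUTE_ROLES = {("POST", "/documents"): "customer", ("POST", "/admin/users"): "admin"}
MAX_CLOCK_SKEW = 300                                             # seconds a signed request stays valid


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    body: str
    headers: dict


class RequestRejected(Exception):
    """Raised by any layer to stop processing; carries the HTTP status to return."""
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status
        self.reason = reason


def canonical_string(method: str, path: str, timestamp: int, body: str) -> str:
    # Method, path, timestamp and a body digest are all signed, so none can be altered in transit.
    body_digest = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_digest])


def sign(secret: bytes, method: str, path: str, timestamp: int, body: str) -> str:
    return hmac.new(secret, canonical_string(method, path, timestamp, body).encode(), hashlib.sha256).hexdigest()


def ip_filter(req: Request) -> None:
    addr = ipaddress.ip_address(req.client_ip)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        raise RequestRejected(403, "source address not permitted")


def verify_signature(req: Request, now: int) -> None:
    secret = CLIENT_SECRETS.get(req.headers.get("X-Client-Id", ""))
    timestamp = int(req.headers.get("X-Timestamp", "0"))
    if secret is None or abs(now - timestamp) > MAX_CLOCK_SKEW:
        raise RequestRejected(403, "unknown client or stale timestamp")
    expected = sign(secret, req.method, req.path, timestamp, req.body)
    # Constant-time comparison so the check does not leak how many signature bytes matched.
    if not hmac.compare_digest(expected, req.headers.get("X-Signature", "")):
        raise RequestRejected(403, "bad request signature")


def escape_strings(value):
    """JSON XSS filtering: HTML-escape every string so stored values are inert when rendered."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, list):
        return [escape_strings(v) for v in value]
    if isinstance(value, dict):
        return {k: escape_strings(v) for k, v in value.items()}
    return value


def authenticate(req: Request) -> str:
    user = SESSIONS.get(req.headers.get("X-Session", ""))
    if user is None:
        raise RequestRejected(401, "authentication required")
    return user


def authorize(user: str, req: Request) -> None:
    required = ROUTE_ROLES.get((req.method.upper(), req.path))
    if required is None or required not in ROLES.get(user, set()):
        raise RequestRejected(403, "not authorized for this route")


def handle(req: Request, now: int) -> tuple:
    """Run the layers in the slide's order; the exception-handling layer wraps all of them."""
    try:
        ip_filter(req)
        verify_signature(req, now)
        payload = escape_strings(json.loads(req.body))
        user = authenticate(req)
        authorize(user, req)
        return 200, {"user": user, "payload": payload}          # execution layer stands in here
    except RequestRejected as exc:
        return exc.status, {"error": exc.reason}
    except ValueError:                                           # malformed JSON or timestamp
        return 400, {"error": "malformed request"}
    except Exception:                                            # never leak internals to the client
        return 500, {"error": "internal error"}


def signed_request(client_id: str, session: str, client_ip: str, method: str, path: str, body: str, now: int) -> Request:
    """Build a request the way a legitimate caller would, for local checks of the stack."""
    sig = sign(CLIENT_SECRETS[client_id], method, path, now, body)
    headers = {"X-Client-Id": client_id, "X-Timestamp": str(now), "X-Signature": sig, "X-Session": session}
    return Request(client_ip, method, path, body, headers)
```

The clock is passed in as `now` rather than read inside `verify_signature` so the replay window can be exercised deterministically; in production it would be the server's time, and the timestamp check is what turns a captured signed request into a stale one.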