
(SEC201) AWS Security Keynote Address | AWS re:Invent 2014



Security must be at the forefront for any online business. At AWS, security is priority number one. Stephen Schmidt, vice president and chief information security officer for AWS, shares his insights into cloud security and how AWS meets customers' demanding security and compliance requirements, and in many cases helps them improve their security posture. Stephen, with his background with the FBI and his work with AWS customers in government, space exploration, research, and financial services organizations, shares an industry perspective that is unique and invaluable for today's IT decision makers. At the conclusion of this session, Stephen also provides a brief summary of the other sessions available to you in the security track.



  1. JOB ZERO
  2. Job Zero: Network Security, Physical Security, Platform Security, People & Procedures
  3. SHARED
  4. constantly improving: AWS is responsible for the security OF the Cloud (AWS Foundation Services: Compute, Storage, Database, Networking; AWS Global Infrastructure: Regions, Availability Zones, Edge Locations). Standards shown: GxP, ISO 13485, AS9100, ISO/TS 16949
  5. Shared responsibility: AWS is responsible for the security OF the Cloud (AWS Foundation Services: Compute, Storage, Database, Networking; AWS Global Infrastructure: Regions, Availability Zones, Edge Locations). Customers are responsible for security IN the Cloud and have their choice of security configurations: customer applications & content; Platform, Applications, Identity & Access Management; Operating System, Network, & Firewall Configuration; Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
  6. FAMILIAR
  7. familiar – Agility
  10. Visible
  11. You are making API calls... on a growing set of services around the world... AWS CloudTrail is continuously recording API calls... and delivering log files to you (AWS CloudTrail; services shown: Redshift, AWS CloudFormation, AWS Elastic Beanstalk)
  12. Use cases enabled by CloudTrail
  13. CloudTrail Regional Availability
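What "delivering log files to you" looks like on the receiving end, as an added example (not code from the talk or from AWS): a small triage script run over one delivered CloudTrail file. The records are constructed by hand in the shape CloudTrail delivers (a JSON object with a "Records" array); the account ID 123456789012, user names, trail name and IP addresses are fictional, and the rule set and the AccessDenied threshold are assumptions made for the example, not an AWS-published list.

```python
"""Triage a delivered CloudTrail log file for security-relevant API calls.

Added example, not code from the talk. The records below are constructed by hand
in the shape CloudTrail delivers (a JSON object with a "Records" array); the
account ID 123456789012, names and IP addresses are fictional.
"""
import gzip
import json
from collections import Counter

# CloudTrail control-plane calls that blind the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
# IAM calls that grant or extend access (assumed watch-list for the example).
IAM_PRIVILEGE_CHANGES = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                         "PutRolePolicy", "CreateAccessKey", "CreateLoginProfile"}
ACCESS_DENIED_THRESHOLD = 3  # per principal per file; tune to what is normal for you


def load_trail(path):
    """Read one delivered file (plain .json or .json.gz) and return its records."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def principal_of(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown")


def world_open_ingress(rec):
    """True if an AuthorizeSecurityGroupIngress request includes 0.0.0.0/0 or ::/0."""
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" or r.get("cidrIpv6") == "::/0" for r in ranges):
            return True
    return False


def triage(records):
    """Return findings as (severity, rule, eventTime, principal, detail) tuples."""
    findings, denied = [], Counter()
    for rec in records:
        name, source, who = rec.get("eventName"), rec.get("eventSource"), principal_of(rec)
        when, ip = rec.get("eventTime"), rec.get("sourceIPAddress")
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(("HIGH", "root-account-usage", when, who, f"{name} from {ip}"))
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("CRITICAL", "cloudtrail-tampering", when, who, name))
        if source == "iam.amazonaws.com" and name in IAM_PRIVILEGE_CHANGES:
            findings.append(("MEDIUM", "iam-privilege-change", when, who, f"{name} {rec.get('requestParameters')}"))
        if name == "AuthorizeSecurityGroupIngress" and world_open_ingress(rec):
            findings.append(("HIGH", "security-group-open-to-world", when, who,
                             rec.get("requestParameters", {}).get("groupId")))
        if rec.get("errorCode") == "AccessDenied":
            denied[who] += 1
    # Repeated AccessDenied from one principal: someone probing what they can reach.
    for who, n in sorted(denied.items()):
        if n >= ACCESS_DENIED_THRESHOLD:
            findings.append(("MEDIUM", "access-denied-burst", None, who, f"{n} AccessDenied responses"))
    return findings


def _rec(name, source, ident, ip, when, **extra):
    """Build a minimal CloudTrail-shaped record (helper for the constructed sample)."""
    return {"eventVersion": "1.02", "eventTime": when, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "sourceIPAddress": ip, "userIdentity": ident, **extra}


ROOT = {"type": "Root", "principalId": "123456789012", "arn": "arn:aws:iam::123456789012:root"}
ALICE = {"type": "IAMUser", "principalId": "AIDAEXAMPLE1", "arn": "arn:aws:iam::123456789012:user/alice"}
MALLORY = {"type": "IAMUser", "principalId": "AIDAEXAMPLE2", "arn": "arn:aws:iam::123456789012:user/mallory"}
SAMPLE_RECORDS = [  # constructed sample data, not a real trail
    _rec("ConsoleLogin", "signin.amazonaws.com", ROOT, "198.51.100.7", "2014-11-05T08:12:44Z"),
    _rec("AttachUserPolicy", "iam.amazonaws.com", ALICE, "203.0.113.10", "2014-11-05T08:20:01Z",
         requestParameters={"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _rec("StopLogging", "cloudtrail.amazonaws.com", ALICE, "203.0.113.10", "2014-11-05T08:21:30Z",
         requestParameters={"name": "audit-trail"}),
    _rec("AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", ALICE, "203.0.113.10", "2014-11-05T08:25:12Z",
         requestParameters={"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
] + [
    _rec("DescribeInstances", "ec2.amazonaws.com", MALLORY, "192.0.2.55", f"2014-11-05T09:00:{i:02d}Z",
         errorCode="AccessDenied") for i in range(4)
] + [
    _rec("DescribeInstances", "ec2.amazonaws.com", ALICE, "203.0.113.10", "2014-11-05T09:05:00Z"),
]

if __name__ == "__main__":
    import sys
    records = load_trail(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for finding in triage(records):
        print(*finding, sep="\t")
```

Run it with no arguments to triage the constructed records, or pass the path of a delivered `.json.gz` file. The AccessDenied count is the simplest instance of the "what is normal" question from later in the talk: the threshold has to come from your own baseline, not from this example.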
  15. and notifies you
  16. AWS Config: continuous change recording. Changing resources → AWS Config → History, Stream, Snapshot (ex. 2014-11-05)
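The history/stream/snapshot idea on the slide, as an added example (not code from the talk and not AWS Config's own data format): snapshots of one resource are appended to a history, each new snapshot is diffed against the previous one at attribute level, and a notification is raised for every change and for every transition into a non-compliant state. The resource, its attribute names, the timestamps and the three rules are constructed for the example.

```python
"""Continuous change recording: keep a history of configuration snapshots, diff
each new snapshot against the previous one, and notify on changes and on
transitions into a non-compliant state.

Added example, not code from the talk and not AWS Config's format. The snapshots
are constructed: a fictional encrypted data-warehouse cluster "trades-dw"
recorded at successive points in time; attribute names are illustrative.
"""


def flatten(obj, prefix=""):
    """Turn nested dicts/lists into {"dotted.path": leaf} so diffs are per attribute."""
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = enumerate(obj)
    else:
        return {prefix: obj}
    out = {}
    for key, value in items:
        out.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return out


def diff(old, new):
    """Return {path: (before, after)} for every attribute added, removed or changed."""
    a, b = flatten(old), flatten(new)
    return {p: (a.get(p), b.get(p)) for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)}


# Compliance rules evaluated against one snapshot: name -> (predicate, message).
RULES = {
    "encrypted-at-rest": (lambda c: c.get("encrypted") is True, "cluster encryption is disabled"),
    "not-publicly-accessible": (lambda c: c.get("publiclyAccessible") is False, "cluster is publicly accessible"),
    "hsm-backed-keys": (lambda c: c.get("hsmStatus", {}).get("status") == "active", "cluster key is not HSM-backed"),
}


def violations(config):
    return {name for name, (ok, _) in RULES.items() if not ok(config)}


def record(history, timestamp, config):
    """Append a snapshot to history; return (kind, timestamp, text) notifications."""
    prev = history[-1][1] if history else None
    history.append((timestamp, config))
    notes = []
    if prev is not None:
        for path, (before, after) in diff(prev, config).items():
            notes.append(("CHANGE", timestamp, f"{path}: {before!r} -> {after!r}"))
    # Alert on the transition into violation, not on every snapshot that stays bad.
    newly_bad = violations(config) - (violations(prev) if prev is not None else set())
    for name in sorted(newly_bad):
        notes.append(("NON_COMPLIANT", timestamp, f"{name}: {RULES[name][1]}"))
    return notes


def snapshot(**changes):
    """Constructed baseline configuration item with optional overrides."""
    base = {"clusterIdentifier": "trades-dw", "encrypted": True, "publiclyAccessible": False,
            "numberOfNodes": 8, "vpcSecurityGroups": ["sg-0a1b2c3d"],
            "hsmStatus": {"hsmClientCertificateIdentifier": "dw-hsm-cert", "status": "active"}}
    base.update(changes)
    return base


def run_constructed_history():
    """Replay four days of constructed snapshots; return every notification raised."""
    history, notes = [], []
    notes += record(history, "2014-11-03T00:00:00Z", snapshot())
    notes += record(history, "2014-11-04T00:00:00Z", snapshot(numberOfNodes=12))  # benign scale-out
    notes += record(history, "2014-11-05T00:00:00Z",
                    snapshot(numberOfNodes=12, publiclyAccessible=True,
                             vpcSecurityGroups=["sg-0a1b2c3d", "sg-0ffffff0"]))
    # Same state again: a change recorder should stay quiet, not re-alert.
    notes += record(history, "2014-11-06T00:00:00Z", history[-1][1])
    return notes


if __name__ == "__main__":
    for kind, when, text in run_constructed_history():
        print(kind, when, text, sep="\t")
```

The transition-only alerting in `record` is the part worth copying: a recorder that re-alerts on every snapshot of an already-bad resource trains people to ignore it.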
  17. Integrated Support from Our Partner Ecosystem
  18. CONTROL
  19. First class security and compliance starts (but doesn’t end!) with encryption: Automatic encryption with managed keys; Bring your own keys; Dedicated hardware security modules
  20. Encryption & Best Practices with AWS: Managed key encryption; Key storage with AWS CloudHSM; Customer-supplied key encryption; DIY on Amazon EC2; Partner enablement of crypto. Best practices: Create, store, & retrieve keys securely; Rotate keys regularly; Securely audit access to keys
  21. Nasdaq is a great example of security excellence in the cloud
  22. Nasdaq Use Case. Requirements: Replace on-premises data warehouse while keeping equivalent schemas and data; Only one year of capacity remaining; 4-8 billion rows of new information (stock trading) stored daily; Must cost less than existing system; Must satisfy multiple security and regulatory audits; Must perform similarly to legacy warehouse under concurrent query load. AWS’s ability to satisfy multiple security and regulatory audits was critical to Nasdaq’s migrating its data warehouse to AWS
  23. Nasdaq Data Warehouse Implementation: Pull data from numerous sources, validate data, and securely load into Redshift
  24. Nasdaq Security Best Practices: AWS CloudTrail to monitor and audit environment; Network isolation with Amazon VPC and AWS Direct Connect; Encryption in flight using TLS and Amazon Redshift JDBC connections; Encryption at rest with Amazon S3 (client-side, AES-256) with Amazon Redshift cluster encryption enabled and AWS CloudHSM. AWS CloudHSM integration was critical to Nasdaq’s adoption of AWS
  25. Amazon Redshift and Encryption: Master key (AWS CloudHSM) → Cluster key → Block key → 1MB data blocks (Amazon S3)
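The key hierarchy on slide 25 and the "rotate keys regularly" practice from slide 20, as an added example (not Redshift's or CloudHSM's implementation): a master key that never leaves an HSM stand-in wraps a cluster key, the cluster key wraps one block key per 1 MB data block, and rotating the cluster key re-wraps the block keys without touching the encrypted blocks. Two assumptions to note: the HSM is modelled as a Python class that only exposes wrap/unwrap, and AES-256 (as in the Nasdaq deployment) is replaced by an HMAC-SHA256 keystream with an encrypt-then-MAC tag so the example runs on a bare interpreter with no third-party library; that construction is for illustration only and is not a substitute for an authenticated AES mode in production.

```python
"""Three-tier key hierarchy: HSM master key -> cluster key -> per-block keys.

Added example, not Redshift's or CloudHSM's code. AES-256 is replaced by an
HMAC-SHA256 keystream plus an HMAC tag so this runs on a bare Python
interpreter; it illustrates the hierarchy, not a production cipher.
"""
import hashlib
import hmac
import os

BLOCK_SIZE = 1 << 20        # 1 MB: the unit that gets its own block key on the slide
NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key, nonce, data):
    """CTR-style stream: XOR data with successive HMAC-SHA256(key, nonce||counter) outputs."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[off:off + 32]
        xored = int.from_bytes(chunk, "big") ^ int.from_bytes(ks[:len(chunk)], "big")
        out += xored.to_bytes(len(chunk), "big")
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the tag before decrypting; raise on wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(key, nonce, ct)


def can_unwrap(key, blob):
    """True if `key` authenticates `blob`; used to show old keys stop working after rotation."""
    try:
        open_sealed(key, blob)
        return True
    except ValueError:
        return False


class Hsm:
    """Stand-in for CloudHSM: the master key is generated inside and never exported."""
    def __init__(self):
        self._master = os.urandom(32)

    def wrap(self, key):
        return seal(self._master, key)

    def unwrap(self, wrapped):
        return open_sealed(self._master, wrapped)


class EncryptedCluster:
    """Cluster key wrapped by the HSM; one block key per data block, wrapped by the cluster key."""
    def __init__(self, hsm):
        self.hsm = hsm
        self.wrapped_cluster_key = hsm.wrap(os.urandom(32))
        self.blocks = []      # list of (wrapped_block_key, sealed_block)
        self.rotations = 0

    def _cluster_key(self):
        return self.hsm.unwrap(self.wrapped_cluster_key)

    def load(self, data, block_size=BLOCK_SIZE):
        """Split data into blocks; each block gets a fresh key wrapped under the cluster key."""
        ck = self._cluster_key()
        for off in range(0, len(data), block_size):
            block_key = os.urandom(32)
            self.blocks.append((seal(ck, block_key), seal(block_key, data[off:off + block_size])))

    def read(self):
        ck = self._cluster_key()
        return b"".join(open_sealed(open_sealed(ck, wk), sb) for wk, sb in self.blocks)

    def rotate_cluster_key(self):
        """Re-wrap every block key under a fresh cluster key; the ciphertext is untouched."""
        old_ck, new_ck = self._cluster_key(), os.urandom(32)
        self.blocks = [(seal(new_ck, open_sealed(old_ck, wk)), sb) for wk, sb in self.blocks]
        self.wrapped_cluster_key = self.hsm.wrap(new_ck)
        self.rotations += 1


if __name__ == "__main__":
    cluster = EncryptedCluster(Hsm())
    cluster.load(os.urandom(3 * BLOCK_SIZE // 2))   # 1.5 MB -> two blocks, two block keys
    print(len(cluster.blocks), "blocks loaded; rotating cluster key")
    cluster.rotate_cluster_key()
    print("read back", len(cluster.read()), "bytes after rotation")
```

The `block_size` argument exists only so the example can be exercised on small inputs. `rotate_cluster_key` is the point of the hierarchy: rotation costs one unwrap and one re-wrap per block key, never a re-encryption of the data, and once the cluster key has rotated the old one no longer authenticates any wrapped block key.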
  26. AGILITY
  27. AWS
  28. The practice of security at AWS is different, but the outcome is familiar: So what does your security team look like?
  29. Our Culture: Everyone’s an owner. When the problem is “mine” rather than “hers” there’s a much higher likelihood I’ll do the right thing
  30. Our Culture: Measure constantly, report regularly, and hold senior executives accountable for security – have them drive the right culture
  31. Our Culture: Measure measure measure • 5 min metrics are too coarse • 1 min metrics just barely OK
  32. Our Culture: Saying “no” is a failure
  33. Our Culture: Apply more effort to the “why” rather than the “how”. Why is what really matters. When something goes wrong, ask the “five whys”
  34. Our Culture: Decentralize — don’t be a bottleneck. It’s human nature to go around a bottleneck
  35. Our Culture: Produce services that others can consume through hardened APIs
  36. Our Culture: Test, CONSTANTLY • Inside/outside • Privileged/unprivileged • Black-box/white-box • Vendor/self
  37. Our Culture: Proactive monitoring rules the day • What’s “normal” in your environment? • Depending on signatures == waiting to find out WHEN you’ve been had
  38. Our Culture: Collect, digest, disseminate, & use intelligence
  39. Our Culture: Make your compliance team a part of your security operations
  40. Our Culture: Base decisions on facts, metrics, & detailed understanding of your environment and adversaries
  41. Simple Security Controls
  42. REDUCTION
  43. REDUCTION
  44. ENCRYPTION
  47. Please give us your feedback on this session. Complete session evaluations and earn re:Invent swag.