
Information Security in AWS - Dave Walker


At our winter East Midlands Cyber Security Forum event, Dave Walker gave a presentation looking at Amazon’s security approach for their web services, outlining the key tools that are available to ensure a secure deployment.

http://qonex.com/east-midlands-cyber-security-forum/

Published in: Technology


  1. Information Security in AWS. Dave Walker, Specialist Solutions Architect, Security and Compliance, 25/01/17. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. About the Presenter
     • Worked in IT for 24 years
     • ...of which 18 have been in security
     • project-based
     • Telcos, Utilities, Retail, Financial Services, Public Sector...
     • Design, Implementation, Invention, Incident Response, Standards Contribution
     • Also been looking carefully at Cloud security for 5 years
     • ...and been working at AWS for the last 2
  3. AWS Shared Responsibility Model (diagram)
     • AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)
     • Customers are responsible for their security and compliance IN the Cloud: customer content; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection
  4. AWS Shared Responsibility Model – More Detail
     • Will one model work for all services?
     • Infrastructure Services, Container Services, Abstract Services
  5. AWS Shared Responsibility Model: for Infrastructure Services (diagram)
     • Managed by AWS: Foundation Services (Compute, Storage, Database, Networking); Global Infrastructure (Regions, Availability Zones, Edge Locations); API Endpoints; AWS IAM
     • Managed by customers: customer content; Platform & Applications Management; Operating System, Network & Firewall Configuration; Customer IAM; Client-Side Data Encryption & Data Integrity Authentication; Server-Side Encryption (File System and/or Data); Network Traffic Protection (Encryption / Integrity / Identity)
     • Optional – Opaque data: 1's and 0's (in transit/at rest); management protocols and API calls cross the boundary
  6. Infrastructure Service Example – EC2: RESPONSIBILITIES
     • AWS: Foundation Services — Networking, Compute, Storage; AWS Global Infrastructure; AWS API Endpoints
     • Customers: Customer Data; Customer Application; Operating System; Network & Firewall; Customer IAM (Corporate Directory Service); High Availability, Scaling; Instance Management; Data Protection (Transit, Rest, Backup); AWS IAM (Users, Groups, Roles, Policies)
  7. AWS Shared Responsibility Model: for Container Services (diagram)
     • Managed by AWS: Foundation Services; Global Infrastructure; API Endpoints; AWS IAM; Operating System, Network Configuration; Platform & Applications Management
     • Managed by customers: customer content; Firewall Configuration; Customer IAM; Client-Side Data Encryption & Data Integrity Authentication; Network Traffic Protection (Encryption / Integrity / Identity)
     • Optional – Opaque data: 1's and 0's (in transit/at rest); management protocols and API calls cross the boundary
  8. Infrastructure Service Example – RDS: RESPONSIBILITIES
     • AWS: Foundational Services – Networking, Compute, Storage; AWS Global Infrastructure; AWS API Endpoints; Operating System; Platform / Application; High Availability (in part)
     • Customers: Customer Data; Firewall (VPC); Customer IAM (DB Users, Table Permissions); AWS IAM (Users, Groups, Roles, Policies); High Availability (in part); Data Protection (Transit, Rest, Backup); Scaling
  9. AWS Shared Responsibility Model: for Abstract Services (diagram)
     • Managed by AWS: Foundation Services; Global Infrastructure; API Endpoints; AWS IAM; Operating System, Network & Firewall Configuration; Platform & Applications Management; Data Protection by the Platform (Protection of Data at Rest); Network Traffic Protection by the Platform (Protection of Data in Transit)
     • Managed by customers: customer content; (optional) Client-Side Data Encryption & Data Integrity Authentication; Opaque Data: 1's and 0's (in flight / at rest); API calls
  10. Infrastructure Service Example – S3: RESPONSIBILITIES
      • AWS: Foundational Services; AWS Global Infrastructure; AWS API Endpoints; Operating System; Platform / Application; Data Protection (Rest - SSE, Transit); High Availability / Scaling
      • Customers: Customer Data; Data Protection (Rest – CSE); AWS IAM (Users, Groups, Roles, Policies)
  11. Summary of Customer Responsibility in the Cloud
      • Infrastructure Services: Customer IAM, AWS IAM, Applications, Operating System, Networking/Firewall, Data
      • Container Services: Customer IAM, AWS IAM, Firewall, Data
      • Abstract Services: AWS IAM, Data
  12. Built on AWS consistent baseline controls (diagram)
      • AWS Foundation Services (Compute, Storage, Database, Networking) and AWS Global Infrastructure (Regions, Availability Zones, Edge Locations) provide the baseline
      • Customers: meet your own security objectives; customer scope and effort is reduced; better results through focused efforts; your own external audits, your own accreditation, your own certifications
  13. Auditing - Comparison on-prem vs on AWS
      • on-prem: Start with bare concrete | on AWS: Start on base of accredited services
      • on-prem: Functionally optional – you can build a secure system without it | on AWS: Functionally necessary – high watermark of requirements
      • on-prem: Audits done by an in-house team | on AWS: Audits done by third party experts
      • on-prem: Accountable to yourself | on AWS: Accountable to everyone
      • on-prem: Typically check once a year | on AWS: Continuous monitoring
      • on-prem: Workload-specific compliance checks | on AWS: Compliance approach based on all workload scenarios
      • on-prem: Must keep pace and invest in security innovation | on AWS: Security innovation drives broad compliance
  14. AWS Assurance Programs (logos)
  15. What this means
      • You benefit from an environment built for the most security sensitive organisations
      • AWS manages 1,800+ security controls so you don't have to
      • You get to define the right security controls for your workload sensitivity
  16. Compliance: How to work with AWS Certifications
      • "The magic's in the Scoping"
        • If a Service isn't in scope, that doesn't necessarily mean it can't be used in a compliant deployment
        • …but it won't be usable for a purpose which touches sensitive data
        • See Re:Invent sessions, especially "Navigating PCI Compliance in the Cloud", https://www.youtube.com/watch?v=LUGe0lofYa0&index=13&list=PLhr1KZpdzukcJvl0e65MqqwycgpkCENmg
      • Remember the Shared Responsibility Model
        • "we do our bit at AWS, but you must also do your bit in what you build using our services"
        • Our audit reports make it easier for our customers to get approval from their auditors, against the same standards
        • Liability can't be outsourced…
  17. Compliance: How to work with AWS Certifications
      • Time-based Subtleties:
        • PCI, ISO: point-in-time assessments
        • SOC: assessment spread over time, therefore more rigorous assessment of procedures and operations
        • (AWS Config allows you to make a path between these, for your own auditors)
        • FedRAMP: Continuous Monitoring and Reporting – important proof
      • If a service for defined sensitive data isn't in scope of an audit report, can this be designed around?
        • Eg standing up a queue system on EC2 as a substitute for SQS…
      • Be careful of what elements of a Service are in scope, too…
        • Metadata is typically "out"
  18. SOC 1
      • Availability: Audit report available to any customer with an NDA
      • Scope: AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
      • Sensitive data: N/A
      • Particularly good for: Datacentre management, talks about KMS for key management and encryption at rest, discusses Engineering bastions
      • Downsides: None
  19. SOC 2
      • Availability: Audit report available to any customer with an NDA
      • Scope: AWS CloudFormation, AWS CloudHSM, AWS CloudTrail, AWS DirectConnect, Amazon DynamoDB, Amazon EBS, Amazon EC2, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, Amazon Workspaces
      • Sensitive data: N/A
      • Particularly good for: Risk assessment considerations, management visibility and process, organisational structure
      • Downsides: None
  20. PCI-DSS
      • Availability: Audit report available to any customer with an NDA
      • Scope: Amazon EC2, Application Auto Scaling, ELB, Amazon VPC, Amazon Route 53, AWS Direct Connect, Amazon S3, Amazon Glacier, Amazon EBS, Amazon RDS, Amazon DynamoDB, Amazon SimpleDB, Amazon Redshift, Amazon EMR, Amazon SWF, IAM, AWS CloudTrail, AWS CloudHSM, Amazon SQS, Amazon CloudFront, AWS CloudFormation, AWS Elastic Beanstalk, AWS KMS, Amazon ECS, AWS WAF
      • Sensitive data: CVV, PAN
      • Particularly good for: Forensics cooperation, breach disclosure, explaining Shared Responsibility in depth; also Hypervisor-based instance separation assurance
      • Downsides: None (since the August 2015 update, when KMS was added)
  21. ISO 27001
      • Availability: Certificate is public at http://d0.awsstatic.com/certifications/iso_27001_global_certification.pdf, Statement of Applicability is normally not available externally
      • Scope: AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
      • Sensitive data: N/A
      • Particularly good for: A broad-ranging "backstop" and important "tick box item" – ISMS considerations
      • Downsides: No detailed audit report available
  22. ISO 27018
      • Availability: Certificate available at https://d0.awsstatic.com/certifications/iso_27018_certification.pdf
      • Scope: AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, AWS Directory Service, Amazon DynamoDB, Amazon EBS, Amazon EC2, Amazon ECS, Amazon EFS, AWS Elastic Beanstalk, ELB, Amazon EMR, Amazon ElastiCache, Amazon Glacier, IAM, AWS KMS, Amazon RDS, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon SES, Amazon SimpleDB, Amazon SQS, AWS Storage Gateway, Amazon SWF, AWS VM Import / Export, Amazon VPC, AWS WAF, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces
      • Sensitive data: PII
      • Particularly good for: Assurance of protection of PII in AWS environments
      • Downsides: No detailed audit report available
  23. Others (and Resources):
      • ISO 27017: Cloud security recommended practices
      • ISO 9001: Quality control (Handbook available under NDA)
      • UK G-Cloud / NCSC Security Principles, gov.uk "Cyber Essentials": See me, and our whitepaper at https://d0.awsstatic.com/whitepapers/compliance/AWS_CESG_UK_Cloud_Security_Principles.pdf
      • IT-Grundschutz: Workbook at https://d0.awsstatic.com/whitepapers/compliance/AWS_IT_Grundschutz_TUV_Certification_Workbook.pdf
      • MTCS, IRAP, …: "Other People's Geos" – we can put you in touch with AWS Specialist Security and Compliance SAs there as needed; there are also some whitepapers.
      • EU Data Protection Guidance: https://d0.awsstatic.com/whitepapers/compliance/AWS_EU_Data_Protection_Whitepaper.pdf
  24. Other Resources:
      • CSA CAIQ: See Risk and Compliance whitepaper at https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
      • Santa Fe Group SIG (available under NDA)
      • ...or see my sessions on Control Mapping
  25. Agreements:
      • Click-through
      • Enterprise
      • EU Data Processor
        • available to all customers
        • includes commitment to maintain ISO 27001 or successor certification, in perpetuity
      • Pentest authorisation
  26. "Familiar functions, made Cloud scale":
      • IAM: "RBAC writ large"
        • Fine-grained privilege
        • Further access controls: Source IP; Time of day; Use of MFA; Region affected (a work in progress; works for EC2, RDS)
      • Data Pipeline: "Cron writ large"
        • (…and now, CloudWatch Events = "cron for Lambda")
  27. Asset Management, Logging and Analysis:
      • "What the API returns, is true": CloudTrail, Config, CloudWatch Logs
      • "Checks and balances": S3 append-only, MFA delete
      • SNS for alerting
      • Easy building blocks for Continuous Protective Monitoring (AWS Config, AWS CloudTrail, CloudWatch)
  28. Logs→metrics→alerts→actions (diagram)
      • Logs and metrics: AWS Config, AWS CloudTrail, Amazon EC2 OS logs, Amazon VPC Flow Logs, API calls from most services, monitoring data from AWS services, custom metrics
      • Collected in CloudWatch / CloudWatch Logs, evaluated by CloudWatch alarms
      • Actions via Amazon SNS: email notification, HTTP/S notification, SMS notifications, mobile push notifications
  29. Thank you!
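The access controls listed on slide 26 (source IP, time of day, MFA, region) and the logs→metrics→alerts chain on slides 27 and 28 are easier to see together in code. The following is an added example, not code from the presentation or from AWS: it writes the slide's conditions once as an IAM policy document (using the real global condition keys aws:SourceIp, aws:MultiFactorAuthPresent and aws:RequestedRegion, the last being the key that now exists for the region control the slide called a work in progress) and then applies the same conditions as detection logic over CloudTrail records. The CIDR range, regions, working hours and the three CloudTrail records are constructed placeholders; the record field names follow the CloudTrail schema.

```python
"""Preventive and detective versions of the same access conditions.

Added example, not from the presentation. The policy is the preventive control;
scan() is the detective control that would feed a CloudWatch Logs metric
filter, an alarm and an SNS notification, as on the logging slides.
"""
import ipaddress
import json
from datetime import datetime

# Assumed corporate values (placeholders): RFC 5737 documentation range,
# two EU regions, and a working-hours window of 08:00 <= hour < 18:00 UTC.
ALLOWED_CIDRS = ["203.0.113.0/24"]
ALLOWED_REGIONS = {"eu-west-1", "eu-west-2"}
WORK_HOURS_UTC = (8, 18)

# Preventive control as an IAM policy statement. Time of day is left to the
# detection below: aws:CurrentTime compares whole timestamps, not a daily window.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*", "rds:*"],
        "Resource": "*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": ALLOWED_CIDRS},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "StringEquals": {"aws:RequestedRegion": sorted(ALLOWED_REGIONS)},
        },
    }],
}


def policy_json():
    """The policy as it would be passed to the IAM API."""
    return json.dumps(ADMIN_POLICY, indent=2)


def mfa_present(record):
    """CloudTrail stores MFA state as the string "true" under sessionContext.
    A long-term access-key call has no sessionContext, which counts as no MFA."""
    attrs = (record.get("userIdentity", {})
                   .get("sessionContext", {})
                   .get("attributes", {}))
    return attrs.get("mfaAuthenticated") == "true"


def ip_allowed(source_ip):
    """True only for an IP inside an allowed CIDR; non-IP values such as
    "AWS Internal" or a service DNS name are treated as not allowed."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(cidr) for cidr in ALLOWED_CIDRS)


def findings_for(record):
    """List every slide-26 condition that this record violates."""
    findings = []
    if not ip_allowed(record.get("sourceIPAddress", "")):
        findings.append("source-ip-outside-allowed-range")
    if not mfa_present(record):
        findings.append("no-mfa")
    if record.get("awsRegion") not in ALLOWED_REGIONS:
        findings.append("unexpected-region")
    hour = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
    if not WORK_HOURS_UTC[0] <= hour < WORK_HOURS_UTC[1]:
        findings.append("outside-working-hours")
    return findings


def scan(records):
    """Map eventID -> findings for records that violate any condition;
    each entry is what would become an SNS alert."""
    alerts = {}
    for record in records:
        findings = findings_for(record)
        if findings:
            alerts[record["eventID"]] = findings
    return alerts


# Constructed CloudTrail records: schema field names, made-up values.
SAMPLE_RECORDS = [
    {"eventID": "evt-1", "eventTime": "2017-01-25T10:15:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventID": "evt-2", "eventTime": "2017-01-26T02:40:00Z",
     "eventSource": "rds.amazonaws.com", "eventName": "DeleteDBInstance",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},  # key, no session
    {"eventID": "evt-3", "eventTime": "2017-01-26T14:05:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_RECORDS).items():
        print(event_id, ", ".join(findings))
```

Note that the detection side deliberately overlaps the policy: even where the policy would have denied the call, the CloudTrail record of the attempt still arrives, so the same conditions double as the "checks and balances" the slide asks for, and a missing sessionContext (an access key used without a session) is treated as no MFA rather than as unknown.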
